diff options
| author | Jacques Vidrine <nectar@FreeBSD.org> | 2004-03-17 15:49:33 +0000 |
|---|---|---|
| committer | Jacques Vidrine <nectar@FreeBSD.org> | 2004-03-17 15:49:33 +0000 |
| commit | ced566fd0b59417323f6b6f17b51b25e942cff52 (patch) | |
| tree | c6fe9e2dc64448f48fdaf5e0b2778005ccc1baac /crypto/openssl | |
| parent | 81ac585294418460a598ae2c6d3eeaf0d993b18a (diff) | |
| download | src-ced566fd0b59417323f6b6f17b51b25e942cff52.tar.gz src-ced566fd0b59417323f6b6f17b51b25e942cff52.zip | |
Vendor import of OpenSSL 0.9.7d.
Notes
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=127128
Diffstat (limited to 'crypto/openssl')
190 files changed, 2619 insertions, 1517 deletions
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index b8630792adf1..4a0363a1c2dd 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -2,6 +2,51 @@ OpenSSL CHANGES _______________ + Changes between 0.9.7c and 0.9.7d [17 Mar 2004] + + *) Fix null-pointer assignment in do_change_cipher_spec() revealed + by using the Codenomicon TLS Test Tool (CAN-2004-0079) + [Joe Orton, Steve Henson] + + *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites + (CAN-2004-0112) + [Joe Orton, Steve Henson] + + *) Make it possible to have multiple active certificates with the same + subject in the CA index file. This is done only if the keyword + 'unique_subject' is set to 'no' in the main CA section (default + if 'CA_default') of the configuration file. The value is saved + with the database itself in a separate index attribute file, + named like the index file with '.attr' appended to the name. + [Richard Levitte] + + *) X509 verify fixes. Disable broken certificate workarounds when + X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if + keyUsage extension present. Don't accept CRLs with unhandled critical + extensions: since verify currently doesn't process CRL extensions this + rejects a CRL with *any* critical extensions. Add new verify error codes + for these cases. + [Steve Henson] + + *) When creating an OCSP nonce use an OCTET STRING inside the extnValue. + A clarification of RFC2560 will require the use of OCTET STRINGs and + some implementations cannot handle the current raw format. Since OpenSSL + copies and compares OCSP nonces as opaque blobs without any attempt at + parsing them this should not create any compatibility issues. + [Steve Henson] + + *) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when + calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without + this HMAC (and other) operations are several times slower than OpenSSL + < 0.9.7. + [Steve Henson] + + *) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex(). + [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>] + + *) Use the correct content when signing type "other". + [Steve Henson] + Changes between 0.9.7b and 0.9.7c [30 Sep 2003] *) Fix various bugs revealed by running the NISCC test suite: diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure index 61331dbb517f..4e7883c17abf 100755 --- a/crypto/openssl/Configure +++ b/crypto/openssl/Configure @@ -145,10 +145,10 @@ my %table=( "debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn", -"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "dist", "cc:-O::(unknown)::::::", # Basic configs that should work on any (32 and less bit) box @@ -216,13 +216,13 @@ my %table=( "irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### IRIX 6.x configs # Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke -# './Configure irix-[g]cc' manually. +# './Configure irix-cc -o32' manually. # -mips4 flag is added by ./config when appropriate. -"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::-n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # N64 ABI builds. -"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::-64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Unified HP-UX ANSI C configs. # Special notes: @@ -260,6 +260,7 @@ my %table=( # 64bit PARISC for GCC without optimization, which seems to make problems. # Submitted by <ross.alexander@uk.neceur.com> "hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # IA-64 targets "hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ index ca5683def779..0b40039ef81e 100644 --- a/crypto/openssl/FAQ +++ b/crypto/openssl/FAQ @@ -68,7 +68,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 0.9.7c was released on September 30, 2003. +OpenSSL 0.9.7d was released on March 17, 2004. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: @@ -116,11 +116,14 @@ OpenSSL. Information on the OpenSSL mailing lists is available from * Where can I get a compiled version of OpenSSL? +You can finder pointers to binary distributions in +http://www.openssl.org/related/binaries.html . + Some applications that use OpenSSL are distributed in binary form. When using such an application, you don't need to install OpenSSL yourself; the application will include the required parts (e.g. DLLs). -If you want to install OpenSSL on a Windows system and you don't have +If you want to build OpenSSL on a Windows system and you don't have a C compiler, read the "Mingw32" section of INSTALL.W32 for information on how to obtain and install the free GNU C compiler. diff --git a/crypto/openssl/LICENSE b/crypto/openssl/LICENSE index dddb07842bb3..40277883a592 100644 --- a/crypto/openssl/LICENSE +++ b/crypto/openssl/LICENSE @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org index e80b22a32a18..a987a0298b20 100644 --- a/crypto/openssl/Makefile.org +++ b/crypto/openssl/Makefile.org @@ -456,10 +456,12 @@ do_irix-shared: if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ - ( set -x; ${CC} ${SHARED_LDFLAGS} \ + ( WHOLELIB="-all lib$$i.a -notall"; \ + (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-notall"; \ + set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -all lib$$i.a $$libs ${EX_LIBS} -lc) || exit 1; \ + $${WHOLELIB} $$libs ${EX_LIBS} -lc) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi @@ -832,7 +834,7 @@ install: all install_docs fi; \ fi cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc install_docs: @$(PERL) $(TOP)/util/mkdir-p.pl \ @@ -857,6 +859,7 @@ install_docs: > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ grep -v $$filecase "^$$fn\$$" | \ + grep -v "[ ]" | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ @@ -873,6 +876,7 @@ install_docs: > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ grep -v $$filecase "^$$fn\$$" | \ + grep -v "[ ]" | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ diff --git a/crypto/openssl/Makefile.ssl b/crypto/openssl/Makefile.ssl index 2a74a3db04f4..c8155a7628f8 100644 --- a/crypto/openssl/Makefile.ssl +++ b/crypto/openssl/Makefile.ssl @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=0.9.7c +VERSION=0.9.7d MAJOR=0 MINOR=9.7 SHLIB_VERSION_NUMBER=0.9.7 @@ -12,9 +12,9 @@ SHLIB_VERSION_HISTORY= SHLIB_MAJOR=0 SHLIB_MINOR=9.7 SHLIB_EXT= -PLATFORM=VC-WIN16 +PLATFORM=dist OPTIONS= no-krb5 -CONFIGURE_ARGS=VC-WIN16 +CONFIGURE_ARGS=dist SHLIB_TARGET= # HERE indicates where this Makefile lives. This can be used to indicate @@ -59,9 +59,9 @@ OPENSSLDIR=/usr/local/ssl # equal 4. # PKCS1_CHECK - pkcs1 tests. -CC= cl +CC= cc #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -CFLAG= -DOPENSSL_SYSNAME_WIN16 -DOPENSSL_NO_KRB5 +CFLAG= -DOPENSSL_NO_KRB5 -O DEPFLAG= PEX_LIBS= EX_LIBS= @@ -69,7 +69,7 @@ EXE_EXT= ARFLAGS= AR=ar $(ARFLAGS) r RANLIB= /usr/bin/ranlib -PERL= /usr/local/bin/perl5 +PERL= /usr/local/bin/perl TAR= tar TARFLAGS= --no-recursion MAKEDEPPROG=makedepend @@ -458,10 +458,12 @@ do_irix-shared: if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ - ( set -x; ${CC} ${SHARED_LDFLAGS} \ + ( WHOLELIB="-all lib$$i.a -notall"; \ + (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-notall"; \ + set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -all lib$$i.a $$libs ${EX_LIBS} -lc) || exit 1; \ + $${WHOLELIB} $$libs ${EX_LIBS} -lc) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi @@ -834,7 +836,7 @@ install: all install_docs fi; \ fi cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc install_docs: @$(PERL) $(TOP)/util/mkdir-p.pl \ @@ -859,6 +861,7 @@ install_docs: > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ grep -v $$filecase "^$$fn\$$" | \ + grep -v "[ ]" | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ @@ -875,6 +878,7 @@ install_docs: > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ grep -v $$filecase "^$$fn\$$" | \ + grep -v "[ ]" | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS index f0282ebb8755..4c1ba0a241f6 100644 --- a/crypto/openssl/NEWS +++ b/crypto/openssl/NEWS @@ -5,6 +5,14 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d: + + o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug + o Security: Fix null-pointer assignment in do_change_cipher_spec() + o Allow multiple active certificates with same subject in CA index + o Multiple X590 verification fixes + o Speed up HMAC and other operations + Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c: o Security: fix various ASN1 parsing bugs. diff --git a/crypto/openssl/README b/crypto/openssl/README index 65e3a124263b..f72a21036f9f 100644 --- a/crypto/openssl/README +++ b/crypto/openssl/README @@ -1,7 +1,7 @@ - OpenSSL 0.9.7c 30 Sep 2003 + OpenSSL 0.9.7d 17 Mar 2004 - Copyright (c) 1998-2003 The OpenSSL Project + Copyright (c) 1998-2004 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/crypto/openssl/apps/CA.pl b/crypto/openssl/apps/CA.pl index 669a016b8432..8b2ce7ea4248 100755 --- a/crypto/openssl/apps/CA.pl +++ b/crypto/openssl/apps/CA.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/local/bin/perl # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes diff --git a/crypto/openssl/apps/Makefile.ssl b/crypto/openssl/apps/Makefile.ssl index 90e71dee7666..7068286204b2 100644 --- a/crypto/openssl/apps/Makefile.ssl +++ b/crypto/openssl/apps/Makefile.ssl @@ -121,7 +121,7 @@ tags: tests: links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile lint: lint -DLINT $(INCLUDES) $(SRC)>fluff diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c index 007e3e06c3e0..93a665e788a3 100644 --- a/crypto/openssl/apps/apps.c +++ b/crypto/openssl/apps/apps.c @@ -501,7 +501,7 @@ static int ui_read(UI *ui, UI_STRING *uis) { const char *password = ((PW_CB_DATA *)UI_get0_user_data(ui))->password; - if (password[0] != '\0') + if (password && password[0] != '\0') { UI_set_result(ui, uis, password); return 1; @@ -525,7 +525,7 @@ static int ui_write(UI *ui, UI_STRING *uis) { const char *password = ((PW_CB_DATA *)UI_get0_user_data(ui))->password; - if (password[0] != '\0') + if (password && password[0] != '\0') return 1; } default: @@ -1411,14 +1411,565 @@ int load_config(BIO *err, CONF *cnf) char *make_config_name() { const char *t=X509_get_default_cert_area(); + size_t len; char *p; - p=OPENSSL_malloc(strlen(t)+strlen(OPENSSL_CONF)+2); - strcpy(p,t); + len=strlen(t)+strlen(OPENSSL_CONF)+2; + p=OPENSSL_malloc(len); + BUF_strlcpy(p,t,len); #ifndef OPENSSL_SYS_VMS - strcat(p,"/"); + BUF_strlcat(p,"/",len); #endif - strcat(p,OPENSSL_CONF); + BUF_strlcat(p,OPENSSL_CONF,len); return p; } + +static unsigned long index_serial_hash(const char **a) + { + const char *n; + + n=a[DB_serial]; + while (*n == '0') n++; + return(lh_strhash(n)); + } + +static int index_serial_cmp(const char **a, const char **b) + { + const char *aa,*bb; + + for (aa=a[DB_serial]; *aa == '0'; aa++); + for (bb=b[DB_serial]; *bb == '0'; bb++); + return(strcmp(aa,bb)); + } + +static int index_name_qual(char **a) + { return(a[0][0] == 'V'); } + +static unsigned long index_name_hash(const char **a) + { return(lh_strhash(a[DB_name])); } + +int index_name_cmp(const char **a, const char **b) + { return(strcmp(a[DB_name], + b[DB_name])); } + +static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **) +static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **) +static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **) +static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **) + +#undef BSIZE +#define BSIZE 256 + +BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai) + { + BIO *in=NULL; + BIGNUM *ret=NULL; + MS_STATIC char buf[1024]; + ASN1_INTEGER *ai=NULL; + + ai=ASN1_INTEGER_new(); + if (ai == NULL) goto err; + + if ((in=BIO_new(BIO_s_file())) == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + + if (BIO_read_filename(in,serialfile) <= 0) + { + if (!create) + { + perror(serialfile); + goto err; + } + else + { + ASN1_INTEGER_set(ai,1); + ret=BN_new(); + if (ret == NULL) + BIO_printf(bio_err, "Out of memory\n"); + else + BN_one(ret); + } + } + else + { + if (!a2i_ASN1_INTEGER(in,ai,buf,1024)) + { + BIO_printf(bio_err,"unable to load number from %s\n", + serialfile); + goto err; + } + ret=ASN1_INTEGER_to_BN(ai,NULL); + if (ret == NULL) + { + BIO_printf(bio_err,"error converting number from bin to BIGNUM\n"); + goto err; + } + } + + if (ret && retai) + { + *retai = ai; + ai = NULL; + } + err: + if (in != NULL) BIO_free(in); + if (ai != NULL) ASN1_INTEGER_free(ai); + return(ret); + } + +int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai) + { + char buf[1][BSIZE]; + BIO *out = NULL; + int ret=0; + ASN1_INTEGER *ai=NULL; + int j; + + if (suffix == NULL) + j = strlen(serialfile); + else + j = strlen(serialfile) + strlen(suffix) + 1; + if (j >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + + if (suffix == NULL) + BUF_strlcpy(buf[0], serialfile, BSIZE); + else + { +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix); +#endif + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]); +#endif + out=BIO_new(BIO_s_file()); + if (out == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + if (BIO_write_filename(out,buf[0]) <= 0) + { + perror(serialfile); + goto err; + } + + if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL) + { + BIO_printf(bio_err,"error converting serial to ASN.1 format\n"); + goto err; + } + i2a_ASN1_INTEGER(out,ai); + BIO_puts(out,"\n"); + ret=1; + if (retai) + { + *retai = ai; + ai = NULL; + } +err: + if (out != NULL) BIO_free_all(out); + if (ai != NULL) ASN1_INTEGER_free(ai); + return(ret); + } + +int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix) + { + char buf[5][BSIZE]; + int i,j; + struct stat sb; + + i = strlen(serialfile) + strlen(old_suffix); + j = strlen(serialfile) + strlen(new_suffix); + if (i > j) j = i; + if (j + 1 >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", + serialfile, new_suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", + serialfile, new_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", + serialfile, old_suffix); +#else + j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", + serialfile, old_suffix); +#endif + if (stat(serialfile,&sb) < 0) + { + if (errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR) +#endif + goto err; + } + else + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + serialfile, buf[1]); +#endif + if (rename(serialfile,buf[1]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + serialfile, buf[1]); + perror("reason"); + goto err; + } + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[0],serialfile); +#endif + if (rename(buf[0],serialfile) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[0],serialfile); + perror("reason"); + rename(buf[1],serialfile); + goto err; + } + return 1; + err: + return 0; + } + +CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) + { + CA_DB *retdb = NULL; + TXT_DB *tmpdb = NULL; + BIO *in = BIO_new(BIO_s_file()); + CONF *dbattr_conf = NULL; + char buf[1][BSIZE]; + long errorline= -1; + + if (in == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + if (BIO_read_filename(in,dbfile) <= 0) + { + perror(dbfile); + BIO_printf(bio_err,"unable to open '%s'\n",dbfile); + goto err; + } + if ((tmpdb = TXT_DB_read(in,DB_NUMBER)) == NULL) + { + if (tmpdb != NULL) TXT_DB_free(tmpdb); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile); +#else + BIO_snprintf(buf[0], sizeof buf[0], "%s-attr", dbfile); +#endif + dbattr_conf = NCONF_new(NULL); + if (NCONF_load(dbattr_conf,buf[0],&errorline) <= 0) + { + if (errorline > 0) + { + BIO_printf(bio_err, + "error on line %ld of db attribute file '%s'\n" + ,errorline,buf[0]); + goto err; + } + else + { + NCONF_free(dbattr_conf); + dbattr_conf = NULL; + } + } + + if ((retdb = OPENSSL_malloc(sizeof(CA_DB))) == NULL) + { + fprintf(stderr, "Out of memory\n"); + goto err; + } + + retdb->db = tmpdb; + tmpdb = NULL; + if (db_attr) + retdb->attributes = *db_attr; + else + { + retdb->attributes.unique_subject = 1; + } + + if (dbattr_conf) + { + char *p = NCONF_get_string(dbattr_conf,NULL,"unique_subject"); + if (p) + { + BIO_printf(bio_err, "DEBUG[load_index]: unique_subject = \"%s\"\n", p); + switch(*p) + { + case 'f': /* false */ + case 'F': /* FALSE */ + case 'n': /* no */ + case 'N': /* NO */ + retdb->attributes.unique_subject = 0; + break; + case 't': /* true */ + case 'T': /* TRUE */ + case 'y': /* yes */ + case 'Y': /* YES */ + default: + retdb->attributes.unique_subject = 1; + break; + } + } + } + + err: + if (dbattr_conf) NCONF_free(dbattr_conf); + if (tmpdb) TXT_DB_free(tmpdb); + if (in) BIO_free_all(in); + return retdb; + } + +int index_index(CA_DB *db) + { + if (!TXT_DB_create_index(db->db, DB_serial, NULL, + LHASH_HASH_FN(index_serial_hash), + LHASH_COMP_FN(index_serial_cmp))) + { + BIO_printf(bio_err, + "error creating serial number index:(%ld,%ld,%ld)\n", + db->db->error,db->db->arg1,db->db->arg2); + return 0; + } + + if (db->attributes.unique_subject + && !TXT_DB_create_index(db->db, DB_name, index_name_qual, + LHASH_HASH_FN(index_name_hash), + LHASH_COMP_FN(index_name_cmp))) + { + BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n", + db->db->error,db->db->arg1,db->db->arg2); + return 0; + } + return 1; + } + +int save_index(char *dbfile, char *suffix, CA_DB *db) + { + char buf[3][BSIZE]; + BIO *out = BIO_new(BIO_s_file()); + int j; + + if (out == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + + j = strlen(dbfile) + strlen(suffix); + if (j + 6 >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile); +#else + j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix); +#else + j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix); +#endif +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]); +#endif + if (BIO_write_filename(out,buf[0]) <= 0) + { + perror(dbfile); + BIO_printf(bio_err,"unable to open '%s'\n", dbfile); + goto err; + } + j=TXT_DB_write(out,db->db); + if (j <= 0) goto err; + + BIO_free(out); + + out = BIO_new(BIO_s_file()); +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]); +#endif + if (BIO_write_filename(out,buf[1]) <= 0) + { + perror(buf[2]); + BIO_printf(bio_err,"unable to open '%s'\n", buf[2]); + goto err; + } + BIO_printf(out,"unique_subject = %s\n", + db->attributes.unique_subject ? "yes" : "no"); + BIO_free(out); + + return 1; + err: + return 0; + } + +int rotate_index(char *dbfile, char *new_suffix, char *old_suffix) + { + char buf[5][BSIZE]; + int i,j; + struct stat sb; + + i = strlen(dbfile) + strlen(old_suffix); + j = strlen(dbfile) + strlen(new_suffix); + if (i > j) j = i; + if (j + 6 >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile); +#else + j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", + dbfile, new_suffix); +#else + j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", + dbfile, new_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", + dbfile, new_suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", + dbfile, new_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", + dbfile, old_suffix); +#else + j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", + dbfile, old_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", + dbfile, old_suffix); +#else + j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", + dbfile, old_suffix); +#endif + if (stat(dbfile,&sb) < 0) + { + if (errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR) +#endif + goto err; + } + else + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + dbfile, buf[1]); +#endif + if (rename(dbfile,buf[1]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + dbfile, buf[1]); + perror("reason"); + goto err; + } + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[0],dbfile); +#endif + if (rename(buf[0],dbfile) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[0],dbfile); + perror("reason"); + rename(buf[1],dbfile); + goto err; + } + if (stat(buf[4],&sb) < 0) + { + if (errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR) +#endif + goto err; + } + else + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[4],buf[3]); +#endif + if (rename(buf[4],buf[3]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[4], buf[3]); + perror("reason"); + rename(dbfile,buf[0]); + rename(buf[1],dbfile); + goto err; + } + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[2],buf[4]); +#endif + if (rename(buf[2],buf[4]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[2],buf[4]); + perror("reason"); + rename(buf[3],buf[4]); + rename(dbfile,buf[0]); + rename(buf[1],dbfile); + goto err; + } + return 1; + err: + return 0; + } + +void free_index(CA_DB *db) + { + TXT_DB_free(db->db); + OPENSSL_free(db); + } diff --git a/crypto/openssl/apps/apps.h b/crypto/openssl/apps/apps.h index c36b9d256657..8a9c4ab0a054 100644 --- a/crypto/openssl/apps/apps.h +++ b/crypto/openssl/apps/apps.h @@ -287,7 +287,38 @@ char *make_config_name(void); /* Functions defined in ca.c and also used in ocsp.c */ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str); -int make_serial_index(TXT_DB *db); + +#define DB_type 0 +#define DB_exp_date 1 +#define DB_rev_date 2 +#define DB_serial 3 /* index - unique */ +#define DB_file 4 +#define DB_name 5 /* index - unique when active and not disabled */ +#define DB_NUMBER 6 + +#define DB_TYPE_REV 'R' +#define DB_TYPE_EXP 'E' +#define DB_TYPE_VAL 'V' + +typedef struct db_attr_st + { + int unique_subject; + } DB_ATTR; +typedef struct ca_db_st + { + DB_ATTR attributes; + TXT_DB *db; + } CA_DB; + +BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai); +int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai); +int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix); +CA_DB *load_index(char *dbfile, DB_ATTR *dbattr); +int index_index(CA_DB *db); +int save_index(char *dbfile, char *suffix, CA_DB *db); +int rotate_index(char *dbfile, char *new_suffix, char *old_suffix); +void free_index(CA_DB *db); +int index_name_cmp(const char **a, const char **b); X509_NAME *do_subject(char *str, long chtype); diff --git a/crypto/openssl/apps/asn1pars.c b/crypto/openssl/apps/asn1pars.c index 83674154053a..7db40adf0436 100644 --- a/crypto/openssl/apps/asn1pars.c +++ b/crypto/openssl/apps/asn1pars.c @@ -304,7 +304,15 @@ bad: num=tmplen; } - if (length == 0) length=(unsigned int)num; + if (offset >= num) + { + BIO_printf(bio_err, "Error: offset too large\n"); + goto end; + } + + num -= offset; + + if ((length == 0) || ((long)length > num)) length=(unsigned int)num; if(derout) { if(BIO_write(derout, str + offset, length) != (int)length) { BIO_printf(bio_err, "Error writing output\n"); diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c index 7ed60c7a9ac1..2db61b1eae88 100644 --- a/crypto/openssl/apps/ca.c +++ b/crypto/openssl/apps/ca.c @@ -122,6 +122,7 @@ #define ENV_NEW_CERTS_DIR "new_certs_dir" #define ENV_CERTIFICATE "certificate" #define ENV_SERIAL "serial" +#define ENV_CRLNUMBER "crlnumber" #define ENV_CRL "crl" #define ENV_PRIVATE_KEY "private_key" #define ENV_RANDFILE "RANDFILE" @@ -143,18 +144,6 @@ #define ENV_DATABASE "database" -#define DB_type 0 -#define DB_exp_date 1 -#define DB_rev_date 2 -#define DB_serial 3 /* index - unique */ -#define DB_file 4 -#define DB_name 5 /* index - unique for active */ -#define DB_NUMBER 6 - -#define DB_TYPE_REV 'R' -#define DB_TYPE_EXP 'E' -#define DB_TYPE_VAL 'V' - /* Additional revocation information types */ #define REV_NONE 0 /* No addditional information */ @@ -211,43 +200,36 @@ extern int EF_ALIGNMENT; #endif static void lookup_fail(char *name,char *tag); -static unsigned long index_serial_hash(const char **a); -static int index_serial_cmp(const char **a, const char **b); -static unsigned long index_name_hash(const char **a); -static int index_name_qual(char **a); -static int index_name_cmp(const char **a,const char **b); -static BIGNUM *load_serial(char *serialfile); -static int save_serial(char *serialfile, BIGNUM *serial); static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, - const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db, + const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial, char *subj, int email_dn, + CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *conf,int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, ENGINE *e); static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial,char *subj, int email_dn, + CA_DB *db, BIGNUM *serial,char *subj, int email_dn, char *startdate, char *enddate, long days, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); static int fix_data(int nid, int *type); static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, - STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, int verbose, X509_REQ *req, char *ext_sect, CONF *conf, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); -static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval); -static int get_certificate_status(const char *ser_status, TXT_DB *db); -static int do_updatedb(TXT_DB *db); +static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval); +static int get_certificate_status(const char *ser_status, CA_DB *db); +static int do_updatedb(CA_DB *db); static int check_time_format(char *str); char *make_revocation_str(int rev_type, char *rev_arg); int make_revoked(X509_REVOKED *rev, char *str); @@ -259,11 +241,6 @@ static char *section=NULL; static int preserve=0; static int msie_hack=0; -static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **) -static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **) - int MAIN(int, char **); @@ -300,6 +277,7 @@ int MAIN(int argc, char **argv) char *outfile=NULL; char *outdir=NULL; char *serialfile=NULL; + char *crlnumberfile=NULL; char *extensions=NULL; char *extfile=NULL; char *subj=NULL; @@ -308,6 +286,7 @@ int MAIN(int argc, char **argv) int rev_type = REV_NONE; char *rev_arg = NULL; BIGNUM *serial=NULL; + BIGNUM *crlnumber=NULL; char *startdate=NULL; char *enddate=NULL; long days=0; @@ -320,14 +299,13 @@ int MAIN(int argc, char **argv) X509 *x=NULL; BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL; char *dbfile=NULL; - TXT_DB *db=NULL; + CA_DB *db=NULL; X509_CRL *crl=NULL; X509_REVOKED *r=NULL; ASN1_TIME *tmptm; ASN1_INTEGER *tmpser; char **pp,*p,*f; int i,j; - long l; const EVP_MD *dgst=NULL; STACK_OF(CONF_VALUE) *attribs=NULL; STACK_OF(X509) *cert_sk=NULL; @@ -339,6 +317,7 @@ int MAIN(int argc, char **argv) char *engine = NULL; #endif char *tofree=NULL; + DB_ATTR db_attr; #ifdef EFENCE EF_PROTECT_FREE=1; @@ -579,16 +558,19 @@ bad: if (configfile == NULL) { const char *s=X509_get_default_cert_area(); + size_t len; #ifdef OPENSSL_SYS_VMS - tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)); + len = strlen(s)+sizeof(CONFIG_FILE); + tofree=OPENSSL_malloc(len); strcpy(tofree,s); #else - tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)+1); - strcpy(tofree,s); - strcat(tofree,"/"); + len = strlen(s)+sizeof(CONFIG_FILE)+1; + tofree=OPENSSL_malloc(len); + BUF_strlcpy(tofree,s,len); + BUF_strlcat(tofree,"/",len); #endif - strcat(tofree,CONFIG_FILE); + BUF_strlcat(tofree,CONFIG_FILE,len); configfile=tofree; } @@ -659,6 +641,39 @@ bad: if (randfile == NULL) ERR_clear_error(); app_RAND_load_file(randfile, bio_err, 0); + + db_attr.unique_subject = 1; + p = NCONF_get_string(conf, section, "unique_subject"); + if (p) + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p); +#endif + switch(*p) + { + case 'f': /* false */ + case 'F': /* FALSE */ + case 'n': /* no */ + case 'N': /* NO */ + db_attr.unique_subject = 0; + break; + case 't': /* true */ + case 'T': /* TRUE */ + case 'y': /* yes */ + case 'Y': /* YES */ + default: + db_attr.unique_subject = 1; + break; + } + } +#ifdef RL_DEBUG + else + BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p); +#endif +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n", + db_attr.unique_subject); +#endif in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); @@ -679,17 +694,10 @@ bad: lookup_fail(section,ENV_DATABASE); goto err; } - if (BIO_read_filename(in,dbfile) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - db=TXT_DB_read(in,DB_NUMBER); + db = load_index(dbfile,&db_attr); if (db == NULL) goto err; - if (!make_serial_index(db)) - goto err; + if (!index_index(db)) goto err; if (get_certificate_status(ser_status,db) != 1) BIO_printf(bio_err,"Error verifying serial %s!\n", @@ -849,19 +857,13 @@ bad: lookup_fail(section,ENV_DATABASE); goto err; } - if (BIO_read_filename(in,dbfile) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - db=TXT_DB_read(in,DB_NUMBER); + db = load_index(dbfile, &db_attr); if (db == NULL) goto err; /* Lets check some fields */ - for (i=0; i<sk_num(db->data); i++) + for (i=0; i<sk_num(db->db->data); i++) { - pp=(char **)sk_value(db->data,i); + pp=(char **)sk_value(db->db->data,i); if ((pp[DB_type][0] != DB_TYPE_REV) && (pp[DB_rev_date][0] != '\0')) { @@ -912,23 +914,13 @@ bad: out = BIO_push(tmpbio, out); } #endif - TXT_DB_write(out,db); + TXT_DB_write(out,db->db); BIO_printf(bio_err,"%d entries loaded from the database\n", - db->data->num); + db->db->data->num); BIO_printf(bio_err,"generating index\n"); } - if (!make_serial_index(db)) - goto err; - - if (!TXT_DB_create_index(db, DB_name, index_name_qual, - LHASH_HASH_FN(index_name_hash), - LHASH_COMP_FN(index_name_cmp))) - { - BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n", - db->error,db->arg1,db->arg2); - goto err; - } + if (!index_index(db)) goto err; /*****************************************************************/ /* Update the db file for expired certificates */ @@ -951,62 +943,9 @@ bad: } else { - out = BIO_new(BIO_s_file()); - if (out == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - -#ifndef OPENSSL_SYS_VMS - j = BIO_snprintf(buf[0], sizeof buf[0], "%s.new", dbfile); -#else - j = BIO_snprintf(buf[0], sizeof buf[0], "%s-new", dbfile); -#endif - if (j < 0 || j >= sizeof buf[0]) - { - BIO_printf(bio_err, "file name too long\n"); - goto err; - } - if (BIO_write_filename(out,buf[0]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n", - dbfile); - goto err; - } - j=TXT_DB_write(out,db); - if (j <= 0) goto err; - - BIO_free(out); - out = NULL; -#ifndef OPENSSL_SYS_VMS - j = BIO_snprintf(buf[1], sizeof buf[1], "%s.old", dbfile); -#else - j = BIO_snprintf(buf[1], sizeof buf[1], "%s-old", dbfile); -#endif - if (j < 0 || j >= sizeof buf[1]) - { - BIO_printf(bio_err, "file name too long\n"); - goto err; - } - if (rename(dbfile,buf[1]) < 0) - { - BIO_printf(bio_err, - "unable to rename %s to %s\n", - dbfile, buf[1]); - perror("reason"); - goto err; - } - if (rename(buf[0],dbfile) < 0) - { - BIO_printf(bio_err, - "unable to rename %s to %s\n", - buf[0],dbfile); - perror("reason"); - rename(buf[1],dbfile); - goto err; - } + if (!save_index(dbfile,"new",db)) goto err; + + if (!rotate_index(dbfile,"new","old")) goto err; if (verbose) BIO_printf(bio_err, "Done. %d entries marked as expired\n",i); @@ -1167,7 +1106,7 @@ bad: goto err; } - if ((serial=load_serial(serialfile)) == NULL) + if ((serial=load_serial(serialfile, 0, NULL)) == NULL) { BIO_printf(bio_err,"error while loading serial number\n"); goto err; @@ -1301,38 +1240,9 @@ bad: BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk)); - if(strlen(serialfile) > BSIZE-5 || strlen(dbfile) > BSIZE-5) - { - BIO_printf(bio_err,"file name too long\n"); - goto err; - } - - strcpy(buf[0],serialfile); - -#ifdef OPENSSL_SYS_VMS - strcat(buf[0],"-new"); -#else - strcat(buf[0],".new"); -#endif - - if (!save_serial(buf[0],serial)) goto err; + if (!save_serial(serialfile,"new",serial,NULL)) goto err; - strcpy(buf[1],dbfile); - -#ifdef OPENSSL_SYS_VMS - strcat(buf[1],"-new"); -#else - strcat(buf[1],".new"); -#endif - - if (BIO_write_filename(out,buf[1]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - l=TXT_DB_write(out,db); - if (l <= 0) goto err; + if (!save_index(dbfile, "new", db)) goto err; } if (verbose) @@ -1340,7 +1250,7 @@ bad: for (i=0; i<sk_X509_num(cert_sk); i++) { int k; - unsigned char *n; + char *n; x=sk_X509_value(cert_sk,i); @@ -1356,15 +1266,19 @@ bad: strcpy(buf[2],outdir); #ifndef OPENSSL_SYS_VMS - strcat(buf[2],"/"); + BUF_strlcat(buf[2],"/",sizeof(buf[2])); #endif - n=(unsigned char *)&(buf[2][strlen(buf[2])]); + n=(char *)&(buf[2][strlen(buf[2])]); if (j > 0) { for (k=0; k<j; k++) { - sprintf((char *)n,"%02X",(unsigned char)*(p++)); + if (n >= &(buf[2][sizeof(buf[2])])) + break; + BIO_snprintf(n, + &buf[2][0] + sizeof(buf[2]) - n, + "%02X",(unsigned char)*(p++)); n+=2; } } @@ -1390,59 +1304,10 @@ bad: if (sk_X509_num(cert_sk)) { /* Rename the database and the serial file */ - strncpy(buf[2],serialfile,BSIZE-4); - buf[2][BSIZE-4]='\0'; + if (!rotate_serial(serialfile,"new","old")) goto err; -#ifdef OPENSSL_SYS_VMS - strcat(buf[2],"-old"); -#else - strcat(buf[2],".old"); -#endif + if (!rotate_index(dbfile,"new","old")) goto err; - BIO_free(in); - BIO_free_all(out); - in=NULL; - out=NULL; - if (rename(serialfile,buf[2]) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - serialfile,buf[2]); - perror("reason"); - goto err; - } - if (rename(buf[0],serialfile) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - buf[0],serialfile); - perror("reason"); - rename(buf[2],serialfile); - goto err; - } - - strncpy(buf[2],dbfile,BSIZE-4); - buf[2][BSIZE-4]='\0'; - -#ifdef OPENSSL_SYS_VMS - strcat(buf[2],"-old"); -#else - strcat(buf[2],".old"); -#endif - - if (rename(dbfile,buf[2]) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - dbfile,buf[2]); - perror("reason"); - goto err; - } - if (rename(buf[1],dbfile) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - buf[1],dbfile); - perror("reason"); - rename(buf[2],dbfile); - goto err; - } BIO_printf(bio_err,"Data Base Updated\n"); } } @@ -1473,6 +1338,14 @@ bad: } } + if ((crlnumberfile=NCONF_get_string(conf,section,ENV_CRLNUMBER)) + != NULL) + if ((crlnumber=load_serial(crlnumberfile,0,NULL)) == NULL) + { + BIO_printf(bio_err,"error while loading CRL number\n"); + goto err; + } + if (!crldays && !crlhours) { if (!NCONF_get_number(conf,section, @@ -1501,9 +1374,9 @@ bad: ASN1_TIME_free(tmptm); - for (i=0; i<sk_num(db->data); i++) + for (i=0; i<sk_num(db->db->data); i++) { - pp=(char **)sk_value(db->data,i); + pp=(char **)sk_value(db->db->data,i); if (pp[DB_type][0] == DB_TYPE_REV) { if ((r=X509_REVOKED_new()) == NULL) goto err; @@ -1549,14 +1422,24 @@ bad: /* Add any extensions asked for */ - if (crl_ext) + if (crl_ext || crlnumberfile != NULL) { X509V3_CTX crlctx; X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); X509V3_set_nconf(&crlctx, conf); - if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, - crl_ext, crl)) goto err; + if (crl_ext) + if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, + crl_ext, crl)) goto err; + if (crlnumberfile != NULL) + { + tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL); + if (!tmpser) goto err; + X509_CRL_add1_ext_i2d(crl,NID_crl_number,tmpser,0,0); + ASN1_INTEGER_free(tmpser); + crl_v2 = 1; + if (!BN_add_word(crlnumber,1)) goto err; + } } if (crl_ext || crl_v2) { @@ -1564,9 +1447,17 @@ bad: goto err; /* version 2 CRL */ } + + if (crlnumberfile != NULL) /* we have a CRL number that need updating */ + if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err; + if (!X509_CRL_sign(crl,pkey,dgst)) goto err; PEM_write_bio_X509_CRL(Sout,crl); + + if (crlnumberfile != NULL) /* Rename the crlnumber file */ + if (!rotate_serial(crlnumberfile,"new","old")) goto err; + } /*****************************************************************/ if (dorevoke) @@ -1587,50 +1478,10 @@ bad: if (j <= 0) goto err; X509_free(revcert); - if(strlen(dbfile) > BSIZE-5) - { - BIO_printf(bio_err,"filename too long\n"); - goto err; - } + if (!save_index(dbfile, "new", db)) goto err; + + if (!rotate_index(dbfile, "new", "old")) goto err; - strcpy(buf[0],dbfile); -#ifndef OPENSSL_SYS_VMS - strcat(buf[0],".new"); -#else - strcat(buf[0],"-new"); -#endif - if (BIO_write_filename(out,buf[0]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - j=TXT_DB_write(out,db); - if (j <= 0) goto err; - BIO_free_all(out); - out = NULL; - BIO_free_all(in); - in = NULL; - strncpy(buf[1],dbfile,BSIZE-4); - buf[1][BSIZE-4]='\0'; -#ifndef OPENSSL_SYS_VMS - strcat(buf[1],".old"); -#else - strcat(buf[1],"-old"); -#endif - if (rename(dbfile,buf[1]) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]); - perror("reason"); - goto err; - } - if (rename(buf[0],dbfile) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", buf[0],dbfile); - perror("reason"); - rename(buf[1],dbfile); - goto err; - } BIO_printf(bio_err,"Data Base Updated\n"); } } @@ -1652,7 +1503,7 @@ err: if (free_key && key) OPENSSL_free(key); BN_free(serial); - TXT_DB_free(db); + free_index(db); EVP_PKEY_free(pkey); X509_free(x509); X509_CRL_free(crl); @@ -1667,106 +1518,8 @@ static void lookup_fail(char *name, char *tag) BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag); } -static unsigned long index_serial_hash(const char **a) - { - const char *n; - - n=a[DB_serial]; - while (*n == '0') n++; - return(lh_strhash(n)); - } - -static int index_serial_cmp(const char **a, const char **b) - { - const char *aa,*bb; - - for (aa=a[DB_serial]; *aa == '0'; aa++); - for (bb=b[DB_serial]; *bb == '0'; bb++); - return(strcmp(aa,bb)); - } - -static unsigned long index_name_hash(const char **a) - { return(lh_strhash(a[DB_name])); } - -static int index_name_qual(char **a) - { return(a[0][0] == 'V'); } - -static int index_name_cmp(const char **a, const char **b) - { return(strcmp(a[DB_name], - b[DB_name])); } - -static BIGNUM *load_serial(char *serialfile) - { - BIO *in=NULL; - BIGNUM *ret=NULL; - MS_STATIC char buf[1024]; - ASN1_INTEGER *ai=NULL; - - if ((in=BIO_new(BIO_s_file())) == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - - if (BIO_read_filename(in,serialfile) <= 0) - { - perror(serialfile); - goto err; - } - ai=ASN1_INTEGER_new(); - if (ai == NULL) goto err; - if (!a2i_ASN1_INTEGER(in,ai,buf,1024)) - { - BIO_printf(bio_err,"unable to load number from %s\n", - serialfile); - goto err; - } - ret=ASN1_INTEGER_to_BN(ai,NULL); - if (ret == NULL) - { - BIO_printf(bio_err,"error converting number from bin to BIGNUM\n"); - goto err; - } -err: - if (in != NULL) BIO_free(in); - if (ai != NULL) ASN1_INTEGER_free(ai); - return(ret); - } - -static int save_serial(char *serialfile, BIGNUM *serial) - { - BIO *out; - int ret=0; - ASN1_INTEGER *ai=NULL; - - out=BIO_new(BIO_s_file()); - if (out == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - if (BIO_write_filename(out,serialfile) <= 0) - { - perror(serialfile); - goto err; - } - - if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL) - { - BIO_printf(bio_err,"error converting serial to ASN.1 format\n"); - goto err; - } - i2a_ASN1_INTEGER(out,ai); - BIO_puts(out,"\n"); - ret=1; -err: - if (out != NULL) BIO_free_all(out); - if (ai != NULL) ASN1_INTEGER_free(ai); - return(ret); - } - static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, + const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, @@ -1828,7 +1581,7 @@ err: } static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, + const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, @@ -1882,7 +1635,7 @@ err: } static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, - STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, int verbose, X509_REQ *req, char *ext_sect, CONF *lconf, unsigned long certopt, unsigned long nameopt, int default_op, @@ -1900,7 +1653,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, int ok= -1,i,j,last,nid; char *p; CONF_VALUE *cv; - char *row[DB_NUMBER],**rrow,**irow=NULL; + char *row[DB_NUMBER],**rrow=NULL,**irow=NULL; char buf[25]; tmptm=ASN1_UTCTIME_new(); @@ -2137,15 +1890,19 @@ again2: goto err; } - rrow=TXT_DB_get_by_index(db,DB_name,row); - if (rrow != NULL) + if (db->attributes.unique_subject) { - BIO_printf(bio_err,"ERROR:There is already a certificate for %s\n", - row[DB_name]); + rrow=TXT_DB_get_by_index(db->db,DB_name,row); + if (rrow != NULL) + { + BIO_printf(bio_err, + "ERROR:There is already a certificate for %s\n", + row[DB_name]); + } } - else + if (rrow == NULL) { - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); if (rrow != NULL) { BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n", @@ -2352,7 +2109,7 @@ again2: BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } - strcpy(row[DB_file],"unknown"); + BUF_strlcpy(row[DB_file],"unknown",8); row[DB_type][0]='V'; row[DB_type][1]='\0'; @@ -2369,10 +2126,10 @@ again2: } irow[DB_NUMBER]=NULL; - if (!TXT_DB_insert(db,irow)) + if (!TXT_DB_insert(db->db,irow)) { BIO_printf(bio_err,"failed to update database\n"); - BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error); + BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error); goto err; } ok=1; @@ -2423,7 +2180,7 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) } static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, + const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy) @@ -2602,7 +2359,7 @@ static int check_time_format(char *str) return(ASN1_UTCTIME_check(&tm)); } -static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) +static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) { ASN1_UTCTIME *tm=NULL; char *row[DB_NUMBER],**rrow,**irow; @@ -2627,10 +2384,10 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) /* We have to lookup by serial number because name lookup * skips revoked certs */ - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); if (rrow == NULL) { - BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]); + BIO_printf(bio_err,"Adding Entry with serial number %s to DB for %s\n", row[DB_serial], row[DB_name]); /* We now just add it to the database */ row[DB_type]=(char *)OPENSSL_malloc(2); @@ -2653,7 +2410,7 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } - strcpy(row[DB_file],"unknown"); + BUF_strlcpy(row[DB_file],"unknown",8); row[DB_type][0]='V'; row[DB_type][1]='\0'; @@ -2670,10 +2427,10 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) } irow[DB_NUMBER]=NULL; - if (!TXT_DB_insert(db,irow)) + if (!TXT_DB_insert(db->db,irow)) { BIO_printf(bio_err,"failed to update database\n"); - BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error); + BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error); goto err; } @@ -2718,7 +2475,7 @@ err: return(ok); } -static int get_certificate_status(const char *serial, TXT_DB *db) +static int get_certificate_status(const char *serial, CA_DB *db) { char *row[DB_NUMBER],**rrow; int ok=-1,i; @@ -2759,7 +2516,7 @@ static int get_certificate_status(const char *serial, TXT_DB *db) ok=1; /* Search for the certificate */ - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); if (rrow == NULL) { BIO_printf(bio_err,"Serial %s not present in db.\n", @@ -2806,7 +2563,7 @@ err: return(ok); } -static int do_updatedb (TXT_DB *db) +static int do_updatedb (CA_DB *db) { ASN1_UTCTIME *a_tm = NULL; int i, cnt = 0; @@ -2832,9 +2589,9 @@ static int do_updatedb (TXT_DB *db) else a_y2k = 0; - for (i = 0; i < sk_num(db->data); i++) + for (i = 0; i < sk_num(db->db->data); i++) { - rrow = (char **) sk_value(db->data, i); + rrow = (char **) sk_value(db->db->data, i); if (rrow[DB_type][0] == 'V') { @@ -2977,16 +2734,16 @@ char *make_revocation_str(int rev_type, char *rev_arg) if (!str) return NULL; - strcpy(str, (char *)revtm->data); + BUF_strlcpy(str, (char *)revtm->data, i); if (reason) { - strcat(str, ","); - strcat(str, reason); + BUF_strlcat(str, ",", i); + BUF_strlcat(str, reason, i); } if (other) { - strcat(str, ","); - strcat(str, other); + BUF_strlcat(str, ",", i); + BUF_strlcat(str, other, i); } ASN1_UTCTIME_free(revtm); return str; @@ -3321,17 +3078,3 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_G return ret; } - -int make_serial_index(TXT_DB *db) - { - if (!TXT_DB_create_index(db, DB_serial, NULL, - LHASH_HASH_FN(index_serial_hash), - LHASH_COMP_FN(index_serial_cmp))) - { - BIO_printf(bio_err, - "error creating serial number index:(%ld,%ld,%ld)\n", - db->error,db->arg1,db->arg2); - return 0; - } - return 1; - } diff --git a/crypto/openssl/apps/der_chop b/crypto/openssl/apps/der_chop index 2ee9d6bfd44b..9070b032fc38 100644 --- a/crypto/openssl/apps/der_chop +++ b/crypto/openssl/apps/der_chop @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/local/bin/perl # # der_chop ... this is one total hack that Eric is really not proud of # so don't look at it and don't ask for support diff --git a/crypto/openssl/apps/dgst.c b/crypto/openssl/apps/dgst.c index 47d1309b14c1..be25dafef704 100644 --- a/crypto/openssl/apps/dgst.c +++ b/crypto/openssl/apps/dgst.c @@ -347,8 +347,9 @@ int MAIN(int argc, char **argv) } if(!out_bin) { - tmp=tofree=OPENSSL_malloc(strlen(name)+strlen(argv[i])+5); - sprintf(tmp,"%s(%s)= ",name,argv[i]); + size_t len = strlen(name)+strlen(argv[i])+5; + tmp=tofree=OPENSSL_malloc(len); + BIO_snprintf(tmp,len,"%s(%s)= ",name,argv[i]); } else tmp=""; diff --git a/crypto/openssl/apps/enc.c b/crypto/openssl/apps/enc.c index 0a9f7310bf51..30378a9542e8 100644 --- a/crypto/openssl/apps/enc.c +++ b/crypto/openssl/apps/enc.c @@ -373,9 +373,9 @@ bad: { char buf[200]; - sprintf(buf,"enter %s %s password:", - OBJ_nid2ln(EVP_CIPHER_nid(cipher)), - (enc)?"encryption":"decryption"); + BIO_snprintf(buf,sizeof buf,"enter %s %s password:", + OBJ_nid2ln(EVP_CIPHER_nid(cipher)), + (enc)?"encryption":"decryption"); strbuf[0]='\0'; i=EVP_read_pw_string((char *)strbuf,SIZE,buf,enc); if (i == 0) diff --git a/crypto/openssl/apps/engine.c b/crypto/openssl/apps/engine.c index c3e1e8de1c38..12283d0aed67 100644 --- a/crypto/openssl/apps/engine.c +++ b/crypto/openssl/apps/engine.c @@ -122,8 +122,8 @@ static int append_buf(char **buf, const char *s, int *size, int step) return 0; if (**buf != '\0') - strcat(*buf, ", "); - strcat(*buf, s); + BUF_strlcat(*buf, ", ", *size); + BUF_strlcat(*buf, s, *size); return 1; } diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c index e5f186fd5ea8..856b797b532e 100644 --- a/crypto/openssl/apps/ocsp.c +++ b/crypto/openssl/apps/ocsp.c @@ -68,19 +68,6 @@ /* Maximum leeway in validity period: default 5 minutes */ #define MAX_VALIDITY_PERIOD (5 * 60) -/* CA index.txt definitions */ -#define DB_type 0 -#define DB_exp_date 1 -#define DB_rev_date 2 -#define DB_serial 3 /* index - unique */ -#define DB_file 4 -#define DB_name 5 /* index - unique for active */ -#define DB_NUMBER 6 - -#define DB_TYPE_REV 'R' -#define DB_TYPE_EXP 'E' -#define DB_TYPE_VAL 'V' - static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, @@ -89,12 +76,12 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, STACK *names, STACK_OF(OCSP_CERTID) *ids, long nsec, long maxage); -static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db, +static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother, unsigned long flags, int nmin, int ndays); -static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser); +static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); static BIO *init_responder(char *port); static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); @@ -143,7 +130,7 @@ int MAIN(int argc, char **argv) X509 *rca_cert = NULL; char *ridx_filename = NULL; char *rca_filename = NULL; - TXT_DB *rdb = NULL; + CA_DB *rdb = NULL; int nmin = 0, ndays = -1; if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); @@ -700,22 +687,9 @@ int MAIN(int argc, char **argv) if (ridx_filename && !rdb) { - BIO *db_bio = NULL; - db_bio = BIO_new_file(ridx_filename, "r"); - if (!db_bio) - { - BIO_printf(bio_err, "Error opening index file %s\n", ridx_filename); - goto end; - } - rdb = TXT_DB_read(db_bio, DB_NUMBER); - BIO_free(db_bio); - if (!rdb) - { - BIO_printf(bio_err, "Error reading index file %s\n", ridx_filename); - goto end; - } - if (!make_serial_index(rdb)) - goto end; + rdb = load_index(ridx_filename, NULL); + if (!rdb) goto end; + if (!index_index(rdb)) goto end; } if (rdb) @@ -899,7 +873,7 @@ end: X509_free(cert); X509_free(rsigner); X509_free(rca_cert); - TXT_DB_free(rdb); + free_index(rdb); BIO_free_all(cbio); BIO_free_all(acbio); BIO_free(out); @@ -1041,7 +1015,7 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, } -static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db, +static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother, unsigned long flags, int nmin, int ndays) @@ -1133,7 +1107,7 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *d } -static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser) +static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser) { int i; BIGNUM *bn = NULL; @@ -1146,7 +1120,7 @@ static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser) itmp = BN_bn2hex(bn); row[DB_serial] = itmp; BN_free(bn); - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); OPENSSL_free(itmp); return rrow; } diff --git a/crypto/openssl/apps/openssl.cnf b/crypto/openssl/apps/openssl.cnf index eca51c332280..854d1f164eb3 100644 --- a/crypto/openssl/apps/openssl.cnf +++ b/crypto/openssl/apps/openssl.cnf @@ -38,10 +38,14 @@ dir = ./demoCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number +#crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file @@ -58,6 +62,7 @@ cert_opt = ca_default # Certificate field options # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 # how long to certify for diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c index 5136acdc5759..71192bdf749c 100644 --- a/crypto/openssl/apps/pkcs12.c +++ b/crypto/openssl/apps/pkcs12.c @@ -557,7 +557,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "Can't read Password\n"); goto export_end; } - if (!twopass) strcpy(macpass, pass); + if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass); /* Turn certbags into encrypted authsafe */ authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0, iter, bags); @@ -658,7 +658,7 @@ int MAIN(int argc, char **argv) CRYPTO_pop_info(); #endif - if (!twopass) strcpy(macpass, pass); + if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass); if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1); if(macver) { diff --git a/crypto/openssl/apps/pkcs7.c b/crypto/openssl/apps/pkcs7.c index 6c58c67eb279..da4dbe7a07c0 100644 --- a/crypto/openssl/apps/pkcs7.c +++ b/crypto/openssl/apps/pkcs7.c @@ -102,6 +102,9 @@ int MAIN(int argc, char **argv) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); + if (!load_config(bio_err, NULL)) + goto end; + infile=NULL; outfile=NULL; informat=FORMAT_PEM; diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c index 5f6ec3d33914..1a3d1d0dfab4 100644 --- a/crypto/openssl/apps/req.c +++ b/crypto/openssl/apps/req.c @@ -824,7 +824,7 @@ loop: if ((x509ss=X509_new()) == NULL) goto end; /* Set version to V3 */ - if(!X509_set_version(x509ss, 2)) goto end; + if(extensions && !X509_set_version(x509ss, 2)) goto end; if (serial) { if (!X509_set_serialNumber(x509ss, serial)) goto end; @@ -1223,34 +1223,34 @@ start: for (;;) } /* If OBJ not recognised ignore it */ if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start; - - if(strlen(v->name) > sizeof buf-9) + if (BIO_snprintf(buf,sizeof buf,"%s_default",v->name) + >= sizeof buf) { BIO_printf(bio_err,"Name '%s' too long\n",v->name); return 0; } - sprintf(buf,"%s_default",v->name); if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL) { ERR_clear_error(); def=""; } - sprintf(buf,"%s_value",v->name); + + BIO_snprintf(buf,sizeof buf,"%s_value",v->name); if ((value=NCONF_get_string(req_conf,dn_sect,buf)) == NULL) { ERR_clear_error(); value=NULL; } - sprintf(buf,"%s_min",v->name); + BIO_snprintf(buf,sizeof buf,"%s_min",v->name); if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min)) { ERR_clear_error(); n_min = -1; } - sprintf(buf,"%s_max",v->name); + BIO_snprintf(buf,sizeof buf,"%s_max",v->name); if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max)) { ERR_clear_error(); @@ -1288,13 +1288,13 @@ start2: for (;;) if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start2; - if(strlen(v->name) > sizeof buf-9) + if (BIO_snprintf(buf,sizeof buf,"%s_default",type) + >= sizeof buf) { BIO_printf(bio_err,"Name '%s' too long\n",v->name); return 0; } - sprintf(buf,"%s_default",type); if ((def=NCONF_get_string(req_conf,attr_sect,buf)) == NULL) { @@ -1303,7 +1303,7 @@ start2: for (;;) } - sprintf(buf,"%s_value",type); + BIO_snprintf(buf,sizeof buf,"%s_value",type); if ((value=NCONF_get_string(req_conf,attr_sect,buf)) == NULL) { @@ -1311,11 +1311,11 @@ start2: for (;;) value=NULL; } - sprintf(buf,"%s_min",type); + BIO_snprintf(buf,sizeof buf,"%s_min",type); if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min)) n_min = -1; - sprintf(buf,"%s_max",type); + BIO_snprintf(buf,sizeof buf,"%s_max",type); if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max)) n_max = -1; @@ -1397,9 +1397,8 @@ start: (void)BIO_flush(bio_err); if(value != NULL) { - OPENSSL_assert(strlen(value) < sizeof buf-2); - strcpy(buf,value); - strcat(buf,"\n"); + BUF_strlcpy(buf,value,sizeof buf); + BUF_strlcat(buf,"\n",sizeof buf); BIO_printf(bio_err,"%s\n",value); } else @@ -1421,8 +1420,8 @@ start: { if ((def == NULL) || (def[0] == '\0')) return(1); - strcpy(buf,def); - strcat(buf,"\n"); + BUF_strlcpy(buf,def,sizeof buf); + BUF_strlcat(buf,"\n",sizeof buf); } else if ((buf[0] == '.') && (buf[1] == '\n')) return(1); @@ -1456,9 +1455,8 @@ start: (void)BIO_flush(bio_err); if (value != NULL) { - OPENSSL_assert(strlen(value) < sizeof buf-2); - strcpy(buf,value); - strcat(buf,"\n"); + BUF_strlcpy(buf,value,sizeof buf); + BUF_strlcat(buf,"\n",sizeof buf); BIO_printf(bio_err,"%s\n",value); } else @@ -1480,8 +1478,8 @@ start: { if ((def == NULL) || (def[0] == '\0')) return(1); - strcpy(buf,def); - strcat(buf,"\n"); + BUF_strlcpy(buf,def,sizeof buf); + BUF_strlcat(buf,"\n",sizeof buf); } else if ((buf[0] == '.') && (buf[1] == '\n')) return(1); diff --git a/crypto/openssl/apps/rsautl.c b/crypto/openssl/apps/rsautl.c index 5a6fd115f41b..5db6fe7cd74f 100644 --- a/crypto/openssl/apps/rsautl.c +++ b/crypto/openssl/apps/rsautl.c @@ -97,6 +97,7 @@ int MAIN(int argc, char **argv) EVP_PKEY *pkey = NULL; RSA *rsa = NULL; unsigned char *rsa_in = NULL, *rsa_out = NULL, pad; + char *passargin = NULL, *passin = NULL; int rsa_inlen, rsa_outlen = 0; int keysize; @@ -124,6 +125,9 @@ int MAIN(int argc, char **argv) } else if(!strcmp(*argv, "-inkey")) { if (--argc < 1) badarg = 1; keyfile = *(++argv); + } else if (!strcmp(*argv,"-passin")) { + if (--argc < 1) badarg = 1; + passargin= *(++argv); } else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) badarg = 1; keyform=str2fmt(*(++argv)); @@ -169,6 +173,10 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif + if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } /* FIXME: seed PRNG only if needed */ app_RAND_load_file(NULL, bio_err, 0); @@ -176,7 +184,7 @@ int MAIN(int argc, char **argv) switch(key_type) { case KEY_PRIVKEY: pkey = load_key(bio_err, keyfile, keyform, 0, - NULL, e, "Private Key"); + passin, e, "Private Key"); break; case KEY_PUBKEY: @@ -290,6 +298,7 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if(rsa_in) OPENSSL_free(rsa_in); if(rsa_out) OPENSSL_free(rsa_out); + if(passin) OPENSSL_free(passin); return ret; } @@ -313,6 +322,7 @@ static void usage() BIO_printf(bio_err, "-hexdump hex dump output\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); + BIO_printf (bio_err, "-passin arg pass phrase source\n"); #endif } diff --git a/crypto/openssl/apps/s_socket.c b/crypto/openssl/apps/s_socket.c index a88de6c8c85c..1867890966f6 100644 --- a/crypto/openssl/apps/s_socket.c +++ b/crypto/openssl/apps/s_socket.c @@ -389,7 +389,7 @@ redoit: perror("OPENSSL_malloc"); return(0); } - strcpy(*host,h1->h_name); + BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1); h2=GetHostByName(*host); if (h2 == NULL) diff --git a/crypto/openssl/apps/s_time.c b/crypto/openssl/apps/s_time.c index 1ad16cd607d4..7d4705746578 100644 --- a/crypto/openssl/apps/s_time.c +++ b/crypto/openssl/apps/s_time.c @@ -502,7 +502,7 @@ int MAIN(int argc, char **argv) if (s_www_path != NULL) { - sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); + BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); SSL_write(scon,buf,strlen(buf)); while ((i=SSL_read(scon,buf,sizeof(buf))) > 0) bytes_read+=i; @@ -557,7 +557,7 @@ next: if (s_www_path != NULL) { - sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); + BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); SSL_write(scon,buf,strlen(buf)); while (SSL_read(scon,buf,sizeof(buf)) > 0) ; @@ -595,7 +595,7 @@ next: if (s_www_path) { - sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); + BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); SSL_write(scon,buf,strlen(buf)); while ((i=SSL_read(scon,buf,sizeof(buf))) > 0) bytes_read+=i; diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c index ec55b4188cb4..24122000092a 100644 --- a/crypto/openssl/apps/speed.c +++ b/crypto/openssl/apps/speed.c @@ -773,6 +773,7 @@ int MAIN(int argc, char **argv) { dsa_doit[R_DSA_512]=1; dsa_doit[R_DSA_1024]=1; + dsa_doit[R_DSA_2048]=1; } else #endif @@ -1006,6 +1007,9 @@ int MAIN(int argc, char **argv) c[D_CBC_RC5][0]=count; c[D_CBC_BF][0]=count; c[D_CBC_CAST][0]=count; + c[D_CBC_128_AES][0]=count; + c[D_CBC_192_AES][0]=count; + c[D_CBC_256_AES][0]=count; for (i=1; i<SIZE_NUM; i++) { @@ -1031,6 +1035,9 @@ int MAIN(int argc, char **argv) c[D_CBC_RC5][i]=c[D_CBC_RC5][i-1]*l0/l1; c[D_CBC_BF][i]=c[D_CBC_BF][i-1]*l0/l1; c[D_CBC_CAST][i]=c[D_CBC_CAST][i-1]*l0/l1; + c[D_CBC_128_AES][i]=c[D_CBC_128_AES][i-1]*l0/l1; + c[D_CBC_192_AES][i]=c[D_CBC_192_AES][i-1]*l0/l1; + c[D_CBC_256_AES][i]=c[D_CBC_256_AES][i-1]*l0/l1; } #ifndef OPENSSL_NO_RSA rsa_c[R_RSA_512][0]=count/2000; diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c index 2020b51de064..9b95f7bd3fec 100644 --- a/crypto/openssl/apps/x509.c +++ b/crypto/openssl/apps/x509.c @@ -1022,31 +1022,31 @@ end: OPENSSL_EXIT(ret); } -static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create) +static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create) { char *buf = NULL, *p; - MS_STATIC char buf2[1024]; - ASN1_INTEGER *bs = NULL, *bs2 = NULL; - BIO *io = NULL; + ASN1_INTEGER *bs = NULL; BIGNUM *serial = NULL; + size_t len; - buf=OPENSSL_malloc( ((serialfile == NULL) - ?(strlen(CAfile)+strlen(POSTFIX)+1) - :(strlen(serialfile)))+1); + len = ((serialfile == NULL) + ?(strlen(CAfile)+strlen(POSTFIX)+1) + :(strlen(serialfile)))+1; + buf=OPENSSL_malloc(len); if (buf == NULL) { BIO_printf(bio_err,"out of mem\n"); goto end; } if (serialfile == NULL) { - strcpy(buf,CAfile); + BUF_strlcpy(buf,CAfile,len); for (p=buf; *p; p++) if (*p == '.') { *p='\0'; break; } - strcat(buf,POSTFIX); + BUF_strlcat(buf,POSTFIX,len); } else - strcpy(buf,serialfile); + BUF_strlcpy(buf,serialfile,len); serial=BN_new(); bs=ASN1_INTEGER_new(); if ((serial == NULL) || (bs == NULL)) @@ -1055,72 +1055,18 @@ static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create) goto end; } - io=BIO_new(BIO_s_file()); - if (io == NULL) - { - ERR_print_errors(bio_err); - goto end; - } - - if (BIO_read_filename(io,buf) <= 0) - { - if (!create) - { - perror(buf); - goto end; - } - else - { - ASN1_INTEGER_set(bs,1); - BN_one(serial); - } - } - else - { - if (!a2i_ASN1_INTEGER(io,bs,buf2,sizeof buf2)) - { - BIO_printf(bio_err,"unable to load serial number from %s\n",buf); - ERR_print_errors(bio_err); - goto end; - } - else - { - serial=BN_bin2bn(bs->data,bs->length,serial); - if (serial == NULL) - { - BIO_printf(bio_err,"error converting bin 2 bn"); - goto end; - } - } - } + serial = load_serial(buf, create, NULL); + if (serial == NULL) goto end; if (!BN_add_word(serial,1)) { BIO_printf(bio_err,"add_word failure\n"); goto end; } - if (!(bs2 = BN_to_ASN1_INTEGER(serial, NULL))) - { BIO_printf(bio_err,"error converting bn 2 asn1_integer\n"); goto end; } - if (BIO_write_filename(io,buf) <= 0) - { - BIO_printf(bio_err,"error attempting to write serial number file\n"); - perror(buf); - goto end; - } - i2a_ASN1_INTEGER(io,bs2); - BIO_puts(io,"\n"); - BIO_free(io); - if (buf) OPENSSL_free(buf); - ASN1_INTEGER_free(bs2); - BN_free(serial); - io=NULL; - return bs; + if (!save_serial(buf, NULL, serial, &bs)) goto end; - end: + end: if (buf) OPENSSL_free(buf); - BIO_free(io); - ASN1_INTEGER_free(bs); BN_free(serial); - return NULL; - + return bs; } static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, @@ -1142,7 +1088,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, goto end; } if (sno) bs = sno; - else if (!(bs = load_serial(CAfile, serialfile, create))) + else if (!(bs = x509_load_serial(CAfile, serialfile, create))) goto end; /* if (!X509_STORE_add_cert(ctx,x)) goto end;*/ diff --git a/crypto/openssl/certs/expired/vsign3.pem b/crypto/openssl/certs/expired/vsign3.pem new file mode 100644 index 000000000000..aa5bb4c1f32b --- /dev/null +++ b/crypto/openssl/certs/expired/vsign3.pem @@ -0,0 +1,18 @@ +subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority +notBefore=Jan 29 00:00:00 1996 GMT +notAfter=Jan 7 23:59:59 2004 GMT +-----BEGIN CERTIFICATE----- +MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJ +BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh +c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05 +NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD +VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp +bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB +jQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqo +RAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4 +rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATAN +BgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJp +STbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNH +ciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZ +pA== +-----END CERTIFICATE----- diff --git a/crypto/openssl/certs/vsign3.pem b/crypto/openssl/certs/vsign3.pem index aa5bb4c1f32b..4b8c0251cb7b 100644 --- a/crypto/openssl/certs/vsign3.pem +++ b/crypto/openssl/certs/vsign3.pem @@ -1,18 +1,17 @@ subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority notBefore=Jan 29 00:00:00 1996 GMT -notAfter=Jan 7 23:59:59 2004 GMT +notAfter=Aug 1 23:59:59 2028 GMT -----BEGIN CERTIFICATE----- -MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJ -BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh -c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05 -NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD -VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp -bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB -jQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqo -RAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4 -rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATAN -BgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJp -STbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNH -ciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZ -pA== +MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG +A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz +cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 +MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV +BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt +YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE +BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is +I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G +CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do +lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc +AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k -----END CERTIFICATE----- diff --git a/crypto/openssl/config b/crypto/openssl/config index b3bd96bbfcb6..25a3703c1fe0 100755 --- a/crypto/openssl/config +++ b/crypto/openssl/config @@ -134,7 +134,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in HPUXVER=`echo ${RELEASE}|sed -e 's/[^.]*.[0B]*//'` case "$HPUXVER" in 1[0-9].*) # HPUX 10 and 11 targets are unified - echo "${MACHINE}-hp-hpux10"; exit 0 + echo "${MACHINE}-hp-hpux1x"; exit 0 ;; *) echo "${MACHINE}-hp-hpux"; exit 0 @@ -410,9 +410,10 @@ if [ "$SYSTEM" = "HP-UX" ];then GCC_BITS="32" if [ $GCCVER -ge 30 ]; then # PA64 support only came in with gcc 3.0.x. - # We look for the preprocessor symbol __LP64__ indicating - # 64bit bit long and pointer. sizeof(int) == 32 on HPUX64. - if gcc -v -E -x c /dev/null 2>&1 | grep __LP64__ > /dev/null; then + # We check if the preprocessor symbol __LP64__ is defined... + if echo "__LP64__" | gcc -v -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null; then + : # __LP64__ has slipped through, it therefore is not defined + else GCC_BITS="64" fi fi @@ -685,7 +686,7 @@ EOF if [ $CC = "gcc" ]; then if [ $GCC_BITS = "64" ]; then - OUT="hpux64-parisc-gcc" + OUT="hpux64-parisc2-gcc" else OUT="hpux-parisc-gcc" fi @@ -700,7 +701,7 @@ EOF if [ $CPU_VERSION -ge 768 ]; then # IA-64 CPU echo "WARNING! 64-bit ABI is the default configured ABI on HP-UXi." echo " If you wish to build 32-bit library, the you have to" - echo " invoke './Configure hpux-ia32-cc' *manually*." + echo " invoke './Configure hpux-ia64-cc' *manually*." if [ "$TEST" = "false" ]; then echo " You have about 5 seconds to press Ctrl-C to abort." (stty -icanon min 0 time 50; read waste) < /dev/tty diff --git a/crypto/openssl/crypto/Makefile.ssl b/crypto/openssl/crypto/Makefile.ssl index 9def17ae601f..b9951a460054 100644 --- a/crypto/openssl/crypto/Makefile.ssl +++ b/crypto/openssl/crypto/Makefile.ssl @@ -50,7 +50,7 @@ ALL= $(GENERAL) $(SRC) $(HEADER) top: @(cd ..; $(MAKE) DIRS=$(DIR) all) -all: buildinf.h lib subdirs shared +all: shared buildinf.h: ../Makefile.ssl ( echo "#ifndef MK1MF_BUILD"; \ @@ -81,11 +81,11 @@ files: done; links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS) - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @for i in $(SDIRS); do \ (cd $$i && echo "making links in crypto/$$i..." && \ $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \ @@ -96,7 +96,7 @@ lib: $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib -shared: +shared: buildinf.h lib subdirs if [ -n "$(SHARED_LIBS)" ]; then \ (cd ..; $(MAKE) $(SHARED_LIB)); \ fi diff --git a/crypto/openssl/crypto/aes/Makefile.ssl b/crypto/openssl/crypto/aes/Makefile.ssl index 364d05bbfe01..f353aeb697dd 100644 --- a/crypto/openssl/crypto/aes/Makefile.ssl +++ b/crypto/openssl/crypto/aes/Makefile.ssl @@ -52,7 +52,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/aes/aes_cbc.c b/crypto/openssl/crypto/aes/aes_cbc.c index 86b27b10d612..1222a21002c1 100644 --- a/crypto/openssl/crypto/aes/aes_cbc.c +++ b/crypto/openssl/crypto/aes/aes_cbc.c @@ -104,7 +104,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, memcpy(tmp, in, AES_BLOCK_SIZE); AES_decrypt(tmp, tmp, key); for(n=0; n < len; ++n) - out[n] ^= ivec[n]; + out[n] = tmp[n] ^ ivec[n]; memcpy(ivec, tmp, AES_BLOCK_SIZE); } } diff --git a/crypto/openssl/crypto/asn1/Makefile.ssl b/crypto/openssl/crypto/asn1/Makefile.ssl index 944d8f164ae6..cb45194d48e3 100644 --- a/crypto/openssl/crypto/asn1/Makefile.ssl +++ b/crypto/openssl/crypto/asn1/Makefile.ssl @@ -77,7 +77,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/asn1/a_gentm.c b/crypto/openssl/crypto/asn1/a_gentm.c index cd09f68b38f6..85810078681e 100644 --- a/crypto/openssl/crypto/asn1/a_gentm.c +++ b/crypto/openssl/crypto/asn1/a_gentm.c @@ -208,6 +208,7 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s, char *p; struct tm *ts; struct tm data; + size_t len = 20; if (s == NULL) s=M_ASN1_GENERALIZEDTIME_new(); @@ -219,17 +220,17 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s, return(NULL); p=(char *)s->data; - if ((p == NULL) || (s->length < 16)) + if ((p == NULL) || ((size_t)s->length < len)) { - p=OPENSSL_malloc(20); + p=OPENSSL_malloc(len); if (p == NULL) return(NULL); if (s->data != NULL) OPENSSL_free(s->data); s->data=(unsigned char *)p; } - sprintf(p,"%04d%02d%02d%02d%02d%02dZ",ts->tm_year + 1900, - ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec); + BIO_snprintf(p,len,"%04d%02d%02d%02d%02d%02dZ",ts->tm_year + 1900, + ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec); s->length=strlen(p); s->type=V_ASN1_GENERALIZEDTIME; #ifdef CHARSET_EBCDIC_not diff --git a/crypto/openssl/crypto/asn1/a_mbstr.c b/crypto/openssl/crypto/asn1/a_mbstr.c index e8a26af521f2..208b3ec395f1 100644 --- a/crypto/openssl/crypto/asn1/a_mbstr.c +++ b/crypto/openssl/crypto/asn1/a_mbstr.c @@ -145,14 +145,14 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, if((minsize > 0) && (nchar < minsize)) { ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_SHORT); - sprintf(strbuf, "%ld", minsize); + BIO_snprintf(strbuf, sizeof strbuf, "%ld", minsize); ERR_add_error_data(2, "minsize=", strbuf); return -1; } if((maxsize > 0) && (nchar > maxsize)) { ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_LONG); - sprintf(strbuf, "%ld", maxsize); + BIO_snprintf(strbuf, sizeof strbuf, "%ld", maxsize); ERR_add_error_data(2, "maxsize=", strbuf); return -1; } diff --git a/crypto/openssl/crypto/asn1/a_strex.c b/crypto/openssl/crypto/asn1/a_strex.c index 8abfdfe59804..bde666a6ff15 100644 --- a/crypto/openssl/crypto/asn1/a_strex.c +++ b/crypto/openssl/crypto/asn1/a_strex.c @@ -285,7 +285,7 @@ const static signed char tag2nbyte[] = { -1, -1, 0, -1, /* 10-13 */ -1, -1, -1, -1, /* 15-17 */ -1, 1, 1, /* 18-20 */ - -1, 1, -1,-1, /* 21-24 */ + -1, 1, 1, 1, /* 21-24 */ -1, 1, -1, /* 25-27 */ 4, -1, 2 /* 28-30 */ }; diff --git a/crypto/openssl/crypto/asn1/a_time.c b/crypto/openssl/crypto/asn1/a_time.c index 7348da9457b3..159681fbcb06 100644 --- a/crypto/openssl/crypto/asn1/a_time.c +++ b/crypto/openssl/crypto/asn1/a_time.c @@ -128,6 +128,7 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE { ASN1_GENERALIZEDTIME *ret; char *str; + int newlen; if (!ASN1_TIME_check(t)) return NULL; @@ -150,12 +151,14 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE /* grow the string */ if (!ASN1_STRING_set(ret, NULL, t->length + 2)) return NULL; + /* ASN1_STRING_set() allocated 'len + 1' bytes. */ + newlen = t->length + 2 + 1; str = (char *)ret->data; /* Work out the century and prepend */ - if (t->data[0] >= '5') strcpy(str, "19"); - else strcpy(str, "20"); + if (t->data[0] >= '5') BUF_strlcpy(str, "19", newlen); + else BUF_strlcpy(str, "20", newlen); - BUF_strlcat(str, (char *)t->data, t->length+3); /* Include space for a '\0' */ + BUF_strlcat(str, (char *)t->data, newlen); return ret; } diff --git a/crypto/openssl/crypto/asn1/a_utctm.c b/crypto/openssl/crypto/asn1/a_utctm.c index dbb4a42c9d15..999852dae527 100644 --- a/crypto/openssl/crypto/asn1/a_utctm.c +++ b/crypto/openssl/crypto/asn1/a_utctm.c @@ -188,6 +188,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t) char *p; struct tm *ts; struct tm data; + size_t len = 20; if (s == NULL) s=M_ASN1_UTCTIME_new(); @@ -199,17 +200,17 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t) return(NULL); p=(char *)s->data; - if ((p == NULL) || (s->length < 14)) + if ((p == NULL) || ((size_t)s->length < len)) { - p=OPENSSL_malloc(20); + p=OPENSSL_malloc(len); if (p == NULL) return(NULL); if (s->data != NULL) OPENSSL_free(s->data); s->data=(unsigned char *)p; } - sprintf(p,"%02d%02d%02d%02d%02d%02dZ",ts->tm_year%100, - ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec); + BIO_snprintf(p,len,"%02d%02d%02d%02d%02d%02dZ",ts->tm_year%100, + ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec); s->length=strlen(p); s->type=V_ASN1_UTCTIME; #ifdef CHARSET_EBCDIC_not diff --git a/crypto/openssl/crypto/asn1/asn1_lib.c b/crypto/openssl/crypto/asn1/asn1_lib.c index e30d5dd303c9..a74f1368d34d 100644 --- a/crypto/openssl/crypto/asn1/asn1_lib.c +++ b/crypto/openssl/crypto/asn1/asn1_lib.c @@ -414,8 +414,8 @@ void asn1_add_error(unsigned char *address, int offset) { char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1]; - sprintf(buf1,"%lu",(unsigned long)address); - sprintf(buf2,"%d",offset); + BIO_snprintf(buf1,sizeof buf1,"%lu",(unsigned long)address); + BIO_snprintf(buf2,sizeof buf2,"%d",offset); ERR_add_error_data(4,"address=",buf1," offset=",buf2); } diff --git a/crypto/openssl/crypto/asn1/asn1_par.c b/crypto/openssl/crypto/asn1/asn1_par.c index e48532a24dc7..676d434f034d 100644 --- a/crypto/openssl/crypto/asn1/asn1_par.c +++ b/crypto/openssl/crypto/asn1/asn1_par.c @@ -83,11 +83,11 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed, p=str; if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE) - sprintf(str,"priv [ %d ] ",tag); + BIO_snprintf(str,sizeof str,"priv [ %d ] ",tag); else if ((xclass & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC) - sprintf(str,"cont [ %d ]",tag); + BIO_snprintf(str,sizeof str,"cont [ %d ]",tag); else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION) - sprintf(str,"appl [ %d ]",tag); + BIO_snprintf(str,sizeof str,"appl [ %d ]",tag); else p = ASN1_tag2str(tag); if (p2 != NULL) diff --git a/crypto/openssl/crypto/asn1/asn_moid.c b/crypto/openssl/crypto/asn1/asn_moid.c index be20db4bad7f..edb44c988f08 100644 --- a/crypto/openssl/crypto/asn1/asn_moid.c +++ b/crypto/openssl/crypto/asn1/asn_moid.c @@ -87,9 +87,14 @@ static int oid_module_init(CONF_IMODULE *md, const CONF *cnf) } } return 1; -} + } + +static void oid_module_finish(CONF_IMODULE *md) + { + OBJ_cleanup(); + } void ASN1_add_oid_module(void) { - CONF_module_add("oid_section", oid_module_init, 0); + CONF_module_add("oid_section", oid_module_init, oid_module_finish); } diff --git a/crypto/openssl/crypto/asn1/t_pkey.c b/crypto/openssl/crypto/asn1/t_pkey.c index 4e09c9e44e23..d15006e6546c 100644 --- a/crypto/openssl/crypto/asn1/t_pkey.c +++ b/crypto/openssl/crypto/asn1/t_pkey.c @@ -139,9 +139,9 @@ int RSA_print(BIO *bp, const RSA *x, int off) } if (x->d == NULL) - sprintf(str,"Modulus (%d bit):",BN_num_bits(x->n)); + BIO_snprintf(str,sizeof str,"Modulus (%d bit):",BN_num_bits(x->n)); else - strcpy(str,"modulus:"); + BUF_strlcpy(str,"modulus:",sizeof str); if (!print(bp,str,x->n,m,off)) goto err; s=(x->d == NULL)?"Exponent:":"publicExponent:"; if (!print(bp,s,x->e,m,off)) goto err; diff --git a/crypto/openssl/crypto/asn1/x_long.c b/crypto/openssl/crypto/asn1/x_long.c index c04b192794f1..c5f25956cb28 100644 --- a/crypto/openssl/crypto/asn1/x_long.c +++ b/crypto/openssl/crypto/asn1/x_long.c @@ -104,7 +104,12 @@ static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const A long ltmp; unsigned long utmp; int clen, pad, i; - ltmp = *(long *)pval; + /* this exists to bypass broken gcc optimization */ + char *cp = (char *)pval; + + /* use memcpy, because we may not be long aligned */ + memcpy(<mp, cp, sizeof(long)); + if(ltmp == it->size) return -1; /* Convert the long to positive: we subtract one if negative so * we can cleanly handle the padding if only the MSB of the leading @@ -136,6 +141,7 @@ static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, int neg, i; long ltmp; unsigned long utmp = 0; + char *cp = (char *)pval; if(len > sizeof(long)) { ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG); return 0; @@ -158,6 +164,6 @@ static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG); return 0; } - *(long *)pval = ltmp; + memcpy(cp, <mp, sizeof(long)); return 1; } diff --git a/crypto/openssl/crypto/bf/Makefile.ssl b/crypto/openssl/crypto/bf/Makefile.ssl index bb14a0ee8250..be3ad77a0563 100644 --- a/crypto/openssl/crypto/bf/Makefile.ssl +++ b/crypto/openssl/crypto/bf/Makefile.ssl @@ -22,6 +22,7 @@ BF_ENC= bf_enc.o #DES_ENC= bx86-elf.o CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=bftest.c @@ -67,7 +68,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/bio/Makefile.ssl b/crypto/openssl/crypto/bio/Makefile.ssl index 141a03ae1d21..d0b9e297b082 100644 --- a/crypto/openssl/crypto/bio/Makefile.ssl +++ b/crypto/openssl/crypto/bio/Makefile.ssl @@ -57,7 +57,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/bio/b_dump.c b/crypto/openssl/crypto/bio/b_dump.c index 8397cfab6a2c..f671e722fa39 100644 --- a/crypto/openssl/crypto/bio/b_dump.c +++ b/crypto/openssl/crypto/bio/b_dump.c @@ -104,38 +104,41 @@ int BIO_dump_indent(BIO *bio, const char *s, int len, int indent) for(i=0;i<rows;i++) { buf[0]='\0'; /* start with empty string */ - strcpy(buf,str); - sprintf(tmp,"%04x - ",i*dump_width); - strcat(buf,tmp); + BUF_strlcpy(buf,str,sizeof buf); + BIO_snprintf(tmp,sizeof tmp,"%04x - ",i*dump_width); + BUF_strlcat(buf,tmp,sizeof buf); for(j=0;j<dump_width;j++) { if (((i*dump_width)+j)>=len) { - strcat(buf," "); + BUF_strlcat(buf," ",sizeof buf); } else { ch=((unsigned char)*(s+i*dump_width+j)) & 0xff; - sprintf(tmp,"%02x%c",ch,j==7?'-':' '); - strcat(buf,tmp); + BIO_snprintf(tmp,sizeof tmp,"%02x%c",ch, + j==7?'-':' '); + BUF_strlcat(buf,tmp,sizeof buf); } } - strcat(buf," "); + BUF_strlcat(buf," ",sizeof buf); for(j=0;j<dump_width;j++) { if (((i*dump_width)+j)>=len) break; ch=((unsigned char)*(s+i*dump_width+j)) & 0xff; #ifndef CHARSET_EBCDIC - sprintf(tmp,"%c",((ch>=' ')&&(ch<='~'))?ch:'.'); + BIO_snprintf(tmp,sizeof tmp,"%c", + ((ch>=' ')&&(ch<='~'))?ch:'.'); #else - sprintf(tmp,"%c",((ch>=os_toascii[' '])&&(ch<=os_toascii['~'])) - ? os_toebcdic[ch] - : '.'); + BIO_snprintf(tmp,sizeof tmp,"%c", + ((ch>=os_toascii[' '])&&(ch<=os_toascii['~'])) + ? os_toebcdic[ch] + : '.'); #endif - strcat(buf,tmp); + BUF_strlcat(buf,tmp,sizeof buf); } - strcat(buf,"\n"); + BUF_strlcat(buf,"\n",sizeof buf); /* if this is the last call then update the ddt_dump thing so that * we will move the selection point in the debug window */ @@ -144,7 +147,8 @@ int BIO_dump_indent(BIO *bio, const char *s, int len, int indent) #ifdef TRUNCATE if (trunc > 0) { - sprintf(buf,"%s%04x - <SPACES/NULS>\n",str,len+trunc); + BIO_snprintf(buf,sizeof buf,"%s%04x - <SPACES/NULS>\n",str, + len+trunc); ret+=BIO_write(bio,(char *)buf,strlen(buf)); } #endif diff --git a/crypto/openssl/crypto/bio/b_print.c b/crypto/openssl/crypto/bio/b_print.c index 2cfc689dd6b4..fbff33179680 100644 --- a/crypto/openssl/crypto/bio/b_print.c +++ b/crypto/openssl/crypto/bio/b_print.c @@ -576,12 +576,12 @@ abs_val(LDOUBLE value) } static LDOUBLE -pow10(int exp) +pow10(int in_exp) { LDOUBLE result = 1; - while (exp) { + while (in_exp) { result *= 10; - exp--; + in_exp--; } return result; } @@ -652,8 +652,8 @@ fmtfp( (caps ? "0123456789ABCDEF" : "0123456789abcdef")[intpart % 10]; intpart = (intpart / 10); - } while (intpart && (iplace < sizeof iplace)); - if (iplace == sizeof iplace) + } while (intpart && (iplace < sizeof iconvert)); + if (iplace == sizeof iconvert) iplace--; iconvert[iplace] = 0; @@ -664,7 +664,7 @@ fmtfp( : "0123456789abcdef")[fracpart % 10]; fracpart = (fracpart / 10); } while (fplace < max); - if (fplace == sizeof fplace) + if (fplace == sizeof fconvert) fplace--; fconvert[fplace] = 0; diff --git a/crypto/openssl/crypto/bio/b_sock.c b/crypto/openssl/crypto/bio/b_sock.c index 601a14f37c5b..c851298d1e60 100644 --- a/crypto/openssl/crypto/bio/b_sock.c +++ b/crypto/openssl/crypto/bio/b_sock.c @@ -709,12 +709,12 @@ int BIO_accept(int sock, char **addr) } *addr=p; } - sprintf(*addr,"%d.%d.%d.%d:%d", - (unsigned char)(l>>24L)&0xff, - (unsigned char)(l>>16L)&0xff, - (unsigned char)(l>> 8L)&0xff, - (unsigned char)(l )&0xff, - port); + BIO_snprintf(*addr,24,"%d.%d.%d.%d:%d", + (unsigned char)(l>>24L)&0xff, + (unsigned char)(l>>16L)&0xff, + (unsigned char)(l>> 8L)&0xff, + (unsigned char)(l )&0xff, + port); end: return(ret); } diff --git a/crypto/openssl/crypto/bio/bio_cb.c b/crypto/openssl/crypto/bio/bio_cb.c index 0ffa4d21367f..6f4254a1141a 100644 --- a/crypto/openssl/crypto/bio/bio_cb.c +++ b/crypto/openssl/crypto/bio/bio_cb.c @@ -70,55 +70,61 @@ long MS_CALLBACK BIO_debug_callback(BIO *bio, int cmd, const char *argp, MS_STATIC char buf[256]; char *p; long r=1; + size_t p_maxlen; if (BIO_CB_RETURN & cmd) r=ret; - sprintf(buf,"BIO[%08lX]:",(unsigned long)bio); + BIO_snprintf(buf,sizeof buf,"BIO[%08lX]:",(unsigned long)bio); p= &(buf[14]); + p_maxlen = sizeof buf - 14; switch (cmd) { case BIO_CB_FREE: - sprintf(p,"Free - %s\n",bio->method->name); + BIO_snprintf(p,p_maxlen,"Free - %s\n",bio->method->name); break; case BIO_CB_READ: if (bio->method->type & BIO_TYPE_DESCRIPTOR) - sprintf(p,"read(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num); + BIO_snprintf(p,p_maxlen,"read(%d,%d) - %s fd=%d\n", + bio->num,argi,bio->method->name,bio->num); else - sprintf(p,"read(%d,%d) - %s\n",bio->num,argi,bio->method->name); + BIO_snprintf(p,p_maxlen,"read(%d,%d) - %s\n", + bio->num,argi,bio->method->name); break; case BIO_CB_WRITE: if (bio->method->type & BIO_TYPE_DESCRIPTOR) - sprintf(p,"write(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num); + BIO_snprintf(p,p_maxlen,"write(%d,%d) - %s fd=%d\n", + bio->num,argi,bio->method->name,bio->num); else - sprintf(p,"write(%d,%d) - %s\n",bio->num,argi,bio->method->name); + BIO_snprintf(p,p_maxlen,"write(%d,%d) - %s\n", + bio->num,argi,bio->method->name); break; case BIO_CB_PUTS: - sprintf(p,"puts() - %s\n",bio->method->name); + BIO_snprintf(p,p_maxlen,"puts() - %s\n",bio->method->name); break; case BIO_CB_GETS: - sprintf(p,"gets(%d) - %s\n",argi,bio->method->name); + BIO_snprintf(p,p_maxlen,"gets(%d) - %s\n",argi,bio->method->name); break; case BIO_CB_CTRL: - sprintf(p,"ctrl(%d) - %s\n",argi,bio->method->name); + BIO_snprintf(p,p_maxlen,"ctrl(%d) - %s\n",argi,bio->method->name); break; case BIO_CB_RETURN|BIO_CB_READ: - sprintf(p,"read return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"read return %ld\n",ret); break; case BIO_CB_RETURN|BIO_CB_WRITE: - sprintf(p,"write return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"write return %ld\n",ret); break; case BIO_CB_RETURN|BIO_CB_GETS: - sprintf(p,"gets return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"gets return %ld\n",ret); break; case BIO_CB_RETURN|BIO_CB_PUTS: - sprintf(p,"puts return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"puts return %ld\n",ret); break; case BIO_CB_RETURN|BIO_CB_CTRL: - sprintf(p,"ctrl return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"ctrl return %ld\n",ret); break; default: - sprintf(p,"bio callback - unknown type (%d)\n",cmd); + BIO_snprintf(p,p_maxlen,"bio callback - unknown type (%d)\n",cmd); break; } diff --git a/crypto/openssl/crypto/bio/bss_conn.c b/crypto/openssl/crypto/bio/bss_conn.c index 743db6ff94a0..f5d0e759e230 100644 --- a/crypto/openssl/crypto/bio/bss_conn.c +++ b/crypto/openssl/crypto/bio/bss_conn.c @@ -521,8 +521,8 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) char buf[16]; unsigned char *p = ptr; - sprintf(buf,"%d.%d.%d.%d", - p[0],p[1],p[2],p[3]); + BIO_snprintf(buf,sizeof buf,"%d.%d.%d.%d", + p[0],p[1],p[2],p[3]); if (data->param_hostname != NULL) OPENSSL_free(data->param_hostname); data->param_hostname=BUF_strdup(buf); @@ -532,7 +532,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) { char buf[DECIMAL_SIZE(int)+1]; - sprintf(buf,"%d",*(int *)ptr); + BIO_snprintf(buf,sizeof buf,"%d",*(int *)ptr); if (data->param_port != NULL) OPENSSL_free(data->param_port); data->param_port=BUF_strdup(buf); diff --git a/crypto/openssl/crypto/bio/bss_file.c b/crypto/openssl/crypto/bio/bss_file.c index 6904b5c081c4..9cdf159f82f8 100644 --- a/crypto/openssl/crypto/bio/bss_file.c +++ b/crypto/openssl/crypto/bio/bss_file.c @@ -249,15 +249,15 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) if (num & BIO_FP_APPEND) { if (num & BIO_FP_READ) - strcpy(p,"a+"); - else strcpy(p,"a"); + BUF_strlcpy(p,"a+",sizeof p); + else BUF_strlcpy(p,"a",sizeof p); } else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE)) - strcpy(p,"r+"); + BUF_strlcpy(p,"r+",sizeof p); else if (num & BIO_FP_WRITE) - strcpy(p,"w"); + BUF_strlcpy(p,"w",sizeof p); else if (num & BIO_FP_READ) - strcpy(p,"r"); + BUF_strlcpy(p,"r",sizeof p); else { BIOerr(BIO_F_FILE_CTRL,BIO_R_BAD_FOPEN_MODE); diff --git a/crypto/openssl/crypto/bn/Makefile.ssl b/crypto/openssl/crypto/bn/Makefile.ssl index 090fccdf7d29..50892ef44c6b 100644 --- a/crypto/openssl/crypto/bn/Makefile.ssl +++ b/crypto/openssl/crypto/bn/Makefile.ssl @@ -120,11 +120,14 @@ asm/ia64-cpp.o: asm/ia64.S asm/x86_64-gcc.o: asm/x86_64-gcc.c +asm/pa-risc2W.o: asm/pa-risc2W.s + /usr/ccs/bin/as -o asm/pa-rics2W.o asm/pa-risc2W.s + files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/bn/asm/bn-586.pl b/crypto/openssl/crypto/bn/asm/bn-586.pl index 33f61259201a..c4de4a2beece 100644 --- a/crypto/openssl/crypto/bn/asm/bn-586.pl +++ b/crypto/openssl/crypto/bn/asm/bn-586.pl @@ -11,7 +11,7 @@ require "x86asm.pl"; &bn_div_words("bn_div_words"); &bn_add_words("bn_add_words"); &bn_sub_words("bn_sub_words"); -&bn_sub_part_words("bn_sub_part_words"); +#&bn_sub_part_words("bn_sub_part_words"); &asm_finish(); diff --git a/crypto/openssl/crypto/bn/asm/x86_64-gcc.c b/crypto/openssl/crypto/bn/asm/x86_64-gcc.c index b97b394661aa..450e8e43228e 100644 --- a/crypto/openssl/crypto/bn/asm/x86_64-gcc.c +++ b/crypto/openssl/crypto/bn/asm/x86_64-gcc.c @@ -142,7 +142,7 @@ void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n) BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) { BN_ULONG ret,waste; - asm ("divq %3" + asm ("divq %4" : "=a"(ret),"=d"(waste) : "a"(l),"d"(h),"g"(d) : "cc"); diff --git a/crypto/openssl/crypto/bn/bn_lcl.h b/crypto/openssl/crypto/bn/bn_lcl.h index 5614bc6164cf..253e195e2385 100644 --- a/crypto/openssl/crypto/bn/bn_lcl.h +++ b/crypto/openssl/crypto/bn/bn_lcl.h @@ -433,19 +433,18 @@ void bn_sqr_comba4(BN_ULONG *r,const BN_ULONG *a); int bn_cmp_words(const BN_ULONG *a,const BN_ULONG *b,int n); int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl); -#if 0 -/* bn_mul.c rollback <appro> */ -void bn_mul_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2, - int dna,int dnb,BN_ULONG *t); -void bn_mul_part_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, - int n,int tna,int tnb,BN_ULONG *t); -#endif -void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t); -void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n); +#ifdef BN_RECURSION +void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, + BN_ULONG *t); +void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn, + int n, BN_ULONG *t); void bn_mul_low_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2, BN_ULONG *t); void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2, BN_ULONG *t); +void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t); +#endif +void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n); #ifdef __cplusplus } diff --git a/crypto/openssl/crypto/bn/bn_lib.c b/crypto/openssl/crypto/bn/bn_lib.c index fa0ff485ade4..e1660450bc0f 100644 --- a/crypto/openssl/crypto/bn/bn_lib.c +++ b/crypto/openssl/crypto/bn/bn_lib.c @@ -145,11 +145,11 @@ char *BN_options(void) { init++; #ifdef BN_LLONG - sprintf(data,"bn(%d,%d)",(int)sizeof(BN_ULLONG)*8, - (int)sizeof(BN_ULONG)*8); + BIO_snprintf(data,sizeof data,"bn(%d,%d)", + (int)sizeof(BN_ULLONG)*8,(int)sizeof(BN_ULONG)*8); #else - sprintf(data,"bn(%d,%d)",(int)sizeof(BN_ULONG)*8, - (int)sizeof(BN_ULONG)*8); + BIO_snprintf(data,sizeof data,"bn(%d,%d)", + (int)sizeof(BN_ULONG)*8,(int)sizeof(BN_ULONG)*8); #endif } return(data); diff --git a/crypto/openssl/crypto/bn/bn_print.c b/crypto/openssl/crypto/bn/bn_print.c index 5f46b1826c03..0d942603b1b1 100644 --- a/crypto/openssl/crypto/bn/bn_print.c +++ b/crypto/openssl/crypto/bn/bn_print.c @@ -119,6 +119,7 @@ char *BN_bn2dec(const BIGNUM *a) } if ((t=BN_dup(a)) == NULL) goto err; +#define BUF_REMAIN (num+3 - (size_t)(p - buf)) p=buf; lp=bn_data; if (t->neg) *(p++)='-'; @@ -139,12 +140,12 @@ char *BN_bn2dec(const BIGNUM *a) /* We now have a series of blocks, BN_DEC_NUM chars * in length, where the last one needs truncation. * The blocks need to be reversed in order. */ - sprintf(p,BN_DEC_FMT1,*lp); + BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT1,*lp); while (*p) p++; while (lp != bn_data) { lp--; - sprintf(p,BN_DEC_FMT2,*lp); + BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT2,*lp); while (*p) p++; } } diff --git a/crypto/openssl/crypto/buffer/Makefile.ssl b/crypto/openssl/crypto/buffer/Makefile.ssl index e8b6c9693a94..b131ca307894 100644 --- a/crypto/openssl/crypto/buffer/Makefile.ssl +++ b/crypto/openssl/crypto/buffer/Makefile.ssl @@ -47,7 +47,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/cast/Makefile.ssl b/crypto/openssl/crypto/cast/Makefile.ssl index 70c47bf8e695..98393a37ba5d 100644 --- a/crypto/openssl/crypto/cast/Makefile.ssl +++ b/crypto/openssl/crypto/cast/Makefile.ssl @@ -25,6 +25,7 @@ CAST_ENC=c_enc.o #CAST_ENC=asm/cx86bdsi.o CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=casttest.c @@ -70,7 +71,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/comp/Makefile.ssl b/crypto/openssl/crypto/comp/Makefile.ssl index f60c7a1afc7b..f70ba1b2853d 100644 --- a/crypto/openssl/crypto/comp/Makefile.ssl +++ b/crypto/openssl/crypto/comp/Makefile.ssl @@ -50,7 +50,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/conf/Makefile.ssl b/crypto/openssl/crypto/conf/Makefile.ssl index 28b3f9ac0b55..c5873bc6e782 100644 --- a/crypto/openssl/crypto/conf/Makefile.ssl +++ b/crypto/openssl/crypto/conf/Makefile.ssl @@ -50,7 +50,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/conf/conf_def.c b/crypto/openssl/crypto/conf/conf_def.c index 57d2739ae0c8..2e9f52f1fd50 100644 --- a/crypto/openssl/crypto/conf/conf_def.c +++ b/crypto/openssl/crypto/conf/conf_def.c @@ -235,7 +235,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE); goto err; } - strcpy(section,"default"); + BUF_strlcpy(section,"default",10); if (_CONF_new_data(conf) == 0) { @@ -392,7 +392,7 @@ again: ERR_R_MALLOC_FAILURE); goto err; } - strcpy(v->name,pname); + BUF_strlcpy(v->name,pname,strlen(pname)+1); if (!str_copy(conf,psection,&(v->value),start)) goto err; if (strcmp(psection,section) != 0) @@ -447,7 +447,7 @@ err: if (buff != NULL) BUF_MEM_free(buff); if (section != NULL) OPENSSL_free(section); if (line != NULL) *line=eline; - sprintf(btmp,"%ld",eline); + BIO_snprintf(btmp,sizeof btmp,"%ld",eline); ERR_add_error_data(2,"line ",btmp); if ((h != conf->data) && (conf->data != NULL)) { diff --git a/crypto/openssl/crypto/conf/conf_mod.c b/crypto/openssl/crypto/conf/conf_mod.c index edcc08921c2f..d45adea85131 100644 --- a/crypto/openssl/crypto/conf/conf_mod.c +++ b/crypto/openssl/crypto/conf/conf_mod.c @@ -232,7 +232,7 @@ static int module_run(const CONF *cnf, char *name, char *value, { char rcode[DECIMAL_SIZE(ret)+1]; CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR); - sprintf(rcode, "%-8d", ret); + BIO_snprintf(rcode, sizeof rcode, "%-8d", ret); ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode); } } @@ -561,11 +561,11 @@ char *CONF_get1_default_config_file(void) if (!file) return NULL; - strcpy(file,X509_get_default_cert_area()); + BUF_strlcpy(file,X509_get_default_cert_area(),len + 1); #ifndef OPENSSL_SYS_VMS - strcat(file,"/"); + BUF_strlcat(file,"/",len + 1); #endif - strcat(file,OPENSSL_CONF); + BUF_strlcat(file,OPENSSL_CONF,len + 1); return file; } @@ -576,12 +576,12 @@ char *CONF_get1_default_config_file(void) * be used to parse comma separated lists for example. */ -int CONF_parse_list(const char *list, int sep, int nospc, +int CONF_parse_list(const char *list_, int sep, int nospc, int (*list_cb)(const char *elem, int len, void *usr), void *arg) { int ret; const char *lstart, *tmpend, *p; - lstart = list; + lstart = list_; for(;;) { diff --git a/crypto/openssl/crypto/cversion.c b/crypto/openssl/crypto/cversion.c index 8ecfba7b16ba..beeeb14013e7 100644 --- a/crypto/openssl/crypto/cversion.c +++ b/crypto/openssl/crypto/cversion.c @@ -61,7 +61,9 @@ #include "cryptlib.h" #include <openssl/crypto.h> +#ifndef NO_WINDOWS_BRAINDEATH #include "buildinf.h" +#endif const char *SSLeay_version(int t) { @@ -72,7 +74,7 @@ const char *SSLeay_version(int t) #ifdef DATE static char buf[sizeof(DATE)+11]; - sprintf(buf,"built on: %s",DATE); + BIO_snprintf(buf,sizeof buf,"built on: %s",DATE); return(buf); #else return("built on: date not available"); @@ -83,7 +85,7 @@ const char *SSLeay_version(int t) #ifdef CFLAGS static char buf[sizeof(CFLAGS)+11]; - sprintf(buf,"compiler: %s",CFLAGS); + BIO_snprintf(buf,sizeof buf,"compiler: %s",CFLAGS); return(buf); #else return("compiler: information not available"); @@ -94,7 +96,7 @@ const char *SSLeay_version(int t) #ifdef PLATFORM static char buf[sizeof(PLATFORM)+11]; - sprintf(buf,"platform: %s", PLATFORM); + BIO_snprintf(buf,sizeof buf,"platform: %s", PLATFORM); return(buf); #else return("platform: information not available"); diff --git a/crypto/openssl/crypto/des/Makefile.ssl b/crypto/openssl/crypto/des/Makefile.ssl index 548573f4b185..0d9ba2b42f27 100644 --- a/crypto/openssl/crypto/des/Makefile.ssl +++ b/crypto/openssl/crypto/des/Makefile.ssl @@ -22,6 +22,7 @@ DES_ENC= des_enc.o fcrypt_b.o #DES_ENC= dx86-elf.o yx86-elf.o CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=destest.c @@ -96,7 +97,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) @@ -157,12 +158,13 @@ cfb64enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h cfb64enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h cfb64enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h cfb64enc.o: cfb64enc.c des_locl.h -cfb_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h -cfb_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h -cfb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -cfb_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -cfb_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h -cfb_enc.o: ../../include/openssl/ui_compat.h cfb_enc.c des_locl.h +cfb_enc.o: ../../e_os.h ../../include/openssl/crypto.h +cfb_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h +cfb_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +cfb_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +cfb_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +cfb_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h +cfb_enc.o: cfb_enc.c des_locl.h des_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h des_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h des_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h @@ -191,13 +193,13 @@ ecb3_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h ecb3_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ecb3_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h ecb3_enc.o: des_locl.h ecb3_enc.c -ecb_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h -ecb_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h -ecb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -ecb_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -ecb_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h -ecb_enc.o: ../../include/openssl/ui_compat.h des_locl.h des_ver.h ecb_enc.c -ecb_enc.o: spr.h +ecb_enc.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h +ecb_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h +ecb_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +ecb_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +ecb_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +ecb_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h +ecb_enc.o: des_locl.h des_ver.h ecb_enc.c spr.h ede_cbcm_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h ede_cbcm_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h ede_cbcm_enc.o: ../../include/openssl/opensslconf.h diff --git a/crypto/openssl/crypto/des/cfb_enc.c b/crypto/openssl/crypto/des/cfb_enc.c index 2600bdfc93a9..03cabb223cdf 100644 --- a/crypto/openssl/crypto/des/cfb_enc.c +++ b/crypto/openssl/crypto/des/cfb_enc.c @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include "e_os.h" #include "des_locl.h" /* The input and output are loaded in multiples of 8 bits. @@ -64,17 +65,15 @@ * the second. The second 12 bits will come from the 3rd and half the 4th * byte. */ -/* WARNING WARNING: this uses in and out in 8-byte chunks regardless of - * length */ /* Until Aug 1 2003 this function did not correctly implement CFB-r, so it * will not be compatible with any encryption prior to that date. Ben. */ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc) { - register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8; - register unsigned long l=length; - register int num=numbits; + register DES_LONG d0,d1,v0,v1; + register unsigned long l=length,n=(numbits+7)/8; + register int num=numbits,i; DES_LONG ti[2]; unsigned char *iv; unsigned char ovec[16]; @@ -114,10 +113,10 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); /* now the remaining bits */ if(num%8 != 0) - for(n=0 ; n < 8 ; ++n) + for(i=0 ; i < 8 ; ++i) { - ovec[n]<<=num%8; - ovec[n]|=ovec[n+1]>>(8-num%8); + ovec[i]<<=num%8; + ovec[i]|=ovec[i+1]>>(8-num%8); } iv=&ovec[0]; c2l(iv,v0); @@ -152,10 +151,10 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); /* now the remaining bits */ if(num%8 != 0) - for(n=0 ; n < 8 ; ++n) + for(i=0 ; i < 8 ; ++i) { - ovec[n]<<=num%8; - ovec[n]|=ovec[n+1]>>(8-num%8); + ovec[i]<<=num%8; + ovec[i]|=ovec[i+1]>>(8-num%8); } iv=&ovec[0]; c2l(iv,v0); diff --git a/crypto/openssl/crypto/des/ecb_enc.c b/crypto/openssl/crypto/des/ecb_enc.c index 1b70f68806d9..784aa5ba23d2 100644 --- a/crypto/openssl/crypto/des/ecb_enc.c +++ b/crypto/openssl/crypto/des/ecb_enc.c @@ -60,6 +60,7 @@ #include "des_ver.h" #include "spr.h" #include <openssl/opensslv.h> +#include <openssl/bio.h> OPENSSL_GLOBAL const char *libdes_version="libdes" OPENSSL_VERSION_PTEXT; OPENSSL_GLOBAL const char *DES_version="DES" OPENSSL_VERSION_PTEXT; @@ -97,7 +98,8 @@ const char *DES_options(void) size="int"; else size="long"; - sprintf(buf,"des(%s,%s,%s,%s)",ptr,risc,unroll,size); + BIO_snprintf(buf,sizeof buf,"des(%s,%s,%s,%s)",ptr,risc,unroll, + size); init=0; } return(buf); diff --git a/crypto/openssl/crypto/dh/Makefile.ssl b/crypto/openssl/crypto/dh/Makefile.ssl index 1c447e971f87..e05fc01a1283 100644 --- a/crypto/openssl/crypto/dh/Makefile.ssl +++ b/crypto/openssl/crypto/dh/Makefile.ssl @@ -47,7 +47,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/dsa/Makefile.ssl b/crypto/openssl/crypto/dsa/Makefile.ssl index 014d0063477e..e5f8a8cf514f 100644 --- a/crypto/openssl/crypto/dsa/Makefile.ssl +++ b/crypto/openssl/crypto/dsa/Makefile.ssl @@ -49,7 +49,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/dso/Makefile.ssl b/crypto/openssl/crypto/dso/Makefile.ssl index 3d00363bb664..c0449d184e5b 100644 --- a/crypto/openssl/crypto/dso/Makefile.ssl +++ b/crypto/openssl/crypto/dso/Makefile.ssl @@ -49,7 +49,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/dso/dso_lib.c b/crypto/openssl/crypto/dso/dso_lib.c index 556069b9b824..48d9fdb25e2b 100644 --- a/crypto/openssl/crypto/dso/dso_lib.c +++ b/crypto/openssl/crypto/dso/dso_lib.c @@ -383,7 +383,7 @@ int DSO_set_filename(DSO *dso, const char *filename) DSOerr(DSO_F_DSO_SET_FILENAME,ERR_R_MALLOC_FAILURE); return(0); } - strcpy(copied, filename); + BUF_strlcpy(copied, filename, strlen(filename) + 1); if(dso->filename) OPENSSL_free(dso->filename); dso->filename = copied; @@ -422,7 +422,7 @@ char *DSO_convert_filename(DSO *dso, const char *filename) ERR_R_MALLOC_FAILURE); return(NULL); } - strcpy(result, filename); + BUF_strlcpy(result, filename, strlen(filename) + 1); } return(result); } diff --git a/crypto/openssl/crypto/ec/Makefile.ssl b/crypto/openssl/crypto/ec/Makefile.ssl index c34a49c1b149..a2805c47a2f5 100644 --- a/crypto/openssl/crypto/ec/Makefile.ssl +++ b/crypto/openssl/crypto/ec/Makefile.ssl @@ -50,7 +50,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/ec/ecp_smpl.c b/crypto/openssl/crypto/ec/ecp_smpl.c index 4666a052bfab..e9a51fb87a1c 100644 --- a/crypto/openssl/crypto/ec/ecp_smpl.c +++ b/crypto/openssl/crypto/ec/ecp_smpl.c @@ -896,7 +896,7 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } form = buf[0]; y_bit = form & 1; - form = form & ~1; + form = form & ~1U; if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED) && (form != POINT_CONVERSION_UNCOMPRESSED) && (form != POINT_CONVERSION_HYBRID)) diff --git a/crypto/openssl/crypto/engine/Makefile.ssl b/crypto/openssl/crypto/engine/Makefile.ssl index 847d6724000c..30a4446ff969 100644 --- a/crypto/openssl/crypto/engine/Makefile.ssl +++ b/crypto/openssl/crypto/engine/Makefile.ssl @@ -57,7 +57,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/engine/eng_ctrl.c b/crypto/openssl/crypto/engine/eng_ctrl.c index ad3858395bed..412c73fb0fd3 100644 --- a/crypto/openssl/crypto/engine/eng_ctrl.c +++ b/crypto/openssl/crypto/engine/eng_ctrl.c @@ -160,15 +160,19 @@ static int int_ctrl_helper(ENGINE *e, int cmd, long i, void *p, void (*f)()) case ENGINE_CTRL_GET_NAME_LEN_FROM_CMD: return strlen(e->cmd_defns[idx].cmd_name); case ENGINE_CTRL_GET_NAME_FROM_CMD: - return sprintf(s, "%s", e->cmd_defns[idx].cmd_name); + return BIO_snprintf(s,strlen(e->cmd_defns[idx].cmd_name) + 1, + "%s", e->cmd_defns[idx].cmd_name); case ENGINE_CTRL_GET_DESC_LEN_FROM_CMD: if(e->cmd_defns[idx].cmd_desc) return strlen(e->cmd_defns[idx].cmd_desc); return strlen(int_no_description); case ENGINE_CTRL_GET_DESC_FROM_CMD: if(e->cmd_defns[idx].cmd_desc) - return sprintf(s, "%s", e->cmd_defns[idx].cmd_desc); - return sprintf(s, "%s", int_no_description); + return BIO_snprintf(s, + strlen(e->cmd_defns[idx].cmd_desc) + 1, + "%s", e->cmd_defns[idx].cmd_desc); + return BIO_snprintf(s, strlen(int_no_description) + 1,"%s", + int_no_description); case ENGINE_CTRL_GET_CMD_FLAGS: return e->cmd_defns[idx].cmd_flags; } diff --git a/crypto/openssl/crypto/engine/eng_fat.c b/crypto/openssl/crypto/engine/eng_fat.c index 0d7dae00b243..7ccf7022ee38 100644 --- a/crypto/openssl/crypto/engine/eng_fat.c +++ b/crypto/openssl/crypto/engine/eng_fat.c @@ -107,14 +107,14 @@ static int int_def_cb(const char *alg, int len, void *arg) } -int ENGINE_set_default_string(ENGINE *e, const char *list) +int ENGINE_set_default_string(ENGINE *e, const char *def_list) { unsigned int flags = 0; - if (!CONF_parse_list(list, ',', 1, int_def_cb, &flags)) + if (!CONF_parse_list(def_list, ',', 1, int_def_cb, &flags)) { ENGINEerr(ENGINE_F_ENGINE_SET_DEFAULT_STRING, ENGINE_R_INVALID_STRING); - ERR_add_error_data(2, "str=",list); + ERR_add_error_data(2, "str=",def_list); return 0; } return ENGINE_set_default(e, flags); diff --git a/crypto/openssl/crypto/engine/engine.h b/crypto/openssl/crypto/engine/engine.h index 9c3ab182d379..900f75ce8d6d 100644 --- a/crypto/openssl/crypto/engine/engine.h +++ b/crypto/openssl/crypto/engine/engine.h @@ -513,7 +513,7 @@ ENGINE *ENGINE_get_digest_engine(int nid); * structure will have had its reference count up'd so the caller * should still free their own reference 'e'. */ int ENGINE_set_default_RSA(ENGINE *e); -int ENGINE_set_default_string(ENGINE *e, const char *list); +int ENGINE_set_default_string(ENGINE *e, const char *def_list); /* Same for the other "methods" */ int ENGINE_set_default_DSA(ENGINE *e); int ENGINE_set_default_DH(ENGINE *e); @@ -616,17 +616,20 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id, const dynamic_fns *fns); #define IMPLEMENT_DYNAMIC_BIND_FN(fn) \ int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { \ - if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \ - fns->mem_fns.realloc_cb, fns->mem_fns.free_cb)) \ - return 0; \ - CRYPTO_set_locking_callback(fns->lock_fns.lock_locking_cb); \ - CRYPTO_set_add_lock_callback(fns->lock_fns.lock_add_lock_cb); \ - CRYPTO_set_dynlock_create_callback(fns->lock_fns.dynlock_create_cb); \ - CRYPTO_set_dynlock_lock_callback(fns->lock_fns.dynlock_lock_cb); \ - CRYPTO_set_dynlock_destroy_callback(fns->lock_fns.dynlock_destroy_cb); \ - if(!CRYPTO_set_ex_data_implementation(fns->ex_data_fns)) \ - return 0; \ - if(!ERR_set_implementation(fns->err_fns)) return 0; \ + if (ERR_get_implementation() != fns->err_fns) \ + { \ + if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \ + fns->mem_fns.realloc_cb, fns->mem_fns.free_cb)) \ + return 0; \ + CRYPTO_set_locking_callback(fns->lock_fns.lock_locking_cb); \ + CRYPTO_set_add_lock_callback(fns->lock_fns.lock_add_lock_cb); \ + CRYPTO_set_dynlock_create_callback(fns->lock_fns.dynlock_create_cb); \ + CRYPTO_set_dynlock_lock_callback(fns->lock_fns.dynlock_lock_cb); \ + CRYPTO_set_dynlock_destroy_callback(fns->lock_fns.dynlock_destroy_cb); \ + if(!CRYPTO_set_ex_data_implementation(fns->ex_data_fns)) \ + return 0; \ + if(!ERR_set_implementation(fns->err_fns)) return 0; \ + } \ if(!fn(e,id)) return 0; \ return 1; } diff --git a/crypto/openssl/crypto/engine/hw_cryptodev.c b/crypto/openssl/crypto/engine/hw_cryptodev.c index 40af97ac248b..467c0daa1b66 100644 --- a/crypto/openssl/crypto/engine/hw_cryptodev.c +++ b/crypto/openssl/crypto/engine/hw_cryptodev.c @@ -12,9 +12,6 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the author nor the names of contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED @@ -874,7 +871,6 @@ cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) goto err; } - printf("bar\n"); memset(&kop, 0, sizeof kop); kop.crk_op = CRK_DSA_SIGN; @@ -1054,14 +1050,17 @@ ENGINE_load_cryptodev(void) if (engine == NULL) return; - if ((fd = get_dev_crypto()) < 0) + if ((fd = get_dev_crypto()) < 0) { + ENGINE_free(engine); return; + } /* * find out what asymmetric crypto algorithms we support */ if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) { close(fd); + ENGINE_free(engine); return; } close(fd); diff --git a/crypto/openssl/crypto/err/Makefile.ssl b/crypto/openssl/crypto/err/Makefile.ssl index 390bde1f1680..b253061d0727 100644 --- a/crypto/openssl/crypto/err/Makefile.ssl +++ b/crypto/openssl/crypto/err/Makefile.ssl @@ -47,7 +47,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/err/err.c b/crypto/openssl/crypto/err/err.c index 633a1addfe8c..792f32960096 100644 --- a/crypto/openssl/crypto/err/err.c +++ b/crypto/openssl/crypto/err/err.c @@ -1065,7 +1065,7 @@ void ERR_add_error_data(int num, ...) else str=p; } - strcat(str,a); + BUF_strlcat(str,a,s+1); } } ERR_set_error_data(str,ERR_TXT_MALLOCED|ERR_TXT_STRING); diff --git a/crypto/openssl/crypto/evp/Makefile.ssl b/crypto/openssl/crypto/evp/Makefile.ssl index 772afd71f5a0..f33aebd33a2c 100644 --- a/crypto/openssl/crypto/evp/Makefile.ssl +++ b/crypto/openssl/crypto/evp/Makefile.ssl @@ -67,7 +67,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) cp $(TESTDATA) ../../test diff --git a/crypto/openssl/crypto/evp/bio_ok.c b/crypto/openssl/crypto/evp/bio_ok.c index 530ab937cea7..4e3f10141bf3 100644 --- a/crypto/openssl/crypto/evp/bio_ok.c +++ b/crypto/openssl/crypto/evp/bio_ok.c @@ -102,7 +102,7 @@ *) digest is initialized with random seed instead of standardized one. - *) same seed is written to ouput + *) same seed is written to output *) well-known text is then hashed and the output of the digest is also written to output. diff --git a/crypto/openssl/crypto/evp/digest.c b/crypto/openssl/crypto/evp/digest.c index b22eed442115..0623ddf1f05f 100644 --- a/crypto/openssl/crypto/evp/digest.c +++ b/crypto/openssl/crypto/evp/digest.c @@ -248,6 +248,7 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) { + unsigned char *tmp_buf; if ((in == NULL) || (in->digest == NULL)) { EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED); @@ -262,15 +263,22 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) } #endif + if (out->digest == in->digest) + { + tmp_buf = out->md_data; + EVP_MD_CTX_set_flags(out,EVP_MD_CTX_FLAG_REUSE); + } + else tmp_buf = NULL; EVP_MD_CTX_cleanup(out); memcpy(out,in,sizeof *out); if (out->digest->ctx_size) { - out->md_data=OPENSSL_malloc(out->digest->ctx_size); + if (tmp_buf) out->md_data = tmp_buf; + else out->md_data=OPENSSL_malloc(out->digest->ctx_size); memcpy(out->md_data,in->md_data,out->digest->ctx_size); } - + if (out->digest->copy) return out->digest->copy(out,in); @@ -308,7 +316,8 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) if (ctx->digest && ctx->digest->cleanup && !EVP_MD_CTX_test_flags(ctx,EVP_MD_CTX_FLAG_CLEANED)) ctx->digest->cleanup(ctx); - if (ctx->digest && ctx->digest->ctx_size && ctx->md_data) + if (ctx->digest && ctx->digest->ctx_size && ctx->md_data + && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) { OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); diff --git a/crypto/openssl/crypto/evp/evp.h b/crypto/openssl/crypto/evp/evp.h index 45a25f968d9f..4801d8eaa3b5 100644 --- a/crypto/openssl/crypto/evp/evp.h +++ b/crypto/openssl/crypto/evp/evp.h @@ -329,6 +329,8 @@ struct env_md_ctx_st * once only */ #define EVP_MD_CTX_FLAG_CLEANED 0x0002 /* context has already been * cleaned */ +#define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data + * in EVP_MD_CTX_cleanup */ struct evp_cipher_st { diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c index be0758a87965..8ea5aa935dda 100644 --- a/crypto/openssl/crypto/evp/evp_enc.c +++ b/crypto/openssl/crypto/evp/evp_enc.c @@ -148,7 +148,19 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp #endif ctx->cipher=cipher; - ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size); + if (ctx->cipher->ctx_size) + { + ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size); + if (!ctx->cipher_data) + { + EVPerr(EVP_F_EVP_CIPHERINIT, ERR_R_MALLOC_FAILURE); + return 0; + } + } + else + { + ctx->cipher_data = NULL; + } ctx->key_len = cipher->key_len; ctx->flags = 0; if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT) diff --git a/crypto/openssl/crypto/evp/evp_pbe.c b/crypto/openssl/crypto/evp/evp_pbe.c index 0da88fdcffe2..91e545a1416d 100644 --- a/crypto/openssl/crypto/evp/evp_pbe.c +++ b/crypto/openssl/crypto/evp/evp_pbe.c @@ -87,7 +87,7 @@ int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen, if (i == -1) { char obj_tmp[80]; EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_PBE_ALGORITHM); - if (!pbe_obj) strcpy (obj_tmp, "NULL"); + if (!pbe_obj) BUF_strlcpy (obj_tmp, "NULL", sizeof obj_tmp); else i2t_ASN1_OBJECT(obj_tmp, sizeof obj_tmp, pbe_obj); ERR_add_error_data(2, "TYPE=", obj_tmp); return 0; diff --git a/crypto/openssl/crypto/evp/evp_pkey.c b/crypto/openssl/crypto/evp/evp_pkey.c index 34b5b1d21ccb..eb481ec661da 100644 --- a/crypto/openssl/crypto/evp/evp_pkey.c +++ b/crypto/openssl/crypto/evp/evp_pkey.c @@ -210,7 +210,7 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8) #endif default: EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM); - if (!a->algorithm) strcpy (obj_tmp, "NULL"); + if (!a->algorithm) BUF_strlcpy (obj_tmp, "NULL", sizeof obj_tmp); else i2t_ASN1_OBJECT(obj_tmp, 80, a->algorithm); ERR_add_error_data(2, "TYPE=", obj_tmp); EVP_PKEY_free (pkey); diff --git a/crypto/openssl/crypto/hmac/Makefile.ssl b/crypto/openssl/crypto/hmac/Makefile.ssl index d48df0597e02..f1c07322c4bb 100644 --- a/crypto/openssl/crypto/hmac/Makefile.ssl +++ b/crypto/openssl/crypto/hmac/Makefile.ssl @@ -47,7 +47,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/idea/Makefile.ssl b/crypto/openssl/crypto/idea/Makefile.ssl index ca4b76fc2f4a..fa016ea399e3 100644 --- a/crypto/openssl/crypto/idea/Makefile.ssl +++ b/crypto/openssl/crypto/idea/Makefile.ssl @@ -47,7 +47,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/krb5/Makefile.ssl b/crypto/openssl/crypto/krb5/Makefile.ssl index 7136d7a4023c..d9224c0f092d 100644 --- a/crypto/openssl/crypto/krb5/Makefile.ssl +++ b/crypto/openssl/crypto/krb5/Makefile.ssl @@ -48,7 +48,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile ; + @sh $(TOP)/util/point.sh Makefile.ssl Makefile ; @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/lhash/Makefile.ssl b/crypto/openssl/crypto/lhash/Makefile.ssl index 1902e4a8998d..60e7ee339315 100644 --- a/crypto/openssl/crypto/lhash/Makefile.ssl +++ b/crypto/openssl/crypto/lhash/Makefile.ssl @@ -47,7 +47,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/md2/Makefile.ssl b/crypto/openssl/crypto/md2/Makefile.ssl index e5b3265a442e..3206924c900a 100644 --- a/crypto/openssl/crypto/md2/Makefile.ssl +++ b/crypto/openssl/crypto/md2/Makefile.ssl @@ -47,7 +47,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/md4/Makefile.ssl b/crypto/openssl/crypto/md4/Makefile.ssl index 4d2d7369e621..7d2e8d8d3b31 100644 --- a/crypto/openssl/crypto/md4/Makefile.ssl +++ b/crypto/openssl/crypto/md4/Makefile.ssl @@ -48,7 +48,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/md5/Makefile.ssl b/crypto/openssl/crypto/md5/Makefile.ssl index 2d4df972ffb6..2361775a2dc8 100644 --- a/crypto/openssl/crypto/md5/Makefile.ssl +++ b/crypto/openssl/crypto/md5/Makefile.ssl @@ -84,7 +84,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/mdc2/Makefile.ssl b/crypto/openssl/crypto/mdc2/Makefile.ssl index 387d7f8cd895..33f366fb087d 100644 --- a/crypto/openssl/crypto/mdc2/Makefile.ssl +++ b/crypto/openssl/crypto/mdc2/Makefile.ssl @@ -47,7 +47,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/mem.c b/crypto/openssl/crypto/mem.c index 29df7d35b248..dd86733b7705 100644 --- a/crypto/openssl/crypto/mem.c +++ b/crypto/openssl/crypto/mem.c @@ -252,7 +252,7 @@ void *CRYPTO_malloc_locked(int num, const char *file, int line) void *ret = NULL; extern unsigned char cleanse_ctr; - if (num < 0) return NULL; + if (num <= 0) return NULL; allow_customize = 0; if (malloc_debug_func != NULL) @@ -293,7 +293,7 @@ void *CRYPTO_malloc(int num, const char *file, int line) void *ret = NULL; extern unsigned char cleanse_ctr; - if (num < 0) return NULL; + if (num <= 0) return NULL; allow_customize = 0; if (malloc_debug_func != NULL) @@ -324,7 +324,7 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line) if (str == NULL) return CRYPTO_malloc(num, file, line); - if (num < 0) return NULL; + if (num <= 0) return NULL; if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); @@ -346,17 +346,21 @@ void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, if (str == NULL) return CRYPTO_malloc(num, file, line); - if (num < 0) return NULL; + if (num <= 0) return NULL; if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret=malloc_ex_func(num,file,line); if(ret) + { memcpy(ret,str,old_len); - OPENSSL_cleanse(str,old_len); - free_func(str); + OPENSSL_cleanse(str,old_len); + free_func(str); + } #ifdef LEVITTE_DEBUG_MEM - fprintf(stderr, "LEVITTE_DEBUG_MEM: | 0x%p -> 0x%p (%d)\n", str, ret, num); + fprintf(stderr, + "LEVITTE_DEBUG_MEM: | 0x%p -> 0x%p (%d)\n", + str, ret, num); #endif if (realloc_debug_func != NULL) realloc_debug_func(str, ret, num, file, line, 1); diff --git a/crypto/openssl/crypto/mem_dbg.c b/crypto/openssl/crypto/mem_dbg.c index 57bd08f65d92..e212de27e488 100644 --- a/crypto/openssl/crypto/mem_dbg.c +++ b/crypto/openssl/crypto/mem_dbg.c @@ -597,6 +597,8 @@ static void print_leak(const MEM *m, MEM_LEAK *l) struct tm *lcl = NULL; unsigned long ti; +#define BUF_REMAIN (sizeof buf - (size_t)(bufp - buf)) + if(m->addr == (char *)l->bio) return; @@ -604,22 +606,22 @@ static void print_leak(const MEM *m, MEM_LEAK *l) { lcl = localtime(&m->time); - sprintf(bufp, "[%02d:%02d:%02d] ", + BIO_snprintf(bufp, BUF_REMAIN, "[%02d:%02d:%02d] ", lcl->tm_hour,lcl->tm_min,lcl->tm_sec); bufp += strlen(bufp); } - sprintf(bufp, "%5lu file=%s, line=%d, ", + BIO_snprintf(bufp, BUF_REMAIN, "%5lu file=%s, line=%d, ", m->order,m->file,m->line); bufp += strlen(bufp); if (options & V_CRYPTO_MDEBUG_THREAD) { - sprintf(bufp, "thread=%lu, ", m->thread); + BIO_snprintf(bufp, BUF_REMAIN, "thread=%lu, ", m->thread); bufp += strlen(bufp); } - sprintf(bufp, "number=%d, address=%08lX\n", + BIO_snprintf(bufp, BUF_REMAIN, "number=%d, address=%08lX\n", m->num,(unsigned long)m->addr); bufp += strlen(bufp); @@ -641,7 +643,7 @@ static void print_leak(const MEM *m, MEM_LEAK *l) ami_cnt++; memset(buf,'>',ami_cnt); - sprintf(buf + ami_cnt, + BIO_snprintf(buf + ami_cnt, sizeof buf - ami_cnt, " thread=%lu, file=%s, line=%d, info=\"", amip->thread, amip->file, amip->line); buf_len=strlen(buf); @@ -653,10 +655,11 @@ static void print_leak(const MEM *m, MEM_LEAK *l) } else { - strcpy(buf + buf_len, amip->info); + BUF_strlcpy(buf + buf_len, amip->info, + sizeof buf - buf_len); buf_len = strlen(buf); } - sprintf(buf + buf_len, "\"\n"); + BIO_snprintf(buf + buf_len, sizeof buf - buf_len, "\"\n"); BIO_puts(l->bio,buf); diff --git a/crypto/openssl/crypto/objects/Makefile.ssl b/crypto/openssl/crypto/objects/Makefile.ssl index 1f5d213495b9..3e7a194cf990 100644 --- a/crypto/openssl/crypto/objects/Makefile.ssl +++ b/crypto/openssl/crypto/objects/Makefile.ssl @@ -55,7 +55,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/objects/obj_dat.c b/crypto/openssl/crypto/objects/obj_dat.c index 5d983e3ed472..4534dc09856e 100644 --- a/crypto/openssl/crypto/objects/obj_dat.c +++ b/crypto/openssl/crypto/objects/obj_dat.c @@ -462,7 +462,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) if (i > 2) i=2; l-=(long)(i*40); - sprintf(tbuf,"%d.%lu",i,l); + BIO_snprintf(tbuf,sizeof tbuf,"%d.%lu",i,l); i=strlen(tbuf); BUF_strlcpy(buf,tbuf,buf_len); buf_len-=i; @@ -473,7 +473,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) for (; idx<len; idx++) { l|=p[idx]&0x7f; if (!(p[idx] & 0x80)) { - sprintf(tbuf,".%lu",l); + BIO_snprintf(tbuf,sizeof tbuf,".%lu",l); i=strlen(tbuf); if (buf_len > 0) BUF_strlcpy(buf,tbuf,buf_len); diff --git a/crypto/openssl/crypto/objects/obj_dat.pl b/crypto/openssl/crypto/objects/obj_dat.pl index 5dfb84ea0045..d0371661f973 100644 --- a/crypto/openssl/crypto/objects/obj_dat.pl +++ b/crypto/openssl/crypto/objects/obj_dat.pl @@ -1,5 +1,9 @@ #!/usr/local/bin/perl +# fixes bug in floating point emulation on sparc64 when +# this script produces off-by-one output on sparc64 +use integer; + sub obj_cmp { local(@a,@b,$_,$r); diff --git a/crypto/openssl/crypto/ocsp/Makefile.ssl b/crypto/openssl/crypto/ocsp/Makefile.ssl index 8d5a85a55cae..02477be53868 100644 --- a/crypto/openssl/crypto/ocsp/Makefile.ssl +++ b/crypto/openssl/crypto/ocsp/Makefile.ssl @@ -50,7 +50,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile ; + @sh $(TOP)/util/point.sh Makefile.ssl Makefile ; @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/ocsp/ocsp_ext.c b/crypto/openssl/crypto/ocsp/ocsp_ext.c index d6c8899f58e0..57399433fc42 100755 --- a/crypto/openssl/crypto/ocsp/ocsp_ext.c +++ b/crypto/openssl/crypto/ocsp/ocsp_ext.c @@ -305,6 +305,8 @@ err: /* Add a nonce to an extension stack. A nonce can be specificed or if NULL * a random nonce will be generated. + * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the + * nonce, previous versions used the raw nonce. */ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len) @@ -313,20 +315,28 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, ASN1_OCTET_STRING os; int ret = 0; if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH; - if (val) tmpval = val; + /* Create the OCTET STRING manually by writing out the header and + * appending the content octets. This avoids an extra memory allocation + * operation in some cases. Applications should *NOT* do this because + * it relies on library internals. + */ + os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING); + os.data = OPENSSL_malloc(os.length); + if (os.data == NULL) + goto err; + tmpval = os.data; + ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL); + if (val) + memcpy(tmpval, val, len); else - { - if (!(tmpval = OPENSSL_malloc(len))) goto err; RAND_pseudo_bytes(tmpval, len); - } - os.data = tmpval; - os.length = len; if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0, X509V3_ADD_REPLACE)) goto err; ret = 1; err: - if(!val) OPENSSL_free(tmpval); + if (os.data) + OPENSSL_free(os.data); return ret; } diff --git a/crypto/openssl/crypto/ocsp/ocsp_lib.c b/crypto/openssl/crypto/ocsp/ocsp_lib.c index 3875af165c71..9e87fc78957e 100755 --- a/crypto/openssl/crypto/ocsp/ocsp_lib.c +++ b/crypto/openssl/crypto/ocsp/ocsp_lib.c @@ -253,6 +253,7 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss err: + if (buf) OPENSSL_free(buf); if (*ppath) OPENSSL_free(*ppath); if (*pport) OPENSSL_free(*pport); if (*phost) OPENSSL_free(*phost); diff --git a/crypto/openssl/crypto/ocsp/ocsp_vfy.c b/crypto/openssl/crypto/ocsp/ocsp_vfy.c index 1f5fda7ca310..3d58dfb06cf3 100644 --- a/crypto/openssl/crypto/ocsp/ocsp_vfy.c +++ b/crypto/openssl/crypto/ocsp/ocsp_vfy.c @@ -3,7 +3,7 @@ * project 2000. */ /* ==================================================================== - * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -272,7 +272,7 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) for (i = 1; i < idcount; i++) { - tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; + tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; /* Check to see if IDs match */ if (OCSP_id_issuer_cmp(cid, tmpid)) { @@ -330,7 +330,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, OCSP_CERTID *tmpid; for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) { - tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; + tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; ret = ocsp_match_issuerid(cert, tmpid, NULL); if (ret <= 0) return ret; } diff --git a/crypto/openssl/crypto/opensslconf.h b/crypto/openssl/crypto/opensslconf.h index fe6ff88bdc6a..492041bc7cb5 100644 --- a/crypto/openssl/crypto/opensslconf.h +++ b/crypto/openssl/crypto/opensslconf.h @@ -2,9 +2,6 @@ /* WARNING: Generated automatically from opensslconf.h.in by Configure. */ /* OpenSSL was configured with the following options: */ -#ifndef OPENSSL_SYSNAME_WIN16 -# define OPENSSL_SYSNAME_WIN16 -#endif #ifndef OPENSSL_DOING_MAKEDEPEND #ifndef OPENSSL_NO_KRB5 @@ -44,7 +41,7 @@ #endif #if defined(HEADER_MD2_H) && !defined(MD2_INT) -#define MD2_INT unsigned char +#define MD2_INT unsigned int #endif #if defined(HEADER_RC2_H) && !defined(RC2_INT) @@ -101,7 +98,7 @@ #define CONFIG_HEADER_RC4_LOCL_H /* if this is defined data[i] is used instead of *data, this is a %20 * speedup on x86 */ -#define RC4_INDEX +#undef RC4_INDEX #endif #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) @@ -115,7 +112,7 @@ /* the following is tweaked from a config script, that is why it is a * protected undef/define */ #ifndef DES_PTR -#define DES_PTR +#undef DES_PTR #endif /* This helps C compiler generate the correct code for multiple functional @@ -136,7 +133,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! /* Unroll the inner loop, this sometimes helps, sometimes hinders. * Very mucy CPU dependant */ #ifndef DES_UNROLL -#define DES_UNROLL +#undef DES_UNROLL #endif /* These default values were supplied by diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index e226d9de7969..02f1710fb3f6 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090703fL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7c 30 Sep 2003" +#define OPENSSL_VERSION_NUMBER 0x0090704fL +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d 17 Mar 2004" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl/crypto/pem/Makefile.ssl b/crypto/openssl/crypto/pem/Makefile.ssl index 90eda931f73a..d3043eb4013f 100644 --- a/crypto/openssl/crypto/pem/Makefile.ssl +++ b/crypto/openssl/crypto/pem/Makefile.ssl @@ -50,7 +50,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: $(EXHEADER) - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/pem/pem_lib.c b/crypto/openssl/crypto/pem/pem_lib.c index 70b5446797e9..7785039b993c 100644 --- a/crypto/openssl/crypto/pem/pem_lib.c +++ b/crypto/openssl/crypto/pem/pem_lib.c @@ -131,9 +131,9 @@ void PEM_proc_type(char *buf, int type) else str="BAD-TYPE"; - strcat(buf,"Proc-Type: 4,"); - strcat(buf,str); - strcat(buf,"\n"); + BUF_strlcat(buf,"Proc-Type: 4,",PEM_BUFSIZE); + BUF_strlcat(buf,str,PEM_BUFSIZE); + BUF_strlcat(buf,"\n",PEM_BUFSIZE); } void PEM_dek_info(char *buf, const char *type, int len, char *str) @@ -142,10 +142,12 @@ void PEM_dek_info(char *buf, const char *type, int len, char *str) long i; int j; - strcat(buf,"DEK-Info: "); - strcat(buf,type); - strcat(buf,","); + BUF_strlcat(buf,"DEK-Info: ",PEM_BUFSIZE); + BUF_strlcat(buf,type,PEM_BUFSIZE); + BUF_strlcat(buf,",",PEM_BUFSIZE); j=strlen(buf); + if (j + (len * 2) + 1 > PEM_BUFSIZE) + return; for (i=0; i<len; i++) { buf[j+i*2] =map[(str[i]>>4)&0x0f]; @@ -533,7 +535,7 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, long len) { int nlen,n,i,j,outl; - unsigned char *buf; + unsigned char *buf = NULL; EVP_ENCODE_CTX ctx; int reason=ERR_R_BUF_LIB; @@ -553,7 +555,7 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, goto err; } - buf=(unsigned char *)OPENSSL_malloc(PEM_BUFSIZE*8); + buf = OPENSSL_malloc(PEM_BUFSIZE*8); if (buf == NULL) { reason=ERR_R_MALLOC_FAILURE; @@ -574,12 +576,15 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, EVP_EncodeFinal(&ctx,buf,&outl); if ((outl > 0) && (BIO_write(bp,(char *)buf,outl) != outl)) goto err; OPENSSL_free(buf); + buf = NULL; if ( (BIO_write(bp,"-----END ",9) != 9) || (BIO_write(bp,name,nlen) != nlen) || (BIO_write(bp,"-----\n",6) != 6)) goto err; return(i+outl); err: + if (buf) + OPENSSL_free(buf); PEMerr(PEM_F_PEM_WRITE_BIO,reason); return(0); } diff --git a/crypto/openssl/crypto/pem/pem_pkey.c b/crypto/openssl/crypto/pem/pem_pkey.c index d96ecf694067..f77c949e87b3 100644 --- a/crypto/openssl/crypto/pem/pem_pkey.c +++ b/crypto/openssl/crypto/pem/pem_pkey.c @@ -87,6 +87,10 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len); if(!p8inf) goto p8err; ret = EVP_PKCS82PKEY(p8inf); + if(x) { + if(*x) EVP_PKEY_free((EVP_PKEY *)*x); + *x = ret; + } PKCS8_PRIV_KEY_INFO_free(p8inf); } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) { PKCS8_PRIV_KEY_INFO *p8inf; diff --git a/crypto/openssl/crypto/pkcs12/Makefile.ssl b/crypto/openssl/crypto/pkcs12/Makefile.ssl index b4c564262cb3..a6e47b40855b 100644 --- a/crypto/openssl/crypto/pkcs12/Makefile.ssl +++ b/crypto/openssl/crypto/pkcs12/Makefile.ssl @@ -53,7 +53,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/pkcs7/Makefile.ssl b/crypto/openssl/crypto/pkcs7/Makefile.ssl index 69cddb04b8b3..c3bfc7d560e9 100644 --- a/crypto/openssl/crypto/pkcs7/Makefile.ssl +++ b/crypto/openssl/crypto/pkcs7/Makefile.ssl @@ -68,7 +68,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c index 190ca0e9bf57..35c7dcd0b3e7 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -91,17 +91,19 @@ static int PKCS7_type_is_other(PKCS7* p7) } -static int PKCS7_type_is_octet_string(PKCS7* p7) +static ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7) { - if ( 0==PKCS7_type_is_other(p7) ) - return 0; - - return (V_ASN1_OCTET_STRING==p7->d.other->type) ? 1 : 0; + if ( PKCS7_type_is_data(p7)) + return p7->d.data; + if ( PKCS7_type_is_other(p7) && p7->d.other + && (p7->d.other->type == V_ASN1_OCTET_STRING)) + return p7->d.other->value.octet_string; + return NULL; } BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) { - int i,j; + int i; BIO *out=NULL,*btmp=NULL; X509_ALGOR *xa; const EVP_MD *evp_md; @@ -159,8 +161,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) goto err; } - j=OBJ_obj2nid(xa->algorithm); - evp_md=EVP_get_digestbyname(OBJ_nid2sn(j)); + evp_md=EVP_get_digestbyobj(xa->algorithm); if (evp_md == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNKNOWN_DIGEST_TYPE); @@ -250,29 +251,22 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) btmp=NULL; } - if (bio == NULL) { + if (bio == NULL) + { if (PKCS7_is_detached(p7)) bio=BIO_new(BIO_s_null()); - else { - if (PKCS7_type_is_signed(p7) ) { - if ( PKCS7_type_is_data(p7->d.sign->contents)) { - ASN1_OCTET_STRING *os; - os=p7->d.sign->contents->d.data; - if (os->length > 0) - bio = BIO_new_mem_buf(os->data, os->length); - } - else if ( PKCS7_type_is_octet_string(p7->d.sign->contents) ) { - ASN1_OCTET_STRING *os; - os=p7->d.sign->contents->d.other->value.octet_string; - if (os->length > 0) - bio = BIO_new_mem_buf(os->data, os->length); - } - } - if(bio == NULL) { + else + { + ASN1_OCTET_STRING *os; + os = PKCS7_get_octet_string(p7->d.sign->contents); + if (os && os->length > 0) + bio = BIO_new_mem_buf(os->data, os->length); + if(bio == NULL) + { bio=BIO_new(BIO_s_mem()); BIO_set_mem_eof_return(bio,0); + } } - } } BIO_push(out,bio); bio=NULL; @@ -311,7 +305,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) switch (i) { case NID_pkcs7_signed: - data_body=p7->d.sign->contents->d.data; + data_body=PKCS7_get_octet_string(p7->d.sign->contents); md_sk=p7->d.sign->md_algs; break; case NID_pkcs7_signedAndEnveloped: @@ -319,7 +313,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) md_sk=p7->d.signed_and_enveloped->md_algs; data_body=p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm; - evp_cipher=EVP_get_cipherbyname(OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm))); + evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); @@ -331,7 +325,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) rsk=p7->d.enveloped->recipientinfo; enc_alg=p7->d.enveloped->enc_data->algorithm; data_body=p7->d.enveloped->enc_data->enc_data; - evp_cipher=EVP_get_cipherbyname(OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm))); + evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); @@ -357,7 +351,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) } j=OBJ_obj2nid(xa->algorithm); - evp_md=EVP_get_digestbyname(OBJ_nid2sn(j)); + evp_md=EVP_get_digestbynid(j); if (evp_md == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNKNOWN_DIGEST_TYPE); @@ -531,9 +525,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) break; case NID_pkcs7_signed: si_sk=p7->d.sign->signer_info; - os=p7->d.sign->contents->d.data; + os=PKCS7_get_octet_string(p7->d.sign->contents); /* If detached data then the content is excluded */ - if(p7->detached) { + if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { M_ASN1_OCTET_STRING_free(os); p7->d.sign->contents->d.data = NULL; } diff --git a/crypto/openssl/crypto/rand/Makefile.ssl b/crypto/openssl/crypto/rand/Makefile.ssl index b25421e3ab45..e5cbe5319c3c 100644 --- a/crypto/openssl/crypto/rand/Makefile.ssl +++ b/crypto/openssl/crypto/rand/Makefile.ssl @@ -49,7 +49,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) @@ -101,7 +101,8 @@ md_rand.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h md_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h md_rand.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h md_rand.o: md_rand.c rand_lcl.h -rand_egd.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +rand_egd.o: ../../include/openssl/buffer.h ../../include/openssl/e_os2.h +rand_egd.o: ../../include/openssl/opensslconf.h rand_egd.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h rand_egd.o: rand_egd.c rand_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h @@ -186,8 +187,9 @@ rand_win.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h rand_win.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rand_win.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h rand_win.o: ../cryptlib.h rand_lcl.h rand_win.c -randfile.o: ../../e_os.h ../../include/openssl/crypto.h -randfile.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +randfile.o: ../../e_os.h ../../include/openssl/buffer.h +randfile.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +randfile.o: ../../include/openssl/opensslconf.h randfile.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h randfile.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h randfile.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h diff --git a/crypto/openssl/crypto/rand/rand_egd.c b/crypto/openssl/crypto/rand/rand_egd.c index 1f168221e3c9..6f742900a0a2 100644 --- a/crypto/openssl/crypto/rand/rand_egd.c +++ b/crypto/openssl/crypto/rand/rand_egd.c @@ -56,6 +56,7 @@ #include <openssl/e_os2.h> #include <openssl/rand.h> +#include <openssl/buffer.h> /* * Query the EGD <URL: http://www.lothar.com/tech/crypto/>. @@ -145,7 +146,7 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) addr.sun_family = AF_UNIX; if (strlen(path) >= sizeof(addr.sun_path)) return (-1); - strcpy(addr.sun_path,path); + BUF_strlcpy(addr.sun_path,path,sizeof addr.sun_path); len = offsetof(struct sockaddr_un, sun_path) + strlen(path); fd = socket(AF_UNIX, SOCK_STREAM, 0); if (fd == -1) return (-1); diff --git a/crypto/openssl/crypto/rand/rand_unix.c b/crypto/openssl/crypto/rand/rand_unix.c index a776e522431b..0599719dd1d0 100644 --- a/crypto/openssl/crypto/rand/rand_unix.c +++ b/crypto/openssl/crypto/rand/rand_unix.c @@ -124,6 +124,24 @@ #include <unistd.h> #include <time.h> +#ifdef __OpenBSD__ +int RAND_poll(void) +{ + u_int32_t rnd = 0, i; + unsigned char buf[ENTROPY_NEEDED]; + + for (i = 0; i < sizeof(buf); i++) { + if (i % 4 == 0) + rnd = arc4random(); + buf[i] = rnd; + rnd >>= 8; + } + RAND_add(buf, sizeof(buf), ENTROPY_NEEDED); + memset(buf, 0, sizeof(buf)); + + return 1; +} +#else int RAND_poll(void) { unsigned long l; @@ -236,6 +254,7 @@ int RAND_poll(void) } #endif +#endif #if defined(OPENSSL_SYS_VXWORKS) int RAND_poll(void) diff --git a/crypto/openssl/crypto/rand/rand_win.c b/crypto/openssl/crypto/rand/rand_win.c index 263068d25699..3584842224c0 100644 --- a/crypto/openssl/crypto/rand/rand_win.c +++ b/crypto/openssl/crypto/rand/rand_win.c @@ -646,7 +646,7 @@ static void readtimer(void) * Created 960901 by Gertjan van Oosten, gertjan@West.NL, West Consulting B.V. * * Code adapted from - * <URL:http://www.microsoft.com/kb/developr/win_dk/q97193.htm>; + * <URL:http://support.microsoft.com/default.aspx?scid=kb;[LN];97193>; * the original copyright message is: * * (C) Copyright Microsoft Corp. 1993. All rights reserved. diff --git a/crypto/openssl/crypto/rand/randfile.c b/crypto/openssl/crypto/rand/randfile.c index 41574768ab76..f5d0843d139d 100644 --- a/crypto/openssl/crypto/rand/randfile.c +++ b/crypto/openssl/crypto/rand/randfile.c @@ -56,6 +56,9 @@ * [including the GNU Public Licence.] */ +/* We need to define this to get macros like S_IFBLK and S_IFCHR */ +#define _XOPEN_SOURCE 1 + #include <errno.h> #include <stdio.h> #include <stdlib.h> @@ -64,6 +67,7 @@ #include "e_os.h" #include <openssl/crypto.h> #include <openssl/rand.h> +#include <openssl/buffer.h> #ifdef OPENSSL_SYS_VMS #include <unixio.h> @@ -106,6 +110,16 @@ int RAND_load_file(const char *file, long bytes) in=fopen(file,"rb"); if (in == NULL) goto err; +#if defined(S_IFBLK) && defined(S_IFCHR) + if (sb.st_mode & (S_IFBLK | S_IFCHR)) { + /* this file is a device. we don't want read an infinite number + * of bytes from a random device, nor do we want to use buffered + * I/O because we will waste system entropy. + */ + bytes = (bytes == -1) ? 2048 : bytes; /* ok, is 2048 enough? */ + setvbuf(in, NULL, _IONBF, 0); /* don't do buffered reads */ + } +#endif for (;;) { if (bytes > 0) @@ -135,7 +149,22 @@ int RAND_write_file(const char *file) int i,ret=0,rand_err=0; FILE *out = NULL; int n; + struct stat sb; + i=stat(file,&sb); + if (i != -1) { +#if defined(S_IFBLK) && defined(S_IFCHR) + if (sb.st_mode & (S_IFBLK | S_IFCHR)) { + /* this file is a device. we don't write back to it. + * we "succeed" on the assumption this is some sort + * of random device. Otherwise attempting to write to + * and chmod the device causes problems. + */ + return(1); + } +#endif + } + #if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32) /* For some reason Win32 can't write to files created this way */ @@ -197,16 +226,17 @@ err: const char *RAND_file_name(char *buf, size_t size) { char *s=NULL; - char *ret=NULL; + int ok = 0; +#ifdef __OpenBSD__ + struct stat sb; +#endif if (OPENSSL_issetugid() == 0) s=getenv("RANDFILE"); - if (s != NULL) + if (s != NULL && *s && strlen(s) + 1 < size) { - if(strlen(s) >= size) + if (BUF_strlcpy(buf,s,size) >= size) return NULL; - strcpy(buf,s); - ret=buf; } else { @@ -218,17 +248,36 @@ const char *RAND_file_name(char *buf, size_t size) s = DEFAULT_HOME; } #endif - if (s != NULL && (strlen(s)+strlen(RFILE)+2 < size)) + if (s && *s && strlen(s)+strlen(RFILE)+2 < size) { - strcpy(buf,s); + BUF_strlcpy(buf,s,size); #ifndef OPENSSL_SYS_VMS - strcat(buf,"/"); + BUF_strlcat(buf,"/",size); #endif - strcat(buf,RFILE); - ret=buf; + BUF_strlcat(buf,RFILE,size); + ok = 1; } else buf[0] = '\0'; /* no file name */ } - return(ret); + +#ifdef __OpenBSD__ + /* given that all random loads just fail if the file can't be + * seen on a stat, we stat the file we're returning, if it + * fails, use /dev/arandom instead. this allows the user to + * use their own source for good random data, but defaults + * to something hopefully decent if that isn't available. + */ + + if (!ok) + if (BUF_strlcpy(buf,"/dev/arandom",size) >= size) { + return(NULL); + } + if (stat(buf,&sb) == -1) + if (BUF_strlcpy(buf,"/dev/arandom",size) >= size) { + return(NULL); + } + +#endif + return(buf); } diff --git a/crypto/openssl/crypto/rc2/Makefile.ssl b/crypto/openssl/crypto/rc2/Makefile.ssl index aa73dea5b601..98d5960d5d6c 100644 --- a/crypto/openssl/crypto/rc2/Makefile.ssl +++ b/crypto/openssl/crypto/rc2/Makefile.ssl @@ -47,7 +47,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/rc4/Makefile.ssl b/crypto/openssl/crypto/rc4/Makefile.ssl index b210b42f8f4b..3e602662be2b 100644 --- a/crypto/openssl/crypto/rc4/Makefile.ssl +++ b/crypto/openssl/crypto/rc4/Makefile.ssl @@ -25,6 +25,7 @@ RC4_ENC=rc4_enc.o #RC4_ENC=asm/rx86bdsi.o CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=rc4test.c @@ -70,7 +71,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/rc5/Makefile.ssl b/crypto/openssl/crypto/rc5/Makefile.ssl index 3ad665594686..3f9632f8f753 100644 --- a/crypto/openssl/crypto/rc5/Makefile.ssl +++ b/crypto/openssl/crypto/rc5/Makefile.ssl @@ -22,6 +22,7 @@ RC5_ENC= rc5_enc.o #DES_ENC= r586-elf.o CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=rc5test.c @@ -67,7 +68,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/ripemd/Makefile.ssl b/crypto/openssl/crypto/ripemd/Makefile.ssl index 3583dfdcaf32..f22ac790aed3 100644 --- a/crypto/openssl/crypto/ripemd/Makefile.ssl +++ b/crypto/openssl/crypto/ripemd/Makefile.ssl @@ -20,6 +20,7 @@ AR= ar r RIP_ASM_OBJ= CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=rmdtest.c @@ -65,7 +66,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/rsa/Makefile.ssl b/crypto/openssl/crypto/rsa/Makefile.ssl index ce3f818e5b62..8089344a046f 100644 --- a/crypto/openssl/crypto/rsa/Makefile.ssl +++ b/crypto/openssl/crypto/rsa/Makefile.ssl @@ -51,7 +51,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/sha/Makefile.ssl b/crypto/openssl/crypto/sha/Makefile.ssl index 864645c8b547..4ba201c787de 100644 --- a/crypto/openssl/crypto/sha/Makefile.ssl +++ b/crypto/openssl/crypto/sha/Makefile.ssl @@ -20,6 +20,7 @@ AR= ar r SHA1_ASM_OBJ= CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=shatest.c sha1test.c @@ -65,7 +66,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/sha/asm/sha1-586.pl b/crypto/openssl/crypto/sha/asm/sha1-586.pl index fe51fd079457..e00f70955384 100644 --- a/crypto/openssl/crypto/sha/asm/sha1-586.pl +++ b/crypto/openssl/crypto/sha/asm/sha1-586.pl @@ -1,5 +1,30 @@ #!/usr/local/bin/perl +# It was noted that Intel IA-32 C compiler generates code which +# performs ~30% *faster* on P4 CPU than original *hand-coded* +# SHA1 assembler implementation. To address this problem (and +# prove that humans are still better than machines:-), the +# original code was overhauled, which resulted in following +# performance changes: +# +# compared with original compared with Intel cc +# assembler impl. generated code +# Pentium -25% +37% +# PIII/AMD +8% +16% +# P4 +85%(!) +45% +# +# As you can see Pentium came out as looser:-( Yet I reckoned that +# improvement on P4 outweights the loss and incorporate this +# re-tuned code to 0.9.7 and later. +# ---------------------------------------------------------------- +# Those who for any particular reason absolutely must score on +# Pentium can replace this module with one from 0.9.6 distribution. +# This "offer" shall be revoked the moment programming interface to +# this module is changed, in which case this paragraph should be +# removed. +# ---------------------------------------------------------------- +# <appro@fy.chalmers.se> + $normal=0; push(@INC,"perlasm","../../perlasm"); @@ -77,54 +102,21 @@ sub BODY_00_15 { local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_; -return if $n & 1; &comment("00_15 $n"); - &mov($f,$c); - - &mov($tmp1,$a); - &xor($f,$d); # F2 - - &rotl($tmp1,5); # A2 - - &and($f,$b); # F3 - &add($tmp1,$e); - - &rotr($b,1); # B1 <- F - &mov($e,&swtmp($n)); # G1 - - &rotr($b,1); # B1 <- F - &xor($f,$d); # F4 - - &lea($tmp1,&DWP($K,$tmp1,$e,1)); - -############################ -# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T); -# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E); -$n++; - local($n0,$n1,$n2,$n3,$np)=&Na($n); - ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f); - - &mov($f,$c); - - &add($a,$tmp1); # MOVED DOWN - &xor($f,$d); # F2 - &mov($tmp1,$a); - &and($f,$b); # F3 - - &rotl($tmp1,5); # A2 - - &add($tmp1,$e); - &mov($e,&swtmp($n)); # G1 - - &rotr($b,1); # B1 <- F - &xor($f,$d); # F4 - - &rotr($b,1); # B1 <- F - &lea($tmp1,&DWP($K,$tmp1,$e,1)); - - &add($f,$tmp1); + &mov($f,$c); # f to hold F_00_19(b,c,d) + &rotl($tmp1,5); # tmp1=ROTATE(a,5) + &xor($f,$d); + &and($f,$b); + &rotr($b,2); # b=ROTATE(b,30) + &add($tmp1,$e); # tmp1+=e; + &mov($e,&swtmp($n)); # e becomes volatile and + # is loaded with xi + &xor($f,$d); # f holds F_00_19(b,c,d) + &lea($tmp1,&DWP($K,$tmp1,$e,1));# tmp1+=K_00_19+xi + + &add($f,$tmp1); # f+=tmp1 } sub BODY_16_19 @@ -132,66 +124,24 @@ sub BODY_16_19 local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_; local($n0,$n1,$n2,$n3,$np)=&Na($n); -return if $n & 1; &comment("16_19 $n"); - &nop() if ($pos < 0); -&mov($tmp1,&swtmp($n0)); # X1 - &mov($f,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&xor($f,$tmp1); # X7 - slot - &mov($tmp1,$c); # F1 -&rotl($f,1); # X8 - slot - &xor($tmp1,$d); # F2 -&mov(&swtmp($n0),$f); # X9 - anytime - &and($tmp1,$b); # F3 -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &xor($tmp1,$d); # F4 -&mov($e,$a); # A1 - &add($f,$tmp1); # tot+=F(); - -&rotl($e,5); # A2 - -&rotr($b,1); # B1 <- F - &add($f,$e); # tot+=a - -############################ -# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T); -# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E); -$n++; - local($n0,$n1,$n2,$n3,$np)=&Na($n); - ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f); - - -&mov($f,&swtmp($n0)); # X1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&rotr($c,1); #&rotr($b,1); # B1 <- F # MOVED DOWN - &xor($f,$tmp1); # X7 - slot -&rotl($f,1); # X8 - slot - &mov($tmp1,$c); # F1 -&xor($tmp1,$d); # F2 - &mov(&swtmp($n0),$f); # X9 - anytime -&and($tmp1,$b); # F3 - &lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - -&xor($tmp1,$d); # F4 - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -&rotr($b,1); # B1 <- F - &add($f,$e); # tot+=a - -&rotr($b,1); # B1 <- F - &add($f,$tmp1); # tot+=F(); - + &mov($f,&swtmp($n1)); # f to hold Xupdate(xi,xa,xb,xc,xd) + &mov($tmp1,$c); # tmp1 to hold F_00_19(b,c,d) + &xor($f,&swtmp($n0)); + &xor($tmp1,$d); + &xor($f,&swtmp($n2)); + &and($tmp1,$b); # tmp1 holds F_00_19(b,c,d) + &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd + &rotr($b,2); # b=ROTATE(b,30) + &xor($tmp1,$d); # tmp1=F_00_19(b,c,d) + &rotl($f,1); # f=ROATE(f,1) + &mov(&swtmp($n0),$f); # xi=f + &lea($f,&DWP($K,$f,$e,1)); # f+=K_00_19+e + &mov($e,$a); # e becomes volatile + &add($f,$tmp1); # f+=F_00_19(b,c,d) + &rotl($e,5); # e=ROTATE(a,5) + &add($f,$e); # f+=ROTATE(a,5) } sub BODY_20_39 @@ -201,42 +151,21 @@ sub BODY_20_39 &comment("20_39 $n"); local($n0,$n1,$n2,$n3,$np)=&Na($n); -&mov($f,&swtmp($n0)); # X1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&xor($f,$tmp1); # X7 - slot - &mov($tmp1,$b); # F1 -&rotl($f,1); # X8 - slot - &xor($tmp1,$c); # F2 -&mov(&swtmp($n0),$f); # X9 - anytime - &xor($tmp1,$d); # F3 - -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -if ($n != 79) # last loop - { - &rotr($b,1); # B1 <- F - &add($e,$tmp1); # tmp1=F()+a - - &rotr($b,1); # B2 <- F - &add($f,$e); # tot+=tmp1; - } -else - { - &add($e,$tmp1); # tmp1=F()+a - &mov($tmp1,&wparam(0)); - - &rotr($b,1); # B1 <- F - &add($f,$e); # tot+=tmp1; - - &rotr($b,1); # B2 <- F - } + &mov($f,&swtmp($n0)); # f to hold Xupdate(xi,xa,xb,xc,xd) + &mov($tmp1,$b); # tmp1 to hold F_20_39(b,c,d) + &xor($f,&swtmp($n1)); + &rotr($b,2); # b=ROTATE(b,30) + &xor($f,&swtmp($n2)); + &xor($tmp1,$c); + &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd + &xor($tmp1,$d); # tmp1 holds F_20_39(b,c,d) + &rotl($f,1); # f=ROTATE(f,1) + &mov(&swtmp($n0),$f); # xi=f + &lea($f,&DWP($K,$f,$e,1)); # f+=K_20_39+e + &mov($e,$a); # e becomes volatile + &rotl($e,5); # e=ROTATE(a,5) + &add($f,$tmp1); # f+=F_20_39(b,c,d) + &add($f,$e); # f+=ROTATE(a,5) } sub BODY_40_59 @@ -244,70 +173,27 @@ sub BODY_40_59 local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_; &comment("40_59 $n"); - return if $n & 1; local($n0,$n1,$n2,$n3,$np)=&Na($n); -&mov($f,&swtmp($n0)); # X1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&xor($f,$tmp1); # X7 - slot - &mov($tmp1,$b); # F1 -&rotl($f,1); # X8 - slot - &or($tmp1,$c); # F2 -&mov(&swtmp($n0),$f); # X9 - anytime - &and($tmp1,$d); # F3 - -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &mov($e,$b); # F4 - -&rotr($b,1); # B1 <- F - &and($e,$c); # F5 - -&or($tmp1,$e); # F6 - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -&add($tmp1,$e); # tmp1=F()+a - -############################ -# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T); -# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E); -$n++; - local($n0,$n1,$n2,$n3,$np)=&Na($n); - ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f); - - &mov($f,&swtmp($n0)); # X1 -&add($a,$tmp1); # tot+=tmp1; # moved was add f,tmp1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&rotr($c,1); # B2 <- F # moved was rotr b,1 - &xor($f,$tmp1); # X7 - slot -&rotl($f,1); # X8 - slot - &mov($tmp1,$b); # F1 -&mov(&swtmp($n0),$f); # X9 - anytime - &or($tmp1,$c); # F2 -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &mov($e,$b); # F4 -&and($tmp1,$d); # F3 - &and($e,$c); # F5 - -&or($tmp1,$e); # F6 - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -&rotr($b,1); # B1 <- F - &add($tmp1,$e); # tmp1=F()+a - -&rotr($b,1); # B2 <- F - &add($f,$tmp1); # tot+=tmp1; + &mov($f,&swtmp($n0)); # f to hold Xupdate(xi,xa,xb,xc,xd) + &mov($tmp1,$b); # tmp1 to hold F_40_59(b,c,d) + &xor($f,&swtmp($n1)); + &or($tmp1,$c); + &xor($f,&swtmp($n2)); + &and($tmp1,$d); + &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd + &rotl($f,1); # f=ROTATE(f,1) + &mov(&swtmp($n0),$f); # xi=f + &lea($f,&DWP($K,$f,$e,1)); # f+=K_40_59+e + &mov($e,$b); # e becomes volatile and is used + # to calculate F_40_59(b,c,d) + &rotr($b,2); # b=ROTATE(b,30) + &and($e,$c); + &or($tmp1,$e); # tmp1 holds F_40_59(b,c,d) + &mov($e,$a); + &rotl($e,5); # e=ROTATE(a,5) + &add($tmp1,$e); # tmp1+=ROTATE(a,5) + &add($f,$tmp1); # f+=tmp1; } sub BODY_60_79 @@ -495,8 +381,7 @@ sub sha1_block_data # C -> E # D -> T - # The last 2 have been moved into the last loop - # &mov($tmp1,&wparam(0)); + &mov($tmp1,&wparam(0)); &mov($D, &DWP(12,$tmp1,"",0)); &add($D,$B); diff --git a/crypto/openssl/crypto/stack/Makefile.ssl b/crypto/openssl/crypto/stack/Makefile.ssl index e4acfe6aba22..7120fb804a07 100644 --- a/crypto/openssl/crypto/stack/Makefile.ssl +++ b/crypto/openssl/crypto/stack/Makefile.ssl @@ -47,7 +47,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/threads/mttest.c b/crypto/openssl/crypto/threads/mttest.c index 54d598565d53..7588966cb219 100644 --- a/crypto/openssl/crypto/threads/mttest.c +++ b/crypto/openssl/crypto/threads/mttest.c @@ -243,7 +243,8 @@ bad: goto end; } - if (cipher == NULL) cipher=getenv("SSL_CIPHER"); + if (cipher == NULL && OPENSSL_issetugid() == 0) + cipher=getenv("SSL_CIPHER"); SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); diff --git a/crypto/openssl/crypto/txt_db/Makefile.ssl b/crypto/openssl/crypto/txt_db/Makefile.ssl index 313f75313b78..6221dfae4d10 100644 --- a/crypto/openssl/crypto/txt_db/Makefile.ssl +++ b/crypto/openssl/crypto/txt_db/Makefile.ssl @@ -47,7 +47,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/ui/Makefile.ssl b/crypto/openssl/crypto/ui/Makefile.ssl index 90ae7d4a4a24..ba46951d1c39 100644 --- a/crypto/openssl/crypto/ui/Makefile.ssl +++ b/crypto/openssl/crypto/ui/Makefile.ssl @@ -51,7 +51,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/ui/ui_lib.c b/crypto/openssl/crypto/ui/ui_lib.c index 13e5f20dcb2a..dbc9711a2def 100644 --- a/crypto/openssl/crypto/ui/ui_lib.c +++ b/crypto/openssl/crypto/ui/ui_lib.c @@ -430,14 +430,14 @@ char *UI_construct_prompt(UI *ui, const char *object_desc, len += sizeof(prompt3) - 1; prompt = (char *)OPENSSL_malloc(len + 1); - strcpy(prompt, prompt1); - strcat(prompt, object_desc); + BUF_strlcpy(prompt, prompt1, len + 1); + BUF_strlcat(prompt, object_desc, len + 1); if (object_name) { - strcat(prompt, prompt2); - strcat(prompt, object_name); + BUF_strlcat(prompt, prompt2, len + 1); + BUF_strlcat(prompt, object_name, len + 1); } - strcat(prompt, prompt3); + BUF_strlcat(prompt, prompt3, len + 1); } return prompt; } @@ -865,7 +865,8 @@ int UI_set_result(UI *ui, UI_STRING *uis, const char *result) return -1; } - strcpy(uis->result_buf, result); + BUF_strlcpy(uis->result_buf, result, + uis->_.string_data.result_maxsize + 1); break; case UIT_BOOLEAN: { diff --git a/crypto/openssl/crypto/x509/Makefile.ssl b/crypto/openssl/crypto/x509/Makefile.ssl index 6a5a87969190..3a3452536c5a 100644 --- a/crypto/openssl/crypto/x509/Makefile.ssl +++ b/crypto/openssl/crypto/x509/Makefile.ssl @@ -57,7 +57,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/x509/by_dir.c b/crypto/openssl/crypto/x509/by_dir.c index 448bd7e69cca..6207340472e4 100644 --- a/crypto/openssl/crypto/x509/by_dir.c +++ b/crypto/openssl/crypto/x509/by_dir.c @@ -302,8 +302,38 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, k=0; for (;;) { - sprintf(b->data,"%s/%08lx.%s%d",ctx->dirs[i],h, - postfix,k); + char c = '/'; +#ifdef OPENSSL_SYS_VMS + c = ctx->dirs[i][strlen(ctx->dirs[i])-1]; + if (c != ':' && c != '>' && c != ']') + { + /* If no separator is present, we assume the + directory specifier is a logical name, and + add a colon. We really should use better + VMS routines for merging things like this, + but this will do for now... + -- Richard Levitte */ + c = ':'; + } + else + { + c = '\0'; + } +#endif + if (c == '\0') + { + /* This is special. When c == '\0', no + directory separator should be added. */ + BIO_snprintf(b->data,b->max, + "%s%08lx.%s%d",ctx->dirs[i],h, + postfix,k); + } + else + { + BIO_snprintf(b->data,b->max, + "%s%c%08lx.%s%d",ctx->dirs[i],c,h, + postfix,k); + } k++; if (stat(b->data,&st) < 0) break; diff --git a/crypto/openssl/crypto/x509/x509.h b/crypto/openssl/crypto/x509/x509.h index eaad5685a8f8..8d0c7e2e1792 100644 --- a/crypto/openssl/crypto/x509/x509.h +++ b/crypto/openssl/crypto/x509/x509.h @@ -810,10 +810,6 @@ X509_REQ *X509_REQ_dup(X509_REQ *req); X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn); X509_NAME *X509_NAME_dup(X509_NAME *xn); X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne); -#ifndef OPENSSL_NO_RSA -RSA *RSAPublicKey_dup(RSA *rsa); -RSA *RSAPrivateKey_dup(RSA *rsa); -#endif #endif /* !SSLEAY_MACROS */ diff --git a/crypto/openssl/crypto/x509/x509_txt.c b/crypto/openssl/crypto/x509/x509_txt.c index 4f83db8ba2f5..e31ebc6741a0 100644 --- a/crypto/openssl/crypto/x509/x509_txt.c +++ b/crypto/openssl/crypto/x509/x509_txt.c @@ -147,8 +147,14 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: return("unhandled critical extension"); + case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: + return("key usage does not include CRL signing"); + + case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: + return("unhandled critical CRL extension"); + default: - sprintf(buf,"error number %ld",n); + BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); } } diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c index 2bb21b443ec0..2e4d0b823abe 100644 --- a/crypto/openssl/crypto/x509/x509_vfy.c +++ b/crypto/openssl/crypto/x509/x509_vfy.c @@ -383,6 +383,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) /* Check all untrusted certificates */ for (i = 0; i < ctx->last_untrusted; i++) { + int ret; x = sk_X509_value(ctx->chain, i); if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) && (x->ex_flags & EXFLAG_CRITICAL)) @@ -393,7 +394,10 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) ok=cb(0,ctx); if (!ok) goto end; } - if (!X509_check_purpose(x, ctx->purpose, i)) + ret = X509_check_purpose(x, ctx->purpose, i); + if ((ret == 0) + || ((ctx->flags & X509_V_FLAG_X509_STRICT) + && (ret != 1))) { if (i) ctx->error = X509_V_ERR_INVALID_CA; @@ -537,6 +541,14 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) if(issuer) { + /* Check for cRLSign bit if keyUsage present */ + if ((issuer->ex_flags & EXFLAG_KUSAGE) && + !(issuer->ex_kusage & KU_CRL_SIGN)) + { + ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; + ok = ctx->verify_cb(0, ctx); + if(!ok) goto err; + } /* Attempt to get issuer certificate public key */ ikey = X509_get_pubkey(issuer); @@ -611,17 +623,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { int idx, ok; X509_REVOKED rtmp; + STACK_OF(X509_EXTENSION) *exts; + X509_EXTENSION *ext; /* Look for serial number of certificate in CRL */ rtmp.serialNumber = X509_get_serialNumber(x); idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); - /* Not found: OK */ - if(idx == -1) return 1; - /* Otherwise revoked: want something cleverer than + /* If found assume revoked: want something cleverer than * this to handle entry extensions in V2 CRLs. */ - ctx->error = X509_V_ERR_CERT_REVOKED; - ok = ctx->verify_cb(0, ctx); - return ok; + if(idx >= 0) + { + ctx->error = X509_V_ERR_CERT_REVOKED; + ok = ctx->verify_cb(0, ctx); + if (!ok) return 0; + } + + if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) + return 1; + + /* See if we have any critical CRL extensions: since we + * currently don't handle any CRL extensions the CRL must be + * rejected. + * This code accesses the X509_CRL structure directly: applications + * shouldn't do this. + */ + + exts = crl->crl->extensions; + + for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) + { + ext = sk_X509_EXTENSION_value(exts, idx); + if (ext->critical > 0) + { + ctx->error = + X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; + ok = ctx->verify_cb(0, ctx); + if(!ok) return 0; + break; + } + } + return 1; } static int internal_verify(X509_STORE_CTX *ctx) diff --git a/crypto/openssl/crypto/x509/x509_vfy.h b/crypto/openssl/crypto/x509/x509_vfy.h index f0be21f4525c..198495884cfa 100644 --- a/crypto/openssl/crypto/x509/x509_vfy.h +++ b/crypto/openssl/crypto/x509/x509_vfy.h @@ -304,17 +304,26 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 #define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 +#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 +#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 /* Certificate verify flags */ -#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 /* Send issuer+subject checks to verify_cb */ -#define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Use check time instead of current time */ -#define X509_V_FLAG_CRL_CHECK 0x4 /* Lookup CRLs */ -#define X509_V_FLAG_CRL_CHECK_ALL 0x8 /* Lookup CRLs for whole chain */ -#define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Ignore unhandled critical extensions */ +/* Send issuer+subject checks to verify_cb */ +#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 +/* Use check time instead of current time */ +#define X509_V_FLAG_USE_CHECK_TIME 0x2 +/* Lookup CRLs */ +#define X509_V_FLAG_CRL_CHECK 0x4 +/* Lookup CRLs for whole chain */ +#define X509_V_FLAG_CRL_CHECK_ALL 0x8 +/* Ignore unhandled critical extensions */ +#define X509_V_FLAG_IGNORE_CRITICAL 0x10 +/* Disable workarounds for broken certificates */ +#define X509_V_FLAG_X509_STRICT 0x20 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); diff --git a/crypto/openssl/crypto/x509/x509type.c b/crypto/openssl/crypto/x509/x509type.c index f78c2a6b4380..c25959a74282 100644 --- a/crypto/openssl/crypto/x509/x509type.c +++ b/crypto/openssl/crypto/x509/x509type.c @@ -106,7 +106,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) break; } - if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look + if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look for, not bytes */ ret|=EVP_PKT_EXP; if(pkey==NULL) EVP_PKEY_free(pk); diff --git a/crypto/openssl/crypto/x509v3/Makefile.ssl b/crypto/openssl/crypto/x509v3/Makefile.ssl index 5ca169c37cd6..66df90c34624 100644 --- a/crypto/openssl/crypto/x509v3/Makefile.ssl +++ b/crypto/openssl/crypto/x509v3/Makefile.ssl @@ -53,7 +53,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) diff --git a/crypto/openssl/crypto/x509v3/v3_alt.c b/crypto/openssl/crypto/x509v3/v3_alt.c index 0e9e7dcb4fda..58b935a3b6b8 100644 --- a/crypto/openssl/crypto/x509v3/v3_alt.c +++ b/crypto/openssl/crypto/x509v3/v3_alt.c @@ -137,7 +137,8 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_add_value("IP Address","<invalid>", &ret); break; } - sprintf(oline, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); + BIO_snprintf(oline, sizeof oline, + "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); X509V3_add_value("IP Address",oline, &ret); break; diff --git a/crypto/openssl/crypto/x509v3/v3_crld.c b/crypto/openssl/crypto/x509v3/v3_crld.c index 894a8b94d802..f90829c574e7 100644 --- a/crypto/openssl/crypto/x509v3/v3_crld.c +++ b/crypto/openssl/crypto/x509v3/v3_crld.c @@ -156,7 +156,7 @@ ASN1_SEQUENCE(DIST_POINT) = { IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT) ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, DIST_POINT, DIST_POINT) + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT) ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS) IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS) diff --git a/crypto/openssl/crypto/x509v3/v3_info.c b/crypto/openssl/crypto/x509v3/v3_info.c index e269df1373b0..53e3f4885904 100644 --- a/crypto/openssl/crypto/x509v3/v3_info.c +++ b/crypto/openssl/crypto/x509v3/v3_info.c @@ -105,7 +105,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method STACK_OF(CONF_VALUE) *ret) { ACCESS_DESCRIPTION *desc; - int i; + int i,nlen; char objtmp[80], *ntmp; CONF_VALUE *vtmp; for(i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) { @@ -114,15 +114,16 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method if(!ret) break; vtmp = sk_CONF_VALUE_value(ret, i); i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method); - ntmp = OPENSSL_malloc(strlen(objtmp) + strlen(vtmp->name) + 5); + nlen = strlen(objtmp) + strlen(vtmp->name) + 5; + ntmp = OPENSSL_malloc(nlen); if(!ntmp) { X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS, ERR_R_MALLOC_FAILURE); return NULL; } - strcpy(ntmp, objtmp); - strcat(ntmp, " - "); - strcat(ntmp, vtmp->name); + BUF_strlcpy(ntmp, objtmp, nlen); + BUF_strlcat(ntmp, " - ", nlen); + BUF_strlcat(ntmp, vtmp->name, nlen); OPENSSL_free(vtmp->name); vtmp->name = ntmp; diff --git a/crypto/openssl/crypto/x509v3/v3_purp.c b/crypto/openssl/crypto/x509v3/v3_purp.c index 4d145f71fd03..b3d1ae5d1cc8 100644 --- a/crypto/openssl/crypto/x509v3/v3_purp.c +++ b/crypto/openssl/crypto/x509v3/v3_purp.c @@ -3,7 +3,7 @@ * project 2001. */ /* ==================================================================== - * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -415,6 +415,7 @@ static void x509v3_cache_extensions(X509 *x) * 1 is a CA * 2 basicConstraints absent so "maybe" a CA * 3 basicConstraints absent but self signed V1. + * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. */ #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) @@ -436,7 +437,7 @@ static int ca_check(const X509 *x) } else { if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; /* If key usage present it must have certSign so tolerate it */ - else if (x->ex_flags & EXFLAG_KUSAGE) return 3; + else if (x->ex_flags & EXFLAG_KUSAGE) return 4; else return 2; } } diff --git a/crypto/openssl/doc/apps/config.pod b/crypto/openssl/doc/apps/config.pod index ce874a42ce13..8f823fa6d69d 100644 --- a/crypto/openssl/doc/apps/config.pod +++ b/crypto/openssl/doc/apps/config.pod @@ -10,7 +10,8 @@ config - OpenSSL CONF library configuration files The OpenSSL CONF library can be used to read configuration files. It is used for the OpenSSL master configuration file B<openssl.cnf> and in a few other places like B<SPKAC> files and certificate extension -files for the B<x509> utility. +files for the B<x509> utility. OpenSSL applications can also use the +CONF library for their own purposes. A configuration file is divided into a number of sections. Each section starts with a line B<[ section_name ]> and ends when a new section is @@ -51,13 +52,146 @@ or the B<\> character. By making the last character of a line a B<\> a B<value> string can be spread across multiple lines. In addition the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized. +=head1 OPENSSL LIBRARY CONFIGURATION + +In OpenSSL 0.9.7 and later applications can automatically configure certain +aspects of OpenSSL using the master OpenSSL configuration file, or optionally +an alternative configuration file. The B<openssl> utility includes this +functionality: any sub command uses the master OpenSSL configuration file +unless an option is used in the sub command to use an alternative configuration +file. + +To enable library configuration the default section needs to contain an +appropriate line which points to the main configuration section. The default +name is B<openssl_conf> which is used by the B<openssl> utility. Other +applications may use an alternative name such as B<myapplicaton_conf>. + +The configuration section should consist of a set of name value pairs which +contain specific module configuration information. The B<name> represents +the name of the I<configuration module> the meaning of the B<value> is +module specific: it may, for example, represent a further configuration +section containing configuration module specific information. E.g. + + openssl_conf = openssl_init + + [openssl_init] + + oid_section = new_oids + engines = engine_section + + [new_oids] + + ... new oids here ... + + [engine_section] + + ... engine stuff here ... + +Currently there are two configuration modules. One for ASN1 objects another +for ENGINE configuration. + +=head2 ASN1 OBJECT CONFIGURATION MODULE + +This module has the name B<oid_section>. The value of this variable points +to a section containing name value pairs of OIDs: the name is the OID short +and long name, the value is the numerical form of the OID. Although some of +the B<openssl> utility sub commands already have their own ASN1 OBJECT section +functionality not all do. By using the ASN1 OBJECT configuration module +B<all> the B<openssl> utility sub commands can see the new objects as well +as any compliant applications. For example: + + [new_oids] + + some_new_oid = 1.2.3.4 + some_other_oid = 1.2.3.5 + +=head2 ENGINE CONFIGURATION MODULE + +This ENGINE configuration module has the name B<engines>. The value of this +variable points to a section containing further ENGINE configuration +information. + +The section pointed to by B<engines> is a table of engine names (though see +B<engine_id> below) and further sections containing configuration informations +specific to each ENGINE. + +Each ENGINE specific section is used to set default algorithms, load +dynamic, perform initialization and send ctrls. The actual operation performed +depends on the I<command> name which is the name of the name value pair. The +currently supported commands are listed below. + +For example: + + [engine_section] + + # Configure ENGINE named "foo" + foo = foo_section + # Configure ENGINE named "bar" + bar = bar_section + + [foo_section] + ... foo ENGINE specific commands ... + + [bar_section] + ... "bar" ENGINE specific commands ... + +The command B<engine_id> is used to give the ENGINE name. If used this +command must be first. For example: + + [engine_section] + # This would normally handle an ENGINE named "foo" + foo = foo_section + + [foo_section] + # Override default name and use "myfoo" instead. + engine_id = myfoo + +The command B<dynamic_path> loads and adds an ENGINE from the given path. It +is equivalent to sending the ctrls B<SO_PATH> with the path argument followed +by B<LIST_ADD> with value 2 and B<LOAD> to the dynamic ENGINE. If this is +not the required behaviour then alternative ctrls can be sent directly +to the dynamic ENGINE using ctrl commands. + +The command B<init> determines whether to initialize the ENGINE. If the value +is B<0> the ENGINE will not be initialized, if B<1> and attempt it made to +initialized the ENGINE immediately. If the B<init> command is not present +then an attempt will be made to initialize the ENGINE after all commands in +its section have been processed. + +The command B<default_algorithms> sets the default algorithms an ENGINE will +supply using the functions B<ENGINE_set_default_string()> + +If the name matches none of the above command names it is assumed to be a +ctrl command which is sent to the ENGINE. The value of the command is the +argument to the ctrl command. If the value is the string B<EMPTY> then no +value is sent to the command. + +For example: + + + [engine_section] + + # Configure ENGINE named "foo" + foo = foo_section + + [foo_section] + # Load engine from DSO + dynamic_path = /some/path/fooengine.so + # A foo specific ctrl. + some_ctrl = some_value + # Another ctrl that doesn't take a value. + other_ctrl = EMPTY + # Supply all default algorithms + default_algorithms = ALL + =head1 NOTES If a configuration file attempts to expand a variable that doesn't exist then an error is flagged and the file will not load. This can happen if an attempt is made to expand an environment variable that doesn't -exist. For example the default OpenSSL master configuration file used -the value of B<HOME> which may not be defined on non Unix systems. +exist. For example in a previous version of OpenSSL the default OpenSSL +master configuration file used the value of B<HOME> which may not be +defined on non Unix systems and would cause an error. This can be worked around by including a B<default> section to provide a default value: then if the environment lookup fails the default value diff --git a/crypto/openssl/doc/apps/openssl.pod b/crypto/openssl/doc/apps/openssl.pod index 07dd80eabe56..dc0f49ddca63 100644 --- a/crypto/openssl/doc/apps/openssl.pod +++ b/crypto/openssl/doc/apps/openssl.pod @@ -329,7 +329,8 @@ L<passwd(1)|passwd(1)>, L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>, L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>, L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>, -L<s_server(1)|s_server(1)>, L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>, +L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>, +L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>, L<verify(1)|verify(1)>, L<version(1)|version(1)>, L<x509(1)|x509(1)>, L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)> diff --git a/crypto/openssl/doc/apps/s_client.pod b/crypto/openssl/doc/apps/s_client.pod index d061326c1fca..8d19079973a4 100644 --- a/crypto/openssl/doc/apps/s_client.pod +++ b/crypto/openssl/doc/apps/s_client.pod @@ -8,7 +8,7 @@ s_client - SSL/TLS client program =head1 SYNOPSIS B<openssl> B<s_client> -[B<-connect> host:port>] +[B<-connect host:port>] [B<-verify depth>] [B<-cert filename>] [B<-key filename>] @@ -208,7 +208,7 @@ then an HTTP command can be given such as "GET /" to retrieve a web page. If the handshake fails then there are several possible causes, if it is nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, -B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> can be tried +B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried in case it is a buggy server. In particular you should play with these options B<before> submitting a bug report to an OpenSSL mailing list. @@ -219,7 +219,7 @@ the clients certificate authority in its "acceptable CA list" when it requests a certificate. By using B<s_client> the CA list can be viewed and checked. However some servers only request client authentication after a specific URL is requested. To obtain the list in this case it -is necessary to use the B<-prexit> command and send an HTTP request +is necessary to use the B<-prexit> option and send an HTTP request for an appropriate page. If a certificate is specified on the command line using the B<-cert> diff --git a/crypto/openssl/doc/apps/s_time.pod b/crypto/openssl/doc/apps/s_time.pod new file mode 100644 index 000000000000..5a38aa2e0394 --- /dev/null +++ b/crypto/openssl/doc/apps/s_time.pod @@ -0,0 +1,173 @@ + +=pod + +=head1 NAME + +s_time - SSL/TLS performance timing program + +=head1 SYNOPSIS + +B<openssl> B<s_time> +[B<-connect host:port>] +[B<-www page>] +[B<-cert filename>] +[B<-key filename>] +[B<-CApath directory>] +[B<-CAfile filename>] +[B<-reuse>] +[B<-new>] +[B<-verify depth>] +[B<-nbio>] +[B<-time seconds>] +[B<-ssl2>] +[B<-ssl3>] +[B<-bugs>] +[B<-cipher cipherlist>] + +=head1 DESCRIPTION + +The B<s_client> command implements a generic SSL/TLS client which connects to a +remote host using SSL/TLS. It can request a page from the server and includes +the time to transfer the payload data in its timing measurements. It measures +the number of connections within a given timeframe, the amount of data +transferred (if any), and calculates the average time spent for one connection. + +=head1 OPTIONS + +=over 4 + +=item B<-connect host:port> + +This specifies the host and optional port to connect to. + +=item B<-www page> + +This specifies the page to GET from the server. A value of '/' gets the +index.htm[l] page. If this parameter is not specified, then B<s_time> will only +perform the handshake to establish SSL connections but not transfer any +payload data. + +=item B<-cert certname> + +The certificate to use, if one is requested by the server. The default is +not to use a certificate. The file is in PEM format. + +=item B<-key keyfile> + +The private key to use. If not specified then the certificate file will +be used. The file is in PEM format. + +=item B<-verify depth> + +The verify depth to use. This specifies the maximum length of the +server certificate chain and turns on server certificate verification. +Currently the verify operation continues after errors so all the problems +with a certificate chain can be seen. As a side effect the connection +will never fail due to a server certificate verify failure. + +=item B<-CApath directory> + +The directory to use for server certificate verification. This directory +must be in "hash format", see B<verify> for more information. These are +also used when building the client certificate chain. + +=item B<-CAfile file> + +A file containing trusted certificates to use during server authentication +and to use when attempting to build the client certificate chain. + +=item B<-new> + +performs the timing test using a new session ID for each connection. +If neither B<-new> nor B<-reuse> are specified, they are both on by default +and executed in sequence. + +=item B<-reuse> + +performs the timing test using the same session ID; this can be used as a test +that session caching is working. If neither B<-new> nor B<-reuse> are +specified, they are both on by default and executed in sequence. + +=item B<-nbio> + +turns on non-blocking I/O. + +=item B<-ssl2>, B<-ssl3> + +these options disable the use of certain SSL or TLS protocols. By default +the initial handshake uses a method which should be compatible with all +servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. +The timing program is not as rich in options to turn protocols on and off as +the L<s_client(1)|s_client(1)> program and may not connect to all servers. + +Unfortunately there are a lot of ancient and broken servers in use which +cannot handle this technique and will fail to connect. Some servers only +work if TLS is turned off with the B<-ssl3> option; others +will only support SSL v2 and may need the B<-ssl2> option. + +=item B<-bugs> + +there are several known bug in SSL and TLS implementations. Adding this +option enables various workarounds. + +=item B<-cipher cipherlist> + +this allows the cipher list sent by the client to be modified. Although +the server determines which cipher suite is used it should take the first +supported cipher in the list sent by the client. +See the L<ciphers(1)|ciphers(1)> command for more information. + +=item B<-time length> + +specifies how long (in seconds) B<s_time> should establish connections and +optionally transfer payload data from a server. Server and client performance +and the link speed determine how many connections B<s_time> can establish. + +=back + +=head1 NOTES + +B<s_client> can be used to measure the performance of an SSL connection. +To connect to an SSL HTTP server and get the default page the command + + openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3] + +would typically be used (https uses port 443). 'commoncipher' is a cipher to +which both client and server can agree, see the L<ciphers(1)|ciphers(1)> command +for details. + +If the handshake fails then there are several possible causes, if it is +nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, +B<-ssl3> options can be tried +in case it is a buggy server. In particular you should play with these +options B<before> submitting a bug report to an OpenSSL mailing list. + +A frequent problem when attempting to get client certificates working +is that a web client complains it has no certificates or gives an empty +list to choose from. This is normally because the server is not sending +the clients certificate authority in its "acceptable CA list" when it +requests a certificate. By using L<s_client(1)|s_client(1)> the CA list can be +viewed and checked. However some servers only request client authentication +after a specific URL is requested. To obtain the list in this case it +is necessary to use the B<-prexit> option of L<s_client(1)|s_client(1)> and +send an HTTP request for an appropriate page. + +If a certificate is specified on the command line using the B<-cert> +option it will not be used unless the server specifically requests +a client certificate. Therefor merely including a client certificate +on the command line is no guarantee that the certificate works. + +=head1 BUGS + +Because this program does not have all the options of the +L<s_client(1)|s_client(1)> program to turn protocols on and off, you may not be +able to measure the performance of all protocols with all servers. + +The B<-verify> option should really exit if the server verification +fails. + +=head1 SEE ALSO + +L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)> + +=cut diff --git a/crypto/openssl/doc/apps/smime.pod b/crypto/openssl/doc/apps/smime.pod index 2453dd2738d1..84b673f791ea 100644 --- a/crypto/openssl/doc/apps/smime.pod +++ b/crypto/openssl/doc/apps/smime.pod @@ -17,6 +17,9 @@ B<openssl> B<smime> [B<-rc2-40>] [B<-rc2-64>] [B<-rc2-128>] +[B<-aes128>] +[B<-aes192>] +[B<-aes256>] [B<-in file>] [B<-certfile file>] [B<-signer file>] @@ -126,11 +129,11 @@ B<-verify>. This directory must be a standard certificate directory: that is a hash of each subject name (using B<x509 -hash>) should be linked to each certificate. -=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128> +=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256> -the encryption algorithm to use. DES (56 bits), triple DES (168 bits) -or 40, 64 or 128 bit RC2 respectively if not specified 40 bit RC2 is -used. Only used with B<-encrypt>. +the encryption algorithm to use. DES (56 bits), triple DES (168 bits), +40, 64 or 128 bit RC2 or 128, 192 or 256 bit AES respectively. If not +specified 40 bit RC2 is used. Only used with B<-encrypt>. =item B<-nointern> diff --git a/crypto/openssl/doc/crypto/BIO_f_ssl.pod b/crypto/openssl/doc/crypto/BIO_f_ssl.pod index a56ee2b92f2b..f0b731731f50 100644 --- a/crypto/openssl/doc/crypto/BIO_f_ssl.pod +++ b/crypto/openssl/doc/crypto/BIO_f_ssl.pod @@ -287,8 +287,8 @@ a client and also echoes the request to standard output. return 0; } - BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n"); - BIO_puts(sbio, "<pre>\r\nConnection Established\r\nRequest headers:\r\n"); + BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/plain\r\n\r\n"); + BIO_puts(sbio, "\r\nConnection Established\r\nRequest headers:\r\n"); BIO_puts(sbio, "--------------------------------------------------\r\n"); for(;;) { @@ -301,7 +301,7 @@ a client and also echoes the request to standard output. } BIO_puts(sbio, "--------------------------------------------------\r\n"); - BIO_puts(sbio, "</pre>\r\n"); + BIO_puts(sbio, "\r\n"); /* Since there is a buffering BIO present we had better flush it */ BIO_flush(sbio); diff --git a/crypto/openssl/doc/crypto/CONF_modules_free.pod b/crypto/openssl/doc/crypto/CONF_modules_free.pod new file mode 100644 index 000000000000..af8ae6a5c92d --- /dev/null +++ b/crypto/openssl/doc/crypto/CONF_modules_free.pod @@ -0,0 +1,47 @@ +=pod + +=head1 NAME + + CONF_modules_free, CONF_modules_load, CONF_modules_unload - + OpenSSL configuration cleanup functions + +=head1 SYNOPSIS + + #include <openssl/conf.h> + + void CONF_modules_free(void); + void CONF_modules_unload(int all); + void CONF_modules_finish(void); + +=head1 DESCRIPTION + +CONF_modules_free() closes down and frees up all memory allocated by all +configuration modules. + +CONF_modules_finish() calls each configuration modules B<finish> handler +to free up any configuration that module may have performed. + +CONF_modules_unload() finishes and unloads configuration modules. If +B<all> is set to B<0> only modules loaded from DSOs will be unloads. If +B<all> is B<1> all modules, including builtin modules will be unloaded. + +=head1 NOTES + +Normally applications will only call CONF_modules_free() at application to +tidy up any configuration performed. + +=head1 RETURN VALUE + +None of the functions return a value. + +=head1 SEE ALSO + +L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>, +L<CONF_modules_load_file(3), CONF_modules_load_file(3)> + +=head1 HISTORY + +CONF_modules_free(), CONF_modules_unload(), and CONF_modules_finish() +first appeared in OpenSSL 0.9.7. + +=cut diff --git a/crypto/openssl/doc/crypto/CONF_modules_load_file.pod b/crypto/openssl/doc/crypto/CONF_modules_load_file.pod new file mode 100644 index 000000000000..9965d69bf2ec --- /dev/null +++ b/crypto/openssl/doc/crypto/CONF_modules_load_file.pod @@ -0,0 +1,60 @@ +=pod + +=head1 NAME + + CONF_modules_load_file, CONF_modules_load - OpenSSL configuration functions + +=head1 SYNOPSIS + + #include <openssl/conf.h> + + int CONF_modules_load_file(const char *filename, const char *appname, + unsigned long flags); + int CONF_modules_load(const CONF *cnf, const char *appname, + unsigned long flags); + +=head1 DESCRIPTION + +The function CONF_modules_load_file() configures OpenSSL using file +B<filename> and application name B<appname>. If B<filename> is NULL +the standard OpenSSL configuration file is used. If B<appname> is +NULL the standard OpenSSL application name B<openssl_conf> is used. +The behaviour can be cutomized using B<flags>. + +CONF_modules_load() is idential to CONF_modules_load_file() except it +read configuration information from B<cnf>. + +=head1 NOTES + +The following B<flags> are currently recognized: + +B<CONF_MFLAGS_IGNORE_ERRORS> if set errors returned by individual +configuration modules are ignored. If not set the first module error is +considered fatal and no further modules are loads. + +Normally any modules errors will add error information to the error queue. If +B<CONF_MFLAGS_SILENT> is set no error information is added. + +If B<CONF_MFLAGS_NO_DSO> is set configuration module loading from DSOs is +disabled. + +B<CONF_MFLAGS_IGNORE_MISSING_FILE> if set will make CONF_load_modules_file() +ignore missing configuration files. Normally a missing configuration file +return an error. + +=head1 RETURN VALUE + +These functions return 1 for success and a zero or negative value for +failure. If module errors are not ignored the return code will reflect the +return value of the failing module (this will always be zero or negative). + +=head1 SEE ALSO + +L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>, +L<CONF_free(3), CONF_free(3)>, L<err(3),err(3)> + +=head1 HISTORY + +CONF_modules_load_file and CONF_modules_load first appeared in OpenSSL 0.9.7. + +=cut diff --git a/crypto/openssl/doc/crypto/EVP_BytesToKey.pod b/crypto/openssl/doc/crypto/EVP_BytesToKey.pod index 5ce4add0821c..016381f3e994 100644 --- a/crypto/openssl/doc/crypto/EVP_BytesToKey.pod +++ b/crypto/openssl/doc/crypto/EVP_BytesToKey.pod @@ -2,7 +2,7 @@ =head1 NAME - EVP_BytesToKey - password based encryption routine +EVP_BytesToKey - password based encryption routine =head1 SYNOPSIS diff --git a/crypto/openssl/doc/crypto/EVP_DigestInit.pod b/crypto/openssl/doc/crypto/EVP_DigestInit.pod index 5901c3952660..1cb315e739dd 100644 --- a/crypto/openssl/doc/crypto/EVP_DigestInit.pod +++ b/crypto/openssl/doc/crypto/EVP_DigestInit.pod @@ -4,7 +4,7 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE, -EVP_MD_CTX_copy_ex EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, +EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2, EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj - diff --git a/crypto/openssl/doc/crypto/OPENSSL_config.pod b/crypto/openssl/doc/crypto/OPENSSL_config.pod new file mode 100644 index 000000000000..16600620ccf3 --- /dev/null +++ b/crypto/openssl/doc/crypto/OPENSSL_config.pod @@ -0,0 +1,82 @@ +=pod + +=head1 NAME + +OPENSSL_config, OPENSSL_no_config - simple OpenSSL configuration functions + +=head1 SYNOPSIS + + #include <openssl/conf.h> + + void OPENSSL_config(const char *config_name); + void OPENSSL_no_config(void); + +=head1 DESCRIPTION + +OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf> +configuration file name using B<config_name>. If B<config_name> is NULL then +the default name B<openssl_conf> will be used. Any errors are ignored. Further +calls to OPENSSL_config() will have no effect. The configuration file format +is documented in the L<conf(5)|conf(5)> manual page. + +OPENSSL_no_config() disables configuration. If called before OPENSSL_config() +no configuration takes place. + +=head1 NOTES + +It is B<strongly> recommended that B<all> new applications call OPENSSL_config() +or the more sophisticated functions such as CONF_modules_load() during +initialization (that is before starting any threads). By doing this +an application does not need to keep track of all configuration options +and some new functionality can be supported automatically. + +It is also possible to automatically call OPENSSL_config() when an application +calls OPENSSL_add_all_algorithms() by compiling an application with the +preprocessor symbol B<OPENSSL_LOAD_CONF> #define'd. In this way configuration +can be added without source changes. + +The environment variable B<OPENSSL_CONFIG> can be set to specify the location +of the configuration file. + +Currently ASN1 OBJECTs and ENGINE configuration can be performed future +versions of OpenSSL will add new configuration options. + +There are several reasons why calling the OpenSSL configuration routines is +advisable. For example new ENGINE functionality was added to OpenSSL 0.9.7. +In OpenSSL 0.9.7 control functions can be supported by ENGINEs, this can be +used (among other things) to load dynamic ENGINEs from shared libraries (DSOs). +However very few applications currently support the control interface and so +very few can load and use dynamic ENGINEs. Equally in future more sophisticated +ENGINEs will require certain control operations to customize them. If an +application calls OPENSSL_config() it doesn't need to know or care about +ENGINE control operations because they can be performed by editing a +configuration file. + +Applications should free up configuration at application closedown by calling +CONF_modules_free(). + +=head1 RESTRICTIONS + +The OPENSSL_config() function is designed to be a very simple "call it and +forget it" function. As a result its behaviour is somewhat limited. It ignores +all errors silently and it can only load from the standard configuration file +location for example. + +It is however B<much> better than nothing. Applications which need finer +control over their configuration functionality should use the configuration +functions such as CONF_load_modules() directly. + +=head1 RETURN VALUES + +Neither OPENSSL_config() nor OPENSSL_no_config() return a value. + +=head1 SEE ALSO + +L<conf(5)|conf(5)>, L<CONF_load_modules_file(3)|CONF_load_modules_file(3)>, +L<CONF_modules_free(3),CONF_modules_free(3)> + +=head1 HISTORY + +OPENSSL_config() and OPENSSL_no_config() first appeared in OpenSSL 0.9.7 + +=cut diff --git a/crypto/openssl/doc/crypto/OPENSSL_load_builtin_modules.pod b/crypto/openssl/doc/crypto/OPENSSL_load_builtin_modules.pod new file mode 100644 index 000000000000..f14dfaf005dd --- /dev/null +++ b/crypto/openssl/doc/crypto/OPENSSL_load_builtin_modules.pod @@ -0,0 +1,51 @@ +=pod + +=head1 NAME + +OPENSSL_load_builtin_modules - add standard configuration modules + +=head1 SYNOPSIS + + #include <openssl/conf.h> + + void OPENSSL_load_builtin_modules(void); + void ASN1_add_oid_module(void); + ENGINE_add_conf_module(); + +=head1 DESCRIPTION + +The function OPENSSL_load_builtin_modules() adds all the standard OpenSSL +configuration modules to the internal list. They can then be used by the +OpenSSL configuration code. + +ASN1_add_oid_module() adds just the ASN1 OBJECT module. + +ENGINE_add_conf_module() adds just the ENGINE configuration module. + +=head1 NOTES + +If the simple configuration function OPENSSL_config() is called then +OPENSSL_load_builtin_modules() is called automatically. + +Applications which use the configuration functions directly will need to +call OPENSSL_load_builtin_modules() themselves I<before> any other +configuration code. + +Applications should call OPENSSL_load_builtin_modules() to load all +configuration modules instead of adding modules selectively: otherwise +functionality may be missing from the application if an when new +modules are added. + +=head1 RETURN VALUE + +None of the functions return a value. + +=head1 SEE ALSO + +L<conf(3)|conf(3)>, L<OPENSSL_config(3)|OPENSSL_config(3)> + +=head1 HISTORY + +These functions first appeared in OpenSSL 0.9.7. + +=cut diff --git a/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod b/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod index 486c90343078..e63411b5bba0 100644 --- a/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod +++ b/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod @@ -36,7 +36,7 @@ None of the functions return a value. =head1 NOTES -A typical application will will call OpenSSL_add_all_algorithms() initially and +A typical application will call OpenSSL_add_all_algorithms() initially and EVP_cleanup() before exiting. An application does not need to add algorithms to use them explicitly, for example diff --git a/crypto/openssl/doc/crypto/RSA_print.pod b/crypto/openssl/doc/crypto/RSA_print.pod index e28d107d1c6e..c971e91f4db6 100644 --- a/crypto/openssl/doc/crypto/RSA_print.pod +++ b/crypto/openssl/doc/crypto/RSA_print.pod @@ -44,6 +44,6 @@ L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)> RSA_print(), RSA_print_fp(), DSA_print(), DSA_print_fp(), DH_print(), DH_print_fp() are available in all versions of SSLeay and OpenSSL. -DSAparams_print() and DSAparams_print_pf() were added in SSLeay 0.8. +DSAparams_print() and DSAparams_print_fp() were added in SSLeay 0.8. =cut diff --git a/crypto/openssl/doc/crypto/d2i_DSAPublicKey.pod b/crypto/openssl/doc/crypto/d2i_DSAPublicKey.pod index 6ebd30427b88..22c1b50f2288 100644 --- a/crypto/openssl/doc/crypto/d2i_DSAPublicKey.pod +++ b/crypto/openssl/doc/crypto/d2i_DSAPublicKey.pod @@ -9,6 +9,7 @@ and parsing functions. =head1 SYNOPSIS #include <openssl/dsa.h> + #include <openssl/x509.h> DSA * d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length); @@ -35,8 +36,8 @@ and parsing functions. d2i_DSAPublicKey() and i2d_DSAPublicKey() decode and encode the DSA public key components structure. -d2i_DSA_PUKEY() and i2d_DSA_PUKEY() decode and encode an DSA public key using a -SubjectPublicKeyInfo (certificate public key) structure. +d2i_DSA_PUBKEY() and i2d_DSA_PUBKEY() decode and encode an DSA public key using +a SubjectPublicKeyInfo (certificate public key) structure. d2i_DSAPrivateKey(), i2d_DSAPrivateKey() decode and encode the DSA private key components. diff --git a/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod b/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod index 7c71bcbf3dbd..279b29c873c0 100644 --- a/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod +++ b/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod @@ -9,6 +9,7 @@ d2i_Netscape_RSA - RSA public and private key encoding functions. =head1 SYNOPSIS #include <openssl/rsa.h> + #include <openssl/x509.h> RSA * d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length); @@ -31,8 +32,8 @@ d2i_Netscape_RSA - RSA public and private key encoding functions. d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1 RSAPublicKey structure. -d2i_RSA_PUKEY() and i2d_RSA_PUKEY() decode and encode an RSA public key using a -SubjectPublicKeyInfo (certificate public key) structure. +d2i_RSA_PUBKEY() and i2d_RSA_PUBKEY() decode and encode an RSA public key using +a SubjectPublicKeyInfo (certificate public key) structure. d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1 RSAPrivateKey structure. diff --git a/crypto/openssl/doc/crypto/des.pod b/crypto/openssl/doc/crypto/des.pod index 528c73acac61..6f0cf1cc5e5f 100644 --- a/crypto/openssl/doc/crypto/des.pod +++ b/crypto/openssl/doc/crypto/des.pod @@ -283,7 +283,7 @@ DES_cbc_encrypt is used. =head1 NOTES Single-key DES is insecure due to its short key size. ECB mode is -not suitable for most applications; see L<DES_modes(7)|DES_modes(7)>. +not suitable for most applications; see L<des_modes(7)|des_modes(7)>. The L<evp(3)|evp(3)> library provides higher-level encryption functions. diff --git a/crypto/openssl/doc/crypto/pem.pod b/crypto/openssl/doc/crypto/pem.pod index a4f8cc33376a..8613114452e8 100644 --- a/crypto/openssl/doc/crypto/pem.pod +++ b/crypto/openssl/doc/crypto/pem.pod @@ -330,7 +330,7 @@ most of them are set to 0 or NULL. Read a certificate in PEM format from a BIO: X509 *x; - x = PEM_read_bio(bp, NULL, 0, NULL); + x = PEM_read_bio_X509(bp, NULL, 0, NULL); if (x == NULL) { /* Error */ @@ -459,12 +459,12 @@ returned by EVP_bytestokey(). The PEM read routines in some versions of OpenSSL will not correctly reuse an existing structure. Therefore the following: - PEM_read_bio(bp, &x, 0, NULL); + PEM_read_bio_X509(bp, &x, 0, NULL); where B<x> already contains a valid certificate, may not work, whereas: X509_free(x); - x = PEM_read_bio(bp, NULL, 0, NULL); + x = PEM_read_bio_X509(bp, NULL, 0, NULL); is guaranteed to work. diff --git a/crypto/openssl/doc/crypto/ui.pod b/crypto/openssl/doc/crypto/ui.pod index 2b3535a74618..6df68d604a82 100644 --- a/crypto/openssl/doc/crypto/ui.pod +++ b/crypto/openssl/doc/crypto/ui.pod @@ -5,7 +5,7 @@ UI_new, UI_new_method, UI_free, UI_add_input_string, UI_dup_input_string, UI_add_verify_string, UI_dup_verify_string, UI_add_input_boolean, UI_dup_input_boolean, UI_add_info_string, UI_dup_info_string, -UI_add_error_string, UI_dup_error_string, UI_construct_prompt +UI_add_error_string, UI_dup_error_string, UI_construct_prompt, UI_add_user_data, UI_get0_user_data, UI_get0_result, UI_process, UI_ctrl, UI_set_default_method, UI_get_default_method, UI_get_method, UI_set_method, UI_OpenSSL, ERR_load_UI_strings - New User Interface diff --git a/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod b/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod index 2a987391147c..42fa66b19751 100644 --- a/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod +++ b/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod @@ -53,11 +53,11 @@ SSL_COMP_add_compression_method() may return the following values: =over 4 -=item 1 +=item 0 The operation succeeded. -=item 0 +=item 1 The operation failed. Check the error queue to find out the reason. diff --git a/crypto/openssl/doc/ssleay.txt b/crypto/openssl/doc/ssleay.txt index c6049d5e53ba..d44d2f04a022 100644 --- a/crypto/openssl/doc/ssleay.txt +++ b/crypto/openssl/doc/ssleay.txt @@ -6245,7 +6245,7 @@ SSL_get_app_data void SSL_CTX_set_default_verify /* This callback, if set, totaly overrides the normal SSLeay verification - * functions and should return 1 on sucesss and 0 on failure */ + * functions and should return 1 on success and 0 on failure */ void SSL_CTX_set_cert_verify_callback /* The following are the same as the equivilent SSL_xxx functions. diff --git a/crypto/openssl/openssl.spec b/crypto/openssl/openssl.spec index 9ce236e0d21e..6a272f69698e 100644 --- a/crypto/openssl/openssl.spec +++ b/crypto/openssl/openssl.spec @@ -1,7 +1,7 @@ %define libmaj 0 %define libmin 9 %define librel 7 -%define librev c +%define librev d Release: 1 %define openssldir /var/ssl diff --git a/crypto/openssl/ssl/Makefile.ssl b/crypto/openssl/ssl/Makefile.ssl index e36a79b2d6ff..3ae3561ac1b3 100644 --- a/crypto/openssl/ssl/Makefile.ssl +++ b/crypto/openssl/ssl/Makefile.ssl @@ -55,14 +55,14 @@ ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ..; $(MAKE) DIRS=$(DIR) all) -all: lib shared +all: shared lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib -shared: +shared: lib if [ -n "$(SHARED_LIBS)" ]; then \ (cd ..; $(MAKE) $(SHARED_LIB)); \ fi @@ -71,7 +71,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS) @@ -280,84 +280,82 @@ s23_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s23_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h s23_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_srvr.c s23_srvr.o: ssl_locl.h -s2_clnt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s2_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_clnt.o: ../include/openssl/des.h ../include/openssl/des_old.h -s2_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s2_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s2_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s2_clnt.o: ../include/openssl/md2.h ../include/openssl/md4.h -s2_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -s2_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h -s2_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -s2_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -s2_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s2_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s2_clnt.o: ../include/openssl/tls1.h ../include/openssl/ui.h -s2_clnt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h -s2_clnt.o: ../include/openssl/x509_vfy.h s2_clnt.c ssl_locl.h -s2_enc.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s2_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_enc.o: ../include/openssl/des.h ../include/openssl/des_old.h -s2_enc.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s2_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s2_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s2_enc.o: ../include/openssl/md2.h ../include/openssl/md4.h -s2_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -s2_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s2_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s2_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s2_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s2_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s2_enc.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h -s2_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_enc.c -s2_enc.o: ssl_locl.h -s2_lib.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s2_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_lib.o: ../include/openssl/des.h ../include/openssl/des_old.h -s2_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s2_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s2_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s2_lib.o: ../include/openssl/md2.h ../include/openssl/md4.h -s2_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -s2_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s2_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s2_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s2_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s2_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s2_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s2_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s2_lib.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h -s2_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_lib.c -s2_lib.o: ssl_locl.h +s2_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s2_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s2_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s2_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_clnt.o: ../include/openssl/idea.h ../include/openssl/kssl.h +s2_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h +s2_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h +s2_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +s2_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +s2_clnt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +s2_clnt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +s2_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s2_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s2_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s2_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s2_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s2_clnt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +s2_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_clnt.c +s2_clnt.o: ssl_locl.h +s2_enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s2_enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_enc.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_enc.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s2_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s2_enc.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_enc.o: ../include/openssl/idea.h ../include/openssl/kssl.h +s2_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h +s2_enc.o: ../include/openssl/md4.h ../include/openssl/md5.h +s2_enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +s2_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s2_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s2_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s2_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s2_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s2_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s2_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s2_enc.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s2_enc.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s2_enc.o: ../include/openssl/x509_vfy.h s2_enc.c ssl_locl.h +s2_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s2_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s2_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s2_lib.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h +s2_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h +s2_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h +s2_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s2_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s2_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s2_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s2_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s2_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s2_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s2_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s2_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s2_lib.o: ../include/openssl/x509_vfy.h s2_lib.c ssl_locl.h s2_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s2_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s2_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h @@ -383,58 +381,57 @@ s2_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s2_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h s2_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s2_meth.o: ../include/openssl/x509_vfy.h s2_meth.c ssl_locl.h -s2_pkt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s2_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_pkt.o: ../include/openssl/des.h ../include/openssl/des_old.h -s2_pkt.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s2_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s2_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s2_pkt.o: ../include/openssl/md2.h ../include/openssl/md4.h -s2_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -s2_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s2_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s2_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s2_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s2_pkt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h -s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c -s2_pkt.o: ssl_locl.h -s2_srvr.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s2_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_srvr.o: ../include/openssl/des.h ../include/openssl/des_old.h -s2_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s2_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s2_srvr.o: ../include/openssl/md2.h ../include/openssl/md4.h -s2_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -s2_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h -s2_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -s2_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s2_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s2_srvr.o: ../include/openssl/tls1.h ../include/openssl/ui.h -s2_srvr.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h -s2_srvr.o: ../include/openssl/x509_vfy.h s2_srvr.c ssl_locl.h +s2_pkt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s2_pkt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_pkt.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_pkt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_pkt.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s2_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s2_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_pkt.o: ../include/openssl/idea.h ../include/openssl/kssl.h +s2_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h +s2_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h +s2_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +s2_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s2_pkt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s2_pkt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s2_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s2_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s2_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s2_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s2_pkt.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s2_pkt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s2_pkt.o: ../include/openssl/x509_vfy.h s2_pkt.c ssl_locl.h +s2_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s2_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s2_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_srvr.o: ../include/openssl/idea.h ../include/openssl/kssl.h +s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h +s2_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h +s2_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +s2_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +s2_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +s2_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s2_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s2_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s2_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s2_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s2_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +s2_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_srvr.c +s2_srvr.o: ssl_locl.h s3_both.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s3_both.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s3_both.o: ../include/openssl/bn.h ../include/openssl/buffer.h @@ -461,32 +458,32 @@ s3_both.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s3_both.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h s3_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_both.c s3_both.o: ssl_locl.h -s3_clnt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s3_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s3_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s3_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_clnt.o: ../include/openssl/des.h ../include/openssl/des_old.h -s3_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s3_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s3_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h -s3_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s3_clnt.o: ../include/openssl/md2.h ../include/openssl/md4.h -s3_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -s3_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s3_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s3_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s3_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s3_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h -s3_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -s3_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -s3_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s3_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s3_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s3_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s3_clnt.o: ../include/openssl/tls1.h ../include/openssl/ui.h -s3_clnt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h -s3_clnt.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_clnt.c ssl_locl.h +s3_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s3_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h +s3_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s3_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s3_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h +s3_clnt.o: ../include/openssl/idea.h ../include/openssl/kssl.h +s3_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h +s3_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h +s3_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +s3_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s3_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s3_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s3_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +s3_clnt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +s3_clnt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +s3_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s3_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s3_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s3_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s3_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s3_clnt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +s3_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h +s3_clnt.o: s3_clnt.c ssl_locl.h s3_enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s3_enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s3_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h @@ -587,16 +584,15 @@ s3_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_pkt.o: ../include/openssl/tls1.h ../include/openssl/ui.h s3_pkt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s3_pkt.o: ../include/openssl/x509_vfy.h s3_pkt.c ssl_locl.h -s3_srvr.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s3_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s3_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_srvr.o: ../include/openssl/des.h ../include/openssl/des_old.h -s3_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s3_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s3_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h -s3_srvr.o: ../include/openssl/krb5_asn.h ../include/openssl/kssl.h +s3_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s3_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s3_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h +s3_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s3_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s3_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h +s3_srvr.o: ../include/openssl/idea.h ../include/openssl/kssl.h s3_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h s3_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h s3_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h @@ -639,32 +635,32 @@ ssl_algs.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_algs.o: ../include/openssl/tls1.h ../include/openssl/ui.h ssl_algs.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h ssl_algs.o: ../include/openssl/x509_vfy.h ssl_algs.c ssl_locl.h -ssl_asn1.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -ssl_asn1.o: ../include/openssl/asn1.h ../include/openssl/asn1_mac.h -ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/blowfish.h -ssl_asn1.o: ../include/openssl/bn.h ../include/openssl/buffer.h -ssl_asn1.o: ../include/openssl/cast.h ../include/openssl/comp.h -ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/des.h -ssl_asn1.o: ../include/openssl/des_old.h ../include/openssl/dh.h -ssl_asn1.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -ssl_asn1.o: ../include/openssl/err.h ../include/openssl/evp.h -ssl_asn1.o: ../include/openssl/idea.h ../include/openssl/kssl.h -ssl_asn1.o: ../include/openssl/lhash.h ../include/openssl/md2.h -ssl_asn1.o: ../include/openssl/md4.h ../include/openssl/md5.h -ssl_asn1.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -ssl_asn1.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -ssl_asn1.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -ssl_asn1.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ssl_asn1.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h -ssl_asn1.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -ssl_asn1.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -ssl_asn1.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ssl_asn1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -ssl_asn1.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ssl_asn1.o: ../include/openssl/tls1.h ../include/openssl/ui.h -ssl_asn1.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h -ssl_asn1.o: ../include/openssl/x509_vfy.h ssl_asn1.c ssl_locl.h +ssl_asn1.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_asn1.o: ../include/openssl/asn1_mac.h ../include/openssl/bio.h +ssl_asn1.o: ../include/openssl/blowfish.h ../include/openssl/bn.h +ssl_asn1.o: ../include/openssl/buffer.h ../include/openssl/cast.h +ssl_asn1.o: ../include/openssl/comp.h ../include/openssl/crypto.h +ssl_asn1.o: ../include/openssl/des.h ../include/openssl/des_old.h +ssl_asn1.o: ../include/openssl/dh.h ../include/openssl/dsa.h +ssl_asn1.o: ../include/openssl/e_os2.h ../include/openssl/err.h +ssl_asn1.o: ../include/openssl/evp.h ../include/openssl/idea.h +ssl_asn1.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +ssl_asn1.o: ../include/openssl/md2.h ../include/openssl/md4.h +ssl_asn1.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +ssl_asn1.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ssl_asn1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssl_asn1.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +ssl_asn1.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +ssl_asn1.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +ssl_asn1.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +ssl_asn1.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +ssl_asn1.o: ../include/openssl/sha.h ../include/openssl/ssl.h +ssl_asn1.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +ssl_asn1.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +ssl_asn1.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +ssl_asn1.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +ssl_asn1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_asn1.c +ssl_asn1.o: ssl_locl.h ssl_cert.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ssl_cert.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ssl_cert.o: ../include/openssl/bn.h ../include/openssl/buffer.h @@ -766,33 +762,32 @@ ssl_err2.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/ui.h ssl_err2.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h ssl_err2.o: ../include/openssl/x509_vfy.h ssl_err2.c -ssl_lib.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -ssl_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h -ssl_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h -ssl_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h -ssl_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -ssl_lib.o: ../include/openssl/err.h ../include/openssl/evp.h -ssl_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h -ssl_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h -ssl_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h -ssl_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -ssl_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -ssl_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -ssl_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ssl_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h -ssl_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -ssl_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -ssl_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ssl_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -ssl_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -ssl_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h -ssl_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h -ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h kssl_lcl.h -ssl_lib.o: ssl_lib.c ssl_locl.h +ssl_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_lib.o: ../include/openssl/conf.h ../include/openssl/crypto.h +ssl_lib.o: ../include/openssl/des.h ../include/openssl/des_old.h +ssl_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h +ssl_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h +ssl_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h +ssl_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +ssl_lib.o: ../include/openssl/md2.h ../include/openssl/md4.h +ssl_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +ssl_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ssl_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssl_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +ssl_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +ssl_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +ssl_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +ssl_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +ssl_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h +ssl_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +ssl_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +ssl_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +ssl_lib.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +ssl_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ssl_lib.o: ../include/openssl/x509v3.h kssl_lcl.h ssl_lib.c ssl_locl.h ssl_rsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ssl_rsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ssl_rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h @@ -818,32 +813,32 @@ ssl_rsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_rsa.o: ../include/openssl/tls1.h ../include/openssl/ui.h ssl_rsa.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h ssl_rsa.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_rsa.c -ssl_sess.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -ssl_sess.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_sess.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl_sess.o: ../include/openssl/des.h ../include/openssl/des_old.h -ssl_sess.o: ../include/openssl/dh.h ../include/openssl/dsa.h -ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/err.h -ssl_sess.o: ../include/openssl/evp.h ../include/openssl/idea.h -ssl_sess.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -ssl_sess.o: ../include/openssl/md2.h ../include/openssl/md4.h -ssl_sess.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -ssl_sess.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -ssl_sess.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -ssl_sess.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -ssl_sess.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ssl_sess.o: ../include/openssl/rand.h ../include/openssl/rc2.h -ssl_sess.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -ssl_sess.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -ssl_sess.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ssl_sess.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -ssl_sess.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -ssl_sess.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ssl_sess.o: ../include/openssl/tls1.h ../include/openssl/ui.h -ssl_sess.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h -ssl_sess.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_sess.c +ssl_sess.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_sess.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_sess.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_sess.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_sess.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_sess.o: ../include/openssl/des_old.h ../include/openssl/dh.h +ssl_sess.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +ssl_sess.o: ../include/openssl/err.h ../include/openssl/evp.h +ssl_sess.o: ../include/openssl/idea.h ../include/openssl/kssl.h +ssl_sess.o: ../include/openssl/lhash.h ../include/openssl/md2.h +ssl_sess.o: ../include/openssl/md4.h ../include/openssl/md5.h +ssl_sess.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +ssl_sess.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +ssl_sess.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ssl_sess.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ssl_sess.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +ssl_sess.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +ssl_sess.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +ssl_sess.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +ssl_sess.o: ../include/openssl/sha.h ../include/openssl/ssl.h +ssl_sess.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +ssl_sess.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +ssl_sess.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +ssl_sess.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +ssl_sess.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h +ssl_sess.o: ssl_sess.c ssl_stat.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ssl_stat.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ssl_stat.o: ../include/openssl/bn.h ../include/openssl/buffer.h diff --git a/crypto/openssl/ssl/kssl.c b/crypto/openssl/ssl/kssl.c index 7c45f8ff4e6d..51378897f6e2 100644 --- a/crypto/openssl/ssl/kssl.c +++ b/crypto/openssl/ssl/kssl.c @@ -953,7 +953,7 @@ print_krb5_authdata(char *label, krb5_authdata **adata) printf("%s, authdata==0\n", label); return; } - printf("%s [%p]\n", label, adata); + printf("%s [%p]\n", label, (void *)adata); #if 0 { int i; @@ -1725,7 +1725,7 @@ kssl_ctx_show(KSSL_CTX *kssl_ctx) return; } else - printf("%p\n", kssl_ctx); + printf("%p\n", (void *)kssl_ctx); printf("\tservice:\t%s\n", (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL"); diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c index 1d24dedc918b..43b32eb4159f 100644 --- a/crypto/openssl/ssl/s2_clnt.c +++ b/crypto/openssl/ssl/s2_clnt.c @@ -116,7 +116,6 @@ #include <openssl/buffer.h> #include <openssl/objects.h> #include <openssl/evp.h> -#include "cryptlib.h" static SSL_METHOD *ssl2_get_client_method(int ver); static int get_server_finished(SSL *s); diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c index d3b144f1c52c..21a06f76cb07 100644 --- a/crypto/openssl/ssl/s2_enc.c +++ b/crypto/openssl/ssl/s2_enc.c @@ -59,7 +59,6 @@ #include "ssl_locl.h" #ifndef OPENSSL_NO_SSL2 #include <stdio.h> -#include "cryptlib.h" int ssl2_enc_init(SSL *s, int client) { diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c index 910b9fe097d4..edcef4dda291 100644 --- a/crypto/openssl/ssl/s2_lib.c +++ b/crypto/openssl/ssl/s2_lib.c @@ -63,7 +63,6 @@ #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/md5.h> -#include "cryptlib.h" static long ssl2_default_timeout(void ); const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT; @@ -139,6 +138,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ SSL_ALL_STRENGTHS, }, /* IDEA_128_CBC_WITH_MD5 */ +#ifndef OPENSSL_NO_IDEA { 1, SSL2_TXT_IDEA_128_CBC_WITH_MD5, @@ -151,6 +151,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, +#endif /* DES_64_CBC_WITH_MD5 */ { 1, diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c index d82f1376135e..a10929a757f9 100644 --- a/crypto/openssl/ssl/s2_pkt.c +++ b/crypto/openssl/ssl/s2_pkt.c @@ -113,7 +113,6 @@ #ifndef OPENSSL_NO_SSL2 #include <stdio.h> #include <errno.h> -#include "cryptlib.h" #define USE_SOCKETS static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend); diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c index 62859a2d950e..5da2a54af37f 100644 --- a/crypto/openssl/ssl/s2_srvr.c +++ b/crypto/openssl/ssl/s2_srvr.c @@ -116,7 +116,6 @@ #include <openssl/rand.h> #include <openssl/objects.h> #include <openssl/evp.h> -#include "cryptlib.h" static SSL_METHOD *ssl2_get_server_method(int ver); static int get_client_master_key(SSL *s); diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index eb7daebfdfb3..26ce0cb9639d 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -117,7 +117,6 @@ #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/md5.h> -#include "cryptlib.h" static SSL_METHOD *ssl3_get_client_method(int ver); static int ssl3_client_hello(SSL *s); @@ -1947,7 +1946,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s) if (algs & SSL_kRSA) { if (rsa == NULL - || RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) + || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY); goto f_err; @@ -1959,7 +1958,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s) if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { if (dh == NULL - || DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) + || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY); goto f_err; diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c index 559924d3681b..92efb9597d38 100644 --- a/crypto/openssl/ssl/s3_enc.c +++ b/crypto/openssl/ssl/s3_enc.c @@ -199,10 +199,10 @@ int ssl3_change_cipher_state(SSL *s, int which) COMP_METHOD *comp; const EVP_MD *m; EVP_MD_CTX md; - int exp,n,i,j,k,cl; + int is_exp,n,i,j,k,cl; int reuse_dd = 0; - exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); + is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; if (s->s3->tmp.new_compression == NULL) @@ -276,9 +276,9 @@ int ssl3_change_cipher_state(SSL *s, int which) p=s->s3->tmp.key_block; i=EVP_MD_size(m); cl=EVP_CIPHER_key_length(c); - j=exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? - cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; - /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ + j=is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? + cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; + /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */ k=EVP_CIPHER_iv_length(c); if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) @@ -307,7 +307,7 @@ int ssl3_change_cipher_state(SSL *s, int which) EVP_MD_CTX_init(&md); memcpy(mac_secret,ms,i); - if (exp) + if (is_exp) { /* In here I set both the read and write key/iv to the * same value since only the correct one will be used :-). diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c index 896b12fc4f38..d04096016ce3 100644 --- a/crypto/openssl/ssl/s3_lib.c +++ b/crypto/openssl/ssl/s3_lib.c @@ -271,6 +271,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, /* Cipher 07 */ +#ifndef OPENSSL_NO_IDEA { 1, SSL3_TXT_RSA_IDEA_128_SHA, @@ -283,6 +284,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, +#endif /* Cipher 08 */ { 1, diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index 881f68b99891..deb3cffabeb5 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c @@ -121,9 +121,10 @@ #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/x509.h> +#ifndef OPENSSL_NO_KRB5 #include <openssl/krb5_asn.h> +#endif #include <openssl/md5.h> -#include "cryptlib.h" static SSL_METHOD *ssl3_get_server_method(int ver); static int ssl3_get_client_hello(SSL *s); @@ -1587,11 +1588,27 @@ static int ssl3_get_client_key_exchange(SSL *s) n2s(p,i); enc_ticket.length = i; + + if (n < enc_ticket.length + 6) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto err; + } + enc_ticket.data = (char *)p; p+=enc_ticket.length; n2s(p,i); authenticator.length = i; + + if (n < enc_ticket.length + authenticator.length + 6) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto err; + } + authenticator.data = (char *)p; p+=authenticator.length; diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h index 4ae845825949..913bd40eea4a 100644 --- a/crypto/openssl/ssl/ssl.h +++ b/crypto/openssl/ssl/ssl.h @@ -1357,8 +1357,8 @@ const char *SSL_alert_type_string(int value); const char *SSL_alert_desc_string_long(int value); const char *SSL_alert_desc_string(int value); -void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); -void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); +void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list); +void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list); STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s); STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s); int SSL_add_client_CA(SSL *ssl,X509 *x); diff --git a/crypto/openssl/ssl/ssl_asn1.c b/crypto/openssl/ssl/ssl_asn1.c index 16bc11b559b1..d8ff8fc4a3dc 100644 --- a/crypto/openssl/ssl/ssl_asn1.c +++ b/crypto/openssl/ssl/ssl_asn1.c @@ -62,7 +62,6 @@ #include <openssl/asn1_mac.h> #include <openssl/objects.h> #include <openssl/x509.h> -#include "cryptlib.h" typedef struct ssl_session_asn1_st { diff --git a/crypto/openssl/ssl/ssl_cert.c b/crypto/openssl/ssl/ssl_cert.c index da90078a378b..2cfb6158787a 100644 --- a/crypto/openssl/ssl/ssl_cert.c +++ b/crypto/openssl/ssl/ssl_cert.c @@ -505,12 +505,12 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) return(i); } -static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *list) +static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list) { if (*ca_list != NULL) sk_X509_NAME_pop_free(*ca_list,X509_NAME_free); - *ca_list=list; + *ca_list=name_list; } STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) @@ -532,14 +532,14 @@ STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) return(ret); } -void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *list) +void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list) { - set_client_CA_list(&(s->client_CA),list); + set_client_CA_list(&(s->client_CA),name_list); } -void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *list) +void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list) { - set_client_CA_list(&(ctx->client_CA),list); + set_client_CA_list(&(ctx->client_CA),name_list); } STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx) diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c index 888b667fa12c..44c503eb048e 100644 --- a/crypto/openssl/ssl/ssl_ciph.c +++ b/crypto/openssl/ssl/ssl_ciph.c @@ -125,7 +125,9 @@ static const SSL_CIPHER cipher_aliases[]={ {0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_RC2, 0,SSL_RC2, 0,0,0,0,SSL_ENC_MASK,0}, +#ifndef OPENSSL_NO_IDEA {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0}, +#endif {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0}, @@ -166,8 +168,12 @@ static void load_ciphers(void) EVP_get_cipherbyname(SN_rc4); ssl_cipher_methods[SSL_ENC_RC2_IDX]= EVP_get_cipherbyname(SN_rc2_cbc); +#ifndef OPENSSL_NO_IDEA ssl_cipher_methods[SSL_ENC_IDEA_IDX]= EVP_get_cipherbyname(SN_idea_cbc); +#else + ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL; +#endif ssl_cipher_methods[SSL_ENC_AES128_IDX]= EVP_get_cipherbyname(SN_aes_128_cbc); ssl_cipher_methods[SSL_ENC_AES256_IDX]= @@ -334,10 +340,10 @@ static unsigned long ssl_cipher_get_disabled(void) } static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, - int num_of_ciphers, unsigned long mask, CIPHER_ORDER *list, + int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) { - int i, list_num; + int i, co_list_num; SSL_CIPHER *c; /* @@ -348,18 +354,18 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, */ /* Get the initial list of ciphers */ - list_num = 0; /* actual count of ciphers */ + co_list_num = 0; /* actual count of ciphers */ for (i = 0; i < num_of_ciphers; i++) { c = ssl_method->get_cipher(i); /* drop those that use any of that is not available */ if ((c != NULL) && c->valid && !(c->algorithms & mask)) { - list[list_num].cipher = c; - list[list_num].next = NULL; - list[list_num].prev = NULL; - list[list_num].active = 0; - list_num++; + co_list[co_list_num].cipher = c; + co_list[co_list_num].next = NULL; + co_list[co_list_num].prev = NULL; + co_list[co_list_num].active = 0; + co_list_num++; #ifdef KSSL_DEBUG printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms); #endif /* KSSL_DEBUG */ @@ -372,18 +378,18 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, /* * Prepare linked list from list entries */ - for (i = 1; i < list_num - 1; i++) + for (i = 1; i < co_list_num - 1; i++) { - list[i].prev = &(list[i-1]); - list[i].next = &(list[i+1]); + co_list[i].prev = &(co_list[i-1]); + co_list[i].next = &(co_list[i+1]); } - if (list_num > 0) + if (co_list_num > 0) { - (*head_p) = &(list[0]); + (*head_p) = &(co_list[0]); (*head_p)->prev = NULL; - (*head_p)->next = &(list[1]); - (*tail_p) = &(list[list_num - 1]); - (*tail_p)->prev = &(list[list_num - 2]); + (*head_p)->next = &(co_list[1]); + (*tail_p) = &(co_list[co_list_num - 1]); + (*tail_p)->prev = &(co_list[co_list_num - 2]); (*tail_p)->next = NULL; } } @@ -429,7 +435,7 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list, static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask, unsigned long algo_strength, unsigned long mask_strength, - int rule, int strength_bits, CIPHER_ORDER *list, + int rule, int strength_bits, CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) { CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2; @@ -524,8 +530,9 @@ static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask, *tail_p = tail; } -static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p, - CIPHER_ORDER **tail_p) +static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list, + CIPHER_ORDER **head_p, + CIPHER_ORDER **tail_p) { int max_strength_bits, i, *number_uses; CIPHER_ORDER *curr; @@ -570,14 +577,14 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p, for (i = max_strength_bits; i >= 0; i--) if (number_uses[i] > 0) ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i, - list, head_p, tail_p); + co_list, head_p, tail_p); OPENSSL_free(number_uses); return(1); } static int ssl_cipher_process_rulestr(const char *rule_str, - CIPHER_ORDER *list, CIPHER_ORDER **head_p, + CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list) { unsigned long algorithms, mask, algo_strength, mask_strength; @@ -702,7 +709,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, ok = 0; if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8)) - ok = ssl_cipher_strength_sort(list, + ok = ssl_cipher_strength_sort(co_list, head_p, tail_p); else SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, @@ -722,7 +729,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, { ssl_cipher_apply_rule(algorithms, mask, algo_strength, mask_strength, rule, -1, - list, head_p, tail_p); + co_list, head_p, tail_p); } else { @@ -744,7 +751,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, unsigned long disabled_mask; STACK_OF(SSL_CIPHER) *cipherstack; const char *rule_p; - CIPHER_ORDER *list = NULL, *head = NULL, *tail = NULL, *curr; + CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; SSL_CIPHER **ca_list = NULL; /* @@ -774,15 +781,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, #ifdef KSSL_DEBUG printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); #endif /* KSSL_DEBUG */ - list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); - if (list == NULL) + co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); + if (co_list == NULL) { SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask, - list, &head, &tail); + co_list, &head, &tail); /* * We also need cipher aliases for selecting based on the rule_str. @@ -798,7 +805,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, (SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max); if (ca_list == NULL) { - OPENSSL_free(list); + OPENSSL_free(co_list); SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ } @@ -814,21 +821,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, if (strncmp(rule_str,"DEFAULT",7) == 0) { ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, - list, &head, &tail, ca_list); + co_list, &head, &tail, ca_list); rule_p += 7; if (*rule_p == ':') rule_p++; } if (ok && (strlen(rule_p) > 0)) - ok = ssl_cipher_process_rulestr(rule_p, list, &head, &tail, + ok = ssl_cipher_process_rulestr(rule_p, co_list, &head, &tail, ca_list); OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ - OPENSSL_free(list); + OPENSSL_free(co_list); return(NULL); } /* @@ -837,7 +844,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { - OPENSSL_free(list); + OPENSSL_free(co_list); return(NULL); } @@ -855,7 +862,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, #endif } } - OPENSSL_free(list); /* Not needed any longer */ + OPENSSL_free(co_list); /* Not needed any longer */ /* * The following passage is a little bit odd. If pointer variables @@ -905,7 +912,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) { int is_export,pkl,kl; - char *ver,*exp; + char *ver,*exp_str; char *kx,*au,*enc,*mac; unsigned long alg,alg2,alg_s; #ifdef KSSL_DEBUG @@ -921,7 +928,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) is_export=SSL_C_IS_EXPORT(cipher); pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); kl=SSL_C_EXPORT_KEYLENGTH(cipher); - exp=is_export?" export":""; + exp_str=is_export?" export":""; if (alg & SSL_SSLV2) ver="SSLv2"; @@ -1040,9 +1047,9 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) return("Buffer too small"); #ifdef KSSL_DEBUG - BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp,alg); + BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg); #else - BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp); + BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str); #endif /* KSSL_DEBUG */ return(buf); } @@ -1129,11 +1136,11 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { MemCheck_on(); SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); - return(0); + return(1); } else { MemCheck_on(); - return(1); + return(0); } } diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c index 6d698906884a..ee9a82d5860d 100644 --- a/crypto/openssl/ssl/ssl_lib.c +++ b/crypto/openssl/ssl/ssl_lib.c @@ -121,7 +121,6 @@ #include <openssl/objects.h> #include <openssl/lhash.h> #include <openssl/x509v3.h> -#include "cryptlib.h" const char *SSL_version_str=OPENSSL_VERSION_TEXT; diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c index fabcdefa6ed6..7016c87d3b2d 100644 --- a/crypto/openssl/ssl/ssl_sess.c +++ b/crypto/openssl/ssl/ssl_sess.c @@ -60,7 +60,6 @@ #include <openssl/lhash.h> #include <openssl/rand.h> #include "ssl_locl.h" -#include "cryptlib.h" static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s); diff --git a/crypto/openssl/ssl/ssltest.c b/crypto/openssl/ssl/ssltest.c index 42289c255b27..28095148e740 100644 --- a/crypto/openssl/ssl/ssltest.c +++ b/crypto/openssl/ssl/ssltest.c @@ -564,7 +564,14 @@ bad: if (cm != NULL) { if (cm->type != NID_undef) - SSL_COMP_add_compression_method(comp, cm); + { + if (SSL_COMP_add_compression_method(comp, cm) != 0) + { + fprintf(stderr, + "Failed to add compression method\n"); + ERR_print_errors_fp(stderr); + } + } else { fprintf(stderr, diff --git a/crypto/openssl/test/Makefile.ssl b/crypto/openssl/test/Makefile.ssl index a3339ca5d5b1..373f17a92978 100644 --- a/crypto/openssl/test/Makefile.ssl +++ b/crypto/openssl/test/Makefile.ssl @@ -103,11 +103,11 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @@$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile generate: $(SRC) $(SRC): - @$(TOP)/util/point.sh dummytest.c $@ + @sh $(TOP)/util/point.sh dummytest.c $@ errors: diff --git a/crypto/openssl/tools/Makefile.ssl b/crypto/openssl/tools/Makefile.ssl index bf0cd29c7745..cb33d4a41eee 100644 --- a/crypto/openssl/tools/Makefile.ssl +++ b/crypto/openssl/tools/Makefile.ssl @@ -42,7 +42,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile lint: diff --git a/crypto/openssl/tools/c_rehash b/crypto/openssl/tools/c_rehash index e614fb546667..3e9ba1efe490 100644 --- a/crypto/openssl/tools/c_rehash +++ b/crypto/openssl/tools/c_rehash @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/local/bin/perl # Perl c_rehash script, scan all files in a directory diff --git a/crypto/openssl/util/extract-names.pl b/crypto/openssl/util/extract-names.pl index 9f2ad5ef166c..744a8e2324e6 100644 --- a/crypto/openssl/util/extract-names.pl +++ b/crypto/openssl/util/extract-names.pl @@ -10,6 +10,8 @@ while(<STDIN>) { if (/ - /) { s/ - .*//; s/,[ \t]+/,/g; + s/^[ \t]+//g; + s/[ \t]+$//g; push @words, split ','; } } diff --git a/crypto/openssl/util/mk1mf.pl b/crypto/openssl/util/mk1mf.pl index c538f9dffb1d..b4bc0457e54a 100755 --- a/crypto/openssl/util/mk1mf.pl +++ b/crypto/openssl/util/mk1mf.pl @@ -277,6 +277,8 @@ $defs= <<"EOF"; EOF +$defs .= $preamble if defined $preamble; + if ($platform eq "VC-CE") { $defs.= <<"EOF"; diff --git a/crypto/openssl/util/mkdef.pl b/crypto/openssl/util/mkdef.pl index cdd2164c4e25..01a1bfda197c 100755 --- a/crypto/openssl/util/mkdef.pl +++ b/crypto/openssl/util/mkdef.pl @@ -1116,27 +1116,55 @@ sub print_test_file } } +sub get_version { + local *MF; + my $v = '?'; + open MF, 'Makefile.ssl' or return $v; + while (<MF>) { + $v = $1, last if /^VERSION=(.*?)\s*$/; + } + close MF; + return $v; +} + sub print_def_file { (*OUT,my $name,*nums,my @symbols)=@_; my $n = 1; my @e; my @r; my @v; my $prev=""; my $liboptions=""; + my $libname = $name; + my $http_vendor = 'www.openssl.org/'; + my $version = get_version(); + my $what = "OpenSSL: implementation of Secure Socket Layer"; + my $description = "$what $version, $name - http://$http_vendor"; if ($W32) - { $name.="32"; } + { $libname.="32"; } elsif ($W16) - { $name.="16"; } + { $libname.="16"; } elsif ($OS2) - { $liboptions = "INITINSTANCE\nDATA NONSHARED"; } + { # DLL names should not clash on the whole system. + # However, they should not have any particular relationship + # to the name of the static library. Chose descriptive names + # (must be at most 8 chars). + my %translate = (ssl => 'open_ssl', crypto => 'cryptssl'); + $libname = $translate{$name} || $name; + $liboptions = <<EOO; +INITINSTANCE +DATA MULTIPLE NONSHARED +EOO + # Vendor field can't contain colon, drat; so we omit http:// + $description = "\@#$http_vendor:$version#\@$what; DLL for library $name. Build for EMX -Zmtd"; + } print OUT <<"EOF"; ; ; Definition file for the DLL version of the $name library from OpenSSL ; -LIBRARY $name $liboptions +LIBRARY $libname $liboptions -DESCRIPTION 'OpenSSL $name - http://www.openssl.org/' +DESCRIPTION '$description' EOF diff --git a/crypto/openssl/util/pl/OS2-EMX.pl b/crypto/openssl/util/pl/OS2-EMX.pl index d695dda623dc..ddb35242108c 100644 --- a/crypto/openssl/util/pl/OS2-EMX.pl +++ b/crypto/openssl/util/pl/OS2-EMX.pl @@ -3,10 +3,12 @@ # OS2-EMX.pl - for EMX GCC on OS/2 # -$o='\\'; -$cp='copy'; +$o='/'; +$cp='cp'; $rm='rm -f'; +$preamble = "SHELL=sh\n"; + # C compiler stuff $cc='gcc'; @@ -48,24 +50,24 @@ $bf_enc_src=""; if (!$no_asm) { - $bn_asm_obj="crypto\\bn\\asm\\bn-os2$obj crypto\\bn\\asm\\co-os2$obj"; - $bn_asm_src="crypto\\bn\\asm\\bn-os2.asm crypto\\bn\\asm\\co-os2.asm"; - $des_enc_obj="crypto\\des\\asm\\d-os2$obj crypto\\des\\asm\\y-os2$obj"; - $des_enc_src="crypto\\des\\asm\\d-os2.asm crypto\\des\\asm\\y-os2.asm"; - $bf_enc_obj="crypto\\bf\\asm\\b-os2$obj"; - $bf_enc_src="crypto\\bf\\asm\\b-os2.asm"; - $cast_enc_obj="crypto\\cast\\asm\\c-os2$obj"; - $cast_enc_src="crypto\\cast\\asm\\c-os2.asm"; - $rc4_enc_obj="crypto\\rc4\\asm\\r4-os2$obj"; - $rc4_enc_src="crypto\\rc4\\asm\\r4-os2.asm"; - $rc5_enc_obj="crypto\\rc5\\asm\\r5-os2$obj"; - $rc5_enc_src="crypto\\rc5\\asm\\r5-os2.asm"; - $md5_asm_obj="crypto\\md5\\asm\\m5-os2$obj"; - $md5_asm_src="crypto\\md5\\asm\\m5-os2.asm"; - $sha1_asm_obj="crypto\\sha\\asm\\s1-os2$obj"; - $sha1_asm_src="crypto\\sha\\asm\\s1-os2.asm"; - $rmd160_asm_obj="crypto\\ripemd\\asm\\rm-os2$obj"; - $rmd160_asm_src="crypto\\ripemd\\asm\\rm-os2.asm"; + $bn_asm_obj="crypto/bn/asm/bn-os2$obj crypto/bn/asm/co-os2$obj"; + $bn_asm_src="crypto/bn/asm/bn-os2.asm crypto/bn/asm/co-os2.asm"; + $des_enc_obj="crypto/des/asm/d-os2$obj crypto/des/asm/y-os2$obj"; + $des_enc_src="crypto/des/asm/d-os2.asm crypto/des/asm/y-os2.asm"; + $bf_enc_obj="crypto/bf/asm/b-os2$obj"; + $bf_enc_src="crypto/bf/asm/b-os2.asm"; + $cast_enc_obj="crypto/cast/asm/c-os2$obj"; + $cast_enc_src="crypto/cast/asm/c-os2.asm"; + $rc4_enc_obj="crypto/rc4/asm/r4-os2$obj"; + $rc4_enc_src="crypto/rc4/asm/r4-os2.asm"; + $rc5_enc_obj="crypto/rc5/asm/r5-os2$obj"; + $rc5_enc_src="crypto/rc5/asm/r5-os2.asm"; + $md5_asm_obj="crypto/md5/asm/m5-os2$obj"; + $md5_asm_src="crypto/md5/asm/m5-os2.asm"; + $sha1_asm_obj="crypto/sha/asm/s1-os2$obj"; + $sha1_asm_src="crypto/sha/asm/s1-os2.asm"; + $rmd160_asm_obj="crypto/ripemd/asm/rm-os2$obj"; + $rmd160_asm_src="crypto/ripemd/asm/rm-os2.asm"; } if ($shlib) |