author | Damien Miller <djm@cvs.openbsd.org> | 2005-04-29 05:39:34 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2005-04-29 05:39:34 +0000 |
commit | 96d1d9b6e08bc96e9e2ca66809e78057a7ad7715 (patch) | |
tree | 3c21c706afbaf02026085e88634587633cdae96a /lib/libcrypto | |
parent | ccd50423df222a7b368ec130192398b49e23114a (diff) |
resolve conflicts
Diffstat (limited to 'lib/libcrypto')
199 files changed, 2880 insertions, 765 deletions
diff --git a/lib/libcrypto/aes/aes.h b/lib/libcrypto/aes/aes.h index da067f4a8fa..8a3ea0b8836 100644 --- a/lib/libcrypto/aes/aes.h +++ b/lib/libcrypto/aes/aes.h @@ -52,6 +52,8 @@ #ifndef HEADER_AES_H #define HEADER_AES_H +#include <openssl/e_os2.h> + #ifdef OPENSSL_NO_AES #error AES is disabled. #endif @@ -64,6 +66,10 @@ #define AES_MAXNR 14 #define AES_BLOCK_SIZE 16 +#if defined(OPENSSL_FIPS) +#define FIPS_AES_SIZE_T int +#endif + #ifdef __cplusplus extern "C" { #endif @@ -95,6 +101,15 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out, const unsigned long length, const AES_KEY *key, unsigned char *ivec, int *num, const int enc); +void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out, + const unsigned long length, const AES_KEY *key, + unsigned char *ivec, int *num, const int enc); +void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out, + const unsigned long length, const AES_KEY *key, + unsigned char *ivec, int *num, const int enc); +void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out, + const int nbits,const AES_KEY *key, + unsigned char *ivec,const int enc); void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out, const unsigned long length, const AES_KEY *key, unsigned char *ivec, int *num); diff --git a/lib/libcrypto/aes/aes_cbc.c b/lib/libcrypto/aes/aes_cbc.c index 1222a21002c..d2ba6bcdb46 100644 --- a/lib/libcrypto/aes/aes_cbc.c +++ b/lib/libcrypto/aes/aes_cbc.c @@ -66,6 +66,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, unsigned long n; unsigned long len = length; unsigned char tmp[AES_BLOCK_SIZE]; + const unsigned char *iv = ivec; assert(in && out && key && ivec); assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc)); 
@@ -73,22 +74,39 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, if (AES_ENCRYPT == enc) { while (len >= AES_BLOCK_SIZE) { for(n=0; n < AES_BLOCK_SIZE; ++n) - tmp[n] = in[n] ^ ivec[n]; - AES_encrypt(tmp, out, key); - memcpy(ivec, out, AES_BLOCK_SIZE); + out[n] = in[n] ^ iv[n]; + AES_encrypt(out, out, key); + iv = out; len -= AES_BLOCK_SIZE; in += AES_BLOCK_SIZE; out += AES_BLOCK_SIZE; } if (len) { for(n=0; n < len; ++n) - tmp[n] = in[n] ^ ivec[n]; + out[n] = in[n] ^ iv[n]; for(n=len; n < AES_BLOCK_SIZE; ++n) - tmp[n] = ivec[n]; - AES_encrypt(tmp, tmp, key); - memcpy(out, tmp, AES_BLOCK_SIZE); - memcpy(ivec, tmp, AES_BLOCK_SIZE); - } + out[n] = iv[n]; + AES_encrypt(out, out, key); + iv = out; + } + memcpy(ivec,iv,AES_BLOCK_SIZE); + } else if (in != out) { + while (len >= AES_BLOCK_SIZE) { + AES_decrypt(in, out, key); + for(n=0; n < AES_BLOCK_SIZE; ++n) + out[n] ^= iv[n]; + iv = in; + len -= AES_BLOCK_SIZE; + in += AES_BLOCK_SIZE; + out += AES_BLOCK_SIZE; + } + if (len) { + AES_decrypt(in,tmp,key); + for(n=0; n < len; ++n) + out[n] = tmp[n] ^ iv[n]; + iv = in; + } + memcpy(ivec,iv,AES_BLOCK_SIZE); } else { while (len >= AES_BLOCK_SIZE) { memcpy(tmp, in, AES_BLOCK_SIZE); @@ -102,10 +120,12 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, } if (len) { memcpy(tmp, in, AES_BLOCK_SIZE); - AES_decrypt(tmp, tmp, key); + AES_decrypt(tmp, out, key); for(n=0; n < len; ++n) - out[n] = tmp[n] ^ ivec[n]; + out[n] ^= ivec[n]; + for(n=len; n < AES_BLOCK_SIZE; ++n) + out[n] = tmp[n]; memcpy(ivec, tmp, AES_BLOCK_SIZE); - } + } } } diff --git a/lib/libcrypto/aes/aes_cfb.c b/lib/libcrypto/aes/aes_cfb.c index 9b569dda903..49f0411010c 100644 --- a/lib/libcrypto/aes/aes_cfb.c +++ b/lib/libcrypto/aes/aes_cfb.c @@ -114,6 +114,7 @@ #include <openssl/aes.h> #include "aes_locl.h" +#include "e_os.h" /* The input and output encrypted as though 128bit cfb mode is being * used. The extra state information to record how much of the 
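Review bot: The new `else if (in != out)` decrypt branch of AES_cbc_encrypt (aes_cbc.c, second hunk) keeps `iv` pointing into `in`, which is correct only when the two buffers are either identical or fully disjoint. A partially overlapping `out` can overwrite ciphertext that is still needed as the next chaining value, and a pointer comparison cannot detect that. The contract deserves a comment above the function, for example `/* in and out must be the same buffer or must not overlap */`. With `length == 0` both this branch and the encrypt branch reach `memcpy(ivec,iv,AES_BLOCK_SIZE)` while `iv` still equals `ivec`, a self-copy that memcpy does not define; `if (iv != ivec) memcpy(ivec,iv,AES_BLOCK_SIZE);` avoids it. The function starts and ends outside this hunk.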
@@ -155,3 +156,70 @@ void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out, *num=n; } +/* This expects a single block of size nbits for both in and out. Note that + it corrupts any extra bits in the last byte of out */ +void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out, + const int nbits,const AES_KEY *key, + unsigned char *ivec,const int enc) + { + int n,rem,num; + unsigned char ovec[AES_BLOCK_SIZE*2]; + + if (nbits<=0 || nbits>128) return; + + /* fill in the first half of the new IV with the current IV */ + memcpy(ovec,ivec,AES_BLOCK_SIZE); + /* construct the new IV */ + AES_encrypt(ivec,ivec,key); + num = (nbits+7)/8; + if (enc) /* encrypt the input */ + for(n=0 ; n < num ; ++n) + out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n] ^ ivec[n]); + else /* decrypt the input */ + for(n=0 ; n < num ; ++n) + out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n]) ^ ivec[n]; + /* shift ovec left... */ + rem = nbits%8; + num = nbits/8; + if(rem==0) + memcpy(ivec,ovec+num,AES_BLOCK_SIZE); + else + for(n=0 ; n < AES_BLOCK_SIZE ; ++n) + ivec[n] = ovec[n+num]<<rem | ovec[n+num+1]>>(8-rem); + + /* it is not necessary to cleanse ovec, since the IV is not secret */ + } + +/* N.B. This expects the input to be packed, MS bit first */ +void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out, + const unsigned long length, const AES_KEY *key, + unsigned char *ivec, int *num, const int enc) + { + unsigned int n; + unsigned char c[1],d[1]; + + assert(in && out && key && ivec && num); + assert(*num == 0); + + memset(out,0,(length+7)/8); + for(n=0 ; n < length ; ++n) + { + c[0]=(in[n/8]&(1 << (7-n%8))) ? 
0x80 : 0; + AES_cfbr_encrypt_block(c,d,1,key,ivec,enc); + out[n/8]=(out[n/8]&~(1 << (7-n%8)))|((d[0]&0x80) >> (n%8)); + } + } + +void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out, + const unsigned long length, const AES_KEY *key, + unsigned char *ivec, int *num, const int enc) + { + unsigned int n; + + assert(in && out && key && ivec && num); + assert(*num == 0); + + for(n=0 ; n < length ; ++n) + AES_cfbr_encrypt_block(&in[n],&out[n],8,key,ivec,enc); + } + diff --git a/lib/libcrypto/aes/aes_core.c b/lib/libcrypto/aes/aes_core.c index 2f41a825f8d..ed566a81233 100644 --- a/lib/libcrypto/aes/aes_core.c +++ b/lib/libcrypto/aes/aes_core.c @@ -37,8 +37,11 @@ #include <stdlib.h> #include <openssl/aes.h> +#include <openssl/fips.h> #include "aes_locl.h" +#ifndef OPENSSL_FIPS + /* Te0[x] = S [x].[02, 01, 01, 03]; Te1[x] = S [x].[03, 02, 01, 01]; @@ -1255,3 +1258,4 @@ void AES_decrypt(const unsigned char *in, unsigned char *out, PUTU32(out + 12, s3); } +#endif /* ndef OPENSSL_FIPS */ diff --git a/lib/libcrypto/aes/aes_ctr.c b/lib/libcrypto/aes/aes_ctr.c index 79e1c18f193..f36982be1e2 100644 --- a/lib/libcrypto/aes/aes_ctr.c +++ b/lib/libcrypto/aes/aes_ctr.c @@ -59,7 +59,7 @@ #include <openssl/aes.h> #include "aes_locl.h" -/* NOTE: CTR mode is big-endian. The rest of the AES code +/* NOTE: the IV/counter CTR mode is big-endian. The rest of the AES code * is endian-neutral. */ /* increment counter (128-bit int) by 1 */ 
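Review bot: In AES_cfb1_encrypt (aes_cfb.c, the hunk that begins on the previous line) `memset(out,0,(length+7)/8);` runs before any input bit is read, so a caller that works in place (`in == out`) has its input zeroed before the loop sees it. Nothing in the hunk forbids aliasing, and the loop already clears and sets each output bit itself with `out[n/8]=(out[n/8]&~(1 << (7-n%8)))|...`, so the memset should either be dropped or the no-aliasing rule stated in the header comment. Both new loops also count with `unsigned int n` against an `unsigned long length`; where `unsigned long` is wider than `unsigned int` the loop cannot terminate for a length above UINT_MAX, so declare `unsigned long n;`. The argument checks are assert-only and disappear under NDEBUG, and AES_cfbr_encrypt_block returns silently on a bad `nbits`, so callers get no failure signal in a release build.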
@@ -67,61 +67,36 @@ static void AES_ctr128_inc(unsigned char *counter) { unsigned long c; /* Grab bottom dword of counter and increment */ -#ifdef L_ENDIAN - c = GETU32(counter + 0); - c++; - PUTU32(counter + 0, c); -#else c = GETU32(counter + 12); - c++; + c++; c &= 0xFFFFFFFF; PUTU32(counter + 12, c); -#endif /* if no overflow, we're done */ if (c) return; /* Grab 1st dword of counter and increment */ -#ifdef L_ENDIAN - c = GETU32(counter + 4); - c++; - PUTU32(counter + 4, c); -#else c = GETU32(counter + 8); - c++; + c++; c &= 0xFFFFFFFF; PUTU32(counter + 8, c); -#endif /* if no overflow, we're done */ if (c) return; /* Grab 2nd dword of counter and increment */ -#ifdef L_ENDIAN - c = GETU32(counter + 8); - c++; - PUTU32(counter + 8, c); -#else c = GETU32(counter + 4); - c++; + c++; c &= 0xFFFFFFFF; PUTU32(counter + 4, c); -#endif /* if no overflow, we're done */ if (c) return; /* Grab top dword of counter and increment */ -#ifdef L_ENDIAN - c = GETU32(counter + 12); - c++; - PUTU32(counter + 12, c); -#else c = GETU32(counter + 0); - c++; + c++; c &= 0xFFFFFFFF; PUTU32(counter + 0, c); -#endif - } /* The input encrypted as though 128bit counter mode is being diff --git a/lib/libcrypto/aes/aes_locl.h b/lib/libcrypto/aes/aes_locl.h index f290946058e..4184729e344 100644 --- a/lib/libcrypto/aes/aes_locl.h +++ b/lib/libcrypto/aes/aes_locl.h @@ -62,7 +62,7 @@ #include <stdlib.h> #include <string.h> -#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE) +#if defined(_MSC_VER) && !defined(_M_IA64) && !defined(OPENSSL_SYS_WINCE) # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00) # define GETU32(p) SWAP(*((u32 *)(p))) # define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); } diff --git a/lib/libcrypto/asn1/a_bitstr.c b/lib/libcrypto/asn1/a_bitstr.c index f4ea96cd54e..b81bf4fc81a 100644 --- a/lib/libcrypto/asn1/a_bitstr.c +++ b/lib/libcrypto/asn1/a_bitstr.c 
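Review bot: AES_ctr128_inc (aes_ctr.c) now always treats bytes 12..15 as the least significant word, whereas the removed `#ifdef L_ENDIAN` branch incremented `counter + 0` first. On builds that defined L_ENDIAN the counter sequence, and therefore the keystream after the first block, differs from what the previous code produced. That compatibility break is worth stating above the function, e.g. `/* counter is a 128-bit big-endian integer on every platform */`, so data written by older builds is not assumed to decrypt. The added `c &= 0xFFFFFFFF` is what keeps the `if (c) return;` carry test working where `unsigned long` is wider than 32 bits; a short why-comment on its first occurrence would stop it being removed as redundant.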
@@ -194,8 +194,12 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value) c=(unsigned char *)OPENSSL_realloc_clean(a->data, a->length, w+1); - if (c == NULL) return(0); - if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length); + if (c == NULL) + { + ASN1err(ASN1_F_ASN1_BIT_STRING_SET_BIT,ERR_R_MALLOC_FAILURE); + return 0; + } + if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length); a->data=c; a->length=w+1; } diff --git a/lib/libcrypto/asn1/a_digest.c b/lib/libcrypto/asn1/a_digest.c index 4931e222a05..7182e9fa5d5 100644 --- a/lib/libcrypto/asn1/a_digest.c +++ b/lib/libcrypto/asn1/a_digest.c @@ -65,6 +65,7 @@ # include <sys/types.h> #endif +#include <openssl/err.h> #include <openssl/evp.h> #include <openssl/buffer.h> #include <openssl/x509.h> @@ -78,7 +79,11 @@ int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data, unsigned char *str,*p; i=i2d(data,NULL); - if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL) return(0); + if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL) + { + ASN1err(ASN1_F_ASN1_DIGEST,ERR_R_MALLOC_FAILURE); + return(0); + } p=str; i2d(data,&p); diff --git a/lib/libcrypto/asn1/a_enum.c b/lib/libcrypto/asn1/a_enum.c index ad8f0ffd1ab..03ede68d1cc 100644 --- a/lib/libcrypto/asn1/a_enum.c +++ b/lib/libcrypto/asn1/a_enum.c @@ -156,7 +156,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai) unsigned char *new_data=OPENSSL_realloc(ret->data, len+4); if (!new_data) { - ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE); + ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE); goto err; } ret->data=new_data; diff --git a/lib/libcrypto/asn1/a_gentm.c b/lib/libcrypto/asn1/a_gentm.c index 85810078681..0dfd5762110 100644 --- a/lib/libcrypto/asn1/a_gentm.c +++ b/lib/libcrypto/asn1/a_gentm.c 
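Review bot: In ASN1_digest (a_digest.c, second hunk) the length from `i=i2d(data,NULL);` goes straight into OPENSSL_malloc without being checked, so an encoder failure is at best reported by the new branch as a misleading ERR_R_MALLOC_FAILURE. How OPENSSL_malloc treats a non-positive size is not visible here. The X509_PUBKEY_set hunk in x_pubkey.c in this same commit already uses the safer pattern; the equivalent here is `if ((i=i2d(data,NULL)) <= 0) return(0);`. The result of the second call, `i2d(data,&p);`, is also ignored, and the function continues outside the hunk.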
@@ -192,8 +192,9 @@ int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str) { if (s != NULL) { - ASN1_STRING_set((ASN1_STRING *)s, - (unsigned char *)str,t.length); + if (!ASN1_STRING_set((ASN1_STRING *)s, + (unsigned char *)str,t.length)) + return 0; s->type=V_ASN1_GENERALIZEDTIME; } return(1); @@ -223,7 +224,12 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s, if ((p == NULL) || ((size_t)s->length < len)) { p=OPENSSL_malloc(len); - if (p == NULL) return(NULL); + if (p == NULL) + { + ASN1err(ASN1_F_ASN1_GENERALIZEDTIME_SET, + ERR_R_MALLOC_FAILURE); + return(NULL); + } if (s->data != NULL) OPENSSL_free(s->data); s->data=(unsigned char *)p; diff --git a/lib/libcrypto/asn1/a_int.c b/lib/libcrypto/asn1/a_int.c index edb243c0217..21cc64bb234 100644 --- a/lib/libcrypto/asn1/a_int.c +++ b/lib/libcrypto/asn1/a_int.c @@ -64,7 +64,26 @@ ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *x) { return M_ASN1_INTEGER_dup(x);} int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y) -{ return M_ASN1_INTEGER_cmp(x,y);} + { + int neg, ret; + /* Compare signs */ + neg = x->type & V_ASN1_NEG; + if (neg != (y->type & V_ASN1_NEG)) + { + if (neg) + return -1; + else + return 1; + } + + ret = ASN1_STRING_cmp(x, y); + + if (neg) + return -ret; + else + return ret; + } + /* * This converts an ASN1 INTEGER into its content encoding. diff --git a/lib/libcrypto/asn1/a_print.c b/lib/libcrypto/asn1/a_print.c index 8035513f047..d18e7723204 100644 --- a/lib/libcrypto/asn1/a_print.c +++ b/lib/libcrypto/asn1/a_print.c @@ -60,7 +60,7 @@ #include "cryptlib.h" #include <openssl/asn1.h> -int ASN1_PRINTABLE_type(unsigned char *s, int len) +int ASN1_PRINTABLE_type(const unsigned char *s, int len) { int c; int ia5=0; diff --git a/lib/libcrypto/asn1/a_set.c b/lib/libcrypto/asn1/a_set.c index 0f839822ff2..e24061c5459 100644 --- a/lib/libcrypto/asn1/a_set.c +++ b/lib/libcrypto/asn1/a_set.c 
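Review bot: ASN1_INTEGER_cmp (a_int.c) now contains real logic but has no comment stating its contract, and it dereferences `x` and `y` without a NULL check. I would add `/* Returns <0, 0 or >0 as x is less than, equal to or greater than y; the sign comes from V_ASN1_NEG, the magnitude ordering from ASN1_STRING_cmp(); x and y must be non-NULL */`. The magnitude ordering is delegated to ASN1_STRING_cmp, which is not shown in this diff. If that routine orders by length before content, values with leading zero bytes or a negative-typed zero would not compare numerically, so it is worth confirming that callers only pass canonical encodings.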
@@ -118,8 +118,13 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag, } pStart = p; /* Catch the beg of Setblobs*/ - if (!(rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)))) return 0; /* In this array -we will store the SET blobs */ + /* In this array we will store the SET blobs */ + rgSetBlob = (MYBLOB *)OPENSSL_malloc(sk_num(a) * sizeof(MYBLOB)); + if (rgSetBlob == NULL) + { + ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE); + return(0); + } for (i=0; i<sk_num(a); i++) { @@ -135,7 +140,11 @@ SetBlob /* Now we have to sort the blobs. I am using a simple algo. *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/ qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp); - if (!(pTempMem = OPENSSL_malloc(totSize))) return 0; + if (!(pTempMem = OPENSSL_malloc(totSize))) + { + ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE); + return(0); + } /* Copy to temp mem */ p = pTempMem; @@ -160,7 +169,13 @@ STACK *d2i_ASN1_SET(STACK **a, unsigned char **pp, long length, STACK *ret=NULL; if ((a == NULL) || ((*a) == NULL)) - { if ((ret=sk_new_null()) == NULL) goto err; } + { + if ((ret=sk_new_null()) == NULL) + { + ASN1err(ASN1_F_D2I_ASN1_SET,ERR_R_MALLOC_FAILURE); + goto err; + } + } else ret=(*a); diff --git a/lib/libcrypto/asn1/a_strex.c b/lib/libcrypto/asn1/a_strex.c index bde666a6ff1..a07122ba479 100644 --- a/lib/libcrypto/asn1/a_strex.c +++ b/lib/libcrypto/asn1/a_strex.c @@ -3,7 +3,7 @@ * project 2000. */ /* ==================================================================== - * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
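Review bot: The new failure branch for `pTempMem` in i2d_ASN1_SET (a_set.c, second hunk) returns without releasing `rgSetBlob`, which the same function allocated in the first hunk, so an allocation failure at this point leaks the blob array. Add `OPENSSL_free(rgSetBlob);` before the `return(0);`. The first hunk also multiplies `sk_num(a) * sizeof(MYBLOB)` with no check on the count; whether a negative or zero value from `sk_num(a)` can reach this line is not visible here and should be confirmed rather than assumed. The function body extends beyond both hunks.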
@@ -553,7 +553,12 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in) if((type < 0) || (type > 30)) return -1; mbflag = tag2nbyte[type]; if(mbflag == -1) return -1; - mbflag |= MBSTRING_FLAG; + if (mbflag == 0) + mbflag = MBSTRING_UTF8; + else if (mbflag == 4) + mbflag = MBSTRING_UNIV; + else + mbflag |= MBSTRING_FLAG; stmp.data = NULL; ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING); if(ret < 0) return ret; diff --git a/lib/libcrypto/asn1/a_type.c b/lib/libcrypto/asn1/a_type.c index fe3fcd40b0b..2292d49b93f 100644 --- a/lib/libcrypto/asn1/a_type.c +++ b/lib/libcrypto/asn1/a_type.c @@ -71,7 +71,10 @@ int ASN1_TYPE_get(ASN1_TYPE *a) void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value) { if (a->value.ptr != NULL) - ASN1_primitive_free((ASN1_VALUE **)&a, NULL); + { + ASN1_TYPE **tmp_a = &a; + ASN1_primitive_free((ASN1_VALUE **)tmp_a, NULL); + } a->type=type; a->value.ptr=value; } diff --git a/lib/libcrypto/asn1/a_utctm.c b/lib/libcrypto/asn1/a_utctm.c index 999852dae52..7b25fed331c 100644 --- a/lib/libcrypto/asn1/a_utctm.c +++ b/lib/libcrypto/asn1/a_utctm.c @@ -173,8 +173,9 @@ int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str) { if (s != NULL) { - ASN1_STRING_set((ASN1_STRING *)s, - (unsigned char *)str,t.length); + if (!ASN1_STRING_set((ASN1_STRING *)s, + (unsigned char *)str,t.length)) + return 0; s->type = V_ASN1_UTCTIME; } return(1); @@ -203,7 +204,11 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t) if ((p == NULL) || ((size_t)s->length < len)) { p=OPENSSL_malloc(len); - if (p == NULL) return(NULL); + if (p == NULL) + { + ASN1err(ASN1_F_ASN1_UTCTIME_SET,ERR_R_MALLOC_FAILURE); + return(NULL); + } if (s->data != NULL) OPENSSL_free(s->data); s->data=(unsigned char *)p; diff --git a/lib/libcrypto/asn1/a_verify.c b/lib/libcrypto/asn1/a_verify.c index da2a0a6d695..18ef0acf002 100644 --- a/lib/libcrypto/asn1/a_verify.c +++ b/lib/libcrypto/asn1/a_verify.c 
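Review bot: ASN1_TYPE_set (a_type.c) introduces `ASN1_TYPE **tmp_a = &a;` only to cast it on the next line, and nothing says why, so it reads as dead indirection that a later cleanup could fold back into `(ASN1_VALUE **)&a`. Presumably the temporary is there to quiet a compiler type-punning warning; if so, say it, e.g. `/* go through a typed temporary: casting &a directly triggers a strict-aliasing warning */`. The access through `ASN1_VALUE **` is still a pun either way, so the comment should not claim the aliasing problem is solved. The same idiom appears unexplained in the x_name.c hunks (`intname_pp`, `nm_pp`).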
@@ -142,6 +142,13 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat goto err; } + if (!EVP_VerifyInit_ex(&ctx,type, NULL)) + { + ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB); + ret=0; + goto err; + } + inl = ASN1_item_i2d(asn, &buf_in, it); if (buf_in == NULL) @@ -150,7 +157,6 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat goto err; } - EVP_VerifyInit_ex(&ctx,type, NULL); EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl); OPENSSL_cleanse(buf_in,(unsigned int)inl); diff --git a/lib/libcrypto/asn1/asn1.h b/lib/libcrypto/asn1/asn1.h index 3414509f1b7..ceaeb4cbe39 100644 --- a/lib/libcrypto/asn1/asn1.h +++ b/lib/libcrypto/asn1/asn1.h @@ -829,7 +829,7 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai,BIGNUM *bn); /* General */ /* given a string, return the correct type, max is the maximum length */ -int ASN1_PRINTABLE_type(unsigned char *s, int max); +int ASN1_PRINTABLE_type(const unsigned char *s, int max); int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass); ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, @@ -950,16 +950,19 @@ void ERR_load_ASN1_strings(void); #define ASN1_F_A2I_ASN1_ENUMERATED 101 #define ASN1_F_A2I_ASN1_INTEGER 102 #define ASN1_F_A2I_ASN1_STRING 103 +#define ASN1_F_ASN1_BIT_STRING_SET_BIT 176 #define ASN1_F_ASN1_CHECK_TLEN 104 #define ASN1_F_ASN1_COLLATE_PRIMITIVE 105 #define ASN1_F_ASN1_COLLECT 106 #define ASN1_F_ASN1_D2I_BIO 107 #define ASN1_F_ASN1_D2I_EX_PRIMITIVE 108 #define ASN1_F_ASN1_D2I_FP 109 +#define ASN1_F_ASN1_DIGEST 177 #define ASN1_F_ASN1_DO_ADB 110 #define ASN1_F_ASN1_DUP 111 #define ASN1_F_ASN1_ENUMERATED_SET 112 #define ASN1_F_ASN1_ENUMERATED_TO_BN 113 +#define ASN1_F_ASN1_GENERALIZEDTIME_SET 178 #define ASN1_F_ASN1_GET_OBJECT 114 #define ASN1_F_ASN1_HEADER_NEW 115 #define ASN1_F_ASN1_I2D_BIO 116 
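Review bot: ASN1_item_verify (a_verify.c) now checks `EVP_VerifyInit_ex`, but the `EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);` call kept as context in the second hunk still discards its result, so a failure while hashing the encoded item would carry on to the final verification step. If the update call returns a status in this tree (not visible here), test it and take the same `ret=0; goto err;` exit, making sure `buf_in` is still cleansed and freed on that path. The new error is filed under `ASN1_F_ASN1_VERIFY` although the function is ASN1_item_verify; if no dedicated function code exists, a one-line comment saying the code is shared would avoid confusion when reading the error queue. Both hunks show only part of the function.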
@@ -975,6 +978,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_F_ASN1_SEQ_PACK 126 #define ASN1_F_ASN1_SEQ_UNPACK 127 #define ASN1_F_ASN1_SIGN 128 +#define ASN1_F_ASN1_STRING_SET 179 #define ASN1_F_ASN1_STRING_TABLE_ADD 129 #define ASN1_F_ASN1_STRING_TYPE_NEW 130 #define ASN1_F_ASN1_TEMPLATE_D2I 131 @@ -984,6 +988,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING 134 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING 135 #define ASN1_F_ASN1_UNPACK_STRING 136 +#define ASN1_F_ASN1_UTCTIME_SET 180 #define ASN1_F_ASN1_VERIFY 137 #define ASN1_F_BN_TO_ASN1_ENUMERATED 138 #define ASN1_F_BN_TO_ASN1_INTEGER 139 @@ -1007,6 +1012,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_F_D2I_X509_CINF 157 #define ASN1_F_D2I_X509_NAME 158 #define ASN1_F_D2I_X509_PKEY 159 +#define ASN1_F_I2D_ASN1_SET 181 #define ASN1_F_I2D_ASN1_TIME 160 #define ASN1_F_I2D_DSA_PUBKEY 161 #define ASN1_F_I2D_NETSCAPE_RSA 162 diff --git a/lib/libcrypto/asn1/asn1_err.c b/lib/libcrypto/asn1/asn1_err.c index 094ec06fda0..3b57c8fbae9 100644 --- a/lib/libcrypto/asn1/asn1_err.c +++ b/lib/libcrypto/asn1/asn1_err.c @@ -1,6 +1,6 @@ /* crypto/asn1/asn1_err.c */ /* ==================================================================== - * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -70,16 +70,19 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0), "a2i_ASN1_ENUMERATED"}, {ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0), "a2i_ASN1_INTEGER"}, {ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0), "a2i_ASN1_STRING"}, +{ERR_PACK(0,ASN1_F_ASN1_BIT_STRING_SET_BIT,0), "ASN1_BIT_STRING_set_bit"}, {ERR_PACK(0,ASN1_F_ASN1_CHECK_TLEN,0), "ASN1_CHECK_TLEN"}, {ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0), "ASN1_COLLATE_PRIMITIVE"}, {ERR_PACK(0,ASN1_F_ASN1_COLLECT,0), "ASN1_COLLECT"}, {ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0), "ASN1_d2i_bio"}, {ERR_PACK(0,ASN1_F_ASN1_D2I_EX_PRIMITIVE,0), "ASN1_D2I_EX_PRIMITIVE"}, {ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0), "ASN1_d2i_fp"}, +{ERR_PACK(0,ASN1_F_ASN1_DIGEST,0), "ASN1_digest"}, {ERR_PACK(0,ASN1_F_ASN1_DO_ADB,0), "ASN1_DO_ADB"}, {ERR_PACK(0,ASN1_F_ASN1_DUP,0), "ASN1_dup"}, {ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0), "ASN1_ENUMERATED_set"}, {ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0), "ASN1_ENUMERATED_to_BN"}, +{ERR_PACK(0,ASN1_F_ASN1_GENERALIZEDTIME_SET,0), "ASN1_GENERALIZEDTIME_set"}, {ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0), "ASN1_get_object"}, {ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0), "ASN1_HEADER_new"}, {ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0), "ASN1_i2d_bio"}, @@ -95,6 +98,7 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_PACK(0,ASN1_F_ASN1_SEQ_PACK,0), "ASN1_seq_pack"}, {ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0), "ASN1_seq_unpack"}, {ERR_PACK(0,ASN1_F_ASN1_SIGN,0), "ASN1_sign"}, +{ERR_PACK(0,ASN1_F_ASN1_STRING_SET,0), "ASN1_STRING_set"}, {ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0), "ASN1_STRING_TABLE_add"}, {ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0), "ASN1_STRING_type_new"}, {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0), "ASN1_TEMPLATE_D2I"}, 
@@ -104,6 +108,7 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0), "ASN1_TYPE_get_int_octetstring"}, {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0), "ASN1_TYPE_get_octetstring"}, {ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0), "ASN1_unpack_string"}, +{ERR_PACK(0,ASN1_F_ASN1_UTCTIME_SET,0), "ASN1_UTCTIME_set"}, {ERR_PACK(0,ASN1_F_ASN1_VERIFY,0), "ASN1_verify"}, {ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0), "BN_to_ASN1_ENUMERATED"}, {ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0), "BN_to_ASN1_INTEGER"}, @@ -127,6 +132,7 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_PACK(0,ASN1_F_D2I_X509_CINF,0), "D2I_X509_CINF"}, {ERR_PACK(0,ASN1_F_D2I_X509_NAME,0), "D2I_X509_NAME"}, {ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0), "d2i_X509_PKEY"}, +{ERR_PACK(0,ASN1_F_I2D_ASN1_SET,0), "i2d_ASN1_SET"}, {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0), "I2D_ASN1_TIME"}, {ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0), "i2d_DSA_PUBKEY"}, {ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0), "i2d_Netscape_RSA"}, diff --git a/lib/libcrypto/asn1/asn1_lib.c b/lib/libcrypto/asn1/asn1_lib.c index a74f1368d34..97b9b35f4bd 100644 --- a/lib/libcrypto/asn1/asn1_lib.c +++ b/lib/libcrypto/asn1/asn1_lib.c @@ -349,6 +349,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len) if (str->data == NULL) { + ASN1err(ASN1_F_ASN1_STRING_SET,ERR_R_MALLOC_FAILURE); str->data=c; return(0); } diff --git a/lib/libcrypto/asn1/evp_asn1.c b/lib/libcrypto/asn1/evp_asn1.c index 3506005a714..f92ce6cb5d4 100644 --- a/lib/libcrypto/asn1/evp_asn1.c +++ b/lib/libcrypto/asn1/evp_asn1.c @@ -115,7 +115,11 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data, if ((osp=ASN1_STRING_new()) == NULL) return(0); /* Grow the 'string' */ - ASN1_STRING_set(osp,NULL,size); + if (!ASN1_STRING_set(osp,NULL,size)) + { + ASN1_STRING_free(osp); + return(0); + } M_ASN1_STRING_length_set(osp, size); p=M_ASN1_STRING_data(osp); 
diff --git a/lib/libcrypto/asn1/p5_pbe.c b/lib/libcrypto/asn1/p5_pbe.c index 891150638e9..ec788267e01 100644 --- a/lib/libcrypto/asn1/p5_pbe.c +++ b/lib/libcrypto/asn1/p5_pbe.c @@ -76,47 +76,55 @@ IMPLEMENT_ASN1_FUNCTIONS(PBEPARAM) X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt, int saltlen) { - PBEPARAM *pbe; + PBEPARAM *pbe=NULL; ASN1_OBJECT *al; X509_ALGOR *algor; - ASN1_TYPE *astype; + ASN1_TYPE *astype=NULL; if (!(pbe = PBEPARAM_new ())) { ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } if(iter <= 0) iter = PKCS5_DEFAULT_ITER; - ASN1_INTEGER_set (pbe->iter, iter); + if (!ASN1_INTEGER_set(pbe->iter, iter)) { + ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE); + goto err; + } if (!saltlen) saltlen = PKCS5_SALT_LEN; if (!(pbe->salt->data = OPENSSL_malloc (saltlen))) { ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } pbe->salt->length = saltlen; if (salt) memcpy (pbe->salt->data, salt, saltlen); else if (RAND_pseudo_bytes (pbe->salt->data, saltlen) < 0) - return NULL; + goto err; if (!(astype = ASN1_TYPE_new())) { ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } astype->type = V_ASN1_SEQUENCE; if(!ASN1_pack_string(pbe, i2d_PBEPARAM, &astype->value.sequence)) { ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } PBEPARAM_free (pbe); + pbe = NULL; al = OBJ_nid2obj(alg); /* never need to free al */ if (!(algor = X509_ALGOR_new())) { ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } ASN1_OBJECT_free(algor->algorithm); algor->algorithm = al; algor->parameter = astype; return (algor); +err: + if (pbe != NULL) PBEPARAM_free(pbe); + if (astype != NULL) ASN1_TYPE_free(astype); + return NULL; } diff --git a/lib/libcrypto/asn1/p5_pbev2.c b/lib/libcrypto/asn1/p5_pbev2.c index 91e1c8987d3..e0dc0ec4ee3 100644 --- a/lib/libcrypto/asn1/p5_pbev2.c +++ b/lib/libcrypto/asn1/p5_pbev2.c 
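Review bot: PKCS5_pbe_set (p5_pbe.c) treats only a negative result from `RAND_pseudo_bytes (pbe->salt->data, saltlen)` as failure, so a return of 0, which that API uses to report that the bytes are not cryptographically strong, is accepted. The p5_pbev2.c hunk keeps the same `< 0` test for the cipher IV, where predictability matters more than it does for a salt. Prefer `RAND_bytes(...) <= 0` as the failure condition in both places. This is also the only `goto err` in the function that queues no error, so the caller receives NULL with nothing on the error stack; an `ASN1err(ASN1_F_ASN1_PBE_SET, ...)` with a suitable reason code belongs on that branch.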
@@ -1,6 +1,6 @@ /* p5_pbev2.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL - * project 1999. + * project 1999-2004. */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. @@ -113,7 +113,8 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, if(!(scheme->parameter = ASN1_TYPE_new())) goto merr; /* Create random IV */ - if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0) + if (EVP_CIPHER_iv_length(cipher) && + RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0) goto err; EVP_CIPHER_CTX_init(&ctx); @@ -123,6 +124,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) { ASN1err(ASN1_F_PKCS5_PBE2_SET, ASN1_R_ERROR_SETTING_CIPHER_PARAMS); + EVP_CIPHER_CTX_cleanup(&ctx); goto err; } EVP_CIPHER_CTX_cleanup(&ctx); diff --git a/lib/libcrypto/asn1/t_bitst.c b/lib/libcrypto/asn1/t_bitst.c index 8ee789f0825..397332d9b8e 100644 --- a/lib/libcrypto/asn1/t_bitst.c +++ b/lib/libcrypto/asn1/t_bitst.c @@ -84,7 +84,10 @@ int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value, int bitnum; bitnum = ASN1_BIT_STRING_num_asc(name, tbl); if(bitnum < 0) return 0; - if(bs) ASN1_BIT_STRING_set_bit(bs, bitnum, value); + if(bs) { + if(!ASN1_BIT_STRING_set_bit(bs, bitnum, value)) + return 0; + } return 1; } diff --git a/lib/libcrypto/asn1/x_crl.c b/lib/libcrypto/asn1/x_crl.c index 11fce968257..b99f8fc522c 100644 --- a/lib/libcrypto/asn1/x_crl.c +++ b/lib/libcrypto/asn1/x_crl.c @@ -63,8 +63,6 @@ static int X509_REVOKED_cmp(const X509_REVOKED * const *a, const X509_REVOKED * const *b); -static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a, - const X509_REVOKED * const *b); ASN1_SEQUENCE(X509_REVOKED) = { ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER), 
@@ -72,43 +70,28 @@ ASN1_SEQUENCE(X509_REVOKED) = { ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION) } ASN1_SEQUENCE_END(X509_REVOKED) -/* The X509_CRL_INFO structure needs a bit of customisation. This is actually - * mirroring the old behaviour: its purpose is to allow the use of - * sk_X509_REVOKED_find to lookup revoked certificates. Unfortunately - * this will zap the original order and the signature so we keep a copy - * of the original positions and reorder appropriately before encoding. - * - * Might want to see if there's a better way of doing this later... +/* The X509_CRL_INFO structure needs a bit of customisation. + * Since we cache the original encoding the signature wont be affected by + * reordering of the revoked field. */ static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it) { X509_CRL_INFO *a = (X509_CRL_INFO *)*pval; - int i; - int (*old_cmp)(const X509_REVOKED * const *, - const X509_REVOKED * const *); if(!a || !a->revoked) return 1; switch(operation) { - - /* Save original order */ + /* Just set cmp function here. We don't sort because that + * would affect the output of X509_CRL_print(). + */ case ASN1_OP_D2I_POST: - for (i=0; i<sk_X509_REVOKED_num(a->revoked); i++) - sk_X509_REVOKED_value(a->revoked,i)->sequence=i; sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_cmp); break; - - /* Restore original order */ - case ASN1_OP_I2D_PRE: - old_cmp=sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_seq_cmp); - sk_X509_REVOKED_sort(a->revoked); - sk_X509_REVOKED_set_cmp_func(a->revoked,old_cmp); - break; } return 1; } -ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = { +ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = { ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER), ASN1_SIMPLE(X509_CRL_INFO, sig_alg, X509_ALGOR), ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME), 
@@ -116,7 +99,7 @@ ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = { ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME), ASN1_SEQUENCE_OF_OPT(X509_CRL_INFO, revoked, X509_REVOKED), ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0) -} ASN1_SEQUENCE_END_cb(X509_CRL_INFO, X509_CRL_INFO) +} ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO) ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = { ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO), @@ -137,12 +120,6 @@ static int X509_REVOKED_cmp(const X509_REVOKED * const *a, (ASN1_STRING *)(*b)->serialNumber)); } -static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a, - const X509_REVOKED * const *b) - { - return((*a)->sequence-(*b)->sequence); - } - int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev) { X509_CRL_INFO *inf; @@ -153,6 +130,7 @@ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev) ASN1err(ASN1_F_X509_CRL_ADD0_REVOKED, ERR_R_MALLOC_FAILURE); return 0; } + inf->enc.modified = 1; return 1; } diff --git a/lib/libcrypto/asn1/x_name.c b/lib/libcrypto/asn1/x_name.c index caece0f1585..31f3377b642 100644 --- a/lib/libcrypto/asn1/x_name.c +++ b/lib/libcrypto/asn1/x_name.c 
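Review bot: With X509_CRL_INFO switched to `ASN1_SEQUENCE_enc` (x_crl.c), the cached encoding is what protects the signature, and in this diff only X509_CRL_add0_revoked marks it stale with `inf->enc.modified = 1;`. Any other code that changes the version, issuer, update times, extensions or the revoked stack has to set the flag as well, otherwise a re-serialised CRL can carry the old bytes. Those setters are outside this view, so each one should be confirmed. A comment next to the template stating the rule would help, e.g. `/* every mutator of X509_CRL_INFO must set enc.modified = 1 */`.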
@@ -160,21 +160,22 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, cons int tag, int aclass, char opt, ASN1_TLC *ctx) { unsigned char *p = *in, *q; - STACK *intname = NULL; + STACK *intname = NULL, **intname_pp = &intname; int i, j, ret; - X509_NAME *nm = NULL; + X509_NAME *nm = NULL, **nm_pp = &nm; STACK_OF(X509_NAME_ENTRY) *entries; X509_NAME_ENTRY *entry; q = p; /* Get internal representation of Name */ - ret = ASN1_item_ex_d2i((ASN1_VALUE **)&intname, &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL), - tag, aclass, opt, ctx); + ret = ASN1_item_ex_d2i((ASN1_VALUE **)intname_pp, + &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL), + tag, aclass, opt, ctx); if(ret <= 0) return ret; if(*val) x509_name_ex_free(val, NULL); - if(!x509_name_ex_new((ASN1_VALUE **)&nm, NULL)) goto err; + if(!x509_name_ex_new((ASN1_VALUE **)nm_pp, NULL)) goto err; /* We've decoded it: now cache encoding */ if(!BUF_MEM_grow(nm->bytes, p - q)) goto err; memcpy(nm->bytes->data, q, p - q); @@ -218,7 +219,7 @@ static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_IT static int x509_name_encode(X509_NAME *a) { - STACK *intname = NULL; + STACK *intname = NULL, **intname_pp = &intname; int len; unsigned char *p; STACK_OF(X509_NAME_ENTRY) *entries = NULL; @@ -236,10 +237,12 @@ static int x509_name_encode(X509_NAME *a) } if(!sk_X509_NAME_ENTRY_push(entries, entry)) goto memerr; } - len = ASN1_item_ex_i2d((ASN1_VALUE **)&intname, NULL, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1); + len = ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp, NULL, + ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1); if (!BUF_MEM_grow(a->bytes,len)) goto memerr; p=(unsigned char *)a->bytes->data; - ASN1_item_ex_i2d((ASN1_VALUE **)&intname, &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1); + ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp, + &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1); sk_pop_free(intname, sk_internal_free); a->modified = 0; return len; 
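Review bot: In x509_name_encode the sizing call `len = ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp, NULL, ...)` is passed straight to `BUF_MEM_grow(a->bytes,len)` without a check for a negative return, so an encoder failure turns into a bogus buffer size. A guard such as `if (len < 0) goto memerr;` before the grow (or a separate error exit) would close that; the return of the second, writing call is ignored as well. The new `intname_pp` and `nm_pp` indirection also deserves a short comment saying it exists only to keep the `(ASN1_VALUE **)` cast off the address of a local of a different pointer type, since the reason is not evident from the code. Both functions extend beyond the hunks shown.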
diff --git a/lib/libcrypto/asn1/x_pubkey.c b/lib/libcrypto/asn1/x_pubkey.c index d9585401206..7d6d71af88d 100644 --- a/lib/libcrypto/asn1/x_pubkey.c +++ b/lib/libcrypto/asn1/x_pubkey.c @@ -80,8 +80,7 @@ IMPLEMENT_ASN1_FUNCTIONS(X509_PUBKEY) int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) { - int ok=0; - X509_PUBKEY *pk; + X509_PUBKEY *pk=NULL; X509_ALGOR *a; ASN1_OBJECT *o; unsigned char *s,*p = NULL; @@ -104,7 +103,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) (a->parameter->type != V_ASN1_NULL)) { ASN1_TYPE_free(a->parameter); - a->parameter=ASN1_TYPE_new(); + if (!(a->parameter=ASN1_TYPE_new())) + { + X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE); + goto err; + } a->parameter->type=V_ASN1_NULL; } } @@ -118,14 +121,34 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) dsa=pkey->pkey.dsa; dsa->write_params=0; ASN1_TYPE_free(a->parameter); - i=i2d_DSAparams(dsa,NULL); - if ((p=(unsigned char *)OPENSSL_malloc(i)) == NULL) goto err; + if ((i=i2d_DSAparams(dsa,NULL)) <= 0) + goto err; + if (!(p=(unsigned char *)OPENSSL_malloc(i))) + { + X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE); + goto err; + } pp=p; i2d_DSAparams(dsa,&pp); - a->parameter=ASN1_TYPE_new(); + if (!(a->parameter=ASN1_TYPE_new())) + { + OPENSSL_free(p); + X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE); + goto err; + } a->parameter->type=V_ASN1_SEQUENCE; - a->parameter->value.sequence=ASN1_STRING_new(); - ASN1_STRING_set(a->parameter->value.sequence,p,i); + if (!(a->parameter->value.sequence=ASN1_STRING_new())) + { + OPENSSL_free(p); + X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE); + goto err; + } + if (!ASN1_STRING_set(a->parameter->value.sequence,p,i)) + { + OPENSSL_free(p); + X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE); + goto err; + } OPENSSL_free(p); } else 
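Review bot: In the DSA branch of X509_PUBKEY_set, `ASN1_TYPE_free(a->parameter);` leaves `a->parameter` pointing at freed memory, and the newly added `goto err` exits for a failed `i2d_DSAparams()` or `OPENSSL_malloc()` are taken before it is reassigned. If `a` is `pk->algor` (the assignment is above the hunk), `X509_PUBKEY_free(pk)` at `err:` would then release the parameter a second time. Adding `a->parameter=NULL;` directly after the free makes every early exit safe. The `i2d_DSAparams(dsa,NULL) <= 0` exit is also the only new error path that does not call `X509err()`, and the return value of the second `i2d_DSAparams(dsa,&pp)` is not checked.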
@@ -143,7 +166,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) } p=s; i2d_PublicKey(pkey,&p); - if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err; + if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i)) + { + X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE); + goto err; + } /* Set number of unused bits to zero */ pk->public_key->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); pk->public_key->flags|=ASN1_STRING_FLAG_BITS_LEFT; @@ -159,12 +186,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) X509_PUBKEY_free(*x); *x=pk; - pk=NULL; - ok=1; + return 1; err: if (pk != NULL) X509_PUBKEY_free(pk); - return(ok); + return 0; } EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) diff --git a/lib/libcrypto/bf/bf_skey.c b/lib/libcrypto/bf/bf_skey.c index 3673cdee6e2..fc5bebefce4 100644 --- a/lib/libcrypto/bf/bf_skey.c +++ b/lib/libcrypto/bf/bf_skey.c @@ -58,11 +58,12 @@ #include <stdio.h> #include <string.h> +#include <openssl/crypto.h> #include <openssl/blowfish.h> #include "bf_locl.h" #include "bf_pi.h" -void BF_set_key(BF_KEY *key, int len, const unsigned char *data) +FIPS_NON_FIPS_VCIPHER_Init(BF) { int i; BF_LONG *p,ri,in[2]; diff --git a/lib/libcrypto/bf/blowfish.h b/lib/libcrypto/bf/blowfish.h index cd49e85ab29..b4d87749619 100644 --- a/lib/libcrypto/bf/blowfish.h +++ b/lib/libcrypto/bf/blowfish.h @@ -104,7 +104,10 @@ typedef struct bf_key_st BF_LONG S[4*256]; } BF_KEY; - + +#ifdef OPENSSL_FIPS +void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data); +#endif void BF_set_key(BF_KEY *key, int len, const unsigned char *data); void BF_encrypt(BF_LONG *data,const BF_KEY *key); diff --git a/lib/libcrypto/bio/b_print.c b/lib/libcrypto/bio/b_print.c index 880dc693035..8b753e7ca01 100644 --- a/lib/libcrypto/bio/b_print.c +++ b/lib/libcrypto/bio/b_print.c 
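Review bot: The new failure branch after `M_ASN1_BIT_STRING_set(pk->public_key,s,i)` jumps to `err` without releasing `s`, which looks like the temporary encoding buffer allocated just above the hunk. If that is right, each failure leaks the encoded public key, and `OPENSSL_free(s);` before the `goto err` would fix it. The return value of `i2d_PublicKey(pkey,&p)` on the preceding line is also ignored. X509_PUBKEY_set starts outside this hunk.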
@@ -641,7 +641,7 @@ fmtfp( multiplying by a factor of 10 */ fracpart = roundv((pow10(max)) * (ufvalue - intpart)); - if (fracpart >= pow10(max)) { + if (fracpart >= (long)pow10(max)) { intpart++; fracpart -= (long)pow10(max); } diff --git a/lib/libcrypto/bio/bio.h b/lib/libcrypto/bio/bio.h index fbbc16d00c5..2eb703830f4 100644 --- a/lib/libcrypto/bio/bio.h +++ b/lib/libcrypto/bio/bio.h @@ -347,6 +347,7 @@ typedef struct bio_f_buffer_ctx_struct #define BIO_C_NWRITE0 145 #define BIO_C_NWRITE 146 #define BIO_C_RESET_READ_REQUEST 147 +#define BIO_C_SET_MD_CTX 148 #define BIO_set_app_data(s,arg) BIO_set_ex_data(s,0,arg) diff --git a/lib/libcrypto/bio/bss_file.c b/lib/libcrypto/bio/bss_file.c index 9cdf159f82f..8034ac93f97 100644 --- a/lib/libcrypto/bio/bss_file.c +++ b/lib/libcrypto/bio/bss_file.c @@ -213,13 +213,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) b->shutdown=(int)num&BIO_CLOSE; b->ptr=(char *)ptr; b->init=1; + { #if defined(OPENSSL_SYS_WINDOWS) + int fd = fileno((FILE*)ptr); if (num & BIO_FP_TEXT) - _setmode(fileno((FILE *)ptr),_O_TEXT); + _setmode(fd,_O_TEXT); else - _setmode(fileno((FILE *)ptr),_O_BINARY); + _setmode(fd,_O_BINARY); #elif defined(OPENSSL_SYS_MSDOS) - { int fd = fileno((FILE*)ptr); /* Set correct text/binary mode */ if (num & BIO_FP_TEXT) @@ -235,13 +236,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) else _setmode(fd,_O_BINARY); } - } #elif defined(OPENSSL_SYS_OS2) + int fd = fileno((FILE*)ptr); if (num & BIO_FP_TEXT) - setmode(fileno((FILE *)ptr), O_TEXT); + setmode(fd, O_TEXT); else - setmode(fileno((FILE *)ptr), O_BINARY); + setmode(fd, O_BINARY); #endif + } break; case BIO_C_SET_FILENAME: file_free(b); 
@@ -264,7 +266,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) ret=0; break; } -#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) +#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN) if (!(num & BIO_FP_TEXT)) strcat(p,"b"); else diff --git a/lib/libcrypto/bn/asm/ia64.S b/lib/libcrypto/bn/asm/ia64.S index 7dfda855660..7b82b820e62 100644 --- a/lib/libcrypto/bn/asm/ia64.S +++ b/lib/libcrypto/bn/asm/ia64.S @@ -1,6 +1,6 @@ .explicit .text -.ident "ia64.S, Version 2.0" +.ident "ia64.S, Version 2.1" .ident "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>" // @@ -35,7 +35,7 @@ // What does it mean? You might ratiocinate that the original code // should run just faster... Because sum of latencies is smaller... // Wrong! Note that getf latency increased. This means that if a loop is -// scheduled for lower latency (and they are), then it will suffer from +// scheduled for lower latency (as they were), then it will suffer from // stall condition and the code will therefore turn anti-scalable, e.g. // original bn_mul_words spun at 5*n or 2.5 times slower than expected // on Itanium2! What to do? Reschedule loops for Itanium2? But then @@ -145,6 +145,12 @@ // -Drum=nop.m in command line. // +#if defined(_HPUX_SOURCE) && !defined(_LP64) +#define ADDP addp4 +#else +#define ADDP add +#endif + #if 1 // // bn_[add|sub]_words routines. 
@@ -178,27 +184,12 @@ bn_add_words: brp.loop.imp .L_bn_add_words_ctop,.L_bn_add_words_cend-16 } .body -{ .mib; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r14=0,r32 // rp -#else - mov r14=r32 // rp -#endif +{ .mib; ADDP r14=0,r32 // rp mov r9=pr };; -{ .mii; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r15=0,r33 // ap -#else - mov r15=r33 // ap -#endif +{ .mii; ADDP r15=0,r33 // ap mov ar.lc=r10 mov ar.ec=6 } -{ .mib; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r16=0,r34 // bp -#else - mov r16=r34 // bp -#endif +{ .mib; ADDP r16=0,r34 // bp mov pr.rot=1<<16 };; .L_bn_add_words_ctop: @@ -246,27 +237,12 @@ bn_sub_words: brp.loop.imp .L_bn_sub_words_ctop,.L_bn_sub_words_cend-16 } .body -{ .mib; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r14=0,r32 // rp -#else - mov r14=r32 // rp -#endif +{ .mib; ADDP r14=0,r32 // rp mov r9=pr };; -{ .mii; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r15=0,r33 // ap -#else - mov r15=r33 // ap -#endif +{ .mii; ADDP r15=0,r33 // ap mov ar.lc=r10 mov ar.ec=6 } -{ .mib; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r16=0,r34 // bp -#else - mov r16=r34 // bp -#endif +{ .mib; ADDP r16=0,r34 // bp mov pr.rot=1<<16 };; .L_bn_sub_words_ctop: @@ -332,16 +308,10 @@ bn_mul_words: #ifndef XMA_TEMPTATION -{ .mii; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r14=0,r32 // rp - addp4 r15=0,r33 // ap -#else - mov r14=r32 // rp - mov r15=r33 // ap -#endif +{ .mmi; ADDP r14=0,r32 // rp + ADDP r15=0,r33 // ap mov ar.lc=r10 } -{ .mii; mov r40=0 // serves as r35 at first (p27) +{ .mmi; mov r40=0 // serves as r35 at first (p27) mov ar.ec=13 };; // This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium 
@@ -424,89 +394,64 @@ bn_mul_words: .global bn_mul_add_words# .proc bn_mul_add_words# .align 64 -//.skip 0 // makes the loop split at 64-byte boundary +.skip 48 // makes the loop body aligned at 64-byte boundary bn_mul_add_words: .prologue .fframe 0 .save ar.pfs,r2 -{ .mii; alloc r2=ar.pfs,4,12,0,16 - cmp4.le p6,p0=r34,r0 };; -{ .mfb; mov r8=r0 // return value -(p6) br.ret.spnt.many b0 };; - .save ar.lc,r3 -{ .mii; sub r10=r34,r0,1 - mov r3=ar.lc - mov r9=pr };; + .save pr,r9 +{ .mmi; alloc r2=ar.pfs,4,4,0,8 + cmp4.le p6,p0=r34,r0 + mov r3=ar.lc };; +{ .mib; mov r8=r0 // return value + sub r10=r34,r0,1 +(p6) br.ret.spnt.many b0 };; .body -{ .mib; setf.sig f8=r35 // w - mov pr.rot=0x800001<<16 - // ------^----- serves as (p50) at first (p27) +{ .mib; setf.sig f8=r35 // w + mov r9=pr brp.loop.imp .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16 } -{ .mii; -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r14=0,r32 // rp - addp4 r15=0,r33 // ap -#else - mov r14=r32 // rp - mov r15=r33 // ap -#endif +{ .mmi; ADDP r14=0,r32 // rp + ADDP r15=0,r33 // ap mov ar.lc=r10 } -{ .mii; mov r40=0 // serves as r35 at first (p27) -#if defined(_HPUX_SOURCE) && defined(_ILP32) - addp4 r18=0,r32 // rp copy -#else - mov r18=r32 // rp copy -#endif - mov ar.ec=15 };; - -// This loop spins in 3*(n+14) ticks on Itanium and should spin in -// 2*(n+14) on "wider" IA-64 implementations (to be verified with new -// µ-architecture manuals as they become available). As usual it's -// possible to compress the epilogue, down to 10 in this case, at the -// cost of scalability. Compressed (and therefore non-scalable) loop -// running at 3*(n+11) would buy you ~10% on Itanium but take ~35% -// from "wider" IA-64 so let it be scalable! Special attention was -// paid for having the loop body split at 64-byte boundary. ld8 is -// scheduled for L1 cache as the data is more than likely there. 
-// Indeed, bn_mul_words has put it there a moment ago:-) +{ .mii; ADDP r16=0,r32 // rp copy + mov pr.rot=0x2001<<16 + // ------^----- serves as (p40) at first (p27) + mov ar.ec=11 };; + +// This loop spins in 3*(n+10) ticks on Itanium and in 2*(n+10) on +// Itanium 2. Yes, unlike previous versions it scales:-) Previous +// version was peforming *all* additions in IALU and was starving +// for those even on Itanium 2. In this version one addition is +// moved to FPU and is folded with multiplication. This is at cost +// of propogating the result from previous call to this subroutine +// to L2 cache... In other words negligible even for shorter keys. +// *Overall* performance improvement [over previous version] varies +// from 11 to 22 percent depending on key length. .L_bn_mul_add_words_ctop: -{ .mfi; (p25) getf.sig r36=f52 // low - (p21) xmpy.lu f48=f37,f8 - (p28) cmp.ltu p54,p50=r41,r39 } -{ .mfi; (p16) ldf8 f32=[r15],8 - (p21) xmpy.hu f40=f37,f8 - (p28) add r45=r45,r41 };; -{ .mii; (p25) getf.sig r32=f44 // high - .pred.rel "mutex",p50,p54 - (p50) add r40=r38,r35 // (p27) - (p54) add r40=r38,r35,1 } // (p27) -{ .mfb; (p28) cmp.ltu.unc p60,p0=r45,r41 - (p0) nop.f 0x0 - (p0) nop.b 0x0 } -{ .mii; (p27) ld8 r44=[r18],8 - (p62) cmp.eq.or p61,p0=-1,r46 - (p62) add r46=1,r46 } -{ .mfb; (p30) st8 [r14]=r47,8 - (p0) nop.f 0x0 +.pred.rel "mutex",p40,p42 +{ .mfi; (p23) getf.sig r36=f45 // low + (p20) xma.lu f42=f36,f8,f50 // low + (p40) add r39=r39,r35 } // (p27) +{ .mfi; (p16) ldf8 f32=[r15],8 // *(ap++) + (p20) xma.hu f36=f36,f8,f50 // high + (p42) add r39=r39,r35,1 };; // (p27) +{ .mmi; (p24) getf.sig r32=f40 // high + (p16) ldf8 f46=[r16],8 // *(rp1++) + (p40) cmp.ltu p41,p39=r39,r35 } // (p27) +{ .mib; (p26) st8 [r14]=r39,8 // *(rp2++) + (p42) cmp.leu p41,p39=r39,r35 // (p27) br.ctop.sptk .L_bn_mul_add_words_ctop};; .L_bn_mul_add_words_cend: -{ .mii; nop.m 0x0 -.pred.rel "mutex",p53,p57 -(p53) add r8=r38,r0 -(p57) add r8=r38,r0,1 } -{ .mfb; nop.m 0x0 - nop.f 0x0 - 
nop.b 0x0 };; -{ .mii; -(p63) add r8=1,r8 - mov pr=r9,0x1ffff - mov ar.lc=r3 } -{ .mfb; rum 1<<5 // clear um.mfh - nop.f 0x0 +{ .mmi; .pred.rel "mutex",p40,p42 +(p40) add r8=r35,r0 +(p42) add r8=r35,r0,1 + mov pr=r9,0x1ffff } +{ .mib; rum 1<<5 // clear um.mfh + mov ar.lc=r3 br.ret.sptk.many b0 };; .endp bn_mul_add_words# #endif @@ -527,7 +472,8 @@ bn_sqr_words: sxt4 r34=r34 };; { .mii; cmp.le p6,p0=r34,r0 mov r8=r0 } // return value -{ .mfb; nop.f 0x0 +{ .mfb; ADDP r32=0,r32 + nop.f 0x0 (p6) br.ret.spnt.many b0 };; .save ar.lc,r3 @@ -536,11 +482,7 @@ bn_sqr_words: mov r9=pr };; .body -#if defined(_HPUX_SOURCE) && defined(_ILP32) -{ .mii; addp4 r32=0,r32 - addp4 r33=0,r33 };; -#endif -{ .mib; +{ .mib; ADDP r33=0,r33 mov pr.rot=1<<16 brp.loop.imp .L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16 } @@ -605,7 +547,7 @@ bn_sqr_comba8: .prologue .fframe 0 .save ar.pfs,r2 -#if defined(_HPUX_SOURCE) && defined(_ILP32) +#if defined(_HPUX_SOURCE) && !defined(_LP64) { .mii; alloc r2=ar.pfs,2,1,0,0 addp4 r33=0,r33 addp4 r32=0,r32 };; @@ -631,6 +573,10 @@ bn_sqr_comba8: // clause in Itanium µ-architecture manual? Comments are welcomed and // highly appreciated. // +// On Itanium 2 it takes ~190 ticks. This is because of stalls on +// result from getf.sig. I do nothing about it at this point for +// reasons depicted below. +// // However! It should be noted that even 160 ticks is darn good result // as it's over 10 (yes, ten, spelled as t-e-n) times faster than the // C version (compiled with gcc with inline assembler). I really @@ -673,7 +619,7 @@ bn_mul_comba8: .prologue .fframe 0 .save ar.pfs,r2 -#if defined(_HPUX_SOURCE) && defined(_ILP32) +#if defined(_HPUX_SOURCE) && !defined(_LP64) { .mii; alloc r2=ar.pfs,3,0,0,0 addp4 r33=0,r33 addp4 r34=0,r34 };; @@ -1231,7 +1177,7 @@ bn_sqr_comba4: .prologue .fframe 0 .save ar.pfs,r2 -#if defined(_HPUX_SOURCE) && defined(_ILP32) +#if defined(_HPUX_SOURCE) && !defined(_LP64) { .mii; alloc r2=ar.pfs,2,1,0,0 addp4 r32=0,r32 addp4 r33=0,r33 };; 
@@ -1264,7 +1210,7 @@ bn_mul_comba4: .prologue .fframe 0 .save ar.pfs,r2 -#if defined(_HPUX_SOURCE) && defined(_ILP32) +#if defined(_HPUX_SOURCE) && !defined(_LP64) { .mii; alloc r2=ar.pfs,3,0,0,0 addp4 r33=0,r33 addp4 r34=0,r34 };; @@ -1448,8 +1394,8 @@ bn_mul_comba4: #define I r21 #if 0 -// Some preprocessors (most notably HP-UX) apper to be allergic to -// macros enclosed to parenthesis as these three will be. +// Some preprocessors (most notably HP-UX) appear to be allergic to +// macros enclosed to parenthesis [as these three were]. #define cont p16 #define break p0 // p20 #define equ p24 @@ -1581,9 +1527,18 @@ bn_div_words: // output: f8 = (int)(a/b) // clobbered: f8,f9,f10,f11,pred pred=p15 -// This procedure is essentially Intel code and therefore is -// copyrighted to Intel Corporation (I suppose...). It's sligtly -// modified for specific needs. +// One can argue that this snippet is copyrighted to Intel +// Corporation, as it's essentially identical to one of those +// found in "Divide, Square Root and Remainder" section at +// http://www.intel.com/software/products/opensource/libraries/num.htm. +// Yes, I admit that the referred code was used as template, +// but after I realized that there hardly is any other instruction +// sequence which would perform this operation. I mean I figure that +// any independent attempt to implement high-performance division +// will result in code virtually identical to the Intel code. It +// should be noted though that below division kernel is 1 cycle +// faster than Intel one (note commented splits:-), not to mention +// original prologue (rather lack of one) and epilogue. .align 32 .skip 16 .L_udiv64_32_b6: diff --git a/lib/libcrypto/bn/bn_mont.c b/lib/libcrypto/bn/bn_mont.c index c9ebdbaabeb..b79b1b60da0 100644 --- a/lib/libcrypto/bn/bn_mont.c +++ b/lib/libcrypto/bn/bn_mont.c 
@@ -273,7 +273,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) BN_init(&Ri); R= &(mont->RR); /* grab RR as a temp */ - BN_copy(&(mont->N),mod); /* Set N */ + if (!BN_copy(&(mont->N),mod)) goto err; /* Set N */ mont->N.neg = 0; #ifdef MONT_WORD diff --git a/lib/libcrypto/bn/bntest.c b/lib/libcrypto/bn/bntest.c index 8ef733013d6..79d813d85e1 100644 --- a/lib/libcrypto/bn/bntest.c +++ b/lib/libcrypto/bn/bntest.c @@ -232,7 +232,7 @@ int main(int argc, char *argv[]) EXIT(0); err: BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices - * the failure, see test_bn in test/Makefile.ssl*/ + * the failure, see test_bn in test/Makefile */ BIO_flush(out); ERR_load_crypto_strings(); ERR_print_errors_fp(stderr); diff --git a/lib/libcrypto/cast/c_skey.c b/lib/libcrypto/cast/c_skey.c index 76e40005c99..dc4791a8cff 100644 --- a/lib/libcrypto/cast/c_skey.c +++ b/lib/libcrypto/cast/c_skey.c @@ -56,7 +56,9 @@ * [including the GNU Public Licence.] */ +#include <openssl/crypto.h> #include <openssl/cast.h> + #include "cast_lcl.h" #include "cast_s.h" @@ -72,7 +74,7 @@ #define S6 CAST_S_table6 #define S7 CAST_S_table7 -void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data) +FIPS_NON_FIPS_VCIPHER_Init(CAST) { CAST_LONG x[16]; CAST_LONG z[16]; diff --git a/lib/libcrypto/cast/cast.h b/lib/libcrypto/cast/cast.h index b28e4e4f3b3..9e300178d90 100644 --- a/lib/libcrypto/cast/cast.h +++ b/lib/libcrypto/cast/cast.h @@ -81,7 +81,10 @@ typedef struct cast_key_st int short_key; /* Use reduced rounds for short key */ } CAST_KEY; - + +#ifdef OPENSSL_FIPS +void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); +#endif void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key, int enc); diff --git a/lib/libcrypto/comp/c_zlib.c b/lib/libcrypto/comp/c_zlib.c index 8c0876151ac..1bd2850d15b 100644 --- a/lib/libcrypto/comp/c_zlib.c 
+++ b/lib/libcrypto/comp/c_zlib.c @@ -3,6 +3,7 @@ #include <string.h> #include <openssl/objects.h> #include <openssl/comp.h> +#include <openssl/err.h> COMP_METHOD *COMP_zlib(void ); @@ -189,7 +190,17 @@ COMP_METHOD *COMP_zlib(void) if (!zlib_loaded) { #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) - zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0); + zlib_dso = DSO_load(NULL, "ZLIB1", NULL, 0); + if (!zlib_dso) + { + zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0); + if (zlib_dso) + { + /* Clear the errors from the first failed + DSO_load() */ + ERR_clear_error(); + } + } #else zlib_dso = DSO_load(NULL, "z", NULL, 0); #endif diff --git a/lib/libcrypto/conf/conf_def.c b/lib/libcrypto/conf/conf_def.c index 2e9f52f1fd5..b5a876ae68a 100644 --- a/lib/libcrypto/conf/conf_def.c +++ b/lib/libcrypto/conf/conf_def.c @@ -632,6 +632,11 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from))); while (*p) buf->data[to++]= *(p++); + + /* Since we change the pointer 'from', we also have + to change the perceived length of the string it + points at. /RL */ + len -= e-from; from=e; } else diff --git a/lib/libcrypto/cryptlib.c b/lib/libcrypto/cryptlib.c index 2924def2bb0..fef0afb29fc 100644 --- a/lib/libcrypto/cryptlib.c +++ b/lib/libcrypto/cryptlib.c @@ -105,7 +105,9 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] = "engine", "ui", "hwcrhk", /* This is a HACK which will disappear in 0.9.8 */ -#if CRYPTO_NUM_LOCKS != 33 + "fips", + "fips2", +#if CRYPTO_NUM_LOCKS != 35 # error "Inconsistency between crypto.h and cryptlib.c" #endif }; 
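Review bot: `ERR_clear_error()` in the ZLIB fallback of COMP_zlib wipes the calling thread's whole error queue, not just the entries left by the failed `DSO_load(NULL, "ZLIB1", NULL, 0)`, so any error the application had queued before this call disappears with them. It is also skipped when both loads fail, which leaves two sets of DSO errors behind for one logical failure. Separately, both names are bare library names, so which file gets loaded depends on the platform's library search order; for Windows builds it is worth a comment that the DLL has to come from a trusted directory. COMP_zlib continues beyond the hunk.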
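Review bot: The `BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from)));` call directly above the added `len -= e-from;` in str_copy has its return value ignored, and the following `while (*p) buf->data[to++]= *(p++);` loop writes on the assumption that the buffer grew. On an allocation failure that copy would run past the old allocation. I would change it to `if (!BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from)))) goto err;`, using whatever failure exit str_copy already has (it is not visible in this hunk). The line is unchanged context, but it is exactly what the corrected length feeds into on the next substitution.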
@@ -478,13 +480,12 @@ const char *CRYPTO_get_lock_name(int type) return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS)); } -#ifdef _DLL -#ifdef OPENSSL_SYS_WIN32 +#if defined(_WIN32) && defined(_WINDLL) /* All we really need to do is remove the 'error' state when a thread * detaches */ -BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, +BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { switch(fdwReason) @@ -503,8 +504,6 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, } #endif -#endif - void OpenSSLDie(const char *file,int line,const char *assertion) { fprintf(stderr, 
@@ -512,3 +511,122 @@ void OpenSSLDie(const char *file,int line,const char *assertion) file,line,assertion); abort(); } + +#ifdef OPENSSL_FIPS +static int fips_started = 0; +static int fips_mode = 0; +static void *fips_rand_check = 0; +static unsigned long fips_thread = 0; + +void fips_set_started(void) + { + fips_started = 1; + } + +int fips_is_started(void) + { + return fips_started; + } + +int fips_is_owning_thread(void) + { + int ret = 0; + + if (fips_is_started()) + { + CRYPTO_r_lock(CRYPTO_LOCK_FIPS2); + if (fips_thread != 0 && fips_thread == CRYPTO_thread_id()) + ret = 1; + CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2); + } + return ret; + } + +int fips_set_owning_thread(void) + { + int ret = 0; + + if (fips_is_started()) + { + CRYPTO_w_lock(CRYPTO_LOCK_FIPS2); + if (fips_thread == 0) + { + fips_thread = CRYPTO_thread_id(); + ret = 1; + } + CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2); + } + return ret; + } + +int fips_clear_owning_thread(void) + { + int ret = 0; + + if (fips_is_started()) + { + CRYPTO_w_lock(CRYPTO_LOCK_FIPS2); + if (fips_thread == CRYPTO_thread_id()) + { + fips_thread = 0; + ret = 1; + } + CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2); + } + return ret; + } + +void fips_set_mode(int onoff) + { + int owning_thread = fips_is_owning_thread(); + + if (fips_is_started()) + { + if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS); + fips_mode = onoff; + if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS); + } + } + +void fips_set_rand_check(void *rand_check) + { + int owning_thread = fips_is_owning_thread(); + + if (fips_is_started()) + { + if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS); + fips_rand_check = rand_check; + if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS); + } + } + +int FIPS_mode(void) + { + int ret = 0; + int owning_thread = fips_is_owning_thread(); + + if (fips_is_started()) + { + if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS); + ret = fips_mode; + if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS); + } + return ret; + } + +void 
*FIPS_rand_check(void) + { + void *ret = 0; + int owning_thread = fips_is_owning_thread(); + + if (fips_is_started()) + { + if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS); + ret = fips_rand_check; + if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS); + } + return ret; + } + +#endif /* OPENSSL_FIPS */ + diff --git a/lib/libcrypto/crypto-lib.com b/lib/libcrypto/crypto-lib.com index 39e78c69e50..c044ce0099d 100644 --- a/lib/libcrypto/crypto-lib.com +++ b/lib/libcrypto/crypto-lib.com @@ -158,7 +158,7 @@ $! $ APPS_DES = "DES/DES,CBC3_ENC" $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE" $ -$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time" +$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time,o_str" $ LIB_MD2 = "md2_dgst,md2_one" $ LIB_MD4 = "md4_dgst,md4_one" $ LIB_MD5 = "md5_dgst,md5_one" @@ -247,7 +247,7 @@ $ LIB_X509 = "x509_def,x509_d2,x509_r2x,x509_cmp,"+ - $ LIB_X509V3 = "v3_bcons,v3_bitst,v3_conf,v3_extku,v3_ia5,v3_lib,"+ - "v3_prn,v3_utl,v3err,v3_genn,v3_alt,v3_skey,v3_akey,v3_pku,"+ - "v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld,v3_purp,v3_info,"+ - - "v3_ocsp,v3_akeya" + "v3_ocsp,v3_akeya,v3_pcia,v3_pci" $ LIB_CONF = "conf_err,conf_lib,conf_api,conf_def,conf_mod,conf_mall,conf_sap" $ LIB_TXT_DB = "txt_db" $ LIB_PKCS7 = "pk7_asn1,pk7_lib,pkcs7err,pk7_doit,pk7_smime,pk7_attr,"+ - 
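Review bot: fips_set_mode() and fips_set_rand_check() do nothing when fips_is_started() is false, and because they return void the caller cannot tell that FIPS mode was never switched on. I would have them report success the way fips_set_owning_thread() does (`int ret = 0;` ... `ret = 1;` ... `return ret;`), or at least document the precondition above each one. `fips_started` is written by fips_set_started() and read by fips_is_started() with no lock held, unlike `fips_mode` and `fips_thread`. A header comment stating which of CRYPTO_LOCK_FIPS and CRYPTO_LOCK_FIPS2 guards which variable, and that the owning thread deliberately skips CRYPTO_LOCK_FIPS, would make the locking scheme reviewable.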
@@ -752,8 +752,8 @@ $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT "The Option ",P1," Is Invalid. The Valid Options Are:" $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT " ALL : Just Build Everything." -$ WRITE SYS$OUTPUT " LIBRARY : To Compile Just The [.xxx.EXE.SSL]LIBCRYPTO.OLB Library." -$ WRITE SYS$OUTPUT " APPS : To Compile Just The [.xxx.EXE.SSL]*.EXE Programs." +$ WRITE SYS$OUTPUT " LIBRARY : To Compile Just The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library." +$ WRITE SYS$OUTPUT " APPS : To Compile Just The [.xxx.EXE.CRYPTO]*.EXE Programs." $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT " Where 'xxx' Stands For:" $ WRITE SYS$OUTPUT "" diff --git a/lib/libcrypto/crypto.h b/lib/libcrypto/crypto.h index 273bc5e3f87..4d1dfac7f1e 100644 --- a/lib/libcrypto/crypto.h +++ b/lib/libcrypto/crypto.h @@ -128,7 +128,9 @@ extern "C" { #define CRYPTO_LOCK_ENGINE 30 #define CRYPTO_LOCK_UI 31 #define CRYPTO_LOCK_HWCRHK 32 /* This is a HACK which will disappear in 0.9.8 */ -#define CRYPTO_NUM_LOCKS 33 +#define CRYPTO_LOCK_FIPS 33 +#define CRYPTO_LOCK_FIPS2 34 +#define CRYPTO_NUM_LOCKS 35 #define CRYPTO_LOCK 1 #define CRYPTO_UNLOCK 2 
@@ -434,6 +436,63 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb); void OpenSSLDie(const char *file,int line,const char *assertion); #define OPENSSL_assert(e) ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e)) +#ifdef OPENSSL_FIPS +int FIPS_mode(void); +void *FIPS_rand_check(void); + +#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \ + alg " previous FIPS forbidden algorithm error ignored"); + +#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \ + #alg " Algorithm forbidden in FIPS mode"); + +#ifdef OPENSSL_FIPS_STRICT +#define FIPS_BAD_ALGORITHM(alg) FIPS_BAD_ABORT(alg) +#else +#define FIPS_BAD_ALGORITHM(alg) \ + { \ + FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); \ + ERR_add_error_data(2, "Algorithm=", #alg); \ + return 0; \ + } +#endif + +/* Low level digest API blocking macro */ + +#define FIPS_NON_FIPS_MD_Init(alg) \ + int alg##_Init(alg##_CTX *c) \ + { \ + if (FIPS_mode()) \ + FIPS_BAD_ALGORITHM(alg) \ + return private_##alg##_Init(c); \ + } \ + int private_##alg##_Init(alg##_CTX *c) + +/* For ciphers the API often varies from cipher to cipher and each needs to + * be treated as a special case. Variable key length ciphers (Blowfish, RC4, + * CAST) however are very similar and can use a blocking macro. + */ + +#define FIPS_NON_FIPS_VCIPHER_Init(alg) \ + void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data) \ + { \ + if (FIPS_mode()) \ + FIPS_BAD_ABORT(alg) \ + private_##alg##_set_key(key, len, data); \ + } \ + void private_##alg##_set_key(alg##_KEY *key, int len, \ + const unsigned char *data) + +#else + +#define FIPS_NON_FIPS_VCIPHER_Init(alg) \ + void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data) + +#define FIPS_NON_FIPS_MD_Init(alg) \ + int alg##_Init(alg##_CTX *c) + +#endif /* def OPENSSL_FIPS */ + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. 
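Review bot: FIPS_BAD_ABORT and FIPS_ERROR_IGNORED carry their own trailing `;` and the non-strict FIPS_BAD_ALGORITHM expands to a bare `{ ... return 0; }` block, so they work only in the exact `if (FIPS_mode()) MACRO(alg)` shape used in the wrappers below and break as soon as an `else` follows. Dropping the semicolon from the definitions and wrapping the block as `do { ... } while (0)` would make them behave like ordinary statements. FIPS_BAD_ALGORITHM also always reports `FIPS_F_HASH_FINAL` as the function code, which mislabels errors raised from the `alg##_Init` wrappers. FIPS_ERROR_IGNORED pastes `alg` as a string literal while FIPS_BAD_ABORT stringises it with `#alg`; one convention would be less surprising.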
diff --git a/lib/libcrypto/des/cfb64ede.c b/lib/libcrypto/des/cfb64ede.c index 60c1aa08db4..f3c60185288 100644 --- a/lib/libcrypto/des/cfb64ede.c +++ b/lib/libcrypto/des/cfb64ede.c @@ -57,6 +57,7 @@ */ #include "des_locl.h" +#include "e_os.h" /* The input and output encrypted as though 64bit cfb mode is being * used. The extra state information to record how much of the 
@@ -140,3 +141,114 @@ void DES_ede2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length, DES_ede3_cfb64_encrypt(in,out,length,ks1,ks2,ks1,ivec,num,enc); } #endif + +/* This is compatible with the single key CFB-r for DES, even thought that's + * not what EVP needs. + */ + +void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out, + int numbits,long length,DES_key_schedule *ks1, + DES_key_schedule *ks2,DES_key_schedule *ks3, + DES_cblock *ivec,int enc) + { + register DES_LONG d0,d1,v0,v1; + register long l=length; + register int num=numbits,n=(numbits+7)/8,i; + DES_LONG ti[2]; + unsigned char *iv; + unsigned char ovec[16]; + + if (num > 64) return; + iv = &(*ivec)[0]; + c2l(iv,v0); + c2l(iv,v1); + if (enc) + { + while (l >= n) + { + l-=n; + ti[0]=v0; + ti[1]=v1; + DES_encrypt3(ti,ks1,ks2,ks3); + c2ln(in,d0,d1,n); + in+=n; + d0^=ti[0]; + d1^=ti[1]; + l2cn(d0,d1,out,n); + out+=n; + /* 30-08-94 - eay - changed because l>>32 and + * l<<32 are bad under gcc :-( */ + if (num == 32) + { v0=v1; v1=d0; } + else if (num == 64) + { v0=d0; v1=d1; } + else + { + iv=&ovec[0]; + l2c(v0,iv); + l2c(v1,iv); + l2c(d0,iv); + l2c(d1,iv); + /* shift ovec left most of the bits... */ + memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); + /* now the remaining bits */ + if(num%8 != 0) + for(i=0 ; i < 8 ; ++i) + { + ovec[i]<<=num%8; + ovec[i]|=ovec[i+1]>>(8-num%8); + } + iv=&ovec[0]; + c2l(iv,v0); + c2l(iv,v1); + } + } + } + else + { + while (l >= n) + { + l-=n; + ti[0]=v0; + ti[1]=v1; + DES_encrypt3(ti,ks1,ks2,ks3); + c2ln(in,d0,d1,n); + in+=n; + /* 30-08-94 - eay - changed because l>>32 and + * l<<32 are bad under gcc :-( */ + if (num == 32) + { v0=v1; v1=d0; } + else if (num == 64) + { v0=d0; v1=d1; } + else + { + iv=&ovec[0]; + l2c(v0,iv); + l2c(v1,iv); + l2c(d0,iv); + l2c(d1,iv); + /* shift ovec left most of the bits... */ + memmove(ovec,ovec+num/8,8+(num%8 ? 
1 : 0)); + /* now the remaining bits */ + if(num%8 != 0) + for(i=0 ; i < 8 ; ++i) + { + ovec[i]<<=num%8; + ovec[i]|=ovec[i+1]>>(8-num%8); + } + iv=&ovec[0]; + c2l(iv,v0); + c2l(iv,v1); + } + d0^=ti[0]; + d1^=ti[1]; + l2cn(d0,d1,out,n); + out+=n; + } + } + iv = &(*ivec)[0]; + l2c(v0,iv); + l2c(v1,iv); + v0=v1=d0=d1=ti[0]=ti[1]=0; + } + diff --git a/lib/libcrypto/des/des.h b/lib/libcrypto/des/des.h index dfe5ff64e44..81bd874edd7 100644 --- a/lib/libcrypto/des/des.h +++ b/lib/libcrypto/des/des.h @@ -130,7 +130,7 @@ OPENSSL_DECLARE_GLOBAL(int,DES_rw_mode); /* defaults to DES_PCBC_MODE */ #define DES_rw_mode OPENSSL_GLOBAL_REF(DES_rw_mode) const char *DES_options(void); -void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, +void DES_ecb3_encrypt(const unsigned char *input, unsigned char *output, DES_key_schedule *ks1,DES_key_schedule *ks2, DES_key_schedule *ks3, int enc); DES_LONG DES_cbc_cksum(const unsigned char *input,DES_cblock *output, @@ -189,6 +189,10 @@ void DES_ede3_cfb64_encrypt(const unsigned char *in,unsigned char *out, long length,DES_key_schedule *ks1, DES_key_schedule *ks2,DES_key_schedule *ks3, DES_cblock *ivec,int *num,int enc); +void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out, + int numbits,long length,DES_key_schedule *ks1, + DES_key_schedule *ks2,DES_key_schedule *ks3, + DES_cblock *ivec,int enc); void DES_ede3_ofb64_encrypt(const unsigned char *in,unsigned char *out, long length,DES_key_schedule *ks1, DES_key_schedule *ks2,DES_key_schedule *ks3, diff --git a/lib/libcrypto/des/des_enc.c b/lib/libcrypto/des/des_enc.c index 4f09804c44f..6a49ec4a550 100644 --- a/lib/libcrypto/des/des_enc.c +++ b/lib/libcrypto/des/des_enc.c @@ -58,7 +58,9 @@ #include "des_locl.h" +#ifndef OPENSSL_FIPS #ifndef OPENBSD_DES_ASM + void DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc) { register DES_LONG l,r,t,u; 
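Review bot: `if (num > 64) return;` in DES_ede3_cfb_encrypt rejects only the upper bound, so a `numbits` of 0 makes `n` 0 and neither `while (l >= n)` loop makes progress, and negative values reach `c2ln`/`l2cn` with a non-positive count. The guard should be `if (num <= 0 || num > 64) return;`. Because the function is void, a rejected call returns with `out` untouched and no error signal, which deserves a sentence in the comment above the function. The closing `v0=v1=d0=d1=ti[0]=ti[1]=0;` leaves `ovec` as it was and is a plain store the compiler may drop; if the intent is to scrub the keystream, calling OPENSSL_cleanse on `ti` and `ovec` would state that.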
@@ -289,8 +291,12 @@ void DES_decrypt3(DES_LONG *data, DES_key_schedule *ks1, data[1]=r; } +#endif /* ndef OPENSSL_FIPS */ + #ifndef DES_DEFAULT_OPTIONS +#if !defined(OPENSSL_FIPS_DES_ASM) + #undef CBC_ENC_C__DONT_UPDATE_IV #include "ncbc_enc.c" /* DES_ncbc_encrypt */ @@ -406,4 +412,6 @@ void DES_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output, tin[0]=tin[1]=0; } +#endif /* !defined(OPENSSL_FIPS_DES_ASM) */ + #endif /* DES_DEFAULT_OPTIONS */ diff --git a/lib/libcrypto/des/des_old.c b/lib/libcrypto/des/des_old.c index 7e4cd7180d1..88e9802aad0 100644 --- a/lib/libcrypto/des/des_old.c +++ b/lib/libcrypto/des/des_old.c @@ -84,7 +84,7 @@ void _ossl_old_des_ecb3_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock des_key_schedule ks1,des_key_schedule ks2, des_key_schedule ks3, int enc) { - DES_ecb3_encrypt((const_DES_cblock *)input, output, + DES_ecb3_encrypt((const unsigned char *)input, (unsigned char *)output, (DES_key_schedule *)ks1, (DES_key_schedule *)ks2, (DES_key_schedule *)ks3, enc); } diff --git a/lib/libcrypto/des/destest.c b/lib/libcrypto/des/destest.c index 3983ac8e5f1..e3e9d77f144 100644 --- a/lib/libcrypto/des/destest.c +++ b/lib/libcrypto/des/destest.c @@ -439,8 +439,8 @@ int main(int argc, char *argv[]) memcpy(in,plain_data[i],8); memset(out,0,8); memset(outin,0,8); - des_ecb2_encrypt(&in,&out,ks,ks2,DES_ENCRYPT); - des_ecb2_encrypt(&out,&outin,ks,ks2,DES_DECRYPT); + des_ecb2_encrypt(in,out,ks,ks2,DES_ENCRYPT); + des_ecb2_encrypt(out,outin,ks,ks2,DES_DECRYPT); if (memcmp(out,cipher_ecb2[i],8) != 0) { diff --git a/lib/libcrypto/des/ecb3_enc.c b/lib/libcrypto/des/ecb3_enc.c index c3437bc6062..fa0c9c4d4fc 100644 --- a/lib/libcrypto/des/ecb3_enc.c +++ b/lib/libcrypto/des/ecb3_enc.c 
@@ -58,15 +58,13 @@ #include "des_locl.h" -void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, +void DES_ecb3_encrypt(const unsigned char *in, unsigned char *out, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, int enc) { register DES_LONG l0,l1; DES_LONG ll[2]; - const unsigned char *in = &(*input)[0]; - unsigned char *out = &(*output)[0]; c2l(in,l0); c2l(in,l1); diff --git a/lib/libcrypto/des/set_key.c b/lib/libcrypto/des/set_key.c index 143008ed9c5..8881d46a7ad 100644 --- a/lib/libcrypto/des/set_key.c +++ b/lib/libcrypto/des/set_key.c @@ -65,6 +65,8 @@ */ #include "des_locl.h" +#ifndef OPENSSL_FIPS + OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key); /* defaults to false */ static const unsigned char odd_parity[256]={ @@ -405,3 +407,5 @@ void des_fixup_key_parity(des_cblock *key) des_set_odd_parity(key); } */ + +#endif /* ndef OPENSSL_FIPS */ diff --git a/lib/libcrypto/dh/dh_check.c b/lib/libcrypto/dh/dh_check.c index f0373f7d687..a7e9920efb0 100644 --- a/lib/libcrypto/dh/dh_check.c +++ b/lib/libcrypto/dh/dh_check.c @@ -70,6 +70,8 @@ * should hold. */ +#ifndef OPENSSL_FIPS + int DH_check(const DH *dh, int *ret) { int ok=0; @@ -118,3 +120,5 @@ err: if (q != NULL) BN_free(q); return(ok); } + +#endif diff --git a/lib/libcrypto/dh/dh_err.c b/lib/libcrypto/dh/dh_err.c index d837950aecb..c2715044c91 100644 --- a/lib/libcrypto/dh/dh_err.c +++ b/lib/libcrypto/dh/dh_err.c @@ -1,6 +1,6 @@ /* crypto/dh/dh_err.c */ /* ==================================================================== - * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/lib/libcrypto/dh/dh_gen.c b/lib/libcrypto/dh/dh_gen.c index 06f78b35ab7..23777f5a16c 100644 --- a/lib/libcrypto/dh/dh_gen.c +++ b/lib/libcrypto/dh/dh_gen.c 
@@ -86,6 +86,9 @@ * It's just as OK (and in some sense better) to use a generator of the * order-q subgroup. */ + +#ifndef OPENSSL_FIPS + DH *DH_generate_parameters(int prime_len, int generator, void (*callback)(int,int,void *), void *cb_arg) { @@ -146,6 +149,7 @@ DH *DH_generate_parameters(int prime_len, int generator, if (callback != NULL) callback(3,0,cb_arg); ret->p=p; ret->g=BN_new(); + if (ret->g == NULL) goto err; if (!BN_set_word(ret->g,g)) goto err; ok=1; err: @@ -167,3 +171,5 @@ err: } return(ret); } + +#endif diff --git a/lib/libcrypto/dh/dh_key.c b/lib/libcrypto/dh/dh_key.c index 77f2f50b516..ff125c2296f 100644 --- a/lib/libcrypto/dh/dh_key.c +++ b/lib/libcrypto/dh/dh_key.c @@ -62,6 +62,8 @@ #include <openssl/rand.h> #include <openssl/dh.h> +#ifndef OPENSSL_FIPS + static int generate_key(DH *dh); static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, @@ -220,3 +222,5 @@ static int dh_finish(DH *dh) BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p); return(1); } + +#endif diff --git a/lib/libcrypto/doc/ERR_error_string.pod b/lib/libcrypto/doc/ERR_error_string.pod index e01beb817a3..cdfa7fe1fe7 100644 --- a/lib/libcrypto/doc/ERR_error_string.pod +++ b/lib/libcrypto/doc/ERR_error_string.pod @@ -11,7 +11,7 @@ error message #include <openssl/err.h> char *ERR_error_string(unsigned long e, char *buf); - char *ERR_error_string_n(unsigned long e, char *buf, size_t len); + void ERR_error_string_n(unsigned long e, char *buf, size_t len); const char *ERR_lib_error_string(unsigned long e); const char *ERR_func_error_string(unsigned long e); diff --git a/lib/libcrypto/doc/EVP_EncryptInit.pod b/lib/libcrypto/doc/EVP_EncryptInit.pod index daf57e5895f..40e525dd56e 100644 --- a/lib/libcrypto/doc/EVP_EncryptInit.pod +++ b/lib/libcrypto/doc/EVP_EncryptInit.pod 
@@ -479,6 +479,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen)) { /* Error */ + EVP_CIPHER_CTX_cleanup(&ctx); return 0; } fwrite(outbuf, 1, outlen, out); @@ -486,6 +487,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen)) { /* Error */ + EVP_CIPHER_CTX_cleanup(&ctx); return 0; } fwrite(outbuf, 1, outlen, out); diff --git a/lib/libcrypto/doc/EVP_SealInit.pod b/lib/libcrypto/doc/EVP_SealInit.pod index b5e477e2942..48a0e299542 100644 --- a/lib/libcrypto/doc/EVP_SealInit.pod +++ b/lib/libcrypto/doc/EVP_SealInit.pod @@ -8,8 +8,9 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption #include <openssl/evp.h> - int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek, - int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk); + int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, + unsigned char **ek, int *ekl, unsigned char *iv, + EVP_PKEY **pubk, int npubk); int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, unsigned char *in, int inl); int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, diff --git a/lib/libcrypto/doc/EVP_SignInit.pod b/lib/libcrypto/doc/EVP_SignInit.pod index e65e54ce522..0bace249389 100644 --- a/lib/libcrypto/doc/EVP_SignInit.pod +++ b/lib/libcrypto/doc/EVP_SignInit.pod 
@@ -29,11 +29,10 @@ EVP_SignUpdate() hashes B<cnt> bytes of data at B<d> into the signature context B<ctx>. This function can be called several times on the same B<ctx> to include additional data. -EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> -and places the signature in B<sig>. If the B<s> parameter is not NULL -then the number of bytes of data written (i.e. the length of the signature) -will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes -will be written. +EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> and +places the signature in B<sig>. The number of bytes of data written (i.e. the +length of the signature) will be written to the integer at B<s>, at most +EVP_PKEY_size(pkey) bytes will be written. EVP_SignInit() initializes a signing context B<ctx> to use the default implementation of digest B<type>. diff --git a/lib/libcrypto/doc/RSA_public_encrypt.pod b/lib/libcrypto/doc/RSA_public_encrypt.pod index d53e19d2b74..ab0fe3b2cd1 100644 --- a/lib/libcrypto/doc/RSA_public_encrypt.pod +++ b/lib/libcrypto/doc/RSA_public_encrypt.pod @@ -47,9 +47,10 @@ Encrypting user data directly with RSA is insecure. =back B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5 -based padding modes, and less than RSA_size(B<rsa>) - 41 for -RSA_PKCS1_OAEP_PADDING. The random number generator must be seeded -prior to calling RSA_public_encrypt(). +based padding modes, less than RSA_size(B<rsa>) - 41 for +RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING. +The random number generator must be seeded prior to calling +RSA_public_encrypt(). RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the private key B<rsa> and stores the plaintext in B<to>. B<to> must point diff --git a/lib/libcrypto/dsa/dsa.h b/lib/libcrypto/dsa/dsa.h index 9b3baadf2c4..225ff391f9b 100644 --- a/lib/libcrypto/dsa/dsa.h +++ b/lib/libcrypto/dsa/dsa.h 
@@ -81,6 +81,10 @@ #define DSA_FLAG_CACHE_MONT_P 0x01 +#if defined(OPENSSL_FIPS) +#define FIPS_DSA_SIZE_T int +#endif + #ifdef __cplusplus extern "C" { #endif diff --git a/lib/libcrypto/dsa/dsa_gen.c b/lib/libcrypto/dsa/dsa_gen.c index dc9c2493103..e40afeea516 100644 --- a/lib/libcrypto/dsa/dsa_gen.c +++ b/lib/libcrypto/dsa/dsa_gen.c @@ -80,6 +80,7 @@ #include <openssl/rand.h> #include <openssl/sha.h> +#ifndef OPENSSL_FIPS DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, int *counter_ret, unsigned long *h_ret, @@ -127,8 +128,9 @@ DSA *DSA_generate_parameters(int bits, c = BN_CTX_get(ctx2); p = BN_CTX_get(ctx2); test = BN_CTX_get(ctx2); + if (test == NULL) goto err; - BN_lshift(test,BN_value_one(),bits-1); + if (!BN_lshift(test,BN_value_one(),bits-1)) goto err; for (;;) { @@ -196,7 +198,7 @@ DSA *DSA_generate_parameters(int bits, callback(0,counter,cb_arg); /* step 7 */ - BN_zero(W); + if (!BN_zero(W)) goto err; /* now 'buf' contains "SEED + offset - 1" */ for (k=0; k<=n; k++) { @@ -212,20 +214,20 @@ DSA *DSA_generate_parameters(int bits, /* step 8 */ if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0)) goto err; - BN_lshift(r0,r0,160*k); - BN_add(W,W,r0); + if (!BN_lshift(r0,r0,160*k)) goto err; + if (!BN_add(W,W,r0)) goto err; } /* more of step 8 */ - BN_mask_bits(W,bits-1); - BN_copy(X,W); /* this should be ok */ - BN_add(X,X,test); /* this should be ok */ + if (!BN_mask_bits(W,bits-1)) goto err; + if (!BN_copy(X,W)) goto err; + if (!BN_add(X,X,test)) goto err; /* step 9 */ - BN_lshift1(r0,q); - BN_mod(c,X,r0,ctx); - BN_sub(r0,c,BN_value_one()); - BN_sub(p,X,r0); + if (!BN_lshift1(r0,q)) goto err; + if (!BN_mod(c,X,r0,ctx)) goto err; + if (!BN_sub(r0,c,BN_value_one())) goto err; + if (!BN_sub(p,X,r0)) goto err; /* step 10 */ if (BN_cmp(p,test) >= 0) 
@@ -251,18 +253,18 @@ end: /* We now need to generate g */ /* Set r0=(p-1)/q */ - BN_sub(test,p,BN_value_one()); - BN_div(r0,NULL,test,q,ctx); + if (!BN_sub(test,p,BN_value_one())) goto err; + if (!BN_div(r0,NULL,test,q,ctx)) goto err; - BN_set_word(test,h); - BN_MONT_CTX_set(mont,p,ctx); + if (!BN_set_word(test,h)) goto err; + if (!BN_MONT_CTX_set(mont,p,ctx)) goto err; for (;;) { /* g=test^r0%p */ - BN_mod_exp_mont(g,test,r0,p,ctx,mont); + if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err; if (!BN_is_one(g)) break; - BN_add(test,test,BN_value_one()); + if (!BN_add(test,test,BN_value_one())) goto err; h++; } @@ -279,6 +281,11 @@ err: ret->p=BN_dup(p); ret->q=BN_dup(q); ret->g=BN_dup(g); + if (ret->p == NULL || ret->q == NULL || ret->g == NULL) + { + ok=0; + goto err; + } if ((m > 1) && (seed_in != NULL)) memcpy(seed_in,seed,20); if (counter_ret != NULL) *counter_ret=counter; if (h_ret != NULL) *h_ret=h; @@ -293,4 +300,6 @@ err: if (mont != NULL) BN_MONT_CTX_free(mont); return(ok?ret:NULL); } -#endif +#endif /* ndef OPENSSL_FIPS */ +#endif /* ndef OPENSSL_NO_SHA */ + diff --git a/lib/libcrypto/dsa/dsa_key.c b/lib/libcrypto/dsa/dsa_key.c index ef87c3e6372..30607ca579f 100644 --- a/lib/libcrypto/dsa/dsa_key.c +++ b/lib/libcrypto/dsa/dsa_key.c @@ -64,6 +64,7 @@ #include <openssl/dsa.h> #include <openssl/rand.h> +#ifndef OPENSSL_FIPS int DSA_generate_key(DSA *dsa) { int ok=0; @@ -103,3 +104,4 @@ err: return(ok); } #endif +#endif diff --git a/lib/libcrypto/dsa/dsa_ossl.c b/lib/libcrypto/dsa/dsa_ossl.c index b9e7f3ea5c6..f1a85afcde8 100644 --- a/lib/libcrypto/dsa/dsa_ossl.c +++ b/lib/libcrypto/dsa/dsa_ossl.c @@ -65,6 +65,7 @@ #include <openssl/rand.h> #include <openssl/asn1.h> +#ifndef OPENSSL_FIPS static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, 
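Review bot: In dsa_gen.c, the added BN_dup failure branch (`ok=0; goto err;`) appears to leak the DSA object that ret points to at that moment. The function ends with `return(ok?ret:NULL);`, so once ok is cleared the caller receives NULL and nothing visible frees ret or whichever of p, q, g were duplicated successfully. The lines between this hunk and the final one are not shown, so confirm there is no cleanup there; if not, release it in the branch: `DSA_free(ret); ret=NULL; ok=0; goto err;`.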
@@ -346,3 +347,4 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, { return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); } +#endif diff --git a/lib/libcrypto/dsa/dsa_sign.c b/lib/libcrypto/dsa/dsa_sign.c index 89205026f01..3c9753bac39 100644 --- a/lib/libcrypto/dsa/dsa_sign.c +++ b/lib/libcrypto/dsa/dsa_sign.c @@ -64,9 +64,17 @@ #include <openssl/dsa.h> #include <openssl/rand.h> #include <openssl/asn1.h> +#ifndef OPENSSL_NO_ENGINE +#include <openssl/engine.h> +#endif +#include <openssl/fips.h> DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { +#ifdef OPENSSL_FIPS + if(FIPS_mode() && !FIPS_dsa_check(dsa)) + return NULL; +#endif return dsa->meth->dsa_do_sign(dgst, dlen, dsa); } @@ -87,6 +95,10 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { +#ifdef OPENSSL_FIPS + if(FIPS_mode() && !FIPS_dsa_check(dsa)) + return 0; +#endif return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); } diff --git a/lib/libcrypto/dsa/dsa_vrf.c b/lib/libcrypto/dsa/dsa_vrf.c index c4aeddd0560..8ef0c450252 100644 --- a/lib/libcrypto/dsa/dsa_vrf.c +++ b/lib/libcrypto/dsa/dsa_vrf.c @@ -65,10 +65,18 @@ #include <openssl/rand.h> #include <openssl/asn1.h> #include <openssl/asn1_mac.h> +#ifndef OPENSSL_NO_ENGINE +#include <openssl/engine.h> +#endif +#include <openssl/fips.h> int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) { +#ifdef OPENSSL_FIPS + if(FIPS_mode() && !FIPS_dsa_check(dsa)) + return -1; +#endif return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa); } diff --git a/lib/libcrypto/dso/dso_win32.c b/lib/libcrypto/dso/dso_win32.c index 6c30deb250b..3fa90eb27cf 100644 --- a/lib/libcrypto/dso/dso_win32.c +++ b/lib/libcrypto/dso/dso_win32.c 
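Review bot: In dsa_vrf.c the new FIPS rejection makes DSA_do_verify return -1, and a caller that tests the result for truth (`if (DSA_do_verify(...))`) will treat that as a valid signature. The value matches the function's error convention, but this adds a new way to reach it, so I would put a comment on the check: `/* -1 is an error, not "signature ok": callers must compare the result with 1 */`. None of the three added checks (here, and the NULL and 0 returns in DSA_do_sign and DSA_sign_setup in dsa_sign.c) records an error itself. Unless FIPS_dsa_check already queues one, which the diff does not show, the failure will be silent.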
@@ -61,7 +61,7 @@ #include "cryptlib.h" #include <openssl/dso.h> -#if !defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE) +#if !defined(DSO_WIN32) DSO_METHOD *DSO_METHOD_win32(void) { return NULL; diff --git a/lib/libcrypto/engine/hw_cryptodev.c b/lib/libcrypto/engine/hw_cryptodev.c index 0ca442af8a5..41184b67867 100644 --- a/lib/libcrypto/engine/hw_cryptodev.c +++ b/lib/libcrypto/engine/hw_cryptodev.c @@ -93,7 +93,7 @@ static int open_dev_crypto(void); static int get_dev_crypto(void); static struct dev_crypto_cipher *cipher_nid_to_cryptodev(int nid); static int get_cryptodev_ciphers(const int **cnids); -static int get_cryptodev_digests(const int **cnids); +/*static int get_cryptodev_digests(const int **cnids);*/ static int cryptodev_usable_ciphers(const int **nids); static int cryptodev_usable_digests(const int **nids); static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, @@ -150,6 +150,7 @@ static struct dev_crypto_cipher ciphers[] = { { 0, NID_undef, 0, 0, }, }; +#if 0 /* UNUSED */ static struct { int id; int nid; @@ -162,6 +163,7 @@ static struct { { CRYPTO_SHA1, NID_undef, }, { 0, NID_undef, }, }; +#endif /* * Return a fd if /dev/crypto seems usable, -1 otherwise. @@ -297,6 +299,7 @@ get_cryptodev_ciphers(const int **cnids) * returning them here is harmless, as long as we return NULL * when asked for a handler in the cryptodev_engine_digests routine */ +#if 0 /* UNUSED */ static int get_cryptodev_digests(const int **cnids) { @@ -326,6 +329,7 @@ get_cryptodev_digests(const int **cnids) *cnids = NULL; return (count); } +#endif /* * Find the useable ciphers|digests from dev/crypto - this is the first @@ -832,7 +836,7 @@ static int bn2crparam(const BIGNUM *a, struct crparam *crp) { int i, j, k; - ssize_t words, bytes, bits; + ssize_t bytes, bits; u_char *b; crp->crp_p = NULL; diff --git a/lib/libcrypto/err/err.c b/lib/libcrypto/err/err.c index 792f3296009..c78790a54cc 100644 --- a/lib/libcrypto/err/err.c +++ b/lib/libcrypto/err/err.c 
@@ -149,6 +149,7 @@ static ERR_STRING_DATA ERR_str_libraries[]= {ERR_PACK(ERR_LIB_DSO,0,0) ,"DSO support routines"}, {ERR_PACK(ERR_LIB_ENGINE,0,0) ,"engine routines"}, {ERR_PACK(ERR_LIB_OCSP,0,0) ,"OCSP routines"}, +{ERR_PACK(ERR_LIB_FIPS,0,0) ,"FIPS routines"}, {0,NULL}, }; @@ -167,6 +168,7 @@ static ERR_STRING_DATA ERR_str_functs[]= #endif {ERR_PACK(0,SYS_F_OPENDIR,0), "opendir"}, {ERR_PACK(0,SYS_F_FREAD,0), "fread"}, + {ERR_PACK(0,SYS_F_GETADDRINFO,0), "getaddrinfo"}, {0,NULL}, }; diff --git a/lib/libcrypto/err/err.h b/lib/libcrypto/err/err.h index 8faa3a7b4f5..2efa18866ad 100644 --- a/lib/libcrypto/err/err.h +++ b/lib/libcrypto/err/err.h @@ -131,6 +131,7 @@ typedef struct err_state_st #define ERR_LIB_OCSP 39 #define ERR_LIB_UI 40 #define ERR_LIB_COMP 41 +#define ERR_LIB_FIPS 42 #define ERR_LIB_USER 128 @@ -159,6 +160,7 @@ typedef struct err_state_st #define OCSPerr(f,r) ERR_PUT_error(ERR_LIB_OCSP,(f),(r),__FILE__,__LINE__) #define UIerr(f,r) ERR_PUT_error(ERR_LIB_UI,(f),(r),__FILE__,__LINE__) #define COMPerr(f,r) ERR_PUT_error(ERR_LIB_COMP,(f),(r),__FILE__,__LINE__) +#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__) /* Borland C seems too stupid to be able to shift and do longs in * the pre-processor :-( */ @@ -183,6 +185,7 @@ typedef struct err_state_st #define SYS_F_WSASTARTUP 9 /* Winsock stuff */ #define SYS_F_OPENDIR 10 #define SYS_F_FREAD 11 +#define SYS_F_GETADDRINFO 12 /* reasons */ diff --git a/lib/libcrypto/err/err_all.c b/lib/libcrypto/err/err_all.c index dc505d9d9d4..4dc93008929 100644 --- a/lib/libcrypto/err/err_all.c +++ b/lib/libcrypto/err/err_all.c @@ -87,6 +87,7 @@ #endif #include <openssl/ocsp.h> #include <openssl/err.h> +#include <openssl/fips.h> void ERR_load_crypto_strings(void) { @@ -130,4 +131,7 @@ void ERR_load_crypto_strings(void) ERR_load_OCSP_strings(); ERR_load_UI_strings(); #endif +#ifdef OPENSSL_FIPS + ERR_load_FIPS_strings(); +#endif } 
diff --git a/lib/libcrypto/err/openssl.ec b/lib/libcrypto/err/openssl.ec index 29a69dfdd43..447a7f87ed8 100644 --- a/lib/libcrypto/err/openssl.ec +++ b/lib/libcrypto/err/openssl.ec @@ -27,6 +27,7 @@ L DSO crypto/dso/dso.h crypto/dso/dso_err.c L ENGINE crypto/engine/engine.h crypto/engine/eng_err.c L OCSP crypto/ocsp/ocsp.h crypto/ocsp/ocsp_err.c L UI crypto/ui/ui.h crypto/ui/ui_err.c +L FIPS fips/fips.h fips/fips_err.h # additional header files to be scanned for function names L NONE crypto/x509/x509_vfy.h NONE diff --git a/lib/libcrypto/evp/bio_md.c b/lib/libcrypto/evp/bio_md.c index c632dfb2022..f4aa41ac4b4 100644 --- a/lib/libcrypto/evp/bio_md.c +++ b/lib/libcrypto/evp/bio_md.c @@ -176,10 +176,11 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr) { case BIO_CTRL_RESET: if (b->init) - EVP_DigestInit_ex(ctx,ctx->digest, NULL); + ret = EVP_DigestInit_ex(ctx,ctx->digest, NULL); else ret=0; - ret=BIO_ctrl(b->next_bio,cmd,num,ptr); + if (ret > 0) + ret=BIO_ctrl(b->next_bio,cmd,num,ptr); break; case BIO_C_GET_MD: if (b->init) @@ -191,11 +192,12 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr) ret=0; break; case BIO_C_GET_MD_CTX: + pctx=ptr; + *pctx=ctx; + break; + case BIO_C_SET_MD_CTX: if (b->init) - { - pctx=ptr; - *pctx=ctx; - } + b->ptr=ptr; else ret=0; break; @@ -207,8 +209,9 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_C_SET_MD: md=ptr; - EVP_DigestInit_ex(ctx,md, NULL); - b->init=1; + ret = EVP_DigestInit_ex(ctx,md, NULL); + if (ret > 0) + b->init=1; break; case BIO_CTRL_DUP: dbio=ptr; diff --git a/lib/libcrypto/evp/c_allc.c b/lib/libcrypto/evp/c_allc.c index 341a958fd47..fc968123657 100644 --- a/lib/libcrypto/evp/c_allc.c +++ b/lib/libcrypto/evp/c_allc.c @@ -67,6 +67,8 @@ void OpenSSL_add_all_ciphers(void) #ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cfb()); + EVP_add_cipher(EVP_des_cfb1()); + EVP_add_cipher(EVP_des_cfb8()); EVP_add_cipher(EVP_des_ede_cfb()); EVP_add_cipher(EVP_des_ede3_cfb()); 
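Review bot: In bio_md.c, the new BIO_C_SET_MD_CTX case in md_ctrl assigns `b->ptr=ptr` without checking ptr for NULL and without releasing the context b->ptr held before. A NULL argument would leave the BIO with no digest context for later read/write calls, and the previous context is presumably leaked; md_new and md_free are outside the hunk, so that needs confirming. I would guard it with `if (b->init && ptr != NULL)` and add a comment stating who owns the context after the call, since the BIO's free routine will likely destroy whatever b->ptr points to. Note also that BIO_C_GET_MD_CTX now hands out ctx even when b->init is 0, so callers can receive a context with no digest set.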
@@ -150,6 +152,8 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher(EVP_aes_128_ecb()); EVP_add_cipher(EVP_aes_128_cbc()); EVP_add_cipher(EVP_aes_128_cfb()); + EVP_add_cipher(EVP_aes_128_cfb1()); + EVP_add_cipher(EVP_aes_128_cfb8()); EVP_add_cipher(EVP_aes_128_ofb()); #if 0 EVP_add_cipher(EVP_aes_128_ctr()); @@ -159,6 +163,8 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher(EVP_aes_192_ecb()); EVP_add_cipher(EVP_aes_192_cbc()); EVP_add_cipher(EVP_aes_192_cfb()); + EVP_add_cipher(EVP_aes_192_cfb1()); + EVP_add_cipher(EVP_aes_192_cfb8()); EVP_add_cipher(EVP_aes_192_ofb()); #if 0 EVP_add_cipher(EVP_aes_192_ctr()); @@ -168,6 +174,8 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher(EVP_aes_256_ecb()); EVP_add_cipher(EVP_aes_256_cbc()); EVP_add_cipher(EVP_aes_256_cfb()); + EVP_add_cipher(EVP_aes_256_cfb1()); + EVP_add_cipher(EVP_aes_256_cfb8()); EVP_add_cipher(EVP_aes_256_ofb()); #if 0 EVP_add_cipher(EVP_aes_256_ctr()); diff --git a/lib/libcrypto/evp/c_alld.c b/lib/libcrypto/evp/c_alld.c index be91cdb0373..aae7bf7482a 100644 --- a/lib/libcrypto/evp/c_alld.c +++ b/lib/libcrypto/evp/c_alld.c @@ -75,7 +75,7 @@ void OpenSSL_add_all_digests(void) EVP_add_digest_alias(SN_md5,"ssl2-md5"); EVP_add_digest_alias(SN_md5,"ssl3-md5"); #endif -#ifndef OPENSSL_NO_SHA +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0) EVP_add_digest(EVP_sha()); #ifndef OPENSSL_NO_DSA EVP_add_digest(EVP_dss()); diff --git a/lib/libcrypto/evp/digest.c b/lib/libcrypto/evp/digest.c index 0623ddf1f05..f21c63842ca 100644 --- a/lib/libcrypto/evp/digest.c +++ b/lib/libcrypto/evp/digest.c 
@@ -137,6 +137,39 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type) return EVP_DigestInit_ex(ctx, type, NULL); } +#ifdef OPENSSL_FIPS + +/* The purpose of these is to trap programs that attempt to use non FIPS + * algorithms in FIPS mode and ignore the errors. + */ + +static int bad_init(EVP_MD_CTX *ctx) + { FIPS_ERROR_IGNORED("Digest init"); return 0;} + +static int bad_update(EVP_MD_CTX *ctx,const void *data,unsigned long count) + { FIPS_ERROR_IGNORED("Digest update"); return 0;} + +static int bad_final(EVP_MD_CTX *ctx,unsigned char *md) + { FIPS_ERROR_IGNORED("Digest Final"); return 0;} + +static const EVP_MD bad_md = + { + 0, + 0, + 0, + 0, + bad_init, + bad_update, + bad_final, + NULL, + NULL, + NULL, + 0, + {0,0,0,0}, + }; + +#endif + int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) { EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED); @@ -195,6 +228,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) #endif if (ctx->digest != type) { +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + { + if (!(type->flags & EVP_MD_FLAG_FIPS) + && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) + { + EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_DISABLED_FOR_FIPS); + ctx->digest = &bad_md; + return 0; + } + } +#endif if (ctx->digest && ctx->digest->ctx_size) OPENSSL_free(ctx->md_data); ctx->digest=type; diff --git a/lib/libcrypto/evp/e_aes.c b/lib/libcrypto/evp/e_aes.c index fe8bcda631f..f35036c9d76 100644 --- a/lib/libcrypto/evp/e_aes.c +++ b/lib/libcrypto/evp/e_aes.c 
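Review bot: In digest.c, the FIPS rejection path in EVP_DigestInit_ex overwrites `ctx->digest` with `&bad_md` before the previous digest's md_data has been released. The free on the following lines is keyed on `ctx->digest->ctx_size`, and bad_md's initializer leaves its trailing fields zero, so once the pointer is swapped nothing that checks ctx_size will free (or cleanse) the old buffer. A context that held a permitted digest and is then re-initialised with a disallowed one therefore keeps the old digest state allocated. I would release it first: `if (ctx->digest && ctx->digest->ctx_size) OPENSSL_free(ctx->md_data);` followed by `ctx->md_data=NULL;`, then set `ctx->digest = &bad_md;`. The body of EVP_DigestInit_ex continues outside the hunk.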
@@ -67,34 +67,52 @@ typedef struct IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY, NID_aes_128, 16, 16, 16, 128, - 0, aes_init_key, NULL, + EVP_CIPH_FLAG_FIPS, aes_init_key, NULL, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY, NID_aes_192, 16, 24, 16, 128, - 0, aes_init_key, NULL, + EVP_CIPH_FLAG_FIPS, aes_init_key, NULL, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY, NID_aes_256, 16, 32, 16, 128, - 0, aes_init_key, NULL, + EVP_CIPH_FLAG_FIPS, aes_init_key, NULL, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) +#define IMPLEMENT_AES_CFBR(ksize,cbits,flags) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags) + +IMPLEMENT_AES_CFBR(128,1,0) +IMPLEMENT_AES_CFBR(192,1,0) +IMPLEMENT_AES_CFBR(256,1,0) + +IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS) +IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS) +IMPLEMENT_AES_CFBR(256,8,EVP_CIPH_FLAG_FIPS) + static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) { + const unsigned char *iv, int enc) + { + int ret; if ((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CFB_MODE || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_OFB_MODE || enc) - AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data); + ret=AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data); else - AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data); + ret=AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data); + + if(ret < 0) + { + EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); + return 0; + } return 1; -} + } #endif diff --git a/lib/libcrypto/evp/e_des.c b/lib/libcrypto/evp/e_des.c index 105266a4b36..46e2899825f 100644 --- a/lib/libcrypto/evp/e_des.c +++ b/lib/libcrypto/evp/e_des.c 
@@ -56,9 +56,9 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_DES #include <stdio.h> #include "cryptlib.h" +#ifndef OPENSSL_NO_DES #include <openssl/evp.h> #include <openssl/objects.h> #include "evp_locl.h" 
@@ -92,20 +92,55 @@ static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return 1; } -static int des_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, unsigned int inl) +static int des_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) { DES_cfb64_encrypt(in, out, (long)inl, ctx->cipher_data, (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt); return 1; } +/* Although we have a CFB-r implementation for DES, it doesn't pack the right + way, so wrap it here */ +static int des_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) + { + unsigned int n; + unsigned char c[1],d[1]; + + for(n=0 ; n < inl ; ++n) + { + c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0; + DES_cfb_encrypt(c,d,1,1,ctx->cipher_data,(DES_cblock *)ctx->iv, + ctx->encrypt); + out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8)); + } + return 1; + } + +static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) + { + DES_cfb_encrypt(in,out,8,inl,ctx->cipher_data,(DES_cblock *)ctx->iv, + ctx->encrypt); + return 1; + } + BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64, - 0, des_init_key, NULL, + EVP_CIPH_FLAG_FIPS, des_init_key, NULL, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) +BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1, + EVP_CIPH_FLAG_FIPS,des_init_key,NULL, + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv,NULL) + +BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8, + EVP_CIPH_FLAG_FIPS,des_init_key,NULL, + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv,NULL) static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) diff --git a/lib/libcrypto/evp/e_des3.c b/lib/libcrypto/evp/e_des3.c index 077860e7b61..677322bf021 100644 --- a/lib/libcrypto/evp/e_des3.c +++ b/lib/libcrypto/evp/e_des3.c 
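Review bot: In e_des.c, des_cfb1_cipher consumes inl as a count of bits rather than bytes, and the comment above it does not say so. The loop runs n from 0 to inl while indexing `in[n/8]` and `out[n/8]`, so a caller that passes a byte length gets only the first inl/8 bytes processed and the rest of out is never written. The existing comment explains the repacking only; I would add `/* NB: inl is a bit count here; only the first (inl+7)/8 bytes of in/out are touched */`. des_ede3_cfb1_cipher in e_des3.c has the same loop and needs the same comment. Whether the EVP layer converts lengths for these ciphers is not visible in this diff.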
@@ -56,9 +56,9 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_DES #include <stdio.h> #include "cryptlib.h" +#ifndef OPENSSL_NO_DES #include <openssl/evp.h> #include <openssl/objects.h> #include "evp_locl.h" @@ -85,7 +85,7 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { BLOCK_CIPHER_ecb_loop() - DES_ecb3_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i), + DES_ecb3_encrypt(in + i,out + i, &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, ctx->encrypt); @@ -121,7 +121,7 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return 1; } -static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, +static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { DES_ede3_cfb64_encrypt(in, out, (long)inl, 
@@ -130,23 +130,62 @@ static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return 1; } +/* Although we have a CFB-r implementation for 3-DES, it doesn't pack the right + way, so wrap it here */ +static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) + { + unsigned int n; + unsigned char c[1],d[1]; + + for(n=0 ; n < inl ; ++n) + { + c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0; + DES_ede3_cfb_encrypt(c,d,1,1, + &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3, + (DES_cblock *)ctx->iv,ctx->encrypt); + out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8)); + } + + return 1; + } + +static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) + { + DES_ede3_cfb_encrypt(in,out,8,inl, + &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3, + (DES_cblock *)ctx->iv,ctx->encrypt); + return 1; + } + BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64, - 0, des_ede_init_key, NULL, + EVP_CIPH_FLAG_FIPS, des_ede_init_key, NULL, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) -#define des_ede3_cfb_cipher des_ede_cfb_cipher +#define des_ede3_cfb64_cipher des_ede_cfb64_cipher #define des_ede3_ofb_cipher des_ede_ofb_cipher #define des_ede3_cbc_cipher des_ede_cbc_cipher #define des_ede3_ecb_cipher des_ede_ecb_cipher BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, - 0, des_ede3_init_key, NULL, + EVP_CIPH_FLAG_FIPS, des_ede3_init_key, NULL, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) +BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1, + EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL, + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv,NULL) + +BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8, + EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL, + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv,NULL) + static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned 
char *iv, int enc) { diff --git a/lib/libcrypto/evp/e_null.c b/lib/libcrypto/evp/e_null.c index 2420d7e5af8..a84b0f14b1a 100644 --- a/lib/libcrypto/evp/e_null.c +++ b/lib/libcrypto/evp/e_null.c @@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher= { NID_undef, 1,0,0, - 0, + EVP_CIPH_FLAG_FIPS, null_init_key, null_cipher, NULL, diff --git a/lib/libcrypto/evp/e_rc4.c b/lib/libcrypto/evp/e_rc4.c index d58f507837b..8aa70585b9a 100644 --- a/lib/libcrypto/evp/e_rc4.c +++ b/lib/libcrypto/evp/e_rc4.c @@ -62,6 +62,7 @@ #include "cryptlib.h" #include <openssl/evp.h> #include <openssl/objects.h> +#include "evp_locl.h" #include <openssl/rc4.h> /* FIXME: surely this is available elsewhere? */ diff --git a/lib/libcrypto/evp/evp.h b/lib/libcrypto/evp/evp.h index f9b48792ce4..62d95354efd 100644 --- a/lib/libcrypto/evp/evp.h +++ b/lib/libcrypto/evp/evp.h @@ -75,6 +75,10 @@ #include <openssl/bio.h> #endif +#ifdef OPENSSL_FIPS +#include <openssl/fips.h> +#endif + /* #define EVP_RC2_KEY_SIZE 16 #define EVP_RC4_KEY_SIZE 16 @@ -236,6 +240,7 @@ struct env_md_st #define EVP_MD_FLAG_ONESHOT 0x0001 /* digest can only handle a single * block */ +#define EVP_MD_FLAG_FIPS 0x0400 /* Note if suitable for use in FIPS mode */ #define EVP_PKEY_NULL_method NULL,NULL,{0,0,0,0} @@ -278,6 +283,9 @@ struct env_md_ctx_st #define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data * in EVP_MD_CTX_cleanup */ +#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest + * in FIPS mode */ + struct evp_cipher_st { int nid; @@ -319,6 +327,10 @@ struct evp_cipher_st #define EVP_CIPH_CUSTOM_KEY_LENGTH 0x80 /* Don't use standard block padding */ #define EVP_CIPH_NO_PADDING 0x100 +/* Note if suitable for use in FIPS mode */ +#define EVP_CIPH_FLAG_FIPS 0x400 +/* Allow non FIPS cipher in FIPS mode */ +#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800 /* ctrl() values */ 
@@ -425,6 +437,9 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, #define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d)) #define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c)) #define EVP_CIPHER_CTX_flags(e) ((e)->cipher->flags) +#define EVP_CIPHER_CTX_set_flags(ctx,flgs) ((ctx)->flags|=(flgs)) +#define EVP_CIPHER_CTX_clear_flags(ctx,flgs) ((ctx)->flags&=~(flgs)) +#define EVP_CIPHER_CTX_test_flags(ctx,flgs) ((ctx)->flags&(flgs)) #define EVP_CIPHER_CTX_mode(e) ((e)->cipher->flags & EVP_CIPH_MODE) #define EVP_ENCODE_LENGTH(l) (((l+2)/3*4)+(l/48+1)*2+80) @@ -446,6 +461,7 @@ void BIO_set_md(BIO *,const EVP_MD *md); #endif #define BIO_get_md(b,mdp) BIO_ctrl(b,BIO_C_GET_MD,0,(char *)mdp) #define BIO_get_md_ctx(b,mdcp) BIO_ctrl(b,BIO_C_GET_MD_CTX,0,(char *)mdcp) +#define BIO_set_md_ctx(b,mdcp) BIO_ctrl(b,BIO_C_SET_MD_CTX,0,(char *)mdcp) #define BIO_get_cipher_status(b) BIO_ctrl(b,BIO_C_GET_CIPHER_STATUS,0,NULL) #define BIO_get_cipher_ctx(b,c_pp) BIO_ctrl(b,BIO_C_GET_CIPHER_CTX,0,(char *)c_pp) 
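Review bot: `EVP_CIPHER_CTX_set_flags`, `EVP_CIPHER_CTX_clear_flags` and `EVP_CIPHER_CTX_test_flags` act on `(ctx)->flags`, but the existing `EVP_CIPHER_CTX_flags(e)` on the line above them returns `(e)->cipher->flags`, so the getter and the new setters address different words under the same name stem. This matters for the FIPS override: the `EVP_CipherInit_ex` hunk in this commit tests `EVP_CIPH_FLAG_NON_FIPS_ALLOW` against `ctx->flags`, and that constant is defined among the `EVP_CIPH_*` cipher flags, so a check written with `EVP_CIPHER_CTX_flags()` would read the wrong field. A comment above the three macros would prevent that, e.g. `/* These operate on the context's own flags, not on cipher->flags (see EVP_CIPHER_CTX_flags) */`.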
@@ -587,9 +603,20 @@ const EVP_CIPHER *EVP_des_ede(void); const EVP_CIPHER *EVP_des_ede3(void); const EVP_CIPHER *EVP_des_ede_ecb(void); const EVP_CIPHER *EVP_des_ede3_ecb(void); -const EVP_CIPHER *EVP_des_cfb(void); -const EVP_CIPHER *EVP_des_ede_cfb(void); -const EVP_CIPHER *EVP_des_ede3_cfb(void); +const EVP_CIPHER *EVP_des_cfb64(void); +# define EVP_des_cfb EVP_des_cfb64 +const EVP_CIPHER *EVP_des_cfb1(void); +const EVP_CIPHER *EVP_des_cfb8(void); +const EVP_CIPHER *EVP_des_ede_cfb64(void); +# define EVP_des_ede_cfb EVP_des_ede_cfb64 +#if 0 +const EVP_CIPHER *EVP_des_ede_cfb1(void); +const EVP_CIPHER *EVP_des_ede_cfb8(void); +#endif +const EVP_CIPHER *EVP_des_ede3_cfb64(void); +# define EVP_des_ede3_cfb EVP_des_ede3_cfb64 +const EVP_CIPHER *EVP_des_ede3_cfb1(void); +const EVP_CIPHER *EVP_des_ede3_cfb8(void); const EVP_CIPHER *EVP_des_ofb(void); const EVP_CIPHER *EVP_des_ede_ofb(void); const EVP_CIPHER *EVP_des_ede3_ofb(void); @@ -613,7 +640,8 @@ const EVP_CIPHER *EVP_rc4_40(void); #endif #ifndef OPENSSL_NO_IDEA const EVP_CIPHER *EVP_idea_ecb(void); -const EVP_CIPHER *EVP_idea_cfb(void); +const EVP_CIPHER *EVP_idea_cfb64(void); +# define EVP_idea_cfb EVP_idea_cfb64 const EVP_CIPHER *EVP_idea_ofb(void); const EVP_CIPHER *EVP_idea_cbc(void); #endif 
@@ -622,45 +650,58 @@ const EVP_CIPHER *EVP_rc2_ecb(void); const EVP_CIPHER *EVP_rc2_cbc(void); const EVP_CIPHER *EVP_rc2_40_cbc(void); const EVP_CIPHER *EVP_rc2_64_cbc(void); -const EVP_CIPHER *EVP_rc2_cfb(void); +const EVP_CIPHER *EVP_rc2_cfb64(void); +# define EVP_rc2_cfb EVP_rc2_cfb64 const EVP_CIPHER *EVP_rc2_ofb(void); #endif #ifndef OPENSSL_NO_BF const EVP_CIPHER *EVP_bf_ecb(void); const EVP_CIPHER *EVP_bf_cbc(void); -const EVP_CIPHER *EVP_bf_cfb(void); +const EVP_CIPHER *EVP_bf_cfb64(void); +# define EVP_bf_cfb EVP_bf_cfb64 const EVP_CIPHER *EVP_bf_ofb(void); #endif #ifndef OPENSSL_NO_CAST const EVP_CIPHER *EVP_cast5_ecb(void); const EVP_CIPHER *EVP_cast5_cbc(void); -const EVP_CIPHER *EVP_cast5_cfb(void); +const EVP_CIPHER *EVP_cast5_cfb64(void); +# define EVP_cast5_cfb EVP_cast5_cfb64 const EVP_CIPHER *EVP_cast5_ofb(void); #endif #ifndef OPENSSL_NO_RC5 const EVP_CIPHER *EVP_rc5_32_12_16_cbc(void); const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void); -const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void); +const EVP_CIPHER *EVP_rc5_32_12_16_cfb64(void); +# define EVP_rc5_32_12_16_cfb EVP_rc5_32_12_16_cfb64 const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void); #endif #ifndef OPENSSL_NO_AES const EVP_CIPHER *EVP_aes_128_ecb(void); const EVP_CIPHER *EVP_aes_128_cbc(void); -const EVP_CIPHER *EVP_aes_128_cfb(void); +const EVP_CIPHER *EVP_aes_128_cfb1(void); +const EVP_CIPHER *EVP_aes_128_cfb8(void); +const EVP_CIPHER *EVP_aes_128_cfb128(void); +# define EVP_aes_128_cfb EVP_aes_128_cfb128 const EVP_CIPHER *EVP_aes_128_ofb(void); #if 0 const EVP_CIPHER *EVP_aes_128_ctr(void); #endif const EVP_CIPHER *EVP_aes_192_ecb(void); const EVP_CIPHER *EVP_aes_192_cbc(void); -const EVP_CIPHER *EVP_aes_192_cfb(void); +const EVP_CIPHER *EVP_aes_192_cfb1(void); +const EVP_CIPHER *EVP_aes_192_cfb8(void); +const EVP_CIPHER *EVP_aes_192_cfb128(void); +# define EVP_aes_192_cfb EVP_aes_192_cfb128 const EVP_CIPHER *EVP_aes_192_ofb(void); #if 0 const EVP_CIPHER *EVP_aes_192_ctr(void); #endif const EVP_CIPHER 
*EVP_aes_256_ecb(void); const EVP_CIPHER *EVP_aes_256_cbc(void); -const EVP_CIPHER *EVP_aes_256_cfb(void); +const EVP_CIPHER *EVP_aes_256_cfb1(void); +const EVP_CIPHER *EVP_aes_256_cfb8(void); +const EVP_CIPHER *EVP_aes_256_cfb128(void); +# define EVP_aes_256_cfb EVP_aes_256_cfb128 const EVP_CIPHER *EVP_aes_256_ofb(void); #if 0 const EVP_CIPHER *EVP_aes_256_ctr(void); @@ -775,13 +816,18 @@ void ERR_load_EVP_strings(void); /* Error codes for the EVP functions. */ /* Function codes. */ +#define EVP_F_AES_INIT_KEY 129 #define EVP_F_D2I_PKEY 100 +#define EVP_F_EVP_ADD_CIPHER 130 +#define EVP_F_EVP_ADD_DIGEST 131 #define EVP_F_EVP_CIPHERINIT 123 #define EVP_F_EVP_CIPHER_CTX_CTRL 124 #define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122 #define EVP_F_EVP_DECRYPTFINAL 101 #define EVP_F_EVP_DIGESTINIT 128 #define EVP_F_EVP_ENCRYPTFINAL 127 +#define EVP_F_EVP_GET_CIPHERBYNAME 132 +#define EVP_F_EVP_GET_DIGESTBYNAME 133 #define EVP_F_EVP_MD_CTX_COPY 110 #define EVP_F_EVP_OPENINIT 102 #define EVP_F_EVP_PBE_ALG_ADD 115 @@ -805,6 +851,7 @@ void ERR_load_EVP_strings(void); #define EVP_F_RC5_CTRL 125 /* Reason codes. */ +#define EVP_R_AES_KEY_SETUP_FAILED 140 #define EVP_R_BAD_BLOCK_LENGTH 136 #define EVP_R_BAD_DECRYPT 100 #define EVP_R_BAD_KEY_LENGTH 137 @@ -816,6 +863,7 @@ void ERR_load_EVP_strings(void); #define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 #define EVP_R_DECODE_ERROR 114 #define EVP_R_DIFFERENT_KEY_TYPES 101 +#define EVP_R_DISABLED_FOR_FIPS 141 #define EVP_R_ENCODE_ERROR 115 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 #define EVP_R_EXPECTING_AN_RSA_KEY 127 diff --git a/lib/libcrypto/evp/evp_enc.c b/lib/libcrypto/evp/evp_enc.c index 8ea5aa935dd..f549eeb4377 100644 --- a/lib/libcrypto/evp/evp_enc.c +++ b/lib/libcrypto/evp/evp_enc.c 
@@ -82,6 +82,48 @@ int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, return EVP_CipherInit_ex(ctx,cipher,NULL,key,iv,enc); } +#ifdef OPENSSL_FIPS + +/* The purpose of these is to trap programs that attempt to use non FIPS + * algorithms in FIPS mode and ignore the errors. + */ + +int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) + { FIPS_ERROR_IGNORED("Cipher init"); return 0;} + +int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) + { FIPS_ERROR_IGNORED("Cipher update"); return 0;} + +/* NB: no cleanup because it is allowed after failed init */ + +int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ) + { FIPS_ERROR_IGNORED("Cipher set_asn1"); return 0;} +int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ) + { FIPS_ERROR_IGNORED("Cipher get_asn1"); return 0;} +int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) + { FIPS_ERROR_IGNORED("Cipher ctrl"); return 0;} + +static const EVP_CIPHER bad_cipher = + { + 0, + 0, + 0, + 0, + 0, + bad_init, + bad_do_cipher, + NULL, + 0, + bad_set_asn1, + bad_get_asn1, + bad_ctrl, + NULL + }; + +#endif + int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc) { @@ -146,7 +188,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp else ctx->engine = NULL; #endif - ctx->cipher=cipher; if (ctx->cipher->ctx_size) { 
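Review bot: `bad_init`, `bad_do_cipher`, `bad_set_asn1`, `bad_get_asn1` and `bad_ctrl` are defined with external linkage, although the only user visible here is the file-local `bad_cipher` table. Names this generic exported from a library can clash with application symbols at link time, and none has a prototype in view; each should be declared `static`, e.g. `static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc)`. A one-line comment on `bad_cipher` saying it is the table `ctx->cipher` is pointed at after a refused FIPS init would also help, since the positional zeros say nothing on their own.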
@@ -210,6 +251,24 @@ skip_to_init: } } +#ifdef OPENSSL_FIPS + /* After 'key' is set no further parameters changes are permissible. + * So only check for non FIPS enabling at this point. + */ + if (key && FIPS_mode()) + { + if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) + & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) + { + EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_DISABLED_FOR_FIPS); + ERR_add_error_data(2, "cipher=", + EVP_CIPHER_name(ctx->cipher)); + ctx->cipher = &bad_cipher; + return 0; + } + } +#endif + if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { if(!ctx->cipher->init(ctx,key,iv,enc)) return 0; } diff --git a/lib/libcrypto/evp/evp_err.c b/lib/libcrypto/evp/evp_err.c index 3a23d21c217..40135d07292 100644 --- a/lib/libcrypto/evp/evp_err.c +++ b/lib/libcrypto/evp/evp_err.c @@ -1,6 +1,6 @@ /* crypto/evp/evp_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
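Review bot: The FIPS gate joins its two tests with a bitwise `&`: `if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))`. The result is right only because each `!` yields 0 or 1; as this condition is what refuses a non-approved cipher, it should use `&&` so that a later edit to either operand cannot quietly change its meaning: `if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))`. `EVP_CipherInit_ex` begins and continues outside this hunk.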
@@ -66,13 +66,18 @@ #ifndef OPENSSL_NO_ERR static ERR_STRING_DATA EVP_str_functs[]= { +{ERR_PACK(0,EVP_F_AES_INIT_KEY,0), "AES_INIT_KEY"}, {ERR_PACK(0,EVP_F_D2I_PKEY,0), "D2I_PKEY"}, +{ERR_PACK(0,EVP_F_EVP_ADD_CIPHER,0), "EVP_add_cipher"}, +{ERR_PACK(0,EVP_F_EVP_ADD_DIGEST,0), "EVP_add_digest"}, {ERR_PACK(0,EVP_F_EVP_CIPHERINIT,0), "EVP_CipherInit"}, {ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0), "EVP_CIPHER_CTX_ctrl"}, {ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,0), "EVP_CIPHER_CTX_set_key_length"}, {ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0), "EVP_DecryptFinal"}, {ERR_PACK(0,EVP_F_EVP_DIGESTINIT,0), "EVP_DigestInit"}, {ERR_PACK(0,EVP_F_EVP_ENCRYPTFINAL,0), "EVP_EncryptFinal"}, +{ERR_PACK(0,EVP_F_EVP_GET_CIPHERBYNAME,0), "EVP_get_cipherbyname"}, +{ERR_PACK(0,EVP_F_EVP_GET_DIGESTBYNAME,0), "EVP_get_digestbyname"}, {ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0), "EVP_MD_CTX_copy"}, {ERR_PACK(0,EVP_F_EVP_OPENINIT,0), "EVP_OpenInit"}, {ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0), "EVP_PBE_alg_add"}, @@ -99,6 +104,7 @@ static ERR_STRING_DATA EVP_str_functs[]= static ERR_STRING_DATA EVP_str_reasons[]= { +{EVP_R_AES_KEY_SETUP_FAILED ,"aes key setup failed"}, {EVP_R_BAD_BLOCK_LENGTH ,"bad block length"}, {EVP_R_BAD_DECRYPT ,"bad decrypt"}, {EVP_R_BAD_KEY_LENGTH ,"bad key length"}, @@ -110,6 +116,7 @@ static ERR_STRING_DATA EVP_str_reasons[]= {EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH ,"data not multiple of block length"}, {EVP_R_DECODE_ERROR ,"decode error"}, {EVP_R_DIFFERENT_KEY_TYPES ,"different key types"}, +{EVP_R_DISABLED_FOR_FIPS ,"disabled for fips"}, {EVP_R_ENCODE_ERROR ,"encode error"}, {EVP_R_EVP_PBE_CIPHERINIT_ERROR ,"evp pbe cipherinit error"}, {EVP_R_EXPECTING_AN_RSA_KEY ,"expecting an rsa key"}, diff --git a/lib/libcrypto/evp/evp_lib.c b/lib/libcrypto/evp/evp_lib.c index 52a3b287bee..a63ba19317c 100644 --- a/lib/libcrypto/evp/evp_lib.c +++ b/lib/libcrypto/evp/evp_lib.c 
@@ -68,7 +68,7 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type) if (c->cipher->set_asn1_parameters != NULL) ret=c->cipher->set_asn1_parameters(c,type); else - ret=1; + return -1; return(ret); } @@ -79,7 +79,7 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type) if (c->cipher->get_asn1_parameters != NULL) ret=c->cipher->get_asn1_parameters(c,type); else - ret=1; + return -1; return(ret); } @@ -133,6 +133,30 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx) return NID_rc4; + case NID_aes_128_cfb128: + case NID_aes_128_cfb8: + case NID_aes_128_cfb1: + + return NID_aes_128_cfb128; + + case NID_aes_192_cfb128: + case NID_aes_192_cfb8: + case NID_aes_192_cfb1: + + return NID_aes_192_cfb128; + + case NID_aes_256_cfb128: + case NID_aes_256_cfb8: + case NID_aes_256_cfb1: + + return NID_aes_256_cfb128; + + case NID_des_cfb64: + case NID_des_cfb8: + case NID_des_cfb1: + + return NID_des_cfb64; + default: /* Check it has an OID and it is valid */ otmp = OBJ_nid2obj(nid); diff --git a/lib/libcrypto/evp/evp_locl.h b/lib/libcrypto/evp/evp_locl.h index 4d81a3bf4c5..f8c53436208 100644 --- a/lib/libcrypto/evp/evp_locl.h +++ b/lib/libcrypto/evp/evp_locl.h @@ -90,7 +90,7 @@ static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const uns } #define BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \ -static int cname##_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \ +static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \ {\ cprefix##_cfb##cbits##_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\ return 1;\ 
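Review bot: With `ret=1` replaced by `return -1;`, a cipher that has no `set_asn1_parameters` handler now produces a negative result, which a caller written as `if (!EVP_CIPHER_param_to_asn1(...))` still takes for success; the same holds for `EVP_CIPHER_asn1_to_param` in the next hunk. Neither function states its return contract, so I would add above each `/* Returns -1 if the cipher has no ASN.1 parameter handler, otherwise the handler's result; callers must test for <= 0 */` (this assumes the handlers return 0 on failure, which should be confirmed). The early `return -1;` beside `return(ret);` could equally be `ret=-1;` to keep a single exit. Both function bodies start outside their hunks.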
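Review bot: The new `case` groups in `EVP_CIPHER_type` fold the CFB1 and CFB8 NIDs of AES and single DES into their CFB128/CFB64 parent, but there is no matching group for the `des_ede3` CFB1 and CFB8 ciphers that this commit registers with `BLOCK_CIPHER_def_cfb`. Those would reach `default:`, where the result depends on whether an OID exists for the NID, so the function may answer differently for them than for the variants listed here. If that is intended, a comment in the switch saying why 3DES is left out would do; otherwise add a group returning the 3DES CFB64 NID. The switch starts outside the hunk.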
@@ -127,7 +127,7 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \ #define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \ iv_len, cbits, flags, init_key, cleanup, \ set_asn1, get_asn1, ctrl) \ -BLOCK_CIPHER_def1(cname, cfb##cbits, cfb, CFB, kstruct, nid, 1, \ +BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \ key_len, iv_len, flags, init_key, cleanup, set_asn1, \ get_asn1, ctrl) @@ -225,3 +225,28 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; } get_asn1, ctrl) #define EVP_C_DATA(kstruct, ctx) ((kstruct *)(ctx)->cipher_data) + +#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,flags) \ + BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \ + BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \ + NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \ + flags, cipher##_init_key, NULL, \ + EVP_CIPHER_set_asn1_iv, \ + EVP_CIPHER_get_asn1_iv, \ + NULL) + +#ifdef OPENSSL_FIPS +#define RC2_set_key private_RC2_set_key +#define RC4_set_key private_RC4_set_key +#define CAST_set_key private_CAST_set_key +#define RC5_32_set_key private_RC5_32_set_key +#define BF_set_key private_BF_set_key +#define idea_set_encrypt_key private_idea_set_encrypt_key + +#define MD5_Init private_MD5_Init +#define MD4_Init private_MD4_Init +#define MD2_Init private_MD2_Init +#define MDC2_Init private_MDC2_Init +#define SHA_Init private_SHA_Init + +#endif diff --git a/lib/libcrypto/evp/evp_pkey.c b/lib/libcrypto/evp/evp_pkey.c index eb481ec661d..47a69932a52 100644 --- a/lib/libcrypto/evp/evp_pkey.c +++ b/lib/libcrypto/evp/evp_pkey.c 
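Review bot: The `#ifdef OPENSSL_FIPS` block that renames `RC2_set_key`, `MD5_Init` and the rest to `private_*` carries no comment, and its effect depends on include order: the macros rewrite every later occurrence of those names, including prototypes in headers included after `evp_locl.h` (this commit places `#include "evp_locl.h"` ahead of `<openssl/md5.h>` in m_md5.c, for instance). Presumably the intent is that the EVP layer reaches the non-approved algorithms through the `private_*` entry points while direct calls can be trapped in FIPS mode; that should be confirmed and written down. I would head the block with `/* FIPS builds: route EVP's calls to non-approved algorithms to their private_* entry points */` and state there whether this header must precede the algorithm's own header.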
@@ -235,7 +235,11 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken) return NULL; } p8->broken = broken; - ASN1_INTEGER_set (p8->version, 0); + if (!ASN1_INTEGER_set(p8->version, 0)) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + PKCS8_PRIV_KEY_INFO_free (p8); + return NULL; + } if (!(p8->pkeyalg->parameter = ASN1_TYPE_new ())) { EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); PKCS8_PRIV_KEY_INFO_free (p8); @@ -303,29 +307,35 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken) #ifndef OPENSSL_NO_DSA static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey) { - ASN1_STRING *params; - ASN1_INTEGER *prkey; - ASN1_TYPE *ttmp; - STACK_OF(ASN1_TYPE) *ndsa; - unsigned char *p, *q; + ASN1_STRING *params = NULL; + ASN1_INTEGER *prkey = NULL; + ASN1_TYPE *ttmp = NULL; + STACK_OF(ASN1_TYPE) *ndsa = NULL; + unsigned char *p = NULL, *q; int len; p8->pkeyalg->algorithm = OBJ_nid2obj(NID_dsa); len = i2d_DSAparams (pkey->pkey.dsa, NULL); if (!(p = OPENSSL_malloc(len))) { EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); - PKCS8_PRIV_KEY_INFO_free (p8); - return 0; + goto err; } q = p; i2d_DSAparams (pkey->pkey.dsa, &q); - params = ASN1_STRING_new(); - ASN1_STRING_set(params, p, len); + if (!(params = ASN1_STRING_new())) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } + if (!ASN1_STRING_set(params, p, len)) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } OPENSSL_free(p); + p = NULL; /* Get private key into integer */ if (!(prkey = BN_to_ASN1_INTEGER (pkey->pkey.dsa->priv_key, NULL))) { EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR); - return 0; + goto err; } switch(p8->broken) { 
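Review bot: In `dsa_pkey2pkcs8`, `len = i2d_DSAparams (pkey->pkey.dsa, NULL);` is still used unchecked, first as the size for `OPENSSL_malloc(len)` and then as the length given to `ASN1_STRING_set(params, p, len)`; the hunk hardens every allocation after it but not this value. If the encoder reports failure with a non-positive result, the error is at best misreported as a malloc failure. I would add right after the call `if (len <= 0) { EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR); goto err; }`, and the result of the second `i2d_DSAparams (pkey->pkey.dsa, &q)` could be compared with `len`. The function continues past this hunk; the `err:` label it jumps to is added in a later hunk of the same file.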
@@ -336,12 +346,13 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey) if (!ASN1_pack_string((char *)prkey, i2d_ASN1_INTEGER, &p8->pkey->value.octet_string)) { EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); - M_ASN1_INTEGER_free (prkey); - return 0; + goto err; } M_ASN1_INTEGER_free (prkey); + prkey = NULL; p8->pkeyalg->parameter->value.sequence = params; + params = NULL; p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE; break; 
@@ -349,32 +360,51 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey) case PKCS8_NS_DB: p8->pkeyalg->parameter->value.sequence = params; + params = NULL; p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE; - ndsa = sk_ASN1_TYPE_new_null(); - ttmp = ASN1_TYPE_new(); - if (!(ttmp->value.integer = BN_to_ASN1_INTEGER (pkey->pkey.dsa->pub_key, NULL))) { + if (!(ndsa = sk_ASN1_TYPE_new_null())) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } + if (!(ttmp = ASN1_TYPE_new())) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } + if (!(ttmp->value.integer = + BN_to_ASN1_INTEGER(pkey->pkey.dsa->pub_key, NULL))) { EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR); - PKCS8_PRIV_KEY_INFO_free(p8); - return 0; + goto err; } ttmp->type = V_ASN1_INTEGER; - sk_ASN1_TYPE_push(ndsa, ttmp); + if (!sk_ASN1_TYPE_push(ndsa, ttmp)) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } - ttmp = ASN1_TYPE_new(); + if (!(ttmp = ASN1_TYPE_new())) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } ttmp->value.integer = prkey; + prkey = NULL; ttmp->type = V_ASN1_INTEGER; - sk_ASN1_TYPE_push(ndsa, ttmp); + if (!sk_ASN1_TYPE_push(ndsa, ttmp)) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } + ttmp = NULL; - p8->pkey->value.octet_string = ASN1_OCTET_STRING_new(); + if (!(p8->pkey->value.octet_string = ASN1_OCTET_STRING_new())) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE, &p8->pkey->value.octet_string->data, &p8->pkey->value.octet_string->length)) { EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); - sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); - M_ASN1_INTEGER_free(prkey); - return 0; + goto err; } sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); break; 
@@ -382,31 +412,57 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey) case PKCS8_EMBEDDED_PARAM: p8->pkeyalg->parameter->type = V_ASN1_NULL; - ndsa = sk_ASN1_TYPE_new_null(); - ttmp = ASN1_TYPE_new(); + if (!(ndsa = sk_ASN1_TYPE_new_null())) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } + if (!(ttmp = ASN1_TYPE_new())) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } ttmp->value.sequence = params; + params = NULL; ttmp->type = V_ASN1_SEQUENCE; - sk_ASN1_TYPE_push(ndsa, ttmp); + if (!sk_ASN1_TYPE_push(ndsa, ttmp)) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } - ttmp = ASN1_TYPE_new(); + if (!(ttmp = ASN1_TYPE_new())) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } ttmp->value.integer = prkey; + prkey = NULL; ttmp->type = V_ASN1_INTEGER; - sk_ASN1_TYPE_push(ndsa, ttmp); + if (!sk_ASN1_TYPE_push(ndsa, ttmp)) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } + ttmp = NULL; - p8->pkey->value.octet_string = ASN1_OCTET_STRING_new(); + if (!(p8->pkey->value.octet_string = ASN1_OCTET_STRING_new())) { + EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); + goto err; + } if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE, &p8->pkey->value.octet_string->data, &p8->pkey->value.octet_string->length)) { EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); - sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); - M_ASN1_INTEGER_free (prkey); - return 0; + goto err; } sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); break; } return 1; +err: + if (p != NULL) OPENSSL_free(p); + if (params != NULL) ASN1_STRING_free(params); + if (prkey != NULL) M_ASN1_INTEGER_free(prkey); + if (ttmp != NULL) ASN1_TYPE_free(ttmp); + if (ndsa != NULL) sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); + return 0; } #endif diff --git a/lib/libcrypto/evp/evp_test.c b/lib/libcrypto/evp/evp_test.c index 28460173f7e..a624cfd248a 100644 --- a/lib/libcrypto/evp/evp_test.c 
+++ b/lib/libcrypto/evp/evp_test.c @@ -136,7 +136,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, const unsigned char *iv,int in, const unsigned char *plaintext,int pn, const unsigned char *ciphertext,int cn, - int encdec) + int encdec,int multiplier) { EVP_CIPHER_CTX ctx; unsigned char out[4096]; @@ -162,22 +162,25 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv)) { fprintf(stderr,"EncryptInit failed\n"); + ERR_print_errors_fp(stderr); test1_exit(10); } EVP_CIPHER_CTX_set_padding(&ctx,0); - if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn)) + if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn*multiplier)) { fprintf(stderr,"Encrypt failed\n"); + ERR_print_errors_fp(stderr); test1_exit(6); } if(!EVP_EncryptFinal_ex(&ctx,out+outl,&outl2)) { fprintf(stderr,"EncryptFinal failed\n"); + ERR_print_errors_fp(stderr); test1_exit(7); } - if(outl+outl2 != cn) + if(outl+outl2 != cn*multiplier) { fprintf(stderr,"Ciphertext length mismatch got %d expected %d\n", outl+outl2,cn); @@ -198,22 +201,25 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv)) { fprintf(stderr,"DecryptInit failed\n"); + ERR_print_errors_fp(stderr); test1_exit(11); } EVP_CIPHER_CTX_set_padding(&ctx,0); - if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn)) + if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn*multiplier)) { fprintf(stderr,"Decrypt failed\n"); + ERR_print_errors_fp(stderr); test1_exit(6); } if(!EVP_DecryptFinal_ex(&ctx,out+outl,&outl2)) { fprintf(stderr,"DecryptFinal failed\n"); + ERR_print_errors_fp(stderr); test1_exit(7); } - if(outl+outl2 != cn) + if(outl+outl2 != cn*multiplier) { fprintf(stderr,"Plaintext length mismatch got %d expected %d\n", outl+outl2,cn); 
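Review bot: The length checks in `test1` were changed to compare against `cn*multiplier`, but the messages printed when they fail still pass plain `cn` as the expected value (`"Ciphertext length mismatch got %d expected %d\n", outl+outl2,cn`, and the `Plaintext length mismatch` message in the decrypt hunk). For a `*8` vector a failure would therefore report an expected length that is not the one tested; both `fprintf` calls should pass `cn*multiplier`. `test1` starts before and continues after these hunks.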
@@ -238,7 +244,7 @@ static int test_cipher(const char *cipher,const unsigned char *key,int kn, const unsigned char *iv,int in, const unsigned char *plaintext,int pn, const unsigned char *ciphertext,int cn, - int encdec) + int encdec,int multiplier) { const EVP_CIPHER *c; @@ -246,7 +252,7 @@ static int test_cipher(const char *cipher,const unsigned char *key,int kn, if(!c) return 0; - test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec); + test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec,multiplier); return 1; } @@ -272,16 +278,19 @@ static int test_digest(const char *digest, if(!EVP_DigestInit_ex(&ctx,d, NULL)) { fprintf(stderr,"DigestInit failed\n"); + ERR_print_errors_fp(stderr); EXIT(100); } if(!EVP_DigestUpdate(&ctx,plaintext,pn)) { fprintf(stderr,"DigestUpdate failed\n"); + ERR_print_errors_fp(stderr); EXIT(101); } if(!EVP_DigestFinal_ex(&ctx,md,&mdn)) { fprintf(stderr,"DigestFinal failed\n"); + ERR_print_errors_fp(stderr); EXIT(101); } EVP_MD_CTX_cleanup(&ctx); @@ -359,6 +368,7 @@ int main(int argc,char **argv) unsigned char *iv,*key,*plaintext,*ciphertext; int encdec; int kn,in,pn,cn; + int multiplier=1; if(!fgets((char *)line,sizeof line,f)) break; @@ -383,7 +393,15 @@ int main(int argc,char **argv) pn=convert(plaintext); cn=convert(ciphertext); - if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec) + if(strchr(cipher,'*')) + { + p=cipher; + sstrsep(&p,"*"); + multiplier=atoi(sstrsep(&p,"*")); + } + + if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec, + multiplier) && !test_digest(cipher,plaintext,pn,ciphertext,cn)) { fprintf(stderr,"Can't find %s\n",cipher); diff --git a/lib/libcrypto/evp/evptests.txt b/lib/libcrypto/evp/evptests.txt index 80bd9c7765c..dfe91a5bc0e 100644 --- a/lib/libcrypto/evp/evptests.txt +++ b/lib/libcrypto/evp/evptests.txt 
@@ -92,7 +92,102 @@ AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:F58C4C04D6E5F1BA779EABFB5F7BFBD6:AE2D8A571E03AC9C9EB76FAC45AF8E51:9CFC4E967EDB808D679F777BC6702C7D
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:9CFC4E967EDB808D679F777BC6702C7D:30C81C46A35CE411E5FBC1191A0A52EF:39F23369A9D9BACFA530E26304231461
 AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39F23369A9D9BACFA530E26304231461:F69F2445DF4F9B17AD2B417BE66C3710:B2EB05E2C39BE9FCDA6C19078C6A9D1B
-# We don't support CFB{1,8}-AESxxx.{En,De}crypt
+
+# CFB1-AES128.Encrypt
+
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00020406080a0c0e10121416181a1c1e:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0004080c1014181c2024282c3034383d:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0008101820283038404850586068707b:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00102030405060708090a0b0c0d0e0f6:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0020406080a0c0e10121416181a1c1ed:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:004080c1014181c2024282c3034383da:80:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:008101820283038404850586068707b4:80:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f68:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:020406080a0c0e10121416181a1c1ed1:80:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:04080c1014181c2024282c3034383da2:00:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:08101820283038404850586068707b45:00:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:102030405060708090a0b0c0d0e0f68b:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:20406080a0c0e10121416181a1c1ed16:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:4080c1014181c2024282c3034383da2c:00:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:8101820283038404850586068707b459:80:80:1
+# all of the above packed into one...
+# in: 0110 1011 1100 0001 = 6bc1
+# out: 0110 1000 1011 0011 = 68b3
+AES-128-CFB1*8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1:68b3:1
+
+# CFB1-AES128.Decrypt
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00020406080a0c0e10121416181a1c1e:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0004080c1014181c2024282c3034383d:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0008101820283038404850586068707b:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00102030405060708090a0b0c0d0e0f6:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0020406080a0c0e10121416181a1c1ed:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:004080c1014181c2024282c3034383da:80:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:008101820283038404850586068707b4:80:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f68:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:020406080a0c0e10121416181a1c1ed1:80:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:04080c1014181c2024282c3034383da2:00:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:08101820283038404850586068707b45:00:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:102030405060708090a0b0c0d0e0f68b:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:20406080a0c0e10121416181a1c1ed16:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:4080c1014181c2024282c3034383da2c:00:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:8101820283038404850586068707b459:80:80:0
+# all of the above packed into one...
+# in: 0110 1000 1011 0011 = 68b3
+# out: 0110 1011 1100 0001 = 6bc1
+AES-128-CFB1*8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1:68b3:0
+
+# TODO: CFB1-AES192 and 256
+
+# CFB8-AES128.Encrypt
+
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6b:3b:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f3b:c1:79:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:02030405060708090a0b0c0d0e0f3b79:be:42:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:030405060708090a0b0c0d0e0f3b7942:e2:4c:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0405060708090a0b0c0d0e0f3b79424c:2e:9c:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:05060708090a0b0c0d0e0f3b79424c9c:40:0d:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:060708090a0b0c0d0e0f3b79424c9c0d:9f:d4:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0708090a0b0c0d0e0f3b79424c9c0dd4:96:36:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:08090a0b0c0d0e0f3b79424c9c0dd436:e9:ba:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:090a0b0c0d0e0f3b79424c9c0dd436ba:3d:ce:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0a0b0c0d0e0f3b79424c9c0dd436bace:7e:9e:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0b0c0d0e0f3b79424c9c0dd436bace9e:11:0e:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0c0d0e0f3b79424c9c0dd436bace9e0e:73:d4:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0d0e0f3b79424c9c0dd436bace9e0ed4:93:58:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0e0f3b79424c9c0dd436bace9e0ed458:17:6a:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0f3b79424c9c0dd436bace9e0ed4586a:2a:4f:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:3b79424c9c0dd436bace9e0ed4586a4f:ae:32:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:79424c9c0dd436bace9e0ed4586a4f32:2d:b9:1
+# all of the above packed into one
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1bee22e409f96e93d7e117393172aae2d:3b79424c9c0dd436bace9e0ed4586a4f32b9:1
+
+# CFB8-AES128.Decrypt
+
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6b:3b:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f3b:c1:79:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:02030405060708090a0b0c0d0e0f3b79:be:42:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:030405060708090a0b0c0d0e0f3b7942:e2:4c:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0405060708090a0b0c0d0e0f3b79424c:2e:9c:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:05060708090a0b0c0d0e0f3b79424c9c:40:0d:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:060708090a0b0c0d0e0f3b79424c9c0d:9f:d4:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0708090a0b0c0d0e0f3b79424c9c0dd4:96:36:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:08090a0b0c0d0e0f3b79424c9c0dd436:e9:ba:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:090a0b0c0d0e0f3b79424c9c0dd436ba:3d:ce:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0a0b0c0d0e0f3b79424c9c0dd436bace:7e:9e:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0b0c0d0e0f3b79424c9c0dd436bace9e:11:0e:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0c0d0e0f3b79424c9c0dd436bace9e0e:73:d4:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0d0e0f3b79424c9c0dd436bace9e0ed4:93:58:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0e0f3b79424c9c0dd436bace9e0ed458:17:6a:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0f3b79424c9c0dd436bace9e0ed4586a:2a:4f:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:3b79424c9c0dd436bace9e0ed4586a4f:ae:32:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:79424c9c0dd436bace9e0ed4586a4f32:2d:b9:0
+# all of the above packed into one
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1bee22e409f96e93d7e117393172aae2d:3b79424c9c0dd436bace9e0ed4586a4f32b9:0
+
+# TODO: 192 and 256 bit keys
+
 # For all CFB128 encrypts and decrypts, the transformed sequence is
 # AES-bits-CFB:key:IV/ciphertext':plaintext:ciphertext:encdec
 # CFB128-AES128.Encrypt
@@ -174,6 +269,16 @@ DESX-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363 # DES EDE3 CBC tests (from destest) DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 +# DES CFB1 from FIPS 81 +# plaintext: 0100 1110 0110 1111 0111 0111 = 4e6f77 +# ciphertext: 1100 1101 0001 1110 1100 1001 = cd1ec9 + +DES-CFB1*8:0123456789abcdef:1234567890abcdef:4e6f77:cd1ec9 + +# DES CFB8 from FIPS 81 + +DES-CFB8:0123456789abcdef:1234567890abcdef:4e6f7720697320746865:f31fda07011462ee187f + # RC4 tests (from rc4test) RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596 RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879 diff --git a/lib/libcrypto/evp/m_dss.c b/lib/libcrypto/evp/m_dss.c index beb8d7fc5c9..d393eb34009 100644 --- a/lib/libcrypto/evp/m_dss.c +++ b/lib/libcrypto/evp/m_dss.c @@ -77,7 +77,7 @@ static const EVP_MD dsa_md= NID_dsaWithSHA, NID_dsaWithSHA, SHA_DIGEST_LENGTH, - 0, + EVP_MD_FLAG_FIPS, init, update, final, diff --git a/lib/libcrypto/evp/m_md2.c b/lib/libcrypto/evp/m_md2.c index 50914c83b3a..0df48e5199e 100644 --- a/lib/libcrypto/evp/m_md2.c +++ b/lib/libcrypto/evp/m_md2.c @@ -60,6 +60,7 @@ #include <stdio.h> #include "cryptlib.h" #include <openssl/evp.h> +#include "evp_locl.h" #include <openssl/objects.h> #include <openssl/x509.h> #include <openssl/md2.h> diff --git a/lib/libcrypto/evp/m_md4.c b/lib/libcrypto/evp/m_md4.c index e19b6637546..0605e4b707c 100644 --- a/lib/libcrypto/evp/m_md4.c +++ b/lib/libcrypto/evp/m_md4.c @@ -60,6 +60,7 @@ #include <stdio.h> #include "cryptlib.h" #include <openssl/evp.h> +#include "evp_locl.h" #include <openssl/objects.h> #include <openssl/x509.h> #include <openssl/md4.h> diff --git a/lib/libcrypto/evp/m_md5.c b/lib/libcrypto/evp/m_md5.c index b00a03e048b..752615d473a 100644 --- a/lib/libcrypto/evp/m_md5.c 
+++ b/lib/libcrypto/evp/m_md5.c @@ -60,6 +60,7 @@ #include <stdio.h> #include "cryptlib.h" #include <openssl/evp.h> +#include "evp_locl.h" #include <openssl/objects.h> #include <openssl/x509.h> #include <openssl/md5.h> diff --git a/lib/libcrypto/evp/m_mdc2.c b/lib/libcrypto/evp/m_mdc2.c index 9f6467c9314..62de1336b85 100644 --- a/lib/libcrypto/evp/m_mdc2.c +++ b/lib/libcrypto/evp/m_mdc2.c @@ -60,6 +60,7 @@ #include <stdio.h> #include "cryptlib.h" #include <openssl/evp.h> +#include "evp_locl.h" #include <openssl/objects.h> #include <openssl/x509.h> #include <openssl/mdc2.h> diff --git a/lib/libcrypto/evp/m_sha.c b/lib/libcrypto/evp/m_sha.c index 10697c7ed38..d1785e5f745 100644 --- a/lib/libcrypto/evp/m_sha.c +++ b/lib/libcrypto/evp/m_sha.c @@ -56,10 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_SHA +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0) #include <stdio.h> #include "cryptlib.h" #include <openssl/evp.h> +#include "evp_locl.h" #include <openssl/objects.h> #include <openssl/x509.h> diff --git a/lib/libcrypto/evp/m_sha1.c b/lib/libcrypto/evp/m_sha1.c index d6be3502f0a..fe4402389ae 100644 --- a/lib/libcrypto/evp/m_sha1.c +++ b/lib/libcrypto/evp/m_sha1.c @@ -77,7 +77,7 @@ static const EVP_MD sha1_md= NID_sha1, NID_sha1WithRSAEncryption, SHA_DIGEST_LENGTH, - 0, + EVP_MD_FLAG_FIPS, init, update, final, diff --git a/lib/libcrypto/evp/names.c b/lib/libcrypto/evp/names.c index eb9f4329cd4..77124530461 100644 --- a/lib/libcrypto/evp/names.c +++ b/lib/libcrypto/evp/names.c @@ -61,6 +61,9 @@ #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/x509.h> +#ifdef OPENSSL_FIPS +#include <openssl/fips.h> +#endif int EVP_add_cipher(const EVP_CIPHER *c) { diff --git a/lib/libcrypto/hmac/hmac.c b/lib/libcrypto/hmac/hmac.c index 4c91f919d56..06ee80761ff 100644 --- a/lib/libcrypto/hmac/hmac.c +++ b/lib/libcrypto/hmac/hmac.c 
@@ -77,6 +77,15 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, if (key != NULL) { +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS) + && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) + || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) + || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))) + OpenSSLDie(__FILE__,__LINE__, + "HMAC: digest not allowed in FIPS mode"); +#endif + reset=1; j=EVP_MD_block_size(md); OPENSSL_assert(j <= sizeof ctx->key); @@ -171,3 +180,10 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len, return(md); } +void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags) + { + EVP_MD_CTX_set_flags(&ctx->i_ctx, flags); + EVP_MD_CTX_set_flags(&ctx->o_ctx, flags); + EVP_MD_CTX_set_flags(&ctx->md_ctx, flags); + } + diff --git a/lib/libcrypto/hmac/hmac.h b/lib/libcrypto/hmac/hmac.h index 0364a1fcbd9..294ab3b36a0 100644 --- a/lib/libcrypto/hmac/hmac.h +++ b/lib/libcrypto/hmac/hmac.h @@ -98,6 +98,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len, const unsigned char *d, int n, unsigned char *md, unsigned int *md_len); +void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags); #ifdef __cplusplus } diff --git a/lib/libcrypto/idea/idea.h b/lib/libcrypto/idea/idea.h index 67132414ee7..bf41844fd76 100644 --- a/lib/libcrypto/idea/idea.h +++ b/lib/libcrypto/idea/idea.h @@ -82,6 +82,10 @@ typedef struct idea_key_st const char *idea_options(void); void idea_ecb_encrypt(const unsigned char *in, unsigned char *out, IDEA_KEY_SCHEDULE *ks); +#ifdef OPENSSL_FIPS +void private_idea_set_encrypt_key(const unsigned char *key, + IDEA_KEY_SCHEDULE *ks); +#endif void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks); void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk); void idea_cbc_encrypt(const unsigned char *in, unsigned char *out, 
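Review bot: The FIPS guard added to HMAC_Init_ex sits inside `if (key != NULL)`, so a call that passes a new `md` with `key == NULL` never reaches it. Unless the digest initialisation later in the function enforces the same policy (that code is outside this hunk), the check should be hoisted above the key test. The guard also ends the process through OpenSSLDie rather than reporting an error, which deserves a comment such as `/* HMAC_Init_ex returns void, so a non-approved digest in FIPS mode is fatal */`. The function body starts and ends outside the hunk.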
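Review bot: HMAC_CTX_set_flags is added without a comment, although the guard in HMAC_Init_ex tests `md_ctx`, `i_ctx` and `o_ctx` separately and only this helper sets all three together. I would add `/* Apply flags (e.g. EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) to all three digest contexts; HMAC_Init_ex checks each one. */` above the definition. Whether the call has to come after the context is initialised is not visible here and should be stated once confirmed.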
diff --git a/lib/libcrypto/md2/md2.h b/lib/libcrypto/md2/md2.h index ad9241455ca..d0ef9da08e7 100644 --- a/lib/libcrypto/md2/md2.h +++ b/lib/libcrypto/md2/md2.h @@ -80,6 +80,9 @@ typedef struct MD2state_st } MD2_CTX; const char *MD2_options(void); +#ifdef OPENSSL_FIPS +int private_MD2_Init(MD2_CTX *c); +#endif int MD2_Init(MD2_CTX *c); int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len); int MD2_Final(unsigned char *md, MD2_CTX *c); diff --git a/lib/libcrypto/md2/md2_dgst.c b/lib/libcrypto/md2/md2_dgst.c index ecb64f0ec40..8124acd6877 100644 --- a/lib/libcrypto/md2/md2_dgst.c +++ b/lib/libcrypto/md2/md2_dgst.c @@ -62,6 +62,8 @@ #include <openssl/md2.h> #include <openssl/opensslv.h> #include <openssl/crypto.h> +#include <openssl/fips.h> +#include <openssl/err.h> const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT; @@ -116,7 +118,7 @@ const char *MD2_options(void) return("md2(int)"); } -int MD2_Init(MD2_CTX *c) +FIPS_NON_FIPS_MD_Init(MD2) { c->num=0; memset(c->state,0,sizeof c->state); diff --git a/lib/libcrypto/md32_common.h b/lib/libcrypto/md32_common.h index 573850b1228..733da6acafe 100644 --- a/lib/libcrypto/md32_common.h +++ b/lib/libcrypto/md32_common.h @@ -128,6 +128,10 @@ * <appro@fy.chalmers.se> */ +#include <openssl/crypto.h> +#include <openssl/fips.h> +#include <openssl/err.h> + #if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN) #error "DATA_ORDER must be defined!" #endif @@ -207,7 +211,7 @@ : "cc"); \ ret; \ }) -# elif defined(__powerpc) || defined(__ppc) +# elif defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__) # define ROTATE(a,n) ({ register unsigned int ret; \ asm ( \ "rlwinm %0,%1,%2,0,31" \ 
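Review bot: With `FIPS_NON_FIPS_MD_Init(MD2)` in place of the signature, the definition of MD2_Init no longer appears by name in md2_dgst.c, and the macro itself is not defined in this hunk. A one-line comment above it, for example `/* defines MD2_Init(MD2_CTX *c); FIPS builds presumably also get private_MD2_Init, see md2.h */`, keeps the function findable with grep and tags. The wording should be checked against the macro definition. The same applies to the MD4_Init and MD5_Init hunks in md4_dgst.c and md5_dgst.c.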
@@ -555,6 +559,14 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c) static const unsigned char end[4]={0x80,0x00,0x00,0x00}; const unsigned char *cp=end; +#if 0 + if(FIPS_mode() && !FIPS_md5_allowed()) + { + FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); + return 0; + } +#endif + /* c->num should definitly have room for at least one more byte. */ p=c->data; i=c->num>>2; diff --git a/lib/libcrypto/md4/md4.h b/lib/libcrypto/md4/md4.h index 7a7b23682f8..7e761efb621 100644 --- a/lib/libcrypto/md4/md4.h +++ b/lib/libcrypto/md4/md4.h @@ -104,6 +104,9 @@ typedef struct MD4state_st int num; } MD4_CTX; +#ifdef OPENSSL_FIPS +int private_MD4_Init(MD4_CTX *c); +#endif int MD4_Init(MD4_CTX *c); int MD4_Update(MD4_CTX *c, const void *data, unsigned long len); int MD4_Final(unsigned char *md, MD4_CTX *c); diff --git a/lib/libcrypto/md4/md4_dgst.c b/lib/libcrypto/md4/md4_dgst.c index 7afb7185b68..ee7cc72262a 100644 --- a/lib/libcrypto/md4/md4_dgst.c +++ b/lib/libcrypto/md4/md4_dgst.c @@ -70,7 +70,7 @@ const char *MD4_version="MD4" OPENSSL_VERSION_PTEXT; #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L -int MD4_Init(MD4_CTX *c) +FIPS_NON_FIPS_MD_Init(MD4) { c->A=INIT_DATA_A; c->B=INIT_DATA_B; diff --git a/lib/libcrypto/md5/md5.h b/lib/libcrypto/md5/md5.h index a252e021154..c663dd18160 100644 --- a/lib/libcrypto/md5/md5.h +++ b/lib/libcrypto/md5/md5.h @@ -104,6 +104,9 @@ typedef struct MD5state_st int num; } MD5_CTX; +#ifdef OPENSSL_FIPS +int private_MD5_Init(MD5_CTX *c); +#endif int MD5_Init(MD5_CTX *c); int MD5_Update(MD5_CTX *c, const void *data, unsigned long len); int MD5_Final(unsigned char *md, MD5_CTX *c); diff --git a/lib/libcrypto/md5/md5_dgst.c b/lib/libcrypto/md5/md5_dgst.c index 9c7abc36972..54b33c6509a 100644 --- a/lib/libcrypto/md5/md5_dgst.c +++ b/lib/libcrypto/md5/md5_dgst.c 
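Review bot: The block added at the top of HASH_FINAL is compiled out with `#if 0` and names `FIPS_md5_allowed()`, although HASH_FINAL is a macro-named function in a header that is not specific to MD5, so it reads as a leftover experiment. Either drop the block or say why it is kept, for instance `/* disabled: FIPS digest policy is enforced elsewhere */` if that is the reason; the hunk does not say. As written, a reader cannot tell whether the final step is meant to be policy-checked. HASH_FINAL continues outside the hunk.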
@@ -70,7 +70,7 @@ const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT; #define INIT_DATA_C (unsigned long)0x98badcfeL #define INIT_DATA_D (unsigned long)0x10325476L -int MD5_Init(MD5_CTX *c) +FIPS_NON_FIPS_MD_Init(MD5) { c->A=INIT_DATA_A; c->B=INIT_DATA_B; diff --git a/lib/libcrypto/mdc2/Makefile b/lib/libcrypto/mdc2/Makefile new file mode 100644 index 00000000000..38c785bf959 --- /dev/null +++ b/lib/libcrypto/mdc2/Makefile 
@@ -0,0 +1,98 @@ +# +# SSLeay/crypto/mdc2/Makefile +# + +DIR= mdc2 +TOP= ../.. +CC= cc +INCLUDES= +CFLAG=-g +INSTALL_PREFIX= +OPENSSLDIR= /usr/local/ssl +INSTALLTOP=/usr/local/ssl +MAKEDEPPROG= makedepend +MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) +MAKEFILE= Makefile +AR= ar r + +CFLAGS= $(INCLUDES) $(CFLAG) + +GENERAL=Makefile +TEST= mdc2test.c +APPS= + +LIB=$(TOP)/libcrypto.a +LIBSRC=mdc2dgst.c mdc2_one.c +LIBOBJ=mdc2dgst.o mdc2_one.o + +SRC= $(LIBSRC) + +EXHEADER= mdc2.h +HEADER= $(EXHEADER) + +ALL= $(GENERAL) $(SRC) $(HEADER) + +top: + (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) + +all: lib + +lib: $(LIBOBJ) + $(AR) $(LIB) $(LIBOBJ) + $(RANLIB) $(LIB) || echo Never mind. + @touch lib + +files: + $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO + +links: + @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) + @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) + @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) + +install: + @headerlist="$(EXHEADER)"; for i in $$headerlist ; \ + do \ + (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ + done; + +tags: + ctags $(SRC) + +tests: + +lint: + lint -DLINT $(INCLUDES) $(SRC)>fluff + +depend: + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) + +dclean: + $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new + mv -f Makefile.new $(MAKEFILE) + +clean: + rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff + +# DO NOT DELETE THIS LINE -- make depend depends on it. 
+ +mdc2_one.o: ../../e_os.h ../../include/openssl/bio.h +mdc2_one.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h +mdc2_one.o: ../../include/openssl/des.h ../../include/openssl/des_old.h +mdc2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +mdc2_one.o: ../../include/openssl/lhash.h ../../include/openssl/mdc2.h +mdc2_one.o: ../../include/openssl/opensslconf.h +mdc2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +mdc2_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +mdc2_one.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h +mdc2_one.o: ../cryptlib.h mdc2_one.c +mdc2dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h +mdc2dgst.o: ../../include/openssl/des.h ../../include/openssl/des_old.h +mdc2dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +mdc2dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h +mdc2dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/opensslconf.h +mdc2dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +mdc2dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +mdc2dgst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h +mdc2dgst.o: mdc2dgst.c diff --git a/lib/libcrypto/mdc2/mdc2.h b/lib/libcrypto/mdc2/mdc2.h index 793a8a0f13f..4cba101f378 100644 --- a/lib/libcrypto/mdc2/mdc2.h +++ b/lib/libcrypto/mdc2/mdc2.h @@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st int pad_type; /* either 1 or 2, default 1 */ } MDC2_CTX; - +#ifdef OPENSSL_FIPS +int private_MDC2_Init(MDC2_CTX *c); +#endif int MDC2_Init(MDC2_CTX *c); int MDC2_Update(MDC2_CTX *c, const unsigned char *data, unsigned long len); int MDC2_Final(unsigned char *md, MDC2_CTX *c); diff --git a/lib/libcrypto/o_time.c b/lib/libcrypto/o_time.c index 785468131e1..e29091d6504 100644 --- a/lib/libcrypto/o_time.c +++ b/lib/libcrypto/o_time.c 
@@ -114,16 +114,28 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result) return NULL; logvalue[reslen] = '\0'; + t = *timer; + +/* The following is extracted from the DEC C header time.h */ +/* +** Beginning in OpenVMS Version 7.0 mktime, time, ctime, strftime +** have two implementations. One implementation is provided +** for compatibility and deals with time in terms of local time, +** the other __utc_* deals with time in terms of UTC. +*/ +/* We use the same conditions as in said time.h to check if we should + assume that t contains local time (and should therefore be adjusted) + or UTC (and should therefore be left untouched). */ +#if __CRTL_VER < 70000000 || defined _VMS_V6_SOURCE /* Get the numerical value of the equivalence string */ status = atoi(logvalue); /* and use it to move time to GMT */ - t = *timer - status; + t -= status; +#endif /* then convert the result to the time structure */ -#ifndef OPENSSL_THREADS - ts=(struct tm *)localtime(&t); -#else + /* Since there was no gmtime_r() to do this stuff for us, we have to do it the hard way. */ { @@ -198,7 +210,6 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result) result->tm_isdst = 0; /* There's no way to know... */ ts = result; -#endif } } #endif diff --git a/lib/libcrypto/objects/o_names.c b/lib/libcrypto/objects/o_names.c index b4453b4a987..28c9370ca3c 100644 --- a/lib/libcrypto/objects/o_names.c +++ b/lib/libcrypto/objects/o_names.c @@ -2,6 +2,7 @@ #include <stdlib.h> #include <string.h> +#include <openssl/err.h> #include <openssl/lhash.h> #include <openssl/objects.h> #include <openssl/safestack.h> 
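Review bot: Inside the new `#if __CRTL_VER < 70000000 || defined _VMS_V6_SOURCE` branch the offset is still parsed with `atoi(logvalue)`, which cannot tell a malformed equivalence string from a genuine zero, so a bad value silently leaves `t` unadjusted. Since the function already returns NULL on earlier lookup failures, parsing with `strtol(logvalue, &end, 10)` and returning NULL when `end == logvalue || *end != '\0'` would keep a bad offset from producing a wrong time. OPENSSL_gmtime starts and ends outside this hunk, so how `logvalue` is filled is not visible here.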
@@ -80,7 +81,11 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *), MemCheck_off(); name_funcs = OPENSSL_malloc(sizeof(NAME_FUNCS)); MemCheck_on(); - if (!name_funcs) return(0); + if (!name_funcs) + { + OBJerr(OBJ_F_OBJ_NAME_NEW_INDEX,ERR_R_MALLOC_FAILURE); + return(0); + } name_funcs->hash_func = lh_strhash; name_funcs->cmp_func = OPENSSL_strcmp; name_funcs->free_func = 0; /* NULL is often declared to diff --git a/lib/libcrypto/objects/obj_dat.c b/lib/libcrypto/objects/obj_dat.c index 4534dc09856..f549d078ef6 100644 --- a/lib/libcrypto/objects/obj_dat.c +++ b/lib/libcrypto/objects/obj_dat.c @@ -236,13 +236,13 @@ int OBJ_add_object(const ASN1_OBJECT *obj) if (added == NULL) if (!init_added()) return(0); if ((o=OBJ_dup(obj)) == NULL) goto err; - if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err; + if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2; if ((o->length != 0) && (obj->data != NULL)) - ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)); + if (!(ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2; if (o->sn != NULL) - ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)); + if (!(ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2; if (o->ln != NULL) - ao[ADDED_LNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)); + if (!(ao[ADDED_LNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2; for (i=ADDED_DATA; i<=ADDED_NID; i++) { @@ -260,6 +260,8 @@ int OBJ_add_object(const ASN1_OBJECT *obj) ASN1_OBJECT_FLAG_DYNAMIC_DATA); return(o->nid); +err2: + OBJerr(OBJ_F_OBJ_ADD_OBJECT,ERR_R_MALLOC_FAILURE); err: for (i=ADDED_DATA; i<=ADDED_NID; i++) if (ao[i] != NULL) OPENSSL_free(ao[i]); 
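Review bot: The three optional allocations in OBJ_add_object are now written as an unbraced `if` nested in another unbraced `if`, so any `else` added later would bind to the inner allocation test rather than the outer condition. Bracing the outer test keeps the intent explicit, e.g. `if (o->sn != NULL) { if (!(ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2; }`. The new `err2:` label in the following hunk falls through into `err:`, and a `/* fall through to cleanup */` comment there would show that this is intended. The function starts and ends outside both hunks.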
@@ -648,7 +650,7 @@ int OBJ_create(const char *oid, const char *sn, const char *ln) if ((buf=(unsigned char *)OPENSSL_malloc(i)) == NULL) { - OBJerr(OBJ_F_OBJ_CREATE,OBJ_R_MALLOC_FAILURE); + OBJerr(OBJ_F_OBJ_CREATE,ERR_R_MALLOC_FAILURE); return(0); } i=a2d_ASN1_OBJECT(buf,i,oid,-1); diff --git a/lib/libcrypto/objects/obj_err.c b/lib/libcrypto/objects/obj_err.c index 80ab6855af3..2b5f43e3ccd 100644 --- a/lib/libcrypto/objects/obj_err.c +++ b/lib/libcrypto/objects/obj_err.c @@ -1,6 +1,6 @@ /* crypto/objects/obj_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -66,8 +66,10 @@ #ifndef OPENSSL_NO_ERR static ERR_STRING_DATA OBJ_str_functs[]= { +{ERR_PACK(0,OBJ_F_OBJ_ADD_OBJECT,0), "OBJ_add_object"}, {ERR_PACK(0,OBJ_F_OBJ_CREATE,0), "OBJ_create"}, {ERR_PACK(0,OBJ_F_OBJ_DUP,0), "OBJ_dup"}, +{ERR_PACK(0,OBJ_F_OBJ_NAME_NEW_INDEX,0), "OBJ_NAME_new_index"}, {ERR_PACK(0,OBJ_F_OBJ_NID2LN,0), "OBJ_nid2ln"}, {ERR_PACK(0,OBJ_F_OBJ_NID2OBJ,0), "OBJ_nid2obj"}, {ERR_PACK(0,OBJ_F_OBJ_NID2SN,0), "OBJ_nid2sn"}, diff --git a/lib/libcrypto/objects/obj_mac.num b/lib/libcrypto/objects/obj_mac.num index 9838072b65c..0e64a929bab 100644 --- a/lib/libcrypto/objects/obj_mac.num +++ b/lib/libcrypto/objects/obj_mac.num @@ -647,3 +647,21 @@ joint_iso_itu_t 646 international_organizations 647 ms_smartcard_login 648 ms_upn 649 +aes_128_cfb1 650 +aes_192_cfb1 651 +aes_256_cfb1 652 +aes_128_cfb8 653 +aes_192_cfb8 654 +aes_256_cfb8 655 +des_cfb1 656 +des_cfb8 657 +des_ede3_cfb1 658 +des_ede3_cfb8 659 +streetAddress 660 +postalCode 661 +id_ppl 662 +proxyCertInfo 663 +id_ppl_anyLanguage 664 +id_ppl_inheritAll 665 +id_ppl_independent 666 +Independent 667 
diff --git a/lib/libcrypto/objects/objects.h b/lib/libcrypto/objects/objects.h index de105328136..f859d859b85 100644 --- a/lib/libcrypto/objects/objects.h +++ b/lib/libcrypto/objects/objects.h @@ -1026,8 +1026,10 @@ void ERR_load_OBJ_strings(void); /* Error codes for the OBJ functions. */ /* Function codes. */ +#define OBJ_F_OBJ_ADD_OBJECT 105 #define OBJ_F_OBJ_CREATE 100 #define OBJ_F_OBJ_DUP 101 +#define OBJ_F_OBJ_NAME_NEW_INDEX 106 #define OBJ_F_OBJ_NID2LN 102 #define OBJ_F_OBJ_NID2OBJ 103 #define OBJ_F_OBJ_NID2SN 104 diff --git a/lib/libcrypto/objects/objects.txt b/lib/libcrypto/objects/objects.txt index 3ba11f65ccf..50e9031e61e 100644 --- a/lib/libcrypto/objects/objects.txt +++ b/lib/libcrypto/objects/objects.txt @@ -312,6 +312,7 @@ id-pkix 9 : id-pda id-pkix 10 : id-aca id-pkix 11 : id-qcs id-pkix 12 : id-cct +id-pkix 21 : id-ppl id-pkix 48 : id-ad # PKIX Modules @@ -346,6 +347,7 @@ id-pe 9 : sbqp-routerIdentifier id-pe 10 : ac-proxying !Cname sinfo-access id-pe 11 : subjectInfoAccess : Subject Information Access +id-pe 14 : proxyCertInfo : Proxy Certificate Information # PKIX policyQualifiers for Internet policy qualifiers id-qt 1 : id-qt-cps : Policy Qualifier CPS @@ -461,6 +463,11 @@ id-cct 1 : id-cct-crs id-cct 2 : id-cct-PKIData id-cct 3 : id-cct-PKIResponse +# Predefined Proxy Certificate policy languages +id-ppl 0 : id-ppl-anyLanguage : Any language +id-ppl 1 : id-ppl-inheritAll : Inherit all +id-ppl 2 : id-ppl-independent : Independent + # access descriptors for authority info access extension !Cname ad-OCSP id-ad 1 : OCSP : OCSP @@ -536,10 +543,12 @@ X509 5 : : serialNumber X509 6 : C : countryName X509 7 : L : localityName X509 8 : ST : stateOrProvinceName +X509 9 : : streetAddress X509 10 : O : organizationName X509 11 : OU : organizationalUnitName X509 12 : : title X509 13 : : description +X509 17 : : postalCode X509 41 : name : name X509 42 : GN : givenName X509 43 : : initials 
@@ -681,6 +690,19 @@ aes 43 : AES-256-OFB : aes-256-ofb !Cname aes-256-cfb128 aes 44 : AES-256-CFB : aes-256-cfb +# There are no OIDs for these modes... + + : AES-128-CFB1 : aes-128-cfb1 + : AES-192-CFB1 : aes-192-cfb1 + : AES-256-CFB1 : aes-256-cfb1 + : AES-128-CFB8 : aes-128-cfb8 + : AES-192-CFB8 : aes-192-cfb8 + : AES-256-CFB8 : aes-256-cfb8 + : DES-CFB1 : des-cfb1 + : DES-CFB8 : des-cfb8 + : DES-EDE3-CFB1 : des-ede3-cfb1 + : DES-EDE3-CFB8 : des-ede3-cfb8 + # Hold instruction CRL entry extension !Cname hold-instruction-code id-ce 23 : holdInstructionCode : Hold Instruction Code diff --git a/lib/libcrypto/opensslv.h b/lib/libcrypto/opensslv.h index 02f1710fb3f..5d5f688edd7 100644 --- a/lib/libcrypto/opensslv.h +++ b/lib/libcrypto/opensslv.h @@ -25,8 +25,12 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090704fL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d 17 Mar 2004" +#define OPENSSL_VERSION_NUMBER 0x0090707fL +#ifdef OPENSSL_FIPS +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7g-fips 11 Apr 2005" +#else +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7g 11 Apr 2005" +#endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/lib/libcrypto/pem/pem_all.c b/lib/libcrypto/pem/pem_all.c index e72b7134cec..07963314c95 100644 --- a/lib/libcrypto/pem/pem_all.c +++ b/lib/libcrypto/pem/pem_all.c @@ -64,6 +64,7 @@ #include <openssl/x509.h> #include <openssl/pkcs7.h> #include <openssl/pem.h> +#include <openssl/fips.h> #ifndef OPENSSL_NO_RSA static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa); 
@@ -128,7 +129,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb, #endif +#ifdef OPENSSL_FIPS + +int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + EVP_PKEY_set1_RSA(k, x); + + ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; +} + +#ifndef OPENSSL_NO_FP_API +int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + + EVP_PKEY_set1_RSA(k, x); + + ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; +} +#endif + +#else + IMPLEMENT_PEM_write_cb(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey) + +#endif + IMPLEMENT_PEM_rw(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey) IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY) 
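Review bot: `EVP_PKEY_set1_RSA(k, x)` is called without checking its result in both FIPS-build wrappers here (PEM_write_bio_RSAPrivateKey and PEM_write_RSAPrivateKey), so a failed assignment still hands an empty EVP_PKEY to the generic writer. I would change the call to `if (!EVP_PKEY_set1_RSA(k, x)) { EVP_PKEY_free(k); return 0; }`. The DSA wrappers in the next hunk ignore the result of `EVP_PKEY_set1_DSA` in the same way and need the same guard.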
@@ -158,7 +201,48 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb, return pkey_get_dsa(pktmp, dsa); } + +#ifdef OPENSSL_FIPS + +int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + EVP_PKEY_set1_DSA(k, x); + + ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; +} + +#ifndef OPENSSL_NO_FP_API +int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + EVP_PKEY_set1_DSA(k, x); + ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; +} +#endif + +#else + IMPLEMENT_PEM_write_cb(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey) + +#endif + IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) #ifndef OPENSSL_NO_FP_API 
@@ -190,7 +274,42 @@ IMPLEMENT_PEM_rw(DHparams, DH, PEM_STRING_DHPARAMS, DHparams) * (When reading, parameter PEM_STRING_EVP_PKEY is a wildcard for anything * appropriate.) */ + +#ifdef OPENSSL_FIPS + +int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) + { + if (FIPS_mode()) + return PEM_write_bio_PKCS8PrivateKey(bp, x, enc, + (char *)kstr, klen, cb, u); + else + return PEM_ASN1_write_bio((int (*)())i2d_PrivateKey, + (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA), + bp,(char *)x,enc,kstr,klen,cb,u); + } + +#ifndef OPENSSL_NO_FP_API +int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) + { + if (FIPS_mode()) + return PEM_write_PKCS8PrivateKey(fp, x, enc, + (char *)kstr, klen, cb, u); + else + return PEM_ASN1_write((int (*)())i2d_PrivateKey, + (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA), + fp,(char *)x,enc,kstr,klen,cb,u); + } +#endif + +#else + IMPLEMENT_PEM_write_cb(PrivateKey, EVP_PKEY, ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA), PrivateKey) +#endif + IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY) diff --git a/lib/libcrypto/pem/pem_lib.c b/lib/libcrypto/pem/pem_lib.c index 7785039b993..82815067b39 100644 --- a/lib/libcrypto/pem/pem_lib.c +++ b/lib/libcrypto/pem/pem_lib.c @@ -73,7 +73,7 @@ const char *PEM_version="PEM" OPENSSL_VERSION_PTEXT; #define MIN_LENGTH 4 -static int load_iv(unsigned char **fromp,unsigned char *to, int num); +static int load_iv(char **fromp,unsigned char *to, int num); static int check_pem(const char *nm, const char *name); int PEM_def_callback(char *buf, int num, int w, void *key) 
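Review bot: Nothing documents that PEM_write_bio_PrivateKey and PEM_write_PrivateKey now pick the output format at run time: PKCS#8 through `PEM_write_bio_PKCS8PrivateKey` when `FIPS_mode()` is set, the traditional RSA/DSA form otherwise. Callers and tests that expect a particular PEM header will see different output from the same call, so I would add `/* In FIPS mode keys are written as PKCS#8, otherwise in the traditional RSA/DSA format. */` above the first function. The comment should also say that the non-FIPS branch labels every key that is not `EVP_PKEY_DSA` as RSA, as the macro in the `#else` does.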
@@ -301,7 +301,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x, if ((dsize=i2d(x,NULL)) < 0) { - PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_MALLOC_FAILURE); + PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_ASN1_LIB); dsize=0; goto err; } @@ -432,6 +432,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher) int o; const EVP_CIPHER *enc=NULL; char *p,c; + char **header_pp = &header; cipher->cipher=NULL; if ((header == NULL) || (*header == '\0') || (*header == '\n')) @@ -478,15 +479,16 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher) PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_UNSUPPORTED_ENCRYPTION); return(0); } - if (!load_iv((unsigned char **)&header,&(cipher->iv[0]),enc->iv_len)) return(0); + if (!load_iv(header_pp,&(cipher->iv[0]),enc->iv_len)) + return(0); return(1); } -static int load_iv(unsigned char **fromp, unsigned char *to, int num) +static int load_iv(char **fromp, unsigned char *to, int num) { int v,i; - unsigned char *from; + char *from; from= *fromp; for (i=0; i<num; i++) to[i]=0; @@ -623,6 +625,9 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data, dataB=BUF_MEM_new(); if ((nameB == NULL) || (headerB == NULL) || (dataB == NULL)) { + BUF_MEM_free(nameB); + BUF_MEM_free(headerB); + BUF_MEM_free(dataB); PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE); return(0); } diff --git a/lib/libcrypto/pem/pem_pkey.c b/lib/libcrypto/pem/pem_pkey.c index f77c949e87b..9ecdbd5419e 100644 --- a/lib/libcrypto/pem/pem_pkey.c +++ b/lib/libcrypto/pem/pem_pkey.c @@ -104,6 +104,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo if (klen <= 0) { PEMerr(PEM_F_PEM_ASN1_READ_BIO, PEM_R_BAD_PASSWORD_READ); + X509_SIG_free(p8); goto err; } p8inf = PKCS8_decrypt(p8, psbuf, klen); diff --git a/lib/libcrypto/perlasm/x86asm.pl b/lib/libcrypto/perlasm/x86asm.pl index 7c675e3ced3..60233f80e85 100644 --- a/lib/libcrypto/perlasm/x86asm.pl +++ b/lib/libcrypto/perlasm/x86asm.pl 
@@ -130,4 +130,6 @@ BSDI - a.out with a very primative version of as. EOF } +sub main'align() {} # swallow align statements in 0.9.7 context + 1; diff --git a/lib/libcrypto/perlasm/x86ms.pl b/lib/libcrypto/perlasm/x86ms.pl index fbb4afb9bda..b6bd744057e 100644 --- a/lib/libcrypto/perlasm/x86ms.pl +++ b/lib/libcrypto/perlasm/x86ms.pl @@ -160,6 +160,7 @@ sub main'not { &out1("not",@_); } sub main'call { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); } sub main'ret { &out0("ret"); } sub main'nop { &out0("nop"); } +sub main'movz { &out2("movzx",@_); } sub out2 { diff --git a/lib/libcrypto/perlasm/x86nasm.pl b/lib/libcrypto/perlasm/x86nasm.pl index 30346af4eac..5009acb4b31 100644 --- a/lib/libcrypto/perlasm/x86nasm.pl +++ b/lib/libcrypto/perlasm/x86nasm.pl @@ -86,7 +86,7 @@ sub get_mem { my($size,$addr,$reg1,$reg2,$idx)=@_; my($t,$post); - my($ret)="["; + my($ret)="$size ["; $addr =~ s/^\s+//; if ($addr =~ /^(.+)\+(.+)$/) { @@ -169,6 +169,7 @@ sub main'not { &out1("not",@_); } sub main'call { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); } sub main'ret { &out0("ret"); } sub main'nop { &out0("nop"); } +sub main'movz { &out2("movzx",@_); } sub out2 { @@ -176,6 +177,11 @@ sub out2 my($l,$t); push(@out,"\t$name\t"); + if ($name eq "lea") + { + $p1 =~ s/^[^\[]*\[/\[/; + $p2 =~ s/^[^\[]*\[/\[/; + } $t=&conv($p1).","; $l=length($t); push(@out,$t); diff --git a/lib/libcrypto/perlasm/x86unix.pl b/lib/libcrypto/perlasm/x86unix.pl index 53ad5f49279..9717d185579 100644 --- a/lib/libcrypto/perlasm/x86unix.pl +++ b/lib/libcrypto/perlasm/x86unix.pl 
@@ -143,12 +143,12 @@ sub main'shl { &out2("sall",@_); } sub main'shr { &out2("shrl",@_); } sub main'xor { &out2("xorl",@_); } sub main'xorb { &out2("xorb",@_); } -sub main'add { &out2("addl",@_); } +sub main'add { &out2($_[0]=~/%[a-d][lh]/?"addb":"addl",@_); } sub main'adc { &out2("adcl",@_); } sub main'sub { &out2("subl",@_); } sub main'rotl { &out2("roll",@_); } sub main'rotr { &out2("rorl",@_); } -sub main'exch { &out2("xchg",@_); } +sub main'exch { &out2($_[0]=~/%[a-d][lh]/?"xchgb":"xchgl",@_); } sub main'cmp { &out2("cmpl",@_); } sub main'lea { &out2("leal",@_); } sub main'mul { &out1("mull",@_); } @@ -170,7 +170,7 @@ sub main'jc { &out1("jc",@_); } sub main'jnc { &out1("jnc",@_); } sub main'jno { &out1("jno",@_); } sub main'dec { &out1("decl",@_); } -sub main'inc { &out1("incl",@_); } +sub main'inc { &out1($_[0]=~/%[a-d][hl]/?"incb":"incl",@_); } sub main'push { &out1("pushl",@_); $stack+=4; } sub main'pop { &out1("popl",@_); $stack-=4; } sub main'pushf { &out0("pushf"); $stack+=4; } @@ -179,6 +179,7 @@ sub main'not { &out1("notl",@_); } sub main'call { &out1("call",($_[0]=~/^\.L/?'':$under).$_[0]); } sub main'ret { &out0("ret"); } sub main'nop { &out0("nop"); } +sub main'movz { &out2("movzbl",@_); } # The bswapl instruction is new for the 486. Emulate if i386. sub main'bswap diff --git a/lib/libcrypto/pkcs12/p12_crpt.c b/lib/libcrypto/pkcs12/p12_crpt.c index 5e8958612b4..003ec7a33e6 100644 --- a/lib/libcrypto/pkcs12/p12_crpt.c +++ b/lib/libcrypto/pkcs12/p12_crpt.c @@ -88,7 +88,7 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de) { PBEPARAM *pbe; - int saltlen, iter; + int saltlen, iter, ret; unsigned char *salt, *pbuf; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; 
@@ -117,8 +117,8 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen, return 0; } PBEPARAM_free(pbe); - EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de); + ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de); OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); - return 1; + return ret; } diff --git a/lib/libcrypto/pkcs12/p12_init.c b/lib/libcrypto/pkcs12/p12_init.c index eb837a78cf7..5276b126698 100644 --- a/lib/libcrypto/pkcs12/p12_init.c +++ b/lib/libcrypto/pkcs12/p12_init.c @@ -76,15 +76,17 @@ PKCS12 *PKCS12_init (int mode) if (!(pkcs12->authsafes->d.data = M_ASN1_OCTET_STRING_new())) { PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } break; default: - PKCS12err(PKCS12_F_PKCS12_INIT,PKCS12_R_UNSUPPORTED_PKCS12_MODE); - PKCS12_free(pkcs12); - return NULL; - break; + PKCS12err(PKCS12_F_PKCS12_INIT, + PKCS12_R_UNSUPPORTED_PKCS12_MODE); + goto err; } return pkcs12; +err: + if (pkcs12 != NULL) PKCS12_free(pkcs12); + return NULL; } diff --git a/lib/libcrypto/pkcs12/p12_kiss.c b/lib/libcrypto/pkcs12/p12_kiss.c index 885087ad00f..2b31999e112 100644 --- a/lib/libcrypto/pkcs12/p12_kiss.c +++ b/lib/libcrypto/pkcs12/p12_kiss.c @@ -249,14 +249,26 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate ) return 1; if (!(x509 = PKCS12_certbag2x509(bag))) return 0; - if(ckid) X509_keyid_set1(x509, ckid->data, ckid->length); + if(ckid) + { + if (!X509_keyid_set1(x509, ckid->data, ckid->length)) + { + X509_free(x509); + return 0; + } + } if(fname) { - int len; + int len, r; unsigned char *data; len = ASN1_STRING_to_UTF8(&data, fname); if(len > 0) { - X509_alias_set1(x509, data, len); + r = X509_alias_set1(x509, data, len); OPENSSL_free(data); + if (!r) + { + X509_free(x509); + return 0; + } } } 
diff --git a/lib/libcrypto/pkcs12/p12_mutl.c b/lib/libcrypto/pkcs12/p12_mutl.c index 0fb67f74b8b..4886b9b2899 100644 --- a/lib/libcrypto/pkcs12/p12_mutl.c +++ b/lib/libcrypto/pkcs12/p12_mutl.c @@ -148,7 +148,10 @@ int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen, PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); return 0; } - ASN1_INTEGER_set(p12->mac->iter, iter); + if (!ASN1_INTEGER_set(p12->mac->iter, iter)) { + PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); + return 0; + } } if (!saltlen) saltlen = PKCS12_SALT_LEN; p12->mac->salt->length = saltlen; diff --git a/lib/libcrypto/pkcs7/pk7_attr.c b/lib/libcrypto/pkcs7/pk7_attr.c index 5ff5a88b5cf..039141027a6 100644 --- a/lib/libcrypto/pkcs7/pk7_attr.c +++ b/lib/libcrypto/pkcs7/pk7_attr.c @@ -3,7 +3,7 @@ * project 2001. */ /* ==================================================================== - * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 2001-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -94,17 +94,18 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap) } STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si) -{ + { ASN1_TYPE *cap; unsigned char *p; cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities); - if (!cap) return NULL; + if (!cap || (cap->type != V_ASN1_SEQUENCE)) + return NULL; p = cap->value.sequence->data; return d2i_ASN1_SET_OF_X509_ALGOR(NULL, &p, cap->value.sequence->length, d2i_X509_ALGOR, X509_ALGOR_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); -} + } /* Basic smime-capabilities OID and optional integer arg */ int PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg) diff --git a/lib/libcrypto/pkcs7/pk7_doit.c b/lib/libcrypto/pkcs7/pk7_doit.c index b78e22819cd..4ac29ae14d6 100644 --- a/lib/libcrypto/pkcs7/pk7_doit.c 
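Review bot: The new `cap->type != V_ASN1_SEQUENCE` test in PKCS7_get_smimecap has no comment saying why it is needed, and a later cleanup could easily fold it back into the plain NULL test. The lines that follow read `cap->value.sequence->data` and `->length`, which are only meaningful when the ASN1_TYPE actually holds a SEQUENCE. The attribute presumably comes from the parsed signer info, so its type is not under the caller's control. I would add above the test: `/* value is a union: only touch value.sequence when the attribute really is a SEQUENCE */`.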
+++ b/lib/libcrypto/pkcs7/pk7_doit.c @@ -239,7 +239,13 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) OPENSSL_free(tmp); goto err; } - M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj); + if (!M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj)) + { + PKCS7err(PKCS7_F_PKCS7_DATAINIT, + ERR_R_MALLOC_FAILURE); + OPENSSL_free(tmp); + goto err; + } } OPENSSL_free(tmp); OPENSSL_cleanse(key, keylen); @@ -520,12 +526,20 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) case NID_pkcs7_signedAndEnveloped: /* XXXXXXXXXXXXXXXX */ si_sk=p7->d.signed_and_enveloped->signer_info; - os=M_ASN1_OCTET_STRING_new(); + if (!(os=M_ASN1_OCTET_STRING_new())) + { + PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE); + goto err; + } p7->d.signed_and_enveloped->enc_data->enc_data=os; break; case NID_pkcs7_enveloped: /* XXXXXXXXXXXXXXXX */ - os=M_ASN1_OCTET_STRING_new(); + if (!(os=M_ASN1_OCTET_STRING_new())) + { + PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE); + goto err; + } p7->d.enveloped->enc_data->enc_data=os; break; case NID_pkcs7_signed: @@ -599,7 +613,12 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime)) { - sign_time=X509_gmtime_adj(NULL,0); + if (!(sign_time=X509_gmtime_adj(NULL,0))) + { + PKCS7err(PKCS7_F_PKCS7_DATASIGN, + ERR_R_MALLOC_FAILURE); + goto err; + } PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME,sign_time); @@ -608,8 +627,19 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) /* Add digest */ md_tmp=EVP_MD_CTX_md(&ctx_tmp); EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len); - digest=M_ASN1_OCTET_STRING_new(); - M_ASN1_OCTET_STRING_set(digest,md_data,md_len); + if (!(digest=M_ASN1_OCTET_STRING_new())) + { + PKCS7err(PKCS7_F_PKCS7_DATASIGN, + ERR_R_MALLOC_FAILURE); + goto err; + } + if (!M_ASN1_OCTET_STRING_set(digest,md_data, + md_len)) + { + PKCS7err(PKCS7_F_PKCS7_DATASIGN, + ERR_R_MALLOC_FAILURE); + goto err; + } PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest, V_ASN1_OCTET_STRING,digest); 
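Review bot: The failure branch added after `M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj)` in PKCS7_dataInit frees `tmp` and jumps to `err`, but skips the `OPENSSL_cleanse(key, keylen)` that the success path runs two lines later. Unless the `err` label, which is outside this hunk, cleanses `key` itself, the key material stays in memory on this path; the existing `goto err` just above has the same shape. Adding `OPENSSL_cleanse(key, keylen);` before the `goto err` in both branches would close that. The function body continues outside the hunk.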
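Review bot: In the last PKCS7_dataFinal hunk, the branch taken when `M_ASN1_OCTET_STRING_set(digest,md_data,md_len)` fails jumps to `err` while `digest` is still owned only by the local variable. It looks like a leak unless the `err` label (not visible here) frees it; `M_ASN1_OCTET_STRING_free(digest);` before that `goto err` would make the ownership explicit. The return values of `EVP_DigestFinal_ex` and of both `PKCS7_add_signed_attribute` calls are still ignored, so a failure there would leave the attribute missing, and `sign_time` or `digest` unowned, without any error. The new messages also use `PKCS7_F_PKCS7_DATASIGN` although the hunk header names PKCS7_dataFinal, which will point readers of the error queue at the wrong function.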
diff --git a/lib/libcrypto/pkcs7/pk7_lib.c b/lib/libcrypto/pkcs7/pk7_lib.c index 985b07245cc..ee1817c7af9 100644 --- a/lib/libcrypto/pkcs7/pk7_lib.c +++ b/lib/libcrypto/pkcs7/pk7_lib.c @@ -164,7 +164,12 @@ int PKCS7_set_type(PKCS7 *p7, int type) p7->type=obj; if ((p7->d.sign=PKCS7_SIGNED_new()) == NULL) goto err; - ASN1_INTEGER_set(p7->d.sign->version,1); + if (!ASN1_INTEGER_set(p7->d.sign->version,1)) + { + PKCS7_SIGNED_free(p7->d.sign); + p7->d.sign=NULL; + goto err; + } break; case NID_pkcs7_data: p7->type=obj; @@ -176,6 +181,8 @@ int PKCS7_set_type(PKCS7 *p7, int type) if ((p7->d.signed_and_enveloped=PKCS7_SIGN_ENVELOPE_new()) == NULL) goto err; ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1); + if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1)) + goto err; p7->d.signed_and_enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data); break; @@ -183,7 +190,8 @@ int PKCS7_set_type(PKCS7 *p7, int type) p7->type=obj; if ((p7->d.enveloped=PKCS7_ENVELOPE_new()) == NULL) goto err; - ASN1_INTEGER_set(p7->d.enveloped->version,0); + if (!ASN1_INTEGER_set(p7->d.enveloped->version,0)) + goto err; p7->d.enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data); break; @@ -191,7 +199,8 @@ int PKCS7_set_type(PKCS7 *p7, int type) p7->type=obj; if ((p7->d.encrypted=PKCS7_ENCRYPT_new()) == NULL) goto err; - ASN1_INTEGER_set(p7->d.encrypted->version,0); + if (!ASN1_INTEGER_set(p7->d.encrypted->version,0)) + goto err; p7->d.encrypted->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data); break; 
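Review bot: In the `signed_and_enveloped` case of PKCS7_set_type (second hunk), the original unchecked `ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1);` is still present as a context line directly above the new checked call, so the version is set twice; this looks like a merge leftover and the unchecked line should be deleted. The failure handling is also inconsistent across the hunks. The `signed` case calls `PKCS7_SIGNED_free(p7->d.sign)` and sets `p7->d.sign=NULL` before `goto err`, while this case and the `enveloped` and `encrypted` cases in the next two hunks jump to `err` with the freshly allocated structure still attached to `p7`. Whether that is a leak or a deliberate hand-off to the caller depends on the `err` label, which is outside these hunks; either way the four cases should do the same thing.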
@@ -318,15 +327,18 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, if (pkey->type == EVP_PKEY_DSA) is_dsa = 1; else is_dsa = 0; /* We now need to add another PKCS7_SIGNER_INFO entry */ - ASN1_INTEGER_set(p7i->version,1); - X509_NAME_set(&p7i->issuer_and_serial->issuer, - X509_get_issuer_name(x509)); + if (!ASN1_INTEGER_set(p7i->version,1)) + goto err; + if (!X509_NAME_set(&p7i->issuer_and_serial->issuer, + X509_get_issuer_name(x509))) + goto err; /* because ASN1_INTEGER_set is used to set a 'long' we will do * things the ugly way. */ M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial); - p7i->issuer_and_serial->serial= - M_ASN1_INTEGER_dup(X509_get_serialNumber(x509)); + if (!(p7i->issuer_and_serial->serial= + M_ASN1_INTEGER_dup(X509_get_serialNumber(x509)))) + goto err; /* lets keep the pkey around for a while */ CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY); @@ -423,16 +435,20 @@ int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri) int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509) { - ASN1_INTEGER_set(p7i->version,0); - X509_NAME_set(&p7i->issuer_and_serial->issuer, - X509_get_issuer_name(x509)); + if (!ASN1_INTEGER_set(p7i->version,0)) + return 0; + if (!X509_NAME_set(&p7i->issuer_and_serial->issuer, + X509_get_issuer_name(x509))) + return 0; M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial); - p7i->issuer_and_serial->serial= - M_ASN1_INTEGER_dup(X509_get_serialNumber(x509)); + if (!(p7i->issuer_and_serial->serial= + M_ASN1_INTEGER_dup(X509_get_serialNumber(x509)))) + return 0; X509_ALGOR_free(p7i->key_enc_algor); - p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor); + if (!(p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor))) + return 0; CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509); p7i->cert=x509; diff --git a/lib/libcrypto/pkcs7/pk7_smime.c b/lib/libcrypto/pkcs7/pk7_smime.c index 6e5735de118..a852b492358 100644 --- a/lib/libcrypto/pkcs7/pk7_smime.c 
+++ b/lib/libcrypto/pkcs7/pk7_smime.c @@ -155,7 +155,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, char buf[4096]; int i, j=0, k, ret = 0; BIO *p7bio; - BIO *tmpout; + BIO *tmpin, *tmpout; if(!p7) { PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_INVALID_NULL_POINTER); @@ -228,7 +228,30 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, /* Check for revocation status here */ } - p7bio=PKCS7_dataInit(p7,indata); + /* Performance optimization: if the content is a memory BIO then + * store its contents in a temporary read only memory BIO. This + * avoids potentially large numbers of slow copies of data which will + * occur when reading from a read write memory BIO when signatures + * are calculated. + */ + + if (indata && (BIO_method_type(indata) == BIO_TYPE_MEM)) + { + char *ptr; + long len; + len = BIO_get_mem_data(indata, &ptr); + tmpin = BIO_new_mem_buf(ptr, len); + if (tmpin == NULL) + { + PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE); + return 0; + } + } + else + tmpin = indata; + + + p7bio=PKCS7_dataInit(p7,tmpin); if(flags & PKCS7_TEXT) { if(!(tmpout = BIO_new(BIO_s_mem()))) { @@ -270,9 +293,15 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, ret = 1; err: + + if (tmpin == indata) + { + if(indata) BIO_pop(p7bio); + BIO_free_all(p7bio); + } + else + BIO_free_all(tmpin); - if(indata) BIO_pop(p7bio); - BIO_free_all(p7bio); sk_X509_free(signers); return ret; @@ -296,10 +325,6 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_WRONG_CONTENT_TYPE); return NULL; } - if(!(signers = sk_X509_new_null())) { - PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE); - return NULL; - } /* Collect all the signers together */ 
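Review bot: The `return 0` added for a failed `BIO_new_mem_buf` in PKCS7_verify bypasses the `err:` cleanup, which in the next hunk still ends with `sk_X509_free(signers)`. If `signers` has already been obtained at this point (the assignment is outside the hunk, but the surrounding revocation comment suggests it has), the stack leaks on this path. Setting the error and using `goto err` would keep a single exit, provided the cleanup tolerates `p7bio` not having been created yet. `tmpin` is also declared without an initializer and read at `err:`, so any jump to `err` that precedes this block would compare an indeterminate pointer; initializing `tmpin` to NULL avoids that.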
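Review bot: In the rewritten `err:` block of PKCS7_verify, the `else` branch calls only `BIO_free_all(tmpin)`, so when the temporary read-only BIO was used the BIO returned by `PKCS7_dataInit` in `p7bio` is never freed. The old code always ran `BIO_free_all(p7bio)`. Assuming `tmpin` sits at the tail of the chain that `p7bio` heads, freeing from `p7bio` releases both: `if (tmpin == indata) { if (indata) BIO_pop(p7bio); }` followed by an unconditional `BIO_free_all(p7bio);`. Every verification of memory-BIO content takes this branch, so the leak would recur on each call.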
@@ -310,6 +335,11 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) return 0; } + if(!(signers = sk_X509_new_null())) { + PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE); + return NULL; + } + for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) { si = sk_PKCS7_SIGNER_INFO_value(sinfos, i); diff --git a/lib/libcrypto/rand/md_rand.c b/lib/libcrypto/rand/md_rand.c index eeffc0df4cb..c84968df88f 100644 --- a/lib/libcrypto/rand/md_rand.c +++ b/lib/libcrypto/rand/md_rand.c @@ -126,6 +126,7 @@ #include <openssl/crypto.h> #include <openssl/err.h> +#include <openssl/fips.h> #ifdef BN_DEBUG # define PREDICT @@ -332,6 +333,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) #endif int do_stir_pool = 0; +#ifdef OPENSSL_FIPS + if(FIPS_mode()) + { + FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD); + return 0; + } +#endif + #ifdef PREDICT if (rand_predictable) { diff --git a/lib/libcrypto/rand/rand.h b/lib/libcrypto/rand/rand.h index 606382dd211..604df9be6c3 100644 --- a/lib/libcrypto/rand/rand.h +++ b/lib/libcrypto/rand/rand.h @@ -71,6 +71,10 @@ extern "C" { #endif +#if defined(OPENSSL_FIPS) +#define FIPS_RAND_SIZE_T int +#endif + typedef struct rand_meth_st { void (*seed)(const void *buf, int num); @@ -121,11 +125,17 @@ void ERR_load_RAND_strings(void); /* Error codes for the RAND functions. */ /* Function codes. */ +#define RAND_F_FIPS_RAND_BYTES 102 #define RAND_F_RAND_GET_RAND_METHOD 101 #define RAND_F_SSLEAY_RAND_BYTES 100 /* Reason codes. */ +#define RAND_R_NON_FIPS_METHOD 101 +#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 105 +#define RAND_R_PRNG_NOT_REKEYED 103 +#define RAND_R_PRNG_NOT_RESEEDED 104 #define RAND_R_PRNG_NOT_SEEDED 100 +#define RAND_R_PRNG_STUCK 102 #ifdef __cplusplus } diff --git a/lib/libcrypto/rand/rand_egd.c b/lib/libcrypto/rand/rand_egd.c index 6f742900a0a..cd666abfcb6 100644 --- a/lib/libcrypto/rand/rand_egd.c +++ b/lib/libcrypto/rand/rand_egd.c 
@@ -95,7 +95,7 @@ * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. */ -#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) +#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_VOS) int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) { return(-1); @@ -216,7 +216,9 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) while (numbytes != 1) { num = read(fd, egdbuf, 1); - if (num >= 0) + if (num == 0) + goto err; /* descriptor closed */ + else if (num > 0) numbytes += num; else { @@ -246,7 +248,9 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) while (numbytes != egdbuf[0]) { num = read(fd, retrievebuf + numbytes, egdbuf[0] - numbytes); - if (num >= 0) + if (num == 0) + goto err; /* descriptor closed */ + else if (num > 0) numbytes += num; else { diff --git a/lib/libcrypto/rand/rand_err.c b/lib/libcrypto/rand/rand_err.c index b77267e213b..95574659ace 100644 --- a/lib/libcrypto/rand/rand_err.c +++ b/lib/libcrypto/rand/rand_err.c @@ -1,6 +1,6 @@ /* crypto/rand/rand_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -66,6 +66,7 @@ #ifndef OPENSSL_NO_ERR static ERR_STRING_DATA RAND_str_functs[]= { +{ERR_PACK(0,RAND_F_FIPS_RAND_BYTES,0), "FIPS_RAND_BYTES"}, {ERR_PACK(0,RAND_F_RAND_GET_RAND_METHOD,0), "RAND_get_rand_method"}, {ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0), "SSLEAY_RAND_BYTES"}, {0,NULL} 
@@ -73,7 +74,12 @@ static ERR_STRING_DATA RAND_str_functs[]= static ERR_STRING_DATA RAND_str_reasons[]= { +{RAND_R_NON_FIPS_METHOD ,"non fips method"}, +{RAND_R_PRNG_ASKING_FOR_TOO_MUCH ,"prng asking for too much"}, +{RAND_R_PRNG_NOT_REKEYED ,"prng not rekeyed"}, +{RAND_R_PRNG_NOT_RESEEDED ,"prng not reseeded"}, {RAND_R_PRNG_NOT_SEEDED ,"PRNG not seeded"}, +{RAND_R_PRNG_STUCK ,"prng stuck"}, {0,NULL} }; diff --git a/lib/libcrypto/rand/rand_lib.c b/lib/libcrypto/rand/rand_lib.c index 513e3389859..88f1b56d91e 100644 --- a/lib/libcrypto/rand/rand_lib.c +++ b/lib/libcrypto/rand/rand_lib.c @@ -63,6 +63,8 @@ #ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> #endif +#include <openssl/fips.h> +#include <openssl/fips_rand.h> #ifndef OPENSSL_NO_ENGINE /* non-NULL if default_RAND_meth is ENGINE-provided */ @@ -85,6 +87,16 @@ int RAND_set_rand_method(const RAND_METHOD *meth) const RAND_METHOD *RAND_get_rand_method(void) { +#ifdef OPENSSL_FIPS + if(FIPS_mode() + && default_RAND_meth != FIPS_rand_check()) + { + RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD); + return 0; + } +#endif + + if (!default_RAND_meth) { #ifndef OPENSSL_NO_ENGINE diff --git a/lib/libcrypto/rand/rand_unix.c b/lib/libcrypto/rand/rand_unix.c index 0599719dd1d..9376554fae7 100644 --- a/lib/libcrypto/rand/rand_unix.c +++ b/lib/libcrypto/rand/rand_unix.c @@ -120,6 +120,7 @@ #include <sys/types.h> #include <sys/time.h> #include <sys/times.h> +#include <sys/stat.h> #include <fcntl.h> #include <unistd.h> #include <time.h> @@ -151,9 +152,9 @@ int RAND_poll(void) int n = 0; #endif #ifdef DEVRANDOM - static const char *randomfiles[] = { DEVRANDOM, NULL }; - const char **randomfile = NULL; - int fd; + static const char *randomfiles[] = { DEVRANDOM }; + struct stat randomstats[sizeof(randomfiles)/sizeof(randomfiles[0])]; + int fd,i; #endif #ifdef DEVRANDOM_EGD static const char *egdsockets[] = { DEVRANDOM_EGD, NULL }; 
@@ -161,26 +162,42 @@ int RAND_poll(void) #endif #ifdef DEVRANDOM + memset(randomstats,0,sizeof(randomstats)); /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD * have this. Use /dev/urandom if you can as /dev/random may block * if it runs out of random entries. */ - for (randomfile = randomfiles; *randomfile && n < ENTROPY_NEEDED; randomfile++) + for (i=0; i<sizeof(randomfiles)/sizeof(randomfiles[0]) && n < ENTROPY_NEEDED; i++) { - if ((fd = open(*randomfile, O_RDONLY|O_NONBLOCK + if ((fd = open(randomfiles[i], O_RDONLY +#ifdef O_NONBLOCK + |O_NONBLOCK +#endif +#ifdef O_BINARY + |O_BINARY +#endif #ifdef O_NOCTTY /* If it happens to be a TTY (god forbid), do not make it our controlling tty */ |O_NOCTTY #endif -#ifdef O_NOFOLLOW /* Fail if the file is a symbolic link */ - |O_NOFOLLOW -#endif )) >= 0) { struct timeval t = { 0, 10*1000 }; /* Spend 10ms on each file. */ - int r; + int r,j; fd_set fset; + struct stat *st=&randomstats[i]; + + /* Avoid using same input... Used to be O_NOFOLLOW + * above, but it's not universally appropriate... */ + if (fstat(fd,st) != 0) { close(fd); continue; } + for (j=0;j<i;j++) + { + if (randomstats[j].st_ino==st->st_ino && + randomstats[j].st_dev==st->st_dev) + break; + } + if (j<i) { close(fd); continue; } do { diff --git a/lib/libcrypto/rand/rand_vms.c b/lib/libcrypto/rand/rand_vms.c index 29b2d7af0b0..1267a3acae7 100644 --- a/lib/libcrypto/rand/rand_vms.c +++ b/lib/libcrypto/rand/rand_vms.c @@ -101,11 +101,12 @@ int RAND_poll(void) pitem = item; /* Setup */ - while (pitems_data->length) + while (pitems_data->length + && (total_length + pitems_data->length <= 256)) { pitem->length = pitems_data->length; pitem->code = pitems_data->code; - pitem->buffer = (long *)data_buffer[total_length]; + pitem->buffer = (long *)&data_buffer[total_length]; pitem->retlen = 0; total_length += pitems_data->length; pitems_data++; 
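Review bot: The `fstat` added in RAND_poll is used only to skip a second entry with the same `st_dev`/`st_ino`, while the `O_NOFOLLOW` flag that used to reject a symlinked path is removed. Nothing now checks what kind of object was opened before it is read as an entropy source. If every configured DEVRANDOM entry is expected to be a character device, the same stat result can enforce that: `if (fstat(fd,st) != 0 || !S_ISCHR(st->st_mode)) { close(fd); continue; }`. Separately, `i` is an `int` compared against a `sizeof` expression in the loop condition, which is a signed/unsigned comparison; declaring it `size_t` or casting the bound keeps warnings clean. The loop body continues outside the hunk.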
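Review bot: The bound added to the setup loop in rand_vms.c, `total_length + pitems_data->length <= 256`, is a bare literal, and the declaration of `data_buffer` it is meant to protect is outside the hunk. If the array size ever changes, the check will silently stop matching it. Deriving the limit from the array (a `sizeof`-based expression or a constant shared with the declaration) keeps the two tied together. It is also worth confirming that `total_length` counts the same unit as `data_buffer`'s elements, since it accumulates item lengths but is used directly as an index in `&data_buffer[total_length]`.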
diff --git a/lib/libcrypto/rand/rand_win.c b/lib/libcrypto/rand/rand_win.c index 3584842224c..30c69161ef8 100644 --- a/lib/libcrypto/rand/rand_win.c +++ b/lib/libcrypto/rand/rand_win.c @@ -125,7 +125,7 @@ * http://developer.intel.com/design/security/rng/redist_license.htm */ #define PROV_INTEL_SEC 22 -#define INTEL_DEF_PROV TEXT("Intel Hardware Cryptographic Service Provider") +#define INTEL_DEF_PROV L"Intel Hardware Cryptographic Service Provider" static void readtimer(void); static void readscreen(void); @@ -152,7 +152,7 @@ typedef struct tagCURSORINFO #define CURSOR_SHOWING 0x00000001 #endif /* CURSOR_SHOWING */ -typedef BOOL (WINAPI *CRYPTACQUIRECONTEXT)(HCRYPTPROV *, LPCTSTR, LPCTSTR, +typedef BOOL (WINAPI *CRYPTACQUIRECONTEXTW)(HCRYPTPROV *, LPCWSTR, LPCWSTR, DWORD, DWORD); typedef BOOL (WINAPI *CRYPTGENRANDOM)(HCRYPTPROV, DWORD, BYTE *); typedef BOOL (WINAPI *CRYPTRELEASECONTEXT)(HCRYPTPROV, DWORD); @@ -194,7 +194,7 @@ int RAND_poll(void) HWND h; HMODULE advapi, kernel, user, netapi; - CRYPTACQUIRECONTEXT acquire = 0; + CRYPTACQUIRECONTEXTW acquire = 0; CRYPTGENRANDOM gen = 0; CRYPTRELEASECONTEXT release = 0; #if 1 /* There was previously a problem with NETSTATGET. Currently, this @@ -213,6 +213,9 @@ int RAND_poll(void) GetVersionEx( &osverinfo ) ; #if defined(OPENSSL_SYS_WINCE) && WCEPLATFORM!=MS_HPC_PRO +#ifndef CryptAcquireContext +#define CryptAcquireContext CryptAcquireContextW +#endif /* poll the CryptoAPI PRNG */ /* The CryptoAPI returns sizeof(buf) bytes of randomness */ if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) 
@@ -223,21 +226,35 @@ int RAND_poll(void) } #endif +#ifndef OPENSSL_SYS_WINCE + /* + * None of below libraries are present on Windows CE, which is + * why we #ifndef the whole section. This also excuses us from + * handling the GetProcAddress issue. The trouble is that in + * real Win32 API GetProcAddress is available in ANSI flavor + * only. In WinCE on the other hand GetProcAddress is a macro + * most commonly defined as GetProcAddressW, which accepts + * Unicode argument. If we were to call GetProcAddress under + * WinCE, I'd recommend to either redefine GetProcAddress as + * GetProcAddressA (there seem to be one in common CE spec) or + * implement own shim routine, which would accept ANSI argument + * and expand it to Unicode. + */ + /* load functions dynamically - not available on all systems */ advapi = LoadLibrary(TEXT("ADVAPI32.DLL")); kernel = LoadLibrary(TEXT("KERNEL32.DLL")); user = LoadLibrary(TEXT("USER32.DLL")); netapi = LoadLibrary(TEXT("NETAPI32.DLL")); -#ifndef OPENSSL_SYS_WINCE #if 1 /* There was previously a problem with NETSTATGET. Currently, this * section is still experimental, but if all goes well, this conditional * will be removed */ if (netapi) { - netstatget = (NETSTATGET) GetProcAddress(netapi,TEXT("NetStatisticsGet")); - netfree = (NETFREE) GetProcAddress(netapi,TEXT("NetApiBufferFree")); + netstatget = (NETSTATGET) GetProcAddress(netapi,"NetStatisticsGet"); + netfree = (NETFREE) GetProcAddress(netapi,"NetApiBufferFree"); } if (netstatget && netfree) @@ -264,9 +281,7 @@ int RAND_poll(void) if (netapi) FreeLibrary(netapi); #endif /* 1 */ -#endif /* !OPENSSL_SYS_WINCE */ - -#ifndef OPENSSL_SYS_WINCE + /* It appears like this can cause an exception deep within ADVAPI32.DLL * at random times on Windows 2000. Reported by Jeffrey Altman. * Only use it on NT. 
@@ -321,16 +336,20 @@ int RAND_poll(void) free(buf); } #endif -#endif /* !OPENSSL_SYS_WINCE */ if (advapi) { - acquire = (CRYPTACQUIRECONTEXT) GetProcAddress(advapi, - TEXT("CryptAcquireContextA")); + /* + * If it's available, then it's available in both ANSI + * and UNICODE flavors even in Win9x, documentation says. + * We favor Unicode... + */ + acquire = (CRYPTACQUIRECONTEXTW) GetProcAddress(advapi, + "CryptAcquireContextW"); gen = (CRYPTGENRANDOM) GetProcAddress(advapi, - TEXT("CryptGenRandom")); + "CryptGenRandom"); release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi, - TEXT("CryptReleaseContext")); + "CryptReleaseContext"); } if (acquire && gen && release) @@ -367,26 +386,15 @@ int RAND_poll(void) if (advapi) FreeLibrary(advapi); - /* timer data */ - readtimer(); - - /* memory usage statistics */ - GlobalMemoryStatus(&m); - RAND_add(&m, sizeof(m), 1); - - /* process ID */ - w = GetCurrentProcessId(); - RAND_add(&w, sizeof(w), 1); - if (user) { GETCURSORINFO cursor; GETFOREGROUNDWINDOW win; GETQUEUESTATUS queue; - win = (GETFOREGROUNDWINDOW) GetProcAddress(user, TEXT("GetForegroundWindow")); - cursor = (GETCURSORINFO) GetProcAddress(user, TEXT("GetCursorInfo")); - queue = (GETQUEUESTATUS) GetProcAddress(user, TEXT("GetQueueStatus")); + win = (GETFOREGROUNDWINDOW) GetProcAddress(user, "GetForegroundWindow"); + cursor = (GETCURSORINFO) GetProcAddress(user, "GetCursorInfo"); + queue = (GETQUEUESTATUS) GetProcAddress(user, "GetQueueStatus"); if (win) { 
@@ -458,19 +466,19 @@ int RAND_poll(void) MODULEENTRY32 m; snap = (CREATETOOLHELP32SNAPSHOT) - GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot")); + GetProcAddress(kernel, "CreateToolhelp32Snapshot"); close_snap = (CLOSETOOLHELP32SNAPSHOT) - GetProcAddress(kernel, TEXT("CloseToolhelp32Snapshot")); - heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First")); - heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next")); - heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst")); - heaplist_next = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListNext")); - process_first = (PROCESS32) GetProcAddress(kernel, TEXT("Process32First")); - process_next = (PROCESS32) GetProcAddress(kernel, TEXT("Process32Next")); - thread_first = (THREAD32) GetProcAddress(kernel, TEXT("Thread32First")); - thread_next = (THREAD32) GetProcAddress(kernel, TEXT("Thread32Next")); - module_first = (MODULE32) GetProcAddress(kernel, TEXT("Module32First")); - module_next = (MODULE32) GetProcAddress(kernel, TEXT("Module32Next")); + GetProcAddress(kernel, "CloseToolhelp32Snapshot"); + heap_first = (HEAP32FIRST) GetProcAddress(kernel, "Heap32First"); + heap_next = (HEAP32NEXT) GetProcAddress(kernel, "Heap32Next"); + heaplist_first = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListFirst"); + heaplist_next = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListNext"); + process_first = (PROCESS32) GetProcAddress(kernel, "Process32First"); + process_next = (PROCESS32) GetProcAddress(kernel, "Process32Next"); + thread_first = (THREAD32) GetProcAddress(kernel, "Thread32First"); + thread_next = (THREAD32) GetProcAddress(kernel, "Thread32Next"); + module_first = (MODULE32) GetProcAddress(kernel, "Module32First"); + module_next = (MODULE32) GetProcAddress(kernel, "Module32Next"); if (snap && heap_first && heap_next && heaplist_first && heaplist_next && process_first && process_next && 
@@ -546,6 +554,18 @@ int RAND_poll(void) FreeLibrary(kernel); } +#endif /* !OPENSSL_SYS_WINCE */ + + /* timer data */ + readtimer(); + + /* memory usage statistics */ + GlobalMemoryStatus(&m); + RAND_add(&m, sizeof(m), 1); + + /* process ID */ + w = GetCurrentProcessId(); + RAND_add(&w, sizeof(w), 1); #if 0 printf("Exiting RAND_poll\n"); @@ -607,7 +627,7 @@ static void readtimer(void) DWORD w; LARGE_INTEGER l; static int have_perfc = 1; -#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE) +#if defined(_MSC_VER) && defined(_M_X86) static int have_tsc = 1; DWORD cyclecount; @@ -660,7 +680,7 @@ static void readtimer(void) static void readscreen(void) { -#ifndef OPENSSL_SYS_WINCE +#if !defined(OPENSSL_SYS_WINCE) && !defined(OPENSSL_SYS_WIN32_CYGWIN) HDC hScrDC; /* screen DC */ HDC hMemDC; /* memory DC */ HBITMAP hBitmap; /* handle for our bitmap */ diff --git a/lib/libcrypto/rand/randfile.c b/lib/libcrypto/rand/randfile.c index d88ee0d780b..9bd89ba495d 100644 --- a/lib/libcrypto/rand/randfile.c +++ b/lib/libcrypto/rand/randfile.c @@ -166,6 +166,7 @@ int RAND_write_file(const char *file) } #if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32) + { /* For some reason Win32 can't write to files created this way */ /* chmod(..., 0600) is too late to protect the file, @@ -173,6 +174,7 @@ int RAND_write_file(const char *file) int fd = open(file, O_CREAT, 0600); if (fd != -1) out = fdopen(fd, "wb"); + } #endif if (out == NULL) out = fopen(file,"wb"); diff --git a/lib/libcrypto/rc2/rc2.h b/lib/libcrypto/rc2/rc2.h index 7816b454dcd..71788158d84 100644 --- a/lib/libcrypto/rc2/rc2.h +++ b/lib/libcrypto/rc2/rc2.h @@ -79,7 +79,10 @@ typedef struct rc2_key_st RC2_INT data[64]; } RC2_KEY; - +#ifdef OPENSSL_FIPS +void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, + int bits); +#endif void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key, int enc); 
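Review bot: The new guard in readtimer, `#if defined(_MSC_VER) && defined(_M_X86)`, tests a macro that, as far as I know, Microsoft's compiler does not predefine; the 32-bit x86 target macro is `_M_IX86`. If so, the `have_tsc` branch is never compiled and the timer source always falls through to the performance-counter path. That is safe but loses an entropy input without any indication. `#if defined(_MSC_VER) && defined(_M_IX86)` appears to be what was intended. The function body continues outside the hunk.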
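Review bot: The block being braced in RAND_write_file still calls `open(file, O_CREAT, 0600)` with no access mode. Where `O_RDONLY` is 0 this yields a read-only descriptor, so `fdopen(fd, "wb")` can fail or produce a stream that cannot be written. Control then falls through to the plain `fopen(file,"wb")` below, and the seed file is created with umask-derived permissions, which is what this block was meant to prevent. I would pass `O_WRONLY|O_CREAT` and close the descriptor when `fdopen` fails, e.g. `if (fd != -1 && (out = fdopen(fd, "wb")) == NULL) close(fd);`. The 0600 mode also applies only when the file is newly created, so an existing file keeps whatever permissions it had.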
diff --git a/lib/libcrypto/rc2/rc2_skey.c b/lib/libcrypto/rc2/rc2_skey.c index cab3080c73d..22f372f85cc 100644 --- a/lib/libcrypto/rc2/rc2_skey.c +++ b/lib/libcrypto/rc2/rc2_skey.c @@ -57,6 +57,7 @@ */ #include <openssl/rc2.h> +#include <openssl/crypto.h> #include "rc2_locl.h" static unsigned char key_table[256]={ @@ -90,7 +91,19 @@ static unsigned char key_table[256]={ * BSAFE uses the 'retarded' version. What I previously shipped is * the same as specifying 1024 for the 'bits' parameter. Bsafe uses * a version where the bits parameter is the same as len*8 */ + +#ifdef OPENSSL_FIPS +void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits) + { + if (FIPS_mode()) + FIPS_BAD_ABORT(RC2) + private_RC2_set_key(key, len, data, bits); + } +void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, + int bits) +#else void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits) +#endif { int i,j; unsigned char *k; diff --git a/lib/libcrypto/rc4/asm/rc4-586.pl b/lib/libcrypto/rc4/asm/rc4-586.pl index 7ef889e5a13..d6e98f08117 100644 --- a/lib/libcrypto/rc4/asm/rc4-586.pl +++ b/lib/libcrypto/rc4/asm/rc4-586.pl 
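Review bot: The FIPS wrapper added for RC2_set_key writes `if (FIPS_mode()) FIPS_BAD_ABORT(RC2)` with no braces and no terminating semicolon, so what the `if` controls depends entirely on how that macro expands, and its definition is not in this file. If the macro ever expands to nothing or to more than one statement, the `private_RC2_set_key(key, len, data, bits);` call on the next line becomes the body of the `if`, or the abort becomes unconditional. Bracing it removes the dependency: `if (FIPS_mode()) { FIPS_BAD_ABORT(RC2) }`. A one-line comment saying that RC2 is refused in FIPS mode would also help, since the macro name alone does not say what happens.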
@@ -1,16 +1,37 @@ #!/usr/local/bin/perl -# define for pentium pro friendly version +# At some point it became apparent that the original SSLeay RC4 +# assembler implementation performs suboptimaly on latest IA-32 +# microarchitectures. After re-tuning performance has changed as +# following: +# +# Pentium +0% +# Pentium III +17% +# AMD +52%(*) +# P4 +180%(**) +# +# (*) This number is actually a trade-off:-) It's possible to +# achieve +72%, but at the cost of -48% off PIII performance. +# In other words code performing further 13% faster on AMD +# would perform almost 2 times slower on Intel PIII... +# For reference! This code delivers ~80% of rc4-amd64.pl +# performance on the same Opteron machine. +# (**) This number requires compressed key schedule set up by +# RC4_set_key and therefore doesn't apply to 0.9.7 [option for +# compressed key schedule is implemented in 0.9.8 and later, +# see commentary section in rc4_skey.c for further details]. +# +# <appro@fy.chalmers.se> push(@INC,"perlasm","../../perlasm"); require "x86asm.pl"; &asm_init($ARGV[0],"rc4-586.pl"); -$tx="eax"; -$ty="ebx"; -$x="ecx"; -$y="edx"; +$x="eax"; +$y="ebx"; +$tx="ecx"; +$ty="edx"; $in="esi"; $out="edi"; $d="ebp"; @@ -31,7 +52,7 @@ sub RC4_loop { &mov($ty, &swtmp(2)); &cmp($ty, $in); - &jle(&label("finished")); + &jbe(&label("finished")); &inc($in); } else 
@@ -39,27 +60,23 @@ sub RC4_loop &add($ty, 8); &inc($in); &cmp($ty, $in); - &jl(&label("finished")); + &jb(&label("finished")); &mov(&swtmp(2), $ty); } } # Moved out # &mov( $tx, &DWP(0,$d,$x,4)) if $p < 0; - &add( $y, $tx); - &and( $y, 0xff); - &inc( $x); # NEXT ROUND + &add( &LB($y), &LB($tx)); &mov( $ty, &DWP(0,$d,$y,4)); # XXX - &mov( &DWP(-4,$d,$x,4),$ty); # AGI + &mov( &DWP(0,$d,$x,4),$ty); &add( $ty, $tx); - &and( $x, 0xff); # NEXT ROUND - &and( $ty, 0xff); &mov( &DWP(0,$d,$y,4),$tx); - &nop(); - &mov( $ty, &DWP(0,$d,$ty,4)); - &mov( $tx, &DWP(0,$d,$x,4)) if $p < 1; # NEXT ROUND - # XXX + &and( $ty, 0xff); + &inc( &LB($x)); # NEXT ROUND + &mov( $tx, &DWP(0,$d,$x,4)) if $p < 1; # NEXT ROUND + &mov( $ty, &DWP(0,$d,$ty,4)); if (!$char) { 
@@ -88,35 +105,47 @@ sub RC4 &function_begin_B($name,""); + &mov($ty,&wparam(1)); # len + &cmp($ty,0); + &jne(&label("proceed")); + &ret(); + &set_label("proceed"); + &comment(""); &push("ebp"); &push("ebx"); - &mov( $d, &wparam(0)); # key - &mov( $ty, &wparam(1)); # num &push("esi"); - &push("edi"); + &xor( $x, $x); # avoid partial register stalls + &push("edi"); + &xor( $y, $y); # avoid partial register stalls + &mov( $d, &wparam(0)); # key + &mov( $in, &wparam(2)); - &mov( $x, &DWP(0,$d,"",1)); - &mov( $y, &DWP(4,$d,"",1)); + &movb( &LB($x), &BP(0,$d,"",1)); + &movb( &LB($y), &BP(4,$d,"",1)); - &mov( $in, &wparam(2)); - &inc( $x); + &mov( $out, &wparam(3)); + &inc( &LB($x)); &stack_push(3); # 3 temp variables &add( $d, 8); - &and( $x, 0xff); + + # detect compressed schedule, see commentary section in rc4_skey.c... + # in 0.9.7 context ~50 bytes below RC4_CHAR label remain redundant, + # as compressed key schedule is set up in 0.9.8 and later. + &cmp(&DWP(256,$d),-1); + &je(&label("RC4_CHAR")); &lea( $ty, &DWP(-8,$ty,$in)); # check for 0 length input - &mov( $out, &wparam(3)); &mov( &swtmp(2), $ty); # this is now address to exit at &mov( $tx, &DWP(0,$d,$x,4)); &cmp( $ty, $in); - &jl( &label("end")); # less than 8 bytes + &jb( &label("end")); # less than 8 bytes &set_label("start"); @@ -148,7 +177,7 @@ sub RC4 &mov( &DWP(-4,$out,"",0), $tx); &mov( $tx, &DWP(0,$d,$x,4)); &cmp($in, $ty); - &jle(&label("start")); + &jbe(&label("start")); &set_label("end"); 
@@ -162,10 +191,37 @@ sub RC4 &RC4_loop(5,0,1); &RC4_loop(6,1,1); + &jmp(&label("finished")); + + &align(16); + # this is essentially Intel P4 specific codepath, see rc4_skey.c, + # and is engaged in 0.9.8 and later context... + &set_label("RC4_CHAR"); + + &lea ($ty,&DWP(0,$in,$ty)); + &mov (&swtmp(2),$ty); + + # strangely enough unrolled loop performs over 20% slower... + &set_label("RC4_CHAR_loop"); + &movz ($tx,&BP(0,$d,$x)); + &add (&LB($y),&LB($tx)); + &movz ($ty,&BP(0,$d,$y)); + &movb (&BP(0,$d,$y),&LB($tx)); + &movb (&BP(0,$d,$x),&LB($ty)); + &add (&LB($ty),&LB($tx)); + &movz ($ty,&BP(0,$d,$ty)); + &xorb (&LB($ty),&BP(0,$in)); + &movb (&BP(0,$out),&LB($ty)); + &inc (&LB($x)); + &inc ($in); + &inc ($out); + &cmp ($in,&swtmp(2)); + &jb (&label("RC4_CHAR_loop")); + &set_label("finished"); &dec( $x); &stack_pop(3); - &mov( &DWP(-4,$d,"",0),$y); + &movb( &BP(-4,$d,"",0),&LB($y)); &movb( &BP(-8,$d,"",0),&LB($x)); &function_end($name); diff --git a/lib/libcrypto/rc4/rc4.h b/lib/libcrypto/rc4/rc4.h index 8722091f2ec..dd90d9fde09 100644 --- a/lib/libcrypto/rc4/rc4.h +++ b/lib/libcrypto/rc4/rc4.h @@ -73,10 +73,17 @@ typedef struct rc4_key_st { RC4_INT x,y; RC4_INT data[256]; +#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64) + /* see crypto/rc4/asm/rc4-ia64.S for further details... */ + RC4_INT pad[512-256-2]; +#endif } RC4_KEY; const char *RC4_options(void); +#ifdef OPENSSL_FIPS +void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data); +#endif void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data); void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata, unsigned char *outdata); diff --git a/lib/libcrypto/rc4/rc4_enc.c b/lib/libcrypto/rc4/rc4_enc.c index d5f18a3a707..81a97ea3b7c 100644 --- a/lib/libcrypto/rc4/rc4_enc.c +++ b/lib/libcrypto/rc4/rc4_enc.c 
@@ -77,6 +77,10 @@ void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata, x=key->x; y=key->y; d=key->data; +#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64) + /* see crypto/rc4/asm/rc4-ia64.S for further details... */ + d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1)); +#endif #if defined(RC4_CHUNK) /* diff --git a/lib/libcrypto/rc4/rc4_locl.h b/lib/libcrypto/rc4/rc4_locl.h index 3bb80b6ce9e..c712e1632ea 100644 --- a/lib/libcrypto/rc4/rc4_locl.h +++ b/lib/libcrypto/rc4/rc4_locl.h @@ -1,4 +1,5 @@ #ifndef HEADER_RC4_LOCL_H #define HEADER_RC4_LOCL_H #include <openssl/opensslconf.h> +#include <cryptlib.h> #endif diff --git a/lib/libcrypto/rc4/rc4_skey.c b/lib/libcrypto/rc4/rc4_skey.c index bb10c1ebe28..07234f061af 100644 --- a/lib/libcrypto/rc4/rc4_skey.c +++ b/lib/libcrypto/rc4/rc4_skey.c @@ -57,6 +57,7 @@ */ #include <openssl/rc4.h> +#include <openssl/crypto.h> #include "rc4_locl.h" #include <openssl/opensslv.h> @@ -85,7 +86,7 @@ const char *RC4_options(void) * Date: Wed, 14 Sep 1994 06:35:31 GMT */ -void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data) +FIPS_NON_FIPS_VCIPHER_Init(RC4) { register RC4_INT tmp; register int id1,id2; @@ -93,6 +94,11 @@ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data) unsigned int i; d= &(key->data[0]); +#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64) + /* see crypto/rc4/asm/rc4-ia64.S for further details... */ + d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1)); +#endif + for (i=0; i<256; i++) d[i]=i; key->x = 0; diff --git a/lib/libcrypto/rc5/rc5.h b/lib/libcrypto/rc5/rc5.h index 4adfd2db5ab..aa3f26920bf 100644 --- a/lib/libcrypto/rc5/rc5.h +++ b/lib/libcrypto/rc5/rc5.h 
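Review bot: The ia64 realignment `d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));` in RC4() can move `d` up by as many as 255 entries, so the 256-entry table may need 511 entries counted from `data[0]`, while `data[256]` plus the `pad[512-256-2]` member added in rc4.h supply only 510. Whether that worst case can occur depends on how RC4_KEY objects are aligned, which is not visible in this diff. The requirement should at least be written next to the pad member, e.g. `/* ia64: table is realigned inside data+pad; data[0] must not sit one entry past a sizeof(data) boundary */`. The same expression is repeated in the rc4_skey.c hunk at `@@ -93,6 +94,11 @@`, and the two copies must stay identical or the cipher reads the table at a different address than key setup wrote it; a single macro in a header both files include would remove that risk. Both function bodies continue outside their hunks.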
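Review bot: `FIPS_NON_FIPS_VCIPHER_Init(RC4)` in the rc4_skey.c hunk at `@@ -85,7 +86,7 @@` replaces the written-out header of RC4_set_key, but the body below still uses `key`, `len` and `data`, which now come only from a macro defined outside this diff view. A reader of rc4_skey.c can no longer see the signature, or tell which symbol the body defines in a FIPS build, where rc4.h also declares `private_RC4_set_key`. I would add a comment above the macro use, e.g. `/* expands to the header of RC4_set_key(RC4_KEY *key, int len, const unsigned char *data); see the macro definition for the FIPS variant */`. The same applies to `FIPS_NON_FIPS_MD_Init(RIPEMD160)` in rmd_dgst.c and `FIPS_NON_FIPS_MD_Init(SHA)` in sha_locl.h, whose bodies rely on a parameter named `c`. The function body continues outside the hunk.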
@@ -92,7 +92,10 @@ typedef struct rc5_key_st RC5_32_INT data[2*(RC5_16_ROUNDS+1)]; } RC5_32_KEY; - +#ifdef OPENSSL_FIPS +void private_RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data, + int rounds); +#endif void RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data, int rounds); void RC5_32_ecb_encrypt(const unsigned char *in,unsigned char *out,RC5_32_KEY *key, diff --git a/lib/libcrypto/ripemd/ripemd.h b/lib/libcrypto/ripemd/ripemd.h index 78d5f365605..7d0d9981894 100644 --- a/lib/libcrypto/ripemd/ripemd.h +++ b/lib/libcrypto/ripemd/ripemd.h @@ -90,6 +90,9 @@ typedef struct RIPEMD160state_st int num; } RIPEMD160_CTX; +#ifdef OPENSSL_FIPS +int private_RIPEMD160_Init(RIPEMD160_CTX *c); +#endif int RIPEMD160_Init(RIPEMD160_CTX *c); int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len); int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); diff --git a/lib/libcrypto/ripemd/rmd_dgst.c b/lib/libcrypto/ripemd/rmd_dgst.c index 28896512e7c..58ff010d110 100644 --- a/lib/libcrypto/ripemd/rmd_dgst.c +++ b/lib/libcrypto/ripemd/rmd_dgst.c @@ -58,6 +58,7 @@ #include <stdio.h> #include "rmd_locl.h" +#include <openssl/fips.h> #include <openssl/opensslv.h> const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT; @@ -69,7 +70,7 @@ const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT; void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,int num); # endif -int RIPEMD160_Init(RIPEMD160_CTX *c) +FIPS_NON_FIPS_MD_Init(RIPEMD160) { c->A=RIPEMD160_A; c->B=RIPEMD160_B; diff --git a/lib/libcrypto/rsa/rsa.h b/lib/libcrypto/rsa/rsa.h index 62fa745f79e..fc3bb5f86de 100644 --- a/lib/libcrypto/rsa/rsa.h +++ b/lib/libcrypto/rsa/rsa.h @@ -72,6 +72,10 @@ #error RSA is disabled. #endif +#if defined(OPENSSL_FIPS) +#define FIPS_RSA_SIZE_T int +#endif + #ifdef __cplusplus extern "C" { #endif diff --git a/lib/libcrypto/rsa/rsa_eay.c b/lib/libcrypto/rsa/rsa_eay.c index e0d286266e0..d4caab3f953 100644 
--- a/lib/libcrypto/rsa/rsa_eay.c +++ b/lib/libcrypto/rsa/rsa_eay.c @@ -62,7 +62,7 @@ #include <openssl/rsa.h> #include <openssl/rand.h> -#ifndef RSA_NULL +#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS) static int RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,int padding); diff --git a/lib/libcrypto/rsa/rsa_gen.c b/lib/libcrypto/rsa/rsa_gen.c index 00c25adbc58..adb5e34da56 100644 --- a/lib/libcrypto/rsa/rsa_gen.c +++ b/lib/libcrypto/rsa/rsa_gen.c @@ -62,6 +62,8 @@ #include <openssl/bn.h> #include <openssl/rsa.h> +#ifndef OPENSSL_FIPS + RSA *RSA_generate_key(int bits, unsigned long e_value, void (*callback)(int,int,void *), void *cb_arg) { @@ -195,3 +197,4 @@ err: return(rsa); } +#endif diff --git a/lib/libcrypto/rsa/rsa_saos.c b/lib/libcrypto/rsa/rsa_saos.c index f462716a57f..24fc94835e2 100644 --- a/lib/libcrypto/rsa/rsa_saos.c +++ b/lib/libcrypto/rsa/rsa_saos.c @@ -139,8 +139,11 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype, ret=1; err: if (sig != NULL) M_ASN1_OCTET_STRING_free(sig); - OPENSSL_cleanse(s,(unsigned int)siglen); - OPENSSL_free(s); + if (s != NULL) + { + OPENSSL_cleanse(s,(unsigned int)siglen); + OPENSSL_free(s); + } return(ret); } diff --git a/lib/libcrypto/rsa/rsa_sign.c b/lib/libcrypto/rsa/rsa_sign.c index 8a1e642183c..cee09eccb1f 100644 --- a/lib/libcrypto/rsa/rsa_sign.c +++ b/lib/libcrypto/rsa/rsa_sign.c @@ -169,7 +169,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, } if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) { RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH); - return(0); + goto err; } i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING); @@ -222,8 +222,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, } err: if (sig != NULL) X509_SIG_free(sig); - OPENSSL_cleanse(s,(unsigned int)siglen); - OPENSSL_free(s); + if (s != NULL) + { + OPENSSL_cleanse(s,(unsigned int)siglen); + OPENSSL_free(s); + } return(ret); } 
diff --git a/lib/libcrypto/sha/asm/sha1-586.pl b/lib/libcrypto/sha/asm/sha1-586.pl index e00f7095538..041acc03486 100644 --- a/lib/libcrypto/sha/asm/sha1-586.pl +++ b/lib/libcrypto/sha/asm/sha1-586.pl @@ -405,7 +405,7 @@ sub sha1_block_data &mov(&DWP(16,$tmp1,"",0),$E); &cmp("esi","eax"); &mov(&DWP( 4,$tmp1,"",0),$B); - &jl(&label("start")); + &jb(&label("start")); &stack_pop(18+9); &pop("edi"); diff --git a/lib/libcrypto/sha/sha.h b/lib/libcrypto/sha/sha.h index 3fd54a10cc7..79c07b0fd1f 100644 --- a/lib/libcrypto/sha/sha.h +++ b/lib/libcrypto/sha/sha.h @@ -69,6 +69,10 @@ extern "C" { #error SHA is disabled. #endif +#if defined(OPENSSL_FIPS) +#define FIPS_SHA_SIZE_T unsigned long +#endif + /* * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then ! @@ -101,6 +105,9 @@ typedef struct SHAstate_st } SHA_CTX; #ifndef OPENSSL_NO_SHA0 +#ifdef OPENSSL_FIPS +int private_SHA_Init(SHA_CTX *c); +#endif int SHA_Init(SHA_CTX *c); int SHA_Update(SHA_CTX *c, const void *data, unsigned long len); int SHA_Final(unsigned char *md, SHA_CTX *c); diff --git a/lib/libcrypto/sha/sha1dgst.c b/lib/libcrypto/sha/sha1dgst.c index 182f65982ab..1e2009b7608 100644 --- a/lib/libcrypto/sha/sha1dgst.c +++ b/lib/libcrypto/sha/sha1dgst.c @@ -62,12 +62,20 @@ #define SHA_1 #include <openssl/opensslv.h> +#include <openssl/opensslconf.h> +#ifndef OPENSSL_FIPS const char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT; /* The implementation is in ../md32_common.h */ #include "sha_locl.h" +#else /* ndef OPENSSL_FIPS */ + +static void *dummy=&dummy; + +#endif /* ndef OPENSSL_FIPS */ + #endif diff --git a/lib/libcrypto/sha/sha_locl.h b/lib/libcrypto/sha/sha_locl.h index 2dd63a62a64..a3623f72da1 100644 --- a/lib/libcrypto/sha/sha_locl.h +++ b/lib/libcrypto/sha/sha_locl.h 
@@ -121,6 +121,11 @@ # define sha1_block_data_order sha1_block_asm_data_order # define DONT_IMPLEMENT_BLOCK_DATA_ORDER # define HASH_BLOCK_DATA_ORDER_ALIGNED sha1_block_asm_data_order +# elif defined(__ia64) || defined(__ia64__) || defined(_M_IA64) +# define sha1_block_host_order sha1_block_asm_host_order +# define DONT_IMPLEMENT_BLOCK_HOST_ORDER +# define sha1_block_data_order sha1_block_asm_data_order +# define DONT_IMPLEMENT_BLOCK_DATA_ORDER # endif # endif void sha1_block_host_order (SHA_CTX *c, const void *p,int num); @@ -138,7 +143,11 @@ #define INIT_DATA_h3 0x10325476UL #define INIT_DATA_h4 0xc3d2e1f0UL +#if defined(SHA_0) && defined(OPENSSL_FIPS) +FIPS_NON_FIPS_MD_Init(SHA) +#else int HASH_INIT (SHA_CTX *c) +#endif { c->h0=INIT_DATA_h0; c->h1=INIT_DATA_h1; diff --git a/lib/libcrypto/sha/shatest.c b/lib/libcrypto/sha/shatest.c index 5d2b1d3b1ae..ff702aa53e4 100644 --- a/lib/libcrypto/sha/shatest.c +++ b/lib/libcrypto/sha/shatest.c @@ -62,10 +62,10 @@ #include "../e_os.h" -#ifdef OPENSSL_NO_SHA +#if defined(OPENSSL_NO_SHA) || defined(OPENSSL_NO_SHA0) int main(int argc, char *argv[]) { - printf("No SHA support\n"); + printf("No SHA0 support\n"); return(0); } #else diff --git a/lib/libcrypto/stack/safestack.h b/lib/libcrypto/stack/safestack.h index ed9ed2c23a0..bd1121c279e 100644 --- a/lib/libcrypto/stack/safestack.h +++ b/lib/libcrypto/stack/safestack.h @@ -113,6 +113,8 @@ STACK_OF(type) \ ((type * (*)(STACK_OF(type) *))sk_pop)(st) #define SKM_sk_sort(type, st) \ ((void (*)(STACK_OF(type) *))sk_sort)(st) +#define SKM_sk_is_sorted(type, st) \ + ((int (*)(const STACK_OF(type) *))sk_is_sorted)(st) #define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ ((STACK_OF(type) * (*) (STACK_OF(type) **,unsigned char **, long , \ 
@@ -187,6 +189,8 @@ STACK_OF(type) \ ((type *)sk_pop(st)) #define SKM_sk_sort(type, st) \ sk_sort(st) +#define SKM_sk_is_sorted(type, st) \ + sk_is_sorted(st) #define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ d2i_ASN1_SET(st,pp,length, (char *(*)())d2i_func, (void (*)(void *))free_func, ex_tag,ex_class) @@ -223,6 +227,7 @@ STACK_OF(type) \ #define sk_ACCESS_DESCRIPTION_shift(st) SKM_sk_shift(ACCESS_DESCRIPTION, (st)) #define sk_ACCESS_DESCRIPTION_pop(st) SKM_sk_pop(ACCESS_DESCRIPTION, (st)) #define sk_ACCESS_DESCRIPTION_sort(st) SKM_sk_sort(ACCESS_DESCRIPTION, (st)) +#define sk_ACCESS_DESCRIPTION_is_sorted(st) SKM_sk_is_sorted(ACCESS_DESCRIPTION, (st)) #define sk_ASN1_GENERALSTRING_new(st) SKM_sk_new(ASN1_GENERALSTRING, (st)) #define sk_ASN1_GENERALSTRING_new_null() SKM_sk_new_null(ASN1_GENERALSTRING) @@ -243,6 +248,7 @@ STACK_OF(type) \ #define sk_ASN1_GENERALSTRING_shift(st) SKM_sk_shift(ASN1_GENERALSTRING, (st)) #define sk_ASN1_GENERALSTRING_pop(st) SKM_sk_pop(ASN1_GENERALSTRING, (st)) #define sk_ASN1_GENERALSTRING_sort(st) SKM_sk_sort(ASN1_GENERALSTRING, (st)) +#define sk_ASN1_GENERALSTRING_is_sorted(st) SKM_sk_is_sorted(ASN1_GENERALSTRING, (st)) #define sk_ASN1_INTEGER_new(st) SKM_sk_new(ASN1_INTEGER, (st)) #define sk_ASN1_INTEGER_new_null() SKM_sk_new_null(ASN1_INTEGER) @@ -263,6 +269,7 @@ STACK_OF(type) \ #define sk_ASN1_INTEGER_shift(st) SKM_sk_shift(ASN1_INTEGER, (st)) #define sk_ASN1_INTEGER_pop(st) SKM_sk_pop(ASN1_INTEGER, (st)) #define sk_ASN1_INTEGER_sort(st) SKM_sk_sort(ASN1_INTEGER, (st)) +#define sk_ASN1_INTEGER_is_sorted(st) SKM_sk_is_sorted(ASN1_INTEGER, (st)) #define sk_ASN1_OBJECT_new(st) SKM_sk_new(ASN1_OBJECT, (st)) #define sk_ASN1_OBJECT_new_null() SKM_sk_new_null(ASN1_OBJECT) 
@@ -283,6 +290,7 @@ STACK_OF(type) \ #define sk_ASN1_OBJECT_shift(st) SKM_sk_shift(ASN1_OBJECT, (st)) #define sk_ASN1_OBJECT_pop(st) SKM_sk_pop(ASN1_OBJECT, (st)) #define sk_ASN1_OBJECT_sort(st) SKM_sk_sort(ASN1_OBJECT, (st)) +#define sk_ASN1_OBJECT_is_sorted(st) SKM_sk_is_sorted(ASN1_OBJECT, (st)) #define sk_ASN1_STRING_TABLE_new(st) SKM_sk_new(ASN1_STRING_TABLE, (st)) #define sk_ASN1_STRING_TABLE_new_null() SKM_sk_new_null(ASN1_STRING_TABLE) @@ -303,6 +311,7 @@ STACK_OF(type) \ #define sk_ASN1_STRING_TABLE_shift(st) SKM_sk_shift(ASN1_STRING_TABLE, (st)) #define sk_ASN1_STRING_TABLE_pop(st) SKM_sk_pop(ASN1_STRING_TABLE, (st)) #define sk_ASN1_STRING_TABLE_sort(st) SKM_sk_sort(ASN1_STRING_TABLE, (st)) +#define sk_ASN1_STRING_TABLE_is_sorted(st) SKM_sk_is_sorted(ASN1_STRING_TABLE, (st)) #define sk_ASN1_TYPE_new(st) SKM_sk_new(ASN1_TYPE, (st)) #define sk_ASN1_TYPE_new_null() SKM_sk_new_null(ASN1_TYPE) @@ -323,6 +332,7 @@ STACK_OF(type) \ #define sk_ASN1_TYPE_shift(st) SKM_sk_shift(ASN1_TYPE, (st)) #define sk_ASN1_TYPE_pop(st) SKM_sk_pop(ASN1_TYPE, (st)) #define sk_ASN1_TYPE_sort(st) SKM_sk_sort(ASN1_TYPE, (st)) +#define sk_ASN1_TYPE_is_sorted(st) SKM_sk_is_sorted(ASN1_TYPE, (st)) #define sk_ASN1_VALUE_new(st) SKM_sk_new(ASN1_VALUE, (st)) #define sk_ASN1_VALUE_new_null() SKM_sk_new_null(ASN1_VALUE) @@ -343,6 +353,7 @@ STACK_OF(type) \ #define sk_ASN1_VALUE_shift(st) SKM_sk_shift(ASN1_VALUE, (st)) #define sk_ASN1_VALUE_pop(st) SKM_sk_pop(ASN1_VALUE, (st)) #define sk_ASN1_VALUE_sort(st) SKM_sk_sort(ASN1_VALUE, (st)) +#define sk_ASN1_VALUE_is_sorted(st) SKM_sk_is_sorted(ASN1_VALUE, (st)) #define sk_BIO_new(st) SKM_sk_new(BIO, (st)) #define sk_BIO_new_null() SKM_sk_new_null(BIO) 
@@ -363,6 +374,7 @@ STACK_OF(type) \ #define sk_BIO_shift(st) SKM_sk_shift(BIO, (st)) #define sk_BIO_pop(st) SKM_sk_pop(BIO, (st)) #define sk_BIO_sort(st) SKM_sk_sort(BIO, (st)) +#define sk_BIO_is_sorted(st) SKM_sk_is_sorted(BIO, (st)) #define sk_CONF_IMODULE_new(st) SKM_sk_new(CONF_IMODULE, (st)) #define sk_CONF_IMODULE_new_null() SKM_sk_new_null(CONF_IMODULE) @@ -383,6 +395,7 @@ STACK_OF(type) \ #define sk_CONF_IMODULE_shift(st) SKM_sk_shift(CONF_IMODULE, (st)) #define sk_CONF_IMODULE_pop(st) SKM_sk_pop(CONF_IMODULE, (st)) #define sk_CONF_IMODULE_sort(st) SKM_sk_sort(CONF_IMODULE, (st)) +#define sk_CONF_IMODULE_is_sorted(st) SKM_sk_is_sorted(CONF_IMODULE, (st)) #define sk_CONF_MODULE_new(st) SKM_sk_new(CONF_MODULE, (st)) #define sk_CONF_MODULE_new_null() SKM_sk_new_null(CONF_MODULE) @@ -403,6 +416,7 @@ STACK_OF(type) \ #define sk_CONF_MODULE_shift(st) SKM_sk_shift(CONF_MODULE, (st)) #define sk_CONF_MODULE_pop(st) SKM_sk_pop(CONF_MODULE, (st)) #define sk_CONF_MODULE_sort(st) SKM_sk_sort(CONF_MODULE, (st)) +#define sk_CONF_MODULE_is_sorted(st) SKM_sk_is_sorted(CONF_MODULE, (st)) #define sk_CONF_VALUE_new(st) SKM_sk_new(CONF_VALUE, (st)) #define sk_CONF_VALUE_new_null() SKM_sk_new_null(CONF_VALUE) @@ -423,6 +437,7 @@ STACK_OF(type) \ #define sk_CONF_VALUE_shift(st) SKM_sk_shift(CONF_VALUE, (st)) #define sk_CONF_VALUE_pop(st) SKM_sk_pop(CONF_VALUE, (st)) #define sk_CONF_VALUE_sort(st) SKM_sk_sort(CONF_VALUE, (st)) +#define sk_CONF_VALUE_is_sorted(st) SKM_sk_is_sorted(CONF_VALUE, (st)) #define sk_CRYPTO_EX_DATA_FUNCS_new(st) SKM_sk_new(CRYPTO_EX_DATA_FUNCS, (st)) #define sk_CRYPTO_EX_DATA_FUNCS_new_null() SKM_sk_new_null(CRYPTO_EX_DATA_FUNCS) 
@@ -443,6 +458,7 @@ STACK_OF(type) \ #define sk_CRYPTO_EX_DATA_FUNCS_shift(st) SKM_sk_shift(CRYPTO_EX_DATA_FUNCS, (st)) #define sk_CRYPTO_EX_DATA_FUNCS_pop(st) SKM_sk_pop(CRYPTO_EX_DATA_FUNCS, (st)) #define sk_CRYPTO_EX_DATA_FUNCS_sort(st) SKM_sk_sort(CRYPTO_EX_DATA_FUNCS, (st)) +#define sk_CRYPTO_EX_DATA_FUNCS_is_sorted(st) SKM_sk_is_sorted(CRYPTO_EX_DATA_FUNCS, (st)) #define sk_CRYPTO_dynlock_new(st) SKM_sk_new(CRYPTO_dynlock, (st)) #define sk_CRYPTO_dynlock_new_null() SKM_sk_new_null(CRYPTO_dynlock) @@ -463,6 +479,7 @@ STACK_OF(type) \ #define sk_CRYPTO_dynlock_shift(st) SKM_sk_shift(CRYPTO_dynlock, (st)) #define sk_CRYPTO_dynlock_pop(st) SKM_sk_pop(CRYPTO_dynlock, (st)) #define sk_CRYPTO_dynlock_sort(st) SKM_sk_sort(CRYPTO_dynlock, (st)) +#define sk_CRYPTO_dynlock_is_sorted(st) SKM_sk_is_sorted(CRYPTO_dynlock, (st)) #define sk_DIST_POINT_new(st) SKM_sk_new(DIST_POINT, (st)) #define sk_DIST_POINT_new_null() SKM_sk_new_null(DIST_POINT) @@ -483,6 +500,7 @@ STACK_OF(type) \ #define sk_DIST_POINT_shift(st) SKM_sk_shift(DIST_POINT, (st)) #define sk_DIST_POINT_pop(st) SKM_sk_pop(DIST_POINT, (st)) #define sk_DIST_POINT_sort(st) SKM_sk_sort(DIST_POINT, (st)) +#define sk_DIST_POINT_is_sorted(st) SKM_sk_is_sorted(DIST_POINT, (st)) #define sk_ENGINE_new(st) SKM_sk_new(ENGINE, (st)) #define sk_ENGINE_new_null() SKM_sk_new_null(ENGINE) @@ -503,6 +521,7 @@ STACK_OF(type) \ #define sk_ENGINE_shift(st) SKM_sk_shift(ENGINE, (st)) #define sk_ENGINE_pop(st) SKM_sk_pop(ENGINE, (st)) #define sk_ENGINE_sort(st) SKM_sk_sort(ENGINE, (st)) +#define sk_ENGINE_is_sorted(st) SKM_sk_is_sorted(ENGINE, (st)) #define sk_ENGINE_CLEANUP_ITEM_new(st) SKM_sk_new(ENGINE_CLEANUP_ITEM, (st)) #define sk_ENGINE_CLEANUP_ITEM_new_null() SKM_sk_new_null(ENGINE_CLEANUP_ITEM) 
@@ -523,6 +542,7 @@ STACK_OF(type) \ #define sk_ENGINE_CLEANUP_ITEM_shift(st) SKM_sk_shift(ENGINE_CLEANUP_ITEM, (st)) #define sk_ENGINE_CLEANUP_ITEM_pop(st) SKM_sk_pop(ENGINE_CLEANUP_ITEM, (st)) #define sk_ENGINE_CLEANUP_ITEM_sort(st) SKM_sk_sort(ENGINE_CLEANUP_ITEM, (st)) +#define sk_ENGINE_CLEANUP_ITEM_is_sorted(st) SKM_sk_is_sorted(ENGINE_CLEANUP_ITEM, (st)) #define sk_GENERAL_NAME_new(st) SKM_sk_new(GENERAL_NAME, (st)) #define sk_GENERAL_NAME_new_null() SKM_sk_new_null(GENERAL_NAME) @@ -543,6 +563,7 @@ STACK_OF(type) \ #define sk_GENERAL_NAME_shift(st) SKM_sk_shift(GENERAL_NAME, (st)) #define sk_GENERAL_NAME_pop(st) SKM_sk_pop(GENERAL_NAME, (st)) #define sk_GENERAL_NAME_sort(st) SKM_sk_sort(GENERAL_NAME, (st)) +#define sk_GENERAL_NAME_is_sorted(st) SKM_sk_is_sorted(GENERAL_NAME, (st)) #define sk_KRB5_APREQBODY_new(st) SKM_sk_new(KRB5_APREQBODY, (st)) #define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY) @@ -563,6 +584,7 @@ STACK_OF(type) \ #define sk_KRB5_APREQBODY_shift(st) SKM_sk_shift(KRB5_APREQBODY, (st)) #define sk_KRB5_APREQBODY_pop(st) SKM_sk_pop(KRB5_APREQBODY, (st)) #define sk_KRB5_APREQBODY_sort(st) SKM_sk_sort(KRB5_APREQBODY, (st)) +#define sk_KRB5_APREQBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_APREQBODY, (st)) #define sk_KRB5_AUTHDATA_new(st) SKM_sk_new(KRB5_AUTHDATA, (st)) #define sk_KRB5_AUTHDATA_new_null() SKM_sk_new_null(KRB5_AUTHDATA) @@ -583,6 +605,7 @@ STACK_OF(type) \ #define sk_KRB5_AUTHDATA_shift(st) SKM_sk_shift(KRB5_AUTHDATA, (st)) #define sk_KRB5_AUTHDATA_pop(st) SKM_sk_pop(KRB5_AUTHDATA, (st)) #define sk_KRB5_AUTHDATA_sort(st) SKM_sk_sort(KRB5_AUTHDATA, (st)) +#define sk_KRB5_AUTHDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHDATA, (st)) #define sk_KRB5_AUTHENTBODY_new(st) SKM_sk_new(KRB5_AUTHENTBODY, (st)) #define sk_KRB5_AUTHENTBODY_new_null() SKM_sk_new_null(KRB5_AUTHENTBODY) 
@@ -603,6 +626,7 @@ STACK_OF(type) \ #define sk_KRB5_AUTHENTBODY_shift(st) SKM_sk_shift(KRB5_AUTHENTBODY, (st)) #define sk_KRB5_AUTHENTBODY_pop(st) SKM_sk_pop(KRB5_AUTHENTBODY, (st)) #define sk_KRB5_AUTHENTBODY_sort(st) SKM_sk_sort(KRB5_AUTHENTBODY, (st)) +#define sk_KRB5_AUTHENTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHENTBODY, (st)) #define sk_KRB5_CHECKSUM_new(st) SKM_sk_new(KRB5_CHECKSUM, (st)) #define sk_KRB5_CHECKSUM_new_null() SKM_sk_new_null(KRB5_CHECKSUM) @@ -623,6 +647,7 @@ STACK_OF(type) \ #define sk_KRB5_CHECKSUM_shift(st) SKM_sk_shift(KRB5_CHECKSUM, (st)) #define sk_KRB5_CHECKSUM_pop(st) SKM_sk_pop(KRB5_CHECKSUM, (st)) #define sk_KRB5_CHECKSUM_sort(st) SKM_sk_sort(KRB5_CHECKSUM, (st)) +#define sk_KRB5_CHECKSUM_is_sorted(st) SKM_sk_is_sorted(KRB5_CHECKSUM, (st)) #define sk_KRB5_ENCDATA_new(st) SKM_sk_new(KRB5_ENCDATA, (st)) #define sk_KRB5_ENCDATA_new_null() SKM_sk_new_null(KRB5_ENCDATA) @@ -643,6 +668,7 @@ STACK_OF(type) \ #define sk_KRB5_ENCDATA_shift(st) SKM_sk_shift(KRB5_ENCDATA, (st)) #define sk_KRB5_ENCDATA_pop(st) SKM_sk_pop(KRB5_ENCDATA, (st)) #define sk_KRB5_ENCDATA_sort(st) SKM_sk_sort(KRB5_ENCDATA, (st)) +#define sk_KRB5_ENCDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCDATA, (st)) #define sk_KRB5_ENCKEY_new(st) SKM_sk_new(KRB5_ENCKEY, (st)) #define sk_KRB5_ENCKEY_new_null() SKM_sk_new_null(KRB5_ENCKEY) @@ -663,6 +689,7 @@ STACK_OF(type) \ #define sk_KRB5_ENCKEY_shift(st) SKM_sk_shift(KRB5_ENCKEY, (st)) #define sk_KRB5_ENCKEY_pop(st) SKM_sk_pop(KRB5_ENCKEY, (st)) #define sk_KRB5_ENCKEY_sort(st) SKM_sk_sort(KRB5_ENCKEY, (st)) +#define sk_KRB5_ENCKEY_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCKEY, (st)) #define sk_KRB5_PRINCNAME_new(st) SKM_sk_new(KRB5_PRINCNAME, (st)) #define sk_KRB5_PRINCNAME_new_null() SKM_sk_new_null(KRB5_PRINCNAME) 
@@ -683,6 +710,7 @@ STACK_OF(type) \ #define sk_KRB5_PRINCNAME_shift(st) SKM_sk_shift(KRB5_PRINCNAME, (st)) #define sk_KRB5_PRINCNAME_pop(st) SKM_sk_pop(KRB5_PRINCNAME, (st)) #define sk_KRB5_PRINCNAME_sort(st) SKM_sk_sort(KRB5_PRINCNAME, (st)) +#define sk_KRB5_PRINCNAME_is_sorted(st) SKM_sk_is_sorted(KRB5_PRINCNAME, (st)) #define sk_KRB5_TKTBODY_new(st) SKM_sk_new(KRB5_TKTBODY, (st)) #define sk_KRB5_TKTBODY_new_null() SKM_sk_new_null(KRB5_TKTBODY) @@ -703,6 +731,7 @@ STACK_OF(type) \ #define sk_KRB5_TKTBODY_shift(st) SKM_sk_shift(KRB5_TKTBODY, (st)) #define sk_KRB5_TKTBODY_pop(st) SKM_sk_pop(KRB5_TKTBODY, (st)) #define sk_KRB5_TKTBODY_sort(st) SKM_sk_sort(KRB5_TKTBODY, (st)) +#define sk_KRB5_TKTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_TKTBODY, (st)) #define sk_MIME_HEADER_new(st) SKM_sk_new(MIME_HEADER, (st)) #define sk_MIME_HEADER_new_null() SKM_sk_new_null(MIME_HEADER) @@ -723,6 +752,7 @@ STACK_OF(type) \ #define sk_MIME_HEADER_shift(st) SKM_sk_shift(MIME_HEADER, (st)) #define sk_MIME_HEADER_pop(st) SKM_sk_pop(MIME_HEADER, (st)) #define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st)) +#define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st)) #define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st)) #define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM) @@ -743,6 +773,7 @@ STACK_OF(type) \ #define sk_MIME_PARAM_shift(st) SKM_sk_shift(MIME_PARAM, (st)) #define sk_MIME_PARAM_pop(st) SKM_sk_pop(MIME_PARAM, (st)) #define sk_MIME_PARAM_sort(st) SKM_sk_sort(MIME_PARAM, (st)) +#define sk_MIME_PARAM_is_sorted(st) SKM_sk_is_sorted(MIME_PARAM, (st)) #define sk_NAME_FUNCS_new(st) SKM_sk_new(NAME_FUNCS, (st)) #define sk_NAME_FUNCS_new_null() SKM_sk_new_null(NAME_FUNCS) 
@@ -763,6 +794,7 @@ STACK_OF(type) \ #define sk_NAME_FUNCS_shift(st) SKM_sk_shift(NAME_FUNCS, (st)) #define sk_NAME_FUNCS_pop(st) SKM_sk_pop(NAME_FUNCS, (st)) #define sk_NAME_FUNCS_sort(st) SKM_sk_sort(NAME_FUNCS, (st)) +#define sk_NAME_FUNCS_is_sorted(st) SKM_sk_is_sorted(NAME_FUNCS, (st)) #define sk_OCSP_CERTID_new(st) SKM_sk_new(OCSP_CERTID, (st)) #define sk_OCSP_CERTID_new_null() SKM_sk_new_null(OCSP_CERTID) @@ -783,6 +815,7 @@ STACK_OF(type) \ #define sk_OCSP_CERTID_shift(st) SKM_sk_shift(OCSP_CERTID, (st)) #define sk_OCSP_CERTID_pop(st) SKM_sk_pop(OCSP_CERTID, (st)) #define sk_OCSP_CERTID_sort(st) SKM_sk_sort(OCSP_CERTID, (st)) +#define sk_OCSP_CERTID_is_sorted(st) SKM_sk_is_sorted(OCSP_CERTID, (st)) #define sk_OCSP_ONEREQ_new(st) SKM_sk_new(OCSP_ONEREQ, (st)) #define sk_OCSP_ONEREQ_new_null() SKM_sk_new_null(OCSP_ONEREQ) @@ -803,6 +836,7 @@ STACK_OF(type) \ #define sk_OCSP_ONEREQ_shift(st) SKM_sk_shift(OCSP_ONEREQ, (st)) #define sk_OCSP_ONEREQ_pop(st) SKM_sk_pop(OCSP_ONEREQ, (st)) #define sk_OCSP_ONEREQ_sort(st) SKM_sk_sort(OCSP_ONEREQ, (st)) +#define sk_OCSP_ONEREQ_is_sorted(st) SKM_sk_is_sorted(OCSP_ONEREQ, (st)) #define sk_OCSP_SINGLERESP_new(st) SKM_sk_new(OCSP_SINGLERESP, (st)) #define sk_OCSP_SINGLERESP_new_null() SKM_sk_new_null(OCSP_SINGLERESP) @@ -823,6 +857,7 @@ STACK_OF(type) \ #define sk_OCSP_SINGLERESP_shift(st) SKM_sk_shift(OCSP_SINGLERESP, (st)) #define sk_OCSP_SINGLERESP_pop(st) SKM_sk_pop(OCSP_SINGLERESP, (st)) #define sk_OCSP_SINGLERESP_sort(st) SKM_sk_sort(OCSP_SINGLERESP, (st)) +#define sk_OCSP_SINGLERESP_is_sorted(st) SKM_sk_is_sorted(OCSP_SINGLERESP, (st)) #define sk_PKCS12_SAFEBAG_new(st) SKM_sk_new(PKCS12_SAFEBAG, (st)) #define sk_PKCS12_SAFEBAG_new_null() SKM_sk_new_null(PKCS12_SAFEBAG) 
@@ -843,6 +878,7 @@ STACK_OF(type) \ #define sk_PKCS12_SAFEBAG_shift(st) SKM_sk_shift(PKCS12_SAFEBAG, (st)) #define sk_PKCS12_SAFEBAG_pop(st) SKM_sk_pop(PKCS12_SAFEBAG, (st)) #define sk_PKCS12_SAFEBAG_sort(st) SKM_sk_sort(PKCS12_SAFEBAG, (st)) +#define sk_PKCS12_SAFEBAG_is_sorted(st) SKM_sk_is_sorted(PKCS12_SAFEBAG, (st)) #define sk_PKCS7_new(st) SKM_sk_new(PKCS7, (st)) #define sk_PKCS7_new_null() SKM_sk_new_null(PKCS7) @@ -863,6 +899,7 @@ STACK_OF(type) \ #define sk_PKCS7_shift(st) SKM_sk_shift(PKCS7, (st)) #define sk_PKCS7_pop(st) SKM_sk_pop(PKCS7, (st)) #define sk_PKCS7_sort(st) SKM_sk_sort(PKCS7, (st)) +#define sk_PKCS7_is_sorted(st) SKM_sk_is_sorted(PKCS7, (st)) #define sk_PKCS7_RECIP_INFO_new(st) SKM_sk_new(PKCS7_RECIP_INFO, (st)) #define sk_PKCS7_RECIP_INFO_new_null() SKM_sk_new_null(PKCS7_RECIP_INFO) @@ -883,6 +920,7 @@ STACK_OF(type) \ #define sk_PKCS7_RECIP_INFO_shift(st) SKM_sk_shift(PKCS7_RECIP_INFO, (st)) #define sk_PKCS7_RECIP_INFO_pop(st) SKM_sk_pop(PKCS7_RECIP_INFO, (st)) #define sk_PKCS7_RECIP_INFO_sort(st) SKM_sk_sort(PKCS7_RECIP_INFO, (st)) +#define sk_PKCS7_RECIP_INFO_is_sorted(st) SKM_sk_is_sorted(PKCS7_RECIP_INFO, (st)) #define sk_PKCS7_SIGNER_INFO_new(st) SKM_sk_new(PKCS7_SIGNER_INFO, (st)) #define sk_PKCS7_SIGNER_INFO_new_null() SKM_sk_new_null(PKCS7_SIGNER_INFO) @@ -903,6 +941,7 @@ STACK_OF(type) \ #define sk_PKCS7_SIGNER_INFO_shift(st) SKM_sk_shift(PKCS7_SIGNER_INFO, (st)) #define sk_PKCS7_SIGNER_INFO_pop(st) SKM_sk_pop(PKCS7_SIGNER_INFO, (st)) #define sk_PKCS7_SIGNER_INFO_sort(st) SKM_sk_sort(PKCS7_SIGNER_INFO, (st)) +#define sk_PKCS7_SIGNER_INFO_is_sorted(st) SKM_sk_is_sorted(PKCS7_SIGNER_INFO, (st)) #define sk_POLICYINFO_new(st) SKM_sk_new(POLICYINFO, (st)) #define sk_POLICYINFO_new_null() SKM_sk_new_null(POLICYINFO) 
@@ -923,6 +962,7 @@ STACK_OF(type) \ #define sk_POLICYINFO_shift(st) SKM_sk_shift(POLICYINFO, (st)) #define sk_POLICYINFO_pop(st) SKM_sk_pop(POLICYINFO, (st)) #define sk_POLICYINFO_sort(st) SKM_sk_sort(POLICYINFO, (st)) +#define sk_POLICYINFO_is_sorted(st) SKM_sk_is_sorted(POLICYINFO, (st)) #define sk_POLICYQUALINFO_new(st) SKM_sk_new(POLICYQUALINFO, (st)) #define sk_POLICYQUALINFO_new_null() SKM_sk_new_null(POLICYQUALINFO) @@ -943,6 +983,7 @@ STACK_OF(type) \ #define sk_POLICYQUALINFO_shift(st) SKM_sk_shift(POLICYQUALINFO, (st)) #define sk_POLICYQUALINFO_pop(st) SKM_sk_pop(POLICYQUALINFO, (st)) #define sk_POLICYQUALINFO_sort(st) SKM_sk_sort(POLICYQUALINFO, (st)) +#define sk_POLICYQUALINFO_is_sorted(st) SKM_sk_is_sorted(POLICYQUALINFO, (st)) #define sk_SSL_CIPHER_new(st) SKM_sk_new(SSL_CIPHER, (st)) #define sk_SSL_CIPHER_new_null() SKM_sk_new_null(SSL_CIPHER) @@ -963,6 +1004,7 @@ STACK_OF(type) \ #define sk_SSL_CIPHER_shift(st) SKM_sk_shift(SSL_CIPHER, (st)) #define sk_SSL_CIPHER_pop(st) SKM_sk_pop(SSL_CIPHER, (st)) #define sk_SSL_CIPHER_sort(st) SKM_sk_sort(SSL_CIPHER, (st)) +#define sk_SSL_CIPHER_is_sorted(st) SKM_sk_is_sorted(SSL_CIPHER, (st)) #define sk_SSL_COMP_new(st) SKM_sk_new(SSL_COMP, (st)) #define sk_SSL_COMP_new_null() SKM_sk_new_null(SSL_COMP) @@ -983,6 +1025,7 @@ STACK_OF(type) \ #define sk_SSL_COMP_shift(st) SKM_sk_shift(SSL_COMP, (st)) #define sk_SSL_COMP_pop(st) SKM_sk_pop(SSL_COMP, (st)) #define sk_SSL_COMP_sort(st) SKM_sk_sort(SSL_COMP, (st)) +#define sk_SSL_COMP_is_sorted(st) SKM_sk_is_sorted(SSL_COMP, (st)) #define sk_SXNETID_new(st) SKM_sk_new(SXNETID, (st)) #define sk_SXNETID_new_null() SKM_sk_new_null(SXNETID) 
@@ -1003,6 +1046,7 @@ STACK_OF(type) \ #define sk_SXNETID_shift(st) SKM_sk_shift(SXNETID, (st)) #define sk_SXNETID_pop(st) SKM_sk_pop(SXNETID, (st)) #define sk_SXNETID_sort(st) SKM_sk_sort(SXNETID, (st)) +#define sk_SXNETID_is_sorted(st) SKM_sk_is_sorted(SXNETID, (st)) #define sk_UI_STRING_new(st) SKM_sk_new(UI_STRING, (st)) #define sk_UI_STRING_new_null() SKM_sk_new_null(UI_STRING) @@ -1023,6 +1067,7 @@ STACK_OF(type) \ #define sk_UI_STRING_shift(st) SKM_sk_shift(UI_STRING, (st)) #define sk_UI_STRING_pop(st) SKM_sk_pop(UI_STRING, (st)) #define sk_UI_STRING_sort(st) SKM_sk_sort(UI_STRING, (st)) +#define sk_UI_STRING_is_sorted(st) SKM_sk_is_sorted(UI_STRING, (st)) #define sk_X509_new(st) SKM_sk_new(X509, (st)) #define sk_X509_new_null() SKM_sk_new_null(X509) @@ -1043,6 +1088,7 @@ STACK_OF(type) \ #define sk_X509_shift(st) SKM_sk_shift(X509, (st)) #define sk_X509_pop(st) SKM_sk_pop(X509, (st)) #define sk_X509_sort(st) SKM_sk_sort(X509, (st)) +#define sk_X509_is_sorted(st) SKM_sk_is_sorted(X509, (st)) #define sk_X509V3_EXT_METHOD_new(st) SKM_sk_new(X509V3_EXT_METHOD, (st)) #define sk_X509V3_EXT_METHOD_new_null() SKM_sk_new_null(X509V3_EXT_METHOD) @@ -1063,6 +1109,7 @@ STACK_OF(type) \ #define sk_X509V3_EXT_METHOD_shift(st) SKM_sk_shift(X509V3_EXT_METHOD, (st)) #define sk_X509V3_EXT_METHOD_pop(st) SKM_sk_pop(X509V3_EXT_METHOD, (st)) #define sk_X509V3_EXT_METHOD_sort(st) SKM_sk_sort(X509V3_EXT_METHOD, (st)) +#define sk_X509V3_EXT_METHOD_is_sorted(st) SKM_sk_is_sorted(X509V3_EXT_METHOD, (st)) #define sk_X509_ALGOR_new(st) SKM_sk_new(X509_ALGOR, (st)) #define sk_X509_ALGOR_new_null() SKM_sk_new_null(X509_ALGOR) 
@@ -1083,6 +1130,7 @@ STACK_OF(type) \ #define sk_X509_ALGOR_shift(st) SKM_sk_shift(X509_ALGOR, (st)) #define sk_X509_ALGOR_pop(st) SKM_sk_pop(X509_ALGOR, (st)) #define sk_X509_ALGOR_sort(st) SKM_sk_sort(X509_ALGOR, (st)) +#define sk_X509_ALGOR_is_sorted(st) SKM_sk_is_sorted(X509_ALGOR, (st)) #define sk_X509_ATTRIBUTE_new(st) SKM_sk_new(X509_ATTRIBUTE, (st)) #define sk_X509_ATTRIBUTE_new_null() SKM_sk_new_null(X509_ATTRIBUTE) @@ -1103,6 +1151,7 @@ STACK_OF(type) \ #define sk_X509_ATTRIBUTE_shift(st) SKM_sk_shift(X509_ATTRIBUTE, (st)) #define sk_X509_ATTRIBUTE_pop(st) SKM_sk_pop(X509_ATTRIBUTE, (st)) #define sk_X509_ATTRIBUTE_sort(st) SKM_sk_sort(X509_ATTRIBUTE, (st)) +#define sk_X509_ATTRIBUTE_is_sorted(st) SKM_sk_is_sorted(X509_ATTRIBUTE, (st)) #define sk_X509_CRL_new(st) SKM_sk_new(X509_CRL, (st)) #define sk_X509_CRL_new_null() SKM_sk_new_null(X509_CRL) @@ -1123,6 +1172,7 @@ STACK_OF(type) \ #define sk_X509_CRL_shift(st) SKM_sk_shift(X509_CRL, (st)) #define sk_X509_CRL_pop(st) SKM_sk_pop(X509_CRL, (st)) #define sk_X509_CRL_sort(st) SKM_sk_sort(X509_CRL, (st)) +#define sk_X509_CRL_is_sorted(st) SKM_sk_is_sorted(X509_CRL, (st)) #define sk_X509_EXTENSION_new(st) SKM_sk_new(X509_EXTENSION, (st)) #define sk_X509_EXTENSION_new_null() SKM_sk_new_null(X509_EXTENSION) @@ -1143,6 +1193,7 @@ STACK_OF(type) \ #define sk_X509_EXTENSION_shift(st) SKM_sk_shift(X509_EXTENSION, (st)) #define sk_X509_EXTENSION_pop(st) SKM_sk_pop(X509_EXTENSION, (st)) #define sk_X509_EXTENSION_sort(st) SKM_sk_sort(X509_EXTENSION, (st)) +#define sk_X509_EXTENSION_is_sorted(st) SKM_sk_is_sorted(X509_EXTENSION, (st)) #define sk_X509_INFO_new(st) SKM_sk_new(X509_INFO, (st)) #define sk_X509_INFO_new_null() SKM_sk_new_null(X509_INFO) 
@@ -1163,6 +1214,7 @@ STACK_OF(type) \ #define sk_X509_INFO_shift(st) SKM_sk_shift(X509_INFO, (st)) #define sk_X509_INFO_pop(st) SKM_sk_pop(X509_INFO, (st)) #define sk_X509_INFO_sort(st) SKM_sk_sort(X509_INFO, (st)) +#define sk_X509_INFO_is_sorted(st) SKM_sk_is_sorted(X509_INFO, (st)) #define sk_X509_LOOKUP_new(st) SKM_sk_new(X509_LOOKUP, (st)) #define sk_X509_LOOKUP_new_null() SKM_sk_new_null(X509_LOOKUP) @@ -1183,6 +1235,7 @@ STACK_OF(type) \ #define sk_X509_LOOKUP_shift(st) SKM_sk_shift(X509_LOOKUP, (st)) #define sk_X509_LOOKUP_pop(st) SKM_sk_pop(X509_LOOKUP, (st)) #define sk_X509_LOOKUP_sort(st) SKM_sk_sort(X509_LOOKUP, (st)) +#define sk_X509_LOOKUP_is_sorted(st) SKM_sk_is_sorted(X509_LOOKUP, (st)) #define sk_X509_NAME_new(st) SKM_sk_new(X509_NAME, (st)) #define sk_X509_NAME_new_null() SKM_sk_new_null(X509_NAME) @@ -1203,6 +1256,7 @@ STACK_OF(type) \ #define sk_X509_NAME_shift(st) SKM_sk_shift(X509_NAME, (st)) #define sk_X509_NAME_pop(st) SKM_sk_pop(X509_NAME, (st)) #define sk_X509_NAME_sort(st) SKM_sk_sort(X509_NAME, (st)) +#define sk_X509_NAME_is_sorted(st) SKM_sk_is_sorted(X509_NAME, (st)) #define sk_X509_NAME_ENTRY_new(st) SKM_sk_new(X509_NAME_ENTRY, (st)) #define sk_X509_NAME_ENTRY_new_null() SKM_sk_new_null(X509_NAME_ENTRY) @@ -1223,6 +1277,7 @@ STACK_OF(type) \ #define sk_X509_NAME_ENTRY_shift(st) SKM_sk_shift(X509_NAME_ENTRY, (st)) #define sk_X509_NAME_ENTRY_pop(st) SKM_sk_pop(X509_NAME_ENTRY, (st)) #define sk_X509_NAME_ENTRY_sort(st) SKM_sk_sort(X509_NAME_ENTRY, (st)) +#define sk_X509_NAME_ENTRY_is_sorted(st) SKM_sk_is_sorted(X509_NAME_ENTRY, (st)) #define sk_X509_OBJECT_new(st) SKM_sk_new(X509_OBJECT, (st)) #define sk_X509_OBJECT_new_null() SKM_sk_new_null(X509_OBJECT) 
@@ -1243,6 +1298,7 @@ STACK_OF(type) \ #define sk_X509_OBJECT_shift(st) SKM_sk_shift(X509_OBJECT, (st)) #define sk_X509_OBJECT_pop(st) SKM_sk_pop(X509_OBJECT, (st)) #define sk_X509_OBJECT_sort(st) SKM_sk_sort(X509_OBJECT, (st)) +#define sk_X509_OBJECT_is_sorted(st) SKM_sk_is_sorted(X509_OBJECT, (st)) #define sk_X509_PURPOSE_new(st) SKM_sk_new(X509_PURPOSE, (st)) #define sk_X509_PURPOSE_new_null() SKM_sk_new_null(X509_PURPOSE) @@ -1263,6 +1319,7 @@ STACK_OF(type) \ #define sk_X509_PURPOSE_shift(st) SKM_sk_shift(X509_PURPOSE, (st)) #define sk_X509_PURPOSE_pop(st) SKM_sk_pop(X509_PURPOSE, (st)) #define sk_X509_PURPOSE_sort(st) SKM_sk_sort(X509_PURPOSE, (st)) +#define sk_X509_PURPOSE_is_sorted(st) SKM_sk_is_sorted(X509_PURPOSE, (st)) #define sk_X509_REVOKED_new(st) SKM_sk_new(X509_REVOKED, (st)) #define sk_X509_REVOKED_new_null() SKM_sk_new_null(X509_REVOKED) @@ -1283,6 +1340,7 @@ STACK_OF(type) \ #define sk_X509_REVOKED_shift(st) SKM_sk_shift(X509_REVOKED, (st)) #define sk_X509_REVOKED_pop(st) SKM_sk_pop(X509_REVOKED, (st)) #define sk_X509_REVOKED_sort(st) SKM_sk_sort(X509_REVOKED, (st)) +#define sk_X509_REVOKED_is_sorted(st) SKM_sk_is_sorted(X509_REVOKED, (st)) #define sk_X509_TRUST_new(st) SKM_sk_new(X509_TRUST, (st)) #define sk_X509_TRUST_new_null() SKM_sk_new_null(X509_TRUST) @@ -1303,6 +1361,7 @@ STACK_OF(type) \ #define sk_X509_TRUST_shift(st) SKM_sk_shift(X509_TRUST, (st)) #define sk_X509_TRUST_pop(st) SKM_sk_pop(X509_TRUST, (st)) #define sk_X509_TRUST_sort(st) SKM_sk_sort(X509_TRUST, (st)) +#define sk_X509_TRUST_is_sorted(st) SKM_sk_is_sorted(X509_TRUST, (st)) #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) diff --git a/lib/libcrypto/stack/stack.c b/lib/libcrypto/stack/stack.c index 2496f28a8c0..c7173eb6ab2 100644 --- a/lib/libcrypto/stack/stack.c +++ b/lib/libcrypto/stack/stack.c 
@@ -191,8 +191,7 @@ char *sk_delete(STACK *st, int loc) char *ret; int i,j; - if ((st == NULL) || (st->num == 0) || (loc < 0) - || (loc >= st->num)) return(NULL); + if(!st || (loc < 0) || (loc >= st->num)) return NULL; ret=st->data[loc]; if (loc != st->num-1) @@ -306,13 +305,13 @@ int sk_num(const STACK *st) char *sk_value(const STACK *st, int i) { - if(st == NULL) return NULL; + if(!st || (i < 0) || (i >= st->num)) return NULL; return st->data[i]; } char *sk_set(STACK *st, int i, char *value) { - if(st == NULL) return NULL; + if(!st || (i < 0) || (i >= st->num)) return NULL; return (st->data[i] = value); } @@ -332,3 +331,10 @@ void sk_sort(STACK *st) st->sorted=1; } } + +int sk_is_sorted(const STACK *st) + { + if (!st) + return 1; + return st->sorted; + } diff --git a/lib/libcrypto/stack/stack.h b/lib/libcrypto/stack/stack.h index 8b436ca4b98..7570b85fe85 100644 --- a/lib/libcrypto/stack/stack.h +++ b/lib/libcrypto/stack/stack.h @@ -99,6 +99,7 @@ int (*sk_set_cmp_func(STACK *sk, int (*c)(const char * const *, (const char * const *, const char * const *); STACK *sk_dup(STACK *st); void sk_sort(STACK *st); +int sk_is_sorted(const STACK *st); #ifdef __cplusplus } diff --git a/lib/libcrypto/util/cygwin.sh b/lib/libcrypto/util/cygwin.sh index 930f766b4ff..7f791d47f4b 100644 --- a/lib/libcrypto/util/cygwin.sh +++ b/lib/libcrypto/util/cygwin.sh @@ -21,11 +21,11 @@ function cleanup() function get_openssl_version() { - eval `grep '^VERSION=' Makefile.ssl` + eval `grep '^VERSION=' Makefile` if [ -z "${VERSION}" ] then - echo "Error: Couldn't retrieve OpenSSL version from Makefile.ssl." - echo " Check value of variable VERSION in Makefile.ssl." + echo "Error: Couldn't retrieve OpenSSL version from Makefile." + echo " Check value of variable VERSION in Makefile." exit 1 fi } 
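Review bot: `sk_set` in the second stack.c hunk overwrites an element but leaves `st->sorted` untouched, so the `sk_is_sorted()` accessor added in the third hunk can keep reporting 1 for a stack whose order has just been broken. Any caller that trusts the flag to skip a sort (presumably the find path, which is outside this diff) would then search an unordered array. Clearing the flag on write keeps the accessor honest: `st->data[i] = value; st->sorted = 0; return value;`. A short comment on `sk_is_sorted` saying that a NULL stack is deliberately reported as sorted would also help, since that choice is not obvious from the code.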
@@ -39,7 +39,7 @@ function base_install() function doc_install() { - DOC_DIR=${INSTALL_PREFIX}/usr/doc/openssl + DOC_DIR=${INSTALL_PREFIX}/usr/share/doc/openssl mkdir -p ${DOC_DIR} cp CHANGES CHANGES.SSLeay INSTALL LICENSE NEWS README ${DOC_DIR} @@ -49,7 +49,7 @@ function doc_install() function create_cygwin_readme() { - README_DIR=${INSTALL_PREFIX}/usr/doc/Cygwin + README_DIR=${INSTALL_PREFIX}/usr/share/doc/Cygwin README_FILE=${README_DIR}/openssl-${VERSION}.README mkdir -p ${README_DIR} @@ -112,8 +112,8 @@ cd ${INSTALL_PREFIX} strip usr/bin/*.exe usr/bin/*.dll # Runtime package -find etc usr/bin usr/doc usr/ssl/certs usr/ssl/man/man[157] usr/ssl/misc \ - usr/ssl/openssl.cnf usr/ssl/private -empty -o \! -type d | +find etc usr/bin usr/share/doc usr/ssl/certs usr/ssl/man/man[157] \ + usr/ssl/misc usr/ssl/openssl.cnf usr/ssl/private -empty -o \! -type d | tar cjfT openssl-${VERSION}-${SUBVERSION}.tar.bz2 - # Development package find usr/include usr/lib usr/ssl/man/man3 -empty -o \! -type d | diff --git a/lib/libcrypto/util/domd b/lib/libcrypto/util/domd index 49310bbdd1a..5610521f0b8 100644 --- a/lib/libcrypto/util/domd +++ b/lib/libcrypto/util/domd @@ -11,7 +11,7 @@ if [ "$1" = "-MD" ]; then fi if [ "$MAKEDEPEND" = "" ]; then MAKEDEPEND=makedepend; fi -cp Makefile.ssl Makefile.save +cp Makefile Makefile.save # fake the presence of Kerberos touch $TOP/krb5.h if [ "$MAKEDEPEND" = "gcc" ]; then 
@@ -20,15 +20,15 @@ if [ "$MAKEDEPEND" = "gcc" ]; then if [ "$1" != "--" ]; then args="$args $1"; fi shift done - sed -e '/^# DO NOT DELETE.*/,$d' < Makefile.ssl > Makefile.tmp + sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new rm -f Makefile.tmp else - ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND -f Makefile.ssl $@ - ${PERL} $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new + ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND -f Makefile $@ + ${PERL} $TOP/util/clean-depend.pl < Makefile > Makefile.new fi -mv Makefile.new Makefile.ssl +mv Makefile.new Makefile # unfake the presence of Kerberos rm $TOP/krb5.h diff --git a/lib/libcrypto/util/libeay.num b/lib/libcrypto/util/libeay.num index 203c7713e72..56fb7446e04 100644 --- a/lib/libcrypto/util/libeay.num +++ b/lib/libcrypto/util/libeay.num @@ -284,20 +284,20 @@ EVP_add_alias 291 NOEXIST::FUNCTION: EVP_add_cipher 292 EXIST::FUNCTION: EVP_add_digest 293 EXIST::FUNCTION: EVP_bf_cbc 294 EXIST::FUNCTION:BF -EVP_bf_cfb 295 EXIST::FUNCTION:BF +EVP_bf_cfb64 295 EXIST::FUNCTION:BF EVP_bf_ecb 296 EXIST::FUNCTION:BF EVP_bf_ofb 297 EXIST::FUNCTION:BF EVP_cleanup 298 EXIST::FUNCTION: EVP_des_cbc 299 EXIST::FUNCTION:DES -EVP_des_cfb 300 EXIST::FUNCTION:DES +EVP_des_cfb64 300 EXIST::FUNCTION:DES EVP_des_ecb 301 EXIST::FUNCTION:DES EVP_des_ede 302 EXIST::FUNCTION:DES EVP_des_ede3 303 EXIST::FUNCTION:DES EVP_des_ede3_cbc 304 EXIST::FUNCTION:DES -EVP_des_ede3_cfb 305 EXIST::FUNCTION:DES +EVP_des_ede3_cfb64 305 EXIST::FUNCTION:DES EVP_des_ede3_ofb 306 EXIST::FUNCTION:DES EVP_des_ede_cbc 307 EXIST::FUNCTION:DES -EVP_des_ede_cfb 308 EXIST::FUNCTION:DES +EVP_des_ede_cfb64 308 EXIST::FUNCTION:DES EVP_des_ede_ofb 309 EXIST::FUNCTION:DES EVP_des_ofb 310 EXIST::FUNCTION:DES EVP_desx_cbc 311 EXIST::FUNCTION:DES 
@@ -308,14 +308,14 @@ EVP_get_cipherbyname 315 EXIST::FUNCTION: EVP_get_digestbyname 316 EXIST::FUNCTION: EVP_get_pw_prompt 317 EXIST::FUNCTION: EVP_idea_cbc 318 EXIST::FUNCTION:IDEA -EVP_idea_cfb 319 EXIST::FUNCTION:IDEA +EVP_idea_cfb64 319 EXIST::FUNCTION:IDEA EVP_idea_ecb 320 EXIST::FUNCTION:IDEA EVP_idea_ofb 321 EXIST::FUNCTION:IDEA EVP_md2 322 EXIST::FUNCTION:MD2 EVP_md5 323 EXIST::FUNCTION:MD5 EVP_md_null 324 EXIST::FUNCTION: EVP_rc2_cbc 325 EXIST::FUNCTION:RC2 -EVP_rc2_cfb 326 EXIST::FUNCTION:RC2 +EVP_rc2_cfb64 326 EXIST::FUNCTION:RC2 EVP_rc2_ecb 327 EXIST::FUNCTION:RC2 EVP_rc2_ofb 328 EXIST::FUNCTION:RC2 EVP_rc4 329 EXIST::FUNCTION:RC4 @@ -962,7 +962,7 @@ i2t_ASN1_OBJECT 979 EXIST::FUNCTION: BN_BLINDING_new 980 EXIST::FUNCTION: BN_BLINDING_free 981 EXIST::FUNCTION: EVP_cast5_cbc 983 EXIST::FUNCTION:CAST -EVP_cast5_cfb 984 EXIST::FUNCTION:CAST +EVP_cast5_cfb64 984 EXIST::FUNCTION:CAST EVP_cast5_ecb 985 EXIST::FUNCTION:CAST EVP_cast5_ofb 986 EXIST::FUNCTION:CAST BF_decrypt 987 EXIST::FUNCTION:BF @@ -1057,7 +1057,7 @@ EVP_CIPHER_param_to_asn1 1084 EXIST::FUNCTION: EVP_CIPHER_get_asn1_iv 1085 EXIST::FUNCTION: EVP_CIPHER_set_asn1_iv 1086 EXIST::FUNCTION: EVP_rc5_32_12_16_cbc 1087 EXIST::FUNCTION:RC5 -EVP_rc5_32_12_16_cfb 1088 EXIST::FUNCTION:RC5 +EVP_rc5_32_12_16_cfb64 1088 EXIST::FUNCTION:RC5 EVP_rc5_32_12_16_ecb 1089 EXIST::FUNCTION:RC5 EVP_rc5_32_12_16_ofb 1090 EXIST::FUNCTION:RC5 asn1_add_error 1091 EXIST::FUNCTION: 
@@ -2776,10 +2776,10 @@ ENGINE_load_4758cca 3218 EXIST::FUNCTION:ENGINE _ossl_096_des_random_seed 3219 EXIST::FUNCTION:DES EVP_aes_256_ofb 3220 EXIST::FUNCTION:AES EVP_aes_192_ofb 3221 EXIST::FUNCTION:AES -EVP_aes_128_cfb 3222 EXIST::FUNCTION:AES -EVP_aes_256_cfb 3223 EXIST::FUNCTION:AES +EVP_aes_128_cfb128 3222 EXIST::FUNCTION:AES +EVP_aes_256_cfb128 3223 EXIST::FUNCTION:AES EVP_aes_128_ofb 3224 EXIST::FUNCTION:AES -EVP_aes_192_cfb 3225 EXIST::FUNCTION:AES +EVP_aes_192_cfb128 3225 EXIST::FUNCTION:AES CONF_modules_free 3226 EXIST::FUNCTION: NCONF_default 3227 EXIST::FUNCTION: OPENSSL_no_config 3228 EXIST::FUNCTION: 
@@ -2803,3 +2803,67 @@ OpenSSLDie 3244 EXIST::FUNCTION: OPENSSL_cleanse 3245 EXIST::FUNCTION: ENGINE_setup_bsd_cryptodev 3246 EXIST:__FreeBSD__:FUNCTION:ENGINE ERR_release_err_state_table 3247 EXIST::FUNCTION:LHASH +EVP_aes_128_cfb8 3248 EXIST::FUNCTION:AES +FIPS_corrupt_rsa 3249 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_selftest_des 3250 EXIST:OPENSSL_FIPS:FUNCTION: +EVP_aes_128_cfb1 3251 EXIST::FUNCTION:AES +EVP_aes_192_cfb8 3252 EXIST::FUNCTION:AES +FIPS_mode_set 3253 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_selftest_dsa 3254 EXIST:OPENSSL_FIPS:FUNCTION: +EVP_aes_256_cfb8 3255 EXIST::FUNCTION:AES +FIPS_allow_md5 3256 EXIST:OPENSSL_FIPS:FUNCTION: +DES_ede3_cfb_encrypt 3257 EXIST::FUNCTION:DES +EVP_des_ede3_cfb8 3258 EXIST::FUNCTION:DES +FIPS_rand_seeded 3259 EXIST:OPENSSL_FIPS:FUNCTION: +AES_cfbr_encrypt_block 3260 EXIST::FUNCTION:AES +AES_cfb8_encrypt 3261 EXIST::FUNCTION:AES +FIPS_rand_seed 3262 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_corrupt_des 3263 EXIST:OPENSSL_FIPS:FUNCTION: +EVP_aes_192_cfb1 3264 EXIST::FUNCTION:AES +FIPS_selftest_aes 3265 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_set_prng_key 3266 EXIST:OPENSSL_FIPS:FUNCTION: +EVP_des_cfb8 3267 EXIST::FUNCTION:DES +FIPS_corrupt_dsa 3268 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_test_mode 3269 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_rand_method 3270 EXIST:OPENSSL_FIPS:FUNCTION: +EVP_aes_256_cfb1 3271 EXIST::FUNCTION:AES +ERR_load_FIPS_strings 3272 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_corrupt_aes 3273 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_selftest_sha1 3274 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_selftest_rsa 3275 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_corrupt_sha1 3276 EXIST:OPENSSL_FIPS:FUNCTION: +EVP_des_cfb1 3277 EXIST::FUNCTION:DES +FIPS_dsa_check 3278 EXIST:OPENSSL_FIPS:FUNCTION: +AES_cfb1_encrypt 3279 EXIST::FUNCTION:AES +EVP_des_ede3_cfb1 3280 EXIST::FUNCTION:DES +FIPS_rand_check 3281 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_md5_allowed 3282 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_mode 3283 EXIST:OPENSSL_FIPS:FUNCTION: +FIPS_selftest_failed 3284 
EXIST:OPENSSL_FIPS:FUNCTION: +sk_is_sorted 3285 EXIST::FUNCTION: +X509_check_ca 3286 EXIST::FUNCTION: +private_idea_set_encrypt_key 3287 EXIST:OPENSSL_FIPS:FUNCTION:IDEA +HMAC_CTX_set_flags 3288 EXIST::FUNCTION:HMAC +private_SHA_Init 3289 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA0 +private_CAST_set_key 3290 EXIST:OPENSSL_FIPS:FUNCTION:CAST +private_RIPEMD160_Init 3291 EXIST:OPENSSL_FIPS:FUNCTION:RIPEMD +private_RC5_32_set_key 3292 EXIST:OPENSSL_FIPS:FUNCTION:RC5 +private_MD5_Init 3293 EXIST:OPENSSL_FIPS:FUNCTION:MD5 +private_RC4_set_key 3294 EXIST:OPENSSL_FIPS:FUNCTION:RC4 +private_MDC2_Init 3295 EXIST:OPENSSL_FIPS:FUNCTION:MDC2 +private_RC2_set_key 3296 EXIST:OPENSSL_FIPS:FUNCTION:RC2 +private_MD4_Init 3297 EXIST:OPENSSL_FIPS:FUNCTION:MD4 +private_BF_set_key 3298 EXIST:OPENSSL_FIPS:FUNCTION:BF +private_MD2_Init 3299 EXIST:OPENSSL_FIPS:FUNCTION:MD2 +d2i_PROXY_CERT_INFO_EXTENSION 3300 EXIST::FUNCTION: +PROXY_POLICY_it 3301 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: +PROXY_POLICY_it 3301 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +i2d_PROXY_POLICY 3302 EXIST::FUNCTION: +i2d_PROXY_CERT_INFO_EXTENSION 3303 EXIST::FUNCTION: +d2i_PROXY_POLICY 3304 EXIST::FUNCTION: +PROXY_CERT_INFO_EXTENSION_new 3305 EXIST::FUNCTION: +PROXY_CERT_INFO_EXTENSION_free 3306 EXIST::FUNCTION: +PROXY_CERT_INFO_EXTENSION_it 3307 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: +PROXY_CERT_INFO_EXTENSION_it 3307 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +PROXY_POLICY_free 3308 EXIST::FUNCTION: +PROXY_POLICY_new 3309 EXIST::FUNCTION: diff --git a/lib/libcrypto/util/mk1mf.pl b/lib/libcrypto/util/mk1mf.pl index b4bc0457e54..957264c6b54 100644 --- a/lib/libcrypto/util/mk1mf.pl +++ b/lib/libcrypto/util/mk1mf.pl @@ -10,7 +10,7 @@ $OPTIONS=""; $ssl_version=""; $banner="\t\@echo Building OpenSSL"; -open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n"; +open(IN,"<Makefile") || die "unable to open Makefile!\n"; while(<IN>) { $ssl_version=$1 if (/^VERSION=(.*)$/); $OPTIONS=$1 if (/^OPTIONS=(.*)$/); 
@@ -18,7 +18,7 @@ while(<IN>) { } close(IN); -die "Makefile.ssl is not the toplevel Makefile!\n" if $ssl_version eq ""; +die "Makefile is not the toplevel Makefile!\n" if $ssl_version eq ""; $infile="MINFO"; @@ -222,7 +222,7 @@ $cflags.=" -DOPENSSL_NO_SHA" if $no_sha; $cflags.=" -DOPENSSL_NO_SHA1" if $no_sha1; $cflags.=" -DOPENSSL_NO_RIPEMD" if $no_ripemd; $cflags.=" -DOPENSSL_NO_MDC2" if $no_mdc2; -$cflags.=" -DOPENSSL_NO_BF" if $no_bf; +$cflags.=" -DOPENSSL_NO_BF" if $no_bf; $cflags.=" -DOPENSSL_NO_CAST" if $no_cast; $cflags.=" -DOPENSSL_NO_DES" if $no_des; $cflags.=" -DOPENSSL_NO_RSA" if $no_rsa; @@ -236,6 +236,7 @@ $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5; $cflags.=" -DOPENSSL_NO_EC" if $no_ec; $cflags.=" -DOPENSSL_NO_ENGINE" if $no_engine; $cflags.=" -DOPENSSL_NO_HW" if $no_hw; +$cflags.=" -DOPENSSL_FIPS" if $fips; #$cflags.=" -DRSAref" if $rsaref ne ""; ## if ($unix) @@ -631,15 +632,21 @@ foreach (split(/\s+/,$test)) $rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)"); $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)"); -$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)"); - +if ($fips) + { + $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)","\$(BIN_D)$o.sha1","\$(BIN_D)$o\$(E_EXE)$exep"); + } +else + { + $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)"); + } print $defs; if ($platform eq "linux-elf") { print <<"EOF"; # Generate perlasm output files %.cpp: - (cd \$(\@D)/..; PERL=perl make -f Makefile.ssl asm/\$(\@F)) + (cd \$(\@D)/..; PERL=perl make -f Makefile asm/\$(\@F)) EOF } print "###################################################################\n"; 
@@ -921,6 +928,7 @@ sub read_options $no_aes=1; } elsif (/^rsaref$/) { } + elsif (/^fips$/) { $fips=1; } elsif (/^gcc$/) { $gcc=1; } elsif (/^debug$/) { $debug=1; } elsif (/^profile$/) { $profile=1; } diff --git a/lib/libcrypto/util/mkdef.pl b/lib/libcrypto/util/mkdef.pl index 01a1bfda197..9918c3d549c 100644 --- a/lib/libcrypto/util/mkdef.pl +++ b/lib/libcrypto/util/mkdef.pl @@ -79,7 +79,7 @@ my $OS2=0; my $safe_stack_def = 0; my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT", - "EXPORT_VAR_AS_FUNCTION" ); + "EXPORT_VAR_AS_FUNCTION", "OPENSSL_FIPS" ); my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT", "OS2" ); my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF", "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1", @@ -94,7 +94,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF", "FP_API", "STDIO", "SOCK", "KRB5", "ENGINE", "HW" ); my $options=""; -open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n"; +open(IN,"<Makefile") || die "unable to open Makefile!\n"; while(<IN>) { $options=$1 if (/^OPTIONS=(.*)$/); } @@ -109,6 +109,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2; my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5; my $no_ec; my $no_engine; my $no_hw; my $no_fp_api; +my $fips; foreach (@ARGV, split(/ /, $options)) { @@ -129,6 +130,7 @@ foreach (@ARGV, split(/ /, $options)) } $VMS=1 if $_ eq "VMS"; $OS2=1 if $_ eq "OS2"; + $fips=1 if $_ eq "fips"; $do_ssl=1 if $_ eq "ssleay"; if ($_ eq "ssl") { @@ -265,6 +267,7 @@ $crypto.=" crypto/ocsp/ocsp.h"; $crypto.=" crypto/ui/ui.h crypto/ui/ui_compat.h"; $crypto.=" crypto/krb5/krb5_asn.h"; $crypto.=" crypto/tmdiff.h"; +$crypto.=" fips/fips.h fips/rand/fips_rand.h"; my $symhacks="crypto/symhacks.h"; @@ -469,7 +472,7 @@ sub do_defs push(@tag,$1); $tag{$1}=-1; } - } elsif (/^\#\s*ifdef\s+(.*)/) { + } elsif (/^\#\s*ifdef\s+(\S*)/) { push(@tag,"-"); push(@tag,$1); $tag{$1}=1; 
@@ -794,7 +797,7 @@ sub do_defs } close(IN); - my $algs; + my $algs = ''; my $plays; print STDERR "DEBUG: postprocessing ----------\n" if $debug; @@ -864,6 +867,7 @@ sub do_defs $platform{$s} = &reduce_platforms((defined($platform{$s})?$platform{$s}.',':"").$p); + $algorithm{$s} = '' if !defined $algorithm{$s}; $algorithm{$s} .= ','.$a; if (defined($variant{$s})) { @@ -1028,6 +1032,9 @@ sub is_valid if ($keyword eq "EXPORT_VAR_AS_FUNCTION" && ($VMSVAX || $W32 || $W16)) { return 1; } + if ($keyword eq "OPENSSL_FIPS" && $fips) { + return 1; + } return 0; } else { # algorithms @@ -1119,7 +1126,7 @@ sub print_test_file sub get_version { local *MF; my $v = '?'; - open MF, 'Makefile.ssl' or return $v; + open MF, 'Makefile' or return $v; while (<MF>) { $v = $1, last if /^VERSION=(.*?)\s*$/; } diff --git a/lib/libcrypto/util/mkerr.pl b/lib/libcrypto/util/mkerr.pl index 1b2915c7677..60e534807eb 100644 --- a/lib/libcrypto/util/mkerr.pl +++ b/lib/libcrypto/util/mkerr.pl @@ -41,7 +41,8 @@ while (@ARGV) { } if($recurse) { - @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>); + @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>, <fips/*.c>, + <fips/*/*.c>); } else { @source = @ARGV; } @@ -262,7 +263,7 @@ foreach $lib (keys %csrc) } else { push @out, "/* ====================================================================\n", -" * Copyright (c) 2001-2003 The OpenSSL Project. All rights reserved.\n", +" * Copyright (c) 2001-2005 The OpenSSL Project. All rights reserved.\n", " *\n", " * Redistribution and use in source and binary forms, with or without\n", " * modification, are permitted provided that the following conditions\n", 
@@ -404,7 +405,7 @@ EOF print OUT <<"EOF"; /* $cfile */ /* ==================================================================== - * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/lib/libcrypto/util/mkfiles.pl b/lib/libcrypto/util/mkfiles.pl index 29e1404c695..928a274303d 100644 --- a/lib/libcrypto/util/mkfiles.pl +++ b/lib/libcrypto/util/mkfiles.pl @@ -51,6 +51,14 @@ my @dirs = ( "crypto/ocsp", "crypto/ui", "crypto/krb5", +"fips", +"fips/aes", +"fips/des", +"fips/dsa", +"fips/dh", +"fips/rand", +"fips/rsa", +"fips/sha1", "ssl", "apps", "test", @@ -58,7 +66,7 @@ my @dirs = ( ); foreach (@dirs) { - &files_dir ($_, "Makefile.ssl"); + &files_dir ($_, "Makefile"); } exit(0); diff --git a/lib/libcrypto/util/mklink.pl b/lib/libcrypto/util/mklink.pl index 9386da7aa4c..c8653cecc37 100644 --- a/lib/libcrypto/util/mklink.pl +++ b/lib/libcrypto/util/mklink.pl @@ -52,6 +52,7 @@ $symlink_exists=eval {symlink("",""); 1}; foreach $file (@files) { my $err = ""; if ($symlink_exists) { + unlink "$from/$file"; symlink("$to/$file", "$from/$file") or $err = " [$!]"; } else { unlink "$from/$file"; diff --git a/lib/libcrypto/util/mkstack.pl b/lib/libcrypto/util/mkstack.pl index 085c50f790f..0ca9eb6a766 100644 --- a/lib/libcrypto/util/mkstack.pl +++ b/lib/libcrypto/util/mkstack.pl @@ -84,6 +84,7 @@ while(<IN>) { #define sk_${type_thing}_shift(st) SKM_sk_shift($type_thing, (st)) #define sk_${type_thing}_pop(st) SKM_sk_pop($type_thing, (st)) #define sk_${type_thing}_sort(st) SKM_sk_sort($type_thing, (st)) +#define sk_${type_thing}_is_sorted(st) SKM_sk_is_sorted($type_thing, (st)) EOF } foreach $type_thing (sort @asn1setlst) { diff --git a/lib/libcrypto/util/pl/BC-16.pl b/lib/libcrypto/util/pl/BC-16.pl index 2033f524ca5..8030653daad 100644 
--- a/lib/libcrypto/util/pl/BC-16.pl +++ b/lib/libcrypto/util/pl/BC-16.pl @@ -64,7 +64,7 @@ $lfile=''; $asm='bcc -c -B -Tml'; $afile='/o'; -if ($no_asm) +if ($no_asm || $fips) { $bn_asm_obj=''; $bn_asm_src=''; @@ -119,11 +119,11 @@ sub do_lib_rule sub do_link_rule { - local($target,$files,$dep_libs,$libs)=@_; + local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_; local($ret,$f,$_,@f); - + $file =~ s/\//$o/g if $o ne '/'; - $n=&bname($targer); + $n=&bname($target); $ret.="$target: $files $dep_libs\n"; $ret.=" \$(LINK) @&&|"; @@ -139,7 +139,12 @@ sub do_link_rule } else { $ret.="\n $r \$(APP_EX_OBJ) $files\n"; } - $ret.=" $target\n\n $libs\n\n|\n\n"; + $ret.=" $target\n\n $libs\n\n|\n"; + if (defined $sha1file) + { + $ret.=" $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file"; + } + $ret.="\n"; return($ret); } diff --git a/lib/libcrypto/util/pl/BC-32.pl b/lib/libcrypto/util/pl/BC-32.pl index e83b3361908..897ae9d8249 100644 --- a/lib/libcrypto/util/pl/BC-32.pl +++ b/lib/libcrypto/util/pl/BC-32.pl @@ -62,7 +62,7 @@ $des_enc_src=''; $bf_enc_obj=''; $bf_enc_src=''; -if (!$no_asm) +if (!$no_asm && !$fips) { $bn_mulw_obj='crypto\bn\asm\bn_win32.obj'; $bn_mulw_src='crypto\bn\asm\bn_win32.asm'; @@ -122,13 +122,18 @@ sub do_lib_rule sub do_link_rule { - local($target,$files,$dep_libs,$libs)=@_; + local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_; local($ret,$_); - + $file =~ s/\//$o/g if $o ne '/'; $n=&bname($targer); $ret.="$target: $files $dep_libs\n"; - $ret.="\t\$(LINK) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, $libs\n\n"; + $ret.="\t\$(LINK) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, $libs\n"; + if (defined $sha1file) + { + $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file"; + } + $ret.="\n"; return($ret); } diff --git a/lib/libcrypto/util/pl/Mingw32.pl b/lib/libcrypto/util/pl/Mingw32.pl index 4bee638c4a6..b9bb24d21d7 100644 --- a/lib/libcrypto/util/pl/Mingw32.pl +++ b/lib/libcrypto/util/pl/Mingw32.pl 
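Review bot: The HMAC key `etaonrishdlcupfm` in the `sha1 -hmac` line that `do_link_rule` now emits is a literal in the build rule, and the same line is repeated in BC-32.pl, Mingw32.pl, OS2-EMX.pl, VC-16.pl, VC-32.pl, linux.pl, ultrix.pl and unix.pl. Because the key is a fixed value readable in the source, the generated `.sha1` file can detect accidental corruption of the binary but not replacement by someone able to rewrite both files. A comment such as `# fixed, public integrity-check key: detects corruption, not tampering` would stop readers from treating it as a secret. Defining it once, e.g. `$fips_hmac_key="etaonrishdlcupfm";` in mk1mf.pl, and interpolating that variable here would keep the nine copies from drifting apart. The code that verifies the fingerprint is not visible in this diff, so the value has to stay in step with it.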
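Review bot: `$n=&bname($targer);` in BC-32.pl's `do_link_rule` still uses the misspelled variable that this commit corrects to `$target` in BC-16.pl, so `bname` is called on an undefined value here. The same unchanged context line remains in the VC-32.pl hunk. Both should read `$n=&bname($target);` so the three files agree.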
@@ -21,7 +21,7 @@ if ($debug) else { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -mcpu=i486 -Wall"; } -if ($gaswin and !$no_asm) +if ($gaswin and !$no_asm and !$fips) { $bn_asm_obj='$(OBJ_D)\bn-win32.o'; $bn_asm_src='crypto/bn/asm/bn-win32.s'; @@ -92,13 +92,18 @@ sub do_lib_rule sub do_link_rule { - local($target,$files,$dep_libs,$libs)=@_; + local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_; local($ret,$_); $file =~ s/\//$o/g if $o ne '/'; $n=&bname($target); $ret.="$target: $files $dep_libs\n"; - $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n"; + $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n"; + if (defined $sha1file) + { + $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file"; + } + $ret.="\n"; return($ret); } 1; diff --git a/lib/libcrypto/util/pl/OS2-EMX.pl b/lib/libcrypto/util/pl/OS2-EMX.pl index ddb35242108..75d72ebbcbd 100644 --- a/lib/libcrypto/util/pl/OS2-EMX.pl +++ b/lib/libcrypto/util/pl/OS2-EMX.pl @@ -48,7 +48,7 @@ $des_enc_src=""; $bf_enc_obj=""; $bf_enc_src=""; -if (!$no_asm) +if (!$no_asm && !$fips) { $bn_asm_obj="crypto/bn/asm/bn-os2$obj crypto/bn/asm/co-os2$obj"; $bn_asm_src="crypto/bn/asm/bn-os2.asm crypto/bn/asm/co-os2.asm"; @@ -106,13 +106,18 @@ sub do_lib_rule sub do_link_rule { - local($target,$files,$dep_libs,$libs)=@_; + local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_; local($ret,$_); $file =~ s/\//$o/g if $o ne '/'; $n=&bname($target); $ret.="$target: $files $dep_libs\n"; - $ret.="\t\$(LINK) ${efile}$target \$(CFLAG) \$(LFLAGS) $files $libs\n\n"; + $ret.="\t\$(LINK) ${efile}$target \$(CFLAG) \$(LFLAGS) $files $libs\n"; + if (defined $sha1file) + { + $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file"; + } + $ret.="\n"; return($ret); } diff --git a/lib/libcrypto/util/pl/VC-16.pl b/lib/libcrypto/util/pl/VC-16.pl index 7cda5e67a94..564ba3fd08b 100644 --- a/lib/libcrypto/util/pl/VC-16.pl +++ b/lib/libcrypto/util/pl/VC-16.pl 
@@ -61,7 +61,7 @@ if ($shlib) else { $mlflags=''; } -$app_ex_obj="setargv.obj"; +$app_ex_obj=""; $obj='.obj'; $ofile="/Fo"; @@ -90,7 +90,7 @@ $des_enc_src=''; $bf_enc_obj=''; $bf_enc_src=''; -if (!$no_asm) +if (!$no_asm && !$fips) { if ($asmbits == 32) { @@ -147,7 +147,7 @@ sub do_lib_rule sub do_link_rule { - local($target,$files,$dep_libs,$libs)=@_; + local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_; local($ret,$f,$_,@f); $file =~ s/\//$o/g if $o ne '/'; @@ -165,7 +165,12 @@ sub do_link_rule } else { $ret.=" \$(APP_EX_OBJ) $files"; } - $ret.="\n $target\n\n $libs\n\n<<\n\n"; + $ret.="\n $target\n\n $libs\n\n<<\n"; + if (defined $sha1file) + { + $ret.=" $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file"; + } + $ret.="\n"; return($ret); } diff --git a/lib/libcrypto/util/pl/VC-32.pl b/lib/libcrypto/util/pl/VC-32.pl index 285990c5896..cf689b9feb4 100644 --- a/lib/libcrypto/util/pl/VC-32.pl +++ b/lib/libcrypto/util/pl/VC-32.pl @@ -64,7 +64,7 @@ $des_enc_src=''; $bf_enc_obj=''; $bf_enc_src=''; -if (!$no_asm) +if (!$no_asm && !$fips) { $bn_asm_obj='crypto\bn\asm\bn_win32.obj'; $bn_asm_src='crypto\bn\asm\bn_win32.asm'; @@ -126,14 +126,19 @@ sub do_lib_rule sub do_link_rule { - local($target,$files,$dep_libs,$libs)=@_; + local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_; local($ret,$_); $file =~ s/\//$o/g if $o ne '/'; $n=&bname($targer); $ret.="$target: $files $dep_libs\n"; $ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n"; - $ret.=" \$(APP_EX_OBJ) $files $libs\n<<\n\n"; + $ret.=" \$(APP_EX_OBJ) $files $libs\n<<\n"; + if (defined $sha1file) + { + $ret.=" $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file"; + } + $ret.="\n"; return($ret); } diff --git a/lib/libcrypto/util/pl/linux.pl b/lib/libcrypto/util/pl/linux.pl index 8924ed54808..df05c40526e 100644 --- a/lib/libcrypto/util/pl/linux.pl +++ b/lib/libcrypto/util/pl/linux.pl 
@@ -72,13 +72,18 @@ sub do_shlib_rule sub do_link_rule { - local($target,$files,$dep_libs,$libs)=@_; + local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_; local($ret,$_); $file =~ s/\//$o/g if $o ne '/'; $n=&bname($target); $ret.="$target: $files $dep_libs\n"; - $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n"; + $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n"; + if (defined $sha1file) + { + $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file"; + } + $ret.="\n"; return($ret); } diff --git a/lib/libcrypto/util/pl/ultrix.pl b/lib/libcrypto/util/pl/ultrix.pl index ea370c71f96..447b8547080 100644 --- a/lib/libcrypto/util/pl/ultrix.pl +++ b/lib/libcrypto/util/pl/ultrix.pl @@ -17,7 +17,7 @@ else $cflags.=" -std1 -DL_ENDIAN"; -if (!$no_asm) +if (!$no_asm && !$fips) { $bn_asm_obj='$(OBJ_D)/mips1.o'; $bn_asm_src='crypto/bn/asm/mips1.s'; @@ -25,13 +25,18 @@ if (!$no_asm) sub do_link_rule { - local($target,$files,$dep_libs,$libs)=@_; + local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_; local($ret,$_); $file =~ s/\//$o/g if $o ne '/'; $n=&bname($target); $ret.="$target: $files $dep_libs\n"; - $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n"; + $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n"; + if (defined $sha1file) + { + $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file"; + } + $ret.="\n"; return($ret); } diff --git a/lib/libcrypto/util/pl/unix.pl b/lib/libcrypto/util/pl/unix.pl index 146611ad995..bbd1798a2e5 100644 --- a/lib/libcrypto/util/pl/unix.pl +++ b/lib/libcrypto/util/pl/unix.pl 
@@ -70,13 +70,18 @@ sub do_lib_rule sub do_link_rule { - local($target,$files,$dep_libs,$libs)=@_; + local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_; local($ret,$_); $file =~ s/\//$o/g if $o ne '/'; $n=&bname($target); $ret.="$target: $files $dep_libs\n"; - $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n"; + $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n"; + if (defined $sha1file) + { + $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file"; + } + $ret.="\n"; return($ret); } diff --git a/lib/libcrypto/util/selftest.pl b/lib/libcrypto/util/selftest.pl index 276b81183d2..e9d5aa8938e 100644 --- a/lib/libcrypto/util/selftest.pl +++ b/lib/libcrypto/util/selftest.pl @@ -34,9 +34,9 @@ foreach $_ (split("\n",$c)) { $platform0=$1 if (/Configuring for (.*)$/); } -system "sh config" if (! -f "Makefile.ssl"); +system "sh config" if (! -f "Makefile"); -if (open(IN,"<Makefile.ssl")) { +if (open(IN,"<Makefile")) { while (<IN>) { $version=$1 if (/^VERSION=(.*)$/); $platform=$1 if (/^PLATFORM=(.*)$/); diff --git a/lib/libcrypto/x509/by_file.c b/lib/libcrypto/x509/by_file.c index b4b04183d07..a5e0d4aefa1 100644 --- a/lib/libcrypto/x509/by_file.c +++ b/lib/libcrypto/x509/by_file.c @@ -150,7 +150,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type) x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL); if (x == NULL) { - if ((ERR_GET_REASON(ERR_peek_error()) == + if ((ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) && (count > 0)) { ERR_clear_error(); @@ -217,7 +217,7 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type) x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL); if (x == NULL) { - if ((ERR_GET_REASON(ERR_peek_error()) == + if ((ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) && (count > 0)) { ERR_clear_error(); diff --git a/lib/libcrypto/x509/x509.h b/lib/libcrypto/x509/x509.h index 8d0c7e2e179..e8c1a59cf2f 100644 --- a/lib/libcrypto/x509/x509.h 
+++ b/lib/libcrypto/x509/x509.h @@ -410,6 +410,7 @@ typedef struct X509_crl_info_st ASN1_TIME *nextUpdate; STACK_OF(X509_REVOKED) *revoked; STACK_OF(X509_EXTENSION) /* [0] */ *extensions; + ASN1_ENCODING enc; } X509_CRL_INFO; struct X509_crl_st @@ -1037,18 +1038,18 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, - char *field, int type, unsigned char *bytes, int len); + const char *field, int type, const unsigned char *bytes, int len); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type,unsigned char *bytes, int len); -int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type, - unsigned char *bytes, int len, int loc, int set); +int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, + const unsigned char *bytes, int len, int loc, int set); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, - ASN1_OBJECT *obj, int type,unsigned char *bytes, + ASN1_OBJECT *obj, int type,const unsigned char *bytes, int len); int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj); int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, - unsigned char *bytes, int len); + const unsigned char *bytes, int len); ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne); ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne); diff --git a/lib/libcrypto/x509/x509_cmp.c b/lib/libcrypto/x509/x509_cmp.c index f460102f497..030d0966fc0 100644 --- a/lib/libcrypto/x509/x509_cmp.c +++ b/lib/libcrypto/x509/x509_cmp.c 
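Review bot: The const-qualification in the prototype hunk is applied unevenly: `X509_NAME_ENTRY_create_by_NID` and the `X509_NAME_add_entry_by_NID` prototype visible at the top of the hunk still take `unsigned char *bytes`, while the `_by_txt`, `_by_OBJ` and `X509_NAME_ENTRY_set_data` variants now take `const unsigned char *bytes`. Callers holding read-only data therefore still have to cast away const for the NID variants. If those functions do not write through the pointer (their definitions are outside this diff), declare them the same way, e.g. `int nid, int type,const unsigned char *bytes, int len);`.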
@@ -254,33 +254,49 @@ static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b) return 0; } +static int asn1_string_memcmp(ASN1_STRING *a, ASN1_STRING *b) + { + int j; + j = a->length - b->length; + if (j) + return j; + return memcmp(a->data, b->data, a->length); + } + +#define STR_TYPE_CMP (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_UTF8STRING) + int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) { int i,j; X509_NAME_ENTRY *na,*nb; - if (sk_X509_NAME_ENTRY_num(a->entries) - != sk_X509_NAME_ENTRY_num(b->entries)) - return sk_X509_NAME_ENTRY_num(a->entries) - -sk_X509_NAME_ENTRY_num(b->entries); + unsigned long nabit, nbbit; + + j = sk_X509_NAME_ENTRY_num(a->entries) + - sk_X509_NAME_ENTRY_num(b->entries); + if (j) + return j; for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--) { na=sk_X509_NAME_ENTRY_value(a->entries,i); nb=sk_X509_NAME_ENTRY_value(b->entries,i); j=na->value->type-nb->value->type; - if (j) return(j); - if (na->value->type == V_ASN1_PRINTABLESTRING) + if (j) + { + nabit = ASN1_tag2bit(na->value->type); + nbbit = ASN1_tag2bit(nb->value->type); + if (!(nabit & STR_TYPE_CMP) || + !(nbbit & STR_TYPE_CMP)) + return j; + j = asn1_string_memcmp(na->value, nb->value); + } + else if (na->value->type == V_ASN1_PRINTABLESTRING) j=nocase_spacenorm_cmp(na->value, nb->value); else if (na->value->type == V_ASN1_IA5STRING && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress) j=nocase_cmp(na->value, nb->value); else - { - j=na->value->length-nb->value->length; - if (j) return(j); - j=memcmp(na->value->data,nb->value->data, - na->value->length); - } + j = asn1_string_memcmp(na->value, nb->value); if (j) return(j); j=na->set-nb->set; if (j) return(j); 
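Review bot: When two entry types differ but both fall in `STR_TYPE_CMP`, `X509_NAME_cmp` now compares raw octets with `asn1_string_memcmp`, while two PrintableStrings still go through the case- and space-insensitive `nocase_spacenorm_cmp`, which makes equality non-transitive. In a constructed example, PrintableString "Foo" equals UTF8String "Foo" and also equals PrintableString "foo", yet UTF8String "Foo" does not equal PrintableString "foo". If this function also serves as a sort or lookup comparator (not visible here), issuer/subject matching can then depend on ordering. Octet comparison across T61String and UTF8String also treats equal bytes as equal text although the encodings differ. At minimum the rule deserves a comment above `STR_TYPE_CMP`, e.g. `/* differing string types are compared octet-for-octet: no case folding, no charset conversion */`; the function body continues outside the hunk.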
@@ -306,10 +322,16 @@ unsigned long X509_NAME_hash(X509_NAME *x) { unsigned long ret=0; unsigned char md[16]; + EVP_MD_CTX md_ctx; /* Make sure X509_NAME structure contains valid cached encoding */ i2d_X509_NAME(x,NULL); - EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL); + EVP_MD_CTX_init(&md_ctx); + EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL); + EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length); + EVP_DigestFinal_ex(&md_ctx,md,NULL); + EVP_MD_CTX_cleanup(&md_ctx); ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) diff --git a/lib/libcrypto/x509/x509_r2x.c b/lib/libcrypto/x509/x509_r2x.c index db051033d9b..fb8a78dabeb 100644 --- a/lib/libcrypto/x509/x509_r2x.c +++ b/lib/libcrypto/x509/x509_r2x.c @@ -92,8 +92,10 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) X509_set_subject_name(ret,X509_NAME_dup(xn)); X509_set_issuer_name(ret,X509_NAME_dup(xn)); - X509_gmtime_adj(xi->validity->notBefore,0); - X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days); + if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL) + goto err; + if (X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days) == NULL) + goto err; X509_set_pubkey(ret,X509_REQ_get_pubkey(r)); diff --git a/lib/libcrypto/x509/x509_req.c b/lib/libcrypto/x509/x509_req.c index 0affa3bf306..59fc6ca5484 100644 --- a/lib/libcrypto/x509/x509_req.c +++ b/lib/libcrypto/x509/x509_req.c @@ -118,7 +118,7 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req) * used and there may be more: so the list is configurable. */ -static int ext_nid_list[] = { NID_ms_ext_req, NID_ext_req, NID_undef}; +static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef}; static int *ext_nids = ext_nid_list; 
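Review bot: The `EVP_DigestInit_ex`, `EVP_DigestUpdate` and `EVP_DigestFinal_ex` calls added to `X509_NAME_hash` discard their return values, so if any of them fails `ret` is assembled from the uninitialised `md` array. The hunk sets `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW`, which suggests MD5 initialisation can be refused in some builds, and a hash built from stack residue would make name lookups that use it unpredictable. The calls should be checked and the function should return a fixed value on failure. Returning 0 is one option, but the callers are outside this hunk and should be checked for how they treat it.

```c
	EVP_MD_CTX_init(&md_ctx);
	EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
	if (!EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL) ||
	    !EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length) ||
	    !EVP_DigestFinal_ex(&md_ctx,md,NULL))
		{
		/* md was never filled in: do not derive a hash from it */
		EVP_MD_CTX_cleanup(&md_ctx);
		return 0;
		}
	EVP_MD_CTX_cleanup(&md_ctx);
	/* ... unchanged: fold md[0..3] into ret ... */
```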
@@ -143,32 +143,33 @@ void X509_REQ_set_extension_nids(int *nids) } STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) -{ + { X509_ATTRIBUTE *attr; - STACK_OF(X509_ATTRIBUTE) *sk; ASN1_TYPE *ext = NULL; - int i; + int idx, *pnid; unsigned char *p; - if ((req == NULL) || (req->req_info == NULL)) + + if ((req == NULL) || (req->req_info == NULL) || !ext_nids) return(NULL); - sk=req->req_info->attributes; - if (!sk) return NULL; - for(i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { - attr = sk_X509_ATTRIBUTE_value(sk, i); - if(X509_REQ_extension_nid(OBJ_obj2nid(attr->object))) { - if(attr->single) ext = attr->value.single; - else if(sk_ASN1_TYPE_num(attr->value.set)) - ext = sk_ASN1_TYPE_value(attr->value.set, 0); - break; + for (pnid = ext_nids; *pnid != NID_undef; pnid++) + { + idx = X509_REQ_get_attr_by_NID(req, *pnid, -1); + if (idx == -1) + continue; + attr = X509_REQ_get_attr(req, idx); + if(attr->single) ext = attr->value.single; + else if(sk_ASN1_TYPE_num(attr->value.set)) + ext = sk_ASN1_TYPE_value(attr->value.set, 0); + break; } - } - if(!ext || (ext->type != V_ASN1_SEQUENCE)) return NULL; + if(!ext || (ext->type != V_ASN1_SEQUENCE)) + return NULL; p = ext->value.sequence->data; return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p, ext->value.sequence->length, d2i_X509_EXTENSION, X509_EXTENSION_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); -} + } /* Add a STACK_OF extensions to a certificate request: allow alternative OIDs * in case we want to create a non standard one. diff --git a/lib/libcrypto/x509/x509_txt.c b/lib/libcrypto/x509/x509_txt.c index e31ebc6741a..f19e66a238a 100644 --- a/lib/libcrypto/x509/x509_txt.c +++ b/lib/libcrypto/x509/x509_txt.c 
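Review bot: In the rewritten loop of `X509_REQ_get_extensions`, `attr = X509_REQ_get_attr(req, idx);` is dereferenced on the next line without a NULL check. The index comes from `X509_REQ_get_attr_by_NID` on the same request, so a NULL is unlikely, but the request is parsed from external input and the guard is cheap: `if (attr == NULL) continue;`. The loop also stops at the first NID that is present even when that attribute yields no value and `ext` stays NULL. Together with the reordered `ext_nid_list`, a request carrying both attributes is answered from `NID_ext_req` only, which deserves a one-line comment above the loop.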
@@ -122,8 +122,14 @@ const char *X509_verify_cert_error_string(long n) return("certificate revoked"); case X509_V_ERR_INVALID_CA: return ("invalid CA certificate"); + case X509_V_ERR_INVALID_NON_CA: + return ("invalid non-CA certificate (has CA markings)"); case X509_V_ERR_PATH_LENGTH_EXCEEDED: return ("path length constraint exceeded"); + case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: + return("proxy path length constraint exceeded"); + case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: + return("proxy cerificates not allowed, please set the appropriate flag"); case X509_V_ERR_INVALID_PURPOSE: return ("unsupported certificate purpose"); case X509_V_ERR_CERT_UNTRUSTED: @@ -140,19 +146,16 @@ const char *X509_verify_cert_error_string(long n) return("authority and issuer serial number mismatch"); case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: return("key usage does not include certificate signing"); - case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: return("unable to get CRL issuer certificate"); - case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: return("unhandled critical extension"); - case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: return("key usage does not include CRL signing"); - + case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: + return("key usage does not include digital signature"); case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: return("unhandled critical CRL extension"); - default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c index 2e4d0b823ab..e43c861ee77 100644 --- a/lib/libcrypto/x509/x509_vfy.c +++ b/lib/libcrypto/x509/x509_vfy.c 
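Review bot: The string added for `X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED` misspells "certificates" as "cerificates". This text is what `X509_verify_cert_error_string` returns to applications and logs, so anyone searching logs for the correct spelling will miss it. It should read `return("proxy certificates not allowed, please set the appropriate flag");`. The new cases also use `return(` while the neighbouring context lines use `return (`, so one form should be chosen.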
@@ -73,7 +73,7 @@ static int null_callback(int ok,X509_STORE_CTX *e); static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); -static int check_chain_purpose(X509_STORE_CTX *ctx); +static int check_chain_extensions(X509_STORE_CTX *ctx); static int check_trust(X509_STORE_CTX *ctx); static int check_revocation(X509_STORE_CTX *ctx); static int check_cert(X509_STORE_CTX *ctx); @@ -281,7 +281,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) } /* We have the chain complete: now we need to check its purpose */ - if (ctx->purpose > 0) ok = check_chain_purpose(ctx); + ok = check_chain_extensions(ctx); if (!ok) goto end; @@ -365,21 +365,39 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) else return 0; } - + /* Check a certificate chains extensions for consistency * with the supplied purpose */ -static int check_chain_purpose(X509_STORE_CTX *ctx) +static int check_chain_extensions(X509_STORE_CTX *ctx) { #ifdef OPENSSL_NO_CHAIN_VERIFY return 1; #else - int i, ok=0; + int i, ok=0, must_be_ca; X509 *x; int (*cb)(); + int proxy_path_length = 0; + int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); cb=ctx->verify_cb; + + /* must_be_ca can have 1 of 3 values: + -1: we accept both CA and non-CA certificates, to allow direct + use of self-signed certificates (which are marked as CA). + 0: we only accept non-CA certificates. This is currently not + used, but the possibility is present for future extensions. + 1: we only accept CA certificates. This is currently used for + all certificates in the chain except the leaf certificate. + */ + must_be_ca = -1; + + /* A hack to keep people who don't want to modify their software + happy */ + if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) + allow_proxy_certs = 1; + /* Check all untrusted certificates */ for (i = 0; i < ctx->last_untrusted; i++) { 
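Review bot: The `getenv("OPENSSL_ALLOW_PROXY_CERTS")` test added to `check_chain_extensions` lets the process environment turn on proxy-certificate acceptance even when the application did not set `X509_V_FLAG_ALLOW_PROXY_CERTS`. The environment is not a trustworthy policy source for set-id programs, or for services whose environment is inherited from a less trusted parent, and the override leaves no trace in `ctx->flags`. If the compatibility switch has to stay, it should be ignored when the process is set-id, for example `if (!issetugid() && getenv("OPENSSL_ALLOW_PROXY_CERTS"))` on this tree, and the header should document it next to the flag. The comment in the `@@ -281,7` hunk still says the chain's purpose is being checked, although the call now runs unconditionally and covers more than purpose.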
@@ -394,23 +412,73 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) ok=cb(0,ctx); if (!ok) goto end; } - ret = X509_check_purpose(x, ctx->purpose, i); - if ((ret == 0) - || ((ctx->flags & X509_V_FLAG_X509_STRICT) - && (ret != 1))) + if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { - if (i) + ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; + ctx->error_depth = i; + ctx->current_cert = x; + ok=cb(0,ctx); + if (!ok) goto end; + } + ret = X509_check_ca(x); + switch(must_be_ca) + { + case -1: + if ((ctx->flags & X509_V_FLAG_X509_STRICT) + && (ret != 1) && (ret != 0)) + { + ret = 0; ctx->error = X509_V_ERR_INVALID_CA; + } else - ctx->error = X509_V_ERR_INVALID_PURPOSE; + ret = 1; + break; + case 0: + if (ret != 0) + { + ret = 0; + ctx->error = X509_V_ERR_INVALID_NON_CA; + } + else + ret = 1; + break; + default: + if ((ret == 0) + || ((ctx->flags & X509_V_FLAG_X509_STRICT) + && (ret != 1))) + { + ret = 0; + ctx->error = X509_V_ERR_INVALID_CA; + } + else + ret = 1; + break; + } + if (ret == 0) + { ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; } + if (ctx->purpose > 0) + { + ret = X509_check_purpose(x, ctx->purpose, + must_be_ca > 0); + if ((ret == 0) + || ((ctx->flags & X509_V_FLAG_X509_STRICT) + && (ret != 1))) + { + ctx->error = X509_V_ERR_INVALID_PURPOSE; + ctx->error_depth = i; + ctx->current_cert = x; + ok=cb(0,ctx); + if (!ok) goto end; + } + } /* Check pathlen */ if ((i > 1) && (x->ex_pathlen != -1) - && (i > (x->ex_pathlen + 1))) + && (i > (x->ex_pathlen + proxy_path_length + 1))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; 
@@ -418,6 +486,32 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) ok=cb(0,ctx); if (!ok) goto end; } + /* If this certificate is a proxy certificate, the next + certificate must be another proxy certificate or a EE + certificate. If not, the next certificate must be a + CA certificate. */ + if (x->ex_flags & EXFLAG_PROXY) + { + PROXY_CERT_INFO_EXTENSION *pci = + X509_get_ext_d2i(x, NID_proxyCertInfo, + NULL, NULL); + if (pci->pcPathLengthConstraint && + ASN1_INTEGER_get(pci->pcPathLengthConstraint) + < i) + { + PROXY_CERT_INFO_EXTENSION_free(pci); + ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; + ctx->error_depth = i; + ctx->current_cert = x; + ok=cb(0,ctx); + if (!ok) goto end; + } + PROXY_CERT_INFO_EXTENSION_free(pci); + proxy_path_length++; + must_be_ca = 0; + } + else + must_be_ca = 1; } ok = 1; end: @@ -627,6 +721,15 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) X509_EXTENSION *ext; /* Look for serial number of certificate in CRL */ rtmp.serialNumber = X509_get_serialNumber(x); + /* Sort revoked into serial number order if not already sorted. + * Do this under a lock to avoid race condition. + */ + if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked)) + { + CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL); + sk_X509_REVOKED_sort(crl->crl->revoked); + CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL); + } idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); /* If found assume revoked: want something cleverer than * this to handle entry extensions in V2 CRLs. @@ -772,6 +875,7 @@ static int internal_verify(X509_STORE_CTX *ctx) } /* The last error (if any) is still in the error value */ + ctx->current_issuer=xi; ctx->current_cert=xs; ok=(*cb)(1,ctx); if (!ok) goto end; @@ -851,7 +955,8 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time) atm.length=sizeof(buff2); atm.data=(unsigned char *)buff2; - X509_time_adj(&atm,-offset*60, cmp_time); + if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL) + return 0; if (ctm->type == V_ASN1_UTCTIME) { 
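Review bot: In the proxy block added at the end of the loop in `check_chain_extensions`, `pci` is freed inside the path-length branch and then again by the unconditional `PROXY_CERT_INFO_EXTENSION_free(pci)` that follows. This happens whenever the verify callback returns non-zero to continue past the error, which makes it a double free. The result of `X509_get_ext_d2i` is also dereferenced without a NULL check, and the earlier successful decode in `x509v3_cache_extensions` does not guarantee that this second decode succeeds. Evaluating the constraint first and releasing `pci` at a single point avoids both problems. Which `ctx->error` to report for the NULL case is left open here, and the function continues outside this hunk.

```c
		if (x->ex_flags & EXFLAG_PROXY)
			{
			int pathlen_exceeded;
			PROXY_CERT_INFO_EXTENSION *pci =
				X509_get_ext_d2i(x, NID_proxyCertInfo,
					NULL, NULL);
			if (pci == NULL)
				{
				/* decode failed: fail closed instead of dereferencing */
				ok = 0;
				goto end;
				}
			pathlen_exceeded = pci->pcPathLengthConstraint &&
				ASN1_INTEGER_get(pci->pcPathLengthConstraint) < i;
			/* single release point, before the callback can run */
			PROXY_CERT_INFO_EXTENSION_free(pci);
			if (pathlen_exceeded)
				{
				/* ... unchanged: set ctx->error, error_depth, current_cert; call cb ... */
				}
			proxy_path_length++;
			must_be_ca = 0;
			}
```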
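Review bot: The lock added in `cert_crl` covers only `sk_X509_REVOKED_sort`, while the `sk_X509_REVOKED_is_sorted` test before it and the `sk_X509_REVOKED_find` after it run unlocked. One thread can therefore search the stack while another is reordering it, and a lookup that misses a revoked serial number means a revoked certificate is accepted. The lock should cover the test, the sort and the find, with `CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);` moved above the `if` and the unlock placed after `idx` is assigned. The alternative is to sort once when the CRL is loaded, so that verification never mutates shared state. `cert_crl` starts and ends outside this hunk.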
diff --git a/lib/libcrypto/x509/x509_vfy.h b/lib/libcrypto/x509/x509_vfy.h index 198495884cf..7fd1f0bc4de 100644 --- a/lib/libcrypto/x509/x509_vfy.h +++ b/lib/libcrypto/x509/x509_vfy.h @@ -276,7 +276,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 #define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 #define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 -#define X509_V_ERR_CERT_NOT_YET_VALID 9 +#define X509_V_ERR_CERT_NOT_YET_VALID 9 #define X509_V_ERR_CERT_HAS_EXPIRED 10 #define X509_V_ERR_CRL_NOT_YET_VALID 11 #define X509_V_ERR_CRL_HAS_EXPIRED 12 @@ -306,6 +306,10 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 #define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 #define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 +#define X509_V_ERR_INVALID_NON_CA 37 +#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 +#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 +#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 @@ -324,6 +328,8 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Disable workarounds for broken certificates */ #define X509_V_FLAG_X509_STRICT 0x20 +/* Enable proxy certificate validation */ +#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); diff --git a/lib/libcrypto/x509/x509cset.c b/lib/libcrypto/x509/x509cset.c index 6cac440ea93..9d1646d5c8d 100644 --- a/lib/libcrypto/x509/x509cset.c +++ b/lib/libcrypto/x509/x509cset.c @@ -129,6 +129,7 @@ int X509_CRL_sort(X509_CRL *c) r=sk_X509_REVOKED_value(c->crl->revoked,i); r->sequence=i; } + c->crl->enc.modified = 1; return 1; } diff --git a/lib/libcrypto/x509/x509name.c b/lib/libcrypto/x509/x509name.c index 4c20e03eced..068abfe5f04 100644 --- a/lib/libcrypto/x509/x509name.c +++ b/lib/libcrypto/x509/x509name.c 
@@ -195,8 +195,8 @@ int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, return ret; } -int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type, - unsigned char *bytes, int len, int loc, int set) +int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, + const unsigned char *bytes, int len, int loc, int set) { X509_NAME_ENTRY *ne; int ret; @@ -273,7 +273,7 @@ err: } X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, - char *field, int type, unsigned char *bytes, int len) + const char *field, int type, const unsigned char *bytes, int len) { ASN1_OBJECT *obj; X509_NAME_ENTRY *nentry; @@ -309,7 +309,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, } X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, - ASN1_OBJECT *obj, int type, unsigned char *bytes, int len) + ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len) { X509_NAME_ENTRY *ret; @@ -347,7 +347,7 @@ int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj) } int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, - unsigned char *bytes, int len) + const unsigned char *bytes, int len) { int i; diff --git a/lib/libcrypto/x509/x_all.c b/lib/libcrypto/x509/x_all.c index fb5015cd4de..ac6dea493a8 100644 --- a/lib/libcrypto/x509/x_all.c +++ b/lib/libcrypto/x509/x_all.c @@ -103,6 +103,7 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) { + x->crl->enc.modified = 1; return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg, x->sig_alg, x->signature, x->crl,pkey,md)); } diff --git a/lib/libcrypto/x509v3/ext_dat.h b/lib/libcrypto/x509v3/ext_dat.h index 5442480595b..d8328ac468c 100644 --- a/lib/libcrypto/x509v3/ext_dat.h +++ b/lib/libcrypto/x509v3/ext_dat.h 
@@ -3,7 +3,7 @@ * project 1999. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -60,10 +60,11 @@ extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo; extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; -extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3_crld; +extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; +extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld; extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; -extern X509V3_EXT_METHOD v3_crl_hold; +extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; /* This table will be searched using OBJ_bsearch so it *must* kept in * order of the ext_nid values. @@ -89,6 +90,7 @@ static X509V3_EXT_METHOD *standard_exts[] = { &v3_akey_id, &v3_crld, &v3_ext_ku, +&v3_delta_crl, &v3_crl_reason, #ifndef OPENSSL_NO_OCSP &v3_crl_invdate, @@ -105,8 +107,9 @@ static X509V3_EXT_METHOD *standard_exts[] = { #endif &v3_sinfo, #ifndef OPENSSL_NO_OCSP -&v3_crl_hold +&v3_crl_hold, #endif +&v3_pci, }; /* Number of standard extensions */ diff --git a/lib/libcrypto/x509v3/v3_bitst.c b/lib/libcrypto/x509v3/v3_bitst.c index 16cf1255621..274965306d4 100644 --- a/lib/libcrypto/x509v3/v3_bitst.c +++ b/lib/libcrypto/x509v3/v3_bitst.c 
@@ -124,7 +124,12 @@ static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, for(bnam = method->usr_data; bnam->lname; bnam++) { if(!strcmp(bnam->sname, val->name) || !strcmp(bnam->lname, val->name) ) { - ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1); + if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) { + X509V3err(X509V3_F_V2I_ASN1_BIT_STRING, + ERR_R_MALLOC_FAILURE); + M_ASN1_BIT_STRING_free(bs); + return NULL; + } break; } } diff --git a/lib/libcrypto/x509v3/v3_ia5.c b/lib/libcrypto/x509v3/v3_ia5.c index f9414456de2..9683afa47c4 100644 --- a/lib/libcrypto/x509v3/v3_ia5.c +++ b/lib/libcrypto/x509v3/v3_ia5.c @@ -82,7 +82,10 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, { char *tmp; if(!ia5 || !ia5->length) return NULL; - if (!(tmp = OPENSSL_malloc(ia5->length + 1))) return NULL; + if(!(tmp = OPENSSL_malloc(ia5->length + 1))) { + X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE); + return NULL; + } memcpy(tmp, ia5->data, ia5->length); tmp[ia5->length] = 0; return tmp; diff --git a/lib/libcrypto/x509v3/v3_int.c b/lib/libcrypto/x509v3/v3_int.c index f34cbfb7315..7a43b4717bc 100644 --- a/lib/libcrypto/x509v3/v3_int.c +++ b/lib/libcrypto/x509v3/v3_int.c @@ -3,7 +3,7 @@ * project 1999. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -61,9 +61,16 @@ #include <openssl/x509v3.h> X509V3_EXT_METHOD v3_crl_num = { -NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), -0,0,0,0, -(X509V3_EXT_I2S)i2s_ASN1_INTEGER, -0, -0,0,0,0, NULL}; + NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), + 0,0,0,0, + (X509V3_EXT_I2S)i2s_ASN1_INTEGER, + 0, + 0,0,0,0, NULL}; + +X509V3_EXT_METHOD v3_delta_crl = { + NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER), + 0,0,0,0, + (X509V3_EXT_I2S)i2s_ASN1_INTEGER, + 0, + 0,0,0,0, NULL}; diff --git a/lib/libcrypto/x509v3/v3_purp.c b/lib/libcrypto/x509v3/v3_purp.c index b3d1ae5d1cc..bbdf6da4937 100644 --- a/lib/libcrypto/x509v3/v3_purp.c +++ b/lib/libcrypto/x509v3/v3_purp.c @@ -63,7 +63,6 @@ static void x509v3_cache_extensions(X509 *x); -static int ca_check(const X509 *x); static int check_ssl_ca(const X509 *x); static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); @@ -286,7 +285,8 @@ int X509_supported_extension(X509_EXTENSION *ex) NID_key_usage, /* 83 */ NID_subject_alt_name, /* 85 */ NID_basic_constraints, /* 87 */ - NID_ext_key_usage /* 126 */ + NID_ext_key_usage, /* 126 */ + NID_proxyCertInfo /* 661 */ }; int ex_nid; @@ -307,6 +307,7 @@ int X509_supported_extension(X509_EXTENSION *ex) static void x509v3_cache_extensions(X509 *x) { BASIC_CONSTRAINTS *bs; + PROXY_CERT_INFO_EXTENSION *pci; ASN1_BIT_STRING *usage; ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; 
@@ -335,6 +336,16 @@ static void x509v3_cache_extensions(X509 *x) BASIC_CONSTRAINTS_free(bs); x->ex_flags |= EXFLAG_BCONS; } + /* Handle proxy certificates */ + if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { + if (x->ex_flags & EXFLAG_CA + || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0 + || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) { + x->ex_flags |= EXFLAG_INVALID; + } + PROXY_CERT_INFO_EXTENSION_free(pci); + x->ex_flags |= EXFLAG_PROXY; + } /* Handle key usage */ if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { if(usage->length > 0) { @@ -426,7 +437,7 @@ static void x509v3_cache_extensions(X509 *x) #define ns_reject(x, usage) \ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) -static int ca_check(const X509 *x) +static int check_ca(const X509 *x) { /* keyUsage if present should allow cert signing */ if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; 
@@ -435,25 +446,37 @@ static int ca_check(const X509 *x) /* If basicConstraints says not a CA then say so */ else return 0; } else { + /* we support V1 roots for... uh, I don't really know why. */ if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; /* If key usage present it must have certSign so tolerate it */ else if (x->ex_flags & EXFLAG_KUSAGE) return 4; - else return 2; + /* Older certificates could have Netscape-specific CA types */ + else if (x->ex_flags & EXFLAG_NSCERT + && x->ex_nscert & NS_ANY_CA) return 5; + /* can this still be regarded a CA certificate? I doubt it */ + return 0; } } +int X509_check_ca(X509 *x) +{ + if(!(x->ex_flags & EXFLAG_SET)) { + CRYPTO_w_lock(CRYPTO_LOCK_X509); + x509v3_cache_extensions(x); + CRYPTO_w_unlock(CRYPTO_LOCK_X509); + } + + return check_ca(x); +} + /* Check SSL CA: common checks for SSL client and server */ static int check_ssl_ca(const X509 *x) { int ca_ret; - ca_ret = ca_check(x); + ca_ret = check_ca(x); if(!ca_ret) return 0; /* check nsCertType if present */ - if(x->ex_flags & EXFLAG_NSCERT) { - if(x->ex_nscert & NS_SSL_CA) return ca_ret; - return 0; - } - if(ca_ret != 2) return ca_ret; + if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret; else return 0; } @@ -498,14 +521,10 @@ static int purpose_smime(const X509 *x, int ca) if(xku_reject(x,XKU_SMIME)) return 0; if(ca) { int ca_ret; - ca_ret = ca_check(x); + ca_ret = check_ca(x); if(!ca_ret) return 0; /* check nsCertType if present */ - if(x->ex_flags & EXFLAG_NSCERT) { - if(x->ex_nscert & NS_SMIME_CA) return ca_ret; - return 0; - } - if(ca_ret != 2) return ca_ret; + if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret; else return 0; } if(x->ex_flags & EXFLAG_NSCERT) { @@ -539,7 +558,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) { if(ca) { int ca_ret; - if((ca_ret = ca_check(x)) != 2) return ca_ret; + if((ca_ret = check_ca(x)) != 2) return ca_ret; else return 0; } if(ku_reject(x, KU_CRL_SIGN)) return 0; 
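Review bot: The `!= 2` test kept in `check_purpose_crl_sign` (`if((ca_ret = check_ca(x)) != 2) return ca_ret; else return 0;`) compares against a value the function no longer appears to produce, since this commit removes `else return 2;` from `check_ca`. The test is now always true as far as the visible hunks show, which hides the fact that CRL-signing CAs are accepted on any non-zero `check_ca` result, including the new Netscape-only value 5. It should either be simplified to `if(ca) return check_ca(x);` or state explicitly which return values are acceptable here. The `ocsp_helper` comment in the following hunk still refers to the "I don't know" value (2) and has the same problem. `check_ca`'s return codes 1, 3, 4 and 5 would be easier to follow as named constants, or with a table in the function's header comment.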
@@ -552,17 +571,9 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) { - /* Must be a valid CA */ - if(ca) { - int ca_ret; - ca_ret = ca_check(x); - if(ca_ret != 2) return ca_ret; - if(x->ex_flags & EXFLAG_NSCERT) { - if(x->ex_nscert & NS_ANY_CA) return ca_ret; - return 0; - } - return 0; - } + /* Must be a valid CA. Should we really support the "I don't know" + value (2)? */ + if(ca) return check_ca(x); /* leaf certificate is checked in OCSP_verify() */ return 1; } @@ -624,7 +635,13 @@ int X509_check_issued(X509 *issuer, X509 *subject) return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; } } - if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; + if(subject->ex_flags & EXFLAG_PROXY) + { + if(ku_reject(issuer, KU_DIGITAL_SIGNATURE)) + return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; + } + else if(ku_reject(issuer, KU_KEY_CERT_SIGN)) + return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; return X509_V_OK; } diff --git a/lib/libcrypto/x509v3/v3err.c b/lib/libcrypto/x509v3/v3err.c index 6458e95bb91..2df0c3ef01d 100644 --- a/lib/libcrypto/x509v3/v3err.c +++ b/lib/libcrypto/x509v3/v3err.c @@ -1,6 +1,6 @@ /* crypto/x509v3/v3err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -72,12 +72,14 @@ static ERR_STRING_DATA X509V3_str_functs[]= {ERR_PACK(0,X509V3_F_DO_EXT_I2D,0), "DO_EXT_I2D"}, {ERR_PACK(0,X509V3_F_HEX_TO_STRING,0), "hex_to_string"}, {ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0), "i2s_ASN1_ENUMERATED"}, +{ERR_PACK(0,X509V3_F_I2S_ASN1_IA5STRING,0), "I2S_ASN1_IA5STRING"}, {ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0), "i2s_ASN1_INTEGER"}, {ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0), "I2V_AUTHORITY_INFO_ACCESS"}, {ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"}, {ERR_PACK(0,X509V3_F_NREF_NOS,0), "NREF_NOS"}, {ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"}, {ERR_PACK(0,X509V3_F_R2I_CERTPOL,0), "R2I_CERTPOL"}, +{ERR_PACK(0,X509V3_F_R2I_PCI,0), "R2I_PCI"}, {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0), "S2I_ASN1_IA5STRING"}, {ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0), "s2i_ASN1_INTEGER"}, {ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0), "s2i_ASN1_OCTET_STRING"}, @@ -128,6 +130,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"}, {X509V3_R_EXTENSION_VALUE_ERROR ,"extension value error"}, {X509V3_R_ILLEGAL_HEX_DIGIT ,"illegal hex digit"}, +{X509V3_R_INCORRECT_POLICY_SYNTAX_TAG ,"incorrect policy syntax tag"}, {X509V3_R_INVALID_BOOLEAN_STRING ,"invalid boolean string"}, {X509V3_R_INVALID_EXTENSION_STRING ,"invalid extension string"}, {X509V3_R_INVALID_NAME ,"invalid name"}, @@ -139,6 +142,8 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"}, {X509V3_R_INVALID_OPTION ,"invalid option"}, {X509V3_R_INVALID_POLICY_IDENTIFIER ,"invalid policy identifier"}, +{X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER,"invalid proxy policy identifier"}, +{X509V3_R_INVALID_PROXY_POLICY_SETTING ,"invalid proxy policy setting"}, {X509V3_R_INVALID_PURPOSE ,"invalid purpose"}, {X509V3_R_INVALID_SECTION ,"invalid section"}, {X509V3_R_INVALID_SYNTAX ,"invalid syntax"}, 
@@ -149,9 +154,16 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"}, {X509V3_R_NO_ISSUER_DETAILS ,"no issuer details"}, {X509V3_R_NO_POLICY_IDENTIFIER ,"no policy identifier"}, +{X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"}, {X509V3_R_NO_PUBLIC_KEY ,"no public key"}, {X509V3_R_NO_SUBJECT_DETAILS ,"no subject details"}, {X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"}, +{X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"}, +{X509V3_R_POLICY_PATH_LENGTH ,"policy path length"}, +{X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"}, +{X509V3_R_POLICY_SYNTAX_NOT ,"policy syntax not"}, +{X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"}, +{X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY,"policy when proxy language requires no policy"}, {X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"}, {X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"}, {X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"}, diff --git a/lib/libcrypto/x509v3/x509v3.h b/lib/libcrypto/x509v3/x509v3.h index fb07a19016f..e6d91251c2a 100644 --- a/lib/libcrypto/x509v3/x509v3.h +++ b/lib/libcrypto/x509v3/x509v3.h 
@@ -287,6 +287,23 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES; DECLARE_STACK_OF(POLICYINFO) DECLARE_ASN1_SET_OF(POLICYINFO) +/* Proxy certificate structures, see RFC 3820 */ +typedef struct PROXY_POLICY_st + { + ASN1_OBJECT *policyLanguage; + ASN1_OCTET_STRING *policy; + } PROXY_POLICY; + +typedef struct PROXY_CERT_INFO_EXTENSION_st + { + ASN1_INTEGER *pcPathLengthConstraint; + PROXY_POLICY *proxyPolicy; + } PROXY_CERT_INFO_EXTENSION; + +DECLARE_ASN1_FUNCTIONS(PROXY_POLICY) +DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION) + + #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \ ",name:", val->name, ",value:", val->value); @@ -325,6 +342,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO) #define EXFLAG_INVALID 0x80 #define EXFLAG_SET 0x100 #define EXFLAG_CRITICAL 0x200 +#define EXFLAG_PROXY 0x400 #define KU_DIGITAL_SIGNATURE 0x0080 #define KU_NON_REPUDIATION 0x0040 @@ -527,6 +545,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent); int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent); +int X509_check_ca(X509 *x); int X509_check_purpose(X509 *x, int id, int ca); int X509_supported_extension(X509_EXTENSION *ex); int X509_PURPOSE_set(int *p, int purpose); @@ -564,12 +583,14 @@ void ERR_load_X509V3_strings(void); #define X509V3_F_DO_EXT_I2D 135 #define X509V3_F_HEX_TO_STRING 111 #define X509V3_F_I2S_ASN1_ENUMERATED 121 +#define X509V3_F_I2S_ASN1_IA5STRING 142 #define X509V3_F_I2S_ASN1_INTEGER 120 #define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138 #define X509V3_F_NOTICE_SECTION 132 #define X509V3_F_NREF_NOS 133 #define X509V3_F_POLICY_SECTION 131 #define X509V3_F_R2I_CERTPOL 130 +#define X509V3_F_R2I_PCI 142 #define X509V3_F_S2I_ASN1_IA5STRING 100 #define X509V3_F_S2I_ASN1_INTEGER 108 #define X509V3_F_S2I_ASN1_OCTET_STRING 112 
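Review bot: The two function codes added in the `@@ -564,12 +583,14 @@` hunk share a value, `#define X509V3_F_I2S_ASN1_IA5STRING 142` and `#define X509V3_F_R2I_PCI 142`. Both are registered in `X509V3_str_functs` in v3err.c, so an error raised from one function can be reported under the other's name, which misdirects anyone diagnosing a failed extension parse. One of them needs a code not used elsewhere in this header, for example `#define X509V3_F_R2I_PCI <unused code>`, with the value chosen by the error-code generator rather than by hand. The duplicate looks like a leftover from the conflict resolution this commit describes.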
@@ -617,6 +638,7 @@ void ERR_load_X509V3_strings(void); #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103 #define X509V3_R_EXTENSION_VALUE_ERROR 116 #define X509V3_R_ILLEGAL_HEX_DIGIT 113 +#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 153 #define X509V3_R_INVALID_BOOLEAN_STRING 104 #define X509V3_R_INVALID_EXTENSION_STRING 105 #define X509V3_R_INVALID_NAME 106 @@ -628,6 +650,8 @@ void ERR_load_X509V3_strings(void); #define X509V3_R_INVALID_OBJECT_IDENTIFIER 110 #define X509V3_R_INVALID_OPTION 138 #define X509V3_R_INVALID_POLICY_IDENTIFIER 134 +#define X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER 147 +#define X509V3_R_INVALID_PROXY_POLICY_SETTING 151 #define X509V3_R_INVALID_PURPOSE 146 #define X509V3_R_INVALID_SECTION 135 #define X509V3_R_INVALID_SYNTAX 143 @@ -638,9 +662,16 @@ void ERR_load_X509V3_strings(void); #define X509V3_R_NO_ISSUER_CERTIFICATE 121 #define X509V3_R_NO_ISSUER_DETAILS 127 #define X509V3_R_NO_POLICY_IDENTIFIER 139 +#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 148 #define X509V3_R_NO_PUBLIC_KEY 114 #define X509V3_R_NO_SUBJECT_DETAILS 125 #define X509V3_R_ODD_NUMBER_OF_DIGITS 112 +#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED 149 +#define X509V3_R_POLICY_PATH_LENGTH 152 +#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED 150 +#define X509V3_R_POLICY_SYNTAX_NOT 154 +#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 155 +#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 156 #define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122 #define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123 #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111 |