diff options
| author | Bob Beck <beck@cvs.openbsd.org> | 2000-12-15 02:58:48 +0000 |
|---|---|---|
| committer | Bob Beck <beck@cvs.openbsd.org> | 2000-12-15 02:58:48 +0000 |
| commit | 01c37e03996dffeff1618614755c6cc676899acb (patch) | |
| tree | 988002fb9b1d859c10890511aa5273cfb00662dc /lib/libssl | |
| parent | 9865f3ff77de9cfef0c5c8b0470daf6faa2f14af (diff) | |
openssl-engine-0.9.6 merge
Diffstat (limited to 'lib/libssl')
| -rw-r--r-- | lib/libssl/bio_ssl.c | 22 | ||||
| -rw-r--r-- | lib/libssl/doc/openssl.txt | 59 | ||||
| -rw-r--r-- | lib/libssl/s23_clnt.c | 4 | ||||
| -rw-r--r-- | lib/libssl/s23_srvr.c | 32 | ||||
| -rw-r--r-- | lib/libssl/s3_both.c | 4 | ||||
| -rw-r--r-- | lib/libssl/s3_clnt.c | 26 | ||||
| -rw-r--r-- | lib/libssl/s3_lib.c | 14 | ||||
| -rw-r--r-- | lib/libssl/s3_pkt.c | 54 | ||||
| -rw-r--r-- | lib/libssl/s3_srvr.c | 26 | ||||
| -rw-r--r-- | lib/libssl/shlib_version | 2 | ||||
| -rw-r--r-- | lib/libssl/ssl.h | 63 | ||||
| -rw-r--r-- | lib/libssl/ssl2.h | 4 | ||||
| -rw-r--r-- | lib/libssl/ssl3.h | 5 | ||||
| -rw-r--r-- | lib/libssl/ssl_asn1.c | 16 | ||||
| -rw-r--r-- | lib/libssl/ssl_cert.c | 164 | ||||
| -rw-r--r-- | lib/libssl/ssl_ciph.c | 32 | ||||
| -rw-r--r-- | lib/libssl/ssl_err.c | 1 | ||||
| -rw-r--r-- | lib/libssl/ssl_lib.c | 38 | ||||
| -rw-r--r-- | lib/libssl/ssl_locl.h | 5 | ||||
| -rw-r--r-- | lib/libssl/ssl_sess.c | 6 | ||||
| -rw-r--r-- | lib/libssl/ssl_txt.c | 52 | ||||
| -rw-r--r-- | lib/libssl/t1_enc.c | 12 | ||||
| -rw-r--r-- | lib/libssl/test/Makefile.ssl | 135 | ||||
| -rw-r--r-- | lib/libssl/test/enginetest.c | 251 | ||||
| -rw-r--r-- | lib/libssl/test/maketests.com | 2 | ||||
| -rw-r--r-- | lib/libssl/test/md4test.c | 131 | ||||
| -rw-r--r-- | lib/libssl/test/testp7.pem | 88 | ||||
| -rw-r--r-- | lib/libssl/test/tests.com | 96 | ||||
| -rw-r--r-- | lib/libssl/tls1.h | 11 |
29 files changed, 978 insertions, 377 deletions
diff --git a/lib/libssl/bio_ssl.c b/lib/libssl/bio_ssl.c index d73c41adcdc..d85555a7e69 100644 --- a/lib/libssl/bio_ssl.c +++ b/lib/libssl/bio_ssl.c @@ -65,13 +65,13 @@ #include <openssl/err.h> #include <openssl/ssl.h> -static int ssl_write(BIO *h,char *buf,int num); -static int ssl_read(BIO *h,char *buf,int size); -static int ssl_puts(BIO *h,char *str); -static long ssl_ctrl(BIO *h,int cmd,long arg1,char *arg2); +static int ssl_write(BIO *h, const char *buf, int num); +static int ssl_read(BIO *h, char *buf, int size); +static int ssl_puts(BIO *h, const char *str); +static long ssl_ctrl(BIO *h, int cmd, long arg1, void *arg2); static int ssl_new(BIO *h); static int ssl_free(BIO *data); -static long ssl_callback_ctrl(BIO *h,int cmd,void (*fp)()); +static long ssl_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp); typedef struct bio_ssl_st { SSL *ssl; /* The ssl handle :-) */ @@ -105,7 +105,7 @@ static int ssl_new(BIO *bi) { BIO_SSL *bs; - bs=(BIO_SSL *)Malloc(sizeof(BIO_SSL)); + bs=(BIO_SSL *)OPENSSL_malloc(sizeof(BIO_SSL)); if (bs == NULL) { BIOerr(BIO_F_SSL_NEW,ERR_R_MALLOC_FAILURE); @@ -133,7 +133,7 @@ static int ssl_free(BIO *a) a->flags=0; } if (a->ptr != NULL) - Free(a->ptr); + OPENSSL_free(a->ptr); return(1); } @@ -221,7 +221,7 @@ static int ssl_read(BIO *b, char *out, int outl) return(ret); } -static int ssl_write(BIO *b, char *out, int outl) +static int ssl_write(BIO *b, const char *out, int outl) { int ret,r=0; int retry_reason=0; @@ -289,7 +289,7 @@ static int ssl_write(BIO *b, char *out, int outl) return(ret); } -static long ssl_ctrl(BIO *b, int cmd, long num, char *ptr) +static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr) { SSL **sslp,*ssl; BIO_SSL *bs; @@ -470,7 +470,7 @@ static long ssl_ctrl(BIO *b, int cmd, long num, char *ptr) return(ret); } -static long ssl_callback_ctrl(BIO *b, int cmd, void (*fp)()) +static long ssl_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp) { SSL *ssl; BIO_SSL *bs; @@ -492,7 +492,7 @@ static long ssl_callback_ctrl(BIO *b, int cmd, void (*fp)()) return(ret); } -static int ssl_puts(BIO *bp, char *str) +static int ssl_puts(BIO *bp, const char *str) { int n,ret; diff --git a/lib/libssl/doc/openssl.txt b/lib/libssl/doc/openssl.txt index 880eace4da8..5da519e7e46 100644 --- a/lib/libssl/doc/openssl.txt +++ b/lib/libssl/doc/openssl.txt @@ -355,6 +355,24 @@ that would not make sense. It does support an additional issuer:copy option that will copy all the subject alternative name values from the issuer certificate (if possible). +Example: + +issuserAltName = issuer:copy + +Authority Info Access. + +The authority information access extension gives details about how to access +certain information relating to the CA. Its syntax is accessOID;location +where 'location' has the same syntax as subject alternative name (except +that email:copy is not supported). accessOID can be any valid OID but only +certain values are meaningful for example OCSP and caIssuers. OCSP gives the +location of an OCSP responder: this is used by Netscape PSM and other software. + +Example: + +authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ +authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html + CRL distribution points. This is a multi-valued extension that supports all the literal options of @@ -489,6 +507,47 @@ details about the structures returned. The returned structure should be freed after use using the relevant free function, BASIC_CONSTRAINTS_free() for example. +void * X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx); +void * X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx); +void * X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx); +void * X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx); + +These functions combine the operations of searching for extensions and +parsing them. They search a certificate, a CRL a CRL entry or a stack +of extensions respectively for extension whose NID is 'nid' and return +the parsed result of NULL if an error occurred. For example: + +BASIC_CONSTRAINTS *bs; +bs = X509_get_ext_d2i(cert, NID_basic_constraints, NULL, NULL); + +This will search for the basicConstraints extension and either return +it value or NULL. NULL can mean either the extension was not found, it +occurred more than once or it could not be parsed. + +If 'idx' is NULL then an extension is only parsed if it occurs precisely +once. This is standard behaviour because extensions normally cannot occur +more than once. If however more than one extension of the same type can +occur it can be used to parse successive extensions for example: + +int i; +void *ext; + +i = -1; +for(;;) { + ext = X509_get_ext_d2i(x, nid, crit, &idx); + if(ext == NULL) break; + /* Do something with ext */ +} + +If 'crit' is not NULL and the extension was found then the int it points to +is set to 1 for critical extensions and 0 for non critical. Therefore if the +function returns NULL but 'crit' is set to 0 or 1 then the extension was +found but it could not be parsed. + +The int pointed to by crit will be set to -1 if the extension was not found +and -2 if the extension occurred more than once (this will only happen if +idx is NULL). In both cases the function will return NULL. + 3. Generating extensions. An extension will typically be generated from a configuration file, or some diff --git a/lib/libssl/s23_clnt.c b/lib/libssl/s23_clnt.c index aaedf6a9bbc..5050a13ef20 100644 --- a/lib/libssl/s23_clnt.c +++ b/lib/libssl/s23_clnt.c @@ -366,7 +366,9 @@ static int ssl23_get_server_hello(SSL *s) } s->state=SSL2_ST_GET_SERVER_HELLO_A; - s->s2->ssl2_rollback=1; + if (!(s->client_version == SSL2_VERSION)) + /* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */ + s->s2->ssl2_rollback=1; /* setup the 5 bytes we have read so we get them from * the sslv2 buffer */ diff --git a/lib/libssl/s23_srvr.c b/lib/libssl/s23_srvr.c index 6a3bbb10b95..050618235f0 100644 --- a/lib/libssl/s23_srvr.c +++ b/lib/libssl/s23_srvr.c @@ -297,7 +297,7 @@ int ssl23_get_client_hello(SSL *s) if (n <= 0) return(n); p=s->packet; - if ((buf=Malloc(n)) == NULL) + if ((buf=OPENSSL_malloc(n)) == NULL) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE); goto err; @@ -348,16 +348,21 @@ int ssl23_get_client_hello(SSL *s) * SSLv3 or tls1 header */ - v[0]=p[1]; /* major version */ + v[0]=p[1]; /* major version (= SSL3_VERSION_MAJOR) */ /* We must look at client_version inside the Client Hello message - * to get the correct minor version: */ - v[1]=p[10]; - /* However if we have only a pathologically small fragment of the - * Client Hello message, we simply use the version from the - * record header -- this is incorrect but unlikely to fail in - * practice */ + * to get the correct minor version. + * However if we have only a pathologically small fragment of the + * Client Hello message, this would be difficult, we'd have + * to read at least one additional record to find out. + * This doesn't usually happen in real life, so we just complain + * for now. + */ if (p[3] == 0 && p[4] < 6) - v[1]=p[2]; + { + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL); + goto err; + } + v[1]=p[10]; /* minor version according to client_version */ if (v[1] >= TLS1_VERSION_MINOR) { if (!(s->options & SSL_OP_NO_TLSv1)) @@ -495,9 +500,12 @@ int ssl23_get_client_hello(SSL *s) s->state=SSL2_ST_GET_CLIENT_HELLO_A; if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) || - use_sslv2_strong) + use_sslv2_strong || + (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)) s->s2->ssl2_rollback=0; else + /* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0 + * (SSL 3.0 draft/RFC 2246, App. E.2) */ s->s2->ssl2_rollback=1; /* setup the n bytes we have read so we get them from @@ -559,10 +567,10 @@ int ssl23_get_client_hello(SSL *s) } s->init_num=0; - if (buf != buf_space) Free(buf); + if (buf != buf_space) OPENSSL_free(buf); s->first_packet=1; return(SSL_accept(s)); err: - if (buf != buf_space) Free(buf); + if (buf != buf_space) OPENSSL_free(buf); return(-1); } diff --git a/lib/libssl/s3_both.c b/lib/libssl/s3_both.c index 03e0c38770b..d92c164b0fa 100644 --- a/lib/libssl/s3_both.c +++ b/lib/libssl/s3_both.c @@ -567,7 +567,7 @@ int ssl3_setup_buffers(SSL *s) extra=SSL3_RT_MAX_EXTRA; else extra=0; - if ((p=Malloc(SSL3_RT_MAX_PACKET_SIZE+extra)) + if ((p=OPENSSL_malloc(SSL3_RT_MAX_PACKET_SIZE+extra)) == NULL) goto err; s->s3->rbuf.buf=p; @@ -575,7 +575,7 @@ int ssl3_setup_buffers(SSL *s) if (s->s3->wbuf.buf == NULL) { - if ((p=Malloc(SSL3_RT_MAX_PACKET_SIZE)) + if ((p=OPENSSL_malloc(SSL3_RT_MAX_PACKET_SIZE)) == NULL) goto err; s->s3->wbuf.buf=p; diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c index 0c8f551f736..62040f9f1d0 100644 --- a/lib/libssl/s3_clnt.c +++ b/lib/libssl/s3_clnt.c @@ -69,7 +69,7 @@ static SSL_METHOD *ssl3_get_client_method(int ver); static int ssl3_client_hello(SSL *s); static int ssl3_get_server_hello(SSL *s); static int ssl3_get_certificate_request(SSL *s); -static int ca_dn_cmp(X509_NAME **a,X509_NAME **b); +static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); static int ssl3_get_server_done(SSL *s); static int ssl3_send_client_verify(SSL *s); static int ssl3_send_client_certificate(SSL *s); @@ -142,7 +142,12 @@ int ssl3_connect(SSL *s) if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); if ((s->version & 0xff00 ) != 0x0300) - abort(); + { + SSLerr(SSL_F_SSL3_CONNECT, SSL_R_INTERNAL_ERROR); + ret = -1; + goto end; + } + /* s->version=SSL3_VERSION; */ s->type=SSL_ST_CONNECT; @@ -764,6 +769,7 @@ static int ssl3_get_server_certificate(SSL *s) SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); goto f_err; } + ERR_clear_error(); /* but we keep s->verify_result */ sc=ssl_sess_cert_new(); if (sc == NULL) goto err; @@ -934,10 +940,12 @@ static int ssl3_get_key_exchange(SSL *s) s->session->sess_cert->peer_rsa_tmp=rsa; rsa=NULL; } - else +#else /* NO_RSA */ + if (0) + ; #endif #ifndef NO_DH - if (alg & SSL_kEDH) + else if (alg & SSL_kEDH) { if ((dh=DH_new()) == NULL) { @@ -993,10 +1001,12 @@ static int ssl3_get_key_exchange(SSL *s) #ifndef NO_RSA if (alg & SSL_aRSA) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); - else +#else + if (0) + ; #endif #ifndef NO_DSA - if (alg & SSL_aDSS) + else if (alg & SSL_aDSS) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); #endif /* else anonymous DH, so no certificate or pkey. */ @@ -1010,7 +1020,7 @@ static int ssl3_get_key_exchange(SSL *s) SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); goto f_err; } -#endif +#endif /* !NO_DH */ if (alg & SSL_aFZA) { al=SSL_AD_HANDSHAKE_FAILURE; @@ -1274,7 +1284,7 @@ err: return(ret); } -static int ca_dn_cmp(X509_NAME **a, X509_NAME **b) +static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) { return(X509_NAME_cmp(*a,*b)); } diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 7ada26cbb69..cee2021b6b0 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -648,7 +648,7 @@ int ssl3_new(SSL *s) { SSL3_STATE *s3; - if ((s3=Malloc(sizeof *s3)) == NULL) goto err; + if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err; memset(s3,0,sizeof *s3); s->s3=s3; @@ -666,11 +666,11 @@ void ssl3_free(SSL *s) ssl3_cleanup_key_block(s); if (s->s3->rbuf.buf != NULL) - Free(s->s3->rbuf.buf); + OPENSSL_free(s->s3->rbuf.buf); if (s->s3->wbuf.buf != NULL) - Free(s->s3->wbuf.buf); + OPENSSL_free(s->s3->wbuf.buf); if (s->s3->rrec.comp != NULL) - Free(s->s3->rrec.comp); + OPENSSL_free(s->s3->rrec.comp); #ifndef NO_DH if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); @@ -678,7 +678,7 @@ void ssl3_free(SSL *s) if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); memset(s->s3,0,sizeof *s->s3); - Free(s->s3); + OPENSSL_free(s->s3); s->s3=NULL; } @@ -692,7 +692,7 @@ void ssl3_clear(SSL *s) if (s->s3->rrec.comp != NULL) { - Free(s->s3->rrec.comp); + OPENSSL_free(s->s3->rrec.comp); s->s3->rrec.comp=NULL; } #ifndef NO_DH @@ -1041,7 +1041,7 @@ SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp, (char *)sorted, SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *), - (int (*)())ssl_cipher_ptr_id_cmp); + FP_ICC ssl_cipher_ptr_id_cmp); if ((cpp == NULL) || !(*cpp)->valid) return(NULL); else diff --git a/lib/libssl/s3_pkt.c b/lib/libssl/s3_pkt.c index eb965310d9b..14140798539 100644 --- a/lib/libssl/s3_pkt.c +++ b/lib/libssl/s3_pkt.c @@ -899,19 +899,21 @@ start: return(-1); } - if (s->s3->rbuf.left == 0) /* no read-ahead left? */ + if (!(s->mode & SSL_MODE_AUTO_RETRY)) { - BIO *bio; - /* In the case where we try to read application data - * the first time, but we trigger an SSL handshake, we - * return -1 with the retry option set. I do this - * otherwise renegotiation can cause nasty problems - * in the blocking world */ /* ? */ - s->rwstate=SSL_READING; - bio=SSL_get_rbio(s); - BIO_clear_retry_flags(bio); - BIO_set_retry_read(bio); - return(-1); + if (s->s3->rbuf.left == 0) /* no read-ahead left? */ + { + BIO *bio; + /* In the case where we try to read application data, + * but we trigger an SSL handshake, we return -1 with + * the retry option set. Otherwise renegotiation may + * cause nasty problems in the blocking world */ + s->rwstate=SSL_READING; + bio=SSL_get_rbio(s); + BIO_clear_retry_flags(bio); + BIO_set_retry_read(bio); + return(-1); + } } } } @@ -954,7 +956,7 @@ start: s->rwstate=SSL_NOTHING; s->s3->fatal_alert = alert_descr; SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); - sprintf(tmp,"%d",alert_descr); + BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr); ERR_add_error_data(2,"SSL alert number ",tmp); s->shutdown|=SSL_RECEIVED_SHUTDOWN; SSL_CTX_remove_session(s->ctx,s->session); @@ -1022,19 +1024,21 @@ start: return(-1); } - if (s->s3->rbuf.left == 0) /* no read-ahead left? */ + if (!(s->mode & SSL_MODE_AUTO_RETRY)) { - BIO *bio; - /* In the case where we try to read application data - * the first time, but we trigger an SSL handshake, we - * return -1 with the retry option set. I do this - * otherwise renegotiation can cause nasty problems - * in the blocking world */ /* ? */ - s->rwstate=SSL_READING; - bio=SSL_get_rbio(s); - BIO_clear_retry_flags(bio); - BIO_set_retry_read(bio); - return(-1); + if (s->s3->rbuf.left == 0) /* no read-ahead left? */ + { + BIO *bio; + /* In the case where we try to read application data, + * but we trigger an SSL handshake, we return -1 with + * the retry option set. Otherwise renegotiation may + * cause nasty problems in the blocking world */ + s->rwstate=SSL_READING; + bio=SSL_get_rbio(s); + BIO_clear_retry_flags(bio); + BIO_set_retry_read(bio); + return(-1); + } } goto start; } diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index e23ca20bd31..bb8cfb31e55 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -153,7 +153,10 @@ int ssl3_accept(SSL *s) if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); if ((s->version>>8) != 3) - abort(); + { + SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_INTERNAL_ERROR); + return -1; + } s->type=SSL_ST_ACCEPT; if (s->init_buf == NULL) @@ -982,7 +985,7 @@ static int ssl3_send_server_key_exchange(SSL *s) dhp=cert->dh_tmp; if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) dhp=s->cert->dh_tmp_cb(s, - !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), + SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); if (dhp == NULL) { @@ -1326,11 +1329,22 @@ static int ssl3_get_client_key_exchange(SSL *s) goto f_err; } - if ((p[0] != (s->client_version>>8)) || (p[1] != (s->client_version & 0xff))) + if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) { - al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); - goto f_err; + /* The premaster secret must contain the same version number as the + * ClientHello to detect version rollback attacks (strangely, the + * protocol does not offer such protection for DH ciphersuites). + * However, buggy clients exist that send the negotiated protocol + * version instead if the server does not support the requested + * protocol version. + * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ + if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && + (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) + { + al=SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); + goto f_err; + } } s->session->master_key_length= diff --git a/lib/libssl/shlib_version b/lib/libssl/shlib_version index c87e1c60d46..c29621c831e 100644 --- a/lib/libssl/shlib_version +++ b/lib/libssl/shlib_version @@ -1,2 +1,2 @@ major=2 -minor=4 +minor=5 diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index bb846f491c4..fdbdc70ba72 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -59,12 +59,21 @@ #ifndef HEADER_SSL_H #define HEADER_SSL_H +#ifndef NO_COMP +#include <openssl/comp.h> +#endif +#ifndef NO_BIO +#include <openssl/bio.h> +#endif +#ifndef NO_X509 +#include <openssl/x509.h> +#endif +#include <openssl/safestack.h> + #ifdef __cplusplus extern "C" { #endif -#include <openssl/safestack.h> - /* SSLeay version number for ASN.1 encoding of the session information */ /* Version 0 - initial version * Version 1 - added the optional peer certificate @@ -140,6 +149,10 @@ extern "C" { #define SSL_SENT_SHUTDOWN 1 #define SSL_RECEIVED_SHUTDOWN 2 +#ifdef __cplusplus +} +#endif + #include <openssl/crypto.h> #include <openssl/lhash.h> #include <openssl/buffer.h> @@ -147,6 +160,10 @@ extern "C" { #include <openssl/pem.h> #include <openssl/x509.h> +#ifdef __cplusplus +extern "C" { +#endif + #if (defined(NO_RSA) || defined(NO_MD5)) && !defined(NO_SSL2) #define NO_SSL2 #endif @@ -318,6 +335,9 @@ typedef struct ssl_session_st * the misconception that non-blocking SSL_write() behaves like * non-blocking write(): */ #define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L +/* Never bother the application with retries if the transport + * is blocking: */ +#define SSL_MODE_AUTO_RETRY 0x00000004L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, * they cannot be used to clear bits. */ @@ -343,15 +363,15 @@ typedef struct ssl_session_st #define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20) typedef struct ssl_comp_st -{ - int id; - char *name; -#ifdef HEADER_COMP_H - COMP_METHOD *method; + { + int id; + char *name; +#ifndef NO_COMP + COMP_METHOD *method; #else - char *method; + char *method; #endif -} SSL_COMP; + } SSL_COMP; DECLARE_STACK_OF(SSL_COMP) @@ -533,10 +553,10 @@ struct ssl_st * same. This is so data can be read and written to different * handlers */ -#ifdef HEADER_BIO_H +#ifndef NO_BIO BIO *rbio; /* used by SSL_read */ BIO *wbio; /* used by SSL_write */ - BIO *bbio; /* used during session-id reuse to concatinate + BIO *bbio; /* used during session-id reuse to concatenate * messages */ #else char *rbio; /* used by SSL_read */ @@ -597,7 +617,7 @@ struct ssl_st EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */ const EVP_MD *read_hash; /* used for mac generation */ -#ifdef HEADER_COMP_H +#ifndef NO_COMP COMP_CTX *expand; /* uncompress */ #else char *expand; @@ -605,7 +625,7 @@ struct ssl_st EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ const EVP_MD *write_hash; /* used for mac generation */ -#ifdef HEADER_COMP_H +#ifndef NO_COMP COMP_CTX *compress; /* compression */ #else char *compress; @@ -655,11 +675,19 @@ struct ssl_st * SSLv3/TLS rollback check */ }; +#ifdef __cplusplus +} +#endif + #include <openssl/ssl2.h> #include <openssl/ssl3.h> #include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */ #include <openssl/ssl23.h> +#ifdef __cplusplus +extern "C" { +#endif + /* compatibility */ #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) @@ -883,7 +911,7 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count); #define SSL_add_dir_cert_subjects_to_stack SSL_add_dir_cert_sub_to_stack #endif -#ifdef HEADER_BIO_H +#ifndef NO_BIO BIO_METHOD *BIO_f_ssl(void); BIO *BIO_new_ssl(SSL_CTX *ctx,int client); BIO *BIO_new_ssl_connect(SSL_CTX *ctx); @@ -920,7 +948,7 @@ int SSL_set_fd(SSL *s, int fd); int SSL_set_rfd(SSL *s, int fd); int SSL_set_wfd(SSL *s, int fd); #endif -#ifdef HEADER_BIO_H +#ifndef NO_BIO void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio); BIO * SSL_get_rbio(SSL *s); BIO * SSL_get_wbio(SSL *s); @@ -975,7 +1003,7 @@ int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b); #ifndef NO_FP_API int SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses); #endif -#ifdef HEADER_BIO_H +#ifndef NO_BIO int SSL_SESSION_print(BIO *fp,SSL_SESSION *ses); #endif void SSL_SESSION_free(SSL_SESSION *ses); @@ -1171,7 +1199,7 @@ void SSL_set_tmp_dh_callback(SSL *ssl, int keylength)); #endif -#ifdef HEADER_COMP_H +#ifndef NO_COMP int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm); #else int SSL_COMP_add_compression_method(int id,char *cm); @@ -1443,6 +1471,7 @@ int SSL_COMP_add_compression_method(int id,char *cm); #define SSL_R_READ_WRONG_PACKET_TYPE 212 #define SSL_R_RECORD_LENGTH_MISMATCH 213 #define SSL_R_RECORD_TOO_LARGE 214 +#define SSL_R_RECORD_TOO_SMALL 1093 #define SSL_R_REQUIRED_CIPHER_MISSING 215 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217 diff --git a/lib/libssl/ssl2.h b/lib/libssl/ssl2.h index 01d41c88c57..df7d03c18f7 100644 --- a/lib/libssl/ssl2.h +++ b/lib/libssl/ssl2.h @@ -133,7 +133,11 @@ extern "C" { /* Upper/Lower Bounds */ #define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256 +#ifdef MPE +#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)29998 +#else #define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)32767 +#endif #define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /**/ #define SSL2_CHALLENGE_LENGTH 16 diff --git a/lib/libssl/ssl3.h b/lib/libssl/ssl3.h index f616763830e..7ee1feaa677 100644 --- a/lib/libssl/ssl3.h +++ b/lib/libssl/ssl3.h @@ -59,6 +59,9 @@ #ifndef HEADER_SSL3_H #define HEADER_SSL3_H +#ifndef NO_COMP +#include <openssl/comp.h> +#endif #include <openssl/buffer.h> #include <openssl/evp.h> #include <openssl/ssl.h> @@ -310,7 +313,7 @@ typedef struct ssl3_state_st const EVP_CIPHER *new_sym_enc; const EVP_MD *new_hash; -#ifdef HEADER_COMP_H +#ifndef NO_COMP const SSL_COMP *new_compression; #else char *new_compression; diff --git a/lib/libssl/ssl_asn1.c b/lib/libssl/ssl_asn1.c index e77cdddfd3f..fa6456e4f5e 100644 --- a/lib/libssl/ssl_asn1.c +++ b/lib/libssl/ssl_asn1.c @@ -92,7 +92,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) /* Note that I cheat in the following 2 assignments. I know * that if the ASN1_INTEGER passed to ASN1_INTEGER_set - * is > sizeof(long)+1, the buffer will not be re-Malloc()ed. + * is > sizeof(long)+1, the buffer will not be re-OPENSSL_malloc()ed. * This is a bit evil but makes things simple, no dynamic allocation * to clean up :-) */ a.version.length=LSIZE2; @@ -223,13 +223,13 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, ai.data=NULL; ai.length=0; M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER); version=(int)ASN1_INTEGER_get(aip); - if (ai.data != NULL) { Free(ai.data); ai.data=NULL; ai.length=0; } + if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; } /* we don't care about the version right now :-) */ M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER); ssl_version=(int)ASN1_INTEGER_get(aip); ret->ssl_version=ssl_version; - if (ai.data != NULL) { Free(ai.data); ai.data=NULL; ai.length=0; } + if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; } os.data=NULL; os.length=0; M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING); @@ -291,14 +291,14 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, else ret->key_arg_length=os.length; memcpy(ret->key_arg,os.data,ret->key_arg_length); - if (os.data != NULL) Free(os.data); + if (os.data != NULL) OPENSSL_free(os.data); ai.length=0; M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,1); if (ai.data != NULL) { ret->time=ASN1_INTEGER_get(aip); - Free(ai.data); ai.data=NULL; ai.length=0; + OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; } else ret->time=time(NULL); @@ -308,7 +308,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, if (ai.data != NULL) { ret->timeout=ASN1_INTEGER_get(aip); - Free(ai.data); ai.data=NULL; ai.length=0; + OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; } else ret->timeout=3; @@ -330,7 +330,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH); ret->sid_ctx_length=os.length; memcpy(ret->sid_ctx,os.data,os.length); - Free(os.data); os.data=NULL; os.length=0; + OPENSSL_free(os.data); os.data=NULL; os.length=0; } else ret->sid_ctx_length=0; @@ -340,7 +340,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, if (ai.data != NULL) { ret->verify_result=ASN1_INTEGER_get(aip); - Free(ai.data); ai.data=NULL; ai.length=0; + OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; } else ret->verify_result=X509_V_OK; diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c index f2335d56503..c26df62c207 100644 --- a/lib/libssl/ssl_cert.c +++ b/lib/libssl/ssl_cert.c @@ -143,7 +143,7 @@ CERT *ssl_cert_new(void) { CERT *ret; - ret=(CERT *)Malloc(sizeof(CERT)); + ret=(CERT *)OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE); @@ -162,7 +162,7 @@ CERT *ssl_cert_dup(CERT *cert) CERT *ret; int i; - ret = (CERT *)Malloc(sizeof(CERT)); + ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); @@ -331,7 +331,7 @@ void ssl_cert_free(CERT *c) EVP_PKEY_free(c->pkeys[i].publickey); #endif } - Free(c); + OPENSSL_free(c); } int ssl_cert_inst(CERT **o) @@ -367,7 +367,7 @@ SESS_CERT *ssl_sess_cert_new(void) { SESS_CERT *ret; - ret = Malloc(sizeof *ret); + ret = OPENSSL_malloc(sizeof *ret); if (ret == NULL) { SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE); @@ -426,7 +426,7 @@ void ssl_sess_cert_free(SESS_CERT *sc) DH_free(sc->peer_dh_tmp); #endif - Free(sc); + OPENSSL_free(sc); } int ssl_set_peer_cert_type(SESS_CERT *sc,int type) @@ -568,7 +568,7 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x) return(add_client_CA(&(ctx->client_CA),x)); } -static int xname_cmp(X509_NAME **a,X509_NAME **b) +static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b) { return(X509_NAME_cmp(*a,*b)); } @@ -589,7 +589,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) X509_NAME *xn=NULL; STACK_OF(X509_NAME) *ret,*sk; - ret=sk_X509_NAME_new(NULL); + ret=sk_X509_NAME_new_null(); sk=sk_X509_NAME_new(xname_cmp); in=BIO_new(BIO_s_file_internal()); @@ -644,53 +644,53 @@ err: int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *file) - { - BIO *in; - X509 *x=NULL; - X509_NAME *xn=NULL; - int ret=1; - int (*oldcmp)(X509_NAME **a, X509_NAME **b); - - oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp); - - in=BIO_new(BIO_s_file_internal()); - - if (in == NULL) { - SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE); - goto err; - } + BIO *in; + X509 *x=NULL; + X509_NAME *xn=NULL; + int ret=1; + int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b); - if (!BIO_read_filename(in,file)) - goto err; - - for (;;) - { - if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL) - break; - if ((xn=X509_get_subject_name(x)) == NULL) goto err; - xn=X509_NAME_dup(xn); - if (xn == NULL) goto err; - if (sk_X509_NAME_find(stack,xn) >= 0) - X509_NAME_free(xn); - else - sk_X509_NAME_push(stack,xn); - } + oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp); + + in=BIO_new(BIO_s_file_internal()); + + if (in == NULL) + { + SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE); + goto err; + } + + if (!BIO_read_filename(in,file)) + goto err; + + for (;;) + { + if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL) + break; + if ((xn=X509_get_subject_name(x)) == NULL) goto err; + xn=X509_NAME_dup(xn); + if (xn == NULL) goto err; + if (sk_X509_NAME_find(stack,xn) >= 0) + X509_NAME_free(xn); + else + sk_X509_NAME_push(stack,xn); + } - if (0) - { + if (0) + { err: - ret=0; - } - if(in != NULL) - BIO_free(in); - if(x != NULL) - X509_free(x); - - sk_X509_NAME_set_cmp_func(stack,oldcmp); + ret=0; + } + if(in != NULL) + BIO_free(in); + if(x != NULL) + X509_free(x); + + sk_X509_NAME_set_cmp_func(stack,oldcmp); - return ret; - } + return ret; + } /*! * Add a directory of certs to a stack. @@ -709,44 +709,46 @@ err: int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *dir) - { - DIR *d; - struct dirent *dstruct; - int ret = 0; - - CRYPTO_w_lock(CRYPTO_LOCK_READDIR); - d = opendir(dir); - - /* Note that a side effect is that the CAs will be sorted by name */ - if(!d) { - SYSerr(SYS_F_OPENDIR, get_last_sys_error()); - ERR_add_error_data(3, "opendir('", dir, "')"); - SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB); - goto err; - } + DIR *d; + struct dirent *dstruct; + int ret = 0; - while((dstruct=readdir(d))) - { - char buf[1024]; + CRYPTO_w_lock(CRYPTO_LOCK_READDIR); + d = opendir(dir); - if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf) - { - SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG); - goto err; - } + /* Note that a side effect is that the CAs will be sorted by name */ + if(!d) + { + SYSerr(SYS_F_OPENDIR, get_last_sys_error()); + ERR_add_error_data(3, "opendir('", dir, "')"); + SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB); + goto err; + } - sprintf(buf,"%s/%s",dir,dstruct->d_name); - if(!SSL_add_file_cert_subjects_to_stack(stack,buf)) - goto err; - } - ret = 1; + while((dstruct=readdir(d))) + { + char buf[1024]; + int r; + + if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf) + { + SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG); + goto err; + } + + r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,dstruct->d_name); + if (r <= 0 || r >= sizeof buf) + goto err; + if(!SSL_add_file_cert_subjects_to_stack(stack,buf)) + goto err; + } + ret = 1; err: - closedir(d); - CRYPTO_w_unlock(CRYPTO_LOCK_READDIR); - return ret; - } + CRYPTO_w_unlock(CRYPTO_LOCK_READDIR); + return ret; + } #endif #endif diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index 7436a50ad14..f63163f26c3 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -518,7 +518,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p, curr = curr->next; } - number_uses = Malloc((max_strength_bits + 1) * sizeof(int)); + number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int)); if (!number_uses) { SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE); @@ -545,7 +545,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p, ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i, list, head_p, tail_p); - Free(number_uses); + OPENSSL_free(number_uses); return(1); } @@ -738,7 +738,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, * it is used for allocation. */ num_of_ciphers = ssl_method->num_ciphers(); - list = (CIPHER_ORDER *)Malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); + list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); if (list == NULL) { SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); @@ -759,10 +759,10 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER); num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = - (SSL_CIPHER **)Malloc(sizeof(SSL_CIPHER *) * num_of_alias_max); + (SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max); if (ca_list == NULL) { - Free(list); + OPENSSL_free(list); SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ } @@ -788,20 +788,20 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, ok = ssl_cipher_process_rulestr(rule_p, list, &head, &tail, ca_list); - Free(ca_list); /* Not needed anymore */ + OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ - Free(list); + OPENSSL_free(list); return(NULL); } /* * Allocate new "cipherstack" for the result, return with error * if we cannot get one. */ - if ((cipherstack = sk_SSL_CIPHER_new(NULL)) == NULL) + if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { - Free(list); + OPENSSL_free(list); return(NULL); } @@ -819,7 +819,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, #endif } } - Free(list); /* Not needed any longer */ + OPENSSL_free(list); /* Not needed any longer */ /* * The following passage is a little bit odd. If pointer variables @@ -975,13 +975,14 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) if (buf == NULL) { - buf=Malloc(128); - if (buf == NULL) return("Malloc Error"); + len=128; + buf=OPENSSL_malloc(len); + if (buf == NULL) return("OPENSSL_malloc Error"); } else if (len < 128) return("Buffer too small"); - sprintf(buf,format,cipher->name,ver,kx,au,enc,mac,exp); + BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp); return(buf); } @@ -1036,7 +1037,8 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) return(NULL); } -static int sk_comp_cmp(SSL_COMP **a,SSL_COMP **b) +static int sk_comp_cmp(const SSL_COMP * const *a, + const SSL_COMP * const *b) { return((*a)->id-(*b)->id); } @@ -1051,7 +1053,7 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) SSL_COMP *comp; STACK_OF(SSL_COMP) *sk; - comp=(SSL_COMP *)Malloc(sizeof(SSL_COMP)); + comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); comp->id=id; comp->method=cm; if (ssl_comp_methods == NULL) diff --git a/lib/libssl/ssl_err.c b/lib/libssl/ssl_err.c index 642c3f93e7b..17b4caf528a 100644 --- a/lib/libssl/ssl_err.c +++ b/lib/libssl/ssl_err.c @@ -327,6 +327,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_READ_WRONG_PACKET_TYPE ,"read wrong packet type"}, {SSL_R_RECORD_LENGTH_MISMATCH ,"record length mismatch"}, {SSL_R_RECORD_TOO_LARGE ,"record too large"}, +{SSL_R_RECORD_TOO_SMALL ,"record too small"}, {SSL_R_REQUIRED_CIPHER_MISSING ,"required cipher missing"}, {SSL_R_REUSE_CERT_LENGTH_NOT_ZERO ,"reuse cert length not zero"}, {SSL_R_REUSE_CERT_TYPE_NOT_ZERO ,"reuse cert type not zero"}, diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index c515c41b4e7..635b25062e8 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -58,6 +58,8 @@ * [including the GNU Public Licence.] */ + +#include <assert.h> #include <stdio.h> #include <openssl/objects.h> #include <openssl/lhash.h> @@ -183,7 +185,7 @@ SSL *SSL_new(SSL_CTX *ctx) return(NULL); } - s=(SSL *)Malloc(sizeof(SSL)); + s=(SSL *)OPENSSL_malloc(sizeof(SSL)); if (s == NULL) goto err; memset(s,0,sizeof(SSL)); @@ -239,7 +241,7 @@ err: ssl_cert_free(s->cert); if (s->ctx != NULL) SSL_CTX_free(s->ctx); /* decrement reference count */ - Free(s); + OPENSSL_free(s); } SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE); return(NULL); @@ -375,7 +377,7 @@ void SSL_free(SSL *s) if (s->method != NULL) s->method->ssl_free(s); - Free(s); + OPENSSL_free(s); } void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio) @@ -874,7 +876,7 @@ long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) } } -int ssl_cipher_id_cmp(SSL_CIPHER *a,SSL_CIPHER *b) +int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) { long l; @@ -885,7 +887,8 @@ int ssl_cipher_id_cmp(SSL_CIPHER *a,SSL_CIPHER *b) return((l > 0)?1:-1); } -int ssl_cipher_ptr_id_cmp(SSL_CIPHER **ap,SSL_CIPHER **bp) +int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, + const SSL_CIPHER * const *bp) { long l; @@ -1033,7 +1036,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, return(NULL); } if ((skp == NULL) || (*skp == NULL)) - sk=sk_SSL_CIPHER_new(NULL); /* change perhaps later */ + sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */ else { sk= *skp; @@ -1099,7 +1102,7 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; } - ret=(SSL_CTX *)Malloc(sizeof(SSL_CTX)); + ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX)); if (ret == NULL) goto err; @@ -1195,7 +1198,7 @@ err2: } static void SSL_COMP_free(SSL_COMP *comp) - { Free(comp); } + { OPENSSL_free(comp); } void SSL_CTX_free(SSL_CTX *a) { @@ -1236,7 +1239,7 @@ void SSL_CTX_free(SSL_CTX *a) sk_X509_pop_free(a->extra_certs,X509_free); if (a->comp_methods != NULL) sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free); - Free(a); + OPENSSL_free(a); } void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) @@ -1759,13 +1762,13 @@ void ssl_clear_cipher_ctx(SSL *s) if (s->enc_read_ctx != NULL) { EVP_CIPHER_CTX_cleanup(s->enc_read_ctx); - Free(s->enc_read_ctx); + OPENSSL_free(s->enc_read_ctx); s->enc_read_ctx=NULL; } if (s->enc_write_ctx != NULL) { EVP_CIPHER_CTX_cleanup(s->enc_write_ctx); - Free(s->enc_write_ctx); + OPENSSL_free(s->enc_write_ctx); s->enc_write_ctx=NULL; } if (s->expand != NULL) @@ -1843,19 +1846,16 @@ int ssl_init_wbio_buffer(SSL *s,int push) void ssl_free_wbio_buffer(SSL *s) { - BIO *under; - if (s->bbio == NULL) return; if (s->bbio == s->wbio) { /* remove buffering */ - under=BIO_pop(s->wbio); - if (under != NULL) - s->wbio=under; - else - abort(); /* ok */ - } + s->wbio=BIO_pop(s->wbio); +#ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */ + assert(s->wbio != NULL); +#endif + } BIO_free(s->bbio); s->bbio=NULL; } diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 9a52bab254a..d70fff4627d 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -423,8 +423,9 @@ void ssl_sess_cert_free(SESS_CERT *sc); int ssl_set_peer_cert_type(SESS_CERT *c, int type); int ssl_get_new_session(SSL *s, int session); int ssl_get_prev_session(SSL *s, unsigned char *session,int len); -int ssl_cipher_id_cmp(SSL_CIPHER *a,SSL_CIPHER *b); -int ssl_cipher_ptr_id_cmp(SSL_CIPHER **ap,SSL_CIPHER **bp); +int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b); +int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, + const SSL_CIPHER * const *bp); STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, STACK_OF(SSL_CIPHER) **skp); int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p); diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c index 9e01f727532..416def8908e 100644 --- a/lib/libssl/ssl_sess.c +++ b/lib/libssl/ssl_sess.c @@ -111,7 +111,7 @@ SSL_SESSION *SSL_SESSION_new(void) { SSL_SESSION *ss; - ss=(SSL_SESSION *)Malloc(sizeof(SSL_SESSION)); + ss=(SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION)); if (ss == NULL) { SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE); @@ -310,7 +310,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len) #if 0 /* This is way too late. */ /* If a thread got the session, then 'swaped', and another got - * it and then due to a time-out decided to 'Free' it we could + * it and then due to a time-out decided to 'OPENSSL_free' it we could * be in trouble. So I'll increment it now, then double decrement * later - am I speaking rubbish?. */ CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); @@ -474,7 +474,7 @@ void SSL_SESSION_free(SSL_SESSION *ss) if (ss->peer != NULL) X509_free(ss->peer); if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); memset(ss,0,sizeof(*ss)); - Free(ss); + OPENSSL_free(ss); } int SSL_set_session(SSL *s, SSL_SESSION *session) diff --git a/lib/libssl/ssl_txt.c b/lib/libssl/ssl_txt.c index c07d9575767..6e33eec3e4f 100644 --- a/lib/libssl/ssl_txt.c +++ b/lib/libssl/ssl_txt.c @@ -81,7 +81,7 @@ int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x) int SSL_SESSION_print(BIO *bp, SSL_SESSION *x) { unsigned int i; - char str[128],*s; + char *s; if (x == NULL) goto err; if (BIO_puts(bp,"SSL-Session:\n") <= 0) goto err; @@ -93,36 +93,41 @@ int SSL_SESSION_print(BIO *bp, SSL_SESSION *x) s="TLSv1"; else s="unknown"; - sprintf(str," Protocol : %s\n",s); - if (BIO_puts(bp,str) <= 0) goto err; + if (BIO_printf(bp," Protocol : %s\n",s) <= 0) goto err; if (x->cipher == NULL) { if (((x->cipher_id) & 0xff000000) == 0x02000000) - sprintf(str," Cipher : %06lX\n",x->cipher_id&0xffffff); + { + if (BIO_printf(bp," Cipher : %06lX\n",x->cipher_id&0xffffff) <= 0) + goto err; + } else - sprintf(str," Cipher : %04lX\n",x->cipher_id&0xffff); + { + if (BIO_printf(bp," Cipher : %04lX\n",x->cipher_id&0xffff) <= 0) + goto err; + } } else - sprintf(str," Cipher : %s\n",(x->cipher == NULL)?"unknown":x->cipher->name); - if (BIO_puts(bp,str) <= 0) goto err; + { + if (BIO_printf(bp," Cipher : %s\n",((x->cipher == NULL)?"unknown":x->cipher->name)) <= 0) + goto err; + } if (BIO_puts(bp," Session-ID: ") <= 0) goto err; for (i=0; i<x->session_id_length; i++) { - sprintf(str,"%02X",x->session_id[i]); - if (BIO_puts(bp,str) <= 0) goto err; + if (BIO_printf(bp,"%02X",x->session_id[i]) <= 0) goto err; } if (BIO_puts(bp,"\n Session-ID-ctx: ") <= 0) goto err; for (i=0; i<x->sid_ctx_length; i++) { - sprintf(str,"%02X",x->sid_ctx[i]); - if (BIO_puts(bp,str) <= 0) goto err; + if (BIO_printf(bp,"%02X",x->sid_ctx[i]) <= 0) + goto err; } if (BIO_puts(bp,"\n Master-Key: ") <= 0) goto err; for (i=0; i<(unsigned int)x->master_key_length; i++) { - sprintf(str,"%02X",x->master_key[i]); - if (BIO_puts(bp,str) <= 0) goto err; + if (BIO_printf(bp,"%02X",x->master_key[i]) <= 0) goto err; } if (BIO_puts(bp,"\n Key-Arg : ") <= 0) goto err; if (x->key_arg_length == 0) @@ -132,8 +137,7 @@ int SSL_SESSION_print(BIO *bp, SSL_SESSION *x) else for (i=0; i<x->key_arg_length; i++) { - sprintf(str,"%02X",x->key_arg[i]); - if (BIO_puts(bp,str) <= 0) goto err; + if (BIO_printf(bp,"%02X",x->key_arg[i]) <= 0) goto err; } if (x->compress_meth != 0) { @@ -142,32 +146,26 @@ int SSL_SESSION_print(BIO *bp, SSL_SESSION *x) ssl_cipher_get_evp(x,NULL,NULL,&comp); if (comp == NULL) { - sprintf(str,"\n Compression: %d",x->compress_meth); - if (BIO_puts(bp,str) <= 0) goto err; + if (BIO_printf(bp,"\n Compression: %d",x->compress_meth) <= 0) goto err; } else { - sprintf(str,"\n Compression: %d (%s)", - comp->id,comp->method->name); - if (BIO_puts(bp,str) <= 0) goto err; + if (BIO_printf(bp,"\n Compression: %d (%s)", comp->id,comp->method->name) <= 0) goto err; } } if (x->time != 0L) { - sprintf(str,"\n Start Time: %ld",x->time); - if (BIO_puts(bp,str) <= 0) goto err; + if (BIO_printf(bp, "\n Start Time: %ld",x->time) <= 0) goto err; } if (x->timeout != 0L) { - sprintf(str,"\n Timeout : %ld (sec)",x->timeout); - if (BIO_puts(bp,str) <= 0) goto err; + if (BIO_printf(bp, "\n Timeout : %ld (sec)",x->timeout) <= 0) goto err; } if (BIO_puts(bp,"\n") <= 0) goto err; if (BIO_puts(bp, " Verify return code: ") <= 0) goto err; - sprintf(str, "%ld (%s)\n", x->verify_result, - X509_verify_cert_error_string(x->verify_result)); - if (BIO_puts(bp,str) <= 0) goto err; + if (BIO_printf(bp, "%ld (%s)\n", x->verify_result, + X509_verify_cert_error_string(x->verify_result)) <= 0) goto err; return(1); err: diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c index 279e45db5dd..0d34357eb47 100644 --- a/lib/libssl/t1_enc.c +++ b/lib/libssl/t1_enc.c @@ -178,7 +178,7 @@ int tls1_change_cipher_state(SSL *s, int which) { if ((s->enc_read_ctx == NULL) && ((s->enc_read_ctx=(EVP_CIPHER_CTX *) - Malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) + OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) goto err; dd= s->enc_read_ctx; s->read_hash=m; @@ -197,7 +197,7 @@ int tls1_change_cipher_state(SSL *s, int which) } if (s->s3->rrec.comp == NULL) s->s3->rrec.comp=(unsigned char *) - Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); + OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); if (s->s3->rrec.comp == NULL) goto err; } @@ -208,7 +208,7 @@ int tls1_change_cipher_state(SSL *s, int which) { if ((s->enc_write_ctx == NULL) && ((s->enc_write_ctx=(EVP_CIPHER_CTX *) - Malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) + OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) goto err; dd= s->enc_write_ctx; s->write_hash=m; @@ -355,9 +355,9 @@ int tls1_setup_key_block(SSL *s) ssl3_cleanup_key_block(s); - if ((p1=(unsigned char *)Malloc(num)) == NULL) + if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) goto err; - if ((p2=(unsigned char *)Malloc(num)) == NULL) + if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL) goto err; s->s3->tmp.key_block_length=num; @@ -374,7 +374,7 @@ printf("pre-master\n"); #endif tls1_generate_key_block(s,p1,p2,num); memset(p2,0,num); - Free(p2); + OPENSSL_free(p2); #ifdef TLS_DEBUG printf("\nkey block\n"); { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } diff --git a/lib/libssl/test/Makefile.ssl b/lib/libssl/test/Makefile.ssl index dbb523bf15f..b961dabc3cc 100644 --- a/lib/libssl/test/Makefile.ssl +++ b/lib/libssl/test/Makefile.ssl @@ -38,6 +38,7 @@ SHA1TEST= sha1test MDC2TEST= mdc2test RMDTEST= rmdtest MD2TEST= md2test +MD4TEST= md4test MD5TEST= md5test HMACTEST= hmactest RC2TEST= rc2test @@ -52,24 +53,27 @@ DSATEST= dsatest METHTEST= methtest SSLTEST= ssltest RSATEST= rsa_test +ENGINETEST= enginetest -EXE= $(BNTEST) $(IDEATEST) $(MD2TEST) $(MD5TEST) $(HMACTEST) \ +EXE= $(BNTEST) $(IDEATEST) $(MD2TEST) $(MD4TEST) $(MD5TEST) $(HMACTEST) \ $(RC2TEST) $(RC4TEST) $(RC5TEST) \ $(DESTEST) $(SHATEST) $(SHA1TEST) $(MDC2TEST) $(RMDTEST) \ - $(RANDTEST) $(DHTEST) \ + $(RANDTEST) $(DHTEST) $(ENGINETEST) \ $(BFTEST) $(CASTTEST) $(SSLTEST) $(EXPTEST) $(DSATEST) $(RSATEST) # $(METHTEST) -OBJ= $(BNTEST).o $(IDEATEST).o $(MD2TEST).o $(MD5TEST).o $(HMACTEST).o \ +OBJ= $(BNTEST).o $(IDEATEST).o $(MD2TEST).o $(MD4TEST).o $(MD5TEST).o \ + $(HMACTEST).o \ $(RC2TEST).o $(RC4TEST).o $(RC5TEST).o \ $(DESTEST).o $(SHATEST).o $(SHA1TEST).o $(MDC2TEST).o $(RMDTEST).o \ - $(RANDTEST).o $(DHTEST).o $(CASTTEST).o \ + $(RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \ $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o -SRC= $(BNTEST).c $(IDEATEST).c $(MD2TEST).c $(MD5TEST).c $(HMACTEST).c \ +SRC= $(BNTEST).c $(IDEATEST).c $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ + $(HMACTEST).c \ $(RC2TEST).c $(RC4TEST).c $(RC5TEST).c \ $(DESTEST).c $(SHATEST).c $(SHA1TEST).c $(MDC2TEST).c $(RMDTEST).c \ - $(RANDTEST).c $(DHTEST).c $(CASTTEST).c \ + $(RANDTEST).c $(DHTEST).c $(ENGINETEST).c $(CASTTEST).c \ $(BFTEST).c $(SSLTEST).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c EXHEADER= @@ -98,11 +102,12 @@ tags: ctags $(SRC) tests: exe apps \ - test_des test_idea test_sha test_md5 test_hmac test_md2 test_mdc2 \ + test_des test_idea test_sha test_md4 test_md5 test_hmac \ + test_md2 test_mdc2 \ test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast \ test_rand test_bn test_enc test_x509 test_rsa test_crl test_sid \ test_gen test_req test_pkcs7 test_verify test_dh test_dsa \ - test_ss test_ssl test_ca + test_ss test_ca test_engine test_ssl apps: @(cd ../apps; $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' all) @@ -123,6 +128,9 @@ test_mdc2: test_md5: ./$(MD5TEST) +test_md4: + ./$(MD4TEST) + test_hmac: ./$(HMACTEST) @@ -210,6 +218,10 @@ test_ss: @echo "Generate and certify a test certificate" @sh ./testss +test_engine: + @echo "Manipulate the ENGINE structures" + ./$(ENGINETEST) + test_ssl: @echo "test SSL protocol" @sh ./testssl @@ -264,6 +276,9 @@ $(RMDTEST): $(RMDTEST).o $(DLIBCRYPTO) $(MDC2TEST): $(MDC2TEST).o $(DLIBCRYPTO) $(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) +$(MD4TEST): $(MD4TEST).o $(DLIBCRYPTO) + $(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) + $(MD5TEST): $(MD5TEST).o $(DLIBCRYPTO) $(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) @@ -303,25 +318,31 @@ $(METHTEST): $(METHTEST).o $(DLIBCRYPTO) $(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO) $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBCRYPTO) $(EX_LIBS) +$(ENGINETEST): $(ENGINETEST).o $(DLIBCRYPTO) + $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) + # DO NOT DELETE THIS LINE -- make depend depends on it. bftest.o: ../include/openssl/blowfish.h bntest.o: ../include/openssl/asn1.h ../include/openssl/bio.h bntest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -bntest.o: ../include/openssl/cast.h ../include/openssl/crypto.h -bntest.o: ../include/openssl/des.h ../include/openssl/dh.h -bntest.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -bntest.o: ../include/openssl/e_os2.h ../include/openssl/err.h -bntest.o: ../include/openssl/evp.h ../include/openssl/idea.h -bntest.o: ../include/openssl/md2.h ../include/openssl/md5.h -bntest.o: ../include/openssl/mdc2.h ../include/openssl/objects.h +bntest.o: ../include/openssl/buffer.h ../include/openssl/cast.h +bntest.o: ../include/openssl/crypto.h ../include/openssl/des.h +bntest.o: ../include/openssl/dh.h ../include/openssl/dsa.h +bntest.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h +bntest.o: ../include/openssl/err.h ../include/openssl/evp.h +bntest.o: ../include/openssl/idea.h ../include/openssl/lhash.h +bntest.o: ../include/openssl/md2.h ../include/openssl/md4.h +bntest.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +bntest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h bntest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h bntest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h bntest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h bntest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h bntest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h bntest.o: ../include/openssl/sha.h ../include/openssl/stack.h -bntest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +bntest.o: ../include/openssl/symhacks.h ../include/openssl/x509.h +bntest.o: ../include/openssl/x509_vfy.h casttest.o: ../include/openssl/cast.h destest.o: ../include/openssl/des.h ../include/openssl/e_os2.h destest.o: ../include/openssl/opensslconf.h @@ -329,18 +350,37 @@ dhtest.o: ../include/openssl/bio.h ../include/openssl/bn.h dhtest.o: ../include/openssl/crypto.h ../include/openssl/dh.h dhtest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h dhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h -dhtest.o: ../include/openssl/stack.h +dhtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h dsatest.o: ../include/openssl/bio.h ../include/openssl/bn.h dsatest.o: ../include/openssl/crypto.h ../include/openssl/dh.h dsatest.o: ../include/openssl/dsa.h ../include/openssl/err.h -dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -dsatest.o: ../include/openssl/rand.h ../include/openssl/safestack.h -dsatest.o: ../include/openssl/stack.h +dsatest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h +dsatest.o: ../include/openssl/opensslv.h ../include/openssl/rand.h +dsatest.o: ../include/openssl/safestack.h ../include/openssl/stack.h +dsatest.o: ../include/openssl/symhacks.h +enginetest.o: ../include/openssl/asn1.h ../include/openssl/bio.h +enginetest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h +enginetest.o: ../include/openssl/cast.h ../include/openssl/crypto.h +enginetest.o: ../include/openssl/des.h ../include/openssl/dh.h +enginetest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +enginetest.o: ../include/openssl/engine.h ../include/openssl/err.h +enginetest.o: ../include/openssl/evp.h ../include/openssl/idea.h +enginetest.o: ../include/openssl/lhash.h ../include/openssl/md2.h +enginetest.o: ../include/openssl/md4.h ../include/openssl/md5.h +enginetest.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +enginetest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +enginetest.o: ../include/openssl/opensslv.h ../include/openssl/rand.h +enginetest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +enginetest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +enginetest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +enginetest.o: ../include/openssl/sha.h ../include/openssl/stack.h +enginetest.o: ../include/openssl/symhacks.h exptest.o: ../include/openssl/bio.h ../include/openssl/bn.h exptest.o: ../include/openssl/crypto.h ../include/openssl/err.h -exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -exptest.o: ../include/openssl/rand.h ../include/openssl/safestack.h -exptest.o: ../include/openssl/stack.h +exptest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h +exptest.o: ../include/openssl/opensslv.h ../include/openssl/rand.h +exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h +exptest.o: ../include/openssl/symhacks.h hmactest.o: ../include/openssl/asn1.h ../include/openssl/bio.h hmactest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h hmactest.o: ../include/openssl/cast.h ../include/openssl/crypto.h @@ -348,15 +388,17 @@ hmactest.o: ../include/openssl/des.h ../include/openssl/dh.h hmactest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h hmactest.o: ../include/openssl/evp.h ../include/openssl/hmac.h hmactest.o: ../include/openssl/idea.h ../include/openssl/md2.h -hmactest.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +hmactest.o: ../include/openssl/md4.h ../include/openssl/md5.h +hmactest.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h hmactest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h hmactest.o: ../include/openssl/opensslv.h ../include/openssl/rc2.h hmactest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h hmactest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h hmactest.o: ../include/openssl/safestack.h ../include/openssl/sha.h -hmactest.o: ../include/openssl/stack.h +hmactest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ideatest.o: ../include/openssl/idea.h ../include/openssl/opensslconf.h md2test.o: ../include/openssl/md2.h ../include/openssl/opensslconf.h +md4test.o: ../include/openssl/md4.h md5test.o: ../include/openssl/md5.h mdc2test.o: ../include/openssl/des.h ../include/openssl/e_os2.h mdc2test.o: ../include/openssl/mdc2.h ../include/openssl/opensslconf.h @@ -365,32 +407,35 @@ rc2test.o: ../include/openssl/opensslconf.h ../include/openssl/rc2.h rc4test.o: ../include/openssl/opensslconf.h ../include/openssl/rc4.h rc5test.o: ../include/openssl/rc5.h rmdtest.o: ../include/openssl/ripemd.h -rsa_test.o: ../include/openssl/bn.h ../include/openssl/crypto.h -rsa_test.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h -rsa_test.o: ../include/openssl/err.h ../include/openssl/opensslconf.h +rsa_test.o: ../include/openssl/bio.h ../include/openssl/bn.h +rsa_test.o: ../include/openssl/crypto.h ../include/openssl/e_os.h +rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/err.h +rsa_test.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h rsa_test.o: ../include/openssl/opensslv.h ../include/openssl/rand.h rsa_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -rsa_test.o: ../include/openssl/stack.h +rsa_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h sha1test.o: ../include/openssl/sha.h shatest.o: ../include/openssl/sha.h ssltest.o: ../include/openssl/asn1.h ../include/openssl/bio.h ssltest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h ssltest.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssltest.o: ../include/openssl/crypto.h ../include/openssl/des.h -ssltest.o: ../include/openssl/dh.h ../include/openssl/dsa.h -ssltest.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h -ssltest.o: ../include/openssl/err.h ../include/openssl/evp.h -ssltest.o: ../include/openssl/idea.h ../include/openssl/lhash.h -ssltest.o: ../include/openssl/md2.h ../include/openssl/md5.h -ssltest.o: ../include/openssl/mdc2.h ../include/openssl/objects.h -ssltest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -ssltest.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ssltest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h -ssltest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -ssltest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -ssltest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -ssltest.o: ../include/openssl/sha.h ../include/openssl/ssl.h -ssltest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ssltest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +ssltest.o: ../include/openssl/comp.h ../include/openssl/crypto.h +ssltest.o: ../include/openssl/des.h ../include/openssl/dh.h +ssltest.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +ssltest.o: ../include/openssl/e_os2.h ../include/openssl/err.h +ssltest.o: ../include/openssl/evp.h ../include/openssl/idea.h +ssltest.o: ../include/openssl/lhash.h ../include/openssl/md2.h +ssltest.o: ../include/openssl/md4.h ../include/openssl/md5.h +ssltest.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +ssltest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +ssltest.o: ../include/openssl/opensslv.h ../include/openssl/pem.h +ssltest.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +ssltest.o: ../include/openssl/rand.h ../include/openssl/rc2.h +ssltest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +ssltest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +ssltest.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ssltest.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ssltest.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ssltest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssltest.o: ../include/openssl/tls1.h ../include/openssl/x509.h ssltest.o: ../include/openssl/x509_vfy.h diff --git a/lib/libssl/test/enginetest.c b/lib/libssl/test/enginetest.c new file mode 100644 index 00000000000..a5a3c47fcbf --- /dev/null +++ b/lib/libssl/test/enginetest.c @@ -0,0 +1,251 @@ +/* crypto/engine/enginetest.c */ +/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL + * project 2000. + */ +/* ==================================================================== + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include <stdio.h> +#include <string.h> +#include <openssl/engine.h> +#include <openssl/err.h> + +static void display_engine_list() + { + ENGINE *h; + int loop; + + h = ENGINE_get_first(); + loop = 0; + printf("listing available engine types\n"); + while(h) + { + printf("engine %i, id = \"%s\", name = \"%s\"\n", + loop++, ENGINE_get_id(h), ENGINE_get_name(h)); + h = ENGINE_get_next(h); + } + printf("end of list\n"); + } + +int main(int argc, char *argv[]) + { + ENGINE *block[512]; + char buf[256]; + const char *id, *name; + ENGINE *ptr; + int loop; + int to_return = 1; + ENGINE *new_h1 = NULL; + ENGINE *new_h2 = NULL; + ENGINE *new_h3 = NULL; + ENGINE *new_h4 = NULL; + + ERR_load_crypto_strings(); + + memset(block, 0, 512 * sizeof(ENGINE *)); + if(((new_h1 = ENGINE_new()) == NULL) || + !ENGINE_set_id(new_h1, "test_id0") || + !ENGINE_set_name(new_h1, "First test item") || + ((new_h2 = ENGINE_new()) == NULL) || + !ENGINE_set_id(new_h2, "test_id1") || + !ENGINE_set_name(new_h2, "Second test item") || + ((new_h3 = ENGINE_new()) == NULL) || + !ENGINE_set_id(new_h3, "test_id2") || + !ENGINE_set_name(new_h3, "Third test item") || + ((new_h4 = ENGINE_new()) == NULL) || + !ENGINE_set_id(new_h4, "test_id3") || + !ENGINE_set_name(new_h4, "Fourth test item")) + { + printf("Couldn't set up test ENGINE structures\n"); + goto end; + } + printf("\nenginetest beginning\n\n"); + display_engine_list(); + if(!ENGINE_add(new_h1)) + { + printf("Add failed!\n"); + goto end; + } + display_engine_list(); + ptr = ENGINE_get_first(); + if(!ENGINE_remove(ptr)) + { + printf("Remove failed!\n"); + goto end; + } + display_engine_list(); + if(!ENGINE_add(new_h3) || !ENGINE_add(new_h2)) + { + printf("Add failed!\n"); + goto end; + } + display_engine_list(); + if(!ENGINE_remove(new_h2)) + { + printf("Remove failed!\n"); + goto end; + } + display_engine_list(); + if(!ENGINE_add(new_h4)) + { + printf("Add failed!\n"); + goto end; + } + display_engine_list(); + if(ENGINE_add(new_h3)) + { + printf("Add *should* have failed but didn't!\n"); + goto end; + } + else + printf("Add that should fail did.\n"); + ERR_clear_error(); + if(ENGINE_remove(new_h2)) + { + printf("Remove *should* have failed but didn't!\n"); + goto end; + } + else + printf("Remove that should fail did.\n"); + if(!ENGINE_remove(new_h1)) + { + printf("Remove failed!\n"); + goto end; + } + display_engine_list(); + if(!ENGINE_remove(new_h3)) + { + printf("Remove failed!\n"); + goto end; + } + display_engine_list(); + if(!ENGINE_remove(new_h4)) + { + printf("Remove failed!\n"); + goto end; + } + display_engine_list(); + /* Depending on whether there's any hardware support compiled + * in, this remove may be destined to fail. */ + ptr = ENGINE_get_first(); + if(ptr) + if(!ENGINE_remove(ptr)) + printf("Remove failed!i - probably no hardware " + "support present.\n"); + display_engine_list(); + if(!ENGINE_add(new_h1) || !ENGINE_remove(new_h1)) + { + printf("Couldn't add and remove to an empty list!\n"); + goto end; + } + else + printf("Successfully added and removed to an empty list!\n"); + printf("About to beef up the engine-type list\n"); + for(loop = 0; loop < 512; loop++) + { + sprintf(buf, "id%i", loop); + id = strdup(buf); + sprintf(buf, "Fake engine type %i", loop); + name = strdup(buf); + if(((block[loop] = ENGINE_new()) == NULL) || + !ENGINE_set_id(block[loop], id) || + !ENGINE_set_name(block[loop], name)) + { + printf("Couldn't create block of ENGINE structures.\n" + "I'll probably also core-dump now, damn.\n"); + goto end; + } + } + for(loop = 0; loop < 512; loop++) + { + if(!ENGINE_add(block[loop])) + { + printf("\nAdding stopped at %i, (%s,%s)\n", + loop, ENGINE_get_id(block[loop]), + ENGINE_get_name(block[loop])); + goto cleanup_loop; + } + else + printf("."); fflush(stdout); + } +cleanup_loop: + printf("\nAbout to empty the engine-type list\n"); + while((ptr = ENGINE_get_first()) != NULL) + { + if(!ENGINE_remove(ptr)) + { + printf("\nRemove failed!\n"); + goto end; + } + printf("."); fflush(stdout); + } + for(loop = 0; loop < 512; loop++) + { + free((char *)(ENGINE_get_id(block[loop]))); + free((char *)(ENGINE_get_name(block[loop]))); + } + printf("\nTests completed happily\n"); + to_return = 0; +end: + if(to_return) + ERR_print_errors_fp(stderr); + if(new_h1) ENGINE_free(new_h1); + if(new_h2) ENGINE_free(new_h2); + if(new_h3) ENGINE_free(new_h3); + if(new_h4) ENGINE_free(new_h4); + for(loop = 0; loop < 512; loop++) + if(block[loop]) + ENGINE_free(block[loop]); + return to_return; + } diff --git a/lib/libssl/test/maketests.com b/lib/libssl/test/maketests.com index 1246d9a077e..135e0bfeb98 100644 --- a/lib/libssl/test/maketests.com +++ b/lib/libssl/test/maketests.com @@ -143,7 +143,7 @@ $ GOSUB CHECK_OPT_FILE $! $! Define The TEST Files. $! -$ TEST_FILES = "BNTEST,IDEATEST,MD2TEST,MD5TEST,HMACTEST,"+ - +$ TEST_FILES = "BNTEST,IDEATEST,MD2TEST,MD4TEST,MD5TEST,HMACTEST,"+ - "RC2TEST,RC4TEST,RC5TEST,"+ - "DESTEST,SHATEST,SHA1TEST,MDC2TEST,RMDTEST,"+ - "RANDTEST,DHTEST,"+ - diff --git a/lib/libssl/test/md4test.c b/lib/libssl/test/md4test.c new file mode 100644 index 00000000000..97e6e21efd1 --- /dev/null +++ b/lib/libssl/test/md4test.c @@ -0,0 +1,131 @@ +/* crypto/md4/md4test.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> + +#ifdef NO_MD4 +int main(int argc, char *argv[]) +{ + printf("No MD4 support\n"); + return(0); +} +#else +#include <openssl/md4.h> + +static char *test[]={ + "", + "a", + "abc", + "message digest", + "abcdefghijklmnopqrstuvwxyz", + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", + "12345678901234567890123456789012345678901234567890123456789012345678901234567890", + NULL, + }; + +static char *ret[]={ +"31d6cfe0d16ae931b73c59d7e0c089c0", +"bde52cb31de33e46245e05fbdbd6fb24", +"a448017aaf21d8525fc10ae87aa6729d", +"d9130a8164549fe818874806e1c7014b", +"d79e1c308aa5bbcdeea8ed63df412da9", +"043f8582f241db351ce627e153e7f0e4", +"e33b4ddc9c38f2199c3e7b164fcc0536", +}; + +static char *pt(unsigned char *md); +int main(int argc, char *argv[]) + { + int i,err=0; + unsigned char **P,**R; + char *p; + + P=(unsigned char **)test; + R=(unsigned char **)ret; + i=1; + while (*P != NULL) + { + p=pt(MD4(&(P[0][0]),(unsigned long)strlen((char *)*P),NULL)); + if (strcmp(p,(char *)*R) != 0) + { + printf("error calculating MD4 on '%s'\n",*P); + printf("got %s instead of %s\n",p,*R); + err++; + } + else + printf("test %d ok\n",i); + i++; + R++; + P++; + } + exit(err); + return(0); + } + +static char *pt(unsigned char *md) + { + int i; + static char buf[80]; + + for (i=0; i<MD4_DIGEST_LENGTH; i++) + sprintf(&(buf[i*2]),"%02x",md[i]); + return(buf); + } +#endif diff --git a/lib/libssl/test/testp7.pem b/lib/libssl/test/testp7.pem index 6bba16f1376..e5b7866c315 100644 --- a/lib/libssl/test/testp7.pem +++ b/lib/libssl/test/testp7.pem @@ -1,46 +1,46 @@ -----BEGIN PKCS7----- -MIAGCSqGSIb3DQEHAqCAMIIIBwIBATEAMIAGCSqGSIb3DQEHAQAAoIIGPDCCBHIw -ggQcoAMCAQICEHkvjiX1iVGQMenF9HgIjI8wDQYJKoZIhvcNAQEEBQAwYjERMA8G -A1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQL -EytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMB4X -DTk2MDcxOTAwMDAwMFoXDTk3MDMzMDIzNTk1OVowgdUxETAPBgNVBAcTCEludGVy -bmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24g -Q2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjEoMCYGA1UECxMfRGln -aXRhbCBJRCBDbGFzcyAxIC0gU01JTUUgVGVzdDFHMEUGA1UECxM+d3d3LnZlcmlz -aWduLmNvbS9yZXBvc2l0b3J5L0NQUy0xLjAgSW5jLiBieSBSZWYuLExJQUIuTFRE -KGMpOTYwWzANBgkqhkiG9w0BAQEFAANKADBHAkAOy7xxCAIkOfuIA2LyRpxgKlDO -Rl8htdXYhF5iBGUx1GYaK6KF+bK/CCI0l4j2OfWGFBUrwGoWqxTNcWgTfMzRAgMB -AAGjggI5MIICNTAJBgNVHRMEAjAAMIICJgYDVR0DBIICHTCCAhkwggIVMIICEQYL -YIZIAYb4RQEHAQEwggIAFoIBq1RoaXMgY2VydGlmaWNhdGUgaW5jb3Jwb3JhdGVz -IGJ5IHJlZmVyZW5jZSwgYW5kIGl0cyB1c2UgaXMgc3RyaWN0bHkgc3ViamVjdCB0 -bywgdGhlIFZlcmlTaWduIENlcnRpZmljYXRpb24gUHJhY3RpY2UgU3RhdGVtZW50 -IChDUFMpLCBhdmFpbGFibGUgYXQ6IGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9D -UFMtMS4wOyBieSBFLW1haWwgYXQgQ1BTLXJlcXVlc3RzQHZlcmlzaWduLmNvbTsg -b3IgYnkgbWFpbCBhdCBWZXJpU2lnbiwgSW5jLiwgMjU5MyBDb2FzdCBBdmUuLCBN -b3VudGFpbiBWaWV3LCBDQSA5NDA0MyBVU0EgVGVsLiArMSAoNDE1KSA5NjEtODgz -MCBDb3B5cmlnaHQgKGMpIDE5OTYgVmVyaVNpZ24sIEluYy4gIEFsbCBSaWdodHMg -UmVzZXJ2ZWQuIENFUlRBSU4gV0FSUkFOVElFUyBESVNDTEFJTUVEIGFuZCBMSUFC -SUxJVFkgTElNSVRFRC6gDgYMYIZIAYb4RQEHAQEBoQ4GDGCGSAGG+EUBBwEBAjAv -MC0WK2h0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L0NQUy0xLgMw -DQYJKoZIhvcNAQEEBQADQQDAmA7km/3iJWEsWN9Z2WU2gmZAknx45WnDKHxMa3Bf -gNsh6BLk/ngkJKjNKTDR13XVHqEPUY1flbjATZputw1GMIIBwjCCAWygAwIBAgIQ -fAmE6tW5ERSQWDneu3KfSTANBgkqhkiG9w0BAQIFADA+MQswCQYDVQQGEwJVUzEX -MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xFjAUBgNVBAsTDVRFU1QgUm9vdCBQQ0Ew -HhcNOTYwNzE3MDAwMDAwWhcNOTcwNzE3MjM1OTU5WjBiMREwDwYDVQQHEwhJbnRl -cm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlTaWdu -IENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIwXDANBgkqhkiG9w0B -AQEFAANLADBIAkEA7Fc6zYJw4WwCWa1ni3fYNbzGSQNluuw990024GusjLfhEk1h -MsIUukTT/n8yxoO7rYp4x+LS+tHF2tBtuxg7CwIDAQABoyIwIDALBgNVHQ8EBAMC -AQYwEQYJYIZIAYb4QgEBBAQDAgIEMA0GCSqGSIb3DQEBAgUAA0EAFKem0cJGg9nd -TAbP5o1HIEyNn11ZlvLU5v1Hejs1MKQt72IMm4jjgOH+pjguXW8lB6yzrK4oVOO2 -UNCaNQ1H26GCAa0wgcEwbTANBgkqhkiG9w0BAQIFADA+MQswCQYDVQQGEwJVUzEX -MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xFjAUBgNVBAsTDVRFU1QgUm9vdCBQQ0EX -DTk2MDcxNzE3NDQwOVoXDTk4MDcxNzAwMDAwMFowDQYJKoZIhvcNAQECBQADQQB4 -rQNP8QLpAox83odQDE/5dqAuvDfshW/miTxwQTMXOoBtjGiowTcG+YXF1JZTJRMT -jQN47tdH+6MCKt7N8MddMIHmMIGRMA0GCSqGSIb3DQEBAgUAMGIxETAPBgNVBAcT -CEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVy -aVNpZ24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlchcNOTYwNzE3 -MTc1OTI5WhcNOTcwNzE4MDAwMDAwWjANBgkqhkiG9w0BAQIFAANBALm1VmE7FrEJ -rLXvX/lIDMPAZIw5TNuX8EC6wn5ppy8Y3sHstdJEkTsqVGiS2/q+KEQC3NHxvV32 -bGooiIKLUB4xAAAAAAA= +MIIIGAYJKoZIhvcNAQcCoIIICTCCCAUCAQExADALBgkqhkiG9w0BBwGgggY8MIIE +cjCCBBygAwIBAgIQeS+OJfWJUZAx6cX0eAiMjzANBgkqhkiG9w0BAQQFADBiMREw +DwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNV +BAsTK1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIw +HhcNOTYwNzE5MDAwMDAwWhcNOTcwMzMwMjM1OTU5WjCB1TERMA8GA1UEBxMISW50 +ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2ln +biBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMSgwJgYDVQQLEx9E +aWdpdGFsIElEIENsYXNzIDEgLSBTTUlNRSBUZXN0MUcwRQYDVQQLEz53d3cudmVy +aXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEuMCBJbmMuIGJ5IFJlZi4sTElBQi5M +VEQoYyk5NjBbMA0GCSqGSIb3DQEBAQUAA0oAMEcCQA7LvHEIAiQ5+4gDYvJGnGAq +UM5GXyG11diEXmIEZTHUZhorooX5sr8IIjSXiPY59YYUFSvAaharFM1xaBN8zNEC +AwEAAaOCAjkwggI1MAkGA1UdEwQCMAAwggImBgNVHQMEggIdMIICGTCCAhUwggIR +BgtghkgBhvhFAQcBATCCAgAWggGrVGhpcyBjZXJ0aWZpY2F0ZSBpbmNvcnBvcmF0 +ZXMgYnkgcmVmZXJlbmNlLCBhbmQgaXRzIHVzZSBpcyBzdHJpY3RseSBzdWJqZWN0 +IHRvLCB0aGUgVmVyaVNpZ24gQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1l +bnQgKENQUyksIGF2YWlsYWJsZSBhdDogaHR0cHM6Ly93d3cudmVyaXNpZ24uY29t +L0NQUy0xLjA7IGJ5IEUtbWFpbCBhdCBDUFMtcmVxdWVzdHNAdmVyaXNpZ24uY29t +OyBvciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMuLCAyNTkzIENvYXN0IEF2ZS4s +IE1vdW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBUZWwuICsxICg0MTUpIDk2MS04 +ODMwIENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2lnbiwgSW5jLiAgQWxsIFJpZ2h0 +cyBSZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVTIERJU0NMQUlNRUQgYW5kIExJ +QUJJTElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcBAQGhDgYMYIZIAYb4RQEHAQEC +MC8wLRYraHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEu +AzANBgkqhkiG9w0BAQQFAANBAMCYDuSb/eIlYSxY31nZZTaCZkCSfHjlacMofExr +cF+A2yHoEuT+eCQkqM0pMNHXddUeoQ9RjV+VuMBNmm63DUYwggHCMIIBbKADAgEC +AhB8CYTq1bkRFJBYOd67cp9JMA0GCSqGSIb3DQEBAgUAMD4xCzAJBgNVBAYTAlVT +MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEWMBQGA1UECxMNVEVTVCBSb290IFBD +QTAeFw05NjA3MTcwMDAwMDBaFw05NzA3MTcyMzU5NTlaMGIxETAPBgNVBAcTCElu +dGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNp +Z24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjBcMA0GCSqGSIb3 +DQEBAQUAA0sAMEgCQQDsVzrNgnDhbAJZrWeLd9g1vMZJA2W67D33TTbga6yMt+ES +TWEywhS6RNP+fzLGg7utinjH4tL60cXa0G27GDsLAgMBAAGjIjAgMAsGA1UdDwQE +AwIBBjARBglghkgBhvhCAQEEBAMCAgQwDQYJKoZIhvcNAQECBQADQQAUp6bRwkaD +2d1MBs/mjUcgTI2fXVmW8tTm/Ud6OzUwpC3vYgybiOOA4f6mOC5dbyUHrLOsrihU +47ZQ0Jo1DUfboYIBrTCBwTBtMA0GCSqGSIb3DQEBAgUAMD4xCzAJBgNVBAYTAlVT +MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEWMBQGA1UECxMNVEVTVCBSb290IFBD +QRcNOTYwNzE3MTc0NDA5WhcNOTgwNzE3MDAwMDAwWjANBgkqhkiG9w0BAQIFAANB +AHitA0/xAukCjHzeh1AMT/l2oC68N+yFb+aJPHBBMxc6gG2MaKjBNwb5hcXUllMl +ExONA3ju10f7owIq3s3wx10wgeYwgZEwDQYJKoZIhvcNAQECBQAwYjERMA8GA1UE +BxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytW +ZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyFw05NjA3 +MTcxNzU5MjlaFw05NzA3MTgwMDAwMDBaMA0GCSqGSIb3DQEBAgUAA0EAubVWYTsW +sQmste9f+UgMw8BkjDlM25fwQLrCfmmnLxjewey10kSROypUaJLb+r4oRALc0fG9 +XfZsaiiIgotQHjEA -----END PKCS7----- diff --git a/lib/libssl/test/tests.com b/lib/libssl/test/tests.com index 040dafab8dc..df8f46e75d1 100644 --- a/lib/libssl/test/tests.com +++ b/lib/libssl/test/tests.com @@ -19,11 +19,12 @@ $ then $ tests = p1 $ else $ tests := - - test_des,test_idea,test_sha,test_md5,test_hmac,test_md2,test_mdc2,- + test_des,test_idea,test_sha,test_md4,test_md5,test_hmac,- + test_md2,test_mdc2,- test_rmd,test_rc2,test_rc4,test_rc5,test_bf,test_cast,- test_rand,test_bn,test_enc,test_x509,test_rsa,test_crl,test_sid,- test_gen,test_req,test_pkcs7,test_verify,test_dh,test_dsa,- - test_ss,test_ssl,test_ca + test_ss,test_ca,test_ssl $ endif $ tests = f$edit(tests,"COLLAPSE") $ @@ -35,6 +36,7 @@ $ SHA1TEST := sha1test $ MDC2TEST := mdc2test $ RMDTEST := rmdtest $ MD2TEST := md2test +$ MD4TEST := md4test $ MD5TEST := md5test $ HMACTEST := hmactest $ RC2TEST := rc2test @@ -55,54 +57,58 @@ $ loop_tests: $ tests_e = f$element(tests_i,",",tests) $ tests_i = tests_i + 1 $ if tests_e .eqs. "," then goto exit -$ goto 'tests_e' +$ gosub 'tests_e' +$ goto loop_tests $ $ test_des: $ mcr 'texe_dir''destest' -$ goto loop_tests +$ return $ test_idea: $ mcr 'texe_dir''ideatest' -$ goto loop_tests +$ return $ test_sha: $ mcr 'texe_dir''shatest' $ mcr 'texe_dir''sha1test' -$ goto loop_tests +$ return $ test_mdc2: $ mcr 'texe_dir''mdc2test' -$ goto loop_tests +$ return $ test_md5: $ mcr 'texe_dir''md5test' -$ goto loop_tests +$ return +$ test_md4: +$ mcr 'texe_dir''md4test' +$ return $ test_hmac: $ mcr 'texe_dir''hmactest' -$ goto loop_tests +$ return $ test_md2: $ mcr 'texe_dir''md2test' -$ goto loop_tests +$ return $ test_rmd: $ mcr 'texe_dir''rmdtest' -$ goto loop_tests +$ return $ test_bf: $ mcr 'texe_dir''bftest' -$ goto loop_tests +$ return $ test_cast: $ mcr 'texe_dir''casttest' -$ goto loop_tests +$ return $ test_rc2: $ mcr 'texe_dir''rc2test' -$ goto loop_tests +$ return $ test_rc4: $ mcr 'texe_dir''rc4test' -$ goto loop_tests +$ return $ test_rc5: $ mcr 'texe_dir''rc5test' -$ goto loop_tests +$ return $ test_rand: $ mcr 'texe_dir''randtest' -$ goto loop_tests +$ return $ test_enc: $ @testenc.com -$ goto loop_tests +$ return $ test_x509: $ define sys$error nla0: $ write sys$output "test normal x509v1 certificate" @@ -112,35 +118,35 @@ $ @tx509.com v3-cert1.pem $ write sys$output "test second x509v3 certificate" $ @tx509.com v3-cert2.pem $ deassign sys$error -$ goto loop_tests +$ return $ test_rsa: $ define sys$error nla0: $ @trsa.com $ deassign sys$error $ mcr 'texe_dir''rsatest' -$ goto loop_tests +$ return $ test_crl: $ define sys$error nla0: $ @tcrl.com $ deassign sys$error -$ goto loop_tests +$ return $ test_sid: $ define sys$error nla0: $ @tsid.com $ deassign sys$error -$ goto loop_tests +$ return $ test_req: $ define sys$error nla0: $ @treq.com $ @treq.com testreq2.pem $ deassign sys$error -$ goto loop_tests +$ return $ test_pkcs7: $ define sys$error nla0: $ @tpkcs7.com $ @tpkcs7d.com $ deassign sys$error -$ goto loop_tests +$ return $ test_bn: $ write sys$output "starting big number library test, could take a while..." $ create bntest-vms.fdl @@ -164,36 +170,56 @@ $ write sys$output "-- through sh or bash to verify that the bignum operations w $ write sys$output "" $ write sys$output "test a^b%c implementations" $ mcr 'texe_dir''exptest' -$ goto loop_tests +$ return $ test_verify: $ write sys$output "The following command should have some OK's and some failures" $ write sys$output "There are definitly a few expired certificates" $ @tverify.com -$ goto loop_tests +$ return $ test_dh: $ write sys$output "Generate a set of DH parameters" $ mcr 'texe_dir''dhtest' -$ goto loop_tests +$ return $ test_dsa: $ write sys$output "Generate a set of DSA parameters" $ mcr 'texe_dir''dsatest' -$ goto loop_tests +$ return $ test_gen: $ write sys$output "Generate and verify a certificate request" $ @testgen.com -$ goto loop_tests +$ return +$ maybe_test_ss: +$ testss_RDT = f$cvtime(f$file_attributes("testss.com","RDT")) +$ if f$cvtime(f$file_attributes("keyU.ss","RDT")) .les. testss_RDT then - + goto test_ss +$ if f$cvtime(f$file_attributes("certU.ss","RDT")) .les. testss_RDT then - + goto test_ss +$ if f$cvtime(f$file_attributes("certCA.ss","RDT")) .les. testss_RDT then - + goto test_ss +$ return $ test_ss: $ write sys$output "Generate and certify a test certificate" $ @testss.com -$ goto loop_tests +$ return $ test_ssl: $ write sys$output "test SSL protocol" -$ @testssl.com -$ goto loop_tests +$ gosub maybe_test_ss +$ @testssl.com keyU.ss certU.ss certCA.ss +$ return $ test_ca: -$ write sys$output "Generate and certify a test certificate via the 'ca' program" -$ @testca.com -$ goto loop_tests +$ set noon +$ define/user sys$output nla0: +$ mcr 'exe_dir'openssl no-rsa +$ save_severity=$SEVERITY +$ set on +$ if save_severity +$ then +$ write sys$output "skipping CA.com test -- requires RSA" +$ else +$ write sys$output "Generate and certify a test certificate via the 'ca' program" +$ @testca.com +$ endif +$ return $ $ $ exit: diff --git a/lib/libssl/tls1.h b/lib/libssl/tls1.h index 6e2b06d34f7..cf92ae034f0 100644 --- a/lib/libssl/tls1.h +++ b/lib/libssl/tls1.h @@ -84,6 +84,10 @@ extern "C" { #define TLS1_AD_USER_CANCELLED 90 #define TLS1_AD_NO_RENEGOTIATION 100 +/* Additional TLS ciphersuites from draft-ietf-tls-56-bit-ciphersuites-00.txt + * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see + * s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably + * shouldn't. */ #define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060 #define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061 #define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062 @@ -92,6 +96,13 @@ extern "C" { #define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065 #define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066 +/* XXX + * Inconsistency alert: + * The OpenSSL names of ciphers with ephemeral DH here include the string + * "DHE", while elsewhere it has always been "EDH". + * (The alias for the list of all such ciphers also is "EDH".) + * The specifications speak of "EDH"; maybe we should allow both forms + * for everything. */ #define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5" #define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5" #define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA "EXP1024-DES-CBC-SHA" |