author | Bob Beck <beck@cvs.openbsd.org> | 2001-06-22 00:03:45 +0000 |
---|---|---|
committer | Bob Beck <beck@cvs.openbsd.org> | 2001-06-22 00:03:45 +0000 |
commit | 13b984a4565b6813966f6070097ab3070c122f23 (patch) | |
tree | 7e4b8b77c8e8ba094b4c7eb67185403e0b07a5a2 /lib | |
parent | 4fc9a56991eb28595d259c82ba5d4f92d15e8581 (diff) |
openssl-engine-0.9.6a merge
Diffstat (limited to 'lib')
203 files changed, 2843 insertions, 1081 deletions
diff --git a/lib/libssl/crypto/Makefile b/lib/libssl/crypto/Makefile
index a44392a9bd4..a05ac78e0ed 100644
--- a/lib/libssl/crypto/Makefile
+++ b/lib/libssl/crypto/Makefile
@@ -29,7 +29,7 @@ CFLAGS+= -DNO_RC5
 CFLAGS+= -I${.CURDIR}/../${SSLEAYDIST}
 CFLAGS+= -I${LCRYPTO_SRC}
 CFLAGS+= -I${LCRYPTO_INC}
-SRCS+= cryptlib.c ex_data.c cpt_err.c mem.c mem_dbg.c tmdiff.c cversion.c
+SRCS+= cryptlib.c ex_data.c cpt_err.c mem.c mem_dbg.c tmdiff.c cversion.c uid.c
 CFLAGS+= -I${LCRYPTO_SRC}/md2
 SRCS+= md2_dgst.c md2_one.c
 CFLAGS+= -I${LCRYPTO_SRC}/md5
diff --git a/lib/libssl/crypto/shlib_version b/lib/libssl/crypto/shlib_version
index 890c57389b5..3066b9771e7 100644
--- a/lib/libssl/crypto/shlib_version
+++ b/lib/libssl/crypto/shlib_version
@@ -1,2 +1,2 @@
-major=4
-minor=1
+major=5
+minor=0
diff --git a/lib/libssl/src/CHANGES b/lib/libssl/src/CHANGES
index 87853c3b29d..08ef8508d80 100644
--- a/lib/libssl/src/CHANGES
+++ b/lib/libssl/src/CHANGES
@@ -2,6 +2,291 @@ OpenSSL CHANGES _______________ + Changes between 0.9.6 and 0.9.6a [5 Apr 2001] + + *) Fix a couple of memory leaks in PKCS7_dataDecode() + [Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>] + + *) Change Configure and Makefiles to provide EXE_EXT, which will contain + the default extension for executables, if any. Also, make the perl + scripts that use symlink() to test if it really exists and use "cp" + if it doesn't. All this made OpenSSL compilable and installable in + CygWin. + [Richard Levitte] + + *) Fix for asn1_GetSequence() for indefinite length constructed data. + If SEQUENCE is length is indefinite just set c->slen to the total + amount of data available. + [Steve Henson, reported by shige@FreeBSD.org] + [This change does not apply to 0.9.7.] + + *) Change bctest to avoid here-documents inside command substitution + (workaround for FreeBSD /bin/sh bug). + For compatibility with Ultrix, avoid shell functions (introduced + in the bctest version that searches along $PATH). + [Bodo Moeller] + + *) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes + with des_encrypt() defined on some operating systems, like Solaris + and UnixWare. + [Richard Levitte] + + *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton: + On the Importance of Eliminating Errors in Cryptographic + Computations, J. Cryptology 14 (2001) 2, 101-119, + http://theory.stanford.edu/~dabo/papers/faults.ps.gz). + [Ulf Moeller] + + *) MIPS assembler BIGNUM division bug fix. + [Andy Polyakov] + + *) Disabled incorrect Alpha assembler code. + [Richard Levitte] + + *) Fix PKCS#7 decode routines so they correctly update the length + after reading an EOC for the EXPLICIT tag. + [Steve Henson] + [This change does not apply to 0.9.7.] + + *) Fix bug in PKCS#12 key generation routines. This was triggered + if a 3DES key was generated with a 0 initial byte. Include + PKCS12_BROKEN_KEYGEN compilation option to retain the old + (but broken) behaviour. 
+ [Steve Henson] + + *) Enhance bctest to search for a working bc along $PATH and print + it when found. + [Tim Rice <tim@multitalents.net> via Richard Levitte] + + *) Fix memory leaks in err.c: free err_data string if necessary; + don't write to the wrong index in ERR_set_error_data. + [Bodo Moeller] + + *) Implement ssl23_peek (analogous to ssl23_read), which previously + did not exist. + [Bodo Moeller] + + *) Replace rdtsc with _emit statements for VC++ version 5. + [Jeremy Cooper <jeremy@baymoo.org>] + + *) Make it possible to reuse SSLv2 sessions. + [Richard Levitte] + + *) In copy_email() check for >= 0 as a return value for + X509_NAME_get_index_by_NID() since 0 is a valid index. + [Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>] + + *) Avoid coredump with unsupported or invalid public keys by checking if + X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when + PKCS7_verify() fails with non detached data. + [Steve Henson] + + *) Don't use getenv in library functions when run as setuid/setgid. + New function OPENSSL_issetugid(). + [Ulf Moeller] + + *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c) + due to incorrect handling of multi-threading: + + 1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl(). + + 2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on(). + + 3. Count how many times MemCheck_off() has been called so that + nested use can be treated correctly. This also avoids + inband-signalling in the previous code (which relied on the + assumption that thread ID 0 is impossible). + [Bodo Moeller] + + *) Add "-rand" option also to s_client and s_server. + [Lutz Jaenicke] + + *) Fix CPU detection on Irix 6.x. + [Kurt Hockenbury <khockenb@stevens-tech.edu> and + "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>] + + *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME + was empty. + [Steve Henson] + [This change does not apply to 0.9.7.] 
+ + *) Use the cached encoding of an X509_NAME structure rather than + copying it. This is apparently the reason for the libsafe "errors" + but the code is actually correct. + [Steve Henson] + + *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent + Bleichenbacher's DSA attack. + Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits + to be set and top=0 forces the highest bit to be set; top=-1 is new + and leaves the highest bit random. + [Ulf Moeller, Bodo Moeller] + + *) In the NCONF_...-based implementations for CONF_... queries + (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using + a temporary CONF structure with the data component set to NULL + (which gives segmentation faults in lh_retrieve). + Instead, use NULL for the CONF pointer in CONF_get_string and + CONF_get_number (which may use environment variables) and directly + return NULL from CONF_get_section. + [Bodo Moeller] + + *) Fix potential buffer overrun for EBCDIC. + [Ulf Moeller] + + *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign + keyUsage if basicConstraints absent for a CA. + [Steve Henson] + + *) Make SMIME_write_PKCS7() write mail header values with a format that + is more generally accepted (no spaces before the semicolon), since + some programs can't parse those values properly otherwise. Also make + sure BIO's that break lines after each write do not create invalid + headers. + [Richard Levitte] + + *) Make the CRL encoding routines work with empty SEQUENCE OF. The + macros previously used would not encode an empty SEQUENCE OF + and break the signature. + [Steve Henson] + [This change does not apply to 0.9.7.] + + *) Zero the premaster secret after deriving the master secret in + DH ciphersuites. + [Steve Henson] + + *) Add some EVP_add_digest_alias registrations (as found in + OpenSSL_add_all_digests()) to SSL_library_init() + aka OpenSSL_add_ssl_algorithms(). 
This provides improved + compatibility with peers using X.509 certificates + with unconventional AlgorithmIdentifier OIDs. + [Bodo Moeller] + + *) Fix for Irix with NO_ASM. + ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>] + + *) ./config script fixes. + [Ulf Moeller, Richard Levitte] + + *) Fix 'openssl passwd -1'. + [Bodo Moeller] + + *) Change PKCS12_key_gen_asc() so it can cope with non null + terminated strings whose length is passed in the passlen + parameter, for example from PEM callbacks. This was done + by adding an extra length parameter to asc2uni(). + [Steve Henson, reported by <oddissey@samsung.co.kr>] + + *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn + call failed, free the DSA structure. + [Bodo Moeller] + + *) Fix to uni2asc() to cope with zero length Unicode strings. + These are present in some PKCS#12 files. + [Steve Henson] + + *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c). + Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits + when writing a 32767 byte record. + [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>] + + *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c), + obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}. + + (RSA objects have a reference count access to which is protected + by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c], + so they are meant to be shared between threads.) + [Bodo Moeller, Geoff Thorpe; original patch submitted by + "Reddie, Steven" <Steven.Reddie@ca.com>] + + *) Fix a deadlock in CRYPTO_mem_leaks(). + [Bodo Moeller] + + *) Use better test patterns in bntest. + [Ulf Möller] + + *) rand_win.c fix for Borland C. + [Ulf Möller] + + *) BN_rshift bugfix for n == 0. + [Bodo Moeller] + + *) Add a 'bctest' script that checks for some known 'bc' bugs + so that 'make test' does not abort just because 'bc' is broken. 
+ [Bodo Moeller] + + *) Store verify_result within SSL_SESSION also for client side to + avoid potential security hole. (Re-used sessions on the client side + always resulted in verify_result==X509_V_OK, not using the original + result of the server certificate verification.) + [Lutz Jaenicke] + + *) Fix ssl3_pending: If the record in s->s3->rrec is not of type + SSL3_RT_APPLICATION_DATA, return 0. + Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true. + [Bodo Moeller] + + *) Fix SSL_peek: + Both ssl2_peek and ssl3_peek, which were totally broken in earlier + releases, have been re-implemented by renaming the previous + implementations of ssl2_read and ssl3_read to ssl2_read_internal + and ssl3_read_internal, respectively, and adding 'peek' parameters + to them. The new ssl[23]_{read,peek} functions are calls to + ssl[23]_read_internal with the 'peek' flag set appropriately. + A 'peek' parameter has also been added to ssl3_read_bytes, which + does the actual work for ssl3_read_internal. + [Bodo Moeller] + + *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling + the method-specific "init()" handler. Also clean up ex_data after + calling the method-specific "finish()" handler. Previously, this was + happening the other way round. + [Geoff Thorpe] + + *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16. + The previous value, 12, was not always sufficient for BN_mod_exp(). + [Bodo Moeller] + + *) Make sure that shared libraries get the internal name engine with + the full version number and not just 0. This should mark the + shared libraries as not backward compatible. Of course, this should + be changed again when we can guarantee backward binary compatibility. 
+ [Richard Levitte] + + *) Fix typo in get_cert_by_subject() in by_dir.c + [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>] + + *) Rework the system to generate shared libraries: + + - Make note of the expected extension for the shared libraries and + if there is a need for symbolic links from for example libcrypto.so.0 + to libcrypto.so.0.9.7. There is extended info in Configure for + that. + + - Make as few rebuilds of the shared libraries as possible. + + - Still avoid linking the OpenSSL programs with the shared libraries. + + - When installing, install the shared libraries separately from the + static ones. + [Richard Levitte] + + *) Fix SSL_CTX_set_read_ahead macro to actually use its argument. + + Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new + and not in SSL_clear because the latter is also used by the + accept/connect functions; previously, the settings made by + SSL_set_read_ahead would be lost during the handshake. + [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>] + + *) Correct util/mkdef.pl to be selective about disabled algorithms. + Previously, it would create entries for disableed algorithms no + matter what. + [Richard Levitte] + + *) Added several new manual pages for SSL_* function. + [Lutz Jaenicke] + Changes between 0.9.5a and 0.9.6 [24 Sep 2000] *) In ssl23_get_client_hello, generate an error message when faced diff --git a/lib/libssl/src/Configure b/lib/libssl/src/Configure index eed48cfd3c6..98bc46bf878 100644 --- a/lib/libssl/src/Configure +++ b/lib/libssl/src/Configure 
@@ -98,6 +98,11 @@ my $x86_elf_asm="asm/bn86-elf.o asm/co86-elf.o:asm/dx86-elf.o asm/yx86-elf.o:asm my $x86_out_asm="asm/bn86-out.o asm/co86-out.o:asm/dx86-out.o asm/yx86-out.o:asm/bx86-out.o:asm/mx86-out.o:asm/sx86-out.o:asm/cx86-out.o:asm/rx86-out.o:asm/rm86-out.o:asm/r586-out.o"; my $x86_bsdi_asm="asm/bn86bsdi.o asm/co86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:asm/bx86bsdi.o:asm/mx86bsdi.o:asm/sx86bsdi.o:asm/cx86bsdi.o:asm/rx86bsdi.o:asm/rm86bsdi.o:asm/r586bsdi.o"; +my $mips3_irix_asm="asm/mips3.o::::::::"; +# There seems to be boundary faults in asm/alpha.s. +#my $alpha_asm="asm/alpha.o::::::::"; +my $alpha_asm="::::::::"; + # -DB_ENDIAN slows things down on a sparc for md5, but helps sha1. # So the md5_locl.h file has an undef B_ENDIAN if sun is defined 
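Review bot: The new comment `# There seems to be boundary faults in asm/alpha.s.` does not say which routine faults or how the fault was observed, and the previous value is left behind as a commented-out assignment. Because `$alpha_asm` is interpolated into every alpha entry in the later hunks (`alpha-gcc`, `alpha-cc`, `alpha164-cc`, `linux-alpha-gcc`, `linux-alpha+bwx-gcc`, `linux-alpha-ccc`, `linux-alpha+bwx-ccc`), this single assignment switches the assembler object off for all of them, and that is worth stating at the definition. I would replace the two comment lines with one such as `# asm/alpha.s disabled for all alpha targets (CHANGES 0.9.6a: "Disabled incorrect Alpha assembler code"); re-enable only once the test suite passes on Alpha`.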
@@ -136,32 +141,32 @@ my %table=( # surrounds it with #APP #NO_APP comment pair which (at least Solaris # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic" # error message. -"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC", +"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with GNU C setups -"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC", -"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC", -"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC", +"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR 
RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8 # but keep the assembler modules. -"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC", +"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### -"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC", -"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC", +"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with Sun C 
setups # DO NOT use /xO[34] on sparc with SC3.0. It is broken, and will not pass the tests -"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC", +"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2. # SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8 # SC5.0 note: Compiler common patch 107357-01 or later is required! -"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC", -"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC", -"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC", -"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC", +"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 
-xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs", #### -"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC", -"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC", +"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG 
-DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Linux setups "linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::", 
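Review bot: The trailing field `:/usr/ccs/bin/ar rs` added to `solaris64-sparcv9-cc` appears on no other entry in this hunk and nothing here says which build variable it fills; it looks like an archive-index command override, but that has to be confirmed against the code that splits `%table` values, which is outside the hunk. The same applies to the new `.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)` field appended to every Solaris entry: the strings are positional, so a miscounted colon silently shifts a value into the wrong field. A comment above the Solaris block along the lines of `# trailing fields: dso scheme : shared target : shared cflag : shared extension [: archive-index command]` would let a reader check the colon counts by eye. The `%table` definition starts before this hunk and continues after it.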
@@ -187,11 +192,11 @@ my %table=( # Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke # './Configure irix-[g]cc' manually. # -mips4 flag is added by ./config when appropriate. -"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::", -"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::", +"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}", +"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}", # N64 ABI builds. -"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::", -"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::", +"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}", +"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}", #### Unified HP-UX ANSI C configs. # Special notes: 
@@ -271,10 +276,10 @@ my %table=( # Dec Alpha, OSF/1 - the alpha164-cc is the flags for a 21164A with # the new compiler # For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version -"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:asm/alpha.o:::::::::dlfcn:true64-shared", -"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared", -"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared", -"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2:::", +"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:tru64-shared::.so", +"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so", +"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so", +"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Alpha Linux with GNU C and Compaq C setups # Special notes: 
@@ -289,31 +294,32 @@ my %table=( # # <appro@fy.chalmers.se> # -"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::", -"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::", -"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::", -"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::", +"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", +"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", # assembler versions -- currently defunct: -##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:asm/alpha.o::", +##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${alpha_asm}", # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the # bn86-elf.o file file since it is hand tweaked assembler. 
-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC", +"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", "linux-mips", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::", "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", "linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", +"linux-s390", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::", -"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:", -"FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", 
+"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", "bsdi-gcc", "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown)::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}", -"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "nextstep", "cc:-O -Wall:<libc.h>:(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", "nextstep3.3", "cc:-O3 -Wall:<libc.h>:(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # NCR MP-RAS UNIX ver 02.03.01 
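Review bot: The commented-out `##"OpenBSD-alpha"` entry still sits under the heading `# assembler versions -- currently defunct:`, but its asm field is now `${alpha_asm}`, which the first Configure hunk sets to the empty `"::::::::"`. If someone uncomments the line it will no longer select the Alpha assembler, so the heading describes something the entry does not do. Either leave the literal `asm/alpha.o::` in the dead line so it keeps documenting the old configuration, or reword the heading to `# disabled entries (alpha assembler is off, see $alpha_asm):`.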
@@ -323,18 +329,27 @@ my %table=( "qnx4", "cc:-DL_ENDIAN -DTERMIO::(unknown)::${x86_gcc_des} ${x86_gcc_opts}:", # Linux on ARM -"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC", +"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + +# UnixWare 2.0x fails destest with -O +"unixware-2.0","cc:-DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::", +"unixware-2.0-pentium","cc:-DFILIO_H -Kpentium::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", -# UnixWare 2.0 -"unixware-2.0","cc:-O -DFILIO_H::(unknown):-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::", -"unixware-2.0-pentium","cc:-O -DFILIO_H -Kpentium -Kthread::(unknown):-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +# UnixWare 2.1 +"unixware-2.1","cc:-O -DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::", +"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", # UnixWare 7 -"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", # IBM's AIX. 
"aix-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR:::", "aix-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::", +"aix43-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:", +"aix43-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:", # # Cray T90 (SDSC) @@ -361,12 +376,16 @@ my %table=( # DGUX, 88100. "dgux-R3-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::RC4_INDEX DES_UNROLL:::", -"dgux-R4-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lnsl -lsocket:RC4_INDEX:RC4_INDEX DES_UNROLL:::", +"dgux-R4-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lnsl -lsocket:RC4_INDEX DES_UNROLL:::", "dgux-R4-x86-gcc", "gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown):-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +# SCO 3 - Tim Rice <tim@multitalents.net> +"sco3-gcc", "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... + # SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the # SCO cc. "sco5-cc", "cc:::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options? +"sco5-cc-pentium", "cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options? "sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... # Sinix/ReliantUNIX RM400 
@@ -406,12 +425,12 @@ my %table=( ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown)::::::", # Some OpenBSD from Bob Beck <beck@obtuse.com> -"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:::", +"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-vax", "gcc:-DL_ENDIAN -DTERMIOS -O2 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL:::", -"OpenBSD-x86", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn", +"OpenBSD-x86", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-m68k", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::RC2_CHAR RC4_INDEX DES_UNROLL:::", -"OpenBSD", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL:::", -"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::", +"OpenBSD", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ##### MacOS X (a.k.a. Rhapsody) setup "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::", @@ -426,6 +445,7 @@ my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32 my $prefix=""; my $openssldir=""; +my $exe_ext=""; my $install_prefix=""; my $no_threads=0; my $no_shared=1; 
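Review bot: The new `OpenBSD-mips` entry still has a single colon after `(unknown)` where the sibling OpenBSD entries have `::`, so the string `BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR` lands in the link-flags field instead of the bignum-options field. With the colon split further down in this file that text would be assigned to `$lflags`, and from there written to `EX_LIBS=`, while `$bn_ops` stays empty for this target. The padding added before `dlfcn` appears to be one colon longer than in the `OpenBSD` entry, which keeps the DSO fields aligned but hides the shift. I would start the value with `gcc:-O2 -DL_ENDIAN::(unknown)::BN_LLONG MD2_CHAR` and use the same padding as the other OpenBSD entries.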
@@ -453,10 +473,10 @@ my $md5_obj=""; my $sha1_obj=""; my $rmd160_obj=""; my $processor=""; -my $ranlib; +my $default_ranlib; my $perl; -$ranlib=&which("ranlib") or $ranlib="true"; +$default_ranlib= &which("ranlib") or $default_ranlib="true"; $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl") or $perl="perl"; @@ -642,6 +662,7 @@ print "Configuring for $target\n"; my $IsWindows=scalar grep /^$target$/,@WinTargets; +$exe_ext=".exe" if ($target eq "CygWin32"); $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq ""); $prefix=$openssldir if $prefix eq ""; @@ -655,8 +676,8 @@ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//; print "IsWindows=$IsWindows\n"; (my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj, - $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag)= - split(/\s*:\s*/,$table{$target} . ":" x 22 , -1); + $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,my $shared_extension,my $ranlib)= + split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); $cflags="$flags$cflags" if ($flags ne ""); # The DSO code currently always implements all functions so that no @@ -731,17 +752,27 @@ if ($threads) } # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org -my $shared_mark1 = ""; -my $shared_mark2 = ""; -if ($shared_cflag ne "") +my $shared_mark = ""; +if ($shared_target ne "") { - $cflags = "$shared_cflag $cflags"; + if ($shared_cflag ne "") + { + $cflags = "$shared_cflag $cflags"; + } if (!$no_shared) { - $shared_mark1 = ".shlib-clean."; - $shared_mark2 = ".shlib."; + #$shared_mark = "\$(SHARED_LIBS)"; } } +else + { + $no_shared = 1; + } + +if ($ranlib eq "") + { + $ranlib = $default_ranlib; + } #my ($bn1)=split(/\s+/,$bn_obj); #$bn1 = "" unless defined $bn1; 
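Review bot: The 20-name list assigned from `split(/\s*:\s*/,$table{$target} . ":" x 30 , -1)` in the `@@ -655,8 +676,8 @@` hunk is repeated in `print_table_entry` (the `@@ -1135,8 +1168,9 @@` hunk), so every new field has to be added twice and in the same position. Because of the `":" x 30` padding, an entry with a missing or extra colon is accepted silently with its fields shifted. A comment above `%table` naming the fields in order would make such slips visible: `# cc:cflags:unistd:thread_cflag:lflags:bn_ops:bn_obj:des_obj:bf_obj:md5_obj:sha1_obj:cast_obj:rc4_obj:rmd160_obj:rc5_obj:dso_scheme:shared_target:shared_cflag:shared_extension:ranlib`. Both statements sit in code that continues outside their hunks.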
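Review bot: In the `@@ -731,17 +752,27 @@` hunk the context comment `# You will find shlib_mark1 and shlib_mark2 explained in Makefile.org` is left stale, because both variables are replaced by `$shared_mark`; it should read `# You will find SHLIB_MARK explained in Makefile.org`. The `if (!$no_shared)` block now holds only the commented-out `#$shared_mark = "\$(SHARED_LIBS)";`, so `$shared_mark` is always empty and the block does nothing; I would drop it or add `# intentionally empty until the programs are linked against the shared libraries`. The new `else { $no_shared = 1; }` branch also turns shared libraries off without telling the user, presumably even when they were requested on the command line, so a `print` saying that `$target` has no shared-library support would help.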
@@ -823,6 +854,7 @@ while (<IN>) s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/; s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/; s/^SHLIB_MINOR=.*/SHLIB_MINOR=$shlib_minor/; + s/^SHLIB_EXT=.*/SHLIB_EXT=$shared_extension/; s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/; s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/; s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/; @@ -833,6 +865,7 @@ while (<IN>) s/^CFLAG=.*$/CFLAG= $cflags/; s/^DEPFLAG=.*$/DEPFLAG= $depflags/; s/^EX_LIBS=.*$/EX_LIBS= $lflags/; + s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/; s/^BN_ASM=.*$/BN_ASM= $bn_obj/; s/^DES_ENC=.*$/DES_ENC= $des_obj/; s/^BF_ENC=.*$/BF_ENC= $bf_obj/; @@ -846,9 +879,9 @@ while (<IN>) s/^RANLIB=.*/RANLIB= $ranlib/; s/^PERL=.*/PERL= $perl/; s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; - s/^SHLIB_MARK1=.*/SHLIB_MARK1=$shared_mark1/; - s/^SHLIB_MARK2=.*/SHLIB_MARK2=$shared_mark2/; - s/^LIBS=.*/LIBS=libcrypto\.so\* libssl\.so\*/ if (!$no_shared); + s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; + s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); + s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.so.\$(SHLIB_MAJOR) .so/ if ($shared_extension ne "" && $shared_extension !~ /^\.s[ol]$/); print OUT $_."\n"; } close(IN); @@ -1135,8 +1168,9 @@ sub print_table_entry (my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops, my $bn_obj,my $des_obj,my $bf_obj, my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj, - my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag)= - split(/\s*:\s*/,$table{$target} . ":" x 22 , -1); + my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag, + my $shared_extension,my $ranlib)= + split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); print <<EOF @@ -1159,5 +1193,7 @@ sub print_table_entry \$dso_scheme = $dso_scheme \$shared_target= $shared_target \$shared_cflag = $shared_cflag +\$shared_extension = $shared_extension +\$ranlib = $ranlib EOF } 
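Review bot: The `SHARED_LIBS_LINK_EXTS` substitution in the `@@ -846,9 +879,9 @@` hunk writes the fixed text `.so.\$(SHLIB_MAJOR) .so` whenever `$shared_extension` is non-empty and does not match `/^\.s[ol]$/`, whatever the extension actually is. Every versioned extension visible in this diff is `.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)`, so the result is right for the current table, but an entry with a different base suffix would get a link-extension list that does not match its library name. The assumption deserves a comment above the line, for example `# assumes versioned extensions of the form .so.MAJOR.MINOR; plain .so/.sl needs no extra link names`.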
diff --git a/lib/libssl/src/FAQ b/lib/libssl/src/FAQ index 29acc8afdf5..cd759e02025 100644 --- a/lib/libssl/src/FAQ +++ b/lib/libssl/src/FAQ @@ -1,20 +1,22 @@ OpenSSL - Frequently Asked Questions -------------------------------------- +[MISC] Miscellaneous questions + * Which is the current version of OpenSSL? * Where is the documentation? * How can I contact the OpenSSL developers? +* Where can I get a compiled version of OpenSSL? +* Why aren't tools like 'autoconf' and 'libtool' used? + +[LEGAL] Legal questions + * Do I need patent licenses to use OpenSSL? -* Is OpenSSL thread-safe? +* Can I use OpenSSL with GPL software? + +[USER] Questions on using the OpenSSL applications + * Why do I get a "PRNG not seeded" error message? -* Why does the linker complain about undefined symbols? -* Where can I get a compiled version of OpenSSL? -* I've compiled a program under Windows and it crashes: why? -* How do I read or write a DER encoded buffer using the ASN1 functions? -* I've tried using <M_some_evil_pkcs12_macro> and I get errors why? -* I've called <some function> and it fails, why? -* I just get a load of numbers for the error output, what do they mean? -* Why do I get errors about unknown algorithms? * How do I create certificates or certificate requests? * Why can't I create certificate requests? * Why does <SSL program> fail with a certificate verify error? 
@@ -22,17 +24,38 @@ OpenSSL - Frequently Asked Questions * How can I create DSA certificates? * Why can't I make an SSL connection using a DSA certificate? * How can I remove the passphrase on a private key? -* Why can't the OpenSSH configure script detect OpenSSL? +* Why can't I use OpenSSL certificates with SSL client authentication? +* Why does my browser give a warning about a mismatched hostname? + +[BUILD] Questions about building and testing OpenSSL + +* Why does the linker complain about undefined symbols? * Why does the OpenSSL test fail with "bc: command not found"? * Why does the OpenSSL test fail with "bc: 1 no implemented"? * Why does the OpenSSL compilation fail on Alpha True64 Unix? * Why does the OpenSSL compilation fail with "ar: command not found"? +* Why does the OpenSSL compilation fail on Win32 with VC++? + +[PROG] Questions about programming with OpenSSL + +* Is OpenSSL thread-safe? +* I've compiled a program under Windows and it crashes: why? +* How do I read or write a DER encoded buffer using the ASN1 functions? +* I've tried using <M_some_evil_pkcs12_macro> and I get errors why? +* I've called <some function> and it fails, why? +* I just get a load of numbers for the error output, what do they mean? +* Why do I get errors about unknown algorithms? +* Why can't the OpenSSH configure script detect OpenSSL? +* Can I use OpenSSL's SSL library with non-blocking I/O? + +=============================================================================== +[MISC] ======================================================================== * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 0.9.6 was released on September 24th, 2000. +OpenSSL 0.9.6a was released on April 5th, 2001. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: 
@@ -78,6 +101,27 @@ OpenSSL. Information on the OpenSSL mailing lists is available from <URL: http://www.openssl.org>. +* Where can I get a compiled version of OpenSSL? + +Some applications that use OpenSSL are distributed in binary form. +When using such an application, you don't need to install OpenSSL +yourself; the application will include the required parts (e.g. DLLs). + +If you want to install OpenSSL on a Windows system and you don't have +a C compiler, read the "Mingw32" section of INSTALL.W32 for information +on how to obtain and install the free GNU C compiler. + +A number of Linux and *BSD distributions include OpenSSL. + + +* Why aren't tools like 'autoconf' and 'libtool' used? + +autoconf will probably be used in future OpenSSL versions. If it was +less Unix-centric, it might have been used much earlier. + + +[LEGAL] ======================================================================= + * Do I need patent licenses to use OpenSSL? The patents section of the README file lists patents that may apply to 
@@ -89,18 +133,26 @@ You can configure OpenSSL so as not to use RC5 and IDEA by using ./config no-rc5 no-idea -* Is OpenSSL thread-safe? +* Can I use OpenSSL with GPL software? -Yes (with limitations: an SSL connection may not concurrently be used -by multiple threads). On Windows and many Unix systems, OpenSSL -automatically uses the multi-threaded versions of the standard -libraries. If your platform is not one of these, consult the INSTALL -file. +On many systems including the major Linux and BSD distributions, yes (the +GPL does not place restrictions on using libraries that are part of the +normal operating system distribution). -Multi-threaded applications must provide two callback functions to -OpenSSL. This is described in the threads(3) manpage. +On other systems, the situation is less clear. Some GPL software copyright +holders claim that you infringe on their rights if you use OpenSSL with +their software on operating systems that don't normally include OpenSSL. + +If you develop open source software that uses OpenSSL, you may find it +useful to choose an other license than the GPL, or state explicitely that +"This program is released under the GPL with the additional exemption that +compiling, linking, and/or using OpenSSL is allowed." If you are using +GPL software developed by others, you may want to ask the copyright holder +for permission to use their software with OpenSSL. +[USER] ======================================================================== + * Why do I get a "PRNG not seeded" error message? Cryptographic software needs a source of unpredictable data to work 
@@ -138,6 +190,101 @@ versions. However, be warned that /dev/random is usually a blocking device, which may have some effects on OpenSSL. +* How do I create certificates or certificate requests? + +Check out the CA.pl(1) manual page. This provides a simple wrapper round +the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check +out the manual pages for the individual utilities and the certificate +extensions documentation (currently in doc/openssl.txt). + + +* Why can't I create certificate requests? + +You typically get the error: + + unable to find 'distinguished_name' in config + problems making Certificate Request + +This is because it can't find the configuration file. Check out the +DIAGNOSTICS section of req(1) for more information. + + +* Why does <SSL program> fail with a certificate verify error? + +This problem is usually indicated by log messages saying something like +"unable to get local issuer certificate" or "self signed certificate". +When a certificate is verified its root CA must be "trusted" by OpenSSL +this typically means that the CA certificate must be placed in a directory +or file and the relevant program configured to read it. The OpenSSL program +'verify' behaves in a similar way and issues similar error messages: check +the verify(1) program manual page for more information. + + +* Why can I only use weak ciphers when I connect to a server using OpenSSL? + +This is almost certainly because you are using an old "export grade" browser +which only supports weak encryption. Upgrade your browser to support 128 bit +ciphers. + + +* How can I create DSA certificates? + +Check the CA.pl(1) manual page for a DSA certificate example. + + +* Why can't I make an SSL connection to a server using a DSA certificate? + +Typically you'll see a message saying there are no shared ciphers when +the same setup works fine with an RSA certificate. There are two possible +causes. 
The client may not support connections to DSA servers most web +browsers (including Netscape and MSIE) only support connections to servers +supporting RSA cipher suites. The other cause is that a set of DH parameters +has not been supplied to the server. DH parameters can be created with the +dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: +check the source to s_server in apps/s_server.c for an example. + + +* How can I remove the passphrase on a private key? + +Firstly you should be really *really* sure you want to do this. Leaving +a private key unencrypted is a major security risk. If you decide that +you do have to do this check the EXAMPLES sections of the rsa(1) and +dsa(1) manual pages. + + +* Why can't I use OpenSSL certificates with SSL client authentication? + +What will typically happen is that when a server requests authentication +it will either not include your certificate or tell you that you have +no client certificates (Netscape) or present you with an empty list box +(MSIE). The reason for this is that when a server requests a client +certificate it includes a list of CAs names which it will accept. Browsers +will only let you select certificates from the list on the grounds that +there is little point presenting a certificate which the server will +reject. + +The solution is to add the relevant CA certificate to your servers "trusted +CA list". How you do this depends on the server sofware in uses. You can +print out the servers list of acceptable CAs using the OpenSSL s_client tool: + +openssl s_client -connect www.some.host:443 -prexit + +If your server only requests certificates on certain URLs then you may need +to manually issue an HTTP GET command to get the list when s_client connects: + +GET /some/page/needing/a/certificate.html + +If your CA does not appear in the list then this confirms the problem. + + +* Why does my browser give a warning about a mismatched hostname? 
+ +Browsers expect the server's hostname to match the value in the commonName +(CN) field of the certificate. If it does not then you get a warning. + + +[BUILD] ======================================================================= + * Why does the linker complain about undefined symbols? Maybe the compilation was interrupted, and make doesn't notice that 
@@ -162,17 +309,99 @@ If none of these helps, you may want to try using the current snapshot. If the problem persists, please submit a bug report. -* Where can I get a compiled version of OpenSSL? +* Why does the OpenSSL test fail with "bc: command not found"? -Some applications that use OpenSSL are distributed in binary form. -When using such an application, you don't need to install OpenSSL -yourself; the application will include the required parts (e.g. DLLs). +You didn't install "bc", the Unix calculator. If you want to run the +tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor. -If you want to install OpenSSL on a Windows system and you don't have -a C compiler, read the "Mingw32" section of INSTALL.W32 for information -on how to obtain and install the free GNU C compiler. -A number of Linux and *BSD distributions include OpenSSL. +* Why does the OpenSSL test fail with "bc: 1 no implemented"? + +On some SCO installations or versions, bc has a bug that gets triggered +when you run the test suite (using "make test"). The message returned is +"bc: 1 not implemented". + +The best way to deal with this is to find another implementation of bc +and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +for download instructions) can be safely used, for example. + + +* Why does the OpenSSL compilation fail on Alpha True64 Unix? + +On some Alpha installations running True64 Unix and Compaq C, the compilation +of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual +memory to continue compilation.' As far as the tests have shown, this may be +a compiler bug. What happens is that it eats up a lot of resident memory +to build something, probably a table. The problem is clearly in the +optimization code, because if one eliminates optimization completely (-O0), +the compilation goes through (and the compiler consumes about 2MB of resident +memory instead of 240MB or whatever one's limit is currently). 
+ +There are three options to solve this problem: + +1. set your current data segment size soft limit higher. Experience shows +that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do +this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of +kbytes to set the limit to. + +2. If you have a hard limit that is lower than what you need and you can't +get it changed, you can compile all of OpenSSL with -O0 as optimization +level. This is however not a very nice thing to do for those who expect to +get the best result from OpenSSL. A bit more complicated solution is the +following: + +----- snip:start ----- + make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \ + sed -e 's/ -O[0-9] / -O0 /'`" + rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'` + make +----- snip:end ----- + +This will only compile sha_dgst.c with -O0, the rest with the optimization +level chosen by the configuration process. When the above is done, do the +test and installation and you're set. + + +* Why does the OpenSSL compilation fail with "ar: command not found"? + +Getting this message is quite usual on Solaris 2, because Sun has hidden +away 'ar' and other development commands in directories that aren't in +$PATH by default. One of those directories is '/usr/ccs/bin'. The +quickest way to fix this is to do the following (it assumes you use sh +or any sh-compatible shell): + +----- snip:start ----- + PATH=${PATH}:/usr/ccs/bin; export PATH +----- snip:end ----- + +and then redo the compilation. What you should really do is make sure +'/usr/ccs/bin' is permanently in your $PATH, for example through your +'.profile' (again, assuming you use a sh-compatible shell). + + +* Why does the OpenSSL compilation fail on Win32 with VC++? + +Sometimes, you may get reports from VC++ command line (cl) that it +can't find standard include files like stdio.h and other weirdnesses. +One possible cause is that the environment isn't correctly set up. 
+To solve that problem, one should run VCVARS32.BAT which is found in +the 'bin' subdirectory of the VC++ installation directory (somewhere +under 'Program Files'). This needs to be done prior to running NMAKE, +and the changes are only valid for the current DOS session. + + +[PROG] ======================================================================== + +* Is OpenSSL thread-safe? + +Yes (with limitations: an SSL connection may not concurrently be used +by multiple threads). On Windows and many Unix systems, OpenSSL +automatically uses the multi-threaded versions of the standard +libraries. If your platform is not one of these, consult the INSTALL +file. + +Multi-threaded applications must provide two callback functions to +OpenSSL. This is described in the threads(3) manpage. * I've compiled a program under Windows and it crashes: why? 
@@ -259,68 +488,6 @@ is forgetting to load OpenSSL's table of algorithms with OpenSSL_add_all_algorithms(). See the manual page for more information. -* How do I create certificates or certificate requests? - -Check out the CA.pl(1) manual page. This provides a simple wrapper round -the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check -out the manual pages for the individual utilities and the certificate -extensions documentation (currently in doc/openssl.txt). - - -* Why can't I create certificate requests? - -You typically get the error: - - unable to find 'distinguished_name' in config - problems making Certificate Request - -This is because it can't find the configuration file. Check out the -DIAGNOSTICS section of req(1) for more information. - - -* Why does <SSL program> fail with a certificate verify error? - -This problem is usually indicated by log messages saying something like -"unable to get local issuer certificate" or "self signed certificate". -When a certificate is verified its root CA must be "trusted" by OpenSSL -this typically means that the CA certificate must be placed in a directory -or file and the relevant program configured to read it. The OpenSSL program -'verify' behaves in a similar way and issues similar error messages: check -the verify(1) program manual page for more information. - - -* Why can I only use weak ciphers when I connect to a server using OpenSSL? - -This is almost certainly because you are using an old "export grade" browser -which only supports weak encryption. Upgrade your browser to support 128 bit -ciphers. - - -* How can I create DSA certificates? - -Check the CA.pl(1) manual page for a DSA certificate example. - - -* Why can't I make an SSL connection to a server using a DSA certificate? - -Typically you'll see a message saying there are no shared ciphers when -the same setup works fine with an RSA certificate. There are two possible -causes. 
The client may not support connections to DSA servers most web -browsers (including Netscape and MSIE) only support connections to servers -supporting RSA cipher suites. The other cause is that a set of DH parameters -has not been supplied to the server. DH parameters can be created with the -dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: -check the source to s_server in apps/s_server.c for an example. - - -* How can I remove the passphrase on a private key? - -Firstly you should be really *really* sure you want to do this. Leaving -a private key unencrypted is a major security risk. If you decide that -you do have to do this check the EXAMPLES sections of the rsa(1) and -dsa(1) manual pages. - - * Why can't the OpenSSH configure script detect OpenSSL? There is a problem with OpenSSH 1.2.2p1, in that the configure script 
@@ -362,71 +529,19 @@ applied to the OpenSSH distribution: ----- snip:end ----- -* Why does the OpenSSL test fail with "bc: command not found"? +* Can I use OpenSSL's SSL library with non-blocking I/O? -You didn't install "bc", the Unix calculator. If you want to run the -tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor. - - -* Why does the OpenSSL test fail with "bc: 1 no implemented"? +Yes; make sure to read the SSL_get_error(3) manual page! -On some SCO installations or versions, bc has a bug that gets triggered when -you run the test suite (using "make test"). The message returned is "bc: -1 not implemented". The best way to deal with this is to find another -implementation of bc and compile/install it. For example, GNU bc (see -http://www.gnu.org/software/software.html for download instructions) can -be safely used. +A pitfall to avoid: Don't assume that SSL_read() will just read from +the underlying transport or that SSL_write() will just write to it -- +it is also possible that SSL_write() cannot do any useful work until +there is data to read, or that SSL_read() cannot do anything until it +is possible to send data. One reason for this is that the peer may +request a new TLS/SSL handshake at any time during the protocol, +requiring a bi-directional message exchange; both SSL_read() and +SSL_write() will try to continue any pending handshake. -* Why does the OpenSSL compilation fail on Alpha True64 Unix? - -On some Alpha installations running True64 Unix and Compaq C, the compilation -of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual -memory to continue compilation.' As far as the tests have shown, this may be -a compiler bug. What happens is that it eats up a lot of resident memory -to build something, probably a table. 
The problem is clearly in the -optimization code, because if one eliminates optimization completely (-O0), -the compilation goes through (and the compiler consumes about 2MB of resident -memory instead of 240MB or whatever one's limit is currently). - -There are three options to solve this problem: - -1. set your current data segment size soft limit higher. Experience shows -that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do -this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of -kbytes to set the limit to. - -2. If you have a hard limit that is lower than what you need and you can't -get it changed, you can compile all of OpenSSL with -O0 as optimization -level. This is however not a very nice thing to do for those who expect to -get the best result from OpenSSL. A bit more complicated solution is the -following: - ------ snip:start ----- - make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \ - sed -e 's/ -O[0-9] / -O0 /'`" - rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'` - make ------ snip:end ----- - -This will only compile sha_dgst.c with -O0, the rest with the optimization -level chosen by the configuration process. When the above is done, do the -test and installation and you're set. - - -* Why does the OpenSSL compilation fail with "ar: command not found"? - -Getting this message is quite usual on Solaris 2, because Sun has hidden -away 'ar' and other development commands in directories that aren't in -$PATH by default. One of those directories is '/usr/ccs/bin'. The -quickest way to fix this is to do the following (it assumes you use sh -or any sh-compatible shell): - ------ snip:start ----- - PATH=${PATH}:/usr/ccs/bin; export PATH ------ snip:end ----- - -and then redo the compilation. What you should really do is make sure -'/usr/ccs/bin' is permanently in your $PATH, for example through your -'.profile' (again, assuming you use a sh-compatible shell). 
+=============================================================================== diff --git a/lib/libssl/src/LICENSE b/lib/libssl/src/LICENSE index bdd5f7bdd09..3fd259ac323 100644 --- a/lib/libssl/src/LICENSE +++ b/lib/libssl/src/LICENSE @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/lib/libssl/src/Makefile.org b/lib/libssl/src/Makefile.org index 0dd8a4e6446..d24a0b50103 100644 --- a/lib/libssl/src/Makefile.org +++ b/lib/libssl/src/Makefile.org @@ -9,6 +9,7 @@ SHLIB_VERSION_NUMBER= SHLIB_VERSION_HISTORY= SHLIB_MAJOR= SHLIB_MINOR= +SHLIB_EXT= PLATFORM=dist OPTIONS= CONFIGURE_ARGS= @@ -58,8 +59,9 @@ CC= gcc #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM CFLAG= -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM DEPFLAG= -PEX_LIBS= -L. -L.. -L../.. -L../../.. +PEX_LIBS= EX_LIBS= +EXE_EXT= AR=ar r RANLIB= ranlib PERL= perl @@ -151,14 +153,11 @@ RMD160_ASM_OBJ= asm/rm86-out.o #RMD160_ASM_OBJ= asm/rm86-out.o # a.out, FreeBSD #RMD160_ASM_OBJ= asm/rm86bsdi.o # bsdi -# To do special treatment, use "directory names" starting with a period. # When we're prepared to use shared libraries in the programs we link here -# we might have SHLIB_MARK1 get the value ".shlib." and SHLIB_MARK2 be empty, -# or have that configurable. -SHLIB_MARK1=.shlib-clean. -SHLIB_MARK2=.shlib. +# we might set SHLIB_MARK to '$(SHARED_LIBS)'. +SHLIB_MARK= -DIRS= crypto ssl rsaref $(SHLIB_MARK1) apps test tools $(SHLIB_MARK2) +DIRS= crypto ssl rsaref $(SHLIB_MARK) apps test tools SHLIBDIRS= crypto ssl # dirs in crypto to build 
@@ -182,7 +181,10 @@ ONEDIRS=out tmp EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS WDIRS= windows LIBS= libcrypto.a libssl.a -SHARED_LIBS=libcrypto.so libssl.so +SHARED_CRYPTO=libcrypto$(SHLIB_EXT) +SHARED_SSL=libssl$(SHLIB_EXT) +SHARED_LIBS= +SHARED_LIBS_LINK_EXTS= GENERAL= Makefile BASENAME= openssl 
@@ -192,108 +194,93 @@ WTARFILE= $(NAME)-win.tar EXHEADER= e_os.h e_os2.h HEADER= e_os.h -all: Makefile.ssl - @need_shlib=true; \ - for i in $(DIRS) ;\ - do \ - if [ "$$i" = ".shlib-clean." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) clean-shared; \ - fi; \ - elif [ "$$i" = ".shlib." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) $(SHARED_LIBS); \ - fi; \ - need_shlib=false; \ - else \ - (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ - fi; \ - done; \ - if $$need_shlib && [ "$(SHLIB_MARK1)" != "" -o "$(SHLIB_MARK1)" != "" ]; then \ - $(MAKE) $(SHARED_LIBS); \ - fi +# When we're prepared to use shared libraries in the programs we link here +# we might remove 'clean-shared' from the targets to perform at this stage + +all: clean-shared Makefile.ssl sub_all sub_all: - @need_shlib=true; \ - for i in $(DIRS) ;\ + @for i in $(DIRS); \ do \ - if [ "$$i" = ".shlib-clean." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) clean-shared; \ - fi; \ - elif [ "$$i" = ".shlib." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) $(SHARED_LIBS); \ - fi; \ - need_shlib=false; \ - else \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making all in $$i..." 
&& \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' all ) || exit 1; \ + else \ + $(MAKE) $$i; \ fi; \ done; \ - if $$need_shlib && [ "$(SHLIB_MARK1)" != "" -o "$(SHLIB_MARK1)" != "" ]; then \ + if echo "$(DIRS)" | \ + egrep '(^| )(crypto|ssl)( |$$)' > /dev/null 2>&1 && \ + [ -n "$(SHARED_LIBS)" ]; then \ $(MAKE) $(SHARED_LIBS); \ fi -libcrypto.so: libcrypto.a +libcrypto$(SHLIB_EXT): libcrypto.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) SHLIBDIRS=crypto $(SHLIB_TARGET); \ + $(MAKE) SHLIBDIRS=crypto build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi -libssl.so: libcrypto.so libssl.a +libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-L. 
-lcrypto' $(SHLIB_TARGET); \ + $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi clean-shared: - for i in ${SHLIBDIRS}; do \ - rm -f lib$$i.so \ - lib$$i.so.${SHLIB_MAJOR} \ - lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ + @for i in $(SHLIBDIRS); do \ + if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ + tmp="$(SHARED_LIBS_LINK_EXTS)"; \ + for j in $${tmp:-x}; do \ + ( set -x; rm -f lib$$i$$j ); \ + done; \ + fi; \ + ( set -x; rm -f lib$$i$(SHLIB_EXT) ); \ done -linux-shared: - libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ - rm -f lib$$i.so \ - lib$$i.so.${SHLIB_MAJOR} \ - lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ +link-shared: + @for i in $(SHLIBDIRS); do \ + prev=lib$$i$(SHLIB_EXT); \ + if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ + tmp="$(SHARED_LIBS_LINK_EXTS)"; \ + for j in $${tmp:-x}; do \ + ( set -x; ln -f -s $$prev lib$$i$$j ); \ + prev=lib$$i$$j; \ + done; \ + fi; \ + done + +build-shared: clean-shared do_$(SHLIB_TARGET) link-shared + +do_bsd-gcc-shared: do_gnu-shared +do_linux-shared: do_gnu-shared +do_gnu-shared: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ ( set -x; ${CC} -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -Wl,-S,-soname=lib$$i.so.${SHLIB_MAJOR} \ + -Wl,-S,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,--whole-archive lib$$i.a \ -Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -L. -l$$i"; \ - ( set -x; \ - ln -s lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - lib$$i.so.${SHLIB_MAJOR}; \ - ln -s lib$$i.so.${SHLIB_MAJOR} lib$$i.so ); \ + libs="$$libs -l$$i"; \ done # This assumes that GNU utilities are *not* used -true64-shared: - libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ +do_tru64-shared: + libs='-L. 
${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ ( set -x; ${CC} -shared -no_archive -o lib$$i.so \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -L. -l$$i"; \ + libs="$$libs -l$$i"; \ done # This assumes that GNU utilities are *not* used -solaris-shared: - libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ - rm -f lib$$i.so \ - lib$$i.so.${SHLIB_MAJOR} \ - lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ - ( set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -h lib$$i.so.${SHLIB_MAJOR} \ +do_solaris-shared: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ + set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -L. -l$$i"; \ - ln -s lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - lib$$i.so.${SHLIB_MAJOR}; \ - ln -s lib$$i.so.${SHLIB_MAJOR} lib$$i.so; \ + libs="$$libs -l$$i"; \ done Makefile.ssl: Makefile.org @@ -308,7 +295,7 @@ clean: rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making clean in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \ rm -f $(LIBS); \ @@ -329,7 +316,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making 'files' in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \ fi; \ 
@@ -340,7 +327,7 @@ links: @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) @for i in $(DIRS); do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making links in $$i..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \ fi; \ @@ -350,7 +337,7 @@ dclean: rm -f *.bak @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making dclean in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \ fi; \ @@ -365,7 +352,7 @@ test: tests tests: rehash @(cd test && echo "testing..." && \ - $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' tests ); + $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' EXE_EXT='${EXE_EXT}' tests ); @apps/openssl version -a report: 
@@ -374,7 +361,7 @@ report: depend: @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making dependencies $$i..." && \ $(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \ fi; \ @@ -383,7 +370,7 @@ depend: lint: @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making lint $$i..." && \ $(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \ fi; \ @@ -392,7 +379,7 @@ lint: tags: @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making tags $$i..." && \ $(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \ fi; \ @@ -454,9 +441,9 @@ install: all install_docs done; @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i; echo "installing $$i..."; \ - $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' install ); \ + $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' install ); \ fi; \ done @for i in $(LIBS) ;\ @@ -468,6 +455,20 @@ install: all install_docs chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi \ done + @if [ -n "$(SHARED_LIBS)" ]; then \ + tmp="$(SHARED_LIBS)"; \ + for i in $${tmp:-x}; \ + do \ + if [ -f "$$i" ]; then \ + ( echo installing $$i; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ + fi \ + done; \ + ( here="`pwd`"; \ + cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ + make -f $$here/Makefile link-shared ); \ + fi install_docs: @$(PERL) $(TOP)/util/mkdir-p.pl \ diff --git a/lib/libssl/src/NEWS b/lib/libssl/src/NEWS index 7cf95cfb0bf..b9ea61239f0 100644 --- a/lib/libssl/src/NEWS +++ b/lib/libssl/src/NEWS 
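Review bot: In the new shared-library install step, `cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; make -f $$here/Makefile link-shared` still runs link-shared when the `cd` fails. In that case the `ln -f -s` loop operates on the build directory instead of the install directory. The recipe also calls a literal `make` rather than `$(MAKE)`, so the make that runs is not necessarily the one that was invoked, and it leaves `$$here` unquoted. I would write it as `cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib && $(MAKE) -f "$$here/Makefile" link-shared`. The install target begins outside this hunk.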
@@ -5,6 +5,31 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a: + + o Security fix: change behavior of OpenSSL to avoid using + environment variables when running as root. + o Security fix: check the result of RSA-CRT to reduce the + possibility of deducing the private key from an incorrectly + calculated signature. + o Security fix: prevent Bleichenbacher's DSA attack. + o Security fix: Zero the premaster secret after deriving the + master secret in DH ciphersuites. + o Reimplement SSL_peek(), which had various problems. + o Compatibility fix: the function des_encrypt() renamed to + des_encrypt1() to avoid clashes with some Unixen libc. + o Bug fixes for Win32, HP/UX and Irix. + o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and + memory checking routines. + o Bug fixes for RSA operations in threaded enviroments. + o Bug fixes in misc. openssl applications. + o Remove a few potential memory leaks. + o Add tighter checks of BIGNUM routines. + o Shared library support has been reworked for generality. + o More documentation. + o New function BN_rand_range(). + o Add "-rand" option to openssl s_client and s_server. + Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6: o Some documentation for BIO and SSL libraries. diff --git a/lib/libssl/src/README b/lib/libssl/src/README index e8f20f49a6c..c500744c6b0 100644 --- a/lib/libssl/src/README +++ b/lib/libssl/src/README @@ -1,5 +1,6 @@ - OpenSSL 0.9.5 28 Feb 2000 + OpenSSL 0.9.6a [engine] 5 Apr 2001 + Copyright (c) 1998-2000 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/lib/libssl/src/apps/Makefile.ssl b/lib/libssl/src/apps/Makefile.ssl index e8677cbb2d7..75aeb56df3d 100644 --- a/lib/libssl/src/apps/Makefile.ssl +++ b/lib/libssl/src/apps/Makefile.ssl 
@@ -18,6 +18,7 @@ RM= rm -f PEX_LIBS= EX_LIBS= +EXE_EXT= CFLAGS= -DMONOLITH $(INCLUDES) $(CFLAG) @@ -32,7 +33,7 @@ PROGRAM= openssl SCRIPTS=CA.sh CA.pl der_chop -EXE= $(PROGRAM) +EXE= $(PROGRAM)$(EXE_EXT) E_EXE= verify asn1pars req dgst dh dhparam enc passwd gendh errstr \ ca crl rsa rsautl dsa dsaparam \ @@ -77,7 +78,7 @@ top: all: exe -exe: $(EXE) +exe: $(PROGRAM) req: sreq.o $(A_OBJ) $(DLIBCRYPTO) $(CC) -o req $(CFLAG) sreq.o $(A_OBJ) $(RAND_OBJ) $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) diff --git a/lib/libssl/src/apps/app_rand.c b/lib/libssl/src/apps/app_rand.c index 1146f9f7f38..8a78e12eb73 100644 --- a/lib/libssl/src/apps/app_rand.c +++ b/lib/libssl/src/apps/app_rand.c @@ -177,8 +177,10 @@ long app_RAND_load_files(char *name) if (*n == '\0') break; egd=RAND_egd(n); - if (egd > 0) tot+=egd; - tot+=RAND_load_file(n,-1); + if (egd > 0) + tot+=egd; + else + tot+=RAND_load_file(n,-1); if (last) break; } if (tot > 512) diff --git a/lib/libssl/src/apps/ca-cert.srl b/lib/libssl/src/apps/ca-cert.srl index eeee65ec419..2c7456e3eb6 100644 --- a/lib/libssl/src/apps/ca-cert.srl +++ b/lib/libssl/src/apps/ca-cert.srl @@ -1 +1 @@ -05 +07 diff --git a/lib/libssl/src/apps/dsaparam.c b/lib/libssl/src/apps/dsaparam.c index 67f054c6455..34230b2cfb4 100644 --- a/lib/libssl/src/apps/dsaparam.c +++ b/lib/libssl/src/apps/dsaparam.c @@ -313,7 +313,7 @@ bad: printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n", bits_p,bits_p); printf("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n"); - printf("\t\treturn(NULL);\n"); + printf("\t\t{ DSA_free(dsa); return(NULL); }\n"); printf("\treturn(dsa);\n\t}\n"); } diff --git a/lib/libssl/src/apps/md5.c b/lib/libssl/src/apps/md5.c new file mode 100644 index 00000000000..7ed0024ae19 --- /dev/null +++ b/lib/libssl/src/apps/md5.c 
@@ -0,0 +1,127 @@ +/* crypto/md5/md5.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. 
If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] 
+ */ + +#include <stdio.h> +#include <stdlib.h> +#include <openssl/md5.h> + +#define BUFSIZE 1024*16 + +void do_fp(FILE *f); +void pt(unsigned char *md); +#ifndef _OSD_POSIX +int read(int, void *, unsigned int); +#endif + +int main(int argc, char **argv) + { + int i,err=0; + FILE *IN; + + if (argc == 1) + { + do_fp(stdin); + } + else + { + for (i=1; i<argc; i++) + { + IN=fopen(argv[i],"r"); + if (IN == NULL) + { + perror(argv[i]); + err++; + continue; + } + printf("MD5(%s)= ",argv[i]); + do_fp(IN); + fclose(IN); + } + } + exit(err); + } + +void do_fp(FILE *f) + { + MD5_CTX c; + unsigned char md[MD5_DIGEST_LENGTH]; + int fd; + int i; + static unsigned char buf[BUFSIZE]; + + fd=fileno(f); + MD5_Init(&c); + for (;;) + { + i=read(fd,buf,BUFSIZE); + if (i <= 0) break; + MD5_Update(&c,buf,(unsigned long)i); + } + MD5_Final(&(md[0]),&c); + pt(md); + } + +void pt(unsigned char *md) + { + int i; + + for (i=0; i<MD5_DIGEST_LENGTH; i++) + printf("%02x",md[i]); + printf("\n"); + } + diff --git a/lib/libssl/src/apps/passwd.c b/lib/libssl/src/apps/passwd.c index 6851a9927d3..ea2b089e24a 100644 --- a/lib/libssl/src/apps/passwd.c +++ b/lib/libssl/src/apps/passwd.c @@ -272,6 +272,7 @@ int MAIN(int argc, char **argv) } while (!done); } + ret = 0; err: ERR_print_errors(bio_err); @@ -315,7 +316,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt) strncat(out_buf, "$", 1); strncat(out_buf, salt, 8); assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */ - salt_out = out_buf + 6; + salt_out = out_buf + 2 + strlen(magic); salt_len = strlen(salt_out); assert(salt_len <= 8); diff --git a/lib/libssl/src/apps/pca-cert.srl b/lib/libssl/src/apps/pca-cert.srl index 8a0f05e166a..2c7456e3eb6 100644 --- a/lib/libssl/src/apps/pca-cert.srl +++ b/lib/libssl/src/apps/pca-cert.srl @@ -1 +1 @@ -01 +07 diff --git a/lib/libssl/src/apps/req.c b/lib/libssl/src/apps/req.c index 0751d92201d..ca8dc879572 100644 --- a/lib/libssl/src/apps/req.c +++ b/lib/libssl/src/apps/req.c 
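Review bot: In do_fp() the test `if (i <= 0) break;` treats a failed read() the same as end of file. An I/O error part-way through a file therefore still prints a digest, computed over only the bytes read so far, and main() does not count it in `err`. For a tool whose output is compared to verify file contents, the error should be reported before leaving the loop, for example `if (i < 0) { perror("read"); exit(1); }`. Files are also opened with `fopen(argv[i],"r")`; on platforms that distinguish text from binary streams, `"rb"` is presumably needed for the digest to cover the raw bytes. The same code is added as apps/rmd160.c later in this commit.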
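Review bot: The context assertion just above the changed line, `assert(strlen(out_buf) <= 6 + 8);`, still hard-codes the length of the "$apr1$" prefix, while the new `salt_out` offset is derived from `strlen(magic)`. The two should agree, e.g. `assert(strlen(out_buf) <= 2 + strlen(magic) + 8);`, with the comment updated to match. assert() is compiled out under NDEBUG, and the declaration of out_buf is outside the hunk, so its size should be confirmed against the longest magic string that callers pass. The body of md5crypt starts and ends outside this hunk.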
@@ -725,16 +725,15 @@ loop: if (newreq || x509) { -#ifndef NO_DSA - if (pkey->type == EVP_PKEY_DSA) - digest=EVP_dss1(); -#endif - if (pkey == NULL) { BIO_printf(bio_err,"you need to specify a private key\n"); goto end; } +#ifndef NO_DSA + if (pkey->type == EVP_PKEY_DSA) + digest=EVP_dss1(); +#endif if (req == NULL) { req=X509_REQ_new(); diff --git a/lib/libssl/src/apps/rmd160.c b/lib/libssl/src/apps/rmd160.c new file mode 100644 index 00000000000..4f8b88a18ac --- /dev/null +++ b/lib/libssl/src/apps/rmd160.c 
@@ -0,0 +1,127 @@ +/* crypto/ripemd/rmd160.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. 
If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] 
+ */ + +#include <stdio.h> +#include <stdlib.h> +#include <openssl/ripemd.h> + +#define BUFSIZE 1024*16 + +void do_fp(FILE *f); +void pt(unsigned char *md); +#ifndef _OSD_POSIX +int read(int, void *, unsigned int); +#endif + +int main(int argc, char **argv) + { + int i,err=0; + FILE *IN; + + if (argc == 1) + { + do_fp(stdin); + } + else + { + for (i=1; i<argc; i++) + { + IN=fopen(argv[i],"r"); + if (IN == NULL) + { + perror(argv[i]); + err++; + continue; + } + printf("RIPEMD160(%s)= ",argv[i]); + do_fp(IN); + fclose(IN); + } + } + exit(err); + } + +void do_fp(FILE *f) + { + RIPEMD160_CTX c; + unsigned char md[RIPEMD160_DIGEST_LENGTH]; + int fd; + int i; + static unsigned char buf[BUFSIZE]; + + fd=fileno(f); + RIPEMD160_Init(&c); + for (;;) + { + i=read(fd,buf,BUFSIZE); + if (i <= 0) break; + RIPEMD160_Update(&c,buf,(unsigned long)i); + } + RIPEMD160_Final(&(md[0]),&c); + pt(md); + } + +void pt(unsigned char *md) + { + int i; + + for (i=0; i<RIPEMD160_DIGEST_LENGTH; i++) + printf("%02x",md[i]); + printf("\n"); + } + diff --git a/lib/libssl/src/apps/rsautl.c b/lib/libssl/src/apps/rsautl.c index 2ef75649dd7..95fce436bb4 100644 --- a/lib/libssl/src/apps/rsautl.c +++ b/lib/libssl/src/apps/rsautl.c @@ -55,6 +55,9 @@ * Hudson (tjh@cryptsoft.com). * */ + +#ifndef NO_RSA + #include "apps.h" #include <string.h> #include <openssl/err.h> @@ -313,3 +316,4 @@ static void usage() BIO_printf(bio_err, "-hexdump hex dump output\n"); } +#endif diff --git a/lib/libssl/src/apps/s_client.c b/lib/libssl/src/apps/s_client.c index 45d627a60a7..0e1a61b7896 100644 --- a/lib/libssl/src/apps/s_client.c +++ b/lib/libssl/src/apps/s_client.c @@ -79,6 +79,7 @@ typedef unsigned int u_int; #include <openssl/ssl.h> #include <openssl/err.h> #include <openssl/pem.h> +#include <openssl/rand.h> #include <openssl/engine.h> #include "s_apps.h" 
@@ -153,8 +154,8 @@ static void sc_usage(void) BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n"); BIO_printf(bio_err," command to see what is available\n"); + BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); - } int MAIN(int, char **); @@ -181,6 +182,7 @@ int MAIN(int argc, char **argv) int prexit = 0; SSL_METHOD *meth=NULL; BIO *sbio; + char *inrand=NULL; char *engine_id=NULL; ENGINE *e=NULL; #ifdef WINDOWS @@ -320,6 +322,11 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-nbio") == 0) { c_nbio=1; } #endif + else if (strcmp(*argv,"-rand") == 0) + { + if (--argc < 1) goto bad; + inrand= *(++argv); + } else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; @@ -341,7 +348,14 @@ bad: goto end; } - app_RAND_load_file(NULL, bio_err, 0); + if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL + && !RAND_status()) + { + BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n"); + } + if (inrand != NULL) + BIO_printf(bio_err,"%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); if (bio_c_out == NULL) { diff --git a/lib/libssl/src/apps/s_server.c b/lib/libssl/src/apps/s_server.c index 61a77dff115..a107b8c14a1 100644 --- a/lib/libssl/src/apps/s_server.c +++ b/lib/libssl/src/apps/s_server.c @@ -83,6 +83,7 @@ typedef unsigned int u_int; #include <openssl/pem.h> #include <openssl/x509.h> #include <openssl/ssl.h> +#include <openssl/rand.h> #include <openssl/engine.h> #include "s_apps.h" 
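Review bot: In the last s_client.c hunk the low-entropy warning is skipped whenever `-rand` is given, because `inrand == NULL` is part of the condition, and nothing re-checks the PRNG after `app_RAND_load_files(inrand)`. A `-rand` list whose files are empty or unreadable would presumably report a byte count of zero and then continue without any warning. Re-check after loading, e.g. `if (!RAND_status()) BIO_printf(bio_err,"warning, PRNG still not seeded after -rand\n");`. The new usage line `-rand file%cfile%c...` also lacks the description its neighbours have. The same code is added to apps/s_server.c later in this commit, and the body of MAIN extends outside the hunk.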
@@ -245,6 +246,7 @@ static void sv_usage(void) BIO_printf(bio_err," -bugs - Turn on SSL bug compatibility\n"); BIO_printf(bio_err," -www - Respond to a 'GET /' with a status page\n"); BIO_printf(bio_err," -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); + BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); } @@ -415,6 +417,8 @@ int MAIN(int argc, char *argv[]) int no_tmp_rsa=0,no_dhe=0,nocert=0; int state=0; SSL_METHOD *meth=NULL; + char *inrand=NULL; + char *engine_id=NULL; ENGINE *e=NULL; #ifndef NO_DH DH *dh=NULL; @@ -570,6 +574,11 @@ int MAIN(int argc, char *argv[]) else if (strcmp(*argv,"-tls1") == 0) { meth=TLSv1_server_method(); } #endif + else if (strcmp(*argv,"-rand") == 0) + { + if (--argc < 1) goto bad; + inrand= *(++argv); + } else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; @@ -591,7 +600,14 @@ bad: goto end; } - app_RAND_load_file(NULL, bio_err, 0); + if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL + && !RAND_status()) + { + BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n"); + } + if (inrand != NULL) + BIO_printf(bio_err,"%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); if (bio_s_out == NULL) { @@ -709,7 +725,8 @@ bad: #ifndef NO_RSA #if 1 - SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb); + if (!no_tmp_rsa) + SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb); #else if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) { 
@@ -1369,15 +1386,29 @@ static int www_body(char *hostname, int s, unsigned char *context) /* skip the '/' */ p= &(buf[5]); - dot=0; + + dot = 1; for (e=p; *e != '\0'; e++) { - if (e[0] == ' ') break; - if ( (e[0] == '.') && - (strncmp(&(e[-1]),"/../",4) == 0)) - dot=1; + if (e[0] == ' ') + break; + + switch (dot) + { + case 1: + dot = (e[0] == '.') ? 2 : 0; + break; + case 2: + dot = (e[0] == '.') ? 3 : 0; + break; + case 3: + dot = (e[0] == '/') ? -1 : 0; + break; + } + if (dot == 0) + dot = (e[0] == '/') ? 1 : 0; } - + dot = (dot == 3) || (dot == -1); /* filename contains ".." component */ if (*e == '\0') { @@ -1401,9 +1432,11 @@ static int www_body(char *hostname, int s, unsigned char *context) break; } +#if 0 /* append if a directory lookup */ if (e[-1] == '/') strcat(p,"index.html"); +#endif /* if a directory, do the index thang */ if (stat(p,&st_buf) < 0) @@ -1415,7 +1448,13 @@ static int www_body(char *hostname, int s, unsigned char *context) } if (S_ISDIR(st_buf.st_mode)) { +#if 0 /* must check buffer size */ strcat(p,"/index.html"); +#else + BIO_puts(io,text); + BIO_printf(io,"'%s' is a directory\r\n",p); + break; +#endif } if ((file=BIO_new_file(p,"r")) == NULL) diff --git a/lib/libssl/src/apps/server.pem b/lib/libssl/src/apps/server.pem index c57b32507d0..56248e57a3f 100644 --- a/lib/libssl/src/apps/server.pem +++ b/lib/libssl/src/apps/server.pem 
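Review bot: The new scan in www_body flags only ".." components. After `p= &(buf[5]);` nothing in the visible lines rejects a request path that itself begins with '/', and `p` reaches `stat(p,&st_buf)` and `BIO_new_file(p,"r")` unchanged, so such a name would be resolved as an absolute path rather than relative to the working directory. A guard beside the ".." check would cover it: `if (*p == '/') { BIO_puts(io,text); BIO_printf(io,"'%s' is an invalid path\r\n",p); break; }`. The scan also treats only '/' as a separator, which deserves a comment for platforms that accept other separators. Lines between these hunks are not shown, so confirm that no such check already exists there.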
@@ -1,17 +1,17 @@ issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) -subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit) +subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit) -----BEGIN CERTIFICATE----- -MIIB6TCCAVICAQQwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV +MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD -VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTgwNjI5MjM1MjQwWhcNMDAwNjI4 -MjM1MjQwWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG +VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0 +MjIzMTAzWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2// -Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCVvvfkGSe2GHgDFfmOua4Isjb9 -JVhImWMASiOClkZlMESDJjsszg/6+d/W+8TrbObhazpl95FivXBVucbj9dudh7AO -IZu1h1MAPlyknc9Ud816vz3FejB4qqUoaXjnlkrIgEbr/un7jSS86WOe0hRhwHkJ -FUGcPZf9ND22Etc+AQ== +Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCT0grFQeZaqYb5EYfk20XixZV4 +GmyAbXMftG1Eo7qGiMhYzRwGNWxEYojf5PZkYZXvSqZ/ZXHXa4g59jK/rJNnaVGM +k+xIX8mxQvlV0n5O9PIha5BX5teZnkHKgL8aKKLKW1BK7YTngsfSzzaeame5iKfz +itAE+OjGF+PFKbwX8Q== -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD diff --git a/lib/libssl/src/apps/speed.c b/lib/libssl/src/apps/speed.c index ba419163714..3562ea277bd 100644 --- a/lib/libssl/src/apps/speed.c +++ b/lib/libssl/src/apps/speed.c @@ -865,6 +865,7 @@ int MAIN(int argc, char **argv) } #endif +#ifndef NO_DSA dsa_c[R_DSA_512][0]=count/1000; dsa_c[R_DSA_512][1]=count/1000/2; for (i=1; i<DSA_NUM; i++) @@ -882,6 +883,7 @@ int MAIN(int argc, char **argv) } } } +#endif #define COND(d) (count < (d)) #define COUNT(d) (d) 
@@ -1207,7 +1209,7 @@ int MAIN(int argc, char **argv) { BIO_printf(bio_err,"RSA verify failure. No RSA verify will be done.\n"); ERR_print_errors(bio_err); - dsa_doit[j] = 0; + rsa_doit[j] = 0; } else { diff --git a/lib/libssl/src/apps/x509.c b/lib/libssl/src/apps/x509.c index 0c0d42a0ac4..95f05e580c4 100644 --- a/lib/libssl/src/apps/x509.c +++ b/lib/libssl/src/apps/x509.c @@ -894,8 +894,10 @@ bad: BIO_printf(bio_err,"Generating certificate request\n"); +#ifndef NO_DSA if (pk->type == EVP_PKEY_DSA) digest=EVP_dss1(); +#endif rq=X509_to_X509_REQ(x,pk,digest); EVP_PKEY_free(pk); diff --git a/lib/libssl/src/certs/rsa-ssca.pem b/lib/libssl/src/certs/rsa-ssca.pem index c9403212d18..e69de29bb2d 100644 --- a/lib/libssl/src/certs/rsa-ssca.pem +++ b/lib/libssl/src/certs/rsa-ssca.pem @@ -1,19 +0,0 @@ -subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority -issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority -notBefore=941109235417Z -notAfter =991231235417Z ------BEGIN X509 CERTIFICATE----- - -MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw -HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl -IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda -Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0 -YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp -Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB -roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12 -aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc -HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A -iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7 -suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h -cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk= ------END X509 CERTIFICATE----- diff --git a/lib/libssl/src/config b/lib/libssl/src/config index 458838d800c..d22836f80f4 100644 --- a/lib/libssl/src/config 
+++ b/lib/libssl/src/config @@ -49,10 +49,18 @@ if [ "x$XREL" != "x" ]; then echo "whatever-whatever-sco5"; exit 0 ;; 4.2MP) - if [ "x$VERSION" = "x2.1.1" ]; then + if [ "x$VERSION" = "x2.01" ]; then + echo "${MACHINE}-whatever-unixware201"; exit 0 + elif [ "x$VERSION" = "x2.02" ]; then + echo "${MACHINE}-whatever-unixware202"; exit 0 + elif [ "x$VERSION" = "x2.03" ]; then + echo "${MACHINE}-whatever-unixware203"; exit 0 + elif [ "x$VERSION" = "x2.1.1" ]; then echo "${MACHINE}-whatever-unixware211"; exit 0 elif [ "x$VERSION" = "x2.1.2" ]; then echo "${MACHINE}-whatever-unixware212"; exit 0 + elif [ "x$VERSION" = "x2.1.3" ]; then + echo "${MACHINE}-whatever-unixware213"; exit 0 else echo "${MACHINE}-whatever-unixware2"; exit 0 fi @@ -79,6 +87,14 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in echo "m68k-apple-aux3"; exit 0 ;; + AIX:[3456789]:4:*) + echo "${MACHINE}-ibm-aix43"; exit 0 + ;; + + AIX:*:[56789]:*) + echo "${MACHINE}-ibm-aix43"; exit 0 + ;; + AIX:*) echo "${MACHINE}-ibm-aix"; exit 0 ;; @@ -168,7 +184,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in ;; NetBSD:*:*:*386*) - echo "`/usr/sbin/sysctl -n hw.model | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0 + echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0 ;; NetBSD:*) @@ -393,10 +409,16 @@ case "$GUESSOS" in ;; mips4-sgi-irix64) echo "WARNING! If you wish to build 64-bit library, then you have to" - echo " invoke './Configre irix64-mips4-$CC' *manually*." - echo " Type Ctrl-C if you don't want to continue." + echo " invoke './Configure irix64-mips4-$CC' *manually*." + echo " Type return if you want to continue, Ctrl-C to abort." read waste < /dev/tty - options="$options -mips4" + CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` + CPU=${CPU:-0} + if [ $CPU -ge 5000 ]; then + options="$options -mips4" + else + options="$options -mips3" + fi OUT="irix-mips3-$CC" ;; alpha-*-linux2) 
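Review bot: In the mips4-sgi-irix64 branch, `$CPU` reaches `[ $CPU -ge 5000 ]` unquoted and unvalidated. When the `sed` expression does not match, sed passes the `hinv` line through unchanged, and several output lines give a multi-word value, so `[` fails with an error and the script silently takes the `-mips3` branch. Normalising the value first, e.g. `case "$CPU" in ''|*[!0-9]*) CPU=0 ;; esac`, and quoting it in the test (`[ "$CPU" -ge 5000 ]`) makes that fallback deliberate instead of accidental. The enclosing `case "$GUESSOS"` continues outside the hunk.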
@@ -422,11 +444,11 @@ case "$GUESSOS" in #till 64-bit glibc for SPARC is operational:-( #echo "WARNING! If you wish to build 64-bit library, then you have to" #echo " invoke './Configure linux64-sparcv9' *manually*." - #echo " Type Ctrl-C if you don't want to continue." + #echo " Type return if you want to continue, Ctrl-C to abort." #read waste < /dev/tty OUT="linux-sparcv9" ;; sparc-*-linux2) - KARCH=`awk '/type/{print$3}' /proc/cpuinfo` + KARCH=`awk '/^type/{print$3}' /proc/cpuinfo` case ${KARCH:-sun4} in sun4u*) OUT="linux-sparcv9" ;; sun4m) OUT="linux-sparcv8" ;; @@ -434,6 +456,7 @@ case "$GUESSOS" in *) OUT="linux-sparcv7" ;; esac ;; arm*-*-linux2) OUT="linux-elf-arm" ;; + s390-*-linux2) OUT="linux-s390" ;; *-*-linux2) OUT="linux-elf" ;; *-*-linux1) OUT="linux-aout" ;; sun4u*-*-solaris2) @@ -441,7 +464,7 @@ case "$GUESSOS" in if [ "$ISA64" != "" -a "$CC" = "cc" -a $CCVER -ge 50 ]; then echo "WARNING! If you wish to build 64-bit library, then you have to" echo " invoke './Configure solaris64-sparcv9-cc' *manually*." - echo " Type Ctrl-C if you don't want to continue." + echo " Type return if you want to continue, Ctrl-C to abort." read waste < /dev/tty fi OUT="solaris-sparcv9-$CC" ;; @@ -466,9 +489,12 @@ case "$GUESSOS" in *-*-unixware7) OUT="unixware-7" ;; *-*-UnixWare7) OUT="unixware-7" ;; *-*-Unixware7) OUT="unixware-7" ;; - *-*-unixware[1-2]*) OUT="unixware-2.0" ;; - *-*-UnixWare[1-2]*) OUT="unixware-2.0" ;; - *-*-Unixware[1-2]*) OUT="unixware-2.0" ;; + *-*-unixware20*) OUT="unixware-2.0" ;; + *-*-unixware21*) OUT="unixware-2.1" ;; + *-*-UnixWare20*) OUT="unixware-2.0" ;; + *-*-UnixWare21*) OUT="unixware-2.1" ;; + *-*-Unixware20*) OUT="unixware-2.0" ;; + *-*-Unixware21*) OUT="unixware-2.1" ;; BS2000-siemens-sysv4) OUT="BS2000-OSD" ;; RM*-siemens-sysv4) OUT="ReliantUNIX" ;; *-siemens-sysv4) OUT="SINIX" ;; 
@@ -563,7 +589,7 @@ OUT="$PREFIX$OUT" $PERL ./Configure LIST | grep "$OUT" > /dev/null if [ $? = "0" ]; then - #echo Configuring for $OUT + echo Configuring for $OUT if [ "$TEST" = "true" ]; then echo $PERL ./Configure $OUT $options diff --git a/lib/libssl/src/crypto/Makefile b/lib/libssl/src/crypto/Makefile index 05e3bb701e1..6759b2e4d0d 100644 --- a/lib/libssl/src/crypto/Makefile +++ b/lib/libssl/src/crypto/Makefile @@ -34,8 +34,8 @@ SDIRS= md2 md5 sha mdc2 hmac ripemd \ GENERAL=Makefile README crypto-lib.com install.com LIB= $(TOP)/libcrypto.a -LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c -LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o +LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c +LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o SRC= $(LIBSRC) @@ -90,7 +90,8 @@ links: lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib libs: @@ -197,3 +198,6 @@ tmdiff.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h tmdiff.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h tmdiff.o: ../include/openssl/stack.h ../include/openssl/symhacks.h tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h +uid.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h +uid.o: ../include/openssl/safestack.h ../include/openssl/stack.h +uid.o: ../include/openssl/symhacks.h diff --git a/lib/libssl/src/crypto/Makefile.ssl b/lib/libssl/src/crypto/Makefile.ssl index 05e3bb701e1..6759b2e4d0d 100644 --- a/lib/libssl/src/crypto/Makefile.ssl +++ b/lib/libssl/src/crypto/Makefile.ssl 
@@ -34,8 +34,8 @@ SDIRS= md2 md5 sha mdc2 hmac ripemd \ GENERAL=Makefile README crypto-lib.com install.com LIB= $(TOP)/libcrypto.a -LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c -LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o +LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c +LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o SRC= $(LIBSRC) @@ -90,7 +90,8 @@ links: lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib libs: @@ -197,3 +198,6 @@ tmdiff.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h tmdiff.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h tmdiff.o: ../include/openssl/stack.h ../include/openssl/symhacks.h tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h +uid.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h +uid.o: ../include/openssl/safestack.h ../include/openssl/stack.h +uid.o: ../include/openssl/symhacks.h diff --git a/lib/libssl/src/crypto/asn1/Makefile.ssl b/lib/libssl/src/crypto/asn1/Makefile.ssl index b8059ddffe7..dace5be2bc3 100644 --- a/lib/libssl/src/crypto/asn1/Makefile.ssl +++ b/lib/libssl/src/crypto/asn1/Makefile.ssl @@ -75,7 +75,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/asn1/a_strnid.c b/lib/libssl/src/crypto/asn1/a_strnid.c index 6b10cff9944..732e68fe462 100644 --- a/lib/libssl/src/crypto/asn1/a_strnid.c +++ b/lib/libssl/src/crypto/asn1/a_strnid.c 
@@ -133,7 +133,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in, if(tbl) { mask = tbl->mask; if(!(tbl->flags & STABLE_NO_MASK)) mask &= global_mask; - ret = ASN1_mbstring_ncopy(out, in, inlen, inform, tbl->mask, + ret = ASN1_mbstring_ncopy(out, in, inlen, inform, mask, tbl->minsize, tbl->maxsize); } else ret = ASN1_mbstring_copy(out, in, inlen, inform, DIRSTRING_TYPE & global_mask); if(ret <= 0) return NULL; diff --git a/lib/libssl/src/crypto/asn1/asn1_lib.c b/lib/libssl/src/crypto/asn1/asn1_lib.c index 77447a52409..a8b651e54e7 100644 --- a/lib/libssl/src/crypto/asn1/asn1_lib.c +++ b/lib/libssl/src/crypto/asn1/asn1_lib.c @@ -301,7 +301,7 @@ int asn1_GetSequence(ASN1_CTX *c, long *length) return(0); } if (c->inf == (1|V_ASN1_CONSTRUCTED)) - c->slen= *length+ *(c->pp)-c->p; + c->slen= *length; c->eos=0; return(1); } diff --git a/lib/libssl/src/crypto/asn1/asn1_mac.h b/lib/libssl/src/crypto/asn1/asn1_mac.h index 4512ba6cc60..af0e664b2de 100644 --- a/lib/libssl/src/crypto/asn1/asn1_mac.h +++ b/lib/libssl/src/crypto/asn1/asn1_mac.h @@ -196,6 +196,9 @@ err:\ if ((a != NULL) && (sk_##type##_num(a) != 0)) \ M_ASN1_I2D_put_SEQUENCE_type(type,a,f); +#define M_ASN1_I2D_put_SEQUENCE_opt_ex_type(type,a,f) \ + if (a) M_ASN1_I2D_put_SEQUENCE_type(type,a,f); + #define M_ASN1_D2I_get_IMP_set_opt(b,func,free_func,tag) \ if ((c.slen != 0) && \ (M_ASN1_next == \ @@ -389,6 +392,9 @@ err:\ if ((a != NULL) && (sk_##type##_num(a) != 0)) \ M_ASN1_I2D_len_SEQUENCE_type(type,a,f); +#define M_ASN1_I2D_len_SEQUENCE_opt_ex_type(type,a,f) \ + if (a) M_ASN1_I2D_len_SEQUENCE_type(type,a,f); + #define M_ASN1_I2D_len_IMP_SET(a,f,x) \ ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET); 
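Review bot: The new `M_ASN1_I2D_put_SEQUENCE_opt_ex_type` and `M_ASN1_I2D_len_SEQUENCE_opt_ex_type` macros in asn1_mac.h have no comment saying how they differ from the `_opt_type` versions directly above them. From the visible bodies, `_opt_type` skips a NULL or empty stack, while `_opt_ex_type` tests only `if (a)`, so a stack that is present but empty is still encoded. A one-line comment such as `/* _opt_ex_: encode whenever the stack pointer is non-NULL, even if it holds no elements */` would record that. The same applies to the two `EXP_SEQUENCE_opt_ex_type` macros added in the later hunks of this file.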
@@ -452,6 +458,15 @@ err:\ ret+=ASN1_object_size(1,v,mtag); \ } +#define M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \ + if (a)\ + { \ + v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \ + V_ASN1_UNIVERSAL, \ + IS_SEQUENCE); \ + ret+=ASN1_object_size(1,v,mtag); \ + } + /* Put Macros */ #define M_ASN1_I2D_put(a,f) f(a,&p) @@ -536,6 +551,14 @@ err:\ IS_SEQUENCE); \ } +#define M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \ + if (a) \ + { \ + ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \ + i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \ + IS_SEQUENCE); \ + } + #define M_ASN1_I2D_seq_total() \ r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \ if (pp == NULL) return(r); \ diff --git a/lib/libssl/src/crypto/asn1/p7_lib.c b/lib/libssl/src/crypto/asn1/p7_lib.c index b1196ef581c..8a340b01190 100644 --- a/lib/libssl/src/crypto/asn1/p7_lib.c +++ b/lib/libssl/src/crypto/asn1/p7_lib.c @@ -307,12 +307,14 @@ PKCS7 *d2i_PKCS7(PKCS7 **a, unsigned char **pp, long length) } if (Tinf == (1|V_ASN1_CONSTRUCTED)) { + c.q=c.p; if (!ASN1_check_infinite_end(&c.p,c.slen)) { c.error=ERR_R_MISSING_ASN1_EOS; c.line=__LINE__; goto err; } + c.slen-=(c.p-c.q); } } else diff --git a/lib/libssl/src/crypto/asn1/x_crl.c b/lib/libssl/src/crypto/asn1/x_crl.c index 1f302d0e01e..51518cdf350 100644 --- a/lib/libssl/src/crypto/asn1/x_crl.c +++ b/lib/libssl/src/crypto/asn1/x_crl.c 
@@ -71,14 +71,14 @@ int i2d_X509_REVOKED(X509_REVOKED *a, unsigned char **pp) M_ASN1_I2D_len(a->serialNumber,i2d_ASN1_INTEGER); M_ASN1_I2D_len(a->revocationDate,i2d_ASN1_TIME); - M_ASN1_I2D_len_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_len_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION); M_ASN1_I2D_seq_total(); M_ASN1_I2D_put(a->serialNumber,i2d_ASN1_INTEGER); M_ASN1_I2D_put(a->revocationDate,i2d_ASN1_TIME); - M_ASN1_I2D_put_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_put_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION); M_ASN1_I2D_finish(); @@ -121,7 +121,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp) { M_ASN1_I2D_len(a->nextUpdate,i2d_ASN1_TIME); } M_ASN1_I2D_len_SEQUENCE_opt_type(X509_REVOKED,a->revoked, i2d_X509_REVOKED); - M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION,0, V_ASN1_SEQUENCE,v1); @@ -138,7 +138,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp) { M_ASN1_I2D_put(a->nextUpdate,i2d_ASN1_TIME); } M_ASN1_I2D_put_SEQUENCE_opt_type(X509_REVOKED,a->revoked, i2d_X509_REVOKED); - M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION,0, V_ASN1_SEQUENCE,v1); @@ -260,7 +260,7 @@ X509_CRL_INFO *X509_CRL_INFO_new(void) M_ASN1_New(ret->lastUpdate,M_ASN1_UTCTIME_new); ret->nextUpdate=NULL; M_ASN1_New(ret->revoked,sk_X509_REVOKED_new_null); - M_ASN1_New(ret->extensions,sk_X509_EXTENSION_new_null); + ret->extensions = NULL; sk_X509_REVOKED_set_cmp_func(ret->revoked,X509_REVOKED_cmp); return(ret); M_ASN1_New_Error(ASN1_F_X509_CRL_INFO_NEW); diff --git a/lib/libssl/src/crypto/asn1/x_name.c b/lib/libssl/src/crypto/asn1/x_name.c index b832deb928b..1885d699efd 100644 --- a/lib/libssl/src/crypto/asn1/x_name.c +++ b/lib/libssl/src/crypto/asn1/x_name.c 
@@ -141,10 +141,12 @@ static int i2d_X509_NAME_entries(X509_NAME *a) } size+=i2d_X509_NAME_ENTRY(ne,NULL); } - - ret+=ASN1_object_size(1,size,V_ASN1_SET); if (fe != NULL) + { + /* SET OF needed only if entries is non empty */ + ret+=ASN1_object_size(1,size,V_ASN1_SET); fe->size=size; + } r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); diff --git a/lib/libssl/src/crypto/bf/Makefile.ssl b/lib/libssl/src/crypto/bf/Makefile.ssl index f4eb90f13f4..9205ee7901d 100644 --- a/lib/libssl/src/crypto/bf/Makefile.ssl +++ b/lib/libssl/src/crypto/bf/Makefile.ssl @@ -44,7 +44,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/lib/libssl/src/crypto/bio/Makefile.ssl b/lib/libssl/src/crypto/bio/Makefile.ssl index 916d651d470..567d3fb870c 100644 --- a/lib/libssl/src/crypto/bio/Makefile.ssl +++ b/lib/libssl/src/crypto/bio/Makefile.ssl @@ -49,7 +49,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: 
@@ -95,13 +96,13 @@ b_dump.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h b_dump.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h b_dump.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h b_dump.o: ../cryptlib.h -b_print.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h -b_print.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h -b_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -b_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h -b_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h -b_print.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -b_print.o: ../cryptlib.h +b_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +b_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h +b_print.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h +b_print.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +b_print.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +b_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +b_print.o: ../../include/openssl/symhacks.h ../cryptlib.h b_sock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h b_sock.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h b_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h diff --git a/lib/libssl/src/crypto/bio/b_print.c b/lib/libssl/src/crypto/bio/b_print.c index a62f5516354..b4f7a85f2e4 100644 --- a/lib/libssl/src/crypto/bio/b_print.c +++ b/lib/libssl/src/crypto/bio/b_print.c @@ -69,6 +69,7 @@ #ifndef NO_SYS_TYPES_H #include <sys/types.h> #endif +#include <openssl/bn.h> /* To get BN_LLONG properly defined */ #include <openssl/bio.h> #ifdef BN_LLONG diff --git a/lib/libssl/src/crypto/bio/b_sock.c b/lib/libssl/src/crypto/bio/b_sock.c index 64310058b45..62cc3f1a0c8 100644 --- a/lib/libssl/src/crypto/bio/b_sock.c 
+++ b/lib/libssl/src/crypto/bio/b_sock.c @@ -113,8 +113,8 @@ int BIO_get_host_ip(const char *str, unsigned char *ip) /* At this point, we have something that is most probably correct in some way, so let's init the socket. */ - if (!BIO_sock_init()) - return(0); /* don't generate another error code here */ + if (BIO_sock_init() != 1) + return 0; /* don't generate another error code here */ /* If the string actually contained an IP address, we need not do anything more */ @@ -519,15 +519,15 @@ int BIO_get_accept_socket(char *host, int bind_mode) { int ret=0; struct sockaddr_in server,client; - int s= -1,cs; + int s=INVALID_SOCKET,cs; unsigned char ip[4]; unsigned short port; - char *str,*e; + char *str=NULL,*e; const char *h,*p; unsigned long l; int err_num; - if (!BIO_sock_init()) return(INVALID_SOCKET); + if (BIO_sock_init() != 1) return(INVALID_SOCKET); if ((str=BUF_strdup(host)) == NULL) return(INVALID_SOCKET); @@ -553,7 +553,7 @@ int BIO_get_accept_socket(char *host, int bind_mode) h="*"; } - if (!BIO_get_port(p,&port)) return(INVALID_SOCKET); + if (!BIO_get_port(p,&port)) goto err; memset((char *)&server,0,sizeof(server)); server.sin_family=AF_INET; @@ -563,7 +563,7 @@ int BIO_get_accept_socket(char *host, int bind_mode) server.sin_addr.s_addr=INADDR_ANY; else { - if (!BIO_get_host_ip(h,&(ip[0]))) return(INVALID_SOCKET); + if (!BIO_get_host_ip(h,&(ip[0]))) goto err; l=(unsigned long) ((unsigned long)ip[0]<<24L)| ((unsigned long)ip[1]<<16L)| diff --git a/lib/libssl/src/crypto/bn/Makefile.ssl b/lib/libssl/src/crypto/bn/Makefile.ssl index 17b72d577f3..526d7adb5c1 100644 --- a/lib/libssl/src/crypto/bn/Makefile.ssl +++ b/lib/libssl/src/crypto/bn/Makefile.ssl @@ -68,7 +68,8 @@ bnbug: bnbug.c ../../libcrypto.a top lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf 
diff --git a/lib/libssl/src/crypto/bn/asm/mips3.s b/lib/libssl/src/crypto/bn/asm/mips3.s index 2df4dcd4b0b..45786c00a5f 100644 --- a/lib/libssl/src/crypto/bn/asm/mips3.s +++ b/lib/libssl/src/crypto/bn/asm/mips3.s @@ -586,13 +586,13 @@ LEAF(bn_div_3_words) ld a0,(a3) move ta2,a1 ld a1,-8(a3) - move ta3,ra - move v1,zero + bne a0,a2,.L_bn_div_3_words_proceed li v0,-1 - beq a0,a2,.L_bn_div_3_words_skip_div + jr ra +.L_bn_div_3_words_proceed: + move ta3,ra bal bn_div_words move ra,ta3 -.L_bn_div_3_words_skip_div: dmultu ta2,v0 ld t2,-16(a3) move ta0,zero diff --git a/lib/libssl/src/crypto/bn/asm/pa-risc2.s b/lib/libssl/src/crypto/bn/asm/pa-risc2.s index 7239aa2c762..af9730d0621 100644 --- a/lib/libssl/src/crypto/bn/asm/pa-risc2.s +++ b/lib/libssl/src/crypto/bn/asm/pa-risc2.s @@ -1611,7 +1611,7 @@ bn_mul_comba4 .IMPORT $global$,DATA .SPACE $TEXT$ .SUBSPA $CODE$ - .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16 + .SUBSPA $LIT$,ACCESS=0x2c C$7 .ALIGN 8 .STRINGZ "Division would overflow (%d)\n" diff --git a/lib/libssl/src/crypto/bn/asm/pa-risc2W.s b/lib/libssl/src/crypto/bn/asm/pa-risc2W.s index 54b6606252e..a99545754d1 100644 --- a/lib/libssl/src/crypto/bn/asm/pa-risc2W.s +++ b/lib/libssl/src/crypto/bn/asm/pa-risc2W.s @@ -1598,7 +1598,7 @@ bn_mul_comba4 .IMPORT $global$,DATA .SPACE $TEXT$ .SUBSPA $CODE$ - .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16 + .SUBSPA $LIT$,ACCESS=0x2c C$4 .ALIGN 8 .STRINGZ "Division would overflow (%d)\n" diff --git a/lib/libssl/src/crypto/bn/bn.h b/lib/libssl/src/crypto/bn/bn.h index 1eb8395b25c..b232c2ceae3 100644 --- a/lib/libssl/src/crypto/bn/bn.h +++ b/lib/libssl/src/crypto/bn/bn.h @@ -239,7 +239,7 @@ typedef struct bignum_st } BIGNUM; /* Used for temp variables */ -#define BN_CTX_NUM 12 +#define BN_CTX_NUM 16 #define BN_CTX_NUM_POS 12 typedef struct bignum_ctx { 
@@ -328,6 +328,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx); void BN_CTX_end(BN_CTX *ctx); int BN_rand(BIGNUM *rnd, int bits, int top,int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom); +int BN_rand_range(BIGNUM *rnd, BIGNUM *range); int BN_num_bits(const BIGNUM *a); int BN_num_bits_word(BN_ULONG); BIGNUM *BN_new(void); @@ -467,6 +468,8 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num); # define bn_dump(a,b) #endif +int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. @@ -493,16 +496,19 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num); #define BN_F_BN_MPI2BN 112 #define BN_F_BN_NEW 113 #define BN_F_BN_RAND 114 +#define BN_F_BN_RAND_RANGE 122 #define BN_F_BN_USUB 115 /* Reason codes. */ #define BN_R_ARG2_LT_ARG3 100 #define BN_R_BAD_RECIPROCAL 101 +#define BN_R_BIGNUM_TOO_LONG 114 #define BN_R_CALLED_WITH_EVEN_MODULUS 102 #define BN_R_DIV_BY_ZERO 103 #define BN_R_ENCODING_ERROR 104 #define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 105 #define BN_R_INVALID_LENGTH 106 +#define BN_R_INVALID_RANGE 115 #define BN_R_NOT_INITIALIZED 107 #define BN_R_NO_INVERSE 108 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109 diff --git a/lib/libssl/src/crypto/bn/bn_div.c b/lib/libssl/src/crypto/bn/bn_div.c index c3772c243be..c328b5b4110 100644 --- a/lib/libssl/src/crypto/bn/bn_div.c +++ b/lib/libssl/src/crypto/bn/bn_div.c @@ -180,13 +180,13 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, BN_CTX_start(ctx); tmp=BN_CTX_get(ctx); - tmp->neg=0; snum=BN_CTX_get(ctx); sdiv=BN_CTX_get(ctx); if (dv == NULL) res=BN_CTX_get(ctx); else res=dv; - if (res == NULL) goto err; + if (sdiv==NULL || res == NULL) goto err; + tmp->neg=0; /* First we normalise the numbers */ norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2); 
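Review bot: In BN_div the new test `if (sdiv==NULL || res == NULL) goto err;` never checks `tmp` or `snum`, yet `tmp->neg=0;` is dereferenced on the next line. This is presumably safe because a failed BN_CTX_get keeps failing on later calls, but nothing in the hunk says so. A comment such as `/* BN_CTX_get failure is sticky: if tmp or snum failed, sdiv is NULL too */` would record the assumption, which should be confirmed against BN_CTX_get itself. BN_div's body continues outside the hunk.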
@@ -237,7 +237,8 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, for (i=0; i<loop-1; i++) { BN_ULONG q,l0; -#ifdef BN_DIV3W +#if defined(BN_DIV3W) && !defined(NO_ASM) + BN_ULONG bn_div_3_words(BN_ULONG*,BN_ULONG,BN_ULONG); q=bn_div_3_words(wnump,d1,d0); #else BN_ULONG n0,n1,rem=0; diff --git a/lib/libssl/src/crypto/bn/bn_err.c b/lib/libssl/src/crypto/bn/bn_err.c index 86550c4c21d..adc6a214fc6 100644 --- a/lib/libssl/src/crypto/bn/bn_err.c +++ b/lib/libssl/src/crypto/bn/bn_err.c @@ -84,6 +84,7 @@ static ERR_STRING_DATA BN_str_functs[]= {ERR_PACK(0,BN_F_BN_MPI2BN,0), "BN_mpi2bn"}, {ERR_PACK(0,BN_F_BN_NEW,0), "BN_new"}, {ERR_PACK(0,BN_F_BN_RAND,0), "BN_rand"}, +{ERR_PACK(0,BN_F_BN_RAND_RANGE,0), "BN_rand_range"}, {ERR_PACK(0,BN_F_BN_USUB,0), "BN_usub"}, {0,NULL} }; @@ -92,11 +93,13 @@ static ERR_STRING_DATA BN_str_reasons[]= { {BN_R_ARG2_LT_ARG3 ,"arg2 lt arg3"}, {BN_R_BAD_RECIPROCAL ,"bad reciprocal"}, +{BN_R_BIGNUM_TOO_LONG ,"bignum too long"}, {BN_R_CALLED_WITH_EVEN_MODULUS ,"called with even modulus"}, {BN_R_DIV_BY_ZERO ,"div by zero"}, {BN_R_ENCODING_ERROR ,"encoding error"}, {BN_R_EXPAND_ON_STATIC_BIGNUM_DATA ,"expand on static bignum data"}, {BN_R_INVALID_LENGTH ,"invalid length"}, +{BN_R_INVALID_RANGE ,"invalid range"}, {BN_R_NOT_INITIALIZED ,"not initialized"}, {BN_R_NO_INVERSE ,"no inverse"}, {BN_R_TOO_MANY_TEMPORARY_VARIABLES ,"too many temporary variables"}, diff --git a/lib/libssl/src/crypto/bn/bn_lib.c b/lib/libssl/src/crypto/bn/bn_lib.c index b6b0ce4b3c9..7767d651702 100644 --- a/lib/libssl/src/crypto/bn/bn_lib.c +++ b/lib/libssl/src/crypto/bn/bn_lib.c @@ -62,6 +62,7 @@ #endif #include <assert.h> +#include <limits.h> #include <stdio.h> #include "cryptlib.h" #include "bn_lcl.h" 
@@ -319,6 +320,12 @@ BIGNUM *bn_expand2(BIGNUM *b, int words) if (words > b->dmax) { + if (words > (INT_MAX/(4*BN_BITS2))) + { + BNerr(BN_F_BN_EXPAND2,BN_R_BIGNUM_TOO_LONG); + return NULL; + } + bn_check_top(b); if (BN_get_flags(b,BN_FLG_STATIC_DATA)) { diff --git a/lib/libssl/src/crypto/bn/bn_rand.c b/lib/libssl/src/crypto/bn/bn_rand.c index 21ecbc04ed0..acd06199218 100644 --- a/lib/libssl/src/crypto/bn/bn_rand.c +++ b/lib/libssl/src/crypto/bn/bn_rand.c @@ -76,7 +76,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) bytes=(bits+7)/8; bit=(bits-1)%8; - mask=0xff<<bit; + mask=0xff<<(bit+1); buf=(unsigned char *)OPENSSL_malloc(bytes); if (buf == NULL) @@ -100,25 +100,48 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) goto err; } - if (top) +#if 1 + if (pseudorand == 2) { - if (bit == 0) + /* generate patterns that are more likely to trigger BN + library bugs */ + int i; + unsigned char c; + + for (i = 0; i < bytes; i++) + { + RAND_pseudo_bytes(&c, 1); + if (c >= 128 && i > 0) + buf[i] = buf[i-1]; + else if (c < 42) + buf[i] = 0; + else if (c < 84) + buf[i] = 255; + } + } +#endif + + if (top != -1) + { + if (top) { - buf[0]=1; - buf[1]|=0x80; + if (bit == 0) + { + buf[0]=1; + buf[1]|=0x80; + } + else + { + buf[0]|=(3<<(bit-1)); + } } else { - buf[0]|=(3<<(bit-1)); - buf[0]&= ~(mask<<1); + buf[0]|=(1<<bit); } } - else - { - buf[0]|=(1<<bit); - buf[0]&= ~(mask<<1); - } - if (bottom) /* set bottom bits to whatever odd is */ + buf[0] &= ~mask; + if (bottom) /* set bottom bit if requested */ buf[bytes-1]|=1; if (!BN_bin2bn(buf,bytes,rnd)) goto err; ret=1; 
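Review bot: The new size guard in bn_expand2, `if (words > (INT_MAX/(4*BN_BITS2)))`, does not say where the factor 4 comes from or which later computation it protects. It looks as if it keeps bit counts and allocation sizes derived from `words` inside `int` range, but that is inferred rather than stated. A short comment such as `/* cap words so bit counts and allocation sizes derived from it cannot overflow an int */`, adjusted to the real rationale, would help whoever next changes BN_BITS2 or the allocation code. The function continues outside the hunk.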
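Review bot: In bnrand the `top` branch still executes `buf[0]=1; buf[1]|=0x80;` when `bit == 0`. With `bits == 1` the earlier lines give `bytes == 1`, so `buf[1]` is one byte past the `OPENSSL_malloc(bytes)` buffer. Unless a guard outside these hunks rejects that call, this is a one-byte heap write; rejecting the combination after the allocation check with `if (bits == 1 && top > 0) goto err;`, or at least guarding the write with `if (bytes > 1) buf[1]|=0x80;`, closes it. Separately, the result of `RAND_pseudo_bytes(&c, 1)` in the `pseudorand == 2` loop is ignored, so `c` may be read without having been filled. The start and end of bnrand are outside the hunks.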
@@ -140,3 +163,61 @@ int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) { return bnrand(1, rnd, bits, top, bottom); } + +#if 1 +int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom) + { + return bnrand(2, rnd, bits, top, bottom); + } +#endif + +/* random number r: 0 <= r < range */ +int BN_rand_range(BIGNUM *r, BIGNUM *range) + { + int n; + + if (range->neg || BN_is_zero(range)) + { + BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE); + return 0; + } + + n = BN_num_bits(range); /* n > 0 */ + + if (n == 1) + { + if (!BN_zero(r)) return 0; + } + else if (BN_is_bit_set(range, n - 2)) + { + do + { + /* range = 11..._2, so each iteration succeeds with probability >= .75 */ + if (!BN_rand(r, n, -1, 0)) return 0; + } + while (BN_cmp(r, range) >= 0); + } + else + { + /* range = 10..._2, + * so 3*range (= 11..._2) is exactly one bit longer than range */ + do + { + if (!BN_rand(r, n + 1, -1, 0)) return 0; + /* If r < 3*range, use r := r MOD range + * (which is either r, r - range, or r - 2*range). + * Otherwise, iterate once more. + * Since 3*range = 11..._2, each iteration succeeds with + * probability >= .75. */ + if (BN_cmp(r ,range) >= 0) + { + if (!BN_sub(r, r, range)) return 0; + if (BN_cmp(r, range) >= 0) + if (!BN_sub(r, r, range)) return 0; + } + } + while (BN_cmp(r, range) >= 0); + } + + return 1; + } diff --git a/lib/libssl/src/crypto/bn/bn_shift.c b/lib/libssl/src/crypto/bn/bn_shift.c index 0883247384e..c2608f9f4a9 100644 --- a/lib/libssl/src/crypto/bn/bn_shift.c +++ b/lib/libssl/src/crypto/bn/bn_shift.c @@ -172,6 +172,11 @@ int BN_rshift(BIGNUM *r, BIGNUM *a, int n) r->neg=a->neg; if (bn_wexpand(r,a->top-nw+1) == NULL) return(0); } + else + { + if (n == 0) + return 1; /* or the copying loop will go berserk */ + } f= &(a->d[nw]); t=r->d; diff --git a/lib/libssl/src/crypto/bn/bntest.c b/lib/libssl/src/crypto/bn/bntest.c index 0a97af69c58..af0c2629e87 100644 --- a/lib/libssl/src/crypto/bn/bntest.c +++ b/lib/libssl/src/crypto/bn/bntest.c 
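Review bot: Both rejection loops in the new BN_rand_range (`do { ... } while (BN_cmp(r, range) >= 0);`) have no iteration bound, so they terminate only if the random source actually varies. With a stuck or misbehaving generator that keeps producing a value at or above `range`, the call spins forever instead of failing. A small cap, e.g. `int count = 100;` before the loops and `if (!--count) return 0;` inside each one, together with a BNerr reason of the project's choosing, turns that into a reportable error.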
@@ -107,11 +107,9 @@ static const char rnd_seed[] = "string to make the random number generator think static void message(BIO *out, char *m) { fprintf(stderr, "test %s\n", m); -#if defined(linux) || defined(__FreeBSD__) /* can we use GNU bc features? */ BIO_puts(out, "print \"test "); BIO_puts(out, m); BIO_puts(out, "\\n\"\n"); -#endif } int main(int argc, char *argv[]) @@ -122,9 +120,7 @@ int main(int argc, char *argv[]) results = 0; - RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't - * even check its return value - * (which we should) */ + RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */ argc--; argv++; @@ -253,10 +249,10 @@ int test_add(BIO *bp) BN_init(&b); BN_init(&c); - BN_rand(&a,512,0,0); + BN_bntest_rand(&a,512,0,0); for (i=0; i<num0; i++) { - BN_rand(&b,450+i,0,0); + BN_bntest_rand(&b,450+i,0,0); a.neg=rand_neg(); b.neg=rand_neg(); if (bp == NULL) @@ -305,14 +301,14 @@ int test_sub(BIO *bp) { if (i < num1) { - BN_rand(&a,512,0,0); + BN_bntest_rand(&a,512,0,0); BN_copy(&b,&a); if (BN_set_bit(&a,i)==0) return(0); BN_add_word(&b,i); } else { - BN_rand(&b,400+i-num1,0,0); + BN_bntest_rand(&b,400+i-num1,0,0); a.neg=rand_neg(); b.neg=rand_neg(); } @@ -362,13 +358,13 @@ int test_div(BIO *bp, BN_CTX *ctx) { if (i < num1) { - BN_rand(&a,400,0,0); + BN_bntest_rand(&a,400,0,0); BN_copy(&b,&a); BN_lshift(&a,&a,i); BN_add_word(&a,i); } else - BN_rand(&b,50+3*(i-num1),0,0); + BN_bntest_rand(&b,50+3*(i-num1),0,0); a.neg=rand_neg(); b.neg=rand_neg(); if (bp == NULL) @@ -432,13 +428,13 @@ int test_div_recp(BIO *bp, BN_CTX *ctx) { if (i < num1) { - BN_rand(&a,400,0,0); + BN_bntest_rand(&a,400,0,0); BN_copy(&b,&a); BN_lshift(&a,&a,i); BN_add_word(&a,i); } else - BN_rand(&b,50+3*(i-num1),0,0); + BN_bntest_rand(&b,50+3*(i-num1),0,0); a.neg=rand_neg(); b.neg=rand_neg(); BN_RECP_CTX_set(&recp,&b,ctx); 
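Review bot: The rewritten comment on `RAND_seed` in main drops the earlier admission that the random-number calls' return values are never checked, but the converted calls still ignore the result. Examples are `BN_bntest_rand(&a,512,0,0);` in test_add and the same pattern in the following bntest.c hunks. If a call fails, the operands keep whatever value they had and the test goes on to compare meaningless numbers. Checking the result, e.g. `if (!BN_bntest_rand(&a,512,0,0)) return 0;`, keeps a generator failure from being missed or misreported as an arithmetic bug.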
@@ -509,11 +505,11 @@ int test_mul(BIO *bp) { if (i <= num1) { - BN_rand(&a,100,0,0); - BN_rand(&b,100,0,0); + BN_bntest_rand(&a,100,0,0); + BN_bntest_rand(&b,100,0,0); } else - BN_rand(&b,i-num1,0,0); + BN_bntest_rand(&b,i-num1,0,0); a.neg=rand_neg(); b.neg=rand_neg(); if (bp == NULL) @@ -562,7 +558,7 @@ int test_sqr(BIO *bp, BN_CTX *ctx) for (i=0; i<num0; i++) { - BN_rand(&a,40+i*10,0,0); + BN_bntest_rand(&a,40+i*10,0,0); a.neg=rand_neg(); if (bp == NULL) for (j=0; j<100; j++) @@ -613,15 +609,15 @@ int test_mont(BIO *bp, BN_CTX *ctx) mont=BN_MONT_CTX_new(); - BN_rand(&a,100,0,0); /**/ - BN_rand(&b,100,0,0); /**/ + BN_bntest_rand(&a,100,0,0); /**/ + BN_bntest_rand(&b,100,0,0); /**/ for (i=0; i<num2; i++) { int bits = (200*(i+1))/num2; if (bits == 0) continue; - BN_rand(&n,bits,0,1); + BN_bntest_rand(&n,bits,0,1); BN_MONT_CTX_set(mont,&n,ctx); BN_to_montgomery(&A,&a,mont,ctx); @@ -683,10 +679,10 @@ int test_mod(BIO *bp, BN_CTX *ctx) d=BN_new(); e=BN_new(); - BN_rand(a,1024,0,0); /**/ + BN_bntest_rand(a,1024,0,0); /**/ for (i=0; i<num0; i++) { - BN_rand(b,450+i*10,0,0); /**/ + BN_bntest_rand(b,450+i*10,0,0); /**/ a->neg=rand_neg(); b->neg=rand_neg(); if (bp == NULL) @@ -732,11 +728,11 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx) d=BN_new(); e=BN_new(); - BN_rand(c,1024,0,0); /**/ + BN_bntest_rand(c,1024,0,0); /**/ for (i=0; i<num0; i++) { - BN_rand(a,475+i*10,0,0); /**/ - BN_rand(b,425+i*11,0,0); /**/ + BN_bntest_rand(a,475+i*10,0,0); /**/ + BN_bntest_rand(b,425+i*11,0,0); /**/ a->neg=rand_neg(); b->neg=rand_neg(); /* if (bp == NULL) @@ -794,11 +790,11 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx) d=BN_new(); e=BN_new(); - BN_rand(c,30,0,1); /* must be odd for montgomery */ + BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */ for (i=0; i<num2; i++) { - BN_rand(a,20+i*5,0,0); /**/ - BN_rand(b,2+i,0,0); /**/ + BN_bntest_rand(a,20+i*5,0,0); /**/ + BN_bntest_rand(b,2+i,0,0); /**/ if (!BN_mod_exp(d,a,b,c,ctx)) return(00); 
@@ -848,8 +844,8 @@ int test_exp(BIO *bp, BN_CTX *ctx) for (i=0; i<num2; i++) { - BN_rand(a,20+i*5,0,0); /**/ - BN_rand(b,2+i,0,0); /**/ + BN_bntest_rand(a,20+i*5,0,0); /**/ + BN_bntest_rand(b,2+i,0,0); /**/ if (!BN_exp(d,a,b,ctx)) return(00); @@ -899,7 +895,7 @@ int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_) else { a=BN_new(); - BN_rand(a,200,0,0); /**/ + BN_bntest_rand(a,200,0,0); /**/ a->neg=rand_neg(); } for (i=0; i<num0; i++) @@ -951,7 +947,7 @@ int test_lshift1(BIO *bp) b=BN_new(); c=BN_new(); - BN_rand(a,200,0,0); /**/ + BN_bntest_rand(a,200,0,0); /**/ a->neg=rand_neg(); for (i=0; i<num0; i++) { @@ -995,7 +991,7 @@ int test_rshift(BIO *bp,BN_CTX *ctx) e=BN_new(); BN_one(c); - BN_rand(a,200,0,0); /**/ + BN_bntest_rand(a,200,0,0); /**/ a->neg=rand_neg(); for (i=0; i<num0; i++) { @@ -1038,7 +1034,7 @@ int test_rshift1(BIO *bp) b=BN_new(); c=BN_new(); - BN_rand(a,200,0,0); /**/ + BN_bntest_rand(a,200,0,0); /**/ a->neg=rand_neg(); for (i=0; i<num0; i++) { diff --git a/lib/libssl/src/crypto/buffer/Makefile.ssl b/lib/libssl/src/crypto/buffer/Makefile.ssl index f473d1ab4b0..a64681fd226 100644 --- a/lib/libssl/src/crypto/buffer/Makefile.ssl +++ b/lib/libssl/src/crypto/buffer/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/cast/Makefile.ssl b/lib/libssl/src/crypto/cast/Makefile.ssl index 4c70d1e3e8b..1f8b898f7c4 100644 --- a/lib/libssl/src/crypto/cast/Makefile.ssl +++ b/lib/libssl/src/crypto/cast/Makefile.ssl @@ -47,7 +47,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/lib/libssl/src/crypto/comp/Makefile.ssl b/lib/libssl/src/crypto/comp/Makefile.ssl index 39e79934165..b696ac75fe1 100644 --- a/lib/libssl/src/crypto/comp/Makefile.ssl 
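Review bot: The `-` prefix on `$(RANLIB) $(LIB)` makes make ignore every ranlib failure, not only the harmless one on platforms where ranlib is absent or unnecessary, and `@touch lib` then marks the target built regardless. The echo tells the user to ignore the error but not why; a comment in the rule such as `# ranlib is optional on some platforms, so its exit status is ignored` would record the intent for whoever later sees a real failure scroll past. The same two-line change recurs in the cast, comp, conf, des, dh, dsa and dso Makefile.ssl hunks.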
+++ b/lib/libssl/src/crypto/comp/Makefile.ssl @@ -42,7 +42,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/conf/Makefile.ssl b/lib/libssl/src/crypto/conf/Makefile.ssl index efbb5789812..9df4fca8773 100644 --- a/lib/libssl/src/crypto/conf/Makefile.ssl +++ b/lib/libssl/src/crypto/conf/Makefile.ssl @@ -40,7 +40,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/conf/conf.h b/lib/libssl/src/crypto/conf/conf.h index 2f70634455b..cd40a0db215 100644 --- a/lib/libssl/src/crypto/conf/conf.h +++ b/lib/libssl/src/crypto/conf/conf.h @@ -167,6 +167,8 @@ int NCONF_dump_bio(CONF *conf, BIO *out); #define CONF_R_MISSING_EQUAL_SIGN 101 #define CONF_R_NO_CLOSE_BRACE 102 #define CONF_R_NO_CONF 105 +#define CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE 106 +#define CONF_R_NO_SECTION 107 #define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 103 #define CONF_R_VARIABLE_HAS_NO_VALUE 104 diff --git a/lib/libssl/src/crypto/conf/conf_err.c b/lib/libssl/src/crypto/conf/conf_err.c index 06d3163573c..8c2bc6f1c4c 100644 --- a/lib/libssl/src/crypto/conf/conf_err.c +++ b/lib/libssl/src/crypto/conf/conf_err.c @@ -87,6 +87,8 @@ static ERR_STRING_DATA CONF_str_reasons[]= {CONF_R_MISSING_EQUAL_SIGN ,"missing equal sign"}, {CONF_R_NO_CLOSE_BRACE ,"no close brace"}, {CONF_R_NO_CONF ,"no conf"}, +{CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE ,"no conf or environment variable"}, +{CONF_R_NO_SECTION ,"no section"}, {CONF_R_UNABLE_TO_CREATE_NEW_SECTION ,"unable to create new section"}, {CONF_R_VARIABLE_HAS_NO_VALUE ,"variable has no value"}, {0,NULL} diff --git a/lib/libssl/src/crypto/conf/conf_lib.c b/lib/libssl/src/crypto/conf/conf_lib.c index 4c8ca9e9ae4..11ec6397324 100644 
--- a/lib/libssl/src/crypto/conf/conf_lib.c +++ b/lib/libssl/src/crypto/conf/conf_lib.c @@ -131,38 +131,59 @@ LHASH *CONF_load_bio(LHASH *conf, BIO *bp,long *eline) STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,char *section) { - CONF ctmp; + if (conf == NULL) + { + return NULL; + } + else + { + CONF ctmp; - if (default_CONF_method == NULL) - default_CONF_method = NCONF_default(); + if (default_CONF_method == NULL) + default_CONF_method = NCONF_default(); - default_CONF_method->init(&ctmp); - ctmp.data = conf; - return NCONF_get_section(&ctmp, section); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_section(&ctmp, section); + } } char *CONF_get_string(LHASH *conf,char *group,char *name) { - CONF ctmp; + if (conf == NULL) + { + return NCONF_get_string(NULL, group, name); + } + else + { + CONF ctmp; - if (default_CONF_method == NULL) - default_CONF_method = NCONF_default(); + if (default_CONF_method == NULL) + default_CONF_method = NCONF_default(); - default_CONF_method->init(&ctmp); - ctmp.data = conf; - return NCONF_get_string(&ctmp, group, name); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_string(&ctmp, group, name); + } } long CONF_get_number(LHASH *conf,char *group,char *name) { - CONF ctmp; + if (conf == NULL) + { + return NCONF_get_number(NULL, group, name); + } + else + { + CONF ctmp; - if (default_CONF_method == NULL) - default_CONF_method = NCONF_default(); + if (default_CONF_method == NULL) + default_CONF_method = NCONF_default(); - default_CONF_method->init(&ctmp); - ctmp.data = conf; - return NCONF_get_number(&ctmp, group, name); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_number(&ctmp, group, name); + } } void CONF_free(LHASH *conf) 
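Review bot: CONF_get_section handles a NULL conf differently from the two wrappers changed alongside it: it returns NULL directly and records no error, whereas CONF_get_string and CONF_get_number forward NULL to the NCONF_ function and let it decide. NCONF_get_section appears to have its own NULL-conf branch (only its tail is visible in the next hunk), so `return NCONF_get_section(NULL, section);` would keep the three wrappers parallel and leave error reporting in one place. If the silent return is deliberate, a one-line comment saying so would help.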
@@ -299,27 +320,46 @@ STACK_OF(CONF_VALUE) *NCONF_get_section(CONF *conf,char *section) return NULL; } + if (section == NULL) + { + CONFerr(CONF_F_NCONF_GET_SECTION,CONF_R_NO_SECTION); + return NULL; + } + return _CONF_get_section_values(conf, section); } char *NCONF_get_string(CONF *conf,char *group,char *name) { + char *s = _CONF_get_string(conf, group, name); + + /* Since we may get a value from an environment variable even + if conf is NULL, let's check the value first */ + if (s) return s; + if (conf == NULL) { - CONFerr(CONF_F_NCONF_GET_STRING,CONF_R_NO_CONF); + CONFerr(CONF_F_NCONF_GET_STRING, + CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE); return NULL; } - - return _CONF_get_string(conf, group, name); + return NULL; } long NCONF_get_number(CONF *conf,char *group,char *name) { +#if 0 /* As with _CONF_get_string(), we rely on the possibility of finding + an environment variable with a suitable name. Unfortunately, there's + no way with the current API to see if we found one or not... + The meaning of this is that if a number is not found anywhere, it + will always default to 0. */ if (conf == NULL) { - CONFerr(CONF_F_NCONF_GET_NUMBER,CONF_R_NO_CONF); + CONFerr(CONF_F_NCONF_GET_NUMBER, + CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE); return 0; } +#endif return _CONF_get_number(conf, group, name); } diff --git a/lib/libssl/src/crypto/crypto-lib.com b/lib/libssl/src/crypto/crypto-lib.com index 21d56a4b50d..482a1361779 100644 --- a/lib/libssl/src/crypto/crypto-lib.com +++ b/lib/libssl/src/crypto/crypto-lib.com @@ -174,7 +174,7 @@ $! $ APPS_DES = "DES/DES,CBC3_ENC" $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE" $ -$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err" +$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid" $ LIB_MD2 = "md2_dgst,md2_one" $ LIB_MD4 = "md4_dgst,md4_one" $ LIB_MD5 = "md5_dgst,md5_one" diff --git a/lib/libssl/src/crypto/crypto.h b/lib/libssl/src/crypto/crypto.h index 52ee97b71a2..92576732795 100644 
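Review bot: NCONF_get_string now calls `_CONF_get_string(conf, group, name)` before the `conf == NULL` test, so a caller with no configuration loaded receives whatever the environment supplies for that name. In a set-id program the environment is controlled by the invoking user, and this hunk does not show _CONF_get_string consulting the `OPENSSL_issetugid()` that the same commit declares in crypto.h; that guard should be confirmed in _CONF_get_string, or added around the lookup here. Separately, the `#if 0` block in NCONF_get_number leaves a disabled branch in the file; keeping the explanatory comment and deleting the dead code would read better. _CONF_get_string and _CONF_get_number are outside the hunk.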
--- a/lib/libssl/src/crypto/crypto.h +++ b/lib/libssl/src/crypto/crypto.h @@ -278,6 +278,8 @@ int CRYPTO_is_mem_check_on(void); const char *SSLeay_version(int type); unsigned long SSLeay(void); +int OPENSSL_issetugid(void); + int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val); diff --git a/lib/libssl/src/crypto/des/Makefile.ssl b/lib/libssl/src/crypto/des/Makefile.ssl index 34a360b7abe..cc5379feb2b 100644 --- a/lib/libssl/src/crypto/des/Makefile.ssl +++ b/lib/libssl/src/crypto/des/Makefile.ssl @@ -57,7 +57,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib des: des.o cbc3_enc.o lib diff --git a/lib/libssl/src/crypto/des/asm/des-586.pl b/lib/libssl/src/crypto/des/asm/des-586.pl index f0540710778..c890766bc9f 100644 --- a/lib/libssl/src/crypto/des/asm/des-586.pl +++ b/lib/libssl/src/crypto/des/asm/des-586.pl @@ -20,11 +20,11 @@ $L="edi"; $R="esi"; &external_label("des_SPtrans"); -&des_encrypt("des_encrypt",1); +&des_encrypt("des_encrypt1",1); &des_encrypt("des_encrypt2",0); &des_encrypt3("des_encrypt3",1); &des_encrypt3("des_decrypt3",0); -&cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",0,4,5,3,5,-1); +&cbc("des_ncbc_encrypt","des_encrypt1","des_encrypt1",0,4,5,3,5,-1); &cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",0,6,7,3,4,5); &asm_finish(); diff --git a/lib/libssl/src/crypto/des/asm/des686.pl b/lib/libssl/src/crypto/des/asm/des686.pl index 77dc5b51cdf..84c3e854381 100644 --- a/lib/libssl/src/crypto/des/asm/des686.pl +++ b/lib/libssl/src/crypto/des/asm/des686.pl @@ -46,7 +46,7 @@ EOF $L="edi"; $R="esi"; -&des_encrypt("des_encrypt",1); +&des_encrypt("des_encrypt1",1); &des_encrypt("des_encrypt2",0); &des_encrypt3("des_encrypt3",1); 
diff --git a/lib/libssl/src/crypto/des/asm/readme b/lib/libssl/src/crypto/des/asm/readme index f8529d9307e..1beafe253b1 100644 --- a/lib/libssl/src/crypto/des/asm/readme +++ b/lib/libssl/src/crypto/des/asm/readme @@ -8,7 +8,7 @@ assembler for the inner DES routines in libdes :-). The file to implement in assembler is des_enc.c. Replace the following 4 functions -des_encrypt(DES_LONG data[2],des_key_schedule ks, int encrypt); +des_encrypt1(DES_LONG data[2],des_key_schedule ks, int encrypt); des_encrypt2(DES_LONG data[2],des_key_schedule ks, int encrypt); des_encrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3); des_decrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3); diff --git a/lib/libssl/src/crypto/des/cbc_cksm.c b/lib/libssl/src/crypto/des/cbc_cksm.c index 1e543cb2a19..b857df09852 100644 --- a/lib/libssl/src/crypto/des/cbc_cksm.c +++ b/lib/libssl/src/crypto/des/cbc_cksm.c @@ -82,7 +82,7 @@ DES_LONG des_cbc_cksum(const unsigned char *in, des_cblock *output, tin0^=tout0; tin[0]=tin0; tin1^=tout1; tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); /* fix 15/10/91 eay - thanks to keithr@sco.COM */ tout0=tin[0]; tout1=tin[1]; diff --git a/lib/libssl/src/crypto/des/cfb64enc.c b/lib/libssl/src/crypto/des/cfb64enc.c index 389a232cb36..105530dfa3b 100644 --- a/lib/libssl/src/crypto/des/cfb64enc.c +++ b/lib/libssl/src/crypto/des/cfb64enc.c @@ -82,7 +82,7 @@ void des_cfb64_encrypt(const unsigned char *in, unsigned char *out, { c2l(iv,v0); ti[0]=v0; c2l(iv,v1); ti[1]=v1; - des_encrypt(ti,schedule,DES_ENCRYPT); + des_encrypt1(ti,schedule,DES_ENCRYPT); iv = &(*ivec)[0]; v0=ti[0]; l2c(v0,iv); v0=ti[1]; l2c(v0,iv); @@ -102,7 +102,7 @@ void des_cfb64_encrypt(const unsigned char *in, unsigned char *out, { c2l(iv,v0); ti[0]=v0; c2l(iv,v1); ti[1]=v1; - des_encrypt(ti,schedule,DES_ENCRYPT); + des_encrypt1(ti,schedule,DES_ENCRYPT); iv = &(*ivec)[0]; v0=ti[0]; l2c(v0,iv); v0=ti[1]; l2c(v0,iv); 
diff --git a/lib/libssl/src/crypto/des/cfb_enc.c b/lib/libssl/src/crypto/des/cfb_enc.c index cca34dd7c5e..ec4fd4ea67b 100644 --- a/lib/libssl/src/crypto/des/cfb_enc.c +++ b/lib/libssl/src/crypto/des/cfb_enc.c @@ -100,7 +100,7 @@ void des_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, l-=n; ti[0]=v0; ti[1]=v1; - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT); c2ln(in,d0,d1,n); in+=n; d0=(d0^ti[0])&mask0; @@ -132,7 +132,7 @@ void des_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, l-=n; ti[0]=v0; ti[1]=v1; - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT); c2ln(in,d0,d1,n); in+=n; /* 30-08-94 - eay - changed because l>>32 and diff --git a/lib/libssl/src/crypto/des/des.h b/lib/libssl/src/crypto/des/des.h index 2db9748cb41..6b8a7ee11b1 100644 --- a/lib/libssl/src/crypto/des/des.h +++ b/lib/libssl/src/crypto/des/des.h 
@@ -147,14 +147,14 @@ void des_ecb_encrypt(const_des_cblock *input,des_cblock *output, Data is a pointer to 2 unsigned long's and ks is the des_key_schedule to use. enc, is non zero specifies encryption, zero if decryption. */ -void des_encrypt(DES_LONG *data,des_key_schedule ks, int enc); +void des_encrypt1(DES_LONG *data,des_key_schedule ks, int enc); -/* This functions is the same as des_encrypt() except that the DES +/* This functions is the same as des_encrypt1() except that the DES initial permutation (IP) and final permutation (FP) have been left - out. As for des_encrypt(), you should not use this function. + out. As for des_encrypt1(), you should not use this function. It is used by the routines in the library that implement triple DES. IP() des_encrypt2() des_encrypt2() des_encrypt2() FP() is the same - as des_encrypt() des_encrypt() des_encrypt() except faster :-). */ + as des_encrypt1() des_encrypt1() des_encrypt1() except faster :-). */ void des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc); void des_encrypt3(DES_LONG *data, des_key_schedule ks1, diff --git a/lib/libssl/src/crypto/des/des_enc.c b/lib/libssl/src/crypto/des/des_enc.c index 8311e106281..0bd9fa39bcd 100644 --- a/lib/libssl/src/crypto/des/des_enc.c +++ b/lib/libssl/src/crypto/des/des_enc.c @@ -58,7 +58,7 @@ #include "des_locl.h" -void des_encrypt(DES_LONG *data, des_key_schedule ks, int enc) +void des_encrypt1(DES_LONG *data, des_key_schedule ks, int enc) { register DES_LONG l,r,t,u; #ifdef DES_PTR diff --git a/lib/libssl/src/crypto/des/des_opts.c b/lib/libssl/src/crypto/des/des_opts.c index b2ca7ac31d6..138ee1c6b47 100644 --- a/lib/libssl/src/crypto/des/des_opts.c +++ b/lib/libssl/src/crypto/des/des_opts.c 
@@ -118,7 +118,7 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#define des_encrypt des_encrypt_u4_cisc_idx +#define des_encrypt1 des_encrypt_u4_cisc_idx #define des_encrypt2 des_encrypt2_u4_cisc_idx #define des_encrypt3 des_encrypt3_u4_cisc_idx #define des_decrypt3 des_decrypt3_u4_cisc_idx @@ -130,11 +130,11 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_cisc_idx +#define des_encrypt1 des_encrypt_u16_cisc_idx #define des_encrypt2 des_encrypt2_u16_cisc_idx #define des_encrypt3 des_encrypt3_u16_cisc_idx #define des_decrypt3 des_decrypt3_u16_cisc_idx @@ -146,11 +146,11 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc1_idx +#define des_encrypt1 des_encrypt_u4_risc1_idx #define des_encrypt2 des_encrypt2_u4_risc1_idx #define des_encrypt3 des_encrypt3_u4_risc1_idx #define des_decrypt3 des_decrypt3_u4_risc1_idx @@ -166,11 +166,11 @@ extern void exit(); #define DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc2_idx +#define des_encrypt1 des_encrypt_u4_risc2_idx #define des_encrypt2 des_encrypt2_u4_risc2_idx #define des_encrypt3 des_encrypt3_u4_risc2_idx #define des_decrypt3 des_decrypt3_u4_risc2_idx 
@@ -182,11 +182,11 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc1_idx +#define des_encrypt1 des_encrypt_u16_risc1_idx #define des_encrypt2 des_encrypt2_u16_risc1_idx #define des_encrypt3 des_encrypt3_u16_risc1_idx #define des_decrypt3 des_decrypt3_u16_risc1_idx @@ -198,11 +198,11 @@ extern void exit(); #define DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc2_idx +#define des_encrypt1 des_encrypt_u16_risc2_idx #define des_encrypt2 des_encrypt2_u16_risc2_idx #define des_encrypt3 des_encrypt3_u16_risc2_idx #define des_decrypt3 des_decrypt3_u16_risc2_idx @@ -218,11 +218,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_cisc_ptr +#define des_encrypt1 des_encrypt_u4_cisc_ptr #define des_encrypt2 des_encrypt2_u4_cisc_ptr #define des_encrypt3 des_encrypt3_u4_cisc_ptr #define des_decrypt3 des_decrypt3_u4_cisc_ptr @@ -234,11 +234,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_cisc_ptr +#define des_encrypt1 des_encrypt_u16_cisc_ptr #define des_encrypt2 des_encrypt2_u16_cisc_ptr #define des_encrypt3 des_encrypt3_u16_cisc_ptr #define des_decrypt3 des_decrypt3_u16_cisc_ptr 
@@ -250,11 +250,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc1_ptr +#define des_encrypt1 des_encrypt_u4_risc1_ptr #define des_encrypt2 des_encrypt2_u4_risc1_ptr #define des_encrypt3 des_encrypt3_u4_risc1_ptr #define des_decrypt3 des_decrypt3_u4_risc1_ptr @@ -270,11 +270,11 @@ extern void exit(); #define DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc2_ptr +#define des_encrypt1 des_encrypt_u4_risc2_ptr #define des_encrypt2 des_encrypt2_u4_risc2_ptr #define des_encrypt3 des_encrypt3_u4_risc2_ptr #define des_decrypt3 des_decrypt3_u4_risc2_ptr @@ -286,11 +286,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc1_ptr +#define des_encrypt1 des_encrypt_u16_risc1_ptr #define des_encrypt2 des_encrypt2_u16_risc1_ptr #define des_encrypt3 des_encrypt3_u16_risc1_ptr #define des_decrypt3 des_decrypt3_u16_risc1_ptr @@ -302,11 +302,11 @@ extern void exit(); #define DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc2_ptr +#define des_encrypt1 des_encrypt_u16_risc2_ptr #define des_encrypt2 des_encrypt2_u16_risc2_ptr #define des_encrypt3 des_encrypt3_u16_risc2_ptr #define des_decrypt3 des_decrypt3_u16_risc2_ptr @@ -453,7 +453,7 @@ int main(int argc, char **argv) count*=2; Time_F(START); for (i=count; i; i--) - des_encrypt(data,&(sch[0]),DES_ENCRYPT); + des_encrypt1(data,&(sch[0]),DES_ENCRYPT); d=Time_F(STOP); } while (d < 3.0); ca=count; 
diff --git a/lib/libssl/src/crypto/des/dess.cpp b/lib/libssl/src/crypto/des/dess.cpp index 753e67ad9be..5549bab90af 100644 --- a/lib/libssl/src/crypto/des/dess.cpp +++ b/lib/libssl/src/crypto/des/dess.cpp @@ -45,19 +45,19 @@ void main(int argc,char *argv[]) { for (i=0; i<1000; i++) /**/ { - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); GetTSC(s1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); GetTSC(e1); GetTSC(s2); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); GetTSC(e2); - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); } printf("des %d %d (%d)\n", diff --git a/lib/libssl/src/crypto/des/ecb_enc.c b/lib/libssl/src/crypto/des/ecb_enc.c index b261a8aad94..d481327ef3b 100644 --- a/lib/libssl/src/crypto/des/ecb_enc.c +++ b/lib/libssl/src/crypto/des/ecb_enc.c @@ -114,7 +114,7 @@ void des_ecb_encrypt(const_des_cblock *input, des_cblock *output, c2l(in,l); ll[0]=l; c2l(in,l); ll[1]=l; - des_encrypt(ll,ks,enc); + des_encrypt1(ll,ks,enc); l=ll[0]; l2c(l,out); l=ll[1]; l2c(l,out); l=ll[0]=ll[1]=0; diff --git a/lib/libssl/src/crypto/des/ede_cbcm_enc.c b/lib/libssl/src/crypto/des/ede_cbcm_enc.c index c53062481dd..b98f7e17af1 100644 --- a/lib/libssl/src/crypto/des/ede_cbcm_enc.c +++ b/lib/libssl/src/crypto/des/ede_cbcm_enc.c @@ -95,7 +95,7 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, { tin[0]=m0; tin[1]=m1; - des_encrypt(tin,ks3,1); + des_encrypt1(tin,ks3,1); m0=tin[0]; m1=tin[1]; 
@@ -113,13 +113,13 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, tin[0]=tin0; tin[1]=tin1; - des_encrypt(tin,ks1,1); + des_encrypt1(tin,ks1,1); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks2,0); + des_encrypt1(tin,ks2,0); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks1,1); + des_encrypt1(tin,ks1,1); tout0=tin[0]; tout1=tin[1]; @@ -146,7 +146,7 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, { tin[0]=m0; tin[1]=m1; - des_encrypt(tin,ks3,1); + des_encrypt1(tin,ks3,1); m0=tin[0]; m1=tin[1]; @@ -158,13 +158,13 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, tin[0]=tin0; tin[1]=tin1; - des_encrypt(tin,ks1,0); + des_encrypt1(tin,ks1,0); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks2,1); + des_encrypt1(tin,ks2,1); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks1,0); + des_encrypt1(tin,ks1,0); tout0=tin[0]; tout1=tin[1]; diff --git a/lib/libssl/src/crypto/des/ncbc_enc.c b/lib/libssl/src/crypto/des/ncbc_enc.c index 3b681691a9b..b8db07b199d 100644 --- a/lib/libssl/src/crypto/des/ncbc_enc.c +++ b/lib/libssl/src/crypto/des/ncbc_enc.c @@ -89,7 +89,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, c2l(in,tin1); tin0^=tout0; tin[0]=tin0; tin1^=tout1; tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); tout0=tin[0]; l2c(tout0,out); tout1=tin[1]; l2c(tout1,out); } @@ -98,7 +98,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, c2ln(in,tin0,tin1,l+8); tin0^=tout0; tin[0]=tin0; tin1^=tout1; tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); tout0=tin[0]; l2c(tout0,out); tout1=tin[1]; l2c(tout1,out); } 
@@ -116,7 +116,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, { c2l(in,tin0); tin[0]=tin0; c2l(in,tin1); tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0; tout1=tin[1]^xor1; l2c(tout0,out); @@ -128,7 +128,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, { c2l(in,tin0); tin[0]=tin0; c2l(in,tin1); tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0; tout1=tin[1]^xor1; l2cn(tout0,tout1,out,l+8); diff --git a/lib/libssl/src/crypto/des/ofb64enc.c b/lib/libssl/src/crypto/des/ofb64enc.c index 64953959cab..1a1d1f1ac47 100644 --- a/lib/libssl/src/crypto/des/ofb64enc.c +++ b/lib/libssl/src/crypto/des/ofb64enc.c @@ -87,7 +87,7 @@ void des_ofb64_encrypt(register const unsigned char *in, { if (n == 0) { - des_encrypt(ti,schedule,DES_ENCRYPT); + des_encrypt1(ti,schedule,DES_ENCRYPT); dp=d; t=ti[0]; l2c(t,dp); t=ti[1]; l2c(t,dp); diff --git a/lib/libssl/src/crypto/des/ofb_enc.c b/lib/libssl/src/crypto/des/ofb_enc.c index a8f425a575a..70493e632cc 100644 --- a/lib/libssl/src/crypto/des/ofb_enc.c +++ b/lib/libssl/src/crypto/des/ofb_enc.c @@ -101,7 +101,7 @@ void des_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits, { ti[0]=v0; ti[1]=v1; - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT); vv0=ti[0]; vv1=ti[1]; c2ln(in,d0,d1,n); diff --git a/lib/libssl/src/crypto/des/pcbc_enc.c b/lib/libssl/src/crypto/des/pcbc_enc.c index dd69a26d4aa..5b987f074d3 100644 --- a/lib/libssl/src/crypto/des/pcbc_enc.c +++ b/lib/libssl/src/crypto/des/pcbc_enc.c 
@@ -85,7 +85,7 @@ void des_pcbc_encrypt(const unsigned char *input, unsigned char *output, c2ln(in,sin0,sin1,length); tin[0]=sin0^xor0; tin[1]=sin1^xor1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); tout0=tin[0]; tout1=tin[1]; xor0=sin0^tout0; @@ -103,7 +103,7 @@ void des_pcbc_encrypt(const unsigned char *input, unsigned char *output, c2l(in,sin1); tin[0]=sin0; tin[1]=sin1; - des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0; tout1=tin[1]^xor1; if (length >= 8) diff --git a/lib/libssl/src/crypto/des/speed.c b/lib/libssl/src/crypto/des/speed.c index 814b86f4aee..1223edf2907 100644 --- a/lib/libssl/src/crypto/des/speed.c +++ b/lib/libssl/src/crypto/des/speed.c @@ -204,7 +204,7 @@ int main(int argc, char **argv) count*=2; Time_F(START); for (i=count; i; i--) - des_encrypt(data,&(sch[0]),DES_ENCRYPT); + des_encrypt1(data,&(sch[0]),DES_ENCRYPT); d=Time_F(STOP); } while (d < 3.0); ca=count; @@ -241,7 +241,7 @@ int main(int argc, char **argv) { DES_LONG data[2]; - des_encrypt(data,&(sch[0]),DES_ENCRYPT); + des_encrypt1(data,&(sch[0]),DES_ENCRYPT); } d=Time_F(STOP); printf("%ld des_encrypt's in %.2f second\n",count,d); diff --git a/lib/libssl/src/crypto/des/xcbc_enc.c b/lib/libssl/src/crypto/des/xcbc_enc.c index 51e17e6b8a6..ccfede13aca 100644 --- a/lib/libssl/src/crypto/des/xcbc_enc.c +++ b/lib/libssl/src/crypto/des/xcbc_enc.c @@ -138,7 +138,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, c2l(in,tin1); tin0^=tout0^inW0; tin[0]=tin0; tin1^=tout1^inW1; tin[1]=tin1; - des_encrypt(tin,schedule,DES_ENCRYPT); + des_encrypt1(tin,schedule,DES_ENCRYPT); tout0=tin[0]^outW0; l2c(tout0,out); tout1=tin[1]^outW1; l2c(tout1,out); } 
@@ -147,7 +147,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, c2ln(in,tin0,tin1,l+8); tin0^=tout0^inW0; tin[0]=tin0; tin1^=tout1^inW1; tin[1]=tin1; - des_encrypt(tin,schedule,DES_ENCRYPT); + des_encrypt1(tin,schedule,DES_ENCRYPT); tout0=tin[0]^outW0; l2c(tout0,out); tout1=tin[1]^outW1; l2c(tout1,out); } @@ -163,7 +163,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, { c2l(in,tin0); tin[0]=tin0^outW0; c2l(in,tin1); tin[1]=tin1^outW1; - des_encrypt(tin,schedule,DES_DECRYPT); + des_encrypt1(tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0^inW0; tout1=tin[1]^xor1^inW1; l2c(tout0,out); @@ -175,7 +175,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, { c2l(in,tin0); tin[0]=tin0^outW0; c2l(in,tin1); tin[1]=tin1^outW1; - des_encrypt(tin,schedule,DES_DECRYPT); + des_encrypt1(tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0^inW0; tout1=tin[1]^xor1^inW1; l2cn(tout0,tout1,out,l+8); diff --git a/lib/libssl/src/crypto/dh/Makefile.ssl b/lib/libssl/src/crypto/dh/Makefile.ssl index 88d0d1748b2..bf4b47ca9ac 100644 --- a/lib/libssl/src/crypto/dh/Makefile.ssl +++ b/lib/libssl/src/crypto/dh/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/dh/dh_key.c b/lib/libssl/src/crypto/dh/dh_key.c index 6915d79dcc2..22b087b778f 100644 --- a/lib/libssl/src/crypto/dh/dh_key.c +++ b/lib/libssl/src/crypto/dh/dh_key.c @@ -100,7 +100,6 @@ DH_METHOD *DH_OpenSSL(void) static int generate_key(DH *dh) { int ok=0; - unsigned int i; BN_CTX ctx; BN_MONT_CTX *mont; BIGNUM *pub_key=NULL,*priv_key=NULL; 
@@ -109,15 +108,11 @@ static int generate_key(DH *dh) if (dh->priv_key == NULL) { - i=dh->length; - if (i == 0) - { - /* Make the number p-1 bits long */ - i=BN_num_bits(dh->p)-1; - } priv_key=BN_new(); if (priv_key == NULL) goto err; - if (!BN_rand(priv_key,i,0,0)) goto err; + do + if (!BN_rand_range(priv_key, dh->p)) goto err; + while (BN_is_zero(priv_key)); } else priv_key=dh->priv_key; diff --git a/lib/libssl/src/crypto/dh/dh_lib.c b/lib/libssl/src/crypto/dh/dh_lib.c index 66803b55656..96f118c1538 100644 --- a/lib/libssl/src/crypto/dh/dh_lib.c +++ b/lib/libssl/src/crypto/dh/dh_lib.c @@ -168,13 +168,13 @@ DH *DH_new_method(ENGINE *engine) ret->method_mont_p=NULL; ret->references = 1; ret->flags=meth->flags; + CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data); if ((meth->init != NULL) && !meth->init(ret)) { + CRYPTO_free_ex_data(dh_meth,ret,&ret->ex_data); OPENSSL_free(ret); ret=NULL; } - else - CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data); return(ret); } @@ -196,12 +196,12 @@ void DH_free(DH *r) } #endif - CRYPTO_free_ex_data(dh_meth, r, &r->ex_data); - meth = ENGINE_get_DH(r->engine); if(meth->finish) meth->finish(r); ENGINE_finish(r->engine); + CRYPTO_free_ex_data(dh_meth, r, &r->ex_data); + if (r->p != NULL) BN_clear_free(r->p); if (r->g != NULL) BN_clear_free(r->g); if (r->q != NULL) BN_clear_free(r->q); diff --git a/lib/libssl/src/crypto/dsa/Makefile.ssl b/lib/libssl/src/crypto/dsa/Makefile.ssl index dac582be00d..d88f5963647 100644 --- a/lib/libssl/src/crypto/dsa/Makefile.ssl +++ b/lib/libssl/src/crypto/dsa/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/dso/Makefile.ssl b/lib/libssl/src/crypto/dso/Makefile.ssl index a37f547482c..48b36c83306 100644 --- a/lib/libssl/src/crypto/dso/Makefile.ssl +++ b/lib/libssl/src/crypto/dso/Makefile.ssl 
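Review bot: The new loop in generate_key no longer reads `dh->length`, so a caller-requested private exponent size is silently ignored and every key is drawn from the full range below `dh->p`. If that is intended, a comment such as `/* dh->length is deliberately ignored: the private key is uniform in [1, p-1] */` should say so; if it is not, the removed length branch needs an equivalent on the new side, for example `if (dh->length) { if (!BN_rand(priv_key,dh->length,0,0)) goto err; } else` ahead of the loop. The brace-less `do ... while` with an embedded `goto err` is also easy to misread and would be clearer with braces. generate_key begins and continues outside the hunk.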
@@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/dso/dso_dl.c b/lib/libssl/src/crypto/dso/dso_dl.c index 69810fc3bb9..455bd66ecfc 100644 --- a/lib/libssl/src/crypto/dso/dso_dl.c +++ b/lib/libssl/src/crypto/dso/dso_dl.c @@ -82,7 +82,7 @@ static int dl_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr); static int dl_init(DSO *dso); static int dl_finish(DSO *dso); #endif -static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg); +static long dl_ctrl(DSO *dso, int cmd, long larg, void *parg); static DSO_METHOD dso_meth_dl = { "OpenSSL 'dl' shared library method", @@ -111,6 +111,11 @@ DSO_METHOD *DSO_METHOD_dl(void) * type so the cast is safe. */ +#if defined(__hpux) +static const char extension[] = ".sl"; +#else +static const char extension[] = ".so"; +#endif static int dl_load(DSO *dso, const char *filename) { shl_t ptr; @@ -118,12 +123,12 @@ static int dl_load(DSO *dso, const char *filename) int len; /* The same comment as in dlfcn_load applies here. bleurgh. */ - len = strlen(filename); + len = strlen(filename) + strlen(extension); if((dso->flags & DSO_FLAG_NAME_TRANSLATION) && - (len + 6 < DSO_MAX_TRANSLATED_SIZE) && + (len + 3 < DSO_MAX_TRANSLATED_SIZE) && (strstr(filename, "/") == NULL)) { - sprintf(translated, "lib%s.so", filename); + sprintf(translated, "lib%s%s", filename, extension); ptr = shl_load(translated, BIND_IMMEDIATE, NULL); } else @@ -187,7 +192,7 @@ static void *dl_bind_var(DSO *dso, const char *symname) DSOerr(DSO_F_DL_BIND_VAR,DSO_R_NULL_HANDLE); return(NULL); } - if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0) + if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0) { DSOerr(DSO_F_DL_BIND_VAR,DSO_R_SYM_FAILURE); return(NULL); 
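Review bot: The length guard in dl_load rests on an unexplained `3` and on a `translated` buffer whose declaration is outside the hunk: `len + 3 < DSO_MAX_TRANSLATED_SIZE` bounds the unbounded `sprintf(translated, "lib%s%s", filename, extension)` only if that buffer holds DSO_MAX_TRANSLATED_SIZE bytes. A comment on the condition such as `/* 3 == strlen("lib"); the strict < leaves room for the NUL */` would make the arithmetic checkable by the next reader. `len` is an `int` holding the sum of two `strlen` results, so declaring it `size_t` would avoid the narrowing. dl_load continues past the end of the hunk.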
@@ -216,7 +221,7 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname) DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_NULL_HANDLE); return(NULL); } - if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0) + if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0) { DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_SYM_FAILURE); return(NULL); @@ -224,7 +229,7 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname) return((DSO_FUNC_TYPE)sym); } -static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg) +static long dl_ctrl(DSO *dso, int cmd, long larg, void *parg) { if(dso == NULL) { @@ -236,10 +241,10 @@ static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg) case DSO_CTRL_GET_FLAGS: return dso->flags; case DSO_CTRL_SET_FLAGS: - dso->flags = (int)larg; + dso->flags = larg; return(0); case DSO_CTRL_OR_FLAGS: - dso->flags |= (int)larg; + dso->flags |= larg; return(0); default: break; diff --git a/lib/libssl/src/crypto/dso/dso_vms.c b/lib/libssl/src/crypto/dso/dso_vms.c index 8ff7090129c..ab48b63eb76 100644 --- a/lib/libssl/src/crypto/dso/dso_vms.c +++ b/lib/libssl/src/crypto/dso/dso_vms.c @@ -62,7 +62,6 @@ #ifdef VMS #pragma message disable DOLLARID #include <lib$routines.h> -#include <libfisdef.h> #include <stsdef.h> #include <descrip.h> #include <starlet.h> @@ -260,7 +259,8 @@ void vms_bind_sym(DSO *dso, const char *symname, void **sym) { DSO_VMS_INTERNAL *ptr; int status; - int flags = LIB$M_FIS_MIXEDCASE; + int flags = (1<<4); /* LIB$M_FIS_MIXEDCASE, but this symbol isn't + defined in VMS older than 7.0 or so */ struct dsc$descriptor_s symname_dsc; *sym = NULL; diff --git a/lib/libssl/src/crypto/ebcdic.c b/lib/libssl/src/crypto/ebcdic.c index 31397b2add7..91a7a8bcb43 100644 --- a/lib/libssl/src/crypto/ebcdic.c +++ b/lib/libssl/src/crypto/ebcdic.c 
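Review bot: In vms_bind_sym() (dso_vms.c) the flag becomes the bare literal `(1<<4)` with its name surviving only in a comment. A guarded definition keeps the symbolic name at the use site and still builds where the system headers do not provide it: `#ifndef LIB$M_FIS_MIXEDCASE`, `# define LIB$M_FIS_MIXEDCASE (1<<4)`, `#endif`, with `int flags = LIB$M_FIS_MIXEDCASE;` left as it was. The comment about VMS releases older than 7.0 then belongs on the fallback definition. The function body continues outside the hunk.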
@@ -211,7 +211,7 @@ ascii2ebcdic(void *dest, const void *srce, size_t count) } #else /*CHARSET_EBCDIC*/ -#ifdef PEDANTIC +#if defined(PEDANTIC) || defined(VMS) || defined(__VMS) static void *dummy=&dummy; #endif #endif diff --git a/lib/libssl/src/crypto/engine/engine_lib.c b/lib/libssl/src/crypto/engine/engine_lib.c index 1df07af03a6..d6e9109f6ea 100644 --- a/lib/libssl/src/crypto/engine/engine_lib.c +++ b/lib/libssl/src/crypto/engine/engine_lib.c @@ -230,17 +230,18 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); if(e->funct_ref == 0) { + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY, ENGINE_R_NOT_INITIALISED); return 0; } + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); if (!e->load_privkey) { ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY, ENGINE_R_NO_LOAD_FUNCTION); return 0; } - CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); pkey = e->load_privkey(key_id, passphrase); if (!pkey) { @@ -265,17 +266,18 @@ EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id, CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); if(e->funct_ref == 0) { + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY, ENGINE_R_NOT_INITIALISED); return 0; } + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); if (!e->load_pubkey) { ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY, ENGINE_R_NO_LOAD_FUNCTION); return 0; } - CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); pkey = e->load_pubkey(key_id, passphrase); if (!pkey) { @@ -286,8 +288,6 @@ EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id, return pkey; } -/* Initialise a engine type for use (or up its functional reference count - * if it's already in use). */ int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) { if(e == NULL) 
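Review bot: In ENGINE_load_private_key() the lock is now released right after the funct_ref test, so the later read of e->load_privkey and the call through it are not protected by anything in this function. That is only safe if the caller holds a functional reference for the whole call, which the code does not state. I would record it above the function with `/* Caller must hold a functional reference on e for the duration of this call; CRYPTO_LOCK_ENGINE only covers the funct_ref test. */`. The same applies to ENGINE_load_public_key() in the next hunk and to ENGINE_ctrl() (struct_ref), whose hunk also deletes the old, misplaced header comment without adding a correct one. All three function bodies extend beyond their hunks.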
@@ -298,15 +298,16 @@ int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); if(e->struct_ref == 0) { + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_REFERENCE); return 0; } + CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); if (!e->ctrl) { ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_CONTROL_FUNCTION); return 0; } - CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); return e->ctrl(cmd, i, p, f); } diff --git a/lib/libssl/src/crypto/err/Makefile.ssl b/lib/libssl/src/crypto/err/Makefile.ssl index cf94f406e40..58218d1cead 100644 --- a/lib/libssl/src/crypto/err/Makefile.ssl +++ b/lib/libssl/src/crypto/err/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/err/err.c b/lib/libssl/src/crypto/err/err.c index 99272e437c7..839f4ab81ac 100644 --- a/lib/libssl/src/crypto/err/err.c +++ b/lib/libssl/src/crypto/err/err.c @@ -389,20 +389,18 @@ void ERR_put_error(int lib, int func, int reason, const char *file, void ERR_clear_error(void) { + int i; ERR_STATE *es; es=ERR_get_state(); -#if 0 - /* hmm... is this needed */ for (i=0; i<ERR_NUM_ERRORS; i++) { es->err_buffer[i]=0; + err_clear_data(es,i); es->err_file[i]=NULL; es->err_line[i]= -1; - err_clear_data(es,i); } -#endif es->top=es->bottom=0; } @@ -464,7 +462,14 @@ static unsigned long get_error_values(int inc, const char **file, int *line, } } - if (data != NULL) + if (data == NULL) + { + if (inc) + { + err_clear_data(es, i); + } + } + else { if (es->err_data[i] == NULL) { @@ -749,8 +754,9 @@ void ERR_set_error_data(char *data, int flags) if (i == 0) i=ERR_NUM_ERRORS-1; + err_clear_data(es,i); es->err_data[i]=data; - es->err_data_flags[es->top]=flags; + es->err_data_flags[i]=flags; } void ERR_add_error_data(int num, ...) 
@@ -759,7 +765,7 @@ void ERR_add_error_data(int num, ...) int i,n,s; char *str,*p,*a; - s=64; + s=80; str=OPENSSL_malloc(s+1); if (str == NULL) return; str[0]='\0'; diff --git a/lib/libssl/src/crypto/evp/Makefile.ssl b/lib/libssl/src/crypto/evp/Makefile.ssl index ad39fcc9e74..624168031d0 100644 --- a/lib/libssl/src/crypto/evp/Makefile.ssl +++ b/lib/libssl/src/crypto/evp/Makefile.ssl @@ -58,7 +58,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/evp/evp.h b/lib/libssl/src/crypto/evp/evp.h index 62350dfd69e..76d417b44a3 100644 --- a/lib/libssl/src/crypto/evp/evp.h +++ b/lib/libssl/src/crypto/evp/evp.h @@ -462,12 +462,20 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md, int en_de); +#ifndef NO_RSA #define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\ (char *)(rsa)) +#endif + +#ifndef NO_DSA #define EVP_PKEY_assign_DSA(pkey,dsa) EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\ (char *)(dsa)) +#endif + +#ifndef NO_DH #define EVP_PKEY_assign_DH(pkey,dh) EVP_PKEY_assign((pkey),EVP_PKEY_DH,\ (char *)(dh)) +#endif /* Add some extra combinations */ #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a)) 
@@ -611,17 +619,29 @@ void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,unsigned char *k, #endif EVP_MD *EVP_md_null(void); +#ifndef NO_MD2 EVP_MD *EVP_md2(void); +#endif +#ifndef NO_MD4 EVP_MD *EVP_md4(void); +#endif +#ifndef NO_MD5 EVP_MD *EVP_md5(void); +#endif +#ifndef NO_SHA EVP_MD *EVP_sha(void); EVP_MD *EVP_sha1(void); EVP_MD *EVP_dss(void); EVP_MD *EVP_dss1(void); +#endif +#ifndef NO_MDC2 EVP_MD *EVP_mdc2(void); +#endif +#ifndef NO_RIPEMD EVP_MD *EVP_ripemd160(void); - +#endif EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */ +#ifndef NO_DES EVP_CIPHER *EVP_des_ecb(void); EVP_CIPHER *EVP_des_ede(void); EVP_CIPHER *EVP_des_ede3(void); @@ -635,31 +655,43 @@ EVP_CIPHER *EVP_des_cbc(void); EVP_CIPHER *EVP_des_ede_cbc(void); EVP_CIPHER *EVP_des_ede3_cbc(void); EVP_CIPHER *EVP_desx_cbc(void); +#endif +#ifndef NO_RC4 EVP_CIPHER *EVP_rc4(void); EVP_CIPHER *EVP_rc4_40(void); +#endif +#ifndef NO_IDEA EVP_CIPHER *EVP_idea_ecb(void); EVP_CIPHER *EVP_idea_cfb(void); EVP_CIPHER *EVP_idea_ofb(void); EVP_CIPHER *EVP_idea_cbc(void); +#endif +#ifndef NO_RC2 EVP_CIPHER *EVP_rc2_ecb(void); EVP_CIPHER *EVP_rc2_cbc(void); EVP_CIPHER *EVP_rc2_40_cbc(void); EVP_CIPHER *EVP_rc2_64_cbc(void); EVP_CIPHER *EVP_rc2_cfb(void); EVP_CIPHER *EVP_rc2_ofb(void); +#endif +#ifndef NO_BF EVP_CIPHER *EVP_bf_ecb(void); EVP_CIPHER *EVP_bf_cbc(void); EVP_CIPHER *EVP_bf_cfb(void); EVP_CIPHER *EVP_bf_ofb(void); +#endif +#ifndef NO_CAST EVP_CIPHER *EVP_cast5_ecb(void); EVP_CIPHER *EVP_cast5_cbc(void); EVP_CIPHER *EVP_cast5_cfb(void); EVP_CIPHER *EVP_cast5_ofb(void); +#endif +#ifndef NO_RC5 EVP_CIPHER *EVP_rc5_32_12_16_cbc(void); EVP_CIPHER *EVP_rc5_32_12_16_ecb(void); EVP_CIPHER *EVP_rc5_32_12_16_cfb(void); EVP_CIPHER *EVP_rc5_32_12_16_ofb(void); - +#endif void OpenSSL_add_all_algorithms(void); void OpenSSL_add_all_ciphers(void); void OpenSSL_add_all_digests(void); diff --git a/lib/libssl/src/crypto/ex_data.c b/lib/libssl/src/crypto/ex_data.c index 1ee88da2a83..739e543d782 100644 
--- a/lib/libssl/src/crypto/ex_data.c +++ b/lib/libssl/src/crypto/ex_data.c @@ -101,7 +101,7 @@ int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long ret=idx; err: MemCheck_on(); - return(idx); + return(ret); } int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val) diff --git a/lib/libssl/src/crypto/hmac/Makefile.ssl b/lib/libssl/src/crypto/hmac/Makefile.ssl index cf573119733..326339a90d5 100644 --- a/lib/libssl/src/crypto/hmac/Makefile.ssl +++ b/lib/libssl/src/crypto/hmac/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/idea/Makefile.ssl b/lib/libssl/src/crypto/idea/Makefile.ssl index 5b334ce9211..30302e0b9f0 100644 --- a/lib/libssl/src/crypto/idea/Makefile.ssl +++ b/lib/libssl/src/crypto/idea/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/lhash/Makefile.ssl b/lib/libssl/src/crypto/lhash/Makefile.ssl index 6c3d442e22a..79849d7d6ed 100644 --- a/lib/libssl/src/crypto/lhash/Makefile.ssl +++ b/lib/libssl/src/crypto/lhash/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/md2/Makefile.ssl b/lib/libssl/src/crypto/md2/Makefile.ssl index d46c73a9b9f..269628d7393 100644 --- a/lib/libssl/src/crypto/md2/Makefile.ssl +++ b/lib/libssl/src/crypto/md2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: 
diff --git a/lib/libssl/src/crypto/md4/Makefile.ssl b/lib/libssl/src/crypto/md4/Makefile.ssl index 6ee3ca88edf..646607274ee 100644 --- a/lib/libssl/src/crypto/md4/Makefile.ssl +++ b/lib/libssl/src/crypto/md4/Makefile.ssl @@ -40,7 +40,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/md5/Makefile.ssl b/lib/libssl/src/crypto/md5/Makefile.ssl index e8d0cced7fe..784215579b4 100644 --- a/lib/libssl/src/crypto/md5/Makefile.ssl +++ b/lib/libssl/src/crypto/md5/Makefile.ssl @@ -50,7 +50,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/lib/libssl/src/crypto/mdc2/Makefile.ssl b/lib/libssl/src/crypto/mdc2/Makefile.ssl index da11c4edeac..a9b06b02bd4 100644 --- a/lib/libssl/src/crypto/mdc2/Makefile.ssl +++ b/lib/libssl/src/crypto/mdc2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/mem_dbg.c b/lib/libssl/src/crypto/mem_dbg.c index 866c53e73a9..ef19d8f8448 100644 --- a/lib/libssl/src/crypto/mem_dbg.c +++ b/lib/libssl/src/crypto/mem_dbg.c @@ -81,7 +81,8 @@ static int mh_mode=CRYPTO_MEM_CHECK_OFF; */ static unsigned long order = 0; /* number of memory requests */ -static LHASH *mh=NULL; /* hash-table of memory requests (address as key) */ +static LHASH *mh=NULL; /* hash-table of memory requests (address as key); + * access requires MALLOC2 lock */ typedef struct app_mem_info_st 
@@ -103,7 +104,8 @@ typedef struct app_mem_info_st static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's * that are at the top of their thread's stack - * (with `thread' as key) */ + * (with `thread' as key); + * access requires MALLOC2 lock */ typedef struct mem_st /* memory-block description */ @@ -128,7 +130,15 @@ static long options = /* extra information to be recorded */ 0; -static unsigned long disabling_thread = 0; +static unsigned int num_disable = 0; /* num_disable > 0 + * iff + * mh_mode == CRYPTO_MEM_CHECK_ON (w/o ..._ENABLE) + */ +static unsigned long disabling_thread = 0; /* Valid iff num_disable > 0. + * CRYPTO_LOCK_MALLOC2 is locked + * exactly in this case (by the + * thread named in disabling_thread). + */ int CRYPTO_mem_ctrl(int mode) { @@ -137,22 +147,23 @@ int CRYPTO_mem_ctrl(int mode) CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); switch (mode) { - /* for applications: */ + /* for applications (not to be called while multiple threads + * use the library): */ case CRYPTO_MEM_CHECK_ON: /* aka MemCheck_start() */ mh_mode = CRYPTO_MEM_CHECK_ON|CRYPTO_MEM_CHECK_ENABLE; - disabling_thread = 0; + num_disable = 0; break; case CRYPTO_MEM_CHECK_OFF: /* aka MemCheck_stop() */ mh_mode = 0; - disabling_thread = 0; + num_disable = 0; /* should be true *before* MemCheck_stop is used, + or there'll be a lot of confusion */ break; /* switch off temporarily (for library-internal use): */ case CRYPTO_MEM_CHECK_DISABLE: /* aka MemCheck_off() */ if (mh_mode & CRYPTO_MEM_CHECK_ON) { - mh_mode&= ~CRYPTO_MEM_CHECK_ENABLE; - if (disabling_thread != CRYPTO_thread_id()) /* otherwise we already have the MALLOC2 lock */ + if (!num_disable || (disabling_thread != CRYPTO_thread_id())) /* otherwise we already have the MALLOC2 lock */ { /* Long-time lock CRYPTO_LOCK_MALLOC2 must not be claimed while * we're holding CRYPTO_LOCK_MALLOC, or we'll deadlock if 
@@ -169,18 +180,23 @@ int CRYPTO_mem_ctrl(int mode) * OpenSSL threads. */ CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2); CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); + mh_mode &= ~CRYPTO_MEM_CHECK_ENABLE; disabling_thread=CRYPTO_thread_id(); } + num_disable++; } break; case CRYPTO_MEM_CHECK_ENABLE: /* aka MemCheck_on() */ if (mh_mode & CRYPTO_MEM_CHECK_ON) { - mh_mode|=CRYPTO_MEM_CHECK_ENABLE; - if (disabling_thread != 0) + if (num_disable) /* always true, or something is going wrong */ { - disabling_thread=0; - CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2); + num_disable--; + if (num_disable == 0) + { + mh_mode|=CRYPTO_MEM_CHECK_ENABLE; + CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2); + } } } break; @@ -198,12 +214,12 @@ int CRYPTO_is_mem_check_on(void) if (mh_mode & CRYPTO_MEM_CHECK_ON) { - CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); + CRYPTO_r_lock(CRYPTO_LOCK_MALLOC); ret = (mh_mode & CRYPTO_MEM_CHECK_ENABLE) - && disabling_thread != CRYPTO_thread_id(); + || (disabling_thread != CRYPTO_thread_id()); - CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC); + CRYPTO_r_unlock(CRYPTO_LOCK_MALLOC); } return(ret); } @@ -293,7 +309,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line) if (is_MemCheck_on()) { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* obtain MALLOC2 lock */ if ((ami = (APP_INFO *)OPENSSL_malloc(sizeof(APP_INFO))) == NULL) { @@ -330,7 +346,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line) ami->next=amim; } err: - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock */ } return(ret); @@ -342,11 +358,11 @@ int CRYPTO_pop_info(void) if (is_MemCheck_on()) /* _must_ be true, or something went severely wrong */ { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* obtain MALLOC2 lock */ ret=(pop_info() != NULL); - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock */ } return(ret); } 
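Review bot: The change from `&&` to `||` in CRYPTO_is_mem_check_on() is correct only because disabling_thread is meaningful solely while the ENABLE bit is clear, and nothing at that line says so. A short comment would stop someone from reverting it: `/* ENABLE set: checking is on for every thread; ENABLE clear: on for every thread except the one that disabled it */`. The first test of mh_mode is still made before the lock is taken, which looks like a deliberate fast path and is worth stating in the same comment.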
@@ -357,12 +373,12 @@ int CRYPTO_remove_all_info(void) if (is_MemCheck_on()) /* _must_ be true */ { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* obtain MALLOC2 lock */ while(pop_info() != NULL) ret++; - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock */ } return(ret); } @@ -385,11 +401,12 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line, if (is_MemCheck_on()) { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* make sure we hold MALLOC2 lock */ if ((m=(MEM *)OPENSSL_malloc(sizeof(MEM))) == NULL) { OPENSSL_free(addr); - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ return; } if (mh == NULL) @@ -448,7 +465,8 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line, OPENSSL_free(mm); } err: - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ } break; } @@ -467,7 +485,7 @@ void CRYPTO_dbg_free(void *addr, int before_p) if (is_MemCheck_on() && (mh != NULL)) { - MemCheck_off(); + MemCheck_off(); /* make sure we hold MALLOC2 lock */ m.addr=addr; mp=(MEM *)lh_delete(mh,(char *)&m); @@ -484,7 +502,8 @@ void CRYPTO_dbg_free(void *addr, int before_p) OPENSSL_free(mp); } - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ } break; case 1: @@ -518,7 +537,7 @@ void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num, if (is_MemCheck_on()) { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* make sure we hold MALLOC2 lock */ m.addr=addr1; mp=(MEM *)lh_delete(mh,(char *)&m); 
@@ -535,7 +554,8 @@ void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num, lh_insert(mh,(char *)mp); } - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ } break; } @@ -642,10 +662,12 @@ void CRYPTO_mem_leaks(BIO *b) if (mh == NULL && amih == NULL) return; + + MemCheck_off(); /* obtain MALLOC2 lock */ + ml.bio=b; ml.bytes=0; ml.chunks=0; - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ if (mh != NULL) lh_doall_arg(mh,(void (*)())print_leak,(char *)&ml); if (ml.chunks != 0) @@ -671,7 +693,15 @@ void CRYPTO_mem_leaks(BIO *b) * void_fn_to_char kludge in CRYPTO_mem_leaks_cb. * Otherwise the code police will come and get us.) */ + int old_mh_mode; + CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); + + /* avoid deadlock when lh_free() uses CRYPTO_dbg_free(), + * which uses CRYPTO_is_mem_check_on */ + old_mh_mode = mh_mode; + mh_mode = CRYPTO_MEM_CHECK_OFF; + if (mh != NULL) { lh_free(mh); @@ -685,15 +715,11 @@ void CRYPTO_mem_leaks(BIO *b) amih = NULL; } } + + mh_mode = old_mh_mode; CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC); } - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ - -#if 0 - lh_stats_bio(mh,b); - lh_node_stats_bio(mh,b); - lh_node_usage_stats_bio(mh,b); -#endif + MemCheck_on(); /* release MALLOC2 lock */ } #ifndef NO_FP_API diff --git a/lib/libssl/src/crypto/objects/Makefile.ssl b/lib/libssl/src/crypto/objects/Makefile.ssl index bdb7aa94dc0..6746ad21e72 100644 --- a/lib/libssl/src/crypto/objects/Makefile.ssl +++ b/lib/libssl/src/crypto/objects/Makefile.ssl @@ -39,7 +39,8 @@ all: obj_dat.h lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/opensslv.h b/lib/libssl/src/crypto/opensslv.h index 6b5aedeea6e..dc50f6d7da6 100644 --- a/lib/libssl/src/crypto/opensslv.h +++ b/lib/libssl/src/crypto/opensslv.h 
@@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090600fL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6 [engine] 24 Sep 2000" +#define OPENSSL_VERSION_NUMBER 0x0090601fL +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a [engine] 5 Apr 2001" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/lib/libssl/src/crypto/pem/Makefile.ssl b/lib/libssl/src/crypto/pem/Makefile.ssl index 97af8255a3c..31db6b65a11 100644 --- a/lib/libssl/src/crypto/pem/Makefile.ssl +++ b/lib/libssl/src/crypto/pem/Makefile.ssl @@ -40,7 +40,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/pem/pem_info.c b/lib/libssl/src/crypto/pem/pem_info.c index 1c5c6dea000..f1694f11253 100644 --- a/lib/libssl/src/crypto/pem/pem_info.c +++ b/lib/libssl/src/crypto/pem/pem_info.c @@ -305,7 +305,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc, { if ( (xi->enc_data!=NULL) && (xi->enc_len>0) ) { - /* copy from wierdo names into more normal things */ + /* copy from weirdo names into more normal things */ iv=xi->enc_cipher.iv; data=(unsigned char *)xi->enc_data; i=xi->enc_len; diff --git a/lib/libssl/src/crypto/pkcs12/Makefile.ssl b/lib/libssl/src/crypto/pkcs12/Makefile.ssl index 67869f204fb..d745c536216 100644 --- a/lib/libssl/src/crypto/pkcs12/Makefile.ssl +++ b/lib/libssl/src/crypto/pkcs12/Makefile.ssl @@ -45,7 +45,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/pkcs12/p12_attr.c b/lib/libssl/src/crypto/pkcs12/p12_attr.c index f1a210b5d27..a16a97d03df 100644 --- a/lib/libssl/src/crypto/pkcs12/p12_attr.c 
+++ b/lib/libssl/src/crypto/pkcs12/p12_attr.c @@ -151,7 +151,7 @@ int PKCS12_add_friendlyname_asc (PKCS12_SAFEBAG *bag, const char *name, { unsigned char *uniname; int ret, unilen; - if (!asc2uni(name, &uniname, &unilen)) { + if (!asc2uni(name, namelen, &uniname, &unilen)) { PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC, ERR_R_MALLOC_FAILURE); return 0; diff --git a/lib/libssl/src/crypto/pkcs12/p12_key.c b/lib/libssl/src/crypto/pkcs12/p12_key.c index b042dcf05c9..a4fd5b98ec9 100644 --- a/lib/libssl/src/crypto/pkcs12/p12_key.c +++ b/lib/libssl/src/crypto/pkcs12/p12_key.c @@ -84,7 +84,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, if(!pass) { unipass = NULL; uniplen = 0; - } else if (!asc2uni(pass, &unipass, &uniplen)) { + } else if (!asc2uni(pass, passlen, &unipass, &uniplen)) { PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE); return 0; } @@ -102,7 +102,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, const EVP_MD *md_type) { unsigned char *B, *D, *I, *p, *Ai; - int Slen, Plen, Ilen; + int Slen, Plen, Ilen, Ijlen; int i, j, u, v; BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */ EVP_MD_CTX ctx; @@ -180,10 +180,17 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, BN_bin2bn (I + j, v, Ij); BN_add (Ij, Ij, Bpl1); BN_bn2bin (Ij, B); + Ijlen = BN_num_bytes (Ij); /* If more than 2^(v*8) - 1 cut off MSB */ - if (BN_num_bytes (Ij) > v) { + if (Ijlen > v) { BN_bn2bin (Ij, B); memcpy (I + j, B + 1, v); +#ifndef PKCS12_BROKEN_KEYGEN + /* If less than v bytes pad with zeroes */ + } else if (Ijlen < v) { + memset(I + j, 0, v - Ijlen); + BN_bn2bin(Ij, I + j + v - Ijlen); +#endif } else BN_bn2bin (Ij, I + j); } } diff --git a/lib/libssl/src/crypto/pkcs12/p12_kiss.c b/lib/libssl/src/crypto/pkcs12/p12_kiss.c index 1fbbd6c99f9..5d67f19b455 100644 --- a/lib/libssl/src/crypto/pkcs12/p12_kiss.c +++ b/lib/libssl/src/crypto/pkcs12/p12_kiss.c 
@@ -264,6 +264,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, if (lkey) { *keymatch |= MATCH_CERT; if (cert) *cert = x509; + else X509_free(x509); } else { if(ca) sk_X509_push (*ca, x509); else X509_free(x509); diff --git a/lib/libssl/src/crypto/pkcs12/p12_utl.c b/lib/libssl/src/crypto/pkcs12/p12_utl.c index 17f41b45496..2f1d1e534fc 100644 --- a/lib/libssl/src/crypto/pkcs12/p12_utl.c +++ b/lib/libssl/src/crypto/pkcs12/p12_utl.c @@ -62,30 +62,34 @@ /* Cheap and nasty Unicode stuff */ -unsigned char *asc2uni (const char *asc, unsigned char **uni, int *unilen) +unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen) { int ulen, i; unsigned char *unitmp; - ulen = strlen(asc)*2 + 2; - if (!(unitmp = OPENSSL_malloc (ulen))) return NULL; - for (i = 0; i < ulen; i+=2) { + if (asclen == -1) asclen = strlen(asc); + ulen = asclen*2 + 2; + if (!(unitmp = OPENSSL_malloc(ulen))) return NULL; + for (i = 0; i < ulen - 2; i+=2) { unitmp[i] = 0; unitmp[i + 1] = asc[i>>1]; } + /* Make result double null terminated */ + unitmp[ulen - 2] = 0; + unitmp[ulen - 1] = 0; if (unilen) *unilen = ulen; if (uni) *uni = unitmp; return unitmp; } -char *uni2asc (unsigned char *uni, int unilen) +char *uni2asc(unsigned char *uni, int unilen) { int asclen, i; char *asctmp; asclen = unilen / 2; /* If no terminating zero allow for one */ - if (uni[unilen - 1]) asclen++; + if (!unilen || uni[unilen - 1]) asclen++; uni++; - if (!(asctmp = OPENSSL_malloc (asclen))) return NULL; + if (!(asctmp = OPENSSL_malloc(asclen))) return NULL; for (i = 0; i < unilen; i+=2) asctmp[i>>1] = uni[i]; asctmp[asclen - 1] = 0; return asctmp; diff --git a/lib/libssl/src/crypto/pkcs12/pkcs12.h b/lib/libssl/src/crypto/pkcs12/pkcs12.h index 502fceff954..e529154f263 100644 --- a/lib/libssl/src/crypto/pkcs12/pkcs12.h +++ b/lib/libssl/src/crypto/pkcs12/pkcs12.h 
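Review bot: asc2uni() in p12_utl.c takes its new asclen argument without a range check. Only -1 is special-cased, so any other negative value, or a length above (INT_MAX - 2) / 2, makes `ulen = asclen*2 + 2` wrong before it reaches OPENSSL_malloc() and the two terminator writes. A guard right after the strlen() fallback closes that: `if (asclen < 0 || asclen > (INT_MAX - 2) / 2) return NULL;` (needs <limits.h>). In uni2asc() the added `!unilen` test covers the empty case, but an odd unilen still lets the copy loop read one byte past the input and, when the last input byte is zero, write one byte past the asclen-byte buffer; `if (unilen & 1) return NULL;` at the top would reject it. Both lengths presumably come from callers or from parsed PKCS#12 data, so I would not rely on them being well-formed.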
@@ -247,7 +247,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, EVP_MD *md_type); int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, EVP_MD *md_type); -unsigned char *asc2uni(const char *asc, unsigned char **uni, int *unilen); +unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen); char *uni2asc(unsigned char *uni, int unilen); int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **pp); PKCS12_BAGS *PKCS12_BAGS_new(void); diff --git a/lib/libssl/src/crypto/pkcs7/Makefile.ssl b/lib/libssl/src/crypto/pkcs7/Makefile.ssl index 6cd18b671e7..37b72f08902 100644 --- a/lib/libssl/src/crypto/pkcs7/Makefile.ssl +++ b/lib/libssl/src/crypto/pkcs7/Makefile.ssl @@ -58,7 +58,8 @@ verify: verify.o example.o lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/pkcs7/pk7_doit.c b/lib/libssl/src/crypto/pkcs7/pk7_doit.c index 099e9651c1c..bf43d030ade 100644 --- a/lib/libssl/src/crypto/pkcs7/pk7_doit.c +++ b/lib/libssl/src/crypto/pkcs7/pk7_doit.c @@ -370,7 +370,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) if (ri == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); - return(NULL); + goto err; } jj=EVP_PKEY_size(pkey); @@ -393,7 +393,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) BIO_get_cipher_ctx(etmp,&evp_ctx); EVP_CipherInit(evp_ctx,evp_cipher,NULL,NULL,0); if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0) - return(NULL); + goto err; if (jj != EVP_CIPHER_CTX_key_length(evp_ctx)) { /* Some S/MIME clients don't use the same key 
@@ -588,8 +588,10 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) pp=NULL; } +#ifndef NO_DSA if (si->pkey->type == EVP_PKEY_DSA) ctx_tmp.digest=EVP_dss1(); +#endif if (!EVP_SignFinal(&ctx_tmp,(unsigned char *)buf->data, (unsigned int *)&buf->length,si->pkey)) @@ -783,7 +785,14 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n"); os=si->enc_digest; pkey = X509_get_pubkey(x509); + if (!pkey) + { + ret = -1; + goto err; + } +#ifndef NO_DSA if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1(); +#endif i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey); EVP_PKEY_free(pkey); diff --git a/lib/libssl/src/crypto/pkcs7/pk7_mime.c b/lib/libssl/src/crypto/pkcs7/pk7_mime.c index 994473c0bd3..086d3942701 100644 --- a/lib/libssl/src/crypto/pkcs7/pk7_mime.c +++ b/lib/libssl/src/crypto/pkcs7/pk7_mime.c @@ -165,9 +165,9 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) } bound[32] = 0; BIO_printf(bio, "MIME-Version: 1.0\n"); - BIO_printf(bio, "Content-Type: multipart/signed ; "); - BIO_printf(bio, "protocol=\"application/x-pkcs7-signature\" ; "); - BIO_printf(bio, "micalg=sha1 ; boundary=\"----%s\"\n\n", bound); + BIO_printf(bio, "Content-Type: multipart/signed;"); + BIO_printf(bio, " protocol=\"application/x-pkcs7-signature\";"); + BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"\n\n", bound); BIO_printf(bio, "This is an S/MIME signed message\n\n"); /* Now write out the first part */ BIO_printf(bio, "------%s\n", bound); diff --git a/lib/libssl/src/crypto/pkcs7/pk7_smime.c b/lib/libssl/src/crypto/pkcs7/pk7_smime.c index d716f9faeba..3d3214f5eee 100644 --- a/lib/libssl/src/crypto/pkcs7/pk7_smime.c +++ b/lib/libssl/src/crypto/pkcs7/pk7_smime.c @@ -153,7 +153,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, PKCS7_SIGNER_INFO *si; X509_STORE_CTX cert_ctx; char buf[4096]; - int i, j=0, k; + int i, j=0, k, ret = 0; BIO *p7bio; BIO *tmpout; 
@@ -258,18 +258,15 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, } } - sk_X509_free(signers); - if(indata) BIO_pop(p7bio); - BIO_free_all(p7bio); - - return 1; + ret = 1; err: + if(indata) BIO_pop(p7bio); + BIO_free_all(p7bio); sk_X509_free(signers); - BIO_free(p7bio); - return 0; + return ret; } STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) diff --git a/lib/libssl/src/crypto/rand/Makefile.ssl b/lib/libssl/src/crypto/rand/Makefile.ssl index 5f6199a35fd..707eaac6786 100644 --- a/lib/libssl/src/crypto/rand/Makefile.ssl +++ b/lib/libssl/src/crypto/rand/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/rand/md_rand.c b/lib/libssl/src/crypto/rand/md_rand.c index d167dea77db..567838f6c33 100644 --- a/lib/libssl/src/crypto/rand/md_rand.c +++ b/lib/libssl/src/crypto/rand/md_rand.c @@ -482,12 +482,12 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) unpredictable */ static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) { - int ret, err; + int ret; ret = RAND_bytes(buf, num); if (ret == 0) { - err = ERR_peek_error(); + long err = ERR_peek_error(); if (ERR_GET_LIB(err) == ERR_LIB_RAND && ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED) (void)ERR_get_error(); diff --git a/lib/libssl/src/crypto/rand/rand.h b/lib/libssl/src/crypto/rand/rand.h index eb9c8c034de..9c6052733e1 100644 --- a/lib/libssl/src/crypto/rand/rand.h +++ b/lib/libssl/src/crypto/rand/rand.h @@ -59,6 +59,8 @@ #ifndef HEADER_RAND_H #define HEADER_RAND_H +#include <stdlib.h> + #ifdef __cplusplus extern "C" { #endif 
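Review bot: In ssleay_rand_pseudo_bytes() (md_rand.c) the error code is now held in a `long`, but ERR_peek_error() returns `unsigned long` and the value goes straight into ERR_GET_LIB() and ERR_GET_REASON(). Declaring it as `unsigned long err = ERR_peek_error();` keeps the packed code unsigned throughout and avoids a sign conversion before the shifts and masks in those macros.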
@@ -89,7 +91,7 @@ void RAND_seed(const void *buf,int num); void RAND_add(const void *buf,int num,double entropy); int RAND_load_file(const char *file,long max_bytes); int RAND_write_file(const char *file); -const char *RAND_file_name(char *file,int num); +const char *RAND_file_name(char *file,size_t num); int RAND_status(void); int RAND_egd(const char *path); int RAND_egd_bytes(const char *path,int bytes); diff --git a/lib/libssl/src/crypto/rand/rand_egd.c b/lib/libssl/src/crypto/rand/rand_egd.c index 02a0d86fa33..79b5e6fa57f 100644 --- a/lib/libssl/src/crypto/rand/rand_egd.c +++ b/lib/libssl/src/crypto/rand/rand_egd.c @@ -74,7 +74,14 @@ int RAND_egd_bytes(const char *path,int bytes) #include OPENSSL_UNISTD #include <sys/types.h> #include <sys/socket.h> +#ifndef NO_SYS_UN_H #include <sys/un.h> +#else +struct sockaddr_un { + short sun_family; /* AF_UNIX */ + char sun_path[108]; /* path name (gag) */ +}; +#endif /* NO_SYS_UN_H */ #include <string.h> #ifndef offsetof diff --git a/lib/libssl/src/crypto/rand/rand_win.c b/lib/libssl/src/crypto/rand/rand_win.c index 9f2dcff9a92..3d137badd0e 100644 --- a/lib/libssl/src/crypto/rand/rand_win.c +++ b/lib/libssl/src/crypto/rand/rand_win.c @@ -570,14 +570,15 @@ static void readtimer(void) DWORD w; LARGE_INTEGER l; static int have_perfc = 1; -#ifndef __GNUC__ +#ifdef _MSC_VER static int have_tsc = 1; DWORD cyclecount; if (have_tsc) { __try { __asm { - rdtsc + _emit 0x0f + _emit 0x31 mov cyclecount, eax } RAND_add(&cyclecount, sizeof(cyclecount), 1); @@ -725,8 +726,9 @@ int RAND_poll(void) #ifdef DEVRANDOM return 1; -#endif +#else return 0; +#endif } #endif diff --git a/lib/libssl/src/crypto/rand/randfile.c b/lib/libssl/src/crypto/rand/randfile.c index 663a36cb701..f4376cf8cc5 100644 --- a/lib/libssl/src/crypto/rand/randfile.c +++ b/lib/libssl/src/crypto/rand/randfile.c @@ -73,7 +73,7 @@ # include <sys/stat.h> #endif -#include <openssl/e_os.h> +#include "openssl/e_os.h" #include <openssl/crypto.h> #include <openssl/rand.h> 
@@ -83,6 +83,9 @@ /* #define RFILE ".rnd" - defined in ../../e_os.h */ +/* Note that these functions are intended for seed files only. + * Entropy devices and EGD sockets are handled in rand_unix.c */ + int RAND_load_file(const char *file, long bytes) { /* If bytes >= 0, read up to 'bytes' bytes. @@ -213,7 +216,7 @@ err: return (rand_err ? -1 : ret); } -const char *RAND_file_name(char *buf, int size) +const char *RAND_file_name(char *buf, size_t size) { char *s = NULL; char *ret=NULL; @@ -239,6 +242,8 @@ const char *RAND_file_name(char *buf, int size) strlcat(buf,RFILE,size); ret=buf; } + else + buf[0] = '\0'; /* no file name */ } #ifdef DEVRANDOM @@ -257,3 +262,4 @@ const char *RAND_file_name(char *buf, int size) #endif return(ret); } + diff --git a/lib/libssl/src/crypto/rc2/Makefile.ssl b/lib/libssl/src/crypto/rc2/Makefile.ssl index 9e94051cd7b..39813d68be0 100644 --- a/lib/libssl/src/crypto/rc2/Makefile.ssl +++ b/lib/libssl/src/crypto/rc2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/rc4/Makefile.ssl b/lib/libssl/src/crypto/rc4/Makefile.ssl index 8d2a795c22a..e75858d3b92 100644 --- a/lib/libssl/src/crypto/rc4/Makefile.ssl +++ b/lib/libssl/src/crypto/rc4/Makefile.ssl @@ -47,7 +47,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/lib/libssl/src/crypto/rc5/Makefile.ssl b/lib/libssl/src/crypto/rc5/Makefile.ssl index 5a54a162bae..c8ee124776b 100644 --- a/lib/libssl/src/crypto/rc5/Makefile.ssl +++ b/lib/libssl/src/crypto/rc5/Makefile.ssl @@ -44,7 +44,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf 
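Review bot: The new `else` branch in RAND_file_name writes `buf[0] = '\0'` without checking that `size` is non-zero, so a caller passing a zero-length buffer gets a one-byte write past it; the guard should be `else if (size > 0) buf[0] = '\0';`. The condition this `else` belongs to is above the hunk, but it presumably fails whenever the name does not fit in `size`, which includes `size == 0`. Since `size` becomes a `size_t` in the preceding hunk, a negative length from an old caller now arrives as a very large value. The function comment should therefore say that `size` must be the real capacity of `buf`.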
diff --git a/lib/libssl/src/crypto/ripemd/Makefile.ssl b/lib/libssl/src/crypto/ripemd/Makefile.ssl index de01a953ec6..1550c32ca1b 100644 --- a/lib/libssl/src/crypto/ripemd/Makefile.ssl +++ b/lib/libssl/src/crypto/ripemd/Makefile.ssl @@ -42,7 +42,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/lib/libssl/src/crypto/rsa/Makefile.ssl b/lib/libssl/src/crypto/rsa/Makefile.ssl index c159eedafed..2bee181d4e8 100644 --- a/lib/libssl/src/crypto/rsa/Makefile.ssl +++ b/lib/libssl/src/crypto/rsa/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/rsa/rsa_eay.c b/lib/libssl/src/crypto/rsa/rsa_eay.c index ccaa62b2392..cde5ca27d50 100644 --- a/lib/libssl/src/crypto/rsa/rsa_eay.c +++ b/lib/libssl/src/crypto/rsa/rsa_eay.c @@ -141,9 +141,26 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from, if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) { - if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_n == NULL) + { + rsa->_method_mod_n = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 
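Review bot: In RSA_eay_public_encrypt the outer test `rsa->_method_mod_n == NULL` and the first inner re-test are made without holding CRYPTO_LOCK_RSA. A thread that sees a non-NULL pointer therefore uses the Montgomery context with no synchronisation against the thread that published it. That is presumably fine where pointer stores are atomic and become visible only after `BN_MONT_CTX_set()` has finished, but nothing in the hunk guarantees this ordering on weakly ordered multiprocessors. I would at least record the assumption at the locked assignment: `/* _method_mod_n is read unlocked elsewhere; relies on this store becoming visible only after the context is fully set up */`. The same block is repeated for `_method_mod_n` in RSA_eay_public_decrypt and for `_method_mod_p`/`_method_mod_q` in RSA_eay_mod_exp (the next two hunks), so the remark applies to all four copies.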
@@ -378,9 +395,26 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from, /* do the decrypt */ if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) { - if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_n == NULL) + { + rsa->_method_mod_n = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, 
@@ -433,20 +467,53 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) { if (rsa->_method_mod_p == NULL) { - if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p, - ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_p == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_p == NULL) + { + rsa->_method_mod_p = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } + if (rsa->_method_mod_q == NULL) { - if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q, - ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_q == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_q == NULL) + { + rsa->_method_mod_q = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } } - + if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; if (!meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, rsa->_method_mod_q)) goto err; diff --git a/lib/libssl/src/crypto/rsa/rsa_lib.c b/lib/libssl/src/crypto/rsa/rsa_lib.c index 5e1e8fcdf33..94395cc22c8 100644 --- a/lib/libssl/src/crypto/rsa/rsa_lib.c +++ b/lib/libssl/src/crypto/rsa/rsa_lib.c 
@@ -191,13 +191,13 @@ RSA *RSA_new_method(ENGINE *engine) ret->blinding=NULL; ret->bignum_data=NULL; ret->flags=meth->flags; + CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data); if ((meth->init != NULL) && !meth->init(ret)) { + CRYPTO_free_ex_data(rsa_meth,ret,&ret->ex_data); OPENSSL_free(ret); ret=NULL; } - else - CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data); return(ret); } @@ -221,13 +221,13 @@ void RSA_free(RSA *r) } #endif - CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data); - meth = ENGINE_get_RSA(r->engine); if (meth->finish != NULL) meth->finish(r); ENGINE_finish(r->engine); + CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data); + if (r->n != NULL) BN_clear_free(r->n); if (r->e != NULL) BN_clear_free(r->e); if (r->d != NULL) BN_clear_free(r->d); @@ -325,7 +325,7 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) BN_CTX_start(ctx); A = BN_CTX_get(ctx); - if (!BN_rand(A,BN_num_bits(rsa->n)-1,1,0)) goto err; + if (!BN_rand_range(A,rsa->n)) goto err; if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; if (!ENGINE_get_RSA(rsa->engine)->bn_mod_exp(A,A, diff --git a/lib/libssl/src/crypto/sha/Makefile.ssl b/lib/libssl/src/crypto/sha/Makefile.ssl index 72acd8f0462..790e572fa29 100644 --- a/lib/libssl/src/crypto/sha/Makefile.ssl +++ b/lib/libssl/src/crypto/sha/Makefile.ssl @@ -42,7 +42,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/lib/libssl/src/crypto/sha/asm/sha1-586.pl b/lib/libssl/src/crypto/sha/asm/sha1-586.pl index 09df993ecd4..fe51fd07945 100644 --- a/lib/libssl/src/crypto/sha/asm/sha1-586.pl +++ b/lib/libssl/src/crypto/sha/asm/sha1-586.pl @@ -317,7 +317,7 @@ sub BODY_60_79 sub sha1_block_host { - local($name)=@_; + local($name, $sclabel)=@_; &function_begin_B($name,""); @@ -352,7 +352,7 @@ sub sha1_block_host &mov(&swtmp($i+0),$A); &mov(&swtmp($i+1),$B); } - &jmp(&label("shortcut")); + &jmp($sclabel); &function_end_B($name); } 
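Review bot: In RSA_blinding_on, `BN_rand_range(A,rsa->n)` draws A from 0 <= A < n, so A can in principle be 0 or share a factor with n. The only protection is that `BN_mod_inverse` on the next line should then fail and take `goto err`. That outcome is right but implicit, and worth one line so the check is not later reordered or its result ignored: `/* A is uniform in [0,n); a non-invertible A is rejected by BN_mod_inverse below */`. The function starts and ends outside the hunk.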
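Review bot: `sha1_block_host` jumps to whatever arrives in `$sclabel` (the `&jmp($sclabel)` in the next hunk) without checking that it was passed. A caller still using the old one-argument form would presumably emit a jump with no target instead of failing at generation time. A guard right after the argument unpacking would catch that: `die "sha1_block_host: no shortcut label" unless defined($sclabel);`. The body of the sub runs beyond both hunks.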
@@ -529,10 +529,12 @@ sub sha1_block_data &pop("esi"); &ret(); - # it has to reside within sha1_block_asm_host_order body - # because it calls &jmp(&label("shortcut")); - &sha1_block_host("sha1_block_asm_host_order"); + # keep a note of shortcut label so it can be used outside + # block. + my $sclabel = &label("shortcut"); &function_end_B($name); + # Putting this here avoids problems with MASM in debugging mode + &sha1_block_host("sha1_block_asm_host_order", $sclabel); } diff --git a/lib/libssl/src/crypto/stack/Makefile.ssl b/lib/libssl/src/crypto/stack/Makefile.ssl index 86ed9287503..c916fd54516 100644 --- a/lib/libssl/src/crypto/stack/Makefile.ssl +++ b/lib/libssl/src/crypto/stack/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/txt_db/Makefile.ssl b/lib/libssl/src/crypto/txt_db/Makefile.ssl index cb54d533234..ee054e91f26 100644 --- a/lib/libssl/src/crypto/txt_db/Makefile.ssl +++ b/lib/libssl/src/crypto/txt_db/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/x509/Makefile.ssl b/lib/libssl/src/crypto/x509/Makefile.ssl index 46196937334..79f09d4f713 100644 --- a/lib/libssl/src/crypto/x509/Makefile.ssl +++ b/lib/libssl/src/crypto/x509/Makefile.ssl @@ -49,7 +49,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/x509/by_dir.c b/lib/libssl/src/crypto/x509/by_dir.c index cac64a6f404..448bd7e69cc 100644 --- a/lib/libssl/src/crypto/x509/by_dir.c +++ b/lib/libssl/src/crypto/x509/by_dir.c 
@@ -327,7 +327,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, * it out again */ CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE); j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp); - if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,i); + if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j); else tmp = NULL; CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE); diff --git a/lib/libssl/src/crypto/x509/x509_cmp.c b/lib/libssl/src/crypto/x509/x509_cmp.c index b147d573d2f..3f9f9b3d472 100644 --- a/lib/libssl/src/crypto/x509/x509_cmp.c +++ b/lib/libssl/src/crypto/x509/x509_cmp.c @@ -199,19 +199,13 @@ unsigned long X509_NAME_hash(X509_NAME *x) { unsigned long ret=0; unsigned char md[16]; - unsigned char str[256],*p,*pp; - int i; - - i=i2d_X509_NAME(x,NULL); - if (i > sizeof(str)) - p=OPENSSL_malloc(i); - else - p=str; - pp=p; - i2d_X509_NAME(x,&pp); - MD5((unsigned char *)p,i,&(md[0])); - if (p != str) OPENSSL_free(p); + /* Ensure cached version is up to date */ + i2d_X509_NAME(x,NULL); + /* Use cached encoding directly rather than copying: this should + * keep libsafe happy. + */ + MD5((unsigned char *)x->bytes->data,x->bytes->length,&(md[0])); ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) diff --git a/lib/libssl/src/crypto/x509v3/Makefile.ssl b/lib/libssl/src/crypto/x509v3/Makefile.ssl index f7c3a6ca138..236e13af4e6 100644 --- a/lib/libssl/src/crypto/x509v3/Makefile.ssl +++ b/lib/libssl/src/crypto/x509v3/Makefile.ssl @@ -43,7 +43,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/crypto/x509v3/v3_alt.c b/lib/libssl/src/crypto/x509v3/v3_alt.c index 733919f2507..94bebcd4480 100644 --- a/lib/libssl/src/crypto/x509v3/v3_alt.c +++ b/lib/libssl/src/crypto/x509v3/v3_alt.c 
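Review bot: In X509_NAME_hash the return value of `i2d_X509_NAME(x,NULL)` is discarded, so if re-encoding fails the MD5 is computed over whatever `x->bytes` currently holds, possibly a stale encoding, and `x->bytes->data` is dereferenced without any check. Since the function has no error channel, the least surprising fix is to bail out with the initial value: `if (i2d_X509_NAME(x,NULL) < 0) return ret;`. The negative-on-error convention should be confirmed against the i2d implementation, which is not visible here. The tail of the function is outside the hunk.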
@@ -270,7 +270,7 @@ static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens) /* Now add any email address(es) to STACK */ i = -1; while((i = X509_NAME_get_index_by_NID(nm, - NID_pkcs9_emailAddress, i)) > 0) { + NID_pkcs9_emailAddress, i)) >= 0) { ne = X509_NAME_get_entry(nm, i); email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne)); if(!email || !(gen = GENERAL_NAME_new())) { diff --git a/lib/libssl/src/crypto/x509v3/v3_prn.c b/lib/libssl/src/crypto/x509v3/v3_prn.c index dbc4fb1f160..14b804c4ad3 100644 --- a/lib/libssl/src/crypto/x509v3/v3_prn.c +++ b/lib/libssl/src/crypto/x509v3/v3_prn.c @@ -85,9 +85,16 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml) else BIO_printf(out, "%s:%s", nval->name, nval->value); #else else { - char tmp[10240]; /* 10k is BIO_printf's limit anyway */ - ascii2ebcdic(tmp, nval->value, strlen(nval->value)+1); - BIO_printf(out, "%s:%s", nval->name, tmp); + int len; + char *tmp; + len = strlen(nval->value)+1; + tmp = OPENSSL_malloc(len); + if (tmp) + { + ascii2ebcdic(tmp, nval->value, len); + BIO_printf(out, "%s:%s", nval->name, tmp); + OPENSSL_free(tmp); + } } #endif if(ml) BIO_puts(out, "\n"); @@ -115,9 +122,16 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent) BIO_printf(out, "%*s%s", indent, "", value); #else { - char tmp[10240]; /* 10k is BIO_printf's limit anyway */ - ascii2ebcdic(tmp, value, strlen(value)+1); - BIO_printf(out, "%*s%s", indent, "", tmp); + int len; + char *tmp; + len = strlen(value)+1; + tmp = OPENSSL_malloc(len); + if (tmp) + { + ascii2ebcdic(tmp, value, len); + BIO_printf(out, "%*s%s", indent, "", tmp); + OPENSSL_free(tmp); + } } #endif } else if(method->i2v) { diff --git a/lib/libssl/src/crypto/x509v3/v3_purp.c b/lib/libssl/src/crypto/x509v3/v3_purp.c index 867699b26f3..8aecd00e632 100644 --- a/lib/libssl/src/crypto/x509v3/v3_purp.c +++ b/lib/libssl/src/crypto/x509v3/v3_purp.c 
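Review bot: In the v3_prn.c hunks, a failed `OPENSSL_malloc(len)` skips the `if (tmp)` block and the value is silently left out of the output. On this EBCDIC path a low-memory condition thus yields an extension dump that looks complete but is missing data. In X509V3_EXT_val_prn, which returns void, I would make the gap visible with `else BIO_printf(out, "%s:<unavailable>", nval->name);`. In X509V3_EXT_print (second hunk) the `else` should instead report failure through the function's int return, whose cleanup path lies outside the hunk. Both function bodies extend beyond what is shown.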
@@ -362,6 +362,8 @@ static int ca_check(const X509 *x) else return 0; } else { if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; + /* If key usage present it must have certSign so tolerate it */ + else if (x->ex_flags & EXFLAG_KUSAGE) return 3; else return 2; } } @@ -380,7 +382,7 @@ static int check_ssl_ca(const X509 *x) if(ca_ret != 2) return ca_ret; else return 0; } - + static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) { @@ -446,7 +448,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c int ret; ret = purpose_smime(x, ca); if(!ret || ca) return ret; - if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0; + if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0; return ret; } diff --git a/lib/libssl/src/doc/apps/pkcs12.pod b/lib/libssl/src/doc/apps/pkcs12.pod index c4009998b8a..7e0307dda0b 100644 --- a/lib/libssl/src/doc/apps/pkcs12.pod +++ b/lib/libssl/src/doc/apps/pkcs12.pod 
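Review bot: The added `else if (x->ex_flags & EXFLAG_KUSAGE) return 3;` in ca_check lets a certificate with no basicConstraints pass as a possible CA merely because a keyUsage extension exists, and `check_ssl_ca` in the next hunk's context returns any result other than 2 unchanged. The comment's claim that certSign must be set depends on a keyUsage test earlier in `ca_check`, which is above this hunk and cannot be confirmed from here. I would spell the dependency out so the branch is not moved or copied without it: `/* no basicConstraints: tolerated only because the keyCertSign test earlier in this function has already passed */`.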
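Review bot: In check_purpose_smime_sign, passing `KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION` to `ku_reject` reads as though both bits were required, while the intent appears to be that either one is enough. Which of the two holds depends on `ku_reject` rejecting only when none of the given bits is set, and that macro is not visible in this diff. A one-line comment removes the ambiguity for the next reader: `/* accept if digitalSignature or nonRepudiation is asserted */`.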
@@ -304,6 +304,26 @@ Include some extra certificates: Some would argue that the PKCS#12 standard is one big bug :-) +Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation +routines. Under rare circumstances this could produce a PKCS#12 file encrypted +with an invalid key. As a result some PKCS#12 files which triggered this bug +from other implementations (MSIE or Netscape) could not be decrypted +by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could +not be decrypted by other implementations. The chances of producing such +a file are relatively small: less than 1 in 256. + +A side effect of fixing this bug is that any old invalidly encrypted PKCS#12 +files cannot no longer be parsed by the fixed version. Under such circumstances +the B<pkcs12> utility will report that the MAC is OK but fail with a decryption +error when extracting private keys. + +This problem can be resolved by extracting the private keys and certificates +from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12 +file from the keys and certificates using a newer version of OpenSSL. For example: + + old-openssl -in bad.p12 -out keycerts.pem + openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12 + =head1 SEE ALSO L<pkcs8(1)|pkcs8(1)> diff --git a/lib/libssl/src/doc/apps/s_client.pod b/lib/libssl/src/doc/apps/s_client.pod index 9df1c07fb79..078ff086c39 100644 --- a/lib/libssl/src/doc/apps/s_client.pod +++ b/lib/libssl/src/doc/apps/s_client.pod @@ -32,6 +32,7 @@ B<openssl> B<s_client> [B<-no_tls1>] [B<-bugs>] [B<-cipher cipherlist>] +[B<-rand file(s)>] [B<-engine id>] =head1 DESCRIPTION 
@@ -157,6 +158,14 @@ the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the B<ciphers> command for more information. +=item B<-rand file(s)> + +a file or files containing random data used to seed the random number +generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). +Multiple files can be specified separated by a OS-dependent character. +The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for +all others. + =item B<-engine id> specifying an engine (by it's unique B<id> string) will cause B<s_client> diff --git a/lib/libssl/src/doc/apps/s_server.pod b/lib/libssl/src/doc/apps/s_server.pod index 3a5bf46e284..419383b55db 100644 --- a/lib/libssl/src/doc/apps/s_server.pod +++ b/lib/libssl/src/doc/apps/s_server.pod @@ -39,6 +39,7 @@ B<openssl> B<s_client> [B<-hack>] [B<-www>] [B<-WWW>] +[B<-rand file(s)>] [B<-engine id>] =head1 DESCRIPTION @@ -95,7 +96,7 @@ using a set of DH parameters. If not specified then an attempt is made to load the parameters from the server certificate file. If this fails then a static set of parameters hard coded into the s_server program will be used. -=item B<-nodhe> +=item B<-no_dhe> if this option is set then no DH parameters will be loaded effectively disabling the ephemeral DH cipher suites. @@ -187,6 +188,14 @@ emulates a simple web server. Pages will be resolved relative to the current directory, for example if the URL https://myhost/page.html is requested the file ./page.html will be loaded. +=item B<-rand file(s)> + +a file or files containing random data used to seed the random number +generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). +Multiple files can be specified separated by a OS-dependent character. +The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for +all others. + =item B<-engine id> specifying an engine (by it's unique B<id> string) will cause B<s_server> 
diff --git a/lib/libssl/src/doc/crypto/BN_rand.pod b/lib/libssl/src/doc/crypto/BN_rand.pod index f2345538531..5406552ba48 100644 --- a/lib/libssl/src/doc/crypto/BN_rand.pod +++ b/lib/libssl/src/doc/crypto/BN_rand.pod @@ -12,24 +12,31 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_rand_range(BIGNUM *rnd, BIGNUM *range); + =head1 DESCRIPTION BN_rand() generates a cryptographically strong pseudo-random number of -B<bits> bits in length and stores it in B<rnd>. If B<top> is true, the -two most significant bits of the number will be set to 1, so that the -product of two such random numbers will always have 2*B<bits> length. -If B<bottom> is true, the number will be odd. +B<bits> bits in length and stores it in B<rnd>. If B<top> is -1, the +most significant bit of the random number can be zero. If B<top> is 0, +it is set to 1, and if B<top> is 1, the two most significant bits of +the number will be set to 1, so that the product of two such random +numbers will always have 2*B<bits> length. If B<bottom> is true, the +number will be odd. BN_pseudo_rand() does the same, but pseudo-random numbers generated by this function are not necessarily unpredictable. They can be used for non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation etc. -The PRNG must be seeded prior to calling BN_rand(). +BN_rand_range() generates a cryptographically strong pseudo-random +number B<rnd> in the range 0 <lt>= B<rnd> E<lt> B<range>. + +The PRNG must be seeded prior to calling BN_rand() or BN_rand_range(). =head1 RETURN VALUES -BN_rand() and BN_pseudo_rand() return 1 on success, 0 on error. +The functions return 1 on success, 0 on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO 
@@ -40,6 +47,7 @@ L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)> =head1 HISTORY BN_rand() is available in all versions of SSLeay and OpenSSL. -BN_pseudo_rand() was added in OpenSSL 0.9.5. +BN_pseudo_rand() was added in OpenSSL 0.9.5. The B<top> == -1 case +and the function BN_rand_range() were added in OpenSSL 0.9.6a. =cut diff --git a/lib/libssl/src/doc/crypto/RAND_egd.pod b/lib/libssl/src/doc/crypto/RAND_egd.pod index 40241e2df8e..71cab3ca04a 100644 --- a/lib/libssl/src/doc/crypto/RAND_egd.pod +++ b/lib/libssl/src/doc/crypto/RAND_egd.pod @@ -9,10 +9,30 @@ RAND_egd - query entropy gathering daemon #include <openssl/rand.h> int RAND_egd(const char *path); + int RAND_egd_bytes(const char *path, int bytes); =head1 DESCRIPTION RAND_egd() queries the entropy gathering daemon EGD on socket B<path>. +It queries 255 bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the +OpenSSL built-in PRNG. RAND_egd(path) is a wrapper for +RAND_egd_bytes(path, 255); + +RAND_egd_bytes() queries the entropy gathering daemon EGD on socket B<path>. +It queries B<bytes> bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the +OpenSSL built-in PRNG. +This function is more flexible than RAND_egd(). +When only one secret key must +be generated, it is not necessary to request the full amount 255 bytes from +the EGD socket. This can be advantageous, since the amount of entropy +that can be retrieved from EGD over time is limited. + +=head1 NOTES + +On systems without /dev/*random devices providing entropy from the kernel, +the EGD entropy gathering daemon can be used to collect entropy. It provides +a socket interface through which entropy can be gathered in chunks up to +255 bytes. Several chunks can be queried during one connection. EGD is available from http://www.lothar.com/tech/crypto/ (C<perl Makefile.PL; make; make install> to install). It is run as B<egd> 
@@ -21,22 +41,27 @@ RAND_egd() is called with that path as an argument, it tries to read random bytes that EGD has collected. The read is performed in non-blocking mode. -Alternatively, the EGD-compatible daemon PRNGD can be used. It is +Alternatively, the EGD-interface compatible daemon PRNGD can be used. It is available from http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html . +PRNGD does employ an internal PRNG itself and can therefore never run +out of entropy. =head1 RETURN VALUE -RAND_egd() returns the number of bytes read from the daemon on -success, and -1 if the connection failed or the daemon did not return -enough data to fully seed the PRNG. +RAND_egd() and RAND_egd_bytes() return the number of bytes read from the +daemon on success, and -1 if the connection failed or the daemon did not +return enough data to fully seed the PRNG. =head1 SEE ALSO -L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)> +L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, +L<RAND_cleanup(3)|RAND_cleanup(3)> =head1 HISTORY RAND_egd() is available since OpenSSL 0.9.5. +RAND_egd_bytes() is available since OpenSSL 0.9.6. + =cut diff --git a/lib/libssl/src/doc/crypto/RAND_load_file.pod b/lib/libssl/src/doc/crypto/RAND_load_file.pod index 8dd700ca3d4..d8c134e621d 100644 --- a/lib/libssl/src/doc/crypto/RAND_load_file.pod +++ b/lib/libssl/src/doc/crypto/RAND_load_file.pod @@ -8,7 +8,7 @@ RAND_load_file, RAND_write_file, RAND_file_name - PRNG seed file #include <openssl/rand.h> - const char *RAND_file_name(char *buf, int num); + const char *RAND_file_name(char *buf, size_t num); int RAND_load_file(const char *filename, long max_bytes); diff --git a/lib/libssl/src/doc/crypto/bn.pod b/lib/libssl/src/doc/crypto/bn.pod index 1504a1c92df..d183028d612 100644 --- a/lib/libssl/src/doc/crypto/bn.pod +++ b/lib/libssl/src/doc/crypto/bn.pod 
@@ -60,6 +60,7 @@ bn - multiprecision integer arithmetics int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_rand_range(BIGNUM *rnd, BIGNUM *range); BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); diff --git a/lib/libssl/src/doc/crypto/evp.pod b/lib/libssl/src/doc/crypto/evp.pod index f089dd49a21..edf47dbde66 100644 --- a/lib/libssl/src/doc/crypto/evp.pod +++ b/lib/libssl/src/doc/crypto/evp.pod @@ -10,7 +10,7 @@ evp - high-level cryptographic functions =head1 DESCRIPTION -The EVP library provided a high-level interface to cryptographic +The EVP library provides a high-level interface to cryptographic functions. B<EVP_Seal>I<...> and B<EVP_Open>I<...> provide public key encryption diff --git a/lib/libssl/src/doc/crypto/rand.pod b/lib/libssl/src/doc/crypto/rand.pod index 295b6810505..9545f0e1095 100644 --- a/lib/libssl/src/doc/crypto/rand.pod +++ b/lib/libssl/src/doc/crypto/rand.pod @@ -8,17 +8,17 @@ rand - pseudo-random number generator #include <openssl/rand.h> - int RAND_bytes(unsigned char *buf,int num); - int RAND_pseudo_bytes(unsigned char *buf,int num); + int RAND_bytes(unsigned char *buf, int num); + int RAND_pseudo_bytes(unsigned char *buf, int num); - void RAND_seed(const void *buf,int num); - void RAND_add(const void *buf,int num,int entropy); + void RAND_seed(const void *buf, int num); + void RAND_add(const void *buf, int num, int entropy); int RAND_status(void); void RAND_screen(void); - int RAND_load_file(const char *file,long max_bytes); + int RAND_load_file(const char *file, long max_bytes); int RAND_write_file(const char *file); - const char *RAND_file_name(char *file,int num); + const char *RAND_file_name(char *file, size_t num); int RAND_egd(const char *path); 
diff --git a/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod b/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod index 7fea14ee686..4b91c63ba0d 100644 --- a/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod +++ b/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod @@ -2,8 +2,7 @@ =head1 NAME -SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, -SSL_CIPHER_description - get SSL_CIPHER properties +SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_description - get SSL_CIPHER properties =head1 SYNOPSIS @@ -29,9 +28,10 @@ SSL_CIPHER_get_version() returns the protocol version for B<cipher>, currently SSL_CIPHER_description() returns a textual description of the cipher used into the buffer B<buf> of length B<len> provided. B<len> must be at least -128 bytes, otherwise the string "Buffer too small" is returned. If B<buf> -is NULL, a buffer of 128 bytes is allocated using OPENSSL_malloc(). If the -allocation fails, the string "OPENSSL_malloc Error" is returned. +128 bytes, otherwise a pointer to the the string "Buffer too small" is +returned. If B<buf> is NULL, a buffer of 128 bytes is allocated using +OPENSSL_malloc(). If the allocation fails, a pointer to the string +"OPENSSL_malloc Error" is returned. =head1 NOTES 
@@ -40,11 +40,66 @@ export cipher like e.g. EXP-RC4-MD5 has only 40 secret bits. The algorithm does use the full 128 bits (which would be returned for B<alg_bits>), of which however 88bits are fixed. The search space is hence only 40 bits. +The string returned by SSL_CIPHER_description() in case of success consists +of cleartext information separated by one or more blanks in the following +sequence: + +=over 4 + +=item <ciphername> + +Textual representation of the cipher name. + +=item <protocol version> + +Protocol version: B<SSLv2>, B<SSLv3>. The TLSv1 ciphers are flagged with SSLv3. + +=item Kx=<key exchange> + +Key exchange method: B<RSA> (for export ciphers as B<RSA(512)> or +B<RSA(1024)>), B<DH> (for export ciphers as B<DH(512)> or B<DH(1024)>), +B<DH/RSA>, B<DH/DSS>, B<Fortezza>. + +=item Au=<authentication> + +Authentication method: B<RSA>, B<DSS>, B<DH>, B<None>. None is the +representation of anonymous ciphers. + +=item Enc=<symmetric encryption method> + +Encryption method with number of secret bits: B<DES(40)>, B<DES(56)>, +B<3DES(168)>, B<RC4(40)>, B<RC4(56)>, B<RC4(64)>, B<RC4(128)>, +B<RC2(40)>, B<RC2(56)>, B<RC2(128)>, B<IDEA(128)>, B<Fortezza>, B<None>. + +=item Mac=<message authentication code> + +Message digest: B<MD5>, B<SHA1>. + +=item <export flag> + +If the cipher is flagged exportable with respect to old US crypto +regulations, the word "B<export>" is printed. + +=back + +=head1 EXAMPLES + +Some examples for the output of SSL_CIPHER_description(): + + EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 + EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 + RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 + EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export + =head1 BUGS If SSL_CIPHER_description() is called with B<cipher> being NULL, the library crashes. +If SSL_CIPHER_description() cannot handle a built-in cipher, the according +description of the cipher property is B<unknown>. 
This case should not +occur. + =head1 RETURN VALUES See DESCRIPTION @@ -52,6 +107,6 @@ See DESCRIPTION =head1 SEE ALSO L<ssl(3)|ssl(3)>, L<SSL_get_current_cipher(3)|SSL_get_current_cipher(3)>, -L<SSL_get_ciphers(3)|SSL_get_ciphers(3)> +L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<ciphers(1)|ciphers(1)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_free.pod b/lib/libssl/src/doc/ssl/SSL_CTX_free.pod index de696724222..c716cde164c 100644 --- a/lib/libssl/src/doc/ssl/SSL_CTX_free.pod +++ b/lib/libssl/src/doc/ssl/SSL_CTX_free.pod @@ -17,7 +17,7 @@ SSL_CTX object pointed to by B<ctx> and frees up the allocated memory if the the reference count has reached 0. It also calls the free()ing procedures for indirectly affected items, if -applicable: the session cacahe, the list of ciphers, the list of Client CAs, +applicable: the session cache, the list of ciphers, the list of Client CAs, the certificates and keys. =head1 RETURN VALUES diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_new.pod b/lib/libssl/src/doc/ssl/SSL_CTX_new.pod index e166c692c35..1dae8b0bdd0 100644 --- a/lib/libssl/src/doc/ssl/SSL_CTX_new.pod +++ b/lib/libssl/src/doc/ssl/SSL_CTX_new.pod @@ -33,9 +33,9 @@ understand SSLv2 client hello messages. =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void) A TLS/SSL connection established with these methods will only understand the -SSLv3 and TLSv1 protocol. A client will send out SSLv3 client hello messages -and will indicate that it also understands TLSv1. A server will only understand -SSLv3 and TLSv1 client hello messages. This especially means, that it will +SSLv3 protocol. A client will send out SSLv3 client hello messages +and will indicate that it only understands SSLv3. A server will only understand +SSLv3 client hello messages. This especially means, that it will not understand SSLv2 client hello messages which are widely used for compatibility reasons, see SSLv23_*_method(). 
@@ -46,7 +46,8 @@ TLSv1 protocol. A client will send out TLSv1 client hello messages and will indicate that it only understands TLSv1. A server will only understand TLSv1 client hello messages. This especially means, that it will not understand SSLv2 client hello messages which are widely used for -compatibility reasons, see SSLv23_*_method(). +compatibility reasons, see SSLv23_*_method(). It will also not understand +SSLv3 client hello messages. =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void) @@ -58,6 +59,10 @@ choice when compatibility is a concern. =back +If a generic method is used, it is necessary to explicitly set client or +server mode with L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> +or SSL_set_accept_state(). + The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the B<SSL_CTX_set_options()> or B<SSL_set_options()> functions. Using these options it is possible to choose @@ -88,6 +93,6 @@ The return value points to an allocated SSL_CTX object. =head1 SEE ALSO L<SSL_CTX_free(3)|SSL_CTX_free(3)>, L<SSL_accept(3)|SSL_accept(3)>, -L<ssl(3)|ssl(3)> +L<ssl(3)|ssl(3)>, L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_set_cipher_list.pod b/lib/libssl/src/doc/ssl/SSL_CTX_set_cipher_list.pod index 272d6b3de28..9a29eeeb955 100644 --- a/lib/libssl/src/doc/ssl/SSL_CTX_set_cipher_list.pod +++ b/lib/libssl/src/doc/ssl/SSL_CTX_set_cipher_list.pod @@ -2,8 +2,7 @@ =head1 NAME -SSL_CTX_set_cipher_list, SSL_set_cipher_list -- choose list of available SSL_CIPHERs +SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPHERs =head1 SYNOPSIS @@ -47,6 +46,7 @@ could be selected and 0 on complete failure. =head1 SEE ALSO L<ssl(3)|ssl(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, +L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>, L<ciphers(1)|ciphers(1)> =cut 
diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_set_ssl_version.pod b/lib/libssl/src/doc/ssl/SSL_CTX_set_ssl_version.pod index 3091bd6895f..00201809655 100644 --- a/lib/libssl/src/doc/ssl/SSL_CTX_set_ssl_version.pod +++ b/lib/libssl/src/doc/ssl/SSL_CTX_set_ssl_version.pod @@ -17,8 +17,8 @@ SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method SSL_CTX_set_ssl_version() sets a new default TLS/SSL B<method> for SSL objects newly created from this B<ctx>. SSL objects already created with -L<SSL_new(3)|SSL_new(3)> are not affected, except when SSL_clear() is -being called. +L<SSL_new(3)|SSL_new(3)> are not affected, except when +L<SSL_clear(3)|SSL_clear(3)> is being called. SSL_set_ssl_method() sets a new TLS/SSL B<method> for a particular B<ssl> object. It may be reset, when SSL_clear() is called. @@ -31,9 +31,9 @@ set in B<ssl>. The available B<method> choices are described in L<SSL_CTX_new(3)|SSL_CTX_new(3)>. -When SSL_clear() is called and no session is connected to an SSL object, -the method of the SSL object is reset to the method currently set in -the corresponding SSL_CTX object. +When L<SSL_clear(3)|SSL_clear(3)> is called and no session is connected to +an SSL object, the method of the SSL object is reset to the method currently +set in the corresponding SSL_CTX object. =head1 RETURN VALUES @@ -55,6 +55,7 @@ The operation succeeded. =head1 SEE ALSO L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<SSL_new(3)|SSL_new(3)>, -L<SSL_clear(3)|SSL_clear(3)>, L<ssl(3)|ssl(3)> +L<SSL_clear(3)|SSL_clear(3)>, L<ssl(3)|ssl(3)>, +L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_accept.pod b/lib/libssl/src/doc/ssl/SSL_accept.pod index 0c79ac515e1..86f980de41b 100644 --- a/lib/libssl/src/doc/ssl/SSL_accept.pod +++ b/lib/libssl/src/doc/ssl/SSL_accept.pod 
@@ -37,6 +37,11 @@ nothing is to be done, but select() can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. +When using a generic method (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>), it +is necessary to call SSL_set_accept_state() +before calling SSL_accept() to explicitly switch the B<ssl> to server +mode. + =head1 RETURN VALUES The following return values can occur: @@ -54,7 +59,7 @@ The TLS/SSL handshake was not successful but was shut down controlled and by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the return value B<ret> to find out the reason. -=item -1 +=item E<lt>0 The TLS/SSL handshake was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. The shutdown was @@ -67,6 +72,8 @@ to find out the reason. =head1 SEE ALSO L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>, -L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)> +L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>, +L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>, +L<SSL_CTX_new(3)|SSL_CTX_new(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_clear.pod b/lib/libssl/src/doc/ssl/SSL_clear.pod index 862fd8291df..8b735d81dcb 100644 --- a/lib/libssl/src/doc/ssl/SSL_clear.pod +++ b/lib/libssl/src/doc/ssl/SSL_clear.pod 
@@ -13,8 +13,17 @@ SSL_clear - reset SSL object to allow another connection =head1 DESCRIPTION Reset B<ssl> to allow another connection. All settings (method, ciphers, -BIOs) are kept. A completely negotiated B<SSL_SESSION> is not freed but left -untouched for the underlying B<SSL_CTX>. +BIOs) are kept. + +=head1 NOTES + +SSL_clear is used to prepare an SSL object for a new connection. While all +settings are kept, a side effect is the handling of the current SSL session. +If a session is still B<open>, it is considered bad and will be removed +from the session cache, as required by RFC2246. A session is considered open, +if L<SSL_shutdown(3)|SSL_shutdown(3)> was not called for the connection +or at least L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> was used to +set the SSL_SENT_SHUTDOWN state. =head1 RETURN VALUES @@ -34,6 +43,7 @@ The SSL_clear() operation was successful. =back L<SSL_new(3)|SSL_new(3)>, L<SSL_free(3)|SSL_free(3)>, -L<ssl(3)|ssl(3)> +L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>, +L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, L<ssl(3)|ssl(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_connect.pod b/lib/libssl/src/doc/ssl/SSL_connect.pod index debe41744f0..bcc167745b8 100644 --- a/lib/libssl/src/doc/ssl/SSL_connect.pod +++ b/lib/libssl/src/doc/ssl/SSL_connect.pod @@ -34,6 +34,11 @@ nothing is to be done, but select() can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. +When using a generic method (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>), it +is necessary to call L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> +before calling SSL_connect() to explicitly switch the B<ssl> to client +mode. + =head1 RETURN VALUES The following return values can occur: 
@@ -51,7 +56,7 @@ The TLS/SSL handshake was not successful but was shut down controlled and by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the return value B<ret> to find out the reason. -=item -1 +=item E<lt>0 The TLS/SSL handshake was not successful, because a fatal error occurred either at the protocol level or a connection failure occurred. The shutdown was @@ -64,6 +69,8 @@ to find out the reason. =head1 SEE ALSO L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_accept(3)|SSL_accept(3)>, -L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)> , L<bio(3)|bio(3)> +L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>, +L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>, +L<SSL_CTX_new(3)|SSL_CTX_new(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_free.pod b/lib/libssl/src/doc/ssl/SSL_free.pod index f3f0c345f8a..2d4f8b6168b 100644 --- a/lib/libssl/src/doc/ssl/SSL_free.pod +++ b/lib/libssl/src/doc/ssl/SSL_free.pod 
@@ -16,18 +16,29 @@ SSL_free() decrements the reference count of B<ssl>, and removes the SSL structure pointed to by B<ssl> and frees up the allocated memory if the the reference count has reached 0. -It also calls the free()ing procedures for indirectly affected items, if +=head1 NOTES + +SSL_free() also calls the free()ing procedures for indirectly affected items, if applicable: the buffering BIO, the read and write BIOs, cipher lists specially created for this B<ssl>, the B<SSL_SESSION>. Do not explicitly free these indirectly freed up items before or after calling SSL_free(), as trying to free things twice may lead to program failure. +The ssl session has reference counts from two users: the SSL object, for +which the reference count is removed by SSL_free() and the internal +session cache. If the session is considered bad, because +L<SSL_shutdown(3)|SSL_shutdown(3)> was not called for the connection +and L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> was not used to set the +SSL_SENT_SHUTDOWN state, the session will also be removed +from the session cache as required by RFC2246. + =head1 RETURN VALUES SSL_free() does not provide diagnostic information. L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>, +L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>, L<ssl(3)|ssl(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_get_error.pod b/lib/libssl/src/doc/ssl/SSL_get_error.pod index d85b5642582..fefaf619369 100644 --- a/lib/libssl/src/doc/ssl/SSL_get_error.pod +++ b/lib/libssl/src/doc/ssl/SSL_get_error.pod 
@@ -14,8 +14,8 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation SSL_get_error() returns a result code (suitable for the C "switch" statement) for a preceding call to SSL_connect(), SSL_accept(), -SSL_read(), or SSL_write() on B<ssl>. The value returned by that -TLS/SSL I/O function must be passed to SSL_get_error() in parameter +SSL_read(), SSL_peek(), or SSL_write() on B<ssl>. The value returned by +that TLS/SSL I/O function must be passed to SSL_get_error() in parameter B<ret>. In addition to B<ssl> and B<ret>, SSL_get_error() inspects the 
@@ -48,16 +48,26 @@ has been closed. =item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE The operation did not complete; the same TLS/SSL I/O function should be -called again later. There will be protocol progress if, by then, the -underlying B<BIO> has data available for reading (if the result code is -B<SSL_ERROR_WANT_READ>) or allows writing data (B<SSL_ERROR_WANT_WRITE>). -For socket B<BIO>s (e.g. when SSL_set_fd() was used) this means that -select() or poll() on the underlying socket can be used to find out -when the TLS/SSL I/O function should be retried. +called again later. If, by then, the underlying B<BIO> has data +available for reading (if the result code is B<SSL_ERROR_WANT_READ>) +or allows writing data (B<SSL_ERROR_WANT_WRITE>), then some TLS/SSL +protocol progress will take place, i.e. at least part of an TLS/SSL +record will be read or written. Note that the retry may again lead to +a B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE> condition. +There is no fixed upper limit for the number of iterations that +may be necessary until progress becomes visible at application +protocol level. + +For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or +poll() on the underlying socket can be used to find out when the +TLS/SSL I/O function should be retried. Caveat: Any TLS/SSL I/O function can lead to either of -B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>, i.e. SSL_read() -may want to write data and SSL_write() may want to read data. +B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>. In particular, +SSL_read() or SSL_peek() may want to write data and SSL_write() may want +to read data. This is mainly because TLS/SSL handshakes may occur at any +time during the protocol (initiated by either the client or the server); +SSL_read(), SSL_peek(), and SSL_write() will handle any pending handshakes. =item SSL_ERROR_WANT_X509_LOOKUP 
diff --git a/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod b/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod index e93e8206faf..390ce0b41b5 100644 --- a/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod +++ b/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod @@ -15,7 +15,7 @@ SSL_get_peer_cert_chain - get the X509 certificate chain of the peer SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates forming the certificate chain of the peer. If called on the client side, the stack also contains the peer's certificate; if called on the server -side, the peer's certificate must be obtained seperately using +side, the peer's certificate must be obtained separately using L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>. If the peer did not present a certificate, NULL is returned. diff --git a/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod b/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod index 79c089aa517..1102c7fba90 100644 --- a/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod +++ b/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod @@ -23,7 +23,7 @@ to check the verification state. The reference count of the X509 object is incremented by one, so that it will not be destroyed when the session containing the peer certificate is -freed. The X509 object must be explicitely freed using X509_free(). +freed. The X509 object must be explicitly freed using X509_free(). =head1 RETURN VALUES diff --git a/lib/libssl/src/doc/ssl/SSL_get_session.pod b/lib/libssl/src/doc/ssl/SSL_get_session.pod index aff41fb9cf6..a0266e2ac63 100644 --- a/lib/libssl/src/doc/ssl/SSL_get_session.pod +++ b/lib/libssl/src/doc/ssl/SSL_get_session.pod 
@@ -16,14 +16,30 @@ SSL_get_session - retrieve TLS/SSL session data SSL_get_session() returns a pointer to the B<SSL_SESSION> actually used in B<ssl>. The reference count of the B<SSL_SESSION> is not incremented, so -that the pointer can become invalid when the B<ssl> is freed and -SSL_SESSION_free() is implicitly called. +that the pointer can become invalid by other operations. SSL_get0_session() is the same as SSL_get_session(). SSL_get1_session() is the same as SSL_get_session(), but the reference count of the B<SSL_SESSION> is incremented by one. +=head1 NOTES + +The ssl session contains all information required to re-establish the +connection without a new handshake. + +SSL_get0_session() returns a pointer to the actual session. As the +reference counter is not incremented, the pointer is only valid while +the connection is in use. If L<SSL_clear(3)|SSL_clear(3)> or +L<SSL_free(3)|SSL_free(3)> is called, the session may be removed completely +(if considered bad), and the pointer obtained will become invalid. Even +if the session is valid, it can be removed at any time due to timeout +during L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>. + +If the data is to be kept, SSL_get1_session() will increment the reference +count and the session will stay in memory until explicitly freed with +L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>, regardless of its state. + =head1 RETURN VALUES The following return values can occur: @@ -43,6 +59,7 @@ The return value points to the data of an SSL session. =head1 SEE ALSO L<ssl(3)|ssl(3)>, L<SSL_free(3)|SSL_free(3)>, +L<SSL_clear(3)|SSL_clear(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod b/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod index 4d66236a05e..e6bac9c35a8 100644 --- a/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod +++ b/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod 
@@ -19,7 +19,7 @@ X509 certificate presented by the peer, if any. SSL_get_verify_result() can only return one error code while the verification of a certificate can fail because of many reasons at the same time. Only -the last verification error that occured during the processing is available +the last verification error that occurred during the processing is available from SSL_get_verify_result(). The verification result is part of the established session and is restored @@ -28,7 +28,7 @@ when a session is reused. =head1 BUGS If no peer certificate was presented, the returned result code is -X509_V_OK. This is because no verification error occured, it does however +X509_V_OK. This is because no verification error occurred, it does however not indicate success. SSL_get_verify_result() is only useful in connection with L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>. diff --git a/lib/libssl/src/doc/ssl/SSL_new.pod b/lib/libssl/src/doc/ssl/SSL_new.pod index 8e8638fa956..3b084e867d0 100644 --- a/lib/libssl/src/doc/ssl/SSL_new.pod +++ b/lib/libssl/src/doc/ssl/SSL_new.pod @@ -37,6 +37,7 @@ The return value points to an allocated SSL structure. =head1 SEE ALSO L<SSL_free(3)|SSL_free(3)>, L<SSL_clear(3)|SSL_clear(3)>, +L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, L<ssl(3)|ssl(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_pending.pod b/lib/libssl/src/doc/ssl/SSL_pending.pod index 744e1855e15..b4c48598b25 100644 --- a/lib/libssl/src/doc/ssl/SSL_pending.pod +++ b/lib/libssl/src/doc/ssl/SSL_pending.pod 
@@ -25,6 +25,19 @@ L<SSL_read(3)|SSL_read(3)>. The number of bytes pending is returned. +=head1 BUGS + +SSL_pending() takes into account only bytes from the TLS/SSL record +that is currently being processed (if any). If the B<SSL> object's +I<read_ahead> flag is set, additional protocol bytes may have been +read containing more TLS/SSL records; these are ignored by +SSL_pending(). + +Up to OpenSSL 0.9.6, SSL_pending() does not check if the record type +of pending data is application data. + +=head1 SEE ALSO + L<SSL_read(3)|SSL_read(3)>, L<ssl(3)|ssl(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_read.pod b/lib/libssl/src/doc/ssl/SSL_read.pod index 072dc26cf28..7db5ee0a22a 100644 --- a/lib/libssl/src/doc/ssl/SSL_read.pod +++ b/lib/libssl/src/doc/ssl/SSL_read.pod @@ -8,7 +8,7 @@ SSL_read - read bytes from a TLS/SSL connection. #include <openssl/ssl.h> - int SSL_read(SSL *ssl, char *buf, int num); + int SSL_read(SSL *ssl, void *buf, int num); =head1 DESCRIPTION 
@@ -18,17 +18,29 @@ buffer B<buf>. =head1 NOTES If necessary, SSL_read() will negotiate a TLS/SSL session, if -not already explicitly performed by SSL_connect() or SSL_accept(). If the +not already explicitly performed by L<SSL_connect(3)|SSL_connect(3)> or +L<SSL_accept(3)|SSL_accept(3)>. If the peer requests a re-negotiation, it will be performed transparently during the SSL_read() operation. The behaviour of SSL_read() depends on the underlying BIO. +For the transparent negotiation to succeed, the B<ssl> must have been +initialized to client or server mode. This is not the case if a generic +method is being used (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>, so that +L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or SSL_set_accept_state() +must be used before the first call to an SSL_read() or +L<SSL_write(3)|SSL_write(3)> function. + If the underlying BIO is B<blocking>, SSL_read() will only return, once the -read operation has been finished or an error occurred. +read operation has been finished or an error occurred, except when a +renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. +This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the +L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> call. If the underlying BIO is B<non-blocking>, SSL_read() will also return when the underlying BIO could not satisfy the needs of SSL_read() -to continue the operation. In this case a call to SSL_get_error() with the +to continue the operation. In this case a call to +L<SSL_get_error(3)|SSL_get_error(3)> with the return value of SSL_read() will yield B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a call to SSL_read() can also cause write operations! The calling process 
@@ -61,7 +73,7 @@ The read operation was not successful, probably because no data was available. Call SSL_get_error() with the return value B<ret> to find out, whether an error occurred. -=item -1 +=item E<lt>0 The read operation was not successful, because either an error occurred or action must be taken by the calling process. Call SSL_get_error() with the @@ -72,6 +84,9 @@ return value B<ret> to find out the reason. =head1 SEE ALSO L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_write(3)|SSL_write(3)>, +L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>, +L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)> +L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_set_session.pod b/lib/libssl/src/doc/ssl/SSL_set_session.pod index 9f78d9e434a..c4f7878579d 100644 --- a/lib/libssl/src/doc/ssl/SSL_set_session.pod +++ b/lib/libssl/src/doc/ssl/SSL_set_session.pod @@ -40,6 +40,7 @@ The operation succeeded. =head1 SEE ALSO -L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> +L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>, +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_shutdown.pod b/lib/libssl/src/doc/ssl/SSL_shutdown.pod index 20e273bd4d5..7988dd3c90b 100644 --- a/lib/libssl/src/doc/ssl/SSL_shutdown.pod +++ b/lib/libssl/src/doc/ssl/SSL_shutdown.pod 
@@ -12,9 +12,17 @@ SSL_shutdown - shut down a TLS/SSL connection =head1 DESCRIPTION -SSL_shutdown() shuts down an active TLS/SSL connection. It sends the shutdown -alert to the peer. The behaviour of SSL_shutdown() depends on the underlying -BIO. +SSL_shutdown() shuts down an active TLS/SSL connection. It sends the +"close notify" shutdown alert to the peer. + +=head1 NOTES + +SSL_shutdown() tries to send the "close notify" shutdown alert to the peer. +Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and +a currently open session is considered closed and good and will be kept in the +session cache for further reuse. + +The behaviour of SSL_shutdown() depends on the underlying BIO. If the underlying BIO is B<blocking>, SSL_shutdown() will only return once the handshake has been finished or an error occurred. @@ -57,6 +65,8 @@ Call SSL_get_error() with the return value B<ret> to find out the reason. =head1 SEE ALSO L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>, -L<SSL_accept(3)|SSL_accept(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)> +L<SSL_accept(3)|SSL_accept(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>, +L<SSL_clear(3)|SSL_clear(3), L<SSL_free(3)|SSL_free(3)>, +L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_write.pod b/lib/libssl/src/doc/ssl/SSL_write.pod index db67c187e0e..be1ad76d3b4 100644 --- a/lib/libssl/src/doc/ssl/SSL_write.pod +++ b/lib/libssl/src/doc/ssl/SSL_write.pod @@ -2,13 +2,13 @@ =head1 NAME -SSL_read - write bytes to a TLS/SSL connection. +SSL_write - write bytes to a TLS/SSL connection. =head1 SYNOPSIS #include <openssl/ssl.h> - int SSL_write(SSL *ssl, char *buf, int num); + int SSL_write(SSL *ssl, const void *buf, int num); =head1 DESCRIPTION 
@@ -18,20 +18,32 @@ B<ssl> connection. =head1 NOTES If necessary, SSL_write() will negotiate a TLS/SSL session, if -not already explicitly performed by SSL_connect() or SSL_accept(). If the +not already explicitly performed by L<SSL_connect(3)|SSL_connect(3)> or +L<SSL_accept(3)|SSL_accept(3)>. If the peer requests a re-negotiation, it will be performed transparently during the SSL_write() operation. The behaviour of SSL_write() depends on the underlying BIO. +For the transparent negotiation to succeed, the B<ssl> must have been +initialized to client or server mode. This is not the case if a generic +method is being used (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>, so that +L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or SSL_set_accept_state() +must be used before the first call to an L<SSL_read(3)|SSL_read(3)> +or SSL_write() function. + If the underlying BIO is B<blocking>, SSL_write() will only return, once the -write operation has been finished or an error occurred. +write operation has been finished or an error occurred, except when a +renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. +This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the +L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> call. If the underlying BIO is B<non-blocking>, SSL_write() will also return, when the underlying BIO could not satisfy the needs of SSL_write() -to continue the operation. In this case a call to SSL_get_error() with the +to continue the operation. In this case a call to +L<SSL_get_error(3)|SSL_get_error(3)> with the return value of SSL_write() will yield B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a -call to SSL_write() can also cause write operations! The calling process +call to SSL_write() can also cause read operations! The calling process then must repeat the call after taking appropriate action to satisfy the needs of SSL_write(). The action depends on the underlying BIO. 
When using a non-blocking socket, nothing is to be done, but select() can be used to check @@ -60,9 +72,9 @@ bytes actually written to the TLS/SSL connection. The write operation was not successful. Call SSL_get_error() with the return value B<ret> to find out, whether an error occurred. -=item -1 +=item E<lt>0 -The read operation was not successful, because either an error occurred +The write operation was not successful, because either an error occurred or action must be taken by the calling process. Call SSL_get_error() with the return value B<ret> to find out the reason. @@ -71,6 +83,9 @@ return value B<ret> to find out the reason. =head1 SEE ALSO L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_read(3)|SSL_read(3)>, +L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>, +L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)> +L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)> =cut diff --git a/lib/libssl/src/doc/ssl/ssl.pod b/lib/libssl/src/doc/ssl/ssl.pod index 7787376f7bc..16292a05f22 100644 --- a/lib/libssl/src/doc/ssl/ssl.pod +++ b/lib/libssl/src/doc/ssl/ssl.pod 
@@ -13,6 +13,69 @@ The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It provides a rich API which is documented here. +At first the library must be initialized; see +L<SSL_library_init(3)|SSL_library_init(3)>. + +Then an B<SSL_CTX> object is created as a framework to establish +TLS/SSL enabled connections (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>). +Various options regarding certificates, algorithms etc. can be set +in this object. + +When a network connection has been created, it can be assigned to an +B<SSL> object. After the B<SSL> object has been created using +L<SSL_new(3)|SSL_new(3)>, L<SSL_set_fd(3)|SSL_set_fd(3)> or +L<SSL_set_bio(3)|SSL_set_bio(3)> can be used to associate the network +connection with the object. + +Then the TLS/SSL handshake is performed using +L<SSL_accept(3)|SSL_accept(3)> or L<SSL_connect(3)|SSL_connect(3)> +respectively. +L<SSL_read(3)|SSL_read(3)> and L<SSL_write(3)|SSL_write(3)> are used +to read and write data on the TLS/SSL connection. +L<SSL_shutdown(3)|SSL_shutdown(3)> can be used to shut down the +TLS/SSL connection. + +=head1 DATA STRUCTURES + +Currently the OpenSSL B<ssl> library functions deals with the following data +structures: + +=over 4 + +=item B<SSL_METHOD> (SSL Method) + +That's a dispatch structure describing the internal B<ssl> library +methods/functions which implement the various protocol versions (SSLv1, SSLv2 +and TLSv1). It's needed to create an B<SSL_CTX>. + +=item B<SSL_CIPHER> (SSL Cipher) + +This structure holds the algorithm information for a particular cipher which +are a core part of the SSL/TLS protocol. The available ciphers are configured +on a B<SSL_CTX> basis and the actually used ones are then part of the +B<SSL_SESSION>. 
+ +=item B<SSL_CTX> (SSL Context) + +That's the global context structure which is created by a server or client +once per program life-time and which holds mainly default values for the +B<SSL> structures which are later created for the connections. + +=item B<SSL_SESSION> (SSL Session) + +This is a structure containing the current TLS/SSL session details for a +connection: B<SSL_CIPHER>s, client and server certificates, keys, etc. + +=item B<SSL> (SSL Connection) + +That's the main SSL/TLS structure which is created by a server or client per +established connection. This actually is the core structure in the SSL API. +Under run-time the application usually deals with this structure which has +links to mostly all other structures. + +=back + + =head1 HEADER FILES Currently the OpenSSL B<ssl> library provides the following C header files 
@@ -55,46 +118,6 @@ it's already included by ssl.h>. =back -=head1 DATA STRUCTURES - -Currently the OpenSSL B<ssl> library functions deals with the following data -structures: - -=over 4 - -=item B<SSL_METHOD> (SSL Method) - -That's a dispatch structure describing the internal B<ssl> library -methods/functions which implement the various protocol versions (SSLv1, SSLv2 -and TLSv1). It's needed to create an B<SSL_CTX>. - -=item B<SSL_CIPHER> (SSL Cipher) - -This structure holds the algorithm information for a particular cipher which -are a core part of the SSL/TLS protocol. The available ciphers are configured -on a B<SSL_CTX> basis and the actually used ones are then part of the -B<SSL_SESSION>. - -=item B<SSL_CTX> (SSL Context) - -That's the global context structure which is created by a server or client -once per program life-time and which holds mainly default values for the -B<SSL> structures which are later created for the connections. - -=item B<SSL_SESSION> (SSL Session) - -This is a structure containing the current TLS/SSL session details for a -connection: B<SSL_CIPHER>s, client and server certificates, keys, etc. - -=item B<SSL> (SSL Connection) - -That's the main SSL/TLS structure which is created by a server or client per -established connection. This actually is the core structure in the SSL API. -Under run-time the application usually deals with this structure which has -links to mostly all other structures. - -=back - =head1 API FUNCTIONS Currently the OpenSSL B<ssl> library exports 214 API functions. @@ -521,11 +544,11 @@ connection defined in the B<SSL> structure. =item long B<SSL_num_renegotiations>(SSL *ssl); -=item int B<SSL_peek>(SSL *ssl, char *buf, int num); +=item int B<SSL_peek>(SSL *ssl, void *buf, int num); =item int B<SSL_pending>(SSL *ssl); -=item int B<SSL_read>(SSL *ssl, char *buf, int num); +=item int B<SSL_read>(SSL *ssl, void *buf, int num); =item int B<SSL_renegotiate>(SSL *ssl); 
@@ -617,7 +640,7 @@ connection defined in the B<SSL> structure. =item int B<SSL_want_x509_lookup>(s); -=item int B<SSL_write>(SSL *ssl, char *buf, int num); +=item int B<SSL_write>(SSL *ssl, const void *buf, int num); =back 
@@ -625,20 +648,53 @@ connection defined in the B<SSL> structure. L<openssl(1)|openssl(1)>, L<crypto(3)|crypto(3)>, L<SSL_accept(3)|SSL_accept(3)>, L<SSL_clear(3)|SSL_clear(3)>, -L<SSL_connect(3)|SSL_connect(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>, +L<SSL_connect(3)|SSL_connect(3)>, +L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)>, +L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>, +L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>, +L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>, +L<SSL_CTX_get_ex_new_index(3)|SSL_CTX_get_ex_new_index(3)>, +L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>, +L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> +L<SSL_CTX_new(3)|SSL_CTX_new(3)>, +L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>, +L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>, +L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>, +L<SSL_CTX_sessions(3)|SSL_CTX_sessions(3)>, +L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, +L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>, +L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, +L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>, +L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>, L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)>, +L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>, +L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, +L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, -L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_get_fd(3)|SSL_get_fd(3)>, +L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>, +L<SSL_get_error(3)|SSL_get_error(3)>, +L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>, +L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>, +L<SSL_get_fd(3)|SSL_get_fd(3)>, L<SSL_get_peer_cert_chain(3)|SSL_get_peer_cert_chain(3)>, 
L<SSL_get_rbio(3)|SSL_get_rbio(3)>, L<SSL_get_session(3)|SSL_get_session(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>, -L<SSL_library_init(3)|SSL_library_init(3)>, L<SSL_new(3)|SSL_new(3)>, +L<SSL_get_version(3)|SSL_get_version(3)>, +L<SSL_library_init(3)|SSL_library_init(3)>, +L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>, +L<SSL_new(3)|SSL_new(3)>, L<SSL_read(3)|SSL_read(3)>, L<SSL_set_bio(3)|SSL_set_bio(3)>, +L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>, L<SSL_set_fd(3)|SSL_set_fd(3)>, L<SSL_pending(3)|SSL_pending(3)>, L<SSL_set_session(3)|SSL_set_session(3)>, +L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>, L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_write(3)|SSL_write(3)>, -L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> +L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>, +L<SSL_SESSION_get_ex_new_index(3)|SSL_SESSION_get_ex_new_index(3)>, +L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>, +L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)> =head1 HISTORY diff --git a/lib/libssl/src/doc/ssleay.txt b/lib/libssl/src/doc/ssleay.txt index 3e964c2e9ae..fab8d42c422 100644 --- a/lib/libssl/src/doc/ssleay.txt +++ b/lib/libssl/src/doc/ssleay.txt @@ -5743,7 +5743,7 @@ strucutre but also the private key and certificate associated with EXAMPLES. -So lets play at being a wierd SSL server. +So lets play at being a weird SSL server. /* setup a context */ ctx=SSL_CTX_new(); diff --git a/lib/libssl/src/e_os.h b/lib/libssl/src/e_os.h index 318e83edb58..fc61e0e00bf 100644 --- a/lib/libssl/src/e_os.h +++ b/lib/libssl/src/e_os.h @@ -340,12 +340,14 @@ extern HINSTANCE _hInstance; # if defined(VMS) && !defined(__DECC) # include <socket.h> # include <in.h> +# include <inet.h> # else # include <sys/socket.h> # ifdef FILIO_H # include <sys/filio.h> /* Added for FIONBIO under unixware */ # endif # include <netinet/in.h> +# include <arpa/inet.h> # endif # if defined(NeXT) || defined(_NEXT_SOURCE) 
diff --git a/lib/libssl/src/ms/16all.bat b/lib/libssl/src/ms/16all.bat index e57e177177b..62ccf789634 100644 --- a/lib/libssl/src/ms/16all.bat +++ b/lib/libssl/src/ms/16all.bat @@ -1,10 +1,13 @@ set OPTS=no_asm perl Configure VC-WIN16 +perl util\mkfiles.pl >MINFO perl util\mk1mf.pl %OPTS% debug VC-WIN16 >d16.mak perl util\mk1mf.pl %OPTS% VC-WIN16 >16.mak perl util\mk1mf.pl %OPTS% debug dll VC-WIN16 >d16dll.mak perl util\mk1mf.pl %OPTS% dll VC-WIN16 >16dll.mak +perl util\mkdef.pl 16 libeay > ms\libeay32.def +perl util\mkdef.pl 16 ssleay > ms\ssleay32.def nmake -f d16.mak nmake -f 16.mak diff --git a/lib/libssl/src/ms/32all.bat b/lib/libssl/src/ms/32all.bat index d1f014c4e0f..09f47059ad6 100644 --- a/lib/libssl/src/ms/32all.bat +++ b/lib/libssl/src/ms/32all.bat @@ -1,10 +1,13 @@ set OPTS=no-asm perl Configure VC-WIN32 +perl util\mkfiles.pl >MINFO perl util\mk1mf.pl %OPTS% debug VC-WIN32 >d32.mak perl util\mk1mf.pl %OPTS% VC-WIN32 >32.mak perl util\mk1mf.pl %OPTS% debug dll VC-WIN32 >d32dll.mak perl util\mk1mf.pl %OPTS% dll VC-WIN32 >32dll.mak +perl util\mkdef.pl 32 libeay > ms\libeay32.def +perl util\mkdef.pl 32 ssleay > ms\ssleay32.def nmake -f d32.mak nmake -f 32.mak diff --git a/lib/libssl/src/ms/test.bat b/lib/libssl/src/ms/test.bat index ef37beaa223..8f691942832 100644 --- a/lib/libssl/src/ms/test.bat +++ b/lib/libssl/src/ms/test.bat @@ -1,4 +1,4 @@ -@echo=off
+@echo off
set test=..\ms
set opath=%PATH%
diff --git a/lib/libssl/src/openssl.spec b/lib/libssl/src/openssl.spec index 1c8f4e9d817..d00e461e37b 100644 --- a/lib/libssl/src/openssl.spec +++ b/lib/libssl/src/openssl.spec @@ -1,15 +1,15 @@ %define libmaj 0 %define libmin 9 %define librel 6 -#%define librev +%define librev a Release: 1 %define openssldir /var/ssl Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl-engine -Version: %{libmaj}.%{libmin}.%{librel} -#Version: %{libmaj}.%{libmin}.%{librel}%{librev} +#Version: %{libmaj}.%{libmin}.%{librel} +Version: %{libmaj}.%{libmin}.%{librel}%{librev} Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz Copyright: Freely distributable Group: System Environment/Libraries @@ -105,7 +105,7 @@ LD_LIBRARY_PATH=`pwd` make test %install rm -rf $RPM_BUILD_ROOT -make install MANDIR=/usr/man INSTALL_PREFIX="$RPM_BUILD_ROOT" +make MANDIR=/usr/man INSTALL_PREFIX="$RPM_BUILD_ROOT" install # Rename manpages for x in $RPM_BUILD_ROOT/usr/man/man*/* @@ -119,19 +119,6 @@ install -m644 libRSAglue.a $RPM_BUILD_ROOT/usr/lib # Make backwards-compatibility symlink to ssleay ln -s /usr/bin/openssl $RPM_BUILD_ROOT/usr/bin/ssleay -# Install shared libs -install -m644 libcrypto.a $RPM_BUILD_ROOT/usr/lib -#!#install -m755 libcrypto.so.%{libmaj}.%{libmin}.%{librel} $RPM_BUILD_ROOT/usr/lib -install -m644 libssl.a $RPM_BUILD_ROOT/usr/lib -#!#install -m755 libssl.so.%{libmaj}.%{libmin}.%{librel} $RPM_BUILD_ROOT/usr/lib -( - cd $RPM_BUILD_ROOT/usr/lib - #!#ln -s libcrypto.so.%{libmaj}.%{libmin}.%{librel} libcrypto.so.%{libmaj} - #!#ln -s libcrypto.so.%{libmaj}.%{libmin}.%{librel} libcrypto.so - #!#ln -s libssl.so.%{libmaj}.%{libmin}.%{librel} libssl.so.%{libmaj} - #!#ln -s libssl.so.%{libmaj}.%{libmin}.%{librel} libssl.so -) - %clean rm -rf $RPM_BUILD_ROOT 
@@ -169,6 +156,21 @@ ldconfig ldconfig %changelog +* Thu Mar 22 2001 Richard Levitte <richard@levitte.org> +- Removed redundant subsection that re-installed libcrypto.a and libssl.a + as well. +* Thu Mar 15 2001 Jeremiah Johnson <jjohnson@penguincomputing.com> +- Removed redundant subsection that re-installed libcrypto.so.0.9.6 and + libssl.so.0.9.6. As well as the subsection that created symlinks for + these. make install handles all this. +* Sat Oct 21 2000 Horms <horms@vergenet.net> +- Make sure symlinks are created by using -f flag to ln. + Otherwise some .so libraries are copied rather than + linked in the resulting binary RPM. This causes the package + to be larger than neccessary and makes ldconfig complain. +* Fri Oct 13 2000 Horms <horms@vergenet.net> +- Make defattr is set for files in all packages so packages built as + non-root will still be installed with files owned by root. * Thu Sep 14 2000 Richard Levitte <richard@levitte.org> - Changed to adapt to the new (supported) way of making shared libraries - Installs all static libraries, not just libRSAglue.a diff --git a/lib/libssl/src/rsaref/Makefile.ssl b/lib/libssl/src/rsaref/Makefile.ssl index a17e38f9a5a..861193d39c1 100644 --- a/lib/libssl/src/rsaref/Makefile.ssl +++ b/lib/libssl/src/rsaref/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/ssl/Makefile.ssl b/lib/libssl/src/ssl/Makefile.ssl index ad8da5c4be0..cfb627d29a5 100644 --- a/lib/libssl/src/ssl/Makefile.ssl +++ b/lib/libssl/src/ssl/Makefile.ssl @@ -55,7 +55,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/lib/libssl/src/ssl/s23_lib.c b/lib/libssl/src/ssl/s23_lib.c index dded7a19c5a..ad2d8dadf75 100644 
--- a/lib/libssl/src/ssl/s23_lib.c +++ b/lib/libssl/src/ssl/s23_lib.c @@ -63,6 +63,7 @@ static int ssl23_num_ciphers(void ); static SSL_CIPHER *ssl23_get_cipher(unsigned int u); static int ssl23_read(SSL *s, void *buf, int len); +static int ssl23_peek(SSL *s, void *buf, int len); static int ssl23_write(SSL *s, const void *buf, int len); static long ssl23_default_timeout(void ); static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); @@ -77,7 +78,7 @@ static SSL_METHOD SSLv23_data= { ssl_undefined_function, ssl_undefined_function, ssl23_read, - (int (*)(struct ssl_st *, char *, int))ssl_undefined_function, + ssl23_peek, ssl23_write, ssl_undefined_function, ssl_undefined_function, @@ -169,13 +170,6 @@ static int ssl23_read(SSL *s, void *buf, int len) { int n; -#if 0 - if (s->shutdown & SSL_RECEIVED_SHUTDOWN) - { - s->rwstate=SSL_NOTHING; - return(0); - } -#endif clear_sys_error(); if (SSL_in_init(s) && (!s->in_handshake)) { @@ -195,17 +189,33 @@ static int ssl23_read(SSL *s, void *buf, int len) } } -static int ssl23_write(SSL *s, const void *buf, int len) +static int ssl23_peek(SSL *s, void *buf, int len) { int n; -#if 0 - if (s->shutdown & SSL_SENT_SHUTDOWN) + clear_sys_error(); + if (SSL_in_init(s) && (!s->in_handshake)) + { + n=s->handshake_func(s); + if (n < 0) return(n); + if (n == 0) + { + SSLerr(SSL_F_SSL23_PEEK,SSL_R_SSL_HANDSHAKE_FAILURE); + return(-1); + } + return(SSL_peek(s,buf,len)); + } + else { - s->rwstate=SSL_NOTHING; - return(0); + ssl_undefined_function(s); + return(-1); } -#endif + } + +static int ssl23_write(SSL *s, const void *buf, int len) + { + int n; + clear_sys_error(); if (SSL_in_init(s) && (!s->in_handshake)) { diff --git a/lib/libssl/src/ssl/s23_meth.c b/lib/libssl/src/ssl/s23_meth.c index b52ca1d58b3..40684311db3 100644 --- a/lib/libssl/src/ssl/s23_meth.c +++ b/lib/libssl/src/ssl/s23_meth.c 
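Review bot: The new `ssl23_peek` in the `@@ -195,17 +189,33 @@` hunk has no comment, and its else branch returns -1 through `ssl_undefined_function(s)` without saying why. Suggested header: `/* Peek counterpart of ssl23_read: runs the pending handshake and forwards to SSL_peek(); otherwise reports an error via ssl_undefined_function() and returns -1. */`. Its body also repeats the handshake prologue that the context lines show for `ssl23_read` and `ssl23_write`. The same commit moves s2_pkt.c and s3_lib.c to a shared `*_read_internal(..., int peek)` helper, which would keep the read and peek paths from drifting apart here too.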
@@ -64,7 +64,7 @@ static SSL_METHOD *ssl23_get_method(int ver); static SSL_METHOD *ssl23_get_method(int ver) { if (ver == SSL2_VERSION) - return(SSLv23_method()); + return(SSLv2_method()); else if (ver == SSL3_VERSION) return(SSLv3_method()); else if (ver == TLS1_VERSION) diff --git a/lib/libssl/src/ssl/s2_clnt.c b/lib/libssl/src/ssl/s2_clnt.c index 47dd09c286f..28d6d652961 100644 --- a/lib/libssl/src/ssl/s2_clnt.c +++ b/lib/libssl/src/ssl/s2_clnt.c @@ -921,6 +921,7 @@ int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data) goto err; } ERR_clear_error(); /* but we keep s->verify_result */ + s->session->verify_result = s->verify_result; /* server's cert for this session */ sc=ssl_sess_cert_new(); diff --git a/lib/libssl/src/ssl/s2_lib.c b/lib/libssl/src/ssl/s2_lib.c index 129ed89d970..a590dbfa5ca 100644 --- a/lib/libssl/src/ssl/s2_lib.c +++ b/lib/libssl/src/ssl/s2_lib.c @@ -260,7 +260,7 @@ SSL_CIPHER *ssl2_get_cipher(unsigned int u) int ssl2_pending(SSL *s) { - return(s->s2->ract_data_length); + return SSL_in_init(s) ? 0 : s->s2->ract_data_length; } int ssl2_new(SSL *s) @@ -270,10 +270,16 @@ int ssl2_new(SSL *s) if ((s2=OPENSSL_malloc(sizeof *s2)) == NULL) goto err; memset(s2,0,sizeof *s2); +#if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2 +# error "assertion failed" +#endif + if ((s2->rbuf=OPENSSL_malloc( SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err; + /* wbuf needs one byte more because when using two-byte headers, + * we leave the first byte unused in do_ssl_write (s2_pkt.c) */ if ((s2->wbuf=OPENSSL_malloc( - SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err; + SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+3)) == NULL) goto err; s->s2=s2; ssl2_clear(s); diff --git a/lib/libssl/src/ssl/s2_pkt.c b/lib/libssl/src/ssl/s2_pkt.c index 56662f29fac..f2f46ff377c 100644 --- a/lib/libssl/src/ssl/s2_pkt.c +++ b/lib/libssl/src/ssl/s2_pkt.c 
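Review bot: The compile-time guard added to `ssl2_new` fails with `# error "assertion failed"`, which tells whoever trips it nothing about the invariant being protected. Judging by the allocation that follows, it appears to assert that `rbuf` (`SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2` bytes) is also large enough for a maximum-size record with a three-byte header. If so, say it in the message, e.g. `# error "rbuf too small for a maximum-size three-byte-header record"`. The new comment explains why `wbuf` gets `+3`; a matching line on `rbuf` would make the size difference between the two buffers deliberate rather than surprising. `ssl2_new` continues outside the hunk.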
@@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include "ssl_locl.h" #ifndef NO_SSL2 @@ -66,23 +119,12 @@ static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend); static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len); static int write_pending(SSL *s, const unsigned char *buf, unsigned int len); static int ssl_mt_error(int n); -int ssl2_peek(SSL *s, char *buf, int len) - { - int ret; - ret=ssl2_read(s,buf,len); - if (ret > 0) - { - s->s2->ract_data_length+=ret; - s->s2->ract_data-=ret; - } - return(ret); - } -/* SSL_read - +/* SSL 2.0 imlementation for SSL_read/SSL_peek - * This routine will return 0 to len bytes, decrypted etc if required. */ -int ssl2_read(SSL *s, void *buf, int len) +static int ssl2_read_internal(SSL *s, void *buf, int len, int peek) { int n; unsigned char mac[MAX_MAC_SIZE]; @@ -90,14 +132,14 @@ int ssl2_read(SSL *s, void *buf, int len) int i; unsigned int mac_size=0; -ssl2_read_again: + ssl2_read_again: if (SSL_in_init(s) && !s->in_handshake) { n=s->handshake_func(s); if (n < 0) return(n); if (n == 0) { - SSLerr(SSL_F_SSL2_READ,SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_SSL_HANDSHAKE_FAILURE); return(-1); } } 
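Review bot: The header comment on the new `ssl2_read_internal` (hunk `@@ -66,23 +119,12 @@`) contains a typo (`imlementation`) and does not describe the `peek` argument this commit introduces. Suggested wording: `/* SSL 2.0 implementation for SSL_read/SSL_peek: returns 0 to len decrypted bytes; when peek is non-zero the buffered data is left unconsumed. */`. The removed `ssl2_peek` worked by rewinding `ract_data` after a real read, so the contract has changed and the definition is where a maintainer will look for it. The function body runs past this hunk; the `if (!peek)` block that implements the behaviour is in the following hunk.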
@@ -114,13 +156,22 @@ ssl2_read_again: n=len; memcpy(buf,s->s2->ract_data,(unsigned int)n); - s->s2->ract_data_length-=n; - s->s2->ract_data+=n; - if (s->s2->ract_data_length == 0) - s->rstate=SSL_ST_READ_HEADER; + if (!peek) + { + s->s2->ract_data_length-=n; + s->s2->ract_data+=n; + if (s->s2->ract_data_length == 0) + s->rstate=SSL_ST_READ_HEADER; + } + return(n); } + /* s->s2->ract_data_length == 0 + * + * Fill the buffer, then goto ssl2_read_again. + */ + if (s->rstate == SSL_ST_READ_HEADER) { if (s->first_packet) @@ -133,7 +184,7 @@ ssl2_read_again: (p[2] == SSL2_MT_CLIENT_HELLO) || (p[2] == SSL2_MT_SERVER_HELLO)))) { - SSLerr(SSL_F_SSL2_READ,SSL_R_NON_SSLV2_INITIAL_PACKET); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_NON_SSLV2_INITIAL_PACKET); return(-1); } } 
@@ -211,48 +262,49 @@ ssl2_read_again: (unsigned int)mac_size) != 0) || (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0)) { - SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_MAC_DECODE); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE); return(-1); } } INC32(s->s2->read_sequence); /* expect next number */ /* s->s2->ract_data is now available for processing */ -#if 1 - /* How should we react when a packet containing 0 - * bytes is received? (Note that SSLeay/OpenSSL itself - * never sends such packets; see ssl2_write.) - * Returning 0 would be interpreted by the caller as - * indicating EOF, so it's not a good idea. - * Instead, we just continue reading. Note that using - * select() for blocking sockets *never* guarantees + /* Possibly the packet that we just read had 0 actual data bytes. + * (SSLeay/OpenSSL itself never sends such packets; see ssl2_write.) + * In this case, returning 0 would be interpreted by the caller + * as indicating EOF, so it's not a good idea. Instead, we just + * continue reading; thus ssl2_read_internal may have to process + * multiple packets before it can return. + * + * [Note that using select() for blocking sockets *never* guarantees * that the next SSL_read will not block -- the available - * data may contain incomplete packets, and except for SSL 2 - * renegotiation can confuse things even more. */ + * data may contain incomplete packets, and except for SSL 2, + * renegotiation can confuse things even more.] */ goto ssl2_read_again; /* This should really be - * "return ssl2_read(s,buf,len)", - * but that would allow for - * denial-of-service attacks if a - * C compiler is used that does not - * recognize end-recursion. */ -#else - /* If a 0 byte packet was sent, return 0, otherwise - * we play havoc with people using select with - * blocking sockets. Let them handle a packet at a time, - * they should really be using non-blocking sockets. 
*/ - if (s->s2->ract_data_length == 0) - return(0); - return(ssl2_read(s,buf,len)); -#endif + * "return ssl2_read(s,buf,len)", + * but that would allow for + * denial-of-service attacks if a + * C compiler is used that does not + * recognize end-recursion. */ } else { - SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_STATE); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_STATE); return(-1); } } +int ssl2_read(SSL *s, void *buf, int len) + { + return ssl2_read_internal(s, buf, len, 0); + } + +int ssl2_peek(SSL *s, void *buf, int len) + { + return ssl2_read_internal(s, buf, len, 1); + } + static int read_n(SSL *s, unsigned int n, unsigned int max, unsigned int extend) { @@ -483,6 +535,9 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) { bs=EVP_CIPHER_CTX_block_size(s->enc_read_ctx); j=len+mac_size; + /* Two-byte headers allow for a larger record length than + * three-byte headers, but we can't use them if we need + * padding or if we have to set the escape bit. */ if ((j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) && (!s->s2->escape)) { 
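Review bot: The comment kept beside `goto ssl2_read_again;` still says the jump stands in for `return ssl2_read(s,buf,len)`, but after this commit the enclosing function is `ssl2_read_internal` and `ssl2_read` is a wrapper that always passes 0 for `peek`. The comment should name the real equivalent: `"return ssl2_read_internal(s,buf,len,peek)"`. As written, someone following the comment literally would turn a peek into a consuming read once an empty record has been skipped.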
@@ -498,25 +553,39 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) } else if ((bs <= 1) && (!s->s2->escape)) { - /* len=len; */ + /* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus + * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */ s->s2->three_byte_header=0; p=0; } - else /* 3 byte header */ + else /* we may have to use a 3 byte header */ { - /*len=len; */ + /* If s->s2->escape is not set, then + * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus + * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */ p=(j%bs); p=(p == 0)?0:(bs-p); if (s->s2->escape) + { s->s2->three_byte_header=1; + if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) + j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER; + } else s->s2->three_byte_header=(p == 0)?0:1; } } + + /* Now + * j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + * holds, and if s->s2->three_byte_header is set, then even + * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER. + */ + /* mac_size is the number of MAC bytes * len is the number of data bytes we are going to send * p is the number of padding bytes - * if p == 0, it is a 2 byte header */ + * (if it is a two-byte header, then p == 0) */ s->s2->wlength=len; s->s2->padding=p; diff --git a/lib/libssl/src/ssl/s3_both.c b/lib/libssl/src/ssl/s3_both.c index d92c164b0fa..10d8d3b15af 100644 --- a/lib/libssl/src/ssl/s3_both.c +++ b/lib/libssl/src/ssl/s3_both.c @@ -365,7 +365,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) while (s->init_num < 4) { i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num], - 4 - s->init_num); + 4 - s->init_num, 0); if (i <= 0) { s->rwstate=SSL_READING; @@ -434,7 +434,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) n=s->s3->tmp.message_size; while (n > 0) { - i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n); + i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0); if (i <= 0) { s->rwstate=SSL_READING; 
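Review bot: In the escape branch of `do_ssl_write`, the new clamp `j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER` runs after `p` has already been derived from the unclamped `j`, and the lines that follow store `len` and `p`, not `j`. The invariant in the new `/* Now j <= ... */` comment therefore holds for `j`, but unless code outside the hunk recomputes them, `wlength` and `padding` still describe the oversized record. If the clamp is meant to shorten the write, it has to feed back, along the lines of `j-=j%bs; len=j-mac_size; p=0;` inside the `if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)`. If `escape` can never be set in practice, a comment saying so would settle it. `do_ssl_write` starts and ends outside this hunk.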
diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c index 62040f9f1d0..eec45cfa485 100644 --- a/lib/libssl/src/ssl/s3_clnt.c +++ b/lib/libssl/src/ssl/s3_clnt.c @@ -815,6 +815,7 @@ static int ssl3_get_server_certificate(SSL *s) X509_free(s->session->peer); CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); s->session->peer=x; + s->session->verify_result = s->verify_result; x=NULL; ret=1; diff --git a/lib/libssl/src/ssl/s3_enc.c b/lib/libssl/src/ssl/s3_enc.c index 012a4b87407..9f52c39ca97 100644 --- a/lib/libssl/src/ssl/s3_enc.c +++ b/lib/libssl/src/ssl/s3_enc.c @@ -504,7 +504,10 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send) EVP_DigestFinal( &md_ctx,md,&md_size); for (i=7; i>=0; i--) - if (++seq[i]) break; + { + ++seq[i]; + if (seq[i] != 0) break; + } return(md_size); } diff --git a/lib/libssl/src/ssl/s3_lib.c b/lib/libssl/src/ssl/s3_lib.c index cee2021b6b0..c32c06de328 100644 --- a/lib/libssl/src/ssl/s3_lib.c +++ b/lib/libssl/src/ssl/s3_lib.c 
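Review bot: The sequence-number loop in `ssl3_mac` (s3_enc.c) is rewritten from `if (++seq[i]) break;` to a separate increment and test with no explanation, and for a byte array the two forms look equivalent. If this works around a compiler that mishandles the pre-increment in a condition, record that next to the loop, e.g. `/* increment the 8-byte big-endian sequence number; increment and test are kept as separate statements deliberately */`. Without it the next cleanup is likely to fold the statements back together. The declaration of `seq` is outside the hunk, so its element type is assumed here.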
@@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include <stdio.h> #include <openssl/md5.h> @@ -638,10 +691,9 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u) return(NULL); } -/* The problem is that it may not be the correct record type */ int ssl3_pending(SSL *s) { - return(s->s3->rrec.length); + return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0; } int ssl3_new(SSL *s) @@ -1189,7 +1241,7 @@ int ssl3_shutdown(SSL *s) else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ - ssl3_read_bytes(s,0,NULL,0); + ssl3_read_bytes(s,0,NULL,0,0); } if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 
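Review bot: `ssl3_pending` loses its old warning comment along with the bug, which leaves the new record-type test unexplained. A one-line comment such as `/* only buffered application data counts; a pending record of another type is not readable through SSL_read */` would tell callers why 0 can come back while `rrec.length` is non-zero. `ssl2_pending` in this same commit additionally returns 0 while `SSL_in_init(s)` is true. If the SSLv3 path intentionally omits that check, it is worth a word here.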
@@ -1252,14 +1304,14 @@ int ssl3_write(SSL *s, const void *buf, int len) return(ret); } -int ssl3_read(SSL *s, void *buf, int len) +static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) { int ret; clear_sys_error(); if (s->s3->renegotiate) ssl3_renegotiate_check(s); s->s3->in_read_app_data=1; - ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); + ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); if ((ret == -1) && (s->s3->in_read_app_data == 0)) { /* ssl3_read_bytes decided to call s->handshake_func, which @@ -1269,7 +1321,7 @@ int ssl3_read(SSL *s, void *buf, int len) * by resetting 'in_read_app_data', strangely); so disable * handshake processing and try to read application data again. */ s->in_handshake++; - ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); + ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); s->in_handshake--; } else @@ -1278,26 +1330,14 @@ int ssl3_read(SSL *s, void *buf, int len) return(ret); } -int ssl3_peek(SSL *s, char *buf, int len) +int ssl3_read(SSL *s, void *buf, int len) { - SSL3_RECORD *rr; - int n; - - rr= &(s->s3->rrec); - if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA)) - { - n=ssl3_read(s,buf,1); - if (n <= 0) return(n); - rr->length++; - rr->off--; - } + return ssl3_read_internal(s, buf, len, 0); + } - if ((unsigned int)len > rr->length) - n=rr->length; - else - n=len; - memcpy(buf,&(rr->data[rr->off]),(unsigned int)n); - return(n); +int ssl3_peek(SSL *s, void *buf, int len) + { + return ssl3_read_internal(s, buf, len, 1); } int ssl3_renegotiate(SSL *s) diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c index 14140798539..9ab76604a64 100644 --- a/lib/libssl/src/ssl/s3_pkt.c +++ b/lib/libssl/src/ssl/s3_pkt.c 
@@ -704,7 +704,7 @@ static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, * Application data protocol * none of our business */ -int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) +int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) { int al,i,j,ret; unsigned int n; @@ -715,7 +715,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) if (!ssl3_setup_buffers(s)) return(-1); - if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) + if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) || + (peek && (type != SSL3_RT_APPLICATION_DATA))) { SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR); return -1; @@ -728,6 +729,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) unsigned char *dst = buf; unsigned int k; + /* peek == 0 */ n = 0; while ((len > 0) && (s->s3->handshake_fragment_len > 0)) { @@ -763,7 +765,7 @@ start: * s->s3->rrec.length, - number of bytes. */ rr = &(s->s3->rrec); - /* get new packet */ + /* get new packet if necessary */ if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) { ret=ssl3_get_record(s); @@ -781,7 +783,8 @@ start: goto err; } - /* If the other end has shutdown, throw anything we read away */ + /* If the other end has shut down, throw anything we read away + * (even in 'peek' mode) */ if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { rr->length=0; @@ -810,12 +813,15 @@ start: n = (unsigned int)len; memcpy(buf,&(rr->data[rr->off]),n); - rr->length-=n; - rr->off+=n; - if (rr->length == 0) + if (!peek) { - s->rstate=SSL_ST_READ_HEADER; - rr->off=0; + rr->length-=n; + rr->off+=n; + if (rr->length == 0) + { + s->rstate=SSL_ST_READ_HEADER; + rr->off=0; + } } return(n); } diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h index fdbdc70ba72..9de9e611abd 100644 --- a/lib/libssl/src/ssl/ssl.h +++ b/lib/libssl/src/ssl/ssl.h 
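Review bot: The rewritten argument check in `ssl3_read_bytes` tests `type` twice: the trailing `&& type` inside the first parenthesised group is left over from the old expression and is redundant now that the group starts with `type &&`. Cleaner: `if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE)) ||` with the `peek` clause unchanged on the next line. The bare `/* peek == 0 */` further down appears to rely on that check, so spell out the dependency: `/* peek == 0 here: peek is only accepted together with SSL3_RT_APPLICATION_DATA (checked above) */`. The function's block comment, which starts above the first hunk, is not shown to mention the new `peek` parameter.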
@@ -206,7 +206,7 @@ typedef struct ssl_method_st int (*ssl_accept)(SSL *s); int (*ssl_connect)(SSL *s); int (*ssl_read)(SSL *s,void *buf,int len); - int (*ssl_peek)(SSL *s,char *buf,int len); + int (*ssl_peek)(SSL *s,void *buf,int len); int (*ssl_write)(SSL *s,const void *buf,int len); int (*ssl_shutdown)(SSL *s); int (*ssl_renegotiate)(SSL *s); @@ -1061,9 +1061,9 @@ int SSL_set_trust(SSL *s, int trust); void SSL_free(SSL *ssl); int SSL_accept(SSL *ssl); int SSL_connect(SSL *ssl); -int SSL_read(SSL *ssl,char *buf,int num); -int SSL_peek(SSL *ssl,char *buf,int num); -int SSL_write(SSL *ssl,const char *buf,int num); +int SSL_read(SSL *ssl,void *buf,int num); +int SSL_peek(SSL *ssl,void *buf,int num); +int SSL_write(SSL *ssl,const void *buf,int num); long SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg); long SSL_callback_ctrl(SSL *, int, void (*)()); long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, char *parg); @@ -1178,7 +1178,7 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void ); #define SSL_CTX_get_read_ahead(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL) #define SSL_CTX_set_read_ahead(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL) + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL) /* NB: the keylength is only applicable when is_export is true */ #ifndef NO_RSA @@ -1209,6 +1209,7 @@ int SSL_COMP_add_compression_method(int id,char *cm); /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ +void ERR_load_SSL_strings(void); /* Error codes for the SSL functions. */ 
@@ -1233,12 +1234,15 @@ int SSL_COMP_add_compression_method(int id,char *cm); #define SSL_F_SSL23_CONNECT 117 #define SSL_F_SSL23_GET_CLIENT_HELLO 118 #define SSL_F_SSL23_GET_SERVER_HELLO 119 +#define SSL_F_SSL23_PEEK 237 #define SSL_F_SSL23_READ 120 #define SSL_F_SSL23_WRITE 121 #define SSL_F_SSL2_ACCEPT 122 #define SSL_F_SSL2_CONNECT 123 #define SSL_F_SSL2_ENC_INIT 124 +#define SSL_F_SSL2_PEEK 234 #define SSL_F_SSL2_READ 125 +#define SSL_F_SSL2_READ_INTERNAL 236 #define SSL_F_SSL2_SET_CERTIFICATE 126 #define SSL_F_SSL2_WRITE 127 #define SSL_F_SSL3_ACCEPT 128 @@ -1263,6 +1267,7 @@ int SSL_COMP_add_compression_method(int id,char *cm); #define SSL_F_SSL3_GET_SERVER_DONE 145 #define SSL_F_SSL3_GET_SERVER_HELLO 146 #define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147 +#define SSL_F_SSL3_PEEK 235 #define SSL_F_SSL3_READ_BYTES 148 #define SSL_F_SSL3_READ_N 149 #define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150 @@ -1559,4 +1564,3 @@ int SSL_COMP_add_compression_method(int id,char *cm); } #endif #endif - diff --git a/lib/libssl/src/ssl/ssl2.h b/lib/libssl/src/ssl/ssl2.h index df7d03c18f7..f8b56afb6b2 100644 --- a/lib/libssl/src/ssl/ssl2.h +++ b/lib/libssl/src/ssl/ssl2.h @@ -134,11 +134,11 @@ extern "C" { /* Upper/Lower Bounds */ #define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256 #ifdef MPE -#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)29998 +#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u #else -#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)32767 +#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */ #endif -#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /**/ +#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */ #define SSL2_CHALLENGE_LENGTH 16 /*#define SSL2_CHALLENGE_LENGTH 32 */ diff --git a/lib/libssl/src/ssl/ssl_algs.c b/lib/libssl/src/ssl/ssl_algs.c index a91ee6d22e4..dde8918fe0e 100644 --- a/lib/libssl/src/ssl/ssl_algs.c +++ b/lib/libssl/src/ssl/ssl_algs.c 
@@ -88,9 +88,13 @@ int SSL_library_init(void) #ifndef NO_SHA EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); + EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); #endif #if !defined(NO_SHA) && !defined(NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ + EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); + EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1"); + EVP_add_digest_alias(SN_dsaWithSHA1,"dss1"); #endif /* If you want support for phased out ciphers, add the following */ diff --git a/lib/libssl/src/ssl/ssl_cert.c b/lib/libssl/src/ssl/ssl_cert.c index c26df62c207..27e7fcc60ae 100644 --- a/lib/libssl/src/ssl/ssl_cert.c +++ b/lib/libssl/src/ssl/ssl_cert.c @@ -271,7 +271,9 @@ CERT *ssl_cert_dup(CERT *cert) return(ret); +#ifndef NO_DH /* avoid 'unreferenced label' warning if NO_DH is defined */ err: +#endif #ifndef NO_RSA if (ret->rsa_tmp != NULL) RSA_free(ret->rsa_tmp); diff --git a/lib/libssl/src/ssl/ssl_err.c b/lib/libssl/src/ssl/ssl_err.c index 17b4caf528a..1ae33334079 100644 --- a/lib/libssl/src/ssl/ssl_err.c +++ b/lib/libssl/src/ssl/ssl_err.c 
@@ -86,12 +86,15 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL23_CONNECT,0), "SSL23_CONNECT"}, {ERR_PACK(0,SSL_F_SSL23_GET_CLIENT_HELLO,0), "SSL23_GET_CLIENT_HELLO"}, {ERR_PACK(0,SSL_F_SSL23_GET_SERVER_HELLO,0), "SSL23_GET_SERVER_HELLO"}, +{ERR_PACK(0,SSL_F_SSL23_PEEK,0), "SSL23_PEEK"}, {ERR_PACK(0,SSL_F_SSL23_READ,0), "SSL23_READ"}, {ERR_PACK(0,SSL_F_SSL23_WRITE,0), "SSL23_WRITE"}, {ERR_PACK(0,SSL_F_SSL2_ACCEPT,0), "SSL2_ACCEPT"}, {ERR_PACK(0,SSL_F_SSL2_CONNECT,0), "SSL2_CONNECT"}, {ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0), "SSL2_ENC_INIT"}, +{ERR_PACK(0,SSL_F_SSL2_PEEK,0), "SSL2_PEEK"}, {ERR_PACK(0,SSL_F_SSL2_READ,0), "SSL2_READ"}, +{ERR_PACK(0,SSL_F_SSL2_READ_INTERNAL,0), "SSL2_READ_INTERNAL"}, {ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0), "SSL2_SET_CERTIFICATE"}, {ERR_PACK(0,SSL_F_SSL2_WRITE,0), "SSL2_WRITE"}, {ERR_PACK(0,SSL_F_SSL3_ACCEPT,0), "SSL3_ACCEPT"}, @@ -116,6 +119,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL3_GET_SERVER_DONE,0), "SSL3_GET_SERVER_DONE"}, {ERR_PACK(0,SSL_F_SSL3_GET_SERVER_HELLO,0), "SSL3_GET_SERVER_HELLO"}, {ERR_PACK(0,SSL_F_SSL3_OUTPUT_CERT_CHAIN,0), "SSL3_OUTPUT_CERT_CHAIN"}, +{ERR_PACK(0,SSL_F_SSL3_PEEK,0), "SSL3_PEEK"}, {ERR_PACK(0,SSL_F_SSL3_READ_BYTES,0), "SSL3_READ_BYTES"}, {ERR_PACK(0,SSL_F_SSL3_READ_N,0), "SSL3_READ_N"}, {ERR_PACK(0,SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,0), "SSL3_SEND_CERTIFICATE_REQUEST"}, diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c index 635b25062e8..1fe85b6cb75 100644 --- a/lib/libssl/src/ssl/ssl_lib.c +++ b/lib/libssl/src/ssl/ssl_lib.c @@ -119,7 +119,9 @@ int SSL_clear(SSL *s) s->client_version=s->version; s->rwstate=SSL_NOTHING; s->rstate=SSL_ST_READ_HEADER; +#if 0 s->read_ahead=s->ctx->read_ahead; +#endif if (s->init_buf != NULL) { 
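Review bot: The `#if 0` placed around `s->read_ahead=s->ctx->read_ahead;` in SSL_clear leaves disabled code behind with no explanation at the site. The only hint is the comment on the SSL_new side (`used to happen in SSL_clear`), which a reader of SSL_clear will not see. Either delete the line outright, or keep the block and add a comment such as `/* read_ahead is now initialised once in SSL_new(); it is deliberately not reset here */`. Presumably the intent is that a per-connection read-ahead setting survives SSL_clear, but that should be confirmed and written down. SSL_clear continues outside the hunk.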
@@ -229,6 +231,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; s->options=ctx->options; s->mode=ctx->mode; + s->read_ahead=ctx->read_ahead; /* used to happen in SSL_clear */ SSL_clear(s); CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data); @@ -705,7 +708,7 @@ long SSL_get_default_timeout(SSL *s) return(s->method->get_timeout()); } -int SSL_read(SSL *s,char *buf,int num) +int SSL_read(SSL *s,void *buf,int num) { if (s->handshake_func == 0) { @@ -721,8 +724,14 @@ int SSL_read(SSL *s,char *buf,int num) return(s->method->ssl_read(s,buf,num)); } -int SSL_peek(SSL *s,char *buf,int num) +int SSL_peek(SSL *s,void *buf,int num) { + if (s->handshake_func == 0) + { + SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); + return -1; + } + if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { return(0); @@ -730,7 +739,7 @@ int SSL_peek(SSL *s,char *buf,int num) return(s->method->ssl_peek(s,buf,num)); } -int SSL_write(SSL *s,const char *buf,int num) +int SSL_write(SSL *s,const void *buf,int num) { if (s->handshake_func == 0) { @@ -1676,6 +1685,10 @@ SSL *SSL_dup(SSL *s) if (s->cert != NULL) { + if (ret->cert != NULL) + { + ssl_cert_free(ret->cert); + } ret->cert = ssl_cert_dup(s->cert); if (ret->cert == NULL) goto err; diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h index d70fff4627d..516d3cc5ae2 100644 --- a/lib/libssl/src/ssl/ssl_locl.h +++ b/lib/libssl/src/ssl/ssl_locl.h 
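Review bot: The uninitialised-handle check added to SSL_peek in the `@@ -721` hunk raises its error as `SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);`, so a failure in SSL_peek is recorded in the error queue as coming from SSL_read. This commit adds peek-specific function codes for the SSL2, SSL3 and SSL23 methods in ssl.h, but none for SSL_peek itself appears in the hunks shown. A dedicated code, added through the mkerr.pl tables that generate those defines, would keep error-queue output usable when diagnosing which entry point was called before the handshake function was set.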
@@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #ifndef HEADER_SSL_LOCL_H #define HEADER_SSL_LOCL_H @@ -463,7 +516,7 @@ void ssl2_free(SSL *s); int ssl2_accept(SSL *s); int ssl2_connect(SSL *s); int ssl2_read(SSL *s, void *buf, int len); -int ssl2_peek(SSL *s, char *buf, int len); +int ssl2_peek(SSL *s, void *buf, int len); int ssl2_write(SSL *s, const void *buf, int len); int ssl2_shutdown(SSL *s); void ssl2_clear(SSL *s); @@ -494,7 +547,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u); int ssl3_renegotiate(SSL *ssl); int ssl3_renegotiate_check(SSL *ssl); int ssl3_dispatch_alert(SSL *s); -int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len); +int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek); int ssl3_write_bytes(SSL *s, int type, const void *buf, int len); int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2, const char *sender, int slen,unsigned char *p); 
@@ -511,7 +564,7 @@ void ssl3_free(SSL *s); int ssl3_accept(SSL *s); int ssl3_connect(SSL *s); int ssl3_read(SSL *s, void *buf, int len); -int ssl3_peek(SSL *s,char *buf, int len); +int ssl3_peek(SSL *s, void *buf, int len); int ssl3_write(SSL *s, const void *buf, int len); int ssl3_shutdown(SSL *s); void ssl3_clear(SSL *s); diff --git a/lib/libssl/src/ssl/ssl_sess.c b/lib/libssl/src/ssl/ssl_sess.c index 416def8908e..7064262def8 100644 --- a/lib/libssl/src/ssl/ssl_sess.c +++ b/lib/libssl/src/ssl/ssl_sess.c @@ -508,6 +508,7 @@ int SSL_set_session(SSL *s, SSL_SESSION *session) if (s->session != NULL) SSL_SESSION_free(s->session); s->session=session; + s->verify_result = s->session->verify_result; /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/ ret=1; } diff --git a/lib/libssl/src/ssl/t1_enc.c b/lib/libssl/src/ssl/t1_enc.c index 0d34357eb47..d10a23af8eb 100644 --- a/lib/libssl/src/ssl/t1_enc.c +++ b/lib/libssl/src/ssl/t1_enc.c @@ -572,7 +572,10 @@ printf("rec="); #endif for (i=7; i>=0; i--) - if (++seq[i]) break; + { + ++seq[i]; + if (seq[i] != 0) break; + } #ifdef TLS_DEBUG {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); } diff --git a/lib/libssl/src/test/Makefile.ssl b/lib/libssl/src/test/Makefile.ssl index b961dabc3cc..9c7b7dd1588 100644 --- a/lib/libssl/src/test/Makefile.ssl +++ b/lib/libssl/src/test/Makefile.ssl @@ -192,7 +192,7 @@ test_bn: @./$(BNTEST) >tmp.bntest @echo quit >>tmp.bntest @echo "running bc" - @bc tmp.bntest 2>&1 | $(PERL) -e 'while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} print STDERR "."; $$i++;} print STDERR "\n$$i tests passed\n"' + @<tmp.bntest sh -c "`sh ./bctest || true`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"' @echo 'test a^b%c implementations' ./$(EXPTEST) 
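Review bot: The new line `s->verify_result = s->session->verify_result;` in SSL_set_session overwrites the connection's certificate-verification result without a comment saying why. The value is taken from whatever session the caller installs, so the trust decision read back later depends on that session object rather than on a verification performed on this connection. A short comment such as `/* carry over the verification result stored with the session */` would make that visible at the assignment. The line also dereferences `s->session` immediately after `s->session=session;`, so it relies on a non-NULL check in the enclosing branch, which lies outside the hunk.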
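Review bot: The new `test_bn` pipeline can report success without checking anything. If `sh ./bctest` fails, `|| true` leaves an empty command string, `sh -c ""` emits nothing, and the Perl filter then prints `0 tests passed` and exits with status 0. The filter should fail when no result line was counted, for example `die "\nno bc results were checked\n" unless $$i;` placed before the final `print STDERR`. What bctest writes on failure is not visible in this diff, so the exact failure path should be confirmed against that script.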
@@ -241,7 +241,7 @@ dclean: mv -f Makefile.new $(MAKEFILE) clean: - rm -f .rnd tmp.bntest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log + rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log $(DLIBSSL): (cd ../ssl; $(MAKE)) diff --git a/lib/libssl/src/tools/c_rehash.in b/lib/libssl/src/tools/c_rehash.in index baec7c14ff4..26db8999d8c 100644 --- a/lib/libssl/src/tools/c_rehash.in +++ b/lib/libssl/src/tools/c_rehash.in @@ -117,7 +117,12 @@ sub link_hash_cert { } $hash .= ".$suffix"; print "$fname => $hash\n"; - symlink $fname, $hash; + $symlink_exists=eval {symlink("",""); 1}; + if ($symlink_exists) { + symlink $fname, $hash; + } else { + system ("cp", $fname, $hash); + } $hashlist{$hash} = $fprint; } @@ -142,7 +147,12 @@ sub link_hash_crl { } $hash .= ".r$suffix"; print "$fname => $hash\n"; - symlink $fname, $hash; + $symlink_exists=eval {symlink("",""); 1}; + if ($symlink_exists) { + symlink $fname, $hash; + } else { + system ("cp", $fname, $hash); + } $hashlist{$hash} = $fprint; } diff --git a/lib/libssl/src/util/clean-depend.pl b/lib/libssl/src/util/clean-depend.pl index af676af7514..0193e726fee 100644 --- a/lib/libssl/src/util/clean-depend.pl +++ b/lib/libssl/src/util/clean-depend.pl @@ -15,8 +15,8 @@ while(<STDIN>) { my ($file,$deps)=/^(.*): (.*)$/; next if !defined $deps; my @deps=split ' ',$deps; - @deps=grep(!/^\/usr\/include/,@deps); - @deps=grep(!/^\/usr\/lib\/gcc-lib/,@deps); + @deps=grep(!/^\//,@deps); + @deps=grep(!/^\\$/,@deps); push @{$files{$file}},@deps; } diff --git a/lib/libssl/src/util/libeay.num b/lib/libssl/src/util/libeay.num index e8eebbf50c4..84ae840804a 100644 --- a/lib/libssl/src/util/libeay.num +++ b/lib/libssl/src/util/libeay.num 
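Review bot: Neither branch of the new fallback in link_hash_cert checks its result, so a failed `symlink` or a non-zero `cp` exit still reaches `$hashlist{$hash} = $fprint;`. The certificate directory can then be left without the hash entry while the script has already printed `$fname => $hash`, and a verifier that looks certificates up by hash would not find the file. Suggested: `symlink($fname, $hash) or warn "symlink $fname -> $hash: $!\n";` and `system("cp", $fname, $hash) == 0 or warn "cp $fname $hash failed (status $?)\n";`. The same applies to the identical change in link_hash_crl (`@@ -142`). `$symlink_exists` is also an undeclared global recomputed on every call; probing once at file scope with `my` would be cleaner. Both subs begin outside their hunks.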
@@ -301,8 +301,8 @@ EVP_des_ede_cfb 308 EXIST::FUNCTION:DES EVP_des_ede_ofb 309 EXIST::FUNCTION:DES EVP_des_ofb 310 EXIST::FUNCTION:DES EVP_desx_cbc 311 EXIST::FUNCTION:DES -EVP_dss 312 EXIST::FUNCTION:DSA -EVP_dss1 313 EXIST::FUNCTION:DSA +EVP_dss 312 EXIST::FUNCTION:DSA,SHA +EVP_dss1 313 EXIST::FUNCTION:DSA,SHA EVP_enc_null 314 EXIST::FUNCTION: EVP_get_cipherbyname 315 EXIST::FUNCTION: EVP_get_digestbyname 316 EXIST::FUNCTION: @@ -779,7 +779,7 @@ des_ede3_cfb64_encrypt 786 EXIST::FUNCTION:DES des_ede3_ofb64_encrypt 787 EXIST::FUNCTION:DES des_enc_read 788 EXIST::FUNCTION:DES des_enc_write 789 EXIST::FUNCTION:DES -des_encrypt 790 EXIST::FUNCTION:DES +des_encrypt1 790 EXIST::FUNCTION:DES des_encrypt2 791 EXIST::FUNCTION:DES des_encrypt3 792 EXIST::FUNCTION:DES des_fcrypt 793 EXIST::FUNCTION:DES @@ -926,7 +926,7 @@ PKCS7_add_signature 938 EXIST::FUNCTION: PKCS7_cert_from_signer_info 939 EXIST::FUNCTION: PKCS7_get_signer_info 940 EXIST::FUNCTION: EVP_delete_alias 941 NOEXIST::FUNCTION: -EVP_mdc2 942 EXIST::FUNCTION: +EVP_mdc2 942 EXIST::FUNCTION:MDC2 PEM_read_bio_RSAPublicKey 943 EXIST::FUNCTION:RSA PEM_write_bio_RSAPublicKey 944 EXIST::FUNCTION:RSA d2i_RSAPublicKey_bio 945 EXIST::FUNCTION:RSA 
@@ -1870,61 +1870,64 @@ X509_keyid_set1 2460 EXIST::FUNCTION: BIO_next 2461 EXIST::FUNCTION: DSO_METHOD_vms 2462 EXIST::FUNCTION: BIO_f_linebuffer 2463 EXIST:VMS:FUNCTION: -ERR_load_ENGINE_strings 2464 EXIST::FUNCTION: -ENGINE_set_DSA 2465 EXIST::FUNCTION: -ENGINE_get_finish_function 2466 EXIST::FUNCTION: -ENGINE_get_default_RSA 2467 EXIST::FUNCTION: -ENGINE_get_BN_mod_exp 2468 EXIST::FUNCTION: -DSA_get_default_openssl_method 2469 EXIST::FUNCTION:DSA -ENGINE_set_DH 2470 EXIST::FUNCTION: -ENGINE_set_default_BN_mod_exp_crt 2471 EXIST:!VMS:FUNCTION: -ENGINE_set_def_BN_mod_exp_crt 2471 EXIST:VMS:FUNCTION: -ENGINE_init 2472 EXIST::FUNCTION: -DH_get_default_openssl_method 2473 EXIST::FUNCTION:DH -RSA_set_default_openssl_method 2474 EXIST::FUNCTION:RSA -ENGINE_finish 2475 EXIST::FUNCTION: -ENGINE_load_public_key 2476 EXIST::FUNCTION: -ENGINE_get_DH 2477 EXIST::FUNCTION: -ENGINE_ctrl 2478 EXIST::FUNCTION: -ENGINE_get_init_function 2479 EXIST::FUNCTION: -ENGINE_set_init_function 2480 EXIST::FUNCTION: -ENGINE_set_default_DSA 2481 EXIST::FUNCTION: -ENGINE_get_name 2482 EXIST::FUNCTION: -ENGINE_get_last 2483 EXIST::FUNCTION: -ENGINE_get_prev 2484 EXIST::FUNCTION: -ENGINE_get_default_DH 2485 EXIST::FUNCTION: -ENGINE_get_RSA 2486 EXIST::FUNCTION: -ENGINE_set_default 2487 EXIST::FUNCTION: -ENGINE_get_RAND 2488 EXIST::FUNCTION: -ENGINE_get_first 2489 EXIST::FUNCTION: -ENGINE_by_id 2490 EXIST::FUNCTION: -ENGINE_set_finish_function 2491 EXIST::FUNCTION: -ENGINE_get_default_BN_mod_exp_crt 2492 EXIST:!VMS:FUNCTION: -ENGINE_get_def_BN_mod_exp_crt 2492 EXIST:VMS:FUNCTION: -RSA_get_default_openssl_method 2493 EXIST::FUNCTION:RSA -ENGINE_set_RSA 2494 EXIST::FUNCTION: -ENGINE_load_private_key 2495 EXIST::FUNCTION: -ENGINE_set_default_RAND 2496 EXIST::FUNCTION: -ENGINE_set_BN_mod_exp 2497 EXIST::FUNCTION: -ENGINE_remove 2498 EXIST::FUNCTION: -ENGINE_free 2499 EXIST::FUNCTION: -ENGINE_get_BN_mod_exp_crt 2500 EXIST::FUNCTION: -ENGINE_get_next 2501 EXIST::FUNCTION: -ENGINE_set_name 2502 
EXIST::FUNCTION: -ENGINE_get_default_DSA 2503 EXIST::FUNCTION: -ENGINE_set_default_BN_mod_exp 2504 EXIST::FUNCTION: -ENGINE_set_default_RSA 2505 EXIST::FUNCTION: -ENGINE_get_default_RAND 2506 EXIST::FUNCTION: -ENGINE_get_default_BN_mod_exp 2507 EXIST::FUNCTION: -ENGINE_set_RAND 2508 EXIST::FUNCTION: -ENGINE_set_id 2509 EXIST::FUNCTION: -ENGINE_set_BN_mod_exp_crt 2510 EXIST::FUNCTION: -ENGINE_set_default_DH 2511 EXIST::FUNCTION: -ENGINE_new 2512 EXIST::FUNCTION: -ENGINE_get_id 2513 EXIST::FUNCTION: -DSA_set_default_openssl_method 2514 EXIST::FUNCTION:DSA -ENGINE_add 2515 EXIST::FUNCTION: -DH_set_default_openssl_method 2516 EXIST::FUNCTION:DH -ENGINE_get_DSA 2517 EXIST::FUNCTION: -ENGINE_get_ctrl_function 2518 EXIST::FUNCTION: -ENGINE_set_ctrl_function 2519 EXIST::FUNCTION: +BN_bntest_rand 2464 EXIST::FUNCTION: +OPENSSL_issetugid 2465 EXIST::FUNCTION: +BN_rand_range 2466 EXIST::FUNCTION: +ERR_load_ENGINE_strings 2467 EXIST::FUNCTION: +ENGINE_set_DSA 2468 EXIST::FUNCTION: +ENGINE_get_finish_function 2469 EXIST::FUNCTION: +ENGINE_get_default_RSA 2470 EXIST::FUNCTION: +ENGINE_get_BN_mod_exp 2471 EXIST::FUNCTION: +DSA_get_default_openssl_method 2472 EXIST::FUNCTION:DSA +ENGINE_set_DH 2473 EXIST::FUNCTION: +ENGINE_set_default_BN_mod_exp_crt 2474 EXIST:!VMS:FUNCTION: +ENGINE_set_def_BN_mod_exp_crt 2474 EXIST:VMS:FUNCTION: +ENGINE_init 2475 EXIST::FUNCTION: +DH_get_default_openssl_method 2476 EXIST::FUNCTION:DH +RSA_set_default_openssl_method 2477 EXIST::FUNCTION:RSA +ENGINE_finish 2478 EXIST::FUNCTION: +ENGINE_load_public_key 2479 EXIST::FUNCTION: +ENGINE_get_DH 2480 EXIST::FUNCTION: +ENGINE_ctrl 2481 EXIST::FUNCTION: +ENGINE_get_init_function 2482 EXIST::FUNCTION: +ENGINE_set_init_function 2483 EXIST::FUNCTION: +ENGINE_set_default_DSA 2484 EXIST::FUNCTION: +ENGINE_get_name 2485 EXIST::FUNCTION: +ENGINE_get_last 2486 EXIST::FUNCTION: +ENGINE_get_prev 2487 EXIST::FUNCTION: +ENGINE_get_default_DH 2488 EXIST::FUNCTION: +ENGINE_get_RSA 2489 EXIST::FUNCTION: +ENGINE_set_default 
2490 EXIST::FUNCTION: +ENGINE_get_RAND 2491 EXIST::FUNCTION: +ENGINE_get_first 2492 EXIST::FUNCTION: +ENGINE_by_id 2493 EXIST::FUNCTION: +ENGINE_set_finish_function 2494 EXIST::FUNCTION: +ENGINE_get_default_BN_mod_exp_crt 2495 EXIST:!VMS:FUNCTION: +ENGINE_get_def_BN_mod_exp_crt 2495 EXIST:VMS:FUNCTION: +RSA_get_default_openssl_method 2496 EXIST::FUNCTION:RSA +ENGINE_set_RSA 2497 EXIST::FUNCTION: +ENGINE_load_private_key 2498 EXIST::FUNCTION: +ENGINE_set_default_RAND 2499 EXIST::FUNCTION: +ENGINE_set_BN_mod_exp 2500 EXIST::FUNCTION: +ENGINE_remove 2501 EXIST::FUNCTION: +ENGINE_free 2502 EXIST::FUNCTION: +ENGINE_get_BN_mod_exp_crt 2503 EXIST::FUNCTION: +ENGINE_get_next 2504 EXIST::FUNCTION: +ENGINE_set_name 2505 EXIST::FUNCTION: +ENGINE_get_default_DSA 2506 EXIST::FUNCTION: +ENGINE_set_default_BN_mod_exp 2507 EXIST::FUNCTION: +ENGINE_set_default_RSA 2508 EXIST::FUNCTION: +ENGINE_get_default_RAND 2509 EXIST::FUNCTION: +ENGINE_get_default_BN_mod_exp 2510 EXIST::FUNCTION: +ENGINE_set_RAND 2511 EXIST::FUNCTION: +ENGINE_set_id 2512 EXIST::FUNCTION: +ENGINE_set_BN_mod_exp_crt 2513 EXIST::FUNCTION: +ENGINE_set_default_DH 2514 EXIST::FUNCTION: +ENGINE_new 2515 EXIST::FUNCTION: +ENGINE_get_id 2516 EXIST::FUNCTION: +DSA_set_default_openssl_method 2517 EXIST::FUNCTION:DSA +ENGINE_add 2518 EXIST::FUNCTION: +DH_set_default_openssl_method 2519 EXIST::FUNCTION:DH +ENGINE_get_DSA 2520 EXIST::FUNCTION: +ENGINE_get_ctrl_function 2521 EXIST::FUNCTION: +ENGINE_set_ctrl_function 2522 EXIST::FUNCTION: diff --git a/lib/libssl/src/util/mkdef.pl b/lib/libssl/src/util/mkdef.pl index cc41a1813e5..ba453358cf9 100644 --- a/lib/libssl/src/util/mkdef.pl +++ b/lib/libssl/src/util/mkdef.pl 
@@ -119,7 +119,7 @@ foreach (@ARGV, split(/ /, $options)) elsif (/^no-rc4$/) { $no_rc4=1; } elsif (/^no-rc5$/) { $no_rc5=1; } elsif (/^no-idea$/) { $no_idea=1; } - elsif (/^no-des$/) { $no_des=1; } + elsif (/^no-des$/) { $no_des=1; $no_mdc2=1; } elsif (/^no-bf$/) { $no_bf=1; } elsif (/^no-cast$/) { $no_cast=1; } elsif (/^no-md2$/) { $no_md2=1; } @@ -705,7 +705,8 @@ EOF } else { (my $n, my $i) = split /\\/, $nums{$s}; my %pf = (); - my @p = split(/,/, ($i =~ /^.*?:(.*?):/,$1)); + my @p = split(/,/, ($i =~ /^[^:]*:([^:]*):/,$1)); + my @a = split(/,/, ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1)); # @p_purged must contain hardware platforms only my @p_purged = (); foreach $ptmp (@p) { @@ -727,7 +728,26 @@ EOF || (!$negatives && ($rsaref || !grep(/^RSAREF$/,@p))) || ($negatives - && (!$rsaref || !grep(/^!RSAREF$/,@p))))) { + && (!$rsaref || !grep(/^!RSAREF$/,@p)))) + && (!@a || (!$no_rc2 || !grep(/^RC2$/,@a))) + && (!@a || (!$no_rc4 || !grep(/^RC4$/,@a))) + && (!@a || (!$no_rc5 || !grep(/^RC5$/,@a))) + && (!@a || (!$no_idea || !grep(/^IDEA$/,@a))) + && (!@a || (!$no_des || !grep(/^DES$/,@a))) + && (!@a || (!$no_bf || !grep(/^BF$/,@a))) + && (!@a || (!$no_cast || !grep(/^CAST$/,@a))) + && (!@a || (!$no_md2 || !grep(/^MD2$/,@a))) + && (!@a || (!$no_md4 || !grep(/^MD4$/,@a))) + && (!@a || (!$no_md5 || !grep(/^MD5$/,@a))) + && (!@a || (!$no_sha || !grep(/^SHA$/,@a))) + && (!@a || (!$no_ripemd || !grep(/^RIPEMD$/,@a))) + && (!@a || (!$no_mdc2 || !grep(/^MDC2$/,@a))) + && (!@a || (!$no_rsa || !grep(/^RSA$/,@a))) + && (!@a || (!$no_dsa || !grep(/^DSA$/,@a))) + && (!@a || (!$no_dh || !grep(/^DH$/,@a))) + && (!@a || (!$no_hmac || !grep(/^HMAC$/,@a))) + && (!@a || (!$no_fp_api || !grep(/^FP_API$/,@a))) + ) { printf OUT " %s%-40s@%d\n",($W32)?"":"_",$s,$n; # } else { # print STDERR "DEBUG: \"$sym\" (@p):", diff --git a/lib/libssl/src/util/mklink.pl b/lib/libssl/src/util/mklink.pl index d7b997ada72..9e9c9a51467 100644 --- a/lib/libssl/src/util/mklink.pl 
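Review bot: In the `@@ -705` hunk both `@p` and the new `@a` read `$1` through the comma operator, whether or not the match succeeded. If `$i` has fewer than four colon-separated fields, the second pattern fails and `$1` still holds the platform capture from the line above, so `@a` silently becomes a copy of the platform list. Guarding the capture avoids that: `my @a = ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/) ? split(/,/, $1) : ();`, and likewise for `@p`. The entries in libeay.num shown in this diff all have four fields, so this matters only for a malformed or hand-edited line.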
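Review bot: The eighteen added clauses in the `@@ -727` hunk all have the shape `(!@a || (!$no_X || !grep(/^X$/,@a)))`, and the leading `!@a ||` is redundant because `grep` over an empty list is already false. Adding an algorithm currently means touching this condition and the option parser separately, and a missed clause would export a symbol for a disabled algorithm. A lookup table of tag to switch, tested with a single `grep`, should be equivalent for well-formed tags and keeps the list in one place. The enclosing `if` starts outside the hunk.

```perl
# Built once, before the loop over symbols: algorithm tag => its no-* switch.
my %disabled = (
    RC2  => $no_rc2,  RC4 => $no_rc4, RC5  => $no_rc5,  IDEA   => $no_idea,
    DES  => $no_des,  BF  => $no_bf,  CAST => $no_cast, MD2    => $no_md2,
    MD4  => $no_md4,  MD5 => $no_md5, SHA  => $no_sha,  RIPEMD => $no_ripemd,
    MDC2 => $no_mdc2, RSA => $no_rsa, DSA  => $no_dsa,  DH     => $no_dh,
    HMAC => $no_hmac, FP_API => $no_fp_api,
);
# … unchanged: platform and RSAREF tests …
			&& (!$rsaref || !grep(/^!RSAREF$/,@p))))
		    && !grep { $disabled{$_} } @a
		    ) {
```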
+++ b/lib/libssl/src/util/mklink.pl @@ -48,8 +48,13 @@ foreach $dirname (@from_path) { my $to = join('/', @to_path); my $file; +$symlink_exists=eval {symlink("",""); 1}; foreach $file (@files) { my $err = ""; - symlink("$to/$file", "$from/$file") or $err = " [$!]"; + if ($symlink_exists) { + symlink("$to/$file", "$from/$file") or $err = " [$!]"; + } else { + system ("cp", "$file", "$from/$file") and $err = " [$!]"; + } print $file . " => $from/$file$err\n"; } diff --git a/lib/libssl/src/util/pod2man.pl b/lib/libssl/src/util/pod2man.pl index f5ec0767ed4..c6b64add602 100644 --- a/lib/libssl/src/util/pod2man.pl +++ b/lib/libssl/src/util/pod2man.pl @@ -416,6 +416,8 @@ if ($name ne 'something') { warn "$0: Improper man page - malformed NAME header in paragraph $. of $ARGV[0]\n" } else { + $n[0] =~ s/\n/ /; + $n[1] =~ s/\n/ /; %namedesc = @n; } } diff --git a/lib/libssl/ssl/shlib_version b/lib/libssl/ssl/shlib_version index 890c57389b5..3066b9771e7 100644 --- a/lib/libssl/ssl/shlib_version +++ b/lib/libssl/ssl/shlib_version @@ -1,2 +1,2 @@ -major=4 -minor=1 +major=5 +minor=0 |
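Review bot: The `cp` fallback reports failure with `$!`, but `system` sets `$!` only when the command could not be started. When `cp` itself exits non-zero, the bracketed text is whatever errno was left over from earlier and can mislead whoever reads the build log. Use the exit status instead: `system("cp", $file, "$from/$file") == 0 or $err = " [cp exit status $?]";`. The fallback also copies `$file` where the symlink branch points at `$to/$file`; that is presumably intended because of the different working-directory semantics, but a one-line comment saying so would help. `$symlink_exists` is introduced without `my` next to `my`-declared neighbours.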