diff options
49 files changed, 303 insertions, 175 deletions
diff --git a/lib/libssl/src/CHANGES b/lib/libssl/src/CHANGES index c888c56c263..04d332e338b 100644 --- a/lib/libssl/src/CHANGES +++ b/lib/libssl/src/CHANGES @@ -2,11 +2,51 @@ OpenSSL CHANGES _______________ - Changes between 0.9.8i and 0.9.8j [07 Jan 2009] + Changes between 0.9.8j and 0.9.8k [25 Mar 2009] - *) Properly check EVP_VerifyFinal() and similar return values - (CVE-2008-5077). - [Ben Laurie, Bodo Moeller, Google Security Team] + *) Don't set val to NULL when freeing up structures, it is freed up by + underlying code. If sizeof(void *) > sizeof(long) this can result in + zeroing past the valid field. (CVE-2009-0789) + [Paolo Ganci <Paolo.Ganci@AdNovum.CH>] + + *) Fix bug where return value of CMS_SignerInfo_verify_content() was not + checked correctly. This would allow some invalid signed attributes to + appear to verify correctly. (CVE-2009-0591) + [Ivan Nestlerode <inestlerode@us.ibm.com>] + + *) Reject UniversalString and BMPString types with invalid lengths. This + prevents a crash in ASN1_STRING_print_ex() which assumes the strings have + a legal length. (CVE-2009-0590) + [Steve Henson] + + *) Set S/MIME signing as the default purpose rather than setting it + unconditionally. This allows applications to override it at the store + level. + [Steve Henson] + + *) Permit restricted recursion of ASN1 strings. This is needed in practice + to handle some structures. + [Steve Henson] + + *) Improve efficiency of mem_gets: don't search whole buffer each time + for a '\n' + [Jeremy Shapiro <jnshapir@us.ibm.com>] + + *) New -hex option for openssl rand. + [Matthieu Herrb] + + *) Print out UTF8String and NumericString when parsing ASN1. + [Steve Henson] + + *) Support NumericString type for name components. + [Steve Henson] + + *) Allow CC in the environment to override the automatically chosen + compiler. Note that nothing is done to ensure flags work with the + chosen compiler. + [Ben Laurie] + + Changes between 0.9.8i and 0.9.8j [07 Jan 2009] *) Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077). diff --git a/lib/libssl/src/Configure b/lib/libssl/src/Configure index 09b58f21137..c6dbfae4829 100644 --- a/lib/libssl/src/Configure +++ b/lib/libssl/src/Configure @@ -101,6 +101,11 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta # SHA512_ASM sha512_block is implemented in assembler # AES_ASM ASE_[en|de]crypt is implemented in assembler +# Minimum warning options... any contributions to OpenSSL should at least get +# past these. + +my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED"; + my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL"; # MD2_CHAR slags pentium pros @@ -154,15 +159,15 @@ my %table=( "debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::bn86-elf.o co86-elf.o", "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", -"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::", +"debug-ben-debug", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::", "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll", -"debug-steve64", "gcc:-m64 -DL_ENDIAN -DTERMIO -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DOPENSSL_NO_DEPRECATED -g -pedantic -Wall -Werror -Wno-long-long -Wsign-compare -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-steve32", "gcc:-m32 -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DOPENSSL_NO_DEPRECATED -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -m32 -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared", -"debug-steve-opt", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -m32 -O3 -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared", "debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT:${no_asm}:dlfcn:linux-shared", "debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -948,6 +953,10 @@ print "Configuring for $target\n"; my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); my $cc = $fields[$idx_cc]; +# Allow environment CC to override compiler... +if($ENV{CC}) { + $cc = $ENV{CC}; +} my $cflags = $fields[$idx_cflags]; my $unistd = $fields[$idx_unistd]; my $thread_cflag = $fields[$idx_thread_cflag]; @@ -1048,7 +1057,6 @@ foreach (sort (keys %disabled)) print "\n"; } - my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds; $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys()); @@ -1443,6 +1451,8 @@ while (<IN>) } } $sdirs = 0 unless /\\$/; + s/fips // if (/^DIRS=/ && !$fips); + s/engines // if (/^DIRS=/ && $disabled{"engine"}); s/^VERSION=.*/VERSION=$version/; s/^MAJOR=.*/MAJOR=$major/; s/^MINOR=.*/MINOR=$minor/; diff --git a/lib/libssl/src/FAQ b/lib/libssl/src/FAQ index ce71246fb82..942a671f2c3 100644 --- a/lib/libssl/src/FAQ +++ b/lib/libssl/src/FAQ @@ -78,7 +78,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 0.9.8j was released on Jan 7th, 2009. +OpenSSL 0.9.8k was released on Mar 25th, 2009. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: diff --git a/lib/libssl/src/Makefile b/lib/libssl/src/Makefile index fe0fe168430..57d742e4d40 100644 --- a/lib/libssl/src/Makefile +++ b/lib/libssl/src/Makefile @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=0.9.8j +VERSION=0.9.8k MAJOR=0 MINOR=9.8 SHLIB_VERSION_NUMBER=0.9.8 @@ -133,7 +133,7 @@ FIPSCANLIB= BASEADDR=0xFB00000 -DIRS= crypto fips ssl engines apps test tools +DIRS= crypto ssl engines apps test tools SHLIBDIRS= crypto ssl # dirs in crypto to build @@ -506,6 +506,9 @@ links: @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) @set -e; target=links; $(RECURSIVE_BUILD_CMD) + @if [ -z "$(FIPSCANLIB)" ]; then \ + set -e; target=links; dir=fips ; $(BUILD_CMD) ; \ + fi gentests: @(cd test && echo "generating dummy tests (if needed)..." && \ diff --git a/lib/libssl/src/Makefile.org b/lib/libssl/src/Makefile.org index 4be7dad7d67..d1b56b2f580 100644 --- a/lib/libssl/src/Makefile.org +++ b/lib/libssl/src/Makefile.org @@ -504,6 +504,9 @@ links: @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) @set -e; target=links; $(RECURSIVE_BUILD_CMD) + @if [ -z "$(FIPSCANLIB)" ]; then \ + set -e; target=links; dir=fips ; $(BUILD_CMD) ; \ + fi gentests: @(cd test && echo "generating dummy tests (if needed)..." && \ diff --git a/lib/libssl/src/NEWS b/lib/libssl/src/NEWS index 322c3848f21..37156fc5935 100644 --- a/lib/libssl/src/NEWS +++ b/lib/libssl/src/NEWS @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k: + + o Fix various build issues. + o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789) + Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j: o Fix security issue (CVE-2008-5077) diff --git a/lib/libssl/src/README b/lib/libssl/src/README index b3baac4a369..99a6a7b4bf6 100644 --- a/lib/libssl/src/README +++ b/lib/libssl/src/README @@ -1,5 +1,5 @@ - OpenSSL 0.9.8j + OpenSSL 0.9.8k Copyright (c) 1998-2008 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/lib/libssl/src/apps/apps.c b/lib/libssl/src/apps/apps.c index 367eb177e17..498722a5a25 100644 --- a/lib/libssl/src/apps/apps.c +++ b/lib/libssl/src/apps/apps.c @@ -2428,7 +2428,7 @@ static void readbn(BIGNUM **bn, BIO *bconn) int l; l = BIO_gets(bconn, buf, sizeof buf); - assert(l >= 0); + assert(l > 0); assert(buf[l-1] == '\n'); buf[l-1] = '\0'; BN_hex2bn(bn, buf); diff --git a/lib/libssl/src/apps/ca.c b/lib/libssl/src/apps/ca.c index d74a8bcfcff..df0a0cb19da 100644 --- a/lib/libssl/src/apps/ca.c +++ b/lib/libssl/src/apps/ca.c @@ -83,7 +83,7 @@ # else # include <unixlib.h> # endif -# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) +# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) && !defined(__TANDEM) # include <sys/file.h> # endif #endif diff --git a/lib/libssl/src/apps/dhparam.c b/lib/libssl/src/apps/dhparam.c index 5725a20d075..04bd57c6e8a 100644 --- a/lib/libssl/src/apps/dhparam.c +++ b/lib/libssl/src/apps/dhparam.c @@ -505,7 +505,7 @@ bad: printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n"); printf("\t\t{ DH_free(dh); return(NULL); }\n"); if (dh->length) - printf("\tdh->length = %d;\n", dh->length); + printf("\tdh->length = %ld;\n", dh->length); printf("\treturn(dh);\n\t}\n"); OPENSSL_free(data); } diff --git a/lib/libssl/src/apps/enc.c b/lib/libssl/src/apps/enc.c index 47c6eb604df..f4f9a4c4a4e 100644 --- a/lib/libssl/src/apps/enc.c +++ b/lib/libssl/src/apps/enc.c @@ -533,7 +533,8 @@ bad: BIO_printf(bio_err,"invalid hex iv value\n"); goto end; } - if ((hiv == NULL) && (str == NULL)) + if ((hiv == NULL) && (str == NULL) + && EVP_CIPHER_iv_length(cipher) != 0) { /* No IV was explicitly set and no IV was generated * during EVP_BytesToKey. Hence the IV is undefined, diff --git a/lib/libssl/src/apps/engine.c b/lib/libssl/src/apps/engine.c index 1d0dd9bfbc4..17bd81fb79b 100644 --- a/lib/libssl/src/apps/engine.c +++ b/lib/libssl/src/apps/engine.c @@ -252,7 +252,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent /* Now decide on the output */ if(xpos == 0) /* Do an indent */ - xpos = BIO_printf(bio_out, indent); + xpos = BIO_puts(bio_out, indent); else /* Otherwise prepend a ", " */ xpos += BIO_printf(bio_out, ", "); @@ -263,7 +263,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent (xpos + (int)strlen(name) > line_wrap)) { BIO_printf(bio_out, "\n"); - xpos = BIO_printf(bio_out, indent); + xpos = BIO_puts(bio_out, indent); } xpos += BIO_printf(bio_out, "%s", name); } diff --git a/lib/libssl/src/apps/rand.c b/lib/libssl/src/apps/rand.c index fa35505c187..44a1d46a03c 100644 --- a/lib/libssl/src/apps/rand.c +++ b/lib/libssl/src/apps/rand.c @@ -68,8 +68,8 @@ /* -out file - write to file * -rand file:file - PRNG seed files - * -base64 - encode output - * -hex - hex encode output + * -base64 - base64 encode output + * -hex - hex encode output * num - write 'num' bytes */ @@ -172,7 +172,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-engine e - use engine e, possibly a hardware device.\n"); #endif BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, "-base64 - encode output\n"); + BIO_printf(bio_err, "-base64 - base64 encode output\n"); BIO_printf(bio_err, "-hex - hex encode output\n"); goto err; } @@ -225,13 +225,15 @@ int MAIN(int argc, char **argv) goto err; if (!hex) BIO_write(out, buf, chunk); - else { - int i; + else + { for (i = 0; i < chunk; i++) BIO_printf(out, "%02x", buf[i]); - } + } num -= chunk; } + if (hex) + BIO_puts(out, "\n"); (void)BIO_flush(out); app_RAND_write_file(NULL, bio_err); diff --git a/lib/libssl/src/apps/x509.c b/lib/libssl/src/apps/x509.c index d904d340218..6debce4419e 100644 --- a/lib/libssl/src/apps/x509.c +++ b/lib/libssl/src/apps/x509.c @@ -114,7 +114,7 @@ static const char *x509_usage[]={ " -alias - output certificate alias\n", " -noout - no certificate output\n", " -ocspid - print OCSP hash values for the subject name and public key\n", -" -ocspurl - print OCSP Responder URL(s)\n", +" -ocsp_uri - print OCSP Responder URL(s)\n", " -trustout - output a \"trusted\" certificate\n", " -clrtrust - clear all trusted purposes\n", " -clrreject - clear all rejected purposes\n", diff --git a/lib/libssl/src/config b/lib/libssl/src/config index dde9275b76b..68e7ea17374 100644 --- a/lib/libssl/src/config +++ b/lib/libssl/src/config @@ -29,7 +29,7 @@ EXE="" for i do case "$i" in --d*) PREFIX="debug-";; +-d) PREFIX="debug-";; -t*) TEST="true";; -h*) TEST="true"; cat <<EOF Usage: config [options] @@ -399,11 +399,8 @@ exit 0 # this is where the translation occurs into SSLeay terms # --------------------------------------------------------------------------- -# figure out if gcc is available and if so we use it otherwise -# we fallback to whatever cc does on the system GCCVER=`(gcc -dumpversion) 2>/dev/null` if [ "$GCCVER" != "" ]; then - CC=gcc # then strip off whatever prefix egcs prepends the number with... # Hopefully, this will work for any future prefixes as well. GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'` @@ -412,8 +409,17 @@ if [ "$GCCVER" != "" ]; then # major and minor version numbers. # peak single digit before and after first dot, e.g. 2.95.1 gives 29 GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'` -else - CC=cc +fi + +# Only set CC if not supplied already +if [ -z "$CC" ]; then +# figure out if gcc is available and if so we use it otherwise +# we fallback to whatever cc does on the system + if [ "$GCCVER" != "" ]; then + CC=gcc + else + CC=cc + fi fi GCCVER=${GCCVER:-0} if [ "$SYSTEM" = "HP-UX" ];then diff --git a/lib/libssl/src/crypto/asn1/asn1.h b/lib/libssl/src/crypto/asn1/asn1.h index 424cd348bb5..e3385226d4a 100644 --- a/lib/libssl/src/crypto/asn1/asn1.h +++ b/lib/libssl/src/crypto/asn1/asn1.h @@ -612,6 +612,7 @@ typedef struct BIT_STRING_BITNAME_st { B_ASN1_GENERALIZEDTIME #define B_ASN1_PRINTABLE \ + B_ASN1_NUMERICSTRING| \ B_ASN1_PRINTABLESTRING| \ B_ASN1_T61STRING| \ B_ASN1_IA5STRING| \ @@ -1217,6 +1218,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_BAD_OBJECT_HEADER 102 #define ASN1_R_BAD_PASSWORD_READ 103 #define ASN1_R_BAD_TAG 104 +#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 #define ASN1_R_BN_LIB 105 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 #define ASN1_R_BUFFER_TOO_SMALL 107 @@ -1306,6 +1308,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 #define ASN1_R_UNEXPECTED_EOC 159 +#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 #define ASN1_R_UNKNOWN_FORMAT 160 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 diff --git a/lib/libssl/src/crypto/asn1/asn1_err.c b/lib/libssl/src/crypto/asn1/asn1_err.c index f8a3e2e6cd0..5f5de98eed5 100644 --- a/lib/libssl/src/crypto/asn1/asn1_err.c +++ b/lib/libssl/src/crypto/asn1/asn1_err.c @@ -195,6 +195,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, +{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"}, {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, @@ -284,6 +285,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, +{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"}, {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, diff --git a/lib/libssl/src/crypto/asn1/asn1_par.c b/lib/libssl/src/crypto/asn1/asn1_par.c index 501b62a4b19..8657f73d66a 100644 --- a/lib/libssl/src/crypto/asn1/asn1_par.c +++ b/lib/libssl/src/crypto/asn1/asn1_par.c @@ -213,6 +213,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse (tag == V_ASN1_T61STRING) || (tag == V_ASN1_IA5STRING) || (tag == V_ASN1_VISIBLESTRING) || + (tag == V_ASN1_NUMERICSTRING) || + (tag == V_ASN1_UTF8STRING) || (tag == V_ASN1_UTCTIME) || (tag == V_ASN1_GENERALIZEDTIME)) { diff --git a/lib/libssl/src/crypto/asn1/asn_mime.c b/lib/libssl/src/crypto/asn1/asn_mime.c index bc80b20d632..d8d9e76cc06 100644 --- a/lib/libssl/src/crypto/asn1/asn_mime.c +++ b/lib/libssl/src/crypto/asn1/asn_mime.c @@ -152,7 +152,6 @@ static ASN1_VALUE *b64_read_asn1(BIO *bio, const ASN1_ITEM *it) static int asn1_write_micalg(BIO *out, STACK_OF(X509_ALGOR) *mdalgs) { - const EVP_MD *md; int i, have_unknown = 0, write_comma, md_nid; have_unknown = 0; write_comma = 0; @@ -162,7 +161,6 @@ static int asn1_write_micalg(BIO *out, STACK_OF(X509_ALGOR) *mdalgs) BIO_write(out, ",", 1); write_comma = 1; md_nid = OBJ_obj2nid(sk_X509_ALGOR_value(mdalgs, i)->algorithm); - md = EVP_get_digestbynid(md_nid); switch(md_nid) { case NID_sha1: diff --git a/lib/libssl/src/crypto/asn1/tasn_dec.c b/lib/libssl/src/crypto/asn1/tasn_dec.c index ced641698eb..48bc1c0d4d0 100644 --- a/lib/libssl/src/crypto/asn1/tasn_dec.c +++ b/lib/libssl/src/crypto/asn1/tasn_dec.c @@ -69,7 +69,7 @@ static int asn1_check_eoc(const unsigned char **in, long len); static int asn1_find_end(const unsigned char **in, long len, char inf); static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, - char inf, int tag, int aclass); + char inf, int tag, int aclass, int depth); static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); @@ -611,7 +611,6 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val, err: ASN1_template_free(val, tt); - *val = NULL; return 0; } @@ -758,7 +757,6 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, err: ASN1_template_free(val, tt); - *val = NULL; return 0; } @@ -878,7 +876,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, * internally irrespective of the type. So instead just check * for UNIVERSAL class and ignore the tag. */ - if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL)) + if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) { free_cont = 1; goto err; @@ -1012,6 +1010,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (utype == V_ASN1_BMPSTRING && (len & 1)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_BMPSTRING_IS_WRONG_LENGTH); + goto err; + } + if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); + goto err; + } /* All based on ASN1_STRING and handled the same */ if (!*pval) { @@ -1128,8 +1138,18 @@ static int asn1_find_end(const unsigned char **in, long len, char inf) * if it is indefinite length. */ +#ifndef ASN1_MAX_STRING_NEST +/* This determines how many levels of recursion are permitted in ASN1 + * string types. If it is not limited stack overflows can occur. If set + * to zero no recursion is allowed at all. Although zero should be adequate + * examples exist that require a value of 1. So 5 should be more than enough. + */ +#define ASN1_MAX_STRING_NEST 5 +#endif + + static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, - char inf, int tag, int aclass) + char inf, int tag, int aclass, int depth) { const unsigned char *p, *q; long plen; @@ -1171,13 +1191,15 @@ static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, /* If indefinite length constructed update max length */ if (cst) { -#ifdef OPENSSL_ALLOW_NESTED_ASN1_STRINGS - if (!asn1_collect(buf, &p, plen, ininf, tag, aclass)) + if (depth >= ASN1_MAX_STRING_NEST) + { + ASN1err(ASN1_F_ASN1_COLLECT, + ASN1_R_NESTED_ASN1_STRING); + return 0; + } + if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, + depth + 1)) return 0; -#else - ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING); - return 0; -#endif } else if (plen && !collect_data(buf, &p, plen)) return 0; diff --git a/lib/libssl/src/crypto/bio/bss_mem.c b/lib/libssl/src/crypto/bio/bss_mem.c index a4edb711aec..e7ab9cb3a3f 100644 --- a/lib/libssl/src/crypto/bio/bss_mem.c +++ b/lib/libssl/src/crypto/bio/bss_mem.c @@ -284,6 +284,7 @@ static int mem_gets(BIO *bp, char *buf, int size) BIO_clear_retry_flags(bp); j=bm->length; + if ((size-1) < j) j=size-1; if (j <= 0) { *buf='\0'; @@ -292,17 +293,18 @@ static int mem_gets(BIO *bp, char *buf, int size) p=bm->data; for (i=0; i<j; i++) { - if (p[i] == '\n') break; - } - if (i == j) - { - BIO_set_retry_read(bp); - /* return(-1); change the semantics 0.6.6a */ + if (p[i] == '\n') + { + i++; + break; + } } - else - i++; - /* i is the max to copy */ - if ((size-1) < i) i=size-1; + + /* + * i is now the max num of bytes to copy, either j or up to + * and including the first newline + */ + i=mem_read(bp,buf,i); if (i > 0) buf[i]='\0'; ret=i; diff --git a/lib/libssl/src/crypto/bio/bss_sock.c b/lib/libssl/src/crypto/bio/bss_sock.c index 472dd75821c..30c3ceab468 100644 --- a/lib/libssl/src/crypto/bio/bss_sock.c +++ b/lib/libssl/src/crypto/bio/bss_sock.c @@ -60,6 +60,9 @@ #include <errno.h> #define USE_SOCKETS #include "cryptlib.h" + +#ifndef OPENSSL_NO_SOCK + #include <openssl/bio.h> #ifdef WATT32 @@ -300,3 +303,5 @@ int BIO_sock_non_fatal_error(int err) } return(0); } + +#endif /* #ifndef OPENSSL_NO_SOCK */ diff --git a/lib/libssl/src/crypto/cms/cms_smime.c b/lib/libssl/src/crypto/cms/cms_smime.c index b9463f9abbc..f35883aa22b 100644 --- a/lib/libssl/src/crypto/cms/cms_smime.c +++ b/lib/libssl/src/crypto/cms/cms_smime.c @@ -298,7 +298,7 @@ static int cms_signerinfo_verify_cert(CMS_SignerInfo *si, CMS_R_STORE_INIT_ERROR); goto err; } - X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_SMIME_SIGN); + X509_STORE_CTX_set_default(&ctx, "smime_sign"); if (crls) X509_STORE_CTX_set0_crls(&ctx, crls); @@ -425,7 +425,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { si = sk_CMS_SignerInfo_value(sinfos, i); - if (!CMS_SignerInfo_verify_content(si, cmsbio)) + if (CMS_SignerInfo_verify_content(si, cmsbio) <= 0) { CMSerr(CMS_F_CMS_VERIFY, CMS_R_CONTENT_VERIFY_ERROR); diff --git a/lib/libssl/src/crypto/conf/conf_mod.c b/lib/libssl/src/crypto/conf/conf_mod.c index e286378cb19..ee9c677d9bd 100644 --- a/lib/libssl/src/crypto/conf/conf_mod.c +++ b/lib/libssl/src/crypto/conf/conf_mod.c @@ -588,7 +588,7 @@ int CONF_parse_list(const char *list_, int sep, int nospc, { if (nospc) { - while(isspace((unsigned char)*lstart)) + while(*lstart && isspace((unsigned char)*lstart)) lstart++; } p = strchr(lstart, sep); diff --git a/lib/libssl/src/crypto/crypto-lib.com b/lib/libssl/src/crypto/crypto-lib.com index db9c882fb08..e72af90822b 100644 --- a/lib/libssl/src/crypto/crypto-lib.com +++ b/lib/libssl/src/crypto/crypto-lib.com @@ -169,7 +169,7 @@ $ LIB_SHA = "sha_dgst,sha1dgst,sha_one,sha1_one,sha256,sha512" $ LIB_MDC2 = "mdc2dgst,mdc2_one" $ LIB_HMAC = "hmac" $ LIB_RIPEMD = "rmd_dgst,rmd_one" -$ LIB_DES = "set_key,ecb_enc,cbc_enc,"+ - +$ LIB_DES = "des_lib,set_key,ecb_enc,cbc_enc,"+ - "ecb3_enc,cfb64enc,cfb64ede,cfb_enc,ofb64ede,"+ - "enc_read,enc_writ,ofb64enc,"+ - "ofb_enc,str2key,pcbc_enc,qud_cksm,rand_key,"+ - @@ -191,7 +191,7 @@ $ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,bn_mod,"+ - "bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ - "bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+","+ - "bn_recp,bn_mont,bn_mpi,bn_exp2,bn_gf2m,bn_nist,"+ - - "bn_depr,bn_const" + "bn_depr,bn_x931p,bn_const,bn_opt" $ LIB_EC = "ec_lib,ecp_smpl,ecp_mont,ecp_nist,ec_cvt,ec_mult,"+ - "ec_err,ec_curve,ec_check,ec_print,ec_asn1,ec_key,"+ - "ec2_smpl,ec2_mult" @@ -211,7 +211,7 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ - "tb_cipher,tb_digest,"+ - "eng_openssl,eng_dyn,eng_cnf,eng_cryptodev,eng_padlock" $ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,"+ - - "aes_ctr,aes_ige" + "aes_ctr,aes_ige,aes_wrap" $ LIB_BUFFER = "buffer,buf_str,buf_err" $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ - "bss_mem,bss_null,bss_fd,"+ - @@ -246,7 +246,7 @@ $ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ - $ LIB_ASN1_2 = "t_req,t_x509,t_x509a,t_crl,t_pkey,t_spki,t_bitst,"+ - "tasn_new,tasn_fre,tasn_enc,tasn_dec,tasn_utl,tasn_typ,"+ - "f_int,f_string,n_pkey,"+ - - "f_enum,a_hdr,x_pkey,a_bool,x_exten,"+ - + "f_enum,a_hdr,x_pkey,a_bool,x_exten,asn_mime,"+ - "asn1_gen,asn1_par,asn1_lib,asn1_err,a_meth,a_bytes,a_strnid,"+ - "evp_asn1,asn_pack,p5_pbe,p5_pbev2,p8_pkey,asn_moid" $ LIB_PEM = "pem_sign,pem_seal,pem_info,pem_lib,pem_all,pem_err,"+ - diff --git a/lib/libssl/src/crypto/dh/dh.h b/lib/libssl/src/crypto/dh/dh.h index 0a39742773c..10475ac4b3c 100644 --- a/lib/libssl/src/crypto/dh/dh.h +++ b/lib/libssl/src/crypto/dh/dh.h @@ -122,7 +122,7 @@ struct dh_st int version; BIGNUM *p; BIGNUM *g; - int length; /* optional */ + long length; /* optional */ BIGNUM *pub_key; /* g^x */ BIGNUM *priv_key; /* x */ @@ -238,8 +238,6 @@ void ERR_load_DH_strings(void); #define DH_R_KEY_SIZE_TOO_SMALL 104 #define DH_R_MODULUS_TOO_LARGE 103 #define DH_R_NO_PRIVATE_VALUE 100 -#define DH_R_INVALID_PUBKEY 102 -#define DH_R_MODULUS_TOO_LARGE 103 #ifdef __cplusplus } diff --git a/lib/libssl/src/crypto/dh/dh_err.c b/lib/libssl/src/crypto/dh/dh_err.c index b364362fcae..13263c81c1b 100644 --- a/lib/libssl/src/crypto/dh/dh_err.c +++ b/lib/libssl/src/crypto/dh/dh_err.c @@ -90,8 +90,6 @@ static ERR_STRING_DATA DH_str_reasons[]= {ERR_REASON(DH_R_KEY_SIZE_TOO_SMALL) ,"key size too small"}, {ERR_REASON(DH_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {ERR_REASON(DH_R_NO_PRIVATE_VALUE) ,"no private value"}, -{ERR_REASON(DH_R_INVALID_PUBKEY) ,"invalid public key"}, -{ERR_REASON(DH_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {0,NULL} }; diff --git a/lib/libssl/src/crypto/evp/evp_test.c b/lib/libssl/src/crypto/evp/evp_test.c index bb6f02c2e9f..436be20bf10 100644 --- a/lib/libssl/src/crypto/evp/evp_test.c +++ b/lib/libssl/src/crypto/evp/evp_test.c @@ -220,18 +220,18 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, test1_exit(7); } - if(outl+outl2 != cn) + if(outl+outl2 != pn) { fprintf(stderr,"Plaintext length mismatch got %d expected %d\n", - outl+outl2,cn); + outl+outl2,pn); test1_exit(8); } - if(memcmp(out,plaintext,cn)) + if(memcmp(out,plaintext,pn)) { fprintf(stderr,"Plaintext mismatch\n"); - hexdump(stderr,"Got",out,cn); - hexdump(stderr,"Expected",plaintext,cn); + hexdump(stderr,"Got",out,pn); + hexdump(stderr,"Expected",plaintext,pn); test1_exit(9); } } diff --git a/lib/libssl/src/crypto/opensslv.h b/lib/libssl/src/crypto/opensslv.h index 09687b5136a..c6207f76b2c 100644 --- a/lib/libssl/src/crypto/opensslv.h +++ b/lib/libssl/src/crypto/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x009080afL +#define OPENSSL_VERSION_NUMBER 0x009080bfL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8j-fips 07 Jan 2009" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8k-fips 25 Mar 2009" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8j 07 Jan 2009" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8k 25 Mar 2009" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/lib/libssl/src/crypto/pem/pem.h b/lib/libssl/src/crypto/pem/pem.h index 6f8e01544bb..6c193f1cbfa 100644 --- a/lib/libssl/src/crypto/pem/pem.h +++ b/lib/libssl/src/crypto/pem/pem.h @@ -215,7 +215,9 @@ typedef struct pem_ctx_st #define IMPLEMENT_PEM_read_fp(name, type, str, asn1) /**/ #define IMPLEMENT_PEM_write_fp(name, type, str, asn1) /**/ +#define IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) /**/ #define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) /**/ +#define IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) /**/ #else @@ -355,6 +357,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \ #define DECLARE_PEM_read_fp(name, type) /**/ #define DECLARE_PEM_write_fp(name, type) /**/ +#define DECLARE_PEM_write_fp_const(name, type) /**/ #define DECLARE_PEM_write_cb_fp(name, type) /**/ #else @@ -392,6 +395,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \ #define DECLARE_PEM_read_bio(name, type) /**/ #define DECLARE_PEM_write_bio(name, type) /**/ +#define DECLARE_PEM_write_bio_const(name, type) /**/ #define DECLARE_PEM_write_cb_bio(name, type) /**/ #endif diff --git a/lib/libssl/src/crypto/pkcs12/p12_crt.c b/lib/libssl/src/crypto/pkcs12/p12_crt.c index e863de52cef..9522342fa5e 100644 --- a/lib/libssl/src/crypto/pkcs12/p12_crt.c +++ b/lib/libssl/src/crypto/pkcs12/p12_crt.c @@ -170,6 +170,9 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, p12 = PKCS12_add_safes(safes, 0); + if (!p12) + goto err; + sk_PKCS7_pop_free(safes, PKCS7_free); safes = NULL; diff --git a/lib/libssl/src/crypto/pkcs7/pk7_smime.c b/lib/libssl/src/crypto/pkcs7/pk7_smime.c index c34db1d6fed..fd18ec3d95c 100644 --- a/lib/libssl/src/crypto/pkcs7/pk7_smime.c +++ b/lib/libssl/src/crypto/pkcs7/pk7_smime.c @@ -229,8 +229,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, sk_X509_free(signers); return 0; } - X509_STORE_CTX_set_purpose(&cert_ctx, - X509_PURPOSE_SMIME_SIGN); + X509_STORE_CTX_set_default(&cert_ctx, "smime_sign"); } else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) { PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB); sk_X509_free(signers); diff --git a/lib/libssl/src/crypto/rand/rand_unix.c b/lib/libssl/src/crypto/rand/rand_unix.c index 964d25833cd..58c61730946 100644 --- a/lib/libssl/src/crypto/rand/rand_unix.c +++ b/lib/libssl/src/crypto/rand/rand_unix.c @@ -226,7 +226,7 @@ int RAND_poll(void) t.tv_sec = 0; t.tv_usec = usec; - if (FD_SETSIZE > 0 && fd >= FD_SETSIZE) + if (FD_SETSIZE > 0 && (unsigned)fd >= FD_SETSIZE) { /* can't use select, so just try to read once anyway */ try_read = 1; diff --git a/lib/libssl/src/crypto/rand/randfile.c b/lib/libssl/src/crypto/rand/randfile.c index f63fbc17319..d108353bbc2 100644 --- a/lib/libssl/src/crypto/rand/randfile.c +++ b/lib/libssl/src/crypto/rand/randfile.c @@ -261,7 +261,7 @@ const char *RAND_file_name(char *buf, size_t size) struct stat sb; #endif - if (issetugid() == 0) + if (OPENSSL_issetugid() == 0) s=getenv("RANDFILE"); if (s != NULL && *s && strlen(s) + 1 < size) { @@ -270,7 +270,7 @@ const char *RAND_file_name(char *buf, size_t size) } else { - if (issetugid() == 0) + if (OPENSSL_issetugid() == 0) s=getenv("HOME"); #ifdef DEFAULT_HOME if (s == NULL) diff --git a/lib/libssl/src/crypto/symhacks.h b/lib/libssl/src/crypto/symhacks.h index 6cfb5fe4794..8728e6124da 100644 --- a/lib/libssl/src/crypto/symhacks.h +++ b/lib/libssl/src/crypto/symhacks.h @@ -62,6 +62,10 @@ VAX. */ #ifdef OPENSSL_SYS_VMS +/* Hack a long name in crypto/cryptlib.c */ +#undef int_CRYPTO_set_do_dynlock_callback +#define int_CRYPTO_set_do_dynlock_callback int_CRYPTO_set_do_dynlock_cb + /* Hack a long name in crypto/ex_data.c */ #undef CRYPTO_get_ex_data_implementation #define CRYPTO_get_ex_data_implementation CRYPTO_get_ex_data_impl diff --git a/lib/libssl/src/crypto/ui/ui_lib.c b/lib/libssl/src/crypto/ui/ui_lib.c index 7ab249c3be3..ac0100808f5 100644 --- a/lib/libssl/src/crypto/ui/ui_lib.c +++ b/lib/libssl/src/crypto/ui/ui_lib.c @@ -90,6 +90,7 @@ UI *UI_new_method(const UI_METHOD *method) ret->strings=NULL; ret->user_data=NULL; + ret->flags=0; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data); return ret; } diff --git a/lib/libssl/src/crypto/x509/x509_cmp.c b/lib/libssl/src/crypto/x509/x509_cmp.c index e4c682fc44e..2faf92514a2 100644 --- a/lib/libssl/src/crypto/x509/x509_cmp.c +++ b/lib/libssl/src/crypto/x509/x509_cmp.c @@ -288,7 +288,8 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) if (!(nabit & STR_TYPE_CMP) || !(nbbit & STR_TYPE_CMP)) return j; - j = asn1_string_memcmp(na->value, nb->value); + if (!asn1_string_memcmp(na->value, nb->value)) + j = 0; } else if (na->value->type == V_ASN1_PRINTABLESTRING) j=nocase_spacenorm_cmp(na->value, nb->value); diff --git a/lib/libssl/src/crypto/x509v3/v3_addr.c b/lib/libssl/src/crypto/x509v3/v3_addr.c index a37f844d3c2..efdf7c3ba75 100644 --- a/lib/libssl/src/crypto/x509v3/v3_addr.c +++ b/lib/libssl/src/crypto/x509v3/v3_addr.c @@ -61,7 +61,7 @@ #include <stdio.h> #include <stdlib.h> -#include <assert.h> + #include "cryptlib.h" #include <openssl/conf.h> #include <openssl/asn1.h> @@ -128,7 +128,7 @@ static int length_from_afi(const unsigned afi) /* * Extract the AFI from an IPAddressFamily. */ -unsigned v3_addr_get_afi(const IPAddressFamily *f) +unsigned int v3_addr_get_afi(const IPAddressFamily *f) { return ((f != NULL && f->addressFamily != NULL && @@ -147,7 +147,7 @@ static void addr_expand(unsigned char *addr, const int length, const unsigned char fill) { - assert(bs->length >= 0 && bs->length <= length); + OPENSSL_assert(bs->length >= 0 && bs->length <= length); if (bs->length > 0) { memcpy(addr, bs->data, bs->length); if ((bs->flags & 7) != 0) { @@ -190,6 +190,8 @@ static int i2r_address(BIO *out, BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : "")); if (i < 16) BIO_puts(out, ":"); + if (i == 0) + BIO_puts(out, ":"); break; default: for (i = 0; i < bs->length; i++) @@ -243,7 +245,7 @@ static int i2r_IPAddrBlocks(X509V3_EXT_METHOD *method, int i; for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); - const unsigned afi = v3_addr_get_afi(f); + const unsigned int afi = v3_addr_get_afi(f); switch (afi) { case IANA_AFI_IPV4: BIO_printf(out, "%*sIPv4", indent, ""); @@ -453,7 +455,7 @@ static int make_addressRange(IPAddressOrRange **result, if ((aor = IPAddressOrRange_new()) == NULL) return 0; aor->type = IPAddressOrRange_addressRange; - assert(aor->u.addressRange == NULL); + OPENSSL_assert(aor->u.addressRange == NULL); if ((aor->u.addressRange = IPAddressRange_new()) == NULL) goto err; if (aor->u.addressRange->min == NULL && @@ -522,7 +524,7 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { f = sk_IPAddressFamily_value(addr, i); - assert(f->addressFamily->data != NULL); + OPENSSL_assert(f->addressFamily->data != NULL); if (f->addressFamily->length == keylen && !memcmp(f->addressFamily->data, key, keylen)) return f; @@ -654,7 +656,7 @@ static void extract_min_max(IPAddressOrRange *aor, unsigned char *max, int length) { - assert(aor != NULL && min != NULL && max != NULL); + OPENSSL_assert(aor != NULL && min != NULL && max != NULL); switch (aor->type) { case IPAddressOrRange_addressPrefix: addr_expand(min, aor->u.addressPrefix, length, 0x00); @@ -880,7 +882,7 @@ int v3_addr_canonize(IPAddrBlocks *addr) } (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); sk_IPAddressFamily_sort(addr); - assert(v3_addr_is_canonical(addr)); + OPENSSL_assert(v3_addr_is_canonical(addr)); return 1; } @@ -1127,7 +1129,10 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) for (i = 0; i < sk_IPAddressFamily_num(a); i++) { IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); int j = sk_IPAddressFamily_find(b, fa); - IPAddressFamily *fb = sk_IPAddressFamily_value(b, j); + IPAddressFamily *fb; + fb = sk_IPAddressFamily_value(b, j); + if (fb == NULL) + return 0; if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, fa->ipAddressChoice->u.addressesOrRanges, length_from_afi(v3_addr_get_afi(fb)))) @@ -1164,9 +1169,9 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, int i, j, ret = 1; X509 *x = NULL; - assert(chain != NULL && sk_X509_num(chain) > 0); - assert(ctx != NULL || ext != NULL); - assert(ctx == NULL || ctx->verify_cb != NULL); + OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); + OPENSSL_assert(ctx != NULL || ext != NULL); + OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); /* * Figure out where to start. If we don't have an extension to @@ -1178,7 +1183,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, } else { i = 0; x = sk_X509_value(chain, i); - assert(x != NULL); + OPENSSL_assert(x != NULL); if ((ext = x->rfc3779_addr) == NULL) goto done; } @@ -1197,7 +1202,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, */ for (i++; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); - assert(x != NULL); + OPENSSL_assert(x != NULL); if (!v3_addr_is_canonical(x->rfc3779_addr)) validation_err(X509_V_ERR_INVALID_EXTENSION); if (x->rfc3779_addr == NULL) { diff --git a/lib/libssl/src/crypto/x509v3/v3_cpols.c b/lib/libssl/src/crypto/x509v3/v3_cpols.c index 95596055ab4..ad0506d75c8 100644 --- a/lib/libssl/src/crypto/x509v3/v3_cpols.c +++ b/lib/libssl/src/crypto/x509v3/v3_cpols.c @@ -181,7 +181,11 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, pol = POLICYINFO_new(); pol->policyid = pobj; } - sk_POLICYINFO_push(pols, pol); + if (!sk_POLICYINFO_push(pols, pol)){ + POLICYINFO_free(pol); + X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE); + goto err; + } } sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); return pols; @@ -447,3 +451,4 @@ void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent) BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, ""); } +IMPLEMENT_STACK_OF(X509_POLICY_NODE) diff --git a/lib/libssl/src/doc/apps/rand.pod b/lib/libssl/src/doc/apps/rand.pod index 75745ca0023..d1d213ef43c 100644 --- a/lib/libssl/src/doc/apps/rand.pod +++ b/lib/libssl/src/doc/apps/rand.pod @@ -10,6 +10,7 @@ B<openssl rand> [B<-out> I<file>] [B<-rand> I<file(s)>] [B<-base64>] +[B<-hex>] I<num> =head1 DESCRIPTION @@ -41,6 +42,10 @@ all others. Perform base64 encoding on the output. +=item B<-hex> + +Show the output as a hex string. + =back =head1 SEE ALSO diff --git a/lib/libssl/src/doc/apps/x509.pod b/lib/libssl/src/doc/apps/x509.pod index a925da41f16..f43c1752350 100644 --- a/lib/libssl/src/doc/apps/x509.pod +++ b/lib/libssl/src/doc/apps/x509.pod @@ -155,7 +155,7 @@ outputs the "hash" of the certificate issuer name. =item B<-hash> -synonym for "-hash" for backward compatibility reasons. +synonym for "-subject_hash" for backward compatibility reasons. =item B<-subject> diff --git a/lib/libssl/src/ms/do_masm.bat b/lib/libssl/src/ms/do_masm.bat index 8c22256b32f..a8575321f9b 100644 --- a/lib/libssl/src/ms/do_masm.bat +++ b/lib/libssl/src/ms/do_masm.bat @@ -1,74 +1,70 @@ -@echo off - -SET ASMOPTS=-DOPENSSL_IA32_SSE2 -echo Generating x86 for MASM assember - -echo Bignum -cd crypto\bn\asm -perl bn-586.pl win32 %ASMOPTS% > bn_win32.asm -perl co-586.pl win32 %ASMOPTS% > co_win32.asm -perl mo-586.pl win32 %ASMOPTS% > mt_win32.asm -cd ..\..\.. - -echo AES -cd crypto\aes\asm -perl aes-586.pl win32 %ASMOPTS% > a_win32.asm -cd ..\..\.. - -echo DES -cd crypto\des\asm -perl des-586.pl win32 %ASMOPTS% > d_win32.asm -cd ..\..\.. - -echo "crypt(3)" - -cd crypto\des\asm -perl crypt586.pl win32 %ASMOPTS% > y_win32.asm -cd ..\..\.. - -echo Blowfish - -cd crypto\bf\asm -perl bf-586.pl win32 %ASMOPTS% > b_win32.asm -cd ..\..\.. - -echo CAST5 -cd crypto\cast\asm -perl cast-586.pl win32 %ASMOPTS% > c_win32.asm -cd ..\..\.. - -echo RC4 -cd crypto\rc4\asm -perl rc4-586.pl win32 %ASMOPTS% > r4_win32.asm -cd ..\..\.. - -echo MD5 -cd crypto\md5\asm -perl md5-586.pl win32 %ASMOPTS% > m5_win32.asm -cd ..\..\.. - -echo SHA1 -cd crypto\sha\asm -perl sha1-586.pl win32 %ASMOPTS% > s1_win32.asm -perl sha512-sse2.pl win32 %ASMOPTS% > sha512-sse2.asm -cd ..\..\.. - -echo RIPEMD160 -cd crypto\ripemd\asm -perl rmd-586.pl win32 %ASMOPTS% > rm_win32.asm -cd ..\..\.. - -echo RC5\32 -cd crypto\rc5\asm -perl rc5-586.pl win32 %ASMOPTS% > r5_win32.asm -cd ..\..\.. - -echo CPU-ID -cd crypto -perl x86cpuid.pl win32 %ASMOPTS% > cpu_win32.asm -cd .. - -echo on +@SET ASMOPTS=-DOPENSSL_IA32_SSE2 +@echo Generating x86 for MASM assember + +@echo Bignum +@cd crypto\bn\asm +@perl bn-586.pl win32 %ASMOPTS% > bn_win32.asm +@perl co-586.pl win32 %ASMOPTS% > co_win32.asm +@perl mo-586.pl win32 %ASMOPTS% > mt_win32.asm +@cd ..\..\.. + +@echo AES +@cd crypto\aes\asm +@perl aes-586.pl win32 %ASMOPTS% > a_win32.asm +@cd ..\..\.. + +@echo DES +@cd crypto\des\asm +@perl des-586.pl win32 %ASMOPTS% > d_win32.asm +@cd ..\..\.. + +@echo "crypt(3)" + +@cd crypto\des\asm +@perl crypt586.pl win32 %ASMOPTS% > y_win32.asm +@cd ..\..\.. + +@echo Blowfish + +@cd crypto\bf\asm +@perl bf-586.pl win32 %ASMOPTS% > b_win32.asm +@cd ..\..\.. + +@echo CAST5 +@cd crypto\cast\asm +@perl cast-586.pl win32 %ASMOPTS% > c_win32.asm +@cd ..\..\.. + +@echo RC4 +@cd crypto\rc4\asm +@perl rc4-586.pl win32 %ASMOPTS% > r4_win32.asm +@cd ..\..\.. + +@echo MD5 +@cd crypto\md5\asm +@perl md5-586.pl win32 %ASMOPTS% > m5_win32.asm +@cd ..\..\.. + +@echo SHA1 +@cd crypto\sha\asm +@perl sha1-586.pl win32 %ASMOPTS% > s1_win32.asm +@perl sha512-sse2.pl win32 %ASMOPTS% > sha512-sse2.asm +@cd ..\..\.. + +@echo RIPEMD160 +@cd crypto\ripemd\asm +@perl rmd-586.pl win32 %ASMOPTS% > rm_win32.asm +@cd ..\..\.. + +@echo RC5\32 +@cd crypto\rc5\asm +@perl rc5-586.pl win32 %ASMOPTS% > r5_win32.asm +@cd ..\..\.. + +@echo CPU-ID +@cd crypto +@perl x86cpuid.pl win32 %ASMOPTS% > cpu_win32.asm +@cd .. perl util\mkfiles.pl >MINFO perl util\mk1mf.pl VC-WIN32 >ms\nt.mak diff --git a/lib/libssl/src/openssl.spec b/lib/libssl/src/openssl.spec index 6008c3c9c83..329e3925b74 100644 --- a/lib/libssl/src/openssl.spec +++ b/lib/libssl/src/openssl.spec @@ -1,7 +1,7 @@ %define libmaj 0 %define libmin 9 %define librel 8 -%define librev j +%define librev k Release: 1 %define openssldir /var/ssl diff --git a/lib/libssl/src/ssl/ssl_ciph.c b/lib/libssl/src/ssl/ssl_ciph.c index 4116fd12f1a..e9c9a083065 100644 --- a/lib/libssl/src/ssl/ssl_ciph.c +++ b/lib/libssl/src/ssl/ssl_ciph.c @@ -1355,7 +1355,7 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) comp->method=cm; load_builtin_compressions(); if (ssl_comp_methods - && !sk_SSL_COMP_find(ssl_comp_methods,comp)) + && sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0) { OPENSSL_free(comp); MemCheck_on(); diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c index 1ac7d6f951c..1a961a9e9e8 100644 --- a/lib/libssl/src/ssl/ssl_lib.c +++ b/lib/libssl/src/ssl/ssl_lib.c @@ -510,6 +510,8 @@ void SSL_free(SSL *s) if (s->ctx) SSL_CTX_free(s->ctx); #ifndef OPENSSL_NO_TLSEXT + if (s->tlsext_hostname) + OPENSSL_free(s->tlsext_hostname); if (s->initial_ctx) SSL_CTX_free(s->initial_ctx); if (s->tlsext_ocsp_exts) sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, diff --git a/lib/libssl/src/test/Makefile b/lib/libssl/src/test/Makefile index 73d64440b15..228ee368cd7 100644 --- a/lib/libssl/src/test/Makefile +++ b/lib/libssl/src/test/Makefile @@ -404,6 +404,8 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ elif [ -n "$(FIPSCANLIB)" ]; then \ FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \ + else \ + LIBRARIES="$(LIBCRYPTO)"; \ fi; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ diff --git a/lib/libssl/src/util/domd b/lib/libssl/src/util/domd index 691be7a440a..560ebeaf820 100644 --- a/lib/libssl/src/util/domd +++ b/lib/libssl/src/util/domd @@ -22,7 +22,7 @@ if [ "$MAKEDEPEND" = "gcc" ]; then done sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp - gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp + ${CC:-gcc} -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new rm -f Makefile.tmp else diff --git a/lib/libssl/src/util/libeay.num b/lib/libssl/src/util/libeay.num index 0eb54ddc891..74eb337227b 100644 --- a/lib/libssl/src/util/libeay.num +++ b/lib/libssl/src/util/libeay.num @@ -3667,7 +3667,8 @@ CRYPTO_set_mem_info_functions 4053 EXIST::FUNCTION: RSA_X931_generate_key_ex 4054 EXIST::FUNCTION:RSA int_ERR_set_state_func 4055 EXIST:OPENSSL_FIPS:FUNCTION: int_EVP_MD_set_engine_callbacks 4056 EXIST:OPENSSL_FIPS:FUNCTION:ENGINE -int_CRYPTO_set_do_dynlock_callback 4057 EXIST::FUNCTION: +int_CRYPTO_set_do_dynlock_callback 4057 EXIST:!VMS:FUNCTION: +int_CRYPTO_set_do_dynlock_cb 4057 EXIST:VMS:FUNCTION: FIPS_rng_stick 4058 EXIST:OPENSSL_FIPS:FUNCTION: EVP_CIPHER_CTX_set_flags 4059 EXIST::FUNCTION: BN_X931_generate_prime_ex 4060 EXIST::FUNCTION: diff --git a/lib/libssl/src/util/pl/VC-32.pl b/lib/libssl/src/util/pl/VC-32.pl index 166785db8d3..8eb3c6c4bdc 100644 --- a/lib/libssl/src/util/pl/VC-32.pl +++ b/lib/libssl/src/util/pl/VC-32.pl @@ -164,7 +164,7 @@ if ($FLAVOR =~ /NT/) $ex_libs="unicows.lib $ex_libs"; } # static library stuff -$mklib='lib'; +$mklib='lib /nologo'; $ranlib=''; $plib=""; $libp=".lib"; @@ -184,7 +184,7 @@ if ($nasm) { $asm.=' /Zi' if $debug; $afile='/Fo'; } else { - $asm='ml /Cp /coff /c /Cx'; + $asm='ml /nologo /Cp /coff /c /Cx'; $asm.=" /Zi" if $debug; $afile='/Fo'; } @@ -404,7 +404,7 @@ sub do_link_rule if ($standalone == 1) { $ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n\t"; - $ret.= "$mwex advapi32.lib " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild); + $ret.= "\$(EX_LIBS) " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild); $ret.="$files $libs\n<<\n"; } elsif ($standalone == 2) |