diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index b8630792adf1..4a0363a1c2dd 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -1,6483 +1,6528 @@ OpenSSL CHANGES _______________ + Changes between 0.9.7c and 0.9.7d [17 Mar 2004] + + *) Fix null-pointer assignment in do_change_cipher_spec() revealed + by using the Codenomicon TLS Test Tool (CAN-2004-0079) + [Joe Orton, Steve Henson] + + *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites + (CAN-2004-0112) + [Joe Orton, Steve Henson] + + *) Make it possible to have multiple active certificates with the same + subject in the CA index file. This is done only if the keyword + 'unique_subject' is set to 'no' in the main CA section (default + if 'CA_default') of the configuration file. The value is saved + with the database itself in a separate index attribute file, + named like the index file with '.attr' appended to the name. + [Richard Levitte] + + *) X509 verify fixes. Disable broken certificate workarounds when + X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if + keyUsage extension present. Don't accept CRLs with unhandled critical + extensions: since verify currently doesn't process CRL extensions this + rejects a CRL with *any* critical extensions. Add new verify error codes + for these cases. + [Steve Henson] + + *) When creating an OCSP nonce use an OCTET STRING inside the extnValue. + A clarification of RFC2560 will require the use of OCTET STRINGs and + some implementations cannot handle the current raw format. Since OpenSSL + copies and compares OCSP nonces as opaque blobs without any attempt at + parsing them this should not create any compatibility issues. + [Steve Henson] + + *) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when + calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without + this HMAC (and other) operations are several times slower than OpenSSL + < 0.9.7. + [Steve Henson] + + *) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex(). + [Peter Sylvester ] + + *) Use the correct content when signing type "other". + [Steve Henson] + Changes between 0.9.7b and 0.9.7c [30 Sep 2003] *) Fix various bugs revealed by running the NISCC test suite: Stop out of bounds reads in the ASN1 code when presented with invalid tags (CAN-2003-0543 and CAN-2003-0544). Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545). If verify callback ignores invalid public key errors don't try to check certificate signature with the NULL public key. [Steve Henson] *) New -ignore_err option in ocsp application to stop the server exiting on the first error in a request. [Steve Henson] *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate if the server requested one: as stated in TLS 1.0 and SSL 3.0 specifications. [Steve Henson] *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional extra data after the compression methods not only for TLS 1.0 but also for SSL 3.0 (as required by the specification). [Bodo Moeller; problem pointed out by Matthias Loepfe] *) Change X509_certificate_type() to mark the key as exported/exportable when it's 512 *bits* long, not 512 bytes. [Richard Levitte] *) Change AES_cbc_encrypt() so it outputs exact multiple of blocks during encryption. [Richard Levitte] *) Various fixes to base64 BIO and non blocking I/O. On write flushes were not handled properly if the BIO retried. On read data was not being buffered properly and had various logic bugs. This also affects blocking I/O when the data being decoded is a certain size. [Steve Henson] *) Various S/MIME bugfixes and compatibility changes: output correct application/pkcs7 MIME type if PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures. Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening of files as .eml work). Correctly handle very long lines in MIME parser. [Steve Henson] Changes between 0.9.7a and 0.9.7b [10 Apr 2003] *) Countermeasure against the Klima-Pokorny-Rosa extension of Bleichbacher's attack on PKCS #1 v1.5 padding: treat a protocol version number mismatch like a decryption error in ssl3_get_client_key_exchange (ssl/s3_srvr.c). [Bodo Moeller] *) Turn on RSA blinding by default in the default implementation to avoid a timing attack. Applications that don't want it can call RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. They would be ill-advised to do so in most cases. [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] *) Change RSA blinding code so that it works when the PRNG is not seeded (in this case, the secret RSA exponent is abused as an unpredictable seed -- if it is not unpredictable, there is no point in blinding anyway). Make RSA blinding thread-safe by remembering the creator's thread ID in rsa->blinding and having all other threads use local one-time blinding factors (this requires more computation than sharing rsa->blinding, but avoids excessive locking; and if an RSA object is not shared between threads, blinding will still be very fast). [Bodo Moeller] *) Fixed a typo bug that would cause ENGINE_set_default() to set an ENGINE as defaults for all supported algorithms irrespective of the 'flags' parameter. 'flags' is now honoured, so applications should make sure they are passing it correctly. [Geoff Thorpe] *) Target "mingw" now allows native Windows code to be generated in the Cygwin environment as well as with the MinGW compiler. [Ulf Moeller] Changes between 0.9.7 and 0.9.7a [19 Feb 2003] *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked via timing by performing a MAC computation even if incorrrect block cipher padding has been found. This is a countermeasure against active attacks where the attacker has to distinguish between bad padding and a MAC verification error. (CAN-2003-0078) [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion)] *) Make the no-err option work as intended. The intention with no-err is not to have the whole error stack handling routines removed from libcrypto, it's only intended to remove all the function name and reason texts, thereby removing some of the footprint that may not be interesting if those errors aren't displayed anyway. NOTE: it's still possible for any application or module to have it's own set of error texts inserted. The routines are there, just not used by default when no-err is given. [Richard Levitte] *) Add support for FreeBSD on IA64. [dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454] *) Adjust DES_cbc_cksum() so it returns the same value as the MIT Kerberos function mit_des_cbc_cksum(). Before this change, the value returned by DES_cbc_cksum() was like the one from mit_des_cbc_cksum(), except the bytes were swapped. [Kevin Greaney and Richard Levitte] *) Allow an application to disable the automatic SSL chain building. Before this a rather primitive chain build was always performed in ssl3_output_cert_chain(): an application had no way to send the correct chain if the automatic operation produced an incorrect result. Now the chain builder is disabled if either: 1. Extra certificates are added via SSL_CTX_add_extra_chain_cert(). 2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set. The reasoning behind this is that an application would not want the auto chain building to take place if extra chain certificates are present and it might also want a means of sending no additional certificates (for example the chain has two certificates and the root is omitted). [Steve Henson] *) Add the possibility to build without the ENGINE framework. [Steven Reddie via Richard Levitte] *) Under Win32 gmtime() can return NULL: check return value in OPENSSL_gmtime(). Add error code for case where gmtime() fails. [Steve Henson] *) DSA routines: under certain error conditions uninitialized BN objects could be freed. Solution: make sure initialization is performed early enough. (Reported and fix supplied by Ivan D Nestlerode , Nils Larsch via PR#459) [Lutz Jaenicke] *) Another fix for SSLv2 session ID handling: the session ID was incorrectly checked on reconnect on the client side, therefore session resumption could still fail with a "ssl session id is different" error. This behaviour is masked when SSL_OP_ALL is used due to SSL_OP_MICROSOFT_SESS_ID_BUG being set. Behaviour observed by Crispin Flowerday as followup to PR #377. [Lutz Jaenicke] *) IA-32 assembler support enhancements: unified ELF targets, support for SCO/Caldera platforms, fix for Cygwin shared build. [Andy Polyakov] *) Add support for FreeBSD on sparc64. As a consequence, support for FreeBSD on non-x86 processors is separate from x86 processors on the config script, much like the NetBSD support. [Richard Levitte & Kris Kennaway ] Changes between 0.9.6h and 0.9.7 [31 Dec 2002] [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after OpenSSL 0.9.7.] *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED code (06) was taken as the first octet of the session ID and the last octet was ignored consequently. As a result SSLv2 client side session caching could not have worked due to the session ID mismatch between client and server. Behaviour observed by Crispin Flowerday as PR #377. [Lutz Jaenicke] *) Change the declaration of needed Kerberos libraries to use EX_LIBS instead of the special (and badly supported) LIBKRB5. LIBKRB5 is removed entirely. [Richard Levitte] *) The hw_ncipher.c engine requires dynamic locks. Unfortunately, it seems that in spite of existing for more than a year, many application author have done nothing to provide the necessary callbacks, which means that this particular engine will not work properly anywhere. This is a very unfortunate situation which forces us, in the name of usability, to give the hw_ncipher.c a static lock, which is part of libcrypto. NOTE: This is for the 0.9.7 series ONLY. This hack will never appear in 0.9.8 or later. We EXPECT application authors to have dealt properly with this when 0.9.8 is released (unless we actually make such changes in the libcrypto locking code that changes will have to be made anyway). [Richard Levitte] *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content octets have been read, EOF or an error occurs. Without this change some truncated ASN1 structures will not produce an error. [Steve Henson] *) Disable Heimdal support, since it hasn't been fully implemented. Still give the possibility to force the use of Heimdal, but with warnings and a request that patches get sent to openssl-dev. [Richard Levitte] *) Add the VC-CE target, introduce the WINCE sysname, and add INSTALL.WCE and appropriate conditionals to make it build. [Steven Reddie via Richard Levitte] *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and cygssl-x.y.z.dll, where x, y and z are the major, minor and edit numbers of the version. [Corinna Vinschen and Richard Levitte] *) Introduce safe string copy and catenation functions (BUF_strlcpy() and BUF_strlcat()). [Ben Laurie (CHATS) and Richard Levitte] *) Avoid using fixed-size buffers for one-line DNs. [Ben Laurie (CHATS)] *) Add BUF_MEM_grow_clean() to avoid information leakage when resizing buffers containing secrets, and use where appropriate. [Ben Laurie (CHATS)] *) Avoid using fixed size buffers for configuration file location. [Ben Laurie (CHATS)] *) Avoid filename truncation for various CA files. [Ben Laurie (CHATS)] *) Use sizeof in preference to magic numbers. [Ben Laurie (CHATS)] *) Avoid filename truncation in cert requests. [Ben Laurie (CHATS)] *) Add assertions to check for (supposedly impossible) buffer overflows. [Ben Laurie (CHATS)] *) Don't cache truncated DNS entries in the local cache (this could potentially lead to a spoofing attack). [Ben Laurie (CHATS)] *) Fix various buffers to be large enough for hex/decimal representations in a platform independent manner. [Ben Laurie (CHATS)] *) Add CRYPTO_realloc_clean() to avoid information leakage when resizing buffers containing secrets, and use where appropriate. [Ben Laurie (CHATS)] *) Add BIO_indent() to avoid much slightly worrying code to do indents. [Ben Laurie (CHATS)] *) Convert sprintf()/BIO_puts() to BIO_printf(). [Ben Laurie (CHATS)] *) buffer_gets() could terminate with the buffer only half full. Fixed. [Ben Laurie (CHATS)] *) Add assertions to prevent user-supplied crypto functions from overflowing internal buffers by having large block sizes, etc. [Ben Laurie (CHATS)] *) New OPENSSL_assert() macro (similar to assert(), but enabled unconditionally). [Ben Laurie (CHATS)] *) Eliminate unused copy of key in RC4. [Ben Laurie (CHATS)] *) Eliminate unused and incorrectly sized buffers for IV in pem.h. [Ben Laurie (CHATS)] *) Fix off-by-one error in EGD path. [Ben Laurie (CHATS)] *) If RANDFILE path is too long, ignore instead of truncating. [Ben Laurie (CHATS)] *) Eliminate unused and incorrectly sized X.509 structure CBCParameter. [Ben Laurie (CHATS)] *) Eliminate unused and dangerous function knumber(). [Ben Laurie (CHATS)] *) Eliminate unused and dangerous structure, KSSL_ERR. [Ben Laurie (CHATS)] *) Protect against overlong session ID context length in an encoded session object. Since these are local, this does not appear to be exploitable. [Ben Laurie (CHATS)] *) Change from security patch (see 0.9.6e below) that did not affect the 0.9.6 release series: Remote buffer overflow in SSL3 protocol - an attacker could supply an oversized master key in Kerberos-enabled versions. (CAN-2002-0657) [Ben Laurie (CHATS)] *) Change the SSL kerb5 codes to match RFC 2712. [Richard Levitte] *) Make -nameopt work fully for req and add -reqopt switch. [Michael Bell , Steve Henson] *) The "block size" for block ciphers in CFB and OFB mode should be 1. [Steve Henson, reported by Yngve Nysaeter Pettersen ] *) Make sure tests can be performed even if the corresponding algorithms have been removed entirely. This was also the last step to make OpenSSL compilable with DJGPP under all reasonable conditions. [Richard Levitte, Doug Kaufman ] *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT to allow version independent disabling of normally unselected ciphers, which may be activated as a side-effect of selecting a single cipher. (E.g., cipher list string "RSA" enables ciphersuites that are left out of "ALL" because they do not provide symmetric encryption. "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.) [Lutz Jaenicke, Bodo Moeller] *) Add appropriate support for separate platform-dependent build directories. The recommended way to make a platform-dependent build directory is the following (tested on Linux), maybe with some local tweaks: # Place yourself outside of the OpenSSL source tree. In # this example, the environment variable OPENSSL_SOURCE # is assumed to contain the absolute OpenSSL source directory. mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`" cd objtree/"`uname -s`-`uname -r`-`uname -m`" (cd $OPENSSL_SOURCE; find . -type f) | while read F; do mkdir -p `dirname $F` ln -s $OPENSSL_SOURCE/$F $F done To be absolutely sure not to disturb the source tree, a "make clean" is a good thing. If it isn't successfull, don't worry about it, it probably means the source directory is very clean. [Richard Levitte] *) Make sure any ENGINE control commands make local copies of string pointers passed to them whenever necessary. Otherwise it is possible the caller may have overwritten (or deallocated) the original string data when a later ENGINE operation tries to use the stored values. [Götz Babin-Ebell ] *) Improve diagnostics in file reading and command-line digests. [Ben Laurie aided and abetted by Solar Designer ] *) Add AES modes CFB and OFB to the object database. Correct an error in AES-CFB decryption. [Richard Levitte] *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this allows existing EVP_CIPHER_CTX structures to be reused after calling EVP_*Final(). This behaviour is used by encryption BIOs and some applications. This has the side effect that applications must explicitly clean up cipher contexts with EVP_CIPHER_CTX_cleanup() or they will leak memory. [Steve Henson] *) Check the values of dna and dnb in bn_mul_recursive before calling bn_mul_comba (a non zero value means the a or b arrays do not contain n2 elements) and fallback to bn_mul_normal if either is not zero. [Steve Henson] *) Fix escaping of non-ASCII characters when using the -subj option of the "openssl req" command line tool. (Robert Joop ) [Lutz Jaenicke] *) Make object definitions compliant to LDAP (RFC2256): SN is the short form for "surname", serialNumber has no short form. Use "mail" as the short name for "rfc822Mailbox" according to RFC2798; therefore remove "mail" short name for "internet 7". The OID for unique identifiers in X509 certificates is x500UniqueIdentifier, not uniqueIdentifier. Some more OID additions. (Michael Bell ) [Lutz Jaenicke] *) Add an "init" command to the ENGINE config module and auto initialize ENGINEs. Without any "init" command the ENGINE will be initialized after all ctrl commands have been executed on it. If init=1 the ENGINE is initailized at that point (ctrls before that point are run on the uninitialized ENGINE and after on the initialized one). If init=0 then the ENGINE will not be iniatialized at all. [Steve Henson] *) Fix the 'app_verify_callback' interface so that the user-defined argument is actually passed to the callback: In the SSL_CTX_set_cert_verify_callback() prototype, the callback declaration has been changed from int (*cb)() into int (*cb)(X509_STORE_CTX *,void *); in ssl_verify_cert_chain (ssl/ssl_cert.c), the call i=s->ctx->app_verify_callback(&ctx) has been changed into i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg). To update applications using SSL_CTX_set_cert_verify_callback(), a dummy argument can be added to their callback functions. [D. K. Smetters ] *) Added the '4758cca' ENGINE to support IBM 4758 cards. [Maurice Gittens , touchups by Geoff Thorpe] *) Add and OPENSSL_LOAD_CONF define which will cause OpenSSL_add_all_algorithms() to load the openssl.cnf config file. This allows older applications to transparently support certain OpenSSL features: such as crypto acceleration and dynamic ENGINE loading. Two new functions OPENSSL_add_all_algorithms_noconf() which will never load the config file and OPENSSL_add_all_algorithms_conf() which will always load it have also been added. [Steve Henson] *) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES. Adjust NIDs and EVP layer. [Stephen Sprunk and Richard Levitte] *) Config modules support in openssl utility. Most commands now load modules from the config file, though in a few (such as version) this isn't done because it couldn't be used for anything. In the case of ca and req the config file used is the same as the utility itself: that is the -config command line option can be used to specify an alternative file. [Steve Henson] *) Move default behaviour from OPENSSL_config(). If appname is NULL use "openssl_conf" if filename is NULL use default openssl config file. [Steve Henson] *) Add an argument to OPENSSL_config() to allow the use of an alternative config section name. Add a new flag to tolerate a missing config file and move code to CONF_modules_load_file(). [Steve Henson] *) Support for crypto accelerator cards from Accelerated Encryption Processing, www.aep.ie. (Use engine 'aep') The support was copied from 0.9.6c [engine] and adapted/corrected to work with the new engine framework. [AEP Inc. and Richard Levitte] *) Support for SureWare crypto accelerator cards from Baltimore Technologies. (Use engine 'sureware') The support was copied from 0.9.6c [engine] and adapted to work with the new engine framework. [Richard Levitte] *) Have the CHIL engine fork-safe (as defined by nCipher) and actually make the newer ENGINE framework commands for the CHIL engine work. [Toomas Kiisk and Richard Levitte] *) Make it possible to produce shared libraries on ReliantUNIX. [Robert Dahlem via Richard Levitte] *) Add the configuration target debug-linux-ppro. Make 'openssl rsa' use the general key loading routines implemented in apps.c, and make those routines able to handle the key format FORMAT_NETSCAPE and the variant FORMAT_IISSGC. [Toomas Kiisk via Richard Levitte] *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). [Toomas Kiisk via Richard Levitte] *) Add -keyform to rsautl, and document -engine. [Richard Levitte, inspired by Toomas Kiisk ] *) Change BIO_new_file (crypto/bio/bss_file.c) to use new BIO_R_NO_SUCH_FILE error code rather than the generic ERR_R_SYS_LIB error code if fopen() fails with ENOENT. [Ben Laurie] *) Add new functions ERR_peek_last_error ERR_peek_last_error_line ERR_peek_last_error_line_data. These are similar to ERR_peek_error ERR_peek_error_line ERR_peek_error_line_data, but report on the latest error recorded rather than the first one still in the error queue. [Ben Laurie, Bodo Moeller] *) default_algorithms option in ENGINE config module. This allows things like: default_algorithms = ALL default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS [Steve Henson] *) Prelminary ENGINE config module. [Steve Henson] *) New experimental application configuration code. [Steve Henson] *) Change the AES code to follow the same name structure as all other symmetric ciphers, and behave the same way. Move everything to the directory crypto/aes, thereby obsoleting crypto/rijndael. [Stephen Sprunk and Richard Levitte] *) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c. [Ben Laurie and Theo de Raadt] *) Add option to output public keys in req command. [Massimiliano Pala madwolf@openca.org] *) Use wNAFs in EC_POINTs_mul() for improved efficiency (up to about 10% better than before for P-192 and P-224). [Bodo Moeller] *) New functions/macros SSL_CTX_set_msg_callback(ctx, cb) SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_set_msg_callback(ssl, cb) SSL_set_msg_callback_arg(ssl, arg) to request calling a callback function void cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg) whenever a protocol message has been completely received (write_p == 0) or sent (write_p == 1). Here 'version' is the protocol version according to which the SSL library interprets the current protocol message (SSL2_VERSION, SSL3_VERSION, or TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or the content type as defined in the SSL 3.0/TLS 1.0 protocol specification (change_cipher_spec(20), alert(21), handshake(22)). 'buf' and 'len' point to the actual message, 'ssl' to the SSL object, and 'arg' is the application-defined value set by SSL[_CTX]_set_msg_callback_arg(). 'openssl s_client' and 'openssl s_server' have new '-msg' options to enable a callback that displays all protocol messages. [Bodo Moeller] *) Change the shared library support so shared libraries are built as soon as the corresponding static library is finished, and thereby get openssl and the test programs linked against the shared library. This still only happens when the keyword "shard" has been given to the configuration scripts. NOTE: shared library support is still an experimental thing, and backward binary compatibility is still not guaranteed. ["Maciej W. Rozycki" and Richard Levitte] *) Add support for Subject Information Access extension. [Peter Sylvester ] *) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero additional bytes when new memory had to be allocated, not just when reusing an existing buffer. [Bodo Moeller] *) New command line and configuration option 'utf8' for the req command. This allows field values to be specified as UTF8 strings. [Steve Henson] *) Add -multi and -mr options to "openssl speed" - giving multiple parallel runs for the former and machine-readable output for the latter. [Ben Laurie] *) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion of the e-mail address in the DN (i.e., it will go into a certificate extension only). The new configuration file option 'email_in_dn = no' has the same effect. [Massimiliano Pala madwolf@openca.org] *) Change all functions with names starting with des_ to be starting with DES_ instead. Add wrappers that are compatible with libdes, but are named _ossl_old_des_*. Finally, add macros that map the des_* symbols to the corresponding _ossl_old_des_* if libdes compatibility is desired. If OpenSSL 0.9.6c compatibility is desired, the des_* symbols will be mapped to DES_*, with one exception. Since we provide two compatibility mappings, the user needs to define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes compatibility is desired. The default (i.e., when that macro isn't defined) is OpenSSL 0.9.6c compatibility. There are also macros that enable and disable the support of old des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those are defined, the default will apply: to support the old des routines. In either case, one must include openssl/des.h to get the correct definitions. Do not try to just include openssl/des_old.h, that won't work. NOTE: This is a major break of an old API into a new one. Software authors are encouraged to switch to the DES_ style functions. Some time in the future, des_old.h and the libdes compatibility functions will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the default), and then completely removed. [Richard Levitte] *) Test for certificates which contain unsupported critical extensions. If such a certificate is found during a verify operation it is rejected by default: this behaviour can be overridden by either handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function X509_supported_extension() has also been added which returns 1 if a particular extension is supported. [Steve Henson] *) Modify the behaviour of EVP cipher functions in similar way to digests to retain compatibility with existing code. [Steve Henson] *) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain compatibility with existing code. In particular the 'ctx' parameter does not have to be to be initialized before the call to EVP_DigestInit() and it is tidied up after a call to EVP_DigestFinal(). New function EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function EVP_MD_CTX_copy() changed to not require the destination to be initialized valid and new function EVP_MD_CTX_copy_ex() added which requires the destination to be valid. Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(), EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex(). [Steve Henson] *) Change ssl3_get_message (ssl/s3_both.c) and the functions using it so that complete 'Handshake' protocol structures are kept in memory instead of overwriting 'msg_type' and 'length' with 'body' data. [Bodo Moeller] *) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32. [Massimo Santin via Richard Levitte] *) Major restructuring to the underlying ENGINE code. This includes reduction of linker bloat, separation of pure "ENGINE" manipulation (initialisation, etc) from functionality dealing with implementations of specific crypto iterfaces. This change also introduces integrated support for symmetric ciphers and digest implementations - so ENGINEs can now accelerate these by providing EVP_CIPHER and EVP_MD implementations of their own. This is detailed in crypto/engine/README as it couldn't be adequately described here. However, there are a few API changes worth noting - some RSA, DSA, DH, and RAND functions that were changed in the original introduction of ENGINE code have now reverted back - the hooking from this code to ENGINE is now a good deal more passive and at run-time, operations deal directly with RSA_METHODs, DSA_METHODs (etc) as they did before, rather than dereferencing through an ENGINE pointer any more. Also, the ENGINE functions dealing with BN_MOD_EXP[_CRT] handlers have been removed - they were not being used by the framework as there is no concept of a BIGNUM_METHOD and they could not be generalised to the new 'ENGINE_TABLE' mechanism that underlies the new code. Similarly, ENGINE_cpy() has been removed as it cannot be consistently defined in the new code. [Geoff Thorpe] *) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds. [Steve Henson] *) Change mkdef.pl to sort symbols that get the same entry number, and make sure the automatically generated functions ERR_load_* become part of libeay.num as well. [Richard Levitte] *) New function SSL_renegotiate_pending(). This returns true once renegotiation has been requested (either SSL_renegotiate() call or HelloRequest/ClientHello receveived from the peer) and becomes false once a handshake has been completed. (For servers, SSL_renegotiate() followed by SSL_do_handshake() sends a HelloRequest, but does not ensure that a handshake takes place. SSL_renegotiate_pending() is useful for checking if the client has followed the request.) [Bodo Moeller] *) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION. By default, clients may request session resumption even during renegotiation (if session ID contexts permit); with this option, session resumption is possible only in the first handshake. SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes more bits available for options that should not be part of SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION). [Bodo Moeller] *) Add some demos for certificate and certificate request creation. [Steve Henson] *) Make maximum certificate chain size accepted from the peer application settable (SSL*_get/set_max_cert_list()), as proposed by "Douglas E. Engert" . [Lutz Jaenicke] *) Add support for shared libraries for Unixware-7 (Boyd Lynn Gerber ). [Lutz Jaenicke] *) Add a "destroy" handler to ENGINEs that allows structural cleanup to be done prior to destruction. Use this to unload error strings from ENGINEs that load their own error strings. NB: This adds two new API functions to "get" and "set" this destroy handler in an ENGINE. [Geoff Thorpe] *) Alter all existing ENGINE implementations (except "openssl" and "openbsd") to dynamically instantiate their own error strings. This makes them more flexible to be built both as statically-linked ENGINEs and self-contained shared-libraries loadable via the "dynamic" ENGINE. Also, add stub code to each that makes building them as self-contained shared-libraries easier (see README.ENGINE). [Geoff Thorpe] *) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE implementations into applications that are completely implemented in self-contained shared-libraries. The "dynamic" ENGINE exposes control commands that can be used to configure what shared-library to load and to control aspects of the way it is handled. Also, made an update to the README.ENGINE file that brings its information up-to-date and provides some information and instructions on the "dynamic" ENGINE (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc). [Geoff Thorpe] *) Make it possible to unload ranges of ERR strings with a new "ERR_unload_strings" function. [Geoff Thorpe] *) Add a copy() function to EVP_MD. [Ben Laurie] *) Make EVP_MD routines take a context pointer instead of just the md_data void pointer. [Ben Laurie] *) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates that the digest can only process a single chunk of data (typically because it is provided by a piece of hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application is only going to provide a single chunk of data, and hence the framework needn't accumulate the data for oneshot drivers. [Ben Laurie] *) As with "ERR", make it possible to replace the underlying "ex_data" functions. This change also alters the storage and management of global ex_data state - it's now all inside ex_data.c and all "class" code (eg. RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class index counters. The API functions that use this state have been changed to take a "class_index" rather than pointers to the class's local STACK and counter, and there is now an API function to dynamically create new classes. This centralisation allows us to (a) plug a lot of the thread-safety problems that existed, and (b) makes it possible to clean up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b) such data would previously have always leaked in application code and workarounds were in place to make the memory debugging turn a blind eye to it. Application code that doesn't use this new function will still leak as before, but their memory debugging output will announce it now rather than letting it slide. Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now has a return value to indicate success or failure. [Geoff Thorpe] *) Make it possible to replace the underlying "ERR" functions such that the global state (2 LHASH tables and 2 locks) is only used by the "default" implementation. This change also adds two functions to "get" and "set" the implementation prior to it being automatically set the first time any other ERR function takes place. Ie. an application can call "get", pass the return value to a module it has just loaded, and that module can call its own "set" function using that value. This means the module's "ERR" operations will use (and modify) the error state in the application and not in its own statically linked copy of OpenSSL code. [Geoff Thorpe] *) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment reference counts. This performs normal REF_PRINT/REF_CHECK macros on the operation, and provides a more encapsulated way for external code (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code to use these functions rather than manually incrementing the counts. Also rename "DSO_up()" function to more descriptive "DSO_up_ref()". [Geoff Thorpe] *) Add EVP test program. [Ben Laurie] *) Add symmetric cipher support to ENGINE. Expect the API to change! [Ben Laurie] *) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name() X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(), X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate(). These allow a CRL to be built without having to access X509_CRL fields directly. Modify 'ca' application to use new functions. [Steve Henson] *) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended bug workarounds. Rollback attack detection is a security feature. The problem will only arise on OpenSSL servers when TLSv1 is not available (sslv3_server_method() or SSL_OP_NO_TLSv1). Software authors not wanting to support TLSv1 will have special reasons for their choice and can explicitly enable this option. [Bodo Moeller, Lutz Jaenicke] *) Rationalise EVP so it can be extended: don't include a union of cipher/digest structures, add init/cleanup functions for EVP_MD_CTX (similar to those existing for EVP_CIPHER_CTX). Usage example: EVP_MD_CTX md; EVP_MD_CTX_init(&md); /* new function call */ EVP_DigestInit(&md, EVP_sha1()); EVP_DigestUpdate(&md, in, len); EVP_DigestFinal(&md, out, NULL); EVP_MD_CTX_cleanup(&md); /* new function call */ [Ben Laurie] *) Make DES key schedule conform to the usual scheme, as well as correcting its structure. This means that calls to DES functions now have to pass a pointer to a des_key_schedule instead of a plain des_key_schedule (which was actually always a pointer anyway): E.g., des_key_schedule ks; des_set_key_checked(..., &ks); des_ncbc_encrypt(..., &ks, ...); (Note that a later change renames 'des_...' into 'DES_...'.) [Ben Laurie] *) Initial reduction of linker bloat: the use of some functions, such as PEM causes large amounts of unused functions to be linked in due to poor organisation. For example pem_all.c contains every PEM function which has a knock on effect of linking in large amounts of (unused) ASN1 code. Grouping together similar functions and splitting unrelated functions prevents this. [Steve Henson] *) Cleanup of EVP macros. [Ben Laurie] *) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the correct _ecb suffix. [Ben Laurie] *) Add initial OCSP responder support to ocsp application. The revocation information is handled using the text based index use by the ca application. The responder can either handle requests generated internally, supplied in files (for example via a CGI script) or using an internal minimal server. [Steve Henson] *) Add configuration choices to get zlib compression for TLS. [Richard Levitte] *) Changes to Kerberos SSL for RFC 2712 compliance: 1. Implemented real KerberosWrapper, instead of just using KRB5 AP_REQ message. [Thanks to Simon Wilkinson ] 2. Implemented optional authenticator field of KerberosWrapper. Added openssl-style ASN.1 macros for Kerberos ticket, ap_req, and authenticator structs; see crypto/krb5/. Generalized Kerberos calls to support multiple Kerberos libraries. [Vern Staats , Jeffrey Altman via Richard Levitte] *) Cause 'openssl speed' to use fully hard-coded DSA keys as it already does with RSA. testdsa.h now has 'priv_key/pub_key' values for each of the key sizes rather than having just parameters (and 'speed' generating keys each time). [Geoff Thorpe] *) Speed up EVP routines. Before: encrypt type 8 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes des-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k des-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k des-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k decrypt des-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k des-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k des-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k After: encrypt des-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k decrypt des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Ben Laurie] *) Added the OS2-EMX target. ["Brian Havard" and Richard Levitte] *) Rewrite apps to use NCONF routines instead of the old CONF. New functions to support NCONF routines in extension code. New function CONF_set_nconf() to allow functions which take an NCONF to also handle the old LHASH structure: this means that the old CONF compatible routines can be retained (in particular wrt extensions) without having to duplicate the code. New function X509V3_add_ext_nconf_sk to add extensions to a stack. [Steve Henson] *) Enhance the general user interface with mechanisms for inner control and with possibilities to have yes/no kind of prompts. [Richard Levitte] *) Change all calls to low level digest routines in the library and applications to use EVP. Add missing calls to HMAC_cleanup() and don't assume HMAC_CTX can be copied using memcpy(). [Verdon Walker , Steve Henson] *) Add the possibility to control engines through control names but with arbitrary arguments instead of just a string. Change the key loaders to take a UI_METHOD instead of a callback function pointer. NOTE: this breaks binary compatibility with earlier versions of OpenSSL [engine]. Adapt the nCipher code for these new conditions and add a card insertion callback. [Richard Levitte] *) Enhance the general user interface with mechanisms to better support dialog box interfaces, application-defined prompts, the possibility to use defaults (for example default passwords from somewhere else) and interrupts/cancellations. [Richard Levitte] *) Tidy up PKCS#12 attribute handling. Add support for the CSP name attribute in PKCS#12 files, add new -CSP option to pkcs12 utility. [Steve Henson] *) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also tidy up some unnecessarily weird code in 'sk_new()'). [Geoff, reported by Diego Tartara ] *) Change the key loading routines for ENGINEs to use the same kind callback (pem_password_cb) as all other routines that need this kind of callback. [Richard Levitte] *) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with 256 bit (=32 byte) keys. Of course seeding with more entropy bytes than this minimum value is recommended. [Lutz Jaenicke] *) New random seeder for OpenVMS, using the system process statistics that are easily reachable. [Richard Levitte] *) Windows apparently can't transparently handle global variables defined in DLLs. Initialisations such as: const ASN1_ITEM *it = &ASN1_INTEGER_it; wont compile. This is used by the any applications that need to declare their own ASN1 modules. This was fixed by adding the option EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly needed for static libraries under Win32. [Steve Henson] *) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle setting of purpose and trust fields. New X509_STORE trust and purpose functions and tidy up setting in other SSL functions. [Steve Henson] *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE structure. These are inherited by X509_STORE_CTX when it is initialised. This allows various defaults to be set in the X509_STORE structure (such as flags for CRL checking and custom purpose or trust settings) for functions which only use X509_STORE_CTX internally such as S/MIME. Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and trust settings if they are not set in X509_STORE. This allows X509_STORE purposes and trust (in S/MIME for example) to override any set by default. Add command line options for CRL checking to smime, s_client and s_server applications. [Steve Henson] *) Initial CRL based revocation checking. If the CRL checking flag(s) are set then the CRL is looked up in the X509_STORE structure and its validity and signature checked, then if the certificate is found in the CRL the verify fails with a revoked error. Various new CRL related callbacks added to X509_STORE_CTX structure. Command line options added to 'verify' application to support this. This needs some additional work, such as being able to handle multiple CRLs with different times, extension based lookup (rather than just by subject name) and ultimately more complete V2 CRL extension handling. [Steve Henson] *) Add a general user interface API (crypto/ui/). This is designed to replace things like des_read_password and friends (backward compatibility functions using this new API are provided). The purpose is to remove prompting functions from the DES code section as well as provide for prompting through dialog boxes in a window system and the like. [Richard Levitte] *) Add "ex_data" support to ENGINE so implementations can add state at a per-structure level rather than having to store it globally. [Geoff] *) Make it possible for ENGINE structures to be copied when retrieved by ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY. This causes the "original" ENGINE structure to act like a template, analogous to the RSA vs. RSA_METHOD type of separation. Because of this operational state can be localised to each ENGINE structure, despite the fact they all share the same "methods". New ENGINE structures returned in this case have no functional references and the return value is the single structural reference. This matches the single structural reference returned by ENGINE_by_id() normally, when it is incremented on the pre-existing ENGINE structure. [Geoff] *) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this needs to match any other type at all we need to manually clear the tag cache. [Steve Henson] *) Changes to the "openssl engine" utility to include; - verbosity levels ('-v', '-vv', and '-vvv') that provide information about an ENGINE's available control commands. - executing control commands from command line arguments using the '-pre' and '-post' switches. '-post' is only used if '-t' is specified and the ENGINE is successfully initialised. The syntax for the individual commands are colon-separated, for example; openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so [Geoff] *) New dynamic control command support for ENGINEs. ENGINEs can now declare their own commands (numbers), names (strings), descriptions, and input types for run-time discovery by calling applications. A subset of these commands are implicitly classed as "executable" depending on their input type, and only these can be invoked through the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this can be based on user input, config files, etc). The distinction is that "executable" commands cannot return anything other than a boolean result and can only support numeric or string input, whereas some discoverable commands may only be for direct use through ENGINE_ctrl(), eg. supporting the exchange of binary data, function pointers, or other custom uses. The "executable" commands are to support parameterisations of ENGINE behaviour that can be unambiguously defined by ENGINEs and used consistently across any OpenSSL-based application. Commands have been added to all the existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow control over shared-library paths without source code alterations. [Geoff] *) Changed all ENGINE implementations to dynamically allocate their ENGINEs rather than declaring them statically. Apart from this being necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction, this also allows the implementations to compile without using the internal engine_int.h header. [Geoff] *) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a 'const' value. Any code that should be able to modify a RAND_METHOD should already have non-const pointers to it (ie. they should only modify their own ones). [Geoff] *) Made a variety of little tweaks to the ENGINE code. - "atalla" and "ubsec" string definitions were moved from header files to C code. "nuron" string definitions were placed in variables rather than hard-coded - allowing parameterisation of these values later on via ctrl() commands. - Removed unused "#if 0"'d code. - Fixed engine list iteration code so it uses ENGINE_free() to release structural references. - Constified the RAND_METHOD element of ENGINE structures. - Constified various get/set functions as appropriate and added missing functions (including a catch-all ENGINE_cpy that duplicates all ENGINE values onto a new ENGINE except reference counts/state). - Removed NULL parameter checks in get/set functions. Setting a method or function to NULL is a way of cancelling out a previously set value. Passing a NULL ENGINE parameter is just plain stupid anyway and doesn't justify the extra error symbols and code. - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for flags from engine_int.h to engine.h. - Changed prototypes for ENGINE handler functions (init(), finish(), ctrl(), key-load functions, etc) to take an (ENGINE*) parameter. [Geoff] *) Implement binary inversion algorithm for BN_mod_inverse in addition to the algorithm using long division. The binary algorithm can be used only if the modulus is odd. On 32-bit systems, it is faster only for relatively small moduli (roughly 20-30% for 128-bit moduli, roughly 5-15% for 256-bit moduli), so we use it only for moduli up to 450 bits. In 64-bit environments, the binary algorithm appears to be advantageous for much longer moduli; here we use it for moduli up to 2048 bits. [Bodo Moeller] *) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code could not support the combine flag in choice fields. [Steve Henson] *) Add a 'copy_extensions' option to the 'ca' utility. This copies extensions from a certificate request to the certificate. [Steve Henson] *) Allow multiple 'certopt' and 'nameopt' options to be separated by commas. Add 'namopt' and 'certopt' options to the 'ca' config file: this allows the display of the certificate about to be signed to be customised, to allow certain fields to be included or excluded and extension details. The old system didn't display multicharacter strings properly, omitted fields not in the policy and couldn't display additional details such as extensions. [Steve Henson] *) Function EC_POINTs_mul for multiple scalar multiplication of an arbitrary number of elliptic curve points \sum scalars[i]*points[i], optionally including the generator defined for the EC_GROUP: scalar*generator + \sum scalars[i]*points[i]. EC_POINT_mul is a simple wrapper function for the typical case that the point list has just one item (besides the optional generator). [Bodo Moeller] *) First EC_METHODs for curves over GF(p): EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr operations and provides various method functions that can also operate with faster implementations of modular arithmetic. EC_GFp_mont_method() reuses most functions that are part of EC_GFp_simple_method, but uses Montgomery arithmetic. [Bodo Moeller; point addition and point doubling implementation directly derived from source code provided by Lenka Fibikova ] *) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h, crypto/ec/ec_lib.c): Curves are EC_GROUP objects (with an optional group generator) based on EC_METHODs that are built into the library. Points are EC_POINT objects based on EC_GROUP objects. Most of the framework would be able to handle curves over arbitrary finite fields, but as there are no obvious types for fields other than GF(p), some functions are limited to that for now. [Bodo Moeller] *) Add the -HTTP option to s_server. It is similar to -WWW, but requires that the file contains a complete HTTP response. [Richard Levitte] *) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl change the def and num file printf format specifier from "%-40sXXX" to "%-39s XXX". The latter will always guarantee a space after the field while the former will cause them to run together if the field is 40 of more characters long. [Steve Henson] *) Constify the cipher and digest 'method' functions and structures and modify related functions to take constant EVP_MD and EVP_CIPHER pointers. [Steve Henson] *) Hide BN_CTX structure details in bn_lcl.h instead of publishing them in . Also further increase BN_CTX_NUM to 32. [Bodo Moeller] *) Modify EVP_Digest*() routines so they now return values. Although the internal software routines can never fail additional hardware versions might. [Steve Henson] *) Clean up crypto/err/err.h and change some error codes to avoid conflicts: Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7 (= ERR_R_PKCS7_LIB); it is now 64 instead of 32. ASN1 error codes ERR_R_NESTED_ASN1_ERROR ... ERR_R_MISSING_ASN1_EOS were 4 .. 9, conflicting with ERR_LIB_RSA (= ERR_R_RSA_LIB) ... ERR_LIB_PEM (= ERR_R_PEM_LIB). They are now 58 .. 63 (i.e., just below ERR_R_FATAL). Add new error code 'ERR_R_INTERNAL_ERROR'. [Bodo Moeller] *) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock suffices. [Bodo Moeller] *) New option '-subj arg' for 'openssl req' and 'openssl ca'. This sets the subject name for a new request or supersedes the subject name in a given request. Formats that can be parsed are 'CN=Some Name, OU=myOU, C=IT' and 'CN=Some Name/OU=myOU/C=IT'. Add options '-batch' and '-verbose' to 'openssl req'. [Massimiliano Pala ] *) Introduce the possibility to access global variables through functions on platform were that's the best way to handle exporting global variables in shared libraries. To enable this functionality, one must configure with "EXPORT_VAR_AS_FN" or defined the C macro "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter is normally done by Configure or something similar). To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL in the source file (foo.c) like this: OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1; OPENSSL_IMPLEMENT_GLOBAL(double,bar); To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL and OPENSSL_GLOBAL_REF in the header file (foo.h) like this: OPENSSL_DECLARE_GLOBAL(int,foo); #define foo OPENSSL_GLOBAL_REF(foo) OPENSSL_DECLARE_GLOBAL(double,bar); #define bar OPENSSL_GLOBAL_REF(bar) The #defines are very important, and therefore so is including the header file everywhere where the defined globals are used. The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition of ASN.1 items, but that structure is a bit different. The largest change is in util/mkdef.pl which has been enhanced with better and easier to understand logic to choose which symbols should go into the Windows .def files as well as a number of fixes and code cleanup (among others, algorithm keywords are now sorted lexicographically to avoid constant rewrites). [Richard Levitte] *) In BN_div() keep a copy of the sign of 'num' before writing the result to 'rm' because if rm==num the value will be overwritten and produce the wrong result if 'num' is negative: this caused problems with BN_mod() and BN_nnmod(). [Steve Henson] *) Function OCSP_request_verify(). This checks the signature on an OCSP request and verifies the signer certificate. The signer certificate is just checked for a generic purpose and OCSP request trust settings. [Steve Henson] *) Add OCSP_check_validity() function to check the validity of OCSP responses. OCSP responses are prepared in real time and may only be a few seconds old. Simply checking that the current time lies between thisUpdate and nextUpdate max reject otherwise valid responses caused by either OCSP responder or client clock inaccuracy. Instead we allow thisUpdate and nextUpdate to fall within a certain period of the current time. The age of the response can also optionally be checked. Two new options -validity_period and -status_age added to ocsp utility. [Steve Henson] *) If signature or public key algorithm is unrecognized print out its OID rather that just UNKNOWN. [Steve Henson] *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate ID to be generated from the issuer certificate alone which can then be passed to OCSP_id_issuer_cmp(). [Steve Henson] *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new ASN1 modules to export functions returning ASN1_ITEM pointers instead of the ASN1_ITEM structures themselves. This adds several new macros which allow the underlying ASN1 function/structure to be accessed transparently. As a result code should not use ASN1_ITEM references directly (such as &X509_it) but instead use the relevant macros (such as ASN1_ITEM_rptr(X509)). This option is to allow use of the new ASN1 code on platforms where exporting structures is problematical (for example in shared libraries) but exporting functions returning pointers to structures is not. [Steve Henson] *) Add support for overriding the generation of SSL/TLS session IDs. These callbacks can be registered either in an SSL_CTX or per SSL. The purpose of this is to allow applications to control, if they wish, the arbitrary values chosen for use as session IDs, particularly as it can be useful for session caching in multiple-server environments. A command-line switch for testing this (and any client code that wishes to use such a feature) has been added to "s_server". [Geoff Thorpe, Lutz Jaenicke] *) Modify mkdef.pl to recognise and parse preprocessor conditionals of the form '#if defined(...) || defined(...) || ...' and '#if !defined(...) && !defined(...) && ...'. This also avoids the growing number of special cases it was previously handling. [Richard Levitte] *) Make all configuration macros available for application by making sure they are available in opensslconf.h, by giving them names starting with "OPENSSL_" to avoid conflicts with other packages and by making sure e_os2.h will cover all platform-specific cases together with opensslconf.h. Additionally, it is now possible to define configuration/platform- specific names (called "system identities"). In the C code, these are prefixed with "OPENSSL_SYSNAME_". e_os2.h will create another macro with the name beginning with "OPENSSL_SYS_", which is determined from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on what is available. [Richard Levitte] *) New option -set_serial to 'req' and 'x509' this allows the serial number to use to be specified on the command line. Previously self signed certificates were hard coded with serial number 0 and the CA options of 'x509' had to use a serial number in a file which was auto incremented. [Steve Henson] *) New options to 'ca' utility to support V2 CRL entry extensions. Currently CRL reason, invalidity date and hold instruction are supported. Add new CRL extensions to V3 code and some new objects. [Steve Henson] *) New function EVP_CIPHER_CTX_set_padding() this is used to disable standard block padding (aka PKCS#5 padding) in the EVP API, which was previously mandatory. This means that the data is not padded in any way and so the total length much be a multiple of the block size, otherwise an error occurs. [Steve Henson] *) Initial (incomplete) OCSP SSL support. [Steve Henson] *) New function OCSP_parse_url(). This splits up a URL into its host, port and path components: primarily to parse OCSP URLs. New -url option to ocsp utility. [Steve Henson] *) New nonce behavior. The return value of OCSP_check_nonce() now reflects the various checks performed. Applications can decide whether to tolerate certain situations such as an absent nonce in a response when one was present in a request: the ocsp application just prints out a warning. New function OCSP_add1_basic_nonce() this is to allow responders to include a nonce in a response even if the request is nonce-less. [Steve Henson] *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are skipped when using openssl x509 multiple times on a single input file, e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) ] *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates passed by the function are trusted implicitly. If any of them signed the response then it is assumed to be valid and is not verified. [Steve Henson] *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT to data. This was previously part of the PKCS7 ASN1 code. This was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures. [Steve Henson, reported by Kenneth R. Robinette ] *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1 routines: without these tracing memory leaks is very painful. Fix leaks in PKCS12 and PKCS7 routines. [Steve Henson] *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new(). Previously it initialised the 'type' argument to V_ASN1_UTCTIME which effectively meant GeneralizedTime would never be used. Now it is initialised to -1 but X509_time_adj() now has to check the value and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime. [Steve Henson, reported by Kenneth R. Robinette ] *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously result in a zero length in the ASN1_INTEGER structure which was not consistent with the structure when d2i_ASN1_INTEGER() was used and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER() to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER() where it did not print out a minus for negative ASN1_INTEGER. [Steve Henson] *) Add summary printout to ocsp utility. The various functions which convert status values to strings have been renamed to: OCSP_response_status_str(), OCSP_cert_status_str() and OCSP_crl_reason_str() and are no longer static. New options to verify nonce values and to disable verification. OCSP response printout format cleaned up. [Steve Henson] *) Add additional OCSP certificate checks. These are those specified in RFC2560. This consists of two separate checks: the CA of the certificate being checked must either be the OCSP signer certificate or the issuer of the OCSP signer certificate. In the latter case the OCSP signer certificate must contain the OCSP signing extended key usage. This check is performed by attempting to match the OCSP signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash in the OCSP_CERTID structures of the response. [Steve Henson] *) Initial OCSP certificate verification added to OCSP_basic_verify() and related routines. This uses the standard OpenSSL certificate verify routines to perform initial checks (just CA validity) and to obtain the certificate chain. Then additional checks will be performed on the chain. Currently the root CA is checked to see if it is explicitly trusted for OCSP signing. This is used to set a root CA as a global signing root: that is any certificate that chains to that CA is an acceptable OCSP signing certificate. [Steve Henson] *) New '-extfile ...' option to 'openssl ca' for reading X.509v3 extensions from a separate configuration file. As when reading extensions from the main configuration file, the '-extensions ...' option may be used for specifying the section to use. [Massimiliano Pala ] *) New OCSP utility. Allows OCSP requests to be generated or read. The request can be sent to a responder and the output parsed, outputed or printed in text form. Not complete yet: still needs to check the OCSP response validity. [Steve Henson] *) New subcommands for 'openssl ca': 'openssl ca -status ' prints the status of the cert with the given serial number (according to the index file). 'openssl ca -updatedb' updates the expiry status of certificates in the index file. [Massimiliano Pala ] *) New '-newreq-nodes' command option to CA.pl. This is like '-newreq', but calls 'openssl req' with the '-nodes' option so that the resulting key is not encrypted. [Damien Miller ] *) New configuration for the GNU Hurd. [Jonathan Bartlett via Richard Levitte] *) Initial code to implement OCSP basic response verify. This is currently incomplete. Currently just finds the signer's certificate and verifies the signature on the response. [Steve Henson] *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in value of OPENSSLDIR. This is available via the new '-d' option to 'openssl version', and is also included in 'openssl version -a'. [Bodo Moeller] *) Allowing defining memory allocation callbacks that will be given file name and line number information in additional arguments (a const char* and an int). The basic functionality remains, as well as the original possibility to just replace malloc(), realloc() and free() by functions that do not know about these additional arguments. To register and find out the current settings for extended allocation functions, the following functions are provided: CRYPTO_set_mem_ex_functions CRYPTO_set_locked_mem_ex_functions CRYPTO_get_mem_ex_functions CRYPTO_get_locked_mem_ex_functions These work the same way as CRYPTO_set_mem_functions and friends. CRYPTO_get_[locked_]mem_functions now writes 0 where such an extended allocation function is enabled. Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where a conventional allocation function is enabled. [Richard Levitte, Bodo Moeller] *) Finish off removing the remaining LHASH function pointer casts. There should no longer be any prototype-casting required when using the LHASH abstraction, and any casts that remain are "bugs". See the callback types and macros at the head of lhash.h for details (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example). [Geoff Thorpe] *) Add automatic query of EGD sockets in RAND_poll() for the unix variant. If /dev/[u]random devices are not available or do not return enough entropy, EGD style sockets (served by EGD or PRNGD) will automatically be queried. The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and /etc/entropy will be queried once each in this sequence, quering stops when enough entropy was collected without querying more sockets. [Lutz Jaenicke] *) Change the Unix RAND_poll() variant to be able to poll several random devices, as specified by DEVRANDOM, until a sufficient amount of data has been collected. We spend at most 10 ms on each file (select timeout) and read in non-blocking mode. DEVRANDOM now defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom" (previously it was just the string "/dev/urandom"), so on typical platforms the 10 ms delay will never occur. Also separate out the Unix variant to its own file, rand_unix.c. For VMS, there's a currently-empty rand_vms.c. [Richard Levitte] *) Move OCSP client related routines to ocsp_cl.c. These provide utility functions which an application needing to issue a request to an OCSP responder and analyse the response will typically need: as opposed to those which an OCSP responder itself would need which will be added later. OCSP_request_sign() signs an OCSP request with an API similar to PKCS7_sign(). OCSP_response_status() returns status of OCSP response. OCSP_response_get1_basic() extracts basic response from response. OCSP_resp_find_status(): finds and extracts status information from an OCSP_CERTID structure (which will be created when the request structure is built). These are built from lower level functions which work on OCSP_SINGLERESP structures but wont normally be used unless the application wishes to examine extensions in the OCSP response for example. Replace nonce routines with a pair of functions. OCSP_request_add1_nonce() adds a nonce value and optionally generates a random value. OCSP_check_nonce() checks the validity of the nonce in an OCSP response. [Steve Henson] *) Change function OCSP_request_add() to OCSP_request_add0_id(). This doesn't copy the supplied OCSP_CERTID and avoids the need to free up the newly created id. Change return type to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure. This can then be used to add extensions to the request. Deleted OCSP_request_new(), since most of its functionality is now in OCSP_REQUEST_new() (and the case insensitive name clash) apart from the ability to set the request name which will be added elsewhere. [Steve Henson] *) Update OCSP API. Remove obsolete extensions argument from various functions. Extensions are now handled using the new OCSP extension code. New simple OCSP HTTP function which can be used to send requests and parse the response. [Steve Henson] *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN uses the special reorder version of SET OF to sort the attributes and reorder them to match the encoded order. This resolves a long standing problem: a verify on a PKCS7 structure just after signing it used to fail because the attribute order did not match the encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes: it uses the received order. This is necessary to tolerate some broken software that does not order SET OF. This is handled by encoding as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class) to produce the required SET OF. [Steve Henson] *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header files to get correct declarations of the ASN.1 item variables. [Richard Levitte] *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs: asn1_check_tlen() would sometimes attempt to use 'ctx' when it was NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i(). New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant ASN1_ITEM and no wrapper functions. [Steve Henson] *) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These replace the old function pointer based I/O routines. Change most of the *_d2i_bio() and *_d2i_fp() functions to use these. [Steve Henson] *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor lines, recognice more "algorithms" that can be deselected, and make it complain about algorithm deselection that isn't recognised. [Richard Levitte] *) New ASN1 functions to handle dup, sign, verify, digest, pack and unpack operations in terms of ASN1_ITEM. Modify existing wrappers to use new functions. Add NO_ASN1_OLD which can be set to remove some old style ASN1 functions: this can be used to determine if old code will still work when these eventually go away. [Steve Henson] *) New extension functions for OCSP structures, these follow the same conventions as certificates and CRLs. [Steve Henson] *) New function X509V3_add1_i2d(). This automatically encodes and adds an extension. Its behaviour can be customised with various flags to append, replace or delete. Various wrappers added for certifcates and CRLs. [Steve Henson] *) Fix to avoid calling the underlying ASN1 print routine when an extension cannot be parsed. Correct a typo in the OCSP_SERVICELOC extension. Tidy up print OCSP format. [Steve Henson] *) Make mkdef.pl parse some of the ASN1 macros and add apropriate entries for variables. [Steve Henson] *) Add functionality to apps/openssl.c for detecting locking problems: As the program is single-threaded, all we have to do is register a locking callback using an array for storing which locks are currently held by the program. [Bodo Moeller] *) Use a lock around the call to CRYPTO_get_ex_new_index() in SSL_get_ex_data_X509_STORE_idx(), which is used in ssl_verify_cert_chain() and thus can be called at any time during TLS/SSL handshakes so that thread-safety is essential. Unfortunately, the ex_data design is not at all suited for multi-threaded use, so it probably should be abolished. [Bodo Moeller] *) Added Broadcom "ubsec" ENGINE to OpenSSL. [Broadcom, tweaked and integrated by Geoff Thorpe] *) Move common extension printing code to new function X509V3_print_extensions(). Reorganise OCSP print routines and implement some needed OCSP ASN1 functions. Add OCSP extensions. [Steve Henson] *) New function X509_signature_print() to remove duplication in some print routines. [Steve Henson] *) Add a special meaning when SET OF and SEQUENCE OF flags are both set (this was treated exactly the same as SET OF previously). This is used to reorder the STACK representing the structure to match the encoding. This will be used to get round a problem where a PKCS7 structure which was signed could not be verified because the STACK order did not reflect the encoded order. [Steve Henson] *) Reimplement the OCSP ASN1 module using the new code. [Steve Henson] *) Update the X509V3 code to permit the use of an ASN1_ITEM structure for its ASN1 operations. The old style function pointers still exist for now but they will eventually go away. [Steve Henson] *) Merge in replacement ASN1 code from the ASN1 branch. This almost completely replaces the old ASN1 functionality with a table driven encoder and decoder which interprets an ASN1_ITEM structure describing the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is largely maintained. Almost all of the old asn1_mac.h macro based ASN1 has also been converted to the new form. [Steve Henson] *) Change BN_mod_exp_recp so that negative moduli are tolerated (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set so that BN_mod_exp_mont and BN_mod_exp_mont_word work for negative moduli. [Bodo Moeller] *) Fix BN_uadd and BN_usub: Always return non-negative results instead of not touching the result's sign bit. [Bodo Moeller] *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be set. [Bodo Moeller] *) Changed the LHASH code to use prototypes for callbacks, and created macros to declare and implement thin (optionally static) functions that provide type-safety and avoid function pointer casting for the type-specific callbacks. [Geoff Thorpe] *) Added Kerberos Cipher Suites to be used with TLS, as written in RFC 2712. [Veers Staats , Jeffrey Altman , via Richard Levitte] *) Reformat the FAQ so the different questions and answers can be divided in sections depending on the subject. [Richard Levitte] *) Have the zlib compression code load ZLIB.DLL dynamically under Windows. [Richard Levitte] *) New function BN_mod_sqrt for computing square roots modulo a prime (using the probabilistic Tonelli-Shanks algorithm unless p == 3 (mod 4) or p == 5 (mod 8), which are cases that can be handled deterministically). [Lenka Fibikova , Bodo Moeller] *) Make BN_mod_inverse faster by explicitly handling small quotients in the Euclid loop. (Speed gain about 20% for small moduli [256 or 512 bits], about 30% for larger ones [1024 or 2048 bits].) [Bodo Moeller] *) New function BN_kronecker. [Bodo Moeller] *) Fix BN_gcd so that it works on negative inputs; the result is positive unless both parameters are zero. Previously something reasonably close to an infinite loop was possible because numbers could be growing instead of shrinking in the implementation of Euclid's algorithm. [Bodo Moeller] *) Fix BN_is_word() and BN_is_one() macros to take into account the sign of the number in question. Fix BN_is_word(a,w) to work correctly for w == 0. The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w) because its test if the absolute value of 'a' equals 'w'. Note that BN_abs_is_word does *not* handle w == 0 reliably; it exists mostly for use in the implementations of BN_is_zero(), BN_is_one(), and BN_is_word(). [Bodo Moeller] *) New function BN_swap. [Bodo Moeller] *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that the exponentiation functions are more likely to produce reasonable results on negative inputs. [Bodo Moeller] *) Change BN_mod_mul so that the result is always non-negative. Previously, it could be negative if one of the factors was negative; I don't think anyone really wanted that behaviour. [Bodo Moeller] *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c (except for exponentiation, which stays in crypto/bn/bn_exp.c, and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c) and add new functions: BN_nnmod BN_mod_sqr BN_mod_add BN_mod_add_quick BN_mod_sub BN_mod_sub_quick BN_mod_lshift1 BN_mod_lshift1_quick BN_mod_lshift BN_mod_lshift_quick These functions always generate non-negative results. BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder r such that |m| < r < 0, BN_nnmod will output rem + |m| instead). BN_mod_XXX_quick(r, a, [b,] m) generates the same result as BN_mod_XXX(r, a, [b,] m, ctx), but requires that a [and b] be reduced modulo m. [Lenka Fibikova , Bodo Moeller] #if 0 The following entry accidentily appeared in the CHANGES file distributed with OpenSSL 0.9.7. The modifications described in it do *not* apply to OpenSSL 0.9.7. *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there was actually never needed) and in BN_mul(). The removal in BN_mul() required a small change in bn_mul_part_recursive() and the addition of the functions bn_cmp_part_words(), bn_sub_part_words() and bn_add_part_words(), which do the same thing as bn_cmp_words(), bn_sub_words() and bn_add_words() except they take arrays with differing sizes. [Richard Levitte] #endif *) In 'openssl passwd', verify passwords read from the terminal unless the '-salt' option is used (which usually means that verification would just waste user's time since the resulting hash is going to be compared with some given password hash) or the new '-noverify' option is used. This is an incompatible change, but it does not affect non-interactive use of 'openssl passwd' (passwords on the command line, '-stdin' option, '-in ...' option) and thus should not cause any problems. [Bodo Moeller] *) Remove all references to RSAref, since there's no more need for it. [Richard Levitte] *) Make DSO load along a path given through an environment variable (SHLIB_PATH) with shl_load(). [Richard Levitte] *) Constify the ENGINE code as a result of BIGNUM constification. Also constify the RSA code and most things related to it. In a few places, most notable in the depth of the ASN.1 code, ugly casts back to non-const were required (to be solved at a later time) [Richard Levitte] *) Make it so the openssl application has all engines loaded by default. [Richard Levitte] *) Constify the BIGNUM routines a little more. [Richard Levitte] *) Add the following functions: ENGINE_load_cswift() ENGINE_load_chil() ENGINE_load_atalla() ENGINE_load_nuron() ENGINE_load_builtin_engines() That way, an application can itself choose if external engines that are built-in in OpenSSL shall ever be used or not. The benefit is that applications won't have to be linked with libdl or other dso libraries unless it's really needed. Changed 'openssl engine' to load all engines on demand. Changed the engine header files to avoid the duplication of some declarations (they differed!). [Richard Levitte] *) 'openssl engine' can now list capabilities. [Richard Levitte] *) Better error reporting in 'openssl engine'. [Richard Levitte] *) Never call load_dh_param(NULL) in s_server. [Bodo Moeller] *) Add engine application. It can currently list engines by name and identity, and test if they are actually available. [Richard Levitte] *) Improve RPM specification file by forcing symbolic linking and making sure the installed documentation is also owned by root.root. [Damien Miller ] *) Give the OpenSSL applications more possibilities to make use of keys (public as well as private) handled by engines. [Richard Levitte] *) Add OCSP code that comes from CertCo. [Richard Levitte] *) Add VMS support for the Rijndael code. [Richard Levitte] *) Added untested support for Nuron crypto accelerator. [Ben Laurie] *) Add support for external cryptographic devices. This code was previously distributed separately as the "engine" branch. [Geoff Thorpe, Richard Levitte] *) Rework the filename-translation in the DSO code. It is now possible to have far greater control over how a "name" is turned into a filename depending on the operating environment and any oddities about the different shared library filenames on each system. [Geoff Thorpe] *) Support threads on FreeBSD-elf in Configure. [Richard Levitte] *) Fix for SHA1 assembly problem with MASM: it produces warnings about corrupt line number information when assembling with debugging information. This is caused by the overlapping of two sections. [Bernd Matthes , Steve Henson] *) NCONF changes. NCONF_get_number() has no error checking at all. As a replacement, NCONF_get_number_e() is defined (_e for "error checking") and is promoted strongly. The old NCONF_get_number is kept around for binary backward compatibility. Make it possible for methods to load from something other than a BIO, by providing a function pointer that is given a name instead of a BIO. For example, this could be used to load configuration data from an LDAP server. [Richard Levitte] *) Fix for non blocking accept BIOs. Added new I/O special reason BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs with non blocking I/O was not possible because no retry code was implemented. Also added new SSL code SSL_WANT_ACCEPT to cover this case. [Steve Henson] *) Added the beginnings of Rijndael support. [Ben Laurie] *) Fix for bug in DirectoryString mask setting. Add support for X509_NAME_print_ex() in 'req' and X509_print_ex() function to allow certificate printing to more controllable, additional 'certopt' option to 'x509' to allow new printing options to be set. [Steve Henson] *) Clean old EAY MD5 hack from e_os.h. [Richard Levitte] Changes between 0.9.6j and 0.9.6k [30 Sep 2003] *) Fix various bugs revealed by running the NISCC test suite: Stop out of bounds reads in the ASN1 code when presented with invalid tags (CAN-2003-0543 and CAN-2003-0544). If verify callback ignores invalid public key errors don't try to check certificate signature with the NULL public key. [Steve Henson] *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate if the server requested one: as stated in TLS 1.0 and SSL 3.0 specifications. [Steve Henson] *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional extra data after the compression methods not only for TLS 1.0 but also for SSL 3.0 (as required by the specification). [Bodo Moeller; problem pointed out by Matthias Loepfe] *) Change X509_certificate_type() to mark the key as exported/exportable when it's 512 *bits* long, not 512 bytes. [Richard Levitte] Changes between 0.9.6i and 0.9.6j [10 Apr 2003] *) Countermeasure against the Klima-Pokorny-Rosa extension of Bleichbacher's attack on PKCS #1 v1.5 padding: treat a protocol version number mismatch like a decryption error in ssl3_get_client_key_exchange (ssl/s3_srvr.c). [Bodo Moeller] *) Turn on RSA blinding by default in the default implementation to avoid a timing attack. Applications that don't want it can call RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. They would be ill-advised to do so in most cases. [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] *) Change RSA blinding code so that it works when the PRNG is not seeded (in this case, the secret RSA exponent is abused as an unpredictable seed -- if it is not unpredictable, there is no point in blinding anyway). Make RSA blinding thread-safe by remembering the creator's thread ID in rsa->blinding and having all other threads use local one-time blinding factors (this requires more computation than sharing rsa->blinding, but avoids excessive locking; and if an RSA object is not shared between threads, blinding will still be very fast). [Bodo Moeller] Changes between 0.9.6h and 0.9.6i [19 Feb 2003] *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked via timing by performing a MAC computation even if incorrrect block cipher padding has been found. This is a countermeasure against active attacks where the attacker has to distinguish between bad padding and a MAC verification error. (CAN-2003-0078) [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion)] Changes between 0.9.6g and 0.9.6h [5 Dec 2002] *) New function OPENSSL_cleanse(), which is used to cleanse a section of memory from it's contents. This is done with a counter that will place alternating values in each byte. This can be used to solve two issues: 1) the removal of calls to memset() by highly optimizing compilers, and 2) cleansing with other values than 0, since those can be read through on certain media, for example a swap space on disk. [Geoff Thorpe] *) Bugfix: client side session caching did not work with external caching, because the session->cipher setting was not restored when reloading from the external cache. This problem was masked, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set. (Found by Steve Haslam .) [Lutz Jaenicke] *) Fix client_certificate (ssl/s2_clnt.c): The permissible total length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33. [Zeev Lieber ] *) Undo an undocumented change introduced in 0.9.6e which caused repeated calls to OpenSSL_add_all_ciphers() and OpenSSL_add_all_digests() to be ignored, even after calling EVP_cleanup(). [Richard Levitte] *) Change the default configuration reader to deal with last line not being properly terminated. [Richard Levitte] *) Change X509_NAME_cmp() so it applies the special rules on handling DN values that are of type PrintableString, as well as RDNs of type emailAddress where the value has the type ia5String. [stefank@valicert.com via Richard Levitte] *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be the bitwise-OR of the two for use by the majority of applications wanting this behaviour, and update the docs. The documented behaviour and actual behaviour were inconsistent and had been changing anyway, so this is more a bug-fix than a behavioural change. [Geoff Thorpe, diagnosed by Nadav Har'El] *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). [Bodo Moeller] *) Fix initialization code race conditions in SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(), SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(), SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(), TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(), ssl2_get_cipher_by_char(), ssl3_get_cipher_by_char(). [Patrick McCormick , Bodo Moeller] *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after the cached sessions are flushed, as the remove_cb() might use ex_data contents. Bug found by Sam Varshavchik (see [openssl.org #212]). [Geoff Thorpe, Lutz Jaenicke] *) Fix typo in OBJ_txt2obj which incorrectly passed the content length, instead of the encoding length to d2i_ASN1_OBJECT. [Steve Henson] Changes between 0.9.6f and 0.9.6g [9 Aug 2002] *) [In 0.9.6g-engine release:] Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall'). [Lynn Gazis ] Changes between 0.9.6e and 0.9.6f [8 Aug 2002] *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX and get fix the header length calculation. [Florian Weimer , Alon Kantor (and others), Steve Henson] *) Use proper error handling instead of 'assertions' in buffer overflow checks added in 0.9.6e. This prevents DoS (the assertions could call abort()). [Arne Ansper , Bodo Moeller] Changes between 0.9.6d and 0.9.6e [30 Jul 2002] *) Add various sanity checks to asn1_get_length() to reject the ASN1 length bytes if they exceed sizeof(long), will appear negative or the content length exceeds the length of the supplied buffer. [Steve Henson, Adi Stav , James Yonan ] *) Fix cipher selection routines: ciphers without encryption had no flags for the cipher strength set and where therefore not handled correctly by the selection routines (PR #130). [Lutz Jaenicke] *) Fix EVP_dsa_sha macro. [Nils Larsch] *) New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure that was added in OpenSSL 0.9.6d. As the countermeasure turned out to be incompatible with some broken SSL implementations, the new option is part of SSL_OP_ALL. SSL_OP_ALL is usually employed when compatibility with weird SSL implementations is desired (e.g. '-bugs' option to 's_client' and 's_server'), so the new option is automatically set in many applications. [Bodo Moeller] *) Changes in security patch: Changes marked "(CHATS)" were sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537. *) Add various sanity checks to asn1_get_length() to reject the ASN1 length bytes if they exceed sizeof(long), will appear negative or the content length exceeds the length of the supplied buffer. (CAN-2002-0659) [Steve Henson, Adi Stav , James Yonan ] *) Assertions for various potential buffer overflows, not known to happen in practice. [Ben Laurie (CHATS)] *) Various temporary buffers to hold ASCII versions of integers were too small for 64 bit platforms. (CAN-2002-0655) [Matthew Byng-Maddick and Ben Laurie (CHATS)> *) Remote buffer overflow in SSL3 protocol - an attacker could supply an oversized session ID to a client. (CAN-2002-0656) [Ben Laurie (CHATS)] *) Remote buffer overflow in SSL2 protocol - an attacker could supply an oversized client master key. (CAN-2002-0656) [Ben Laurie (CHATS)] Changes between 0.9.6c and 0.9.6d [9 May 2002] *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not encoded as NULL) with id-dsa-with-sha1. [Nils Larsch ; problem pointed out by Bodo Moeller] *) Check various X509_...() return values in apps/req.c. [Nils Larsch ] *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines: an end-of-file condition would erronously be flagged, when the CRLF was just at the end of a processed block. The bug was discovered when processing data through a buffering memory BIO handing the data to a BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov and Nedelcho Stanev. [Lutz Jaenicke] *) Implement a countermeasure against a vulnerability recently found in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment before application data chunks to avoid the use of known IVs with data potentially chosen by the attacker. [Bodo Moeller] *) Fix length checks in ssl3_get_client_hello(). [Bodo Moeller] *) TLS/SSL library bugfix: use s->s3->in_read_app_data differently to prevent ssl3_read_internal() from incorrectly assuming that ssl3_read_bytes() found application data while handshake processing was enabled when in fact s->s3->in_read_app_data was merely automatically cleared during the initial handshake. [Bodo Moeller; problem pointed out by Arne Ansper ] *) Fix object definitions for Private and Enterprise: they were not recognized in their shortname (=lowercase) representation. Extend obj_dat.pl to issue an error when using undefined keywords instead of silently ignoring the problem (Svenning Sorensen ). [Lutz Jaenicke] *) Fix DH_generate_parameters() so that it works for 'non-standard' generators, i.e. generators other than 2 and 5. (Previously, the code did not properly initialise the 'add' and 'rem' values to BN_generate_prime().) In the new general case, we do not insist that 'generator' is actually a primitive root: This requirement is rather pointless; a generator of the order-q subgroup is just as good, if not better. [Bodo Moeller] *) Map new X509 verification errors to alerts. Discovered and submitted by Tom Wu . [Lutz Jaenicke] *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from returning non-zero before the data has been completely received when using non-blocking I/O. [Bodo Moeller; problem pointed out by John Hughes] *) Some of the ciphers missed the strength entry (SSL_LOW etc). [Ben Laurie, Lutz Jaenicke] *) Fix bug in SSL_clear(): bad sessions were not removed (found by Yoram Zahavi ). [Lutz Jaenicke] *) Add information about CygWin 1.3 and on, and preserve proper configuration for the versions before that. [Corinna Vinschen and Richard Levitte] *) Make removal from session cache (SSL_CTX_remove_session()) more robust: check whether we deal with a copy of a session and do not delete from the cache in this case. Problem reported by "Izhar Shoshani Levi" . [Lutz Jaenicke] *) Do not store session data into the internal session cache, if it is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP flag is set). Proposed by Aslam . [Lutz Jaenicke] *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested value is 0. [Richard Levitte] *) [In 0.9.6d-engine release:] Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). [Toomas Kiisk via Richard Levitte] *) Add the configuration target linux-s390x. [Neale Ferguson via Richard Levitte] *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag variable as an indication that a ClientHello message has been received. As the flag value will be lost between multiple invocations of ssl3_accept when using non-blocking I/O, the function may not be aware that a handshake has actually taken place, thus preventing a new session from being added to the session cache. To avoid this problem, we now set s->new_session to 2 instead of using a local variable. [Lutz Jaenicke, Bodo Moeller] *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c) if the SSL_R_LENGTH_MISMATCH error is detected. [Geoff Thorpe, Bodo Moeller] *) New 'shared_ldflag' column in Configure platform table. [Richard Levitte] *) Fix EVP_CIPHER_mode macro. ["Dan S. Camper" ] *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown type, we must throw them away by setting rr->length to 0. [D P Chang ] Changes between 0.9.6b and 0.9.6c [21 dec 2001] *) Fix BN_rand_range bug pointed out by Dominikus Scherkl . (The previous implementation worked incorrectly for those cases where range = 10..._2 and 3*range is two bits longer than range.) [Bodo Moeller] *) Only add signing time to PKCS7 structures if it is not already present. [Steve Henson] *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce", OBJ_ld_ce should be OBJ_id_ce. Also some ip-pda OIDs in crypto/objects/objects.txt were incorrect (cf. RFC 3039). [Matt Cooper, Frederic Giudicelli, Bodo Moeller] *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid() returns early because it has nothing to do. [Andy Schneider ] *) [In 0.9.6c-engine release:] Fix mutex callback return values in crypto/engine/hw_ncipher.c. [Andy Schneider ] *) [In 0.9.6c-engine release:] Add support for Cryptographic Appliance's keyserver technology. (Use engine 'keyclient') [Cryptographic Appliances and Geoff Thorpe] *) Add a configuration entry for OS/390 Unix. The C compiler 'c89' is called via tools/c89.sh because arguments have to be rearranged (all '-L' options must appear before the first object modules). [Richard Shapiro ] *) [In 0.9.6c-engine release:] Add support for Broadcom crypto accelerator cards, backported from 0.9.7. [Broadcom, Nalin Dahyabhai , Mark Cox] *) [In 0.9.6c-engine release:] Add support for SureWare crypto accelerator cards from Baltimore Technologies. (Use engine 'sureware') [Baltimore Technologies and Mark Cox] *) [In 0.9.6c-engine release:] Add support for crypto accelerator cards from Accelerated Encryption Processing, www.aep.ie. (Use engine 'aep') [AEP Inc. and Mark Cox] *) Add a configuration entry for gcc on UnixWare. [Gary Benson ] *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake messages are stored in a single piece (fixed-length part and variable-length part combined) and fix various bugs found on the way. [Bodo Moeller] *) Disable caching in BIO_gethostbyname(), directly use gethostbyname() instead. BIO_gethostbyname() does not know what timeouts are appropriate, so entries would stay in cache even when they have become invalid. [Bodo Moeller; problem pointed out by Rich Salz *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when faced with a pathologically small ClientHello fragment that does not contain client_version: Instead of aborting with an error, simply choose the highest available protocol version (i.e., TLS 1.0 unless it is disabled). In practice, ClientHello messages are never sent like this, but this change gives us strictly correct behaviour at least for TLS. [Bodo Moeller] *) Fix SSL handshake functions and SSL_clear() such that SSL_clear() never resets s->method to s->ctx->method when called from within one of the SSL handshake functions. [Bodo Moeller; problem pointed out by Niko Baric] *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert (sent using the client's version number) if client_version is smaller than the protocol version in use. Also change ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if the client demanded SSL 3.0 but only TLS 1.0 is enabled; then the client will at least see that alert. [Bodo Moeller] *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation correctly. [Bodo Moeller] *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a client receives HelloRequest while in a handshake. [Bodo Moeller; bug noticed by Andy Schneider ] *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C should end in 'break', not 'goto end' which circuments various cleanups done in state SSL_ST_OK. But session related stuff must be disabled for SSL_ST_OK in the case that we just sent a HelloRequest. Also avoid some overhead by not calling ssl_init_wbio_buffer() before just sending a HelloRequest. [Bodo Moeller, Eric Rescorla ] *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't reveal whether illegal block cipher padding was found or a MAC verification error occured. (Neither SSLerr() codes nor alerts are directly visible to potential attackers, but the information may leak via logfiles.) Similar changes are not required for the SSL 2.0 implementation because the number of padding bytes is sent in clear for SSL 2.0, and the extra bytes are just ignored. However ssl/s2_pkt.c failed to verify that the purported number of padding bytes is in the legal range. [Bodo Moeller] *) Add OpenUNIX-8 support including shared libraries (Boyd Lynn Gerber ). [Lutz Jaenicke] *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid 'wristwatch attack' using huge encoding parameters (cf. James H. Manger's CRYPTO 2001 paper). Note that the RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use encoding parameters and hence was not vulnerable. [Bodo Moeller] *) BN_sqr() bug fix. [Ulf Möller, reported by Jim Ellis ] *) Rabin-Miller test analyses assume uniformly distributed witnesses, so use BN_pseudo_rand_range() instead of using BN_pseudo_rand() followed by modular reduction. [Bodo Moeller; pointed out by Adam Young ] *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range() equivalent based on BN_pseudo_rand() instead of BN_rand(). [Bodo Moeller] *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB). This function was broken, as the check for a new client hello message to handle SGC did not allow these large messages. (Tracked down by "Douglas E. Engert" .) [Lutz Jaenicke] *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long](). [Lutz Jaenicke] *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl() for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" ). [Lutz Jaenicke] *) Rework the configuration and shared library support for Tru64 Unix. The configuration part makes use of modern compiler features and still retains old compiler behavior for those that run older versions of the OS. The shared library support part includes a variant that uses the RPATH feature, and is available through the special configuration target "alpha-cc-rpath", which will never be selected automatically. [Tim Mooney via Richard Levitte] *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message() with the same message size as in ssl3_get_certificate_request(). Otherwise, if no ServerKeyExchange message occurs, CertificateRequest messages might inadvertently be reject as too long. [Petr Lampa ] *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX). [Andy Polyakov] *) Modified SSL library such that the verify_callback that has been set specificly for an SSL object with SSL_set_verify() is actually being used. Before the change, a verify_callback set with this function was ignored and the verify_callback() set in the SSL_CTX at the time of the call was used. New function X509_STORE_CTX_set_verify_cb() introduced to allow the necessary settings. [Lutz Jaenicke] *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c explicitly to NULL, as at least on Solaris 8 this seems not always to be done automatically (in contradiction to the requirements of the C standard). This made problems when used from OpenSSH. [Lutz Jaenicke] *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored dh->length and always used BN_rand_range(priv_key, dh->p). BN_rand_range() is not necessary for Diffie-Hellman, and this specific range makes Diffie-Hellman unnecessarily inefficient if dh->length (recommended exponent length) is much smaller than the length of dh->p. We could use BN_rand_range() if the order of the subgroup was stored in the DH structure, but we only have dh->length. So switch back to BN_rand(priv_key, l, ...) where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1 otherwise. [Bodo Moeller] *) In RSA_eay_public_encrypt RSA_eay_private_decrypt RSA_eay_private_encrypt (signing) RSA_eay_public_decrypt (signature verification) (default implementations for RSA_public_encrypt, RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt), always reject numbers >= n. [Bodo Moeller] *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2 to synchronize access to 'locking_thread'. This is necessary on systems where access to 'locking_thread' (an 'unsigned long' variable) is not atomic. [Bodo Moeller] *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID *before* setting the 'crypto_lock_rand' flag. The previous code had a race condition if 0 is a valid thread ID. [Travis Vitek ] *) Add support for shared libraries under Irix. [Albert Chin-A-Young ] *) Add configuration option to build on Linux on both big-endian and little-endian MIPS. [Ralf Baechle ] *) Add the possibility to create shared libraries on HP-UX. [Richard Levitte] Changes between 0.9.6a and 0.9.6b [9 Jul 2001] *) Change ssleay_rand_bytes (crypto/rand/md_rand.c) to avoid a SSLeay/OpenSSL PRNG weakness pointed out by Markku-Juhani O. Saarinen : PRNG state recovery was possible based on the output of one PRNG request appropriately sized to gain knowledge on 'md' followed by enough consecutive 1-byte PRNG requests to traverse all of 'state'. 1. When updating 'md_local' (the current thread's copy of 'md') during PRNG output generation, hash all of the previous 'md_local' value, not just the half used for PRNG output. 2. Make the number of bytes from 'state' included into the hash independent from the number of PRNG bytes requested. The first measure alone would be sufficient to avoid Markku-Juhani's attack. (Actually it had never occurred to me that the half of 'md_local' used for chaining was the half from which PRNG output bytes were taken -- I had always assumed that the secret half would be used.) The second measure makes sure that additional data from 'state' is never mixed into 'md_local' in small portions; this heuristically further strengthens the PRNG. [Bodo Moeller] *) Fix crypto/bn/asm/mips3.s. [Andy Polyakov] *) When only the key is given to "enc", the IV is undefined. Print out an error message in this case. [Lutz Jaenicke] *) Handle special case when X509_NAME is empty in X509 printing routines. [Steve Henson] *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are positive and less than q. [Bodo Moeller] *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is used: it isn't thread safe and the add_lock_callback should handle that itself. [Paul Rose ] *) Verify that incoming data obeys the block size in ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c). [Bodo Moeller] *) Fix OAEP check. [Ulf Möller, Bodo Möller] *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 when fixing the server behaviour for backwards-compatible 'client hello' messages. (Note that the attack is impractical against SSL 3.0 and TLS 1.0 anyway because length and version checking means that the probability of guessing a valid ciphertext is around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 paper.) Before 0.9.5, the countermeasure (hide the error by generating a random 'decryption result') did not work properly because ERR_clear_error() was missing, meaning that SSL_get_error() would detect the supposedly ignored error. Both problems are now fixed. [Bodo Moeller] *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096 (previously it was 1024). [Bodo Moeller] *) Fix for compatibility mode trust settings: ignore trust settings unless some valid trust or reject settings are present. [Steve Henson] *) Fix for blowfish EVP: its a variable length cipher. [Steve Henson] *) Fix various bugs related to DSA S/MIME verification. Handle missing parameters in DSA public key structures and return an error in the DSA routines if parameters are absent. [Steve Henson] *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd" in the current directory if neither $RANDFILE nor $HOME was set. RAND_file_name() in 0.9.6a returned NULL in this case. This has caused some confusion to Windows users who haven't defined $HOME. Thus RAND_file_name() is changed again: e_os.h can define a DEFAULT_HOME, which will be used if $HOME is not set. For Windows, we use "C:"; on other platforms, we still require environment variables. *) Move 'if (!initialized) RAND_poll()' into regions protected by CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids having multiple threads call RAND_poll() concurrently. [Bodo Moeller] *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a combination of a flag and a thread ID variable. Otherwise while one thread is in ssleay_rand_bytes (which sets the flag), *other* threads can enter ssleay_add_bytes without obeying the CRYPTO_LOCK_RAND lock (and may even illegally release the lock that they do not hold after the first thread unsets add_do_not_lock). [Bodo Moeller] *) Change bctest again: '-x' expressions are not available in all versions of 'test'. [Bodo Moeller] Changes between 0.9.6 and 0.9.6a [5 Apr 2001] *) Fix a couple of memory leaks in PKCS7_dataDecode() [Steve Henson, reported by Heyun Zheng ] *) Change Configure and Makefiles to provide EXE_EXT, which will contain the default extension for executables, if any. Also, make the perl scripts that use symlink() to test if it really exists and use "cp" if it doesn't. All this made OpenSSL compilable and installable in CygWin. [Richard Levitte] *) Fix for asn1_GetSequence() for indefinite length constructed data. If SEQUENCE is length is indefinite just set c->slen to the total amount of data available. [Steve Henson, reported by shige@FreeBSD.org] [This change does not apply to 0.9.7.] *) Change bctest to avoid here-documents inside command substitution (workaround for FreeBSD /bin/sh bug). For compatibility with Ultrix, avoid shell functions (introduced in the bctest version that searches along $PATH). [Bodo Moeller] *) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes with des_encrypt() defined on some operating systems, like Solaris and UnixWare. [Richard Levitte] *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton: On the Importance of Eliminating Errors in Cryptographic Computations, J. Cryptology 14 (2001) 2, 101-119, http://theory.stanford.edu/~dabo/papers/faults.ps.gz). [Ulf Moeller] *) MIPS assembler BIGNUM division bug fix. [Andy Polyakov] *) Disabled incorrect Alpha assembler code. [Richard Levitte] *) Fix PKCS#7 decode routines so they correctly update the length after reading an EOC for the EXPLICIT tag. [Steve Henson] [This change does not apply to 0.9.7.] *) Fix bug in PKCS#12 key generation routines. This was triggered if a 3DES key was generated with a 0 initial byte. Include PKCS12_BROKEN_KEYGEN compilation option to retain the old (but broken) behaviour. [Steve Henson] *) Enhance bctest to search for a working bc along $PATH and print it when found. [Tim Rice via Richard Levitte] *) Fix memory leaks in err.c: free err_data string if necessary; don't write to the wrong index in ERR_set_error_data. [Bodo Moeller] *) Implement ssl23_peek (analogous to ssl23_read), which previously did not exist. [Bodo Moeller] *) Replace rdtsc with _emit statements for VC++ version 5. [Jeremy Cooper ] *) Make it possible to reuse SSLv2 sessions. [Richard Levitte] *) In copy_email() check for >= 0 as a return value for X509_NAME_get_index_by_NID() since 0 is a valid index. [Steve Henson reported by Massimiliano Pala ] *) Avoid coredump with unsupported or invalid public keys by checking if X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when PKCS7_verify() fails with non detached data. [Steve Henson] *) Don't use getenv in library functions when run as setuid/setgid. New function OPENSSL_issetugid(). [Ulf Moeller] *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c) due to incorrect handling of multi-threading: 1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl(). 2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on(). 3. Count how many times MemCheck_off() has been called so that nested use can be treated correctly. This also avoids inband-signalling in the previous code (which relied on the assumption that thread ID 0 is impossible). [Bodo Moeller] *) Add "-rand" option also to s_client and s_server. [Lutz Jaenicke] *) Fix CPU detection on Irix 6.x. [Kurt Hockenbury and "Bruce W. Forsberg" ] *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME was empty. [Steve Henson] [This change does not apply to 0.9.7.] *) Use the cached encoding of an X509_NAME structure rather than copying it. This is apparently the reason for the libsafe "errors" but the code is actually correct. [Steve Henson] *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent Bleichenbacher's DSA attack. Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits to be set and top=0 forces the highest bit to be set; top=-1 is new and leaves the highest bit random. [Ulf Moeller, Bodo Moeller] *) In the NCONF_...-based implementations for CONF_... queries (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using a temporary CONF structure with the data component set to NULL (which gives segmentation faults in lh_retrieve). Instead, use NULL for the CONF pointer in CONF_get_string and CONF_get_number (which may use environment variables) and directly return NULL from CONF_get_section. [Bodo Moeller] *) Fix potential buffer overrun for EBCDIC. [Ulf Moeller] *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign keyUsage if basicConstraints absent for a CA. [Steve Henson] *) Make SMIME_write_PKCS7() write mail header values with a format that is more generally accepted (no spaces before the semicolon), since some programs can't parse those values properly otherwise. Also make sure BIO's that break lines after each write do not create invalid headers. [Richard Levitte] *) Make the CRL encoding routines work with empty SEQUENCE OF. The macros previously used would not encode an empty SEQUENCE OF and break the signature. [Steve Henson] [This change does not apply to 0.9.7.] *) Zero the premaster secret after deriving the master secret in DH ciphersuites. [Steve Henson] *) Add some EVP_add_digest_alias registrations (as found in OpenSSL_add_all_digests()) to SSL_library_init() aka OpenSSL_add_ssl_algorithms(). This provides improved compatibility with peers using X.509 certificates with unconventional AlgorithmIdentifier OIDs. [Bodo Moeller] *) Fix for Irix with NO_ASM. ["Bruce W. Forsberg" ] *) ./config script fixes. [Ulf Moeller, Richard Levitte] *) Fix 'openssl passwd -1'. [Bodo Moeller] *) Change PKCS12_key_gen_asc() so it can cope with non null terminated strings whose length is passed in the passlen parameter, for example from PEM callbacks. This was done by adding an extra length parameter to asc2uni(). [Steve Henson, reported by ] *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn call failed, free the DSA structure. [Bodo Moeller] *) Fix to uni2asc() to cope with zero length Unicode strings. These are present in some PKCS#12 files. [Steve Henson] *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c). Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits when writing a 32767 byte record. [Bodo Moeller; problem reported by Eric Day ] *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c), obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}. (RSA objects have a reference count access to which is protected by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c], so they are meant to be shared between threads.) [Bodo Moeller, Geoff Thorpe; original patch submitted by "Reddie, Steven" ] *) Fix a deadlock in CRYPTO_mem_leaks(). [Bodo Moeller] *) Use better test patterns in bntest. [Ulf Möller] *) rand_win.c fix for Borland C. [Ulf Möller] *) BN_rshift bugfix for n == 0. [Bodo Moeller] *) Add a 'bctest' script that checks for some known 'bc' bugs so that 'make test' does not abort just because 'bc' is broken. [Bodo Moeller] *) Store verify_result within SSL_SESSION also for client side to avoid potential security hole. (Re-used sessions on the client side always resulted in verify_result==X509_V_OK, not using the original result of the server certificate verification.) [Lutz Jaenicke] *) Fix ssl3_pending: If the record in s->s3->rrec is not of type SSL3_RT_APPLICATION_DATA, return 0. Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true. [Bodo Moeller] *) Fix SSL_peek: Both ssl2_peek and ssl3_peek, which were totally broken in earlier releases, have been re-implemented by renaming the previous implementations of ssl2_read and ssl3_read to ssl2_read_internal and ssl3_read_internal, respectively, and adding 'peek' parameters to them. The new ssl[23]_{read,peek} functions are calls to ssl[23]_read_internal with the 'peek' flag set appropriately. A 'peek' parameter has also been added to ssl3_read_bytes, which does the actual work for ssl3_read_internal. [Bodo Moeller] *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling the method-specific "init()" handler. Also clean up ex_data after calling the method-specific "finish()" handler. Previously, this was happening the other way round. [Geoff Thorpe] *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16. The previous value, 12, was not always sufficient for BN_mod_exp(). [Bodo Moeller] *) Make sure that shared libraries get the internal name engine with the full version number and not just 0. This should mark the shared libraries as not backward compatible. Of course, this should be changed again when we can guarantee backward binary compatibility. [Richard Levitte] *) Fix typo in get_cert_by_subject() in by_dir.c [Jean-Marc Desperrier ] *) Rework the system to generate shared libraries: - Make note of the expected extension for the shared libraries and if there is a need for symbolic links from for example libcrypto.so.0 to libcrypto.so.0.9.7. There is extended info in Configure for that. - Make as few rebuilds of the shared libraries as possible. - Still avoid linking the OpenSSL programs with the shared libraries. - When installing, install the shared libraries separately from the static ones. [Richard Levitte] *) Fix SSL_CTX_set_read_ahead macro to actually use its argument. Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new and not in SSL_clear because the latter is also used by the accept/connect functions; previously, the settings made by SSL_set_read_ahead would be lost during the handshake. [Bodo Moeller; problems reported by Anders Gertz ] *) Correct util/mkdef.pl to be selective about disabled algorithms. Previously, it would create entries for disableed algorithms no matter what. [Richard Levitte] *) Added several new manual pages for SSL_* function. [Lutz Jaenicke] Changes between 0.9.5a and 0.9.6 [24 Sep 2000] *) In ssl23_get_client_hello, generate an error message when faced with an initial SSL 3.0/TLS record that is too small to contain the first two bytes of the ClientHello message, i.e. client_version. (Note that this is a pathologic case that probably has never happened in real life.) The previous approach was to use the version number from the record header as a substitute; but our protocol choice should not depend on that one because it is not authenticated by the Finished messages. [Bodo Moeller] *) More robust randomness gathering functions for Windows. [Jeffrey Altman ] *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is not set then we don't setup the error code for issuer check errors to avoid possibly overwriting other errors which the callback does handle. If an application does set the flag then we assume it knows what it is doing and can handle the new informational codes appropriately. [Steve Henson] *) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for a general "ANY" type, as such it should be able to decode anything including tagged types. However it didn't check the class so it would wrongly interpret tagged types in the same way as their universal counterpart and unknown types were just rejected. Changed so that the tagged and unknown types are handled in the same way as a SEQUENCE: that is the encoding is stored intact. There is also a new type "V_ASN1_OTHER" which is used when the class is not universal, in this case we have no idea what the actual type is so we just lump them all together. [Steve Henson] *) On VMS, stdout may very well lead to a file that is written to in a record-oriented fashion. That means that every write() will write a separate record, which will be read separately by the programs trying to read from it. This can be very confusing. The solution is to put a BIO filter in the way that will buffer text until a linefeed is reached, and then write everything a line at a time, so every record written will be an actual line, not chunks of lines and not (usually doesn't happen, but I've seen it once) several lines in one record. BIO_f_linebuffer() is the answer. Currently, it's a VMS-only method, because that's where it has been tested well enough. [Richard Levitte] *) Remove 'optimized' squaring variant in BN_mod_mul_montgomery, it can return incorrect results. (Note: The buggy variant was not enabled in OpenSSL 0.9.5a, but it was in 0.9.6-beta[12].) [Bodo Moeller] *) Disable the check for content being present when verifying detached signatures in pk7_smime.c. Some versions of Netscape (wrongly) include zero length content when signing messages. [Steve Henson] *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR BIO_ctrl (for BIO pairs). [Bodo Möller] *) Add DSO method for VMS. [Richard Levitte] *) Bug fix: Montgomery multiplication could produce results with the wrong sign. [Ulf Möller] *) Add RPM specification openssl.spec and modify it to build three packages. The default package contains applications, application documentation and run-time libraries. The devel package contains include files, static libraries and function documentation. The doc package contains the contents of the doc directory. The original openssl.spec was provided by Damien Miller . [Richard Levitte] *) Add a large number of documentation files for many SSL routines. [Lutz Jaenicke ] *) Add a configuration entry for Sony News 4. [NAKAJI Hiroyuki ] *) Don't set the two most significant bits to one when generating a random number < q in the DSA library. [Ulf Möller] *) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if the underlying transport is blocking) if a handshake took place. (The default behaviour is needed by applications such as s_client and s_server that use select() to determine when to use SSL_read; but for applications that know in advance when to expect data, it just makes things more complicated.) [Bodo Moeller] *) Add RAND_egd_bytes(), which gives control over the number of bytes read from EGD. [Ben Laurie] *) Add a few more EBCDIC conditionals that make `req' and `x509' work better on such systems. [Martin Kraemer ] *) Add two demo programs for PKCS12_parse() and PKCS12_create(). Update PKCS12_parse() so it copies the friendlyName and the keyid to the certificates aux info. [Steve Henson] *) Fix bug in PKCS7_verify() which caused an infinite loop if there was more than one signature. [Sven Uszpelkat ] *) Major change in util/mkdef.pl to include extra information about each symbol, as well as presentig variables as well as functions. This change means that there's n more need to rebuild the .num files when some algorithms are excluded. [Richard Levitte] *) Allow the verify time to be set by an application, rather than always using the current time. [Steve Henson] *) Phase 2 verify code reorganisation. The certificate verify code now looks up an issuer certificate by a number of criteria: subject name, authority key id and key usage. It also verifies self signed certificates by the same criteria. The main comparison function is X509_check_issued() which performs these checks. Lot of changes were necessary in order to support this without completely rewriting the lookup code. Authority and subject key identifier are now cached. The LHASH 'certs' is X509_STORE has now been replaced by a STACK_OF(X509_OBJECT). This is mainly because an LHASH can't store or retrieve multiple objects with the same hash value. As a result various functions (which were all internal use only) have changed to handle the new X509_STORE structure. This will break anything that messed round with X509_STORE internally. The functions X509_STORE_add_cert() now checks for an exact match, rather than just subject name. The X509_STORE API doesn't directly support the retrieval of multiple certificates matching a given criteria, however this can be worked round by performing a lookup first (which will fill the cache with candidate certificates) and then examining the cache for matches. This is probably the best we can do without throwing out X509_LOOKUP entirely (maybe later...). The X509_VERIFY_CTX structure has been enhanced considerably. All certificate lookup operations now go via a get_issuer() callback. Although this currently uses an X509_STORE it can be replaced by custom lookups. This is a simple way to bypass the X509_STORE hackery necessary to make this work and makes it possible to use more efficient techniques in future. A very simple version which uses a simple STACK for its trusted certificate store is also provided using X509_STORE_CTX_trusted_stack(). The verify_cb() and verify() callbacks now have equivalents in the X509_STORE_CTX structure. X509_STORE_CTX also has a 'flags' field which can be used to customise the verify behaviour. [Steve Henson] *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which excludes S/MIME capabilities. [Steve Henson] *) When a certificate request is read in keep a copy of the original encoding of the signed data and use it when outputing again. Signatures then use the original encoding rather than a decoded, encoded version which may cause problems if the request is improperly encoded. [Steve Henson] *) For consistency with other BIO_puts implementations, call buffer_write(b, ...) directly in buffer_puts instead of calling BIO_write(b, ...). In BIO_puts, increment b->num_write as in BIO_write. [Peter.Sylvester@EdelWeb.fr] *) Fix BN_mul_word for the case where the word is 0. (We have to use BN_zero, we may not return a BIGNUM with an array consisting of words set to zero.) [Bodo Moeller] *) Avoid calling abort() from within the library when problems are detected, except if preprocessor symbols have been defined (such as REF_CHECK, BN_DEBUG etc.). [Bodo Moeller] *) New openssl application 'rsautl'. This utility can be used for low level RSA operations. DER public key BIO/fp routines also added. [Steve Henson] *) New Configure entry and patches for compiling on QNX 4. [Andreas Schneider ] *) A demo state-machine implementation was sponsored by Nuron (http://www.nuron.com/) and is now available in demos/state_machine. [Ben Laurie] *) New options added to the 'dgst' utility for signature generation and verification. [Steve Henson] *) Unrecognized PKCS#7 content types are now handled via a catch all ASN1_TYPE structure. This allows unsupported types to be stored as a "blob" and an application can encode and decode it manually. [Steve Henson] *) Fix various signed/unsigned issues to make a_strex.c compile under VC++. [Oscar Jacobsson ] *) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct length if passed a buffer. ASN1_INTEGER_to_BN failed if passed a NULL BN and its argument was negative. [Steve Henson, pointed out by Sven Heiberg ] *) Modification to PKCS#7 encoding routines to output definite length encoding. Since currently the whole structures are in memory there's not real point in using indefinite length constructed encoding. However if OpenSSL is compiled with the flag PKCS7_INDEFINITE_ENCODING the old form is used. [Steve Henson] *) Added BIO_vprintf() and BIO_vsnprintf(). [Richard Levitte] *) Added more prefixes to parse for in the the strings written through a logging bio, to cover all the levels that are available through syslog. The prefixes are now: PANIC, EMERG, EMR => LOG_EMERG ALERT, ALR => LOG_ALERT CRIT, CRI => LOG_CRIT ERROR, ERR => LOG_ERR WARNING, WARN, WAR => LOG_WARNING NOTICE, NOTE, NOT => LOG_NOTICE INFO, INF => LOG_INFO DEBUG, DBG => LOG_DEBUG and as before, if none of those prefixes are present at the beginning of the string, LOG_ERR is chosen. On Win32, the LOG_* levels are mapped according to this: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE LOG_WARNING => EVENTLOG_WARNING_TYPE LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE [Richard Levitte] *) Made it possible to reconfigure with just the configuration argument "reconf" or "reconfigure". The command line arguments are stored in Makefile.ssl in the variable CONFIGURE_ARGS, and are retrieved from there when reconfiguring. [Richard Levitte] *) MD4 implemented. [Assar Westerlund , Richard Levitte] *) Add the arguments -CAfile and -CApath to the pkcs12 utility. [Richard Levitte] *) The obj_dat.pl script was messing up the sorting of object names. The reason was that it compared the quoted version of strings as a result "OCSP" > "OCSP Signing" because " > SPACE. Changed script to store unquoted versions of names and add quotes on output. It was also omitting some names from the lookup table if they were given a default value (that is if SN is missing it is given the same value as LN and vice versa), these are now added on the grounds that if an object has a name we should be able to look it up. Finally added warning output when duplicate short or long names are found. [Steve Henson] *) Changes needed for Tandem NSK. [Scott Uroff ] *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in RSA_padding_check_SSLv23(), special padding was never detected and thus the SSL 3.0/TLS 1.0 countermeasure against protocol version rollback attacks was not effective. In s23_clnt.c, don't use special rollback-attack detection padding (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the client; similarly, in s23_srvr.c, don't do the rollback check if SSL 2.0 is the only protocol enabled in the server. [Bodo Moeller] *) Make it possible to get hexdumps of unprintable data with 'openssl asn1parse'. By implication, the functions ASN1_parse_dump() and BIO_dump_indent() are added. [Richard Levitte] *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex() these print out strings and name structures based on various flags including RFC2253 support and proper handling of multibyte characters. Added options to the 'x509' utility to allow the various flags to be set. [Steve Henson] *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME. Also change the functions X509_cmp_current_time() and X509_gmtime_adj() work with an ASN1_TIME structure, this will enable certificates using GeneralizedTime in validity dates to be checked. [Steve Henson] *) Make the NEG_PUBKEY_BUG code (which tolerates invalid negative public key encodings) on by default, NO_NEG_PUBKEY_BUG can be set to disable it. [Steve Henson] *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT content octets. An i2c_ASN1_OBJECT is unnecessary because the encoding can be trivially obtained from the structure. [Steve Henson] *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock), not read locks (CRYPTO_r_[un]lock). [Bodo Moeller] *) A first attempt at creating official support for shared libraries through configuration. I've kept it so the default is static libraries only, and the OpenSSL programs are always statically linked for now, but there are preparations for dynamic linking in place. This has been tested on Linux and Tru64. [Richard Levitte] *) Randomness polling function for Win9x, as described in: Peter Gutmann, Software Generation of Practically Strong Random Numbers. [Ulf Möller] *) Fix so PRNG is seeded in req if using an already existing DSA key. [Steve Henson] *) New options to smime application. -inform and -outform allow alternative formats for the S/MIME message including PEM and DER. The -content option allows the content to be specified separately. This should allow things like Netscape form signing output easier to verify. [Steve Henson] *) Fix the ASN1 encoding of tags using the 'long form'. [Steve Henson] *) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT STRING types. These convert content octets to and from the underlying type. The actual tag and length octets are already assumed to have been read in and checked. These are needed because all other string types have virtually identical handling apart from the tag. By having versions of the ASN1 functions that just operate on content octets IMPLICIT tagging can be handled properly. It also allows the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED and ASN1_INTEGER are identical apart from the tag. [Steve Henson] *) Change the handling of OID objects as follows: - New object identifiers are inserted in objects.txt, following the syntax given in objects.README. - objects.pl is used to process obj_mac.num and create a new obj_mac.h. - obj_dat.pl is used to create a new obj_dat.h, using the data in obj_mac.h. This is currently kind of a hack, and the perl code in objects.pl isn't very elegant, but it works as I intended. The simplest way to check that it worked correctly is to look in obj_dat.h and check the array nid_objs and make sure the objects haven't moved around (this is important!). Additions are OK, as well as consistent name changes. [Richard Levitte] *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1'). [Bodo Moeller] *) Addition of the command line parameter '-rand file' to 'openssl req'. The given file adds to whatever has already been seeded into the random pool through the RANDFILE configuration file option or environment variable, or the default random state file. [Richard Levitte] *) mkstack.pl now sorts each macro group into lexical order. Previously the output order depended on the order the files appeared in the directory, resulting in needless rewriting of safestack.h . [Steve Henson] *) Patches to make OpenSSL compile under Win32 again. Mostly work arounds for the VC++ problem that it treats func() as func(void). Also stripped out the parts of mkdef.pl that added extra typesafe functions: these no longer exist. [Steve Henson] *) Reorganisation of the stack code. The macros are now all collected in safestack.h . Each macro is defined in terms of a "stack macro" of the form SKM_(type, a, b). The DEBUG_SAFESTACK is now handled in terms of function casts, this has the advantage of retaining type safety without the use of additional functions. If DEBUG_SAFESTACK is not defined then the non typesafe macros are used instead. Also modified the mkstack.pl script to handle the new form. Needs testing to see if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK the default if no major problems. Similar behaviour for ASN1_SET_OF and PKCS12_STACK_OF. [Steve Henson] *) When some versions of IIS use the 'NET' form of private key the key derivation algorithm is different. Normally MD5(password) is used as a 128 bit RC4 key. In the modified case MD5(MD5(password) + "SGCKEYSALT") is used insted. Added some new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same as the old Netscape_RSA functions except they have an additional 'sgckey' parameter which uses the modified algorithm. Also added an -sgckey command line option to the rsa utility. Thanks to Adrian Peck for posting details of the modified algorithm to openssl-dev. [Steve Henson] *) The evp_local.h macros were using 'c.##kname' which resulted in invalid expansion on some systems (SCO 5.0.5 for example). Corrected to 'c.kname'. [Phillip Porch ] *) New X509_get1_email() and X509_REQ_get1_email() functions that return a STACK of email addresses from a certificate or request, these look in the subject name and the subject alternative name extensions and omit any duplicate addresses. [Steve Henson] *) Re-implement BN_mod_exp2_mont using independent (and larger) windows. This makes DSA verification about 2 % faster. [Bodo Moeller] *) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5 (meaning that now 2^5 values will be precomputed, which is only 4 KB plus overhead for 1024 bit moduli). This makes exponentiations about 0.5 % faster for 1024 bit exponents (as measured by "openssl speed rsa2048"). [Bodo Moeller] *) Rename memory handling macros to avoid conflicts with other software: Malloc => OPENSSL_malloc Malloc_locked => OPENSSL_malloc_locked Realloc => OPENSSL_realloc Free => OPENSSL_free [Richard Levitte] *) New function BN_mod_exp_mont_word for small bases (roughly 15% faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange). [Bodo Moeller] *) CygWin32 support. [John Jarvie ] *) The type-safe stack code has been rejigged. It is now only compiled in when OpenSSL is configured with the DEBUG_SAFESTACK option and by default all type-specific stack functions are "#define"d back to standard stack functions. This results in more streamlined output but retains the type-safety checking possibilities of the original approach. [Geoff Thorpe] *) The STACK code has been cleaned up, and certain type declarations that didn't make a lot of sense have been brought in line. This has also involved a cleanup of sorts in safestack.h to more correctly map type-safe stack functions onto their plain stack counterparts. This work has also resulted in a variety of "const"ifications of lots of the code, especially "_cmp" operations which should normally be prototyped with "const" parameters anyway. [Geoff Thorpe] *) When generating bytes for the first time in md_rand.c, 'stir the pool' by seeding with STATE_SIZE dummy bytes (with zero entropy count). (The PRNG state consists of two parts, the large pool 'state' and 'md', where all of 'md' is used each time the PRNG is used, but 'state' is used only indexed by a cyclic counter. As entropy may not be well distributed from the beginning, 'md' is important as a chaining variable. However, the output function chains only half of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains all of 'md', and seeding with STATE_SIZE dummy bytes will result in all of 'state' being rewritten, with the new values depending on virtually all of 'md'. This overcomes the 80 bit limitation.) [Bodo Moeller] *) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when the handshake is continued after ssl_verify_cert_chain(); otherwise, if SSL_VERIFY_NONE is set, remaining error codes can lead to 'unexplainable' connection aborts later. [Bodo Moeller; problem tracked down by Lutz Jaenicke] *) Major EVP API cipher revision. Add hooks for extra EVP features. This allows various cipher parameters to be set in the EVP interface. Support added for variable key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and setting of RC2 and RC5 parameters. Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length ciphers. Remove lots of duplicated code from the EVP library. For example *every* cipher init() function handles the 'iv' in the same way according to the cipher mode. They also all do nothing if the 'key' parameter is NULL and for CFB and OFB modes they zero ctx->num. New functionality allows removal of S/MIME code RC2 hack. Most of the routines have the same form and so can be declared in terms of macros. By shifting this to the top level EVP_CipherInit() it can be removed from all individual ciphers. If the cipher wants to handle IVs or keys differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT flags. Change lots of functions like EVP_EncryptUpdate() to now return a value: although software versions of the algorithms cannot fail any installed hardware versions can. [Steve Henson] *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if this option is set, tolerate broken clients that send the negotiated protocol version number instead of the requested protocol version number. [Bodo Moeller] *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag; i.e. non-zero for export ciphersuites, zero otherwise. Previous versions had this flag inverted, inconsistent with rsa_tmp_cb (..._TMP_RSA_CB). [Bodo Moeller; problem reported by Amit Chopra] *) Add missing DSA library text string. Work around for some IIS key files with invalid SEQUENCE encoding. [Steve Henson] *) Add a document (doc/standards.txt) that list all kinds of standards and so on that are implemented in OpenSSL. [Richard Levitte] *) Enhance c_rehash script. Old version would mishandle certificates with the same subject name hash and wouldn't handle CRLs at all. Added -fingerprint option to crl utility, to support new c_rehash features. [Steve Henson] *) Eliminate non-ANSI declarations in crypto.h and stack.h. [Ulf Möller] *) Fix for SSL server purpose checking. Server checking was rejecting certificates which had extended key usage present but no ssl client purpose. [Steve Henson, reported by Rene Grosser ] *) Make PKCS#12 code work with no password. The PKCS#12 spec is a little unclear about how a blank password is handled. Since the password in encoded as a BMPString with terminating double NULL a zero length password would end up as just the double NULL. However no password at all is different and is handled differently in the PKCS#12 key generation code. NS treats a blank password as zero length. MSIE treats it as no password on export: but it will try both on import. We now do the same: PKCS12_parse() tries zero length and no password if the password is set to "" or NULL (NULL is now a valid password: it wasn't before) as does the pkcs12 application. [Steve Henson] *) Bugfixes in apps/x509.c: Avoid a memory leak; and don't use perror when PEM_read_bio_X509_REQ fails, the error message must be obtained from the error queue. [Bodo Moeller] *) Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing it in ERR_remove_state if appropriate, and change ERR_get_state accordingly to avoid race conditions (this is necessary because thread_hash is no longer constant once set). [Bodo Moeller] *) Bugfix for linux-elf makefile.one. [Ulf Möller] *) RSA_get_default_method() will now cause a default RSA_METHOD to be chosen if one doesn't exist already. Previously this was only set during a call to RSA_new() or RSA_new_method(NULL) meaning it was possible for RSA_get_default_method() to return NULL. [Geoff Thorpe] *) Added native name translation to the existing DSO code that will convert (if the flag to do so is set) filenames that are sufficiently small and have no path information into a canonical native form. Eg. "blah" converted to "libblah.so" or "blah.dll" etc. [Geoff Thorpe] *) New function ERR_error_string_n(e, buf, len) which is like ERR_error_string(e, buf), but writes at most 'len' bytes including the 0 terminator. For ERR_error_string_n, 'buf' may not be NULL. [Damien Miller , Bodo Moeller] *) CONF library reworked to become more general. A new CONF configuration file reader "class" is implemented as well as a new functions (NCONF_*, for "New CONF") to handle it. The now old CONF_* functions are still there, but are reimplemented to work in terms of the new functions. Also, a set of functions to handle the internal storage of the configuration data is provided to make it easier to write new configuration file reader "classes" (I can definitely see something reading a configuration file in XML format, for example), called _CONF_*, or "the configuration storage API"... The new configuration file reading functions are: NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio, NCONF_get_section, NCONF_get_string, NCONF_get_numbre NCONF_default, NCONF_WIN32 NCONF_dump_fp, NCONF_dump_bio NCONF_default and NCONF_WIN32 are method (or "class") choosers, NCONF_new creates a new CONF object. This works in the same way as other interfaces in OpenSSL, like the BIO interface. NCONF_dump_* dump the internal storage of the configuration file, which is useful for debugging. All other functions take the same arguments as the old CONF_* functions wth the exception of the first that must be a `CONF *' instead of a `LHASH *'. To make it easer to use the new classes with the old CONF_* functions, the function CONF_set_default_method is provided. [Richard Levitte] *) Add '-tls1' option to 'openssl ciphers', which was already mentioned in the documentation but had not been implemented. (This option is not yet really useful because even the additional experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.) [Bodo Moeller] *) Initial DSO code added into libcrypto for letting OpenSSL (and OpenSSL-based applications) load shared libraries and bind to them in a portable way. [Geoff Thorpe, with contributions from Richard Levitte] Changes between 0.9.5 and 0.9.5a [1 Apr 2000] *) Make sure _lrotl and _lrotr are only used with MSVC. *) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status (the default implementation of RAND_status). *) Rename openssl x509 option '-crlext', which was added in 0.9.5, to '-clrext' (= clear extensions), as intended and documented. [Bodo Moeller; inconsistency pointed out by Michael Attili ] *) Fix for HMAC. It wasn't zeroing the rest of the block if the key length was larger than the MD block size. [Steve Henson, pointed out by Yost William ] *) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set() using the passed key: if the passed key was a private key the result of X509_print(), for example, would be to print out all the private key components. [Steve Henson] *) des_quad_cksum() byte order bug fix. [Ulf Möller, using the problem description in krb4-0.9.7, where the solution is attributed to Derrick J Brashear ] *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly discouraged. [Steve Henson, pointed out by Brian Korver ] *) For easily testing in shell scripts whether some command 'openssl XXX' exists, the new pseudo-command 'openssl no-XXX' returns with exit code 0 iff no command of the given name is available. 'no-XXX' is printed in this case, 'XXX' otherwise. In both cases, the output goes to stdout and nothing is printed to stderr. Additional arguments are always ignored. Since for each cipher there is a command of the same name, the 'no-cipher' compilation switches can be tested this way. ('openssl no-XXX' is not able to detect pseudo-commands such as 'quit', 'list-XXX-commands', or 'no-XXX' itself.) [Bodo Moeller] *) Update test suite so that 'make test' succeeds in 'no-rsa' configuration. [Bodo Moeller] *) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE is set; it will be thrown away anyway because each handshake creates its own key. ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition to parameters -- in previous versions (since OpenSSL 0.9.3) the 'default key' from SSL_CTX_set_tmp_dh would always be lost, meanining you effectivly got SSL_OP_SINGLE_DH_USE when using this macro. [Bodo Moeller] *) New s_client option -ign_eof: EOF at stdin is ignored, and 'Q' and 'R' lose their special meanings (quit/renegotiate). This is part of what -quiet does; unlike -quiet, -ign_eof does not suppress any output. [Richard Levitte] *) Add compatibility options to the purpose and trust code. The purpose X509_PURPOSE_ANY is "any purpose" which automatically accepts a certificate or CA, this was the previous behaviour, with all the associated security issues. X509_TRUST_COMPAT is the old trust behaviour: only and automatically trust self signed roots in certificate store. A new trust setting X509_TRUST_DEFAULT is used to specify that a purpose has no associated trust setting and it should instead use the value in the default purpose. [Steve Henson] *) Fix the PKCS#8 DSA private key code so it decodes keys again and fix a memory leak. [Steve Henson] *) In util/mkerr.pl (which implements 'make errors'), preserve reason strings from the previous version of the .c file, as the default to have only downcase letters (and digits) in automatically generated reasons codes is not always appropriate. [Bodo Moeller] *) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table using strerror. Previously, ERR_reason_error_string() returned library names as reason strings for SYSerr; but SYSerr is a special case where small numbers are errno values, not library numbers. [Bodo Moeller] *) Add '-dsaparam' option to 'openssl dhparam' application. This converts DSA parameters into DH parameters. (When creating parameters, DSA_generate_parameters is used.) [Bodo Moeller] *) Include 'length' (recommended exponent length) in C code generated by 'openssl dhparam -C'. [Bodo Moeller] *) The second argument to set_label in perlasm was already being used so couldn't be used as a "file scope" flag. Moved to third argument which was free. [Steve Henson] *) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes instead of RAND_bytes for encryption IVs and salts. [Bodo Moeller] *) Include RAND_status() into RAND_METHOD instead of implementing it only for md_rand.c Otherwise replacing the PRNG by calling RAND_set_rand_method would be impossible. [Bodo Moeller] *) Don't let DSA_generate_key() enter an infinite loop if the random number generation fails. [Bodo Moeller] *) New 'rand' application for creating pseudo-random output. [Bodo Moeller] *) Added configuration support for Linux/IA64 [Rolf Haberrecker ] *) Assembler module support for Mingw32. [Ulf Möller] *) Shared library support for HPUX (in shlib/). [Lutz Jaenicke and Anonymous] *) Shared library support for Solaris gcc. [Lutz Behnke ] Changes between 0.9.4 and 0.9.5 [28 Feb 2000] *) PKCS7_encrypt() was adding text MIME headers twice because they were added manually and by SMIME_crlf_copy(). [Steve Henson] *) In bntest.c don't call BN_rand with zero bits argument. [Steve Henson, pointed out by Andrew W. Gray ] *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n] case was implemented. This caused BN_div_recp() to fail occasionally. [Ulf Möller] *) Add an optional second argument to the set_label() in the perl assembly language builder. If this argument exists and is set to 1 it signals that the assembler should use a symbol whose scope is the entire file, not just the current function. This is needed with MASM which uses the format label:: for this scope. [Steve Henson, pointed out by Peter Runestig ] *) Change the ASN1 types so they are typedefs by default. Before almost all types were #define'd to ASN1_STRING which was causing STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING) for example. [Steve Henson] *) Change names of new functions to the new get1/get0 naming convention: After 'get1', the caller owns a reference count and has to call ..._free; 'get0' returns a pointer to some data structure without incrementing reference counters. (Some of the existing 'get' functions increment a reference counter, some don't.) Similarly, 'set1' and 'add1' functions increase reference counters or duplicate objects. [Steve Henson] *) Allow for the possibility of temp RSA key generation failure: the code used to assume it always worked and crashed on failure. [Steve Henson] *) Fix potential buffer overrun problem in BIO_printf(). [Ulf Möller, using public domain code by Patrick Powell; problem pointed out by David Sacerdote ] *) Support EGD . New functions RAND_egd() and RAND_status(). In the command line application, the EGD socket can be specified like a seed file using RANDFILE or -rand. [Ulf Möller] *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures. Some CAs (e.g. Verisign) distribute certificates in this form. [Steve Henson] *) Remove the SSL_ALLOW_ADH compile option and set the default cipher list to exclude them. This means that no special compilation option is needed to use anonymous DH: it just needs to be included in the cipher list. [Steve Henson] *) Change the EVP_MD_CTX_type macro so its meaning consistent with EVP_MD_type. The old functionality is available in a new macro called EVP_MD_md(). Change code that uses it and update docs. [Steve Henson] *) ..._ctrl functions now have corresponding ..._callback_ctrl functions where the 'void *' argument is replaced by a function pointer argument. Previously 'void *' was abused to point to functions, which works on many platforms, but is not correct. As these functions are usually called by macros defined in OpenSSL header files, most source code should work without changes. [Richard Levitte] *) (which is created by Configure) now contains sections with information on -D... compiler switches used for compiling the library so that applications can see them. To enable one of these sections, a pre-processor symbol OPENSSL_..._DEFINES must be defined. E.g., #define OPENSSL_ALGORITHM_DEFINES #include defines all pertinent NO_ symbols, such as NO_IDEA, NO_RSA, etc. [Richard Levitte, Ulf and Bodo Möller] *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS record layer. [Bodo Moeller] *) Change the 'other' type in certificate aux info to a STACK_OF X509_ALGOR. Although not an AlgorithmIdentifier as such it has the required ASN1 format: arbitrary types determined by an OID. [Steve Henson] *) Add some PEM_write_X509_REQ_NEW() functions and a command line argument to 'req'. This is not because the function is newer or better than others it just uses the work 'NEW' in the certificate request header lines. Some software needs this. [Steve Henson] *) Reorganise password command line arguments: now passwords can be obtained from various sources. Delete the PEM_cb function and make it the default behaviour: i.e. if the callback is NULL and the usrdata argument is not NULL interpret it as a null terminated pass phrase. If usrdata and the callback are NULL then the pass phrase is prompted for as usual. [Steve Henson] *) Add support for the Compaq Atalla crypto accelerator. If it is installed, the support is automatically enabled. The resulting binaries will autodetect the card and use it if present. [Ben Laurie and Compaq Inc.] *) Work around for Netscape hang bug. This sends certificate request and server done in one record. Since this is perfectly legal in the SSL/TLS protocol it isn't a "bug" option and is on by default. See the bugs/SSLv3 entry for more info. [Steve Henson] *) HP-UX tune-up: new unified configs, HP C compiler bug workaround. [Andy Polyakov] *) Add -rand argument to smime and pkcs12 applications and read/write of seed file. [Steve Henson] *) New 'passwd' tool for crypt(3) and apr1 password hashes. [Bodo Moeller] *) Add command line password options to the remaining applications. [Steve Henson] *) Bug fix for BN_div_recp() for numerators with an even number of bits. [Ulf Möller] *) More tests in bntest.c, and changed test_bn output. [Ulf Möller] *) ./config recognizes MacOS X now. [Andy Polyakov] *) Bug fix for BN_div() when the first words of num and divsor are equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0). [Ulf Möller] *) Add support for various broken PKCS#8 formats, and command line options to produce them. [Steve Henson] *) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to get temporary BIGNUMs from a BN_CTX. [Ulf Möller] *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont() for p == 0. [Ulf Möller] *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and include a #define from the old name to the new. The original intent was that statically linked binaries could for example just call SSLeay_add_all_ciphers() to just add ciphers to the table and not link with digests. This never worked becayse SSLeay_add_all_digests() and SSLeay_add_all_ciphers() were in the same source file so calling one would link with the other. They are now in separate source files. [Steve Henson] *) Add a new -notext option to 'ca' and a -pubkey option to 'spkac'. [Steve Henson] *) Use a less unusual form of the Miller-Rabin primality test (it used a binary algorithm for exponentiation integrated into the Miller-Rabin loop, our standard modexp algorithms are faster). [Bodo Moeller] *) Support for the EBCDIC character set completed. [Martin Kraemer ] *) Source code cleanups: use const where appropriate, eliminate casts, use void * instead of char * in lhash. [Ulf Möller] *) Bugfix: ssl3_send_server_key_exchange was not restartable (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of this the server could overwrite ephemeral keys that the client has already seen). [Bodo Moeller] *) Turn DSA_is_prime into a macro that calls BN_is_prime, using 50 iterations of the Rabin-Miller test. DSA_generate_parameters now uses BN_is_prime_fasttest (with 50 iterations of the Rabin-Miller test as required by the appendix to FIPS PUB 186[-1]) instead of DSA_is_prime. As BN_is_prime_fasttest includes trial division, DSA parameter generation becomes much faster. This implies a change for the callback functions in DSA_is_prime and DSA_generate_parameters: The callback function is called once for each positive witness in the Rabin-Miller test, not just occasionally in the inner loop; and the parameters to the callback function now provide an iteration count for the outer loop rather than for the current invocation of the inner loop. DSA_generate_parameters additionally can call the callback function with an 'iteration count' of -1, meaning that a candidate has passed the trial division test (when q is generated from an application-provided seed, trial division is skipped). [Bodo Moeller] *) New function BN_is_prime_fasttest that optionally does trial division before starting the Rabin-Miller test and has an additional BN_CTX * argument (whereas BN_is_prime always has to allocate at least one BN_CTX). 'callback(1, -1, cb_arg)' is called when a number has passed the trial division stage. [Bodo Moeller] *) Fix for bug in CRL encoding. The validity dates weren't being handled as ASN1_TIME. [Steve Henson] *) New -pkcs12 option to CA.pl script to write out a PKCS#12 file. [Steve Henson] *) New function BN_pseudo_rand(). [Ulf Möller] *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable) bignum version of BN_from_montgomery() with the working code from SSLeay 0.9.0 (the word based version is faster anyway), and clean up the comments. [Ulf Möller] *) Avoid a race condition in s2_clnt.c (function get_server_hello) that made it impossible to use the same SSL_SESSION data structure in SSL2 clients in multiple threads. [Bodo Moeller] *) The return value of RAND_load_file() no longer counts bytes obtained by stat(). RAND_load_file(..., -1) is new and uses the complete file to seed the PRNG (previously an explicit byte count was required). [Ulf Möller, Bodo Möller] *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes used (char *) instead of (void *) and had casts all over the place. [Steve Henson] *) Make BN_generate_prime() return NULL on error if ret!=NULL. [Ulf Möller] *) Retain source code compatibility for BN_prime_checks macro: BN_is_prime(..., BN_prime_checks, ...) now uses BN_prime_checks_for_size to determine the appropriate number of Rabin-Miller iterations. [Ulf Möller] *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to DH_CHECK_P_NOT_SAFE_PRIME. (Check if this is true? OpenPGP calls them "strong".) [Ulf Möller] *) Merge the functionality of "dh" and "gendh" programs into a new program "dhparam". The old programs are retained for now but will handle DH keys (instead of parameters) in future. [Steve Henson] *) Make the ciphers, s_server and s_client programs check the return values when a new cipher list is set. [Steve Henson] *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit ciphers. Before when the 56bit ciphers were enabled the sorting was wrong. The syntax for the cipher sorting has been extended to support sorting by cipher-strength (using the strength_bits hard coded in the tables). The new command is "@STRENGTH" (see also doc/apps/ciphers.pod). Fix a bug in the cipher-command parser: when supplying a cipher command string with an "undefined" symbol (neither command nor alphanumeric [A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now an error is flagged. Due to the strength-sorting extension, the code of the ssl_create_cipher_list() function was completely rearranged. I hope that the readability was also increased :-) [Lutz Jaenicke ] *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1 for the first serial number and places 2 in the serial number file. This avoids problems when the root CA is created with serial number zero and the first user certificate has the same issuer name and serial number as the root CA. [Steve Henson] *) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses the new code. Add documentation for this stuff. [Steve Henson] *) Changes to X509_ATTRIBUTE utilities. These have been renamed from X509_*() to X509at_*() on the grounds that they don't handle X509 structures and behave in an analagous way to the X509v3 functions: they shouldn't be called directly but wrapper functions should be used instead. So we also now have some wrapper functions that call the X509at functions when passed certificate requests. (TO DO: similar things can be done with PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other things. Some of these need some d2i or i2d and print functionality because they handle more complex structures.) [Steve Henson] *) Add missing #ifndefs that caused missing symbols when building libssl as a shared library without RSA. Use #ifndef NO_SSL2 instead of NO_RSA in ssl/s2*.c. [Kris Kennaway , modified by Ulf Möller] *) Precautions against using the PRNG uninitialized: RAND_bytes() now has a return value which indicates the quality of the random data (1 = ok, 0 = not seeded). Also an error is recorded on the thread's error queue. New function RAND_pseudo_bytes() generates output that is guaranteed to be unique but not unpredictable. RAND_add is like RAND_seed, but takes an extra argument for an entropy estimate (RAND_seed always assumes full entropy). [Ulf Möller] *) Do more iterations of Rabin-Miller probable prime test (specifically, 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes instead of only 2 for all lengths; see BN_prime_checks_for_size definition in crypto/bn/bn_prime.c for the complete table). This guarantees a false-positive rate of at most 2^-80 for random input. [Bodo Moeller] *) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs. [Bodo Moeller] *) New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain in the 0.9.5 release), this returns the chain from an X509_CTX structure with a dup of the stack and all the X509 reference counts upped: so the stack will exist after X509_CTX_cleanup() has been called. Modify pkcs12.c to use this. Also make SSL_SESSION_print() print out the verify return code. [Steve Henson] *) Add manpage for the pkcs12 command. Also change the default behaviour so MAC iteration counts are used unless the new -nomaciter option is used. This improves file security and only older versions of MSIE (4.0 for example) need it. [Steve Henson] *) Honor the no-xxx Configure options when creating .DEF files. [Ulf Möller] *) Add PKCS#10 attributes to field table: challengePassword, unstructuredName and unstructuredAddress. These are taken from draft PKCS#9 v2.0 but are compatible with v1.2 provided no international characters are used. More changes to X509_ATTRIBUTE code: allow the setting of types based on strings. Remove the 'loc' parameter when adding attributes because these will be a SET OF encoding which is sorted in ASN1 order. [Steve Henson] *) Initial changes to the 'req' utility to allow request generation automation. This will allow an application to just generate a template file containing all the field values and have req construct the request. Initial support for X509_ATTRIBUTE handling. Stacks of these are used all over the place including certificate requests and PKCS#7 structures. They are currently handled manually where necessary with some primitive wrappers for PKCS#7. The new functions behave in a manner analogous to the X509 extension functions: they allow attributes to be looked up by NID and added. Later something similar to the X509V3 code would be desirable to automatically handle the encoding, decoding and printing of the more complex types. The string types like challengePassword can be handled by the string table functions. Also modified the multi byte string table handling. Now there is a 'global mask' which masks out certain types. The table itself can use the flag STABLE_NO_MASK to ignore the mask setting: this is useful when for example there is only one permissible type (as in countryName) and using the mask might result in no valid types at all. [Steve Henson] *) Clean up 'Finished' handling, and add functions SSL_get_finished and SSL_get_peer_finished to allow applications to obtain the latest Finished messages sent to the peer or expected from the peer, respectively. (SSL_get_peer_finished is usually the Finished message actually received from the peer, otherwise the protocol will be aborted.) As the Finished message are message digests of the complete handshake (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can be used for external authentication procedures when the authentication provided by SSL/TLS is not desired or is not enough. [Bodo Moeller] *) Enhanced support for Alpha Linux is added. Now ./config checks if the host supports BWX extension and if Compaq C is present on the $PATH. Just exploiting of the BWX extension results in 20-30% performance kick for some algorithms, e.g. DES and RC4 to mention a couple. Compaq C in turn generates ~20% faster code for MD5 and SHA1. [Andy Polyakov] *) Add support for MS "fast SGC". This is arguably a violation of the SSL3/TLS protocol. Netscape SGC does two handshakes: the first with weak crypto and after checking the certificate is SGC a second one with strong crypto. MS SGC stops the first handshake after receiving the server certificate message and sends a second client hello. Since a server will typically do all the time consuming operations before expecting any further messages from the client (server key exchange is the most expensive) there is little difference between the two. To get OpenSSL to support MS SGC we have to permit a second client hello message after we have sent server done. In addition we have to reset the MAC if we do get this second client hello. [Steve Henson] *) Add a function 'd2i_AutoPrivateKey()' this will automatically decide if a DER encoded private key is RSA or DSA traditional format. Changed d2i_PrivateKey_bio() to use it. This is only needed for the "traditional" format DER encoded private key. Newer code should use PKCS#8 format which has the key type encoded in the ASN1 structure. Added DER private key support to pkcs8 application. [Steve Henson] *) SSL 3/TLS 1 servers now don't request certificates when an anonymous ciphersuites has been selected (as required by the SSL 3/TLS 1 specifications). Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT is set, we interpret this as a request to violate the specification (the worst that can happen is a handshake failure, and 'correct' behaviour would result in a handshake failure anyway). [Bodo Moeller] *) In SSL_CTX_add_session, take into account that there might be multiple SSL_SESSION structures with the same session ID (e.g. when two threads concurrently obtain them from an external cache). The internal cache can handle only one SSL_SESSION with a given ID, so if there's a conflict, we now throw out the old one to achieve consistency. [Bodo Moeller] *) Add OIDs for idea and blowfish in CBC mode. This will allow both to be used in PKCS#5 v2.0 and S/MIME. Also add checking to some routines that use cipher OIDs: some ciphers do not have OIDs defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for example. [Steve Henson] *) Simplify the trust setting structure and code. Now we just have two sequences of OIDs for trusted and rejected settings. These will typically have values the same as the extended key usage extension and any application specific purposes. The trust checking code now has a default behaviour: it will just check for an object with the same NID as the passed id. Functions can be provided to override either the default behaviour or the behaviour for a given id. SSL client, server and email already have functions in place for compatibility: they check the NID and also return "trusted" if the certificate is self signed. [Steve Henson] *) Add d2i,i2d bio/fp functions for PrivateKey: these convert the traditional format into an EVP_PKEY structure. [Steve Henson] *) Add a password callback function PEM_cb() which either prompts for a password if usr_data is NULL or otherwise assumes it is a null terminated password. Allow passwords to be passed on command line environment or config files in a few more utilities. [Steve Henson] *) Add a bunch of DER and PEM functions to handle PKCS#8 format private keys. Add some short names for PKCS#8 PBE algorithms and allow them to be specified on the command line for the pkcs8 and pkcs12 utilities. Update documentation. [Steve Henson] *) Support for ASN1 "NULL" type. This could be handled before by using ASN1_TYPE but there wasn't any function that would try to read a NULL and produce an error if it couldn't. For compatibility we also have ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and don't allocate anything because they don't need to. [Steve Henson] *) Initial support for MacOS is now provided. Examine INSTALL.MacOS for details. [Andy Polyakov, Roy Woods ] *) Rebuild of the memory allocation routines used by OpenSSL code and possibly others as well. The purpose is to make an interface that provide hooks so anyone can build a separate set of allocation and deallocation routines to be used by OpenSSL, for example memory pool implementations, or something else, which was previously hard since Malloc(), Realloc() and Free() were defined as macros having the values malloc, realloc and free, respectively (except for Win32 compilations). The same is provided for memory debugging code. OpenSSL already comes with functionality to find memory leaks, but this gives people a chance to debug other memory problems. With these changes, a new set of functions and macros have appeared: CRYPTO_set_mem_debug_functions() [F] CRYPTO_get_mem_debug_functions() [F] CRYPTO_dbg_set_options() [F] CRYPTO_dbg_get_options() [F] CRYPTO_malloc_debug_init() [M] The memory debug functions are NULL by default, unless the library is compiled with CRYPTO_MDEBUG or friends is defined. If someone wants to debug memory anyway, CRYPTO_malloc_debug_init() (which gives the standard debugging functions that come with OpenSSL) or CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions provided by the library user) must be used. When the standard debugging functions are used, CRYPTO_dbg_set_options can be used to request additional information: CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting the CRYPTO_MDEBUG_xxx macro when compiling the library. Also, things like CRYPTO_set_mem_functions will always give the expected result (the new set of functions is used for allocation and deallocation) at all times, regardless of platform and compiler options. To finish it up, some functions that were never use in any other way than through macros have a new API and new semantic: CRYPTO_dbg_malloc() CRYPTO_dbg_realloc() CRYPTO_dbg_free() All macros of value have retained their old syntax. [Richard Levitte and Bodo Moeller] *) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the ordering of SMIMECapabilities wasn't in "strength order" and there was a missing NULL in the AlgorithmIdentifier for the SHA1 signature algorithm. [Steve Henson] *) Some ASN1 types with illegal zero length encoding (INTEGER, ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines. [Frans Heymans , modified by Steve Henson] *) Merge in my S/MIME library for OpenSSL. This provides a simple S/MIME API on top of the PKCS#7 code, a MIME parser (with enough functionality to handle multipart/signed properly) and a utility called 'smime' to call all this stuff. This is based on code I originally wrote for Celo who have kindly allowed it to be included in OpenSSL. [Steve Henson] *) Add variants des_set_key_checked and des_set_key_unchecked of des_set_key (aka des_key_sched). Global variable des_check_key decides which of these is called by des_set_key; this way des_check_key behaves as it always did, but applications and the library itself, which was buggy for des_check_key == 1, have a cleaner way to pick the version they need. [Bodo Moeller] *) New function PKCS12_newpass() which changes the password of a PKCS12 structure. [Steve Henson] *) Modify X509_TRUST and X509_PURPOSE so it also uses a static and dynamic mix. In both cases the ids can be used as an index into the table. Also modified the X509_TRUST_add() and X509_PURPOSE_add() functions so they accept a list of the field values and the application doesn't need to directly manipulate the X509_TRUST structure. [Steve Henson] *) Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't need initialising. [Steve Henson] *) Modify the way the V3 extension code looks up extensions. This now works in a similar way to the object code: we have some "standard" extensions in a static table which is searched with OBJ_bsearch() and the application can add dynamic ones if needed. The file crypto/x509v3/ext_dat.h now has the info: this file needs to be updated whenever a new extension is added to the core code and kept in ext_nid order. There is a simple program 'tabtest.c' which checks this. New extensions are not added too often so this file can readily be maintained manually. There are two big advantages in doing things this way. The extensions can be looked up immediately and no longer need to be "added" using X509V3_add_standard_extensions(): this function now does nothing. [Side note: I get *lots* of email saying the extension code doesn't work because people forget to call this function] Also no dynamic allocation is done unless new extensions are added: so if we don't add custom extensions there is no need to call X509V3_EXT_cleanup(). [Steve Henson] *) Modify enc utility's salting as follows: make salting the default. Add a magic header, so unsalted files fail gracefully instead of just decrypting to garbage. This is because not salting is a big security hole, so people should be discouraged from doing it. [Ben Laurie] *) Fixes and enhancements to the 'x509' utility. It allowed a message digest to be passed on the command line but it only used this parameter when signing a certificate. Modified so all relevant operations are affected by the digest parameter including the -fingerprint and -x509toreq options. Also -x509toreq choked if a DSA key was used because it didn't fix the digest. [Steve Henson] *) Initial certificate chain verify code. Currently tests the untrusted certificates for consistency with the verify purpose (which is set when the X509_STORE_CTX structure is set up) and checks the pathlength. There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour: this is because it will reject chains with invalid extensions whereas every previous version of OpenSSL and SSLeay made no checks at all. Trust code: checks the root CA for the relevant trust settings. Trust settings have an initial value consistent with the verify purpose: e.g. if the verify purpose is for SSL client use it expects the CA to be trusted for SSL client use. However the default value can be changed to permit custom trust settings: one example of this would be to only trust certificates from a specific "secure" set of CAs. Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions which should be used for version portability: especially since the verify structure is likely to change more often now. SSL integration. Add purpose and trust to SSL_CTX and SSL and functions to set them. If not set then assume SSL clients will verify SSL servers and vice versa. Two new options to the verify program: -untrusted allows a set of untrusted certificates to be passed in and -purpose which sets the intended purpose of the certificate. If a purpose is set then the new chain verify code is used to check extension consistency. [Steve Henson] *) Support for the authority information access extension. [Steve Henson] *) Modify RSA and DSA PEM read routines to transparently handle PKCS#8 format private keys. New *_PUBKEY_* functions that handle public keys in a format compatible with certificate SubjectPublicKeyInfo structures. Unfortunately there were already functions called *_PublicKey_* which used various odd formats so these are retained for compatibility: however the DSA variants were never in a public release so they have been deleted. Changed dsa/rsa utilities to handle the new format: note no releases ever handled public keys so we should be OK. The primary motivation for this change is to avoid the same fiasco that dogs private keys: there are several incompatible private key formats some of which are standard and some OpenSSL specific and require various evil hacks to allow partial transparent handling and even then it doesn't work with DER formats. Given the option anything other than PKCS#8 should be dumped: but the other formats have to stay in the name of compatibility. With public keys and the benefit of hindsight one standard format is used which works with EVP_PKEY, RSA or DSA structures: though it clearly returns an error if you try to read the wrong kind of key. Added a -pubkey option to the 'x509' utility to output the public key. Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*() (renamed to EVP_PKEY_get1_*() in the OpenSSL 0.9.5 release) and add EVP_PKEY_rset_*() functions (renamed to EVP_PKEY_set1_*()) that do the same as the EVP_PKEY_assign_*() except they up the reference count of the added key (they don't "swallow" the supplied key). [Steve Henson] *) Fixes to crypto/x509/by_file.c the code to read in certificates and CRLs would fail if the file contained no certificates or no CRLs: added a new function to read in both types and return the number read: this means that if none are read it will be an error. The DER versions of the certificate and CRL reader would always fail because it isn't possible to mix certificates and CRLs in DER format without choking one or the other routine. Changed this to just read a certificate: this is the best we can do. Also modified the code in apps/verify.c to take notice of return codes: it was previously attempting to read in certificates from NULL pointers and ignoring any errors: this is one reason why the cert and CRL reader seemed to work. It doesn't check return codes from the default certificate routines: these may well fail if the certificates aren't installed. [Steve Henson] *) Code to support otherName option in GeneralName. [Steve Henson] *) First update to verify code. Change the verify utility so it warns if it is passed a self signed certificate: for consistency with the normal behaviour. X509_verify has been modified to it will now verify a self signed certificate if *exactly* the same certificate appears in the store: it was previously impossible to trust a single self signed certificate. This means that: openssl verify ss.pem now gives a warning about a self signed certificate but openssl verify -CAfile ss.pem ss.pem is OK. [Steve Henson] *) For servers, store verify_result in SSL_SESSION data structure (and add it to external session representation). This is needed when client certificate verifications fails, but an application-provided verification callback (set by SSL_CTX_set_cert_verify_callback) allows accepting the session anyway (i.e. leaves x509_store_ctx->error != X509_V_OK but returns 1): When the session is reused, we have to set ssl->verify_result to the appropriate error code to avoid security holes. [Bodo Moeller, problem pointed out by Lutz Jaenicke] *) Fix a bug in the new PKCS#7 code: it didn't consider the case in PKCS7_dataInit() where the signed PKCS7 structure didn't contain any existing data because it was being created. [Po-Cheng Chen , slightly modified by Steve Henson] *) Add a salt to the key derivation routines in enc.c. This forms the first 8 bytes of the encrypted file. Also add a -S option to allow a salt to be input on the command line. [Steve Henson] *) New function X509_cmp(). Oddly enough there wasn't a function to compare two certificates. We do this by working out the SHA1 hash and comparing that. X509_cmp() will be needed by the trust code. [Steve Henson] *) SSL_get1_session() is like SSL_get_session(), but increments the reference count in the SSL_SESSION returned. [Geoff Thorpe ] *) Fix for 'req': it was adding a null to request attributes. Also change the X509_LOOKUP and X509_INFO code to handle certificate auxiliary information. [Steve Henson] *) Add support for 40 and 64 bit RC2 and RC4 algorithms: document the 'enc' command. [Steve Henson] *) Add the possibility to add extra information to the memory leak detecting output, to form tracebacks, showing from where each allocation was originated: CRYPTO_push_info("constant string") adds the string plus current file name and line number to a per-thread stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info() is like calling CYRPTO_pop_info() until the stack is empty. Also updated memory leak detection code to be multi-thread-safe. [Richard Levitte] *) Add options -text and -noout to pkcs7 utility and delete the encryption options which never did anything. Update docs. [Steve Henson] *) Add options to some of the utilities to allow the pass phrase to be included on either the command line (not recommended on OSes like Unix) or read from the environment. Update the manpages and fix a few bugs. [Steve Henson] *) Add a few manpages for some of the openssl commands. [Steve Henson] *) Fix the -revoke option in ca. It was freeing up memory twice, leaking and not finding already revoked certificates. [Steve Henson] *) Extensive changes to support certificate auxiliary information. This involves the use of X509_CERT_AUX structure and X509_AUX functions. An X509_AUX function such as PEM_read_X509_AUX() can still read in a certificate file in the usual way but it will also read in any additional "auxiliary information". By doing things this way a fair degree of compatibility can be retained: existing certificates can have this information added using the new 'x509' options. Current auxiliary information includes an "alias" and some trust settings. The trust settings will ultimately be used in enhanced certificate chain verification routines: currently a certificate can only be trusted if it is self signed and then it is trusted for all purposes. [Steve Henson] *) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD). The problem was that one of the replacement routines had not been working since SSLeay releases. For now the offending routine has been replaced with non-optimised assembler. Even so, this now gives around 95% performance improvement for 1024 bit RSA signs. [Mark Cox] *) Hack to fix PKCS#7 decryption when used with some unorthodox RC2 handling. Most clients have the effective key size in bits equal to the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key. A few however don't do this and instead use the size of the decrypted key to determine the RC2 key length and the AlgorithmIdentifier to determine the effective key length. In this case the effective key length can still be 40 bits but the key length can be 168 bits for example. This is fixed by manually forcing an RC2 key into the EVP_PKEY structure because the EVP code can't currently handle unusual RC2 key sizes: it always assumes the key length and effective key length are equal. [Steve Henson] *) Add a bunch of functions that should simplify the creation of X509_NAME structures. Now you should be able to do: X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0); and have it automatically work out the correct field type and fill in the structures. The more adventurous can try: X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0); and it will (hopefully) work out the correct multibyte encoding. [Steve Henson] *) Change the 'req' utility to use the new field handling and multibyte copy routines. Before the DN field creation was handled in an ad hoc way in req, ca, and x509 which was rather broken and didn't support BMPStrings or UTF8Strings. Since some software doesn't implement BMPStrings or UTF8Strings yet, they can be enabled using the config file using the dirstring_type option. See the new comment in the default openssl.cnf for more info. [Steve Henson] *) Make crypto/rand/md_rand.c more robust: - Assure unique random numbers after fork(). - Make sure that concurrent threads access the global counter and md serializably so that we never lose entropy in them or use exactly the same state in multiple threads. Access to the large state is not always serializable because the additional locking could be a performance killer, and md should be large enough anyway. [Bodo Moeller] *) New file apps/app_rand.c with commonly needed functionality for handling the random seed file. Use the random seed file in some applications that previously did not: ca, dsaparam -genkey (which also ignored its '-rand' option), s_client, s_server, x509 (when signing). Except on systems with /dev/urandom, it is crucial to have a random seed file at least for key creation, DSA signing, and for DH exchanges; for RSA signatures we could do without one. gendh and gendsa (unlike genrsa) used to read only the first byte of each file listed in the '-rand' option. The function as previously found in genrsa is now in app_rand.c and is used by all programs that support '-rand'. [Bodo Moeller] *) In RAND_write_file, use mode 0600 for creating files; don't just chmod when it may be too late. [Bodo Moeller] *) Report an error from X509_STORE_load_locations when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed. [Bill Perry] *) New function ASN1_mbstring_copy() this copies a string in either ASCII, Unicode, Universal (4 bytes per character) or UTF8 format into an ASN1_STRING type. A mask of permissible types is passed and it chooses the "minimal" type to use or an error if not type is suitable. [Steve Henson] *) Add function equivalents to the various macros in asn1.h. The old macros are retained with an M_ prefix. Code inside the library can use the M_ macros. External code (including the openssl utility) should *NOT* in order to be "shared library friendly". [Steve Henson] *) Add various functions that can check a certificate's extensions to see if it usable for various purposes such as SSL client, server or S/MIME and CAs of these types. This is currently VERY EXPERIMENTAL but will ultimately be used for certificate chain verification. Also added a -purpose flag to x509 utility to print out all the purposes. [Steve Henson] *) Add a CRYPTO_EX_DATA to X509 certificate structure and associated functions. [Steve Henson] *) New X509V3_{X509,CRL,REVOKED}_get_d2i() functions. These will search for, obtain and decode and extension and obtain its critical flag. This allows all the necessary extension code to be handled in a single function call. [Steve Henson] *) RC4 tune-up featuring 30-40% performance improvement on most RISC platforms. See crypto/rc4/rc4_enc.c for further details. [Andy Polyakov] *) New -noout option to asn1parse. This causes no output to be produced its main use is when combined with -strparse and -out to extract data from a file (which may not be in ASN.1 format). [Steve Henson] *) Fix for pkcs12 program. It was hashing an invalid certificate pointer when producing the local key id. [Richard Levitte ] *) New option -dhparam in s_server. This allows a DH parameter file to be stated explicitly. If it is not stated then it tries the first server certificate file. The previous behaviour hard coded the filename "server.pem". [Steve Henson] *) Add -pubin and -pubout options to the rsa and dsa commands. These allow a public key to be input or output. For example: openssl rsa -in key.pem -pubout -out pubkey.pem Also added necessary DSA public key functions to handle this. [Steve Henson] *) Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained in the message. This was handled by allowing X509_find_by_issuer_and_serial() to tolerate a NULL passed to it. [Steve Henson, reported by Sampo Kellomaki ] *) Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null to the end of the strings whereas this didn't. This would cause problems if strings read with d2i_ASN1_bytes() were later modified. [Steve Henson, reported by Arne Ansper ] *) Fix for base64 decode bug. When a base64 bio reads only one line of data and it contains EOF it will end up returning an error. This is caused by input 46 bytes long. The cause is due to the way base64 BIOs find the start of base64 encoded data. They do this by trying a trial decode on each line until they find one that works. When they do a flag is set and it starts again knowing it can pass all the data directly through the decoder. Unfortunately it doesn't reset the context it uses. This means that if EOF is reached an attempt is made to pass two EOFs through the context and this causes the resulting error. This can also cause other problems as well. As is usual with these problems it takes *ages* to find and the fix is trivial: move one line. [Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer) ] *) Ugly workaround to get s_client and s_server working under Windows. The old code wouldn't work because it needed to select() on sockets and the tty (for keypresses and to see if data could be written). Win32 only supports select() on sockets so we select() with a 1s timeout on the sockets and then see if any characters are waiting to be read, if none are present then we retry, we also assume we can always write data to the tty. This isn't nice because the code then blocks until we've received a complete line of data and it is effectively polling the keyboard at 1s intervals: however it's quite a bit better than not working at all :-) A dedicated Windows application might handle this with an event loop for example. [Steve Henson] *) Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions will be called when RSA_sign() and RSA_verify() are used. This is useful if rsa_pub_dec() and rsa_priv_enc() equivalents are not available. For this to work properly RSA_public_decrypt() and RSA_private_encrypt() should *not* be used: RSA_sign() and RSA_verify() must be used instead. This necessitated the support of an extra signature type NID_md5_sha1 for SSL signatures and modifications to the SSL library to use it instead of calling RSA_public_decrypt() and RSA_private_encrypt(). [Steve Henson] *) Add new -verify -CAfile and -CApath options to the crl program, these will lookup a CRL issuers certificate and verify the signature in a similar way to the verify program. Tidy up the crl program so it no longer accesses structures directly. Make the ASN1 CRL parsing a bit less strict. It will now permit CRL extensions even if it is not a V2 CRL: this will allow it to tolerate some broken CRLs. [Steve Henson] *) Initialize all non-automatic variables each time one of the openssl sub-programs is started (this is necessary as they may be started multiple times from the "OpenSSL>" prompt). [Lennart Bang, Bodo Moeller] *) Preliminary compilation option RSA_NULL which disables RSA crypto without removing all other RSA functionality (this is what NO_RSA does). This is so (for example) those in the US can disable those operations covered by the RSA patent while allowing storage and parsing of RSA keys and RSA key generation. [Steve Henson] *) Non-copying interface to BIO pairs. (still largely untested) [Bodo Moeller] *) New function ANS1_tag2str() to convert an ASN1 tag to a descriptive ASCII string. This was handled independently in various places before. [Steve Henson] *) New functions UTF8_getc() and UTF8_putc() that parse and generate UTF8 strings a character at a time. [Steve Henson] *) Use client_version from client hello to select the protocol (s23_srvr.c) and for RSA client key exchange verification (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications. [Bodo Moeller] *) Add various utility functions to handle SPKACs, these were previously handled by poking round in the structure internals. Added new function NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to print, verify and generate SPKACs. Based on an original idea from Massimiliano Pala but extensively modified. [Steve Henson] *) RIPEMD160 is operational on all platforms and is back in 'make test'. [Andy Polyakov] *) Allow the config file extension section to be overwritten on the command line. Based on an original idea from Massimiliano Pala . The new option is called -extensions and can be applied to ca, req and x509. Also -reqexts to override the request extensions in req and -crlexts to override the crl extensions in ca. [Steve Henson] *) Add new feature to the SPKAC handling in ca. Now you can include the same field multiple times by preceding it by "XXXX." for example: 1.OU="Unit name 1" 2.OU="Unit name 2" this is the same syntax as used in the req config file. [Steve Henson] *) Allow certificate extensions to be added to certificate requests. These are specified in a 'req_extensions' option of the req section of the config file. They can be printed out with the -text option to req but are otherwise ignored at present. [Steve Henson] *) Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first data read consists of only the final block it would not decrypted because EVP_CipherUpdate() would correctly report zero bytes had been decrypted. A misplaced 'break' also meant the decrypted final block might not be copied until the next read. [Steve Henson] *) Initial support for DH_METHOD. Again based on RSA_METHOD. Also added a few extra parameters to the DH structure: these will be useful if for example we want the value of 'q' or implement X9.42 DH. [Steve Henson] *) Initial support for DSA_METHOD. This is based on the RSA_METHOD and provides hooks that allow the default DSA functions or functions on a "per key" basis to be replaced. This allows hardware acceleration and hardware key storage to be handled without major modification to the library. Also added low level modexp hooks and CRYPTO_EX structure and associated functions. [Steve Henson] *) Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO as "read only": it can't be written to and the buffer it points to will not be freed. Reading from a read only BIO is much more efficient than a normal memory BIO. This was added because there are several times when an area of memory needs to be read from a BIO. The previous method was to create a memory BIO and write the data to it, this results in two copies of the data and an O(n^2) reading algorithm. There is a new function BIO_new_mem_buf() which creates a read only memory BIO from an area of memory. Also modified the PKCS#7 routines to use read only memory BIOs. [Steve Henson] *) Bugfix: ssl23_get_client_hello did not work properly when called in state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read, but a retry condition occured while trying to read the rest. [Bodo Moeller] *) The PKCS7_ENC_CONTENT_new() function was setting the content type as NID_pkcs7_encrypted by default: this was wrong since this should almost always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle the encrypted data type: this is a more sensible place to put it and it allows the PKCS#12 code to be tidied up that duplicated this functionality. [Steve Henson] *) Changed obj_dat.pl script so it takes its input and output files on the command line. This should avoid shell escape redirection problems under Win32. [Steve Henson] *) Initial support for certificate extension requests, these are included in things like Xenroll certificate requests. Included functions to allow extensions to be obtained and added. [Steve Henson] *) -crlf option to s_client and s_server for sending newlines as CRLF (as required by many protocols). [Bodo Moeller] Changes between 0.9.3a and 0.9.4 [09 Aug 1999] *) Install libRSAglue.a when OpenSSL is built with RSAref. [Ralf S. Engelschall] *) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency. [Andrija Antonijevic ] *) Fix -startdate and -enddate (which was missing) arguments to 'ca' program. [Steve Henson] *) New function DSA_dup_DH, which duplicates DSA parameters/keys as DH parameters/keys (q is lost during that conversion, but the resulting DH parameters contain its length). For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is much faster than DH_generate_parameters (which creates parameters where p = 2*q + 1), and also the smaller q makes DH computations much more efficient (160-bit exponentiation instead of 1024-bit exponentiation); so this provides a convenient way to support DHE ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of utter importance to use SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); or SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); when such DH parameters are used, because otherwise small subgroup attacks may become possible! [Bodo Moeller] *) Avoid memory leak in i2d_DHparams. [Bodo Moeller] *) Allow the -k option to be used more than once in the enc program: this allows the same encrypted message to be read by multiple recipients. [Steve Henson] *) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts an ASN1_OBJECT to a text string. If the "no_name" parameter is set then it will always use the numerical form of the OID, even if it has a short or long name. [Steve Henson] *) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp method only got called if p,q,dmp1,dmq1,iqmp components were present, otherwise bn_mod_exp was called. In the case of hardware keys for example no private key components need be present and it might store extra data in the RSA structure, which cannot be accessed from bn_mod_exp. By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for private key operations. [Steve Henson] *) Added support for SPARC Linux. [Andy Polyakov] *) pem_password_cb function type incompatibly changed from typedef int pem_password_cb(char *buf, int size, int rwflag); to ....(char *buf, int size, int rwflag, void *userdata); so that applications can pass data to their callbacks: The PEM[_ASN1]_{read,write}... functions and macros now take an additional void * argument, which is just handed through whenever the password callback is called. [Damien Miller ; tiny changes by Bodo Moeller] New function SSL_CTX_set_default_passwd_cb_userdata. Compatibility note: As many C implementations push function arguments onto the stack in reverse order, the new library version is likely to interoperate with programs that have been compiled with the old pem_password_cb definition (PEM_whatever takes some data that happens to be on the stack as its last argument, and the callback just ignores this garbage); but there is no guarantee whatsoever that this will work. *) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=... (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused problems not only on Windows, but also on some Unix platforms. To avoid problematic command lines, these definitions are now in an auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds). [Bodo Moeller] *) MIPS III/IV assembler module is reimplemented. [Andy Polyakov] *) More DES library cleanups: remove references to srand/rand and delete an unused file. [Ulf Möller] *) Add support for the the free Netwide assembler (NASM) under Win32, since not many people have MASM (ml) and it can be hard to obtain. This is currently experimental but it seems to work OK and pass all the tests. Check out INSTALL.W32 for info. [Steve Henson] *) Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections without temporary keys kept an extra copy of the server key, and connections with temporary keys did not free everything in case of an error. [Bodo Moeller] *) New function RSA_check_key and new openssl rsa option -check for verifying the consistency of RSA keys. [Ulf Moeller, Bodo Moeller] *) Various changes to make Win32 compile work: 1. Casts to avoid "loss of data" warnings in p5_crpt2.c 2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned comparison" warnings. 3. Add sk__sort to DEF file generator and do make update. [Steve Henson] *) Add a debugging option to PKCS#5 v2 key generation function: when you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and derived keys are printed to stderr. [Steve Henson] *) Copy the flags in ASN1_STRING_dup(). [Roman E. Pavlov ] *) The x509 application mishandled signing requests containing DSA keys when the signing key was also DSA and the parameters didn't match. It was supposed to omit the parameters when they matched the signing key: the verifying software was then supposed to automatically use the CA's parameters if they were absent from the end user certificate. Omitting parameters is no longer recommended. The test was also the wrong way round! This was probably due to unusual behaviour in EVP_cmp_parameters() which returns 1 if the parameters match. This meant that parameters were omitted when they *didn't* match and the certificate was useless. Certificates signed with 'ca' didn't have this bug. [Steve Henson, reported by Doug Erickson ] *) Memory leak checking (-DCRYPTO_MDEBUG) had some problems. The interface is as follows: Applications can use CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(), CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop(); "off" is now the default. The library internally uses CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(), CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on() to disable memory-checking temporarily. Some inconsistent states that previously were possible (and were even the default) are now avoided. -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time with each memory chunk allocated; this is occasionally more helpful than just having a counter. -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID. -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future extensions. [Bodo Moeller] *) Introduce "mode" for SSL structures (with defaults in SSL_CTX), which largely parallels "options", but is for changing API behaviour, whereas "options" are about protocol behaviour. Initial "mode" flags are: SSL_MODE_ENABLE_PARTIAL_WRITE Allow SSL_write to report success when a single record has been written. SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER Don't insist that SSL_write retries use the same buffer location. (But all of the contents must be copied!) [Bodo Moeller] *) Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options worked. *) Fix problems with no-hmac etc. [Ulf Möller, pointed out by Brian Wellington ] *) New functions RSA_get_default_method(), RSA_set_method() and RSA_get_method(). These allows replacement of RSA_METHODs without having to mess around with the internals of an RSA structure. [Steve Henson] *) Fix memory leaks in DSA_do_sign and DSA_is_prime. Also really enable memory leak checks in openssl.c and in some test programs. [Chad C. Mulligan, Bodo Moeller] *) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess up the length of negative integers. This has now been simplified to just store the length when it is first determined and use it later, rather than trying to keep track of where data is copied and updating it to point to the end. [Steve Henson, reported by Brien Wheeler ] *) Add a new function PKCS7_signatureVerify. This allows the verification of a PKCS#7 signature but with the signing certificate passed to the function itself. This contrasts with PKCS7_dataVerify which assumes the certificate is present in the PKCS#7 structure. This isn't always the case: certificates can be omitted from a PKCS#7 structure and be distributed by "out of band" means (such as a certificate database). [Steve Henson] *) Complete the PEM_* macros with DECLARE_PEM versions to replace the function prototypes in pem.h, also change util/mkdef.pl to add the necessary function names. [Steve Henson] *) mk1mf.pl (used by Windows builds) did not properly read the options set by Configure in the top level Makefile, and Configure was not even able to write more than one option correctly. Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended. [Bodo Moeller] *) New functions CONF_load_bio() and CONF_load_fp() to allow a config file to be loaded from a BIO or FILE pointer. The BIO version will for example allow memory BIOs to contain config info. [Steve Henson] *) New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS. Whoever hopes to achieve shared-library compatibility across versions must use this, not the compile-time macro. (Exercise 0.9.4: Which is the minimum library version required by such programs?) Note: All this applies only to multi-threaded programs, others don't need locks. [Bodo Moeller] *) Add missing case to s3_clnt.c state machine -- one of the new SSL tests through a BIO pair triggered the default case, i.e. SSLerr(...,SSL_R_UNKNOWN_STATE). [Bodo Moeller] *) New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications can use the SSL library even if none of the specific BIOs is appropriate. [Bodo Moeller] *) Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value for the encoded length. [Jeon KyoungHo ] *) Add initial documentation of the X509V3 functions. [Steve Henson] *) Add a new pair of functions PEM_write_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey() that are equivalent to PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more secure PKCS#8 private key format with a high iteration count. [Steve Henson] *) Fix determination of Perl interpreter: A perl or perl5 _directory_ in $PATH was also accepted as the interpreter. [Ralf S. Engelschall] *) Fix demos/sign/sign.c: well there wasn't anything strictly speaking wrong with it but it was very old and did things like calling PEM_ASN1_read() directly and used MD5 for the hash not to mention some unusual formatting. [Steve Henson] *) Fix demos/selfsign.c: it used obsolete and deleted functions, changed to use the new extension code. [Steve Henson] *) Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c with macros. This should make it easier to change their form, add extra arguments etc. Fix a few PEM prototypes which didn't have cipher as a constant. [Steve Henson] *) Add to configuration table a new entry that can specify an alternative name for unistd.h (for pre-POSIX systems); we need this for NeXTstep, according to Mark Crispin . [Bodo Moeller] #if 0 *) DES CBC did not update the IV. Weird. [Ben Laurie] #else des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does. Changing the behaviour of the former might break existing programs -- where IV updating is needed, des_ncbc_encrypt can be used. #endif *) When bntest is run from "make test" it drives bc to check its calculations, as well as internally checking them. If an internal check fails, it needs to cause bc to give a non-zero result or make test carries on without noticing the failure. Fixed. [Ben Laurie] *) DES library cleanups. [Ulf Möller] *) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit ciphers. NOTE: although the key derivation function has been verified against some published test vectors it has not been extensively tested yet. Added a -v2 "cipher" option to pkcs8 application to allow the use of v2.0. [Steve Henson] *) Instead of "mkdir -p", which is not fully portable, use new Perl script "util/mkdir-p.pl". [Bodo Moeller] *) Rewrite the way password based encryption (PBE) is handled. It used to assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms but doesn't apply to PKCS#5 v2.0 where it can be something else. Now the 'parameter' field of the AlgorithmIdentifier is passed to the underlying key generation function so it must do its own ASN1 parsing. This has also changed the EVP_PBE_CipherInit() function which now has a 'parameter' argument instead of literal salt and iteration count values and the function EVP_PBE_ALGOR_CipherInit() has been deleted. [Steve Henson] *) Support for PKCS#5 v1.5 compatible password based encryption algorithms and PKCS#8 functionality. New 'pkcs8' application linked to openssl. Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE KEY" because this clashed with PKCS#8 unencrypted string. Since this value was just used as a "magic string" and not used directly its value doesn't matter. [Steve Henson] *) Introduce some semblance of const correctness to BN. Shame C doesn't support mutable. [Ben Laurie] *) "linux-sparc64" configuration (ultrapenguin). [Ray Miller ] "linux-sparc" configuration. [Christian Forster ] *) config now generates no-xxx options for missing ciphers. [Ulf Möller] *) Support the EBCDIC character set (work in progress). File ebcdic.c not yet included because it has a different license. [Martin Kraemer ] *) Support BS2000/OSD-POSIX. [Martin Kraemer ] *) Make callbacks for key generation use void * instead of char *. [Ben Laurie] *) Make S/MIME samples compile (not yet tested). [Ben Laurie] *) Additional typesafe stacks. [Ben Laurie] *) New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x). [Bodo Moeller] Changes between 0.9.3 and 0.9.3a [29 May 1999] *) New configuration variant "sco5-gcc". *) Updated some demos. [Sean O Riordain, Wade Scholine] *) Add missing BIO_free at exit of pkcs12 application. [Wu Zhigang] *) Fix memory leak in conf.c. [Steve Henson] *) Updates for Win32 to assembler version of MD5. [Steve Henson] *) Set #! path to perl in apps/der_chop to where we found it instead of using a fixed path. [Bodo Moeller] *) SHA library changes for irix64-mips4-cc. [Andy Polyakov] *) Improvements for VMS support. [Richard Levitte] Changes between 0.9.2b and 0.9.3 [24 May 1999] *) Bignum library bug fix. IRIX 6 passes "make test" now! This also avoids the problems with SC4.2 and unpatched SC5. [Andy Polyakov ] *) New functions sk_num, sk_value and sk_set to replace the previous macros. These are required because of the typesafe stack would otherwise break existing code. If old code used a structure member which used to be STACK and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with sk_num or sk_value it would produce an error because the num, data members are not present in STACK_OF. Now it just produces a warning. sk_set replaces the old method of assigning a value to sk_value (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code that does this will no longer work (and should use sk_set instead) but this could be regarded as a "questionable" behaviour anyway. [Steve Henson] *) Fix most of the other PKCS#7 bugs. The "experimental" code can now correctly handle encrypted S/MIME data. [Steve Henson] *) Change type of various DES function arguments from des_cblock (which means, in function argument declarations, pointer to char) to des_cblock * (meaning pointer to array with 8 char elements), which allows the compiler to do more typechecking; it was like that back in SSLeay, but with lots of ugly casts. Introduce new type const_des_cblock. [Bodo Moeller] *) Reorganise the PKCS#7 library and get rid of some of the more obvious problems: find RecipientInfo structure that matches recipient certificate and initialise the ASN1 structures properly based on passed cipher. [Steve Henson] *) Belatedly make the BN tests actually check the results. [Ben Laurie] *) Fix the encoding and decoding of negative ASN1 INTEGERS and conversion to and from BNs: it was completely broken. New compilation option NEG_PUBKEY_BUG to allow for some broken certificates that encode public key elements as negative integers. [Steve Henson] *) Reorganize and speed up MD5. [Andy Polyakov ] *) VMS support. [Richard Levitte ] *) New option -out to asn1parse to allow the parsed structure to be output to a file. This is most useful when combined with the -strparse option to examine the output of things like OCTET STRINGS. [Steve Henson] *) Make SSL library a little more fool-proof by not requiring any longer that SSL_set_{accept,connect}_state be called before SSL_{accept,connect} may be used (SSL_set_..._state is omitted in many applications because usually everything *appeared* to work as intended anyway -- now it really works as intended). [Bodo Moeller] *) Move openssl.cnf out of lib/. [Ulf Möller] *) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+ [Ralf S. Engelschall] *) Various fixes to the EVP and PKCS#7 code. It may now be able to handle PKCS#7 enveloped data properly. [Sebastian Akerman , modified by Steve] *) Create a duplicate of the SSL_CTX's CERT in SSL_new instead of copying pointers. The cert_st handling is changed by this in various ways (and thus what used to be known as ctx->default_cert is now called ctx->cert, since we don't resort to s->ctx->[default_]cert any longer when s->cert does not give us what we need). ssl_cert_instantiate becomes obsolete by this change. As soon as we've got the new code right (possibly it already is?), we have solved a couple of bugs of the earlier code where s->cert was used as if it could not have been shared with other SSL structures. Note that using the SSL API in certain dirty ways now will result in different behaviour than observed with earlier library versions: Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx) does not influence s as it used to. In order to clean up things more thoroughly, inside SSL_SESSION we don't use CERT any longer, but a new structure SESS_CERT that holds per-session data (if available); currently, this is the peer's certificate chain and, for clients, the server's certificate and temporary key. CERT holds only those values that can have meaningful defaults in an SSL_CTX. [Bodo Moeller] *) New function X509V3_EXT_i2d() to create an X509_EXTENSION structure from the internal representation. Various PKCS#7 fixes: remove some evil casts and set the enc_dig_alg field properly based on the signing key type. [Steve Henson] *) Allow PKCS#12 password to be set from the command line or the environment. Let 'ca' get its config file name from the environment variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req' and 'x509'). [Steve Henson] *) Allow certificate policies extension to use an IA5STRING for the organization field. This is contrary to the PKIX definition but VeriSign uses it and IE5 only recognises this form. Document 'x509' extension option. [Steve Henson] *) Add PEDANTIC compiler flag to allow compilation with gcc -pedantic, without disallowing inline assembler and the like for non-pedantic builds. [Ben Laurie] *) Support Borland C++ builder. [Janez Jere , modified by Ulf Möller] *) Support Mingw32. [Ulf Möller] *) SHA-1 cleanups and performance enhancements. [Andy Polyakov ] *) Sparc v8plus assembler for the bignum library. [Andy Polyakov ] *) Accept any -xxx and +xxx compiler options in Configure. [Ulf Möller] *) Update HPUX configuration. [Anonymous] *) Add missing sk__unshift() function to safestack.h [Ralf S. Engelschall] *) New function SSL_CTX_use_certificate_chain_file that sets the "extra_cert"s in addition to the certificate. (This makes sense only for "PEM" format files, as chains as a whole are not DER-encoded.) [Bodo Moeller] *) Support verify_depth from the SSL API. x509_vfy.c had what can be considered an off-by-one-error: Its depth (which was not part of the external interface) was actually counting the number of certificates in a chain; now it really counts the depth. [Bodo Moeller] *) Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used instead of X509err, which often resulted in confusing error messages since the error codes are not globally unique (e.g. an alleged error in ssl3_accept when a certificate didn't match the private key). *) New function SSL_CTX_set_session_id_context that allows to set a default value (so that you don't need SSL_set_session_id_context for each connection using the SSL_CTX). [Bodo Moeller] *) OAEP decoding bug fix. [Ulf Möller] *) Support INSTALL_PREFIX for package builders, as proposed by David Harris. [Bodo Moeller] *) New Configure options "threads" and "no-threads". For systems where the proper compiler options are known (currently Solaris and Linux), "threads" is the default. [Bodo Moeller] *) New script util/mklink.pl as a faster substitute for util/mklink.sh. [Bodo Moeller] *) Install various scripts to $(OPENSSLDIR)/misc, not to $(INSTALLTOP)/bin -- they shouldn't clutter directories such as /usr/local/bin. [Bodo Moeller] *) "make linux-shared" to build shared libraries. [Niels Poppe ] *) New Configure option no- (rsa, idea, rc5, ...). [Ulf Möller] *) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for extension adding in x509 utility. [Steve Henson] *) Remove NOPROTO sections and error code comments. [Ulf Möller] *) Partial rewrite of the DEF file generator to now parse the ANSI prototypes. [Steve Henson] *) New Configure options --prefix=DIR and --openssldir=DIR. [Ulf Möller] *) Complete rewrite of the error code script(s). It is all now handled by one script at the top level which handles error code gathering, header rewriting and C source file generation. It should be much better than the old method: it now uses a modified version of Ulf's parser to read the ANSI prototypes in all header files (thus the old K&R definitions aren't needed for error creation any more) and do a better job of translating function codes into names. The old 'ASN1 error code imbedded in a comment' is no longer necessary and it doesn't use .err files which have now been deleted. Also the error code call doesn't have to appear all on one line (which resulted in some large lines...). [Steve Henson] *) Change #include filenames from to . [Bodo Moeller] *) Change behaviour of ssl2_read when facing length-0 packets: Don't return 0 (which usually indicates a closed connection), but continue reading. [Bodo Moeller] *) Fix some race conditions. [Bodo Moeller] *) Add support for CRL distribution points extension. Add Certificate Policies and CRL distribution points documentation. [Steve Henson] *) Move the autogenerated header file parts to crypto/opensslconf.h. [Ulf Möller] *) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of 8 of keying material. Merlin has also confirmed interop with this fix between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0. [Merlin Hughes ] *) Fix lots of warnings. [Richard Levitte ] *) In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if the directory spec didn't end with a LIST_SEPARATOR_CHAR. [Richard Levitte ] *) Fix problems with sizeof(long) == 8. [Andy Polyakov ] *) Change functions to ANSI C. [Ulf Möller] *) Fix typos in error codes. [Martin Kraemer , Ulf Möller] *) Remove defunct assembler files from Configure. [Ulf Möller] *) SPARC v8 assembler BIGNUM implementation. [Andy Polyakov ] *) Support for Certificate Policies extension: both print and set. Various additions to support the r2i method this uses. [Steve Henson] *) A lot of constification, and fix a bug in X509_NAME_oneline() that could return a const string when you are expecting an allocated buffer. [Ben Laurie] *) Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE types DirectoryString and DisplayText. [Steve Henson] *) Add code to allow r2i extensions to access the configuration database, add an LHASH database driver and add several ctx helper functions. [Steve Henson] *) Fix an evil bug in bn_expand2() which caused various BN functions to fail when they extended the size of a BIGNUM. [Steve Henson] *) Various utility functions to handle SXNet extension. Modify mkdef.pl to support typesafe stack. [Steve Henson] *) Fix typo in SSL_[gs]et_options(). [Nils Frostberg ] *) Delete various functions and files that belonged to the (now obsolete) old X509V3 handling code. [Steve Henson] *) New Configure option "rsaref". [Ulf Möller] *) Don't auto-generate pem.h. [Bodo Moeller] *) Introduce type-safe ASN.1 SETs. [Ben Laurie] *) Convert various additional casted stacks to type-safe STACK_OF() variants. [Ben Laurie, Ralf S. Engelschall, Steve Henson] *) Introduce type-safe STACKs. This will almost certainly break lots of code that links with OpenSSL (well at least cause lots of warnings), but fear not: the conversion is trivial, and it eliminates loads of evil casts. A few STACKed things have been converted already. Feel free to convert more. In the fullness of time, I'll do away with the STACK type altogether. [Ben Laurie] *) Add `openssl ca -revoke ' facility which revokes a certificate specified in by updating the entry in the index.txt file. This way one no longer has to edit the index.txt file manually for revoking a certificate. The -revoke option does the gory details now. [Massimiliano Pala , Ralf S. Engelschall] *) Fix `openssl crl -noout -text' combination where `-noout' killed the `-text' option at all and this way the `-noout -text' combination was inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'. [Ralf S. Engelschall] *) Make sure a corresponding plain text error message exists for the X509_V_ERR_CERT_REVOKED/23 error number which can occur when a verify callback function determined that a certificate was revoked. [Ralf S. Engelschall] *) Bugfix: In test/testenc, don't test "openssl " for ciphers that were excluded, e.g. by -DNO_IDEA. Also, test all available cipers including rc5, which was forgotten until now. In order to let the testing shell script know which algorithms are available, a new (up to now undocumented) command "openssl list-cipher-commands" is used. [Bodo Moeller] *) Bugfix: s_client occasionally would sleep in select() when it should have checked SSL_pending() first. [Bodo Moeller] *) New functions DSA_do_sign and DSA_do_verify to provide access to the raw DSA values prior to ASN.1 encoding. [Ulf Möller] *) Tweaks to Configure [Niels Poppe ] *) Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support, yet... [Steve Henson] *) New variables $(RANLIB) and $(PERL) in the Makefiles. [Ulf Möller] *) New config option to avoid instructions that are illegal on the 80386. The default code is faster, but requires at least a 486. [Ulf Möller] *) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and SSL2_SERVER_VERSION (not used at all) macros, which are now the same as SSL2_VERSION anyway. [Bodo Moeller] *) New "-showcerts" option for s_client. [Bodo Moeller] *) Still more PKCS#12 integration. Add pkcs12 application to openssl application. Various cleanups and fixes. [Steve Henson] *) More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and modify error routines to work internally. Add error codes and PBE init to library startup routines. [Steve Henson] *) Further PKCS#12 integration. Added password based encryption, PKCS#8 and packing functions to asn1 and evp. Changed function names and error codes along the way. [Steve Henson] *) PKCS12 integration: and so it begins... First of several patches to slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12 objects to objects.h [Steve Henson] *) Add a new 'indent' option to some X509V3 extension code. Initial ASN1 and display support for Thawte strong extranet extension. [Steve Henson] *) Add LinuxPPC support. [Jeff Dubrule ] *) Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to bn_div_words in alpha.s. [Hannes Reinecke and Ben Laurie] *) Make sure the RSA OAEP test is skipped under -DRSAref because OAEP isn't supported when OpenSSL is built with RSAref. [Ulf Moeller ] *) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h so they no longer are missing under -DNOPROTO. [Soren S. Jorvang ] Changes between 0.9.1c and 0.9.2b [22 Mar 1999] *) Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still doesn't work when the session is reused. Coming soon! [Ben Laurie] *) Fix a security hole, that allows sessions to be reused in the wrong context thus bypassing client cert protection! All software that uses client certs and session caches in multiple contexts NEEDS PATCHING to allow session reuse! A fuller solution is in the works. [Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)] *) Some more source tree cleanups (removed obsolete files crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed permission on "config" script to be executable) and a fix for the INSTALL document. [Ulf Moeller ] *) Remove some legacy and erroneous uses of malloc, free instead of Malloc, Free. [Lennart Bang , with minor changes by Steve] *) Make rsa_oaep_test return non-zero on error. [Ulf Moeller ] *) Add support for native Solaris shared libraries. Configure solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice if someone would make that last step automatic. [Matthias Loepfe ] *) ctx_size was not built with the right compiler during "make links". Fixed. [Ben Laurie] *) Change the meaning of 'ALL' in the cipher list. It now means "everything except NULL ciphers". This means the default cipher list will no longer enable NULL ciphers. They need to be specifically enabled e.g. with the string "DEFAULT:eNULL". [Steve Henson] *) Fix to RSA private encryption routines: if p < q then it would occasionally produce an invalid result. This will only happen with externally generated keys because OpenSSL (and SSLeay) ensure p > q. [Steve Henson] *) Be less restrictive and allow also `perl util/perlpath.pl /path/to/bin/perl' in addition to `perl util/perlpath.pl /path/to/bin', because this way one can also use an interpreter named `perl5' (which is usually the name of Perl 5.xxx on platforms where an Perl 4.x is still installed as `perl'). [Matthias Loepfe ] *) Let util/clean-depend.pl work also with older Perl 5.00x versions. [Matthias Loepfe ] *) Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add advapi32.lib to Win32 build and change the pem test comparision to fc.exe (thanks to Ulrich Kroener for the suggestion). Fix misplaced ASNI prototypes and declarations in evp.h and crypto/des/ede_cbcm_enc.c. [Steve Henson] *) DES quad checksum was broken on big-endian architectures. Fixed. [Ben Laurie] *) Comment out two functions in bio.h that aren't implemented. Fix up the Win32 test batch file so it (might) work again. The Win32 test batch file is horrible: I feel ill.... [Steve Henson] *) Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected in e_os.h. Audit of header files to check ANSI and non ANSI sections: 10 functions were absent from non ANSI section and not exported from Windows DLLs. Fixed up libeay.num for new functions. [Steve Henson] *) Make `openssl version' output lines consistent. [Ralf S. Engelschall] *) Fix Win32 symbol export lists for BIO functions: Added BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data to ms/libeay{16,32}.def. [Ralf S. Engelschall] *) Second round of fixing the OpenSSL perl/ stuff. It now at least compiled fine under Unix and passes some trivial tests I've now added. But the whole stuff is horribly incomplete, so a README.1ST with a disclaimer was added to make sure no one expects that this stuff really works in the OpenSSL 0.9.2 release. Additionally I've started to clean the XS sources up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and openssl_bio.xs. [Ralf S. Engelschall] *) Fix the generation of two part addresses in perl. [Kenji Miyake , integrated by Ben Laurie] *) Add config entry for Linux on MIPS. [John Tobey ] *) Make links whenever Configure is run, unless we are on Windoze. [Ben Laurie] *) Permit extensions to be added to CRLs using crl_section in openssl.cnf. Currently only issuerAltName and AuthorityKeyIdentifier make any sense in CRLs. [Steve Henson] *) Add a useful kludge to allow package maintainers to specify compiler and other platforms details on the command line without having to patch the Configure script everytime: One now can use ``perl Configure :
'', i.e. platform ids are allowed to have details appended to them (seperated by colons). This is treated as there would be a static pre-configured entry in Configure's %table under key with value
and ``perl Configure '' is called. So, when you want to perform a quick test-compile under FreeBSD 3.1 with pgcc and without assembler stuff you can use ``perl Configure "FreeBSD-elf:pgcc:-O6:::"'' now, which overrides the FreeBSD-elf entry on-the-fly. [Ralf S. Engelschall] *) Disable new TLS1 ciphersuites by default: they aren't official yet. [Ben Laurie] *) Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified on the `perl Configure ...' command line. This way one can compile OpenSSL libraries with Position Independent Code (PIC) which is needed for linking it into DSOs. [Ralf S. Engelschall] *) Remarkably, export ciphers were totally broken and no-one had noticed! Fixed. [Ben Laurie] *) Cleaned up the LICENSE document: The official contact for any license questions now is the OpenSSL core team under openssl-core@openssl.org. And add a paragraph about the dual-license situation to make sure people recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply to the OpenSSL toolkit. [Ralf S. Engelschall] *) General source tree makefile cleanups: Made `making xxx in yyy...' display consistent in the source tree and replaced `/bin/rm' by `rm'. Additonally cleaned up the `make links' target: Remove unnecessary semicolons, subsequent redundant removes, inline point.sh into mklink.sh to speed processing and no longer clutter the display with confusing stuff. Instead only the actually done links are displayed. [Ralf S. Engelschall] *) Permit null encryption ciphersuites, used for authentication only. It used to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this. It is now necessary to set SSL_FORBID_ENULL to prevent the use of null encryption. [Ben Laurie] *) Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder signed attributes when verifying signatures (this would break them), the detached data encoding was wrong and public keys obtained using X509_get_pubkey() weren't freed. [Steve Henson] *) Add text documentation for the BUFFER functions. Also added a work around to a Win95 console bug. This was triggered by the password read stuff: the last character typed gets carried over to the next fread(). If you were generating a new cert request using 'req' for example then the last character of the passphrase would be CR which would then enter the first field as blank. [Steve Henson] *) Added the new `Includes OpenSSL Cryptography Software' button as doc/openssl_button.{gif,html} which is similar in style to the old SSLeay button and can be used by applications based on OpenSSL to show the relationship to the OpenSSL project. [Ralf S. Engelschall] *) Remove confusing variables in function signatures in files ssl/ssl_lib.c and ssl/ssl.h. [Lennart Bong ] *) Don't install bss_file.c under PREFIX/include/ [Lennart Bong ] *) Get the Win32 compile working again. Modify mkdef.pl so it can handle functions that return function pointers and has support for NT specific stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various #ifdef WIN32 and WINNTs sprinkled about the place and some changes from unsigned to signed types: this was killing the Win32 compile. [Steve Henson] *) Add new certificate file to stack functions, SSL_add_dir_cert_subjects_to_stack() and SSL_add_file_cert_subjects_to_stack(). These largely supplant SSL_load_client_CA_file(), and can be used to add multiple certs easily to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()). This means that Apache-SSL and similar packages don't have to mess around to add as many CAs as they want to the preferred list. [Ben Laurie] *) Experiment with doxygen documentation. Currently only partially applied to ssl/ssl_lib.c. See http://www.stack.nl/~dimitri/doxygen/index.html, and run doxygen with openssl.doxy as the configuration file. [Ben Laurie] *) Get rid of remaining C++-style comments which strict C compilers hate. [Ralf S. Engelschall, pointed out by Carlos Amengual] *) Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not compiled in by default: it has problems with large keys. [Steve Henson] *) Add a bunch of SSL_xxx() functions for configuring the temporary RSA and DH private keys and/or callback functions which directly correspond to their SSL_CTX_xxx() counterparts but work on a per-connection basis. This is needed for applications which have to configure certificates on a per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis (e.g. s_server). For the RSA certificate situation is makes no difference, but for the DSA certificate situation this fixes the "no shared cipher" problem where the OpenSSL cipher selection procedure failed because the temporary keys were not overtaken from the context and the API provided no way to reconfigure them. The new functions now let applications reconfigure the stuff and they are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh, SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new non-public-API function ssl_cert_instantiate() is used as a helper function and also to reduce code redundancy inside ssl_rsa.c. [Ralf S. Engelschall] *) Move s_server -dcert and -dkey options out of the undocumented feature area because they are useful for the DSA situation and should be recognized by the users. [Ralf S. Engelschall] *) Fix the cipher decision scheme for export ciphers: the export bits are *not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within SSL_EXP_MASK. So, the original variable has to be used instead of the already masked variable. [Richard Levitte ] *) Fix 'port' variable from `int' to `unsigned int' in crypto/bio/b_sock.c [Richard Levitte ] *) Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal() from `int' to `unsigned int' because it's a length and initialized by EVP_DigestFinal() which expects an `unsigned int *'. [Richard Levitte ] *) Don't hard-code path to Perl interpreter on shebang line of Configure script. Instead use the usual Shell->Perl transition trick. [Ralf S. Engelschall] *) Make `openssl x509 -noout -modulus' functional also for DSA certificates (in addition to RSA certificates) to match the behaviour of `openssl dsa -noout -modulus' as it's already the case for `openssl rsa -noout -modulus'. For RSA the -modulus is the real "modulus" while for DSA currently the public key is printed (a decision which was already done by `openssl dsa -modulus' in the past) which serves a similar purpose. Additionally the NO_RSA no longer completely removes the whole -modulus option; it now only avoids using the RSA stuff. Same applies to NO_DSA now, too. [Ralf S. Engelschall] *) Add Arne Ansper's reliable BIO - this is an encrypted, block-digested BIO. See the source (crypto/evp/bio_ok.c) for more info. [Arne Ansper ] *) Dump the old yucky req code that tried (and failed) to allow raw OIDs to be added. Now both 'req' and 'ca' can use new objects defined in the config file. [Steve Henson] *) Add cool BIO that does syslog (or event log on NT). [Arne Ansper , integrated by Ben Laurie] *) Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5, TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt. [Ben Laurie] *) Add preliminary config info for new extension code. [Steve Henson] *) Make RSA_NO_PADDING really use no padding. [Ulf Moeller ] *) Generate errors when private/public key check is done. [Ben Laurie] *) Overhaul for 'crl' utility. New function X509_CRL_print. Partial support for some CRL extensions and new objects added. [Steve Henson] *) Really fix the ASN1 IMPLICIT bug this time... Partial support for private key usage extension and fuller support for authority key id. [Steve Henson] *) Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved padding method for RSA, which is recommended for new applications in PKCS #1 v2.0 (RFC 2437, October 1998). OAEP (Optimal Asymmetric Encryption Padding) has better theoretical foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure against Bleichbacher's attack on RSA. [Ulf Moeller , reformatted, corrected and integrated by Ben Laurie] *) Updates to the new SSL compression code [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] *) Fix so that the version number in the master secret, when passed via RSA, checks that if TLS was proposed, but we roll back to SSLv3 (because the server will not accept higher), that the version number is 0x03,0x01, not 0x03,0x00 [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] *) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes in apps/ and an unrelated leak in crypto/dsa/dsa_vrf.c [Steve Henson] *) Support for RAW extensions where an arbitrary extension can be created by including its DER encoding. See apps/openssl.cnf for an example. [Steve Henson] *) Make sure latest Perl versions don't interpret some generated C array code as Perl array code in the crypto/err/err_genc.pl script. [Lars Weber <3weber@informatik.uni-hamburg.de>] *) Modify ms/do_ms.bat to not generate assembly language makefiles since not many people have the assembler. Various Win32 compilation fixes and update to the INSTALL.W32 file with (hopefully) more accurate Win32 build instructions. [Steve Henson] *) Modify configure script 'Configure' to automatically create crypto/date.h file under Win32 and also build pem.h from pem.org. New script util/mkfiles.pl to create the MINFO file on environments that can't do a 'make files': perl util/mkfiles.pl >MINFO should work. [Steve Henson] *) Major rework of DES function declarations, in the pursuit of correctness and purity. As a result, many evil casts evaporated, and some weirdness, too. You may find this causes warnings in your code. Zapping your evil casts will probably fix them. Mostly. [Ben Laurie] *) Fix for a typo in asn1.h. Bug fix to object creation script obj_dat.pl. It considered a zero in an object definition to mean "end of object": none of the objects in objects.h have any zeros so it wasn't spotted. [Steve Henson, reported by Erwann ABALEA ] *) Add support for Triple DES Cipher Block Chaining with Output Feedback Masking (CBCM). In the absence of test vectors, the best I have been able to do is check that the decrypt undoes the encrypt, so far. Send me test vectors if you have them. [Ben Laurie] *) Correct calculation of key length for export ciphers (too much space was allocated for null ciphers). This has not been tested! [Ben Laurie] *) Modifications to the mkdef.pl for Win32 DEF file creation. The usage message is now correct (it understands "crypto" and "ssl" on its command line). There is also now an "update" option. This will update the util/ssleay.num and util/libeay.num files with any new functions. If you do a: perl util/mkdef.pl crypto ssl update it will update them. [Steve Henson] *) Overhauled the Perl interface (perl/*): - ported BN stuff to OpenSSL's different BN library - made the perl/ source tree CVS-aware - renamed the package from SSLeay to OpenSSL (the files still contain their history because I've copied them in the repository) - removed obsolete files (the test scripts will be replaced by better Test::Harness variants in the future) [Ralf S. Engelschall] *) First cut for a very conservative source tree cleanup: 1. merge various obsolete readme texts into doc/ssleay.txt where we collect the old documents and readme texts. 2. remove the first part of files where I'm already sure that we no longer need them because of three reasons: either they are just temporary files which were left by Eric or they are preserved original files where I've verified that the diff is also available in the CVS via "cvs diff -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for the crypto/md/ stuff). [Ralf S. Engelschall] *) More extension code. Incomplete support for subject and issuer alt name, issuer and authority key id. Change the i2v function parameters and add an extra 'crl' parameter in the X509V3_CTX structure: guess what that's for :-) Fix to ASN1 macro which messed up IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED. [Steve Henson] *) Preliminary support for ENUMERATED type. This is largely copied from the INTEGER code. [Steve Henson] *) Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy. [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] *) Make sure `make rehash' target really finds the `openssl' program. [Ralf S. Engelschall, Matthias Loepfe ] *) Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd like to hear about it if this slows down other processors. [Ben Laurie] *) Add CygWin32 platform information to Configure script. [Alan Batie ] *) Fixed ms/32all.bat script: `no_asm' -> `no-asm' [Rainer W. Gerling ] *) New program nseq to manipulate netscape certificate sequences [Steve Henson] *) Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a few typos. [Steve Henson] *) Fixes to BN code. Previously the default was to define BN_RECURSION but the BN code had some problems that would cause failures when doing certificate verification and some other functions. [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] *) Add ASN1 and PEM code to support netscape certificate sequences. [Steve Henson] *) Add ASN1 and PEM code to support netscape certificate sequences. [Steve Henson] *) Add several PKIX and private extended key usage OIDs. [Steve Henson] *) Modify the 'ca' program to handle the new extension code. Modify openssl.cnf for new extension format, add comments. [Steve Henson] *) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req' and add a sample to openssl.cnf so req -x509 now adds appropriate CA extensions. [Steve Henson] *) Continued X509 V3 changes. Add to other makefiles, integrate with the error code, add initial support to X509_print() and x509 application. [Steve Henson] *) Takes a deep breath and start addding X509 V3 extension support code. Add files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this stuff is currently isolated and isn't even compiled yet. [Steve Henson] *) Continuing patches for GeneralizedTime. Fix up certificate and CRL ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print. Removed the versions check from X509 routines when loading extensions: this allows certain broken certificates that don't set the version properly to be processed. [Steve Henson] *) Deal with irritating shit to do with dependencies, in YAAHW (Yet Another Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which can still be regenerated with "make depend". [Ben Laurie] *) Spelling mistake in C version of CAST-128. [Ben Laurie, reported by Jeremy Hylton ] *) Changes to the error generation code. The perl script err-code.pl now reads in the old error codes and retains the old numbers, only adding new ones if necessary. It also only changes the .err files if new codes are added. The makefiles have been modified to only insert errors when needed (to avoid needlessly modifying header files). This is done by only inserting errors if the .err file is newer than the auto generated C file. To rebuild all the error codes from scratch (the old behaviour) either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl or delete all the .err files. [Steve Henson] *) CAST-128 was incorrectly implemented for short keys. The C version has been fixed, but is untested. The assembler versions are also fixed, but new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing to regenerate it if needed. [Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun Hagino ] *) File was opened incorrectly in randfile.c. [Ulf Möller ] *) Beginning of support for GeneralizedTime. d2i, i2d, check and print functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or GeneralizedTime. ASN1_TIME is the proper type used in certificates et al: it's just almost always a UTCTime. Note this patch adds new error codes so do a "make errors" if there are problems. [Steve Henson] *) Correct Linux 1 recognition in config. [Ulf Möller ] *) Remove pointless MD5 hash when using DSA keys in ca. [Anonymous ] *) Generate an error if given an empty string as a cert directory. Also generate an error if handed NULL (previously returned 0 to indicate an error, but didn't set one). [Ben Laurie, reported by Anonymous ] *) Add prototypes to SSL methods. Make SSL_write's buffer const, at last. [Ben Laurie] *) Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct parameters. This was causing a warning which killed off the Win32 compile. [Steve Henson] *) Remove C++ style comments from crypto/bn/bn_local.h. [Neil Costigan ] *) The function OBJ_txt2nid was broken. It was supposed to return a nid based on a text string, looking up short and long names and finally "dot" format. The "dot" format stuff didn't work. Added new function OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the OID is not part of the table. [Steve Henson] *) Add prototypes to X509 lookup/verify methods, fixing a bug in X509_LOOKUP_by_alias(). [Ben Laurie] *) Sort openssl functions by name. [Ben Laurie] *) Get the gendsa program working (hopefully) and add it to app list. Remove encryption from sample DSA keys (in case anyone is interested the password was "1234"). [Steve Henson] *) Make _all_ *_free functions accept a NULL pointer. [Frans Heymans ] *) If a DH key is generated in s3_srvr.c, don't blow it by trying to use NULL pointers. [Anonymous ] *) s_server should send the CAfile as acceptable CAs, not its own cert. [Bodo Moeller <3moeller@informatik.uni-hamburg.de>] *) Don't blow it for numeric -newkey arguments to apps/req. [Bodo Moeller <3moeller@informatik.uni-hamburg.de>] *) Temp key "for export" tests were wrong in s3_srvr.c. [Anonymous ] *) Add prototype for temp key callback functions SSL_CTX_set_tmp_{rsa,dh}_callback(). [Ben Laurie] *) Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey(). [Steve Henson] *) X509_name_add_entry() freed the wrong thing after an error. [Arne Ansper ] *) rsa_eay.c would attempt to free a NULL context. [Arne Ansper ] *) BIO_s_socket() had a broken should_retry() on Windoze. [Arne Ansper ] *) BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH. [Arne Ansper ] *) Make sure the already existing X509_STORE->depth variable is initialized in X509_STORE_new(), but document the fact that this variable is still unused in the certificate verification process. [Ralf S. Engelschall] *) Fix the various library and apps files to free up pkeys obtained from X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions. [Steve Henson] *) Fix reference counting in X509_PUBKEY_get(). This makes demos/maurice/example2.c work, amongst others, probably. [Steve Henson and Ben Laurie] *) First cut of a cleanup for apps/. First the `ssleay' program is now named `openssl' and second, the shortcut symlinks for the `openssl ' are no longer created. This way we have a single and consistent command line interface `openssl ', similar to `cvs '. [Ralf S. Engelschall, Paul Sutton and Ben Laurie] *) ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey BIT STRING wrapper always have zero unused bits. [Steve Henson] *) Add CA.pl, perl version of CA.sh, add extended key usage OID. [Steve Henson] *) Make the top-level INSTALL documentation easier to understand. [Paul Sutton] *) Makefiles updated to exit if an error occurs in a sub-directory make (including if user presses ^C) [Paul Sutton] *) Make Montgomery context stuff explicit in RSA data structure. [Ben Laurie] *) Fix build order of pem and err to allow for generated pem.h. [Ben Laurie] *) Fix renumbering bug in X509_NAME_delete_entry(). [Ben Laurie] *) Enhanced the err-ins.pl script so it makes the error library number global and can add a library name. This is needed for external ASN1 and other error libraries. [Steve Henson] *) Fixed sk_insert which never worked properly. [Steve Henson] *) Fix ASN1 macros so they can handle indefinite length construted EXPLICIT tags. Some non standard certificates use these: they can now be read in. [Steve Henson] *) Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc) into a single doc/ssleay.txt bundle. This way the information is still preserved but no longer messes up this directory. Now it's new room for the new set of documenation files. [Ralf S. Engelschall] *) SETs were incorrectly DER encoded. This was a major pain, because they shared code with SEQUENCEs, which aren't coded the same. This means that almost everything to do with SETs or SEQUENCEs has either changed name or number of arguments. [Ben Laurie, based on a partial fix by GP Jayan ] *) Fix test data to work with the above. [Ben Laurie] *) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but was already fixed by Eric for 0.9.1 it seems. [Ben Laurie - pointed out by Ulf Möller ] *) Autodetect FreeBSD3. [Ben Laurie] *) Fix various bugs in Configure. This affects the following platforms: nextstep ncr-scde unixware-2.0 unixware-2.0-pentium sco5-cc. [Ben Laurie] *) Eliminate generated files from CVS. Reorder tests to regenerate files before they are needed. [Ben Laurie] *) Generate Makefile.ssl from Makefile.org (to keep CVS happy). [Ben Laurie] Changes between 0.9.1b and 0.9.1c [23-Dec-1998] *) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and changed SSLeay to OpenSSL in version strings. [Ralf S. Engelschall] *) Some fixups to the top-level documents. [Paul Sutton] *) Fixed the nasty bug where rsaref.h was not found under compile-time because the symlink to include/ was missing. [Ralf S. Engelschall] *) Incorporated the popular no-RSA/DSA-only patches which allow to compile a RSA-free SSLeay. [Andrew Cooke / Interrader Ldt., Ralf S. Engelschall] *) Fixed nasty rehash problem under `make -f Makefile.ssl links' when "ssleay" is still not found. [Ralf S. Engelschall] *) Added more platforms to Configure: Cray T3E, HPUX 11, [Ralf S. Engelschall, Beckmann ] *) Updated the README file. [Ralf S. Engelschall] *) Added various .cvsignore files in the CVS repository subdirs to make a "cvs update" really silent. [Ralf S. Engelschall] *) Recompiled the error-definition header files and added missing symbols to the Win32 linker tables. [Ralf S. Engelschall] *) Cleaned up the top-level documents; o new files: CHANGES and LICENSE o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay o merged COPYRIGHT into LICENSE o removed obsolete TODO file o renamed MICROSOFT to INSTALL.W32 [Ralf S. Engelschall] *) Removed dummy files from the 0.9.1b source tree: crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f [Ralf S. Engelschall] *) Added various platform portability fixes. [Mark J. Cox] *) The Genesis of the OpenSSL rpject: We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A. Young and Tim J. Hudson created while they were working for C2Net until summer 1998. [The OpenSSL Project] Changes between 0.9.0b and 0.9.1b [not released] *) Updated a few CA certificates under certs/ [Eric A. Young] *) Changed some BIGNUM api stuff. [Eric A. Young] *) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD, DGUX x86, Linux Alpha, etc. [Eric A. Young] *) New COMP library [crypto/comp/] for SSL Record Layer Compression: RLE (dummy implemented) and ZLIB (really implemented when ZLIB is available). [Eric A. Young] *) Add -strparse option to asn1pars program which parses nested binary structures [Dr Stephen Henson ] *) Added "oid_file" to ssleay.cnf for "ca" and "req" programs. [Eric A. Young] *) DSA fix for "ca" program. [Eric A. Young] *) Added "-genkey" option to "dsaparam" program. [Eric A. Young] *) Added RIPE MD160 (rmd160) message digest. [Eric A. Young] *) Added -a (all) option to "ssleay version" command. [Eric A. Young] *) Added PLATFORM define which is the id given to Configure. [Eric A. Young] *) Added MemCheck_XXXX functions to crypto/mem.c for memory checking. [Eric A. Young] *) Extended the ASN.1 parser routines. [Eric A. Young] *) Extended BIO routines to support REUSEADDR, seek, tell, etc. [Eric A. Young] *) Added a BN_CTX to the BN library. [Eric A. Young] *) Fixed the weak key values in DES library [Eric A. Young] *) Changed API in EVP library for cipher aliases. [Eric A. Young] *) Added support for RC2/64bit cipher. [Eric A. Young] *) Converted the lhash library to the crypto/mem.c functions. [Eric A. Young] *) Added more recognized ASN.1 object ids. [Eric A. Young] *) Added more RSA padding checks for SSL/TLS. [Eric A. Young] *) Added BIO proxy/filter functionality. [Eric A. Young] *) Added extra_certs to SSL_CTX which can be used send extra CA certificates to the client in the CA cert chain sending process. It can be configured with SSL_CTX_add_extra_chain_cert(). [Eric A. Young] *) Now Fortezza is denied in the authentication phase because this is key exchange mechanism is not supported by SSLeay at all. [Eric A. Young] *) Additional PKCS1 checks. [Eric A. Young] *) Support the string "TLSv1" for all TLS v1 ciphers. [Eric A. Young] *) Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the ex_data index of the SSL context in the X509_STORE_CTX ex_data. [Eric A. Young] *) Fixed a few memory leaks. [Eric A. Young] *) Fixed various code and comment typos. [Eric A. Young] *) A minor bug in ssl/s3_clnt.c where there would always be 4 0 bytes sent in the client random. [Edward Bishop ] diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure index 61331dbb517f..4e7883c17abf 100755 --- a/crypto/openssl/Configure +++ b/crypto/openssl/Configure @@ -1,1672 +1,1673 @@ : eval 'exec perl -S $0 ${1+"$@"}' if $running_under_some_shell; ## ## Configure -- OpenSSL source tree configuration script ## require 5.000; use strict; # see INSTALL for instructions. my $usage="Usage: Configure [no- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n"; # Options: # # --openssldir install OpenSSL in OPENSSLDIR (Default: DIR/ssl if the # --prefix option is given; /usr/local/ssl otherwise) # --prefix prefix for the OpenSSL include, lib and bin directories # (Default: the OPENSSLDIR directory) # # --install_prefix Additional prefix for package builders (empty by # default). This needn't be set in advance, you can # just as well use "make INSTALL_PREFIX=/whatever install". # # --with-krb5-dir Declare where Kerberos 5 lives. The libraries are expected # to live in the subdirectory lib/ and the header files in # include/. A value is required. # --with-krb5-lib Declare where the Kerberos 5 libraries live. A value is # required. # (Default: KRB5_DIR/lib) # --with-krb5-include Declare where the Kerberos 5 header files live. A # value is required. # (Default: KRB5_DIR/include) # --with-krb5-flavor Declare what flavor of Kerberos 5 is used. Currently # supported values are "MIT" and "Heimdal". A value is required. # # --test-sanity Make a number of sanity checks on the data in this file. # This is a debugging tool for OpenSSL developers. # # no-engine do not compile in any engine code. # no-hw-xxx do not compile support for specific crypto hardware. # Generic OpenSSL-style methods relating to this support # are always compiled but return NULL if the hardware # support isn't compiled. # no-hw do not compile support for any crypto hardware. # [no-]threads [don't] try to create a library that is suitable for # multithreaded applications (default is "threads" if we # know how to do it) # [no-]shared [don't] try to create shared libraries when supported. # no-asm do not use assembler # no-dso do not compile in any native shared-library methods. This # will ensure that all methods just return NULL. # no-krb5 do not compile in any KRB5 library or code. # [no-]zlib [don't] compile support for zlib compression. # zlib-dynamic Like "zlib", but the zlib library is expected to be a shared # library and will be loaded in run-time by the OpenSSL library. # 386 generate 80386 code # no- build without specified algorithm (rsa, idea, rc5, ...) # - + compiler options are passed through # # DEBUG_SAFESTACK use type-safe stacks to enforce type-safety on stack items # provided to stack calls. Generates unique stack functions for # each possible stack type. # DES_PTR use pointer lookup vs arrays in the DES in crypto/des/des_locl.h # DES_RISC1 use different DES_ENCRYPT macro that helps reduce register # dependancies but needs to more registers, good for RISC CPU's # DES_RISC2 A different RISC variant. # DES_UNROLL unroll the inner DES loop, sometimes helps, somtimes hinders. # DES_INT use 'int' instead of 'long' for DES_LONG in crypto/des/des.h # This is used on the DEC Alpha where long is 8 bytes # and int is 4 # BN_LLONG use the type 'long long' in crypto/bn/bn.h # MD2_CHAR use 'char' instead of 'int' for MD2_INT in crypto/md2/md2.h # MD2_LONG use 'long' instead of 'int' for MD2_INT in crypto/md2/md2.h # IDEA_SHORT use 'short' instead of 'int' for IDEA_INT in crypto/idea/idea.h # IDEA_LONG use 'long' instead of 'int' for IDEA_INT in crypto/idea/idea.h # RC2_SHORT use 'short' instead of 'int' for RC2_INT in crypto/rc2/rc2.h # RC2_LONG use 'long' instead of 'int' for RC2_INT in crypto/rc2/rc2.h # RC4_CHAR use 'char' instead of 'int' for RC4_INT in crypto/rc4/rc4.h # RC4_LONG use 'long' instead of 'int' for RC4_INT in crypto/rc4/rc4.h # RC4_INDEX define RC4_INDEX in crypto/rc4/rc4_locl.h. This turns on # array lookups instead of pointer use. # RC4_CHUNK enables code that handles data aligned at long (natural CPU # word) boundary. # RC4_CHUNK_LL enables code that handles data aligned at long long boundary # (intended for 64-bit CPUs running 32-bit OS). # BF_PTR use 'pointer arithmatic' for Blowfish (unsafe on Alpha). # BF_PTR2 intel specific version (generic version is more efficient). # MD5_ASM use some extra md5 assember, # SHA1_ASM use some extra sha1 assember, must define L_ENDIAN for x86 # RMD160_ASM use some extra ripemd160 assember, my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL"; # MD2_CHAR slags pentium pros my $x86_gcc_opts="RC4_INDEX MD2_INT"; # MODIFY THESE PARAMETERS IF YOU ARE GOING TO USE THE 'util/speed.sh SCRIPT # Don't worry about these normally my $tcc="cc"; my $tflags="-fast -Xa"; my $tbn_mul=""; my $tlib="-lnsl -lsocket"; #$bits1="SIXTEEN_BIT "; #$bits2="THIRTY_TWO_BIT "; my $bits1="THIRTY_TWO_BIT "; my $bits2="SIXTY_FOUR_BIT "; my $x86_elf_asm="asm/bn86-elf.o asm/co86-elf.o:asm/dx86-elf.o asm/yx86-elf.o:asm/bx86-elf.o:asm/mx86-elf.o:asm/sx86-elf.o:asm/cx86-elf.o:asm/rx86-elf.o:asm/rm86-elf.o:asm/r586-elf.o"; my $x86_out_asm="asm/bn86-out.o asm/co86-out.o:asm/dx86-out.o asm/yx86-out.o:asm/bx86-out.o:asm/mx86-out.o:asm/sx86-out.o:asm/cx86-out.o:asm/rx86-out.o:asm/rm86-out.o:asm/r586-out.o"; my $x86_bsdi_asm="asm/bn86bsdi.o asm/co86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:asm/bx86bsdi.o:asm/mx86bsdi.o:asm/sx86bsdi.o:asm/cx86bsdi.o:asm/rx86bsdi.o:asm/rm86bsdi.o:asm/r586bsdi.o"; my $mips3_irix_asm="asm/mips3.o::::::::"; # There seems to be boundary faults in asm/alpha.s. #my $alpha_asm="asm/alpha.o::::::::"; my $alpha_asm="::::::::"; # -DB_ENDIAN slows things down on a sparc for md5, but helps sha1. # So the md5_locl.h file has an undef B_ENDIAN if sun is defined #config-string $cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags my %table=( # File 'TABLE' (created by 'make TABLE') contains the data from this list, # formatted for better readability. #"b", "${tcc}:${tflags}::${tlib}:${bits1}:${tbn_mul}::", #"bl-4c-2c", "${tcc}:${tflags}::${tlib}:${bits1}BN_LLONG RC4_CHAR MD2_CHAR:${tbn_mul}::", #"bl-4c-ri", "${tcc}:${tflags}::${tlib}:${bits1}BN_LLONG RC4_CHAR RC4_INDEX:${tbn_mul}::", #"b2-is-ri-dp", "${tcc}:${tflags}::${tlib}:${bits2}IDEA_SHORT RC4_INDEX DES_PTR:${tbn_mul}::", # Our development configs "purify", "purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::", "debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::", "debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o", "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", "debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::", "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn", -"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "dist", "cc:-O::(unknown)::::::", # Basic configs that should work on any (32 and less bit) box "gcc", "gcc:-O3::(unknown):::BN_LLONG:::", "cc", "cc:-O::(unknown)::::::", #### Solaris x86 with GNU C setups # -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it # here because whenever GNU C instantiates an assembler template it # surrounds it with #APP #NO_APP comment pair which (at least Solaris # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic" # error message. "solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Solaris x86 with Sun C setups "solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with GNU C setups "solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc "solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8 # but keep the assembler modules. "solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### "debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with Sun C setups # DO NOT use /xO[34] on sparc with SC3.0. It is broken, and will not pass the tests "solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2. # SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8 # SC5.0 note: Compiler common patch 107357-01 or later is required! "solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:-xarch=v9:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs", #### "debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Linux setups "linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::", # Ray Miller has patiently # assisted with debugging of following two configs. "linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # it's a real mess with -mcpu=ultrasparc option under Linux, but # -Wa,-Av8plus should do the trick no matter what. "linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # GCC 3.1 is a requirement "linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # Sunos configs, assuming sparc for the gcc one. ##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:::", "sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::", #### IRIX 5.x configs # -mips2 flag is added by ./config when appropriate. "irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::::::::dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### IRIX 6.x configs # Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke -# './Configure irix-[g]cc' manually. +# './Configure irix-cc -o32' manually. # -mips4 flag is added by ./config when appropriate. -"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::-n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # N64 ABI builds. -"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::-64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Unified HP-UX ANSI C configs. # Special notes: # - Originally we were optimizing at +O4 level. It should be noted # that the only difference between +O3 and +O4 is global inter- # procedural analysis. As it has to be performed during the link # stage the compiler leaves behind certain pseudo-code in lib*.a # which might be release or even patch level specific. Generating # the machine code for and analyzing the *whole* program appears # to be *extremely* memory demanding while the performance gain is # actually questionable. The situation is intensified by the default # HP-UX data set size limit (infamous 'maxdsiz' tunable) of 64MB # which is way too low for +O4. In other words, doesn't +O3 make # more sense? # - Keep in mind that the HP compiler by default generates code # suitable for execution on the host you're currently compiling at. # If the toolkit is ment to be used on various PA-RISC processors # consider './config +DAportable'. # - +DD64 is chosen in favour of +DA2.0W because it's ment to be # compatible with *future* releases. # - If you run ./Configure hpux-parisc-[g]cc manually don't forget to # pass -D_REENTRANT on HP-UX 10 and later. # - -DMD32_XARRAY triggers workaround for compiler bug we ran into in # 32-bit message digests. (For the moment of this writing) HP C # doesn't seem to "digest" too many local variables (they make "him" # chew forever:-). For more details look-up MD32_XARRAY comment in # crypto/sha/sha_lcl.h. # # #!#"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl", # Since there is mention of this in shlib/hpux10-cc.sh "hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # 64bit PARISC for GCC without optimization, which seems to make problems. # Submitted by "hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # IA-64 targets "hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # Frank Geurts has patiently assisted with # with debugging of the following config. "hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # More attempts at unified 10.X and 11.X targets for HP C compiler. # # Chris Ruemmler # Kevin Steves "hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # Isn't the line below meaningless? HP-UX cc optimizes for host by default. # hpux-parisc1_0-cc with +DAportable flag would make more sense. "hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # HPUX 9.X config. # Don't use the bundled cc. It is broken. Use HP ANSI C if possible, or # egcs. gcc 2.8.1 is also broken. "hpux-cc", "cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown)::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # If hpux-cc fails (e.g. during "make test"), try the next one; otherwise, # please report your OS and compiler version to the openssl-bugs@openssl.org # mailing list. "hpux-brokencc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "hpux-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # If hpux-gcc fails, try this one: "hpux-brokengcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # HPUX 9.X on Motorola 68k platforms with gcc "hpux-m68k-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):::BN_LLONG DES_PTR DES_UNROLL:::::::::::::", # HPUX 10.X config. Supports threads. "hpux10-cc", "cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # If hpux10-cc fails, try this one (if still fails, try deleting BN_LLONG): "hpux10-brokencc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "hpux10-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # If hpux10-gcc fails, try this one: "hpux10-brokengcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # HPUX 11.X from www.globus.org. # Only works on PA-RISC 2.0 cpus, and not optimized. Why? #"hpux11-32bit-cc","cc:+DA2.0 -DB_ENDIAN -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT:::DES_PTR DES_UNROLL DES_RISC1:::", #"hpux11-64bit-cc","cc:+DA2.0W -g -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT :::", # Use unified settings above instead. #### HP MPE/iX http://jazz.external.hp.com/src/openssl/ "MPE/iX-gcc", "gcc:-D_ENDIAN -DBN_DIV2W -O3 -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):MPE:-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::", #### PARISC Linux setups "linux-parisc","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::", # Dec Alpha, OSF/1 - the alpha164-cc is historical, for the conversion # from the older DEC C Compiler to the newer compiler. It's now the # same as the preferred entry, alpha-cc. If you are still using the # older compiler (you're at 3.x or earlier, or perhaps very early 4.x) # you should use `alphaold-cc'. # # "What's in a name? That which we call a rose # By any other word would smell as sweet." # # - William Shakespeare, "Romeo & Juliet", Act II, scene II. # # For OSF/1 3.2b and earlier, and Digital UNIX 3.2c - 3.2g, with the # vendor compiler, use alphaold-cc. # For Digital UNIX 4.0 - 4.0e, with the vendor compiler, use alpha-cc. # For Tru64 UNIX 4.f - current, with the vendor compiler, use alpha-cc. # # There's also an alternate target available (which `config' will never # select) called alpha-cc-rpath. This target builds an RPATH into the # shared libraries, which is very convenient on Tru64 since binaries # linked against that shared library will automatically inherit that RPATH, # and hence know where to look for the openssl libraries, even if they're in # an odd place. # # For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version # "alpha-gcc","gcc:-O3::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so", "alphaold-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so", "alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared:::.so", "alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared:::.so", "alpha-cc-rpath", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared-rpath:::.so", # # This probably belongs in a different section. # "FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Alpha Linux with GNU C and Compaq C setups # Special notes: # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you # ought to run './Configure linux-alpha+bwx-gcc' manually, do # complement the command line with -mcpu=ev56, -mcpu=ev6 or whatever # which is appropriate. # - If you use ccc keep in mind that -fast implies -arch host and the # compiler is free to issue instructions which gonna make elder CPU # choke. If you wish to build "blended" toolkit, add -arch generic # *after* -fast and invoke './Configure linux-alpha-ccc' manually. # # # "linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", # assembler versions -- currently defunct: ##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer:::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${alpha_asm}", # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the # bn86-elf.o file file since it is hand tweaked assembler. "linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-pentium", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ppro", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-k6", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=k6 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", "linux-mipsel", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-mips", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::", "linux-s390", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-ecc", "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "FreeBSD-sparc64","gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "FreeBSD-ia64","gcc:-DL_ENDIAN -DTERMIOS -O -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64-cpp.o:::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", "bsdi-gcc", "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown):::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}", "bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "nextstep", "cc:-O -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", "nextstep3.3", "cc:-O3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # NCR MP-RAS UNIX ver 02.03.01 "ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown)::-lsocket -lnsl -lc89:${x86_gcc_des} ${x86_gcc_opts}:::", # QNX 4 "qnx4", "cc:-DL_ENDIAN -DTERMIO::(unknown):::${x86_gcc_des} ${x86_gcc_opts}:", # QNX 6 "qnx6", "cc:-DL_ENDIAN -DTERMIOS::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:", # Linux on ARM "linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # SCO/Caldera targets. # # Originally we had like unixware-*, unixware-*-pentium, unixware-*-p6, etc. # Now we only have blended unixware-* as it's the only one used by ./config. # If you want to optimize for particular microarchitecture, bypass ./config # and './Configure unixware-7 -Kpentium_pro' or whatever appropriate. # Note that not all targets include assembler support. Mostly because of # lack of motivation to support out-of-date platforms with out-of-date # compiler drivers and assemblers. Tim Rice has # patiently assisted to debug most of it. # # UnixWare 2.0x fails destest with -O "unixware-2.0","cc:-DFILIO_H -DNO_STRINGS_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::", "unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::", "unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "sco3-gcc", "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown)::-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... # SCO 5 - Ben Laurie says the -O breaks the SCO cc. "sco5-cc", "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # IBM's AIX. "aix-cc", "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::", "aix-gcc", "gcc:-O3 -DB_ENDIAN::(unknown):AIX::BN_LLONG RC4_CHAR:::", "aix43-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:aix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::", "aix43-gcc", "gcc:-O1 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:", "aix64-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64", # # Cray T90 and similar (SDSC) # It's Big-endian, but the algorithms work properly when B_ENDIAN is NOT # defined. The T90 ints and longs are 8 bytes long, and apparently the # B_ENDIAN code assumes 4 byte ints. Fortunately, the non-B_ENDIAN and # non L_ENDIAN code aligns the bytes in each word correctly. # # The BIT_FIELD_LIMITS define is to avoid two fatal compiler errors: #'Taking the address of a bit field is not allowed. ' #'An expression with bit field exists as the operand of "sizeof" ' # (written by Wayne Schroeder ) # # j90 is considered the base machine type for unicos machines, # so this configuration is now called "cray-j90" ... "cray-j90", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown):CRAY::SIXTY_FOUR_BIT_LONG DES_INT:::", # # Cray T3E (Research Center Juelich, beckman@acl.lanl.gov) # # The BIT_FIELD_LIMITS define was written for the C90 (it seems). I added # another use. Basically, the problem is that the T3E uses some bit fields # for some st_addr stuff, and then sizeof and address-of fails # I could not use the ams/alpha.o option because the Cray assembler, 'cam' # did not like it. "cray-t3e", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown):CRAY::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:::", # DGUX, 88100. "dgux-R3-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):::RC4_INDEX DES_UNROLL:::", "dgux-R4-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::-lnsl -lsocket:RC4_INDEX DES_UNROLL:::", "dgux-R4-x86-gcc", "gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown)::-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", # Sinix/ReliantUNIX RM400 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g */ "ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:reliantunix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "SINIX","cc:-O::(unknown):SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:RC4_INDEX RC4_CHAR:::", "SINIX-N","/usr/ucb/cc:-O2 -misaligned::(unknown)::-lucb:RC4_INDEX RC4_CHAR:::", # SIEMENS BS2000/OSD: an EBCDIC-based mainframe "BS2000-OSD","c89:-O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC::(unknown)::-lsocket -lnsl:THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::", # OS/390 Unix an EBCDIC-based Unix system on IBM mainframe # You need to compile using the c89.sh wrapper in the tools directory, because the # IBM compiler does not like the -L switch after any object modules. # "OS390-Unix","c89.sh:-O -DB_ENDIAN -DCHARSET_EBCDIC -DNO_SYS_PARAM_H -D_ALL_SOURCE::(unknown):::THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::", # Windows NT, Microsoft Visual C++ 4.0 "VC-NT","cl::::WINNT::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32", "VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32", "VC-WIN32","cl::::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32", "VC-WIN16","cl:::(unknown):WIN16::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::", "VC-W31-16","cl:::(unknown):WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::", "VC-W31-32","cl::::WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::", "VC-MSDOS","cl:::(unknown):MSDOS::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::", # Borland C++ 4.5 "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN::::::::::win32", "BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::", # MinGW "mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-mno-cygwin -lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32::::.dll", # UWIN "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", # Cygwin "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", "Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll", # DJGPP "DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::", # Ultrix from Bernhard Simon "ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::", "ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::::::", # K&R C is no longer supported; you need gcc on old Ultrix installations ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown):::::::", # Some OpenBSD from Bob Beck "OpenBSD", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-alpha", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-i386", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-m68k", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-m88k", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-mips", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-powerpc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-sparc64", "gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-vax", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "OpenBSD-hppa", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ##### MacOS X (a.k.a. Rhapsody or Darwin) setup "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::", "darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", "darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", ##### A/UX "aux3-gcc","gcc:-O2 -DTERMIO::(unknown):AUX:-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::", ##### Sony NEWS-OS 4.x "newsos4-gcc","gcc:-O -DB_ENDIAN::(unknown):NEWS4:-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::", ##### GNU Hurd "hurd-x86", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC", ##### OS/2 EMX "OS2-EMX", "gcc::::::::", ##### VxWorks for various targets "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::", "vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::", "vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::", "vxworks-ppc860","ccppc:-nostdinc -msoft-float -DCPU=PPC860 -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::", "vxworks-mipsle","ccmips:-B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -DL_ENDIAN -EL -Wl,-EL -mips2 -mno-branch-likely -G 0 -fno-builtin -msoft-float -DCPU=MIPS32 -DMIPSEL -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r::::::::::::::::ranlibmips:", ##### Compaq Non-Stop Kernel (Tandem) "tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::", ); my @WinTargets=qw(VC-NT VC-CE VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32 BC-16 Mingw32 OS2-EMX); my $idx = 0; my $idx_cc = $idx++; my $idx_cflags = $idx++; my $idx_unistd = $idx++; my $idx_thread_cflag = $idx++; my $idx_sys_id = $idx++; my $idx_lflags = $idx++; my $idx_bn_ops = $idx++; my $idx_bn_obj = $idx++; my $idx_des_obj = $idx++; my $idx_bf_obj = $idx++; my $idx_md5_obj = $idx++; my $idx_sha1_obj = $idx++; my $idx_cast_obj = $idx++; my $idx_rc4_obj = $idx++; my $idx_rmd160_obj = $idx++; my $idx_rc5_obj = $idx++; my $idx_dso_scheme = $idx++; my $idx_shared_target = $idx++; my $idx_shared_cflag = $idx++; my $idx_shared_ldflag = $idx++; my $idx_shared_extension = $idx++; my $idx_ranlib = $idx++; my $idx_arflags = $idx++; my $prefix=""; my $openssldir=""; my $exe_ext=""; my $install_prefix=""; my $no_threads=0; my $no_shared=1; my $zlib=0; my $no_krb5=0; my $threads=0; my $no_asm=0; my $no_dso=0; my @skip=(); my $Makefile="Makefile.ssl"; my $des_locl="crypto/des/des_locl.h"; my $des ="crypto/des/des.h"; my $bn ="crypto/bn/bn.h"; my $md2 ="crypto/md2/md2.h"; my $rc4 ="crypto/rc4/rc4.h"; my $rc4_locl="crypto/rc4/rc4_locl.h"; my $idea ="crypto/idea/idea.h"; my $rc2 ="crypto/rc2/rc2.h"; my $bf ="crypto/bf/bf_locl.h"; my $bn_asm ="bn_asm.o"; my $des_enc="des_enc.o fcrypt_b.o"; my $bf_enc ="bf_enc.o"; my $cast_enc="c_enc.o"; my $rc4_enc="rc4_enc.o"; my $rc5_enc="rc5_enc.o"; my $md5_obj=""; my $sha1_obj=""; my $rmd160_obj=""; my $processor=""; my $default_ranlib; my $perl; my $no_ssl2=0; my $no_ssl3=0; my $no_tls1=0; my $no_md5=0; my $no_sha=0; my $no_rsa=0; my $no_dh=0; $default_ranlib= &which("ranlib") or $default_ranlib="true"; $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl") or $perl="perl"; &usage if ($#ARGV < 0); my $flags; my $depflags; my $openssl_algorithm_defines; my $openssl_thread_defines; my $openssl_sys_defines=""; my $openssl_other_defines; my $libs; my $libkrb5=""; my $target; my $options; my $symlink; my $make_depend=0; my %withargs=(); my @argvcopy=@ARGV; my $argvstring=""; my $argv_unprocessed=1; while($argv_unprocessed) { $flags=""; $depflags=""; $openssl_algorithm_defines=""; $openssl_thread_defines=""; $openssl_sys_defines=""; $openssl_other_defines=""; $libs=""; $target=""; $options=""; $symlink=1; $argv_unprocessed=0; $argvstring=join(' ',@argvcopy); PROCESS_ARGS: foreach (@argvcopy) { s /^-no-/no-/; # some people just can't read the instructions if (/^--test-sanity$/) { exit(&test_sanity()); } elsif (/^no-asm$/) { $no_asm=1; $flags .= "-DOPENSSL_NO_ASM "; $openssl_other_defines .= "#define OPENSSL_NO_ASM\n"; } elsif (/^no-err$/) { $flags .= "-DOPENSSL_NO_ERR "; $openssl_other_defines .= "#define OPENSSL_NO_ERR\n"; } elsif (/^no-hw-(.+)$/) { my $hw=$1; $hw =~ tr/[a-z]/[A-Z]/; $flags .= "-DOPENSSL_NO_HW_$hw "; $openssl_other_defines .= "#define OPENSSL_NO_HW_$hw\n"; } elsif (/^no-hw$/) { $flags .= "-DOPENSSL_NO_HW "; $openssl_other_defines .= "#define OPENSSL_NO_HW\n"; } elsif (/^no-dso$/) { $no_dso=1; } elsif (/^no-krb5$/) { $no_krb5=1; } elsif (/^no-threads$/) { $no_threads=1; } elsif (/^threads$/) { $threads=1; } elsif (/^no-shared$/) { $no_shared=1; } elsif (/^shared$/ || /^-shared$/ || /^--shared$/) { $no_shared=0; } elsif (/^no-zlib$/) { $zlib=0; } elsif (/^zlib$/) { $zlib=1; } elsif (/^zlib-dynamic$/) { $zlib=2; } elsif (/^no-symlinks$/) { $symlink=0; } elsif (/^no-ssl$/) { $no_ssl2 = $no_ssl3 = 1; } elsif (/^no-ssl2$/) { $no_ssl2 = 1; } elsif (/^no-ssl3$/) { $no_ssl3 = 1; } elsif (/^no-tls1?$/) { $no_tls1 = 1; } elsif (/^no-(.+)$/) { my $algo=$1; push @skip,$algo; $algo =~ tr/[a-z]/[A-Z]/; $flags .= "-DOPENSSL_NO_$algo "; $depflags .= "-DOPENSSL_NO_$algo "; $openssl_algorithm_defines .= "#define OPENSSL_NO_$algo\n"; if ($algo eq "RIJNDAEL") { push @skip, "aes"; $flags .= "-DOPENSSL_NO_AES "; $depflags .= "-DOPENSSL_NO_AES "; $openssl_algorithm_defines .= "#define OPENSSL_NO_AES\n"; } if ($algo eq "DES") { push @skip, "mdc2"; $options .= " no-mdc2"; $flags .= "-DOPENSSL_NO_MDC2 "; $depflags .= "-DOPENSSL_NO_MDC2 "; $openssl_algorithm_defines .= "#define OPENSSL_NO_MDC2\n"; } if ($algo eq "MD5") { $no_md5 = 1; } if ($algo eq "SHA") { $no_sha = 1; } if ($algo eq "RSA") { $no_rsa = 1; } if ($algo eq "DH") { $no_dh = 1; } } elsif (/^reconfigure/ || /^reconf/) { if (open(IN,"<$Makefile")) { while () { chop; if (/^CONFIGURE_ARGS=(.*)/) { $argvstring=$1; @argvcopy=split(' ',$argvstring); die "Incorrect data to reconfigure, please do a normal configuration\n" if (grep(/^reconf/,@argvcopy)); print "Reconfiguring with: $argvstring\n"; $argv_unprocessed=1; close(IN); last PROCESS_ARGS; } } close(IN); } die "Insufficient data to reconfigure, please do a normal configuration\n"; } elsif (/^386$/) { $processor=386; } elsif (/^rsaref$/) { # No RSAref support any more since it's not needed. # The check for the option is there so scripts aren't # broken } elsif (/^[-+]/) { if (/^-[lL](.*)$/) { $libs.=$_." "; } elsif (/^-[^-]/ or /^\+/) { $flags.=$_." "; } elsif (/^--prefix=(.*)$/) { $prefix=$1; } elsif (/^--openssldir=(.*)$/) { $openssldir=$1; } elsif (/^--install.prefix=(.*)$/) { $install_prefix=$1; } elsif (/^--with-krb5-(dir|lib|include|flavor)=(.*)$/) { $withargs{"krb5-".$1}=$2; } else { print STDERR $usage; exit(1); } } elsif ($_ =~ /^([^:]+):(.+)$/) { eval "\$table{\$1} = \"$2\""; # allow $xxx constructs in the string $target=$1; } else { die "target already defined - $target\n" if ($target ne ""); $target=$_; } unless ($_ eq $target) { if ($options eq "") { $options = $_; } else { $options .= " ".$_; } } } } $no_ssl3=1 if ($no_md5 || $no_sha); $no_ssl3=1 if ($no_rsa && $no_dh); $no_ssl2=1 if ($no_md5); $no_ssl2=1 if ($no_rsa); $no_tls1=1 if ($no_md5 || $no_sha); $no_tls1=1 if ($no_dh); if ($no_ssl2) { push @skip,"SSL2"; $flags .= "-DOPENSSL_NO_SSL2 "; $depflags .= "-DOPENSSL_NO_SSL2 "; $openssl_algorithm_defines .= "#define OPENSSL_NO_SSL2\n"; } if ($no_ssl3) { push @skip,"SSL3"; $flags .= "-DOPENSSL_NO_SSL3 "; $depflags .= "-DOPENSSL_NO_SSL3 "; $openssl_algorithm_defines .= "#define OPENSSL_NO_SSL3\n"; } if ($no_tls1) { push @skip,"TLS1"; $flags .= "-DOPENSSL_NO_TLS1 "; $depflags .= "-DOPENSSL_NO_TLS1 "; $openssl_algorithm_defines .= "#define OPENSSL_NO_TLS1\n"; } if ($target eq "TABLE") { foreach $target (sort keys %table) { print_table_entry($target); } exit 0; } if ($target eq "LIST") { foreach (sort keys %table) { print; print "\n"; } exit 0; } if ($target =~ m/^CygWin32(-.*)$/) { $target = "Cygwin".$1; } print "Configuring for $target\n"; &usage if (!defined($table{$target})); my $IsWindows=scalar grep /^$target$/,@WinTargets; $exe_ext=".exe" if ($target eq "Cygwin"); $exe_ext=".exe" if ($target eq "DJGPP"); $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq ""); $prefix=$openssldir if $prefix eq ""; chop $openssldir if $openssldir =~ /\/$/; chop $prefix if $prefix =~ /\/$/; $openssldir=$prefix . "/ssl" if $openssldir eq ""; $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/; print "IsWindows=$IsWindows\n"; my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); my $cc = $fields[$idx_cc]; my $cflags = $fields[$idx_cflags]; my $unistd = $fields[$idx_unistd]; my $thread_cflag = $fields[$idx_thread_cflag]; my $sys_id = $fields[$idx_sys_id]; my $lflags = $fields[$idx_lflags]; my $bn_ops = $fields[$idx_bn_ops]; my $bn_obj = $fields[$idx_bn_obj]; my $des_obj = $fields[$idx_des_obj]; my $bf_obj = $fields[$idx_bf_obj]; $md5_obj = $fields[$idx_md5_obj]; $sha1_obj = $fields[$idx_sha1_obj]; my $cast_obj = $fields[$idx_cast_obj]; my $rc4_obj = $fields[$idx_rc4_obj]; $rmd160_obj = $fields[$idx_rmd160_obj]; my $rc5_obj = $fields[$idx_rc5_obj]; my $dso_scheme = $fields[$idx_dso_scheme]; my $shared_target = $fields[$idx_shared_target]; my $shared_cflag = $fields[$idx_shared_cflag]; my $shared_ldflag = $fields[$idx_shared_ldflag]; my $shared_extension = $fields[$idx_shared_extension]; my $ranlib = $fields[$idx_ranlib]; my $arflags = $fields[$idx_arflags]; my $no_shared_warn=0; $cflags="$flags$cflags" if ($flags ne ""); # Kerberos settings. The flavor must be provided from outside, either through # the script "config" or manually. if ($no_krb5 || !defined($withargs{"krb5-flavor"}) || $withargs{"krb5-flavor"} eq "") { $cflags="-DOPENSSL_NO_KRB5 $cflags"; $options.=" no-krb5" unless $no_krb5; $openssl_algorithm_defines .= "#define OPENSSL_NO_KRB5\n"; } else { my ($lresolv, $lpath, $lext); if ($withargs{"krb5-flavor"} =~ /^[Hh]eimdal$/) { die "Sorry, Heimdal is currently not supported\n"; } ##### HACK to force use of Heimdal. ##### WARNING: Since we don't really have adequate support for Heimdal, ##### using this will break the build. You'll have to make ##### changes to the source, and if you do, please send ##### patches to openssl-dev@openssl.org if ($withargs{"krb5-flavor"} =~ /^force-[Hh]eimdal$/) { warn "Heimdal isn't really supported. Your build WILL break\n"; warn "If you fix the problems, please send a patch to openssl-dev\@openssl.org\n"; $withargs{"krb5-dir"} = "/usr/heimdal" if $withargs{"krb5-dir"} eq ""; $withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}. "/lib -lgssapi -lkrb5 -lcom_err" if $withargs{"krb5-lib"} eq ""; $cflags="-DKRB5_HEIMDAL $cflags"; } if ($withargs{"krb5-flavor"} =~ /^[Mm][Ii][Tt]/) { $withargs{"krb5-dir"} = "/usr/kerberos" if $withargs{"krb5-dir"} eq ""; $withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}. "/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto" if $withargs{"krb5-lib"} eq ""; $cflags="-DKRB5_MIT $cflags"; $withargs{"krb5-flavor"} =~ s/^[Mm][Ii][Tt][._-]*//; if ($withargs{"krb5-flavor"} =~ /^1[._-]*[01]/) { $cflags="-DKRB5_MIT_OLD11 $cflags"; } } LRESOLV: foreach $lpath ("/lib", "/usr/lib") { foreach $lext ("a", "so") { $lresolv = "$lpath/libresolv.$lext"; last LRESOLV if (-r "$lresolv"); $lresolv = ""; } } $withargs{"krb5-lib"} .= " -lresolv" if ("$lresolv" ne ""); $withargs{"krb5-include"} = "-I".$withargs{"krb5-dir"}."/include" if $withargs{"krb5-include"} eq "" && $withargs{"krb5-dir"} ne ""; } # The DSO code currently always implements all functions so that no # applications will have to worry about that from a compilation point # of view. However, the "method"s may return zero unless that platform # has support compiled in for them. Currently each method is enabled # by a define "DSO_" ... we translate the "dso_scheme" config # string entry into using the following logic; my $dso_cflags; if (!$no_dso && $dso_scheme ne "") { $dso_scheme =~ tr/[a-z]/[A-Z]/; if ($dso_scheme eq "DLFCN") { $dso_cflags = "-DDSO_DLFCN -DHAVE_DLFCN_H"; } elsif ($dso_scheme eq "DLFCN_NO_H") { $dso_cflags = "-DDSO_DLFCN"; } else { $dso_cflags = "-DDSO_$dso_scheme"; } $cflags = "$dso_cflags $cflags"; } my $thread_cflags; my $thread_defines; if ($thread_cflag ne "(unknown)" && !$no_threads) { # If we know how to do it, support threads by default. $threads = 1; } if ($thread_cflag eq "(unknown)") { # If the user asked for "threads", hopefully they also provided # any system-dependent compiler options that are necessary. $thread_cflags="-DOPENSSL_THREADS $cflags" ; $thread_defines .= "#define OPENSSL_THREADS\n"; } else { $thread_cflags="-DOPENSSL_THREADS $thread_cflag $cflags"; $thread_defines .= "#define OPENSSL_THREADS\n"; # my $def; # foreach $def (split ' ',$thread_cflag) # { # if ($def =~ s/^-D// && $def !~ /^_/) # { # $thread_defines .= "#define $def\n"; # } # } } $lflags="$libs$lflags" if ($libs ne ""); if ($no_asm) { $bn_obj=$des_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj=""; $sha1_obj=$md5_obj=$rmd160_obj=""; } if (!$no_shared) { $cast_obj=""; # CAST assembler is not PIC } if ($threads) { $cflags=$thread_cflags; $openssl_thread_defines .= $thread_defines; } if ($zlib) { $cflags = "-DZLIB $cflags"; $cflags = "-DZLIB_SHARED $cflags" if $zlib == 2; $lflags = "$lflags -lz" if $zlib == 1; } # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org my $shared_mark = ""; if ($shared_target eq "") { $no_shared_warn = 1 if !$no_shared; $no_shared = 1; } if (!$no_shared) { if ($shared_cflag ne "") { $cflags = "$shared_cflag $cflags"; } } if ($sys_id ne "") { $cflags="-DOPENSSL_SYSNAME_$sys_id $cflags"; $openssl_sys_defines="#define OPENSSL_SYSNAME_$sys_id\n"; } if ($ranlib eq "") { $ranlib = $default_ranlib; } #my ($bn1)=split(/\s+/,$bn_obj); #$bn1 = "" unless defined $bn1; #$bn1=$bn_asm unless ($bn1 =~ /\.o$/); #$bn_obj="$bn1"; $bn_obj = $bn_asm unless $bn_obj ne ""; $des_obj=$des_enc unless ($des_obj =~ /\.o$/); $bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/); $cast_obj=$cast_enc unless ($cast_obj =~ /\.o$/); $rc4_obj=$rc4_enc unless ($rc4_obj =~ /\.o$/); $rc5_obj=$rc5_enc unless ($rc5_obj =~ /\.o$/); if ($sha1_obj =~ /\.o$/) { # $sha1_obj=$sha1_enc; $cflags.=" -DSHA1_ASM"; } if ($md5_obj =~ /\.o$/) { # $md5_obj=$md5_enc; $cflags.=" -DMD5_ASM"; } if ($rmd160_obj =~ /\.o$/) { # $rmd160_obj=$rmd160_enc; $cflags.=" -DRMD160_ASM"; } # "Stringify" the C flags string. This permits it to be made part of a string # and works as well on command lines. $cflags =~ s/([\\\"])/\\\1/g; my $version = "unknown"; my $major = "unknown"; my $minor = "unknown"; my $shlib_version_number = "unknown"; my $shlib_version_history = "unknown"; my $shlib_major = "unknown"; my $shlib_minor = "unknown"; open(IN,') { $version=$1 if /OPENSSL.VERSION.TEXT.*OpenSSL (\S+) /; $shlib_version_number=$1 if /SHLIB_VERSION_NUMBER *"([^"]+)"/; $shlib_version_history=$1 if /SHLIB_VERSION_HISTORY *"([^"]*)"/; } close(IN); if ($shlib_version_history ne "") { $shlib_version_history .= ":"; } if ($version =~ /(^[0-9]*)\.([0-9\.]*)/) { $major=$1; $minor=$2; } if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/) { $shlib_major=$1; $shlib_minor=$2; } open(IN,'$Makefile.new") || die "unable to create $Makefile.new:$!\n"; print OUT "### Generated automatically from Makefile.org by Configure.\n\n"; my $sdirs=0; while () { chop; $sdirs = 1 if /^SDIRS=/; if ($sdirs) { my $dir; foreach $dir (@skip) { s/([ ])$dir /\1/; } } $sdirs = 0 unless /\\$/; s/^VERSION=.*/VERSION=$version/; s/^MAJOR=.*/MAJOR=$major/; s/^MINOR=.*/MINOR=$minor/; s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/; s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/; s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/; s/^SHLIB_MINOR=.*/SHLIB_MINOR=$shlib_minor/; s/^SHLIB_EXT=.*/SHLIB_EXT=$shared_extension/; s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/; s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/; s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/; s/^PLATFORM=.*$/PLATFORM=$target/; s/^OPTIONS=.*$/OPTIONS=$options/; s/^CONFIGURE_ARGS=.*$/CONFIGURE_ARGS=$argvstring/; s/^CC=.*$/CC= $cc/; s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc"; s/^CFLAG=.*$/CFLAG= $cflags/; s/^DEPFLAG=.*$/DEPFLAG= $depflags/; s/^EX_LIBS=.*$/EX_LIBS= $lflags/; s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/; s/^BN_ASM=.*$/BN_ASM= $bn_obj/; s/^DES_ENC=.*$/DES_ENC= $des_obj/; s/^BF_ENC=.*$/BF_ENC= $bf_obj/; s/^CAST_ENC=.*$/CAST_ENC= $cast_obj/; s/^RC4_ENC=.*$/RC4_ENC= $rc4_obj/; s/^RC5_ENC=.*$/RC5_ENC= $rc5_obj/; s/^MD5_ASM_OBJ=.*$/MD5_ASM_OBJ= $md5_obj/; s/^SHA1_ASM_OBJ=.*$/SHA1_ASM_OBJ= $sha1_obj/; s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/; s/^PROCESSOR=.*/PROCESSOR= $processor/; s/^RANLIB=.*/RANLIB= $ranlib/; s/^ARFLAGS=.*/ARFLAGS= $arflags/; s/^PERL=.*/PERL= $perl/; s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/; s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/; s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/) { my $sotmp = $1; s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/; } elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.dylib$/) { s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.dylib/; } elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) { my $sotmp = $1; s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/; } elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) { s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/; } s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/; print OUT $_."\n"; } close(IN); close(OUT); rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile; rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n"; print "CC =$cc\n"; print "CFLAG =$cflags\n"; print "EX_LIBS =$lflags\n"; print "BN_ASM =$bn_obj\n"; print "DES_ENC =$des_obj\n"; print "BF_ENC =$bf_obj\n"; print "CAST_ENC =$cast_obj\n"; print "RC4_ENC =$rc4_obj\n"; print "RC5_ENC =$rc5_obj\n"; print "MD5_OBJ_ASM =$md5_obj\n"; print "SHA1_OBJ_ASM =$sha1_obj\n"; print "RMD160_OBJ_ASM=$rmd160_obj\n"; print "PROCESSOR =$processor\n"; print "RANLIB =$ranlib\n"; print "ARFLAGS =$arflags\n"; print "PERL =$perl\n"; print "KRB5_INCLUDES =",$withargs{"krb5-include"},"\n" if $withargs{"krb5-include"} ne ""; my $des_ptr=0; my $des_risc1=0; my $des_risc2=0; my $des_unroll=0; my $bn_ll=0; my $def_int=2; my $rc4_int=$def_int; my $md2_int=$def_int; my $idea_int=$def_int; my $rc2_int=$def_int; my $rc4_idx=0; my $rc4_chunk=0; my $bf_ptr=0; my @type=("char","short","int","long"); my ($b64l,$b64,$b32,$b16,$b8)=(0,0,1,0,0); my $export_var_as_fn=0; my $des_int; foreach (sort split(/\s+/,$bn_ops)) { $des_ptr=1 if /DES_PTR/; $des_risc1=1 if /DES_RISC1/; $des_risc2=1 if /DES_RISC2/; $des_unroll=1 if /DES_UNROLL/; $des_int=1 if /DES_INT/; $bn_ll=1 if /BN_LLONG/; $rc4_int=0 if /RC4_CHAR/; $rc4_int=3 if /RC4_LONG/; $rc4_idx=1 if /RC4_INDEX/; $rc4_chunk=1 if /RC4_CHUNK/; $rc4_chunk=2 if /RC4_CHUNK_LL/; $md2_int=0 if /MD2_CHAR/; $md2_int=3 if /MD2_LONG/; $idea_int=1 if /IDEA_SHORT/; $idea_int=3 if /IDEA_LONG/; $rc2_int=1 if /RC2_SHORT/; $rc2_int=3 if /RC2_LONG/; $bf_ptr=1 if $_ eq "BF_PTR"; $bf_ptr=2 if $_ eq "BF_PTR2"; ($b64l,$b64,$b32,$b16,$b8)=(0,1,0,0,0) if /SIXTY_FOUR_BIT/; ($b64l,$b64,$b32,$b16,$b8)=(1,0,0,0,0) if /SIXTY_FOUR_BIT_LONG/; ($b64l,$b64,$b32,$b16,$b8)=(0,0,1,0,0) if /THIRTY_TWO_BIT/; ($b64l,$b64,$b32,$b16,$b8)=(0,0,0,1,0) if /SIXTEEN_BIT/; ($b64l,$b64,$b32,$b16,$b8)=(0,0,0,0,1) if /EIGHT_BIT/; $export_var_as_fn=1 if /EXPORT_VAR_AS_FN/; } open(IN,'crypto/opensslconf.h.new') || die "unable to create crypto/opensslconf.h.new:$!\n"; print OUT "/* opensslconf.h */\n"; print OUT "/* WARNING: Generated automatically from opensslconf.h.in by Configure. */\n\n"; print OUT "/* OpenSSL was configured with the following options: */\n"; my $openssl_algorithm_defines_trans = $openssl_algorithm_defines; $openssl_algorithm_defines_trans =~ s/^\s*#\s*define\s+OPENSSL_(.*)/# if defined(OPENSSL_$1) \&\& !defined($1)\n# define $1\n# endif/mg; $openssl_algorithm_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg; $openssl_algorithm_defines = " /* no ciphers excluded */\n" if $openssl_algorithm_defines eq ""; $openssl_thread_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg; $openssl_sys_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg; $openssl_other_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg; print OUT $openssl_sys_defines; print OUT "#ifndef OPENSSL_DOING_MAKEDEPEND\n\n"; print OUT $openssl_algorithm_defines; print OUT "\n#endif /* OPENSSL_DOING_MAKEDEPEND */\n"; print OUT $openssl_thread_defines; print OUT $openssl_other_defines,"\n"; print OUT "/* The OPENSSL_NO_* macros are also defined as NO_* if the application\n"; print OUT " asks for it. This is a transient feature that is provided for those\n"; print OUT " who haven't had the time to do the appropriate changes in their\n"; print OUT " applications. */\n"; print OUT "#ifdef OPENSSL_ALGORITHM_DEFINES\n"; print OUT $openssl_algorithm_defines_trans; print OUT "#endif\n\n"; while () { if (/^#define\s+OPENSSLDIR/) { print OUT "#define OPENSSLDIR \"$openssldir\"\n"; } elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/) { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n" if $export_var_as_fn; printf OUT "#%s OPENSSL_EXPORT_VAR_AS_FUNCTION\n", ($export_var_as_fn)?"define":"undef"; } elsif (/^#define\s+OPENSSL_UNISTD/) { $unistd = "" if $unistd eq ""; print OUT "#define OPENSSL_UNISTD $unistd\n"; } elsif (/^#((define)|(undef))\s+SIXTY_FOUR_BIT_LONG/) { printf OUT "#%s SIXTY_FOUR_BIT_LONG\n",($b64l)?"define":"undef"; } elsif (/^#((define)|(undef))\s+SIXTY_FOUR_BIT/) { printf OUT "#%s SIXTY_FOUR_BIT\n",($b64)?"define":"undef"; } elsif (/^#((define)|(undef))\s+THIRTY_TWO_BIT/) { printf OUT "#%s THIRTY_TWO_BIT\n",($b32)?"define":"undef"; } elsif (/^#((define)|(undef))\s+SIXTEEN_BIT/) { printf OUT "#%s SIXTEEN_BIT\n",($b16)?"define":"undef"; } elsif (/^#((define)|(undef))\s+EIGHT_BIT/) { printf OUT "#%s EIGHT_BIT\n",($b8)?"define":"undef"; } elsif (/^#((define)|(undef))\s+BN_LLONG\s*$/) { printf OUT "#%s BN_LLONG\n",($bn_ll)?"define":"undef"; } elsif (/^\#define\s+DES_LONG\s+.*/) { printf OUT "#define DES_LONG unsigned %s\n", ($des_int)?'int':'long'; } elsif (/^\#(define|undef)\s+DES_PTR/) { printf OUT "#%s DES_PTR\n",($des_ptr)?'define':'undef'; } elsif (/^\#(define|undef)\s+DES_RISC1/) { printf OUT "#%s DES_RISC1\n",($des_risc1)?'define':'undef'; } elsif (/^\#(define|undef)\s+DES_RISC2/) { printf OUT "#%s DES_RISC2\n",($des_risc2)?'define':'undef'; } elsif (/^\#(define|undef)\s+DES_UNROLL/) { printf OUT "#%s DES_UNROLL\n",($des_unroll)?'define':'undef'; } elsif (/^#define\s+RC4_INT\s/) { printf OUT "#define RC4_INT unsigned %s\n",$type[$rc4_int]; } elsif (/^#undef\s+RC4_CHUNK/) { printf OUT "#undef RC4_CHUNK\n" if $rc4_chunk==0; printf OUT "#define RC4_CHUNK unsigned long\n" if $rc4_chunk==1; printf OUT "#define RC4_CHUNK unsigned long long\n" if $rc4_chunk==2; } elsif (/^#((define)|(undef))\s+RC4_INDEX/) { printf OUT "#%s RC4_INDEX\n",($rc4_idx)?"define":"undef"; } elsif (/^#(define|undef)\s+I386_ONLY/) { printf OUT "#%s I386_ONLY\n", ($processor == 386)? "define":"undef"; } elsif (/^#define\s+MD2_INT\s/) { printf OUT "#define MD2_INT unsigned %s\n",$type[$md2_int]; } elsif (/^#define\s+IDEA_INT\s/) {printf OUT "#define IDEA_INT unsigned %s\n",$type[$idea_int];} elsif (/^#define\s+RC2_INT\s/) {printf OUT "#define RC2_INT unsigned %s\n",$type[$rc2_int];} elsif (/^#(define|undef)\s+BF_PTR/) { printf OUT "#undef BF_PTR\n" if $bf_ptr == 0; printf OUT "#define BF_PTR\n" if $bf_ptr == 1; printf OUT "#define BF_PTR2\n" if $bf_ptr == 2; } else { print OUT $_; } } close(IN); close(OUT); rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h"; rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n"; # Fix the date print "SIXTY_FOUR_BIT_LONG mode\n" if $b64l; print "SIXTY_FOUR_BIT mode\n" if $b64; print "THIRTY_TWO_BIT mode\n" if $b32; print "SIXTEEN_BIT mode\n" if $b16; print "EIGHT_BIT mode\n" if $b8; print "DES_PTR used\n" if $des_ptr; print "DES_RISC1 used\n" if $des_risc1; print "DES_RISC2 used\n" if $des_risc2; print "DES_UNROLL used\n" if $des_unroll; print "DES_INT used\n" if $des_int; print "BN_LLONG mode\n" if $bn_ll; print "RC4 uses u$type[$rc4_int]\n" if $rc4_int != $def_int; print "RC4_INDEX mode\n" if $rc4_idx; print "RC4_CHUNK is undefined\n" if $rc4_chunk==0; print "RC4_CHUNK is unsigned long\n" if $rc4_chunk==1; print "RC4_CHUNK is unsigned long long\n" if $rc4_chunk==2; print "MD2 uses u$type[$md2_int]\n" if $md2_int != $def_int; print "IDEA uses u$type[$idea_int]\n" if $idea_int != $def_int; print "RC2 uses u$type[$rc2_int]\n" if $rc2_int != $def_int; print "BF_PTR used\n" if $bf_ptr == 1; print "BF_PTR2 used\n" if $bf_ptr == 2; if($IsWindows) { open (OUT,">crypto/buildinf.h") || die "Can't open buildinf.h"; printf OUT < 78) { print STDERR "\n"; $k=length($i); } print STDERR $i . " "; } foreach $i (sort keys %table) { next if $i !~ /^debug/; $k += length($i) + 1; if ($k > 78) { print STDERR "\n"; $k=length($i); } print STDERR $i . " "; } print STDERR "\n\nNOTE: If in doubt, on Unix-ish systems use './config'.\n"; exit(1); } sub which { my($name)=@_; my $path; foreach $path (split /:/, $ENV{PATH}) { if (-f "$path/$name" and -x _) { return "$path/$name" unless ($name eq "perl" and system("$path/$name -e " . '\'exit($]<5.0);\'')); } } } sub dofile { my $f; my $p; my %m; my @a; my $k; my $ff; ($f,$p,%m)=@_; open(IN,"<$f.in") || open(IN,"<$f") || die "unable to open $f:$!\n"; @a=; close(IN); foreach $k (keys %m) { grep(/$k/ && ($_=sprintf($m{$k}."\n",$p)),@a); } open(OUT,">$f.new") || die "unable to open $f.new:$!\n"; print OUT @a; close(OUT); rename($f,"$f.bak") || die "unable to rename $f\n" if -e $f; rename("$f.new",$f) || die "unable to rename $f.new\n"; } sub print_table_entry { my $target = shift; (my $cc,my $cflags,my $unistd,my $thread_cflag,my $sys_id,my $lflags, my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj, my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj, my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag, my $shared_ldflag,my $shared_extension,my $ranlib,my $arflags)= split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); print < fail with a certificate verify error? * Why can I only use weak ciphers when I connect to a server using OpenSSL? * How can I create DSA certificates? * Why can't I make an SSL connection using a DSA certificate? * How can I remove the passphrase on a private key? * Why can't I use OpenSSL certificates with SSL client authentication? * Why does my browser give a warning about a mismatched hostname? * How do I install a CA certificate into a browser? * Why is OpenSSL x509 DN output not conformant to RFC2253? [BUILD] Questions about building and testing OpenSSL * Why does the linker complain about undefined symbols? * Why does the OpenSSL test fail with "bc: command not found"? * Why does the OpenSSL test fail with "bc: 1 no implemented"? * Why does the OpenSSL test fail with "bc: stack empty"? * Why does the OpenSSL compilation fail on Alpha Tru64 Unix? * Why does the OpenSSL compilation fail with "ar: command not found"? * Why does the OpenSSL compilation fail on Win32 with VC++? * What is special about OpenSSL on Redhat? * Why does the OpenSSL compilation fail on MacOS X? * Why does the OpenSSL test suite fail on MacOS X? * Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]? * Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"? [PROG] Questions about programming with OpenSSL * Is OpenSSL thread-safe? * I've compiled a program under Windows and it crashes: why? * How do I read or write a DER encoded buffer using the ASN1 functions? * I've tried using and I get errors why? * I've called and it fails, why? * I just get a load of numbers for the error output, what do they mean? * Why do I get errors about unknown algorithms? * Why can't the OpenSSH configure script detect OpenSSL? * Can I use OpenSSL's SSL library with non-blocking I/O? * Why doesn't my server application receive a client certificate? * Why does compilation fail due to an undefined symbol NID_uniqueIdentifier? =============================================================================== [MISC] ======================================================================== * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.7c was released on September 30, 2003. +OpenSSL 0.9.7d was released on March 17, 2004. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at , or get it by anonymous CVS access. * Where is the documentation? OpenSSL is a library that provides cryptographic functionality to applications such as secure web servers. Be sure to read the documentation of the application you want to use. The INSTALL file explains how to install this library. OpenSSL includes a command line utility that can be used to perform a variety of cryptographic functions. It is described in the openssl(1) manpage. Documentation for developers is currently being written. A few manual pages already are available; overviews over libcrypto and libssl are given in the crypto(3) and ssl(3) manpages. The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a different directory if you specified one as described in INSTALL). In addition, you can read the most current versions at . For information on parts of libcrypto that are not yet documented, you might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's predecessor, at . Much of this still applies to OpenSSL. There is some documentation about certificate extensions and PKCS#12 in doc/openssl.txt The original SSLeay documentation is included in OpenSSL as doc/ssleay.txt. It may be useful when none of the other resources help, but please note that it reflects the obsolete version SSLeay 0.6.6. * How can I contact the OpenSSL developers? The README file describes how to submit bug reports and patches to OpenSSL. Information on the OpenSSL mailing lists is available from . * Where can I get a compiled version of OpenSSL? +You can finder pointers to binary distributions in +http://www.openssl.org/related/binaries.html . + Some applications that use OpenSSL are distributed in binary form. When using such an application, you don't need to install OpenSSL yourself; the application will include the required parts (e.g. DLLs). -If you want to install OpenSSL on a Windows system and you don't have +If you want to build OpenSSL on a Windows system and you don't have a C compiler, read the "Mingw32" section of INSTALL.W32 for information on how to obtain and install the free GNU C compiler. A number of Linux and *BSD distributions include OpenSSL. * Why aren't tools like 'autoconf' and 'libtool' used? autoconf will probably be used in future OpenSSL versions. If it was less Unix-centric, it might have been used much earlier. * What is an 'engine' version? With version 0.9.6 OpenSSL was extended to interface to external crypto hardware. This was realized in a special release '0.9.6-engine'. With version 0.9.7 (not yet released) the changes were merged into the main development line, so that the special release is no longer necessary. * How do I check the authenticity of the OpenSSL distribution? We provide MD5 digests and ASC signatures of each tarball. Use MD5 to check that a tarball from a mirror site is identical: md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5 You can check authenticity using pgp or gpg. You need the OpenSSL team member public key used to sign it (download it from a key server). Then just do: pgp TARBALL.asc [LEGAL] ======================================================================= * Do I need patent licenses to use OpenSSL? The patents section of the README file lists patents that may apply to you if you want to use OpenSSL. For information on intellectual property rights, please consult a lawyer. The OpenSSL team does not offer legal advice. You can configure OpenSSL so as not to use RC5 and IDEA by using ./config no-rc5 no-idea * Can I use OpenSSL with GPL software? On many systems including the major Linux and BSD distributions, yes (the GPL does not place restrictions on using libraries that are part of the normal operating system distribution). On other systems, the situation is less clear. Some GPL software copyright holders claim that you infringe on their rights if you use OpenSSL with their software on operating systems that don't normally include OpenSSL. If you develop open source software that uses OpenSSL, you may find it useful to choose an other license than the GPL, or state explicitly that "This program is released under the GPL with the additional exemption that compiling, linking, and/or using OpenSSL is allowed." If you are using GPL software developed by others, you may want to ask the copyright holder for permission to use their software with OpenSSL. [USER] ======================================================================== * Why do I get a "PRNG not seeded" error message? Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide a "randomness device" (/dev/urandom or /dev/random) that serves this purpose. All OpenSSL versions try to use /dev/urandom by default; starting with version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not available. On other systems, applications have to call the RAND_add() or RAND_seed() function with appropriate data before generating keys or performing public key encryption. (These functions initialize the pseudo-random number generator, PRNG.) Some broken applications do not do this. As of version 0.9.5, the OpenSSL functions that need randomness report an error if the random number generator has not been seeded with at least 128 bits of randomness. If this error occurs and is not discussed in the documentation of the application you are using, please contact the author of that application; it is likely that it never worked correctly. OpenSSL 0.9.5 and later make the error visible by refusing to perform potentially insecure encryption. If you are using Solaris 8, you can add /dev/urandom and /dev/random devices by installing patch 112438 (Sparc) or 112439 (x86), which are available via the Patchfinder at (Solaris 9 includes these devices by default). For /dev/random support for earlier Solaris versions, see Sun's statement at (the SUNWski package is available in patch 105710). On systems without /dev/urandom and /dev/random, it is a good idea to use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for details. Starting with version 0.9.7, OpenSSL will automatically look for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and /etc/entropy. Most components of the openssl command line utility automatically try to seed the random number generator from a file. The name of the default seeding file is determined as follows: If environment variable RANDFILE is set, then it names the seeding file. Otherwise if environment variable HOME is set, then the seeding file is $HOME/.rnd. If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will use file .rnd in the current directory while OpenSSL 0.9.6a uses no default seeding file at all. OpenSSL 0.9.6b and later will behave similarly to 0.9.6a, but will use a default of "C:\" for HOME on Windows systems if the environment variable has not been set. If the default seeding file does not exist or is too short, the "PRNG not seeded" error message may occur. The openssl command line utility will write back a new state to the default seeding file (and create this file if necessary) unless there was no sufficient seeding. Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work. Use the "-rand" option of the OpenSSL command line tools instead. The $RANDFILE environment variable and $HOME/.rnd are only used by the OpenSSL command line tools. Applications using the OpenSSL library provide their own configuration options to specify the entropy source, please check out the documentation coming the with application. * Why do I get an "unable to write 'random state'" error message? Sometimes the openssl command line utility does not abort with a "PRNG not seeded" error message, but complains that it is "unable to write 'random state'". This message refers to the default seeding file (see previous answer). A possible reason is that no default filename is known because neither RANDFILE nor HOME is set. (Versions up to 0.9.6 used file ".rnd" in the current directory in this case, but this has changed with 0.9.6a.) * How do I create certificates or certificate requests? Check out the CA.pl(1) manual page. This provides a simple wrapper round the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check out the manual pages for the individual utilities and the certificate extensions documentation (currently in doc/openssl.txt). * Why can't I create certificate requests? You typically get the error: unable to find 'distinguished_name' in config problems making Certificate Request This is because it can't find the configuration file. Check out the DIAGNOSTICS section of req(1) for more information. * Why does fail with a certificate verify error? This problem is usually indicated by log messages saying something like "unable to get local issuer certificate" or "self signed certificate". When a certificate is verified its root CA must be "trusted" by OpenSSL this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues similar error messages: check the verify(1) program manual page for more information. * Why can I only use weak ciphers when I connect to a server using OpenSSL? This is almost certainly because you are using an old "export grade" browser which only supports weak encryption. Upgrade your browser to support 128 bit ciphers. * How can I create DSA certificates? Check the CA.pl(1) manual page for a DSA certificate example. * Why can't I make an SSL connection to a server using a DSA certificate? Typically you'll see a message saying there are no shared ciphers when the same setup works fine with an RSA certificate. There are two possible causes. The client may not support connections to DSA servers most web browsers (including Netscape and MSIE) only support connections to servers supporting RSA cipher suites. The other cause is that a set of DH parameters has not been supplied to the server. DH parameters can be created with the dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: check the source to s_server in apps/s_server.c for an example. * How can I remove the passphrase on a private key? Firstly you should be really *really* sure you want to do this. Leaving a private key unencrypted is a major security risk. If you decide that you do have to do this check the EXAMPLES sections of the rsa(1) and dsa(1) manual pages. * Why can't I use OpenSSL certificates with SSL client authentication? What will typically happen is that when a server requests authentication it will either not include your certificate or tell you that you have no client certificates (Netscape) or present you with an empty list box (MSIE). The reason for this is that when a server requests a client certificate it includes a list of CAs names which it will accept. Browsers will only let you select certificates from the list on the grounds that there is little point presenting a certificate which the server will reject. The solution is to add the relevant CA certificate to your servers "trusted CA list". How you do this depends on the server software in uses. You can print out the servers list of acceptable CAs using the OpenSSL s_client tool: openssl s_client -connect www.some.host:443 -prexit If your server only requests certificates on certain URLs then you may need to manually issue an HTTP GET command to get the list when s_client connects: GET /some/page/needing/a/certificate.html If your CA does not appear in the list then this confirms the problem. * Why does my browser give a warning about a mismatched hostname? Browsers expect the server's hostname to match the value in the commonName (CN) field of the certificate. If it does not then you get a warning. * How do I install a CA certificate into a browser? The usual way is to send the DER encoded certificate to the browser as MIME type application/x-x509-ca-cert, for example by clicking on an appropriate link. On MSIE certain extensions such as .der or .cacert may also work, or you can import the certificate using the certificate import wizard. You can convert a certificate to DER form using the command: openssl x509 -in ca.pem -outform DER -out ca.der Occasionally someone suggests using a command such as: openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem DO NOT DO THIS! This command will give away your CAs private key and reduces its security to zero: allowing anyone to forge certificates in whatever name they choose. * Why is OpenSSL x509 DN output not conformant to RFC2253? The ways to print out the oneline format of the DN (Distinguished Name) have been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex() interface, the "-nameopt" option could be introduded. See the manual page of the "openssl x509" commandline tool for details. The old behaviour has however been left as default for the sake of compatibility. [BUILD] ======================================================================= * Why does the linker complain about undefined symbols? Maybe the compilation was interrupted, and make doesn't notice that something is missing. Run "make clean; make". If you used ./Configure instead of ./config, make sure that you selected the right target. File formats may differ slightly between OS versions (for example sparcv8/sparcv9, or a.out/elf). In case you get errors about the following symbols, use the config option "no-asm", as described in INSTALL: BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt, CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt, RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words, bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4, bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3, des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3, des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order If none of these helps, you may want to try using the current snapshot. If the problem persists, please submit a bug report. * Why does the OpenSSL test fail with "bc: command not found"? You didn't install "bc", the Unix calculator. If you want to run the tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor. * Why does the OpenSSL test fail with "bc: 1 no implemented"? On some SCO installations or versions, bc has a bug that gets triggered when you run the test suite (using "make test"). The message returned is "bc: 1 not implemented". The best way to deal with this is to find another implementation of bc and compile/install it. GNU bc (see http://www.gnu.org/software/software.html for download instructions) can be safely used, for example. * Why does the OpenSSL test fail with "bc: stack empty"? On some DG/ux versions, bc seems to have a too small stack for calculations that the OpenSSL bntest throws at it. This gets triggered when you run the test suite (using "make test"). The message returned is "bc: stack empty". The best way to deal with this is to find another implementation of bc and compile/install it. GNU bc (see http://www.gnu.org/software/software.html for download instructions) can be safely used, for example. * Why does the OpenSSL compilation fail on Alpha Tru64 Unix? On some Alpha installations running Tru64 Unix and Compaq C, the compilation of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual memory to continue compilation.' As far as the tests have shown, this may be a compiler bug. What happens is that it eats up a lot of resident memory to build something, probably a table. The problem is clearly in the optimization code, because if one eliminates optimization completely (-O0), the compilation goes through (and the compiler consumes about 2MB of resident memory instead of 240MB or whatever one's limit is currently). There are three options to solve this problem: 1. set your current data segment size soft limit higher. Experience shows that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of kbytes to set the limit to. 2. If you have a hard limit that is lower than what you need and you can't get it changed, you can compile all of OpenSSL with -O0 as optimization level. This is however not a very nice thing to do for those who expect to get the best result from OpenSSL. A bit more complicated solution is the following: ----- snip:start ----- make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \ sed -e 's/ -O[0-9] / -O0 /'`" rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'` make ----- snip:end ----- This will only compile sha_dgst.c with -O0, the rest with the optimization level chosen by the configuration process. When the above is done, do the test and installation and you're set. * Why does the OpenSSL compilation fail with "ar: command not found"? Getting this message is quite usual on Solaris 2, because Sun has hidden away 'ar' and other development commands in directories that aren't in $PATH by default. One of those directories is '/usr/ccs/bin'. The quickest way to fix this is to do the following (it assumes you use sh or any sh-compatible shell): ----- snip:start ----- PATH=${PATH}:/usr/ccs/bin; export PATH ----- snip:end ----- and then redo the compilation. What you should really do is make sure '/usr/ccs/bin' is permanently in your $PATH, for example through your '.profile' (again, assuming you use a sh-compatible shell). * Why does the OpenSSL compilation fail on Win32 with VC++? Sometimes, you may get reports from VC++ command line (cl) that it can't find standard include files like stdio.h and other weirdnesses. One possible cause is that the environment isn't correctly set up. To solve that problem for VC++ versions up to 6, one should run VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++ installation directory (somewhere under 'Program Files'). For VC++ version 7 (and up?), which is also called VS.NET, the file is called VSVARS32.BAT instead. This needs to be done prior to running NMAKE, and the changes are only valid for the current DOS session. * What is special about OpenSSL on Redhat? Red Hat Linux (release 7.0 and later) include a preinstalled limited version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2 is disabled in this version. The same may apply to other Linux distributions. Users may therefore wish to install more or all of the features left out. To do this you MUST ensure that you do not overwrite the openssl that is in /usr/bin on your Red Hat machine. Several packages depend on this file, including sendmail and ssh. /usr/local/bin is a good alternative choice. The libraries that come with Red Hat 7.0 onwards have different names and so are not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and /lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and /lib/libcrypto.so.2 respectively). Please note that we have been advised by Red Hat attempting to recompile the openssl rpm with all the cryptography enabled will not work. All other packages depend on the original Red Hat supplied openssl package. It is also worth noting that due to the way Red Hat supplies its packages, updates to openssl on each distribution never change the package version, only the build number. For example, on Red Hat 7.1, the latest openssl package has version number 0.9.6 and build number 9 even though it contains all the relevant updates in packages up to and including 0.9.6b. A possible way around this is to persuade Red Hat to produce a non-US version of Red Hat Linux. FYI: Patent numbers and expiry dates of US patents: MDC-2: 4,908,861 13/03/2007 IDEA: 5,214,703 25/05/2010 RC5: 5,724,428 03/03/2015 * Why does the OpenSSL compilation fail on MacOS X? If the failure happens when trying to build the "openssl" binary, with a large number of undefined symbols, it's very probable that you have OpenSSL 0.9.6b delivered with the operating system (you can find out by running '/usr/bin/openssl version') and that you were trying to build OpenSSL 0.9.7 or newer. The problem is that the loader ('ld') in MacOS X has a misfeature that's quite difficult to go around. Look in the file PROBLEMS for a more detailed explanation and for possible solutions. * Why does the OpenSSL test suite fail on MacOS X? If the failure happens when running 'make test' and the RC4 test fails, it's very probable that you have OpenSSL 0.9.6b delivered with the operating system (you can find out by running '/usr/bin/openssl version') and that you were trying to build OpenSSL 0.9.6d. The problem is that the loader ('ld') in MacOS X has a misfeature that's quite difficult to go around and has linked the programs "openssl" and the test programs with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the libraries you just built. Look in the file PROBLEMS for a more detailed explanation and for possible solutions. * Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]? Failure in BN_sqr test is most likely caused by a failure to configure the toolkit for current platform or lack of support for the platform in question. Run './config -t' and './apps/openssl version -p'. Do these platform identifiers match? If they don't, then you most likely failed to run ./config and you're hereby advised to do so before filing a bug report. If ./config itself fails to run, then it's most likely problem with your local environment and you should turn to your system administrator (or similar). If identifiers match (and/or no alternative identifier is suggested by ./config script), then the platform is unsupported. There might or might not be a workaround. Most notably on SPARC64 platforms with GNU C compiler you should be able to produce a working build by running './config -m32'. I understand that -m32 might not be what you want/need, but the build should be operational. For further details turn to . * Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"? As of 0.9.7 assembler routines were overhauled for position independence of the machine code, which is essential for shared library support. For some reason OpenBSD is equipped with an out-of-date GNU assembler which finds the new code offensive. To work around the problem, configure with no-asm (and sacrifice a great deal of performance) or patch your assembler according to . For your convenience a pre-compiled replacement binary is provided at . Reportedly elder *BSD a.out platforms also suffer from this problem and remedy should be same. Provided binary is statically linked and should be working across wider range of *BSD branches, not just OpenBSD. [PROG] ======================================================================== * Is OpenSSL thread-safe? Yes (with limitations: an SSL connection may not concurrently be used by multiple threads). On Windows and many Unix systems, OpenSSL automatically uses the multi-threaded versions of the standard libraries. If your platform is not one of these, consult the INSTALL file. Multi-threaded applications must provide two callback functions to OpenSSL. This is described in the threads(3) manpage. * I've compiled a program under Windows and it crashes: why? This is usually because you've missed the comment in INSTALL.W32. Your application must link against the same version of the Win32 C-Runtime against which your openssl libraries were linked. The default version for OpenSSL is /MD - "Multithreaded DLL". If you are using Microsoft Visual C++'s IDE (Visual Studio), in many cases, your new project most likely defaulted to "Debug Singlethreaded" - /ML. This is NOT interchangeable with /MD and your program will crash, typically on the first BIO related read or write operation. For each of the six possible link stage configurations within Win32, your application must link against the same by which OpenSSL was built. If you are using MS Visual C++ (Studio) this can be changed by: 1. Select Settings... from the Project Menu. 2. Select the C/C++ Tab. 3. Select "Code Generation from the "Category" drop down list box 4. Select the Appropriate library (see table below) from the "Use run-time library" drop down list box. Perform this step for both your debug and release versions of your application (look at the top left of the settings panel to change between the two) Single Threaded /ML - MS VC++ often defaults to this for the release version of a new project. Debug Single Threaded /MLd - MS VC++ often defaults to this for the debug version of a new project. Multithreaded /MT Debug Multithreaded /MTd Multithreaded DLL /MD - OpenSSL defaults to this. Debug Multithreaded DLL /MDd Note that debug and release libraries are NOT interchangeable. If you built OpenSSL with /MD your application must use /MD and cannot use /MDd. * How do I read or write a DER encoded buffer using the ASN1 functions? You have two options. You can either use a memory BIO in conjunction with the i2d_XXX_bio() or d2i_XXX_bio() functions or you can use the i2d_XXX(), d2i_XXX() functions directly. Since these are often the cause of grief here are some code fragments using PKCS7 as an example: unsigned char *buf, *p; int len; len = i2d_PKCS7(p7, NULL); buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */ p = buf; i2d_PKCS7(p7, &p); At this point buf contains the len bytes of the DER encoding of p7. The opposite assumes we already have len bytes in buf: unsigned char *p; p = buf; p7 = d2i_PKCS7(NULL, &p, len); At this point p7 contains a valid PKCS7 structure of NULL if an error occurred. If an error occurred ERR_print_errors(bio) should give more information. The reason for the temporary variable 'p' is that the ASN1 functions increment the passed pointer so it is ready to read or write the next structure. This is often a cause of problems: without the temporary variable the buffer pointer is changed to point just after the data that has been read or written. This may well be uninitialized data and attempts to free the buffer will have unpredictable results because it no longer points to the same address. * I've tried using and I get errors why? This usually happens when you try compiling something using the PKCS#12 macros with a C++ compiler. There is hardly ever any need to use the PKCS#12 macros in a program, it is much easier to parse and create PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions documented in doc/openssl.txt and with examples in demos/pkcs12. The 'pkcs12' application has to use the macros because it prints out debugging information. * I've called and it fails, why? Before submitting a report or asking in one of the mailing lists, you should try to determine the cause. In particular, you should call ERR_print_errors() or ERR_print_errors_fp() after the failed call and see if the message helps. Note that the problem may occur earlier than you think -- you should check for errors after every call where it is possible, otherwise the actual problem may be hidden because some OpenSSL functions clear the error state. * I just get a load of numbers for the error output, what do they mean? The actual format is described in the ERR_print_errors() manual page. You should call the function ERR_load_crypto_strings() before hand and the message will be output in text form. If you can't do this (for example it is a pre-compiled binary) you can use the errstr utility on the error code itself (the hex digits after the second colon). * Why do I get errors about unknown algorithms? This can happen under several circumstances such as reading in an encrypted private key or attempting to decrypt a PKCS#12 file. The cause is forgetting to load OpenSSL's table of algorithms with OpenSSL_add_all_algorithms(). See the manual page for more information. * Why can't the OpenSSH configure script detect OpenSSL? Several reasons for problems with the automatic detection exist. OpenSSH requires at least version 0.9.5a of the OpenSSL libraries. Sometimes the distribution has installed an older version in the system locations that is detected instead of a new one installed. The OpenSSL library might have been compiled for another CPU or another mode (32/64 bits). Permissions might be wrong. The general answer is to check the config.log file generated when running the OpenSSH configure script. It should contain the detailed information on why the OpenSSL library was not detected or considered incompatible. * Can I use OpenSSL's SSL library with non-blocking I/O? Yes; make sure to read the SSL_get_error(3) manual page! A pitfall to avoid: Don't assume that SSL_read() will just read from the underlying transport or that SSL_write() will just write to it -- it is also possible that SSL_write() cannot do any useful work until there is data to read, or that SSL_read() cannot do anything until it is possible to send data. One reason for this is that the peer may request a new TLS/SSL handshake at any time during the protocol, requiring a bi-directional message exchange; both SSL_read() and SSL_write() will try to continue any pending handshake. * Why doesn't my server application receive a client certificate? Due to the TLS protocol definition, a client will only send a certificate, if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the SSL_CTX_set_verify() function to enable the use of client certificates. * Why does compilation fail due to an undefined symbol NID_uniqueIdentifier? For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier versions, uniqueIdentifier was incorrectly used for X.509 certificates. The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier. Change your code to use the new name when compiling against OpenSSL 0.9.7. =============================================================================== diff --git a/crypto/openssl/LICENSE b/crypto/openssl/LICENSE index dddb07842bb3..40277883a592 100644 --- a/crypto/openssl/LICENSE +++ b/crypto/openssl/LICENSE @@ -1,127 +1,127 @@ LICENSE ISSUES ============== The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org. OpenSSL License --------------- /* ==================================================================== - * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ Original SSLeay License ----------------------- /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org index e80b22a32a18..a987a0298b20 100644 --- a/crypto/openssl/Makefile.org +++ b/crypto/openssl/Makefile.org @@ -1,882 +1,886 @@ ## ## Makefile for OpenSSL ## VERSION= MAJOR= MINOR= SHLIB_VERSION_NUMBER= SHLIB_VERSION_HISTORY= SHLIB_MAJOR= SHLIB_MINOR= SHLIB_EXT= PLATFORM=dist OPTIONS= CONFIGURE_ARGS= SHLIB_TARGET= # HERE indicates where this Makefile lives. This can be used to indicate # where sub-Makefiles are expected to be. Currently has very limited usage, # and should probably not be bothered with at all. HERE=. # INSTALL_PREFIX is for package builders so that they can configure # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/. # Normally it is left empty. INSTALL_PREFIX= INSTALLTOP=/usr/local/ssl # Do not edit this manually. Use Configure --openssldir=DIR do change this! OPENSSLDIR=/usr/local/ssl # NO_IDEA - Define to build without the IDEA algorithm # NO_RC4 - Define to build without the RC4 algorithm # NO_RC2 - Define to build without the RC2 algorithm # THREADS - Define when building with threads, you will probably also need any # system defines as well, i.e. _REENTERANT for Solaris 2.[34] # TERMIO - Define the termio terminal subsystem, needed if sgtty is missing. # TERMIOS - Define the termios terminal subsystem, Silicon Graphics. # LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3). # DEVRANDOM - Give this the value of the 'random device' if your OS supports # one. 32 bytes will be read from this when the random # number generator is initalised. # SSL_FORBID_ENULL - define if you want the server to be not able to use the # NULL encryption ciphers. # # LOCK_DEBUG - turns on lots of lock debug output :-) # REF_CHECK - turn on some xyz_free() assertions. # REF_PRINT - prints some stuff on structure free. # CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff # MFUNC - Make all Malloc/Free/Realloc calls call # CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to # call application defined callbacks via CRYPTO_set_mem_functions() # MD5_ASM needs to be defined to use the x86 assembler for MD5 # SHA1_ASM needs to be defined to use the x86 assembler for SHA1 # RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160 # Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8. It must # equal 4. # PKCS1_CHECK - pkcs1 tests. CC= gcc #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM CFLAG= -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM DEPFLAG= PEX_LIBS= EX_LIBS= EXE_EXT= ARFLAGS= AR=ar $(ARFLAGS) r RANLIB= ranlib PERL= perl TAR= tar TARFLAGS= --no-recursion MAKEDEPPROG=makedepend # We let the C compiler driver to take care of .s files. This is done in # order to be excused from maintaining a separate set of architecture # dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC # gcc, then the driver will automatically translate it to -xarch=v8plus # and pass it down to assembler. AS=$(CC) -c ASFLAG=$(CFLAG) # Set BN_ASM to bn_asm.o if you want to use the C version BN_ASM= bn_asm.o #BN_ASM= bn_asm.o #BN_ASM= asm/bn86-elf.o # elf, linux-elf #BN_ASM= asm/bn86-sol.o # solaris #BN_ASM= asm/bn86-out.o # a.out, FreeBSD #BN_ASM= asm/bn86bsdi.o # bsdi #BN_ASM= asm/alpha.o # DEC Alpha #BN_ASM= asm/pa-risc2.o # HP-UX PA-RISC #BN_ASM= asm/r3000.o # SGI MIPS cpu #BN_ASM= asm/sparc.o # Sun solaris/SunOS #BN_ASM= asm/bn-win32.o # Windows 95/NT #BN_ASM= asm/x86w16.o # 16 bit code for Windows 3.1/DOS #BN_ASM= asm/x86w32.o # 32 bit code for Windows 3.1 # For x86 assembler: Set PROCESSOR to 386 if you want to support # the 80386. PROCESSOR= # Set DES_ENC to des_enc.o if you want to use the C version #There are 4 x86 assember options. DES_ENC= asm/dx86-out.o asm/yx86-out.o #DES_ENC= des_enc.o fcrypt_b.o # C #DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf #DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris #DES_ENC= asm/dx86-out.o asm/yx86-out.o # a.out, FreeBSD #DES_ENC= asm/dx86bsdi.o asm/yx86bsdi.o # bsdi # Set BF_ENC to bf_enc.o if you want to use the C version #There are 4 x86 assember options. BF_ENC= asm/bx86-out.o #BF_ENC= bf_enc.o #BF_ENC= asm/bx86-elf.o # elf #BF_ENC= asm/bx86-sol.o # solaris #BF_ENC= asm/bx86-out.o # a.out, FreeBSD #BF_ENC= asm/bx86bsdi.o # bsdi # Set CAST_ENC to c_enc.o if you want to use the C version #There are 4 x86 assember options. CAST_ENC= asm/cx86-out.o #CAST_ENC= c_enc.o #CAST_ENC= asm/cx86-elf.o # elf #CAST_ENC= asm/cx86-sol.o # solaris #CAST_ENC= asm/cx86-out.o # a.out, FreeBSD #CAST_ENC= asm/cx86bsdi.o # bsdi # Set RC4_ENC to rc4_enc.o if you want to use the C version #There are 4 x86 assember options. RC4_ENC= asm/rx86-out.o #RC4_ENC= rc4_enc.o #RC4_ENC= asm/rx86-elf.o # elf #RC4_ENC= asm/rx86-sol.o # solaris #RC4_ENC= asm/rx86-out.o # a.out, FreeBSD #RC4_ENC= asm/rx86bsdi.o # bsdi # Set RC5_ENC to rc5_enc.o if you want to use the C version #There are 4 x86 assember options. RC5_ENC= asm/r586-out.o #RC5_ENC= rc5_enc.o #RC5_ENC= asm/r586-elf.o # elf #RC5_ENC= asm/r586-sol.o # solaris #RC5_ENC= asm/r586-out.o # a.out, FreeBSD #RC5_ENC= asm/r586bsdi.o # bsdi # Also need MD5_ASM defined MD5_ASM_OBJ= asm/mx86-out.o #MD5_ASM_OBJ= asm/mx86-elf.o # elf #MD5_ASM_OBJ= asm/mx86-sol.o # solaris #MD5_ASM_OBJ= asm/mx86-out.o # a.out, FreeBSD #MD5_ASM_OBJ= asm/mx86bsdi.o # bsdi # Also need SHA1_ASM defined SHA1_ASM_OBJ= asm/sx86-out.o #SHA1_ASM_OBJ= asm/sx86-elf.o # elf #SHA1_ASM_OBJ= asm/sx86-sol.o # solaris #SHA1_ASM_OBJ= asm/sx86-out.o # a.out, FreeBSD #SHA1_ASM_OBJ= asm/sx86bsdi.o # bsdi # Also need RMD160_ASM defined RMD160_ASM_OBJ= asm/rm86-out.o #RMD160_ASM_OBJ= asm/rm86-elf.o # elf #RMD160_ASM_OBJ= asm/rm86-sol.o # solaris #RMD160_ASM_OBJ= asm/rm86-out.o # a.out, FreeBSD #RMD160_ASM_OBJ= asm/rm86bsdi.o # bsdi # KRB5 stuff KRB5_INCLUDES= LIBKRB5= # When we're prepared to use shared libraries in the programs we link here # we might set SHLIB_MARK to '$(SHARED_LIBS)'. SHLIB_MARK= DIRS= crypto ssl $(SHLIB_MARK) apps test tools SHLIBDIRS= crypto ssl # dirs in crypto to build SDIRS= \ md2 md4 md5 sha mdc2 hmac ripemd \ des rc2 rc4 rc5 idea bf cast \ bn ec rsa dsa dh dso engine aes \ buffer bio stack lhash rand err objects \ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 # tests to perform. "alltests" is a special word indicating that all tests # should be performed. TESTS = alltests MAKEFILE= Makefile.ssl MAKE= make -f Makefile.ssl MANDIR=$(OPENSSLDIR)/man MAN1=1 MAN3=3 MANSUFFIX= SHELL=/bin/sh TOP= . ONEDIRS=out tmp EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS WDIRS= windows LIBS= libcrypto.a libssl.a SHARED_CRYPTO=libcrypto$(SHLIB_EXT) SHARED_SSL=libssl$(SHLIB_EXT) SHARED_LIBS= SHARED_LIBS_LINK_EXTS= SHARED_LDFLAGS= GENERAL= Makefile BASENAME= openssl NAME= $(BASENAME)-$(VERSION) TARFILE= $(NAME).tar WTARFILE= $(NAME)-win.tar EXHEADER= e_os2.h HEADER= e_os.h # When we're prepared to use shared libraries in the programs we link here # we might remove 'clean-shared' from the targets to perform at this stage all: Makefile.ssl sub_all openssl.pc sub_all: @for i in $(DIRS); \ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making all in $$i..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \ else \ $(MAKE) $$i; \ fi; \ done; libcrypto$(SHLIB_EXT): libcrypto.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ $(MAKE) SHLIBDIRS=crypto build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi clean-shared: @for i in $(SHLIBDIRS); do \ if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ tmp="$(SHARED_LIBS_LINK_EXTS)"; \ for j in $${tmp:-x}; do \ ( set -x; rm -f lib$$i$$j ); \ done; \ fi; \ ( set -x; rm -f lib$$i$(SHLIB_EXT) ); \ if [ "$(PLATFORM)" = "Cygwin" ]; then \ ( set -x; rm -f cyg$$i-$(SHLIB_VERSION_NUMBER)$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \ fi; \ done link-shared: @if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ tmp="$(SHARED_LIBS_LINK_EXTS)"; \ for i in $(SHLIBDIRS); do \ prev=lib$$i$(SHLIB_EXT); \ for j in $${tmp:-x}; do \ ( set -x; \ rm -f lib$$i$$j; ln -s $$prev lib$$i$$j ); \ prev=lib$$i$$j; \ done; \ done; \ fi build-shared: clean-shared do_$(SHLIB_TARGET) link-shared do_bsd-gcc-shared: do_gnu-shared do_linux-shared: do_gnu-shared do_gnu-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,-Bsymbolic \ -Wl,--whole-archive lib$$i.a \ -Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \ libs="-l$$i $$libs"; \ done DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null # For Darwin AKA Mac OS/X (dyld) do_darwin-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; ${CC} --verbose -dynamiclib -o lib$$i${SHLIB_EXT} \ lib$$i.a $$libs -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \ -compatibility_version ${SHLIB_MAJOR}.`echo ${SHLIB_MINOR} | cut -d. -f1` \ -install_name ${INSTALLTOP}/lib/lib$$i${SHLIB_EXT} ) || exit 1; \ libs="-l`basename $$i${SHLIB_EXT} .dylib` $$libs"; \ echo "" ; \ done do_cygwin-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; ${CC} -shared -o cyg$$i-$(SHLIB_VERSION_NUMBER).dll \ -Wl,-Bsymbolic \ -Wl,--whole-archive lib$$i.a \ -Wl,--out-implib,lib$$i.dll.a \ -Wl,--no-whole-archive $$libs ) || exit 1; \ libs="-l$$i $$libs"; \ done # This assumes that GNU utilities are *not* used do_alpha-osf1-shared: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # This assumes that GNU utilities are *not* used # The difference between alpha-osf1-shared and tru64-shared is the `-msym' # option passed to the linker. do_tru64-shared: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -msym -o lib$$i.so \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # This assumes that GNU utilities are *not* used # The difference between tru64-shared and tru64-shared-rpath is the # -rpath ${INSTALLTOP}/lib passed to the linker. do_tru64-shared-rpath: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -msym -o lib$$i.so \ -rpath ${INSTALLTOP}/lib \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # This assumes that GNU utilities are *not* used do_solaris-shared: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ MINUSZ='-z '; \ (${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \ set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \ -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ $${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \ $$libs ${EX_LIBS} -lc ) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # OpenServer 5 native compilers used do_svr3-shared: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ find . -name "*.o" -print > allobjs ; \ OBJS= ; export OBJS ; \ for obj in `ar t lib$$i.a` ; do \ OBJS="$${OBJS} `grep /$$obj allobjs`" ; \ done ; \ set -x; ${CC} ${SHARED_LDFLAGS} \ -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ $${OBJS} $$libs ${EX_LIBS} ) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # UnixWare 7 and OpenUNIX 8 native compilers used do_svr5-shared: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ SHARE_FLAG='-G'; \ (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \ find . -name "*.o" -print > allobjs ; \ OBJS= ; export OBJS ; \ for obj in `ar t lib$$i.a` ; do \ OBJS="$${OBJS} `grep /$$obj allobjs`" ; \ done ; \ set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \ ${CC} ${SHARED_LDFLAGS} \ $${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ $${OBJS} $$libs ${EX_LIBS} ) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # This assumes that GNU utilities are *not* used do_irix-shared: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ - ( set -x; ${CC} ${SHARED_LDFLAGS} \ + ( WHOLELIB="-all lib$$i.a -notall"; \ + (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-notall"; \ + set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -all lib$$i.a $$libs ${EX_LIBS} -lc) || exit 1; \ + $${WHOLELIB} $$libs ${EX_LIBS} -lc) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # This assumes that GNU utilities are *not* used # HP-UX includes the full pathname of libs we depend on, so we would get # ./libcrypto (with ./ as path information) compiled into libssl, hence # we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto # anyway. # The object modules are loaded from lib$i.a using the undocumented -Fl # option. # # WARNING: Until DSO is fixed to support a search path, we support SHLIB_PATH # by temporarily specifying "+s"! # do_hpux-shared: for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \ +vnocompatwarnings \ -b -z +s \ -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Fl lib$$i.a -ldld -lc ) || exit 1; \ chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ done # This assumes that GNU utilities are *not* used # HP-UX includes the full pathname of libs we depend on, so we would get # ./libcrypto (with ./ as path information) compiled into libssl, hence # we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto # anyway. # # HP-UX in 64bit mode has "+s" enabled by default; it will search for # shared libraries along LD_LIBRARY_PATH _and_ SHLIB_PATH. # do_hpux64-shared: for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \ -b -z \ -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +forceload lib$$i.a -ldl -lc ) || exit 1; \ chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ done # The following method is said to work on all platforms. Tests will # determine if that's how it's gong to be used. # This assumes that for all but GNU systems, GNU utilities are *not* used. # ALLSYMSFLAGS would be: # GNU systems: --whole-archive # Tru64 Unix: -all # Solaris: -z allextract # Irix: -all # HP/UX-32bit: -Fl # HP/UX-64bit: +forceload # AIX: -bnogc # SHAREDFLAGS would be: # GNU systems: -shared -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} # Tru64 Unix: -shared \ # -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" # Solaris: -G -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} # Irix: -shared -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} # HP/UX-32bit: +vnocompatwarnings -b -z +s \ # +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} # HP/UX-64bit: -b -z +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} # AIX: -G -bE:lib$$i.exp -bM:SRE # SHAREDCMD would be: # GNU systems: $(CC) # Tru64 Unix: $(CC) # Solaris: $(CC) # Irix: $(CC) # HP/UX-32bit: /usr/ccs/bin/ld # HP/UX-64bit: /usr/ccs/bin/ld # AIX: $(CC) ALLSYMSFLAG=-bnogc SHAREDFLAGS=${SHARED_LDFLAGS} -G -bE:lib$$i.exp -bM:SRE SHAREDCMD=$(CC) do_aix-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; \ ld -r -o lib$$i.o $(ALLSYMSFLAG) lib$$i.a && \ ( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \ $(SHAREDCMD) $(SHAREDFLAGS) \ -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} lib$$i.o \ $$libs ${EX_LIBS} ) ) \ || exit 1; \ libs="-l$$i $$libs"; \ done do_reliantunix-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ tmpdir=/tmp/openssl.$$$$ ; rm -rf $$tmpdir ; \ ( set -x; \ ( Opwd=`pwd` ; mkdir $$tmpdir || exit 1; \ cd $$tmpdir || exit 1 ; ar x $$Opwd/lib$$i.a ; \ ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} *.o \ ) || exit 1; \ cp $$tmpdir/lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} . ; \ ) || exit 1; \ rm -rf $$tmpdir ; \ libs="-l$$i $$libs"; \ done openssl.pc: Makefile.ssl @ ( echo 'prefix=$(INSTALLTOP)'; \ echo 'exec_prefix=$${prefix}'; \ echo 'libdir=$${exec_prefix}/lib'; \ echo 'includedir=$${prefix}/include'; \ echo ''; \ echo 'Name: OpenSSL'; \ echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ echo 'Version: '$(VERSION); \ echo 'Requires: '; \ echo 'Libs: -L$${libdir} -lssl -lcrypto $(LIBKRB5) $(EX_LIBS)'; \ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc Makefile.ssl: Makefile.org @echo "Makefile.ssl is older than Makefile.org." @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please." @false libclean: rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib clean: libclean rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making clean in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \ rm -f $(LIBS); \ fi; \ done; rm -f openssl.pc rm -f speed.* .pure rm -f $(TARFILE) @for i in $(ONEDIRS) ;\ do \ rm -fr $$i/*; \ done makefile.one: files $(PERL) util/mk1mf.pl >makefile.one; \ sh util/do_ms.sh files: $(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making 'files' in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \ fi; \ done; links: @$(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) @for i in $(DIRS); do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making links in $$i..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \ fi; \ done; gentests: @(cd test && echo "generating dummy tests (if needed)..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate ); dclean: rm -f *.bak @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making dclean in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \ fi; \ done; rehash: rehash.time rehash.time: certs @(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \ export OPENSSL OPENSSL_DEBUG_MEMORY; \ LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ LIBPATH="`pwd`:$$LIBPATH"; \ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ $(PERL) tools/c_rehash certs) touch rehash.time test: tests tests: rehash @(cd test && echo "testing..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests ); @LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ LIBPATH="`pwd`:$$LIBPATH"; \ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ apps/openssl version -a report: @$(PERL) util/selftest.pl depend: @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making dependencies $$i..." && \ $(MAKE) SDIRS='${SDIRS}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ) || exit 1; \ fi; \ done; lint: @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making lint $$i..." && \ $(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \ fi; \ done; tags: @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making tags $$i..." && \ $(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \ fi; \ done; errors: $(PERL) util/mkerr.pl -recurse -write (cd crypto/engine; $(MAKE) PERL=$(PERL) errors) stacks: $(PERL) util/mkstack.pl -write util/libeay.num:: $(PERL) util/mkdef.pl crypto update util/ssleay.num:: $(PERL) util/mkdef.pl ssl update crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h $(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num $(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h TABLE: Configure (echo 'Output of `Configure TABLE'"':"; \ $(PERL) Configure TABLE) > TABLE update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE # Build distribution tar-file. As the list of files returned by "find" is # pretty long, on several platforms a "too many arguments" error or similar # would occur. Therefore the list of files is temporarily stored into a file # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal # tar does not support the --files-from option. tar: find . -type d -print | xargs chmod 755 find . -type f -print | xargs chmod a+r find . -type f -perm -0100 -print | xargs chmod a+x find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \ $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \ tardy --user_number=0 --user_name=openssl \ --group_number=0 --group_name=openssl \ --prefix=openssl-$(VERSION) - |\ gzip --best >../$(TARFILE).gz; \ rm -f ../$(TARFILE).list; \ ls -l ../$(TARFILE).gz tar-snap: @$(TAR) $(TARFLAGS) -cvf - \ `find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\ tardy --user_number=0 --user_name=openssl \ --group_number=0 --group_name=openssl \ --prefix=openssl-$(VERSION) - > ../$(TARFILE);\ ls -l ../$(TARFILE) dist: $(PERL) Configure dist @$(MAKE) dist_pem_h @$(MAKE) SDIRS='${SDIRS}' clean @$(MAKE) TAR='${TAR}' TARFLAGS='${TARFLAGS}' tar dist_pem_h: (cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean) install: all install_docs @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \ $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \ $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \ $(INSTALL_PREFIX)$(OPENSSLDIR)/private \ $(INSTALL_PREFIX)$(OPENSSLDIR)/lib @for i in $(EXHEADER) ;\ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i; echo "installing $$i..."; \ $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' install ); \ fi; \ done @for i in $(LIBS) ;\ do \ if [ -f "$$i" ]; then \ ( echo installing $$i; \ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi; \ done; @if [ -n "$(SHARED_LIBS)" ]; then \ tmp="$(SHARED_LIBS)"; \ for i in $${tmp:-x}; \ do \ if [ -f "$$i" -o -f "$$i.a" ]; then \ ( echo installing $$i; \ if [ "$(PLATFORM)" != "Cygwin" ]; then \ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ else \ c=`echo $$i | sed 's/^lib\(.*\)\.dll/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \ cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ fi ); \ fi; \ done; \ ( here="`pwd`"; \ cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ set $(MAKE); \ $$1 -f $$here/Makefile link-shared ); \ if [ "$(INSTALLTOP)" != "/usr" ]; then \ echo 'OpenSSL shared libraries have been installed in:'; \ echo ' $(INSTALLTOP)'; \ echo ''; \ sed -e '1,/^$$/d' doc/openssl-shared.txt; \ fi; \ fi cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc install_docs: @$(PERL) $(TOP)/util/mkdir-p.pl \ $(INSTALL_PREFIX)$(MANDIR)/man1 \ $(INSTALL_PREFIX)$(MANDIR)/man3 \ $(INSTALL_PREFIX)$(MANDIR)/man5 \ $(INSTALL_PREFIX)$(MANDIR)/man7 @pod2man="`cd util; ./pod2mantest $(PERL)`"; \ here="`pwd`"; \ filecase=; \ if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" ]; then \ filecase=-i; \ fi; \ for i in doc/apps/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ grep -v $$filecase "^$$fn\$$" | \ + grep -v "[ ]" | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ done); \ done; \ for i in doc/crypto/*.pod doc/ssl/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ grep -v $$filecase "^$$fn\$$" | \ + grep -v "[ ]" | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ done); \ done # DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/crypto/openssl/Makefile.ssl b/crypto/openssl/Makefile.ssl index 2a74a3db04f4..c8155a7628f8 100644 --- a/crypto/openssl/Makefile.ssl +++ b/crypto/openssl/Makefile.ssl @@ -1,884 +1,888 @@ ### Generated automatically from Makefile.org by Configure. ## ## Makefile for OpenSSL ## -VERSION=0.9.7c +VERSION=0.9.7d MAJOR=0 MINOR=9.7 SHLIB_VERSION_NUMBER=0.9.7 SHLIB_VERSION_HISTORY= SHLIB_MAJOR=0 SHLIB_MINOR=9.7 SHLIB_EXT= -PLATFORM=VC-WIN16 +PLATFORM=dist OPTIONS= no-krb5 -CONFIGURE_ARGS=VC-WIN16 +CONFIGURE_ARGS=dist SHLIB_TARGET= # HERE indicates where this Makefile lives. This can be used to indicate # where sub-Makefiles are expected to be. Currently has very limited usage, # and should probably not be bothered with at all. HERE=. # INSTALL_PREFIX is for package builders so that they can configure # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/. # Normally it is left empty. INSTALL_PREFIX= INSTALLTOP=/usr/local/ssl # Do not edit this manually. Use Configure --openssldir=DIR do change this! OPENSSLDIR=/usr/local/ssl # NO_IDEA - Define to build without the IDEA algorithm # NO_RC4 - Define to build without the RC4 algorithm # NO_RC2 - Define to build without the RC2 algorithm # THREADS - Define when building with threads, you will probably also need any # system defines as well, i.e. _REENTERANT for Solaris 2.[34] # TERMIO - Define the termio terminal subsystem, needed if sgtty is missing. # TERMIOS - Define the termios terminal subsystem, Silicon Graphics. # LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3). # DEVRANDOM - Give this the value of the 'random device' if your OS supports # one. 32 bytes will be read from this when the random # number generator is initalised. # SSL_FORBID_ENULL - define if you want the server to be not able to use the # NULL encryption ciphers. # # LOCK_DEBUG - turns on lots of lock debug output :-) # REF_CHECK - turn on some xyz_free() assertions. # REF_PRINT - prints some stuff on structure free. # CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff # MFUNC - Make all Malloc/Free/Realloc calls call # CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to # call application defined callbacks via CRYPTO_set_mem_functions() # MD5_ASM needs to be defined to use the x86 assembler for MD5 # SHA1_ASM needs to be defined to use the x86 assembler for SHA1 # RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160 # Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8. It must # equal 4. # PKCS1_CHECK - pkcs1 tests. -CC= cl +CC= cc #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -CFLAG= -DOPENSSL_SYSNAME_WIN16 -DOPENSSL_NO_KRB5 +CFLAG= -DOPENSSL_NO_KRB5 -O DEPFLAG= PEX_LIBS= EX_LIBS= EXE_EXT= ARFLAGS= AR=ar $(ARFLAGS) r RANLIB= /usr/bin/ranlib -PERL= /usr/local/bin/perl5 +PERL= /usr/local/bin/perl TAR= tar TARFLAGS= --no-recursion MAKEDEPPROG=makedepend # We let the C compiler driver to take care of .s files. This is done in # order to be excused from maintaining a separate set of architecture # dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC # gcc, then the driver will automatically translate it to -xarch=v8plus # and pass it down to assembler. AS=$(CC) -c ASFLAG=$(CFLAG) # Set BN_ASM to bn_asm.o if you want to use the C version BN_ASM= bn_asm.o #BN_ASM= bn_asm.o #BN_ASM= asm/bn86-elf.o # elf, linux-elf #BN_ASM= asm/bn86-sol.o # solaris #BN_ASM= asm/bn86-out.o # a.out, FreeBSD #BN_ASM= asm/bn86bsdi.o # bsdi #BN_ASM= asm/alpha.o # DEC Alpha #BN_ASM= asm/pa-risc2.o # HP-UX PA-RISC #BN_ASM= asm/r3000.o # SGI MIPS cpu #BN_ASM= asm/sparc.o # Sun solaris/SunOS #BN_ASM= asm/bn-win32.o # Windows 95/NT #BN_ASM= asm/x86w16.o # 16 bit code for Windows 3.1/DOS #BN_ASM= asm/x86w32.o # 32 bit code for Windows 3.1 # For x86 assembler: Set PROCESSOR to 386 if you want to support # the 80386. PROCESSOR= # Set DES_ENC to des_enc.o if you want to use the C version #There are 4 x86 assember options. DES_ENC= des_enc.o fcrypt_b.o #DES_ENC= des_enc.o fcrypt_b.o # C #DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf #DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris #DES_ENC= asm/dx86-out.o asm/yx86-out.o # a.out, FreeBSD #DES_ENC= asm/dx86bsdi.o asm/yx86bsdi.o # bsdi # Set BF_ENC to bf_enc.o if you want to use the C version #There are 4 x86 assember options. BF_ENC= bf_enc.o #BF_ENC= bf_enc.o #BF_ENC= asm/bx86-elf.o # elf #BF_ENC= asm/bx86-sol.o # solaris #BF_ENC= asm/bx86-out.o # a.out, FreeBSD #BF_ENC= asm/bx86bsdi.o # bsdi # Set CAST_ENC to c_enc.o if you want to use the C version #There are 4 x86 assember options. CAST_ENC= c_enc.o #CAST_ENC= c_enc.o #CAST_ENC= asm/cx86-elf.o # elf #CAST_ENC= asm/cx86-sol.o # solaris #CAST_ENC= asm/cx86-out.o # a.out, FreeBSD #CAST_ENC= asm/cx86bsdi.o # bsdi # Set RC4_ENC to rc4_enc.o if you want to use the C version #There are 4 x86 assember options. RC4_ENC= rc4_enc.o #RC4_ENC= rc4_enc.o #RC4_ENC= asm/rx86-elf.o # elf #RC4_ENC= asm/rx86-sol.o # solaris #RC4_ENC= asm/rx86-out.o # a.out, FreeBSD #RC4_ENC= asm/rx86bsdi.o # bsdi # Set RC5_ENC to rc5_enc.o if you want to use the C version #There are 4 x86 assember options. RC5_ENC= rc5_enc.o #RC5_ENC= rc5_enc.o #RC5_ENC= asm/r586-elf.o # elf #RC5_ENC= asm/r586-sol.o # solaris #RC5_ENC= asm/r586-out.o # a.out, FreeBSD #RC5_ENC= asm/r586bsdi.o # bsdi # Also need MD5_ASM defined MD5_ASM_OBJ= #MD5_ASM_OBJ= asm/mx86-elf.o # elf #MD5_ASM_OBJ= asm/mx86-sol.o # solaris #MD5_ASM_OBJ= asm/mx86-out.o # a.out, FreeBSD #MD5_ASM_OBJ= asm/mx86bsdi.o # bsdi # Also need SHA1_ASM defined SHA1_ASM_OBJ= #SHA1_ASM_OBJ= asm/sx86-elf.o # elf #SHA1_ASM_OBJ= asm/sx86-sol.o # solaris #SHA1_ASM_OBJ= asm/sx86-out.o # a.out, FreeBSD #SHA1_ASM_OBJ= asm/sx86bsdi.o # bsdi # Also need RMD160_ASM defined RMD160_ASM_OBJ= #RMD160_ASM_OBJ= asm/rm86-elf.o # elf #RMD160_ASM_OBJ= asm/rm86-sol.o # solaris #RMD160_ASM_OBJ= asm/rm86-out.o # a.out, FreeBSD #RMD160_ASM_OBJ= asm/rm86bsdi.o # bsdi # KRB5 stuff KRB5_INCLUDES= LIBKRB5= # When we're prepared to use shared libraries in the programs we link here # we might set SHLIB_MARK to '$(SHARED_LIBS)'. SHLIB_MARK= DIRS= crypto ssl $(SHLIB_MARK) apps test tools SHLIBDIRS= crypto ssl # dirs in crypto to build SDIRS= \ md2 md4 md5 sha mdc2 hmac ripemd \ des rc2 rc4 rc5 idea bf cast \ bn ec rsa dsa dh dso engine aes \ buffer bio stack lhash rand err objects \ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 # tests to perform. "alltests" is a special word indicating that all tests # should be performed. TESTS = alltests MAKEFILE= Makefile.ssl MAKE= make -f Makefile.ssl MANDIR=$(OPENSSLDIR)/man MAN1=1 MAN3=3 MANSUFFIX= SHELL=/bin/sh TOP= . ONEDIRS=out tmp EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS WDIRS= windows LIBS= libcrypto.a libssl.a SHARED_CRYPTO=libcrypto$(SHLIB_EXT) SHARED_SSL=libssl$(SHLIB_EXT) SHARED_LIBS= SHARED_LIBS_LINK_EXTS= SHARED_LDFLAGS= GENERAL= Makefile BASENAME= openssl NAME= $(BASENAME)-$(VERSION) TARFILE= $(NAME).tar WTARFILE= $(NAME)-win.tar EXHEADER= e_os2.h HEADER= e_os.h # When we're prepared to use shared libraries in the programs we link here # we might remove 'clean-shared' from the targets to perform at this stage all: Makefile.ssl sub_all openssl.pc sub_all: @for i in $(DIRS); \ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making all in $$i..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \ else \ $(MAKE) $$i; \ fi; \ done; libcrypto$(SHLIB_EXT): libcrypto.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ $(MAKE) SHLIBDIRS=crypto build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi clean-shared: @for i in $(SHLIBDIRS); do \ if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ tmp="$(SHARED_LIBS_LINK_EXTS)"; \ for j in $${tmp:-x}; do \ ( set -x; rm -f lib$$i$$j ); \ done; \ fi; \ ( set -x; rm -f lib$$i$(SHLIB_EXT) ); \ if [ "$(PLATFORM)" = "Cygwin" ]; then \ ( set -x; rm -f cyg$$i-$(SHLIB_VERSION_NUMBER)$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \ fi; \ done link-shared: @if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ tmp="$(SHARED_LIBS_LINK_EXTS)"; \ for i in $(SHLIBDIRS); do \ prev=lib$$i$(SHLIB_EXT); \ for j in $${tmp:-x}; do \ ( set -x; \ rm -f lib$$i$$j; ln -s $$prev lib$$i$$j ); \ prev=lib$$i$$j; \ done; \ done; \ fi build-shared: clean-shared do_$(SHLIB_TARGET) link-shared do_bsd-gcc-shared: do_gnu-shared do_linux-shared: do_gnu-shared do_gnu-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,-Bsymbolic \ -Wl,--whole-archive lib$$i.a \ -Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \ libs="-l$$i $$libs"; \ done DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null # For Darwin AKA Mac OS/X (dyld) do_darwin-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; ${CC} --verbose -dynamiclib -o lib$$i${SHLIB_EXT} \ lib$$i.a $$libs -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \ -compatibility_version ${SHLIB_MAJOR}.`echo ${SHLIB_MINOR} | cut -d. -f1` \ -install_name ${INSTALLTOP}/lib/lib$$i${SHLIB_EXT} ) || exit 1; \ libs="-l`basename $$i${SHLIB_EXT} .dylib` $$libs"; \ echo "" ; \ done do_cygwin-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; ${CC} -shared -o cyg$$i-$(SHLIB_VERSION_NUMBER).dll \ -Wl,-Bsymbolic \ -Wl,--whole-archive lib$$i.a \ -Wl,--out-implib,lib$$i.dll.a \ -Wl,--no-whole-archive $$libs ) || exit 1; \ libs="-l$$i $$libs"; \ done # This assumes that GNU utilities are *not* used do_alpha-osf1-shared: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # This assumes that GNU utilities are *not* used # The difference between alpha-osf1-shared and tru64-shared is the `-msym' # option passed to the linker. do_tru64-shared: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -msym -o lib$$i.so \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # This assumes that GNU utilities are *not* used # The difference between tru64-shared and tru64-shared-rpath is the # -rpath ${INSTALLTOP}/lib passed to the linker. do_tru64-shared-rpath: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -msym -o lib$$i.so \ -rpath ${INSTALLTOP}/lib \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # This assumes that GNU utilities are *not* used do_solaris-shared: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ MINUSZ='-z '; \ (${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \ set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \ -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ $${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \ $$libs ${EX_LIBS} -lc ) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # OpenServer 5 native compilers used do_svr3-shared: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ find . -name "*.o" -print > allobjs ; \ OBJS= ; export OBJS ; \ for obj in `ar t lib$$i.a` ; do \ OBJS="$${OBJS} `grep /$$obj allobjs`" ; \ done ; \ set -x; ${CC} ${SHARED_LDFLAGS} \ -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ $${OBJS} $$libs ${EX_LIBS} ) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # UnixWare 7 and OpenUNIX 8 native compilers used do_svr5-shared: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ SHARE_FLAG='-G'; \ (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \ find . -name "*.o" -print > allobjs ; \ OBJS= ; export OBJS ; \ for obj in `ar t lib$$i.a` ; do \ OBJS="$${OBJS} `grep /$$obj allobjs`" ; \ done ; \ set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \ ${CC} ${SHARED_LDFLAGS} \ $${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ $${OBJS} $$libs ${EX_LIBS} ) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # This assumes that GNU utilities are *not* used do_irix-shared: if ${DETECT_GNU_LD}; then \ $(MAKE) do_gnu-shared; \ else \ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ - ( set -x; ${CC} ${SHARED_LDFLAGS} \ + ( WHOLELIB="-all lib$$i.a -notall"; \ + (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-notall"; \ + set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -all lib$$i.a $$libs ${EX_LIBS} -lc) || exit 1; \ + $${WHOLELIB} $$libs ${EX_LIBS} -lc) || exit 1; \ libs="-l$$i $$libs"; \ done; \ fi # This assumes that GNU utilities are *not* used # HP-UX includes the full pathname of libs we depend on, so we would get # ./libcrypto (with ./ as path information) compiled into libssl, hence # we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto # anyway. # The object modules are loaded from lib$i.a using the undocumented -Fl # option. # # WARNING: Until DSO is fixed to support a search path, we support SHLIB_PATH # by temporarily specifying "+s"! # do_hpux-shared: for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \ +vnocompatwarnings \ -b -z +s \ -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Fl lib$$i.a -ldld -lc ) || exit 1; \ chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ done # This assumes that GNU utilities are *not* used # HP-UX includes the full pathname of libs we depend on, so we would get # ./libcrypto (with ./ as path information) compiled into libssl, hence # we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto # anyway. # # HP-UX in 64bit mode has "+s" enabled by default; it will search for # shared libraries along LD_LIBRARY_PATH _and_ SHLIB_PATH. # do_hpux64-shared: for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \ -b -z \ -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +forceload lib$$i.a -ldl -lc ) || exit 1; \ chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ done # The following method is said to work on all platforms. Tests will # determine if that's how it's gong to be used. # This assumes that for all but GNU systems, GNU utilities are *not* used. # ALLSYMSFLAGS would be: # GNU systems: --whole-archive # Tru64 Unix: -all # Solaris: -z allextract # Irix: -all # HP/UX-32bit: -Fl # HP/UX-64bit: +forceload # AIX: -bnogc # SHAREDFLAGS would be: # GNU systems: -shared -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} # Tru64 Unix: -shared \ # -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" # Solaris: -G -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} # Irix: -shared -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} # HP/UX-32bit: +vnocompatwarnings -b -z +s \ # +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} # HP/UX-64bit: -b -z +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} # AIX: -G -bE:lib$$i.exp -bM:SRE # SHAREDCMD would be: # GNU systems: $(CC) # Tru64 Unix: $(CC) # Solaris: $(CC) # Irix: $(CC) # HP/UX-32bit: /usr/ccs/bin/ld # HP/UX-64bit: /usr/ccs/bin/ld # AIX: $(CC) ALLSYMSFLAG=-bnogc SHAREDFLAGS=${SHARED_LDFLAGS} -G -bE:lib$$i.exp -bM:SRE SHAREDCMD=$(CC) do_aix-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ ( set -x; \ ld -r -o lib$$i.o $(ALLSYMSFLAG) lib$$i.a && \ ( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \ $(SHAREDCMD) $(SHAREDFLAGS) \ -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} lib$$i.o \ $$libs ${EX_LIBS} ) ) \ || exit 1; \ libs="-l$$i $$libs"; \ done do_reliantunix-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ libs="$(LIBKRB5) $$libs"; \ fi; \ tmpdir=/tmp/openssl.$$$$ ; rm -rf $$tmpdir ; \ ( set -x; \ ( Opwd=`pwd` ; mkdir $$tmpdir || exit 1; \ cd $$tmpdir || exit 1 ; ar x $$Opwd/lib$$i.a ; \ ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} *.o \ ) || exit 1; \ cp $$tmpdir/lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} . ; \ ) || exit 1; \ rm -rf $$tmpdir ; \ libs="-l$$i $$libs"; \ done openssl.pc: Makefile.ssl @ ( echo 'prefix=$(INSTALLTOP)'; \ echo 'exec_prefix=$${prefix}'; \ echo 'libdir=$${exec_prefix}/lib'; \ echo 'includedir=$${prefix}/include'; \ echo ''; \ echo 'Name: OpenSSL'; \ echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ echo 'Version: '$(VERSION); \ echo 'Requires: '; \ echo 'Libs: -L$${libdir} -lssl -lcrypto $(LIBKRB5) $(EX_LIBS)'; \ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc Makefile.ssl: Makefile.org @echo "Makefile.ssl is older than Makefile.org." @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please." @false libclean: rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib clean: libclean rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making clean in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \ rm -f $(LIBS); \ fi; \ done; rm -f openssl.pc rm -f speed.* .pure rm -f $(TARFILE) @for i in $(ONEDIRS) ;\ do \ rm -fr $$i/*; \ done makefile.one: files $(PERL) util/mk1mf.pl >makefile.one; \ sh util/do_ms.sh files: $(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making 'files' in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \ fi; \ done; links: @$(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) @for i in $(DIRS); do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making links in $$i..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \ fi; \ done; gentests: @(cd test && echo "generating dummy tests (if needed)..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate ); dclean: rm -f *.bak @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making dclean in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \ fi; \ done; rehash: rehash.time rehash.time: certs @(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \ export OPENSSL OPENSSL_DEBUG_MEMORY; \ LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ LIBPATH="`pwd`:$$LIBPATH"; \ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ $(PERL) tools/c_rehash certs) touch rehash.time test: tests tests: rehash @(cd test && echo "testing..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests ); @LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ LIBPATH="`pwd`:$$LIBPATH"; \ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ apps/openssl version -a report: @$(PERL) util/selftest.pl depend: @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making dependencies $$i..." && \ $(MAKE) SDIRS='${SDIRS}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ) || exit 1; \ fi; \ done; lint: @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making lint $$i..." && \ $(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \ fi; \ done; tags: @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i && echo "making tags $$i..." && \ $(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \ fi; \ done; errors: $(PERL) util/mkerr.pl -recurse -write (cd crypto/engine; $(MAKE) PERL=$(PERL) errors) stacks: $(PERL) util/mkstack.pl -write util/libeay.num:: $(PERL) util/mkdef.pl crypto update util/ssleay.num:: $(PERL) util/mkdef.pl ssl update crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h $(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num $(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h TABLE: Configure (echo 'Output of `Configure TABLE'"':"; \ $(PERL) Configure TABLE) > TABLE update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE # Build distribution tar-file. As the list of files returned by "find" is # pretty long, on several platforms a "too many arguments" error or similar # would occur. Therefore the list of files is temporarily stored into a file # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal # tar does not support the --files-from option. tar: find . -type d -print | xargs chmod 755 find . -type f -print | xargs chmod a+r find . -type f -perm -0100 -print | xargs chmod a+x find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \ $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \ tardy --user_number=0 --user_name=openssl \ --group_number=0 --group_name=openssl \ --prefix=openssl-$(VERSION) - |\ gzip --best >../$(TARFILE).gz; \ rm -f ../$(TARFILE).list; \ ls -l ../$(TARFILE).gz tar-snap: @$(TAR) $(TARFLAGS) -cvf - \ `find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\ tardy --user_number=0 --user_name=openssl \ --group_number=0 --group_name=openssl \ --prefix=openssl-$(VERSION) - > ../$(TARFILE);\ ls -l ../$(TARFILE) dist: $(PERL) Configure dist @$(MAKE) dist_pem_h @$(MAKE) SDIRS='${SDIRS}' clean @$(MAKE) TAR='${TAR}' TARFLAGS='${TARFLAGS}' tar dist_pem_h: (cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean) install: all install_docs @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \ $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \ $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \ $(INSTALL_PREFIX)$(OPENSSLDIR)/private \ $(INSTALL_PREFIX)$(OPENSSLDIR)/lib @for i in $(EXHEADER) ;\ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ (cd $$i; echo "installing $$i..."; \ $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' install ); \ fi; \ done @for i in $(LIBS) ;\ do \ if [ -f "$$i" ]; then \ ( echo installing $$i; \ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi; \ done; @if [ -n "$(SHARED_LIBS)" ]; then \ tmp="$(SHARED_LIBS)"; \ for i in $${tmp:-x}; \ do \ if [ -f "$$i" -o -f "$$i.a" ]; then \ ( echo installing $$i; \ if [ "$(PLATFORM)" != "Cygwin" ]; then \ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ else \ c=`echo $$i | sed 's/^lib\(.*\)\.dll/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \ cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ fi ); \ fi; \ done; \ ( here="`pwd`"; \ cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ set $(MAKE); \ $$1 -f $$here/Makefile link-shared ); \ if [ "$(INSTALLTOP)" != "/usr" ]; then \ echo 'OpenSSL shared libraries have been installed in:'; \ echo ' $(INSTALLTOP)'; \ echo ''; \ sed -e '1,/^$$/d' doc/openssl-shared.txt; \ fi; \ fi cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc install_docs: @$(PERL) $(TOP)/util/mkdir-p.pl \ $(INSTALL_PREFIX)$(MANDIR)/man1 \ $(INSTALL_PREFIX)$(MANDIR)/man3 \ $(INSTALL_PREFIX)$(MANDIR)/man5 \ $(INSTALL_PREFIX)$(MANDIR)/man7 @pod2man="`cd util; ./pod2mantest $(PERL)`"; \ here="`pwd`"; \ filecase=; \ if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" ]; then \ filecase=-i; \ fi; \ for i in doc/apps/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ grep -v $$filecase "^$$fn\$$" | \ + grep -v "[ ]" | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ done); \ done; \ for i in doc/crypto/*.pod doc/ssl/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ grep -v $$filecase "^$$fn\$$" | \ + grep -v "[ ]" | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ done); \ done # DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS index f0282ebb8755..4c1ba0a241f6 100644 --- a/crypto/openssl/NEWS +++ b/crypto/openssl/NEWS @@ -1,303 +1,311 @@ NEWS ==== This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d: + + o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug + o Security: Fix null-pointer assignment in do_change_cipher_spec() + o Allow multiple active certificates with same subject in CA index + o Multiple X590 verification fixes + o Speed up HMAC and other operations + Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c: o Security: fix various ASN1 parsing bugs. o New -ignore_err option to OCSP utility. o Various interop and bug fixes in S/MIME code. o SSL/TLS protocol fix for unrequested client certificates. Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b: o Security: counter the Klima-Pokorny-Rosa extension of Bleichbacher's attack o Security: make RSA blinding default. o Configuration: Irix fixes, AIX fixes, better mingw support. o Support for new platforms: linux-ia64-ecc. o Build: shared library support fixes. o ASN.1: treat domainComponent correctly. o Documentation: fixes and additions. Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a: o Security: Important security related bugfixes. o Enhanced compatibility with MIT Kerberos. o Can be built without the ENGINE framework. o IA32 assembler enhancements. o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64. o Configuration: the no-err option now works properly. o SSL/TLS: now handles manual certificate chain building. o SSL/TLS: certain session ID malfunctions corrected. Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7: o New library section OCSP. o Complete rewrite of ASN1 code. o CRL checking in verify code and openssl utility. o Extension copying in 'ca' utility. o Flexible display options in 'ca' utility. o Provisional support for international characters with UTF8. o Support for external crypto devices ('engine') is no longer a separate distribution. o New elliptic curve library section. o New AES (Rijndael) library section. o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, Linux x86_64, Linux 64-bit on Sparc v9 o Extended support for some platforms: VxWorks o Enhanced support for shared libraries. o Now only builds PIC code when shared library support is requested. o Support for pkg-config. o Lots of new manuals. o Makes symbolic links to or copies of manuals to cover all described functions. o Change DES API to clean up the namespace (some applications link also against libdes providing similar functions having the same name). Provide macros for backward compatibility (will be removed in the future). o Unify handling of cryptographic algorithms (software and engine) to be available via EVP routines for asymmetric and symmetric ciphers. o NCONF: new configuration handling routines. o Change API to use more 'const' modifiers to improve error checking and help optimizers. o Finally remove references to RSAref. o Reworked parts of the BIGNUM code. o Support for new engines: Broadcom ubsec, Accelerated Encryption Processing, IBM 4758. o A few new engines added in the demos area. o Extended and corrected OID (object identifier) table. o PRNG: query at more locations for a random device, automatic query for EGD style random sources at several locations. o SSL/TLS: allow optional cipher choice according to server's preference. o SSL/TLS: allow server to explicitly set new session ids. o SSL/TLS: support Kerberos cipher suites (RFC2712). Only supports MIT Kerberos for now. o SSL/TLS: allow more precise control of renegotiations and sessions. o SSL/TLS: add callback to retrieve SSL/TLS messages. o SSL/TLS: support AES cipher suites (RFC3268). Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k: o Security: fix various ASN1 parsing bugs. o SSL/TLS protocol fix for unrequested client certificates. Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j: o Security: counter the Klima-Pokorny-Rosa extension of Bleichbacher's attack o Security: make RSA blinding default. o Build: shared library support fixes. Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i: o Important security related bugfixes. Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h: o New configuration targets for Tandem OSS and A/UX. o New OIDs for Microsoft attributes. o Better handling of SSL session caching. o Better comparison of distinguished names. o Better handling of shared libraries in a mixed GNU/non-GNU environment. o Support assembler code with Borland C. o Fixes for length problems. o Fixes for uninitialised variables. o Fixes for memory leaks, some unusual crashes and some race conditions. o Fixes for smaller building problems. o Updates of manuals, FAQ and other instructive documents. Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g: o Important building fixes on Unix. Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f: o Various important bugfixes. Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e: o Important security related bugfixes. o Various SSL/TLS library bugfixes. Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d: o Various SSL/TLS library bugfixes. o Fix DH parameter generation for 'non-standard' generators. Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c: o Various SSL/TLS library bugfixes. o BIGNUM library fixes. o RSA OAEP and random number generation fixes. o Object identifiers corrected and added. o Add assembler BN routines for IA64. o Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8, MIPS Linux; shared library support for Irix, HP-UX. o Add crypto accelerator support for AEP, Baltimore SureWare, Broadcom and Cryptographic Appliance's keyserver [in 0.9.6c-engine release]. Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b: o Security fix: PRNG improvements. o Security fix: RSA OAEP check. o Security fix: Reinsert and fix countermeasure to Bleichbacher's attack. o MIPS bug fix in BIGNUM. o Bug fix in "openssl enc". o Bug fix in X.509 printing routine. o Bug fix in DSA verification routine and DSA S/MIME verification. o Bug fix to make PRNG thread-safe. o Bug fix in RAND_file_name(). o Bug fix in compatibility mode trust settings. o Bug fix in blowfish EVP. o Increase default size for BIO buffering filter. o Compatibility fixes in some scripts. Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a: o Security fix: change behavior of OpenSSL to avoid using environment variables when running as root. o Security fix: check the result of RSA-CRT to reduce the possibility of deducing the private key from an incorrectly calculated signature. o Security fix: prevent Bleichenbacher's DSA attack. o Security fix: Zero the premaster secret after deriving the master secret in DH ciphersuites. o Reimplement SSL_peek(), which had various problems. o Compatibility fix: the function des_encrypt() renamed to des_encrypt1() to avoid clashes with some Unixen libc. o Bug fixes for Win32, HP/UX and Irix. o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and memory checking routines. o Bug fixes for RSA operations in threaded environments. o Bug fixes in misc. openssl applications. o Remove a few potential memory leaks. o Add tighter checks of BIGNUM routines. o Shared library support has been reworked for generality. o More documentation. o New function BN_rand_range(). o Add "-rand" option to openssl s_client and s_server. Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6: o Some documentation for BIO and SSL libraries. o Enhanced chain verification using key identifiers. o New sign and verify options to 'dgst' application. o Support for DER and PEM encoded messages in 'smime' application. o New 'rsautl' application, low level RSA utility. o MD4 now included. o Bugfix for SSL rollback padding check. o Support for external crypto devices [1]. o Enhanced EVP interface. [1] The support for external crypto devices is currently a separate distribution. See the file README.ENGINE. Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a: o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 o Shared library support for HPUX and Solaris-gcc o Support of Linux/IA64 o Assembler support for Mingw32 o New 'rand' application o New way to check for existence of algorithms from scripts Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5: o S/MIME support in new 'smime' command o Documentation for the OpenSSL command line application o Automation of 'req' application o Fixes to make s_client, s_server work under Windows o Support for multiple fieldnames in SPKACs o New SPKAC command line utilty and associated library functions o Options to allow passwords to be obtained from various sources o New public key PEM format and options to handle it o Many other fixes and enhancements to command line utilities o Usable certificate chain verification o Certificate purpose checking o Certificate trust settings o Support of authority information access extension o Extensions in certificate requests o Simplified X509 name and attribute routines o Initial (incomplete) support for international character sets o New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD o Read only memory BIOs and simplified creation function o TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0 record; allow fragmentation and interleaving of handshake and other data o TLS/SSL code now "tolerates" MS SGC o Work around for Netscape client certificate hang bug o RSA_NULL option that removes RSA patent code but keeps other RSA functionality o Memory leak detection now allows applications to add extra information via a per-thread stack o PRNG robustness improved o EGD support o BIGNUM library bug fixes o Faster DSA parameter generation o Enhanced support for Alpha Linux o Experimental MacOS support Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4: o Transparent support for PKCS#8 format private keys: these are used by several software packages and are more secure than the standard form o PKCS#5 v2.0 implementation o Password callbacks have a new void * argument for application data o Avoid various memory leaks o New pipe-like BIO that allows using the SSL library when actual I/O must be handled by the application (BIO pair) Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3: o Lots of enhancements and cleanups to the Configuration mechanism o RSA OEAP related fixes o Added `openssl ca -revoke' option for revoking a certificate o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs o Source tree cleanups: removed lots of obsolete files o Thawte SXNet, certificate policies and CRL distribution points extension support o Preliminary (experimental) S/MIME support o Support for ASN.1 UTF8String and VisibleString o Full integration of PKCS#12 code o Sparc assembler bignum implementation, optimized hash functions o Option to disable selected ciphers Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b: o Fixed a security hole related to session resumption o Fixed RSA encryption routines for the p < q case o "ALL" in cipher lists now means "everything except NULL ciphers" o Support for Triple-DES CBCM cipher o Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA o First support for new TLSv1 ciphers o Added a few new BIOs (syslog BIO, reliable BIO) o Extended support for DSA certificate/keys. o Extended support for Certificate Signing Requests (CSR) o Initial support for X.509v3 extensions o Extended support for compression inside the SSL record layer o Overhauled Win32 builds o Cleanups and fixes to the Big Number (BN) library o Support for ASN.1 GeneralizedTime o Splitted ASN.1 SETs from SEQUENCEs o ASN1 and PEM support for Netscape Certificate Sequences o Overhauled Perl interface o Lots of source tree cleanups. o Lots of memory leak fixes. o Lots of bug fixes. Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c: o Integration of the popular NO_RSA/NO_DSA patches o Initial support for compression inside the SSL record layer o Added BIO proxy and filtering functionality o Extended Big Number (BN) library o Added RIPE MD160 message digest o Addeed support for RC2/64bit cipher o Extended ASN.1 parser routines o Adjustations of the source tree for CVS o Support for various new platforms diff --git a/crypto/openssl/README b/crypto/openssl/README index 65e3a124263b..f72a21036f9f 100644 --- a/crypto/openssl/README +++ b/crypto/openssl/README @@ -1,187 +1,187 @@ - OpenSSL 0.9.7c 30 Sep 2003 + OpenSSL 0.9.7d 17 Mar 2004 - Copyright (c) 1998-2003 The OpenSSL Project + Copyright (c) 1998-2004 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. DESCRIPTION ----------- The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation. OpenSSL is based on the excellent SSLeay library developed from Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under a dual-license (the OpenSSL license plus the SSLeay license) situation, which basically means that you are free to get and use it for commercial and non-commercial purposes as long as you fulfill the conditions of both licenses. OVERVIEW -------- The OpenSSL toolkit includes: libssl.a: Implementation of SSLv2, SSLv3, TLSv1 and the required code to support both SSLv2, SSLv3 and TLSv1 in the one server and client. libcrypto.a: General encryption and X.509 v1/v3 stuff needed by SSL/TLS but not actually logically part of it. It includes routines for the following: Ciphers libdes - EAY's libdes DES encryption package which has been floating around the net for a few years. It includes 15 'modes/variations' of DES (1, 2 and 3 key versions of ecb, cbc, cfb and ofb; pcbc and a more general form of cfb and ofb) including desx in cbc mode, a fast crypt(3), and routines to read passwords from the keyboard. RC4 encryption, RC2 encryption - 4 different modes, ecb, cbc, cfb and ofb. Blowfish encryption - 4 different modes, ecb, cbc, cfb and ofb. IDEA encryption - 4 different modes, ecb, cbc, cfb and ofb. Digests MD5 and MD2 message digest algorithms, fast implementations, SHA (SHA-0) and SHA-1 message digest algorithms, MDC2 message digest. A DES based hash that is popular on smart cards. Public Key RSA encryption/decryption/generation. There is no limit on the number of bits. DSA encryption/decryption/generation. There is no limit on the number of bits. Diffie-Hellman key-exchange/key generation. There is no limit on the number of bits. X.509v3 certificates X509 encoding/decoding into/from binary ASN1 and a PEM based ASCII-binary encoding which supports encryption with a private key. Program to generate RSA and DSA certificate requests and to generate RSA and DSA certificates. Systems The normal digital envelope routines and base64 encoding. Higher level access to ciphers and digests by name. New ciphers can be loaded at run time. The BIO io system which is a simple non-blocking IO abstraction. Current methods supported are file descriptors, sockets, socket accept, socket connect, memory buffer, buffering, SSL client/server, file pointer, encryption, digest, non-blocking testing and null. Data structures A dynamically growing hashing system A simple stack. A Configuration loader that uses a format similar to MS .ini files. openssl: A command line tool that can be used for: Creation of RSA, DH and DSA key parameters Creation of X.509 certificates, CSRs and CRLs Calculation of Message Digests Encryption and Decryption with Ciphers SSL/TLS Client and Server Tests Handling of S/MIME signed or encrypted mail PATENTS ------- Various companies hold various patents for various algorithms in various locations around the world. _YOU_ are responsible for ensuring that your use of any algorithms is legal by checking if there are any patents in your country. The file contains some of the patents that we know about or are rumored to exist. This is not a definitive list. RSA Security holds software patents on the RC5 algorithm. If you intend to use this cipher, you must contact RSA Security for licensing conditions. Their web page is http://www.rsasecurity.com/. RC4 is a trademark of RSA Security, so use of this label should perhaps only be used with RSA Security's permission. The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy, Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA. They should be contacted if that algorithm is to be used; their web page is http://www.ascom.ch/. INSTALLATION ------------ To install this package under a Unix derivative, read the INSTALL file. For a Win32 platform, read the INSTALL.W32 file. For OpenVMS systems, read INSTALL.VMS. Read the documentation in the doc/ directory. It is quite rough, but it lists the functions; you will probably have to look at the code to work out how to use them. Look at the example programs. PROBLEMS -------- For some platforms, there are some known problems that may affect the user or application author. We try to collect those in doc/PROBLEMS, with current thoughts on how they should be solved in a future of OpenSSL. SUPPORT ------- If you have any problems with OpenSSL then please take the following steps first: - Download the current snapshot from ftp://ftp.openssl.org/snapshot/ to see if the problem has already been addressed - Remove ASM versions of libraries - Remove compiler optimisation flags If you wish to report a bug then please include the following information in any bug report: - On Unix systems: Self-test report generated by 'make report' - On other systems: OpenSSL version: output of 'openssl version -a' OS Name, Version, Hardware platform Compiler Details (name, version) - Application Details (name, version) - Problem Description (steps that will reproduce the problem, if known) - Stack Traceback (if the application dumps core) Report the bug to the OpenSSL project via the Request Tracker (http://www.openssl.org/support/rt2.html) by mail to: openssl-bugs@openssl.org Note that mail to openssl-bugs@openssl.org is recorded in the publicly readable request tracker database and is forwarded to a public mailing list. Confidential mail may be sent to openssl-security@openssl.org (PGP key available from the key servers). HOW TO CONTRIBUTE TO OpenSSL ---------------------------- Development is coordinated on the openssl-dev mailing list (see http://www.openssl.org for information on subscribing). If you would like to submit a patch, send it to openssl-dev@openssl.org with the string "[PATCH]" in the subject. Please be sure to include a textual explanation of what your patch does. Note: For legal reasons, contributions from the US can be accepted only if a TSA notification and a copy of the patch is sent to crypt@bis.doc.gov; see http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic] and http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e)). The preferred format for changes is "diff -u" output. You might generate it like this: # cd openssl-work # [your changes] # ./Configure dist; make clean # cd .. # diff -ur openssl-orig openssl-work > mydiffs.patch diff --git a/crypto/openssl/apps/CA.pl b/crypto/openssl/apps/CA.pl index 669a016b8432..8b2ce7ea4248 100755 --- a/crypto/openssl/apps/CA.pl +++ b/crypto/openssl/apps/CA.pl @@ -1,173 +1,173 @@ -#!/usr/bin/perl +#!/usr/local/bin/perl # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes # things easier between now and when Eric is convinced to fix it :-) # # CA -newca ... will setup the right stuff # CA -newreq[-nodes] ... will generate a certificate request # CA -sign ... will sign the generated request and output # # At the end of that grab newreq.pem and newcert.pem (one has the key # and the other the certificate) and cat them together and that is what # you want/need ... I'll make even this a little cleaner later. # # # 12-Jan-96 tjh Added more things ... including CA -signcert which # converts a certificate to a request and then signs it. # 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG # environment variable so this can be driven from # a script. # 25-Jul-96 eay Cleaned up filenames some more. # 11-Jun-96 eay Fixed a few filename missmatches. # 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. # 18-Apr-96 tjh Original hacking # # Tim Hudson # tjh@cryptsoft.com # # 27-Apr-98 snh Translation into perl, fix existing CA bug. # # # Steve Henson # shenson@bigfoot.com # default openssl.cnf file has setup as per the following # demoCA ... where everything is stored $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; $DAYS="-days 365"; $REQ="openssl req $SSLEAY_CONFIG"; $CA="openssl ca $SSLEAY_CONFIG"; $VERIFY="openssl verify"; $X509="openssl x509"; $PKCS12="openssl pkcs12"; $CATOP="./demoCA"; $CAKEY="cakey.pem"; $CACERT="cacert.pem"; $DIRMODE = 0777; $RET = 0; foreach (@ARGV) { if ( /^(-\?|-h|-help)$/ ) { print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; exit 0; } elsif (/^-newcert$/) { # create a certificate system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS"); $RET=$?; print "Certificate (and private key) is in newreq.pem\n" } elsif (/^-newreq$/) { # create a certificate request system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS"); $RET=$?; print "Request (and private key) is in newreq.pem\n"; } elsif (/^-newreq-nodes$/) { # create a certificate request system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS"); $RET=$?; print "Request (and private key) is in newreq.pem\n"; } elsif (/^-newca$/) { # if explicitly asked for or it doesn't exist then setup the # directory structure that Eric likes to manage things $NEW="1"; if ( "$NEW" || ! -f "${CATOP}/serial" ) { # create the directory hierarchy mkdir $CATOP, $DIRMODE; mkdir "${CATOP}/certs", $DIRMODE; mkdir "${CATOP}/crl", $DIRMODE ; mkdir "${CATOP}/newcerts", $DIRMODE; mkdir "${CATOP}/private", $DIRMODE; open OUT, ">${CATOP}/serial"; print OUT "01\n"; close OUT; open OUT, ">${CATOP}/index.txt"; close OUT; } if ( ! -f "${CATOP}/private/$CAKEY" ) { print "CA certificate filename (or enter to create)\n"; $FILE = ; chop $FILE; # ask user for existing CA certificate if ($FILE) { cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE"); cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE"); $RET=$?; } else { print "Making CA certificate ...\n"; system ("$REQ -new -x509 -keyout " . "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS"); $RET=$?; } } } elsif (/^-pkcs12$/) { my $cname = $ARGV[1]; $cname = "My Certificate" unless defined $cname; system ("$PKCS12 -in newcert.pem -inkey newreq.pem " . "-certfile ${CATOP}/$CACERT -out newcert.p12 " . "-export -name \"$cname\""); $RET=$?; exit $RET; } elsif (/^-xsign$/) { system ("$CA -policy policy_anything -infiles newreq.pem"); $RET=$?; } elsif (/^(-sign|-signreq)$/) { system ("$CA -policy policy_anything -out newcert.pem " . "-infiles newreq.pem"); $RET=$?; print "Signed certificate is in newcert.pem\n"; } elsif (/^(-signCA)$/) { system ("$CA -policy policy_anything -out newcert.pem " . "-extensions v3_ca -infiles newreq.pem"); $RET=$?; print "Signed CA certificate is in newcert.pem\n"; } elsif (/^-signcert$/) { system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " . "-out tmp.pem"); system ("$CA -policy policy_anything -out newcert.pem " . "-infiles tmp.pem"); $RET = $?; print "Signed certificate is in newcert.pem\n"; } elsif (/^-verify$/) { if (shift) { foreach $j (@ARGV) { system ("$VERIFY -CAfile $CATOP/$CACERT $j"); $RET=$? if ($? != 0); } exit $RET; } else { system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem"); $RET=$?; exit 0; } } else { print STDERR "Unknown arg $_\n"; print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; exit 1; } } exit $RET; sub cp_pem { my ($infile, $outfile, $bound) = @_; open IN, $infile; open OUT, ">$outfile"; my $flag = 0; while () { $flag = 1 if (/^-----BEGIN.*$bound/) ; print OUT $_ if ($flag); if (/^-----END.*$bound/) { close IN; close OUT; return; } } } diff --git a/crypto/openssl/apps/Makefile.ssl b/crypto/openssl/apps/Makefile.ssl index 90e71dee7666..7068286204b2 100644 --- a/crypto/openssl/apps/Makefile.ssl +++ b/crypto/openssl/apps/Makefile.ssl @@ -1,1146 +1,1146 @@ # # apps/Makefile.ssl # DIR= apps TOP= .. CC= cc INCLUDES= -I$(TOP) -I../include $(KRB5_INCLUDES) CFLAG= -g -static INSTALL_PREFIX= INSTALLTOP= /usr/local/ssl OPENSSLDIR= /usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl PERL= perl RM= rm -f # KRB5 stuff KRB5_INCLUDES= LIBKRB5= PEX_LIBS= EX_LIBS= EXE_EXT= SHLIB_TARGET= CFLAGS= -DMONOLITH $(INCLUDES) $(CFLAG) GENERAL=Makefile makeapps.com install.com DLIBCRYPTO=../libcrypto.a DLIBSSL=../libssl.a LIBCRYPTO=-L.. -lcrypto LIBSSL=-L.. -lssl PROGRAM= openssl SCRIPTS=CA.sh CA.pl der_chop EXE= $(PROGRAM)$(EXE_EXT) E_EXE= verify asn1pars req dgst dh dhparam enc passwd gendh errstr \ ca crl rsa rsautl dsa dsaparam \ x509 genrsa gendsa s_server s_client speed \ s_time version pkcs7 crl2pkcs7 sess_id ciphers nseq pkcs12 \ pkcs8 spkac smime rand engine ocsp PROGS= $(PROGRAM).c A_OBJ=apps.o A_SRC=apps.c S_OBJ= s_cb.o s_socket.o S_SRC= s_cb.c s_socket.c RAND_OBJ=app_rand.o RAND_SRC=app_rand.c E_OBJ= verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o \ ca.o pkcs7.o crl2p7.o crl.o \ rsa.o rsautl.o dsa.o dsaparam.o \ x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \ s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \ ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o E_SRC= verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \ pkcs7.c crl2p7.c crl.c \ rsa.c rsautl.c dsa.c dsaparam.c \ x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \ s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \ ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c ocsp.c SRC=$(E_SRC) EXHEADER= HEADER= apps.h progs.h s_apps.h \ testdsa.h testrsa.h \ $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: @(cd ..; $(MAKE) DIRS=$(DIR) all) all: exe exe: $(PROGRAM) req: sreq.o $(A_OBJ) $(DLIBCRYPTO) LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o req $(CFLAG) sreq.o $(A_OBJ) $(RAND_OBJ) $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) sreq.o: req.c $(CC) -c $(INCLUDES) $(CFLAG) -o sreq.o req.c files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO install: @for i in $(EXE); \ do \ (echo installing $$i; \ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \ done; @for i in $(SCRIPTS); \ do \ (echo installing $$i; \ cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \ chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \ mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \ done @cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \ chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \ mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf tags: ctags $(SRC) tests: links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) rm -f req $(DLIBSSL): (cd ..; $(MAKE) DIRS=ssl all) $(DLIBCRYPTO): (cd ..; $(MAKE) DIRS=crypto all) $(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) $(RM) $(PROGRAM) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \ fi -(cd ..; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; \ LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ LIBPATH="`pwd`:$$LIBPATH"; \ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ $(PERL) tools/c_rehash certs) progs.h: progs.pl $(PERL) progs.pl $(E_EXE) >progs.h $(RM) $(PROGRAM).o # DO NOT DELETE THIS LINE -- make depend depends on it. app_rand.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h app_rand.o: ../include/openssl/bio.h ../include/openssl/blowfish.h app_rand.o: ../include/openssl/bn.h ../include/openssl/buffer.h app_rand.o: ../include/openssl/cast.h ../include/openssl/conf.h app_rand.o: ../include/openssl/crypto.h ../include/openssl/des.h app_rand.o: ../include/openssl/des_old.h ../include/openssl/dh.h app_rand.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h app_rand.o: ../include/openssl/engine.h ../include/openssl/err.h app_rand.o: ../include/openssl/evp.h ../include/openssl/idea.h app_rand.o: ../include/openssl/lhash.h ../include/openssl/md2.h app_rand.o: ../include/openssl/md4.h ../include/openssl/md5.h app_rand.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h app_rand.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h app_rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h app_rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h app_rand.o: ../include/openssl/rc2.h ../include/openssl/rc4.h app_rand.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h app_rand.o: ../include/openssl/rsa.h ../include/openssl/safestack.h app_rand.o: ../include/openssl/sha.h ../include/openssl/stack.h app_rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h app_rand.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h app_rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h app_rand.c app_rand.o: apps.h apps.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h apps.o: ../include/openssl/bio.h ../include/openssl/blowfish.h apps.o: ../include/openssl/bn.h ../include/openssl/buffer.h apps.o: ../include/openssl/cast.h ../include/openssl/conf.h apps.o: ../include/openssl/crypto.h ../include/openssl/des.h apps.o: ../include/openssl/des_old.h ../include/openssl/dh.h apps.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h apps.o: ../include/openssl/engine.h ../include/openssl/err.h apps.o: ../include/openssl/evp.h ../include/openssl/idea.h apps.o: ../include/openssl/lhash.h ../include/openssl/md2.h apps.o: ../include/openssl/md4.h ../include/openssl/md5.h apps.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h apps.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h apps.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h apps.o: ../include/openssl/pem.h ../include/openssl/pem2.h apps.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h apps.o: ../include/openssl/rand.h ../include/openssl/rc2.h apps.o: ../include/openssl/rc4.h ../include/openssl/rc5.h apps.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h apps.o: ../include/openssl/safestack.h ../include/openssl/sha.h apps.o: ../include/openssl/stack.h ../include/openssl/symhacks.h apps.o: ../include/openssl/txt_db.h ../include/openssl/ui.h apps.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h apps.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.c apps.h asn1pars.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h asn1pars.o: ../include/openssl/bio.h ../include/openssl/blowfish.h asn1pars.o: ../include/openssl/bn.h ../include/openssl/buffer.h asn1pars.o: ../include/openssl/cast.h ../include/openssl/conf.h asn1pars.o: ../include/openssl/crypto.h ../include/openssl/des.h asn1pars.o: ../include/openssl/des_old.h ../include/openssl/dh.h asn1pars.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h asn1pars.o: ../include/openssl/engine.h ../include/openssl/err.h asn1pars.o: ../include/openssl/evp.h ../include/openssl/idea.h asn1pars.o: ../include/openssl/lhash.h ../include/openssl/md2.h asn1pars.o: ../include/openssl/md4.h ../include/openssl/md5.h asn1pars.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h asn1pars.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h asn1pars.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h asn1pars.o: ../include/openssl/pem.h ../include/openssl/pem2.h asn1pars.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h asn1pars.o: ../include/openssl/rc2.h ../include/openssl/rc4.h asn1pars.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h asn1pars.o: ../include/openssl/rsa.h ../include/openssl/safestack.h asn1pars.o: ../include/openssl/sha.h ../include/openssl/stack.h asn1pars.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h asn1pars.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h asn1pars.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h asn1pars.o: asn1pars.c ca.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ca.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ca.o: ../include/openssl/bn.h ../include/openssl/buffer.h ca.o: ../include/openssl/cast.h ../include/openssl/conf.h ca.o: ../include/openssl/crypto.h ../include/openssl/des.h ca.o: ../include/openssl/des_old.h ../include/openssl/dh.h ca.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h ca.o: ../include/openssl/engine.h ../include/openssl/err.h ca.o: ../include/openssl/evp.h ../include/openssl/idea.h ca.o: ../include/openssl/lhash.h ../include/openssl/md2.h ca.o: ../include/openssl/md4.h ../include/openssl/md5.h ca.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ca.o: ../include/openssl/objects.h ../include/openssl/ocsp.h ca.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h ca.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h ca.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h ca.o: ../include/openssl/rand.h ../include/openssl/rc2.h ca.o: ../include/openssl/rc4.h ../include/openssl/rc5.h ca.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h ca.o: ../include/openssl/safestack.h ../include/openssl/sha.h ca.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ca.o: ../include/openssl/txt_db.h ../include/openssl/ui.h ca.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h ca.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ca.c ciphers.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ciphers.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ciphers.o: ../include/openssl/bn.h ../include/openssl/buffer.h ciphers.o: ../include/openssl/cast.h ../include/openssl/comp.h ciphers.o: ../include/openssl/conf.h ../include/openssl/crypto.h ciphers.o: ../include/openssl/des.h ../include/openssl/des_old.h ciphers.o: ../include/openssl/dh.h ../include/openssl/dsa.h ciphers.o: ../include/openssl/e_os2.h ../include/openssl/engine.h ciphers.o: ../include/openssl/err.h ../include/openssl/evp.h ciphers.o: ../include/openssl/idea.h ../include/openssl/kssl.h ciphers.o: ../include/openssl/lhash.h ../include/openssl/md2.h ciphers.o: ../include/openssl/md4.h ../include/openssl/md5.h ciphers.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ciphers.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h ciphers.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ciphers.o: ../include/openssl/pem.h ../include/openssl/pem2.h ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h ciphers.o: ../include/openssl/rc2.h ../include/openssl/rc4.h ciphers.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h ciphers.o: ../include/openssl/rsa.h ../include/openssl/safestack.h ciphers.o: ../include/openssl/sha.h ../include/openssl/ssl.h ciphers.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ciphers.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ciphers.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ciphers.o: ../include/openssl/txt_db.h ../include/openssl/ui.h ciphers.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h ciphers.o: ../include/openssl/x509_vfy.h apps.h ciphers.c crl.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h crl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h crl.o: ../include/openssl/bn.h ../include/openssl/buffer.h crl.o: ../include/openssl/cast.h ../include/openssl/conf.h crl.o: ../include/openssl/crypto.h ../include/openssl/des.h crl.o: ../include/openssl/des_old.h ../include/openssl/dh.h crl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h crl.o: ../include/openssl/engine.h ../include/openssl/err.h crl.o: ../include/openssl/evp.h ../include/openssl/idea.h crl.o: ../include/openssl/lhash.h ../include/openssl/md2.h crl.o: ../include/openssl/md4.h ../include/openssl/md5.h crl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h crl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h crl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h crl.o: ../include/openssl/pem.h ../include/openssl/pem2.h crl.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h crl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h crl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h crl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h crl.o: ../include/openssl/sha.h ../include/openssl/stack.h crl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h crl.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h crl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h crl.o: ../include/openssl/x509v3.h apps.h crl.c crl2p7.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h crl2p7.o: ../include/openssl/bio.h ../include/openssl/blowfish.h crl2p7.o: ../include/openssl/bn.h ../include/openssl/buffer.h crl2p7.o: ../include/openssl/cast.h ../include/openssl/conf.h crl2p7.o: ../include/openssl/crypto.h ../include/openssl/des.h crl2p7.o: ../include/openssl/des_old.h ../include/openssl/dh.h crl2p7.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h crl2p7.o: ../include/openssl/engine.h ../include/openssl/err.h crl2p7.o: ../include/openssl/evp.h ../include/openssl/idea.h crl2p7.o: ../include/openssl/lhash.h ../include/openssl/md2.h crl2p7.o: ../include/openssl/md4.h ../include/openssl/md5.h crl2p7.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h crl2p7.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h crl2p7.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h crl2p7.o: ../include/openssl/pem.h ../include/openssl/pem2.h crl2p7.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h crl2p7.o: ../include/openssl/rc2.h ../include/openssl/rc4.h crl2p7.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h crl2p7.o: ../include/openssl/rsa.h ../include/openssl/safestack.h crl2p7.o: ../include/openssl/sha.h ../include/openssl/stack.h crl2p7.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h crl2p7.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h crl2p7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h crl2p7.o: crl2p7.c dgst.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h dgst.o: ../include/openssl/bio.h ../include/openssl/blowfish.h dgst.o: ../include/openssl/bn.h ../include/openssl/buffer.h dgst.o: ../include/openssl/cast.h ../include/openssl/conf.h dgst.o: ../include/openssl/crypto.h ../include/openssl/des.h dgst.o: ../include/openssl/des_old.h ../include/openssl/dh.h dgst.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h dgst.o: ../include/openssl/engine.h ../include/openssl/err.h dgst.o: ../include/openssl/evp.h ../include/openssl/idea.h dgst.o: ../include/openssl/lhash.h ../include/openssl/md2.h dgst.o: ../include/openssl/md4.h ../include/openssl/md5.h dgst.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h dgst.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h dgst.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h dgst.o: ../include/openssl/pem.h ../include/openssl/pem2.h dgst.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h dgst.o: ../include/openssl/rc2.h ../include/openssl/rc4.h dgst.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h dgst.o: ../include/openssl/rsa.h ../include/openssl/safestack.h dgst.o: ../include/openssl/sha.h ../include/openssl/stack.h dgst.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h dgst.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h dgst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dgst.c dh.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h dh.o: ../include/openssl/bio.h ../include/openssl/blowfish.h dh.o: ../include/openssl/bn.h ../include/openssl/buffer.h dh.o: ../include/openssl/cast.h ../include/openssl/conf.h dh.o: ../include/openssl/crypto.h ../include/openssl/des.h dh.o: ../include/openssl/des_old.h ../include/openssl/dh.h dh.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h dh.o: ../include/openssl/engine.h ../include/openssl/err.h dh.o: ../include/openssl/evp.h ../include/openssl/idea.h dh.o: ../include/openssl/lhash.h ../include/openssl/md2.h dh.o: ../include/openssl/md4.h ../include/openssl/md5.h dh.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h dh.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h dh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h dh.o: ../include/openssl/pem.h ../include/openssl/pem2.h dh.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h dh.o: ../include/openssl/rc2.h ../include/openssl/rc4.h dh.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h dh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h dh.o: ../include/openssl/sha.h ../include/openssl/stack.h dh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h dh.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h dh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dh.c dsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h dsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h dsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h dsa.o: ../include/openssl/cast.h ../include/openssl/conf.h dsa.o: ../include/openssl/crypto.h ../include/openssl/des.h dsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h dsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h dsa.o: ../include/openssl/engine.h ../include/openssl/err.h dsa.o: ../include/openssl/evp.h ../include/openssl/idea.h dsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h dsa.o: ../include/openssl/md4.h ../include/openssl/md5.h dsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h dsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h dsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h dsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h dsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h dsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h dsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h dsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h dsa.o: ../include/openssl/sha.h ../include/openssl/stack.h dsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h dsa.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h dsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dsa.c dsaparam.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h dsaparam.o: ../include/openssl/bio.h ../include/openssl/blowfish.h dsaparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h dsaparam.o: ../include/openssl/cast.h ../include/openssl/conf.h dsaparam.o: ../include/openssl/crypto.h ../include/openssl/des.h dsaparam.o: ../include/openssl/des_old.h ../include/openssl/dh.h dsaparam.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h dsaparam.o: ../include/openssl/engine.h ../include/openssl/err.h dsaparam.o: ../include/openssl/evp.h ../include/openssl/idea.h dsaparam.o: ../include/openssl/lhash.h ../include/openssl/md2.h dsaparam.o: ../include/openssl/md4.h ../include/openssl/md5.h dsaparam.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h dsaparam.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h dsaparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h dsaparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h dsaparam.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h dsaparam.o: ../include/openssl/rc2.h ../include/openssl/rc4.h dsaparam.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h dsaparam.o: ../include/openssl/rsa.h ../include/openssl/safestack.h dsaparam.o: ../include/openssl/sha.h ../include/openssl/stack.h dsaparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h dsaparam.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h dsaparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dsaparam.o: dsaparam.c enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h enc.o: ../include/openssl/cast.h ../include/openssl/conf.h enc.o: ../include/openssl/crypto.h ../include/openssl/des.h enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h enc.o: ../include/openssl/engine.h ../include/openssl/err.h enc.o: ../include/openssl/evp.h ../include/openssl/idea.h enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h enc.o: ../include/openssl/md4.h ../include/openssl/md5.h enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h enc.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h enc.o: ../include/openssl/sha.h ../include/openssl/stack.h enc.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h enc.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h enc.c engine.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h engine.o: ../include/openssl/bio.h ../include/openssl/blowfish.h engine.o: ../include/openssl/bn.h ../include/openssl/buffer.h engine.o: ../include/openssl/cast.h ../include/openssl/comp.h engine.o: ../include/openssl/conf.h ../include/openssl/crypto.h engine.o: ../include/openssl/des.h ../include/openssl/des_old.h engine.o: ../include/openssl/dh.h ../include/openssl/dsa.h engine.o: ../include/openssl/e_os2.h ../include/openssl/engine.h engine.o: ../include/openssl/err.h ../include/openssl/evp.h engine.o: ../include/openssl/idea.h ../include/openssl/kssl.h engine.o: ../include/openssl/lhash.h ../include/openssl/md2.h engine.o: ../include/openssl/md4.h ../include/openssl/md5.h engine.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h engine.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h engine.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h engine.o: ../include/openssl/pem.h ../include/openssl/pem2.h engine.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h engine.o: ../include/openssl/rc2.h ../include/openssl/rc4.h engine.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h engine.o: ../include/openssl/rsa.h ../include/openssl/safestack.h engine.o: ../include/openssl/sha.h ../include/openssl/ssl.h engine.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h engine.o: ../include/openssl/ssl3.h ../include/openssl/stack.h engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h engine.o: ../include/openssl/txt_db.h ../include/openssl/ui.h engine.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h engine.o: ../include/openssl/x509_vfy.h apps.h engine.c errstr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h errstr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h errstr.o: ../include/openssl/bn.h ../include/openssl/buffer.h errstr.o: ../include/openssl/cast.h ../include/openssl/comp.h errstr.o: ../include/openssl/conf.h ../include/openssl/crypto.h errstr.o: ../include/openssl/des.h ../include/openssl/des_old.h errstr.o: ../include/openssl/dh.h ../include/openssl/dsa.h errstr.o: ../include/openssl/e_os2.h ../include/openssl/engine.h errstr.o: ../include/openssl/err.h ../include/openssl/evp.h errstr.o: ../include/openssl/idea.h ../include/openssl/kssl.h errstr.o: ../include/openssl/lhash.h ../include/openssl/md2.h errstr.o: ../include/openssl/md4.h ../include/openssl/md5.h errstr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h errstr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h errstr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h errstr.o: ../include/openssl/pem.h ../include/openssl/pem2.h errstr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h errstr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h errstr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h errstr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h errstr.o: ../include/openssl/sha.h ../include/openssl/ssl.h errstr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h errstr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h errstr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h errstr.o: ../include/openssl/txt_db.h ../include/openssl/ui.h errstr.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h errstr.o: ../include/openssl/x509_vfy.h apps.h errstr.c gendh.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h gendh.o: ../include/openssl/bio.h ../include/openssl/blowfish.h gendh.o: ../include/openssl/bn.h ../include/openssl/buffer.h gendh.o: ../include/openssl/cast.h ../include/openssl/conf.h gendh.o: ../include/openssl/crypto.h ../include/openssl/des.h gendh.o: ../include/openssl/des_old.h ../include/openssl/dh.h gendh.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h gendh.o: ../include/openssl/engine.h ../include/openssl/err.h gendh.o: ../include/openssl/evp.h ../include/openssl/idea.h gendh.o: ../include/openssl/lhash.h ../include/openssl/md2.h gendh.o: ../include/openssl/md4.h ../include/openssl/md5.h gendh.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h gendh.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h gendh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h gendh.o: ../include/openssl/pem.h ../include/openssl/pem2.h gendh.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h gendh.o: ../include/openssl/rc2.h ../include/openssl/rc4.h gendh.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h gendh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h gendh.o: ../include/openssl/sha.h ../include/openssl/stack.h gendh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h gendh.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h gendh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h gendh.c gendsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h gendsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h gendsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h gendsa.o: ../include/openssl/cast.h ../include/openssl/conf.h gendsa.o: ../include/openssl/crypto.h ../include/openssl/des.h gendsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h gendsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h gendsa.o: ../include/openssl/engine.h ../include/openssl/err.h gendsa.o: ../include/openssl/evp.h ../include/openssl/idea.h gendsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h gendsa.o: ../include/openssl/md4.h ../include/openssl/md5.h gendsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h gendsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h gendsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h gendsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h gendsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h gendsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h gendsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h gendsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h gendsa.o: ../include/openssl/sha.h ../include/openssl/stack.h gendsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h gendsa.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h gendsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h gendsa.o: gendsa.c genrsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h genrsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h genrsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h genrsa.o: ../include/openssl/cast.h ../include/openssl/conf.h genrsa.o: ../include/openssl/crypto.h ../include/openssl/des.h genrsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h genrsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h genrsa.o: ../include/openssl/engine.h ../include/openssl/err.h genrsa.o: ../include/openssl/evp.h ../include/openssl/idea.h genrsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h genrsa.o: ../include/openssl/md4.h ../include/openssl/md5.h genrsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h genrsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h genrsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h genrsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h genrsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h genrsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h genrsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h genrsa.o: ../include/openssl/sha.h ../include/openssl/stack.h genrsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h genrsa.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h genrsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h genrsa.o: genrsa.c nseq.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h nseq.o: ../include/openssl/bio.h ../include/openssl/blowfish.h nseq.o: ../include/openssl/bn.h ../include/openssl/buffer.h nseq.o: ../include/openssl/cast.h ../include/openssl/conf.h nseq.o: ../include/openssl/crypto.h ../include/openssl/des.h nseq.o: ../include/openssl/des_old.h ../include/openssl/dh.h nseq.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h nseq.o: ../include/openssl/engine.h ../include/openssl/err.h nseq.o: ../include/openssl/evp.h ../include/openssl/idea.h nseq.o: ../include/openssl/lhash.h ../include/openssl/md2.h nseq.o: ../include/openssl/md4.h ../include/openssl/md5.h nseq.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h nseq.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h nseq.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h nseq.o: ../include/openssl/pem.h ../include/openssl/pem2.h nseq.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h nseq.o: ../include/openssl/rc2.h ../include/openssl/rc4.h nseq.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h nseq.o: ../include/openssl/rsa.h ../include/openssl/safestack.h nseq.o: ../include/openssl/sha.h ../include/openssl/stack.h nseq.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h nseq.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h nseq.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h nseq.c ocsp.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ocsp.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ocsp.o: ../include/openssl/bn.h ../include/openssl/buffer.h ocsp.o: ../include/openssl/cast.h ../include/openssl/comp.h ocsp.o: ../include/openssl/conf.h ../include/openssl/crypto.h ocsp.o: ../include/openssl/des.h ../include/openssl/des_old.h ocsp.o: ../include/openssl/dh.h ../include/openssl/dsa.h ocsp.o: ../include/openssl/e_os2.h ../include/openssl/engine.h ocsp.o: ../include/openssl/err.h ../include/openssl/evp.h ocsp.o: ../include/openssl/idea.h ../include/openssl/kssl.h ocsp.o: ../include/openssl/lhash.h ../include/openssl/md2.h ocsp.o: ../include/openssl/md4.h ../include/openssl/md5.h ocsp.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ocsp.o: ../include/openssl/objects.h ../include/openssl/ocsp.h ocsp.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h ocsp.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h ocsp.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h ocsp.o: ../include/openssl/rand.h ../include/openssl/rc2.h ocsp.o: ../include/openssl/rc4.h ../include/openssl/rc5.h ocsp.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h ocsp.o: ../include/openssl/safestack.h ../include/openssl/sha.h ocsp.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ocsp.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ocsp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ocsp.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h ocsp.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h ocsp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ocsp.o: ../include/openssl/x509v3.h apps.h ocsp.c openssl.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h openssl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h openssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h openssl.o: ../include/openssl/cast.h ../include/openssl/comp.h openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h openssl.o: ../include/openssl/des.h ../include/openssl/des_old.h openssl.o: ../include/openssl/dh.h ../include/openssl/dsa.h openssl.o: ../include/openssl/e_os2.h ../include/openssl/engine.h openssl.o: ../include/openssl/err.h ../include/openssl/evp.h openssl.o: ../include/openssl/idea.h ../include/openssl/kssl.h openssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h openssl.o: ../include/openssl/md4.h ../include/openssl/md5.h openssl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h openssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h openssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h openssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h openssl.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h openssl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h openssl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h openssl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h openssl.o: ../include/openssl/txt_db.h ../include/openssl/ui.h openssl.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h openssl.o: ../include/openssl/x509_vfy.h apps.h openssl.c progs.h s_apps.h passwd.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h passwd.o: ../include/openssl/bio.h ../include/openssl/blowfish.h passwd.o: ../include/openssl/bn.h ../include/openssl/buffer.h passwd.o: ../include/openssl/cast.h ../include/openssl/conf.h passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h passwd.o: ../include/openssl/des_old.h ../include/openssl/dh.h passwd.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h passwd.o: ../include/openssl/engine.h ../include/openssl/err.h passwd.o: ../include/openssl/evp.h ../include/openssl/idea.h passwd.o: ../include/openssl/lhash.h ../include/openssl/md2.h passwd.o: ../include/openssl/md4.h ../include/openssl/md5.h passwd.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h passwd.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h passwd.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h passwd.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h passwd.o: ../include/openssl/rc2.h ../include/openssl/rc4.h passwd.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h passwd.o: ../include/openssl/rsa.h ../include/openssl/safestack.h passwd.o: ../include/openssl/sha.h ../include/openssl/stack.h passwd.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h passwd.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h passwd.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h passwd.o: passwd.c pkcs12.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h pkcs12.o: ../include/openssl/bio.h ../include/openssl/blowfish.h pkcs12.o: ../include/openssl/bn.h ../include/openssl/buffer.h pkcs12.o: ../include/openssl/cast.h ../include/openssl/conf.h pkcs12.o: ../include/openssl/crypto.h ../include/openssl/des.h pkcs12.o: ../include/openssl/des_old.h ../include/openssl/dh.h pkcs12.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h pkcs12.o: ../include/openssl/engine.h ../include/openssl/err.h pkcs12.o: ../include/openssl/evp.h ../include/openssl/idea.h pkcs12.o: ../include/openssl/lhash.h ../include/openssl/md2.h pkcs12.o: ../include/openssl/md4.h ../include/openssl/md5.h pkcs12.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h pkcs12.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h pkcs12.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h pkcs12.o: ../include/openssl/pem.h ../include/openssl/pem2.h pkcs12.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h pkcs12.o: ../include/openssl/rand.h ../include/openssl/rc2.h pkcs12.o: ../include/openssl/rc4.h ../include/openssl/rc5.h pkcs12.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h pkcs12.o: ../include/openssl/safestack.h ../include/openssl/sha.h pkcs12.o: ../include/openssl/stack.h ../include/openssl/symhacks.h pkcs12.o: ../include/openssl/txt_db.h ../include/openssl/ui.h pkcs12.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h pkcs12.o: ../include/openssl/x509_vfy.h apps.h pkcs12.c pkcs7.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h pkcs7.o: ../include/openssl/bio.h ../include/openssl/blowfish.h pkcs7.o: ../include/openssl/bn.h ../include/openssl/buffer.h pkcs7.o: ../include/openssl/cast.h ../include/openssl/conf.h pkcs7.o: ../include/openssl/crypto.h ../include/openssl/des.h pkcs7.o: ../include/openssl/des_old.h ../include/openssl/dh.h pkcs7.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h pkcs7.o: ../include/openssl/engine.h ../include/openssl/err.h pkcs7.o: ../include/openssl/evp.h ../include/openssl/idea.h pkcs7.o: ../include/openssl/lhash.h ../include/openssl/md2.h pkcs7.o: ../include/openssl/md4.h ../include/openssl/md5.h pkcs7.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h pkcs7.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h pkcs7.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h pkcs7.o: ../include/openssl/pem.h ../include/openssl/pem2.h pkcs7.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h pkcs7.o: ../include/openssl/rc2.h ../include/openssl/rc4.h pkcs7.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h pkcs7.o: ../include/openssl/rsa.h ../include/openssl/safestack.h pkcs7.o: ../include/openssl/sha.h ../include/openssl/stack.h pkcs7.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h pkcs7.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h pkcs7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h pkcs7.c pkcs8.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h pkcs8.o: ../include/openssl/bio.h ../include/openssl/blowfish.h pkcs8.o: ../include/openssl/bn.h ../include/openssl/buffer.h pkcs8.o: ../include/openssl/cast.h ../include/openssl/conf.h pkcs8.o: ../include/openssl/crypto.h ../include/openssl/des.h pkcs8.o: ../include/openssl/des_old.h ../include/openssl/dh.h pkcs8.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h pkcs8.o: ../include/openssl/engine.h ../include/openssl/err.h pkcs8.o: ../include/openssl/evp.h ../include/openssl/idea.h pkcs8.o: ../include/openssl/lhash.h ../include/openssl/md2.h pkcs8.o: ../include/openssl/md4.h ../include/openssl/md5.h pkcs8.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h pkcs8.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h pkcs8.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h pkcs8.o: ../include/openssl/pem.h ../include/openssl/pem2.h pkcs8.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h pkcs8.o: ../include/openssl/rand.h ../include/openssl/rc2.h pkcs8.o: ../include/openssl/rc4.h ../include/openssl/rc5.h pkcs8.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h pkcs8.o: ../include/openssl/safestack.h ../include/openssl/sha.h pkcs8.o: ../include/openssl/stack.h ../include/openssl/symhacks.h pkcs8.o: ../include/openssl/txt_db.h ../include/openssl/ui.h pkcs8.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h pkcs8.o: ../include/openssl/x509_vfy.h apps.h pkcs8.c rand.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h rand.o: ../include/openssl/bio.h ../include/openssl/blowfish.h rand.o: ../include/openssl/bn.h ../include/openssl/buffer.h rand.o: ../include/openssl/cast.h ../include/openssl/conf.h rand.o: ../include/openssl/crypto.h ../include/openssl/des.h rand.o: ../include/openssl/des_old.h ../include/openssl/dh.h rand.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h rand.o: ../include/openssl/engine.h ../include/openssl/err.h rand.o: ../include/openssl/evp.h ../include/openssl/idea.h rand.o: ../include/openssl/lhash.h ../include/openssl/md2.h rand.o: ../include/openssl/md4.h ../include/openssl/md5.h rand.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h rand.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h rand.o: ../include/openssl/rc2.h ../include/openssl/rc4.h rand.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h rand.o: ../include/openssl/rsa.h ../include/openssl/safestack.h rand.o: ../include/openssl/sha.h ../include/openssl/stack.h rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h rand.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h rand.c req.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h req.o: ../include/openssl/asn1.h ../include/openssl/bio.h req.o: ../include/openssl/blowfish.h ../include/openssl/bn.h req.o: ../include/openssl/buffer.h ../include/openssl/cast.h req.o: ../include/openssl/conf.h ../include/openssl/crypto.h req.o: ../include/openssl/des.h ../include/openssl/des_old.h req.o: ../include/openssl/dh.h ../include/openssl/dsa.h req.o: ../include/openssl/e_os2.h ../include/openssl/engine.h req.o: ../include/openssl/err.h ../include/openssl/evp.h req.o: ../include/openssl/idea.h ../include/openssl/lhash.h req.o: ../include/openssl/md2.h ../include/openssl/md4.h req.o: ../include/openssl/md5.h ../include/openssl/mdc2.h req.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h req.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h req.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h req.o: ../include/openssl/rand.h ../include/openssl/rc2.h req.o: ../include/openssl/rc4.h ../include/openssl/rc5.h req.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h req.o: ../include/openssl/safestack.h ../include/openssl/sha.h req.o: ../include/openssl/stack.h ../include/openssl/symhacks.h req.o: ../include/openssl/txt_db.h ../include/openssl/ui.h req.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h req.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h req.c rsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h rsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h rsa.o: ../include/openssl/cast.h ../include/openssl/conf.h rsa.o: ../include/openssl/crypto.h ../include/openssl/des.h rsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h rsa.o: ../include/openssl/engine.h ../include/openssl/err.h rsa.o: ../include/openssl/evp.h ../include/openssl/idea.h rsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h rsa.o: ../include/openssl/md4.h ../include/openssl/md5.h rsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h rsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h rsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h rsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h rsa.o: ../include/openssl/sha.h ../include/openssl/stack.h rsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h rsa.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h rsa.c rsautl.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h rsautl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h rsautl.o: ../include/openssl/bn.h ../include/openssl/buffer.h rsautl.o: ../include/openssl/cast.h ../include/openssl/conf.h rsautl.o: ../include/openssl/crypto.h ../include/openssl/des.h rsautl.o: ../include/openssl/des_old.h ../include/openssl/dh.h rsautl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h rsautl.o: ../include/openssl/engine.h ../include/openssl/err.h rsautl.o: ../include/openssl/evp.h ../include/openssl/idea.h rsautl.o: ../include/openssl/lhash.h ../include/openssl/md2.h rsautl.o: ../include/openssl/md4.h ../include/openssl/md5.h rsautl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h rsautl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h rsautl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h rsautl.o: ../include/openssl/pem.h ../include/openssl/pem2.h rsautl.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h rsautl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h rsautl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h rsautl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h rsautl.o: ../include/openssl/sha.h ../include/openssl/stack.h rsautl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h rsautl.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h rsautl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h rsautl.o: rsautl.c s_cb.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s_cb.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s_cb.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_cb.o: ../include/openssl/cast.h ../include/openssl/comp.h s_cb.o: ../include/openssl/conf.h ../include/openssl/crypto.h s_cb.o: ../include/openssl/des.h ../include/openssl/des_old.h s_cb.o: ../include/openssl/dh.h ../include/openssl/dsa.h s_cb.o: ../include/openssl/e_os2.h ../include/openssl/engine.h s_cb.o: ../include/openssl/err.h ../include/openssl/evp.h s_cb.o: ../include/openssl/idea.h ../include/openssl/kssl.h s_cb.o: ../include/openssl/lhash.h ../include/openssl/md2.h s_cb.o: ../include/openssl/md4.h ../include/openssl/md5.h s_cb.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s_cb.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s_cb.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s_cb.o: ../include/openssl/pem.h ../include/openssl/pem2.h s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h s_cb.o: ../include/openssl/rc2.h ../include/openssl/rc4.h s_cb.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h s_cb.o: ../include/openssl/rsa.h ../include/openssl/safestack.h s_cb.o: ../include/openssl/sha.h ../include/openssl/ssl.h s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s_cb.o: ../include/openssl/txt_db.h ../include/openssl/ui.h s_cb.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s_cb.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_cb.c s_client.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s_client.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_client.o: ../include/openssl/cast.h ../include/openssl/comp.h s_client.o: ../include/openssl/conf.h ../include/openssl/crypto.h s_client.o: ../include/openssl/des.h ../include/openssl/des_old.h s_client.o: ../include/openssl/dh.h ../include/openssl/dsa.h s_client.o: ../include/openssl/e_os2.h ../include/openssl/engine.h s_client.o: ../include/openssl/err.h ../include/openssl/evp.h s_client.o: ../include/openssl/idea.h ../include/openssl/kssl.h s_client.o: ../include/openssl/lhash.h ../include/openssl/md2.h s_client.o: ../include/openssl/md4.h ../include/openssl/md5.h s_client.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s_client.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s_client.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h s_client.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h s_client.o: ../include/openssl/rc2.h ../include/openssl/rc4.h s_client.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h s_client.o: ../include/openssl/rsa.h ../include/openssl/safestack.h s_client.o: ../include/openssl/sha.h ../include/openssl/ssl.h s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s_client.o: ../include/openssl/txt_db.h ../include/openssl/ui.h s_client.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s_client.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_client.c s_server.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s_server.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s_server.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_server.o: ../include/openssl/cast.h ../include/openssl/comp.h s_server.o: ../include/openssl/conf.h ../include/openssl/crypto.h s_server.o: ../include/openssl/des.h ../include/openssl/des_old.h s_server.o: ../include/openssl/dh.h ../include/openssl/dsa.h s_server.o: ../include/openssl/e_os2.h ../include/openssl/engine.h s_server.o: ../include/openssl/err.h ../include/openssl/evp.h s_server.o: ../include/openssl/idea.h ../include/openssl/kssl.h s_server.o: ../include/openssl/lhash.h ../include/openssl/md2.h s_server.o: ../include/openssl/md4.h ../include/openssl/md5.h s_server.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s_server.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s_server.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h s_server.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h s_server.o: ../include/openssl/rc2.h ../include/openssl/rc4.h s_server.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h s_server.o: ../include/openssl/rsa.h ../include/openssl/safestack.h s_server.o: ../include/openssl/sha.h ../include/openssl/ssl.h s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s_server.o: ../include/openssl/txt_db.h ../include/openssl/ui.h s_server.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s_server.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_server.c s_socket.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s_socket.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s_socket.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_socket.o: ../include/openssl/cast.h ../include/openssl/comp.h s_socket.o: ../include/openssl/conf.h ../include/openssl/crypto.h s_socket.o: ../include/openssl/des.h ../include/openssl/des_old.h s_socket.o: ../include/openssl/dh.h ../include/openssl/dsa.h s_socket.o: ../include/openssl/e_os2.h ../include/openssl/engine.h s_socket.o: ../include/openssl/err.h ../include/openssl/evp.h s_socket.o: ../include/openssl/idea.h ../include/openssl/kssl.h s_socket.o: ../include/openssl/lhash.h ../include/openssl/md2.h s_socket.o: ../include/openssl/md4.h ../include/openssl/md5.h s_socket.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s_socket.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h s_socket.o: ../include/openssl/rc2.h ../include/openssl/rc4.h s_socket.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h s_socket.o: ../include/openssl/rsa.h ../include/openssl/safestack.h s_socket.o: ../include/openssl/sha.h ../include/openssl/ssl.h s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s_socket.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s_socket.o: ../include/openssl/txt_db.h ../include/openssl/ui.h s_socket.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s_socket.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_socket.c s_time.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s_time.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s_time.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_time.o: ../include/openssl/cast.h ../include/openssl/comp.h s_time.o: ../include/openssl/conf.h ../include/openssl/crypto.h s_time.o: ../include/openssl/des.h ../include/openssl/des_old.h s_time.o: ../include/openssl/dh.h ../include/openssl/dsa.h s_time.o: ../include/openssl/e_os2.h ../include/openssl/engine.h s_time.o: ../include/openssl/err.h ../include/openssl/evp.h s_time.o: ../include/openssl/idea.h ../include/openssl/kssl.h s_time.o: ../include/openssl/lhash.h ../include/openssl/md2.h s_time.o: ../include/openssl/md4.h ../include/openssl/md5.h s_time.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s_time.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s_time.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s_time.o: ../include/openssl/pem.h ../include/openssl/pem2.h s_time.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h s_time.o: ../include/openssl/rc2.h ../include/openssl/rc4.h s_time.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h s_time.o: ../include/openssl/rsa.h ../include/openssl/safestack.h s_time.o: ../include/openssl/sha.h ../include/openssl/ssl.h s_time.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s_time.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s_time.o: ../include/openssl/txt_db.h ../include/openssl/ui.h s_time.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s_time.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_time.c sess_id.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h sess_id.o: ../include/openssl/bio.h ../include/openssl/blowfish.h sess_id.o: ../include/openssl/bn.h ../include/openssl/buffer.h sess_id.o: ../include/openssl/cast.h ../include/openssl/comp.h sess_id.o: ../include/openssl/conf.h ../include/openssl/crypto.h sess_id.o: ../include/openssl/des.h ../include/openssl/des_old.h sess_id.o: ../include/openssl/dh.h ../include/openssl/dsa.h sess_id.o: ../include/openssl/e_os2.h ../include/openssl/engine.h sess_id.o: ../include/openssl/err.h ../include/openssl/evp.h sess_id.o: ../include/openssl/idea.h ../include/openssl/kssl.h sess_id.o: ../include/openssl/lhash.h ../include/openssl/md2.h sess_id.o: ../include/openssl/md4.h ../include/openssl/md5.h sess_id.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h sess_id.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h sess_id.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h sess_id.o: ../include/openssl/pem.h ../include/openssl/pem2.h sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h sess_id.o: ../include/openssl/rc2.h ../include/openssl/rc4.h sess_id.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h sess_id.o: ../include/openssl/rsa.h ../include/openssl/safestack.h sess_id.o: ../include/openssl/sha.h ../include/openssl/ssl.h sess_id.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h sess_id.o: ../include/openssl/ssl3.h ../include/openssl/stack.h sess_id.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h sess_id.o: ../include/openssl/txt_db.h ../include/openssl/ui.h sess_id.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h sess_id.o: ../include/openssl/x509_vfy.h apps.h sess_id.c smime.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h smime.o: ../include/openssl/bio.h ../include/openssl/blowfish.h smime.o: ../include/openssl/bn.h ../include/openssl/buffer.h smime.o: ../include/openssl/cast.h ../include/openssl/conf.h smime.o: ../include/openssl/crypto.h ../include/openssl/des.h smime.o: ../include/openssl/des_old.h ../include/openssl/dh.h smime.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h smime.o: ../include/openssl/engine.h ../include/openssl/err.h smime.o: ../include/openssl/evp.h ../include/openssl/idea.h smime.o: ../include/openssl/lhash.h ../include/openssl/md2.h smime.o: ../include/openssl/md4.h ../include/openssl/md5.h smime.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h smime.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h smime.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h smime.o: ../include/openssl/pem.h ../include/openssl/pem2.h smime.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h smime.o: ../include/openssl/rc2.h ../include/openssl/rc4.h smime.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h smime.o: ../include/openssl/rsa.h ../include/openssl/safestack.h smime.o: ../include/openssl/sha.h ../include/openssl/stack.h smime.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h smime.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h smime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h smime.c speed.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h speed.o: ../include/openssl/bio.h ../include/openssl/blowfish.h speed.o: ../include/openssl/bn.h ../include/openssl/buffer.h speed.o: ../include/openssl/cast.h ../include/openssl/conf.h speed.o: ../include/openssl/crypto.h ../include/openssl/des.h speed.o: ../include/openssl/des_old.h ../include/openssl/dh.h speed.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h speed.o: ../include/openssl/engine.h ../include/openssl/err.h speed.o: ../include/openssl/evp.h ../include/openssl/hmac.h speed.o: ../include/openssl/idea.h ../include/openssl/lhash.h speed.o: ../include/openssl/md2.h ../include/openssl/md4.h speed.o: ../include/openssl/md5.h ../include/openssl/mdc2.h speed.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h speed.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h speed.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h speed.o: ../include/openssl/rand.h ../include/openssl/rc2.h speed.o: ../include/openssl/rc4.h ../include/openssl/rc5.h speed.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h speed.o: ../include/openssl/safestack.h ../include/openssl/sha.h speed.o: ../include/openssl/stack.h ../include/openssl/symhacks.h speed.o: ../include/openssl/txt_db.h ../include/openssl/ui.h speed.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h speed.o: ../include/openssl/x509_vfy.h apps.h speed.c testdsa.h testrsa.h spkac.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h spkac.o: ../include/openssl/bio.h ../include/openssl/blowfish.h spkac.o: ../include/openssl/bn.h ../include/openssl/buffer.h spkac.o: ../include/openssl/cast.h ../include/openssl/conf.h spkac.o: ../include/openssl/crypto.h ../include/openssl/des.h spkac.o: ../include/openssl/des_old.h ../include/openssl/dh.h spkac.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h spkac.o: ../include/openssl/engine.h ../include/openssl/err.h spkac.o: ../include/openssl/evp.h ../include/openssl/idea.h spkac.o: ../include/openssl/lhash.h ../include/openssl/md2.h spkac.o: ../include/openssl/md4.h ../include/openssl/md5.h spkac.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h spkac.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h spkac.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h spkac.o: ../include/openssl/pem.h ../include/openssl/pem2.h spkac.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h spkac.o: ../include/openssl/rc2.h ../include/openssl/rc4.h spkac.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h spkac.o: ../include/openssl/rsa.h ../include/openssl/safestack.h spkac.o: ../include/openssl/sha.h ../include/openssl/stack.h spkac.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h spkac.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h spkac.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h spkac.c verify.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h verify.o: ../include/openssl/bio.h ../include/openssl/blowfish.h verify.o: ../include/openssl/bn.h ../include/openssl/buffer.h verify.o: ../include/openssl/cast.h ../include/openssl/conf.h verify.o: ../include/openssl/crypto.h ../include/openssl/des.h verify.o: ../include/openssl/des_old.h ../include/openssl/dh.h verify.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h verify.o: ../include/openssl/engine.h ../include/openssl/err.h verify.o: ../include/openssl/evp.h ../include/openssl/idea.h verify.o: ../include/openssl/lhash.h ../include/openssl/md2.h verify.o: ../include/openssl/md4.h ../include/openssl/md5.h verify.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h verify.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h verify.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h verify.o: ../include/openssl/pem.h ../include/openssl/pem2.h verify.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h verify.o: ../include/openssl/rc2.h ../include/openssl/rc4.h verify.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h verify.o: ../include/openssl/rsa.h ../include/openssl/safestack.h verify.o: ../include/openssl/sha.h ../include/openssl/stack.h verify.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h verify.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h verify.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h verify.o: ../include/openssl/x509v3.h apps.h verify.c version.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h version.o: ../include/openssl/bio.h ../include/openssl/blowfish.h version.o: ../include/openssl/bn.h ../include/openssl/buffer.h version.o: ../include/openssl/cast.h ../include/openssl/conf.h version.o: ../include/openssl/crypto.h ../include/openssl/des.h version.o: ../include/openssl/des_old.h ../include/openssl/dh.h version.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h version.o: ../include/openssl/engine.h ../include/openssl/err.h version.o: ../include/openssl/evp.h ../include/openssl/idea.h version.o: ../include/openssl/lhash.h ../include/openssl/md2.h version.o: ../include/openssl/md4.h ../include/openssl/md5.h version.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h version.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h version.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h version.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h version.o: ../include/openssl/rc2.h ../include/openssl/rc4.h version.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h version.o: ../include/openssl/rsa.h ../include/openssl/safestack.h version.o: ../include/openssl/sha.h ../include/openssl/stack.h version.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h version.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h version.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h version.o: version.c x509.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h x509.o: ../include/openssl/bio.h ../include/openssl/blowfish.h x509.o: ../include/openssl/bn.h ../include/openssl/buffer.h x509.o: ../include/openssl/cast.h ../include/openssl/conf.h x509.o: ../include/openssl/crypto.h ../include/openssl/des.h x509.o: ../include/openssl/des_old.h ../include/openssl/dh.h x509.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h x509.o: ../include/openssl/engine.h ../include/openssl/err.h x509.o: ../include/openssl/evp.h ../include/openssl/idea.h x509.o: ../include/openssl/lhash.h ../include/openssl/md2.h x509.o: ../include/openssl/md4.h ../include/openssl/md5.h x509.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h x509.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h x509.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h x509.o: ../include/openssl/pem.h ../include/openssl/pem2.h x509.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h x509.o: ../include/openssl/rc2.h ../include/openssl/rc4.h x509.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h x509.o: ../include/openssl/rsa.h ../include/openssl/safestack.h x509.o: ../include/openssl/sha.h ../include/openssl/stack.h x509.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h x509.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h x509.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h x509.o: ../include/openssl/x509v3.h apps.h x509.c diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c index 007e3e06c3e0..93a665e788a3 100644 --- a/crypto/openssl/apps/apps.c +++ b/crypto/openssl/apps/apps.c @@ -1,1424 +1,1975 @@ /* apps/apps.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef OPENSSL_NO_ENGINE #include #endif #ifdef OPENSSL_SYS_WINDOWS #define strcasecmp _stricmp #else # ifdef NO_STRINGS_H int strcasecmp(); # else # include # endif /* NO_STRINGS_H */ #endif #define NON_MAIN #include "apps.h" #undef NON_MAIN typedef struct { char *name; unsigned long flag; unsigned long mask; } NAME_EX_TBL; static UI_METHOD *ui_method = NULL; static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl); static int set_multi_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl); #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA) /* Looks like this stuff is worth moving into separate function */ static EVP_PKEY * load_netscape_key(BIO *err, BIO *key, const char *file, const char *key_descrip, int format); #endif int app_init(long mesgwin); #ifdef undef /* never finished - probably never will be :-) */ int args_from_file(char *file, int *argc, char **argv[]) { FILE *fp; int num,i; unsigned int len; static char *buf=NULL; static char **arg=NULL; char *p; struct stat stbuf; if (stat(file,&stbuf) < 0) return(0); fp=fopen(file,"r"); if (fp == NULL) return(0); *argc=0; *argv=NULL; len=(unsigned int)stbuf.st_size; if (buf != NULL) OPENSSL_free(buf); buf=(char *)OPENSSL_malloc(len+1); if (buf == NULL) return(0); len=fread(buf,1,len,fp); if (len <= 1) return(0); buf[len]='\0'; i=0; for (p=buf; *p; p++) if (*p == '\n') i++; if (arg != NULL) OPENSSL_free(arg); arg=(char **)OPENSSL_malloc(sizeof(char *)*(i*2)); *argv=arg; num=0; p=buf; for (;;) { if (!*p) break; if (*p == '#') /* comment line */ { while (*p && (*p != '\n')) p++; continue; } /* else we have a line */ *(arg++)=p; num++; while (*p && ((*p != ' ') && (*p != '\t') && (*p != '\n'))) p++; if (!*p) break; if (*p == '\n') { *(p++)='\0'; continue; } /* else it is a tab or space */ p++; while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n'))) p++; if (!*p) break; if (*p == '\n') { p++; continue; } *(arg++)=p++; num++; while (*p && (*p != '\n')) p++; if (!*p) break; /* else *p == '\n' */ *(p++)='\0'; } *argc=num; return(1); } #endif int str2fmt(char *s) { if ((*s == 'D') || (*s == 'd')) return(FORMAT_ASN1); else if ((*s == 'T') || (*s == 't')) return(FORMAT_TEXT); else if ((*s == 'P') || (*s == 'p')) return(FORMAT_PEM); else if ((*s == 'N') || (*s == 'n')) return(FORMAT_NETSCAPE); else if ((*s == 'S') || (*s == 's')) return(FORMAT_SMIME); else if ((*s == '1') || (strcmp(s,"PKCS12") == 0) || (strcmp(s,"pkcs12") == 0) || (strcmp(s,"P12") == 0) || (strcmp(s,"p12") == 0)) return(FORMAT_PKCS12); else if ((*s == 'E') || (*s == 'e')) return(FORMAT_ENGINE); else return(FORMAT_UNDEF); } #if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16) void program_name(char *in, char *out, int size) { int i,n; char *p=NULL; n=strlen(in); /* find the last '/', '\' or ':' */ for (i=n-1; i>0; i--) { if ((in[i] == '/') || (in[i] == '\\') || (in[i] == ':')) { p= &(in[i+1]); break; } } if (p == NULL) p=in; n=strlen(p); /* strip off trailing .exe if present. */ if ((n > 4) && (p[n-4] == '.') && ((p[n-3] == 'e') || (p[n-3] == 'E')) && ((p[n-2] == 'x') || (p[n-2] == 'X')) && ((p[n-1] == 'e') || (p[n-1] == 'E'))) n-=4; if (n > size-1) n=size-1; for (i=0; i= 'A') && (p[i] <= 'Z')) out[i]=p[i]-'A'+'a'; else out[i]=p[i]; } out[n]='\0'; } #else #ifdef OPENSSL_SYS_VMS void program_name(char *in, char *out, int size) { char *p=in, *q; char *chars=":]>"; while(*chars != '\0') { q=strrchr(p,*chars); if (q > p) p = q + 1; chars++; } q=strrchr(p,'.'); if (q == NULL) q = p + strlen(p); strncpy(out,p,size-1); if (q-p >= size) { out[size-1]='\0'; } else { out[q-p]='\0'; } } #else void program_name(char *in, char *out, int size) { char *p; p=strrchr(in,'/'); if (p != NULL) p++; else p=in; BUF_strlcpy(out,p,size); } #endif #endif #ifdef OPENSSL_SYS_WIN32 int WIN32_rename(char *from, char *to) { #ifndef OPENSSL_SYS_WINCE /* Windows rename gives an error if 'to' exists, so delete it * first and ignore file not found errror */ if((remove(to) != 0) && (errno != ENOENT)) return -1; #undef rename return rename(from, to); #else /* convert strings to UNICODE */ { BOOL result = FALSE; WCHAR* wfrom; WCHAR* wto; int i; wfrom = malloc((strlen(from)+1)*2); wto = malloc((strlen(to)+1)*2); if (wfrom != NULL && wto != NULL) { for (i=0; i<(int)strlen(from)+1; i++) wfrom[i] = (short)from[i]; for (i=0; i<(int)strlen(to)+1; i++) wto[i] = (short)to[i]; result = MoveFile(wfrom, wto); } if (wfrom != NULL) free(wfrom); if (wto != NULL) free(wto); return result; } #endif } #endif #ifdef OPENSSL_SYS_VMS int VMS_strcasecmp(const char *str1, const char *str2) { while (*str1 && *str2) { int res = toupper(*str1) - toupper(*str2); if (res) return res < 0 ? -1 : 1; } if (*str1) return 1; if (*str2) return -1; return 0; } #endif int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[]) { int num,len,i; char *p; *argc=0; *argv=NULL; len=strlen(buf); i=0; if (arg->count == 0) { arg->count=20; arg->data=(char **)OPENSSL_malloc(sizeof(char *)*arg->count); } for (i=0; icount; i++) arg->data[i]=NULL; num=0; p=buf; for (;;) { /* first scan over white space */ if (!*p) break; while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n'))) p++; if (!*p) break; /* The start of something good :-) */ if (num >= arg->count) { arg->count+=20; arg->data=(char **)OPENSSL_realloc(arg->data, sizeof(char *)*arg->count); if (argc == 0) return(0); } arg->data[num++]=p; /* now look for the end of this */ if ((*p == '\'') || (*p == '\"')) /* scan for closing quote */ { i= *(p++); arg->data[num-1]++; /* jump over quote */ while (*p && (*p != i)) p++; *p='\0'; } else { while (*p && ((*p != ' ') && (*p != '\t') && (*p != '\n'))) p++; if (*p == '\0') p--; else *p='\0'; } p++; } *argc=num; *argv=arg->data; return(1); } #ifndef APP_INIT int app_init(long mesgwin) { return(1); } #endif int dump_cert_text (BIO *out, X509 *x) { char *p; p=X509_NAME_oneline(X509_get_subject_name(x),NULL,0); BIO_puts(out,"subject="); BIO_puts(out,p); OPENSSL_free(p); p=X509_NAME_oneline(X509_get_issuer_name(x),NULL,0); BIO_puts(out,"\nissuer="); BIO_puts(out,p); BIO_puts(out,"\n"); OPENSSL_free(p); return 0; } static int ui_open(UI *ui) { return UI_method_get_opener(UI_OpenSSL())(ui); } static int ui_read(UI *ui, UI_STRING *uis) { if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD && UI_get0_user_data(ui)) { switch(UI_get_string_type(uis)) { case UIT_PROMPT: case UIT_VERIFY: { const char *password = ((PW_CB_DATA *)UI_get0_user_data(ui))->password; - if (password[0] != '\0') + if (password && password[0] != '\0') { UI_set_result(ui, uis, password); return 1; } } default: break; } } return UI_method_get_reader(UI_OpenSSL())(ui, uis); } static int ui_write(UI *ui, UI_STRING *uis) { if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD && UI_get0_user_data(ui)) { switch(UI_get_string_type(uis)) { case UIT_PROMPT: case UIT_VERIFY: { const char *password = ((PW_CB_DATA *)UI_get0_user_data(ui))->password; - if (password[0] != '\0') + if (password && password[0] != '\0') return 1; } default: break; } } return UI_method_get_writer(UI_OpenSSL())(ui, uis); } static int ui_close(UI *ui) { return UI_method_get_closer(UI_OpenSSL())(ui); } int setup_ui_method(void) { ui_method = UI_create_method("OpenSSL application user interface"); UI_method_set_opener(ui_method, ui_open); UI_method_set_reader(ui_method, ui_read); UI_method_set_writer(ui_method, ui_write); UI_method_set_closer(ui_method, ui_close); return 0; } void destroy_ui_method(void) { if(ui_method) { UI_destroy_method(ui_method); ui_method = NULL; } } int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) { UI *ui = NULL; int res = 0; const char *prompt_info = NULL; const char *password = NULL; PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp; if (cb_data) { if (cb_data->password) password = cb_data->password; if (cb_data->prompt_info) prompt_info = cb_data->prompt_info; } if (password) { res = strlen(password); if (res > bufsiz) res = bufsiz; memcpy(buf, password, res); return res; } ui = UI_new_method(ui_method); if (ui) { int ok = 0; char *buff = NULL; int ui_flags = 0; char *prompt = NULL; prompt = UI_construct_prompt(ui, "pass phrase", cb_data->prompt_info); ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD; UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0); if (ok >= 0) ok = UI_add_input_string(ui,prompt,ui_flags,buf, PW_MIN_LENGTH,BUFSIZ-1); if (ok >= 0 && verify) { buff = (char *)OPENSSL_malloc(bufsiz); ok = UI_add_verify_string(ui,prompt,ui_flags,buff, PW_MIN_LENGTH,BUFSIZ-1, buf); } if (ok >= 0) do { ok = UI_process(ui); } while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0)); if (buff) { OPENSSL_cleanse(buff,(unsigned int)bufsiz); OPENSSL_free(buff); } if (ok >= 0) res = strlen(buf); if (ok == -1) { BIO_printf(bio_err, "User interface error\n"); ERR_print_errors(bio_err); OPENSSL_cleanse(buf,(unsigned int)bufsiz); res = 0; } if (ok == -2) { BIO_printf(bio_err,"aborted!\n"); OPENSSL_cleanse(buf,(unsigned int)bufsiz); res = 0; } UI_free(ui); OPENSSL_free(prompt); } return res; } static char *app_get_pass(BIO *err, char *arg, int keepbio); int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2) { int same; if(!arg2 || !arg1 || strcmp(arg1, arg2)) same = 0; else same = 1; if(arg1) { *pass1 = app_get_pass(err, arg1, same); if(!*pass1) return 0; } else if(pass1) *pass1 = NULL; if(arg2) { *pass2 = app_get_pass(err, arg2, same ? 2 : 0); if(!*pass2) return 0; } else if(pass2) *pass2 = NULL; return 1; } static char *app_get_pass(BIO *err, char *arg, int keepbio) { char *tmp, tpass[APP_PASS_LEN]; static BIO *pwdbio = NULL; int i; if(!strncmp(arg, "pass:", 5)) return BUF_strdup(arg + 5); if(!strncmp(arg, "env:", 4)) { tmp = getenv(arg + 4); if(!tmp) { BIO_printf(err, "Can't read environment variable %s\n", arg + 4); return NULL; } return BUF_strdup(tmp); } if(!keepbio || !pwdbio) { if(!strncmp(arg, "file:", 5)) { pwdbio = BIO_new_file(arg + 5, "r"); if(!pwdbio) { BIO_printf(err, "Can't open file %s\n", arg + 5); return NULL; } } else if(!strncmp(arg, "fd:", 3)) { BIO *btmp; i = atoi(arg + 3); if(i >= 0) pwdbio = BIO_new_fd(i, BIO_NOCLOSE); if((i < 0) || !pwdbio) { BIO_printf(err, "Can't access file descriptor %s\n", arg + 3); return NULL; } /* Can't do BIO_gets on an fd BIO so add a buffering BIO */ btmp = BIO_new(BIO_f_buffer()); pwdbio = BIO_push(btmp, pwdbio); } else if(!strcmp(arg, "stdin")) { pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE); if(!pwdbio) { BIO_printf(err, "Can't open BIO for stdin\n"); return NULL; } } else { BIO_printf(err, "Invalid password argument \"%s\"\n", arg); return NULL; } } i = BIO_gets(pwdbio, tpass, APP_PASS_LEN); if(keepbio != 1) { BIO_free_all(pwdbio); pwdbio = NULL; } if(i <= 0) { BIO_printf(err, "Error reading password from BIO\n"); return NULL; } tmp = strchr(tpass, '\n'); if(tmp) *tmp = 0; return BUF_strdup(tpass); } int add_oid_section(BIO *err, CONF *conf) { char *p; STACK_OF(CONF_VALUE) *sktmp; CONF_VALUE *cnf; int i; if(!(p=NCONF_get_string(conf,NULL,"oid_section"))) { ERR_clear_error(); return 1; } if(!(sktmp = NCONF_get_section(conf, p))) { BIO_printf(err, "problem loading oid section %s\n", p); return 0; } for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) { cnf = sk_CONF_VALUE_value(sktmp, i); if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) { BIO_printf(err, "problem creating object %s=%s\n", cnf->name, cnf->value); return 0; } } return 1; } X509 *load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip) { ASN1_HEADER *ah=NULL; BUF_MEM *buf=NULL; X509 *x=NULL; BIO *cert; if ((cert=BIO_new(BIO_s_file())) == NULL) { ERR_print_errors(err); goto end; } if (file == NULL) { setvbuf(stdin, NULL, _IONBF, 0); BIO_set_fp(cert,stdin,BIO_NOCLOSE); } else { if (BIO_read_filename(cert,file) <= 0) { BIO_printf(err, "Error opening %s %s\n", cert_descrip, file); ERR_print_errors(err); goto end; } } if (format == FORMAT_ASN1) x=d2i_X509_bio(cert,NULL); else if (format == FORMAT_NETSCAPE) { unsigned char *p,*op; int size=0,i; /* We sort of have to do it this way because it is sort of nice * to read the header first and check it, then * try to read the certificate */ buf=BUF_MEM_new(); for (;;) { if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10))) goto end; i=BIO_read(cert,&(buf->data[size]),1024*10); size+=i; if (i == 0) break; if (i < 0) { perror("reading certificate"); goto end; } } p=(unsigned char *)buf->data; op=p; /* First load the header */ if ((ah=d2i_ASN1_HEADER(NULL,&p,(long)size)) == NULL) goto end; if ((ah->header == NULL) || (ah->header->data == NULL) || (strncmp(NETSCAPE_CERT_HDR,(char *)ah->header->data, ah->header->length) != 0)) { BIO_printf(err,"Error reading header on certificate\n"); goto end; } /* header is ok, so now read the object */ p=op; ah->meth=X509_asn1_meth(); if ((ah=d2i_ASN1_HEADER(&ah,&p,(long)size)) == NULL) goto end; x=(X509 *)ah->data; ah->data=NULL; } else if (format == FORMAT_PEM) x=PEM_read_bio_X509_AUX(cert,NULL, (pem_password_cb *)password_callback, NULL); else if (format == FORMAT_PKCS12) { PKCS12 *p12 = d2i_PKCS12_bio(cert, NULL); PKCS12_parse(p12, NULL, NULL, &x, NULL); PKCS12_free(p12); p12 = NULL; } else { BIO_printf(err,"bad input format specified for %s\n", cert_descrip); goto end; } end: if (x == NULL) { BIO_printf(err,"unable to load certificate\n"); ERR_print_errors(err); } if (ah != NULL) ASN1_HEADER_free(ah); if (cert != NULL) BIO_free(cert); if (buf != NULL) BUF_MEM_free(buf); return(x); } EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip) { BIO *key=NULL; EVP_PKEY *pkey=NULL; PW_CB_DATA cb_data; cb_data.password = pass; cb_data.prompt_info = file; if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { BIO_printf(err,"no keyfile specified\n"); goto end; } #ifndef OPENSSL_NO_ENGINE if (format == FORMAT_ENGINE) { if (!e) BIO_printf(bio_err,"no engine specified\n"); else pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data); goto end; } #endif key=BIO_new(BIO_s_file()); if (key == NULL) { ERR_print_errors(err); goto end; } if (file == NULL && maybe_stdin) { setvbuf(stdin, NULL, _IONBF, 0); BIO_set_fp(key,stdin,BIO_NOCLOSE); } else if (BIO_read_filename(key,file) <= 0) { BIO_printf(err, "Error opening %s %s\n", key_descrip, file); ERR_print_errors(err); goto end; } if (format == FORMAT_ASN1) { pkey=d2i_PrivateKey_bio(key, NULL); } else if (format == FORMAT_PEM) { pkey=PEM_read_bio_PrivateKey(key,NULL, (pem_password_cb *)password_callback, &cb_data); } #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA) else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC) pkey = load_netscape_key(err, key, file, key_descrip, format); #endif else if (format == FORMAT_PKCS12) { PKCS12 *p12 = d2i_PKCS12_bio(key, NULL); PKCS12_parse(p12, pass, &pkey, NULL, NULL); PKCS12_free(p12); p12 = NULL; } else { BIO_printf(err,"bad input format specified for key file\n"); goto end; } end: if (key != NULL) BIO_free(key); if (pkey == NULL) BIO_printf(err,"unable to load %s\n", key_descrip); return(pkey); } EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip) { BIO *key=NULL; EVP_PKEY *pkey=NULL; PW_CB_DATA cb_data; cb_data.password = pass; cb_data.prompt_info = file; if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { BIO_printf(err,"no keyfile specified\n"); goto end; } #ifndef OPENSSL_NO_ENGINE if (format == FORMAT_ENGINE) { if (!e) BIO_printf(bio_err,"no engine specified\n"); else pkey = ENGINE_load_public_key(e, file, ui_method, &cb_data); goto end; } #endif key=BIO_new(BIO_s_file()); if (key == NULL) { ERR_print_errors(err); goto end; } if (file == NULL && maybe_stdin) { setvbuf(stdin, NULL, _IONBF, 0); BIO_set_fp(key,stdin,BIO_NOCLOSE); } else if (BIO_read_filename(key,file) <= 0) { BIO_printf(err, "Error opening %s %s\n", key_descrip, file); ERR_print_errors(err); goto end; } if (format == FORMAT_ASN1) { pkey=d2i_PUBKEY_bio(key, NULL); } else if (format == FORMAT_PEM) { pkey=PEM_read_bio_PUBKEY(key,NULL, (pem_password_cb *)password_callback, &cb_data); } #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA) else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC) pkey = load_netscape_key(err, key, file, key_descrip, format); #endif else { BIO_printf(err,"bad input format specified for key file\n"); goto end; } end: if (key != NULL) BIO_free(key); if (pkey == NULL) BIO_printf(err,"unable to load %s\n", key_descrip); return(pkey); } #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA) static EVP_PKEY * load_netscape_key(BIO *err, BIO *key, const char *file, const char *key_descrip, int format) { EVP_PKEY *pkey; BUF_MEM *buf; RSA *rsa; const unsigned char *p; int size, i; buf=BUF_MEM_new(); pkey = EVP_PKEY_new(); size = 0; if (buf == NULL || pkey == NULL) goto error; for (;;) { if (!BUF_MEM_grow_clean(buf,size+1024*10)) goto error; i = BIO_read(key, &(buf->data[size]), 1024*10); size += i; if (i == 0) break; if (i < 0) { BIO_printf(err, "Error reading %s %s", key_descrip, file); goto error; } } p=(unsigned char *)buf->data; rsa = d2i_RSA_NET(NULL,&p,(long)size,NULL, (format == FORMAT_IISSGC ? 1 : 0)); if (rsa == NULL) goto error; BUF_MEM_free(buf); EVP_PKEY_set1_RSA(pkey, rsa); return pkey; error: BUF_MEM_free(buf); EVP_PKEY_free(pkey); return NULL; } #endif /* ndef OPENSSL_NO_RC4 */ STACK_OF(X509) *load_certs(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip) { BIO *certs; int i; STACK_OF(X509) *othercerts = NULL; STACK_OF(X509_INFO) *allcerts = NULL; X509_INFO *xi; PW_CB_DATA cb_data; cb_data.password = pass; cb_data.prompt_info = file; if((certs = BIO_new(BIO_s_file())) == NULL) { ERR_print_errors(err); goto end; } if (file == NULL) BIO_set_fp(certs,stdin,BIO_NOCLOSE); else { if (BIO_read_filename(certs,file) <= 0) { BIO_printf(err, "Error opening %s %s\n", cert_descrip, file); ERR_print_errors(err); goto end; } } if (format == FORMAT_PEM) { othercerts = sk_X509_new_null(); if(!othercerts) { sk_X509_free(othercerts); othercerts = NULL; goto end; } allcerts = PEM_X509_INFO_read_bio(certs, NULL, (pem_password_cb *)password_callback, &cb_data); for(i = 0; i < sk_X509_INFO_num(allcerts); i++) { xi = sk_X509_INFO_value (allcerts, i); if (xi->x509) { sk_X509_push(othercerts, xi->x509); xi->x509 = NULL; } } goto end; } else { BIO_printf(err,"bad input format specified for %s\n", cert_descrip); goto end; } end: if (othercerts == NULL) { BIO_printf(err,"unable to load certificates\n"); ERR_print_errors(err); } if (allcerts) sk_X509_INFO_pop_free(allcerts, X509_INFO_free); if (certs != NULL) BIO_free(certs); return(othercerts); } #define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) /* Return error for unknown extensions */ #define X509V3_EXT_DEFAULT 0 /* Print error for unknown extensions */ #define X509V3_EXT_ERROR_UNKNOWN (1L << 16) /* ASN1 parse unknown extensions */ #define X509V3_EXT_PARSE_UNKNOWN (2L << 16) /* BIO_dump unknown extensions */ #define X509V3_EXT_DUMP_UNKNOWN (3L << 16) #define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \ X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION) int set_cert_ex(unsigned long *flags, const char *arg) { static const NAME_EX_TBL cert_tbl[] = { { "compatible", X509_FLAG_COMPAT, 0xffffffffl}, { "ca_default", X509_FLAG_CA, 0xffffffffl}, { "no_header", X509_FLAG_NO_HEADER, 0}, { "no_version", X509_FLAG_NO_VERSION, 0}, { "no_serial", X509_FLAG_NO_SERIAL, 0}, { "no_signame", X509_FLAG_NO_SIGNAME, 0}, { "no_validity", X509_FLAG_NO_VALIDITY, 0}, { "no_subject", X509_FLAG_NO_SUBJECT, 0}, { "no_issuer", X509_FLAG_NO_ISSUER, 0}, { "no_pubkey", X509_FLAG_NO_PUBKEY, 0}, { "no_extensions", X509_FLAG_NO_EXTENSIONS, 0}, { "no_sigdump", X509_FLAG_NO_SIGDUMP, 0}, { "no_aux", X509_FLAG_NO_AUX, 0}, { "no_attributes", X509_FLAG_NO_ATTRIBUTES, 0}, { "ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK}, { "ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK}, { "ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK}, { "ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK}, { NULL, 0, 0} }; return set_multi_opts(flags, arg, cert_tbl); } int set_name_ex(unsigned long *flags, const char *arg) { static const NAME_EX_TBL ex_tbl[] = { { "esc_2253", ASN1_STRFLGS_ESC_2253, 0}, { "esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0}, { "esc_msb", ASN1_STRFLGS_ESC_MSB, 0}, { "use_quote", ASN1_STRFLGS_ESC_QUOTE, 0}, { "utf8", ASN1_STRFLGS_UTF8_CONVERT, 0}, { "ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0}, { "show_type", ASN1_STRFLGS_SHOW_TYPE, 0}, { "dump_all", ASN1_STRFLGS_DUMP_ALL, 0}, { "dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0}, { "dump_der", ASN1_STRFLGS_DUMP_DER, 0}, { "compat", XN_FLAG_COMPAT, 0xffffffffL}, { "sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK}, { "sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK}, { "sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK}, { "sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK}, { "dn_rev", XN_FLAG_DN_REV, 0}, { "nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK}, { "sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK}, { "lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK}, { "align", XN_FLAG_FN_ALIGN, 0}, { "oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK}, { "space_eq", XN_FLAG_SPC_EQ, 0}, { "dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0}, { "RFC2253", XN_FLAG_RFC2253, 0xffffffffL}, { "oneline", XN_FLAG_ONELINE, 0xffffffffL}, { "multiline", XN_FLAG_MULTILINE, 0xffffffffL}, { "ca_default", XN_FLAG_MULTILINE, 0xffffffffL}, { NULL, 0, 0} }; return set_multi_opts(flags, arg, ex_tbl); } int set_ext_copy(int *copy_type, const char *arg) { if (!strcasecmp(arg, "none")) *copy_type = EXT_COPY_NONE; else if (!strcasecmp(arg, "copy")) *copy_type = EXT_COPY_ADD; else if (!strcasecmp(arg, "copyall")) *copy_type = EXT_COPY_ALL; else return 0; return 1; } int copy_extensions(X509 *x, X509_REQ *req, int copy_type) { STACK_OF(X509_EXTENSION) *exts = NULL; X509_EXTENSION *ext, *tmpext; ASN1_OBJECT *obj; int i, idx, ret = 0; if (!x || !req || (copy_type == EXT_COPY_NONE)) return 1; exts = X509_REQ_get_extensions(req); for(i = 0; i < sk_X509_EXTENSION_num(exts); i++) { ext = sk_X509_EXTENSION_value(exts, i); obj = X509_EXTENSION_get_object(ext); idx = X509_get_ext_by_OBJ(x, obj, -1); /* Does extension exist? */ if (idx != -1) { /* If normal copy don't override existing extension */ if (copy_type == EXT_COPY_ADD) continue; /* Delete all extensions of same type */ do { tmpext = X509_get_ext(x, idx); X509_delete_ext(x, idx); X509_EXTENSION_free(tmpext); idx = X509_get_ext_by_OBJ(x, obj, -1); } while (idx != -1); } if (!X509_add_ext(x, ext, -1)) goto end; } ret = 1; end: sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); return ret; } static int set_multi_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl) { STACK_OF(CONF_VALUE) *vals; CONF_VALUE *val; int i, ret = 1; if(!arg) return 0; vals = X509V3_parse_list(arg); for (i = 0; i < sk_CONF_VALUE_num(vals); i++) { val = sk_CONF_VALUE_value(vals, i); if (!set_table_opts(flags, val->name, in_tbl)) ret = 0; } sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); return ret; } static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl) { char c; const NAME_EX_TBL *ptbl; c = arg[0]; if(c == '-') { c = 0; arg++; } else if (c == '+') { c = 1; arg++; } else c = 1; for(ptbl = in_tbl; ptbl->name; ptbl++) { if(!strcasecmp(arg, ptbl->name)) { *flags &= ~ptbl->mask; if(c) *flags |= ptbl->flag; else *flags &= ~ptbl->flag; return 1; } } return 0; } void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags) { char *buf; char mline = 0; int indent = 0; if(title) BIO_puts(out, title); if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { mline = 1; indent = 4; } if(lflags == XN_FLAG_COMPAT) { buf = X509_NAME_oneline(nm, 0, 0); BIO_puts(out, buf); BIO_puts(out, "\n"); OPENSSL_free(buf); } else { if(mline) BIO_puts(out, "\n"); X509_NAME_print_ex(out, nm, indent, lflags); BIO_puts(out, "\n"); } } X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath) { X509_STORE *store; X509_LOOKUP *lookup; if(!(store = X509_STORE_new())) goto end; lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file()); if (lookup == NULL) goto end; if (CAfile) { if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) { BIO_printf(bp, "Error loading file %s\n", CAfile); goto end; } } else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT); lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir()); if (lookup == NULL) goto end; if (CApath) { if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) { BIO_printf(bp, "Error loading directory %s\n", CApath); goto end; } } else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT); ERR_clear_error(); return store; end: X509_STORE_free(store); return NULL; } #ifndef OPENSSL_NO_ENGINE /* Try to load an engine in a shareable library */ static ENGINE *try_load_engine(BIO *err, const char *engine, int debug) { ENGINE *e = ENGINE_by_id("dynamic"); if (e) { if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0) || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) { ENGINE_free(e); e = NULL; } } return e; } ENGINE *setup_engine(BIO *err, const char *engine, int debug) { ENGINE *e = NULL; if (engine) { if(strcmp(engine, "auto") == 0) { BIO_printf(err,"enabling auto ENGINE support\n"); ENGINE_register_all_complete(); return NULL; } if((e = ENGINE_by_id(engine)) == NULL && (e = try_load_engine(err, engine, debug)) == NULL) { BIO_printf(err,"invalid engine \"%s\"\n", engine); ERR_print_errors(err); return NULL; } if (debug) { ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, err, 0); } ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1); if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { BIO_printf(err,"can't use that engine\n"); ERR_print_errors(err); ENGINE_free(e); return NULL; } BIO_printf(err,"engine \"%s\" set.\n", ENGINE_get_id(e)); /* Free our "structural" reference. */ ENGINE_free(e); } return e; } #endif int load_config(BIO *err, CONF *cnf) { if (!cnf) cnf = config; if (!cnf) return 1; OPENSSL_load_builtin_modules(); if (CONF_modules_load(cnf, NULL, 0) <= 0) { BIO_printf(err, "Error configuring OpenSSL\n"); ERR_print_errors(err); return 0; } return 1; } char *make_config_name() { const char *t=X509_get_default_cert_area(); + size_t len; char *p; - p=OPENSSL_malloc(strlen(t)+strlen(OPENSSL_CONF)+2); - strcpy(p,t); + len=strlen(t)+strlen(OPENSSL_CONF)+2; + p=OPENSSL_malloc(len); + BUF_strlcpy(p,t,len); #ifndef OPENSSL_SYS_VMS - strcat(p,"/"); + BUF_strlcat(p,"/",len); #endif - strcat(p,OPENSSL_CONF); + BUF_strlcat(p,OPENSSL_CONF,len); return p; } + +static unsigned long index_serial_hash(const char **a) + { + const char *n; + + n=a[DB_serial]; + while (*n == '0') n++; + return(lh_strhash(n)); + } + +static int index_serial_cmp(const char **a, const char **b) + { + const char *aa,*bb; + + for (aa=a[DB_serial]; *aa == '0'; aa++); + for (bb=b[DB_serial]; *bb == '0'; bb++); + return(strcmp(aa,bb)); + } + +static int index_name_qual(char **a) + { return(a[0][0] == 'V'); } + +static unsigned long index_name_hash(const char **a) + { return(lh_strhash(a[DB_name])); } + +int index_name_cmp(const char **a, const char **b) + { return(strcmp(a[DB_name], + b[DB_name])); } + +static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **) +static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **) +static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **) +static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **) + +#undef BSIZE +#define BSIZE 256 + +BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai) + { + BIO *in=NULL; + BIGNUM *ret=NULL; + MS_STATIC char buf[1024]; + ASN1_INTEGER *ai=NULL; + + ai=ASN1_INTEGER_new(); + if (ai == NULL) goto err; + + if ((in=BIO_new(BIO_s_file())) == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + + if (BIO_read_filename(in,serialfile) <= 0) + { + if (!create) + { + perror(serialfile); + goto err; + } + else + { + ASN1_INTEGER_set(ai,1); + ret=BN_new(); + if (ret == NULL) + BIO_printf(bio_err, "Out of memory\n"); + else + BN_one(ret); + } + } + else + { + if (!a2i_ASN1_INTEGER(in,ai,buf,1024)) + { + BIO_printf(bio_err,"unable to load number from %s\n", + serialfile); + goto err; + } + ret=ASN1_INTEGER_to_BN(ai,NULL); + if (ret == NULL) + { + BIO_printf(bio_err,"error converting number from bin to BIGNUM\n"); + goto err; + } + } + + if (ret && retai) + { + *retai = ai; + ai = NULL; + } + err: + if (in != NULL) BIO_free(in); + if (ai != NULL) ASN1_INTEGER_free(ai); + return(ret); + } + +int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai) + { + char buf[1][BSIZE]; + BIO *out = NULL; + int ret=0; + ASN1_INTEGER *ai=NULL; + int j; + + if (suffix == NULL) + j = strlen(serialfile); + else + j = strlen(serialfile) + strlen(suffix) + 1; + if (j >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + + if (suffix == NULL) + BUF_strlcpy(buf[0], serialfile, BSIZE); + else + { +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix); +#endif + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]); +#endif + out=BIO_new(BIO_s_file()); + if (out == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + if (BIO_write_filename(out,buf[0]) <= 0) + { + perror(serialfile); + goto err; + } + + if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL) + { + BIO_printf(bio_err,"error converting serial to ASN.1 format\n"); + goto err; + } + i2a_ASN1_INTEGER(out,ai); + BIO_puts(out,"\n"); + ret=1; + if (retai) + { + *retai = ai; + ai = NULL; + } +err: + if (out != NULL) BIO_free_all(out); + if (ai != NULL) ASN1_INTEGER_free(ai); + return(ret); + } + +int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix) + { + char buf[5][BSIZE]; + int i,j; + struct stat sb; + + i = strlen(serialfile) + strlen(old_suffix); + j = strlen(serialfile) + strlen(new_suffix); + if (i > j) j = i; + if (j + 1 >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", + serialfile, new_suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", + serialfile, new_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", + serialfile, old_suffix); +#else + j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", + serialfile, old_suffix); +#endif + if (stat(serialfile,&sb) < 0) + { + if (errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR) +#endif + goto err; + } + else + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + serialfile, buf[1]); +#endif + if (rename(serialfile,buf[1]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + serialfile, buf[1]); + perror("reason"); + goto err; + } + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[0],serialfile); +#endif + if (rename(buf[0],serialfile) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[0],serialfile); + perror("reason"); + rename(buf[1],serialfile); + goto err; + } + return 1; + err: + return 0; + } + +CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) + { + CA_DB *retdb = NULL; + TXT_DB *tmpdb = NULL; + BIO *in = BIO_new(BIO_s_file()); + CONF *dbattr_conf = NULL; + char buf[1][BSIZE]; + long errorline= -1; + + if (in == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + if (BIO_read_filename(in,dbfile) <= 0) + { + perror(dbfile); + BIO_printf(bio_err,"unable to open '%s'\n",dbfile); + goto err; + } + if ((tmpdb = TXT_DB_read(in,DB_NUMBER)) == NULL) + { + if (tmpdb != NULL) TXT_DB_free(tmpdb); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile); +#else + BIO_snprintf(buf[0], sizeof buf[0], "%s-attr", dbfile); +#endif + dbattr_conf = NCONF_new(NULL); + if (NCONF_load(dbattr_conf,buf[0],&errorline) <= 0) + { + if (errorline > 0) + { + BIO_printf(bio_err, + "error on line %ld of db attribute file '%s'\n" + ,errorline,buf[0]); + goto err; + } + else + { + NCONF_free(dbattr_conf); + dbattr_conf = NULL; + } + } + + if ((retdb = OPENSSL_malloc(sizeof(CA_DB))) == NULL) + { + fprintf(stderr, "Out of memory\n"); + goto err; + } + + retdb->db = tmpdb; + tmpdb = NULL; + if (db_attr) + retdb->attributes = *db_attr; + else + { + retdb->attributes.unique_subject = 1; + } + + if (dbattr_conf) + { + char *p = NCONF_get_string(dbattr_conf,NULL,"unique_subject"); + if (p) + { + BIO_printf(bio_err, "DEBUG[load_index]: unique_subject = \"%s\"\n", p); + switch(*p) + { + case 'f': /* false */ + case 'F': /* FALSE */ + case 'n': /* no */ + case 'N': /* NO */ + retdb->attributes.unique_subject = 0; + break; + case 't': /* true */ + case 'T': /* TRUE */ + case 'y': /* yes */ + case 'Y': /* YES */ + default: + retdb->attributes.unique_subject = 1; + break; + } + } + } + + err: + if (dbattr_conf) NCONF_free(dbattr_conf); + if (tmpdb) TXT_DB_free(tmpdb); + if (in) BIO_free_all(in); + return retdb; + } + +int index_index(CA_DB *db) + { + if (!TXT_DB_create_index(db->db, DB_serial, NULL, + LHASH_HASH_FN(index_serial_hash), + LHASH_COMP_FN(index_serial_cmp))) + { + BIO_printf(bio_err, + "error creating serial number index:(%ld,%ld,%ld)\n", + db->db->error,db->db->arg1,db->db->arg2); + return 0; + } + + if (db->attributes.unique_subject + && !TXT_DB_create_index(db->db, DB_name, index_name_qual, + LHASH_HASH_FN(index_name_hash), + LHASH_COMP_FN(index_name_cmp))) + { + BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n", + db->db->error,db->db->arg1,db->db->arg2); + return 0; + } + return 1; + } + +int save_index(char *dbfile, char *suffix, CA_DB *db) + { + char buf[3][BSIZE]; + BIO *out = BIO_new(BIO_s_file()); + int j; + + if (out == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + + j = strlen(dbfile) + strlen(suffix); + if (j + 6 >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile); +#else + j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix); +#else + j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix); +#endif +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]); +#endif + if (BIO_write_filename(out,buf[0]) <= 0) + { + perror(dbfile); + BIO_printf(bio_err,"unable to open '%s'\n", dbfile); + goto err; + } + j=TXT_DB_write(out,db->db); + if (j <= 0) goto err; + + BIO_free(out); + + out = BIO_new(BIO_s_file()); +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]); +#endif + if (BIO_write_filename(out,buf[1]) <= 0) + { + perror(buf[2]); + BIO_printf(bio_err,"unable to open '%s'\n", buf[2]); + goto err; + } + BIO_printf(out,"unique_subject = %s\n", + db->attributes.unique_subject ? "yes" : "no"); + BIO_free(out); + + return 1; + err: + return 0; + } + +int rotate_index(char *dbfile, char *new_suffix, char *old_suffix) + { + char buf[5][BSIZE]; + int i,j; + struct stat sb; + + i = strlen(dbfile) + strlen(old_suffix); + j = strlen(dbfile) + strlen(new_suffix); + if (i > j) j = i; + if (j + 6 >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile); +#else + j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", + dbfile, new_suffix); +#else + j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", + dbfile, new_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", + dbfile, new_suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", + dbfile, new_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", + dbfile, old_suffix); +#else + j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", + dbfile, old_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", + dbfile, old_suffix); +#else + j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", + dbfile, old_suffix); +#endif + if (stat(dbfile,&sb) < 0) + { + if (errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR) +#endif + goto err; + } + else + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + dbfile, buf[1]); +#endif + if (rename(dbfile,buf[1]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + dbfile, buf[1]); + perror("reason"); + goto err; + } + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[0],dbfile); +#endif + if (rename(buf[0],dbfile) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[0],dbfile); + perror("reason"); + rename(buf[1],dbfile); + goto err; + } + if (stat(buf[4],&sb) < 0) + { + if (errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR) +#endif + goto err; + } + else + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[4],buf[3]); +#endif + if (rename(buf[4],buf[3]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[4], buf[3]); + perror("reason"); + rename(dbfile,buf[0]); + rename(buf[1],dbfile); + goto err; + } + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[2],buf[4]); +#endif + if (rename(buf[2],buf[4]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[2],buf[4]); + perror("reason"); + rename(buf[3],buf[4]); + rename(dbfile,buf[0]); + rename(buf[1],dbfile); + goto err; + } + return 1; + err: + return 0; + } + +void free_index(CA_DB *db) + { + TXT_DB_free(db->db); + OPENSSL_free(db); + } diff --git a/crypto/openssl/apps/apps.h b/crypto/openssl/apps/apps.h index c36b9d256657..8a9c4ab0a054 100644 --- a/crypto/openssl/apps/apps.h +++ b/crypto/openssl/apps/apps.h @@ -1,313 +1,344 @@ /* apps/apps.h */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #ifndef HEADER_APPS_H #define HEADER_APPS_H #include "e_os.h" #include #include #include #include #include #include #include #ifndef OPENSSL_NO_ENGINE #include #endif #include int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn); int app_RAND_write_file(const char *file, BIO *bio_e); /* When `file' is NULL, use defaults. * `bio_e' is for error messages. */ void app_RAND_allow_write_file(void); long app_RAND_load_files(char *file); /* `file' is a list of files to read, * separated by LIST_SEPARATOR_CHAR * (see e_os.h). The string is * destroyed! */ #ifdef OPENSSL_SYS_WIN32 #define rename(from,to) WIN32_rename((from),(to)) int WIN32_rename(char *oldname,char *newname); #endif /* VMS below version 7.0 doesn't have strcasecmp() */ #ifdef OPENSSL_SYS_VMS #define strcasecmp(str1,str2) VMS_strcasecmp((str1),(str2)) int VMS_strcasecmp(const char *str1, const char *str2); #endif #ifndef MONOLITH #define MAIN(a,v) main(a,v) #ifndef NON_MAIN CONF *config=NULL; BIO *bio_err=NULL; #else extern CONF *config; extern BIO *bio_err; #endif #else #define MAIN(a,v) PROG(a,v) extern CONF *config; extern char *default_config_file; extern BIO *bio_err; #endif #include #ifdef SIGPIPE #define do_pipe_sig() signal(SIGPIPE,SIG_IGN) #else #define do_pipe_sig() #endif #if defined(MONOLITH) && !defined(OPENSSL_C) # define apps_startup() \ do_pipe_sig() # define apps_shutdown() #else # ifndef OPENSSL_NO_ENGINE # if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ defined(OPENSSL_SYS_WIN32) # ifdef _O_BINARY # define apps_startup() \ do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) # else # define apps_startup() \ do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) # endif # else # define apps_startup() \ do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ ERR_load_crypto_strings(); ENGINE_load_builtin_engines(); \ setup_ui_method(); } while(0) # endif # define apps_shutdown() \ do { CONF_modules_unload(1); destroy_ui_method(); \ EVP_cleanup(); ENGINE_cleanup(); \ CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ ERR_free_strings(); } while(0) # else # if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ defined(OPENSSL_SYS_WIN32) # ifdef _O_BINARY # define apps_startup() \ do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ setup_ui_method(); } while(0) # else # define apps_startup() \ do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ setup_ui_method(); } while(0) # endif # else # define apps_startup() \ do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ ERR_load_crypto_strings(); \ setup_ui_method(); } while(0) # endif # define apps_shutdown() \ do { CONF_modules_unload(1); destroy_ui_method(); \ EVP_cleanup(); \ CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ ERR_free_strings(); } while(0) # endif #endif typedef struct args_st { char **data; int count; } ARGS; #define PW_MIN_LENGTH 4 typedef struct pw_cb_data { const void *password; const char *prompt_info; } PW_CB_DATA; int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data); int setup_ui_method(void); void destroy_ui_method(void); int should_retry(int i); int args_from_file(char *file, int *argc, char **argv[]); int str2fmt(char *s); void program_name(char *in,char *out,int size); int chopup_args(ARGS *arg,char *buf, int *argc, char **argv[]); #ifdef HEADER_X509_H int dump_cert_text(BIO *out, X509 *x); void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags); #endif int set_cert_ex(unsigned long *flags, const char *arg); int set_name_ex(unsigned long *flags, const char *arg); int set_ext_copy(int *copy_type, const char *arg); int copy_extensions(X509 *x, X509_REQ *req, int copy_type); int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2); int add_oid_section(BIO *err, CONF *conf); X509 *load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip); EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip); EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip); STACK_OF(X509) *load_certs(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip); X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath); #ifndef OPENSSL_NO_ENGINE ENGINE *setup_engine(BIO *err, const char *engine, int debug); #endif int load_config(BIO *err, CONF *cnf); char *make_config_name(void); /* Functions defined in ca.c and also used in ocsp.c */ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str); -int make_serial_index(TXT_DB *db); + +#define DB_type 0 +#define DB_exp_date 1 +#define DB_rev_date 2 +#define DB_serial 3 /* index - unique */ +#define DB_file 4 +#define DB_name 5 /* index - unique when active and not disabled */ +#define DB_NUMBER 6 + +#define DB_TYPE_REV 'R' +#define DB_TYPE_EXP 'E' +#define DB_TYPE_VAL 'V' + +typedef struct db_attr_st + { + int unique_subject; + } DB_ATTR; +typedef struct ca_db_st + { + DB_ATTR attributes; + TXT_DB *db; + } CA_DB; + +BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai); +int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai); +int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix); +CA_DB *load_index(char *dbfile, DB_ATTR *dbattr); +int index_index(CA_DB *db); +int save_index(char *dbfile, char *suffix, CA_DB *db); +int rotate_index(char *dbfile, char *new_suffix, char *old_suffix); +void free_index(CA_DB *db); +int index_name_cmp(const char **a, const char **b); X509_NAME *do_subject(char *str, long chtype); #define FORMAT_UNDEF 0 #define FORMAT_ASN1 1 #define FORMAT_TEXT 2 #define FORMAT_PEM 3 #define FORMAT_NETSCAPE 4 #define FORMAT_PKCS12 5 #define FORMAT_SMIME 6 #define FORMAT_ENGINE 7 #define FORMAT_IISSGC 8 /* XXX this stupid macro helps us to avoid * adding yet another param to load_*key() */ #define EXT_COPY_NONE 0 #define EXT_COPY_ADD 1 #define EXT_COPY_ALL 2 #define NETSCAPE_CERT_HDR "certificate" #define APP_PASS_LEN 1024 #endif diff --git a/crypto/openssl/apps/asn1pars.c b/crypto/openssl/apps/asn1pars.c index 83674154053a..7db40adf0436 100644 --- a/crypto/openssl/apps/asn1pars.c +++ b/crypto/openssl/apps/asn1pars.c @@ -1,337 +1,345 @@ /* apps/asn1pars.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* A nice addition from Dr Stephen Henson to * add the -strparse option which parses nested binary structures */ #include #include #include #include "apps.h" #include #include #include #include /* -inform arg - input format - default PEM (DER or PEM) * -in arg - input file - default stdin * -i - indent the details by depth * -offset - where in the file to start * -length - how many bytes to use * -oid file - extra oid description file */ #undef PROG #define PROG asn1parse_main int MAIN(int, char **); int MAIN(int argc, char **argv) { int i,badops=0,offset=0,ret=1,j; unsigned int length=0; long num,tmplen; BIO *in=NULL,*out=NULL,*b64=NULL, *derout = NULL; int informat,indent=0, noout = 0, dump = 0; char *infile=NULL,*str=NULL,*prog,*oidfile=NULL, *derfile=NULL; unsigned char *tmpbuf; BUF_MEM *buf=NULL; STACK *osk=NULL; ASN1_TYPE *at=NULL; informat=FORMAT_PEM; apps_startup(); if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); if (!load_config(bio_err, NULL)) goto end; prog=argv[0]; argc--; argv++; if ((osk=sk_new_null()) == NULL) { BIO_printf(bio_err,"Memory allocation failure\n"); goto end; } while (argc >= 1) { if (strcmp(*argv,"-inform") == 0) { if (--argc < 1) goto bad; informat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-in") == 0) { if (--argc < 1) goto bad; infile= *(++argv); } else if (strcmp(*argv,"-out") == 0) { if (--argc < 1) goto bad; derfile= *(++argv); } else if (strcmp(*argv,"-i") == 0) { indent=1; } else if (strcmp(*argv,"-noout") == 0) noout = 1; else if (strcmp(*argv,"-oid") == 0) { if (--argc < 1) goto bad; oidfile= *(++argv); } else if (strcmp(*argv,"-offset") == 0) { if (--argc < 1) goto bad; offset= atoi(*(++argv)); } else if (strcmp(*argv,"-length") == 0) { if (--argc < 1) goto bad; length= atoi(*(++argv)); if (length == 0) goto bad; } else if (strcmp(*argv,"-dump") == 0) { dump= -1; } else if (strcmp(*argv,"-dlimit") == 0) { if (--argc < 1) goto bad; dump= atoi(*(++argv)); if (dump <= 0) goto bad; } else if (strcmp(*argv,"-strparse") == 0) { if (--argc < 1) goto bad; sk_push(osk,*(++argv)); } else { BIO_printf(bio_err,"unknown option %s\n",*argv); badops=1; break; } argc--; argv++; } if (badops) { bad: BIO_printf(bio_err,"%s [options] data[num]),BUFSIZ); if (i <= 0) break; num+=i; } str=buf->data; /* If any structs to parse go through in sequence */ if (sk_num(osk)) { tmpbuf=(unsigned char *)str; tmplen=num; for (i=0; ivalue.asn1_string->data; tmplen=at->value.asn1_string->length; } str=(char *)tmpbuf; num=tmplen; } - if (length == 0) length=(unsigned int)num; + if (offset >= num) + { + BIO_printf(bio_err, "Error: offset too large\n"); + goto end; + } + + num -= offset; + + if ((length == 0) || ((long)length > num)) length=(unsigned int)num; if(derout) { if(BIO_write(derout, str + offset, length) != (int)length) { BIO_printf(bio_err, "Error writing output\n"); ERR_print_errors(bio_err); goto end; } } if (!noout && !ASN1_parse_dump(out,(unsigned char *)&(str[offset]),length, indent,dump)) { ERR_print_errors(bio_err); goto end; } ret=0; end: BIO_free(derout); if (in != NULL) BIO_free(in); if (out != NULL) BIO_free_all(out); if (b64 != NULL) BIO_free(b64); if (ret != 0) ERR_print_errors(bio_err); if (buf != NULL) BUF_MEM_free(buf); if (at != NULL) ASN1_TYPE_free(at); if (osk != NULL) sk_free(osk); OBJ_cleanup(); apps_shutdown(); OPENSSL_EXIT(ret); } diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c index 7ed60c7a9ac1..2db61b1eae88 100644 --- a/crypto/openssl/apps/ca.c +++ b/crypto/openssl/apps/ca.c @@ -1,3337 +1,3080 @@ /* apps/ca.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* The PPKI stuff has been donated by Jeff Barber */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef OPENSSL_SYS_WINDOWS #define strcasecmp _stricmp #else # ifdef NO_STRINGS_H int strcasecmp(); # else # include # endif /* NO_STRINGS_H */ #endif #ifndef W_OK # ifdef OPENSSL_SYS_VMS # if defined(__DECC) # include # else # include # endif # elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) # include # endif #endif #include "apps.h" #ifndef W_OK # define F_OK 0 # define X_OK 1 # define W_OK 2 # define R_OK 4 #endif #undef PROG #define PROG ca_main #define BASE_SECTION "ca" #define CONFIG_FILE "openssl.cnf" #define ENV_DEFAULT_CA "default_ca" #define ENV_DIR "dir" #define ENV_CERTS "certs" #define ENV_CRL_DIR "crl_dir" #define ENV_CA_DB "CA_DB" #define ENV_NEW_CERTS_DIR "new_certs_dir" #define ENV_CERTIFICATE "certificate" #define ENV_SERIAL "serial" +#define ENV_CRLNUMBER "crlnumber" #define ENV_CRL "crl" #define ENV_PRIVATE_KEY "private_key" #define ENV_RANDFILE "RANDFILE" #define ENV_DEFAULT_DAYS "default_days" #define ENV_DEFAULT_STARTDATE "default_startdate" #define ENV_DEFAULT_ENDDATE "default_enddate" #define ENV_DEFAULT_CRL_DAYS "default_crl_days" #define ENV_DEFAULT_CRL_HOURS "default_crl_hours" #define ENV_DEFAULT_MD "default_md" #define ENV_DEFAULT_EMAIL_DN "email_in_dn" #define ENV_PRESERVE "preserve" #define ENV_POLICY "policy" #define ENV_EXTENSIONS "x509_extensions" #define ENV_CRLEXT "crl_extensions" #define ENV_MSIE_HACK "msie_hack" #define ENV_NAMEOPT "name_opt" #define ENV_CERTOPT "cert_opt" #define ENV_EXTCOPY "copy_extensions" #define ENV_DATABASE "database" -#define DB_type 0 -#define DB_exp_date 1 -#define DB_rev_date 2 -#define DB_serial 3 /* index - unique */ -#define DB_file 4 -#define DB_name 5 /* index - unique for active */ -#define DB_NUMBER 6 - -#define DB_TYPE_REV 'R' -#define DB_TYPE_EXP 'E' -#define DB_TYPE_VAL 'V' - /* Additional revocation information types */ #define REV_NONE 0 /* No addditional information */ #define REV_CRL_REASON 1 /* Value is CRL reason code */ #define REV_HOLD 2 /* Value is hold instruction */ #define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */ #define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */ static char *ca_usage[]={ "usage: ca args\n", "\n", " -verbose - Talk alot while doing things\n", " -config file - A config file\n", " -name arg - The particular CA definition to use\n", " -gencrl - Generate a new CRL\n", " -crldays days - Days is when the next CRL is due\n", " -crlhours hours - Hours is when the next CRL is due\n", " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n", " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n", " -days arg - number of days to certify the certificate for\n", " -md arg - md to use, one of md2, md5, sha or sha1\n", " -policy arg - The CA 'policy' to support\n", " -keyfile arg - private key file\n", " -keyform arg - private key file format (PEM or ENGINE)\n", " -key arg - key to decode the private key if it is encrypted\n", " -cert file - The CA certificate\n", " -in file - The input PEM encoded certificate request(s)\n", " -out file - Where to put the output file(s)\n", " -outdir dir - Where to put output certificates\n", " -infiles .... - The last argument, requests to process\n", " -spkac file - File contains DN and signed public key and challenge\n", " -ss_cert file - File contains a self signed cert to sign\n", " -preserveDN - Don't re-order the DN\n", " -noemailDN - Don't add the EMAIL field into certificate' subject\n", " -batch - Don't ask questions\n", " -msie_hack - msie modifications to handle all those universal strings\n", " -revoke file - Revoke a certificate (given in file)\n", " -subj arg - Use arg instead of request's subject\n", " -extensions .. - Extension section (override value in config file)\n", " -extfile file - Configuration file with X509v3 extentions to add\n", " -crlexts .. - CRL extension section (override value in config file)\n", #ifndef OPENSSL_NO_ENGINE " -engine e - use engine e, possibly a hardware device.\n", #endif " -status serial - Shows certificate status given the serial number\n", " -updatedb - Updates db for expired certificates\n", NULL }; #ifdef EFENCE extern int EF_PROTECT_FREE; extern int EF_PROTECT_BELOW; extern int EF_ALIGNMENT; #endif static void lookup_fail(char *name,char *tag); -static unsigned long index_serial_hash(const char **a); -static int index_serial_cmp(const char **a, const char **b); -static unsigned long index_name_hash(const char **a); -static int index_name_qual(char **a); -static int index_name_cmp(const char **a,const char **b); -static BIGNUM *load_serial(char *serialfile); -static int save_serial(char *serialfile, BIGNUM *serial); static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, - const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db, + const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial, char *subj, int email_dn, + CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *conf,int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, ENGINE *e); static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial,char *subj, int email_dn, + CA_DB *db, BIGNUM *serial,char *subj, int email_dn, char *startdate, char *enddate, long days, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); static int fix_data(int nid, int *type); static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, - STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, int verbose, X509_REQ *req, char *ext_sect, CONF *conf, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); -static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval); -static int get_certificate_status(const char *ser_status, TXT_DB *db); -static int do_updatedb(TXT_DB *db); +static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval); +static int get_certificate_status(const char *ser_status, CA_DB *db); +static int do_updatedb(CA_DB *db); static int check_time_format(char *str); char *make_revocation_str(int rev_type, char *rev_arg); int make_revoked(X509_REVOKED *rev, char *str); int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str); static CONF *conf=NULL; static CONF *extconf=NULL; static char *section=NULL; static int preserve=0; static int msie_hack=0; -static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **) -static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **) - int MAIN(int, char **); int MAIN(int argc, char **argv) { ENGINE *e = NULL; char *key=NULL,*passargin=NULL; int free_key = 0; int total=0; int total_done=0; int badops=0; int ret=1; int email_dn=1; int req=0; int verbose=0; int gencrl=0; int dorevoke=0; int doupdatedb=0; long crldays=0; long crlhours=0; long errorline= -1; char *configfile=NULL; char *md=NULL; char *policy=NULL; char *keyfile=NULL; char *certfile=NULL; int keyform=FORMAT_PEM; char *infile=NULL; char *spkac_file=NULL; char *ss_cert_file=NULL; char *ser_status=NULL; EVP_PKEY *pkey=NULL; int output_der = 0; char *outfile=NULL; char *outdir=NULL; char *serialfile=NULL; + char *crlnumberfile=NULL; char *extensions=NULL; char *extfile=NULL; char *subj=NULL; char *tmp_email_dn=NULL; char *crl_ext=NULL; int rev_type = REV_NONE; char *rev_arg = NULL; BIGNUM *serial=NULL; + BIGNUM *crlnumber=NULL; char *startdate=NULL; char *enddate=NULL; long days=0; int batch=0; int notext=0; unsigned long nameopt = 0, certopt = 0; int default_op = 1; int ext_copy = EXT_COPY_NONE; X509 *x509=NULL; X509 *x=NULL; BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL; char *dbfile=NULL; - TXT_DB *db=NULL; + CA_DB *db=NULL; X509_CRL *crl=NULL; X509_REVOKED *r=NULL; ASN1_TIME *tmptm; ASN1_INTEGER *tmpser; char **pp,*p,*f; int i,j; - long l; const EVP_MD *dgst=NULL; STACK_OF(CONF_VALUE) *attribs=NULL; STACK_OF(X509) *cert_sk=NULL; #undef BSIZE #define BSIZE 256 MS_STATIC char buf[3][BSIZE]; char *randfile=NULL; #ifndef OPENSSL_NO_ENGINE char *engine = NULL; #endif char *tofree=NULL; + DB_ATTR db_attr; #ifdef EFENCE EF_PROTECT_FREE=1; EF_PROTECT_BELOW=1; EF_ALIGNMENT=0; #endif apps_startup(); conf = NULL; key = NULL; section = NULL; preserve=0; msie_hack=0; if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); argc--; argv++; while (argc >= 1) { if (strcmp(*argv,"-verbose") == 0) verbose=1; else if (strcmp(*argv,"-config") == 0) { if (--argc < 1) goto bad; configfile= *(++argv); } else if (strcmp(*argv,"-name") == 0) { if (--argc < 1) goto bad; section= *(++argv); } else if (strcmp(*argv,"-subj") == 0) { if (--argc < 1) goto bad; subj= *(++argv); /* preserve=1; */ } else if (strcmp(*argv,"-startdate") == 0) { if (--argc < 1) goto bad; startdate= *(++argv); } else if (strcmp(*argv,"-enddate") == 0) { if (--argc < 1) goto bad; enddate= *(++argv); } else if (strcmp(*argv,"-days") == 0) { if (--argc < 1) goto bad; days=atoi(*(++argv)); } else if (strcmp(*argv,"-md") == 0) { if (--argc < 1) goto bad; md= *(++argv); } else if (strcmp(*argv,"-policy") == 0) { if (--argc < 1) goto bad; policy= *(++argv); } else if (strcmp(*argv,"-keyfile") == 0) { if (--argc < 1) goto bad; keyfile= *(++argv); } else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) goto bad; keyform=str2fmt(*(++argv)); } else if (strcmp(*argv,"-passin") == 0) { if (--argc < 1) goto bad; passargin= *(++argv); } else if (strcmp(*argv,"-key") == 0) { if (--argc < 1) goto bad; key= *(++argv); } else if (strcmp(*argv,"-cert") == 0) { if (--argc < 1) goto bad; certfile= *(++argv); } else if (strcmp(*argv,"-in") == 0) { if (--argc < 1) goto bad; infile= *(++argv); req=1; } else if (strcmp(*argv,"-out") == 0) { if (--argc < 1) goto bad; outfile= *(++argv); } else if (strcmp(*argv,"-outdir") == 0) { if (--argc < 1) goto bad; outdir= *(++argv); } else if (strcmp(*argv,"-notext") == 0) notext=1; else if (strcmp(*argv,"-batch") == 0) batch=1; else if (strcmp(*argv,"-preserveDN") == 0) preserve=1; else if (strcmp(*argv,"-noemailDN") == 0) email_dn=0; else if (strcmp(*argv,"-gencrl") == 0) gencrl=1; else if (strcmp(*argv,"-msie_hack") == 0) msie_hack=1; else if (strcmp(*argv,"-crldays") == 0) { if (--argc < 1) goto bad; crldays= atol(*(++argv)); } else if (strcmp(*argv,"-crlhours") == 0) { if (--argc < 1) goto bad; crlhours= atol(*(++argv)); } else if (strcmp(*argv,"-infiles") == 0) { argc--; argv++; req=1; break; } else if (strcmp(*argv, "-ss_cert") == 0) { if (--argc < 1) goto bad; ss_cert_file = *(++argv); req=1; } else if (strcmp(*argv, "-spkac") == 0) { if (--argc < 1) goto bad; spkac_file = *(++argv); req=1; } else if (strcmp(*argv,"-revoke") == 0) { if (--argc < 1) goto bad; infile= *(++argv); dorevoke=1; } else if (strcmp(*argv,"-extensions") == 0) { if (--argc < 1) goto bad; extensions= *(++argv); } else if (strcmp(*argv,"-extfile") == 0) { if (--argc < 1) goto bad; extfile= *(++argv); } else if (strcmp(*argv,"-status") == 0) { if (--argc < 1) goto bad; ser_status= *(++argv); } else if (strcmp(*argv,"-updatedb") == 0) { doupdatedb=1; } else if (strcmp(*argv,"-crlexts") == 0) { if (--argc < 1) goto bad; crl_ext= *(++argv); } else if (strcmp(*argv,"-crl_reason") == 0) { if (--argc < 1) goto bad; rev_arg = *(++argv); rev_type = REV_CRL_REASON; } else if (strcmp(*argv,"-crl_hold") == 0) { if (--argc < 1) goto bad; rev_arg = *(++argv); rev_type = REV_HOLD; } else if (strcmp(*argv,"-crl_compromise") == 0) { if (--argc < 1) goto bad; rev_arg = *(++argv); rev_type = REV_KEY_COMPROMISE; } else if (strcmp(*argv,"-crl_CA_compromise") == 0) { if (--argc < 1) goto bad; rev_arg = *(++argv); rev_type = REV_CA_COMPROMISE; } #ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } #endif else { bad: BIO_printf(bio_err,"unknown option %s\n",*argv); badops=1; break; } argc--; argv++; } if (badops) { for (pp=ca_usage; (*pp != NULL); pp++) BIO_printf(bio_err,"%s",*pp); goto err; } ERR_load_crypto_strings(); #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif /*****************************************************************/ tofree=NULL; if (configfile == NULL) configfile = getenv("OPENSSL_CONF"); if (configfile == NULL) configfile = getenv("SSLEAY_CONF"); if (configfile == NULL) { const char *s=X509_get_default_cert_area(); + size_t len; #ifdef OPENSSL_SYS_VMS - tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)); + len = strlen(s)+sizeof(CONFIG_FILE); + tofree=OPENSSL_malloc(len); strcpy(tofree,s); #else - tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)+1); - strcpy(tofree,s); - strcat(tofree,"/"); + len = strlen(s)+sizeof(CONFIG_FILE)+1; + tofree=OPENSSL_malloc(len); + BUF_strlcpy(tofree,s,len); + BUF_strlcat(tofree,"/",len); #endif - strcat(tofree,CONFIG_FILE); + BUF_strlcat(tofree,CONFIG_FILE,len); configfile=tofree; } BIO_printf(bio_err,"Using configuration from %s\n",configfile); conf = NCONF_new(NULL); if (NCONF_load(conf,configfile,&errorline) <= 0) { if (errorline <= 0) BIO_printf(bio_err,"error loading the config file '%s'\n", configfile); else BIO_printf(bio_err,"error on line %ld of config file '%s'\n" ,errorline,configfile); goto err; } if(tofree) { OPENSSL_free(tofree); tofree = NULL; } if (!load_config(bio_err, conf)) goto err; /* Lets get the config section we are using */ if (section == NULL) { section=NCONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_CA); if (section == NULL) { lookup_fail(BASE_SECTION,ENV_DEFAULT_CA); goto err; } } if (conf != NULL) { p=NCONF_get_string(conf,NULL,"oid_file"); if (p == NULL) ERR_clear_error(); if (p != NULL) { BIO *oid_bio; oid_bio=BIO_new_file(p,"r"); if (oid_bio == NULL) { /* BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); ERR_print_errors(bio_err); */ ERR_clear_error(); } else { OBJ_create_objects(oid_bio); BIO_free(oid_bio); } } if (!add_oid_section(bio_err,conf)) { ERR_print_errors(bio_err); goto err; } } randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE"); if (randfile == NULL) ERR_clear_error(); app_RAND_load_file(randfile, bio_err, 0); + + db_attr.unique_subject = 1; + p = NCONF_get_string(conf, section, "unique_subject"); + if (p) + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p); +#endif + switch(*p) + { + case 'f': /* false */ + case 'F': /* FALSE */ + case 'n': /* no */ + case 'N': /* NO */ + db_attr.unique_subject = 0; + break; + case 't': /* true */ + case 'T': /* TRUE */ + case 'y': /* yes */ + case 'Y': /* YES */ + default: + db_attr.unique_subject = 1; + break; + } + } +#ifdef RL_DEBUG + else + BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p); +#endif +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n", + db_attr.unique_subject); +#endif in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); Sout=BIO_new(BIO_s_file()); Cout=BIO_new(BIO_s_file()); if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL)) { ERR_print_errors(bio_err); goto err; } /*****************************************************************/ /* report status of cert with serial number given on command line */ if (ser_status) { if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL) { lookup_fail(section,ENV_DATABASE); goto err; } - if (BIO_read_filename(in,dbfile) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - db=TXT_DB_read(in,DB_NUMBER); + db = load_index(dbfile,&db_attr); if (db == NULL) goto err; - if (!make_serial_index(db)) - goto err; + if (!index_index(db)) goto err; if (get_certificate_status(ser_status,db) != 1) BIO_printf(bio_err,"Error verifying serial %s!\n", ser_status); goto err; } /*****************************************************************/ /* we definitely need a public key, so let's get it */ if ((keyfile == NULL) && ((keyfile=NCONF_get_string(conf, section,ENV_PRIVATE_KEY)) == NULL)) { lookup_fail(section,ENV_PRIVATE_KEY); goto err; } if (!key) { free_key = 1; if (!app_passwd(bio_err, passargin, NULL, &key, NULL)) { BIO_printf(bio_err,"Error getting password\n"); goto err; } } pkey = load_key(bio_err, keyfile, keyform, 0, key, e, "CA private key"); if (key) OPENSSL_cleanse(key,strlen(key)); if (pkey == NULL) { /* load_key() has already printed an appropriate message */ goto err; } /*****************************************************************/ /* we need a certificate */ if ((certfile == NULL) && ((certfile=NCONF_get_string(conf, section,ENV_CERTIFICATE)) == NULL)) { lookup_fail(section,ENV_CERTIFICATE); goto err; } x509=load_cert(bio_err, certfile, FORMAT_PEM, NULL, e, "CA certificate"); if (x509 == NULL) goto err; if (!X509_check_private_key(x509,pkey)) { BIO_printf(bio_err,"CA certificate and CA private key do not match\n"); goto err; } f=NCONF_get_string(conf,BASE_SECTION,ENV_PRESERVE); if (f == NULL) ERR_clear_error(); if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) preserve=1; f=NCONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK); if (f == NULL) ERR_clear_error(); if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) msie_hack=1; f=NCONF_get_string(conf,section,ENV_NAMEOPT); if (f) { if (!set_name_ex(&nameopt, f)) { BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f); goto err; } default_op = 0; } else ERR_clear_error(); f=NCONF_get_string(conf,section,ENV_CERTOPT); if (f) { if (!set_cert_ex(&certopt, f)) { BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f); goto err; } default_op = 0; } else ERR_clear_error(); f=NCONF_get_string(conf,section,ENV_EXTCOPY); if (f) { if (!set_ext_copy(&ext_copy, f)) { BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f); goto err; } } else ERR_clear_error(); /*****************************************************************/ /* lookup where to write new certificates */ if ((outdir == NULL) && (req)) { struct stat sb; if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR)) == NULL) { BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n"); goto err; } #ifndef OPENSSL_SYS_VMS /* outdir is a directory spec, but access() for VMS demands a filename. In any case, stat(), below, will catch the problem if outdir is not a directory spec, and the fopen() or open() will catch an error if there is no write access. Presumably, this problem could also be solved by using the DEC C routines to convert the directory syntax to Unixly, and give that to access(). However, time's too short to do that just now. */ if (access(outdir,R_OK|W_OK|X_OK) != 0) { BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir); perror(outdir); goto err; } if (stat(outdir,&sb) != 0) { BIO_printf(bio_err,"unable to stat(%s)\n",outdir); perror(outdir); goto err; } #ifdef S_IFDIR if (!(sb.st_mode & S_IFDIR)) { BIO_printf(bio_err,"%s need to be a directory\n",outdir); perror(outdir); goto err; } #endif #endif } /*****************************************************************/ /* we need to load the database file */ if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL) { lookup_fail(section,ENV_DATABASE); goto err; } - if (BIO_read_filename(in,dbfile) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - db=TXT_DB_read(in,DB_NUMBER); + db = load_index(dbfile, &db_attr); if (db == NULL) goto err; /* Lets check some fields */ - for (i=0; idata); i++) + for (i=0; idb->data); i++) { - pp=(char **)sk_value(db->data,i); + pp=(char **)sk_value(db->db->data,i); if ((pp[DB_type][0] != DB_TYPE_REV) && (pp[DB_rev_date][0] != '\0')) { BIO_printf(bio_err,"entry %d: not revoked yet, but has a revocation date\n",i+1); goto err; } if ((pp[DB_type][0] == DB_TYPE_REV) && !make_revoked(NULL, pp[DB_rev_date])) { BIO_printf(bio_err," in entry %d\n", i+1); goto err; } if (!check_time_format(pp[DB_exp_date])) { BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1); goto err; } p=pp[DB_serial]; j=strlen(p); if (*p == '-') { p++; j--; } if ((j&1) || (j < 2)) { BIO_printf(bio_err,"entry %d: bad serial number length (%d)\n",i+1,j); goto err; } while (*p) { if (!( ((*p >= '0') && (*p <= '9')) || ((*p >= 'A') && (*p <= 'F')) || ((*p >= 'a') && (*p <= 'f'))) ) { BIO_printf(bio_err,"entry %d: bad serial number characters, char pos %ld, char is '%c'\n",i+1,(long)(p-pp[DB_serial]),*p); goto err; } p++; } } if (verbose) { BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */ #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif - TXT_DB_write(out,db); + TXT_DB_write(out,db->db); BIO_printf(bio_err,"%d entries loaded from the database\n", - db->data->num); + db->db->data->num); BIO_printf(bio_err,"generating index\n"); } - if (!make_serial_index(db)) - goto err; - - if (!TXT_DB_create_index(db, DB_name, index_name_qual, - LHASH_HASH_FN(index_name_hash), - LHASH_COMP_FN(index_name_cmp))) - { - BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n", - db->error,db->arg1,db->arg2); - goto err; - } + if (!index_index(db)) goto err; /*****************************************************************/ /* Update the db file for expired certificates */ if (doupdatedb) { if (verbose) BIO_printf(bio_err, "Updating %s ...\n", dbfile); i = do_updatedb(db); if (i == -1) { BIO_printf(bio_err,"Malloc failure\n"); goto err; } else if (i == 0) { if (verbose) BIO_printf(bio_err, "No entries found to mark expired\n"); } else { - out = BIO_new(BIO_s_file()); - if (out == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - -#ifndef OPENSSL_SYS_VMS - j = BIO_snprintf(buf[0], sizeof buf[0], "%s.new", dbfile); -#else - j = BIO_snprintf(buf[0], sizeof buf[0], "%s-new", dbfile); -#endif - if (j < 0 || j >= sizeof buf[0]) - { - BIO_printf(bio_err, "file name too long\n"); - goto err; - } - if (BIO_write_filename(out,buf[0]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n", - dbfile); - goto err; - } - j=TXT_DB_write(out,db); - if (j <= 0) goto err; - - BIO_free(out); - out = NULL; -#ifndef OPENSSL_SYS_VMS - j = BIO_snprintf(buf[1], sizeof buf[1], "%s.old", dbfile); -#else - j = BIO_snprintf(buf[1], sizeof buf[1], "%s-old", dbfile); -#endif - if (j < 0 || j >= sizeof buf[1]) - { - BIO_printf(bio_err, "file name too long\n"); - goto err; - } - if (rename(dbfile,buf[1]) < 0) - { - BIO_printf(bio_err, - "unable to rename %s to %s\n", - dbfile, buf[1]); - perror("reason"); - goto err; - } - if (rename(buf[0],dbfile) < 0) - { - BIO_printf(bio_err, - "unable to rename %s to %s\n", - buf[0],dbfile); - perror("reason"); - rename(buf[1],dbfile); - goto err; - } + if (!save_index(dbfile,"new",db)) goto err; + + if (!rotate_index(dbfile,"new","old")) goto err; if (verbose) BIO_printf(bio_err, "Done. %d entries marked as expired\n",i); } goto err; } /*****************************************************************/ /* Read extentions config file */ if (extfile) { extconf = NCONF_new(NULL); if (NCONF_load(extconf,extfile,&errorline) <= 0) { if (errorline <= 0) BIO_printf(bio_err, "ERROR: loading the config file '%s'\n", extfile); else BIO_printf(bio_err, "ERROR: on line %ld of config file '%s'\n", errorline,extfile); ret = 1; goto err; } if (verbose) BIO_printf(bio_err, "Successfully loaded extensions file %s\n", extfile); /* We can have sections in the ext file */ if (!extensions && !(extensions = NCONF_get_string(extconf, "default", "extensions"))) extensions = "default"; } /*****************************************************************/ if (req || gencrl) { if (outfile != NULL) { if (BIO_write_filename(Sout,outfile) <= 0) { perror(outfile); goto err; } } else { BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); Sout = BIO_push(tmpbio, Sout); } #endif } } if (req) { if ((md == NULL) && ((md=NCONF_get_string(conf, section,ENV_DEFAULT_MD)) == NULL)) { lookup_fail(section,ENV_DEFAULT_MD); goto err; } if ((email_dn == 1) && ((tmp_email_dn=NCONF_get_string(conf, section,ENV_DEFAULT_EMAIL_DN)) != NULL )) { if(strcmp(tmp_email_dn,"no") == 0) email_dn=0; } if ((dgst=EVP_get_digestbyname(md)) == NULL) { BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); goto err; } if (verbose) BIO_printf(bio_err,"message digest is %s\n", OBJ_nid2ln(dgst->type)); if ((policy == NULL) && ((policy=NCONF_get_string(conf, section,ENV_POLICY)) == NULL)) { lookup_fail(section,ENV_POLICY); goto err; } if (verbose) BIO_printf(bio_err,"policy is %s\n",policy); if ((serialfile=NCONF_get_string(conf,section,ENV_SERIAL)) == NULL) { lookup_fail(section,ENV_SERIAL); goto err; } if (!extconf) { /* no '-extfile' option, so we look for extensions * in the main configuration file */ if (!extensions) { extensions=NCONF_get_string(conf,section, ENV_EXTENSIONS); if (!extensions) ERR_clear_error(); } if (extensions) { /* Check syntax of file */ X509V3_CTX ctx; X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, NULL)) { BIO_printf(bio_err, "Error Loading extension section %s\n", extensions); ret = 1; goto err; } } } if (startdate == NULL) { startdate=NCONF_get_string(conf,section, ENV_DEFAULT_STARTDATE); if (startdate == NULL) ERR_clear_error(); } if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate)) { BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n"); goto err; } if (startdate == NULL) startdate="today"; if (enddate == NULL) { enddate=NCONF_get_string(conf,section, ENV_DEFAULT_ENDDATE); if (enddate == NULL) ERR_clear_error(); } if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate)) { BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n"); goto err; } if (days == 0) { if(!NCONF_get_number(conf,section, ENV_DEFAULT_DAYS, &days)) days = 0; } if (!enddate && (days == 0)) { BIO_printf(bio_err,"cannot lookup how many days to certify for\n"); goto err; } - if ((serial=load_serial(serialfile)) == NULL) + if ((serial=load_serial(serialfile, 0, NULL)) == NULL) { BIO_printf(bio_err,"error while loading serial number\n"); goto err; } if (verbose) { if (BN_is_zero(serial)) BIO_printf(bio_err,"next serial number is 00\n"); else { if ((f=BN_bn2hex(serial)) == NULL) goto err; BIO_printf(bio_err,"next serial number is %s\n",f); OPENSSL_free(f); } } if ((attribs=NCONF_get_section(conf,policy)) == NULL) { BIO_printf(bio_err,"unable to find 'section' for %s\n",policy); goto err; } if ((cert_sk=sk_X509_new_null()) == NULL) { BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } if (spkac_file != NULL) { total++; j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db, serial,subj,email_dn,startdate,enddate,days,extensions, conf,verbose,certopt,nameopt,default_op,ext_copy); if (j < 0) goto err; if (j > 0) { total_done++; BIO_printf(bio_err,"\n"); if (!BN_add_word(serial,1)) goto err; if (!sk_X509_push(cert_sk,x)) { BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } if (outfile) { output_der = 1; batch = 1; } } } if (ss_cert_file != NULL) { total++; j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs, db,serial,subj,email_dn,startdate,enddate,days,batch, extensions,conf,verbose, certopt, nameopt, default_op, ext_copy, e); if (j < 0) goto err; if (j > 0) { total_done++; BIO_printf(bio_err,"\n"); if (!BN_add_word(serial,1)) goto err; if (!sk_X509_push(cert_sk,x)) { BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } } } if (infile != NULL) { total++; j=certify(&x,infile,pkey,x509,dgst,attribs,db, serial,subj,email_dn,startdate,enddate,days,batch, extensions,conf,verbose, certopt, nameopt, default_op, ext_copy); if (j < 0) goto err; if (j > 0) { total_done++; BIO_printf(bio_err,"\n"); if (!BN_add_word(serial,1)) goto err; if (!sk_X509_push(cert_sk,x)) { BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } } } for (i=0; i 0) { total_done++; BIO_printf(bio_err,"\n"); if (!BN_add_word(serial,1)) goto err; if (!sk_X509_push(cert_sk,x)) { BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } } } /* we have a stack of newly certified certificates * and a data base and serial number that need * updating */ if (sk_X509_num(cert_sk) > 0) { if (!batch) { BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total); (void)BIO_flush(bio_err); buf[0][0]='\0'; fgets(buf[0],10,stdin); if ((buf[0][0] != 'y') && (buf[0][0] != 'Y')) { BIO_printf(bio_err,"CERTIFICATION CANCELED\n"); ret=0; goto err; } } BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk)); - if(strlen(serialfile) > BSIZE-5 || strlen(dbfile) > BSIZE-5) - { - BIO_printf(bio_err,"file name too long\n"); - goto err; - } - - strcpy(buf[0],serialfile); - -#ifdef OPENSSL_SYS_VMS - strcat(buf[0],"-new"); -#else - strcat(buf[0],".new"); -#endif - - if (!save_serial(buf[0],serial)) goto err; + if (!save_serial(serialfile,"new",serial,NULL)) goto err; - strcpy(buf[1],dbfile); - -#ifdef OPENSSL_SYS_VMS - strcat(buf[1],"-new"); -#else - strcat(buf[1],".new"); -#endif - - if (BIO_write_filename(out,buf[1]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - l=TXT_DB_write(out,db); - if (l <= 0) goto err; + if (!save_index(dbfile, "new", db)) goto err; } if (verbose) BIO_printf(bio_err,"writing new certificates\n"); for (i=0; icert_info->serialNumber->length; p=(char *)x->cert_info->serialNumber->data; if(strlen(outdir) >= (size_t)(j ? BSIZE-j*2-6 : BSIZE-8)) { BIO_printf(bio_err,"certificate file name too long\n"); goto err; } strcpy(buf[2],outdir); #ifndef OPENSSL_SYS_VMS - strcat(buf[2],"/"); + BUF_strlcat(buf[2],"/",sizeof(buf[2])); #endif - n=(unsigned char *)&(buf[2][strlen(buf[2])]); + n=(char *)&(buf[2][strlen(buf[2])]); if (j > 0) { for (k=0; k= &(buf[2][sizeof(buf[2])])) + break; + BIO_snprintf(n, + &buf[2][0] + sizeof(buf[2]) - n, + "%02X",(unsigned char)*(p++)); n+=2; } } else { *(n++)='0'; *(n++)='0'; } *(n++)='.'; *(n++)='p'; *(n++)='e'; *(n++)='m'; *n='\0'; if (verbose) BIO_printf(bio_err,"writing %s\n",buf[2]); if (BIO_write_filename(Cout,buf[2]) <= 0) { perror(buf[2]); goto err; } write_new_certificate(Cout,x, 0, notext); write_new_certificate(Sout,x, output_der, notext); } if (sk_X509_num(cert_sk)) { /* Rename the database and the serial file */ - strncpy(buf[2],serialfile,BSIZE-4); - buf[2][BSIZE-4]='\0'; + if (!rotate_serial(serialfile,"new","old")) goto err; -#ifdef OPENSSL_SYS_VMS - strcat(buf[2],"-old"); -#else - strcat(buf[2],".old"); -#endif + if (!rotate_index(dbfile,"new","old")) goto err; - BIO_free(in); - BIO_free_all(out); - in=NULL; - out=NULL; - if (rename(serialfile,buf[2]) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - serialfile,buf[2]); - perror("reason"); - goto err; - } - if (rename(buf[0],serialfile) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - buf[0],serialfile); - perror("reason"); - rename(buf[2],serialfile); - goto err; - } - - strncpy(buf[2],dbfile,BSIZE-4); - buf[2][BSIZE-4]='\0'; - -#ifdef OPENSSL_SYS_VMS - strcat(buf[2],"-old"); -#else - strcat(buf[2],".old"); -#endif - - if (rename(dbfile,buf[2]) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - dbfile,buf[2]); - perror("reason"); - goto err; - } - if (rename(buf[1],dbfile) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - buf[1],dbfile); - perror("reason"); - rename(buf[2],dbfile); - goto err; - } BIO_printf(bio_err,"Data Base Updated\n"); } } /*****************************************************************/ if (gencrl) { int crl_v2 = 0; if (!crl_ext) { crl_ext=NCONF_get_string(conf,section,ENV_CRLEXT); if (!crl_ext) ERR_clear_error(); } if (crl_ext) { /* Check syntax of file */ X509V3_CTX ctx; X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) { BIO_printf(bio_err, "Error Loading CRL extension section %s\n", crl_ext); ret = 1; goto err; } } + if ((crlnumberfile=NCONF_get_string(conf,section,ENV_CRLNUMBER)) + != NULL) + if ((crlnumber=load_serial(crlnumberfile,0,NULL)) == NULL) + { + BIO_printf(bio_err,"error while loading CRL number\n"); + goto err; + } + if (!crldays && !crlhours) { if (!NCONF_get_number(conf,section, ENV_DEFAULT_CRL_DAYS, &crldays)) crldays = 0; if (!NCONF_get_number(conf,section, ENV_DEFAULT_CRL_HOURS, &crlhours)) crlhours = 0; } if ((crldays == 0) && (crlhours == 0)) { BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n"); goto err; } if (verbose) BIO_printf(bio_err,"making CRL\n"); if ((crl=X509_CRL_new()) == NULL) goto err; if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) goto err; tmptm = ASN1_TIME_new(); if (!tmptm) goto err; X509_gmtime_adj(tmptm,0); X509_CRL_set_lastUpdate(crl, tmptm); X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60); X509_CRL_set_nextUpdate(crl, tmptm); ASN1_TIME_free(tmptm); - for (i=0; idata); i++) + for (i=0; idb->data); i++) { - pp=(char **)sk_value(db->data,i); + pp=(char **)sk_value(db->db->data,i); if (pp[DB_type][0] == DB_TYPE_REV) { if ((r=X509_REVOKED_new()) == NULL) goto err; j = make_revoked(r, pp[DB_rev_date]); if (!j) goto err; if (j == 2) crl_v2 = 1; if (!BN_hex2bn(&serial, pp[DB_serial])) goto err; tmpser = BN_to_ASN1_INTEGER(serial, NULL); BN_free(serial); serial = NULL; if (!tmpser) goto err; X509_REVOKED_set_serialNumber(r, tmpser); ASN1_INTEGER_free(tmpser); X509_CRL_add0_revoked(crl,r); } } /* sort the data so it will be written in serial * number order */ X509_CRL_sort(crl); /* we now have a CRL */ if (verbose) BIO_printf(bio_err,"signing CRL\n"); if (md != NULL) { if ((dgst=EVP_get_digestbyname(md)) == NULL) { BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); goto err; } } else { #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); else #endif dgst=EVP_md5(); } /* Add any extensions asked for */ - if (crl_ext) + if (crl_ext || crlnumberfile != NULL) { X509V3_CTX crlctx; X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); X509V3_set_nconf(&crlctx, conf); - if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, - crl_ext, crl)) goto err; + if (crl_ext) + if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, + crl_ext, crl)) goto err; + if (crlnumberfile != NULL) + { + tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL); + if (!tmpser) goto err; + X509_CRL_add1_ext_i2d(crl,NID_crl_number,tmpser,0,0); + ASN1_INTEGER_free(tmpser); + crl_v2 = 1; + if (!BN_add_word(crlnumber,1)) goto err; + } } if (crl_ext || crl_v2) { if (!X509_CRL_set_version(crl, 1)) goto err; /* version 2 CRL */ } + + if (crlnumberfile != NULL) /* we have a CRL number that need updating */ + if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err; + if (!X509_CRL_sign(crl,pkey,dgst)) goto err; PEM_write_bio_X509_CRL(Sout,crl); + + if (crlnumberfile != NULL) /* Rename the crlnumber file */ + if (!rotate_serial(crlnumberfile,"new","old")) goto err; + } /*****************************************************************/ if (dorevoke) { if (infile == NULL) { BIO_printf(bio_err,"no input files\n"); goto err; } else { X509 *revcert; revcert=load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile); if (revcert == NULL) goto err; j=do_revoke(revcert,db, rev_type, rev_arg); if (j <= 0) goto err; X509_free(revcert); - if(strlen(dbfile) > BSIZE-5) - { - BIO_printf(bio_err,"filename too long\n"); - goto err; - } + if (!save_index(dbfile, "new", db)) goto err; + + if (!rotate_index(dbfile, "new", "old")) goto err; - strcpy(buf[0],dbfile); -#ifndef OPENSSL_SYS_VMS - strcat(buf[0],".new"); -#else - strcat(buf[0],"-new"); -#endif - if (BIO_write_filename(out,buf[0]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - j=TXT_DB_write(out,db); - if (j <= 0) goto err; - BIO_free_all(out); - out = NULL; - BIO_free_all(in); - in = NULL; - strncpy(buf[1],dbfile,BSIZE-4); - buf[1][BSIZE-4]='\0'; -#ifndef OPENSSL_SYS_VMS - strcat(buf[1],".old"); -#else - strcat(buf[1],"-old"); -#endif - if (rename(dbfile,buf[1]) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]); - perror("reason"); - goto err; - } - if (rename(buf[0],dbfile) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", buf[0],dbfile); - perror("reason"); - rename(buf[1],dbfile); - goto err; - } BIO_printf(bio_err,"Data Base Updated\n"); } } /*****************************************************************/ ret=0; err: if(tofree) OPENSSL_free(tofree); BIO_free_all(Cout); BIO_free_all(Sout); BIO_free_all(out); BIO_free_all(in); if (cert_sk) sk_X509_pop_free(cert_sk,X509_free); if (ret) ERR_print_errors(bio_err); app_RAND_write_file(randfile, bio_err); if (free_key && key) OPENSSL_free(key); BN_free(serial); - TXT_DB_free(db); + free_index(db); EVP_PKEY_free(pkey); X509_free(x509); X509_CRL_free(crl); NCONF_free(conf); OBJ_cleanup(); apps_shutdown(); OPENSSL_EXIT(ret); } static void lookup_fail(char *name, char *tag) { BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag); } -static unsigned long index_serial_hash(const char **a) - { - const char *n; - - n=a[DB_serial]; - while (*n == '0') n++; - return(lh_strhash(n)); - } - -static int index_serial_cmp(const char **a, const char **b) - { - const char *aa,*bb; - - for (aa=a[DB_serial]; *aa == '0'; aa++); - for (bb=b[DB_serial]; *bb == '0'; bb++); - return(strcmp(aa,bb)); - } - -static unsigned long index_name_hash(const char **a) - { return(lh_strhash(a[DB_name])); } - -static int index_name_qual(char **a) - { return(a[0][0] == 'V'); } - -static int index_name_cmp(const char **a, const char **b) - { return(strcmp(a[DB_name], - b[DB_name])); } - -static BIGNUM *load_serial(char *serialfile) - { - BIO *in=NULL; - BIGNUM *ret=NULL; - MS_STATIC char buf[1024]; - ASN1_INTEGER *ai=NULL; - - if ((in=BIO_new(BIO_s_file())) == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - - if (BIO_read_filename(in,serialfile) <= 0) - { - perror(serialfile); - goto err; - } - ai=ASN1_INTEGER_new(); - if (ai == NULL) goto err; - if (!a2i_ASN1_INTEGER(in,ai,buf,1024)) - { - BIO_printf(bio_err,"unable to load number from %s\n", - serialfile); - goto err; - } - ret=ASN1_INTEGER_to_BN(ai,NULL); - if (ret == NULL) - { - BIO_printf(bio_err,"error converting number from bin to BIGNUM\n"); - goto err; - } -err: - if (in != NULL) BIO_free(in); - if (ai != NULL) ASN1_INTEGER_free(ai); - return(ret); - } - -static int save_serial(char *serialfile, BIGNUM *serial) - { - BIO *out; - int ret=0; - ASN1_INTEGER *ai=NULL; - - out=BIO_new(BIO_s_file()); - if (out == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - if (BIO_write_filename(out,serialfile) <= 0) - { - perror(serialfile); - goto err; - } - - if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL) - { - BIO_printf(bio_err,"error converting serial to ASN.1 format\n"); - goto err; - } - i2a_ASN1_INTEGER(out,ai); - BIO_puts(out,"\n"); - ret=1; -err: - if (out != NULL) BIO_free_all(out); - if (ai != NULL) ASN1_INTEGER_free(ai); - return(ret); - } - static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, + const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy) { X509_REQ *req=NULL; BIO *in=NULL; EVP_PKEY *pktmp=NULL; int ok= -1,i; in=BIO_new(BIO_s_file()); if (BIO_read_filename(in,infile) <= 0) { perror(infile); goto err; } if ((req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL)) == NULL) { BIO_printf(bio_err,"Error reading certificate request in %s\n", infile); goto err; } if (verbose) X509_REQ_print(bio_err,req); BIO_printf(bio_err,"Check that the request matches the signature\n"); if ((pktmp=X509_REQ_get_pubkey(req)) == NULL) { BIO_printf(bio_err,"error unpacking public key\n"); goto err; } i=X509_REQ_verify(req,pktmp); EVP_PKEY_free(pktmp); if (i < 0) { ok=0; BIO_printf(bio_err,"Signature verification problems....\n"); goto err; } if (i == 0) { ok=0; BIO_printf(bio_err,"Signature did not match the certificate request\n"); goto err; } else BIO_printf(bio_err,"Signature ok\n"); ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj, email_dn, startdate,enddate,days,batch,verbose,req,ext_sect,lconf, certopt, nameopt, default_op, ext_copy); err: if (req != NULL) X509_REQ_free(req); if (in != NULL) BIO_free(in); return(ok); } static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, + const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, ENGINE *e) { X509 *req=NULL; X509_REQ *rreq=NULL; EVP_PKEY *pktmp=NULL; int ok= -1,i; if ((req=load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile)) == NULL) goto err; if (verbose) X509_print(bio_err,req); BIO_printf(bio_err,"Check that the request matches the signature\n"); if ((pktmp=X509_get_pubkey(req)) == NULL) { BIO_printf(bio_err,"error unpacking public key\n"); goto err; } i=X509_verify(req,pktmp); EVP_PKEY_free(pktmp); if (i < 0) { ok=0; BIO_printf(bio_err,"Signature verification problems....\n"); goto err; } if (i == 0) { ok=0; BIO_printf(bio_err,"Signature did not match the certificate\n"); goto err; } else BIO_printf(bio_err,"Signature ok\n"); if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL) goto err; ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate, days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op, ext_copy); err: if (rreq != NULL) X509_REQ_free(rreq); if (req != NULL) X509_free(req); return(ok); } static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, - STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, int verbose, X509_REQ *req, char *ext_sect, CONF *lconf, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy) { X509_NAME *name=NULL,*CAname=NULL,*subject=NULL, *dn_subject=NULL; ASN1_UTCTIME *tm,*tmptm; ASN1_STRING *str,*str2; ASN1_OBJECT *obj; X509 *ret=NULL; X509_CINF *ci; X509_NAME_ENTRY *ne; X509_NAME_ENTRY *tne,*push; EVP_PKEY *pktmp; int ok= -1,i,j,last,nid; char *p; CONF_VALUE *cv; - char *row[DB_NUMBER],**rrow,**irow=NULL; + char *row[DB_NUMBER],**rrow=NULL,**irow=NULL; char buf[25]; tmptm=ASN1_UTCTIME_new(); if (tmptm == NULL) { BIO_printf(bio_err,"malloc error\n"); return(0); } for (i=0; ireq_info->enc.modified = 1; X509_NAME_free(n); } if (default_op) BIO_printf(bio_err,"The Subject's Distinguished Name is as follows\n"); name=X509_REQ_get_subject_name(req); for (i=0; iobject); if (str->type == V_ASN1_UNIVERSALSTRING) ASN1_UNIVERSALSTRING_to_string(str); if ((str->type == V_ASN1_IA5STRING) && (nid != NID_pkcs9_emailAddress)) str->type=V_ASN1_T61STRING; if ((nid == NID_pkcs9_emailAddress) && (str->type == V_ASN1_PRINTABLESTRING)) str->type=V_ASN1_IA5STRING; } /* If no EMAIL is wanted in the subject */ if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn)) continue; /* check some things */ if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (str->type != V_ASN1_IA5STRING)) { BIO_printf(bio_err,"\nemailAddress type needs to be of type IA5STRING\n"); goto err; } if ((str->type != V_ASN1_BMPSTRING) && (str->type != V_ASN1_UTF8STRING)) { j=ASN1_PRINTABLE_type(str->data,str->length); if ( ((j == V_ASN1_T61STRING) && (str->type != V_ASN1_T61STRING)) || ((j == V_ASN1_IA5STRING) && (str->type == V_ASN1_PRINTABLESTRING))) { BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n"); goto err; } } if (default_op) old_entry_print(bio_err, obj, str); } /* Ok, now we check the 'policy' stuff. */ if ((subject=X509_NAME_new()) == NULL) { BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } /* take a copy of the issuer name before we mess with it. */ CAname=X509_NAME_dup(x509->cert_info->subject); if (CAname == NULL) goto err; str=str2=NULL; for (i=0; iname)) == NID_undef) { BIO_printf(bio_err,"%s:unknown object type in 'policy' configuration\n",cv->name); goto err; } obj=OBJ_nid2obj(j); last= -1; for (;;) { /* lookup the object in the supplied name list */ j=X509_NAME_get_index_by_OBJ(name,obj,last); if (j < 0) { if (last != -1) break; tne=NULL; } else { tne=X509_NAME_get_entry(name,j); } last=j; /* depending on the 'policy', decide what to do. */ push=NULL; if (strcmp(cv->value,"optional") == 0) { if (tne != NULL) push=tne; } else if (strcmp(cv->value,"supplied") == 0) { if (tne == NULL) { BIO_printf(bio_err,"The %s field needed to be supplied and was missing\n",cv->name); goto err; } else push=tne; } else if (strcmp(cv->value,"match") == 0) { int last2; if (tne == NULL) { BIO_printf(bio_err,"The mandatory %s field was missing\n",cv->name); goto err; } last2= -1; again2: j=X509_NAME_get_index_by_OBJ(CAname,obj,last2); if ((j < 0) && (last2 == -1)) { BIO_printf(bio_err,"The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",cv->name); goto err; } if (j >= 0) { push=X509_NAME_get_entry(CAname,j); str=X509_NAME_ENTRY_get_data(tne); str2=X509_NAME_ENTRY_get_data(push); last2=j; if (ASN1_STRING_cmp(str,str2) != 0) goto again2; } if (j < 0) { BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str2 == NULL)?"NULL":(char *)str2->data),((str == NULL)?"NULL":(char *)str->data)); goto err; } } else { BIO_printf(bio_err,"%s:invalid type in 'policy' configuration\n",cv->value); goto err; } if (push != NULL) { if (!X509_NAME_add_entry(subject,push, -1, 0)) { if (push != NULL) X509_NAME_ENTRY_free(push); BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } } if (j < 0) break; } } if (preserve) { X509_NAME_free(subject); /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */ subject=X509_NAME_dup(name); if (subject == NULL) goto err; } if (verbose) BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n"); /* Build the correct Subject if no e-mail is wanted in the subject */ /* and add it later on because of the method extensions are added (altName) */ if (email_dn) dn_subject = subject; else { X509_NAME_ENTRY *tmpne; /* Its best to dup the subject DN and then delete any email * addresses because this retains its structure. */ if (!(dn_subject = X509_NAME_dup(subject))) { BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } while((i = X509_NAME_get_index_by_NID(dn_subject, NID_pkcs9_emailAddress, -1)) >= 0) { tmpne = X509_NAME_get_entry(dn_subject, i); X509_NAME_delete_entry(dn_subject, i); X509_NAME_ENTRY_free(tmpne); } } if (BN_is_zero(serial)) row[DB_serial]=BUF_strdup("00"); else row[DB_serial]=BN_bn2hex(serial); if (row[DB_serial] == NULL) { BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } - rrow=TXT_DB_get_by_index(db,DB_name,row); - if (rrow != NULL) + if (db->attributes.unique_subject) { - BIO_printf(bio_err,"ERROR:There is already a certificate for %s\n", - row[DB_name]); + rrow=TXT_DB_get_by_index(db->db,DB_name,row); + if (rrow != NULL) + { + BIO_printf(bio_err, + "ERROR:There is already a certificate for %s\n", + row[DB_name]); + } } - else + if (rrow == NULL) { - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); if (rrow != NULL) { BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n", row[DB_serial]); BIO_printf(bio_err," check the database/serial_file for corruption\n"); } } if (rrow != NULL) { BIO_printf(bio_err, "The matching entry has the following details\n"); if (rrow[DB_type][0] == 'E') p="Expired"; else if (rrow[DB_type][0] == 'R') p="Revoked"; else if (rrow[DB_type][0] == 'V') p="Valid"; else p="\ninvalid type, Data base error\n"; BIO_printf(bio_err,"Type :%s\n",p);; if (rrow[DB_type][0] == 'R') { p=rrow[DB_exp_date]; if (p == NULL) p="undef"; BIO_printf(bio_err,"Was revoked on:%s\n",p); } p=rrow[DB_exp_date]; if (p == NULL) p="undef"; BIO_printf(bio_err,"Expires on :%s\n",p); p=rrow[DB_serial]; if (p == NULL) p="undef"; BIO_printf(bio_err,"Serial Number :%s\n",p); p=rrow[DB_file]; if (p == NULL) p="undef"; BIO_printf(bio_err,"File name :%s\n",p); p=rrow[DB_name]; if (p == NULL) p="undef"; BIO_printf(bio_err,"Subject Name :%s\n",p); ok= -1; /* This is now a 'bad' error. */ goto err; } /* We are now totally happy, lets make and sign the certificate */ if (verbose) BIO_printf(bio_err,"Everything appears to be ok, creating and signing the certificate\n"); if ((ret=X509_new()) == NULL) goto err; ci=ret->cert_info; #ifdef X509_V3 /* Make it an X509 v3 certificate. */ if (!X509_set_version(ret,2)) goto err; #endif if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL) goto err; if (!X509_set_issuer_name(ret,X509_get_subject_name(x509))) goto err; if (strcmp(startdate,"today") == 0) X509_gmtime_adj(X509_get_notBefore(ret),0); else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate); if (enddate == NULL) X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days); else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate); if (!X509_set_subject_name(ret,subject)) goto err; pktmp=X509_REQ_get_pubkey(req); i = X509_set_pubkey(ret,pktmp); EVP_PKEY_free(pktmp); if (!i) goto err; /* Lets add the extensions, if there are any */ if (ext_sect) { X509V3_CTX ctx; if (ci->version == NULL) if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err; ASN1_INTEGER_set(ci->version,2); /* version 3 certificate */ /* Free the current entries if any, there should not * be any I believe */ if (ci->extensions != NULL) sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free); ci->extensions = NULL; /* Initialize the context structure */ X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0); if (extconf) { if (verbose) BIO_printf(bio_err, "Extra configuration file found\n"); /* Use the extconf configuration db LHASH */ X509V3_set_nconf(&ctx, extconf); /* Test the structure (needed?) */ /* X509V3_set_ctx_test(&ctx); */ /* Adds exts contained in the configuration file */ if (!X509V3_EXT_add_nconf(extconf, &ctx, ext_sect,ret)) { BIO_printf(bio_err, "ERROR: adding extensions in section %s\n", ext_sect); ERR_print_errors(bio_err); goto err; } if (verbose) BIO_printf(bio_err, "Successfully added extensions from file.\n"); } else if (ext_sect) { /* We found extensions to be set from config file */ X509V3_set_nconf(&ctx, lconf); if(!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) { BIO_printf(bio_err, "ERROR: adding extensions in section %s\n", ext_sect); ERR_print_errors(bio_err); goto err; } if (verbose) BIO_printf(bio_err, "Successfully added extensions from config\n"); } } /* Copy extensions from request (if any) */ if (!copy_extensions(ret, req, ext_copy)) { BIO_printf(bio_err, "ERROR: adding extensions from request\n"); ERR_print_errors(bio_err); goto err; } /* Set the right value for the noemailDN option */ if( email_dn == 0 ) { if (!X509_set_subject_name(ret,dn_subject)) goto err; } if (!default_op) { BIO_printf(bio_err, "Certificate Details:\n"); /* Never print signature details because signature not present */ certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME; X509_print_ex(bio_err, ret, nameopt, certopt); } BIO_printf(bio_err,"Certificate is to be certified until "); ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret)); if (days) BIO_printf(bio_err," (%d days)",days); BIO_printf(bio_err, "\n"); if (!batch) { BIO_printf(bio_err,"Sign the certificate? [y/n]:"); (void)BIO_flush(bio_err); buf[0]='\0'; fgets(buf,sizeof(buf)-1,stdin); if (!((buf[0] == 'y') || (buf[0] == 'Y'))) { BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n"); ok=0; goto err; } } #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); pktmp=X509_get_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_free(pktmp); #endif if (!X509_sign(ret,pkey,dgst)) goto err; /* We now just add it to the database */ row[DB_type]=(char *)OPENSSL_malloc(2); tm=X509_get_notAfter(ret); row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1); memcpy(row[DB_exp_date],tm->data,tm->length); row[DB_exp_date][tm->length]='\0'; row[DB_rev_date]=NULL; /* row[DB_serial] done already */ row[DB_file]=(char *)OPENSSL_malloc(8); row[DB_name]=X509_NAME_oneline(X509_get_subject_name(ret),NULL,0); if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || (row[DB_file] == NULL) || (row[DB_name] == NULL)) { BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } - strcpy(row[DB_file],"unknown"); + BUF_strlcpy(row[DB_file],"unknown",8); row[DB_type][0]='V'; row[DB_type][1]='\0'; if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL) { BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } for (i=0; idb,irow)) { BIO_printf(bio_err,"failed to update database\n"); - BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error); + BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error); goto err; } ok=1; err: for (i=0; icert_info->serialNumber); BIO_puts(bp,"\n\n"); #endif if (!notext)X509_print(bp,x); PEM_write_bio_X509(bp,x); } static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, + const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy) { STACK_OF(CONF_VALUE) *sk=NULL; LHASH *parms=NULL; X509_REQ *req=NULL; CONF_VALUE *cv=NULL; NETSCAPE_SPKI *spki = NULL; X509_REQ_INFO *ri; char *type,*buf; EVP_PKEY *pktmp=NULL; X509_NAME *n=NULL; X509_NAME_ENTRY *ne=NULL; int ok= -1,i,j; long errline; int nid; /* * Load input file into a hash table. (This is just an easy * way to read and parse the file, then put it into a convenient * STACK format). */ parms=CONF_load(NULL,infile,&errline); if (parms == NULL) { BIO_printf(bio_err,"error on line %ld of %s\n",errline,infile); ERR_print_errors(bio_err); goto err; } sk=CONF_get_section(parms, "default"); if (sk_CONF_VALUE_num(sk) == 0) { BIO_printf(bio_err, "no name/value pairs found in %s\n", infile); CONF_free(parms); goto err; } /* * Now create a dummy X509 request structure. We don't actually * have an X509 request, but we have many of the components * (a public key, various DN components). The idea is that we * put these components into the right X509 request structure * and we can use the same code as if you had a real X509 request. */ req=X509_REQ_new(); if (req == NULL) { ERR_print_errors(bio_err); goto err; } /* * Build up the subject name set. */ ri=req->req_info; n = ri->subject; for (i = 0; ; i++) { if (sk_CONF_VALUE_num(sk) <= i) break; cv=sk_CONF_VALUE_value(sk,i); type=cv->name; /* Skip past any leading X. X: X, etc to allow for * multiple instances */ for (buf = cv->name; *buf ; buf++) if ((*buf == ':') || (*buf == ',') || (*buf == '.')) { buf++; if (*buf) type = buf; break; } buf=cv->value; if ((nid=OBJ_txt2nid(type)) == NID_undef) { if (strcmp(type, "SPKAC") == 0) { spki = NETSCAPE_SPKI_b64_decode(cv->value, -1); if (spki == NULL) { BIO_printf(bio_err,"unable to load Netscape SPKAC structure\n"); ERR_print_errors(bio_err); goto err; } } continue; } /* if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0)) continue; */ j=ASN1_PRINTABLE_type((unsigned char *)buf,-1); if (fix_data(nid, &j) == 0) { BIO_printf(bio_err, "invalid characters in string %s\n",buf); goto err; } if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j, (unsigned char *)buf, strlen(buf))) == NULL) goto err; if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err; } if (spki == NULL) { BIO_printf(bio_err,"Netscape SPKAC structure not found in %s\n", infile); goto err; } /* * Now extract the key from the SPKI structure. */ BIO_printf(bio_err,"Check that the SPKAC request matches the signature\n"); if ((pktmp=NETSCAPE_SPKI_get_pubkey(spki)) == NULL) { BIO_printf(bio_err,"error unpacking SPKAC public key\n"); goto err; } j = NETSCAPE_SPKI_verify(spki, pktmp); if (j <= 0) { BIO_printf(bio_err,"signature verification failed on SPKAC public key\n"); goto err; } BIO_printf(bio_err,"Signature ok\n"); X509_REQ_set_pubkey(req,pktmp); EVP_PKEY_free(pktmp); ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate, days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op, ext_copy); err: if (req != NULL) X509_REQ_free(req); if (parms != NULL) CONF_free(parms); if (spki != NULL) NETSCAPE_SPKI_free(spki); if (ne != NULL) X509_NAME_ENTRY_free(ne); return(ok); } static int fix_data(int nid, int *type) { if (nid == NID_pkcs9_emailAddress) *type=V_ASN1_IA5STRING; if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING)) *type=V_ASN1_T61STRING; if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING)) *type=V_ASN1_T61STRING; if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING)) return(0); if (nid == NID_pkcs9_unstructuredName) *type=V_ASN1_IA5STRING; return(1); } static int check_time_format(char *str) { ASN1_UTCTIME tm; tm.data=(unsigned char *)str; tm.length=strlen(str); tm.type=V_ASN1_UTCTIME; return(ASN1_UTCTIME_check(&tm)); } -static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) +static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) { ASN1_UTCTIME *tm=NULL; char *row[DB_NUMBER],**rrow,**irow; char *rev_str = NULL; BIGNUM *bn = NULL; int ok=-1,i; for (i=0; idb,DB_serial,row); if (rrow == NULL) { - BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]); + BIO_printf(bio_err,"Adding Entry with serial number %s to DB for %s\n", row[DB_serial], row[DB_name]); /* We now just add it to the database */ row[DB_type]=(char *)OPENSSL_malloc(2); tm=X509_get_notAfter(x509); row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1); memcpy(row[DB_exp_date],tm->data,tm->length); row[DB_exp_date][tm->length]='\0'; row[DB_rev_date]=NULL; /* row[DB_serial] done already */ row[DB_file]=(char *)OPENSSL_malloc(8); /* row[DB_name] done already */ if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || (row[DB_file] == NULL)) { BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } - strcpy(row[DB_file],"unknown"); + BUF_strlcpy(row[DB_file],"unknown",8); row[DB_type][0]='V'; row[DB_type][1]='\0'; if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL) { BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } for (i=0; idb,irow)) { BIO_printf(bio_err,"failed to update database\n"); - BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error); + BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error); goto err; } /* Revoke Certificate */ ok = do_revoke(x509,db, type, value); goto err; } else if (index_name_cmp((const char **)row,(const char **)rrow)) { BIO_printf(bio_err,"ERROR:name does not match %s\n", row[DB_name]); goto err; } else if (rrow[DB_type][0]=='R') { BIO_printf(bio_err,"ERROR:Already revoked, serial number %s\n", row[DB_serial]); goto err; } else { BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]); rev_str = make_revocation_str(type, value); if (!rev_str) { BIO_printf(bio_err, "Error in revocation arguments\n"); goto err; } rrow[DB_type][0]='R'; rrow[DB_type][1]='\0'; rrow[DB_rev_date] = rev_str; } ok=1; err: for (i=0; idb,DB_serial,row); if (rrow == NULL) { BIO_printf(bio_err,"Serial %s not present in db.\n", row[DB_serial]); ok=-1; goto err; } else if (rrow[DB_type][0]=='V') { BIO_printf(bio_err,"%s=Valid (%c)\n", row[DB_serial], rrow[DB_type][0]); goto err; } else if (rrow[DB_type][0]=='R') { BIO_printf(bio_err,"%s=Revoked (%c)\n", row[DB_serial], rrow[DB_type][0]); goto err; } else if (rrow[DB_type][0]=='E') { BIO_printf(bio_err,"%s=Expired (%c)\n", row[DB_serial], rrow[DB_type][0]); goto err; } else if (rrow[DB_type][0]=='S') { BIO_printf(bio_err,"%s=Suspended (%c)\n", row[DB_serial], rrow[DB_type][0]); goto err; } else { BIO_printf(bio_err,"%s=Unknown (%c).\n", row[DB_serial], rrow[DB_type][0]); ok=-1; } err: for (i=0; i= 2000 */ char **rrow, *a_tm_s; a_tm = ASN1_UTCTIME_new(); /* get actual time and make a string */ a_tm = X509_gmtime_adj(a_tm, 0); a_tm_s = (char *) OPENSSL_malloc(a_tm->length+1); if (a_tm_s == NULL) { cnt = -1; goto err; } memcpy(a_tm_s, a_tm->data, a_tm->length); a_tm_s[a_tm->length] = '\0'; if (strncmp(a_tm_s, "49", 2) <= 0) a_y2k = 1; else a_y2k = 0; - for (i = 0; i < sk_num(db->data); i++) + for (i = 0; i < sk_num(db->db->data); i++) { - rrow = (char **) sk_value(db->data, i); + rrow = (char **) sk_value(db->db->data, i); if (rrow[DB_type][0] == 'V') { /* ignore entries that are not valid */ if (strncmp(rrow[DB_exp_date], "49", 2) <= 0) db_y2k = 1; else db_y2k = 0; if (db_y2k == a_y2k) { /* all on the same y2k side */ if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) { rrow[DB_type][0] = 'E'; rrow[DB_type][1] = '\0'; cnt++; BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); } } else if (db_y2k < a_y2k) { rrow[DB_type][0] = 'E'; rrow[DB_type][1] = '\0'; cnt++; BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); } } } err: ASN1_UTCTIME_free(a_tm); OPENSSL_free(a_tm_s); return (cnt); } static char *crl_reasons[] = { /* CRL reason strings */ "unspecified", "keyCompromise", "CACompromise", "affiliationChanged", "superseded", "cessationOfOperation", "certificateHold", "removeFromCRL", /* Additional pseudo reasons */ "holdInstruction", "keyTime", "CAkeyTime" }; #define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *)) /* Given revocation information convert to a DB string. * The format of the string is: * revtime[,reason,extra]. Where 'revtime' is the * revocation time (the current time). 'reason' is the * optional CRL reason and 'extra' is any additional * argument */ char *make_revocation_str(int rev_type, char *rev_arg) { char *reason = NULL, *other = NULL, *str; ASN1_OBJECT *otmp; ASN1_UTCTIME *revtm = NULL; int i; switch (rev_type) { case REV_NONE: break; case REV_CRL_REASON: for (i = 0; i < 8; i++) { if (!strcasecmp(rev_arg, crl_reasons[i])) { reason = crl_reasons[i]; break; } } if (reason == NULL) { BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg); return NULL; } break; case REV_HOLD: /* Argument is an OID */ otmp = OBJ_txt2obj(rev_arg, 0); ASN1_OBJECT_free(otmp); if (otmp == NULL) { BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg); return NULL; } reason = "holdInstruction"; other = rev_arg; break; case REV_KEY_COMPROMISE: case REV_CA_COMPROMISE: /* Argument is the key compromise time */ if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) { BIO_printf(bio_err, "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", rev_arg); return NULL; } other = rev_arg; if (rev_type == REV_KEY_COMPROMISE) reason = "keyTime"; else reason = "CAkeyTime"; break; } revtm = X509_gmtime_adj(NULL, 0); i = revtm->length + 1; if (reason) i += strlen(reason) + 1; if (other) i += strlen(other) + 1; str = OPENSSL_malloc(i); if (!str) return NULL; - strcpy(str, (char *)revtm->data); + BUF_strlcpy(str, (char *)revtm->data, i); if (reason) { - strcat(str, ","); - strcat(str, reason); + BUF_strlcat(str, ",", i); + BUF_strlcat(str, reason, i); } if (other) { - strcat(str, ","); - strcat(str, other); + BUF_strlcat(str, ",", i); + BUF_strlcat(str, other, i); } ASN1_UTCTIME_free(revtm); return str; } /* Convert revocation field to X509_REVOKED entry * return code: * 0 error * 1 OK * 2 OK and some extensions added (i.e. V2 CRL) */ int make_revoked(X509_REVOKED *rev, char *str) { char *tmp = NULL; int reason_code = -1; int i, ret = 0; ASN1_OBJECT *hold = NULL; ASN1_GENERALIZEDTIME *comp_time = NULL; ASN1_ENUMERATED *rtmp = NULL; ASN1_TIME *revDate = NULL; i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str); if (i == 0) goto err; if (rev && !X509_REVOKED_set_revocationDate(rev, revDate)) goto err; if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) { rtmp = ASN1_ENUMERATED_new(); if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code)) goto err; if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) goto err; } if (rev && comp_time) { if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0)) goto err; } if (rev && hold) { if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0)) goto err; } if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS) ret = 2; else ret = 1; err: if (tmp) OPENSSL_free(tmp); ASN1_OBJECT_free(hold); ASN1_GENERALIZEDTIME_free(comp_time); ASN1_ENUMERATED_free(rtmp); ASN1_TIME_free(revDate); return ret; } /* * subject is expected to be in the format /type0=value0/type1=value1/type2=... * where characters may be escaped by \ */ X509_NAME *do_subject(char *subject, long chtype) { size_t buflen = strlen(subject)+1; /* to copy the types and values into. due to escaping, the copy can only become shorter */ char *buf = OPENSSL_malloc(buflen); size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */ char **ne_types = OPENSSL_malloc(max_ne * sizeof (char *)); char **ne_values = OPENSSL_malloc(max_ne * sizeof (char *)); char *sp = subject, *bp = buf; int i, ne_num = 0; X509_NAME *n = NULL; int nid; if (!buf || !ne_types || !ne_values) { BIO_printf(bio_err, "malloc error\n"); goto error; } if (*subject != '/') { BIO_printf(bio_err, "Subject does not start with '/'.\n"); goto error; } sp++; /* skip leading / */ while (*sp) { /* collect type */ ne_types[ne_num] = bp; while (*sp) { if (*sp == '\\') /* is there anything to escape in the type...? */ { if (*++sp) *bp++ = *sp++; else { BIO_printf(bio_err, "escape character at end of string\n"); goto error; } } else if (*sp == '=') { sp++; *bp++ = '\0'; break; } else *bp++ = *sp++; } if (!*sp) { BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num); goto error; } ne_values[ne_num] = bp; while (*sp) { if (*sp == '\\') { if (*++sp) *bp++ = *sp++; else { BIO_printf(bio_err, "escape character at end of string\n"); goto error; } } else if (*sp == '/') { sp++; break; } else *bp++ = *sp++; } *bp++ = '\0'; ne_num++; } if (!(n = X509_NAME_new())) goto error; for (i = 0; i < ne_num; i++) { if ((nid=OBJ_txt2nid(ne_types[i])) == NID_undef) { BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_types[i]); continue; } if (!*ne_values[i]) { BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]); continue; } if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,0)) goto error; } OPENSSL_free(ne_values); OPENSSL_free(ne_types); OPENSSL_free(buf); return n; error: X509_NAME_free(n); if (ne_values) OPENSSL_free(ne_values); if (ne_types) OPENSSL_free(ne_types); if (buf) OPENSSL_free(buf); return NULL; } int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str) { char buf[25],*pbuf, *p; int j; j=i2a_ASN1_OBJECT(bp,obj); pbuf=buf; for (j=22-j; j>0; j--) *(pbuf++)=' '; *(pbuf++)=':'; *(pbuf++)='\0'; BIO_puts(bp,buf); if (str->type == V_ASN1_PRINTABLESTRING) BIO_printf(bp,"PRINTABLE:'"); else if (str->type == V_ASN1_T61STRING) BIO_printf(bp,"T61STRING:'"); else if (str->type == V_ASN1_IA5STRING) BIO_printf(bp,"IA5STRING:'"); else if (str->type == V_ASN1_UNIVERSALSTRING) BIO_printf(bp,"UNIVERSALSTRING:'"); else BIO_printf(bp,"ASN.1 %2d:'",str->type); p=(char *)str->data; for (j=str->length; j>0; j--) { if ((*p >= ' ') && (*p <= '~')) BIO_printf(bp,"%c",*p); else if (*p & 0x80) BIO_printf(bp,"\\0x%02X",*p); else if ((unsigned char)*p == 0xf7) BIO_printf(bp,"^?"); else BIO_printf(bp,"^%c",*p+'@'); p++; } BIO_printf(bp,"'\n"); return 1; } int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str) { char *tmp = NULL; char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p; int reason_code = -1; int i, ret = 0; ASN1_OBJECT *hold = NULL; ASN1_GENERALIZEDTIME *comp_time = NULL; tmp = BUF_strdup(str); p = strchr(tmp, ','); rtime_str = tmp; if (p) { *p = '\0'; p++; reason_str = p; p = strchr(p, ','); if (p) { *p = '\0'; arg_str = p + 1; } } if (prevtm) { *prevtm = ASN1_UTCTIME_new(); if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) { BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str); goto err; } } if (reason_str) { for (i = 0; i < NUM_REASONS; i++) { if(!strcasecmp(reason_str, crl_reasons[i])) { reason_code = i; break; } } if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) { BIO_printf(bio_err, "invalid reason code %s\n", reason_str); goto err; } if (reason_code == 7) reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL; else if (reason_code == 8) /* Hold instruction */ { if (!arg_str) { BIO_printf(bio_err, "missing hold instruction\n"); goto err; } reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; hold = OBJ_txt2obj(arg_str, 0); if (!hold) { BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); goto err; } if (phold) *phold = hold; } else if ((reason_code == 9) || (reason_code == 10)) { if (!arg_str) { BIO_printf(bio_err, "missing compromised time\n"); goto err; } comp_time = ASN1_GENERALIZEDTIME_new(); if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) { BIO_printf(bio_err, "invalid compromised time %s\n", arg_str); goto err; } if (reason_code == 9) reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE; else reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE; } } if (preason) *preason = reason_code; if (pinvtm) *pinvtm = comp_time; else ASN1_GENERALIZEDTIME_free(comp_time); ret = 1; err: if (tmp) OPENSSL_free(tmp); if (!phold) ASN1_OBJECT_free(hold); if (!pinvtm) ASN1_GENERALIZEDTIME_free(comp_time); return ret; } - -int make_serial_index(TXT_DB *db) - { - if (!TXT_DB_create_index(db, DB_serial, NULL, - LHASH_HASH_FN(index_serial_hash), - LHASH_COMP_FN(index_serial_cmp))) - { - BIO_printf(bio_err, - "error creating serial number index:(%ld,%ld,%ld)\n", - db->error,db->arg1,db->arg2); - return 0; - } - return 1; - } diff --git a/crypto/openssl/apps/der_chop b/crypto/openssl/apps/der_chop index 2ee9d6bfd44b..9070b032fc38 100644 --- a/crypto/openssl/apps/der_chop +++ b/crypto/openssl/apps/der_chop @@ -1,305 +1,305 @@ -#!/usr/bin/perl +#!/usr/local/bin/perl # # der_chop ... this is one total hack that Eric is really not proud of # so don't look at it and don't ask for support # # The "documentation" for this (i.e. all the comments) are my fault --tjh # # This program takes the "raw" output of derparse/asn1parse and # converts it into tokens and then runs regular expression matches # to try to figure out what to grab to get the things that are needed # and it is possible that this will do the wrong thing as it is a *hack* # # SSLeay 0.5.2+ should have direct read support for x509 (via -inform NET) # [I know ... promises promises :-)] # # To convert a Netscape Certificate: # der_chop < ServerCert.der > cert.pem # To convert a Netscape Key (and encrypt it again to protect it) # rsa -inform NET -in ServerKey.der -des > key.pem # # 23-Apr-96 eay Added the extra ASN.1 string types, I still think this # is an evil hack. If nothing else the parsing should # be relative, not absolute. # 19-Apr-96 tjh hacked (with eay) into 0.5.x format # # Tim Hudson # tjh@cryptsoft.com # require 'getopts.pl'; $debug=0; # this was the 0.4.x way of doing things ... $cmd="derparse"; $x509_cmd="x509"; $crl_cmd="crl"; $rc4_cmd="rc4"; $md2_cmd="md2"; $md4_cmd="md4"; $rsa_cmd="rsa -des -inform der "; # this was the 0.5.x way of doing things ... $cmd="openssl asn1parse"; $x509_cmd="openssl x509"; $crl_cmd="openssl crl"; $rc4_cmd="openssl rc4"; $md2_cmd="openssl md2"; $md4_cmd="openssl md4"; $rsa_cmd="openssl rsa -des -inform der "; &Getopts('vd:') || die "usage:$0 [-v] [-d num] file"; $depth=($opt_d =~ /^\d+$/)?$opt_d:0; &init_der(); if ($#ARGV != -1) { foreach $file (@ARGV) { print STDERR "doing $file\n"; &dofile($file); } } else { $file="/tmp/a$$.DER"; open(OUT,">$file") || die "unable to open $file:$!\n"; for (;;) { $i=sysread(STDIN,$b,1024*10); last if ($i <= 0); $i=syswrite(OUT,$b,$i); } &dofile($file); unlink($file); } sub dofile { local($file)=@_; local(@p); $b=&load_file($file); @p=&load_file_parse($file); foreach $_ (@p) { ($off,$d,$hl,$len)=&parse_line($_); $d-=$depth; next if ($d != 0); next if ($len == 0); $o=substr($b,$off,$len+$hl); ($str,@data)=&der_str($o); print "$str\n" if ($opt_v); if ($str =~ /^$crl/) { open(OUT,"|$crl_cmd -inform d -hash -issuer") || die "unable to run $crl_cmd:$!\n"; print OUT $o; close(OUT); } elsif ($str =~ /^$x509/) { open(OUT,"|$x509_cmd -inform d -hash -subject -issuer") || die "unable to run $x509_cmd:$!\n"; print OUT $o; close(OUT); } elsif ($str =~ /^$rsa/) { ($type)=($data[3] =~ /OBJECT_IDENTIFIER :(.*)\s*$/); next unless ($type eq "rsaEncryption"); ($off,$d,$hl,$len)=&parse_line($data[5]); $os=substr($o,$off+$hl,$len); open(OUT,"|$rsa_cmd") || die "unable to run $rsa_cmd:$!\n"; print OUT $os; close(OUT); } elsif ($str =~ /^0G-1D-1G/) { ($off,$d,$hl,$len)=&parse_line($data[1]); $os=substr($o,$off+$hl,$len); print STDERR "<$os>\n" if $opt_v; &do_certificate($o,@data) if (($os eq "certificate") && ($str =! /^0G-1D-1G-2G-3F-3E-2D/)); &do_private_key($o,@data) if (($os eq "private-key") && ($str =! /^0G-1D-1G-2G-3F-3E-2D/)); } } } sub der_str { local($str)=@_; local(*OUT,*IN,@a,$t,$d,$ret); local($file)="/tmp/b$$.DER"; local(@ret); open(OUT,">$file"); print OUT $str; close(OUT); open(IN,"$cmd -inform 'd' -in $file |") || die "unable to run $cmd:$!\n"; $ret=""; while () { chop; push(@ret,$_); print STDERR "$_\n" if ($debug); @a=split(/\s*:\s*/); ($d)=($a[1] =~ /d=\s*(\d+)/); $a[2] =~ s/\s+$//; $t=$DER_s2i{$a[2]}; $ret.="$d$t-"; } close(IN); unlink($file); chop $ret; $ret =~ s/(-3H(-4G-5F-5[IJKMQRS])+)+/-NAME/g; $ret =~ s/(-3G-4B-4L)+/-RCERT/g; return($ret,@ret); } sub init_der { $crl= "0G-1G-2G-3F-3E-2G-NAME-2L-2L-2G-RCERT-1G-2F-2E-1C"; $x509="0G-1G-2B-2G-3F-3E-2G-NAME-2G-3L-3L-2G-NAME-2G-3G-4F-4E-3C-1G-2F-2E-1C"; $rsa= "0G-1B-1G-2F-2E-1D"; %DER_i2s=( # SSLeay 0.4.x has this list "A","EOC", "B","INTEGER", "C","BIT STRING", "D","OCTET STRING", "E","NULL", "F","OBJECT", "G","SEQUENCE", "H","SET", "I","PRINTABLESTRING", "J","T61STRING", "K","IA5STRING", "L","UTCTIME", "M","NUMERICSTRING", "N","VIDEOTEXSTRING", "O","GENERALIZEDTIME", "P","GRAPHICSTRING", "Q","ISO64STRING", "R","GENERALSTRING", "S","UNIVERSALSTRING", # SSLeay 0.5.x changed some things ... and I'm # leaving in the old stuff but adding in these # to handle the new as well --tjh # - Well I've just taken them out and added the extra new # ones :-) - eay ); foreach (keys %DER_i2s) { $DER_s2i{$DER_i2s{$_}}=$_; } } sub parse_line { local($_)=@_; return(/\s*(\d+):d=\s*(\d+)\s+hl=\s*(\d+)\s+l=\s*(\d+|inf)\s/); } # 0:d=0 hl=4 l=377 cons: univ: SEQUENCE # 4:d=1 hl=2 l= 11 prim: univ: OCTET_STRING # 17:d=1 hl=4 l=360 cons: univ: SEQUENCE # 21:d=2 hl=2 l= 12 cons: univ: SEQUENCE # 23:d=3 hl=2 l= 8 prim: univ: OBJECT_IDENTIFIER :rc4 # 33:d=3 hl=2 l= 0 prim: univ: NULL # 35:d=2 hl=4 l=342 prim: univ: OCTET_STRING sub do_private_key { local($data,@struct)=@_; local($file)="/tmp/b$$.DER"; local($off,$d,$hl,$len,$_,$b,@p,$s); ($type)=($struct[4] =~ /OBJECT_IDENTIFIER :(.*)\s*$/); if ($type eq "rc4") { ($off,$d,$hl,$len)=&parse_line($struct[6]); open(OUT,"|$rc4_cmd >$file") || die "unable to run $rc4_cmd:$!\n"; print OUT substr($data,$off+$hl,$len); close(OUT); $b=&load_file($file); unlink($file); ($s,@p)=&der_str($b); die "unknown rsa key type\n$s\n" if ($s ne '0G-1B-1G-2F-2E-1D'); local($off,$d,$hl,$len)=&parse_line($p[5]); $b=substr($b,$off+$hl,$len); ($s,@p)=&der_str($b); open(OUT,"|$rsa_cmd") || die "unable to run $rsa_cmd:$!\n"; print OUT $b; close(OUT); } else { print "'$type' is unknown\n"; exit(1); } } sub do_certificate { local($data,@struct)=@_; local($file)="/tmp/b$$.DER"; local($off,$d,$hl,$len,$_,$b,@p,$s); ($off,$d,$hl,$len)=&parse_line($struct[2]); $b=substr($data,$off,$len+$hl); open(OUT,"|$x509_cmd -inform d") || die "unable to run $x509_cmd:$!\n"; print OUT $b; close(OUT); } sub load_file { local($file)=@_; local(*IN,$r,$b,$i); $r=""; open(IN,"<$file") || die "unable to open $file:$!\n"; for (;;) { $i=sysread(IN,$b,10240); last if ($i <= 0); $r.=$b; } close(IN); return($r); } sub load_file_parse { local($file)=@_; local(*IN,$r,@ret,$_,$i,$n,$b); open(IN,"$cmd -inform d -in $file|") || die "unable to run der_parse\n"; while () { chop; push(@ret,$_); } return($r,@ret); } diff --git a/crypto/openssl/apps/dgst.c b/crypto/openssl/apps/dgst.c index 47d1309b14c1..be25dafef704 100644 --- a/crypto/openssl/apps/dgst.c +++ b/crypto/openssl/apps/dgst.c @@ -1,445 +1,446 @@ /* apps/dgst.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include "apps.h" #include #include #include #include #include #include #undef BUFSIZE #define BUFSIZE 1024*8 #undef PROG #define PROG dgst_main int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, const char *file); int MAIN(int, char **); int MAIN(int argc, char **argv) { ENGINE *e = NULL; unsigned char *buf=NULL; int i,err=0; const EVP_MD *md=NULL,*m; BIO *in=NULL,*inp; BIO *bmd=NULL; BIO *out = NULL; const char *name; #define PROG_NAME_SIZE 39 char pname[PROG_NAME_SIZE+1]; int separator=0; int debug=0; int keyform=FORMAT_PEM; const char *outfile = NULL, *keyfile = NULL; const char *sigfile = NULL, *randfile = NULL; int out_bin = -1, want_pub = 0, do_verify = 0; EVP_PKEY *sigkey = NULL; unsigned char *sigbuf = NULL; int siglen = 0; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif apps_startup(); if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL) { BIO_printf(bio_err,"out of memory\n"); goto end; } if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); if (!load_config(bio_err, NULL)) goto end; /* first check the program name */ program_name(argv[0],pname,sizeof pname); md=EVP_get_digestbyname(pname); argc--; argv++; while (argc > 0) { if ((*argv)[0] != '-') break; if (strcmp(*argv,"-c") == 0) separator=1; else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) break; randfile=*(++argv); } else if (strcmp(*argv,"-out") == 0) { if (--argc < 1) break; outfile=*(++argv); } else if (strcmp(*argv,"-sign") == 0) { if (--argc < 1) break; keyfile=*(++argv); } else if (strcmp(*argv,"-verify") == 0) { if (--argc < 1) break; keyfile=*(++argv); want_pub = 1; do_verify = 1; } else if (strcmp(*argv,"-prverify") == 0) { if (--argc < 1) break; keyfile=*(++argv); do_verify = 1; } else if (strcmp(*argv,"-signature") == 0) { if (--argc < 1) break; sigfile=*(++argv); } else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) break; keyform=str2fmt(*(++argv)); } #ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) break; engine= *(++argv); } #endif else if (strcmp(*argv,"-hex") == 0) out_bin = 0; else if (strcmp(*argv,"-binary") == 0) out_bin = 1; else if (strcmp(*argv,"-d") == 0) debug=1; else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL) md=m; else break; argc--; argv++; } if (md == NULL) md=EVP_md5(); if(do_verify && !sigfile) { BIO_printf(bio_err, "No signature to verify: use the -signature option\n"); err = 1; goto end; } if ((argc > 0) && (argv[0][0] == '-')) /* bad option */ { BIO_printf(bio_err,"unknown option '%s'\n",*argv); BIO_printf(bio_err,"options are\n"); BIO_printf(bio_err,"-c to output the digest with separating colons\n"); BIO_printf(bio_err,"-d to output debug info\n"); BIO_printf(bio_err,"-hex output as hex dump\n"); BIO_printf(bio_err,"-binary output in binary form\n"); BIO_printf(bio_err,"-sign file sign digest using private key in file\n"); BIO_printf(bio_err,"-verify file verify a signature using public key in file\n"); BIO_printf(bio_err,"-prverify file verify a signature using private key in file\n"); BIO_printf(bio_err,"-keyform arg key file format (PEM or ENGINE)\n"); BIO_printf(bio_err,"-signature file signature to verify\n"); BIO_printf(bio_err,"-binary output in binary form\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n"); #endif BIO_printf(bio_err,"-%3s to use the %s message digest algorithm (default)\n", LN_md5,LN_md5); BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n", LN_md4,LN_md4); BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n", LN_md2,LN_md2); BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n", LN_sha1,LN_sha1); BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n", LN_sha,LN_sha); BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n", LN_mdc2,LN_mdc2); BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n", LN_ripemd160,LN_ripemd160); err=1; goto end; } #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif in=BIO_new(BIO_s_file()); bmd=BIO_new(BIO_f_md()); if (debug) { BIO_set_callback(in,BIO_debug_callback); /* needed for windows 3.1 */ BIO_set_callback_arg(in,bio_err); } if ((in == NULL) || (bmd == NULL)) { ERR_print_errors(bio_err); goto end; } if(out_bin == -1) { if(keyfile) out_bin = 1; else out_bin = 0; } if(randfile) app_RAND_load_file(randfile, bio_err, 0); if(outfile) { if(out_bin) out = BIO_new_file(outfile, "wb"); else out = BIO_new_file(outfile, "w"); } else { out = BIO_new_fp(stdout, BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } if(!out) { BIO_printf(bio_err, "Error opening output file %s\n", outfile ? outfile : "(stdout)"); ERR_print_errors(bio_err); goto end; } if(keyfile) { if (want_pub) sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL, e, "key file"); else sigkey = load_key(bio_err, keyfile, keyform, 0, NULL, e, "key file"); if (!sigkey) { /* load_[pub]key() has already printed an appropriate message */ goto end; } } if(sigfile && sigkey) { BIO *sigbio; sigbio = BIO_new_file(sigfile, "rb"); siglen = EVP_PKEY_size(sigkey); sigbuf = OPENSSL_malloc(siglen); if(!sigbio) { BIO_printf(bio_err, "Error opening signature file %s\n", sigfile); ERR_print_errors(bio_err); goto end; } siglen = BIO_read(sigbio, sigbuf, siglen); BIO_free(sigbio); if(siglen <= 0) { BIO_printf(bio_err, "Error reading signature file %s\n", sigfile); ERR_print_errors(bio_err); goto end; } } /* we use md as a filter, reading from 'in' */ BIO_set_md(bmd,md); inp=BIO_push(bmd,in); if (argc == 0) { BIO_set_fp(in,stdin,BIO_NOCLOSE); err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, siglen,"","(stdin)"); } else { name=OBJ_nid2sn(md->type); for (i=0; i 0) BIO_printf(out, "Verified OK\n"); else if(i == 0) { BIO_printf(out, "Verification Failure\n"); return 1; } else { BIO_printf(bio_err, "Error Verifying Data\n"); ERR_print_errors(bio_err); return 1; } return 0; } if(key) { EVP_MD_CTX *ctx; BIO_get_md_ctx(bp, &ctx); if(!EVP_SignFinal(ctx, buf, (unsigned int *)&len, key)) { BIO_printf(bio_err, "Error Signing Data\n"); ERR_print_errors(bio_err); return 1; } } else len=BIO_gets(bp,(char *)buf,BUFSIZE); if(binout) BIO_write(out, buf, len); else { BIO_write(out,title,strlen(title)); for (i=0; i #include #include #include "apps.h" #include #include #include #include #include #include #include #include int set_hex(char *in,unsigned char *out,int size); #undef SIZE #undef BSIZE #undef PROG #define SIZE (512) #define BSIZE (8*1024) #define PROG enc_main static void show_ciphers(const OBJ_NAME *name,void *bio_) { BIO *bio=bio_; static int n; if(!islower((unsigned char)*name->name)) return; BIO_printf(bio,"-%-25s",name->name); if(++n == 3) { BIO_printf(bio,"\n"); n=0; } else BIO_printf(bio," "); } int MAIN(int, char **); int MAIN(int argc, char **argv) { #ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; #endif static const char magic[]="Salted__"; char mbuf[sizeof magic-1]; char *strbuf=NULL; unsigned char *buff=NULL,*bufsize=NULL; int bsize=BSIZE,verbose=0; int ret=1,inl; int nopad = 0; unsigned char key[EVP_MAX_KEY_LENGTH],iv[EVP_MAX_IV_LENGTH]; unsigned char salt[PKCS5_SALT_LEN]; char *str=NULL, *passarg = NULL, *pass = NULL; char *hkey=NULL,*hiv=NULL,*hsalt = NULL; int enc=1,printkey=0,i,base64=0; int debug=0,olb64=0,nosalt=0; const EVP_CIPHER *cipher=NULL,*c; char *inf=NULL,*outf=NULL; BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL; #define PROG_NAME_SIZE 39 char pname[PROG_NAME_SIZE+1]; #ifndef OPENSSL_NO_ENGINE char *engine = NULL; #endif apps_startup(); if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); if (!load_config(bio_err, NULL)) goto end; /* first check the program name */ program_name(argv[0],pname,sizeof pname); if (strcmp(pname,"base64") == 0) base64=1; cipher=EVP_get_cipherbyname(pname); if (!base64 && (cipher == NULL) && (strcmp(pname,"enc") != 0)) { BIO_printf(bio_err,"%s is an unknown cipher\n",pname); goto bad; } argc--; argv++; while (argc >= 1) { if (strcmp(*argv,"-e") == 0) enc=1; else if (strcmp(*argv,"-in") == 0) { if (--argc < 1) goto bad; inf= *(++argv); } else if (strcmp(*argv,"-out") == 0) { if (--argc < 1) goto bad; outf= *(++argv); } else if (strcmp(*argv,"-pass") == 0) { if (--argc < 1) goto bad; passarg= *(++argv); } #ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } #endif else if (strcmp(*argv,"-d") == 0) enc=0; else if (strcmp(*argv,"-p") == 0) printkey=1; else if (strcmp(*argv,"-v") == 0) verbose=1; else if (strcmp(*argv,"-nopad") == 0) nopad=1; else if (strcmp(*argv,"-salt") == 0) nosalt=0; else if (strcmp(*argv,"-nosalt") == 0) nosalt=1; else if (strcmp(*argv,"-debug") == 0) debug=1; else if (strcmp(*argv,"-P") == 0) printkey=2; else if (strcmp(*argv,"-A") == 0) olb64=1; else if (strcmp(*argv,"-a") == 0) base64=1; else if (strcmp(*argv,"-base64") == 0) base64=1; else if (strcmp(*argv,"-bufsize") == 0) { if (--argc < 1) goto bad; bufsize=(unsigned char *)*(++argv); } else if (strcmp(*argv,"-k") == 0) { if (--argc < 1) goto bad; str= *(++argv); } else if (strcmp(*argv,"-kfile") == 0) { static char buf[128]; FILE *infile; char *file; if (--argc < 1) goto bad; file= *(++argv); infile=fopen(file,"r"); if (infile == NULL) { BIO_printf(bio_err,"unable to read key from '%s'\n", file); goto bad; } buf[0]='\0'; fgets(buf,sizeof buf,infile); fclose(infile); i=strlen(buf); if ((i > 0) && ((buf[i-1] == '\n') || (buf[i-1] == '\r'))) buf[--i]='\0'; if ((i > 0) && ((buf[i-1] == '\n') || (buf[i-1] == '\r'))) buf[--i]='\0'; if (i < 1) { BIO_printf(bio_err,"zero length password\n"); goto bad; } str=buf; } else if (strcmp(*argv,"-K") == 0) { if (--argc < 1) goto bad; hkey= *(++argv); } else if (strcmp(*argv,"-S") == 0) { if (--argc < 1) goto bad; hsalt= *(++argv); } else if (strcmp(*argv,"-iv") == 0) { if (--argc < 1) goto bad; hiv= *(++argv); } else if ((argv[0][0] == '-') && ((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL)) { cipher=c; } else if (strcmp(*argv,"-none") == 0) cipher=NULL; else { BIO_printf(bio_err,"unknown option '%s'\n",*argv); bad: BIO_printf(bio_err,"options are\n"); BIO_printf(bio_err,"%-14s input file\n","-in "); BIO_printf(bio_err,"%-14s output file\n","-out "); BIO_printf(bio_err,"%-14s pass phrase source\n","-pass "); BIO_printf(bio_err,"%-14s encrypt\n","-e"); BIO_printf(bio_err,"%-14s decrypt\n","-d"); BIO_printf(bio_err,"%-14s base64 encode/decode, depending on encryption flag\n","-a/-base64"); BIO_printf(bio_err,"%-14s key is the next argument\n","-k"); BIO_printf(bio_err,"%-14s key is the first line of the file argument\n","-kfile"); BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv"); BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]"); BIO_printf(bio_err,"%-14s buffer size\n","-bufsize "); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"%-14s use engine e, possibly a hardware device.\n","-engine e"); #endif BIO_printf(bio_err,"Cipher Types\n"); OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, show_ciphers, bio_err); BIO_printf(bio_err,"\n"); goto end; } argc--; argv++; } #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif if (bufsize != NULL) { unsigned long n; for (n=0; *bufsize; bufsize++) { i= *bufsize; if ((i <= '9') && (i >= '0')) n=n*10+i-'0'; else if (i == 'k') { n*=1024; bufsize++; break; } } if (*bufsize != '\0') { BIO_printf(bio_err,"invalid 'bufsize' specified.\n"); goto end; } /* It must be large enough for a base64 encoded line */ if (n < 80) n=80; bsize=(int)n; if (verbose) BIO_printf(bio_err,"bufsize=%d\n",bsize); } strbuf=OPENSSL_malloc(SIZE); buff=(unsigned char *)OPENSSL_malloc(EVP_ENCODE_LENGTH(bsize)); if ((buff == NULL) || (strbuf == NULL)) { BIO_printf(bio_err,"OPENSSL_malloc failure %ld\n",(long)EVP_ENCODE_LENGTH(bsize)); goto end; } in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); if ((in == NULL) || (out == NULL)) { ERR_print_errors(bio_err); goto end; } if (debug) { BIO_set_callback(in,BIO_debug_callback); BIO_set_callback(out,BIO_debug_callback); BIO_set_callback_arg(in,bio_err); BIO_set_callback_arg(out,bio_err); } if (inf == NULL) BIO_set_fp(in,stdin,BIO_NOCLOSE); else { if (BIO_read_filename(in,inf) <= 0) { perror(inf); goto end; } } if(!str && passarg) { if(!app_passwd(bio_err, passarg, NULL, &pass, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } str = pass; } if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) { for (;;) { char buf[200]; - sprintf(buf,"enter %s %s password:", - OBJ_nid2ln(EVP_CIPHER_nid(cipher)), - (enc)?"encryption":"decryption"); + BIO_snprintf(buf,sizeof buf,"enter %s %s password:", + OBJ_nid2ln(EVP_CIPHER_nid(cipher)), + (enc)?"encryption":"decryption"); strbuf[0]='\0'; i=EVP_read_pw_string((char *)strbuf,SIZE,buf,enc); if (i == 0) { if (strbuf[0] == '\0') { ret=1; goto end; } str=strbuf; break; } if (i < 0) { BIO_printf(bio_err,"bad password read\n"); goto end; } } } if (outf == NULL) { BIO_set_fp(out,stdout,BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } else { if (BIO_write_filename(out,outf) <= 0) { perror(outf); goto end; } } rbio=in; wbio=out; if (base64) { if ((b64=BIO_new(BIO_f_base64())) == NULL) goto end; if (debug) { BIO_set_callback(b64,BIO_debug_callback); BIO_set_callback_arg(b64,bio_err); } if (olb64) BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL); if (enc) wbio=BIO_push(b64,wbio); else rbio=BIO_push(b64,rbio); } if (cipher != NULL) { /* Note that str is NULL if a key was passed on the command * line, so we get no salt in that case. Is this a bug? */ if (str != NULL) { /* Salt handling: if encrypting generate a salt and * write to output BIO. If decrypting read salt from * input BIO. */ unsigned char *sptr; if(nosalt) sptr = NULL; else { if(enc) { if(hsalt) { if(!set_hex(hsalt,salt,sizeof salt)) { BIO_printf(bio_err, "invalid hex salt value\n"); goto end; } } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0) goto end; /* If -P option then don't bother writing */ if((printkey != 2) && (BIO_write(wbio,magic, sizeof magic-1) != sizeof magic-1 || BIO_write(wbio, (char *)salt, sizeof salt) != sizeof salt)) { BIO_printf(bio_err,"error writing output file\n"); goto end; } } else if(BIO_read(rbio,mbuf,sizeof mbuf) != sizeof mbuf || BIO_read(rbio, (unsigned char *)salt, sizeof salt) != sizeof salt) { BIO_printf(bio_err,"error reading input file\n"); goto end; } else if(memcmp(mbuf,magic,sizeof magic-1)) { BIO_printf(bio_err,"bad magic number\n"); goto end; } sptr = salt; } EVP_BytesToKey(cipher,EVP_md5(),sptr, (unsigned char *)str, strlen(str),1,key,iv); /* zero the complete buffer or the string * passed from the command line * bug picked up by * Larry J. Hughes Jr. */ if (str == strbuf) OPENSSL_cleanse(str,SIZE); else OPENSSL_cleanse(str,strlen(str)); } if ((hiv != NULL) && !set_hex(hiv,iv,sizeof iv)) { BIO_printf(bio_err,"invalid hex iv value\n"); goto end; } if ((hiv == NULL) && (str == NULL)) { /* No IV was explicitly set and no IV was generated * during EVP_BytesToKey. Hence the IV is undefined, * making correct decryption impossible. */ BIO_printf(bio_err, "iv undefined\n"); goto end; } if ((hkey != NULL) && !set_hex(hkey,key,sizeof key)) { BIO_printf(bio_err,"invalid hex key value\n"); goto end; } if ((benc=BIO_new(BIO_f_cipher())) == NULL) goto end; BIO_set_cipher(benc,cipher,key,iv,enc); if (nopad) { EVP_CIPHER_CTX *ctx; BIO_get_cipher_ctx(benc, &ctx); EVP_CIPHER_CTX_set_padding(ctx, 0); } if (debug) { BIO_set_callback(benc,BIO_debug_callback); BIO_set_callback_arg(benc,bio_err); } if (printkey) { if (!nosalt) { printf("salt="); for (i=0; ikey_len > 0) { printf("key="); for (i=0; ikey_len; i++) printf("%02X",key[i]); printf("\n"); } if (cipher->iv_len > 0) { printf("iv ="); for (i=0; iiv_len; i++) printf("%02X",iv[i]); printf("\n"); } if (printkey == 2) { ret=0; goto end; } } } /* Only encrypt/decrypt as we write the file */ if (benc != NULL) wbio=BIO_push(benc,wbio); for (;;) { inl=BIO_read(rbio,(char *)buff,bsize); if (inl <= 0) break; if (BIO_write(wbio,(char *)buff,inl) != inl) { BIO_printf(bio_err,"error writing output file\n"); goto end; } } if (!BIO_flush(wbio)) { BIO_printf(bio_err,"bad decrypt\n"); goto end; } ret=0; if (verbose) { BIO_printf(bio_err,"bytes read :%8ld\n",BIO_number_read(in)); BIO_printf(bio_err,"bytes written:%8ld\n",BIO_number_written(out)); } end: ERR_print_errors(bio_err); if (strbuf != NULL) OPENSSL_free(strbuf); if (buff != NULL) OPENSSL_free(buff); if (in != NULL) BIO_free(in); if (out != NULL) BIO_free_all(out); if (benc != NULL) BIO_free(benc); if (b64 != NULL) BIO_free(b64); if(pass) OPENSSL_free(pass); apps_shutdown(); OPENSSL_EXIT(ret); } int set_hex(char *in, unsigned char *out, int size) { int i,n; unsigned char j; n=strlen(in); if (n > (size*2)) { BIO_printf(bio_err,"hex string is too long\n"); return(0); } memset(out,0,size); for (i=0; i= '0') && (j <= '9')) j-='0'; else if ((j >= 'A') && (j <= 'F')) j=j-'A'+10; else if ((j >= 'a') && (j <= 'f')) j=j-'a'+10; else { BIO_printf(bio_err,"non-hex digit\n"); return(0); } if (i&1) out[i/2]|=j; else out[i/2]=(j<<4); } return(1); } diff --git a/crypto/openssl/apps/engine.c b/crypto/openssl/apps/engine.c index c3e1e8de1c38..12283d0aed67 100644 --- a/crypto/openssl/apps/engine.c +++ b/crypto/openssl/apps/engine.c @@ -1,529 +1,529 @@ /* apps/engine.c -*- mode: C; c-file-style: "eay" -*- */ /* Written by Richard Levitte for the OpenSSL * project 2000. */ /* ==================================================================== * Copyright (c) 2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #ifndef OPENSSL_NO_ENGINE #include #include #include #ifdef OPENSSL_NO_STDIO #define APPS_WIN16 #endif #include "apps.h" #include #include #include #undef PROG #define PROG engine_main static char *engine_usage[]={ "usage: engine opts [engine ...]\n", " -v[v[v[v]]] - verbose mode, for each engine, list its 'control commands'\n", " -vv will additionally display each command's description\n", " -vvv will also add the input flags for each command\n", " -vvvv will also show internal input flags\n", " -c - for each engine, also list the capabilities\n", " -t - for each engine, check that they are really available\n", " -pre - runs command 'cmd' against the ENGINE before any attempts\n", " to load it (if -t is used)\n", " -post - runs command 'cmd' against the ENGINE after loading it\n", " (only used if -t is also provided)\n", " NB: -pre and -post will be applied to all ENGINEs supplied on the command\n", " line, or all supported ENGINEs if none are specified.\n", " Eg. '-pre \"SO_PATH:/lib/libdriver.so\"' calls command \"SO_PATH\" with\n", " argument \"/lib/libdriver.so\".\n", NULL }; static void identity(void *ptr) { return; } static int append_buf(char **buf, const char *s, int *size, int step) { int l = strlen(s); if (*buf == NULL) { *size = step; *buf = OPENSSL_malloc(*size); if (*buf == NULL) return 0; **buf = '\0'; } if (**buf != '\0') l += 2; /* ", " */ if (strlen(*buf) + strlen(s) >= (unsigned int)*size) { *size += step; *buf = OPENSSL_realloc(*buf, *size); } if (*buf == NULL) return 0; if (**buf != '\0') - strcat(*buf, ", "); - strcat(*buf, s); + BUF_strlcat(*buf, ", ", *size); + BUF_strlcat(*buf, s, *size); return 1; } static int util_flags(BIO *bio_out, unsigned int flags, const char *indent) { int started = 0, err = 0; /* Indent before displaying input flags */ BIO_printf(bio_out, "%s%s(input flags): ", indent, indent); if(flags == 0) { BIO_printf(bio_out, "\n"); return 1; } /* If the object is internal, mark it in a way that shows instead of * having it part of all the other flags, even if it really is. */ if(flags & ENGINE_CMD_FLAG_INTERNAL) { BIO_printf(bio_out, "[Internal] "); } if(flags & ENGINE_CMD_FLAG_NUMERIC) { if(started) { BIO_printf(bio_out, "|"); err = 1; } BIO_printf(bio_out, "NUMERIC"); started = 1; } /* Now we check that no combinations of the mutually exclusive NUMERIC, * STRING, and NO_INPUT flags have been used. Future flags that can be * OR'd together with these would need to added after these to preserve * the testing logic. */ if(flags & ENGINE_CMD_FLAG_STRING) { if(started) { BIO_printf(bio_out, "|"); err = 1; } BIO_printf(bio_out, "STRING"); started = 1; } if(flags & ENGINE_CMD_FLAG_NO_INPUT) { if(started) { BIO_printf(bio_out, "|"); err = 1; } BIO_printf(bio_out, "NO_INPUT"); started = 1; } /* Check for unknown flags */ flags = flags & ~ENGINE_CMD_FLAG_NUMERIC & ~ENGINE_CMD_FLAG_STRING & ~ENGINE_CMD_FLAG_NO_INPUT & ~ENGINE_CMD_FLAG_INTERNAL; if(flags) { if(started) BIO_printf(bio_out, "|"); BIO_printf(bio_out, "<0x%04X>", flags); } if(err) BIO_printf(bio_out, " "); BIO_printf(bio_out, "\n"); return 1; } static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent) { static const int line_wrap = 78; int num; int ret = 0; char *name = NULL; char *desc = NULL; int flags; int xpos = 0; STACK *cmds = NULL; if(!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) || ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE, 0, NULL, NULL)) <= 0)) { #if 0 BIO_printf(bio_out, "%s\n", indent); #endif return 1; } cmds = sk_new_null(); if(!cmds) goto err; do { int len; /* Get the command input flags */ if((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num, NULL, NULL)) < 0) goto err; if (!(flags & ENGINE_CMD_FLAG_INTERNAL) || verbose >= 4) { /* Get the command name */ if((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num, NULL, NULL)) <= 0) goto err; if((name = OPENSSL_malloc(len + 1)) == NULL) goto err; if(ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name, NULL) <= 0) goto err; /* Get the command description */ if((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_LEN_FROM_CMD, num, NULL, NULL)) < 0) goto err; if(len > 0) { if((desc = OPENSSL_malloc(len + 1)) == NULL) goto err; if(ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc, NULL) <= 0) goto err; } /* Now decide on the output */ if(xpos == 0) /* Do an indent */ xpos = BIO_printf(bio_out, indent); else /* Otherwise prepend a ", " */ xpos += BIO_printf(bio_out, ", "); if(verbose == 1) { /* We're just listing names, comma-delimited */ if((xpos > (int)strlen(indent)) && (xpos + (int)strlen(name) > line_wrap)) { BIO_printf(bio_out, "\n"); xpos = BIO_printf(bio_out, indent); } xpos += BIO_printf(bio_out, "%s", name); } else { /* We're listing names plus descriptions */ BIO_printf(bio_out, "%s: %s\n", name, (desc == NULL) ? "" : desc); /* ... and sometimes input flags */ if((verbose >= 3) && !util_flags(bio_out, flags, indent)) goto err; xpos = 0; } } OPENSSL_free(name); name = NULL; if(desc) { OPENSSL_free(desc); desc = NULL; } /* Move to the next command */ num = ENGINE_ctrl(e, ENGINE_CTRL_GET_NEXT_CMD_TYPE, num, NULL, NULL); } while(num > 0); if(xpos > 0) BIO_printf(bio_out, "\n"); ret = 1; err: if(cmds) sk_pop_free(cmds, identity); if(name) OPENSSL_free(name); if(desc) OPENSSL_free(desc); return ret; } static void util_do_cmds(ENGINE *e, STACK *cmds, BIO *bio_out, const char *indent) { int loop, res, num = sk_num(cmds); if(num < 0) { BIO_printf(bio_out, "[Error]: internal stack error\n"); return; } for(loop = 0; loop < num; loop++) { char buf[256]; const char *cmd, *arg; cmd = sk_value(cmds, loop); res = 1; /* assume success */ /* Check if this command has no ":arg" */ if((arg = strstr(cmd, ":")) == NULL) { if(!ENGINE_ctrl_cmd_string(e, cmd, NULL, 0)) res = 0; } else { if((int)(arg - cmd) > 254) { BIO_printf(bio_out,"[Error]: command name too long\n"); return; } memcpy(buf, cmd, (int)(arg - cmd)); buf[arg-cmd] = '\0'; arg++; /* Move past the ":" */ /* Call the command with the argument */ if(!ENGINE_ctrl_cmd_string(e, buf, arg, 0)) res = 0; } if(res) BIO_printf(bio_out, "[Success]: %s\n", cmd); else { BIO_printf(bio_out, "[Failure]: %s\n", cmd); ERR_print_errors(bio_out); } } } int MAIN(int, char **); int MAIN(int argc, char **argv) { int ret=1,i; char **pp; int verbose=0, list_cap=0, test_avail=0; ENGINE *e; STACK *engines = sk_new_null(); STACK *pre_cmds = sk_new_null(); STACK *post_cmds = sk_new_null(); int badops=1; BIO *bio_out=NULL; const char *indent = " "; apps_startup(); SSL_load_error_strings(); if (bio_err == NULL) bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); if (!load_config(bio_err, NULL)) goto end; bio_out=BIO_new_fp(stdout,BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); bio_out = BIO_push(tmpbio, bio_out); } #endif argc--; argv++; while (argc >= 1) { if (strncmp(*argv,"-v",2) == 0) { if(strspn(*argv + 1, "v") < strlen(*argv + 1)) goto skip_arg_loop; if((verbose=strlen(*argv + 1)) > 4) goto skip_arg_loop; } else if (strcmp(*argv,"-c") == 0) list_cap=1; else if (strcmp(*argv,"-t") == 0) test_avail=1; else if (strcmp(*argv,"-pre") == 0) { argc--; argv++; sk_push(pre_cmds,*argv); } else if (strcmp(*argv,"-post") == 0) { argc--; argv++; sk_push(post_cmds,*argv); } else if ((strncmp(*argv,"-h",2) == 0) || (strcmp(*argv,"-?") == 0)) goto skip_arg_loop; else sk_push(engines,*argv); argc--; argv++; } /* Looks like everything went OK */ badops = 0; skip_arg_loop: if (badops) { for (pp=engine_usage; (*pp != NULL); pp++) BIO_printf(bio_err,"%s",*pp); goto end; } if (sk_num(engines) == 0) { for(e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) { sk_push(engines,(char *)ENGINE_get_id(e)); } } for (i=0; i 0) && !util_verbose(e, verbose, bio_out, indent)) goto end; ENGINE_free(e); } else ERR_print_errors(bio_err); } ret=0; end: ERR_print_errors(bio_err); sk_pop_free(engines, identity); sk_pop_free(pre_cmds, identity); sk_pop_free(post_cmds, identity); if (bio_out != NULL) BIO_free_all(bio_out); apps_shutdown(); OPENSSL_EXIT(ret); } #else # if PEDANTIC static void *dummy=&dummy; # endif #endif diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c index e5f186fd5ea8..856b797b532e 100644 --- a/crypto/openssl/apps/ocsp.c +++ b/crypto/openssl/apps/ocsp.c @@ -1,1253 +1,1227 @@ /* ocsp.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 2000. */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #ifndef OPENSSL_NO_OCSP #include #include #include "apps.h" #include #include #include #include /* Maximum leeway in validity period: default 5 minutes */ #define MAX_VALIDITY_PERIOD (5 * 60) -/* CA index.txt definitions */ -#define DB_type 0 -#define DB_exp_date 1 -#define DB_rev_date 2 -#define DB_serial 3 /* index - unique */ -#define DB_file 4 -#define DB_name 5 /* index - unique for active */ -#define DB_NUMBER 6 - -#define DB_TYPE_REV 'R' -#define DB_TYPE_EXP 'E' -#define DB_TYPE_VAL 'V' - static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, STACK *names, STACK_OF(OCSP_CERTID) *ids, long nsec, long maxage); -static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db, +static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother, unsigned long flags, int nmin, int ndays); -static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser); +static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); static BIO *init_responder(char *port); static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); #undef PROG #define PROG ocsp_main int MAIN(int, char **); int MAIN(int argc, char **argv) { ENGINE *e = NULL; char **args; char *host = NULL, *port = NULL, *path = "/"; char *reqin = NULL, *respin = NULL; char *reqout = NULL, *respout = NULL; char *signfile = NULL, *keyfile = NULL; char *rsignfile = NULL, *rkeyfile = NULL; char *outfile = NULL; int add_nonce = 1, noverify = 0, use_ssl = -1; OCSP_REQUEST *req = NULL; OCSP_RESPONSE *resp = NULL; OCSP_BASICRESP *bs = NULL; X509 *issuer = NULL, *cert = NULL; X509 *signer = NULL, *rsigner = NULL; EVP_PKEY *key = NULL, *rkey = NULL; BIO *acbio = NULL, *cbio = NULL; BIO *derbio = NULL; BIO *out = NULL; int req_text = 0, resp_text = 0; long nsec = MAX_VALIDITY_PERIOD, maxage = -1; char *CAfile = NULL, *CApath = NULL; X509_STORE *store = NULL; SSL_CTX *ctx = NULL; STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; unsigned long sign_flags = 0, verify_flags = 0, rflags = 0; int ret = 1; int accept_count = -1; int badarg = 0; int i; int ignore_err = 0; STACK *reqnames = NULL; STACK_OF(OCSP_CERTID) *ids = NULL; X509 *rca_cert = NULL; char *ridx_filename = NULL; char *rca_filename = NULL; - TXT_DB *rdb = NULL; + CA_DB *rdb = NULL; int nmin = 0, ndays = -1; if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); if (!load_config(bio_err, NULL)) goto end; SSL_load_error_strings(); args = argv + 1; reqnames = sk_new_null(); ids = sk_OCSP_CERTID_new_null(); while (!badarg && *args && *args[0] == '-') { if (!strcmp(*args, "-out")) { if (args[1]) { args++; outfile = *args; } else badarg = 1; } else if (!strcmp(*args, "-url")) { if (args[1]) { args++; if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) { BIO_printf(bio_err, "Error parsing URL\n"); badarg = 1; } } else badarg = 1; } else if (!strcmp(*args, "-host")) { if (args[1]) { args++; host = *args; } else badarg = 1; } else if (!strcmp(*args, "-port")) { if (args[1]) { args++; port = *args; } else badarg = 1; } else if (!strcmp(*args, "-ignore_err")) ignore_err = 1; else if (!strcmp(*args, "-noverify")) noverify = 1; else if (!strcmp(*args, "-nonce")) add_nonce = 2; else if (!strcmp(*args, "-no_nonce")) add_nonce = 0; else if (!strcmp(*args, "-resp_no_certs")) rflags |= OCSP_NOCERTS; else if (!strcmp(*args, "-resp_key_id")) rflags |= OCSP_RESPID_KEY; else if (!strcmp(*args, "-no_certs")) sign_flags |= OCSP_NOCERTS; else if (!strcmp(*args, "-no_signature_verify")) verify_flags |= OCSP_NOSIGS; else if (!strcmp(*args, "-no_cert_verify")) verify_flags |= OCSP_NOVERIFY; else if (!strcmp(*args, "-no_chain")) verify_flags |= OCSP_NOCHAIN; else if (!strcmp(*args, "-no_cert_checks")) verify_flags |= OCSP_NOCHECKS; else if (!strcmp(*args, "-no_explicit")) verify_flags |= OCSP_NOEXPLICIT; else if (!strcmp(*args, "-trust_other")) verify_flags |= OCSP_TRUSTOTHER; else if (!strcmp(*args, "-no_intern")) verify_flags |= OCSP_NOINTERN; else if (!strcmp(*args, "-text")) { req_text = 1; resp_text = 1; } else if (!strcmp(*args, "-req_text")) req_text = 1; else if (!strcmp(*args, "-resp_text")) resp_text = 1; else if (!strcmp(*args, "-reqin")) { if (args[1]) { args++; reqin = *args; } else badarg = 1; } else if (!strcmp(*args, "-respin")) { if (args[1]) { args++; respin = *args; } else badarg = 1; } else if (!strcmp(*args, "-signer")) { if (args[1]) { args++; signfile = *args; } else badarg = 1; } else if (!strcmp (*args, "-VAfile")) { if (args[1]) { args++; verify_certfile = *args; verify_flags |= OCSP_TRUSTOTHER; } else badarg = 1; } else if (!strcmp(*args, "-sign_other")) { if (args[1]) { args++; sign_certfile = *args; } else badarg = 1; } else if (!strcmp(*args, "-verify_other")) { if (args[1]) { args++; verify_certfile = *args; } else badarg = 1; } else if (!strcmp (*args, "-CAfile")) { if (args[1]) { args++; CAfile = *args; } else badarg = 1; } else if (!strcmp (*args, "-CApath")) { if (args[1]) { args++; CApath = *args; } else badarg = 1; } else if (!strcmp (*args, "-validity_period")) { if (args[1]) { args++; nsec = atol(*args); if (nsec < 0) { BIO_printf(bio_err, "Illegal validity period %s\n", *args); badarg = 1; } } else badarg = 1; } else if (!strcmp (*args, "-status_age")) { if (args[1]) { args++; maxage = atol(*args); if (maxage < 0) { BIO_printf(bio_err, "Illegal validity age %s\n", *args); badarg = 1; } } else badarg = 1; } else if (!strcmp(*args, "-signkey")) { if (args[1]) { args++; keyfile = *args; } else badarg = 1; } else if (!strcmp(*args, "-reqout")) { if (args[1]) { args++; reqout = *args; } else badarg = 1; } else if (!strcmp(*args, "-respout")) { if (args[1]) { args++; respout = *args; } else badarg = 1; } else if (!strcmp(*args, "-path")) { if (args[1]) { args++; path = *args; } else badarg = 1; } else if (!strcmp(*args, "-issuer")) { if (args[1]) { args++; X509_free(issuer); issuer = load_cert(bio_err, *args, FORMAT_PEM, NULL, e, "issuer certificate"); if(!issuer) goto end; } else badarg = 1; } else if (!strcmp (*args, "-cert")) { if (args[1]) { args++; X509_free(cert); cert = load_cert(bio_err, *args, FORMAT_PEM, NULL, e, "certificate"); if(!cert) goto end; if(!add_ocsp_cert(&req, cert, issuer, ids)) goto end; if(!sk_push(reqnames, *args)) goto end; } else badarg = 1; } else if (!strcmp(*args, "-serial")) { if (args[1]) { args++; if(!add_ocsp_serial(&req, *args, issuer, ids)) goto end; if(!sk_push(reqnames, *args)) goto end; } else badarg = 1; } else if (!strcmp(*args, "-index")) { if (args[1]) { args++; ridx_filename = *args; } else badarg = 1; } else if (!strcmp(*args, "-CA")) { if (args[1]) { args++; rca_filename = *args; } else badarg = 1; } else if (!strcmp (*args, "-nmin")) { if (args[1]) { args++; nmin = atol(*args); if (nmin < 0) { BIO_printf(bio_err, "Illegal update period %s\n", *args); badarg = 1; } } if (ndays == -1) ndays = 0; else badarg = 1; } else if (!strcmp (*args, "-nrequest")) { if (args[1]) { args++; accept_count = atol(*args); if (accept_count < 0) { BIO_printf(bio_err, "Illegal accept count %s\n", *args); badarg = 1; } } else badarg = 1; } else if (!strcmp (*args, "-ndays")) { if (args[1]) { args++; ndays = atol(*args); if (ndays < 0) { BIO_printf(bio_err, "Illegal update period %s\n", *args); badarg = 1; } } else badarg = 1; } else if (!strcmp(*args, "-rsigner")) { if (args[1]) { args++; rsignfile = *args; } else badarg = 1; } else if (!strcmp(*args, "-rkey")) { if (args[1]) { args++; rkeyfile = *args; } else badarg = 1; } else if (!strcmp(*args, "-rother")) { if (args[1]) { args++; rcertfile = *args; } else badarg = 1; } else badarg = 1; args++; } /* Have we anything to do? */ if (!req && !reqin && !respin && !(port && ridx_filename)) badarg = 1; if (badarg) { BIO_printf (bio_err, "OCSP utility\n"); BIO_printf (bio_err, "Usage ocsp [options]\n"); BIO_printf (bio_err, "where options are\n"); BIO_printf (bio_err, "-out file output filename\n"); BIO_printf (bio_err, "-issuer file issuer certificate\n"); BIO_printf (bio_err, "-cert file certificate to check\n"); BIO_printf (bio_err, "-serial n serial number to check\n"); BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n"); BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n"); BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n"); BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n"); BIO_printf (bio_err, "-req_text print text form of request\n"); BIO_printf (bio_err, "-resp_text print text form of response\n"); BIO_printf (bio_err, "-text print text form of request and response\n"); BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n"); BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n"); BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n"); BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n"); BIO_printf (bio_err, "-nonce add OCSP nonce to request\n"); BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n"); BIO_printf (bio_err, "-url URL OCSP responder URL\n"); BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n"); BIO_printf (bio_err, "-path path to use in OCSP request\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); BIO_printf (bio_err, "-VAfile file validator certificates file\n"); BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); BIO_printf (bio_err, "-noverify don't verify response at all\n"); BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n"); BIO_printf (bio_err, "-trust_other don't verify additional certificates\n"); BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n"); BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n"); BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n"); BIO_printf (bio_err, "-no_chain don't chain verify response\n"); BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n"); BIO_printf (bio_err, "-port num port to run responder on\n"); BIO_printf (bio_err, "-index file certificate status index file\n"); BIO_printf (bio_err, "-CA file CA certificate\n"); BIO_printf (bio_err, "-rsigner file responder certificate to sign responses with\n"); BIO_printf (bio_err, "-rkey file responder key to sign responses with\n"); BIO_printf (bio_err, "-rother file other certificates to include in response\n"); BIO_printf (bio_err, "-resp_no_certs don't include any certificates in response\n"); BIO_printf (bio_err, "-nmin n number of minutes before next update\n"); BIO_printf (bio_err, "-ndays n number of days before next update\n"); BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n"); BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n"); goto end; } if(outfile) out = BIO_new_file(outfile, "w"); else out = BIO_new_fp(stdout, BIO_NOCLOSE); if(!out) { BIO_printf(bio_err, "Error opening output file\n"); goto end; } if (!req && (add_nonce != 2)) add_nonce = 0; if (!req && reqin) { derbio = BIO_new_file(reqin, "rb"); if (!derbio) { BIO_printf(bio_err, "Error Opening OCSP request file\n"); goto end; } req = d2i_OCSP_REQUEST_bio(derbio, NULL); BIO_free(derbio); if(!req) { BIO_printf(bio_err, "Error reading OCSP request\n"); goto end; } } if (!req && port) { acbio = init_responder(port); if (!acbio) goto end; } if (rsignfile && !rdb) { if (!rkeyfile) rkeyfile = rsignfile; rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM, NULL, e, "responder certificate"); if (!rsigner) { BIO_printf(bio_err, "Error loading responder certificate\n"); goto end; } rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM, NULL, e, "CA certificate"); if (rcertfile) { rother = load_certs(bio_err, rcertfile, FORMAT_PEM, NULL, e, "responder other certificates"); if (!rother) goto end; } rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL, "responder private key"); if (!rkey) goto end; } if(acbio) BIO_printf(bio_err, "Waiting for OCSP client connections...\n"); redo_accept: if (acbio) { if (!do_responder(&req, &cbio, acbio, port)) goto end; if (!req) { resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); send_ocsp_response(cbio, resp); goto done_resp; } } if (!req && (signfile || reqout || host || add_nonce || ridx_filename)) { BIO_printf(bio_err, "Need an OCSP request for this operation!\n"); goto end; } if (req && add_nonce) OCSP_request_add1_nonce(req, NULL, -1); if (signfile) { if (!keyfile) keyfile = signfile; signer = load_cert(bio_err, signfile, FORMAT_PEM, NULL, e, "signer certificate"); if (!signer) { BIO_printf(bio_err, "Error loading signer certificate\n"); goto end; } if (sign_certfile) { sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM, NULL, e, "signer certificates"); if (!sign_other) goto end; } key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL, "signer private key"); if (!key) goto end; if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags)) { BIO_printf(bio_err, "Error signing OCSP request\n"); goto end; } } if (req_text && req) OCSP_REQUEST_print(out, req, 0); if (reqout) { derbio = BIO_new_file(reqout, "wb"); if(!derbio) { BIO_printf(bio_err, "Error opening file %s\n", reqout); goto end; } i2d_OCSP_REQUEST_bio(derbio, req); BIO_free(derbio); } if (ridx_filename && (!rkey || !rsigner || !rca_cert)) { BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n"); goto end; } if (ridx_filename && !rdb) { - BIO *db_bio = NULL; - db_bio = BIO_new_file(ridx_filename, "r"); - if (!db_bio) - { - BIO_printf(bio_err, "Error opening index file %s\n", ridx_filename); - goto end; - } - rdb = TXT_DB_read(db_bio, DB_NUMBER); - BIO_free(db_bio); - if (!rdb) - { - BIO_printf(bio_err, "Error reading index file %s\n", ridx_filename); - goto end; - } - if (!make_serial_index(rdb)) - goto end; + rdb = load_index(ridx_filename, NULL); + if (!rdb) goto end; + if (!index_index(rdb)) goto end; } if (rdb) { i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays); if (cbio) send_ocsp_response(cbio, resp); } else if (host) { #ifndef OPENSSL_NO_SOCK cbio = BIO_new_connect(host); #else BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n"); goto end; #endif if (!cbio) { BIO_printf(bio_err, "Error creating connect BIO\n"); goto end; } if (port) BIO_set_conn_port(cbio, port); if (use_ssl == 1) { BIO *sbio; #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) ctx = SSL_CTX_new(SSLv23_client_method()); #elif !defined(OPENSSL_NO_SSL3) ctx = SSL_CTX_new(SSLv3_client_method()); #elif !defined(OPENSSL_NO_SSL2) ctx = SSL_CTX_new(SSLv2_client_method()); #else BIO_printf(bio_err, "SSL is disabled\n"); goto end; #endif SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); sbio = BIO_new_ssl(ctx, 1); cbio = BIO_push(sbio, cbio); } if (BIO_do_connect(cbio) <= 0) { BIO_printf(bio_err, "Error connecting BIO\n"); goto end; } resp = OCSP_sendreq_bio(cbio, path, req); BIO_free_all(cbio); cbio = NULL; if (!resp) { BIO_printf(bio_err, "Error querying OCSP responsder\n"); goto end; } } else if (respin) { derbio = BIO_new_file(respin, "rb"); if (!derbio) { BIO_printf(bio_err, "Error Opening OCSP response file\n"); goto end; } resp = d2i_OCSP_RESPONSE_bio(derbio, NULL); BIO_free(derbio); if(!resp) { BIO_printf(bio_err, "Error reading OCSP response\n"); goto end; } } else { ret = 0; goto end; } done_resp: if (respout) { derbio = BIO_new_file(respout, "wb"); if(!derbio) { BIO_printf(bio_err, "Error opening file %s\n", respout); goto end; } i2d_OCSP_RESPONSE_bio(derbio, resp); BIO_free(derbio); } i = OCSP_response_status(resp); if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) { BIO_printf(out, "Responder Error: %s (%ld)\n", OCSP_response_status_str(i), i); if (ignore_err) goto redo_accept; ret = 0; goto end; } if (resp_text) OCSP_RESPONSE_print(out, resp, 0); /* If running as responder don't verify our own response */ if (cbio) { if (accept_count > 0) accept_count--; /* Redo if more connections needed */ if (accept_count) { BIO_free_all(cbio); cbio = NULL; OCSP_REQUEST_free(req); req = NULL; OCSP_RESPONSE_free(resp); resp = NULL; goto redo_accept; } goto end; } if (!store) store = setup_verify(bio_err, CAfile, CApath); if (!store) goto end; if (verify_certfile) { verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM, NULL, e, "validator certificate"); if (!verify_other) goto end; } bs = OCSP_response_get1_basic(resp); if (!bs) { BIO_printf(bio_err, "Error parsing response\n"); goto end; } if (!noverify) { if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) { if (i == -1) BIO_printf(bio_err, "WARNING: no nonce in response\n"); else { BIO_printf(bio_err, "Nonce Verify error\n"); goto end; } } i = OCSP_basic_verify(bs, verify_other, store, verify_flags); if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0); if(i <= 0) { BIO_printf(bio_err, "Response Verify Failure\n", i); ERR_print_errors(bio_err); } else BIO_printf(bio_err, "Response verify OK\n"); } if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage)) goto end; ret = 0; end: ERR_print_errors(bio_err); X509_free(signer); X509_STORE_free(store); EVP_PKEY_free(key); EVP_PKEY_free(rkey); X509_free(issuer); X509_free(cert); X509_free(rsigner); X509_free(rca_cert); - TXT_DB_free(rdb); + free_index(rdb); BIO_free_all(cbio); BIO_free_all(acbio); BIO_free(out); OCSP_REQUEST_free(req); OCSP_RESPONSE_free(resp); OCSP_BASICRESP_free(bs); sk_free(reqnames); sk_OCSP_CERTID_free(ids); sk_X509_pop_free(sign_other, X509_free); sk_X509_pop_free(verify_other, X509_free); if (use_ssl != -1) { OPENSSL_free(host); OPENSSL_free(port); OPENSSL_free(path); SSL_CTX_free(ctx); } OPENSSL_EXIT(ret); } static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, STACK_OF(OCSP_CERTID) *ids) { OCSP_CERTID *id; if(!issuer) { BIO_printf(bio_err, "No issuer certificate specified\n"); return 0; } if(!*req) *req = OCSP_REQUEST_new(); if(!*req) goto err; id = OCSP_cert_to_id(NULL, cert, issuer); if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err; if(!OCSP_request_add0_id(*req, id)) goto err; return 1; err: BIO_printf(bio_err, "Error Creating OCSP request\n"); return 0; } static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, STACK_OF(OCSP_CERTID) *ids) { OCSP_CERTID *id; X509_NAME *iname; ASN1_BIT_STRING *ikey; ASN1_INTEGER *sno; if(!issuer) { BIO_printf(bio_err, "No issuer certificate specified\n"); return 0; } if(!*req) *req = OCSP_REQUEST_new(); if(!*req) goto err; iname = X509_get_subject_name(issuer); ikey = X509_get0_pubkey_bitstr(issuer); sno = s2i_ASN1_INTEGER(NULL, serial); if(!sno) { BIO_printf(bio_err, "Error converting serial number %s\n", serial); return 0; } id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno); ASN1_INTEGER_free(sno); if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err; if(!OCSP_request_add0_id(*req, id)) goto err; return 1; err: BIO_printf(bio_err, "Error Creating OCSP request\n"); return 0; } static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, STACK *names, STACK_OF(OCSP_CERTID) *ids, long nsec, long maxage) { OCSP_CERTID *id; char *name; int i; int status, reason; ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids)) return 1; for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) { id = sk_OCSP_CERTID_value(ids, i); name = sk_value(names, i); BIO_printf(out, "%s: ", name); if(!OCSP_resp_find_status(bs, id, &status, &reason, &rev, &thisupd, &nextupd)) { BIO_puts(out, "ERROR: No Status found.\n"); continue; } /* Check validity: if invalid write to output BIO so we * know which response this refers to. */ if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) { BIO_puts(out, "WARNING: Status times invalid.\n"); ERR_print_errors(out); } BIO_printf(out, "%s\n", OCSP_cert_status_str(status)); BIO_puts(out, "\tThis Update: "); ASN1_GENERALIZEDTIME_print(out, thisupd); BIO_puts(out, "\n"); if(nextupd) { BIO_puts(out, "\tNext Update: "); ASN1_GENERALIZEDTIME_print(out, nextupd); BIO_puts(out, "\n"); } if (status != V_OCSP_CERTSTATUS_REVOKED) continue; if (reason != -1) BIO_printf(out, "\tReason: %s\n", OCSP_crl_reason_str(reason)); BIO_puts(out, "\tRevocation Time: "); ASN1_GENERALIZEDTIME_print(out, rev); BIO_puts(out, "\n"); } return 1; } -static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db, +static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother, unsigned long flags, int nmin, int ndays) { ASN1_TIME *thisupd = NULL, *nextupd = NULL; OCSP_CERTID *cid, *ca_id = NULL; OCSP_BASICRESP *bs = NULL; int i, id_count, ret = 1; id_count = OCSP_request_onereq_count(req); if (id_count <= 0) { *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); goto end; } ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca); bs = OCSP_BASICRESP_new(); thisupd = X509_gmtime_adj(NULL, 0); if (ndays != -1) nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24 ); /* Examine each certificate id in the request */ for (i = 0; i < id_count; i++) { OCSP_ONEREQ *one; ASN1_INTEGER *serial; char **inf; one = OCSP_request_onereq_get0(req, i); cid = OCSP_onereq_get0_id(one); /* Is this request about our CA? */ if (OCSP_id_issuer_cmp(ca_id, cid)) { OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL, thisupd, nextupd); continue; } OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid); inf = lookup_serial(db, serial); if (!inf) OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL, thisupd, nextupd); else if (inf[DB_type][0] == DB_TYPE_VAL) OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_GOOD, 0, NULL, thisupd, nextupd); else if (inf[DB_type][0] == DB_TYPE_REV) { ASN1_OBJECT *inst = NULL; ASN1_TIME *revtm = NULL; ASN1_GENERALIZEDTIME *invtm = NULL; OCSP_SINGLERESP *single; int reason = -1; unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]); single = OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_REVOKED, reason, revtm, thisupd, nextupd); if (invtm) OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0); else if (inst) OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0); ASN1_OBJECT_free(inst); ASN1_TIME_free(revtm); ASN1_GENERALIZEDTIME_free(invtm); } } OCSP_copy_nonce(bs, req); OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags); *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); end: ASN1_TIME_free(thisupd); ASN1_TIME_free(nextupd); OCSP_CERTID_free(ca_id); OCSP_BASICRESP_free(bs); return ret; } -static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser) +static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser) { int i; BIGNUM *bn = NULL; char *itmp, *row[DB_NUMBER],**rrow; for (i = 0; i < DB_NUMBER; i++) row[i] = NULL; bn = ASN1_INTEGER_to_BN(ser,NULL); if (BN_is_zero(bn)) itmp = BUF_strdup("00"); else itmp = BN_bn2hex(bn); row[DB_serial] = itmp; BN_free(bn); - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); OPENSSL_free(itmp); return rrow; } /* Quick and dirty OCSP server: read in and parse input request */ static BIO *init_responder(char *port) { BIO *acbio = NULL, *bufbio = NULL; bufbio = BIO_new(BIO_f_buffer()); if (!bufbio) goto err; #ifndef OPENSSL_NO_SOCK acbio = BIO_new_accept(port); #else BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n"); #endif if (!acbio) goto err; BIO_set_accept_bios(acbio, bufbio); bufbio = NULL; if (BIO_do_accept(acbio) <= 0) { BIO_printf(bio_err, "Error setting up accept BIO\n"); ERR_print_errors(bio_err); goto err; } return acbio; err: BIO_free_all(acbio); BIO_free(bufbio); return NULL; } static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port) { int have_post = 0, len; OCSP_REQUEST *req = NULL; char inbuf[1024]; BIO *cbio = NULL; if (BIO_do_accept(acbio) <= 0) { BIO_printf(bio_err, "Error accepting connection\n"); ERR_print_errors(bio_err); return 0; } cbio = BIO_pop(acbio); *pcbio = cbio; for(;;) { len = BIO_gets(cbio, inbuf, sizeof inbuf); if (len <= 0) return 1; /* Look for "POST" signalling start of query */ if (!have_post) { if(strncmp(inbuf, "POST", 4)) { BIO_printf(bio_err, "Invalid request\n"); return 1; } have_post = 1; } /* Look for end of headers */ if ((inbuf[0] == '\r') || (inbuf[0] == '\n')) break; } /* Try to read OCSP request */ req = d2i_OCSP_REQUEST_bio(cbio, NULL); if (!req) { BIO_printf(bio_err, "Error parsing OCSP request\n"); ERR_print_errors(bio_err); } *preq = req; return 1; } static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) { char http_resp[] = "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n" "Content-Length: %d\r\n\r\n"; if (!cbio) return 0; BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL)); i2d_OCSP_RESPONSE_bio(cbio, resp); BIO_flush(cbio); return 1; } #endif diff --git a/crypto/openssl/apps/openssl.cnf b/crypto/openssl/apps/openssl.cnf index eca51c332280..854d1f164eb3 100644 --- a/crypto/openssl/apps/openssl.cnf +++ b/crypto/openssl/apps/openssl.cnf @@ -1,255 +1,260 @@ # # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # # This definition stops the following lines choking if HOME isn't # defined. HOME = . RANDFILE = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: # extensions = # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) [ new_oids ] # We can add new OIDs in here for use by 'ca' and 'req'. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = ./demoCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number +#crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options # Extension copying option: use with caution. # copy_extensions = copy # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = md5 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings # so use this option with caution! string_mask = nombstr # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = AU countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Some-State localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Internet Widgits Pty Ltd # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = commonName = Common Name (eg, YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true # So we do this instead. basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. # keyUsage = cRLSign, keyCertSign # Some might want this also # nsCertType = sslCA, emailCA # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy # Copy issuer details # issuerAltName=issuer:copy # DER hex encoding of an extension: beware experts only! # obj=DER:02:03 # Where 'obj' is a standard or added object # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c index 5136acdc5759..71192bdf749c 100644 --- a/crypto/openssl/apps/pkcs12.c +++ b/crypto/openssl/apps/pkcs12.c @@ -1,958 +1,958 @@ /* pkcs12.c */ #if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1) /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 1999. */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include #include "apps.h" #include #include #include #include #define PROG pkcs12_main const EVP_CIPHER *enc; #define NOKEYS 0x1 #define NOCERTS 0x2 #define INFO 0x4 #define CLCERTS 0x8 #define CACERTS 0x10 int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain); int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass); int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, char *pass, int passlen, int options, char *pempass); int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options, char *pempass); int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name); void hex_prin(BIO *out, unsigned char *buf, int len); int alg_print(BIO *x, X509_ALGOR *alg); int cert_load(BIO *in, STACK_OF(X509) *sk); int MAIN(int, char **); int MAIN(int argc, char **argv) { ENGINE *e = NULL; char *infile=NULL, *outfile=NULL, *keyname = NULL; char *certfile=NULL; BIO *in=NULL, *out = NULL; char **args; char *name = NULL; char *csp_name = NULL; PKCS12 *p12 = NULL; char pass[50], macpass[50]; int export_cert = 0; int options = 0; int chain = 0; int badarg = 0; int iter = PKCS12_DEFAULT_ITER; int maciter = PKCS12_DEFAULT_ITER; int twopass = 0; int keytype = 0; int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; int ret = 1; int macver = 1; int noprompt = 0; STACK *canames = NULL; char *cpass = NULL, *mpass = NULL; char *passargin = NULL, *passargout = NULL, *passarg = NULL; char *passin = NULL, *passout = NULL; char *inrand = NULL; char *CApath = NULL, *CAfile = NULL; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif apps_startup(); enc = EVP_des_ede3_cbc(); if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); if (!load_config(bio_err, NULL)) goto end; args = argv + 1; while (*args) { if (*args[0] == '-') { if (!strcmp (*args, "-nokeys")) options |= NOKEYS; else if (!strcmp (*args, "-keyex")) keytype = KEY_EX; else if (!strcmp (*args, "-keysig")) keytype = KEY_SIG; else if (!strcmp (*args, "-nocerts")) options |= NOCERTS; else if (!strcmp (*args, "-clcerts")) options |= CLCERTS; else if (!strcmp (*args, "-cacerts")) options |= CACERTS; else if (!strcmp (*args, "-noout")) options |= (NOKEYS|NOCERTS); else if (!strcmp (*args, "-info")) options |= INFO; else if (!strcmp (*args, "-chain")) chain = 1; else if (!strcmp (*args, "-twopass")) twopass = 1; else if (!strcmp (*args, "-nomacver")) macver = 0; else if (!strcmp (*args, "-descert")) cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; else if (!strcmp (*args, "-export")) export_cert = 1; else if (!strcmp (*args, "-des")) enc=EVP_des_cbc(); #ifndef OPENSSL_NO_IDEA else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc(); #endif else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc(); #ifndef OPENSSL_NO_AES else if (!strcmp(*args,"-aes128")) enc=EVP_aes_128_cbc(); else if (!strcmp(*args,"-aes192")) enc=EVP_aes_192_cbc(); else if (!strcmp(*args,"-aes256")) enc=EVP_aes_256_cbc(); #endif else if (!strcmp (*args, "-noiter")) iter = 1; else if (!strcmp (*args, "-maciter")) maciter = PKCS12_DEFAULT_ITER; else if (!strcmp (*args, "-nomaciter")) maciter = 1; else if (!strcmp (*args, "-nodes")) enc=NULL; else if (!strcmp (*args, "-certpbe")) { if (args[1]) { args++; cert_pbe=OBJ_txt2nid(*args); if(cert_pbe == NID_undef) { BIO_printf(bio_err, "Unknown PBE algorithm %s\n", *args); badarg = 1; } } else badarg = 1; } else if (!strcmp (*args, "-keypbe")) { if (args[1]) { args++; key_pbe=OBJ_txt2nid(*args); if(key_pbe == NID_undef) { BIO_printf(bio_err, "Unknown PBE algorithm %s\n", *args); badarg = 1; } } else badarg = 1; } else if (!strcmp (*args, "-rand")) { if (args[1]) { args++; inrand = *args; } else badarg = 1; } else if (!strcmp (*args, "-inkey")) { if (args[1]) { args++; keyname = *args; } else badarg = 1; } else if (!strcmp (*args, "-certfile")) { if (args[1]) { args++; certfile = *args; } else badarg = 1; } else if (!strcmp (*args, "-name")) { if (args[1]) { args++; name = *args; } else badarg = 1; } else if (!strcmp (*args, "-CSP")) { if (args[1]) { args++; csp_name = *args; } else badarg = 1; } else if (!strcmp (*args, "-caname")) { if (args[1]) { args++; if (!canames) canames = sk_new_null(); sk_push(canames, *args); } else badarg = 1; } else if (!strcmp (*args, "-in")) { if (args[1]) { args++; infile = *args; } else badarg = 1; } else if (!strcmp (*args, "-out")) { if (args[1]) { args++; outfile = *args; } else badarg = 1; } else if (!strcmp(*args,"-passin")) { if (args[1]) { args++; passargin = *args; } else badarg = 1; } else if (!strcmp(*args,"-passout")) { if (args[1]) { args++; passargout = *args; } else badarg = 1; } else if (!strcmp (*args, "-password")) { if (args[1]) { args++; passarg = *args; noprompt = 1; } else badarg = 1; } else if (!strcmp(*args,"-CApath")) { if (args[1]) { args++; CApath = *args; } else badarg = 1; } else if (!strcmp(*args,"-CAfile")) { if (args[1]) { args++; CAfile = *args; } else badarg = 1; #ifndef OPENSSL_NO_ENGINE } else if (!strcmp(*args,"-engine")) { if (args[1]) { args++; engine = *args; } else badarg = 1; #endif } else badarg = 1; } else badarg = 1; args++; } if (badarg) { BIO_printf (bio_err, "Usage: pkcs12 [options]\n"); BIO_printf (bio_err, "where options are\n"); BIO_printf (bio_err, "-export output PKCS12 file\n"); BIO_printf (bio_err, "-chain add certificate chain\n"); BIO_printf (bio_err, "-inkey file private key if not infile\n"); BIO_printf (bio_err, "-certfile f add all certs in f\n"); BIO_printf (bio_err, "-CApath arg - PEM format directory of CA's\n"); BIO_printf (bio_err, "-CAfile arg - PEM format file of CA's\n"); BIO_printf (bio_err, "-name \"name\" use name as friendly name\n"); BIO_printf (bio_err, "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n"); BIO_printf (bio_err, "-in infile input filename\n"); BIO_printf (bio_err, "-out outfile output filename\n"); BIO_printf (bio_err, "-noout don't output anything, just verify.\n"); BIO_printf (bio_err, "-nomacver don't verify MAC.\n"); BIO_printf (bio_err, "-nocerts don't output certificates.\n"); BIO_printf (bio_err, "-clcerts only output client certificates.\n"); BIO_printf (bio_err, "-cacerts only output CA certificates.\n"); BIO_printf (bio_err, "-nokeys don't output private keys.\n"); BIO_printf (bio_err, "-info give info about PKCS#12 structure.\n"); BIO_printf (bio_err, "-des encrypt private keys with DES\n"); BIO_printf (bio_err, "-des3 encrypt private keys with triple DES (default)\n"); #ifndef OPENSSL_NO_IDEA BIO_printf (bio_err, "-idea encrypt private keys with idea\n"); #endif #ifndef OPENSSL_NO_AES BIO_printf (bio_err, "-aes128, -aes192, -aes256\n"); BIO_printf (bio_err, " encrypt PEM output with cbc aes\n"); #endif BIO_printf (bio_err, "-nodes don't encrypt private keys\n"); BIO_printf (bio_err, "-noiter don't use encryption iteration\n"); BIO_printf (bio_err, "-maciter use MAC iteration\n"); BIO_printf (bio_err, "-twopass separate MAC, encryption passwords\n"); BIO_printf (bio_err, "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n"); BIO_printf (bio_err, "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n"); BIO_printf (bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n"); BIO_printf (bio_err, "-keyex set MS key exchange type\n"); BIO_printf (bio_err, "-keysig set MS key signature type\n"); BIO_printf (bio_err, "-password p set import/export password source\n"); BIO_printf (bio_err, "-passin p input file pass phrase source\n"); BIO_printf (bio_err, "-passout p output file pass phrase source\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n"); #endif BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err, " load the file (or the files in the directory) into\n"); BIO_printf(bio_err, " the random number generator\n"); goto end; } #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif if(passarg) { if(export_cert) passargout = passarg; else passargin = passarg; } if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } if(!cpass) { if(export_cert) cpass = passout; else cpass = passin; } if(cpass) { mpass = cpass; noprompt = 1; } else { cpass = pass; mpass = macpass; } if(export_cert || inrand) { app_RAND_load_file(NULL, bio_err, (inrand != NULL)); if (inrand != NULL) BIO_printf(bio_err,"%ld semi-random bytes loaded\n", app_RAND_load_files(inrand)); } ERR_load_crypto_strings(); #ifdef CRYPTO_MDEBUG CRYPTO_push_info("read files"); #endif if (!infile) in = BIO_new_fp(stdin, BIO_NOCLOSE); else in = BIO_new_file(infile, "rb"); if (!in) { BIO_printf(bio_err, "Error opening input file %s\n", infile ? infile : ""); perror (infile); goto end; } #if 0 if (certfile) { if(!(certsin = BIO_new_file(certfile, "r"))) { BIO_printf(bio_err, "Can't open certificate file %s\n", certfile); perror (certfile); goto end; } } if (keyname) { if(!(inkey = BIO_new_file(keyname, "r"))) { BIO_printf(bio_err, "Can't key certificate file %s\n", keyname); perror (keyname); goto end; } } #endif #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("write files"); #endif if (!outfile) { out = BIO_new_fp(stdout, BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } else out = BIO_new_file(outfile, "wb"); if (!out) { BIO_printf(bio_err, "Error opening output file %s\n", outfile ? outfile : ""); perror (outfile); goto end; } if (twopass) { #ifdef CRYPTO_MDEBUG CRYPTO_push_info("read MAC password"); #endif if(EVP_read_pw_string (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) { BIO_printf (bio_err, "Can't read Password\n"); goto end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif } if (export_cert) { EVP_PKEY *key = NULL; STACK_OF(PKCS12_SAFEBAG) *bags = NULL; STACK_OF(PKCS7) *safes = NULL; PKCS12_SAFEBAG *bag = NULL; PKCS8_PRIV_KEY_INFO *p8 = NULL; PKCS7 *authsafe = NULL; X509 *ucert = NULL; STACK_OF(X509) *certs=NULL; char *catmp = NULL; int i; unsigned char keyid[EVP_MAX_MD_SIZE]; unsigned int keyidlen = 0; #ifdef CRYPTO_MDEBUG CRYPTO_push_info("process -export_cert"); CRYPTO_push_info("reading private key"); #endif key = load_key(bio_err, keyname ? keyname : infile, FORMAT_PEM, 1, passin, e, "private key"); if (!key) { goto export_end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("reading certs from input"); #endif /* Load in all certs in input file */ if(!(certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e, "certificates"))) { goto export_end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("reading certs from input 2"); #endif for(i = 0; i < sk_X509_num(certs); i++) { ucert = sk_X509_value(certs, i); if(X509_check_private_key(ucert, key)) { X509_digest(ucert, EVP_sha1(), keyid, &keyidlen); break; } } if(!keyidlen) { ucert = NULL; BIO_printf(bio_err, "No certificate matches private key\n"); goto export_end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("reading certs from certfile"); #endif bags = sk_PKCS12_SAFEBAG_new_null (); /* Add any more certificates asked for */ if (certfile) { STACK_OF(X509) *morecerts=NULL; if(!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM, NULL, e, "certificates from certfile"))) { goto export_end; } while(sk_X509_num(morecerts) > 0) { sk_X509_push(certs, sk_X509_shift(morecerts)); } sk_X509_free(morecerts); } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("building chain"); #endif /* If chaining get chain from user cert */ if (chain) { int vret; STACK_OF(X509) *chain2; X509_STORE *store = X509_STORE_new(); if (!store) { BIO_printf (bio_err, "Memory allocation error\n"); goto export_end; } if (!X509_STORE_load_locations(store, CAfile, CApath)) X509_STORE_set_default_paths (store); vret = get_cert_chain (ucert, store, &chain2); X509_STORE_free(store); if (!vret) { /* Exclude verified certificate */ for (i = 1; i < sk_X509_num (chain2) ; i++) sk_X509_push(certs, sk_X509_value (chain2, i)); /* Free first certificate */ X509_free(sk_X509_value(chain2, 0)); sk_X509_free(chain2); } else { BIO_printf (bio_err, "Error %s getting chain.\n", X509_verify_cert_error_string(vret)); goto export_end; } } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("building bags"); #endif /* We now have loads of certificates: include them all */ for(i = 0; i < sk_X509_num(certs); i++) { X509 *cert = NULL; cert = sk_X509_value(certs, i); bag = PKCS12_x5092certbag(cert); /* If it matches private key set id */ if(cert == ucert) { if(name) PKCS12_add_friendlyname(bag, name, -1); PKCS12_add_localkeyid(bag, keyid, keyidlen); } else if((catmp = sk_shift(canames))) PKCS12_add_friendlyname(bag, catmp, -1); sk_PKCS12_SAFEBAG_push(bags, bag); } sk_X509_pop_free(certs, X509_free); certs = NULL; #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("encrypting bags"); #endif if(!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1)) { BIO_printf (bio_err, "Can't read Password\n"); goto export_end; } - if (!twopass) strcpy(macpass, pass); + if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass); /* Turn certbags into encrypted authsafe */ authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0, iter, bags); sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); bags = NULL; if (!authsafe) { ERR_print_errors (bio_err); goto export_end; } safes = sk_PKCS7_new_null (); sk_PKCS7_push (safes, authsafe); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("building shrouded key bag"); #endif /* Make a shrouded key bag */ p8 = EVP_PKEY2PKCS8 (key); if(keytype) PKCS8_add_keyusage(p8, keytype); bag = PKCS12_MAKE_SHKEYBAG(key_pbe, cpass, -1, NULL, 0, iter, p8); PKCS8_PRIV_KEY_INFO_free(p8); p8 = NULL; if (name) PKCS12_add_friendlyname (bag, name, -1); if(csp_name) PKCS12_add_CSPName_asc(bag, csp_name, -1); PKCS12_add_localkeyid (bag, keyid, keyidlen); bags = sk_PKCS12_SAFEBAG_new_null(); sk_PKCS12_SAFEBAG_push (bags, bag); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("encrypting shrouded key bag"); #endif /* Turn it into unencrypted safe bag */ authsafe = PKCS12_pack_p7data (bags); sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); bags = NULL; sk_PKCS7_push (safes, authsafe); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("building pkcs12"); #endif p12 = PKCS12_init(NID_pkcs7_data); PKCS12_pack_authsafes(p12, safes); sk_PKCS7_pop_free(safes, PKCS7_free); safes = NULL; PKCS12_set_mac (p12, mpass, -1, NULL, 0, maciter, NULL); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("writing pkcs12"); #endif i2d_PKCS12_bio (out, p12); ret = 0; export_end: #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_pop_info(); CRYPTO_push_info("process -export_cert: freeing"); #endif if (key) EVP_PKEY_free(key); if (certs) sk_X509_pop_free(certs, X509_free); if (safes) sk_PKCS7_pop_free(safes, PKCS7_free); if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif goto end; } if (!(p12 = d2i_PKCS12_bio (in, NULL))) { ERR_print_errors(bio_err); goto end; } #ifdef CRYPTO_MDEBUG CRYPTO_push_info("read import password"); #endif if(!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", 0)) { BIO_printf (bio_err, "Can't read Password\n"); goto end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif - if (!twopass) strcpy(macpass, pass); + if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass); if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1); if(macver) { #ifdef CRYPTO_MDEBUG CRYPTO_push_info("verify MAC"); #endif /* If we enter empty password try no password first */ if(!macpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { /* If mac and crypto pass the same set it to NULL too */ if(!twopass) cpass = NULL; } else if (!PKCS12_verify_mac(p12, mpass, -1)) { BIO_printf (bio_err, "Mac verify error: invalid password?\n"); ERR_print_errors (bio_err); goto end; } BIO_printf (bio_err, "MAC verified OK\n"); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif } #ifdef CRYPTO_MDEBUG CRYPTO_push_info("output keys and certificates"); #endif if (!dump_certs_keys_p12 (out, p12, cpass, -1, options, passout)) { BIO_printf(bio_err, "Error outputting keys and certificates\n"); ERR_print_errors (bio_err); goto end; } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif ret = 0; end: if (p12) PKCS12_free(p12); if(export_cert || inrand) app_RAND_write_file(NULL, bio_err); #ifdef CRYPTO_MDEBUG CRYPTO_remove_all_info(); #endif BIO_free(in); BIO_free_all(out); if (canames) sk_free(canames); if(passin) OPENSSL_free(passin); if(passout) OPENSSL_free(passout); apps_shutdown(); OPENSSL_EXIT(ret); } int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass) { STACK_OF(PKCS7) *asafes; STACK_OF(PKCS12_SAFEBAG) *bags; int i, bagnid; PKCS7 *p7; if (!( asafes = PKCS12_unpack_authsafes(p12))) return 0; for (i = 0; i < sk_PKCS7_num (asafes); i++) { p7 = sk_PKCS7_value (asafes, i); bagnid = OBJ_obj2nid (p7->type); if (bagnid == NID_pkcs7_data) { bags = PKCS12_unpack_p7data(p7); if (options & INFO) BIO_printf (bio_err, "PKCS7 Data\n"); } else if (bagnid == NID_pkcs7_encrypted) { if (options & INFO) { BIO_printf(bio_err, "PKCS7 Encrypted data: "); alg_print(bio_err, p7->d.encrypted->enc_data->algorithm); } bags = PKCS12_unpack_p7encdata(p7, pass, passlen); } else continue; if (!bags) return 0; if (!dump_certs_pkeys_bags (out, bags, pass, passlen, options, pempass)) { sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free); return 0; } sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free); } sk_PKCS7_pop_free (asafes, PKCS7_free); return 1; } int dump_certs_pkeys_bags (BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, char *pass, int passlen, int options, char *pempass) { int i; for (i = 0; i < sk_PKCS12_SAFEBAG_num (bags); i++) { if (!dump_certs_pkeys_bag (out, sk_PKCS12_SAFEBAG_value (bags, i), pass, passlen, options, pempass)) return 0; } return 1; } int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass, int passlen, int options, char *pempass) { EVP_PKEY *pkey; PKCS8_PRIV_KEY_INFO *p8; X509 *x509; switch (M_PKCS12_bag_type(bag)) { case NID_keyBag: if (options & INFO) BIO_printf (bio_err, "Key bag\n"); if (options & NOKEYS) return 1; print_attribs (out, bag->attrib, "Bag Attributes"); p8 = bag->value.keybag; if (!(pkey = EVP_PKCS82PKEY (p8))) return 0; print_attribs (out, p8->attributes, "Key Attributes"); PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass); EVP_PKEY_free(pkey); break; case NID_pkcs8ShroudedKeyBag: if (options & INFO) { BIO_printf (bio_err, "Shrouded Keybag: "); alg_print (bio_err, bag->value.shkeybag->algor); } if (options & NOKEYS) return 1; print_attribs (out, bag->attrib, "Bag Attributes"); if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen))) return 0; if (!(pkey = EVP_PKCS82PKEY (p8))) { PKCS8_PRIV_KEY_INFO_free(p8); return 0; } print_attribs (out, p8->attributes, "Key Attributes"); PKCS8_PRIV_KEY_INFO_free(p8); PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass); EVP_PKEY_free(pkey); break; case NID_certBag: if (options & INFO) BIO_printf (bio_err, "Certificate bag\n"); if (options & NOCERTS) return 1; if (PKCS12_get_attr(bag, NID_localKeyID)) { if (options & CACERTS) return 1; } else if (options & CLCERTS) return 1; print_attribs (out, bag->attrib, "Bag Attributes"); if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate ) return 1; if (!(x509 = PKCS12_certbag2x509(bag))) return 0; dump_cert_text (out, x509); PEM_write_bio_X509 (out, x509); X509_free(x509); break; case NID_safeContentsBag: if (options & INFO) BIO_printf (bio_err, "Safe Contents bag\n"); print_attribs (out, bag->attrib, "Bag Attributes"); return dump_certs_pkeys_bags (out, bag->value.safes, pass, passlen, options, pempass); default: BIO_printf (bio_err, "Warning unsupported bag type: "); i2a_ASN1_OBJECT (bio_err, bag->type); BIO_printf (bio_err, "\n"); return 1; break; } return 1; } /* Given a single certificate return a verified chain or NULL if error */ /* Hope this is OK .... */ int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) { X509_STORE_CTX store_ctx; STACK_OF(X509) *chn; int i; /* FIXME: Should really check the return status of X509_STORE_CTX_init * for an error, but how that fits into the return value of this * function is less obvious. */ X509_STORE_CTX_init(&store_ctx, store, cert, NULL); if (X509_verify_cert(&store_ctx) <= 0) { i = X509_STORE_CTX_get_error (&store_ctx); goto err; } chn = X509_STORE_CTX_get1_chain(&store_ctx); i = 0; *chain = chn; err: X509_STORE_CTX_cleanup(&store_ctx); return i; } int alg_print (BIO *x, X509_ALGOR *alg) { PBEPARAM *pbe; unsigned char *p; p = alg->parameter->value.sequence->data; pbe = d2i_PBEPARAM (NULL, &p, alg->parameter->value.sequence->length); BIO_printf (bio_err, "%s, Iteration %d\n", OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)), ASN1_INTEGER_get(pbe->iter)); PBEPARAM_free (pbe); return 0; } /* Load all certificates from a given file */ int cert_load(BIO *in, STACK_OF(X509) *sk) { int ret; X509 *cert; ret = 0; #ifdef CRYPTO_MDEBUG CRYPTO_push_info("cert_load(): reading one cert"); #endif while((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) { #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif ret = 1; sk_X509_push(sk, cert); #ifdef CRYPTO_MDEBUG CRYPTO_push_info("cert_load(): reading one cert"); #endif } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); #endif if(ret) ERR_clear_error(); return ret; } /* Generalised attribute print: handle PKCS#8 and bag attributes */ int print_attribs (BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name) { X509_ATTRIBUTE *attr; ASN1_TYPE *av; char *value; int i, attr_nid; if(!attrlst) { BIO_printf(out, "%s: \n", name); return 1; } if(!sk_X509_ATTRIBUTE_num(attrlst)) { BIO_printf(out, "%s: \n", name); return 1; } BIO_printf(out, "%s\n", name); for(i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) { attr = sk_X509_ATTRIBUTE_value(attrlst, i); attr_nid = OBJ_obj2nid(attr->object); BIO_printf(out, " "); if(attr_nid == NID_undef) { i2a_ASN1_OBJECT (out, attr->object); BIO_printf(out, ": "); } else BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid)); if(sk_ASN1_TYPE_num(attr->value.set)) { av = sk_ASN1_TYPE_value(attr->value.set, 0); switch(av->type) { case V_ASN1_BMPSTRING: value = uni2asc(av->value.bmpstring->data, av->value.bmpstring->length); BIO_printf(out, "%s\n", value); OPENSSL_free(value); break; case V_ASN1_OCTET_STRING: hex_prin(out, av->value.octet_string->data, av->value.octet_string->length); BIO_printf(out, "\n"); break; case V_ASN1_BIT_STRING: hex_prin(out, av->value.bit_string->data, av->value.bit_string->length); BIO_printf(out, "\n"); break; default: BIO_printf(out, "\n", av->type); break; } } else BIO_printf(out, "\n"); } return 1; } void hex_prin(BIO *out, unsigned char *buf, int len) { int i; for (i = 0; i < len; i++) BIO_printf (out, "%02X ", buf[i]); } #endif diff --git a/crypto/openssl/apps/pkcs7.c b/crypto/openssl/apps/pkcs7.c index 6c58c67eb279..da4dbe7a07c0 100644 --- a/crypto/openssl/apps/pkcs7.c +++ b/crypto/openssl/apps/pkcs7.c @@ -1,315 +1,318 @@ /* apps/pkcs7.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include #include "apps.h" #include #include #include #include #include #include #undef PROG #define PROG pkcs7_main /* -inform arg - input format - default PEM (DER or PEM) * -outform arg - output format - default PEM * -in arg - input file - default stdin * -out arg - output file - default stdout * -print_certs */ int MAIN(int, char **); int MAIN(int argc, char **argv) { #ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; #endif PKCS7 *p7=NULL; int i,badops=0; BIO *in=NULL,*out=NULL; int informat,outformat; char *infile,*outfile,*prog; int print_certs=0,text=0,noout=0; int ret=1; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif apps_startup(); if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); + if (!load_config(bio_err, NULL)) + goto end; + infile=NULL; outfile=NULL; informat=FORMAT_PEM; outformat=FORMAT_PEM; prog=argv[0]; argc--; argv++; while (argc >= 1) { if (strcmp(*argv,"-inform") == 0) { if (--argc < 1) goto bad; informat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-outform") == 0) { if (--argc < 1) goto bad; outformat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-in") == 0) { if (--argc < 1) goto bad; infile= *(++argv); } else if (strcmp(*argv,"-out") == 0) { if (--argc < 1) goto bad; outfile= *(++argv); } else if (strcmp(*argv,"-noout") == 0) noout=1; else if (strcmp(*argv,"-text") == 0) text=1; else if (strcmp(*argv,"-print_certs") == 0) print_certs=1; #ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } #endif else { BIO_printf(bio_err,"unknown option %s\n",*argv); badops=1; break; } argc--; argv++; } if (badops) { bad: BIO_printf(bio_err,"%s [options] outfile\n",prog); BIO_printf(bio_err,"where options are\n"); BIO_printf(bio_err," -inform arg input format - DER or PEM\n"); BIO_printf(bio_err," -outform arg output format - DER or PEM\n"); BIO_printf(bio_err," -in arg input file\n"); BIO_printf(bio_err," -out arg output file\n"); BIO_printf(bio_err," -print_certs print any certs or crl in the input\n"); BIO_printf(bio_err," -text print full details of certificates\n"); BIO_printf(bio_err," -noout don't output encoded data\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); #endif ret = 1; goto end; } ERR_load_crypto_strings(); #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); if ((in == NULL) || (out == NULL)) { ERR_print_errors(bio_err); goto end; } if (infile == NULL) BIO_set_fp(in,stdin,BIO_NOCLOSE); else { if (BIO_read_filename(in,infile) <= 0) if (in == NULL) { perror(infile); goto end; } } if (informat == FORMAT_ASN1) p7=d2i_PKCS7_bio(in,NULL); else if (informat == FORMAT_PEM) p7=PEM_read_bio_PKCS7(in,NULL,NULL,NULL); else { BIO_printf(bio_err,"bad input format specified for pkcs7 object\n"); goto end; } if (p7 == NULL) { BIO_printf(bio_err,"unable to load PKCS7 object\n"); ERR_print_errors(bio_err); goto end; } if (outfile == NULL) { BIO_set_fp(out,stdout,BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } else { if (BIO_write_filename(out,outfile) <= 0) { perror(outfile); goto end; } } if (print_certs) { STACK_OF(X509) *certs=NULL; STACK_OF(X509_CRL) *crls=NULL; i=OBJ_obj2nid(p7->type); switch (i) { case NID_pkcs7_signed: certs=p7->d.sign->cert; crls=p7->d.sign->crl; break; case NID_pkcs7_signedAndEnveloped: certs=p7->d.signed_and_enveloped->cert; crls=p7->d.signed_and_enveloped->crl; break; default: break; } if (certs != NULL) { X509 *x; for (i=0; i #include #include #include #ifdef OPENSSL_NO_STDIO #define APPS_WIN16 #endif #include "apps.h" #include #include #include #include #include #include #include #include #include #include "../crypto/cryptlib.h" #define SECTION "req" #define BITS "default_bits" #define KEYFILE "default_keyfile" #define PROMPT "prompt" #define DISTINGUISHED_NAME "distinguished_name" #define ATTRIBUTES "attributes" #define V3_EXTENSIONS "x509_extensions" #define REQ_EXTENSIONS "req_extensions" #define STRING_MASK "string_mask" #define UTF8_IN "utf8" #define DEFAULT_KEY_LENGTH 512 #define MIN_KEY_LENGTH 384 #undef PROG #define PROG req_main /* -inform arg - input format - default PEM (DER or PEM) * -outform arg - output format - default PEM * -in arg - input file - default stdin * -out arg - output file - default stdout * -verify - check request signature * -noout - don't print stuff out. * -text - print out human readable text. * -nodes - no des encryption * -config file - Load configuration file. * -key file - make a request using key in file (or use it for verification). * -keyform arg - key file format. * -rand file(s) - load the file(s) into the PRNG. * -newkey - make a key and a request. * -modulus - print RSA modulus. * -pubkey - output Public Key. * -x509 - output a self signed X509 structure instead. * -asn1-kludge - output new certificate request in a format that some CA's * require. This format is wrong */ static int make_REQ(X509_REQ *req,EVP_PKEY *pkey,char *dn,int attribs, unsigned long chtype); static int build_subject(X509_REQ *req, char *subj, unsigned long chtype); static int prompt_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect, STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs, unsigned long chtype); static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk, STACK_OF(CONF_VALUE) *attr, int attribs, unsigned long chtype); static int add_attribute_object(X509_REQ *req, char *text, char *def, char *value, int nid, int n_min, int n_max, unsigned long chtype); static int add_DN_object(X509_NAME *n, char *text, char *def, char *value, int nid,int n_min,int n_max, unsigned long chtype); #ifndef OPENSSL_NO_RSA static void MS_CALLBACK req_cb(int p,int n,void *arg); #endif static int req_check_len(int len,int n_min,int n_max); static int check_end(char *str, char *end); #ifndef MONOLITH static char *default_config_file=NULL; #endif static CONF *req_conf=NULL; static int batch=0; #define TYPE_RSA 1 #define TYPE_DSA 2 #define TYPE_DH 3 int MAIN(int, char **); int MAIN(int argc, char **argv) { ENGINE *e = NULL; #ifndef OPENSSL_NO_DSA DSA *dsa_params=NULL; #endif unsigned long nmflag = 0, reqflag = 0; int ex=1,x509=0,days=30; X509 *x509ss=NULL; X509_REQ *req=NULL; EVP_PKEY *pkey=NULL; int i=0,badops=0,newreq=0,verbose=0,pkey_type=TYPE_RSA; long newkey = -1; BIO *in=NULL,*out=NULL; int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM; int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0; char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif char *extensions = NULL; char *req_exts = NULL; const EVP_CIPHER *cipher=NULL; ASN1_INTEGER *serial = NULL; int modulus=0; char *inrand=NULL; char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; char *p; char *subj = NULL; const EVP_MD *md_alg=NULL,*digest=EVP_md5(); unsigned long chtype = MBSTRING_ASC; #ifndef MONOLITH char *to_free; long errline; #endif req_conf = NULL; #ifndef OPENSSL_NO_DES cipher=EVP_des_ede3_cbc(); #endif apps_startup(); if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); infile=NULL; outfile=NULL; informat=FORMAT_PEM; outformat=FORMAT_PEM; prog=argv[0]; argc--; argv++; while (argc >= 1) { if (strcmp(*argv,"-inform") == 0) { if (--argc < 1) goto bad; informat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-outform") == 0) { if (--argc < 1) goto bad; outformat=str2fmt(*(++argv)); } #ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } #endif else if (strcmp(*argv,"-key") == 0) { if (--argc < 1) goto bad; keyfile= *(++argv); } else if (strcmp(*argv,"-pubkey") == 0) { pubkey=1; } else if (strcmp(*argv,"-new") == 0) { newreq=1; } else if (strcmp(*argv,"-config") == 0) { if (--argc < 1) goto bad; template= *(++argv); } else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) goto bad; keyform=str2fmt(*(++argv)); } else if (strcmp(*argv,"-in") == 0) { if (--argc < 1) goto bad; infile= *(++argv); } else if (strcmp(*argv,"-out") == 0) { if (--argc < 1) goto bad; outfile= *(++argv); } else if (strcmp(*argv,"-keyout") == 0) { if (--argc < 1) goto bad; keyout= *(++argv); } else if (strcmp(*argv,"-passin") == 0) { if (--argc < 1) goto bad; passargin= *(++argv); } else if (strcmp(*argv,"-passout") == 0) { if (--argc < 1) goto bad; passargout= *(++argv); } else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) goto bad; inrand= *(++argv); } else if (strcmp(*argv,"-newkey") == 0) { int is_numeric; if (--argc < 1) goto bad; p= *(++argv); is_numeric = p[0] >= '0' && p[0] <= '9'; if (strncmp("rsa:",p,4) == 0 || is_numeric) { pkey_type=TYPE_RSA; if(!is_numeric) p+=4; newkey= atoi(p); } else #ifndef OPENSSL_NO_DSA if (strncmp("dsa:",p,4) == 0) { X509 *xtmp=NULL; EVP_PKEY *dtmp; pkey_type=TYPE_DSA; p+=4; if ((in=BIO_new_file(p,"r")) == NULL) { perror(p); goto end; } if ((dsa_params=PEM_read_bio_DSAparams(in,NULL,NULL,NULL)) == NULL) { ERR_clear_error(); (void)BIO_reset(in); if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) { BIO_printf(bio_err,"unable to load DSA parameters from file\n"); goto end; } if ((dtmp=X509_get_pubkey(xtmp)) == NULL) goto end; if (dtmp->type == EVP_PKEY_DSA) dsa_params=DSAparams_dup(dtmp->pkey.dsa); EVP_PKEY_free(dtmp); X509_free(xtmp); if (dsa_params == NULL) { BIO_printf(bio_err,"Certificate does not contain DSA parameters\n"); goto end; } } BIO_free(in); newkey=BN_num_bits(dsa_params->p); in=NULL; } else #endif #ifndef OPENSSL_NO_DH if (strncmp("dh:",p,4) == 0) { pkey_type=TYPE_DH; p+=3; } else #endif pkey_type=TYPE_RSA; newreq=1; } else if (strcmp(*argv,"-batch") == 0) batch=1; else if (strcmp(*argv,"-newhdr") == 0) newhdr=1; else if (strcmp(*argv,"-modulus") == 0) modulus=1; else if (strcmp(*argv,"-verify") == 0) verify=1; else if (strcmp(*argv,"-nodes") == 0) nodes=1; else if (strcmp(*argv,"-noout") == 0) noout=1; else if (strcmp(*argv,"-verbose") == 0) verbose=1; else if (strcmp(*argv,"-utf8") == 0) chtype = MBSTRING_UTF8; else if (strcmp(*argv,"-nameopt") == 0) { if (--argc < 1) goto bad; if (!set_name_ex(&nmflag, *(++argv))) goto bad; } else if (strcmp(*argv,"-reqopt") == 0) { if (--argc < 1) goto bad; if (!set_cert_ex(&reqflag, *(++argv))) goto bad; } else if (strcmp(*argv,"-subject") == 0) subject=1; else if (strcmp(*argv,"-text") == 0) text=1; else if (strcmp(*argv,"-x509") == 0) x509=1; else if (strcmp(*argv,"-asn1-kludge") == 0) kludge=1; else if (strcmp(*argv,"-no-asn1-kludge") == 0) kludge=0; else if (strcmp(*argv,"-subj") == 0) { if (--argc < 1) goto bad; subj= *(++argv); } else if (strcmp(*argv,"-days") == 0) { if (--argc < 1) goto bad; days= atoi(*(++argv)); if (days == 0) days=30; } else if (strcmp(*argv,"-set_serial") == 0) { if (--argc < 1) goto bad; serial = s2i_ASN1_INTEGER(NULL, *(++argv)); if (!serial) goto bad; } else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL) { /* ok */ digest=md_alg; } else if (strcmp(*argv,"-extensions") == 0) { if (--argc < 1) goto bad; extensions = *(++argv); } else if (strcmp(*argv,"-reqexts") == 0) { if (--argc < 1) goto bad; req_exts = *(++argv); } else { BIO_printf(bio_err,"unknown option %s\n",*argv); badops=1; break; } argc--; argv++; } if (badops) { bad: BIO_printf(bio_err,"%s [options] outfile\n",prog); BIO_printf(bio_err,"where options are\n"); BIO_printf(bio_err," -inform arg input format - DER or PEM\n"); BIO_printf(bio_err," -outform arg output format - DER or PEM\n"); BIO_printf(bio_err," -in arg input file\n"); BIO_printf(bio_err," -out arg output file\n"); BIO_printf(bio_err," -text text form of request\n"); BIO_printf(bio_err," -pubkey output public key\n"); BIO_printf(bio_err," -noout do not output REQ\n"); BIO_printf(bio_err," -verify verify signature on REQ\n"); BIO_printf(bio_err," -modulus RSA modulus\n"); BIO_printf(bio_err," -nodes don't encrypt the output key\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device\n"); #endif BIO_printf(bio_err," -subject output the request's subject\n"); BIO_printf(bio_err," -passin private key password source\n"); BIO_printf(bio_err," -key file use the private key contained in file\n"); BIO_printf(bio_err," -keyform arg key file format\n"); BIO_printf(bio_err," -keyout arg file to send the key to\n"); BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err," load the file (or the files in the directory) into\n"); BIO_printf(bio_err," the random number generator\n"); BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n"); BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n"); BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n"); BIO_printf(bio_err," -config file request template file.\n"); BIO_printf(bio_err," -subj arg set or modify request subject\n"); BIO_printf(bio_err," -new new request.\n"); BIO_printf(bio_err," -batch do not ask anything during request generation\n"); BIO_printf(bio_err," -x509 output a x509 structure instead of a cert. req.\n"); BIO_printf(bio_err," -days number of days a certificate generated by -x509 is valid for.\n"); BIO_printf(bio_err," -set_serial serial number to use for a certificate generated by -x509.\n"); BIO_printf(bio_err," -newhdr output \"NEW\" in the header lines\n"); BIO_printf(bio_err," -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n"); BIO_printf(bio_err," have been reported as requiring\n"); BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n"); BIO_printf(bio_err," -reqexts .. specify request extension section (override value in config file)\n"); BIO_printf(bio_err," -utf8 input characters are UTF8 (default ASCII)\n"); BIO_printf(bio_err," -nameopt arg - various certificate name options\n"); BIO_printf(bio_err," -reqopt arg - various request text options\n\n"); goto end; } ERR_load_crypto_strings(); if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } #ifndef MONOLITH /* else this has happened in openssl.c (global `config') */ /* Lets load up our environment a little */ p=getenv("OPENSSL_CONF"); if (p == NULL) p=getenv("SSLEAY_CONF"); if (p == NULL) p=to_free=make_config_name(); default_config_file=p; config=NCONF_new(NULL); i=NCONF_load(config, p, &errline); #endif if (template != NULL) { long errline = -1; if( verbose ) BIO_printf(bio_err,"Using configuration from %s\n",template); req_conf=NCONF_new(NULL); i=NCONF_load(req_conf,template,&errline); if (i == 0) { BIO_printf(bio_err,"error on line %ld of %s\n",errline,template); goto end; } } else { req_conf=config; if( verbose ) BIO_printf(bio_err,"Using configuration from %s\n", default_config_file); if (req_conf == NULL) { BIO_printf(bio_err,"Unable to load config info\n"); } } if (req_conf != NULL) { if (!load_config(bio_err, req_conf)) goto end; p=NCONF_get_string(req_conf,NULL,"oid_file"); if (p == NULL) ERR_clear_error(); if (p != NULL) { BIO *oid_bio; oid_bio=BIO_new_file(p,"r"); if (oid_bio == NULL) { /* BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); ERR_print_errors(bio_err); */ } else { OBJ_create_objects(oid_bio); BIO_free(oid_bio); } } } if(!add_oid_section(bio_err, req_conf)) goto end; if (md_alg == NULL) { p=NCONF_get_string(req_conf,SECTION,"default_md"); if (p == NULL) ERR_clear_error(); if (p != NULL) { if ((md_alg=EVP_get_digestbyname(p)) != NULL) digest=md_alg; } } if (!extensions) { extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS); if (!extensions) ERR_clear_error(); } if (extensions) { /* Check syntax of file */ X509V3_CTX ctx; X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, req_conf); if(!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) { BIO_printf(bio_err, "Error Loading extension section %s\n", extensions); goto end; } } if(!passin) { passin = NCONF_get_string(req_conf, SECTION, "input_password"); if (!passin) ERR_clear_error(); } if(!passout) { passout = NCONF_get_string(req_conf, SECTION, "output_password"); if (!passout) ERR_clear_error(); } p = NCONF_get_string(req_conf, SECTION, STRING_MASK); if (!p) ERR_clear_error(); if(p && !ASN1_STRING_set_default_mask_asc(p)) { BIO_printf(bio_err, "Invalid global string mask setting %s\n", p); goto end; } if (chtype != MBSTRING_UTF8) { p = NCONF_get_string(req_conf, SECTION, UTF8_IN); if (!p) ERR_clear_error(); else if (!strcmp(p, "yes")) chtype = MBSTRING_UTF8; } if(!req_exts) { req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS); if (!req_exts) ERR_clear_error(); } if(req_exts) { /* Check syntax of file */ X509V3_CTX ctx; X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, req_conf); if(!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) { BIO_printf(bio_err, "Error Loading request extension section %s\n", req_exts); goto end; } } in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); if ((in == NULL) || (out == NULL)) goto end; #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif if (keyfile != NULL) { pkey = load_key(bio_err, keyfile, keyform, 0, passin, e, "Private Key"); if (!pkey) { /* load_key() has already printed an appropriate message */ goto end; } if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) { char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE"); if (randfile == NULL) ERR_clear_error(); app_RAND_load_file(randfile, bio_err, 0); } } if (newreq && (pkey == NULL)) { char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE"); if (randfile == NULL) ERR_clear_error(); app_RAND_load_file(randfile, bio_err, 0); if (inrand) app_RAND_load_files(inrand); if (newkey <= 0) { if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey)) newkey=DEFAULT_KEY_LENGTH; } if (newkey < MIN_KEY_LENGTH) { BIO_printf(bio_err,"private key length is too short,\n"); BIO_printf(bio_err,"it needs to be at least %d bits, not %d\n",MIN_KEY_LENGTH,newkey); goto end; } BIO_printf(bio_err,"Generating a %d bit %s private key\n", newkey,(pkey_type == TYPE_RSA)?"RSA":"DSA"); if ((pkey=EVP_PKEY_new()) == NULL) goto end; #ifndef OPENSSL_NO_RSA if (pkey_type == TYPE_RSA) { if (!EVP_PKEY_assign_RSA(pkey, RSA_generate_key(newkey,0x10001, req_cb,bio_err))) goto end; } else #endif #ifndef OPENSSL_NO_DSA if (pkey_type == TYPE_DSA) { if (!DSA_generate_key(dsa_params)) goto end; if (!EVP_PKEY_assign_DSA(pkey,dsa_params)) goto end; dsa_params=NULL; } #endif app_RAND_write_file(randfile, bio_err); if (pkey == NULL) goto end; if (keyout == NULL) { keyout=NCONF_get_string(req_conf,SECTION,KEYFILE); if (keyout == NULL) ERR_clear_error(); } if (keyout == NULL) { BIO_printf(bio_err,"writing new private key to stdout\n"); BIO_set_fp(out,stdout,BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } else { BIO_printf(bio_err,"writing new private key to '%s'\n",keyout); if (BIO_write_filename(out,keyout) <= 0) { perror(keyout); goto end; } } p=NCONF_get_string(req_conf,SECTION,"encrypt_rsa_key"); if (p == NULL) { ERR_clear_error(); p=NCONF_get_string(req_conf,SECTION,"encrypt_key"); if (p == NULL) ERR_clear_error(); } if ((p != NULL) && (strcmp(p,"no") == 0)) cipher=NULL; if (nodes) cipher=NULL; i=0; loop: if (!PEM_write_bio_PrivateKey(out,pkey,cipher, NULL,0,NULL,passout)) { if ((ERR_GET_REASON(ERR_peek_error()) == PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) { ERR_clear_error(); i++; goto loop; } goto end; } BIO_printf(bio_err,"-----\n"); } if (!newreq) { /* Since we are using a pre-existing certificate * request, the kludge 'format' info should not be * changed. */ kludge= -1; if (infile == NULL) BIO_set_fp(in,stdin,BIO_NOCLOSE); else { if (BIO_read_filename(in,infile) <= 0) { perror(infile); goto end; } } if (informat == FORMAT_ASN1) req=d2i_X509_REQ_bio(in,NULL); else if (informat == FORMAT_PEM) req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL); else { BIO_printf(bio_err,"bad input format specified for X509 request\n"); goto end; } if (req == NULL) { BIO_printf(bio_err,"unable to load X509 request\n"); goto end; } } if (newreq || x509) { if (pkey == NULL) { BIO_printf(bio_err,"you need to specify a private key\n"); goto end; } #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif if (req == NULL) { req=X509_REQ_new(); if (req == NULL) { goto end; } i=make_REQ(req,pkey,subj,!x509, chtype); subj=NULL; /* done processing '-subj' option */ if ((kludge > 0) && !sk_X509_ATTRIBUTE_num(req->req_info->attributes)) { sk_X509_ATTRIBUTE_free(req->req_info->attributes); req->req_info->attributes = NULL; } if (!i) { BIO_printf(bio_err,"problems making Certificate Request\n"); goto end; } } if (x509) { EVP_PKEY *tmppkey; X509V3_CTX ext_ctx; if ((x509ss=X509_new()) == NULL) goto end; /* Set version to V3 */ - if(!X509_set_version(x509ss, 2)) goto end; + if(extensions && !X509_set_version(x509ss, 2)) goto end; if (serial) { if (!X509_set_serialNumber(x509ss, serial)) goto end; } else { if (!ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L)) goto end; } if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end; if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end; if (!X509_gmtime_adj(X509_get_notAfter(x509ss), (long)60*60*24*days)) goto end; if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end; tmppkey = X509_REQ_get_pubkey(req); if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end; EVP_PKEY_free(tmppkey); /* Set up V3 context struct */ X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0); X509V3_set_nconf(&ext_ctx, req_conf); /* Add extensions */ if(extensions && !X509V3_EXT_add_nconf(req_conf, &ext_ctx, extensions, x509ss)) { BIO_printf(bio_err, "Error Loading extension section %s\n", extensions); goto end; } if (!(i=X509_sign(x509ss,pkey,digest))) goto end; } else { X509V3_CTX ext_ctx; /* Set up V3 context struct */ X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0); X509V3_set_nconf(&ext_ctx, req_conf); /* Add extensions */ if(req_exts && !X509V3_EXT_REQ_add_nconf(req_conf, &ext_ctx, req_exts, req)) { BIO_printf(bio_err, "Error Loading extension section %s\n", req_exts); goto end; } if (!(i=X509_REQ_sign(req,pkey,digest))) goto end; } } if (subj && x509) { BIO_printf(bio_err, "Cannot modifiy certificate subject\n"); goto end; } if (subj && !x509) { if (verbose) { BIO_printf(bio_err, "Modifying Request's Subject\n"); print_name(bio_err, "old subject=", X509_REQ_get_subject_name(req), nmflag); } if (build_subject(req, subj, chtype) == 0) { BIO_printf(bio_err, "ERROR: cannot modify subject\n"); ex=1; goto end; } req->req_info->enc.modified = 1; if (verbose) { print_name(bio_err, "new subject=", X509_REQ_get_subject_name(req), nmflag); } } if (verify && !x509) { int tmp=0; if (pkey == NULL) { pkey=X509_REQ_get_pubkey(req); tmp=1; if (pkey == NULL) goto end; } i=X509_REQ_verify(req,pkey); if (tmp) { EVP_PKEY_free(pkey); pkey=NULL; } if (i < 0) { goto end; } else if (i == 0) { BIO_printf(bio_err,"verify failure\n"); ERR_print_errors(bio_err); } else /* if (i > 0) */ BIO_printf(bio_err,"verify OK\n"); } if (noout && !text && !modulus && !subject && !pubkey) { ex=0; goto end; } if (outfile == NULL) { BIO_set_fp(out,stdout,BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } else { if ((keyout != NULL) && (strcmp(outfile,keyout) == 0)) i=(int)BIO_append_filename(out,outfile); else i=(int)BIO_write_filename(out,outfile); if (!i) { perror(outfile); goto end; } } if (pubkey) { EVP_PKEY *tpubkey; tpubkey=X509_REQ_get_pubkey(req); if (tpubkey == NULL) { BIO_printf(bio_err,"Error getting public key\n"); ERR_print_errors(bio_err); goto end; } PEM_write_bio_PUBKEY(out, tpubkey); EVP_PKEY_free(tpubkey); } if (text) { if (x509) X509_print_ex(out, x509ss, nmflag, reqflag); else X509_REQ_print_ex(out, req, nmflag, reqflag); } if(subject) { if(x509) print_name(out, "subject=", X509_get_subject_name(x509ss), nmflag); else print_name(out, "subject=", X509_REQ_get_subject_name(req), nmflag); } if (modulus) { EVP_PKEY *tpubkey; if (x509) tpubkey=X509_get_pubkey(x509ss); else tpubkey=X509_REQ_get_pubkey(req); if (tpubkey == NULL) { fprintf(stdout,"Modulus=unavailable\n"); goto end; } fprintf(stdout,"Modulus="); #ifndef OPENSSL_NO_RSA if (tpubkey->type == EVP_PKEY_RSA) BN_print(out,tpubkey->pkey.rsa->n); else #endif fprintf(stdout,"Wrong Algorithm type"); EVP_PKEY_free(tpubkey); fprintf(stdout,"\n"); } if (!noout && !x509) { if (outformat == FORMAT_ASN1) i=i2d_X509_REQ_bio(out,req); else if (outformat == FORMAT_PEM) { if(newhdr) i=PEM_write_bio_X509_REQ_NEW(out,req); else i=PEM_write_bio_X509_REQ(out,req); } else { BIO_printf(bio_err,"bad output format specified for outfile\n"); goto end; } if (!i) { BIO_printf(bio_err,"unable to write X509 request\n"); goto end; } } if (!noout && x509 && (x509ss != NULL)) { if (outformat == FORMAT_ASN1) i=i2d_X509_bio(out,x509ss); else if (outformat == FORMAT_PEM) i=PEM_write_bio_X509(out,x509ss); else { BIO_printf(bio_err,"bad output format specified for outfile\n"); goto end; } if (!i) { BIO_printf(bio_err,"unable to write X509 certificate\n"); goto end; } } ex=0; end: #ifndef MONOLITH if(to_free) OPENSSL_free(to_free); #endif if (ex) { ERR_print_errors(bio_err); } if ((req_conf != NULL) && (req_conf != config)) NCONF_free(req_conf); BIO_free(in); BIO_free_all(out); EVP_PKEY_free(pkey); X509_REQ_free(req); X509_free(x509ss); ASN1_INTEGER_free(serial); if(passargin && passin) OPENSSL_free(passin); if(passargout && passout) OPENSSL_free(passout); OBJ_cleanup(); #ifndef OPENSSL_NO_DSA if (dsa_params != NULL) DSA_free(dsa_params); #endif apps_shutdown(); OPENSSL_EXIT(ex); } static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int attribs, unsigned long chtype) { int ret=0,i; char no_prompt = 0; STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL; char *tmp, *dn_sect,*attr_sect; tmp=NCONF_get_string(req_conf,SECTION,PROMPT); if (tmp == NULL) ERR_clear_error(); if((tmp != NULL) && !strcmp(tmp, "no")) no_prompt = 1; dn_sect=NCONF_get_string(req_conf,SECTION,DISTINGUISHED_NAME); if (dn_sect == NULL) { BIO_printf(bio_err,"unable to find '%s' in config\n", DISTINGUISHED_NAME); goto err; } dn_sk=NCONF_get_section(req_conf,dn_sect); if (dn_sk == NULL) { BIO_printf(bio_err,"unable to get '%s' section\n",dn_sect); goto err; } attr_sect=NCONF_get_string(req_conf,SECTION,ATTRIBUTES); if (attr_sect == NULL) { ERR_clear_error(); attr_sk=NULL; } else { attr_sk=NCONF_get_section(req_conf,attr_sect); if (attr_sk == NULL) { BIO_printf(bio_err,"unable to get '%s' section\n",attr_sect); goto err; } } /* setup version number */ if (!X509_REQ_set_version(req,0L)) goto err; /* version 1 */ if (no_prompt) i = auto_info(req, dn_sk, attr_sk, attribs, chtype); else { if (subj) i = build_subject(req, subj, chtype); else i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs, chtype); } if(!i) goto err; if (!X509_REQ_set_pubkey(req,pkey)) goto err; ret=1; err: return(ret); } /* * subject is expected to be in the format /type0=value0/type1=value1/type2=... * where characters may be escaped by \ */ static int build_subject(X509_REQ *req, char *subject, unsigned long chtype) { X509_NAME *n; if (!(n = do_subject(subject, chtype))) return 0; if (!X509_REQ_set_subject_name(req, n)) { X509_NAME_free(n); return 0; } X509_NAME_free(n); return 1; } static int prompt_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect, STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs, unsigned long chtype) { int i; char *p,*q; char buf[100]; int nid; long n_min,n_max; char *type,*def,*value; CONF_VALUE *v; X509_NAME *subj; subj = X509_REQ_get_subject_name(req); if(!batch) { BIO_printf(bio_err,"You are about to be asked to enter information that will be incorporated\n"); BIO_printf(bio_err,"into your certificate request.\n"); BIO_printf(bio_err,"What you are about to enter is what is called a Distinguished Name or a DN.\n"); BIO_printf(bio_err,"There are quite a few fields but you can leave some blank\n"); BIO_printf(bio_err,"For some fields there will be a default value,\n"); BIO_printf(bio_err,"If you enter '.', the field will be left blank.\n"); BIO_printf(bio_err,"-----\n"); } if (sk_CONF_VALUE_num(dn_sk)) { i= -1; start: for (;;) { i++; if (sk_CONF_VALUE_num(dn_sk) <= i) break; v=sk_CONF_VALUE_value(dn_sk,i); p=q=NULL; type=v->name; if(!check_end(type,"_min") || !check_end(type,"_max") || !check_end(type,"_default") || !check_end(type,"_value")) continue; /* Skip past any leading X. X: X, etc to allow for * multiple instances */ for(p = v->name; *p ; p++) if ((*p == ':') || (*p == ',') || (*p == '.')) { p++; if(*p) type = p; break; } /* If OBJ not recognised ignore it */ if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start; - - if(strlen(v->name) > sizeof buf-9) + if (BIO_snprintf(buf,sizeof buf,"%s_default",v->name) + >= sizeof buf) { BIO_printf(bio_err,"Name '%s' too long\n",v->name); return 0; } - sprintf(buf,"%s_default",v->name); if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL) { ERR_clear_error(); def=""; } - sprintf(buf,"%s_value",v->name); + + BIO_snprintf(buf,sizeof buf,"%s_value",v->name); if ((value=NCONF_get_string(req_conf,dn_sect,buf)) == NULL) { ERR_clear_error(); value=NULL; } - sprintf(buf,"%s_min",v->name); + BIO_snprintf(buf,sizeof buf,"%s_min",v->name); if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min)) { ERR_clear_error(); n_min = -1; } - sprintf(buf,"%s_max",v->name); + BIO_snprintf(buf,sizeof buf,"%s_max",v->name); if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max)) { ERR_clear_error(); n_max = -1; } if (!add_DN_object(subj,v->value,def,value,nid, n_min,n_max, chtype)) return 0; } if (X509_NAME_entry_count(subj) == 0) { BIO_printf(bio_err,"error, no objects specified in config file\n"); return 0; } if (attribs) { if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0) && (!batch)) { BIO_printf(bio_err,"\nPlease enter the following 'extra' attributes\n"); BIO_printf(bio_err,"to be sent with your certificate request\n"); } i= -1; start2: for (;;) { i++; if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i)) break; v=sk_CONF_VALUE_value(attr_sk,i); type=v->name; if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start2; - if(strlen(v->name) > sizeof buf-9) + if (BIO_snprintf(buf,sizeof buf,"%s_default",type) + >= sizeof buf) { BIO_printf(bio_err,"Name '%s' too long\n",v->name); return 0; } - sprintf(buf,"%s_default",type); if ((def=NCONF_get_string(req_conf,attr_sect,buf)) == NULL) { ERR_clear_error(); def=""; } - sprintf(buf,"%s_value",type); + BIO_snprintf(buf,sizeof buf,"%s_value",type); if ((value=NCONF_get_string(req_conf,attr_sect,buf)) == NULL) { ERR_clear_error(); value=NULL; } - sprintf(buf,"%s_min",type); + BIO_snprintf(buf,sizeof buf,"%s_min",type); if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min)) n_min = -1; - sprintf(buf,"%s_max",type); + BIO_snprintf(buf,sizeof buf,"%s_max",type); if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max)) n_max = -1; if (!add_attribute_object(req, v->value,def,value,nid,n_min,n_max, chtype)) return 0; } } } else { BIO_printf(bio_err,"No template, please set one up.\n"); return 0; } return 1; } static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, STACK_OF(CONF_VALUE) *attr_sk, int attribs, unsigned long chtype) { int i; char *p,*q; char *type; CONF_VALUE *v; X509_NAME *subj; subj = X509_REQ_get_subject_name(req); for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) { v=sk_CONF_VALUE_value(dn_sk,i); p=q=NULL; type=v->name; /* Skip past any leading X. X: X, etc to allow for * multiple instances */ for(p = v->name; *p ; p++) #ifndef CHARSET_EBCDIC if ((*p == ':') || (*p == ',') || (*p == '.')) { #else if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.'])) { #endif p++; if(*p) type = p; break; } if (!X509_NAME_add_entry_by_txt(subj,type, chtype, (unsigned char *) v->value,-1,-1,0)) return 0; } if (!X509_NAME_entry_count(subj)) { BIO_printf(bio_err,"error, no objects specified in config file\n"); return 0; } if (attribs) { for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) { v=sk_CONF_VALUE_value(attr_sk,i); if(!X509_REQ_add1_attr_by_txt(req, v->name, chtype, (unsigned char *)v->value, -1)) return 0; } } return 1; } static int add_DN_object(X509_NAME *n, char *text, char *def, char *value, int nid, int n_min, int n_max, unsigned long chtype) { int i,ret=0; MS_STATIC char buf[1024]; start: if (!batch) BIO_printf(bio_err,"%s [%s]:",text,def); (void)BIO_flush(bio_err); if(value != NULL) { - OPENSSL_assert(strlen(value) < sizeof buf-2); - strcpy(buf,value); - strcat(buf,"\n"); + BUF_strlcpy(buf,value,sizeof buf); + BUF_strlcat(buf,"\n",sizeof buf); BIO_printf(bio_err,"%s\n",value); } else { buf[0]='\0'; if (!batch) { fgets(buf,sizeof buf,stdin); } else { buf[0] = '\n'; buf[1] = '\0'; } } if (buf[0] == '\0') return(0); else if (buf[0] == '\n') { if ((def == NULL) || (def[0] == '\0')) return(1); - strcpy(buf,def); - strcat(buf,"\n"); + BUF_strlcpy(buf,def,sizeof buf); + BUF_strlcat(buf,"\n",sizeof buf); } else if ((buf[0] == '.') && (buf[1] == '\n')) return(1); i=strlen(buf); if (buf[i-1] != '\n') { BIO_printf(bio_err,"weird input :-(\n"); return(0); } buf[--i]='\0'; #ifdef CHARSET_EBCDIC ebcdic2ascii(buf, buf, i); #endif if(!req_check_len(i, n_min, n_max)) goto start; if (!X509_NAME_add_entry_by_NID(n,nid, chtype, (unsigned char *) buf, -1,-1,0)) goto err; ret=1; err: return(ret); } static int add_attribute_object(X509_REQ *req, char *text, char *def, char *value, int nid, int n_min, int n_max, unsigned long chtype) { int i; static char buf[1024]; start: if (!batch) BIO_printf(bio_err,"%s [%s]:",text,def); (void)BIO_flush(bio_err); if (value != NULL) { - OPENSSL_assert(strlen(value) < sizeof buf-2); - strcpy(buf,value); - strcat(buf,"\n"); + BUF_strlcpy(buf,value,sizeof buf); + BUF_strlcat(buf,"\n",sizeof buf); BIO_printf(bio_err,"%s\n",value); } else { buf[0]='\0'; if (!batch) { fgets(buf,sizeof buf,stdin); } else { buf[0] = '\n'; buf[1] = '\0'; } } if (buf[0] == '\0') return(0); else if (buf[0] == '\n') { if ((def == NULL) || (def[0] == '\0')) return(1); - strcpy(buf,def); - strcat(buf,"\n"); + BUF_strlcpy(buf,def,sizeof buf); + BUF_strlcat(buf,"\n",sizeof buf); } else if ((buf[0] == '.') && (buf[1] == '\n')) return(1); i=strlen(buf); if (buf[i-1] != '\n') { BIO_printf(bio_err,"weird input :-(\n"); return(0); } buf[--i]='\0'; #ifdef CHARSET_EBCDIC ebcdic2ascii(buf, buf, i); #endif if(!req_check_len(i, n_min, n_max)) goto start; if(!X509_REQ_add1_attr_by_NID(req, nid, chtype, (unsigned char *)buf, -1)) { BIO_printf(bio_err, "Error adding attribute\n"); ERR_print_errors(bio_err); goto err; } return(1); err: return(0); } #ifndef OPENSSL_NO_RSA static void MS_CALLBACK req_cb(int p, int n, void *arg) { char c='*'; if (p == 0) c='.'; if (p == 1) c='+'; if (p == 2) c='*'; if (p == 3) c='\n'; BIO_write((BIO *)arg,&c,1); (void)BIO_flush((BIO *)arg); #ifdef LINT p=n; #endif } #endif static int req_check_len(int len, int n_min, int n_max) { if ((n_min > 0) && (len < n_min)) { BIO_printf(bio_err,"string is too short, it needs to be at least %d bytes long\n",n_min); return(0); } if ((n_max >= 0) && (len > n_max)) { BIO_printf(bio_err,"string is too long, it needs to be less than %d bytes long\n",n_max); return(0); } return(1); } /* Check if the end of a string matches 'end' */ static int check_end(char *str, char *end) { int elen, slen; char *tmp; elen = strlen(end); slen = strlen(str); if(elen > slen) return 1; tmp = str + slen - elen; return strcmp(tmp, end); } diff --git a/crypto/openssl/apps/rsautl.c b/crypto/openssl/apps/rsautl.c index 5a6fd115f41b..5db6fe7cd74f 100644 --- a/crypto/openssl/apps/rsautl.c +++ b/crypto/openssl/apps/rsautl.c @@ -1,320 +1,330 @@ /* rsautl.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 2000. */ /* ==================================================================== * Copyright (c) 2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #ifndef OPENSSL_NO_RSA #include "apps.h" #include #include #include #define RSA_SIGN 1 #define RSA_VERIFY 2 #define RSA_ENCRYPT 3 #define RSA_DECRYPT 4 #define KEY_PRIVKEY 1 #define KEY_PUBKEY 2 #define KEY_CERT 3 static void usage(void); #undef PROG #define PROG rsautl_main int MAIN(int argc, char **); int MAIN(int argc, char **argv) { ENGINE *e = NULL; BIO *in = NULL, *out = NULL; char *infile = NULL, *outfile = NULL; #ifndef OPENSSL_NO_ENGINE char *engine = NULL; #endif char *keyfile = NULL; char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY; int keyform = FORMAT_PEM; char need_priv = 0, badarg = 0, rev = 0; char hexdump = 0, asn1parse = 0; X509 *x; EVP_PKEY *pkey = NULL; RSA *rsa = NULL; unsigned char *rsa_in = NULL, *rsa_out = NULL, pad; + char *passargin = NULL, *passin = NULL; int rsa_inlen, rsa_outlen = 0; int keysize; int ret = 1; argc--; argv++; if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); if (!load_config(bio_err, NULL)) goto end; ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); pad = RSA_PKCS1_PADDING; while(argc >= 1) { if (!strcmp(*argv,"-in")) { if (--argc < 1) badarg = 1; infile= *(++argv); } else if (!strcmp(*argv,"-out")) { if (--argc < 1) badarg = 1; outfile= *(++argv); } else if(!strcmp(*argv, "-inkey")) { if (--argc < 1) badarg = 1; keyfile = *(++argv); + } else if (!strcmp(*argv,"-passin")) { + if (--argc < 1) badarg = 1; + passargin= *(++argv); } else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) badarg = 1; keyform=str2fmt(*(++argv)); #ifndef OPENSSL_NO_ENGINE } else if(!strcmp(*argv, "-engine")) { if (--argc < 1) badarg = 1; engine = *(++argv); #endif } else if(!strcmp(*argv, "-pubin")) { key_type = KEY_PUBKEY; } else if(!strcmp(*argv, "-certin")) { key_type = KEY_CERT; } else if(!strcmp(*argv, "-asn1parse")) asn1parse = 1; else if(!strcmp(*argv, "-hexdump")) hexdump = 1; else if(!strcmp(*argv, "-raw")) pad = RSA_NO_PADDING; else if(!strcmp(*argv, "-oaep")) pad = RSA_PKCS1_OAEP_PADDING; else if(!strcmp(*argv, "-ssl")) pad = RSA_SSLV23_PADDING; else if(!strcmp(*argv, "-pkcs")) pad = RSA_PKCS1_PADDING; else if(!strcmp(*argv, "-sign")) { rsa_mode = RSA_SIGN; need_priv = 1; } else if(!strcmp(*argv, "-verify")) rsa_mode = RSA_VERIFY; else if(!strcmp(*argv, "-rev")) rev = 1; else if(!strcmp(*argv, "-encrypt")) rsa_mode = RSA_ENCRYPT; else if(!strcmp(*argv, "-decrypt")) { rsa_mode = RSA_DECRYPT; need_priv = 1; } else badarg = 1; if(badarg) { usage(); goto end; } argc--; argv++; } if(need_priv && (key_type != KEY_PRIVKEY)) { BIO_printf(bio_err, "A private key is needed for this operation\n"); goto end; } #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif + if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } /* FIXME: seed PRNG only if needed */ app_RAND_load_file(NULL, bio_err, 0); switch(key_type) { case KEY_PRIVKEY: pkey = load_key(bio_err, keyfile, keyform, 0, - NULL, e, "Private Key"); + passin, e, "Private Key"); break; case KEY_PUBKEY: pkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL, e, "Public Key"); break; case KEY_CERT: x = load_cert(bio_err, keyfile, keyform, NULL, e, "Certificate"); if(x) { pkey = X509_get_pubkey(x); X509_free(x); } break; } if(!pkey) { return 1; } rsa = EVP_PKEY_get1_RSA(pkey); EVP_PKEY_free(pkey); if(!rsa) { BIO_printf(bio_err, "Error getting RSA key\n"); ERR_print_errors(bio_err); goto end; } if(infile) { if(!(in = BIO_new_file(infile, "rb"))) { BIO_printf(bio_err, "Error Reading Input File\n"); ERR_print_errors(bio_err); goto end; } } else in = BIO_new_fp(stdin, BIO_NOCLOSE); if(outfile) { if(!(out = BIO_new_file(outfile, "wb"))) { BIO_printf(bio_err, "Error Reading Output File\n"); ERR_print_errors(bio_err); goto end; } } else { out = BIO_new_fp(stdout, BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } keysize = RSA_size(rsa); rsa_in = OPENSSL_malloc(keysize * 2); rsa_out = OPENSSL_malloc(keysize); /* Read the input data */ rsa_inlen = BIO_read(in, rsa_in, keysize * 2); if(rsa_inlen <= 0) { BIO_printf(bio_err, "Error reading input Data\n"); exit(1); } if(rev) { int i; unsigned char ctmp; for(i = 0; i < rsa_inlen/2; i++) { ctmp = rsa_in[i]; rsa_in[i] = rsa_in[rsa_inlen - 1 - i]; rsa_in[rsa_inlen - 1 - i] = ctmp; } } switch(rsa_mode) { case RSA_VERIFY: rsa_outlen = RSA_public_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad); break; case RSA_SIGN: rsa_outlen = RSA_private_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad); break; case RSA_ENCRYPT: rsa_outlen = RSA_public_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad); break; case RSA_DECRYPT: rsa_outlen = RSA_private_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad); break; } if(rsa_outlen <= 0) { BIO_printf(bio_err, "RSA operation error\n"); ERR_print_errors(bio_err); goto end; } ret = 0; if(asn1parse) { if(!ASN1_parse_dump(out, rsa_out, rsa_outlen, 1, -1)) { ERR_print_errors(bio_err); } } else if(hexdump) BIO_dump(out, (char *)rsa_out, rsa_outlen); else BIO_write(out, rsa_out, rsa_outlen); end: RSA_free(rsa); BIO_free(in); BIO_free_all(out); if(rsa_in) OPENSSL_free(rsa_in); if(rsa_out) OPENSSL_free(rsa_out); + if(passin) OPENSSL_free(passin); return ret; } static void usage() { BIO_printf(bio_err, "Usage: rsautl [options]\n"); BIO_printf(bio_err, "-in file input file\n"); BIO_printf(bio_err, "-out file output file\n"); BIO_printf(bio_err, "-inkey file input key\n"); BIO_printf(bio_err, "-keyform arg private key format - default PEM\n"); BIO_printf(bio_err, "-pubin input is an RSA public\n"); BIO_printf(bio_err, "-certin input is a certificate carrying an RSA public key\n"); BIO_printf(bio_err, "-ssl use SSL v2 padding\n"); BIO_printf(bio_err, "-raw use no padding\n"); BIO_printf(bio_err, "-pkcs use PKCS#1 v1.5 padding (default)\n"); BIO_printf(bio_err, "-oaep use PKCS#1 OAEP\n"); BIO_printf(bio_err, "-sign sign with private key\n"); BIO_printf(bio_err, "-verify verify with public key\n"); BIO_printf(bio_err, "-encrypt encrypt with public key\n"); BIO_printf(bio_err, "-decrypt decrypt with private key\n"); BIO_printf(bio_err, "-hexdump hex dump output\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); + BIO_printf (bio_err, "-passin arg pass phrase source\n"); #endif } #endif diff --git a/crypto/openssl/apps/s_socket.c b/crypto/openssl/apps/s_socket.c index a88de6c8c85c..1867890966f6 100644 --- a/crypto/openssl/apps/s_socket.c +++ b/crypto/openssl/apps/s_socket.c @@ -1,555 +1,555 @@ /* apps/s_socket.c - socket-related functions used by s_client and s_server */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include #include #include /* With IPv6, it looks like Digital has mixed up the proper order of recursive header file inclusion, resulting in the compiler complaining that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is needed to have fileno() declared correctly... So let's define u_int */ #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT) #define __U_INT typedef unsigned int u_int; #endif #define USE_SOCKETS #define NON_MAIN #include "apps.h" #undef USE_SOCKETS #undef NON_MAIN #include "s_apps.h" #include static struct hostent *GetHostByName(char *name); #ifdef OPENSSL_SYS_WINDOWS static void ssl_sock_cleanup(void); #endif static int ssl_sock_init(void); static int init_client_ip(int *sock,unsigned char ip[4], int port); static int init_server(int *sock, int port); static int init_server_long(int *sock, int port,char *ip); static int do_accept(int acc_sock, int *sock, char **host); static int host_ip(char *str, unsigned char ip[4]); #ifdef OPENSSL_SYS_WIN16 #define SOCKET_PROTOCOL 0 /* more microsoft stupidity */ #else #define SOCKET_PROTOCOL IPPROTO_TCP #endif #ifdef OPENSSL_SYS_WINDOWS static struct WSAData wsa_state; static int wsa_init_done=0; #ifdef OPENSSL_SYS_WIN16 static HWND topWnd=0; static FARPROC lpTopWndProc=NULL; static FARPROC lpTopHookProc=NULL; extern HINSTANCE _hInstance; /* nice global CRT provides */ static LONG FAR PASCAL topHookProc(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) { if (hwnd == topWnd) { switch(message) { case WM_DESTROY: case WM_CLOSE: SetWindowLong(topWnd,GWL_WNDPROC,(LONG)lpTopWndProc); ssl_sock_cleanup(); break; } } return CallWindowProc(lpTopWndProc,hwnd,message,wParam,lParam); } static BOOL CALLBACK enumproc(HWND hwnd,LPARAM lParam) { topWnd=hwnd; return(FALSE); } #endif /* OPENSSL_SYS_WIN32 */ #endif /* OPENSSL_SYS_WINDOWS */ #ifdef OPENSSL_SYS_WINDOWS static void ssl_sock_cleanup(void) { if (wsa_init_done) { wsa_init_done=0; #ifndef OPENSSL_SYS_WINCE WSACancelBlockingCall(); #endif WSACleanup(); } } #endif static int ssl_sock_init(void) { #ifdef WATT32 extern int _watt_do_exit; _watt_do_exit = 0; dbug_init(); if (sock_init()) return (0); #elif defined(OPENSSL_SYS_WINDOWS) if (!wsa_init_done) { int err; #ifdef SIGINT signal(SIGINT,(void (*)(int))ssl_sock_cleanup); #endif wsa_init_done=1; memset(&wsa_state,0,sizeof(wsa_state)); if (WSAStartup(0x0101,&wsa_state)!=0) { err=WSAGetLastError(); BIO_printf(bio_err,"unable to start WINSOCK, error code=%d\n",err); return(0); } #ifdef OPENSSL_SYS_WIN16 EnumTaskWindows(GetCurrentTask(),enumproc,0L); lpTopWndProc=(FARPROC)GetWindowLong(topWnd,GWL_WNDPROC); lpTopHookProc=MakeProcInstance((FARPROC)topHookProc,_hInstance); SetWindowLong(topWnd,GWL_WNDPROC,(LONG)lpTopHookProc); #endif /* OPENSSL_SYS_WIN16 */ } #endif /* OPENSSL_SYS_WINDOWS */ return(1); } int init_client(int *sock, char *host, int port) { unsigned char ip[4]; short p=0; if (!host_ip(host,&(ip[0]))) { return(0); } if (p != 0) port=p; return(init_client_ip(sock,ip,port)); } static int init_client_ip(int *sock, unsigned char ip[4], int port) { unsigned long addr; struct sockaddr_in them; int s,i; if (!ssl_sock_init()) return(0); memset((char *)&them,0,sizeof(them)); them.sin_family=AF_INET; them.sin_port=htons((unsigned short)port); addr=(unsigned long) ((unsigned long)ip[0]<<24L)| ((unsigned long)ip[1]<<16L)| ((unsigned long)ip[2]<< 8L)| ((unsigned long)ip[3]); them.sin_addr.s_addr=htonl(addr); s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); if (s == INVALID_SOCKET) { perror("socket"); return(0); } #ifndef OPENSSL_SYS_MPE i=0; i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); if (i < 0) { perror("keepalive"); return(0); } #endif if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1) { close(s); perror("connect"); return(0); } *sock=s; return(1); } int do_server(int port, int *ret, int (*cb)(), char *context) { int sock; char *name; int accept_socket; int i; if (!init_server(&accept_socket,port)) return(0); if (ret != NULL) { *ret=accept_socket; /* return(1);*/ } for (;;) { if (do_accept(accept_socket,&sock,&name) == 0) { SHUTDOWN(accept_socket); return(0); } i=(*cb)(name,sock, context); if (name != NULL) OPENSSL_free(name); SHUTDOWN2(sock); if (i < 0) { SHUTDOWN2(accept_socket); return(i); } } } static int init_server_long(int *sock, int port, char *ip) { int ret=0; struct sockaddr_in server; int s= -1,i; if (!ssl_sock_init()) return(0); memset((char *)&server,0,sizeof(server)); server.sin_family=AF_INET; server.sin_port=htons((unsigned short)port); if (ip == NULL) server.sin_addr.s_addr=INADDR_ANY; else /* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */ #ifndef BIT_FIELD_LIMITS memcpy(&server.sin_addr.s_addr,ip,4); #else memcpy(&server.sin_addr,ip,4); #endif s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); if (s == INVALID_SOCKET) goto err; #if defined SOL_SOCKET && defined SO_REUSEADDR { int j = 1; setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *) &j, sizeof j); } #endif if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1) { #ifndef OPENSSL_SYS_WINDOWS perror("bind"); #endif goto err; } /* Make it 128 for linux */ if (listen(s,128) == -1) goto err; i=0; *sock=s; ret=1; err: if ((ret == 0) && (s != -1)) { SHUTDOWN(s); } return(ret); } static int init_server(int *sock, int port) { return(init_server_long(sock, port, NULL)); } static int do_accept(int acc_sock, int *sock, char **host) { int ret,i; struct hostent *h1,*h2; static struct sockaddr_in from; int len; /* struct linger ling; */ if (!ssl_sock_init()) return(0); #ifndef OPENSSL_SYS_WINDOWS redoit: #endif memset((char *)&from,0,sizeof(from)); len=sizeof(from); /* Note: under VMS with SOCKETSHR the fourth parameter is currently * of type (int *) whereas under other systems it is (void *) if * you don't have a cast it will choke the compiler: if you do * have a cast then you can either go for (int *) or (void *). */ ret=accept(acc_sock,(struct sockaddr *)&from,(void *)&len); if (ret == INVALID_SOCKET) { #ifdef OPENSSL_SYS_WINDOWS i=WSAGetLastError(); BIO_printf(bio_err,"accept error %d\n",i); #else if (errno == EINTR) { /*check_timeout(); */ goto redoit; } fprintf(stderr,"errno=%d ",errno); perror("accept"); #endif return(0); } /* ling.l_onoff=1; ling.l_linger=0; i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling)); if (i < 0) { perror("linger"); return(0); } i=0; i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); if (i < 0) { perror("keepalive"); return(0); } */ if (host == NULL) goto end; #ifndef BIT_FIELD_LIMITS /* I should use WSAAsyncGetHostByName() under windows */ h1=gethostbyaddr((char *)&from.sin_addr.s_addr, sizeof(from.sin_addr.s_addr),AF_INET); #else h1=gethostbyaddr((char *)&from.sin_addr, sizeof(struct in_addr),AF_INET); #endif if (h1 == NULL) { BIO_printf(bio_err,"bad gethostbyaddr\n"); *host=NULL; /* return(0); */ } else { if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL) { perror("OPENSSL_malloc"); return(0); } - strcpy(*host,h1->h_name); + BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1); h2=GetHostByName(*host); if (h2 == NULL) { BIO_printf(bio_err,"gethostbyname failure\n"); return(0); } i=0; if (h2->h_addrtype != AF_INET) { BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); return(0); } } end: *sock=ret; return(1); } int extract_host_port(char *str, char **host_ptr, unsigned char *ip, short *port_ptr) { char *h,*p; h=str; p=strchr(str,':'); if (p == NULL) { BIO_printf(bio_err,"no port defined\n"); return(0); } *(p++)='\0'; if ((ip != NULL) && !host_ip(str,ip)) goto err; if (host_ptr != NULL) *host_ptr=h; if (!extract_port(p,port_ptr)) goto err; return(1); err: return(0); } static int host_ip(char *str, unsigned char ip[4]) { unsigned int in[4]; int i; if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4) { for (i=0; i<4; i++) if (in[i] > 255) { BIO_printf(bio_err,"invalid IP address\n"); goto err; } ip[0]=in[0]; ip[1]=in[1]; ip[2]=in[2]; ip[3]=in[3]; } else { /* do a gethostbyname */ struct hostent *he; if (!ssl_sock_init()) return(0); he=GetHostByName(str); if (he == NULL) { BIO_printf(bio_err,"gethostbyname failure\n"); goto err; } /* cast to short because of win16 winsock definition */ if ((short)he->h_addrtype != AF_INET) { BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); return(0); } ip[0]=he->h_addr_list[0][0]; ip[1]=he->h_addr_list[0][1]; ip[2]=he->h_addr_list[0][2]; ip[3]=he->h_addr_list[0][3]; } return(1); err: return(0); } int extract_port(char *str, short *port_ptr) { int i; struct servent *s; i=atoi(str); if (i != 0) *port_ptr=(unsigned short)i; else { s=getservbyname(str,"tcp"); if (s == NULL) { BIO_printf(bio_err,"getservbyname failure for %s\n",str); return(0); } *port_ptr=ntohs((unsigned short)s->s_port); } return(1); } #define GHBN_NUM 4 static struct ghbn_cache_st { char name[128]; struct hostent ent; unsigned long order; } ghbn_cache[GHBN_NUM]; static unsigned long ghbn_hits=0L; static unsigned long ghbn_miss=0L; static struct hostent *GetHostByName(char *name) { struct hostent *ret; int i,lowi=0; unsigned long low= (unsigned long)-1; for (i=0; i ghbn_cache[i].order) { low=ghbn_cache[i].order; lowi=i; } if (ghbn_cache[i].order > 0) { if (strncmp(name,ghbn_cache[i].name,128) == 0) break; } } if (i == GHBN_NUM) /* no hit*/ { ghbn_miss++; ret=gethostbyname(name); if (ret == NULL) return(NULL); /* else add to cache */ if(strlen(name) < sizeof ghbn_cache[0].name) { strcpy(ghbn_cache[lowi].name,name); memcpy((char *)&(ghbn_cache[lowi].ent),ret,sizeof(struct hostent)); ghbn_cache[lowi].order=ghbn_miss+ghbn_hits; } return(ret); } else { ghbn_hits++; ret= &(ghbn_cache[i].ent); ghbn_cache[i].order=ghbn_miss+ghbn_hits; return(ret); } } diff --git a/crypto/openssl/apps/s_time.c b/crypto/openssl/apps/s_time.c index 1ad16cd607d4..7d4705746578 100644 --- a/crypto/openssl/apps/s_time.c +++ b/crypto/openssl/apps/s_time.c @@ -1,721 +1,721 @@ /* apps/s_time.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #define NO_SHUTDOWN /*----------------------------------------- s_time - SSL client connection timer program Written and donated by Larry Streepy -----------------------------------------*/ #include #include #include #define USE_SOCKETS #include "apps.h" #ifdef OPENSSL_NO_STDIO #define APPS_WIN16 #endif #include #include #include #include "s_apps.h" #include #ifdef WIN32_STUFF #include "winmain.h" #include "wintext.h" #endif #if !defined(OPENSSL_SYS_MSDOS) #include OPENSSL_UNISTD #endif #if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) #define TIMES #endif #ifndef _IRIX #include #endif #ifdef TIMES #include #include #endif /* Depending on the VMS version, the tms structure is perhaps defined. The __TMS macro will show if it was. If it wasn't defined, we should undefine TIMES, since that tells the rest of the program how things should be handled. -- Richard Levitte */ #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS) #undef TIMES #endif #if !defined(TIMES) && !defined(OPENSSL_SYS_VXWORKS) #include #endif #if defined(sun) || defined(__ultrix) #define _POSIX_SOURCE #include #include #endif /* The following if from times(3) man page. It may need to be changed */ #ifndef HZ # ifdef _SC_CLK_TCK # define HZ ((double)sysconf(_SC_CLK_TCK)) # else # ifndef CLK_TCK # ifndef _BSD_CLK_TCK_ /* FreeBSD hack */ # define HZ 100.0 # else /* _BSD_CLK_TCK_ */ # define HZ ((double)_BSD_CLK_TCK_) # endif # else /* CLK_TCK */ # define HZ ((double)CLK_TCK) # endif # endif #endif #undef PROG #define PROG s_time_main #undef ioctl #define ioctl ioctlsocket #define SSL_CONNECT_NAME "localhost:4433" /*#define TEST_CERT "client.pem" */ /* no default cert. */ #undef BUFSIZZ #define BUFSIZZ 1024*10 #define MYBUFSIZ 1024*8 #undef min #undef max #define min(a,b) (((a) < (b)) ? (a) : (b)) #define max(a,b) (((a) > (b)) ? (a) : (b)) #undef SECONDS #define SECONDS 30 extern int verify_depth; extern int verify_error; static void s_time_usage(void); static int parseArgs( int argc, char **argv ); static SSL *doConnection( SSL *scon ); static void s_time_init(void); /*********************************************************************** * Static data declarations */ /* static char *port=PORT_STR;*/ static char *host=SSL_CONNECT_NAME; static char *t_cert_file=NULL; static char *t_key_file=NULL; static char *CApath=NULL; static char *CAfile=NULL; static char *tm_cipher=NULL; static int tm_verify = SSL_VERIFY_NONE; static int maxTime = SECONDS; static SSL_CTX *tm_ctx=NULL; static SSL_METHOD *s_time_meth=NULL; static char *s_www_path=NULL; static long bytes_read=0; static int st_bugs=0; static int perform=0; #ifdef FIONBIO static int t_nbio=0; #endif #ifdef OPENSSL_SYS_WIN32 static int exitNow = 0; /* Set when it's time to exit main */ #endif static void s_time_init(void) { host=SSL_CONNECT_NAME; t_cert_file=NULL; t_key_file=NULL; CApath=NULL; CAfile=NULL; tm_cipher=NULL; tm_verify = SSL_VERIFY_NONE; maxTime = SECONDS; tm_ctx=NULL; s_time_meth=NULL; s_www_path=NULL; bytes_read=0; st_bugs=0; perform=0; #ifdef FIONBIO t_nbio=0; #endif #ifdef OPENSSL_SYS_WIN32 exitNow = 0; /* Set when it's time to exit main */ #endif } /*********************************************************************** * usage - display usage message */ static void s_time_usage(void) { static char umsg[] = "\ -time arg - max number of seconds to collect data, default %d\n\ -verify arg - turn on peer certificate verification, arg == depth\n\ -cert arg - certificate file to use, PEM format assumed\n\ -key arg - RSA file to use, PEM format assumed, key is in cert file\n\ file if not specified by this option\n\ -CApath arg - PEM format directory of CA's\n\ -CAfile arg - PEM format file of CA's\n\ -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n"; printf( "usage: s_time \n\n" ); printf("-connect host:port - host:port to connect to (default is %s)\n",SSL_CONNECT_NAME); #ifdef FIONBIO printf("-nbio - Run with non-blocking IO\n"); printf("-ssl2 - Just use SSLv2\n"); printf("-ssl3 - Just use SSLv3\n"); printf("-bugs - Turn on SSL bug compatibility\n"); printf("-new - Just time new connections\n"); printf("-reuse - Just time connection reuse\n"); printf("-www page - Retrieve 'page' from the site\n"); #endif printf( umsg,SECONDS ); } /*********************************************************************** * parseArgs - Parse command line arguments and initialize data * * Returns 0 if ok, -1 on bad args */ static int parseArgs(int argc, char **argv) { int badop = 0; verify_depth=0; verify_error=X509_V_OK; argc--; argv++; while (argc >= 1) { if (strcmp(*argv,"-connect") == 0) { if (--argc < 1) goto bad; host= *(++argv); } #if 0 else if( strcmp(*argv,"-host") == 0) { if (--argc < 1) goto bad; host= *(++argv); } else if( strcmp(*argv,"-port") == 0) { if (--argc < 1) goto bad; port= *(++argv); } #endif else if (strcmp(*argv,"-reuse") == 0) perform=2; else if (strcmp(*argv,"-new") == 0) perform=1; else if( strcmp(*argv,"-verify") == 0) { tm_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE; if (--argc < 1) goto bad; verify_depth=atoi(*(++argv)); BIO_printf(bio_err,"verify depth is %d\n",verify_depth); } else if( strcmp(*argv,"-cert") == 0) { if (--argc < 1) goto bad; t_cert_file= *(++argv); } else if( strcmp(*argv,"-key") == 0) { if (--argc < 1) goto bad; t_key_file= *(++argv); } else if( strcmp(*argv,"-CApath") == 0) { if (--argc < 1) goto bad; CApath= *(++argv); } else if( strcmp(*argv,"-CAfile") == 0) { if (--argc < 1) goto bad; CAfile= *(++argv); } else if( strcmp(*argv,"-cipher") == 0) { if (--argc < 1) goto bad; tm_cipher= *(++argv); } #ifdef FIONBIO else if(strcmp(*argv,"-nbio") == 0) { t_nbio=1; } #endif else if(strcmp(*argv,"-www") == 0) { if (--argc < 1) goto bad; s_www_path= *(++argv); if(strlen(s_www_path) > MYBUFSIZ-100) { BIO_printf(bio_err,"-www option too long\n"); badop=1; } } else if(strcmp(*argv,"-bugs") == 0) st_bugs=1; #ifndef OPENSSL_NO_SSL2 else if(strcmp(*argv,"-ssl2") == 0) s_time_meth=SSLv2_client_method(); #endif #ifndef OPENSSL_NO_SSL3 else if(strcmp(*argv,"-ssl3") == 0) s_time_meth=SSLv3_client_method(); #endif else if( strcmp(*argv,"-time") == 0) { if (--argc < 1) goto bad; maxTime= atoi(*(++argv)); } else { BIO_printf(bio_err,"unknown option %s\n",*argv); badop=1; break; } argc--; argv++; } if (perform == 0) perform=3; if(badop) { bad: s_time_usage(); return -1; } return 0; /* Valid args */ } /*********************************************************************** * TIME - time functions */ #define START 0 #define STOP 1 static double tm_Time_F(int s) { static double ret; #ifdef TIMES static struct tms tstart,tend; if(s == START) { times(&tstart); return(0); } else { times(&tend); ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ; return((ret == 0.0)?1e-6:ret); } #elif defined(OPENSSL_SYS_VXWORKS) { static unsigned long tick_start, tick_end; if( s == START ) { tick_start = tickGet(); return 0; } else { tick_end = tickGet(); ret = (double)(tick_end - tick_start) / (double)sysClkRateGet(); return((ret == 0.0)?1e-6:ret); } } #else /* !times() */ static struct timeb tstart,tend; long i; if(s == START) { ftime(&tstart); return(0); } else { ftime(&tend); i=(long)tend.millitm-(long)tstart.millitm; ret=((double)(tend.time-tstart.time))+((double)i)/1000.0; return((ret == 0.0)?1e-6:ret); } #endif } /*********************************************************************** * MAIN - main processing area for client * real name depends on MONOLITH */ int MAIN(int, char **); int MAIN(int argc, char **argv) { double totalTime = 0.0; int nConn = 0; SSL *scon=NULL; long finishtime=0; int ret=1,i; MS_STATIC char buf[1024*8]; int ver; apps_startup(); s_time_init(); if (bio_err == NULL) bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) s_time_meth=SSLv23_client_method(); #elif !defined(OPENSSL_NO_SSL3) s_time_meth=SSLv3_client_method(); #elif !defined(OPENSSL_NO_SSL2) s_time_meth=SSLv2_client_method(); #endif /* parse the command line arguments */ if( parseArgs( argc, argv ) < 0 ) goto end; OpenSSL_add_ssl_algorithms(); if ((tm_ctx=SSL_CTX_new(s_time_meth)) == NULL) return(1); SSL_CTX_set_quiet_shutdown(tm_ctx,1); if (st_bugs) SSL_CTX_set_options(tm_ctx,SSL_OP_ALL); SSL_CTX_set_cipher_list(tm_ctx,tm_cipher); if(!set_cert_stuff(tm_ctx,t_cert_file,t_key_file)) goto end; SSL_load_error_strings(); if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(tm_ctx))) { /* BIO_printf(bio_err,"error setting default verify locations\n"); */ ERR_print_errors(bio_err); /* goto end; */ } if (tm_cipher == NULL) tm_cipher = getenv("SSL_CIPHER"); if (tm_cipher == NULL ) { fprintf( stderr, "No CIPHER specified\n" ); } if (!(perform & 1)) goto next; printf( "Collecting connection statistics for %d seconds\n", maxTime ); /* Loop and time how long it takes to make connections */ bytes_read=0; finishtime=(long)time(NULL)+maxTime; tm_Time_F(START); for (;;) { if (finishtime < (long)time(NULL)) break; #ifdef WIN32_STUFF if( flushWinMsgs(0) == -1 ) goto end; if( waitingToDie || exitNow ) /* we're dead */ goto end; #endif if( (scon = doConnection( NULL )) == NULL ) goto end; if (s_www_path != NULL) { - sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); + BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); SSL_write(scon,buf,strlen(buf)); while ((i=SSL_read(scon,buf,sizeof(buf))) > 0) bytes_read+=i; } #ifdef NO_SHUTDOWN SSL_set_shutdown(scon,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); #else SSL_shutdown(scon); #endif SHUTDOWN2(SSL_get_fd(scon)); nConn += 1; if (SSL_session_reused(scon)) ver='r'; else { ver=SSL_version(scon); if (ver == TLS1_VERSION) ver='t'; else if (ver == SSL3_VERSION) ver='3'; else if (ver == SSL2_VERSION) ver='2'; else ver='*'; } fputc(ver,stdout); fflush(stdout); SSL_free( scon ); scon=NULL; } totalTime += tm_Time_F(STOP); /* Add the time for this iteration */ i=(int)((long)time(NULL)-finishtime+maxTime); printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read); printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,(long)time(NULL)-finishtime+maxTime,bytes_read/nConn); /* Now loop and time connections using the same session id over and over */ next: if (!(perform & 2)) goto end; printf( "\n\nNow timing with session id reuse.\n" ); /* Get an SSL object so we can reuse the session id */ if( (scon = doConnection( NULL )) == NULL ) { fprintf( stderr, "Unable to get connection\n" ); goto end; } if (s_www_path != NULL) { - sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); + BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); SSL_write(scon,buf,strlen(buf)); while (SSL_read(scon,buf,sizeof(buf)) > 0) ; } #ifdef NO_SHUTDOWN SSL_set_shutdown(scon,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); #else SSL_shutdown(scon); #endif SHUTDOWN2(SSL_get_fd(scon)); nConn = 0; totalTime = 0.0; finishtime=(long)time(NULL)+maxTime; printf( "starting\n" ); bytes_read=0; tm_Time_F(START); for (;;) { if (finishtime < (long)time(NULL)) break; #ifdef WIN32_STUFF if( flushWinMsgs(0) == -1 ) goto end; if( waitingToDie || exitNow ) /* we're dead */ goto end; #endif if( (doConnection( scon )) == NULL ) goto end; if (s_www_path) { - sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); + BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path); SSL_write(scon,buf,strlen(buf)); while ((i=SSL_read(scon,buf,sizeof(buf))) > 0) bytes_read+=i; } #ifdef NO_SHUTDOWN SSL_set_shutdown(scon,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); #else SSL_shutdown(scon); #endif SHUTDOWN2(SSL_get_fd(scon)); nConn += 1; if (SSL_session_reused(scon)) ver='r'; else { ver=SSL_version(scon); if (ver == TLS1_VERSION) ver='t'; else if (ver == SSL3_VERSION) ver='3'; else if (ver == SSL2_VERSION) ver='2'; else ver='*'; } fputc(ver,stdout); fflush(stdout); } totalTime += tm_Time_F(STOP); /* Add the time for this iteration*/ printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read); printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,(long)time(NULL)-finishtime+maxTime,bytes_read/nConn); ret=0; end: if (scon != NULL) SSL_free(scon); if (tm_ctx != NULL) { SSL_CTX_free(tm_ctx); tm_ctx=NULL; } apps_shutdown(); OPENSSL_EXIT(ret); } /*********************************************************************** * doConnection - make a connection * Args: * scon = earlier ssl connection for session id, or NULL * Returns: * SSL * = the connection pointer. */ static SSL *doConnection(SSL *scon) { BIO *conn; SSL *serverCon; int width, i; fd_set readfds; if ((conn=BIO_new(BIO_s_connect())) == NULL) return(NULL); /* BIO_set_conn_port(conn,port);*/ BIO_set_conn_hostname(conn,host); if (scon == NULL) serverCon=SSL_new(tm_ctx); else { serverCon=scon; SSL_set_connect_state(serverCon); } SSL_set_bio(serverCon,conn,conn); #if 0 if( scon != NULL ) SSL_set_session(serverCon,SSL_get_session(scon)); #endif /* ok, lets connect */ for(;;) { i=SSL_connect(serverCon); if (BIO_sock_should_retry(i)) { BIO_printf(bio_err,"DELAY\n"); i=SSL_get_fd(serverCon); width=i+1; FD_ZERO(&readfds); FD_SET(i,&readfds); /* Note: under VMS with SOCKETSHR the 2nd parameter * is currently of type (int *) whereas under other * systems it is (void *) if you don't have a cast it * will choke the compiler: if you do have a cast then * you can either go for (int *) or (void *). */ select(width,(void *)&readfds,NULL,NULL,NULL); continue; } break; } if(i <= 0) { BIO_printf(bio_err,"ERROR\n"); if (verify_error != X509_V_OK) BIO_printf(bio_err,"verify error:%s\n", X509_verify_cert_error_string(verify_error)); else ERR_print_errors(bio_err); if (scon == NULL) SSL_free(serverCon); return NULL; } return serverCon; } diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c index ec55b4188cb4..24122000092a 100644 --- a/crypto/openssl/apps/speed.c +++ b/crypto/openssl/apps/speed.c @@ -1,1951 +1,1958 @@ /* apps/speed.c -*- mode:C; c-file-style: "eay" -*- */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* most of this code has been pilfered from my libdes speed.c program */ #ifndef OPENSSL_NO_SPEED #undef SECONDS #define SECONDS 3 #define RSA_SECONDS 10 #define DSA_SECONDS 10 /* 11-Sep-92 Andrew Daviel Support for Silicon Graphics IRIX added */ /* 06-Apr-92 Luke Brennan Support for VMS and add extra signal calls */ #undef PROG #define PROG speed_main #include #include #include #include #include #include "apps.h" #ifdef OPENSSL_NO_STDIO #define APPS_WIN16 #endif #include #include #include #include #include #if !defined(OPENSSL_SYS_MSDOS) #include OPENSSL_UNISTD #endif #if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(OPENSSL_SYS_MACOSX) # define USE_TOD #elif !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) # define TIMES #endif #if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(OPENSSL_SYS_MPE) && !defined(__NetBSD__) && !defined(OPENSSL_SYS_VXWORKS) /* FIXME */ # define TIMEB #endif #ifndef _IRIX # include #endif #ifdef TIMES # include # include #endif #ifdef USE_TOD # include # include #endif /* Depending on the VMS version, the tms structure is perhaps defined. The __TMS macro will show if it was. If it wasn't defined, we should undefine TIMES, since that tells the rest of the program how things should be handled. -- Richard Levitte */ #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS) #undef TIMES #endif #ifdef TIMEB #include #endif #if !defined(TIMES) && !defined(TIMEB) && !defined(USE_TOD) && !defined(OPENSSL_SYS_VXWORKS) #error "It seems neither struct tms nor struct timeb is supported in this platform!" #endif #if defined(sun) || defined(__ultrix) #define _POSIX_SOURCE #include #include #endif #ifndef OPENSSL_NO_DES #include #endif #ifndef OPENSSL_NO_AES #include #endif #ifndef OPENSSL_NO_MD2 #include #endif #ifndef OPENSSL_NO_MDC2 #include #endif #ifndef OPENSSL_NO_MD4 #include #endif #ifndef OPENSSL_NO_MD5 #include #endif #ifndef OPENSSL_NO_HMAC #include #endif #include #ifndef OPENSSL_NO_SHA #include #endif #ifndef OPENSSL_NO_RIPEMD #include #endif #ifndef OPENSSL_NO_RC4 #include #endif #ifndef OPENSSL_NO_RC5 #include #endif #ifndef OPENSSL_NO_RC2 #include #endif #ifndef OPENSSL_NO_IDEA #include #endif #ifndef OPENSSL_NO_BF #include #endif #ifndef OPENSSL_NO_CAST #include #endif #ifndef OPENSSL_NO_RSA #include #include "./testrsa.h" #endif #include #ifndef OPENSSL_NO_DSA #include "./testdsa.h" #endif /* The following if from times(3) man page. It may need to be changed */ #ifndef HZ # if defined(_SC_CLK_TCK) \ && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000) # define HZ ((double)sysconf(_SC_CLK_TCK)) # else # ifndef CLK_TCK # ifndef _BSD_CLK_TCK_ /* FreeBSD hack */ # define HZ 100.0 # else /* _BSD_CLK_TCK_ */ # define HZ ((double)_BSD_CLK_TCK_) # endif # else /* CLK_TCK */ # define HZ ((double)CLK_TCK) # endif # endif #endif #if !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(OPENSSL_SYS_OS2) # define HAVE_FORK 1 #endif #undef BUFSIZE #define BUFSIZE ((long)1024*8+1) int run=0; static char ftime_used = 0, times_used = 0, gettimeofday_used = 0, getrusage_used = 0; static int mr=0; static int usertime=1; static double Time_F(int s); static void print_message(const char *s,long num,int length); static void pkey_print_message(char *str,char *str2,long num,int bits,int sec); static void print_result(int alg,int run_no,int count,double time_used); #ifdef HAVE_FORK static int do_multi(int multi); #endif #define ALGOR_NUM 19 #define SIZE_NUM 5 #define RSA_NUM 4 #define DSA_NUM 3 static const char *names[ALGOR_NUM]={ "md2","mdc2","md4","md5","hmac(md5)","sha1","rmd160","rc4", "des cbc","des ede3","idea cbc", "rc2 cbc","rc5-32/12 cbc","blowfish cbc","cast cbc", "aes-128 cbc","aes-192 cbc","aes-256 cbc"}; static double results[ALGOR_NUM][SIZE_NUM]; static int lengths[SIZE_NUM]={16,64,256,1024,8*1024}; static double rsa_results[RSA_NUM][2]; static double dsa_results[DSA_NUM][2]; #ifdef SIGALRM #if defined(__STDC__) || defined(sgi) || defined(_AIX) #define SIGRETTYPE void #else #define SIGRETTYPE int #endif static SIGRETTYPE sig_done(int sig); static SIGRETTYPE sig_done(int sig) { signal(SIGALRM,sig_done); run=0; #ifdef LINT sig=sig; #endif } #endif #define START 0 #define STOP 1 static double Time_F(int s) { double ret; #ifdef USE_TOD if(usertime) { static struct rusage tstart,tend; getrusage_used = 1; if (s == START) { getrusage(RUSAGE_SELF,&tstart); return(0); } else { long i; getrusage(RUSAGE_SELF,&tend); i=(long)tend.ru_utime.tv_usec-(long)tstart.ru_utime.tv_usec; ret=((double)(tend.ru_utime.tv_sec-tstart.ru_utime.tv_sec)) +((double)i)/1000000.0; return((ret < 0.001)?0.001:ret); } } else { static struct timeval tstart,tend; long i; gettimeofday_used = 1; if (s == START) { gettimeofday(&tstart,NULL); return(0); } else { gettimeofday(&tend,NULL); i=(long)tend.tv_usec-(long)tstart.tv_usec; ret=((double)(tend.tv_sec-tstart.tv_sec))+((double)i)/1000000.0; return((ret < 0.001)?0.001:ret); } } #else /* ndef USE_TOD */ # ifdef TIMES if (usertime) { static struct tms tstart,tend; times_used = 1; if (s == START) { times(&tstart); return(0); } else { times(&tend); ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ; return((ret < 1e-3)?1e-3:ret); } } # endif /* times() */ # if defined(TIMES) && defined(TIMEB) else # endif # ifdef OPENSSL_SYS_VXWORKS { static unsigned long tick_start, tick_end; if( s == START ) { tick_start = tickGet(); return 0; } else { tick_end = tickGet(); ret = (double)(tick_end - tick_start) / (double)sysClkRateGet(); return((ret < 0.001)?0.001:ret); } } # elif defined(TIMEB) { static struct timeb tstart,tend; long i; ftime_used = 1; if (s == START) { ftime(&tstart); return(0); } else { ftime(&tend); i=(long)tend.millitm-(long)tstart.millitm; ret=((double)(tend.time-tstart.time))+((double)i)/1000.0; return((ret < 0.001)?0.001:ret); } } # endif #endif } int MAIN(int, char **); int MAIN(int argc, char **argv) { #ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; #endif unsigned char *buf=NULL,*buf2=NULL; int mret=1; long count=0,save_count=0; int i,j,k; #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) long rsa_count; #endif #ifndef OPENSSL_NO_RSA unsigned rsa_num; #endif unsigned char md[EVP_MAX_MD_SIZE]; #ifndef OPENSSL_NO_MD2 unsigned char md2[MD2_DIGEST_LENGTH]; #endif #ifndef OPENSSL_NO_MDC2 unsigned char mdc2[MDC2_DIGEST_LENGTH]; #endif #ifndef OPENSSL_NO_MD4 unsigned char md4[MD4_DIGEST_LENGTH]; #endif #ifndef OPENSSL_NO_MD5 unsigned char md5[MD5_DIGEST_LENGTH]; unsigned char hmac[MD5_DIGEST_LENGTH]; #endif #ifndef OPENSSL_NO_SHA unsigned char sha[SHA_DIGEST_LENGTH]; #endif #ifndef OPENSSL_NO_RIPEMD unsigned char rmd160[RIPEMD160_DIGEST_LENGTH]; #endif #ifndef OPENSSL_NO_RC4 RC4_KEY rc4_ks; #endif #ifndef OPENSSL_NO_RC5 RC5_32_KEY rc5_ks; #endif #ifndef OPENSSL_NO_RC2 RC2_KEY rc2_ks; #endif #ifndef OPENSSL_NO_IDEA IDEA_KEY_SCHEDULE idea_ks; #endif #ifndef OPENSSL_NO_BF BF_KEY bf_ks; #endif #ifndef OPENSSL_NO_CAST CAST_KEY cast_ks; #endif static const unsigned char key16[16]= {0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0, 0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12}; static const unsigned char key24[24]= {0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0, 0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12, 0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34}; static const unsigned char key32[32]= {0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0, 0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12, 0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34, 0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34,0x56}; #ifndef OPENSSL_NO_AES #define MAX_BLOCK_SIZE 128 #else #define MAX_BLOCK_SIZE 64 #endif unsigned char DES_iv[8]; unsigned char iv[MAX_BLOCK_SIZE/8]; #ifndef OPENSSL_NO_DES DES_cblock *buf_as_des_cblock = NULL; static DES_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0}; static DES_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12}; static DES_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34}; DES_key_schedule sch; DES_key_schedule sch2; DES_key_schedule sch3; #endif #ifndef OPENSSL_NO_AES AES_KEY aes_ks1, aes_ks2, aes_ks3; #endif #define D_MD2 0 #define D_MDC2 1 #define D_MD4 2 #define D_MD5 3 #define D_HMAC 4 #define D_SHA1 5 #define D_RMD160 6 #define D_RC4 7 #define D_CBC_DES 8 #define D_EDE3_DES 9 #define D_CBC_IDEA 10 #define D_CBC_RC2 11 #define D_CBC_RC5 12 #define D_CBC_BF 13 #define D_CBC_CAST 14 #define D_CBC_128_AES 15 #define D_CBC_192_AES 16 #define D_CBC_256_AES 17 #define D_EVP 18 double d=0.0; long c[ALGOR_NUM][SIZE_NUM]; #define R_DSA_512 0 #define R_DSA_1024 1 #define R_DSA_2048 2 #define R_RSA_512 0 #define R_RSA_1024 1 #define R_RSA_2048 2 #define R_RSA_4096 3 #ifndef OPENSSL_NO_RSA RSA *rsa_key[RSA_NUM]; long rsa_c[RSA_NUM][2]; static unsigned int rsa_bits[RSA_NUM]={512,1024,2048,4096}; static unsigned char *rsa_data[RSA_NUM]= {test512,test1024,test2048,test4096}; static int rsa_data_length[RSA_NUM]={ sizeof(test512),sizeof(test1024), sizeof(test2048),sizeof(test4096)}; #endif #ifndef OPENSSL_NO_DSA DSA *dsa_key[DSA_NUM]; long dsa_c[DSA_NUM][2]; static unsigned int dsa_bits[DSA_NUM]={512,1024,2048}; #endif int rsa_doit[RSA_NUM]; int dsa_doit[DSA_NUM]; int doit[ALGOR_NUM]; int pr_header=0; const EVP_CIPHER *evp_cipher=NULL; const EVP_MD *evp_md=NULL; int decrypt=0; #ifdef HAVE_FORK int multi=0; #endif #ifndef TIMES usertime=-1; #endif apps_startup(); memset(results, 0, sizeof(results)); #ifndef OPENSSL_NO_DSA memset(dsa_key,0,sizeof(dsa_key)); #endif if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); if (!load_config(bio_err, NULL)) goto end; #ifndef OPENSSL_NO_RSA memset(rsa_key,0,sizeof(rsa_key)); for (i=0; i 0) && (strcmp(*argv,"-elapsed") == 0)) { usertime = 0; j--; /* Otherwise, -elapsed gets confused with an algorithm. */ } else if ((argc > 0) && (strcmp(*argv,"-evp") == 0)) { argc--; argv++; if(argc == 0) { BIO_printf(bio_err,"no EVP given\n"); goto end; } evp_cipher=EVP_get_cipherbyname(*argv); if(!evp_cipher) { evp_md=EVP_get_digestbyname(*argv); } if(!evp_cipher && !evp_md) { BIO_printf(bio_err,"%s is an unknown cipher or digest\n",*argv); goto end; } doit[D_EVP]=1; } else if (argc > 0 && !strcmp(*argv,"-decrypt")) { decrypt=1; j--; /* Otherwise, -elapsed gets confused with an algorithm. */ } #ifndef OPENSSL_NO_ENGINE else if ((argc > 0) && (strcmp(*argv,"-engine") == 0)) { argc--; argv++; if(argc == 0) { BIO_printf(bio_err,"no engine given\n"); goto end; } e = setup_engine(bio_err, *argv, 0); /* j will be increased again further down. We just don't want speed to confuse an engine with an algorithm, especially when none is given (which means all of them should be run) */ j--; } #endif #ifdef HAVE_FORK else if ((argc > 0) && (strcmp(*argv,"-multi") == 0)) { argc--; argv++; if(argc == 0) { BIO_printf(bio_err,"no multi count given\n"); goto end; } multi=atoi(argv[0]); if(multi <= 0) { BIO_printf(bio_err,"bad multi count\n"); goto end; } j--; /* Otherwise, -mr gets confused with an algorithm. */ } #endif else if (argc > 0 && !strcmp(*argv,"-mr")) { mr=1; j--; /* Otherwise, -mr gets confused with an algorithm. */ } else #ifndef OPENSSL_NO_MD2 if (strcmp(*argv,"md2") == 0) doit[D_MD2]=1; else #endif #ifndef OPENSSL_NO_MDC2 if (strcmp(*argv,"mdc2") == 0) doit[D_MDC2]=1; else #endif #ifndef OPENSSL_NO_MD4 if (strcmp(*argv,"md4") == 0) doit[D_MD4]=1; else #endif #ifndef OPENSSL_NO_MD5 if (strcmp(*argv,"md5") == 0) doit[D_MD5]=1; else #endif #ifndef OPENSSL_NO_MD5 if (strcmp(*argv,"hmac") == 0) doit[D_HMAC]=1; else #endif #ifndef OPENSSL_NO_SHA if (strcmp(*argv,"sha1") == 0) doit[D_SHA1]=1; else if (strcmp(*argv,"sha") == 0) doit[D_SHA1]=1; else #endif #ifndef OPENSSL_NO_RIPEMD if (strcmp(*argv,"ripemd") == 0) doit[D_RMD160]=1; else if (strcmp(*argv,"rmd160") == 0) doit[D_RMD160]=1; else if (strcmp(*argv,"ripemd160") == 0) doit[D_RMD160]=1; else #endif #ifndef OPENSSL_NO_RC4 if (strcmp(*argv,"rc4") == 0) doit[D_RC4]=1; else #endif #ifndef OPENSSL_NO_DES if (strcmp(*argv,"des-cbc") == 0) doit[D_CBC_DES]=1; else if (strcmp(*argv,"des-ede3") == 0) doit[D_EDE3_DES]=1; else #endif #ifndef OPENSSL_NO_AES if (strcmp(*argv,"aes-128-cbc") == 0) doit[D_CBC_128_AES]=1; else if (strcmp(*argv,"aes-192-cbc") == 0) doit[D_CBC_192_AES]=1; else if (strcmp(*argv,"aes-256-cbc") == 0) doit[D_CBC_256_AES]=1; else #endif #ifndef OPENSSL_NO_RSA #if 0 /* was: #ifdef RSAref */ if (strcmp(*argv,"rsaref") == 0) { RSA_set_default_openssl_method(RSA_PKCS1_RSAref()); j--; } else #endif #ifndef RSA_NULL if (strcmp(*argv,"openssl") == 0) { RSA_set_default_method(RSA_PKCS1_SSLeay()); j--; } else #endif #endif /* !OPENSSL_NO_RSA */ if (strcmp(*argv,"dsa512") == 0) dsa_doit[R_DSA_512]=2; else if (strcmp(*argv,"dsa1024") == 0) dsa_doit[R_DSA_1024]=2; else if (strcmp(*argv,"dsa2048") == 0) dsa_doit[R_DSA_2048]=2; else if (strcmp(*argv,"rsa512") == 0) rsa_doit[R_RSA_512]=2; else if (strcmp(*argv,"rsa1024") == 0) rsa_doit[R_RSA_1024]=2; else if (strcmp(*argv,"rsa2048") == 0) rsa_doit[R_RSA_2048]=2; else if (strcmp(*argv,"rsa4096") == 0) rsa_doit[R_RSA_4096]=2; else #ifndef OPENSSL_NO_RC2 if (strcmp(*argv,"rc2-cbc") == 0) doit[D_CBC_RC2]=1; else if (strcmp(*argv,"rc2") == 0) doit[D_CBC_RC2]=1; else #endif #ifndef OPENSSL_NO_RC5 if (strcmp(*argv,"rc5-cbc") == 0) doit[D_CBC_RC5]=1; else if (strcmp(*argv,"rc5") == 0) doit[D_CBC_RC5]=1; else #endif #ifndef OPENSSL_NO_IDEA if (strcmp(*argv,"idea-cbc") == 0) doit[D_CBC_IDEA]=1; else if (strcmp(*argv,"idea") == 0) doit[D_CBC_IDEA]=1; else #endif #ifndef OPENSSL_NO_BF if (strcmp(*argv,"bf-cbc") == 0) doit[D_CBC_BF]=1; else if (strcmp(*argv,"blowfish") == 0) doit[D_CBC_BF]=1; else if (strcmp(*argv,"bf") == 0) doit[D_CBC_BF]=1; else #endif #ifndef OPENSSL_NO_CAST if (strcmp(*argv,"cast-cbc") == 0) doit[D_CBC_CAST]=1; else if (strcmp(*argv,"cast") == 0) doit[D_CBC_CAST]=1; else if (strcmp(*argv,"cast5") == 0) doit[D_CBC_CAST]=1; else #endif #ifndef OPENSSL_NO_DES if (strcmp(*argv,"des") == 0) { doit[D_CBC_DES]=1; doit[D_EDE3_DES]=1; } else #endif #ifndef OPENSSL_NO_AES if (strcmp(*argv,"aes") == 0) { doit[D_CBC_128_AES]=1; doit[D_CBC_192_AES]=1; doit[D_CBC_256_AES]=1; } else #endif #ifndef OPENSSL_NO_RSA if (strcmp(*argv,"rsa") == 0) { rsa_doit[R_RSA_512]=1; rsa_doit[R_RSA_1024]=1; rsa_doit[R_RSA_2048]=1; rsa_doit[R_RSA_4096]=1; } else #endif #ifndef OPENSSL_NO_DSA if (strcmp(*argv,"dsa") == 0) { dsa_doit[R_DSA_512]=1; dsa_doit[R_DSA_1024]=1; + dsa_doit[R_DSA_2048]=1; } else #endif { BIO_printf(bio_err,"Error: bad option or value\n"); BIO_printf(bio_err,"\n"); BIO_printf(bio_err,"Available values:\n"); #ifndef OPENSSL_NO_MD2 BIO_printf(bio_err,"md2 "); #endif #ifndef OPENSSL_NO_MDC2 BIO_printf(bio_err,"mdc2 "); #endif #ifndef OPENSSL_NO_MD4 BIO_printf(bio_err,"md4 "); #endif #ifndef OPENSSL_NO_MD5 BIO_printf(bio_err,"md5 "); #ifndef OPENSSL_NO_HMAC BIO_printf(bio_err,"hmac "); #endif #endif #ifndef OPENSSL_NO_SHA1 BIO_printf(bio_err,"sha1 "); #endif #ifndef OPENSSL_NO_RIPEMD160 BIO_printf(bio_err,"rmd160"); #endif #if !defined(OPENSSL_NO_MD2) || !defined(OPENSSL_NO_MDC2) || \ !defined(OPENSSL_NO_MD4) || !defined(OPENSSL_NO_MD5) || \ !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160) BIO_printf(bio_err,"\n"); #endif #ifndef OPENSSL_NO_IDEA BIO_printf(bio_err,"idea-cbc "); #endif #ifndef OPENSSL_NO_RC2 BIO_printf(bio_err,"rc2-cbc "); #endif #ifndef OPENSSL_NO_RC5 BIO_printf(bio_err,"rc5-cbc "); #endif #ifndef OPENSSL_NO_BF BIO_printf(bio_err,"bf-cbc"); #endif #if !defined(OPENSSL_NO_IDEA) || !defined(OPENSSL_NO_RC2) || \ !defined(OPENSSL_NO_BF) || !defined(OPENSSL_NO_RC5) BIO_printf(bio_err,"\n"); #endif #ifndef OPENSSL_NO_DES BIO_printf(bio_err,"des-cbc des-ede3 "); #endif #ifndef OPENSSL_NO_AES BIO_printf(bio_err,"aes-128-cbc aes-192-cbc aes-256-cbc "); #endif #ifndef OPENSSL_NO_RC4 BIO_printf(bio_err,"rc4"); #endif BIO_printf(bio_err,"\n"); #ifndef OPENSSL_NO_RSA BIO_printf(bio_err,"rsa512 rsa1024 rsa2048 rsa4096\n"); #endif #ifndef OPENSSL_NO_DSA BIO_printf(bio_err,"dsa512 dsa1024 dsa2048\n"); #endif #ifndef OPENSSL_NO_IDEA BIO_printf(bio_err,"idea "); #endif #ifndef OPENSSL_NO_RC2 BIO_printf(bio_err,"rc2 "); #endif #ifndef OPENSSL_NO_DES BIO_printf(bio_err,"des "); #endif #ifndef OPENSSL_NO_AES BIO_printf(bio_err,"aes "); #endif #ifndef OPENSSL_NO_RSA BIO_printf(bio_err,"rsa "); #endif #ifndef OPENSSL_NO_BF BIO_printf(bio_err,"blowfish"); #endif #if !defined(OPENSSL_NO_IDEA) || !defined(OPENSSL_NO_RC2) || \ !defined(OPENSSL_NO_DES) || !defined(OPENSSL_NO_RSA) || \ !defined(OPENSSL_NO_BF) || !defined(OPENSSL_NO_AES) BIO_printf(bio_err,"\n"); #endif BIO_printf(bio_err,"\n"); BIO_printf(bio_err,"Available options:\n"); #if defined(TIMES) || defined(USE_TOD) BIO_printf(bio_err,"-elapsed measure time in real time instead of CPU user time.\n"); #endif #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n"); #endif BIO_printf(bio_err,"-evp e use EVP e.\n"); BIO_printf(bio_err,"-decrypt time decryption instead of encryption (only EVP).\n"); BIO_printf(bio_err,"-mr produce machine readable output.\n"); #ifdef HAVE_FORK BIO_printf(bio_err,"-multi n run n benchmarks in parallel.\n"); #endif goto end; } argc--; argv++; j++; } #ifdef HAVE_FORK if(multi && do_multi(multi)) goto show_res; #endif if (j == 0) { for (i=0; in)); BN_print(bio_err,rsa_key[i]->e); BIO_printf(bio_err,"\n"); } #endif } #endif #ifndef OPENSSL_NO_DSA dsa_key[0]=get_dsa512(); dsa_key[1]=get_dsa1024(); dsa_key[2]=get_dsa2048(); #endif #ifndef OPENSSL_NO_DES DES_set_key_unchecked(&key,&sch); DES_set_key_unchecked(&key2,&sch2); DES_set_key_unchecked(&key3,&sch3); #endif #ifndef OPENSSL_NO_AES AES_set_encrypt_key(key16,128,&aes_ks1); AES_set_encrypt_key(key24,192,&aes_ks2); AES_set_encrypt_key(key32,256,&aes_ks3); #endif #ifndef OPENSSL_NO_IDEA idea_set_encrypt_key(key16,&idea_ks); #endif #ifndef OPENSSL_NO_RC4 RC4_set_key(&rc4_ks,16,key16); #endif #ifndef OPENSSL_NO_RC2 RC2_set_key(&rc2_ks,16,key16,128); #endif #ifndef OPENSSL_NO_RC5 RC5_32_set_key(&rc5_ks,16,key16,12); #endif #ifndef OPENSSL_NO_BF BF_set_key(&bf_ks,16,key16); #endif #ifndef OPENSSL_NO_CAST CAST_set_key(&cast_ks,16,key16); #endif #ifndef OPENSSL_NO_RSA memset(rsa_c,0,sizeof(rsa_c)); #endif #ifndef SIGALRM #ifndef OPENSSL_NO_DES BIO_printf(bio_err,"First we calculate the approximate speed ...\n"); count=10; do { long i; count*=2; Time_F(START); for (i=count; i; i--) DES_ecb_encrypt(buf_as_des_cblock,buf_as_des_cblock, &sch,DES_ENCRYPT); d=Time_F(STOP); } while (d <3); save_count=count; c[D_MD2][0]=count/10; c[D_MDC2][0]=count/10; c[D_MD4][0]=count; c[D_MD5][0]=count; c[D_HMAC][0]=count; c[D_SHA1][0]=count; c[D_RMD160][0]=count; c[D_RC4][0]=count*5; c[D_CBC_DES][0]=count; c[D_EDE3_DES][0]=count/3; c[D_CBC_IDEA][0]=count; c[D_CBC_RC2][0]=count; c[D_CBC_RC5][0]=count; c[D_CBC_BF][0]=count; c[D_CBC_CAST][0]=count; + c[D_CBC_128_AES][0]=count; + c[D_CBC_192_AES][0]=count; + c[D_CBC_256_AES][0]=count; for (i=1; inid); /* -O3 -fschedule-insns messes up an * optimization here! names[D_EVP] * somehow becomes NULL */ print_message(names[D_EVP],save_count, lengths[j]); EVP_CIPHER_CTX_init(&ctx); if(decrypt) EVP_DecryptInit_ex(&ctx,evp_cipher,NULL,key16,iv); else EVP_EncryptInit_ex(&ctx,evp_cipher,NULL,key16,iv); Time_F(START); if(decrypt) for (count=0,run=1; COND(save_count*4*lengths[0]/lengths[j]); count++) EVP_DecryptUpdate(&ctx,buf,&outl,buf,lengths[j]); else for (count=0,run=1; COND(save_count*4*lengths[0]/lengths[j]); count++) EVP_EncryptUpdate(&ctx,buf,&outl,buf,lengths[j]); if(decrypt) EVP_DecryptFinal_ex(&ctx,buf,&outl); else EVP_EncryptFinal_ex(&ctx,buf,&outl); d=Time_F(STOP); EVP_CIPHER_CTX_cleanup(&ctx); } if (evp_md) { names[D_EVP]=OBJ_nid2ln(evp_md->type); print_message(names[D_EVP],save_count, lengths[j]); Time_F(START); for (count=0,run=1; COND(save_count*4*lengths[0]/lengths[j]); count++) EVP_Digest(buf,lengths[j],&(md[0]),NULL,evp_md,NULL); d=Time_F(STOP); } print_result(D_EVP,j,count,d); } } RAND_pseudo_bytes(buf,36); #ifndef OPENSSL_NO_RSA for (j=0; j 1 ? "," : ""), (times_used ? "times" : ""), (ftime_used + times_used + gettimeofday_used > 1 ? "," : ""), (gettimeofday_used ? "gettimeofday" : ""), (ftime_used + times_used + gettimeofday_used + getrusage_used > 1 ? "," : ""), (getrusage_used ? "getrusage" : "")); } if (pr_header) { if(mr) fprintf(stdout,"+H"); else { fprintf(stdout,"The 'numbers' are in 1000s of bytes per second processed.\n"); fprintf(stdout,"type "); } for (j=0; j 10000 && !mr) fprintf(stdout," %11.2fk",results[k][j]/1e3); else fprintf(stdout,mr ? ":%.2f" : " %11.2f ",results[k][j]); } fprintf(stdout,"\n"); } #ifndef OPENSSL_NO_RSA j=1; for (k=0; k #include #include #include #ifdef OPENSSL_NO_STDIO #define APPS_WIN16 #endif #include "apps.h" #include #include #include #include #include #include #include #include #include #undef PROG #define PROG x509_main #undef POSTFIX #define POSTFIX ".srl" #define DEF_DAYS 30 static char *x509_usage[]={ "usage: x509 args\n", " -inform arg - input format - default PEM (one of DER, NET or PEM)\n", " -outform arg - output format - default PEM (one of DER, NET or PEM)\n", " -keyform arg - private key format - default PEM\n", " -CAform arg - CA format - default PEM\n", " -CAkeyform arg - CA key format - default PEM\n", " -in arg - input file - default stdin\n", " -out arg - output file - default stdout\n", " -passin arg - private key password source\n", " -serial - print serial number value\n", " -hash - print hash value\n", " -subject - print subject DN\n", " -issuer - print issuer DN\n", " -email - print email address(es)\n", " -startdate - notBefore field\n", " -enddate - notAfter field\n", " -purpose - print out certificate purposes\n", " -dates - both Before and After dates\n", " -modulus - print the RSA key modulus\n", " -pubkey - output the public key\n", " -fingerprint - print the certificate fingerprint\n", " -alias - output certificate alias\n", " -noout - no certificate output\n", " -ocspid - print OCSP hash values for the subject name and public key\n", " -trustout - output a \"trusted\" certificate\n", " -clrtrust - clear all trusted purposes\n", " -clrreject - clear all rejected purposes\n", " -addtrust arg - trust certificate for a given purpose\n", " -addreject arg - reject certificate for a given purpose\n", " -setalias arg - set certificate alias\n", " -days arg - How long till expiry of a signed certificate - def 30 days\n", " -checkend arg - check whether the cert expires in the next arg seconds\n", " exit 1 if so, 0 if not\n", " -signkey arg - self sign cert with arg\n", " -x509toreq - output a certification request object\n", " -req - input is a certificate request, sign and output.\n", " -CA arg - set the CA certificate, must be PEM format.\n", " -CAkey arg - set the CA key, must be PEM format\n", " missing, it is assumed to be in the CA file.\n", " -CAcreateserial - create serial number file if it does not exist\n", " -CAserial arg - serial file\n", " -set_serial - serial number to use\n", " -text - print the certificate in text form\n", " -C - print out C code forms\n", " -md2/-md5/-sha1/-mdc2 - digest to use\n", " -extfile - configuration file with X509V3 extensions to add\n", " -extensions - section from config file with X509V3 extensions to add\n", " -clrext - delete extensions before signing and input certificate\n", " -nameopt arg - various certificate name options\n", #ifndef OPENSSL_NO_ENGINE " -engine e - use engine e, possibly a hardware device.\n", #endif " -certopt arg - various certificate text options\n", NULL }; static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx); static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest, CONF *conf, char *section); static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest, X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial, int create,int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno); static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); static int reqfile=0; int MAIN(int, char **); int MAIN(int argc, char **argv) { ENGINE *e = NULL; int ret=1; X509_REQ *req=NULL; X509 *x=NULL,*xca=NULL; ASN1_OBJECT *objtmp; EVP_PKEY *Upkey=NULL,*CApkey=NULL; ASN1_INTEGER *sno = NULL; int i,num,badops=0; BIO *out=NULL; BIO *STDout=NULL; STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; int informat,outformat,keyformat,CAformat,CAkeyformat; char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL; char *CAkeyfile=NULL,*CAserial=NULL; char *alias=NULL; int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0; int ocspid=0; int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0; int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; int C=0; int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0; int pprint = 0; char **pp; X509_STORE *ctx=NULL; X509_REQ *rq=NULL; int fingerprint=0; char buf[256]; const EVP_MD *md_alg,*digest=EVP_md5(); CONF *extconf = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; int need_rand = 0; int checkend=0,checkoffset=0; unsigned long nmflag = 0, certflag = 0; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif reqfile=0; apps_startup(); if (bio_err == NULL) bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); if (!load_config(bio_err, NULL)) goto end; STDout=BIO_new_fp(stdout,BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); STDout = BIO_push(tmpbio, STDout); } #endif informat=FORMAT_PEM; outformat=FORMAT_PEM; keyformat=FORMAT_PEM; CAformat=FORMAT_PEM; CAkeyformat=FORMAT_PEM; ctx=X509_STORE_new(); if (ctx == NULL) goto end; X509_STORE_set_verify_cb_func(ctx,callb); argc--; argv++; num=0; while (argc >= 1) { if (strcmp(*argv,"-inform") == 0) { if (--argc < 1) goto bad; informat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-outform") == 0) { if (--argc < 1) goto bad; outformat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) goto bad; keyformat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-req") == 0) { reqfile=1; need_rand = 1; } else if (strcmp(*argv,"-CAform") == 0) { if (--argc < 1) goto bad; CAformat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-CAkeyform") == 0) { if (--argc < 1) goto bad; CAkeyformat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-days") == 0) { if (--argc < 1) goto bad; days=atoi(*(++argv)); if (days == 0) { BIO_printf(STDout,"bad number of days\n"); goto bad; } } else if (strcmp(*argv,"-passin") == 0) { if (--argc < 1) goto bad; passargin= *(++argv); } else if (strcmp(*argv,"-extfile") == 0) { if (--argc < 1) goto bad; extfile= *(++argv); } else if (strcmp(*argv,"-extensions") == 0) { if (--argc < 1) goto bad; extsect= *(++argv); } else if (strcmp(*argv,"-in") == 0) { if (--argc < 1) goto bad; infile= *(++argv); } else if (strcmp(*argv,"-out") == 0) { if (--argc < 1) goto bad; outfile= *(++argv); } else if (strcmp(*argv,"-signkey") == 0) { if (--argc < 1) goto bad; keyfile= *(++argv); sign_flag= ++num; need_rand = 1; } else if (strcmp(*argv,"-CA") == 0) { if (--argc < 1) goto bad; CAfile= *(++argv); CA_flag= ++num; need_rand = 1; } else if (strcmp(*argv,"-CAkey") == 0) { if (--argc < 1) goto bad; CAkeyfile= *(++argv); } else if (strcmp(*argv,"-CAserial") == 0) { if (--argc < 1) goto bad; CAserial= *(++argv); } else if (strcmp(*argv,"-set_serial") == 0) { if (--argc < 1) goto bad; if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv)))) goto bad; } else if (strcmp(*argv,"-addtrust") == 0) { if (--argc < 1) goto bad; if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) { BIO_printf(bio_err, "Invalid trust object value %s\n", *argv); goto bad; } if (!trust) trust = sk_ASN1_OBJECT_new_null(); sk_ASN1_OBJECT_push(trust, objtmp); trustout = 1; } else if (strcmp(*argv,"-addreject") == 0) { if (--argc < 1) goto bad; if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) { BIO_printf(bio_err, "Invalid reject object value %s\n", *argv); goto bad; } if (!reject) reject = sk_ASN1_OBJECT_new_null(); sk_ASN1_OBJECT_push(reject, objtmp); trustout = 1; } else if (strcmp(*argv,"-setalias") == 0) { if (--argc < 1) goto bad; alias= *(++argv); trustout = 1; } else if (strcmp(*argv,"-certopt") == 0) { if (--argc < 1) goto bad; if (!set_cert_ex(&certflag, *(++argv))) goto bad; } else if (strcmp(*argv,"-nameopt") == 0) { if (--argc < 1) goto bad; if (!set_name_ex(&nmflag, *(++argv))) goto bad; } #ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } #endif else if (strcmp(*argv,"-C") == 0) C= ++num; else if (strcmp(*argv,"-email") == 0) email= ++num; else if (strcmp(*argv,"-serial") == 0) serial= ++num; else if (strcmp(*argv,"-modulus") == 0) modulus= ++num; else if (strcmp(*argv,"-pubkey") == 0) pubkey= ++num; else if (strcmp(*argv,"-x509toreq") == 0) x509req= ++num; else if (strcmp(*argv,"-text") == 0) text= ++num; else if (strcmp(*argv,"-hash") == 0) hash= ++num; else if (strcmp(*argv,"-subject") == 0) subject= ++num; else if (strcmp(*argv,"-issuer") == 0) issuer= ++num; else if (strcmp(*argv,"-fingerprint") == 0) fingerprint= ++num; else if (strcmp(*argv,"-dates") == 0) { startdate= ++num; enddate= ++num; } else if (strcmp(*argv,"-purpose") == 0) pprint= ++num; else if (strcmp(*argv,"-startdate") == 0) startdate= ++num; else if (strcmp(*argv,"-enddate") == 0) enddate= ++num; else if (strcmp(*argv,"-checkend") == 0) { if (--argc < 1) goto bad; checkoffset=atoi(*(++argv)); checkend=1; } else if (strcmp(*argv,"-noout") == 0) noout= ++num; else if (strcmp(*argv,"-trustout") == 0) trustout= 1; else if (strcmp(*argv,"-clrtrust") == 0) clrtrust= ++num; else if (strcmp(*argv,"-clrreject") == 0) clrreject= ++num; else if (strcmp(*argv,"-alias") == 0) aliasout= ++num; else if (strcmp(*argv,"-CAcreateserial") == 0) CA_createserial= ++num; else if (strcmp(*argv,"-clrext") == 0) clrext = 1; #if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */ else if (strcmp(*argv,"-crlext") == 0) { BIO_printf(bio_err,"use -clrext instead of -crlext\n"); clrext = 1; } #endif else if (strcmp(*argv,"-ocspid") == 0) ocspid= ++num; else if ((md_alg=EVP_get_digestbyname(*argv + 1))) { /* ok */ digest=md_alg; } else { BIO_printf(bio_err,"unknown option %s\n",*argv); badops=1; break; } argc--; argv++; } if (badops) { bad: for (pp=x509_usage; (*pp != NULL); pp++) BIO_printf(bio_err,"%s",*pp); goto end; } #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif if (need_rand) app_RAND_load_file(NULL, bio_err, 0); ERR_load_crypto_strings(); if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } if (!X509_STORE_set_default_paths(ctx)) { ERR_print_errors(bio_err); goto end; } if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) { CAkeyfile=CAfile; } else if ((CA_flag) && (CAkeyfile == NULL)) { BIO_printf(bio_err,"need to specify a CAkey if using the CA command\n"); goto end; } if (extfile) { long errorline = -1; X509V3_CTX ctx2; extconf = NCONF_new(NULL); if (!NCONF_load(extconf, extfile,&errorline)) { if (errorline <= 0) BIO_printf(bio_err, "error loading the config file '%s'\n", extfile); else BIO_printf(bio_err, "error on line %ld of config file '%s'\n" ,errorline,extfile); goto end; } if (!extsect) { extsect = NCONF_get_string(extconf, "default", "extensions"); if (!extsect) { ERR_clear_error(); extsect = "default"; } } X509V3_set_ctx_test(&ctx2); X509V3_set_nconf(&ctx2, extconf); if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) { BIO_printf(bio_err, "Error Loading extension section %s\n", extsect); ERR_print_errors(bio_err); goto end; } } if (reqfile) { EVP_PKEY *pkey; X509_CINF *ci; BIO *in; if (!sign_flag && !CA_flag) { BIO_printf(bio_err,"We need a private key to sign with\n"); goto end; } in=BIO_new(BIO_s_file()); if (in == NULL) { ERR_print_errors(bio_err); goto end; } if (infile == NULL) BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT); else { if (BIO_read_filename(in,infile) <= 0) { perror(infile); BIO_free(in); goto end; } } req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL); BIO_free(in); if (req == NULL) { ERR_print_errors(bio_err); goto end; } if ( (req->req_info == NULL) || (req->req_info->pubkey == NULL) || (req->req_info->pubkey->public_key == NULL) || (req->req_info->pubkey->public_key->data == NULL)) { BIO_printf(bio_err,"The certificate request appears to corrupted\n"); BIO_printf(bio_err,"It does not contain a public key\n"); goto end; } if ((pkey=X509_REQ_get_pubkey(req)) == NULL) { BIO_printf(bio_err,"error unpacking public key\n"); goto end; } i=X509_REQ_verify(req,pkey); EVP_PKEY_free(pkey); if (i < 0) { BIO_printf(bio_err,"Signature verification error\n"); ERR_print_errors(bio_err); goto end; } if (i == 0) { BIO_printf(bio_err,"Signature did not match the certificate request\n"); goto end; } else BIO_printf(bio_err,"Signature ok\n"); print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag); if ((x=X509_new()) == NULL) goto end; ci=x->cert_info; if (sno) { if (!X509_set_serialNumber(x, sno)) goto end; } else if (!ASN1_INTEGER_set(X509_get_serialNumber(x),0)) goto end; if (!X509_set_issuer_name(x,req->req_info->subject)) goto end; if (!X509_set_subject_name(x,req->req_info->subject)) goto end; X509_gmtime_adj(X509_get_notBefore(x),0); X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days); pkey = X509_REQ_get_pubkey(req); X509_set_pubkey(x,pkey); EVP_PKEY_free(pkey); } else x=load_cert(bio_err,infile,informat,NULL,e,"Certificate"); if (x == NULL) goto end; if (CA_flag) { xca=load_cert(bio_err,CAfile,CAformat,NULL,e,"CA Certificate"); if (xca == NULL) goto end; } if (!noout || text) { OBJ_create("2.99999.3", "SET.ex3","SET x509v3 extension 3"); out=BIO_new(BIO_s_file()); if (out == NULL) { ERR_print_errors(bio_err); goto end; } if (outfile == NULL) { BIO_set_fp(out,stdout,BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } else { if (BIO_write_filename(out,outfile) <= 0) { perror(outfile); goto end; } } } if (alias) X509_alias_set1(x, (unsigned char *)alias, -1); if (clrtrust) X509_trust_clear(x); if (clrreject) X509_reject_clear(x); if (trust) { for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) { objtmp = sk_ASN1_OBJECT_value(trust, i); X509_add1_trust_object(x, objtmp); } } if (reject) { for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) { objtmp = sk_ASN1_OBJECT_value(reject, i); X509_add1_reject_object(x, objtmp); } } if (num) { for (i=1; i<=num; i++) { if (issuer == i) { print_name(STDout, "issuer= ", X509_get_issuer_name(x), nmflag); } else if (subject == i) { print_name(STDout, "subject= ", X509_get_subject_name(x), nmflag); } else if (serial == i) { BIO_printf(STDout,"serial="); i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber); BIO_printf(STDout,"\n"); } else if (email == i) { int j; STACK *emlst; emlst = X509_get1_email(x); for (j = 0; j < sk_num(emlst); j++) BIO_printf(STDout, "%s\n", sk_value(emlst, j)); X509_email_free(emlst); } else if (aliasout == i) { unsigned char *alstr; alstr = X509_alias_get0(x, NULL); if (alstr) BIO_printf(STDout,"%s\n", alstr); else BIO_puts(STDout,"\n"); } else if (hash == i) { BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x)); } else if (pprint == i) { X509_PURPOSE *ptmp; int j; BIO_printf(STDout, "Certificate purposes:\n"); for (j = 0; j < X509_PURPOSE_get_count(); j++) { ptmp = X509_PURPOSE_get0(j); purpose_print(STDout, x, ptmp); } } else if (modulus == i) { EVP_PKEY *pkey; pkey=X509_get_pubkey(x); if (pkey == NULL) { BIO_printf(bio_err,"Modulus=unavailable\n"); ERR_print_errors(bio_err); goto end; } BIO_printf(STDout,"Modulus="); #ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA) BN_print(STDout,pkey->pkey.rsa->n); else #endif #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) BN_print(STDout,pkey->pkey.dsa->pub_key); else #endif BIO_printf(STDout,"Wrong Algorithm type"); BIO_printf(STDout,"\n"); EVP_PKEY_free(pkey); } else if (pubkey == i) { EVP_PKEY *pkey; pkey=X509_get_pubkey(x); if (pkey == NULL) { BIO_printf(bio_err,"Error getting public key\n"); ERR_print_errors(bio_err); goto end; } PEM_write_bio_PUBKEY(STDout, pkey); EVP_PKEY_free(pkey); } else if (C == i) { unsigned char *d; char *m; int y,z; X509_NAME_oneline(X509_get_subject_name(x), buf,sizeof buf); BIO_printf(STDout,"/* subject:%s */\n",buf); m=X509_NAME_oneline( X509_get_issuer_name(x),buf, sizeof buf); BIO_printf(STDout,"/* issuer :%s */\n",buf); z=i2d_X509(x,NULL); m=OPENSSL_malloc(z); d=(unsigned char *)m; z=i2d_X509_NAME(X509_get_subject_name(x),&d); BIO_printf(STDout,"unsigned char XXX_subject_name[%d]={\n",z); d=(unsigned char *)m; for (y=0; ytype == EVP_PKEY_DSA) digest=EVP_dss1(); #endif assert(need_rand); if (!sign(x,Upkey,days,clrext,digest, extconf, extsect)) goto end; } else if (CA_flag == i) { BIO_printf(bio_err,"Getting CA Private Key\n"); if (CAkeyfile != NULL) { CApkey=load_key(bio_err, CAkeyfile, CAkeyformat, 0, passin, e, "CA Private Key"); if (CApkey == NULL) goto end; } #ifndef OPENSSL_NO_DSA if (CApkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif assert(need_rand); if (!x509_certify(ctx,CAfile,digest,x,xca, CApkey, CAserial,CA_createserial,days, clrext, extconf, extsect, sno)) goto end; } else if (x509req == i) { EVP_PKEY *pk; BIO_printf(bio_err,"Getting request Private Key\n"); if (keyfile == NULL) { BIO_printf(bio_err,"no request key file specified\n"); goto end; } else { pk=load_key(bio_err, keyfile, FORMAT_PEM, 0, passin, e, "request key"); if (pk == NULL) goto end; } BIO_printf(bio_err,"Generating certificate request\n"); #ifndef OPENSSL_NO_DSA if (pk->type == EVP_PKEY_DSA) digest=EVP_dss1(); #endif rq=X509_to_X509_REQ(x,pk,digest); EVP_PKEY_free(pk); if (rq == NULL) { ERR_print_errors(bio_err); goto end; } if (!noout) { X509_REQ_print(out,rq); PEM_write_bio_X509_REQ(out,rq); } noout=1; } else if (ocspid == i) { X509_ocspid_print(out, x); } } } if (checkend) { time_t tnow=time(NULL); if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), tnow+checkoffset) == -1) { BIO_printf(out,"Certificate will expire\n"); ret=1; } else { BIO_printf(out,"Certificate will not expire\n"); ret=0; } goto end; } if (noout) { ret=0; goto end; } if (outformat == FORMAT_ASN1) i=i2d_X509_bio(out,x); else if (outformat == FORMAT_PEM) { if (trustout) i=PEM_write_bio_X509_AUX(out,x); else i=PEM_write_bio_X509(out,x); } else if (outformat == FORMAT_NETSCAPE) { ASN1_HEADER ah; ASN1_OCTET_STRING os; os.data=(unsigned char *)NETSCAPE_CERT_HDR; os.length=strlen(NETSCAPE_CERT_HDR); ah.header= &os; ah.data=(char *)x; ah.meth=X509_asn1_meth(); /* no macro for this one yet */ i=ASN1_i2d_bio(i2d_ASN1_HEADER,out,(unsigned char *)&ah); } else { BIO_printf(bio_err,"bad output format specified for outfile\n"); goto end; } if (!i) { BIO_printf(bio_err,"unable to write certificate\n"); ERR_print_errors(bio_err); goto end; } ret=0; end: if (need_rand) app_RAND_write_file(NULL, bio_err); OBJ_cleanup(); NCONF_free(extconf); BIO_free_all(out); BIO_free_all(STDout); X509_STORE_free(ctx); X509_REQ_free(req); X509_free(x); X509_free(xca); EVP_PKEY_free(Upkey); EVP_PKEY_free(CApkey); X509_REQ_free(rq); ASN1_INTEGER_free(sno); sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); if (passin) OPENSSL_free(passin); apps_shutdown(); OPENSSL_EXIT(ret); } -static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create) +static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create) { char *buf = NULL, *p; - MS_STATIC char buf2[1024]; - ASN1_INTEGER *bs = NULL, *bs2 = NULL; - BIO *io = NULL; + ASN1_INTEGER *bs = NULL; BIGNUM *serial = NULL; + size_t len; - buf=OPENSSL_malloc( ((serialfile == NULL) - ?(strlen(CAfile)+strlen(POSTFIX)+1) - :(strlen(serialfile)))+1); + len = ((serialfile == NULL) + ?(strlen(CAfile)+strlen(POSTFIX)+1) + :(strlen(serialfile)))+1; + buf=OPENSSL_malloc(len); if (buf == NULL) { BIO_printf(bio_err,"out of mem\n"); goto end; } if (serialfile == NULL) { - strcpy(buf,CAfile); + BUF_strlcpy(buf,CAfile,len); for (p=buf; *p; p++) if (*p == '.') { *p='\0'; break; } - strcat(buf,POSTFIX); + BUF_strlcat(buf,POSTFIX,len); } else - strcpy(buf,serialfile); + BUF_strlcpy(buf,serialfile,len); serial=BN_new(); bs=ASN1_INTEGER_new(); if ((serial == NULL) || (bs == NULL)) { ERR_print_errors(bio_err); goto end; } - io=BIO_new(BIO_s_file()); - if (io == NULL) - { - ERR_print_errors(bio_err); - goto end; - } - - if (BIO_read_filename(io,buf) <= 0) - { - if (!create) - { - perror(buf); - goto end; - } - else - { - ASN1_INTEGER_set(bs,1); - BN_one(serial); - } - } - else - { - if (!a2i_ASN1_INTEGER(io,bs,buf2,sizeof buf2)) - { - BIO_printf(bio_err,"unable to load serial number from %s\n",buf); - ERR_print_errors(bio_err); - goto end; - } - else - { - serial=BN_bin2bn(bs->data,bs->length,serial); - if (serial == NULL) - { - BIO_printf(bio_err,"error converting bin 2 bn"); - goto end; - } - } - } + serial = load_serial(buf, create, NULL); + if (serial == NULL) goto end; if (!BN_add_word(serial,1)) { BIO_printf(bio_err,"add_word failure\n"); goto end; } - if (!(bs2 = BN_to_ASN1_INTEGER(serial, NULL))) - { BIO_printf(bio_err,"error converting bn 2 asn1_integer\n"); goto end; } - if (BIO_write_filename(io,buf) <= 0) - { - BIO_printf(bio_err,"error attempting to write serial number file\n"); - perror(buf); - goto end; - } - i2a_ASN1_INTEGER(io,bs2); - BIO_puts(io,"\n"); - BIO_free(io); - if (buf) OPENSSL_free(buf); - ASN1_INTEGER_free(bs2); - BN_free(serial); - io=NULL; - return bs; + if (!save_serial(buf, NULL, serial, &bs)) goto end; - end: + end: if (buf) OPENSSL_free(buf); - BIO_free(io); - ASN1_INTEGER_free(bs); BN_free(serial); - return NULL; - + return bs; } static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create, int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno) { int ret=0; ASN1_INTEGER *bs=NULL; X509_STORE_CTX xsc; EVP_PKEY *upkey; upkey = X509_get_pubkey(xca); EVP_PKEY_copy_parameters(upkey,pkey); EVP_PKEY_free(upkey); if(!X509_STORE_CTX_init(&xsc,ctx,x,NULL)) { BIO_printf(bio_err,"Error initialising X509 store\n"); goto end; } if (sno) bs = sno; - else if (!(bs = load_serial(CAfile, serialfile, create))) + else if (!(bs = x509_load_serial(CAfile, serialfile, create))) goto end; /* if (!X509_STORE_add_cert(ctx,x)) goto end;*/ /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); if (!reqfile && !X509_verify_cert(&xsc)) goto end; if (!X509_check_private_key(xca,pkey)) { BIO_printf(bio_err,"CA certificate and CA private key do not match\n"); goto end; } if (!X509_set_issuer_name(x,X509_get_subject_name(xca))) goto end; if (!X509_set_serialNumber(x,bs)) goto end; if (X509_gmtime_adj(X509_get_notBefore(x),0L) == NULL) goto end; /* hardwired expired */ if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) goto end; if (clrext) { while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0); } if (conf) { X509V3_CTX ctx2; X509_set_version(x,2); /* version 3 certificate */ X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0); X509V3_set_nconf(&ctx2, conf); if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) goto end; } if (!X509_sign(x,pkey,digest)) goto end; ret=1; end: X509_STORE_CTX_cleanup(&xsc); if (!ret) ERR_print_errors(bio_err); if (!sno) ASN1_INTEGER_free(bs); return ret; } static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx) { int err; X509 *err_cert; /* it is ok to use a self signed certificate * This case will catch both the initial ok == 0 and the * final ok == 1 calls to this function */ err=X509_STORE_CTX_get_error(ctx); if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) return 1; /* BAD we should have gotten an error. Normally if everything * worked X509_STORE_CTX_get_error(ctx) will still be set to * DEPTH_ZERO_SELF_.... */ if (ok) { BIO_printf(bio_err,"error with certificate to be certified - should be self signed\n"); return 0; } else { err_cert=X509_STORE_CTX_get_current_cert(ctx); print_name(bio_err, NULL, X509_get_subject_name(err_cert),0); BIO_printf(bio_err,"error with certificate - error %d at depth %d\n%s\n", err,X509_STORE_CTX_get_error_depth(ctx), X509_verify_cert_error_string(err)); return 1; } } /* self sign */ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, CONF *conf, char *section) { EVP_PKEY *pktmp; pktmp = X509_get_pubkey(x); EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_save_parameters(pktmp,1); EVP_PKEY_free(pktmp); if (!X509_set_issuer_name(x,X509_get_subject_name(x))) goto err; if (X509_gmtime_adj(X509_get_notBefore(x),0) == NULL) goto err; /* Lets just make it 12:00am GMT, Jan 1 1970 */ /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */ /* 28 days to be certified */ if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) goto err; if (!X509_set_pubkey(x,pkey)) goto err; if (clrext) { while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0); } if (conf) { X509V3_CTX ctx; X509_set_version(x,2); /* version 3 certificate */ X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0); X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) goto err; } if (!X509_sign(x,pkey,digest)) goto err; return 1; err: ERR_print_errors(bio_err); return 0; } static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt) { int id, i, idret; char *pname; id = X509_PURPOSE_get_id(pt); pname = X509_PURPOSE_get0_name(pt); for (i = 0; i < 2; i++) { idret = X509_check_purpose(cert, id, i); BIO_printf(bio, "%s%s : ", pname, i ? " CA" : ""); if (idret == 1) BIO_printf(bio, "Yes\n"); else if (idret == 0) BIO_printf(bio, "No\n"); else BIO_printf(bio, "Yes (WARNING code=%d)\n", idret); } return 1; } diff --git a/crypto/openssl/certs/vsign3.pem b/crypto/openssl/certs/expired/vsign3.pem similarity index 100% copy from crypto/openssl/certs/vsign3.pem copy to crypto/openssl/certs/expired/vsign3.pem diff --git a/crypto/openssl/certs/vsign3.pem b/crypto/openssl/certs/vsign3.pem index aa5bb4c1f32b..4b8c0251cb7b 100644 --- a/crypto/openssl/certs/vsign3.pem +++ b/crypto/openssl/certs/vsign3.pem @@ -1,18 +1,17 @@ subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority notBefore=Jan 29 00:00:00 1996 GMT -notAfter=Jan 7 23:59:59 2004 GMT +notAfter=Aug 1 23:59:59 2028 GMT -----BEGIN CERTIFICATE----- -MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJ -BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh -c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05 -NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD -VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp -bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB -jQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqo -RAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4 -rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATAN -BgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJp -STbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNH -ciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZ -pA== +MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG +A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz +cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 +MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV +BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt +YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE +BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is +I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G +CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do +lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc +AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k -----END CERTIFICATE----- diff --git a/crypto/openssl/config b/crypto/openssl/config index b3bd96bbfcb6..25a3703c1fe0 100755 --- a/crypto/openssl/config +++ b/crypto/openssl/config @@ -1,854 +1,855 @@ #!/bin/sh # # OpenSSL config: determine the operating system and run ./Configure # # "config -h" for usage information. # # this is a merge of minarch and GuessOS from the Apache Group. # Originally written by Tim Hudson . # Original Apache Group comments on GuessOS # Simple OS/Platform guesser. Similar to config.guess but # much, much smaller. Since it was developed for use with # Apache, it follows under Apache's regular licensing # with one specific addition: Any changes or additions # to this script should be Emailed to the Apache # group (apache@apache.org) in general and to # Jim Jagielski (jim@jaguNET.com) in specific. # # Be as similar to the output of config.guess/config.sub # as possible. PREFIX="" SUFFIX="" TEST="false" # pick up any command line args to config for i do case "$i" in -d*) PREFIX="debug-";; -t*) TEST="true";; -h*) TEST="true"; cat </dev/null` || MACHINE="unknown" RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown" SYSTEM=`(uname -s) 2>/dev/null` || SYSTEM="unknown" VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown" # Now test for ISC and SCO, since it is has a braindamaged uname. # # We need to work around FreeBSD 1.1.5.1 ( XREL=`uname -X 2>/dev/null | grep "^Release" | awk '{print $3}'` if [ "x$XREL" != "x" ]; then if [ -f /etc/kconfig ]; then case "$XREL" in 4.0|4.1) echo "${MACHINE}-whatever-isc4"; exit 0 ;; esac else case "$XREL" in 3.2v4.2) echo "whatever-whatever-sco3"; exit 0 ;; 3.2v5.0*) echo "whatever-whatever-sco5"; exit 0 ;; 4.2MP) case "x${VERSION}" in x2.0*) echo "whatever-whatever-unixware20"; exit 0 ;; x2.1*) echo "whatever-whatever-unixware21"; exit 0 ;; x2*) echo "whatever-whatever-unixware2"; exit 0 ;; esac ;; 4.2) echo "i386-whatever-unixware1"; exit 0 ;; 5) case "x${VERSION}" in # We hardcode i586 in place of ${MACHINE} for the # following reason. The catch is that even though Pentium # is minimum requirement for platforms in question, # ${MACHINE} gets always assigned to i386. Now, problem # with i386 is that it makes ./config pass 386 to # ./Configure, which in turn makes make generate # inefficient SHA-1 (for this moment) code. x7*) echo "i586-sco-unixware7"; exit 0 ;; x8*) echo "i586-unkn-OpenUNIX${VERSION}"; exit 0 ;; esac ;; esac fi fi # Now we simply scan though... In most cases, the SYSTEM info is enough # case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in MPE/iX:*) MACHINE=`echo "$MACHINE" | sed -e 's/-/_/g'` echo "parisc-hp-MPE/iX"; exit 0 ;; A/UX:*) echo "m68k-apple-aux3"; exit 0 ;; AIX:[3456789]:4:*) echo "${MACHINE}-ibm-aix43"; exit 0 ;; AIX:*:[56789]:*) echo "${MACHINE}-ibm-aix43"; exit 0 ;; AIX:*) echo "${MACHINE}-ibm-aix"; exit 0 ;; dgux:*) echo "${MACHINE}-dg-dgux"; exit 0 ;; HI-UX:*) echo "${MACHINE}-hi-hiux"; exit 0 ;; HP-UX:*) HPUXVER=`echo ${RELEASE}|sed -e 's/[^.]*.[0B]*//'` case "$HPUXVER" in 1[0-9].*) # HPUX 10 and 11 targets are unified - echo "${MACHINE}-hp-hpux10"; exit 0 + echo "${MACHINE}-hp-hpux1x"; exit 0 ;; *) echo "${MACHINE}-hp-hpux"; exit 0 ;; esac ;; IRIX:5.*) echo "mips2-sgi-irix"; exit 0 ;; IRIX:6.*) echo "mips3-sgi-irix"; exit 0 ;; IRIX64:*) echo "mips4-sgi-irix64"; exit 0 ;; Linux:[2-9].*) echo "${MACHINE}-whatever-linux2"; exit 0 ;; Linux:1.*) echo "${MACHINE}-whatever-linux1"; exit 0 ;; GNU*) echo "hurd-x86"; exit 0; ;; LynxOS:*) echo "${MACHINE}-lynx-lynxos"; exit 0 ;; BSD/OS:4.*) # BSD/OS always says 386 echo "i486-whatever-bsdi4"; exit 0 ;; BSD/386:*:*:*486*|BSD/OS:*:*:*:*486*) case `/sbin/sysctl -n hw.model` in Pentium*) echo "i586-whatever-bsdi"; exit 0 ;; *) echo "i386-whatever-bsdi"; exit 0 ;; esac; ;; BSD/386:*|BSD/OS:*) echo "${MACHINE}-whatever-bsdi"; exit 0 ;; FreeBSD:*:*:*386*) VERS=`echo ${RELEASE} | sed -e 's/[-(].*//'` MACH=`sysctl -n hw.model` ARCH='whatever' case ${MACH} in *386* ) MACH="i386" ;; *486* ) MACH="i486" ;; Pentium\ II*) MACH="i686" ;; Pentium* ) MACH="i586" ;; * ) MACH="$MACHINE" ;; esac case ${MACH} in i[0-9]86 ) ARCH="pc" ;; esac echo "${MACH}-${ARCH}-freebsd${VERS}"; exit 0 ;; FreeBSD:*) echo "${MACHINE}-whatever-freebsd"; exit 0 ;; NetBSD:*:*:*386*) echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0 ;; NetBSD:*) echo "${MACHINE}-whatever-netbsd"; exit 0 ;; OpenBSD:*) echo "${MACHINE}-whatever-openbsd"; exit 0 ;; OpenUNIX:*) echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0 ;; OSF1:*:*:*alpha*) OSFMAJOR=`echo ${RELEASE}| sed -e 's/^V\([0-9]*\)\..*$/\1/'` case "$OSFMAJOR" in 4|5) echo "${MACHINE}-dec-tru64"; exit 0 ;; 1|2|3) echo "${MACHINE}-dec-osf"; exit 0 ;; *) echo "${MACHINE}-dec-osf"; exit 0 ;; esac ;; QNX:*) case "$RELEASE" in 4*) echo "${MACHINE}-whatever-qnx4" ;; 6*) echo "${MACHINE}-whatever-qnx6" ;; *) echo "${MACHINE}-whatever-qnx" ;; esac exit 0 ;; Paragon*:*:*:*) echo "i860-intel-osf1"; exit 0 ;; Rhapsody:*) echo "ppc-apple-rhapsody"; exit 0 ;; Darwin:*) case "$MACHINE" in Power*) echo "ppc-apple-darwin${VERSION}" ;; *) echo "i386-apple-darwin${VERSION}" ;; esac exit 0 ;; SunOS:5.*) echo "${MACHINE}-whatever-solaris2"; exit 0 ;; SunOS:*) echo "${MACHINE}-sun-sunos4"; exit 0 ;; UNIX_System_V:4.*:*) echo "${MACHINE}-whatever-sysv4"; exit 0 ;; *:4*:R4*:m88k) echo "${MACHINE}-whatever-sysv4"; exit 0 ;; DYNIX/ptx:4*:*) echo "${MACHINE}-whatever-sysv4"; exit 0 ;; *:4.0:3.0:3[34]?? | *:4.0:3.0:3[34]??,*) echo "i486-ncr-sysv4"; exit 0 ;; ULTRIX:*) echo "${MACHINE}-unknown-ultrix"; exit 0 ;; SINIX*|ReliantUNIX*) echo "${MACHINE}-siemens-sysv4"; exit 0 ;; POSIX-BC*) echo "${MACHINE}-siemens-sysv4"; exit 0 # Here, $MACHINE == "BS2000" ;; machten:*) echo "${MACHINE}-tenon-${SYSTEM}"; exit 0; ;; library:*) echo "${MACHINE}-ncr-sysv4"; exit 0 ;; ConvexOS:*:11.0:*) echo "${MACHINE}-v11-${SYSTEM}"; exit 0; ;; NEWS-OS:4.*) echo "mips-sony-newsos4"; exit 0; ;; CYGWIN*) case "$RELEASE" in [bB]*|1.0|1.[12].*) echo "${MACHINE}-whatever-cygwin_pre1.3" ;; *) echo "${MACHINE}-whatever-cygwin" ;; esac exit 0 ;; *"CRAY T3E") echo "t3e-cray-unicosmk"; exit 0; ;; *CRAY*) echo "j90-cray-unicos"; exit 0; ;; NONSTOP_KERNEL*) echo "nsr-tandem-nsk"; exit 0; ;; esac # # Ugg. These are all we can determine by what we know about # the output of uname. Be more creative: # # Do the Apollo stuff first. Here, we just simply assume # that the existance of the /usr/apollo directory is proof # enough if [ -d /usr/apollo ]; then echo "whatever-apollo-whatever" exit 0 fi # Now NeXT ISNEXT=`hostinfo 2>/dev/null` case "$ISNEXT" in *'NeXT Mach 3.3'*) echo "whatever-next-nextstep3.3"; exit 0 ;; *NeXT*) echo "whatever-next-nextstep"; exit 0 ;; esac # At this point we gone through all the one's # we know of: Punt echo "${MACHINE}-whatever-${SYSTEM}" exit 0 ) 2>/dev/null | ( # --------------------------------------------------------------------------- # this is where the translation occurs into SSLeay terms # --------------------------------------------------------------------------- # figure out if gcc is available and if so we use it otherwise # we fallback to whatever cc does on the system GCCVER=`(gcc -dumpversion) 2>/dev/null` if [ "$GCCVER" != "" ]; then CC=gcc # then strip off whatever prefix egcs prepends the number with... # Hopefully, this will work for any future prefixes as well. GCCVER=`echo $GCCVER | sed 's/^[a-zA-Z]*\-//'` # Since gcc 3.1 gcc --version behaviour has changed. gcc -dumpversion # does give us what we want though, so we use that. We just just the # major and minor version numbers. # peak single digit before and after first dot, e.g. 2.95.1 gives 29 GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'` else CC=cc fi GCCVER=${GCCVER:-0} if [ "$SYSTEM" = "HP-UX" ];then # By default gcc is a ILP32 compiler (with long long == 64). GCC_BITS="32" if [ $GCCVER -ge 30 ]; then # PA64 support only came in with gcc 3.0.x. - # We look for the preprocessor symbol __LP64__ indicating - # 64bit bit long and pointer. sizeof(int) == 32 on HPUX64. - if gcc -v -E -x c /dev/null 2>&1 | grep __LP64__ > /dev/null; then + # We check if the preprocessor symbol __LP64__ is defined... + if echo "__LP64__" | gcc -v -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null; then + : # __LP64__ has slipped through, it therefore is not defined + else GCC_BITS="64" fi fi fi if [ "$SYSTEM" = "SunOS" ]; then if [ $GCCVER -ge 30 ]; then # 64-bit ABI isn't officially supported in gcc 3.0, but it appears # to be working, at the very least 'make test' passes... if gcc -v -E -x c /dev/null 2>&1 | grep __arch64__ > /dev/null; then GCC_ARCH="-m64" else GCC_ARCH="-m32" fi fi # check for WorkShop C, expected output is "cc: blah-blah C x.x" CCVER=`(cc -V 2>&1) 2>/dev/null | \ egrep -e '^cc: .* C [0-9]\.[0-9]' | \ sed 's/.* C \([0-9]\)\.\([0-9]\).*/\1\2/'` CCVER=${CCVER:-0} if [ $CCVER -gt 40 ]; then CC=cc # overrides gcc!!! if [ $CCVER -eq 50 ]; then echo "WARNING! Detected WorkShop C 5.0. Do make sure you have" echo " patch #107357-01 or later applied." sleep 5 fi elif [ "$CC" = "cc" -a $CCVER -gt 0 ]; then CC=sc3 fi fi if [ "${SYSTEM}-${MACHINE}" = "Linux-alpha" ]; then # check for Compaq C, expected output is "blah-blah C Vx.x" CCCVER=`(ccc -V 2>&1) 2>/dev/null | \ egrep -e '.* C V[0-9]\.[0-9]' | \ sed 's/.* C V\([0-9]\)\.\([0-9]\).*/\1\2/'` CCCVER=${CCCVER:-0} if [ $CCCVER -gt 60 ]; then CC=ccc # overrides gcc!!! well, ccc outperforms inoticeably # only on hash routines and des, otherwise gcc (2.95) # keeps along rather tight... fi fi if [ "${SYSTEM}" = "AIX" ]; then # favor vendor cc over gcc (cc) 2>&1 | grep -iv "not found" > /dev/null && CC=cc fi CCVER=${CCVER:-0} # read the output of the embedded GuessOS read GUESSOS echo Operating system: $GUESSOS # now map the output into SSLeay terms ... really should hack into the # script above so we end up with values in vars but that would take # more time that I want to waste at the moment case "$GUESSOS" in mips2-sgi-irix) CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 4000 ]; then options="$options -mips2" fi OUT="irix-$CC" ;; mips3-sgi-irix) CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 5000 ]; then options="$options -mips4" else options="$options -mips3" fi OUT="irix-mips3-$CC" ;; mips4-sgi-irix64) echo "WARNING! If you wish to build 64-bit library, then you have to" echo " invoke './Configure irix64-mips4-$CC' *manually*." if [ "$TEST" = "false" ]; then echo " You have about 5 seconds to press Ctrl-C to abort." (stty -icanon min 0 time 50; read waste) < /dev/tty fi CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 5000 ]; then options="$options -mips4" else options="$options -mips3" fi OUT="irix-mips3-$CC" ;; alpha-*-linux2) ISA=`awk '/cpu model/{print$4}' /proc/cpuinfo` case ${ISA:-generic} in *[67]) OUT="linux-alpha+bwx-$CC" ;; *) OUT="linux-alpha-$CC" ;; esac if [ "$CC" = "gcc" ]; then case ${ISA:-generic} in EV5|EV45) options="$options -mcpu=ev5";; EV56|PCA56) options="$options -mcpu=ev56";; EV6|EV67|PCA57) options="$options -mcpu=ev6";; esac fi ;; mips-*-linux?) cat >dummy.c < /* for printf() prototype */ int main (argc, argv) int argc; char *argv[]; { #ifdef __MIPSEB__ printf ("linux-%s\n", argv[1]); #endif #ifdef __MIPSEL__ printf ("linux-%sel\n", argv[1]); #endif return 0; } EOF ${CC} -o dummy dummy.c && OUT=`./dummy ${MACHINE}` rm dummy dummy.c ;; ppc64-*-linux2) #Use the standard target for PPC architecture until we create a #special one for the 64bit architecture. OUT="linux-ppc" ;; ppc-*-linux2) OUT="linux-ppc" ;; m68k-*-linux*) OUT="linux-m68k" ;; ia64-*-linux?) OUT="linux-ia64" ;; ppc-apple-rhapsody) OUT="rhapsody-ppc-cc" ;; ppc-apple-darwin*) OUT="darwin-ppc-cc" ;; i386-apple-darwin*) OUT="darwin-i386-cc" ;; sparc64-*-linux2) echo "WARNING! If you *know* that your GNU C supports 64-bit/V9 ABI" echo " and wish to build 64-bit library, then you have to" echo " invoke './Configure linux64-sparcv9' *manually*." if [ "$TEST" = "false" ]; then echo " You have about 5 seconds to press Ctrl-C to abort." (stty -icanon min 0 time 50; read waste) < /dev/tty fi OUT="linux-sparcv9" ;; sparc-*-linux2) KARCH=`awk '/^type/{print$3}' /proc/cpuinfo` case ${KARCH:-sun4} in sun4u*) OUT="linux-sparcv9" ;; sun4m) OUT="linux-sparcv8" ;; sun4d) OUT="linux-sparcv8" ;; *) OUT="linux-sparcv7" ;; esac ;; parisc-*-linux2) CPUARCH=`awk '/cpu family/{print substr($5,1,3)}' /proc/cpuinfo` CPUSCHEDULE=`awk '/^cpu.[ ]: PA/{print substr($3,3)}' /proc/cpuinfo` # ??TODO ?? Model transformations # 0. CPU Architecture for the 1.1 processor has letter suffixes. We strip that off # assuming no further arch. identification will ever be used by GCC. # 1. I'm most concerned about whether is a 7300LC is closer to a 7100 versus a 7100LC. # 2. The variant 64-bit processors cause concern should GCC support explicit schedulers # for these chips in the future. # PA7300LC -> 7100LC (1.1) # PA8200 -> 8000 (2.0) # PA8500 -> 8000 (2.0) # PA8600 -> 8000 (2.0) CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8?00/8000/'` # Finish Model transformations options="$options -mschedule=$CPUSCHEDULE -march=$CPUARCH" OUT="linux-parisc" ;; arm*-*-linux2) OUT="linux-elf-arm" ;; s390-*-linux2) OUT="linux-s390" ;; s390x-*-linux?) OUT="linux-s390x" ;; x86_64-*-linux?) OUT="linux-x86_64" ;; *-*-linux2) OUT="linux-elf" if [ "$GCCVER" -gt 28 ]; then if grep '^model.*Pentium' /proc/cpuinfo >/dev/null ; then OUT="linux-pentium" fi if grep '^model.*Pentium Pro' /proc/cpuinfo >/dev/null ; then OUT="linux-ppro" fi if grep '^model.*K6' /proc/cpuinfo >/dev/null ; then OUT="linux-k6" fi fi ;; *-*-linux1) OUT="linux-aout" ;; sun4u*-*-solaris2) OUT="solaris-sparcv9-$CC" ISA64=`(isalist) 2>/dev/null | grep sparcv9` if [ "$ISA64" != "" ]; then if [ "$CC" = "cc" -a $CCVER -ge 50 ]; then echo "WARNING! If you wish to build 64-bit library, then you have to" echo " invoke './Configure solaris64-sparcv9-cc' *manually*." if [ "$TEST" = "false" ]; then echo " You have about 5 seconds to press Ctrl-C to abort." (stty -icanon min 0 time 50; read waste) < /dev/tty fi elif [ "$CC" = "gcc" -a "$GCC_ARCH" = "-m64" ]; then # $GCC_ARCH denotes default ABI chosen by compiler driver # (first one found on the $PATH). I assume that user # expects certain consistency with the rest of his builds # and therefore switch over to 64-bit. OUT="solaris64-sparcv9-gcc" echo "WARNING! If you wish to build 32-bit library, then you have to" echo " invoke './Configure solaris-sparcv9-gcc' *manually*." if [ "$TEST" = "false" ]; then echo " You have about 5 seconds to press Ctrl-C to abort." (stty -icanon min 0 time 50; read waste) < /dev/tty fi elif [ "$GCC_ARCH" = "-m32" ]; then echo "NOTICE! If you *know* that your GNU C supports 64-bit/V9 ABI" echo " and wish to build 64-bit library, then you have to" echo " invoke './Configure solaris64-sparcv9-gcc' *manually*." if [ "$TEST" = "false" ]; then echo " You have about 5 seconds to press Ctrl-C to abort." (stty -icanon min 0 time 50; read waste) < /dev/tty fi fi fi ;; sun4m-*-solaris2) OUT="solaris-sparcv8-$CC" ;; sun4d-*-solaris2) OUT="solaris-sparcv8-$CC" ;; sun4*-*-solaris2) OUT="solaris-sparcv7-$CC" ;; *86*-*-solaris2) OUT="solaris-x86-$CC" ;; *-*-sunos4) OUT="sunos-$CC" ;; alpha*-*-freebsd*) OUT="FreeBSD-alpha" ;; sparc64-*-freebsd*) OUT="FreeBSD-sparc64" ;; ia64-*-freebsd*) OUT="FreeBSD-ia64" ;; *-freebsd[3-9]*) OUT="FreeBSD-elf" ;; *-freebsd[1-2]*) OUT="FreeBSD" ;; *86*-*-netbsd) OUT="NetBSD-x86" ;; sun3*-*-netbsd) OUT="NetBSD-m68" ;; *-*-netbsd) OUT="NetBSD-sparc" ;; alpha*-*-openbsd) OUT="OpenBSD-alpha" ;; *86*-*-openbsd) OUT="OpenBSD-i386" ;; m68k*-*-openbsd) OUT="OpenBSD-m68k" ;; m88k*-*-openbsd) OUT="OpenBSD-m88k" ;; mips*-*-openbsd) OUT="OpenBSD-mips" ;; pmax*-*-openbsd) OUT="OpenBSD-mips" ;; powerpc*-*-openbsd) OUT="OpenBSD-powerpc" ;; sparc64*-*-openbsd) OUT="OpenBSD-sparc64" ;; sparc*-*-openbsd) OUT="OpenBSD-sparc" ;; vax*-*-openbsd) OUT="OpenBSD-vax" ;; hppa*-*-openbsd) OUT="OpenBSD-hppa" ;; *-*-openbsd) OUT="OpenBSD" ;; *86*-*-bsdi4) OUT="bsdi-elf-gcc" ;; *-*-osf) OUT="alphaold-cc" ;; *-*-tru64) OUT="alpha-cc" ;; *-*-OpenUNIX*) if [ "$CC" = "gcc" ]; then OUT="OpenUNIX-8-gcc" else OUT="OpenUNIX-8" fi ;; *-*-unixware7) OUT="unixware-7" ;; *-*-UnixWare7) OUT="unixware-7" ;; *-*-Unixware7) OUT="unixware-7" ;; *-*-unixware20*) OUT="unixware-2.0" ;; *-*-unixware21*) OUT="unixware-2.1" ;; *-*-UnixWare20*) OUT="unixware-2.0" ;; *-*-UnixWare21*) OUT="unixware-2.1" ;; *-*-Unixware20*) OUT="unixware-2.0" ;; *-*-Unixware21*) OUT="unixware-2.1" ;; BS2000-siemens-sysv4) OUT="BS2000-OSD" ;; RM*-siemens-sysv4) OUT="ReliantUNIX" ;; *-siemens-sysv4) OUT="SINIX" ;; *-hpux1*) if [ $CC = "gcc" ]; then if [ $GCC_BITS = "64" ]; then - OUT="hpux64-parisc-gcc" + OUT="hpux64-parisc2-gcc" else OUT="hpux-parisc-gcc" fi else OUT="hpux-parisc-$CC" fi KERNEL_BITS=`(getconf KERNEL_BITS) 2>/dev/null` KERNEL_BITS=${KERNEL_BITS:-32} CPU_VERSION=`(getconf CPU_VERSION) 2>/dev/null` CPU_VERSION=${CPU_VERSION:-0} # See for further info on CPU_VERSION. if [ $CPU_VERSION -ge 768 ]; then # IA-64 CPU echo "WARNING! 64-bit ABI is the default configured ABI on HP-UXi." echo " If you wish to build 32-bit library, the you have to" - echo " invoke './Configure hpux-ia32-cc' *manually*." + echo " invoke './Configure hpux-ia64-cc' *manually*." if [ "$TEST" = "false" ]; then echo " You have about 5 seconds to press Ctrl-C to abort." (stty -icanon min 0 time 50; read waste) < /dev/tty fi OUT="hpux64-ia64-cc" elif [ $CPU_VERSION -ge 532 ]; then # PA-RISC 2.x CPU if [ "$CC" = "cc" ]; then OUT="hpux-parisc2-cc" # can't we have hpux-parisc2-gcc? fi if [ $KERNEL_BITS -eq 64 -a "$CC" = "cc" ]; then echo "WARNING! If you wish to build 64-bit library then you have to" echo " invoke './Configure hpux64-parisc2-cc' *manually*." if [ "$TEST" = "false" ]; then echo " You have about 5 seconds to press Ctrl-C to abort." (stty -icanon min 0 time 50; read waste) < /dev/tty fi fi elif [ $CPU_VERSION -ge 528 ]; then # PA-RISC 1.1+ CPU : elif [ $CPU_VERSION -ge 523 ]; then # PA-RISC 1.0 CPU : else # Motorola(?) CPU OUT="hpux-$CC" fi options="$options -D_REENTRANT" ;; *-hpux) OUT="hpux-parisc-$CC" ;; # these are all covered by the catchall below # *-aix) OUT="aix-$CC" ;; # *-dgux) OUT="dgux" ;; mips-sony-newsos4) OUT="newsos4-gcc" ;; *-*-cygwin_pre1.3) OUT="Cygwin-pre1.3" ;; *-*-cygwin) OUT="Cygwin" ;; t3e-cray-unicosmk) OUT="cray-t3e" ;; j90-cray-unicos) OUT="cray-j90" ;; nsr-tandem-nsk) OUT="tandem-c89" ;; *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;; esac # NB: This atalla support has been superceded by the ENGINE support # That contains its own header and definitions anyway. Support can # be enabled or disabled on any supported platform without external # headers, eg. by adding the "hw-atalla" switch to ./config or # perl Configure # # See whether we can compile Atalla support #if [ -f /usr/include/atasi.h ] #then # options="$options -DATALLA" #fi # gcc < 2.8 does not support -mcpu=ultrasparc if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ] then echo "WARNING! Do consider upgrading to gcc-2.8 or later." sleep 5 OUT=solaris-sparcv9-gcc27 fi if [ "$OUT" = "linux-sparcv9" -a $GCCVER -lt 28 ] then echo "WARNING! Falling down to 'linux-sparcv8'." echo " Upgrade to gcc-2.8 or later." sleep 5 OUT=linux-sparcv8 fi case "$GUESSOS" in i386-*) options="$options 386" ;; esac for i in bf cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 aes ripemd rsa sha do if [ ! -d crypto/$i ] then options="$options no-$i" fi done # Discover Kerberos 5 (since it's still a prototype, we don't # do any guesses yet, that's why this section is commented away. #if [ -d /usr/kerberos ]; then # krb5_dir=/usr/kerberos # if [ \( -f $krb5_dir/lib/libgssapi_krb5.a -o -f $krb5_dir/lib/libgssapi_krb5.so* \)\ # -a \( -f $krb5_dir/lib/libkrb5.a -o -f $krb5_dir/lib/libkrb5.so* \)\ # -a \( -f $krb5_dir/lib/libcom_err.a -o -f $krb5_dir/lib/libcom_err.so* \)\ # -a \( -f $krb5_dir/lib/libk5crypto.a -o -f $krb5_dir/lib/libk5crypto.so* \)\ # -a \( -f $krb5_dir/include/krb5.h \) ]; then # options="$options --with-krb5-flavor=MIT" # fi #elif [ -d /usr/heimdal ]; then # krb5_dir=/usr/heimdal # if [ \( -f $krb5_dir/lib/libgssapi.a -o -f $krb5_dir/lib/libgssapi.so* \)\ # -a \( -f $krb5_dir/lib/libkrb5.a -o -f $krb5_dir/lib/libkrb5.so* \)\ # -a \( -f $krb5_dir/lib/libcom_err.a -o -f $krb5_dir/lib/libcom_err.so* \)\ # -a \( -f $krb5_dir/include/krb5.h \) ]; then # options="$options --with-krb5-flavor=Heimdal" # fi #fi if [ -z "$OUT" ]; then OUT="$CC" fi if [ ".$PERL" = . ] ; then for i in . `echo $PATH | sed 's/:/ /g'`; do if [ -f "$i/perl5" ] ; then PERL="$i/perl5" break; fi; done fi if [ ".$PERL" = . ] ; then for i in . `echo $PATH | sed 's/:/ /g'`; do if [ -f "$i/perl" ] ; then if "$i/perl" -e 'exit($]<5.0)'; then PERL="$i/perl" break; fi; fi; done fi if [ ".$PERL" = . ] ; then echo "You need Perl 5." exit 1 fi # run Configure to check to see if we need to specify the # compiler for the platform ... in which case we add it on # the end ... otherwise we leave it off $PERL ./Configure LIST | grep "$OUT-$CC" > /dev/null if [ $? = "0" ]; then OUT="$OUT-$CC" fi OUT="$PREFIX$OUT" $PERL ./Configure LIST | grep "$OUT" > /dev/null if [ $? = "0" ]; then echo Configuring for $OUT if [ "$TEST" = "true" ]; then echo $PERL ./Configure $OUT $options else $PERL ./Configure $OUT $options fi else echo "This system ($OUT) is not supported. See file INSTALL for details." fi ) diff --git a/crypto/openssl/crypto/Makefile.ssl b/crypto/openssl/crypto/Makefile.ssl index 9def17ae601f..b9951a460054 100644 --- a/crypto/openssl/crypto/Makefile.ssl +++ b/crypto/openssl/crypto/Makefile.ssl @@ -1,218 +1,218 @@ # # SSLeay/crypto/Makefile # DIR= crypto TOP= .. CC= cc INCLUDE= -I. -I$(TOP) -I../include INCLUDES= -I.. -I../.. -I../../include CFLAG= -g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP= /usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl RM= rm -f AR= ar r PEX_LIBS= EX_LIBS= CFLAGS= $(INCLUDE) $(CFLAG) LIBS= SDIRS= md2 md5 sha mdc2 hmac ripemd \ des rc2 rc4 rc5 idea bf cast \ bn ec rsa dsa dh dso engine aes \ buffer bio stack lhash rand err objects \ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 GENERAL=Makefile README crypto-lib.com install.com LIB= $(TOP)/libcrypto.a SHARED_LIB= libcrypto$(SHLIB_EXT) LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o SRC= $(LIBSRC) EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h symhacks.h \ ossl_typ.h HEADER= cryptlib.h buildinf.h md32_common.h o_time.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: @(cd ..; $(MAKE) DIRS=$(DIR) all) -all: buildinf.h lib subdirs shared +all: shared buildinf.h: ../Makefile.ssl ( echo "#ifndef MK1MF_BUILD"; \ echo ' /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */'; \ echo ' #define CFLAGS "$(CC) $(CFLAG)"'; \ echo ' #define PLATFORM "$(PLATFORM)"'; \ echo " #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \ echo '#endif' ) >buildinf.h testapps: if echo ${SDIRS} | fgrep ' des '; \ then cd des && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' des; fi cd pkcs7 && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps subdirs: @for i in $(SDIRS) ;\ do \ (cd $$i && echo "making all in crypto/$$i..." && \ $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ done; files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO @for i in $(SDIRS) ;\ do \ (cd $$i && echo "making 'files' in crypto/$$i..." && \ $(MAKE) PERL='${PERL}' files ); \ done; links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS) - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @for i in $(SDIRS); do \ (cd $$i && echo "making links in crypto/$$i..." && \ $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \ done; lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib -shared: +shared: buildinf.h lib subdirs if [ -n "$(SHARED_LIBS)" ]; then \ (cd ..; $(MAKE) $(SHARED_LIB)); \ fi libs: @for i in $(SDIRS) ;\ do \ (cd $$i && echo "making libs in crypto/$$i..." && \ $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' lib ); \ done; tests: @for i in $(SDIRS) ;\ do \ (cd $$i && echo "making tests in crypto/$$i..." && \ $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' tests ); \ done; install: @for i in $(EXHEADER) ;\ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; @for i in $(SDIRS) ;\ do \ (cd $$i && echo "making install in crypto/$$i..." && \ $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \ done; lint: @for i in $(SDIRS) ;\ do \ (cd $$i && echo "making lint in crypto/$$i..." && \ $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' lint ); \ done; depend: if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist $(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC) if [ ! -s buildinf.h ]; then rm buildinf.h; fi @for i in $(SDIRS) ;\ do \ (cd $$i && echo "making depend in crypto/$$i..." && \ $(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ); \ done; clean: rm -f buildinf.h *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff @for i in $(SDIRS) ;\ do \ (cd $$i && echo "making clean in crypto/$$i..." && \ $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' clean ); \ done; dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) @for i in $(SDIRS) ;\ do \ (cd $$i && echo "making dclean in crypto/$$i..." && \ $(MAKE) PERL='${PERL}' CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' dclean ); \ done; # DO NOT DELETE THIS LINE -- make depend depends on it. cpt_err.o: ../include/openssl/bio.h ../include/openssl/crypto.h cpt_err.o: ../include/openssl/e_os2.h ../include/openssl/err.h cpt_err.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h cpt_err.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h cpt_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cpt_err.c cryptlib.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h cryptlib.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h cryptlib.o: ../include/openssl/err.h ../include/openssl/lhash.h cryptlib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h cryptlib.o: ../include/openssl/safestack.h ../include/openssl/stack.h cryptlib.o: ../include/openssl/symhacks.h cryptlib.c cryptlib.h cversion.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h cversion.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h cversion.o: ../include/openssl/err.h ../include/openssl/lhash.h cversion.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h cversion.o: ../include/openssl/safestack.h ../include/openssl/stack.h cversion.o: ../include/openssl/symhacks.h buildinf.h cryptlib.h cversion.c ebcdic.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h ebcdic.c ex_data.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h ex_data.o: ../include/openssl/err.h ../include/openssl/lhash.h ex_data.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h ex_data.o: ../include/openssl/safestack.h ../include/openssl/stack.h ex_data.o: ../include/openssl/symhacks.h cryptlib.h ex_data.c mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h mem.o: ../include/openssl/err.h ../include/openssl/lhash.h mem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h mem.o: ../include/openssl/safestack.h ../include/openssl/stack.h mem.o: ../include/openssl/symhacks.h cryptlib.h mem.c mem_clr.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h mem_clr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h mem_clr.o: ../include/openssl/safestack.h ../include/openssl/stack.h mem_clr.o: ../include/openssl/symhacks.h mem_clr.c mem_dbg.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h mem_dbg.o: ../include/openssl/err.h ../include/openssl/lhash.h mem_dbg.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h mem_dbg.o: ../include/openssl/safestack.h ../include/openssl/stack.h mem_dbg.o: ../include/openssl/symhacks.h cryptlib.h mem_dbg.c o_time.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_time.c o_time.o: o_time.h tmdiff.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h tmdiff.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h tmdiff.o: ../include/openssl/err.h ../include/openssl/lhash.h tmdiff.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h tmdiff.o: ../include/openssl/safestack.h ../include/openssl/stack.h tmdiff.o: ../include/openssl/symhacks.h ../include/openssl/tmdiff.h cryptlib.h tmdiff.o: tmdiff.c uid.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h uid.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h uid.o: ../include/openssl/safestack.h ../include/openssl/stack.h uid.o: ../include/openssl/symhacks.h uid.c diff --git a/crypto/openssl/crypto/aes/Makefile.ssl b/crypto/openssl/crypto/aes/Makefile.ssl index 364d05bbfe01..f353aeb697dd 100644 --- a/crypto/openssl/crypto/aes/Makefile.ssl +++ b/crypto/openssl/crypto/aes/Makefile.ssl @@ -1,103 +1,103 @@ # # crypto/aes/Makefile # DIR= aes TOP= ../.. CC= cc CPP= $(CC) -E INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP= /usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r # CFLAGS= -mpentiumpro $(INCLUDES) $(CFLAG) -O3 -fexpensive-optimizations -funroll-loops -fforce-addr CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile #TEST=aestest.c TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC=aes_core.c aes_misc.c aes_ecb.c aes_cbc.c aes_cfb.c aes_ofb.c aes_ctr.c LIBOBJ=aes_core.o aes_misc.o aes_ecb.o aes_cbc.o aes_cfb.o aes_ofb.o aes_ctr.o SRC= $(LIBSRC) EXHEADER= aes.h HEADER= aes_locl.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib $(LIBOBJ): $(LIBSRC) files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: installs installs: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. aes_cbc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_cbc.o: ../../include/openssl/opensslconf.h aes_cbc.c aes_locl.h aes_cfb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_cfb.o: ../../include/openssl/opensslconf.h aes_cfb.c aes_locl.h aes_core.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_core.o: ../../include/openssl/opensslconf.h aes_core.c aes_locl.h aes_ctr.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_ctr.o: ../../include/openssl/opensslconf.h aes_ctr.c aes_locl.h aes_ecb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_ecb.o: ../../include/openssl/opensslconf.h aes_ecb.c aes_locl.h aes_misc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_misc.o: ../../include/openssl/opensslconf.h aes_misc.o: ../../include/openssl/opensslv.h aes_locl.h aes_misc.c aes_ofb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_ofb.o: ../../include/openssl/opensslconf.h aes_locl.h aes_ofb.c diff --git a/crypto/openssl/crypto/aes/aes_cbc.c b/crypto/openssl/crypto/aes/aes_cbc.c index 86b27b10d612..1222a21002c1 100644 --- a/crypto/openssl/crypto/aes/aes_cbc.c +++ b/crypto/openssl/crypto/aes/aes_cbc.c @@ -1,111 +1,111 @@ /* crypto/aes/aes_cbc.c -*- mode:C; c-file-style: "eay" -*- */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * */ #ifndef AES_DEBUG # ifndef NDEBUG # define NDEBUG # endif #endif #include #include #include "aes_locl.h" void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, const unsigned long length, const AES_KEY *key, unsigned char *ivec, const int enc) { unsigned long n; unsigned long len = length; unsigned char tmp[AES_BLOCK_SIZE]; assert(in && out && key && ivec); assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc)); if (AES_ENCRYPT == enc) { while (len >= AES_BLOCK_SIZE) { for(n=0; n < AES_BLOCK_SIZE; ++n) tmp[n] = in[n] ^ ivec[n]; AES_encrypt(tmp, out, key); memcpy(ivec, out, AES_BLOCK_SIZE); len -= AES_BLOCK_SIZE; in += AES_BLOCK_SIZE; out += AES_BLOCK_SIZE; } if (len) { for(n=0; n < len; ++n) tmp[n] = in[n] ^ ivec[n]; for(n=len; n < AES_BLOCK_SIZE; ++n) tmp[n] = ivec[n]; AES_encrypt(tmp, tmp, key); memcpy(out, tmp, AES_BLOCK_SIZE); memcpy(ivec, tmp, AES_BLOCK_SIZE); } } else { while (len >= AES_BLOCK_SIZE) { memcpy(tmp, in, AES_BLOCK_SIZE); AES_decrypt(in, out, key); for(n=0; n < AES_BLOCK_SIZE; ++n) out[n] ^= ivec[n]; memcpy(ivec, tmp, AES_BLOCK_SIZE); len -= AES_BLOCK_SIZE; in += AES_BLOCK_SIZE; out += AES_BLOCK_SIZE; } if (len) { memcpy(tmp, in, AES_BLOCK_SIZE); AES_decrypt(tmp, tmp, key); for(n=0; n < len; ++n) - out[n] ^= ivec[n]; + out[n] = tmp[n] ^ ivec[n]; memcpy(ivec, tmp, AES_BLOCK_SIZE); } } } diff --git a/crypto/openssl/crypto/asn1/Makefile.ssl b/crypto/openssl/crypto/asn1/Makefile.ssl index 944d8f164ae6..cb45194d48e3 100644 --- a/crypto/openssl/crypto/asn1/Makefile.ssl +++ b/crypto/openssl/crypto/asn1/Makefile.ssl @@ -1,1152 +1,1152 @@ # # SSLeay/crypto/asn1/Makefile # DIR= asn1 TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile README TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \ a_print.c a_type.c a_set.c a_dup.c a_d2i_fp.c a_i2d_fp.c \ a_enum.c a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c a_strex.c \ x_algor.c x_val.c x_pubkey.c x_sig.c x_req.c x_attrib.c x_bignum.c \ x_long.c x_name.c x_x509.c x_x509a.c x_crl.c x_info.c x_spki.c nsseq.c \ d2i_pu.c d2i_pr.c i2d_pu.c i2d_pr.c\ t_req.c t_x509.c t_x509a.c t_crl.c t_pkey.c t_spki.c t_bitst.c \ tasn_new.c tasn_fre.c tasn_enc.c tasn_dec.c tasn_utl.c tasn_typ.c \ f_int.c f_string.c n_pkey.c \ f_enum.c a_hdr.c x_pkey.c a_bool.c x_exten.c \ asn1_par.c asn1_lib.c asn1_err.c a_meth.c a_bytes.c a_strnid.c \ evp_asn1.c asn_pack.c p5_pbe.c p5_pbev2.c p8_pkey.c asn_moid.c LIBOBJ= a_object.o a_bitstr.o a_utctm.o a_gentm.o a_time.o a_int.o a_octet.o \ a_print.o a_type.o a_set.o a_dup.o a_d2i_fp.o a_i2d_fp.o \ a_enum.o a_utf8.o a_sign.o a_digest.o a_verify.o a_mbstr.o a_strex.o \ x_algor.o x_val.o x_pubkey.o x_sig.o x_req.o x_attrib.o x_bignum.o \ x_long.o x_name.o x_x509.o x_x509a.o x_crl.o x_info.o x_spki.o nsseq.o \ d2i_pu.o d2i_pr.o i2d_pu.o i2d_pr.o \ t_req.o t_x509.o t_x509a.o t_crl.o t_pkey.o t_spki.o t_bitst.o \ tasn_new.o tasn_fre.o tasn_enc.o tasn_dec.o tasn_utl.o tasn_typ.o \ f_int.o f_string.o n_pkey.o \ f_enum.o a_hdr.o x_pkey.o a_bool.o x_exten.o \ asn1_par.o asn1_lib.o asn1_err.o a_meth.o a_bytes.o a_strnid.o \ evp_asn1.o asn_pack.o p5_pbe.o p5_pbev2.o p8_pkey.o asn_moid.o SRC= $(LIBSRC) EXHEADER= asn1.h asn1_mac.h asn1t.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) test: test.c cc -g -I../../include -c test.c cc -g -I../../include -o test test.o -L../.. -lcrypto pk: pk.c cc -g -I../../include -c pk.c cc -g -I../../include -o pk pk.o -L../.. -lcrypto all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. a_bitstr.o: ../../e_os.h ../../include/openssl/asn1.h a_bitstr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h a_bitstr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h a_bitstr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h a_bitstr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h a_bitstr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_bitstr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_bitstr.o: ../../include/openssl/symhacks.h ../cryptlib.h a_bitstr.c a_bool.o: ../../e_os.h ../../include/openssl/asn1.h a_bool.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h a_bool.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h a_bool.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h a_bool.o: ../../include/openssl/err.h ../../include/openssl/lhash.h a_bool.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h a_bool.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h a_bool.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h a_bool.o: ../cryptlib.h a_bool.c a_bytes.o: ../../e_os.h ../../include/openssl/asn1.h a_bytes.o: ../../include/openssl/bio.h ../../include/openssl/bn.h a_bytes.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h a_bytes.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h a_bytes.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h a_bytes.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_bytes.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_bytes.o: ../../include/openssl/symhacks.h ../cryptlib.h a_bytes.c a_d2i_fp.o: ../../e_os.h ../../include/openssl/asn1.h a_d2i_fp.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h a_d2i_fp.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h a_d2i_fp.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h a_d2i_fp.o: ../../include/openssl/err.h ../../include/openssl/lhash.h a_d2i_fp.o: ../../include/openssl/opensslconf.h a_d2i_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_d2i_fp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_d2i_fp.o: ../../include/openssl/symhacks.h ../cryptlib.h a_d2i_fp.c a_digest.o: ../../e_os.h ../../include/openssl/aes.h a_digest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h a_digest.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h a_digest.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h a_digest.o: ../../include/openssl/crypto.h ../../include/openssl/des.h a_digest.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h a_digest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h a_digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h a_digest.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h a_digest.o: ../../include/openssl/md2.h ../../include/openssl/md4.h a_digest.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h a_digest.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h a_digest.o: ../../include/openssl/opensslconf.h a_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_digest.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h a_digest.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h a_digest.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h a_digest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h a_digest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h a_digest.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h a_digest.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h a_digest.o: ../cryptlib.h a_digest.c a_dup.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h a_dup.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h a_dup.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h a_dup.o: ../../include/openssl/err.h ../../include/openssl/lhash.h a_dup.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h a_dup.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h a_dup.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h a_dup.o: ../cryptlib.h a_dup.c a_enum.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h a_enum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h a_enum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h a_enum.o: ../../include/openssl/err.h ../../include/openssl/lhash.h a_enum.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h a_enum.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h a_enum.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h a_enum.o: ../cryptlib.h a_enum.c a_gentm.o: ../../e_os.h ../../include/openssl/asn1.h a_gentm.o: ../../include/openssl/bio.h ../../include/openssl/bn.h a_gentm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h a_gentm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h a_gentm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h a_gentm.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_gentm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_gentm.o: ../../include/openssl/symhacks.h ../cryptlib.h ../o_time.h a_gentm.c a_hdr.o: ../../e_os.h ../../include/openssl/asn1.h a_hdr.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h a_hdr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h a_hdr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h a_hdr.o: ../../include/openssl/err.h ../../include/openssl/lhash.h a_hdr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h a_hdr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h a_hdr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h a_hdr.o: ../cryptlib.h a_hdr.c a_i2d_fp.o: ../../e_os.h ../../include/openssl/asn1.h a_i2d_fp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h a_i2d_fp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h a_i2d_fp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h a_i2d_fp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h a_i2d_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_i2d_fp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_i2d_fp.o: ../../include/openssl/symhacks.h ../cryptlib.h a_i2d_fp.c a_int.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h a_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h a_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h a_int.o: ../../include/openssl/err.h ../../include/openssl/lhash.h a_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h a_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h a_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h a_int.o: ../cryptlib.h a_int.c a_mbstr.o: ../../e_os.h ../../include/openssl/asn1.h a_mbstr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h a_mbstr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h a_mbstr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h a_mbstr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h a_mbstr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_mbstr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_mbstr.o: ../../include/openssl/symhacks.h ../cryptlib.h a_mbstr.c a_meth.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h a_meth.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h a_meth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h a_meth.o: ../../include/openssl/err.h ../../include/openssl/lhash.h a_meth.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h a_meth.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h a_meth.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h a_meth.o: ../cryptlib.h a_meth.c a_object.o: ../../e_os.h ../../include/openssl/asn1.h a_object.o: ../../include/openssl/bio.h ../../include/openssl/bn.h a_object.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h a_object.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h a_object.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h a_object.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h a_object.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_object.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_object.o: ../../include/openssl/symhacks.h ../cryptlib.h a_object.c a_octet.o: ../../e_os.h ../../include/openssl/asn1.h a_octet.o: ../../include/openssl/bio.h ../../include/openssl/bn.h a_octet.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h a_octet.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h a_octet.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h a_octet.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_octet.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_octet.o: ../../include/openssl/symhacks.h ../cryptlib.h a_octet.c a_print.o: ../../e_os.h ../../include/openssl/asn1.h a_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h a_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h a_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h a_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h a_print.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_print.o: ../../include/openssl/symhacks.h ../cryptlib.h a_print.c a_set.o: ../../e_os.h ../../include/openssl/asn1.h a_set.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h a_set.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h a_set.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h a_set.o: ../../include/openssl/err.h ../../include/openssl/lhash.h a_set.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h a_set.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h a_set.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h a_set.o: ../cryptlib.h a_set.c a_sign.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h a_sign.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h a_sign.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h a_sign.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h a_sign.o: ../../include/openssl/des.h ../../include/openssl/des_old.h a_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h a_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h a_sign.o: ../../include/openssl/evp.h ../../include/openssl/idea.h a_sign.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h a_sign.o: ../../include/openssl/md4.h ../../include/openssl/md5.h a_sign.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h a_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h a_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h a_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h a_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h a_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h a_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h a_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h a_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h a_sign.o: ../cryptlib.h a_sign.c a_strex.o: ../../e_os.h ../../include/openssl/aes.h a_strex.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h a_strex.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h a_strex.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h a_strex.o: ../../include/openssl/crypto.h ../../include/openssl/des.h a_strex.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h a_strex.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h a_strex.o: ../../include/openssl/err.h ../../include/openssl/evp.h a_strex.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h a_strex.o: ../../include/openssl/md2.h ../../include/openssl/md4.h a_strex.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h a_strex.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h a_strex.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h a_strex.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h a_strex.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h a_strex.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h a_strex.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h a_strex.o: ../../include/openssl/sha.h ../../include/openssl/stack.h a_strex.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h a_strex.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h a_strex.o: ../../include/openssl/x509_vfy.h ../cryptlib.h a_strex.c charmap.h a_strnid.o: ../../e_os.h ../../include/openssl/asn1.h a_strnid.o: ../../include/openssl/bio.h ../../include/openssl/bn.h a_strnid.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h a_strnid.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h a_strnid.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h a_strnid.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h a_strnid.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_strnid.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_strnid.o: ../../include/openssl/symhacks.h ../cryptlib.h a_strnid.c a_time.o: ../../e_os.h ../../include/openssl/asn1.h a_time.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h a_time.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h a_time.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h a_time.o: ../../include/openssl/err.h ../../include/openssl/lhash.h a_time.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h a_time.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h a_time.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h a_time.o: ../cryptlib.h ../o_time.h a_time.c a_type.o: ../../e_os.h ../../include/openssl/asn1.h a_type.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h a_type.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h a_type.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h a_type.o: ../../include/openssl/err.h ../../include/openssl/lhash.h a_type.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h a_type.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h a_type.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h a_type.o: ../cryptlib.h a_type.c a_utctm.o: ../../e_os.h ../../include/openssl/asn1.h a_utctm.o: ../../include/openssl/bio.h ../../include/openssl/bn.h a_utctm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h a_utctm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h a_utctm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h a_utctm.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_utctm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_utctm.o: ../../include/openssl/symhacks.h ../cryptlib.h ../o_time.h a_utctm.c a_utf8.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h a_utf8.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h a_utf8.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h a_utf8.o: ../../include/openssl/err.h ../../include/openssl/lhash.h a_utf8.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h a_utf8.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h a_utf8.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h a_utf8.o: ../cryptlib.h a_utf8.c a_verify.o: ../../e_os.h ../../include/openssl/aes.h a_verify.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h a_verify.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h a_verify.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h a_verify.o: ../../include/openssl/crypto.h ../../include/openssl/des.h a_verify.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h a_verify.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h a_verify.o: ../../include/openssl/err.h ../../include/openssl/evp.h a_verify.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h a_verify.o: ../../include/openssl/md2.h ../../include/openssl/md4.h a_verify.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h a_verify.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h a_verify.o: ../../include/openssl/opensslconf.h a_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_verify.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h a_verify.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h a_verify.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h a_verify.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h a_verify.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h a_verify.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h a_verify.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h a_verify.o: ../cryptlib.h a_verify.c asn1_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h asn1_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h asn1_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h asn1_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h asn1_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h asn1_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h asn1_err.o: ../../include/openssl/symhacks.h asn1_err.c asn1_lib.o: ../../e_os.h ../../include/openssl/asn1.h asn1_lib.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h asn1_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h asn1_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h asn1_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h asn1_lib.o: ../../include/openssl/opensslconf.h asn1_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h asn1_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h asn1_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h asn1_lib.c asn1_par.o: ../../e_os.h ../../include/openssl/asn1.h asn1_par.o: ../../include/openssl/bio.h ../../include/openssl/bn.h asn1_par.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h asn1_par.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h asn1_par.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h asn1_par.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h asn1_par.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h asn1_par.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h asn1_par.o: ../../include/openssl/symhacks.h ../cryptlib.h asn1_par.c asn_moid.o: ../../e_os.h ../../include/openssl/aes.h asn_moid.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h asn_moid.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h asn_moid.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h asn_moid.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h asn_moid.o: ../../include/openssl/des.h ../../include/openssl/des_old.h asn_moid.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h asn_moid.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h asn_moid.o: ../../include/openssl/err.h ../../include/openssl/evp.h asn_moid.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h asn_moid.o: ../../include/openssl/md2.h ../../include/openssl/md4.h asn_moid.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h asn_moid.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h asn_moid.o: ../../include/openssl/opensslconf.h asn_moid.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h asn_moid.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h asn_moid.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h asn_moid.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h asn_moid.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h asn_moid.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h asn_moid.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h asn_moid.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h asn_moid.o: ../cryptlib.h asn_moid.c asn_pack.o: ../../e_os.h ../../include/openssl/asn1.h asn_pack.o: ../../include/openssl/bio.h ../../include/openssl/bn.h asn_pack.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h asn_pack.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h asn_pack.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h asn_pack.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h asn_pack.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h asn_pack.o: ../../include/openssl/symhacks.h ../cryptlib.h asn_pack.c d2i_pr.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h d2i_pr.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h d2i_pr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h d2i_pr.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h d2i_pr.o: ../../include/openssl/des.h ../../include/openssl/des_old.h d2i_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h d2i_pr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h d2i_pr.o: ../../include/openssl/evp.h ../../include/openssl/idea.h d2i_pr.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h d2i_pr.o: ../../include/openssl/md4.h ../../include/openssl/md5.h d2i_pr.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h d2i_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h d2i_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h d2i_pr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h d2i_pr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h d2i_pr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h d2i_pr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h d2i_pr.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h d2i_pr.o: ../../include/openssl/ui_compat.h ../cryptlib.h d2i_pr.c d2i_pu.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h d2i_pu.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h d2i_pu.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h d2i_pu.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h d2i_pu.o: ../../include/openssl/des.h ../../include/openssl/des_old.h d2i_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h d2i_pu.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h d2i_pu.o: ../../include/openssl/evp.h ../../include/openssl/idea.h d2i_pu.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h d2i_pu.o: ../../include/openssl/md4.h ../../include/openssl/md5.h d2i_pu.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h d2i_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h d2i_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h d2i_pu.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h d2i_pu.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h d2i_pu.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h d2i_pu.o: ../../include/openssl/sha.h ../../include/openssl/stack.h d2i_pu.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h d2i_pu.o: ../../include/openssl/ui_compat.h ../cryptlib.h d2i_pu.c evp_asn1.o: ../../e_os.h ../../include/openssl/asn1.h evp_asn1.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h evp_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h evp_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h evp_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h evp_asn1.o: ../../include/openssl/opensslconf.h evp_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h evp_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h evp_asn1.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_asn1.c f_enum.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h f_enum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h f_enum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h f_enum.o: ../../include/openssl/err.h ../../include/openssl/lhash.h f_enum.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h f_enum.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h f_enum.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h f_enum.o: ../cryptlib.h f_enum.c f_int.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h f_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h f_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h f_int.o: ../../include/openssl/err.h ../../include/openssl/lhash.h f_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h f_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h f_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h f_int.o: ../cryptlib.h f_int.c f_string.o: ../../e_os.h ../../include/openssl/asn1.h f_string.o: ../../include/openssl/bio.h ../../include/openssl/bn.h f_string.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h f_string.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h f_string.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h f_string.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h f_string.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h f_string.o: ../../include/openssl/symhacks.h ../cryptlib.h f_string.c i2d_pr.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h i2d_pr.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h i2d_pr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h i2d_pr.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h i2d_pr.o: ../../include/openssl/des.h ../../include/openssl/des_old.h i2d_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h i2d_pr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h i2d_pr.o: ../../include/openssl/evp.h ../../include/openssl/idea.h i2d_pr.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h i2d_pr.o: ../../include/openssl/md4.h ../../include/openssl/md5.h i2d_pr.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h i2d_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h i2d_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h i2d_pr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h i2d_pr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h i2d_pr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h i2d_pr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h i2d_pr.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h i2d_pr.o: ../../include/openssl/ui_compat.h ../cryptlib.h i2d_pr.c i2d_pu.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h i2d_pu.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h i2d_pu.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h i2d_pu.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h i2d_pu.o: ../../include/openssl/des.h ../../include/openssl/des_old.h i2d_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h i2d_pu.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h i2d_pu.o: ../../include/openssl/evp.h ../../include/openssl/idea.h i2d_pu.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h i2d_pu.o: ../../include/openssl/md4.h ../../include/openssl/md5.h i2d_pu.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h i2d_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h i2d_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h i2d_pu.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h i2d_pu.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h i2d_pu.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h i2d_pu.o: ../../include/openssl/sha.h ../../include/openssl/stack.h i2d_pu.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h i2d_pu.o: ../../include/openssl/ui_compat.h ../cryptlib.h i2d_pu.c n_pkey.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h n_pkey.o: ../../include/openssl/asn1_mac.h ../../include/openssl/asn1t.h n_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h n_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h n_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h n_pkey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h n_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h n_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h n_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h n_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h n_pkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h n_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h n_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h n_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h n_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h n_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h n_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h n_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h n_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h n_pkey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h n_pkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h n_pkey.o: ../cryptlib.h n_pkey.c nsseq.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h nsseq.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h nsseq.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h nsseq.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h nsseq.o: ../../include/openssl/crypto.h ../../include/openssl/des.h nsseq.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h nsseq.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h nsseq.o: ../../include/openssl/evp.h ../../include/openssl/idea.h nsseq.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h nsseq.o: ../../include/openssl/md4.h ../../include/openssl/md5.h nsseq.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h nsseq.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h nsseq.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h nsseq.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h nsseq.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h nsseq.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h nsseq.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h nsseq.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h nsseq.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h nsseq.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h nsseq.c p5_pbe.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h p5_pbe.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h p5_pbe.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p5_pbe.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p5_pbe.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p5_pbe.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p5_pbe.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p5_pbe.o: ../../include/openssl/err.h ../../include/openssl/evp.h p5_pbe.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p5_pbe.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p5_pbe.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p5_pbe.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p5_pbe.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h p5_pbe.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h p5_pbe.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h p5_pbe.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h p5_pbe.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h p5_pbe.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h p5_pbe.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h p5_pbe.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h p5_pbe.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h p5_pbe.o: ../cryptlib.h p5_pbe.c p5_pbev2.o: ../../e_os.h ../../include/openssl/aes.h p5_pbev2.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h p5_pbev2.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h p5_pbev2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h p5_pbev2.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h p5_pbev2.o: ../../include/openssl/des.h ../../include/openssl/des_old.h p5_pbev2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h p5_pbev2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h p5_pbev2.o: ../../include/openssl/evp.h ../../include/openssl/idea.h p5_pbev2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h p5_pbev2.o: ../../include/openssl/md4.h ../../include/openssl/md5.h p5_pbev2.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h p5_pbev2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h p5_pbev2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p5_pbev2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h p5_pbev2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h p5_pbev2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h p5_pbev2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p5_pbev2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p5_pbev2.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h p5_pbev2.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h p5_pbev2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p5_pbev2.c p8_pkey.o: ../../e_os.h ../../include/openssl/aes.h p8_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h p8_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h p8_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h p8_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h p8_pkey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h p8_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h p8_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h p8_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h p8_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h p8_pkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h p8_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h p8_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h p8_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p8_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h p8_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h p8_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h p8_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h p8_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h p8_pkey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h p8_pkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h p8_pkey.o: ../cryptlib.h p8_pkey.c t_bitst.o: ../../e_os.h ../../include/openssl/aes.h t_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h t_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h t_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h t_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h t_bitst.o: ../../include/openssl/des.h ../../include/openssl/des_old.h t_bitst.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h t_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h t_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h t_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h t_bitst.o: ../../include/openssl/md4.h ../../include/openssl/md5.h t_bitst.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h t_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h t_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h t_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h t_bitst.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h t_bitst.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h t_bitst.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h t_bitst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h t_bitst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h t_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h t_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h t_bitst.c t_crl.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h t_crl.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h t_crl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h t_crl.o: ../../include/openssl/cast.h ../../include/openssl/conf.h t_crl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h t_crl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h t_crl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h t_crl.o: ../../include/openssl/err.h ../../include/openssl/evp.h t_crl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h t_crl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h t_crl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h t_crl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h t_crl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h t_crl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h t_crl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h t_crl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h t_crl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h t_crl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h t_crl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h t_crl.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h t_crl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h t_crl.o: ../cryptlib.h t_crl.c t_pkey.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h t_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h t_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h t_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h t_pkey.o: ../../include/openssl/err.h ../../include/openssl/lhash.h t_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h t_pkey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h t_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h t_pkey.o: ../../include/openssl/symhacks.h ../cryptlib.h t_pkey.c t_req.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h t_req.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h t_req.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h t_req.o: ../../include/openssl/cast.h ../../include/openssl/conf.h t_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h t_req.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h t_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h t_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h t_req.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h t_req.o: ../../include/openssl/md2.h ../../include/openssl/md4.h t_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h t_req.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h t_req.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h t_req.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h t_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h t_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h t_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h t_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h t_req.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h t_req.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h t_req.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h t_req.o: ../cryptlib.h t_req.c t_spki.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h t_spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h t_spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h t_spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h t_spki.o: ../../include/openssl/des.h ../../include/openssl/des_old.h t_spki.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h t_spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h t_spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h t_spki.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h t_spki.o: ../../include/openssl/md4.h ../../include/openssl/md5.h t_spki.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h t_spki.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h t_spki.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h t_spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h t_spki.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h t_spki.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h t_spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h t_spki.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h t_spki.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h t_spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h t_spki.o: ../cryptlib.h t_spki.c t_x509.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h t_x509.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h t_x509.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h t_x509.o: ../../include/openssl/cast.h ../../include/openssl/conf.h t_x509.o: ../../include/openssl/crypto.h ../../include/openssl/des.h t_x509.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h t_x509.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h t_x509.o: ../../include/openssl/err.h ../../include/openssl/evp.h t_x509.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h t_x509.o: ../../include/openssl/md2.h ../../include/openssl/md4.h t_x509.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h t_x509.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h t_x509.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h t_x509.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h t_x509.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h t_x509.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h t_x509.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h t_x509.o: ../../include/openssl/sha.h ../../include/openssl/stack.h t_x509.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h t_x509.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h t_x509.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h t_x509.o: ../cryptlib.h t_x509.c t_x509a.o: ../../e_os.h ../../include/openssl/aes.h t_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h t_x509a.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h t_x509a.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h t_x509a.o: ../../include/openssl/crypto.h ../../include/openssl/des.h t_x509a.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h t_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h t_x509a.o: ../../include/openssl/err.h ../../include/openssl/evp.h t_x509a.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h t_x509a.o: ../../include/openssl/md2.h ../../include/openssl/md4.h t_x509a.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h t_x509a.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h t_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h t_x509a.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h t_x509a.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h t_x509a.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h t_x509a.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h t_x509a.o: ../../include/openssl/sha.h ../../include/openssl/stack.h t_x509a.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h t_x509a.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h t_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h t_x509a.c tasn_dec.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h tasn_dec.o: ../../include/openssl/bio.h ../../include/openssl/bn.h tasn_dec.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h tasn_dec.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h tasn_dec.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h tasn_dec.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h tasn_dec.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h tasn_dec.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h tasn_dec.o: ../../include/openssl/symhacks.h tasn_dec.c tasn_enc.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h tasn_enc.o: ../../include/openssl/bio.h ../../include/openssl/bn.h tasn_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h tasn_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h tasn_enc.o: ../../include/openssl/opensslconf.h tasn_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h tasn_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h tasn_enc.o: ../../include/openssl/symhacks.h tasn_enc.c tasn_fre.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h tasn_fre.o: ../../include/openssl/bio.h ../../include/openssl/bn.h tasn_fre.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h tasn_fre.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h tasn_fre.o: ../../include/openssl/opensslconf.h tasn_fre.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h tasn_fre.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h tasn_fre.o: ../../include/openssl/symhacks.h tasn_fre.c tasn_new.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h tasn_new.o: ../../include/openssl/bio.h ../../include/openssl/bn.h tasn_new.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h tasn_new.o: ../../include/openssl/err.h ../../include/openssl/lhash.h tasn_new.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h tasn_new.o: ../../include/openssl/opensslconf.h tasn_new.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h tasn_new.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h tasn_new.o: ../../include/openssl/symhacks.h tasn_new.c tasn_typ.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h tasn_typ.o: ../../include/openssl/bio.h ../../include/openssl/bn.h tasn_typ.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h tasn_typ.o: ../../include/openssl/opensslconf.h tasn_typ.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h tasn_typ.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h tasn_typ.o: ../../include/openssl/symhacks.h tasn_typ.c tasn_utl.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h tasn_utl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h tasn_utl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h tasn_utl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h tasn_utl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h tasn_utl.o: ../../include/openssl/opensslconf.h tasn_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h tasn_utl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h tasn_utl.o: ../../include/openssl/symhacks.h tasn_utl.c x_algor.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h x_algor.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h x_algor.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x_algor.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x_algor.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x_algor.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x_algor.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x_algor.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x_algor.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x_algor.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x_algor.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x_algor.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x_algor.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x_algor.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x_algor.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x_algor.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x_algor.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x_algor.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x_algor.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x_algor.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x_algor.o: x_algor.c x_attrib.o: ../../e_os.h ../../include/openssl/aes.h x_attrib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h x_attrib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h x_attrib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h x_attrib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h x_attrib.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x_attrib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x_attrib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x_attrib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x_attrib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x_attrib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x_attrib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x_attrib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x_attrib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x_attrib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x_attrib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x_attrib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x_attrib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x_attrib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x_attrib.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x_attrib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x_attrib.o: ../cryptlib.h x_attrib.c x_bignum.o: ../../e_os.h ../../include/openssl/asn1.h x_bignum.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h x_bignum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h x_bignum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h x_bignum.o: ../../include/openssl/err.h ../../include/openssl/lhash.h x_bignum.o: ../../include/openssl/opensslconf.h x_bignum.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x_bignum.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h x_bignum.o: ../../include/openssl/symhacks.h ../cryptlib.h x_bignum.c x_crl.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h x_crl.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h x_crl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x_crl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x_crl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x_crl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x_crl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x_crl.o: ../../include/openssl/err.h ../../include/openssl/evp.h x_crl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x_crl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x_crl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x_crl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x_crl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h x_crl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h x_crl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h x_crl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h x_crl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h x_crl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x_crl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h x_crl.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h x_crl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_crl.c x_exten.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h x_exten.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h x_exten.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x_exten.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x_exten.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x_exten.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x_exten.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x_exten.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x_exten.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x_exten.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x_exten.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x_exten.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x_exten.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x_exten.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x_exten.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x_exten.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x_exten.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x_exten.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x_exten.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x_exten.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x_exten.o: x_exten.c x_info.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h x_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h x_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h x_info.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h x_info.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x_info.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x_info.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x_info.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x_info.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x_info.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x_info.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x_info.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x_info.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x_info.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x_info.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x_info.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x_info.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x_info.o: ../cryptlib.h x_info.c x_long.o: ../../e_os.h ../../include/openssl/asn1.h x_long.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h x_long.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h x_long.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h x_long.o: ../../include/openssl/err.h ../../include/openssl/lhash.h x_long.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h x_long.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h x_long.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x_long.o: ../cryptlib.h x_long.c x_name.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h x_name.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h x_name.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x_name.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x_name.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x_name.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x_name.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x_name.o: ../../include/openssl/err.h ../../include/openssl/evp.h x_name.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x_name.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x_name.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x_name.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x_name.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h x_name.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h x_name.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h x_name.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h x_name.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h x_name.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x_name.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h x_name.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h x_name.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_name.c x_pkey.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h x_pkey.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h x_pkey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x_pkey.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h x_pkey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x_pkey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h x_pkey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h x_pkey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h x_pkey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h x_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h x_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h x_pkey.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h x_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_pkey.c x_pubkey.o: ../../e_os.h ../../include/openssl/aes.h x_pubkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h x_pubkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h x_pubkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h x_pubkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h x_pubkey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x_pubkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x_pubkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x_pubkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x_pubkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x_pubkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x_pubkey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x_pubkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x_pubkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x_pubkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x_pubkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x_pubkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x_pubkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x_pubkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x_pubkey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x_pubkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x_pubkey.o: ../cryptlib.h x_pubkey.c x_req.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h x_req.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h x_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x_req.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h x_req.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x_req.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x_req.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x_req.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h x_req.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h x_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h x_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h x_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h x_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x_req.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h x_req.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h x_req.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_req.c x_sig.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h x_sig.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h x_sig.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x_sig.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x_sig.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x_sig.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x_sig.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x_sig.o: ../../include/openssl/err.h ../../include/openssl/evp.h x_sig.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x_sig.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x_sig.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x_sig.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x_sig.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h x_sig.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h x_sig.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h x_sig.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h x_sig.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h x_sig.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x_sig.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h x_sig.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h x_sig.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_sig.c x_spki.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h x_spki.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h x_spki.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x_spki.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x_spki.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x_spki.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x_spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x_spki.o: ../../include/openssl/err.h ../../include/openssl/evp.h x_spki.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x_spki.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x_spki.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x_spki.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x_spki.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h x_spki.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h x_spki.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h x_spki.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h x_spki.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h x_spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x_spki.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h x_spki.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h x_spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_spki.c x_val.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h x_val.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h x_val.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x_val.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x_val.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x_val.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x_val.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x_val.o: ../../include/openssl/err.h ../../include/openssl/evp.h x_val.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x_val.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x_val.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x_val.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x_val.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h x_val.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h x_val.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h x_val.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h x_val.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h x_val.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x_val.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h x_val.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h x_val.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_val.c x_x509.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h x_x509.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h x_x509.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x_x509.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x_x509.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h x_x509.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x_x509.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x_x509.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x_x509.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x_x509.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x_x509.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x_x509.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x_x509.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x_x509.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x_x509.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x_x509.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x_x509.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x_x509.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x_x509.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x_x509.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x_x509.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x_x509.o: ../../include/openssl/x509v3.h ../cryptlib.h x_x509.c x_x509a.o: ../../e_os.h ../../include/openssl/aes.h x_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h x_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h x_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h x_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h x_x509a.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x_x509a.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x_x509a.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x_x509a.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x_x509a.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x_x509a.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x_x509a.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x_x509a.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x_x509a.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x_x509a.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x_x509a.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x_x509a.o: ../cryptlib.h x_x509a.c diff --git a/crypto/openssl/crypto/asn1/a_gentm.c b/crypto/openssl/crypto/asn1/a_gentm.c index cd09f68b38f6..85810078681e 100644 --- a/crypto/openssl/crypto/asn1/a_gentm.c +++ b/crypto/openssl/crypto/asn1/a_gentm.c @@ -1,239 +1,240 @@ /* crypto/asn1/a_gentm.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* GENERALIZEDTIME implementation, written by Steve Henson. Based on UTCTIME */ #include #include #include "cryptlib.h" #include "o_time.h" #include #if 0 int i2d_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME *a, unsigned char **pp) { #ifdef CHARSET_EBCDIC /* KLUDGE! We convert to ascii before writing DER */ int len; char tmp[24]; ASN1_STRING tmpstr = *(ASN1_STRING *)a; len = tmpstr.length; ebcdic2ascii(tmp, tmpstr.data, (len >= sizeof tmp) ? sizeof tmp : len); tmpstr.data = tmp; a = (ASN1_GENERALIZEDTIME *) &tmpstr; #endif return(i2d_ASN1_bytes((ASN1_STRING *)a,pp, V_ASN1_GENERALIZEDTIME,V_ASN1_UNIVERSAL)); } ASN1_GENERALIZEDTIME *d2i_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME **a, unsigned char **pp, long length) { ASN1_GENERALIZEDTIME *ret=NULL; ret=(ASN1_GENERALIZEDTIME *)d2i_ASN1_bytes((ASN1_STRING **)a,pp,length, V_ASN1_GENERALIZEDTIME,V_ASN1_UNIVERSAL); if (ret == NULL) { ASN1err(ASN1_F_D2I_ASN1_GENERALIZEDTIME,ERR_R_NESTED_ASN1_ERROR); return(NULL); } #ifdef CHARSET_EBCDIC ascii2ebcdic(ret->data, ret->data, ret->length); #endif if (!ASN1_GENERALIZEDTIME_check(ret)) { ASN1err(ASN1_F_D2I_ASN1_GENERALIZEDTIME,ASN1_R_INVALID_TIME_FORMAT); goto err; } return(ret); err: if ((ret != NULL) && ((a == NULL) || (*a != ret))) M_ASN1_GENERALIZEDTIME_free(ret); return(NULL); } #endif int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d) { static int min[9]={ 0, 0, 1, 1, 0, 0, 0, 0, 0}; static int max[9]={99, 99,12,31,23,59,59,12,59}; char *a; int n,i,l,o; if (d->type != V_ASN1_GENERALIZEDTIME) return(0); l=d->length; a=(char *)d->data; o=0; /* GENERALIZEDTIME is similar to UTCTIME except the year is * represented as YYYY. This stuff treats everything as a two digit * field so make first two fields 00 to 99 */ if (l < 13) goto err; for (i=0; i<7; i++) { if ((i == 6) && ((a[o] == 'Z') || (a[o] == '+') || (a[o] == '-'))) { i++; break; } if ((a[o] < '0') || (a[o] > '9')) goto err; n= a[o]-'0'; if (++o > l) goto err; if ((a[o] < '0') || (a[o] > '9')) goto err; n=(n*10)+ a[o]-'0'; if (++o > l) goto err; if ((n < min[i]) || (n > max[i])) goto err; } /* Optional fractional seconds: decimal point followed by one * or more digits. */ if (a[o] == '.') { if (++o > l) goto err; i = o; while ((a[o] >= '0') && (a[o] <= '9') && (o <= l)) o++; /* Must have at least one digit after decimal point */ if (i == o) goto err; } if (a[o] == 'Z') o++; else if ((a[o] == '+') || (a[o] == '-')) { o++; if (o+4 > l) goto err; for (i=7; i<9; i++) { if ((a[o] < '0') || (a[o] > '9')) goto err; n= a[o]-'0'; o++; if ((a[o] < '0') || (a[o] > '9')) goto err; n=(n*10)+ a[o]-'0'; if ((n < min[i]) || (n > max[i])) goto err; o++; } } return(o == l); err: return(0); } int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str) { ASN1_GENERALIZEDTIME t; t.type=V_ASN1_GENERALIZEDTIME; t.length=strlen(str); t.data=(unsigned char *)str; if (ASN1_GENERALIZEDTIME_check(&t)) { if (s != NULL) { ASN1_STRING_set((ASN1_STRING *)s, (unsigned char *)str,t.length); s->type=V_ASN1_GENERALIZEDTIME; } return(1); } else return(0); } ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s, time_t t) { char *p; struct tm *ts; struct tm data; + size_t len = 20; if (s == NULL) s=M_ASN1_GENERALIZEDTIME_new(); if (s == NULL) return(NULL); ts=OPENSSL_gmtime(&t, &data); if (ts == NULL) return(NULL); p=(char *)s->data; - if ((p == NULL) || (s->length < 16)) + if ((p == NULL) || ((size_t)s->length < len)) { - p=OPENSSL_malloc(20); + p=OPENSSL_malloc(len); if (p == NULL) return(NULL); if (s->data != NULL) OPENSSL_free(s->data); s->data=(unsigned char *)p; } - sprintf(p,"%04d%02d%02d%02d%02d%02dZ",ts->tm_year + 1900, - ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec); + BIO_snprintf(p,len,"%04d%02d%02d%02d%02d%02dZ",ts->tm_year + 1900, + ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec); s->length=strlen(p); s->type=V_ASN1_GENERALIZEDTIME; #ifdef CHARSET_EBCDIC_not ebcdic2ascii(s->data, s->data, s->length); #endif return(s); } diff --git a/crypto/openssl/crypto/asn1/a_mbstr.c b/crypto/openssl/crypto/asn1/a_mbstr.c index e8a26af521f2..208b3ec395f1 100644 --- a/crypto/openssl/crypto/asn1/a_mbstr.c +++ b/crypto/openssl/crypto/asn1/a_mbstr.c @@ -1,400 +1,400 @@ /* a_mbstr.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 1999. */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include "cryptlib.h" #include static int traverse_string(const unsigned char *p, int len, int inform, int (*rfunc)(unsigned long value, void *in), void *arg); static int in_utf8(unsigned long value, void *arg); static int out_utf8(unsigned long value, void *arg); static int type_str(unsigned long value, void *arg); static int cpy_asc(unsigned long value, void *arg); static int cpy_bmp(unsigned long value, void *arg); static int cpy_univ(unsigned long value, void *arg); static int cpy_utf8(unsigned long value, void *arg); static int is_printable(unsigned long value); /* These functions take a string in UTF8, ASCII or multibyte form and * a mask of permissible ASN1 string types. It then works out the minimal * type (using the order Printable < IA5 < T61 < BMP < Universal < UTF8) * and creates a string of the correct type with the supplied data. * Yes this is horrible: it has to be :-( * The 'ncopy' form checks minimum and maximum size limits too. */ int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len, int inform, unsigned long mask) { return ASN1_mbstring_ncopy(out, in, len, inform, mask, 0, 0); } int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, int inform, unsigned long mask, long minsize, long maxsize) { int str_type; int ret; char free_out; int outform, outlen; ASN1_STRING *dest; unsigned char *p; int nchar; char strbuf[32]; int (*cpyfunc)(unsigned long,void *) = NULL; if(len == -1) len = strlen((const char *)in); if(!mask) mask = DIRSTRING_TYPE; /* First do a string check and work out the number of characters */ switch(inform) { case MBSTRING_BMP: if(len & 1) { ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_INVALID_BMPSTRING_LENGTH); return -1; } nchar = len >> 1; break; case MBSTRING_UNIV: if(len & 3) { ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_INVALID_UNIVERSALSTRING_LENGTH); return -1; } nchar = len >> 2; break; case MBSTRING_UTF8: nchar = 0; /* This counts the characters and does utf8 syntax checking */ ret = traverse_string(in, len, MBSTRING_UTF8, in_utf8, &nchar); if(ret < 0) { ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_INVALID_UTF8STRING); return -1; } break; case MBSTRING_ASC: nchar = len; break; default: ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_UNKNOWN_FORMAT); return -1; } if((minsize > 0) && (nchar < minsize)) { ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_SHORT); - sprintf(strbuf, "%ld", minsize); + BIO_snprintf(strbuf, sizeof strbuf, "%ld", minsize); ERR_add_error_data(2, "minsize=", strbuf); return -1; } if((maxsize > 0) && (nchar > maxsize)) { ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_LONG); - sprintf(strbuf, "%ld", maxsize); + BIO_snprintf(strbuf, sizeof strbuf, "%ld", maxsize); ERR_add_error_data(2, "maxsize=", strbuf); return -1; } /* Now work out minimal type (if any) */ if(traverse_string(in, len, inform, type_str, &mask) < 0) { ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_ILLEGAL_CHARACTERS); return -1; } /* Now work out output format and string type */ outform = MBSTRING_ASC; if(mask & B_ASN1_PRINTABLESTRING) str_type = V_ASN1_PRINTABLESTRING; else if(mask & B_ASN1_IA5STRING) str_type = V_ASN1_IA5STRING; else if(mask & B_ASN1_T61STRING) str_type = V_ASN1_T61STRING; else if(mask & B_ASN1_BMPSTRING) { str_type = V_ASN1_BMPSTRING; outform = MBSTRING_BMP; } else if(mask & B_ASN1_UNIVERSALSTRING) { str_type = V_ASN1_UNIVERSALSTRING; outform = MBSTRING_UNIV; } else { str_type = V_ASN1_UTF8STRING; outform = MBSTRING_UTF8; } if(!out) return str_type; if(*out) { free_out = 0; dest = *out; if(dest->data) { dest->length = 0; OPENSSL_free(dest->data); dest->data = NULL; } dest->type = str_type; } else { free_out = 1; dest = ASN1_STRING_type_new(str_type); if(!dest) { ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ERR_R_MALLOC_FAILURE); return -1; } *out = dest; } /* If both the same type just copy across */ if(inform == outform) { if(!ASN1_STRING_set(dest, in, len)) { ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE); return -1; } return str_type; } /* Work out how much space the destination will need */ switch(outform) { case MBSTRING_ASC: outlen = nchar; cpyfunc = cpy_asc; break; case MBSTRING_BMP: outlen = nchar << 1; cpyfunc = cpy_bmp; break; case MBSTRING_UNIV: outlen = nchar << 2; cpyfunc = cpy_univ; break; case MBSTRING_UTF8: outlen = 0; traverse_string(in, len, inform, out_utf8, &outlen); cpyfunc = cpy_utf8; break; } if(!(p = OPENSSL_malloc(outlen + 1))) { if(free_out) ASN1_STRING_free(dest); ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE); return -1; } dest->length = outlen; dest->data = p; p[outlen] = 0; traverse_string(in, len, inform, cpyfunc, &p); return str_type; } /* This function traverses a string and passes the value of each character * to an optional function along with a void * argument. */ static int traverse_string(const unsigned char *p, int len, int inform, int (*rfunc)(unsigned long value, void *in), void *arg) { unsigned long value; int ret; while(len) { if(inform == MBSTRING_ASC) { value = *p++; len--; } else if(inform == MBSTRING_BMP) { value = *p++ << 8; value |= *p++; len -= 2; } else if(inform == MBSTRING_UNIV) { value = ((unsigned long)*p++) << 24; value |= ((unsigned long)*p++) << 16; value |= *p++ << 8; value |= *p++; len -= 4; } else { ret = UTF8_getc(p, len, &value); if(ret < 0) return -1; len -= ret; p += ret; } if(rfunc) { ret = rfunc(value, arg); if(ret <= 0) return ret; } } return 1; } /* Various utility functions for traverse_string */ /* Just count number of characters */ static int in_utf8(unsigned long value, void *arg) { int *nchar; nchar = arg; (*nchar)++; return 1; } /* Determine size of output as a UTF8 String */ static int out_utf8(unsigned long value, void *arg) { int *outlen; outlen = arg; *outlen += UTF8_putc(NULL, -1, value); return 1; } /* Determine the "type" of a string: check each character against a * supplied "mask". */ static int type_str(unsigned long value, void *arg) { unsigned long types; types = *((unsigned long *)arg); if((types & B_ASN1_PRINTABLESTRING) && !is_printable(value)) types &= ~B_ASN1_PRINTABLESTRING; if((types & B_ASN1_IA5STRING) && (value > 127)) types &= ~B_ASN1_IA5STRING; if((types & B_ASN1_T61STRING) && (value > 0xff)) types &= ~B_ASN1_T61STRING; if((types & B_ASN1_BMPSTRING) && (value > 0xffff)) types &= ~B_ASN1_BMPSTRING; if(!types) return -1; *((unsigned long *)arg) = types; return 1; } /* Copy one byte per character ASCII like strings */ static int cpy_asc(unsigned long value, void *arg) { unsigned char **p, *q; p = arg; q = *p; *q = (unsigned char) value; (*p)++; return 1; } /* Copy two byte per character BMPStrings */ static int cpy_bmp(unsigned long value, void *arg) { unsigned char **p, *q; p = arg; q = *p; *q++ = (unsigned char) ((value >> 8) & 0xff); *q = (unsigned char) (value & 0xff); *p += 2; return 1; } /* Copy four byte per character UniversalStrings */ static int cpy_univ(unsigned long value, void *arg) { unsigned char **p, *q; p = arg; q = *p; *q++ = (unsigned char) ((value >> 24) & 0xff); *q++ = (unsigned char) ((value >> 16) & 0xff); *q++ = (unsigned char) ((value >> 8) & 0xff); *q = (unsigned char) (value & 0xff); *p += 4; return 1; } /* Copy to a UTF8String */ static int cpy_utf8(unsigned long value, void *arg) { unsigned char **p; int ret; p = arg; /* We already know there is enough room so pass 0xff as the length */ ret = UTF8_putc(*p, 0xff, value); *p += ret; return 1; } /* Return 1 if the character is permitted in a PrintableString */ static int is_printable(unsigned long value) { int ch; if(value > 0x7f) return 0; ch = (int) value; /* Note: we can't use 'isalnum' because certain accented * characters may count as alphanumeric in some environments. */ #ifndef CHARSET_EBCDIC if((ch >= 'a') && (ch <= 'z')) return 1; if((ch >= 'A') && (ch <= 'Z')) return 1; if((ch >= '0') && (ch <= '9')) return 1; if ((ch == ' ') || strchr("'()+,-./:=?", ch)) return 1; #else /*CHARSET_EBCDIC*/ if((ch >= os_toascii['a']) && (ch <= os_toascii['z'])) return 1; if((ch >= os_toascii['A']) && (ch <= os_toascii['Z'])) return 1; if((ch >= os_toascii['0']) && (ch <= os_toascii['9'])) return 1; if ((ch == os_toascii[' ']) || strchr("'()+,-./:=?", os_toebcdic[ch])) return 1; #endif /*CHARSET_EBCDIC*/ return 0; } diff --git a/crypto/openssl/crypto/asn1/a_strex.c b/crypto/openssl/crypto/asn1/a_strex.c index 8abfdfe59804..bde666a6ff15 100644 --- a/crypto/openssl/crypto/asn1/a_strex.c +++ b/crypto/openssl/crypto/asn1/a_strex.c @@ -1,562 +1,562 @@ /* a_strex.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 2000. */ /* ==================================================================== * Copyright (c) 2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include #include #include #include "charmap.h" #include "cryptlib.h" /* ASN1_STRING_print_ex() and X509_NAME_print_ex(). * Enhanced string and name printing routines handling * multibyte characters, RFC2253 and a host of other * options. */ #define CHARTYPE_BS_ESC (ASN1_STRFLGS_ESC_2253 | CHARTYPE_FIRST_ESC_2253 | CHARTYPE_LAST_ESC_2253) /* Three IO functions for sending data to memory, a BIO and * and a FILE pointer. */ #if 0 /* never used */ static int send_mem_chars(void *arg, const void *buf, int len) { unsigned char **out = arg; if(!out) return 1; memcpy(*out, buf, len); *out += len; return 1; } #endif static int send_bio_chars(void *arg, const void *buf, int len) { if(!arg) return 1; if(BIO_write(arg, buf, len) != len) return 0; return 1; } static int send_fp_chars(void *arg, const void *buf, int len) { if(!arg) return 1; if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0; return 1; } typedef int char_io(void *arg, const void *buf, int len); /* This function handles display of * strings, one character at a time. * It is passed an unsigned long for each * character because it could come from 2 or even * 4 byte forms. */ static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, char_io *io_ch, void *arg) { unsigned char chflgs, chtmp; char tmphex[HEX_SIZE(long)+3]; if(c > 0xffffffffL) return -1; if(c > 0xffff) { BIO_snprintf(tmphex, sizeof tmphex, "\\W%08lX", c); if(!io_ch(arg, tmphex, 10)) return -1; return 10; } if(c > 0xff) { BIO_snprintf(tmphex, sizeof tmphex, "\\U%04lX", c); if(!io_ch(arg, tmphex, 6)) return -1; return 6; } chtmp = (unsigned char)c; if(chtmp > 0x7f) chflgs = flags & ASN1_STRFLGS_ESC_MSB; else chflgs = char_type[chtmp] & flags; if(chflgs & CHARTYPE_BS_ESC) { /* If we don't escape with quotes, signal we need quotes */ if(chflgs & ASN1_STRFLGS_ESC_QUOTE) { if(do_quotes) *do_quotes = 1; if(!io_ch(arg, &chtmp, 1)) return -1; return 1; } if(!io_ch(arg, "\\", 1)) return -1; if(!io_ch(arg, &chtmp, 1)) return -1; return 2; } if(chflgs & (ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_ESC_MSB)) { BIO_snprintf(tmphex, 11, "\\%02X", chtmp); if(!io_ch(arg, tmphex, 3)) return -1; return 3; } if(!io_ch(arg, &chtmp, 1)) return -1; return 1; } #define BUF_TYPE_WIDTH_MASK 0x7 #define BUF_TYPE_CONVUTF8 0x8 /* This function sends each character in a buffer to * do_esc_char(). It interprets the content formats * and converts to or from UTF8 as appropriate. */ static int do_buf(unsigned char *buf, int buflen, int type, unsigned char flags, char *quotes, char_io *io_ch, void *arg) { int i, outlen, len; unsigned char orflags, *p, *q; unsigned long c; p = buf; q = buf + buflen; outlen = 0; while(p != q) { if(p == buf) orflags = CHARTYPE_FIRST_ESC_2253; else orflags = 0; switch(type & BUF_TYPE_WIDTH_MASK) { case 4: c = ((unsigned long)*p++) << 24; c |= ((unsigned long)*p++) << 16; c |= ((unsigned long)*p++) << 8; c |= *p++; break; case 2: c = ((unsigned long)*p++) << 8; c |= *p++; break; case 1: c = *p++; break; case 0: i = UTF8_getc(p, buflen, &c); if(i < 0) return -1; /* Invalid UTF8String */ p += i; break; } if (p == q) orflags = CHARTYPE_LAST_ESC_2253; if(type & BUF_TYPE_CONVUTF8) { unsigned char utfbuf[6]; int utflen; utflen = UTF8_putc(utfbuf, sizeof utfbuf, c); for(i = 0; i < utflen; i++) { /* We don't need to worry about setting orflags correctly * because if utflen==1 its value will be correct anyway * otherwise each character will be > 0x7f and so the * character will never be escaped on first and last. */ len = do_esc_char(utfbuf[i], (unsigned char)(flags | orflags), quotes, io_ch, arg); if(len < 0) return -1; outlen += len; } } else { len = do_esc_char(c, (unsigned char)(flags | orflags), quotes, io_ch, arg); if(len < 0) return -1; outlen += len; } } return outlen; } /* This function hex dumps a buffer of characters */ static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen) { const static char hexdig[] = "0123456789ABCDEF"; unsigned char *p, *q; char hextmp[2]; if(arg) { p = buf; q = buf + buflen; while(p != q) { hextmp[0] = hexdig[*p >> 4]; hextmp[1] = hexdig[*p & 0xf]; if(!io_ch(arg, hextmp, 2)) return -1; p++; } } return buflen << 1; } /* "dump" a string. This is done when the type is unknown, * or the flags request it. We can either dump the content * octets or the entire DER encoding. This uses the RFC2253 * #01234 format. */ static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str) { /* Placing the ASN1_STRING in a temp ASN1_TYPE allows * the DER encoding to readily obtained */ ASN1_TYPE t; unsigned char *der_buf, *p; int outlen, der_len; if(!io_ch(arg, "#", 1)) return -1; /* If we don't dump DER encoding just dump content octets */ if(!(lflags & ASN1_STRFLGS_DUMP_DER)) { outlen = do_hex_dump(io_ch, arg, str->data, str->length); if(outlen < 0) return -1; return outlen + 1; } t.type = str->type; t.value.ptr = (char *)str; der_len = i2d_ASN1_TYPE(&t, NULL); der_buf = OPENSSL_malloc(der_len); if(!der_buf) return -1; p = der_buf; i2d_ASN1_TYPE(&t, &p); outlen = do_hex_dump(io_ch, arg, der_buf, der_len); OPENSSL_free(der_buf); if(outlen < 0) return -1; return outlen + 1; } /* Lookup table to convert tags to character widths, * 0 = UTF8 encoded, -1 is used for non string types * otherwise it is the number of bytes per character */ const static signed char tag2nbyte[] = { -1, -1, -1, -1, -1, /* 0-4 */ -1, -1, -1, -1, -1, /* 5-9 */ -1, -1, 0, -1, /* 10-13 */ -1, -1, -1, -1, /* 15-17 */ -1, 1, 1, /* 18-20 */ - -1, 1, -1,-1, /* 21-24 */ + -1, 1, 1, 1, /* 21-24 */ -1, 1, -1, /* 25-27 */ 4, -1, 2 /* 28-30 */ }; #define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \ ASN1_STRFLGS_ESC_QUOTE | \ ASN1_STRFLGS_ESC_CTRL | \ ASN1_STRFLGS_ESC_MSB) /* This is the main function, print out an * ASN1_STRING taking note of various escape * and display options. Returns number of * characters written or -1 if an error * occurred. */ static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags, ASN1_STRING *str) { int outlen, len; int type; char quotes; unsigned char flags; quotes = 0; /* Keep a copy of escape flags */ flags = (unsigned char)(lflags & ESC_FLAGS); type = str->type; outlen = 0; if(lflags & ASN1_STRFLGS_SHOW_TYPE) { const char *tagname; tagname = ASN1_tag2str(type); outlen += strlen(tagname); if(!io_ch(arg, tagname, outlen) || !io_ch(arg, ":", 1)) return -1; outlen++; } /* Decide what to do with type, either dump content or display it */ /* Dump everything */ if(lflags & ASN1_STRFLGS_DUMP_ALL) type = -1; /* Ignore the string type */ else if(lflags & ASN1_STRFLGS_IGNORE_TYPE) type = 1; else { /* Else determine width based on type */ if((type > 0) && (type < 31)) type = tag2nbyte[type]; else type = -1; if((type == -1) && !(lflags & ASN1_STRFLGS_DUMP_UNKNOWN)) type = 1; } if(type == -1) { len = do_dump(lflags, io_ch, arg, str); if(len < 0) return -1; outlen += len; return outlen; } if(lflags & ASN1_STRFLGS_UTF8_CONVERT) { /* Note: if string is UTF8 and we want * to convert to UTF8 then we just interpret * it as 1 byte per character to avoid converting * twice. */ if(!type) type = 1; else type |= BUF_TYPE_CONVUTF8; } len = do_buf(str->data, str->length, type, flags, "es, io_ch, NULL); if(outlen < 0) return -1; outlen += len; if(quotes) outlen += 2; if(!arg) return outlen; if(quotes && !io_ch(arg, "\"", 1)) return -1; do_buf(str->data, str->length, type, flags, NULL, io_ch, arg); if(quotes && !io_ch(arg, "\"", 1)) return -1; return outlen; } /* Used for line indenting: print 'indent' spaces */ static int do_indent(char_io *io_ch, void *arg, int indent) { int i; for(i = 0; i < indent; i++) if(!io_ch(arg, " ", 1)) return 0; return 1; } #define FN_WIDTH_LN 25 #define FN_WIDTH_SN 10 static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n, int indent, unsigned long flags) { int i, prev = -1, orflags, cnt; int fn_opt, fn_nid; ASN1_OBJECT *fn; ASN1_STRING *val; X509_NAME_ENTRY *ent; char objtmp[80]; const char *objbuf; int outlen, len; char *sep_dn, *sep_mv, *sep_eq; int sep_dn_len, sep_mv_len, sep_eq_len; if(indent < 0) indent = 0; outlen = indent; if(!do_indent(io_ch, arg, indent)) return -1; switch (flags & XN_FLAG_SEP_MASK) { case XN_FLAG_SEP_MULTILINE: sep_dn = "\n"; sep_dn_len = 1; sep_mv = " + "; sep_mv_len = 3; break; case XN_FLAG_SEP_COMMA_PLUS: sep_dn = ","; sep_dn_len = 1; sep_mv = "+"; sep_mv_len = 1; indent = 0; break; case XN_FLAG_SEP_CPLUS_SPC: sep_dn = ", "; sep_dn_len = 2; sep_mv = " + "; sep_mv_len = 3; indent = 0; break; case XN_FLAG_SEP_SPLUS_SPC: sep_dn = "; "; sep_dn_len = 2; sep_mv = " + "; sep_mv_len = 3; indent = 0; break; default: return -1; } if(flags & XN_FLAG_SPC_EQ) { sep_eq = " = "; sep_eq_len = 3; } else { sep_eq = "="; sep_eq_len = 1; } fn_opt = flags & XN_FLAG_FN_MASK; cnt = X509_NAME_entry_count(n); for(i = 0; i < cnt; i++) { if(flags & XN_FLAG_DN_REV) ent = X509_NAME_get_entry(n, cnt - i - 1); else ent = X509_NAME_get_entry(n, i); if(prev != -1) { if(prev == ent->set) { if(!io_ch(arg, sep_mv, sep_mv_len)) return -1; outlen += sep_mv_len; } else { if(!io_ch(arg, sep_dn, sep_dn_len)) return -1; outlen += sep_dn_len; if(!do_indent(io_ch, arg, indent)) return -1; outlen += indent; } } prev = ent->set; fn = X509_NAME_ENTRY_get_object(ent); val = X509_NAME_ENTRY_get_data(ent); fn_nid = OBJ_obj2nid(fn); if(fn_opt != XN_FLAG_FN_NONE) { int objlen, fld_len; if((fn_opt == XN_FLAG_FN_OID) || (fn_nid==NID_undef) ) { OBJ_obj2txt(objtmp, sizeof objtmp, fn, 1); fld_len = 0; /* XXX: what should this be? */ objbuf = objtmp; } else { if(fn_opt == XN_FLAG_FN_SN) { fld_len = FN_WIDTH_SN; objbuf = OBJ_nid2sn(fn_nid); } else if(fn_opt == XN_FLAG_FN_LN) { fld_len = FN_WIDTH_LN; objbuf = OBJ_nid2ln(fn_nid); } else { fld_len = 0; /* XXX: what should this be? */ objbuf = ""; } } objlen = strlen(objbuf); if(!io_ch(arg, objbuf, objlen)) return -1; if ((objlen < fld_len) && (flags & XN_FLAG_FN_ALIGN)) { if (!do_indent(io_ch, arg, fld_len - objlen)) return -1; outlen += fld_len - objlen; } if(!io_ch(arg, sep_eq, sep_eq_len)) return -1; outlen += objlen + sep_eq_len; } /* If the field name is unknown then fix up the DER dump * flag. We might want to limit this further so it will * DER dump on anything other than a few 'standard' fields. */ if((fn_nid == NID_undef) && (flags & XN_FLAG_DUMP_UNKNOWN_FIELDS)) orflags = ASN1_STRFLGS_DUMP_ALL; else orflags = 0; len = do_print_ex(io_ch, arg, flags | orflags, val); if(len < 0) return -1; outlen += len; } return outlen; } /* Wrappers round the main functions */ int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags) { if(flags == XN_FLAG_COMPAT) return X509_NAME_print(out, nm, indent); return do_name_ex(send_bio_chars, out, nm, indent, flags); } int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags) { if(flags == XN_FLAG_COMPAT) { BIO *btmp; int ret; btmp = BIO_new_fp(fp, BIO_NOCLOSE); if(!btmp) return -1; ret = X509_NAME_print(btmp, nm, indent); BIO_free(btmp); return ret; } return do_name_ex(send_fp_chars, fp, nm, indent, flags); } int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags) { return do_print_ex(send_bio_chars, out, flags, str); } int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags) { return do_print_ex(send_fp_chars, fp, flags, str); } /* Utility function: convert any string type to UTF8, returns number of bytes * in output string or a negative error code */ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in) { ASN1_STRING stmp, *str = &stmp; int mbflag, type, ret; if(!in) return -1; type = in->type; if((type < 0) || (type > 30)) return -1; mbflag = tag2nbyte[type]; if(mbflag == -1) return -1; mbflag |= MBSTRING_FLAG; stmp.data = NULL; ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING); if(ret < 0) return ret; *out = stmp.data; return stmp.length; } diff --git a/crypto/openssl/crypto/asn1/a_time.c b/crypto/openssl/crypto/asn1/a_time.c index 7348da9457b3..159681fbcb06 100644 --- a/crypto/openssl/crypto/asn1/a_time.c +++ b/crypto/openssl/crypto/asn1/a_time.c @@ -1,161 +1,164 @@ /* crypto/asn1/a_time.c */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ /* This is an implementation of the ASN1 Time structure which is: * Time ::= CHOICE { * utcTime UTCTime, * generalTime GeneralizedTime } * written by Steve Henson. */ #include #include #include "cryptlib.h" #include "o_time.h" #include IMPLEMENT_ASN1_MSTRING(ASN1_TIME, B_ASN1_TIME) IMPLEMENT_ASN1_FUNCTIONS(ASN1_TIME) #if 0 int i2d_ASN1_TIME(ASN1_TIME *a, unsigned char **pp) { #ifdef CHARSET_EBCDIC /* KLUDGE! We convert to ascii before writing DER */ char tmp[24]; ASN1_STRING tmpstr; if(a->type == V_ASN1_UTCTIME || a->type == V_ASN1_GENERALIZEDTIME) { int len; tmpstr = *(ASN1_STRING *)a; len = tmpstr.length; ebcdic2ascii(tmp, tmpstr.data, (len >= sizeof tmp) ? sizeof tmp : len); tmpstr.data = tmp; a = (ASN1_GENERALIZEDTIME *) &tmpstr; } #endif if(a->type == V_ASN1_UTCTIME || a->type == V_ASN1_GENERALIZEDTIME) return(i2d_ASN1_bytes((ASN1_STRING *)a,pp, a->type ,V_ASN1_UNIVERSAL)); ASN1err(ASN1_F_I2D_ASN1_TIME,ASN1_R_EXPECTING_A_TIME); return -1; } #endif ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t) { struct tm *ts; struct tm data; ts=OPENSSL_gmtime(&t,&data); if (ts == NULL) { ASN1err(ASN1_F_ASN1_TIME_SET, ASN1_R_ERROR_GETTING_TIME); return NULL; } if((ts->tm_year >= 50) && (ts->tm_year < 150)) return ASN1_UTCTIME_set(s, t); return ASN1_GENERALIZEDTIME_set(s,t); } int ASN1_TIME_check(ASN1_TIME *t) { if (t->type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_check(t); else if (t->type == V_ASN1_UTCTIME) return ASN1_UTCTIME_check(t); return 0; } /* Convert an ASN1_TIME structure to GeneralizedTime */ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out) { ASN1_GENERALIZEDTIME *ret; char *str; + int newlen; if (!ASN1_TIME_check(t)) return NULL; if (!out || !*out) { if (!(ret = ASN1_GENERALIZEDTIME_new ())) return NULL; if (out) *out = ret; } else ret = *out; /* If already GeneralizedTime just copy across */ if (t->type == V_ASN1_GENERALIZEDTIME) { if(!ASN1_STRING_set(ret, t->data, t->length)) return NULL; return ret; } /* grow the string */ if (!ASN1_STRING_set(ret, NULL, t->length + 2)) return NULL; + /* ASN1_STRING_set() allocated 'len + 1' bytes. */ + newlen = t->length + 2 + 1; str = (char *)ret->data; /* Work out the century and prepend */ - if (t->data[0] >= '5') strcpy(str, "19"); - else strcpy(str, "20"); + if (t->data[0] >= '5') BUF_strlcpy(str, "19", newlen); + else BUF_strlcpy(str, "20", newlen); - BUF_strlcat(str, (char *)t->data, t->length+3); /* Include space for a '\0' */ + BUF_strlcat(str, (char *)t->data, newlen); return ret; } diff --git a/crypto/openssl/crypto/asn1/a_utctm.c b/crypto/openssl/crypto/asn1/a_utctm.c index dbb4a42c9d15..999852dae527 100644 --- a/crypto/openssl/crypto/asn1/a_utctm.c +++ b/crypto/openssl/crypto/asn1/a_utctm.c @@ -1,297 +1,298 @@ /* crypto/asn1/a_utctm.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include "cryptlib.h" #include "o_time.h" #include #if 0 int i2d_ASN1_UTCTIME(ASN1_UTCTIME *a, unsigned char **pp) { #ifndef CHARSET_EBCDIC return(i2d_ASN1_bytes((ASN1_STRING *)a,pp, V_ASN1_UTCTIME,V_ASN1_UNIVERSAL)); #else /* KLUDGE! We convert to ascii before writing DER */ int len; char tmp[24]; ASN1_STRING x = *(ASN1_STRING *)a; len = x.length; ebcdic2ascii(tmp, x.data, (len >= sizeof tmp) ? sizeof tmp : len); x.data = tmp; return i2d_ASN1_bytes(&x, pp, V_ASN1_UTCTIME,V_ASN1_UNIVERSAL); #endif } ASN1_UTCTIME *d2i_ASN1_UTCTIME(ASN1_UTCTIME **a, unsigned char **pp, long length) { ASN1_UTCTIME *ret=NULL; ret=(ASN1_UTCTIME *)d2i_ASN1_bytes((ASN1_STRING **)a,pp,length, V_ASN1_UTCTIME,V_ASN1_UNIVERSAL); if (ret == NULL) { ASN1err(ASN1_F_D2I_ASN1_UTCTIME,ERR_R_NESTED_ASN1_ERROR); return(NULL); } #ifdef CHARSET_EBCDIC ascii2ebcdic(ret->data, ret->data, ret->length); #endif if (!ASN1_UTCTIME_check(ret)) { ASN1err(ASN1_F_D2I_ASN1_UTCTIME,ASN1_R_INVALID_TIME_FORMAT); goto err; } return(ret); err: if ((ret != NULL) && ((a == NULL) || (*a != ret))) M_ASN1_UTCTIME_free(ret); return(NULL); } #endif int ASN1_UTCTIME_check(ASN1_UTCTIME *d) { static int min[8]={ 0, 1, 1, 0, 0, 0, 0, 0}; static int max[8]={99,12,31,23,59,59,12,59}; char *a; int n,i,l,o; if (d->type != V_ASN1_UTCTIME) return(0); l=d->length; a=(char *)d->data; o=0; if (l < 11) goto err; for (i=0; i<6; i++) { if ((i == 5) && ((a[o] == 'Z') || (a[o] == '+') || (a[o] == '-'))) { i++; break; } if ((a[o] < '0') || (a[o] > '9')) goto err; n= a[o]-'0'; if (++o > l) goto err; if ((a[o] < '0') || (a[o] > '9')) goto err; n=(n*10)+ a[o]-'0'; if (++o > l) goto err; if ((n < min[i]) || (n > max[i])) goto err; } if (a[o] == 'Z') o++; else if ((a[o] == '+') || (a[o] == '-')) { o++; if (o+4 > l) goto err; for (i=6; i<8; i++) { if ((a[o] < '0') || (a[o] > '9')) goto err; n= a[o]-'0'; o++; if ((a[o] < '0') || (a[o] > '9')) goto err; n=(n*10)+ a[o]-'0'; if ((n < min[i]) || (n > max[i])) goto err; o++; } } return(o == l); err: return(0); } int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str) { ASN1_UTCTIME t; t.type=V_ASN1_UTCTIME; t.length=strlen(str); t.data=(unsigned char *)str; if (ASN1_UTCTIME_check(&t)) { if (s != NULL) { ASN1_STRING_set((ASN1_STRING *)s, (unsigned char *)str,t.length); s->type = V_ASN1_UTCTIME; } return(1); } else return(0); } ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t) { char *p; struct tm *ts; struct tm data; + size_t len = 20; if (s == NULL) s=M_ASN1_UTCTIME_new(); if (s == NULL) return(NULL); ts=OPENSSL_gmtime(&t, &data); if (ts == NULL) return(NULL); p=(char *)s->data; - if ((p == NULL) || (s->length < 14)) + if ((p == NULL) || ((size_t)s->length < len)) { - p=OPENSSL_malloc(20); + p=OPENSSL_malloc(len); if (p == NULL) return(NULL); if (s->data != NULL) OPENSSL_free(s->data); s->data=(unsigned char *)p; } - sprintf(p,"%02d%02d%02d%02d%02d%02dZ",ts->tm_year%100, - ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec); + BIO_snprintf(p,len,"%02d%02d%02d%02d%02d%02dZ",ts->tm_year%100, + ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec); s->length=strlen(p); s->type=V_ASN1_UTCTIME; #ifdef CHARSET_EBCDIC_not ebcdic2ascii(s->data, s->data, s->length); #endif return(s); } int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t) { struct tm *tm; struct tm data; int offset; int year; #define g2(p) (((p)[0]-'0')*10+(p)[1]-'0') if (s->data[12] == 'Z') offset=0; else { offset = g2(s->data+13)*60+g2(s->data+15); if (s->data[12] == '-') offset = -offset; } t -= offset*60; /* FIXME: may overflow in extreme cases */ tm = OPENSSL_gmtime(&t, &data); #define return_cmp(a,b) if ((a)<(b)) return -1; else if ((a)>(b)) return 1 year = g2(s->data); if (year < 50) year += 100; return_cmp(year, tm->tm_year); return_cmp(g2(s->data+2) - 1, tm->tm_mon); return_cmp(g2(s->data+4), tm->tm_mday); return_cmp(g2(s->data+6), tm->tm_hour); return_cmp(g2(s->data+8), tm->tm_min); return_cmp(g2(s->data+10), tm->tm_sec); #undef g2 #undef return_cmp return 0; } #if 0 time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s) { struct tm tm; int offset; memset(&tm,'\0',sizeof tm); #define g2(p) (((p)[0]-'0')*10+(p)[1]-'0') tm.tm_year=g2(s->data); if(tm.tm_year < 50) tm.tm_year+=100; tm.tm_mon=g2(s->data+2)-1; tm.tm_mday=g2(s->data+4); tm.tm_hour=g2(s->data+6); tm.tm_min=g2(s->data+8); tm.tm_sec=g2(s->data+10); if(s->data[12] == 'Z') offset=0; else { offset=g2(s->data+13)*60+g2(s->data+15); if(s->data[12] == '-') offset= -offset; } #undef g2 return mktime(&tm)-offset*60; /* FIXME: mktime assumes the current timezone * instead of UTC, and unless we rewrite OpenSSL * in Lisp we cannot locally change the timezone * without possibly interfering with other parts * of the program. timegm, which uses UTC, is * non-standard. * Also time_t is inappropriate for general * UTC times because it may a 32 bit type. */ } #endif diff --git a/crypto/openssl/crypto/asn1/asn1_lib.c b/crypto/openssl/crypto/asn1/asn1_lib.c index e30d5dd303c9..a74f1368d34d 100644 --- a/crypto/openssl/crypto/asn1/asn1_lib.c +++ b/crypto/openssl/crypto/asn1/asn1_lib.c @@ -1,432 +1,432 @@ /* crypto/asn1/asn1_lib.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include "cryptlib.h" #include #include static int asn1_get_length(unsigned char **pp,int *inf,long *rl,int max); static void asn1_put_length(unsigned char **pp, int length); const char *ASN1_version="ASN.1" OPENSSL_VERSION_PTEXT; int ASN1_check_infinite_end(unsigned char **p, long len) { /* If there is 0 or 1 byte left, the length check should pick * things up */ if (len <= 0) return(1); else if ((len >= 2) && ((*p)[0] == 0) && ((*p)[1] == 0)) { (*p)+=2; return(1); } return(0); } int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass, long omax) { int i,ret; long l; unsigned char *p= *pp; int tag,xclass,inf; long max=omax; if (!max) goto err; ret=(*p&V_ASN1_CONSTRUCTED); xclass=(*p&V_ASN1_PRIVATE); i= *p&V_ASN1_PRIMITIVE_TAG; if (i == V_ASN1_PRIMITIVE_TAG) { /* high-tag */ p++; if (--max == 0) goto err; l=0; while (*p&0x80) { l<<=7L; l|= *(p++)&0x7f; if (--max == 0) goto err; if (l > (INT_MAX >> 7L)) goto err; } l<<=7L; l|= *(p++)&0x7f; tag=(int)l; if (--max == 0) goto err; } else { tag=i; p++; if (--max == 0) goto err; } *ptag=tag; *pclass=xclass; if (!asn1_get_length(&p,&inf,plength,(int)max)) goto err; #if 0 fprintf(stderr,"p=%d + *plength=%ld > omax=%ld + *pp=%d (%d > %d)\n", (int)p,*plength,omax,(int)*pp,(int)(p+ *plength), (int)(omax+ *pp)); #endif if (*plength > (omax - (p - *pp))) { ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG); /* Set this so that even if things are not long enough * the values are set correctly */ ret|=0x80; } *pp=p; return(ret|inf); err: ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_HEADER_TOO_LONG); return(0x80); } static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max) { unsigned char *p= *pp; unsigned long ret=0; int i; if (max-- < 1) return(0); if (*p == 0x80) { *inf=1; ret=0; p++; } else { *inf=0; i= *p&0x7f; if (*(p++) & 0x80) { if (i > sizeof(long)) return 0; if (max-- == 0) return(0); while (i-- > 0) { ret<<=8L; ret|= *(p++); if (max-- == 0) return(0); } } else ret=i; } if (ret > LONG_MAX) return 0; *pp=p; *rl=(long)ret; return(1); } /* class 0 is constructed * constructed == 2 for indefinite length constructed */ void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag, int xclass) { unsigned char *p= *pp; int i, ttag; i=(constructed)?V_ASN1_CONSTRUCTED:0; i|=(xclass&V_ASN1_PRIVATE); if (tag < 31) *(p++)=i|(tag&V_ASN1_PRIMITIVE_TAG); else { *(p++)=i|V_ASN1_PRIMITIVE_TAG; for(i = 0, ttag = tag; ttag > 0; i++) ttag >>=7; ttag = i; while(i-- > 0) { p[i] = tag & 0x7f; if(i != (ttag - 1)) p[i] |= 0x80; tag >>= 7; } p += ttag; } if ((constructed == 2) && (length == 0)) *(p++)=0x80; /* der_put_length would output 0 instead */ else asn1_put_length(&p,length); *pp=p; } static void asn1_put_length(unsigned char **pp, int length) { unsigned char *p= *pp; int i,l; if (length <= 127) *(p++)=(unsigned char)length; else { l=length; for (i=0; l > 0; i++) l>>=8; *(p++)=i|0x80; l=i; while (i-- > 0) { p[i]=length&0xff; length>>=8; } p+=l; } *pp=p; } int ASN1_object_size(int constructed, int length, int tag) { int ret; ret=length; ret++; if (tag >= 31) { while (tag > 0) { tag>>=7; ret++; } } if ((length == 0) && (constructed == 2)) ret+=2; ret++; if (length > 127) { while (length > 0) { length>>=8; ret++; } } return(ret); } int asn1_Finish(ASN1_CTX *c) { if ((c->inf == (1|V_ASN1_CONSTRUCTED)) && (!c->eos)) { if (!ASN1_check_infinite_end(&c->p,c->slen)) { c->error=ERR_R_MISSING_ASN1_EOS; return(0); } } if ( ((c->slen != 0) && !(c->inf & 1)) || ((c->slen < 0) && (c->inf & 1))) { c->error=ERR_R_ASN1_LENGTH_MISMATCH; return(0); } return(1); } int asn1_GetSequence(ASN1_CTX *c, long *length) { unsigned char *q; q=c->p; c->inf=ASN1_get_object(&(c->p),&(c->slen),&(c->tag),&(c->xclass), *length); if (c->inf & 0x80) { c->error=ERR_R_BAD_GET_ASN1_OBJECT_CALL; return(0); } if (c->tag != V_ASN1_SEQUENCE) { c->error=ERR_R_EXPECTING_AN_ASN1_SEQUENCE; return(0); } (*length)-=(c->p-q); if (c->max && (*length < 0)) { c->error=ERR_R_ASN1_LENGTH_MISMATCH; return(0); } if (c->inf == (1|V_ASN1_CONSTRUCTED)) c->slen= *length+ *(c->pp)-c->p; c->eos=0; return(1); } ASN1_STRING *ASN1_STRING_dup(ASN1_STRING *str) { ASN1_STRING *ret; if (str == NULL) return(NULL); if ((ret=ASN1_STRING_type_new(str->type)) == NULL) return(NULL); if (!ASN1_STRING_set(ret,str->data,str->length)) { ASN1_STRING_free(ret); return(NULL); } ret->flags = str->flags; return(ret); } int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len) { unsigned char *c; const char *data=_data; if (len < 0) { if (data == NULL) return(0); else len=strlen(data); } if ((str->length < len) || (str->data == NULL)) { c=str->data; if (c == NULL) str->data=OPENSSL_malloc(len+1); else str->data=OPENSSL_realloc(c,len+1); if (str->data == NULL) { str->data=c; return(0); } } str->length=len; if (data != NULL) { memcpy(str->data,data,len); /* an allowance for strings :-) */ str->data[len]='\0'; } return(1); } ASN1_STRING *ASN1_STRING_new(void) { return(ASN1_STRING_type_new(V_ASN1_OCTET_STRING)); } ASN1_STRING *ASN1_STRING_type_new(int type) { ASN1_STRING *ret; ret=(ASN1_STRING *)OPENSSL_malloc(sizeof(ASN1_STRING)); if (ret == NULL) { ASN1err(ASN1_F_ASN1_STRING_TYPE_NEW,ERR_R_MALLOC_FAILURE); return(NULL); } ret->length=0; ret->type=type; ret->data=NULL; ret->flags=0; return(ret); } void ASN1_STRING_free(ASN1_STRING *a) { if (a == NULL) return; if (a->data != NULL) OPENSSL_free(a->data); OPENSSL_free(a); } int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b) { int i; i=(a->length-b->length); if (i == 0) { i=memcmp(a->data,b->data,a->length); if (i == 0) return(a->type-b->type); else return(i); } else return(i); } void asn1_add_error(unsigned char *address, int offset) { char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1]; - sprintf(buf1,"%lu",(unsigned long)address); - sprintf(buf2,"%d",offset); + BIO_snprintf(buf1,sizeof buf1,"%lu",(unsigned long)address); + BIO_snprintf(buf2,sizeof buf2,"%d",offset); ERR_add_error_data(4,"address=",buf1," offset=",buf2); } int ASN1_STRING_length(ASN1_STRING *x) { return M_ASN1_STRING_length(x); } void ASN1_STRING_length_set(ASN1_STRING *x, int len) { M_ASN1_STRING_length_set(x, len); return; } int ASN1_STRING_type(ASN1_STRING *x) { return M_ASN1_STRING_type(x); } unsigned char * ASN1_STRING_data(ASN1_STRING *x) { return M_ASN1_STRING_data(x); } diff --git a/crypto/openssl/crypto/asn1/asn1_par.c b/crypto/openssl/crypto/asn1/asn1_par.c index e48532a24dc7..676d434f034d 100644 --- a/crypto/openssl/crypto/asn1/asn1_par.c +++ b/crypto/openssl/crypto/asn1/asn1_par.c @@ -1,418 +1,418 @@ /* crypto/asn1/asn1_par.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include "cryptlib.h" #include #include #include static int asn1_print_info(BIO *bp, int tag, int xclass,int constructed, int indent); static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset, int depth, int indent, int dump); static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed, int indent) { static const char fmt[]="%-18s"; static const char fmt2[]="%2d %-15s"; char str[128]; const char *p,*p2=NULL; if (constructed & V_ASN1_CONSTRUCTED) p="cons: "; else p="prim: "; if (BIO_write(bp,p,6) < 6) goto err; BIO_indent(bp,indent,128); p=str; if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE) - sprintf(str,"priv [ %d ] ",tag); + BIO_snprintf(str,sizeof str,"priv [ %d ] ",tag); else if ((xclass & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC) - sprintf(str,"cont [ %d ]",tag); + BIO_snprintf(str,sizeof str,"cont [ %d ]",tag); else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION) - sprintf(str,"appl [ %d ]",tag); + BIO_snprintf(str,sizeof str,"appl [ %d ]",tag); else p = ASN1_tag2str(tag); if (p2 != NULL) { if (BIO_printf(bp,fmt2,tag,p2) <= 0) goto err; } else { if (BIO_printf(bp,fmt,p) <= 0) goto err; } return(1); err: return(0); } int ASN1_parse(BIO *bp, unsigned char *pp, long len, int indent) { return(asn1_parse2(bp,&pp,len,0,0,indent,0)); } int ASN1_parse_dump(BIO *bp, unsigned char *pp, long len, int indent, int dump) { return(asn1_parse2(bp,&pp,len,0,0,indent,dump)); } static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset, int depth, int indent, int dump) { unsigned char *p,*ep,*tot,*op,*opp; long len; int tag,xclass,ret=0; int nl,hl,j,r; ASN1_OBJECT *o=NULL; ASN1_OCTET_STRING *os=NULL; /* ASN1_BMPSTRING *bmp=NULL;*/ int dump_indent; #if 0 dump_indent = indent; #else dump_indent = 6; /* Because we know BIO_dump_indent() */ #endif p= *pp; tot=p+length; op=p-1; while ((p < tot) && (op < p)) { op=p; j=ASN1_get_object(&p,&len,&tag,&xclass,length); #ifdef LINT j=j; #endif if (j & 0x80) { if (BIO_write(bp,"Error in encoding\n",18) <= 0) goto end; ret=0; goto end; } hl=(p-op); length-=hl; /* if j == 0x21 it is a constructed indefinite length object */ if (BIO_printf(bp,"%5ld:",(long)offset+(long)(op- *pp)) <= 0) goto end; if (j != (V_ASN1_CONSTRUCTED | 1)) { if (BIO_printf(bp,"d=%-2d hl=%ld l=%4ld ", depth,(long)hl,len) <= 0) goto end; } else { if (BIO_printf(bp,"d=%-2d hl=%ld l=inf ", depth,(long)hl) <= 0) goto end; } if (!asn1_print_info(bp,tag,xclass,j,(indent)?depth:0)) goto end; if (j & V_ASN1_CONSTRUCTED) { ep=p+len; if (BIO_write(bp,"\n",1) <= 0) goto end; if (len > length) { BIO_printf(bp, "length is greater than %ld\n",length); ret=0; goto end; } if ((j == 0x21) && (len == 0)) { for (;;) { r=asn1_parse2(bp,&p,(long)(tot-p), offset+(p - *pp),depth+1, indent,dump); if (r == 0) { ret=0; goto end; } if ((r == 2) || (p >= tot)) break; } } else while (p < ep) { r=asn1_parse2(bp,&p,(long)len, offset+(p - *pp),depth+1, indent,dump); if (r == 0) { ret=0; goto end; } } } else if (xclass != 0) { p+=len; if (BIO_write(bp,"\n",1) <= 0) goto end; } else { nl=0; if ( (tag == V_ASN1_PRINTABLESTRING) || (tag == V_ASN1_T61STRING) || (tag == V_ASN1_IA5STRING) || (tag == V_ASN1_VISIBLESTRING) || (tag == V_ASN1_UTCTIME) || (tag == V_ASN1_GENERALIZEDTIME)) { if (BIO_write(bp,":",1) <= 0) goto end; if ((len > 0) && BIO_write(bp,(char *)p,(int)len) != (int)len) goto end; } else if (tag == V_ASN1_OBJECT) { opp=op; if (d2i_ASN1_OBJECT(&o,&opp,len+hl) != NULL) { if (BIO_write(bp,":",1) <= 0) goto end; i2a_ASN1_OBJECT(bp,o); } else { if (BIO_write(bp,":BAD OBJECT",11) <= 0) goto end; } } else if (tag == V_ASN1_BOOLEAN) { int ii; opp=op; ii=d2i_ASN1_BOOLEAN(NULL,&opp,len+hl); if (ii < 0) { if (BIO_write(bp,"Bad boolean\n",12)) goto end; } BIO_printf(bp,":%d",ii); } else if (tag == V_ASN1_BMPSTRING) { /* do the BMP thang */ } else if (tag == V_ASN1_OCTET_STRING) { int i,printable=1; opp=op; os=d2i_ASN1_OCTET_STRING(NULL,&opp,len+hl); if (os != NULL) { opp=os->data; for (i=0; ilength; i++) { if (( (opp[i] < ' ') && (opp[i] != '\n') && (opp[i] != '\r') && (opp[i] != '\t')) || (opp[i] > '~')) { printable=0; break; } } if (printable && (os->length > 0)) { if (BIO_write(bp,":",1) <= 0) goto end; if (BIO_write(bp,(char *)opp, os->length) <= 0) goto end; } if (!printable && (os->length > 0) && dump) { if (!nl) { if (BIO_write(bp,"\n",1) <= 0) goto end; } if (BIO_dump_indent(bp,(char *)opp, ((dump == -1 || dump > os->length)?os->length:dump), dump_indent) <= 0) goto end; nl=1; } M_ASN1_OCTET_STRING_free(os); os=NULL; } } else if (tag == V_ASN1_INTEGER) { ASN1_INTEGER *bs; int i; opp=op; bs=d2i_ASN1_INTEGER(NULL,&opp,len+hl); if (bs != NULL) { if (BIO_write(bp,":",1) <= 0) goto end; if (bs->type == V_ASN1_NEG_INTEGER) if (BIO_write(bp,"-",1) <= 0) goto end; for (i=0; ilength; i++) { if (BIO_printf(bp,"%02X", bs->data[i]) <= 0) goto end; } if (bs->length == 0) { if (BIO_write(bp,"00",2) <= 0) goto end; } } else { if (BIO_write(bp,"BAD INTEGER",11) <= 0) goto end; } M_ASN1_INTEGER_free(bs); } else if (tag == V_ASN1_ENUMERATED) { ASN1_ENUMERATED *bs; int i; opp=op; bs=d2i_ASN1_ENUMERATED(NULL,&opp,len+hl); if (bs != NULL) { if (BIO_write(bp,":",1) <= 0) goto end; if (bs->type == V_ASN1_NEG_ENUMERATED) if (BIO_write(bp,"-",1) <= 0) goto end; for (i=0; ilength; i++) { if (BIO_printf(bp,"%02X", bs->data[i]) <= 0) goto end; } if (bs->length == 0) { if (BIO_write(bp,"00",2) <= 0) goto end; } } else { if (BIO_write(bp,"BAD ENUMERATED",11) <= 0) goto end; } M_ASN1_ENUMERATED_free(bs); } else if (len > 0 && dump) { if (!nl) { if (BIO_write(bp,"\n",1) <= 0) goto end; } if (BIO_dump_indent(bp,(char *)p, ((dump == -1 || dump > len)?len:dump), dump_indent) <= 0) goto end; nl=1; } if (!nl) { if (BIO_write(bp,"\n",1) <= 0) goto end; } p+=len; if ((tag == V_ASN1_EOC) && (xclass == 0)) { ret=2; /* End of sequence */ goto end; } } length-=len; } ret=1; end: if (o != NULL) ASN1_OBJECT_free(o); if (os != NULL) M_ASN1_OCTET_STRING_free(os); *pp=p; return(ret); } const char *ASN1_tag2str(int tag) { const static char *tag2str[] = { "EOC", "BOOLEAN", "INTEGER", "BIT STRING", "OCTET STRING", /* 0-4 */ "NULL", "OBJECT", "OBJECT DESCRIPTOR", "EXTERNAL", "REAL", /* 5-9 */ "ENUMERATED", "", "UTF8STRING", "", /* 10-13 */ "", "", "SEQUENCE", "SET", /* 15-17 */ "NUMERICSTRING", "PRINTABLESTRING", "T61STRING", /* 18-20 */ "VIDEOTEXSTRING", "IA5STRING", "UTCTIME","GENERALIZEDTIME", /* 21-24 */ "GRAPHICSTRING", "VISIBLESTRING", "GENERALSTRING", /* 25-27 */ "UNIVERSALSTRING", "", "BMPSTRING" /* 28-30 */ }; if((tag == V_ASN1_NEG_INTEGER) || (tag == V_ASN1_NEG_ENUMERATED)) tag &= ~0x100; if(tag < 0 || tag > 30) return "(unknown)"; return tag2str[tag]; } diff --git a/crypto/openssl/crypto/asn1/asn_moid.c b/crypto/openssl/crypto/asn1/asn_moid.c index be20db4bad7f..edb44c988f08 100644 --- a/crypto/openssl/crypto/asn1/asn_moid.c +++ b/crypto/openssl/crypto/asn1/asn_moid.c @@ -1,95 +1,100 @@ /* asn_moid.c */ /* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL * project 2001. */ /* ==================================================================== * Copyright (c) 2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include "cryptlib.h" #include #include #include /* Simple ASN1 OID module: add all objects in a given section */ static int oid_module_init(CONF_IMODULE *md, const CONF *cnf) { int i; const char *oid_section; STACK_OF(CONF_VALUE) *sktmp; CONF_VALUE *oval; oid_section = CONF_imodule_get_value(md); if(!(sktmp = NCONF_get_section(cnf, oid_section))) { ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ERROR_LOADING_SECTION); return 0; } for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) { oval = sk_CONF_VALUE_value(sktmp, i); if(OBJ_create(oval->value, oval->name, oval->name) == NID_undef) { ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ADDING_OBJECT); return 0; } } return 1; -} + } + +static void oid_module_finish(CONF_IMODULE *md) + { + OBJ_cleanup(); + } void ASN1_add_oid_module(void) { - CONF_module_add("oid_section", oid_module_init, 0); + CONF_module_add("oid_section", oid_module_init, oid_module_finish); } diff --git a/crypto/openssl/crypto/asn1/t_pkey.c b/crypto/openssl/crypto/asn1/t_pkey.c index 4e09c9e44e23..d15006e6546c 100644 --- a/crypto/openssl/crypto/asn1/t_pkey.c +++ b/crypto/openssl/crypto/asn1/t_pkey.c @@ -1,387 +1,387 @@ /* crypto/asn1/t_pkey.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include "cryptlib.h" #include #include #ifndef OPENSSL_NO_RSA #include #endif #ifndef OPENSSL_NO_DH #include #endif #ifndef OPENSSL_NO_DSA #include #endif static int print(BIO *fp,const char *str,BIGNUM *num, unsigned char *buf,int off); #ifndef OPENSSL_NO_RSA #ifndef OPENSSL_NO_FP_API int RSA_print_fp(FILE *fp, const RSA *x, int off) { BIO *b; int ret; if ((b=BIO_new(BIO_s_file())) == NULL) { RSAerr(RSA_F_RSA_PRINT_FP,ERR_R_BUF_LIB); return(0); } BIO_set_fp(b,fp,BIO_NOCLOSE); ret=RSA_print(b,x,off); BIO_free(b); return(ret); } #endif int RSA_print(BIO *bp, const RSA *x, int off) { char str[128]; const char *s; unsigned char *m=NULL; int ret=0; size_t buf_len=0, i; if (x->n) buf_len = (size_t)BN_num_bytes(x->n); if (x->e) if (buf_len < (i = (size_t)BN_num_bytes(x->e))) buf_len = i; if (x->d) if (buf_len < (i = (size_t)BN_num_bytes(x->d))) buf_len = i; if (x->p) if (buf_len < (i = (size_t)BN_num_bytes(x->p))) buf_len = i; if (x->q) if (buf_len < (i = (size_t)BN_num_bytes(x->q))) buf_len = i; if (x->dmp1) if (buf_len < (i = (size_t)BN_num_bytes(x->dmp1))) buf_len = i; if (x->dmq1) if (buf_len < (i = (size_t)BN_num_bytes(x->dmq1))) buf_len = i; if (x->iqmp) if (buf_len < (i = (size_t)BN_num_bytes(x->iqmp))) buf_len = i; m=(unsigned char *)OPENSSL_malloc(buf_len+10); if (m == NULL) { RSAerr(RSA_F_RSA_PRINT,ERR_R_MALLOC_FAILURE); goto err; } if (x->d != NULL) { if(!BIO_indent(bp,off,128)) goto err; if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->n)) <= 0) goto err; } if (x->d == NULL) - sprintf(str,"Modulus (%d bit):",BN_num_bits(x->n)); + BIO_snprintf(str,sizeof str,"Modulus (%d bit):",BN_num_bits(x->n)); else - strcpy(str,"modulus:"); + BUF_strlcpy(str,"modulus:",sizeof str); if (!print(bp,str,x->n,m,off)) goto err; s=(x->d == NULL)?"Exponent:":"publicExponent:"; if (!print(bp,s,x->e,m,off)) goto err; if (!print(bp,"privateExponent:",x->d,m,off)) goto err; if (!print(bp,"prime1:",x->p,m,off)) goto err; if (!print(bp,"prime2:",x->q,m,off)) goto err; if (!print(bp,"exponent1:",x->dmp1,m,off)) goto err; if (!print(bp,"exponent2:",x->dmq1,m,off)) goto err; if (!print(bp,"coefficient:",x->iqmp,m,off)) goto err; ret=1; err: if (m != NULL) OPENSSL_free(m); return(ret); } #endif /* OPENSSL_NO_RSA */ #ifndef OPENSSL_NO_DSA #ifndef OPENSSL_NO_FP_API int DSA_print_fp(FILE *fp, const DSA *x, int off) { BIO *b; int ret; if ((b=BIO_new(BIO_s_file())) == NULL) { DSAerr(DSA_F_DSA_PRINT_FP,ERR_R_BUF_LIB); return(0); } BIO_set_fp(b,fp,BIO_NOCLOSE); ret=DSA_print(b,x,off); BIO_free(b); return(ret); } #endif int DSA_print(BIO *bp, const DSA *x, int off) { unsigned char *m=NULL; int ret=0; size_t buf_len=0,i; if (x->p) buf_len = (size_t)BN_num_bytes(x->p); if (x->q) if (buf_len < (i = (size_t)BN_num_bytes(x->q))) buf_len = i; if (x->g) if (buf_len < (i = (size_t)BN_num_bytes(x->g))) buf_len = i; if (x->priv_key) if (buf_len < (i = (size_t)BN_num_bytes(x->priv_key))) buf_len = i; if (x->pub_key) if (buf_len < (i = (size_t)BN_num_bytes(x->pub_key))) buf_len = i; m=(unsigned char *)OPENSSL_malloc(buf_len+10); if (m == NULL) { DSAerr(DSA_F_DSA_PRINT,ERR_R_MALLOC_FAILURE); goto err; } if (x->priv_key != NULL) { if(!BIO_indent(bp,off,128)) goto err; if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->p)) <= 0) goto err; } if ((x->priv_key != NULL) && !print(bp,"priv:",x->priv_key,m,off)) goto err; if ((x->pub_key != NULL) && !print(bp,"pub: ",x->pub_key,m,off)) goto err; if ((x->p != NULL) && !print(bp,"P: ",x->p,m,off)) goto err; if ((x->q != NULL) && !print(bp,"Q: ",x->q,m,off)) goto err; if ((x->g != NULL) && !print(bp,"G: ",x->g,m,off)) goto err; ret=1; err: if (m != NULL) OPENSSL_free(m); return(ret); } #endif /* !OPENSSL_NO_DSA */ static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf, int off) { int n,i; const char *neg; if (num == NULL) return(1); neg=(num->neg)?"-":""; if(!BIO_indent(bp,off,128)) return 0; if (BN_num_bytes(num) <= BN_BYTES) { if (BIO_printf(bp,"%s %s%lu (%s0x%lx)\n",number,neg, (unsigned long)num->d[0],neg,(unsigned long)num->d[0]) <= 0) return(0); } else { buf[0]=0; if (BIO_printf(bp,"%s%s",number, (neg[0] == '-')?" (Negative)":"") <= 0) return(0); n=BN_bn2bin(num,&buf[1]); if (buf[1] & 0x80) n++; else buf++; for (i=0; ip) buf_len = (size_t)BN_num_bytes(x->p); if (x->g) if (buf_len < (i = (size_t)BN_num_bytes(x->g))) buf_len = i; m=(unsigned char *)OPENSSL_malloc(buf_len+10); if (m == NULL) { reason=ERR_R_MALLOC_FAILURE; goto err; } if (BIO_printf(bp,"Diffie-Hellman-Parameters: (%d bit)\n", BN_num_bits(x->p)) <= 0) goto err; if (!print(bp,"prime:",x->p,m,4)) goto err; if (!print(bp,"generator:",x->g,m,4)) goto err; if (x->length != 0) { if (BIO_printf(bp," recommended-private-length: %d bits\n", (int)x->length) <= 0) goto err; } ret=1; if (0) { err: DHerr(DH_F_DHPARAMS_PRINT,reason); } if (m != NULL) OPENSSL_free(m); return(ret); } #endif #ifndef OPENSSL_NO_DSA #ifndef OPENSSL_NO_FP_API int DSAparams_print_fp(FILE *fp, const DSA *x) { BIO *b; int ret; if ((b=BIO_new(BIO_s_file())) == NULL) { DSAerr(DSA_F_DSAPARAMS_PRINT_FP,ERR_R_BUF_LIB); return(0); } BIO_set_fp(b,fp,BIO_NOCLOSE); ret=DSAparams_print(b, x); BIO_free(b); return(ret); } #endif int DSAparams_print(BIO *bp, const DSA *x) { unsigned char *m=NULL; int reason=ERR_R_BUF_LIB,ret=0; size_t buf_len=0,i; if (x->p) buf_len = (size_t)BN_num_bytes(x->p); if (x->q) if (buf_len < (i = (size_t)BN_num_bytes(x->q))) buf_len = i; if (x->g) if (buf_len < (i = (size_t)BN_num_bytes(x->g))) buf_len = i; m=(unsigned char *)OPENSSL_malloc(buf_len+10); if (m == NULL) { reason=ERR_R_MALLOC_FAILURE; goto err; } if (BIO_printf(bp,"DSA-Parameters: (%d bit)\n", BN_num_bits(x->p)) <= 0) goto err; if (!print(bp,"p:",x->p,m,4)) goto err; if (!print(bp,"q:",x->q,m,4)) goto err; if (!print(bp,"g:",x->g,m,4)) goto err; ret=1; err: if (m != NULL) OPENSSL_free(m); DSAerr(DSA_F_DSAPARAMS_PRINT,reason); return(ret); } #endif /* !OPENSSL_NO_DSA */ diff --git a/crypto/openssl/crypto/asn1/x_long.c b/crypto/openssl/crypto/asn1/x_long.c index c04b192794f1..c5f25956cb28 100644 --- a/crypto/openssl/crypto/asn1/x_long.c +++ b/crypto/openssl/crypto/asn1/x_long.c @@ -1,163 +1,169 @@ /* x_long.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 2000. */ /* ==================================================================== * Copyright (c) 2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include "cryptlib.h" #include /* Custom primitive type for long handling. This converts between an ASN1_INTEGER * and a long directly. */ static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it); static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it); static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it); static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it); static ASN1_PRIMITIVE_FUNCS long_pf = { NULL, 0, long_new, long_free, long_free, /* Clear should set to initial value */ long_c2i, long_i2c }; ASN1_ITEM_start(LONG) ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &long_pf, ASN1_LONG_UNDEF, "LONG" ASN1_ITEM_end(LONG) ASN1_ITEM_start(ZLONG) ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &long_pf, 0, "ZLONG" ASN1_ITEM_end(ZLONG) static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it) { *(long *)pval = it->size; return 1; } static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it) { *(long *)pval = it->size; } static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it) { long ltmp; unsigned long utmp; int clen, pad, i; - ltmp = *(long *)pval; + /* this exists to bypass broken gcc optimization */ + char *cp = (char *)pval; + + /* use memcpy, because we may not be long aligned */ + memcpy(<mp, cp, sizeof(long)); + if(ltmp == it->size) return -1; /* Convert the long to positive: we subtract one if negative so * we can cleanly handle the padding if only the MSB of the leading * octet is set. */ if(ltmp < 0) utmp = -ltmp - 1; else utmp = ltmp; clen = BN_num_bits_word(utmp); /* If MSB of leading octet set we need to pad */ if(!(clen & 0x7)) pad = 1; else pad = 0; /* Convert number of bits to number of octets */ clen = (clen + 7) >> 3; if(cont) { if(pad) *cont++ = (ltmp < 0) ? 0xff : 0; for(i = clen - 1; i >= 0; i--) { cont[i] = (unsigned char)(utmp & 0xff); if(ltmp < 0) cont[i] ^= 0xff; utmp >>= 8; } } return clen + pad; } static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) { int neg, i; long ltmp; unsigned long utmp = 0; + char *cp = (char *)pval; if(len > sizeof(long)) { ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG); return 0; } /* Is it negative? */ if(len && (cont[0] & 0x80)) neg = 1; else neg = 0; utmp = 0; for(i = 0; i < len; i++) { utmp <<= 8; if(neg) utmp |= cont[i] ^ 0xff; else utmp |= cont[i]; } ltmp = (long)utmp; if(neg) { ltmp++; ltmp = -ltmp; } if(ltmp == it->size) { ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG); return 0; } - *(long *)pval = ltmp; + memcpy(cp, <mp, sizeof(long)); return 1; } diff --git a/crypto/openssl/crypto/bf/Makefile.ssl b/crypto/openssl/crypto/bf/Makefile.ssl index bb14a0ee8250..be3ad77a0563 100644 --- a/crypto/openssl/crypto/bf/Makefile.ssl +++ b/crypto/openssl/crypto/bf/Makefile.ssl @@ -1,114 +1,115 @@ # # SSLeay/crypto/blowfish/Makefile # DIR= bf TOP= ../.. CC= cc CPP= $(CC) -E INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r BF_ENC= bf_enc.o # or use #DES_ENC= bx86-elf.o CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=bftest.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC=bf_skey.c bf_ecb.c bf_enc.c bf_cfb64.c bf_ofb64.c LIBOBJ=bf_skey.o bf_ecb.o $(BF_ENC) bf_cfb64.o bf_ofb64.o SRC= $(LIBSRC) EXHEADER= blowfish.h HEADER= bf_pi.h bf_locl.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib # elf asm/bx86-elf.s: asm/bf-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl (cd asm; $(PERL) bf-586.pl elf $(CFLAGS) $(PROCESSOR) > bx86-elf.s) # a.out asm/bx86-out.o: asm/bx86unix.cpp $(CPP) -DOUT asm/bx86unix.cpp | as -o asm/bx86-out.o # bsdi asm/bx86bsdi.o: asm/bx86unix.cpp $(CPP) -DBSDI asm/bx86unix.cpp | sed 's/ :/:/' | as -o asm/bx86bsdi.o asm/bx86unix.cpp: asm/bf-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl (cd asm; $(PERL) bf-586.pl cpp $(PROCESSOR) >bx86unix.cpp) files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: installs installs: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f asm/bx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. bf_cfb64.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h bf_cfb64.o: ../../include/openssl/opensslconf.h bf_cfb64.c bf_locl.h bf_ecb.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h bf_ecb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h bf_ecb.o: bf_ecb.c bf_locl.h bf_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h bf_enc.o: ../../include/openssl/opensslconf.h bf_enc.c bf_locl.h bf_ofb64.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h bf_ofb64.o: ../../include/openssl/opensslconf.h bf_locl.h bf_ofb64.c bf_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h bf_skey.o: ../../include/openssl/opensslconf.h bf_locl.h bf_pi.h bf_skey.c diff --git a/crypto/openssl/crypto/bio/Makefile.ssl b/crypto/openssl/crypto/bio/Makefile.ssl index 141a03ae1d21..d0b9e297b082 100644 --- a/crypto/openssl/crypto/bio/Makefile.ssl +++ b/crypto/openssl/crypto/bio/Makefile.ssl @@ -1,216 +1,216 @@ # # SSLeay/crypto/bio/Makefile # DIR= bio TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= bio_lib.c bio_cb.c bio_err.c \ bss_mem.c bss_null.c bss_fd.c \ bss_file.c bss_sock.c bss_conn.c \ bf_null.c bf_buff.c b_print.c b_dump.c \ b_sock.c bss_acpt.c bf_nbio.c bss_log.c bss_bio.c # bf_lbuf.c LIBOBJ= bio_lib.o bio_cb.o bio_err.o \ bss_mem.o bss_null.o bss_fd.o \ bss_file.o bss_sock.o bss_conn.o \ bf_null.o bf_buff.o b_print.o b_dump.o \ b_sock.o bss_acpt.o bf_nbio.o bss_log.o bss_bio.o # bf_lbuf.o SRC= $(LIBSRC) EXHEADER= bio.h HEADER= bss_file.c $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER); \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. b_dump.o: ../../e_os.h ../../include/openssl/bio.h b_dump.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h b_dump.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h b_dump.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h b_dump.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h b_dump.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h b_dump.o: ../cryptlib.h b_dump.c b_print.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h b_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h b_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h b_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h b_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h b_print.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h b_print.o: ../cryptlib.h b_print.c b_sock.o: ../../e_os.h ../../include/openssl/bio.h b_sock.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h b_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h b_sock.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h b_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h b_sock.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h b_sock.o: ../cryptlib.h b_sock.c bf_buff.o: ../../e_os.h ../../include/openssl/bio.h bf_buff.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bf_buff.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bf_buff.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bf_buff.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bf_buff.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bf_buff.o: ../cryptlib.h bf_buff.c bf_nbio.o: ../../e_os.h ../../include/openssl/bio.h bf_nbio.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bf_nbio.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bf_nbio.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bf_nbio.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bf_nbio.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h bf_nbio.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bf_nbio.o: ../cryptlib.h bf_nbio.c bf_null.o: ../../e_os.h ../../include/openssl/bio.h bf_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bf_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bf_null.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bf_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bf_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bf_null.o: ../cryptlib.h bf_null.c bio_cb.o: ../../e_os.h ../../include/openssl/bio.h bio_cb.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bio_cb.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bio_cb.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bio_cb.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bio_cb.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bio_cb.o: ../cryptlib.h bio_cb.c bio_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h bio_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bio_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bio_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bio_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bio_err.o: bio_err.c bio_lib.o: ../../e_os.h ../../include/openssl/bio.h bio_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bio_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bio_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bio_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bio_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bio_lib.o: ../cryptlib.h bio_lib.c bss_acpt.o: ../../e_os.h ../../include/openssl/bio.h bss_acpt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bss_acpt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bss_acpt.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bss_acpt.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bss_acpt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bss_acpt.o: ../cryptlib.h bss_acpt.c bss_bio.o: ../../e_os.h ../../include/openssl/bio.h bss_bio.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h bss_bio.o: ../../include/openssl/err.h ../../include/openssl/lhash.h bss_bio.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h bss_bio.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bss_bio.o: ../../include/openssl/symhacks.h bss_bio.c bss_conn.o: ../../e_os.h ../../include/openssl/bio.h bss_conn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bss_conn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bss_conn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bss_conn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bss_conn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bss_conn.o: ../cryptlib.h bss_conn.c bss_fd.o: ../../e_os.h ../../include/openssl/bio.h bss_fd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bss_fd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bss_fd.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bss_fd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bss_fd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bss_fd.o: ../cryptlib.h bss_fd.c bss_file.o: ../../e_os.h ../../include/openssl/bio.h bss_file.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bss_file.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bss_file.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bss_file.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bss_file.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bss_file.o: ../cryptlib.h bss_file.c bss_log.o: ../../e_os.h ../../include/openssl/bio.h bss_log.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bss_log.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bss_log.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bss_log.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bss_log.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bss_log.o: ../cryptlib.h bss_log.c bss_mem.o: ../../e_os.h ../../include/openssl/bio.h bss_mem.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bss_mem.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bss_mem.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bss_mem.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bss_mem.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bss_mem.o: ../cryptlib.h bss_mem.c bss_null.o: ../../e_os.h ../../include/openssl/bio.h bss_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bss_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bss_null.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bss_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bss_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bss_null.o: ../cryptlib.h bss_null.c bss_sock.o: ../../e_os.h ../../include/openssl/bio.h bss_sock.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bss_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bss_sock.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bss_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bss_sock.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bss_sock.o: ../cryptlib.h bss_sock.c diff --git a/crypto/openssl/crypto/bio/b_dump.c b/crypto/openssl/crypto/bio/b_dump.c index 8397cfab6a2c..f671e722fa39 100644 --- a/crypto/openssl/crypto/bio/b_dump.c +++ b/crypto/openssl/crypto/bio/b_dump.c @@ -1,152 +1,156 @@ /* crypto/bio/b_dump.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* * Stolen from tjh's ssl/ssl_trc.c stuff. */ #include #include "cryptlib.h" #include #define TRUNCATE #define DUMP_WIDTH 16 #define DUMP_WIDTH_LESS_INDENT(i) (DUMP_WIDTH-((i-(i>6?6:i)+3)/4)) int BIO_dump(BIO *bio, const char *s, int len) { return BIO_dump_indent(bio, s, len, 0); } int BIO_dump_indent(BIO *bio, const char *s, int len, int indent) { int ret=0; char buf[288+1],tmp[20],str[128+1]; int i,j,rows,trunc; unsigned char ch; int dump_width; trunc=0; #ifdef TRUNCATE for(; (len > 0) && ((s[len-1] == ' ') || (s[len-1] == '\0')); len--) trunc++; #endif if (indent < 0) indent = 0; if (indent) { if (indent > 128) indent=128; memset(str,' ',indent); } str[indent]='\0'; dump_width=DUMP_WIDTH_LESS_INDENT(indent); rows=(len/dump_width); if ((rows*dump_width)=len) { - strcat(buf," "); + BUF_strlcat(buf," ",sizeof buf); } else { ch=((unsigned char)*(s+i*dump_width+j)) & 0xff; - sprintf(tmp,"%02x%c",ch,j==7?'-':' '); - strcat(buf,tmp); + BIO_snprintf(tmp,sizeof tmp,"%02x%c",ch, + j==7?'-':' '); + BUF_strlcat(buf,tmp,sizeof buf); } } - strcat(buf," "); + BUF_strlcat(buf," ",sizeof buf); for(j=0;j=len) break; ch=((unsigned char)*(s+i*dump_width+j)) & 0xff; #ifndef CHARSET_EBCDIC - sprintf(tmp,"%c",((ch>=' ')&&(ch<='~'))?ch:'.'); + BIO_snprintf(tmp,sizeof tmp,"%c", + ((ch>=' ')&&(ch<='~'))?ch:'.'); #else - sprintf(tmp,"%c",((ch>=os_toascii[' '])&&(ch<=os_toascii['~'])) - ? os_toebcdic[ch] - : '.'); + BIO_snprintf(tmp,sizeof tmp,"%c", + ((ch>=os_toascii[' '])&&(ch<=os_toascii['~'])) + ? os_toebcdic[ch] + : '.'); #endif - strcat(buf,tmp); + BUF_strlcat(buf,tmp,sizeof buf); } - strcat(buf,"\n"); + BUF_strlcat(buf,"\n",sizeof buf); /* if this is the last call then update the ddt_dump thing so that * we will move the selection point in the debug window */ ret+=BIO_write(bio,(char *)buf,strlen(buf)); } #ifdef TRUNCATE if (trunc > 0) { - sprintf(buf,"%s%04x - \n",str,len+trunc); + BIO_snprintf(buf,sizeof buf,"%s%04x - \n",str, + len+trunc); ret+=BIO_write(bio,(char *)buf,strlen(buf)); } #endif return(ret); } diff --git a/crypto/openssl/crypto/bio/b_print.c b/crypto/openssl/crypto/bio/b_print.c index 2cfc689dd6b4..fbff33179680 100644 --- a/crypto/openssl/crypto/bio/b_print.c +++ b/crypto/openssl/crypto/bio/b_print.c @@ -1,840 +1,840 @@ /* crypto/bio/b_print.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* disable assert() unless BIO_DEBUG has been defined */ #ifndef BIO_DEBUG # ifndef NDEBUG # define NDEBUG # endif #endif /* * Stolen from tjh's ssl/ssl_trc.c stuff. */ #include #include #include #include #include #include "cryptlib.h" #ifndef NO_SYS_TYPES_H #include #endif #include /* To get BN_LLONG properly defined */ #include #ifdef BN_LLONG # ifndef HAVE_LONG_LONG # define HAVE_LONG_LONG 1 # endif #endif /***************************************************************************/ /* * Copyright Patrick Powell 1995 * This code is based on code written by Patrick Powell * It may be used for any purpose as long as this notice remains intact * on all source code distributions. */ /* * This code contains numerious changes and enhancements which were * made by lots of contributors over the last years to Patrick Powell's * original code: * * o Patrick Powell (1995) * o Brandon Long (1996, for Mutt) * o Thomas Roessler (1998, for Mutt) * o Michael Elkins (1998, for Mutt) * o Andrew Tridgell (1998, for Samba) * o Luke Mewburn (1999, for LukemFTP) * o Ralf S. Engelschall (1999, for Pth) * o ... (for OpenSSL) */ #ifdef HAVE_LONG_DOUBLE #define LDOUBLE long double #else #define LDOUBLE double #endif #if HAVE_LONG_LONG # if defined(OPENSSL_SYS_WIN32) && !defined(__GNUC__) # define LLONG _int64 # else # define LLONG long long # endif #else #define LLONG long #endif static void fmtstr (char **, char **, size_t *, size_t *, const char *, int, int, int); static void fmtint (char **, char **, size_t *, size_t *, LLONG, int, int, int, int); static void fmtfp (char **, char **, size_t *, size_t *, LDOUBLE, int, int, int); static void doapr_outch (char **, char **, size_t *, size_t *, int); static void _dopr(char **sbuffer, char **buffer, size_t *maxlen, size_t *retlen, int *truncated, const char *format, va_list args); /* format read states */ #define DP_S_DEFAULT 0 #define DP_S_FLAGS 1 #define DP_S_MIN 2 #define DP_S_DOT 3 #define DP_S_MAX 4 #define DP_S_MOD 5 #define DP_S_CONV 6 #define DP_S_DONE 7 /* format flags - Bits */ #define DP_F_MINUS (1 << 0) #define DP_F_PLUS (1 << 1) #define DP_F_SPACE (1 << 2) #define DP_F_NUM (1 << 3) #define DP_F_ZERO (1 << 4) #define DP_F_UP (1 << 5) #define DP_F_UNSIGNED (1 << 6) /* conversion flags */ #define DP_C_SHORT 1 #define DP_C_LONG 2 #define DP_C_LDOUBLE 3 #define DP_C_LLONG 4 /* some handy macros */ #define char_to_int(p) (p - '0') #define OSSL_MAX(p,q) ((p >= q) ? p : q) static void _dopr( char **sbuffer, char **buffer, size_t *maxlen, size_t *retlen, int *truncated, const char *format, va_list args) { char ch; LLONG value; LDOUBLE fvalue; char *strvalue; int min; int max; int state; int flags; int cflags; size_t currlen; state = DP_S_DEFAULT; flags = currlen = cflags = min = 0; max = -1; ch = *format++; while (state != DP_S_DONE) { if (ch == '\0' || (buffer == NULL && currlen >= *maxlen)) state = DP_S_DONE; switch (state) { case DP_S_DEFAULT: if (ch == '%') state = DP_S_FLAGS; else doapr_outch(sbuffer,buffer, &currlen, maxlen, ch); ch = *format++; break; case DP_S_FLAGS: switch (ch) { case '-': flags |= DP_F_MINUS; ch = *format++; break; case '+': flags |= DP_F_PLUS; ch = *format++; break; case ' ': flags |= DP_F_SPACE; ch = *format++; break; case '#': flags |= DP_F_NUM; ch = *format++; break; case '0': flags |= DP_F_ZERO; ch = *format++; break; default: state = DP_S_MIN; break; } break; case DP_S_MIN: if (isdigit((unsigned char)ch)) { min = 10 * min + char_to_int(ch); ch = *format++; } else if (ch == '*') { min = va_arg(args, int); ch = *format++; state = DP_S_DOT; } else state = DP_S_DOT; break; case DP_S_DOT: if (ch == '.') { state = DP_S_MAX; ch = *format++; } else state = DP_S_MOD; break; case DP_S_MAX: if (isdigit((unsigned char)ch)) { if (max < 0) max = 0; max = 10 * max + char_to_int(ch); ch = *format++; } else if (ch == '*') { max = va_arg(args, int); ch = *format++; state = DP_S_MOD; } else state = DP_S_MOD; break; case DP_S_MOD: switch (ch) { case 'h': cflags = DP_C_SHORT; ch = *format++; break; case 'l': if (*format == 'l') { cflags = DP_C_LLONG; format++; } else cflags = DP_C_LONG; ch = *format++; break; case 'q': cflags = DP_C_LLONG; ch = *format++; break; case 'L': cflags = DP_C_LDOUBLE; ch = *format++; break; default: break; } state = DP_S_CONV; break; case DP_S_CONV: switch (ch) { case 'd': case 'i': switch (cflags) { case DP_C_SHORT: value = (short int)va_arg(args, int); break; case DP_C_LONG: value = va_arg(args, long int); break; case DP_C_LLONG: value = va_arg(args, LLONG); break; default: value = va_arg(args, int); break; } fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min, max, flags); break; case 'X': flags |= DP_F_UP; /* FALLTHROUGH */ case 'x': case 'o': case 'u': flags |= DP_F_UNSIGNED; switch (cflags) { case DP_C_SHORT: value = (unsigned short int)va_arg(args, unsigned int); break; case DP_C_LONG: value = (LLONG) va_arg(args, unsigned long int); break; case DP_C_LLONG: value = va_arg(args, unsigned LLONG); break; default: value = (LLONG) va_arg(args, unsigned int); break; } fmtint(sbuffer, buffer, &currlen, maxlen, value, ch == 'o' ? 8 : (ch == 'u' ? 10 : 16), min, max, flags); break; case 'f': if (cflags == DP_C_LDOUBLE) fvalue = va_arg(args, LDOUBLE); else fvalue = va_arg(args, double); fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max, flags); break; case 'E': flags |= DP_F_UP; case 'e': if (cflags == DP_C_LDOUBLE) fvalue = va_arg(args, LDOUBLE); else fvalue = va_arg(args, double); break; case 'G': flags |= DP_F_UP; case 'g': if (cflags == DP_C_LDOUBLE) fvalue = va_arg(args, LDOUBLE); else fvalue = va_arg(args, double); break; case 'c': doapr_outch(sbuffer, buffer, &currlen, maxlen, va_arg(args, int)); break; case 's': strvalue = va_arg(args, char *); if (max < 0) { if (buffer) max = INT_MAX; else max = *maxlen; } fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue, flags, min, max); break; case 'p': value = (long)va_arg(args, void *); fmtint(sbuffer, buffer, &currlen, maxlen, value, 16, min, max, flags|DP_F_NUM); break; case 'n': /* XXX */ if (cflags == DP_C_SHORT) { short int *num; num = va_arg(args, short int *); *num = currlen; } else if (cflags == DP_C_LONG) { /* XXX */ long int *num; num = va_arg(args, long int *); *num = (long int) currlen; } else if (cflags == DP_C_LLONG) { /* XXX */ LLONG *num; num = va_arg(args, LLONG *); *num = (LLONG) currlen; } else { int *num; num = va_arg(args, int *); *num = currlen; } break; case '%': doapr_outch(sbuffer, buffer, &currlen, maxlen, ch); break; case 'w': /* not supported yet, treat as next char */ ch = *format++; break; default: /* unknown, skip */ break; } ch = *format++; state = DP_S_DEFAULT; flags = cflags = min = 0; max = -1; break; case DP_S_DONE: break; default: break; } } *truncated = (currlen > *maxlen - 1); if (*truncated) currlen = *maxlen - 1; doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'); *retlen = currlen - 1; return; } static void fmtstr( char **sbuffer, char **buffer, size_t *currlen, size_t *maxlen, const char *value, int flags, int min, int max) { int padlen, strln; int cnt = 0; if (value == 0) value = ""; for (strln = 0; value[strln]; ++strln) ; padlen = min - strln; if (padlen < 0) padlen = 0; if (flags & DP_F_MINUS) padlen = -padlen; while ((padlen > 0) && (cnt < max)) { doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); --padlen; ++cnt; } while (*value && (cnt < max)) { doapr_outch(sbuffer, buffer, currlen, maxlen, *value++); ++cnt; } while ((padlen < 0) && (cnt < max)) { doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); ++padlen; ++cnt; } } static void fmtint( char **sbuffer, char **buffer, size_t *currlen, size_t *maxlen, LLONG value, int base, int min, int max, int flags) { int signvalue = 0; char *prefix = ""; unsigned LLONG uvalue; char convert[DECIMAL_SIZE(value)+3]; int place = 0; int spadlen = 0; int zpadlen = 0; int caps = 0; if (max < 0) max = 0; uvalue = value; if (!(flags & DP_F_UNSIGNED)) { if (value < 0) { signvalue = '-'; uvalue = -value; } else if (flags & DP_F_PLUS) signvalue = '+'; else if (flags & DP_F_SPACE) signvalue = ' '; } if (flags & DP_F_NUM) { if (base == 8) prefix = "0"; if (base == 16) prefix = "0x"; } if (flags & DP_F_UP) caps = 1; do { convert[place++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef") [uvalue % (unsigned) base]; uvalue = (uvalue / (unsigned) base); } while (uvalue && (place < sizeof convert)); if (place == sizeof convert) place--; convert[place] = 0; zpadlen = max - place; spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0) - strlen(prefix); if (zpadlen < 0) zpadlen = 0; if (spadlen < 0) spadlen = 0; if (flags & DP_F_ZERO) { zpadlen = OSSL_MAX(zpadlen, spadlen); spadlen = 0; } if (flags & DP_F_MINUS) spadlen = -spadlen; /* spaces */ while (spadlen > 0) { doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); --spadlen; } /* sign */ if (signvalue) doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); /* prefix */ while (*prefix) { doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix); prefix++; } /* zeros */ if (zpadlen > 0) { while (zpadlen > 0) { doapr_outch(sbuffer, buffer, currlen, maxlen, '0'); --zpadlen; } } /* digits */ while (place > 0) doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]); /* left justified spaces */ while (spadlen < 0) { doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); ++spadlen; } return; } static LDOUBLE abs_val(LDOUBLE value) { LDOUBLE result = value; if (value < 0) result = -value; return result; } static LDOUBLE -pow10(int exp) +pow10(int in_exp) { LDOUBLE result = 1; - while (exp) { + while (in_exp) { result *= 10; - exp--; + in_exp--; } return result; } static long roundv(LDOUBLE value) { long intpart; intpart = (long) value; value = value - intpart; if (value >= 0.5) intpart++; return intpart; } static void fmtfp( char **sbuffer, char **buffer, size_t *currlen, size_t *maxlen, LDOUBLE fvalue, int min, int max, int flags) { int signvalue = 0; LDOUBLE ufvalue; char iconvert[20]; char fconvert[20]; int iplace = 0; int fplace = 0; int padlen = 0; int zpadlen = 0; int caps = 0; long intpart; long fracpart; if (max < 0) max = 6; ufvalue = abs_val(fvalue); if (fvalue < 0) signvalue = '-'; else if (flags & DP_F_PLUS) signvalue = '+'; else if (flags & DP_F_SPACE) signvalue = ' '; intpart = (long)ufvalue; /* sorry, we only support 9 digits past the decimal because of our conversion method */ if (max > 9) max = 9; /* we "cheat" by converting the fractional part to integer by multiplying by a factor of 10 */ fracpart = roundv((pow10(max)) * (ufvalue - intpart)); if (fracpart >= pow10(max)) { intpart++; fracpart -= (long)pow10(max); } /* convert integer part */ do { iconvert[iplace++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef")[intpart % 10]; intpart = (intpart / 10); - } while (intpart && (iplace < sizeof iplace)); - if (iplace == sizeof iplace) + } while (intpart && (iplace < sizeof iconvert)); + if (iplace == sizeof iconvert) iplace--; iconvert[iplace] = 0; /* convert fractional part */ do { fconvert[fplace++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef")[fracpart % 10]; fracpart = (fracpart / 10); } while (fplace < max); - if (fplace == sizeof fplace) + if (fplace == sizeof fconvert) fplace--; fconvert[fplace] = 0; /* -1 for decimal point, another -1 if we are printing a sign */ padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0); zpadlen = max - fplace; if (zpadlen < 0) zpadlen = 0; if (padlen < 0) padlen = 0; if (flags & DP_F_MINUS) padlen = -padlen; if ((flags & DP_F_ZERO) && (padlen > 0)) { if (signvalue) { doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); --padlen; signvalue = 0; } while (padlen > 0) { doapr_outch(sbuffer, buffer, currlen, maxlen, '0'); --padlen; } } while (padlen > 0) { doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); --padlen; } if (signvalue) doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); while (iplace > 0) doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]); /* * Decimal point. This should probably use locale to find the correct * char to print out. */ if (max > 0 || (flags & DP_F_NUM)) { doapr_outch(sbuffer, buffer, currlen, maxlen, '.'); while (fplace > 0) doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]); } while (zpadlen > 0) { doapr_outch(sbuffer, buffer, currlen, maxlen, '0'); --zpadlen; } while (padlen < 0) { doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); ++padlen; } } static void doapr_outch( char **sbuffer, char **buffer, size_t *currlen, size_t *maxlen, int c) { /* If we haven't at least one buffer, someone has doe a big booboo */ assert(*sbuffer != NULL || buffer != NULL); if (buffer) { while (*currlen >= *maxlen) { if (*buffer == NULL) { if (*maxlen == 0) *maxlen = 1024; *buffer = OPENSSL_malloc(*maxlen); if (*currlen > 0) { assert(*sbuffer != NULL); memcpy(*buffer, *sbuffer, *currlen); } *sbuffer = NULL; } else { *maxlen += 1024; *buffer = OPENSSL_realloc(*buffer, *maxlen); } } /* What to do if *buffer is NULL? */ assert(*sbuffer != NULL || *buffer != NULL); } if (*currlen < *maxlen) { if (*sbuffer) (*sbuffer)[(*currlen)++] = (char)c; else (*buffer)[(*currlen)++] = (char)c; } return; } /***************************************************************************/ int BIO_printf (BIO *bio, const char *format, ...) { va_list args; int ret; va_start(args, format); ret = BIO_vprintf(bio, format, args); va_end(args); return(ret); } int BIO_vprintf (BIO *bio, const char *format, va_list args) { int ret; size_t retlen; char hugebuf[1024*2]; /* Was previously 10k, which is unreasonable in small-stack environments, like threads or DOS programs. */ char *hugebufp = hugebuf; size_t hugebufsize = sizeof(hugebuf); char *dynbuf = NULL; int ignored; dynbuf = NULL; CRYPTO_push_info("doapr()"); _dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format, args); if (dynbuf) { ret=BIO_write(bio, dynbuf, (int)retlen); OPENSSL_free(dynbuf); } else { ret=BIO_write(bio, hugebuf, (int)retlen); } CRYPTO_pop_info(); return(ret); } /* As snprintf is not available everywhere, we provide our own implementation. * This function has nothing to do with BIOs, but it's closely related * to BIO_printf, and we need *some* name prefix ... * (XXX the function should be renamed, but to what?) */ int BIO_snprintf(char *buf, size_t n, const char *format, ...) { va_list args; int ret; va_start(args, format); ret = BIO_vsnprintf(buf, n, format, args); va_end(args); return(ret); } int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) { size_t retlen; int truncated; _dopr(&buf, NULL, &n, &retlen, &truncated, format, args); if (truncated) /* In case of truncation, return -1 like traditional snprintf. * (Current drafts for ISO/IEC 9899 say snprintf should return * the number of characters that would have been written, * had the buffer been large enough.) */ return -1; else return (retlen <= INT_MAX) ? (int)retlen : -1; } diff --git a/crypto/openssl/crypto/bio/b_sock.c b/crypto/openssl/crypto/bio/b_sock.c index 601a14f37c5b..c851298d1e60 100644 --- a/crypto/openssl/crypto/bio/b_sock.c +++ b/crypto/openssl/crypto/bio/b_sock.c @@ -1,752 +1,752 @@ /* crypto/bio/b_sock.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #ifndef OPENSSL_NO_SOCK #include #include #include #define USE_SOCKETS #include "cryptlib.h" #include #ifdef OPENSSL_SYS_WIN16 #define SOCKET_PROTOCOL 0 /* more microsoft stupidity */ #else #define SOCKET_PROTOCOL IPPROTO_TCP #endif #ifdef SO_MAXCONN #define MAX_LISTEN SO_MAXCONN #elif defined(SOMAXCONN) #define MAX_LISTEN SOMAXCONN #else #define MAX_LISTEN 32 #endif #ifdef OPENSSL_SYS_WINDOWS static int wsa_init_done=0; #endif #if 0 static unsigned long BIO_ghbn_hits=0L; static unsigned long BIO_ghbn_miss=0L; #define GHBN_NUM 4 static struct ghbn_cache_st { char name[129]; struct hostent *ent; unsigned long order; } ghbn_cache[GHBN_NUM]; #endif static int get_ip(const char *str,unsigned char *ip); #if 0 static void ghbn_free(struct hostent *a); static struct hostent *ghbn_dup(struct hostent *a); #endif int BIO_get_host_ip(const char *str, unsigned char *ip) { int i; int err = 1; int locked = 0; struct hostent *he; i=get_ip(str,ip); if (i < 0) { BIOerr(BIO_F_BIO_GET_HOST_IP,BIO_R_INVALID_IP_ADDRESS); goto err; } /* At this point, we have something that is most probably correct in some way, so let's init the socket. */ if (BIO_sock_init() != 1) return 0; /* don't generate another error code here */ /* If the string actually contained an IP address, we need not do anything more */ if (i > 0) return(1); /* do a gethostbyname */ CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME); locked = 1; he=BIO_gethostbyname(str); if (he == NULL) { BIOerr(BIO_F_BIO_GET_HOST_IP,BIO_R_BAD_HOSTNAME_LOOKUP); goto err; } /* cast to short because of win16 winsock definition */ if ((short)he->h_addrtype != AF_INET) { BIOerr(BIO_F_BIO_GET_HOST_IP,BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET); goto err; } for (i=0; i<4; i++) ip[i]=he->h_addr_list[0][i]; err = 0; err: if (locked) CRYPTO_w_unlock(CRYPTO_LOCK_GETHOSTBYNAME); if (err) { ERR_add_error_data(2,"host=",str); return 0; } else return 1; } int BIO_get_port(const char *str, unsigned short *port_ptr) { int i; struct servent *s; if (str == NULL) { BIOerr(BIO_F_BIO_GET_PORT,BIO_R_NO_PORT_DEFINED); return(0); } i=atoi(str); if (i != 0) *port_ptr=(unsigned short)i; else { CRYPTO_w_lock(CRYPTO_LOCK_GETSERVBYNAME); /* Note: under VMS with SOCKETSHR, it seems like the first * parameter is 'char *', instead of 'const char *' */ s=getservbyname( #ifndef CONST_STRICT (char *) #endif str,"tcp"); if(s != NULL) *port_ptr=ntohs((unsigned short)s->s_port); CRYPTO_w_unlock(CRYPTO_LOCK_GETSERVBYNAME); if(s == NULL) { if (strcmp(str,"http") == 0) *port_ptr=80; else if (strcmp(str,"telnet") == 0) *port_ptr=23; else if (strcmp(str,"socks") == 0) *port_ptr=1080; else if (strcmp(str,"https") == 0) *port_ptr=443; else if (strcmp(str,"ssl") == 0) *port_ptr=443; else if (strcmp(str,"ftp") == 0) *port_ptr=21; else if (strcmp(str,"gopher") == 0) *port_ptr=70; #if 0 else if (strcmp(str,"wais") == 0) *port_ptr=21; #endif else { SYSerr(SYS_F_GETSERVBYNAME,get_last_socket_error()); ERR_add_error_data(3,"service='",str,"'"); return(0); } } } return(1); } int BIO_sock_error(int sock) { int j,i; int size; size=sizeof(int); /* Note: under Windows the third parameter is of type (char *) * whereas under other systems it is (void *) if you don't have * a cast it will choke the compiler: if you do have a cast then * you can either go for (char *) or (void *). */ i=getsockopt(sock,SOL_SOCKET,SO_ERROR,(void *)&j,(void *)&size); if (i < 0) return(1); else return(j); } #if 0 long BIO_ghbn_ctrl(int cmd, int iarg, char *parg) { int i; char **p; switch (cmd) { case BIO_GHBN_CTRL_HITS: return(BIO_ghbn_hits); /* break; */ case BIO_GHBN_CTRL_MISSES: return(BIO_ghbn_miss); /* break; */ case BIO_GHBN_CTRL_CACHE_SIZE: return(GHBN_NUM); /* break; */ case BIO_GHBN_CTRL_GET_ENTRY: if ((iarg >= 0) && (iarg 0)) { p=(char **)parg; if (p == NULL) return(0); *p=ghbn_cache[iarg].name; ghbn_cache[iarg].name[128]='\0'; return(1); } return(0); /* break; */ case BIO_GHBN_CTRL_FLUSH: for (i=0; ih_aliases[i] != NULL; i++) ; i++; ret->h_aliases = (char **)OPENSSL_malloc(i*sizeof(char *)); if (ret->h_aliases == NULL) goto err; memset(ret->h_aliases, 0, i*sizeof(char *)); for (i=0; a->h_addr_list[i] != NULL; i++) ; i++; ret->h_addr_list=(char **)OPENSSL_malloc(i*sizeof(char *)); if (ret->h_addr_list == NULL) goto err; memset(ret->h_addr_list, 0, i*sizeof(char *)); j=strlen(a->h_name)+1; if ((ret->h_name=OPENSSL_malloc(j)) == NULL) goto err; memcpy((char *)ret->h_name,a->h_name,j); for (i=0; a->h_aliases[i] != NULL; i++) { j=strlen(a->h_aliases[i])+1; if ((ret->h_aliases[i]=OPENSSL_malloc(j)) == NULL) goto err; memcpy(ret->h_aliases[i],a->h_aliases[i],j); } ret->h_length=a->h_length; ret->h_addrtype=a->h_addrtype; for (i=0; a->h_addr_list[i] != NULL; i++) { if ((ret->h_addr_list[i]=OPENSSL_malloc(a->h_length)) == NULL) goto err; memcpy(ret->h_addr_list[i],a->h_addr_list[i],a->h_length); } if (0) { err: if (ret != NULL) ghbn_free(ret); ret=NULL; } MemCheck_on(); return(ret); } static void ghbn_free(struct hostent *a) { int i; if(a == NULL) return; if (a->h_aliases != NULL) { for (i=0; a->h_aliases[i] != NULL; i++) OPENSSL_free(a->h_aliases[i]); OPENSSL_free(a->h_aliases); } if (a->h_addr_list != NULL) { for (i=0; a->h_addr_list[i] != NULL; i++) OPENSSL_free(a->h_addr_list[i]); OPENSSL_free(a->h_addr_list); } if (a->h_name != NULL) OPENSSL_free(a->h_name); OPENSSL_free(a); } #endif struct hostent *BIO_gethostbyname(const char *name) { #if 1 /* Caching gethostbyname() results forever is wrong, * so we have to let the true gethostbyname() worry about this */ return gethostbyname(name); #else struct hostent *ret; int i,lowi=0,j; unsigned long low= (unsigned long)-1; # if 0 /* It doesn't make sense to use locking here: The function interface * is not thread-safe, because threads can never be sure when * some other thread destroys the data they were given a pointer to. */ CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME); # endif j=strlen(name); if (j < 128) { for (i=0; i ghbn_cache[i].order) { low=ghbn_cache[i].order; lowi=i; } if (ghbn_cache[i].order > 0) { if (strncmp(name,ghbn_cache[i].name,128) == 0) break; } } } else i=GHBN_NUM; if (i == GHBN_NUM) /* no hit*/ { BIO_ghbn_miss++; /* Note: under VMS with SOCKETSHR, it seems like the first * parameter is 'char *', instead of 'const char *' */ ret=gethostbyname( # ifndef CONST_STRICT (char *) # endif name); if (ret == NULL) goto end; if (j > 128) /* too big to cache */ { # if 0 /* If we were trying to make this function thread-safe (which * is bound to fail), we'd have to give up in this case * (or allocate more memory). */ ret = NULL; # endif goto end; } /* else add to cache */ if (ghbn_cache[lowi].ent != NULL) ghbn_free(ghbn_cache[lowi].ent); /* XXX not thread-safe */ ghbn_cache[lowi].name[0] = '\0'; if((ret=ghbn_cache[lowi].ent=ghbn_dup(ret)) == NULL) { BIOerr(BIO_F_BIO_GETHOSTBYNAME,ERR_R_MALLOC_FAILURE); goto end; } strncpy(ghbn_cache[lowi].name,name,128); ghbn_cache[lowi].order=BIO_ghbn_miss+BIO_ghbn_hits; } else { BIO_ghbn_hits++; ret= ghbn_cache[i].ent; ghbn_cache[i].order=BIO_ghbn_miss+BIO_ghbn_hits; } end: # if 0 CRYPTO_w_unlock(CRYPTO_LOCK_GETHOSTBYNAME); # endif return(ret); #endif } int BIO_sock_init(void) { #ifdef OPENSSL_SYS_WINDOWS static struct WSAData wsa_state; if (!wsa_init_done) { int err; #ifdef SIGINT signal(SIGINT,(void (*)(int))BIO_sock_cleanup); #endif wsa_init_done=1; memset(&wsa_state,0,sizeof(wsa_state)); if (WSAStartup(0x0101,&wsa_state)!=0) { err=WSAGetLastError(); SYSerr(SYS_F_WSASTARTUP,err); BIOerr(BIO_F_BIO_SOCK_INIT,BIO_R_WSASTARTUP); return(-1); } } #endif /* OPENSSL_SYS_WINDOWS */ #ifdef WATT32 extern int _watt_do_exit; _watt_do_exit = 0; /* don't make sock_init() call exit() */ if (sock_init()) return (-1); #endif return(1); } void BIO_sock_cleanup(void) { #ifdef OPENSSL_SYS_WINDOWS if (wsa_init_done) { wsa_init_done=0; #ifndef OPENSSL_SYS_WINCE WSACancelBlockingCall(); #endif WSACleanup(); } #endif } #if !defined(OPENSSL_SYS_VMS) || __VMS_VER >= 70000000 int BIO_socket_ioctl(int fd, long type, void *arg) { int i; #ifdef __DJGPP__ i=ioctlsocket(fd,type,(char *)arg); #else i=ioctlsocket(fd,type,arg); #endif /* __DJGPP__ */ if (i < 0) SYSerr(SYS_F_IOCTLSOCKET,get_last_socket_error()); return(i); } #endif /* __VMS_VER */ /* The reason I have implemented this instead of using sscanf is because * Visual C 1.52c gives an unresolved external when linking a DLL :-( */ static int get_ip(const char *str, unsigned char ip[4]) { unsigned int tmp[4]; int num=0,c,ok=0; tmp[0]=tmp[1]=tmp[2]=tmp[3]=0; for (;;) { c= *(str++); if ((c >= '0') && (c <= '9')) { ok=1; tmp[num]=tmp[num]*10+c-'0'; if (tmp[num] > 255) return(0); } else if (c == '.') { if (!ok) return(-1); if (num == 3) return(0); num++; ok=0; } else if (c == '\0' && (num == 3) && ok) break; else return(0); } ip[0]=tmp[0]; ip[1]=tmp[1]; ip[2]=tmp[2]; ip[3]=tmp[3]; return(1); } int BIO_get_accept_socket(char *host, int bind_mode) { int ret=0; struct sockaddr_in server,client; int s=INVALID_SOCKET,cs; unsigned char ip[4]; unsigned short port; char *str=NULL,*e; const char *h,*p; unsigned long l; int err_num; if (BIO_sock_init() != 1) return(INVALID_SOCKET); if ((str=BUF_strdup(host)) == NULL) return(INVALID_SOCKET); h=p=NULL; h=str; for (e=str; *e; e++) { if (*e == ':') { p= &(e[1]); *e='\0'; } else if (*e == '/') { *e='\0'; break; } } if (p == NULL) { p=h; h="*"; } if (!BIO_get_port(p,&port)) goto err; memset((char *)&server,0,sizeof(server)); server.sin_family=AF_INET; server.sin_port=htons(port); if (strcmp(h,"*") == 0) server.sin_addr.s_addr=INADDR_ANY; else { if (!BIO_get_host_ip(h,&(ip[0]))) goto err; l=(unsigned long) ((unsigned long)ip[0]<<24L)| ((unsigned long)ip[1]<<16L)| ((unsigned long)ip[2]<< 8L)| ((unsigned long)ip[3]); server.sin_addr.s_addr=htonl(l); } again: s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); if (s == INVALID_SOCKET) { SYSerr(SYS_F_SOCKET,get_last_socket_error()); ERR_add_error_data(3,"port='",host,"'"); BIOerr(BIO_F_BIO_GET_ACCEPT_SOCKET,BIO_R_UNABLE_TO_CREATE_SOCKET); goto err; } #ifdef SO_REUSEADDR if (bind_mode == BIO_BIND_REUSEADDR) { int i=1; ret=setsockopt(s,SOL_SOCKET,SO_REUSEADDR,(char *)&i,sizeof(i)); bind_mode=BIO_BIND_NORMAL; } #endif if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1) { #ifdef SO_REUSEADDR err_num=get_last_socket_error(); if ((bind_mode == BIO_BIND_REUSEADDR_IF_UNUSED) && (err_num == EADDRINUSE)) { memcpy((char *)&client,(char *)&server,sizeof(server)); if (strcmp(h,"*") == 0) client.sin_addr.s_addr=htonl(0x7F000001); cs=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); if (cs != INVALID_SOCKET) { int ii; ii=connect(cs,(struct sockaddr *)&client, sizeof(client)); closesocket(cs); if (ii == INVALID_SOCKET) { bind_mode=BIO_BIND_REUSEADDR; closesocket(s); goto again; } /* else error */ } /* else error */ } #endif SYSerr(SYS_F_BIND,err_num); ERR_add_error_data(3,"port='",host,"'"); BIOerr(BIO_F_BIO_GET_ACCEPT_SOCKET,BIO_R_UNABLE_TO_BIND_SOCKET); goto err; } if (listen(s,MAX_LISTEN) == -1) { SYSerr(SYS_F_BIND,get_last_socket_error()); ERR_add_error_data(3,"port='",host,"'"); BIOerr(BIO_F_BIO_GET_ACCEPT_SOCKET,BIO_R_UNABLE_TO_LISTEN_SOCKET); goto err; } ret=1; err: if (str != NULL) OPENSSL_free(str); if ((ret == 0) && (s != INVALID_SOCKET)) { closesocket(s); s= INVALID_SOCKET; } return(s); } int BIO_accept(int sock, char **addr) { int ret=INVALID_SOCKET; static struct sockaddr_in from; unsigned long l; unsigned short port; int len; char *p; memset((char *)&from,0,sizeof(from)); len=sizeof(from); /* Note: under VMS with SOCKETSHR the fourth parameter is currently * of type (int *) whereas under other systems it is (void *) if * you don't have a cast it will choke the compiler: if you do * have a cast then you can either go for (int *) or (void *). */ ret=accept(sock,(struct sockaddr *)&from,(void *)&len); if (ret == INVALID_SOCKET) { if(BIO_sock_should_retry(ret)) return -2; SYSerr(SYS_F_ACCEPT,get_last_socket_error()); BIOerr(BIO_F_BIO_ACCEPT,BIO_R_ACCEPT_ERROR); goto end; } if (addr == NULL) goto end; l=ntohl(from.sin_addr.s_addr); port=ntohs(from.sin_port); if (*addr == NULL) { if ((p=OPENSSL_malloc(24)) == NULL) { BIOerr(BIO_F_BIO_ACCEPT,ERR_R_MALLOC_FAILURE); goto end; } *addr=p; } - sprintf(*addr,"%d.%d.%d.%d:%d", - (unsigned char)(l>>24L)&0xff, - (unsigned char)(l>>16L)&0xff, - (unsigned char)(l>> 8L)&0xff, - (unsigned char)(l )&0xff, - port); + BIO_snprintf(*addr,24,"%d.%d.%d.%d:%d", + (unsigned char)(l>>24L)&0xff, + (unsigned char)(l>>16L)&0xff, + (unsigned char)(l>> 8L)&0xff, + (unsigned char)(l )&0xff, + port); end: return(ret); } int BIO_set_tcp_ndelay(int s, int on) { int ret=0; #if defined(TCP_NODELAY) && (defined(IPPROTO_TCP) || defined(SOL_TCP)) int opt; #ifdef SOL_TCP opt=SOL_TCP; #else #ifdef IPPROTO_TCP opt=IPPROTO_TCP; #endif #endif ret=setsockopt(s,opt,TCP_NODELAY,(char *)&on,sizeof(on)); #endif return(ret == 0); } #endif int BIO_socket_nbio(int s, int mode) { int ret= -1; int l; l=mode; #ifdef FIONBIO ret=BIO_socket_ioctl(s,FIONBIO,&l); #endif return(ret == 0); } diff --git a/crypto/openssl/crypto/bio/bio_cb.c b/crypto/openssl/crypto/bio/bio_cb.c index 0ffa4d21367f..6f4254a1141a 100644 --- a/crypto/openssl/crypto/bio/bio_cb.c +++ b/crypto/openssl/crypto/bio/bio_cb.c @@ -1,133 +1,139 @@ /* crypto/bio/bio_cb.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include "cryptlib.h" #include #include long MS_CALLBACK BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret) { BIO *b; MS_STATIC char buf[256]; char *p; long r=1; + size_t p_maxlen; if (BIO_CB_RETURN & cmd) r=ret; - sprintf(buf,"BIO[%08lX]:",(unsigned long)bio); + BIO_snprintf(buf,sizeof buf,"BIO[%08lX]:",(unsigned long)bio); p= &(buf[14]); + p_maxlen = sizeof buf - 14; switch (cmd) { case BIO_CB_FREE: - sprintf(p,"Free - %s\n",bio->method->name); + BIO_snprintf(p,p_maxlen,"Free - %s\n",bio->method->name); break; case BIO_CB_READ: if (bio->method->type & BIO_TYPE_DESCRIPTOR) - sprintf(p,"read(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num); + BIO_snprintf(p,p_maxlen,"read(%d,%d) - %s fd=%d\n", + bio->num,argi,bio->method->name,bio->num); else - sprintf(p,"read(%d,%d) - %s\n",bio->num,argi,bio->method->name); + BIO_snprintf(p,p_maxlen,"read(%d,%d) - %s\n", + bio->num,argi,bio->method->name); break; case BIO_CB_WRITE: if (bio->method->type & BIO_TYPE_DESCRIPTOR) - sprintf(p,"write(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num); + BIO_snprintf(p,p_maxlen,"write(%d,%d) - %s fd=%d\n", + bio->num,argi,bio->method->name,bio->num); else - sprintf(p,"write(%d,%d) - %s\n",bio->num,argi,bio->method->name); + BIO_snprintf(p,p_maxlen,"write(%d,%d) - %s\n", + bio->num,argi,bio->method->name); break; case BIO_CB_PUTS: - sprintf(p,"puts() - %s\n",bio->method->name); + BIO_snprintf(p,p_maxlen,"puts() - %s\n",bio->method->name); break; case BIO_CB_GETS: - sprintf(p,"gets(%d) - %s\n",argi,bio->method->name); + BIO_snprintf(p,p_maxlen,"gets(%d) - %s\n",argi,bio->method->name); break; case BIO_CB_CTRL: - sprintf(p,"ctrl(%d) - %s\n",argi,bio->method->name); + BIO_snprintf(p,p_maxlen,"ctrl(%d) - %s\n",argi,bio->method->name); break; case BIO_CB_RETURN|BIO_CB_READ: - sprintf(p,"read return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"read return %ld\n",ret); break; case BIO_CB_RETURN|BIO_CB_WRITE: - sprintf(p,"write return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"write return %ld\n",ret); break; case BIO_CB_RETURN|BIO_CB_GETS: - sprintf(p,"gets return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"gets return %ld\n",ret); break; case BIO_CB_RETURN|BIO_CB_PUTS: - sprintf(p,"puts return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"puts return %ld\n",ret); break; case BIO_CB_RETURN|BIO_CB_CTRL: - sprintf(p,"ctrl return %ld\n",ret); + BIO_snprintf(p,p_maxlen,"ctrl return %ld\n",ret); break; default: - sprintf(p,"bio callback - unknown type (%d)\n",cmd); + BIO_snprintf(p,p_maxlen,"bio callback - unknown type (%d)\n",cmd); break; } b=(BIO *)bio->cb_arg; if (b != NULL) BIO_write(b,buf,strlen(buf)); #if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16) else fputs(buf,stderr); #endif return(r); } diff --git a/crypto/openssl/crypto/bio/bss_conn.c b/crypto/openssl/crypto/bio/bss_conn.c index 743db6ff94a0..f5d0e759e230 100644 --- a/crypto/openssl/crypto/bio/bss_conn.c +++ b/crypto/openssl/crypto/bio/bss_conn.c @@ -1,652 +1,652 @@ /* crypto/bio/bss_conn.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #ifndef OPENSSL_NO_SOCK #include #include #define USE_SOCKETS #include "cryptlib.h" #include #ifdef OPENSSL_SYS_WIN16 #define SOCKET_PROTOCOL 0 /* more microsoft stupidity */ #else #define SOCKET_PROTOCOL IPPROTO_TCP #endif #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ #undef FIONBIO #endif typedef struct bio_connect_st { int state; char *param_hostname; char *param_port; int nbio; unsigned char ip[4]; unsigned short port; struct sockaddr_in them; /* int socket; this will be kept in bio->num so that it is * compatible with the bss_sock bio */ /* called when the connection is initially made * callback(BIO,state,ret); The callback should return * 'ret'. state is for compatibility with the ssl info_callback */ int (*info_callback)(const BIO *bio,int state,int ret); } BIO_CONNECT; static int conn_write(BIO *h, const char *buf, int num); static int conn_read(BIO *h, char *buf, int size); static int conn_puts(BIO *h, const char *str); static long conn_ctrl(BIO *h, int cmd, long arg1, void *arg2); static int conn_new(BIO *h); static int conn_free(BIO *data); static long conn_callback_ctrl(BIO *h, int cmd, bio_info_cb *); static int conn_state(BIO *b, BIO_CONNECT *c); static void conn_close_socket(BIO *data); BIO_CONNECT *BIO_CONNECT_new(void ); void BIO_CONNECT_free(BIO_CONNECT *a); static BIO_METHOD methods_connectp= { BIO_TYPE_CONNECT, "socket connect", conn_write, conn_read, conn_puts, NULL, /* connect_gets, */ conn_ctrl, conn_new, conn_free, conn_callback_ctrl, }; static int conn_state(BIO *b, BIO_CONNECT *c) { int ret= -1,i; unsigned long l; char *p,*q; int (*cb)()=NULL; if (c->info_callback != NULL) cb=c->info_callback; for (;;) { switch (c->state) { case BIO_CONN_S_BEFORE: p=c->param_hostname; if (p == NULL) { BIOerr(BIO_F_CONN_STATE,BIO_R_NO_HOSTNAME_SPECIFIED); goto exit_loop; } for ( ; *p != '\0'; p++) { if ((*p == ':') || (*p == '/')) break; } i= *p; if ((i == ':') || (i == '/')) { *(p++)='\0'; if (i == ':') { for (q=p; *q; q++) if (*q == '/') { *q='\0'; break; } if (c->param_port != NULL) OPENSSL_free(c->param_port); c->param_port=BUF_strdup(p); } } if (c->param_port == NULL) { BIOerr(BIO_F_CONN_STATE,BIO_R_NO_PORT_SPECIFIED); ERR_add_error_data(2,"host=",c->param_hostname); goto exit_loop; } c->state=BIO_CONN_S_GET_IP; break; case BIO_CONN_S_GET_IP: if (BIO_get_host_ip(c->param_hostname,&(c->ip[0])) <= 0) goto exit_loop; c->state=BIO_CONN_S_GET_PORT; break; case BIO_CONN_S_GET_PORT: if (c->param_port == NULL) { /* abort(); */ goto exit_loop; } else if (BIO_get_port(c->param_port,&c->port) <= 0) goto exit_loop; c->state=BIO_CONN_S_CREATE_SOCKET; break; case BIO_CONN_S_CREATE_SOCKET: /* now setup address */ memset((char *)&c->them,0,sizeof(c->them)); c->them.sin_family=AF_INET; c->them.sin_port=htons((unsigned short)c->port); l=(unsigned long) ((unsigned long)c->ip[0]<<24L)| ((unsigned long)c->ip[1]<<16L)| ((unsigned long)c->ip[2]<< 8L)| ((unsigned long)c->ip[3]); c->them.sin_addr.s_addr=htonl(l); c->state=BIO_CONN_S_CREATE_SOCKET; ret=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); if (ret == INVALID_SOCKET) { SYSerr(SYS_F_SOCKET,get_last_socket_error()); ERR_add_error_data(4,"host=",c->param_hostname, ":",c->param_port); BIOerr(BIO_F_CONN_STATE,BIO_R_UNABLE_TO_CREATE_SOCKET); goto exit_loop; } b->num=ret; c->state=BIO_CONN_S_NBIO; break; case BIO_CONN_S_NBIO: if (c->nbio) { if (!BIO_socket_nbio(b->num,1)) { BIOerr(BIO_F_CONN_STATE,BIO_R_ERROR_SETTING_NBIO); ERR_add_error_data(4,"host=", c->param_hostname, ":",c->param_port); goto exit_loop; } } c->state=BIO_CONN_S_CONNECT; #if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE) i=1; i=setsockopt(b->num,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); if (i < 0) { SYSerr(SYS_F_SOCKET,get_last_socket_error()); ERR_add_error_data(4,"host=",c->param_hostname, ":",c->param_port); BIOerr(BIO_F_CONN_STATE,BIO_R_KEEPALIVE); goto exit_loop; } #endif break; case BIO_CONN_S_CONNECT: BIO_clear_retry_flags(b); ret=connect(b->num, (struct sockaddr *)&c->them, sizeof(c->them)); b->retry_reason=0; if (ret < 0) { if (BIO_sock_should_retry(ret)) { BIO_set_retry_special(b); c->state=BIO_CONN_S_BLOCKED_CONNECT; b->retry_reason=BIO_RR_CONNECT; } else { SYSerr(SYS_F_CONNECT,get_last_socket_error()); ERR_add_error_data(4,"host=", c->param_hostname, ":",c->param_port); BIOerr(BIO_F_CONN_STATE,BIO_R_CONNECT_ERROR); } goto exit_loop; } else c->state=BIO_CONN_S_OK; break; case BIO_CONN_S_BLOCKED_CONNECT: i=BIO_sock_error(b->num); if (i) { BIO_clear_retry_flags(b); SYSerr(SYS_F_CONNECT,i); ERR_add_error_data(4,"host=", c->param_hostname, ":",c->param_port); BIOerr(BIO_F_CONN_STATE,BIO_R_NBIO_CONNECT_ERROR); ret=0; goto exit_loop; } else c->state=BIO_CONN_S_OK; break; case BIO_CONN_S_OK: ret=1; goto exit_loop; default: /* abort(); */ goto exit_loop; } if (cb != NULL) { if (!(ret=cb((BIO *)b,c->state,ret))) goto end; } } /* Loop does not exit */ exit_loop: if (cb != NULL) ret=cb((BIO *)b,c->state,ret); end: return(ret); } BIO_CONNECT *BIO_CONNECT_new(void) { BIO_CONNECT *ret; if ((ret=(BIO_CONNECT *)OPENSSL_malloc(sizeof(BIO_CONNECT))) == NULL) return(NULL); ret->state=BIO_CONN_S_BEFORE; ret->param_hostname=NULL; ret->param_port=NULL; ret->info_callback=NULL; ret->nbio=0; ret->ip[0]=0; ret->ip[1]=0; ret->ip[2]=0; ret->ip[3]=0; ret->port=0; memset((char *)&ret->them,0,sizeof(ret->them)); return(ret); } void BIO_CONNECT_free(BIO_CONNECT *a) { if(a == NULL) return; if (a->param_hostname != NULL) OPENSSL_free(a->param_hostname); if (a->param_port != NULL) OPENSSL_free(a->param_port); OPENSSL_free(a); } BIO_METHOD *BIO_s_connect(void) { return(&methods_connectp); } static int conn_new(BIO *bi) { bi->init=0; bi->num=INVALID_SOCKET; bi->flags=0; if ((bi->ptr=(char *)BIO_CONNECT_new()) == NULL) return(0); else return(1); } static void conn_close_socket(BIO *bio) { BIO_CONNECT *c; c=(BIO_CONNECT *)bio->ptr; if (bio->num != INVALID_SOCKET) { /* Only do a shutdown if things were established */ if (c->state == BIO_CONN_S_OK) shutdown(bio->num,2); closesocket(bio->num); bio->num=INVALID_SOCKET; } } static int conn_free(BIO *a) { BIO_CONNECT *data; if (a == NULL) return(0); data=(BIO_CONNECT *)a->ptr; if (a->shutdown) { conn_close_socket(a); BIO_CONNECT_free(data); a->ptr=NULL; a->flags=0; a->init=0; } return(1); } static int conn_read(BIO *b, char *out, int outl) { int ret=0; BIO_CONNECT *data; data=(BIO_CONNECT *)b->ptr; if (data->state != BIO_CONN_S_OK) { ret=conn_state(b,data); if (ret <= 0) return(ret); } if (out != NULL) { clear_socket_error(); ret=readsocket(b->num,out,outl); BIO_clear_retry_flags(b); if (ret <= 0) { if (BIO_sock_should_retry(ret)) BIO_set_retry_read(b); } } return(ret); } static int conn_write(BIO *b, const char *in, int inl) { int ret; BIO_CONNECT *data; data=(BIO_CONNECT *)b->ptr; if (data->state != BIO_CONN_S_OK) { ret=conn_state(b,data); if (ret <= 0) return(ret); } clear_socket_error(); ret=writesocket(b->num,in,inl); BIO_clear_retry_flags(b); if (ret <= 0) { if (BIO_sock_should_retry(ret)) BIO_set_retry_write(b); } return(ret); } static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) { BIO *dbio; int *ip; const char **pptr; long ret=1; BIO_CONNECT *data; data=(BIO_CONNECT *)b->ptr; switch (cmd) { case BIO_CTRL_RESET: ret=0; data->state=BIO_CONN_S_BEFORE; conn_close_socket(b); b->flags=0; break; case BIO_C_DO_STATE_MACHINE: /* use this one to start the connection */ if (!data->state != BIO_CONN_S_OK) ret=(long)conn_state(b,data); else ret=1; break; case BIO_C_GET_CONNECT: if (ptr != NULL) { pptr=(const char **)ptr; if (num == 0) { *pptr=data->param_hostname; } else if (num == 1) { *pptr=data->param_port; } else if (num == 2) { *pptr= (char *)&(data->ip[0]); } else if (num == 3) { *((int *)ptr)=data->port; } if ((!b->init) || (ptr == NULL)) *pptr="not initialized"; ret=1; } break; case BIO_C_SET_CONNECT: if (ptr != NULL) { b->init=1; if (num == 0) { if (data->param_hostname != NULL) OPENSSL_free(data->param_hostname); data->param_hostname=BUF_strdup(ptr); } else if (num == 1) { if (data->param_port != NULL) OPENSSL_free(data->param_port); data->param_port=BUF_strdup(ptr); } else if (num == 2) { char buf[16]; unsigned char *p = ptr; - sprintf(buf,"%d.%d.%d.%d", - p[0],p[1],p[2],p[3]); + BIO_snprintf(buf,sizeof buf,"%d.%d.%d.%d", + p[0],p[1],p[2],p[3]); if (data->param_hostname != NULL) OPENSSL_free(data->param_hostname); data->param_hostname=BUF_strdup(buf); memcpy(&(data->ip[0]),ptr,4); } else if (num == 3) { char buf[DECIMAL_SIZE(int)+1]; - sprintf(buf,"%d",*(int *)ptr); + BIO_snprintf(buf,sizeof buf,"%d",*(int *)ptr); if (data->param_port != NULL) OPENSSL_free(data->param_port); data->param_port=BUF_strdup(buf); data->port= *(int *)ptr; } } break; case BIO_C_SET_NBIO: data->nbio=(int)num; break; case BIO_C_GET_FD: if (b->init) { ip=(int *)ptr; if (ip != NULL) *ip=b->num; ret=b->num; } else ret= -1; break; case BIO_CTRL_GET_CLOSE: ret=b->shutdown; break; case BIO_CTRL_SET_CLOSE: b->shutdown=(int)num; break; case BIO_CTRL_PENDING: case BIO_CTRL_WPENDING: ret=0; break; case BIO_CTRL_FLUSH: break; case BIO_CTRL_DUP: { dbio=(BIO *)ptr; if (data->param_port) BIO_set_conn_port(dbio,data->param_port); if (data->param_hostname) BIO_set_conn_hostname(dbio,data->param_hostname); BIO_set_nbio(dbio,data->nbio); /* FIXME: the cast of the function seems unlikely to be a good idea */ (void)BIO_set_info_callback(dbio,(bio_info_cb *)data->info_callback); } break; case BIO_CTRL_SET_CALLBACK: { #if 0 /* FIXME: Should this be used? -- Richard Levitte */ BIOerr(BIO_F_CONN_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); ret = -1; #else ret=0; #endif } break; case BIO_CTRL_GET_CALLBACK: { int (**fptr)(); fptr=(int (**)())ptr; *fptr=data->info_callback; } break; default: ret=0; break; } return(ret); } static long conn_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp) { long ret=1; BIO_CONNECT *data; data=(BIO_CONNECT *)b->ptr; switch (cmd) { case BIO_CTRL_SET_CALLBACK: { data->info_callback=(int (*)(const struct bio_st *, int, int))fp; } break; default: ret=0; break; } return(ret); } static int conn_puts(BIO *bp, const char *str) { int n,ret; n=strlen(str); ret=conn_write(bp,str,n); return(ret); } BIO *BIO_new_connect(char *str) { BIO *ret; ret=BIO_new(BIO_s_connect()); if (ret == NULL) return(NULL); if (BIO_set_conn_hostname(ret,str)) return(ret); else { BIO_free(ret); return(NULL); } } #endif diff --git a/crypto/openssl/crypto/bio/bss_file.c b/crypto/openssl/crypto/bio/bss_file.c index 6904b5c081c4..9cdf159f82f8 100644 --- a/crypto/openssl/crypto/bio/bss_file.c +++ b/crypto/openssl/crypto/bio/bss_file.c @@ -1,341 +1,341 @@ /* crypto/bio/bss_file.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* * 03-Dec-1997 rdenny@dc3.com Fix bug preventing use of stdin/stdout * with binary data (e.g. asn1parse -inform DER < xxx) under * Windows */ #ifndef HEADER_BSS_FILE_C #define HEADER_BSS_FILE_C #include #include #include "cryptlib.h" #include #include #if !defined(OPENSSL_NO_STDIO) static int MS_CALLBACK file_write(BIO *h, const char *buf, int num); static int MS_CALLBACK file_read(BIO *h, char *buf, int size); static int MS_CALLBACK file_puts(BIO *h, const char *str); static int MS_CALLBACK file_gets(BIO *h, char *str, int size); static long MS_CALLBACK file_ctrl(BIO *h, int cmd, long arg1, void *arg2); static int MS_CALLBACK file_new(BIO *h); static int MS_CALLBACK file_free(BIO *data); static BIO_METHOD methods_filep= { BIO_TYPE_FILE, "FILE pointer", file_write, file_read, file_puts, file_gets, file_ctrl, file_new, file_free, NULL, }; BIO *BIO_new_file(const char *filename, const char *mode) { BIO *ret; FILE *file; if ((file=fopen(filename,mode)) == NULL) { SYSerr(SYS_F_FOPEN,get_last_sys_error()); ERR_add_error_data(5,"fopen('",filename,"','",mode,"')"); if (errno == ENOENT) BIOerr(BIO_F_BIO_NEW_FILE,BIO_R_NO_SUCH_FILE); else BIOerr(BIO_F_BIO_NEW_FILE,ERR_R_SYS_LIB); return(NULL); } if ((ret=BIO_new(BIO_s_file_internal())) == NULL) return(NULL); BIO_set_fp(ret,file,BIO_CLOSE); return(ret); } BIO *BIO_new_fp(FILE *stream, int close_flag) { BIO *ret; if ((ret=BIO_new(BIO_s_file())) == NULL) return(NULL); BIO_set_fp(ret,stream,close_flag); return(ret); } BIO_METHOD *BIO_s_file(void) { return(&methods_filep); } static int MS_CALLBACK file_new(BIO *bi) { bi->init=0; bi->num=0; bi->ptr=NULL; return(1); } static int MS_CALLBACK file_free(BIO *a) { if (a == NULL) return(0); if (a->shutdown) { if ((a->init) && (a->ptr != NULL)) { fclose((FILE *)a->ptr); a->ptr=NULL; } a->init=0; } return(1); } static int MS_CALLBACK file_read(BIO *b, char *out, int outl) { int ret=0; if (b->init && (out != NULL)) { ret=fread(out,1,(int)outl,(FILE *)b->ptr); if(ret == 0 && ferror((FILE *)b->ptr)) { SYSerr(SYS_F_FREAD,get_last_sys_error()); BIOerr(BIO_F_FILE_READ,ERR_R_SYS_LIB); ret=-1; } } return(ret); } static int MS_CALLBACK file_write(BIO *b, const char *in, int inl) { int ret=0; if (b->init && (in != NULL)) { if (fwrite(in,(int)inl,1,(FILE *)b->ptr)) ret=inl; /* ret=fwrite(in,1,(int)inl,(FILE *)b->ptr); */ /* according to Tim Hudson , the commented * out version above can cause 'inl' write calls under * some stupid stdio implementations (VMS) */ } return(ret); } static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) { long ret=1; FILE *fp=(FILE *)b->ptr; FILE **fpp; char p[4]; switch (cmd) { case BIO_C_FILE_SEEK: case BIO_CTRL_RESET: ret=(long)fseek(fp,num,0); break; case BIO_CTRL_EOF: ret=(long)feof(fp); break; case BIO_C_FILE_TELL: case BIO_CTRL_INFO: ret=ftell(fp); break; case BIO_C_SET_FILE_PTR: file_free(b); b->shutdown=(int)num&BIO_CLOSE; b->ptr=(char *)ptr; b->init=1; #if defined(OPENSSL_SYS_WINDOWS) if (num & BIO_FP_TEXT) _setmode(fileno((FILE *)ptr),_O_TEXT); else _setmode(fileno((FILE *)ptr),_O_BINARY); #elif defined(OPENSSL_SYS_MSDOS) { int fd = fileno((FILE*)ptr); /* Set correct text/binary mode */ if (num & BIO_FP_TEXT) _setmode(fd,_O_TEXT); /* Dangerous to set stdin/stdout to raw (unless redirected) */ else { if (fd == STDIN_FILENO || fd == STDOUT_FILENO) { if (isatty(fd) <= 0) _setmode(fd,_O_BINARY); } else _setmode(fd,_O_BINARY); } } #elif defined(OPENSSL_SYS_OS2) if (num & BIO_FP_TEXT) setmode(fileno((FILE *)ptr), O_TEXT); else setmode(fileno((FILE *)ptr), O_BINARY); #endif break; case BIO_C_SET_FILENAME: file_free(b); b->shutdown=(int)num&BIO_CLOSE; if (num & BIO_FP_APPEND) { if (num & BIO_FP_READ) - strcpy(p,"a+"); - else strcpy(p,"a"); + BUF_strlcpy(p,"a+",sizeof p); + else BUF_strlcpy(p,"a",sizeof p); } else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE)) - strcpy(p,"r+"); + BUF_strlcpy(p,"r+",sizeof p); else if (num & BIO_FP_WRITE) - strcpy(p,"w"); + BUF_strlcpy(p,"w",sizeof p); else if (num & BIO_FP_READ) - strcpy(p,"r"); + BUF_strlcpy(p,"r",sizeof p); else { BIOerr(BIO_F_FILE_CTRL,BIO_R_BAD_FOPEN_MODE); ret=0; break; } #if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) if (!(num & BIO_FP_TEXT)) strcat(p,"b"); else strcat(p,"t"); #endif fp=fopen(ptr,p); if (fp == NULL) { SYSerr(SYS_F_FOPEN,get_last_sys_error()); ERR_add_error_data(5,"fopen('",ptr,"','",p,"')"); BIOerr(BIO_F_FILE_CTRL,ERR_R_SYS_LIB); ret=0; break; } b->ptr=(char *)fp; b->init=1; break; case BIO_C_GET_FILE_PTR: /* the ptr parameter is actually a FILE ** in this case. */ if (ptr != NULL) { fpp=(FILE **)ptr; *fpp=(FILE *)b->ptr; } break; case BIO_CTRL_GET_CLOSE: ret=(long)b->shutdown; break; case BIO_CTRL_SET_CLOSE: b->shutdown=(int)num; break; case BIO_CTRL_FLUSH: fflush((FILE *)b->ptr); break; case BIO_CTRL_DUP: ret=1; break; case BIO_CTRL_WPENDING: case BIO_CTRL_PENDING: case BIO_CTRL_PUSH: case BIO_CTRL_POP: default: ret=0; break; } return(ret); } static int MS_CALLBACK file_gets(BIO *bp, char *buf, int size) { int ret=0; buf[0]='\0'; fgets(buf,size,(FILE *)bp->ptr); if (buf[0] != '\0') ret=strlen(buf); return(ret); } static int MS_CALLBACK file_puts(BIO *bp, const char *str) { int n,ret; n=strlen(str); ret=file_write(bp,str,n); return(ret); } #endif /* OPENSSL_NO_STDIO */ #endif /* HEADER_BSS_FILE_C */ diff --git a/crypto/openssl/crypto/bn/Makefile.ssl b/crypto/openssl/crypto/bn/Makefile.ssl index 090fccdf7d29..50892ef44c6b 100644 --- a/crypto/openssl/crypto/bn/Makefile.ssl +++ b/crypto/openssl/crypto/bn/Makefile.ssl @@ -1,323 +1,326 @@ # # SSLeay/crypto/bn/Makefile # DIR= bn TOP= ../.. CC= cc CPP= $(CC) -E INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r BN_ASM= bn_asm.o # or use #BN_ASM= bn86-elf.o CFLAGS= $(INCLUDES) $(CFLAG) ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=bntest.c exptest.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC= bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c bn_mod.c \ bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \ bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c LIBOBJ= bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \ bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \ bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \ bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o SRC= $(LIBSRC) EXHEADER= bn.h HEADER= bn_lcl.h bn_prime.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib bn_prime.h: bn_prime.pl $(PERL) bn_prime.pl >bn_prime.h divtest: divtest.c ../../libcrypto.a cc -I../../include divtest.c -o divtest ../../libcrypto.a bnbug: bnbug.c ../../libcrypto.a top cc -g -I../../include bnbug.c -o bnbug ../../libcrypto.a lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib # elf asm/bn86-elf.s: asm/bn-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) bn-586.pl elf $(CFLAGS) > bn86-elf.s) asm/co86-elf.s: asm/co-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) co-586.pl elf $(CFLAGS) > co86-elf.s) # a.out asm/bn86-out.o: asm/bn86unix.cpp $(CPP) -DOUT asm/bn86unix.cpp | as -o asm/bn86-out.o asm/co86-out.o: asm/co86unix.cpp $(CPP) -DOUT asm/co86unix.cpp | as -o asm/co86-out.o # bsdi asm/bn86bsdi.o: asm/bn86unix.cpp $(CPP) -DBSDI asm/bn86unix.cpp | sed 's/ :/:/' | as -o asm/bn86bsdi.o asm/co86bsdi.o: asm/co86unix.cpp $(CPP) -DBSDI asm/co86unix.cpp | sed 's/ :/:/' | as -o asm/co86bsdi.o asm/bn86unix.cpp: asm/bn-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) bn-586.pl cpp >bn86unix.cpp ) asm/co86unix.cpp: asm/co-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) co-586.pl cpp >co86unix.cpp ) asm/sparcv8.o: asm/sparcv8.S asm/sparcv8plus.o: asm/sparcv8plus.S # Old GNU assembler doesn't understand V9 instructions, so we # hire /usr/ccs/bin/as to do the job. Note that option is called # *-gcc27, but even gcc 2>=8 users may experience similar problem # if they didn't bother to upgrade GNU assembler. Such users should # not choose this option, but be adviced to *remove* GNU assembler # or upgrade it. asm/sparcv8plus-gcc27.o: asm/sparcv8plus.S $(CC) $(ASFLAGS) -E asm/sparcv8plus.S | \ /usr/ccs/bin/as -xarch=v8plus - -o asm/sparcv8plus-gcc27.o asm/ia64.o: asm/ia64.S # Some compiler drivers (most notably HP-UX and Intel C++) don't # understand .S extension:-( I wish I could pipe output from cc -E, # but it's too compiler driver/ABI dependent to cover with a single # rule... asm/ia64-cpp.o: asm/ia64.S $(CC) $(ASFLAGS) -E asm/ia64.S > /tmp/ia64.$$$$.s && \ $(CC) $(ASFLAGS) -c -o asm/ia64-cpp.o /tmp/ia64.$$$$.s; \ rm -f /tmp/ia64.$$$$.s asm/x86_64-gcc.o: asm/x86_64-gcc.c +asm/pa-risc2W.o: asm/pa-risc2W.s + /usr/ccs/bin/as -o asm/pa-rics2W.o asm/pa-risc2W.s + files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; exptest: rm -f exptest gcc -I../../include -g2 -ggdb -o exptest exptest.c ../../libcrypto.a div: rm -f a.out gcc -I.. -g div.c ../../libcrypto.a tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f asm/co86unix.cpp asm/bn86unix.cpp asm/*-elf.* *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bn_asm.s # DO NOT DELETE THIS LINE -- make depend depends on it. bn_add.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_add.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_add.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_add.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_add.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_add.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_add.o: ../cryptlib.h bn_add.c bn_lcl.h bn_asm.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_asm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_asm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_asm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_asm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_asm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_asm.o: ../cryptlib.h bn_asm.c bn_lcl.h bn_blind.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_blind.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_blind.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_blind.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_blind.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_blind.o: ../cryptlib.h bn_blind.c bn_lcl.h bn_ctx.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_ctx.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_ctx.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_ctx.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_ctx.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_ctx.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_ctx.o: ../cryptlib.h bn_ctx.c bn_lcl.h bn_div.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_div.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_div.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_div.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_div.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_div.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_div.o: ../cryptlib.h bn_div.c bn_lcl.h bn_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h bn_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h bn_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h bn_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h bn_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_err.o: ../../include/openssl/symhacks.h bn_err.c bn_exp.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_exp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_exp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_exp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_exp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_exp.o: ../cryptlib.h bn_exp.c bn_lcl.h bn_exp2.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_exp2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_exp2.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_exp2.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_exp2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_exp2.o: ../cryptlib.h bn_exp2.c bn_lcl.h bn_gcd.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_gcd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_gcd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_gcd.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_gcd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_gcd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_gcd.o: ../cryptlib.h bn_gcd.c bn_lcl.h bn_kron.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h bn_kron.o: ../../include/openssl/opensslconf.h bn_kron.c bn_lcl.h bn_lib.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_lib.o: ../cryptlib.h bn_lcl.h bn_lib.c bn_mod.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_mod.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_mod.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_mod.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_mod.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_mod.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_mod.o: ../cryptlib.h bn_lcl.h bn_mod.c bn_mont.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_mont.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_mont.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_mont.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_mont.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_mont.o: ../cryptlib.h bn_lcl.h bn_mont.c bn_mpi.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_mpi.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_mpi.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_mpi.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_mpi.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_mpi.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_mpi.o: ../cryptlib.h bn_lcl.h bn_mpi.c bn_mul.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_mul.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_mul.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_mul.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_mul.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_mul.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_mul.o: ../cryptlib.h bn_lcl.h bn_mul.c bn_prime.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_prime.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_prime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_prime.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_prime.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_prime.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h bn_prime.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_prime.o: ../cryptlib.h bn_lcl.h bn_prime.c bn_prime.h bn_print.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_print.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_print.o: ../cryptlib.h bn_lcl.h bn_print.c bn_rand.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_rand.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h bn_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_rand.o: ../cryptlib.h bn_lcl.h bn_rand.c bn_recp.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_recp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_recp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_recp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_recp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_recp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_recp.o: ../cryptlib.h bn_lcl.h bn_recp.c bn_shift.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_shift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_shift.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_shift.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_shift.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_shift.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_shift.o: ../cryptlib.h bn_lcl.h bn_shift.c bn_sqr.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_sqr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_sqr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_sqr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_sqr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_sqr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_sqr.o: ../cryptlib.h bn_lcl.h bn_sqr.c bn_sqrt.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_sqrt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_sqrt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_sqrt.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_sqrt.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_sqrt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_sqrt.o: ../cryptlib.h bn_lcl.h bn_sqrt.c bn_word.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_word.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_word.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_word.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_word.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_word.o: ../cryptlib.h bn_lcl.h bn_word.c diff --git a/crypto/openssl/crypto/bn/asm/bn-586.pl b/crypto/openssl/crypto/bn/asm/bn-586.pl index 33f61259201a..c4de4a2beece 100644 --- a/crypto/openssl/crypto/bn/asm/bn-586.pl +++ b/crypto/openssl/crypto/bn/asm/bn-586.pl @@ -1,593 +1,593 @@ #!/usr/local/bin/perl push(@INC,"perlasm","../../perlasm"); require "x86asm.pl"; &asm_init($ARGV[0],$0); &bn_mul_add_words("bn_mul_add_words"); &bn_mul_words("bn_mul_words"); &bn_sqr_words("bn_sqr_words"); &bn_div_words("bn_div_words"); &bn_add_words("bn_add_words"); &bn_sub_words("bn_sub_words"); -&bn_sub_part_words("bn_sub_part_words"); +#&bn_sub_part_words("bn_sub_part_words"); &asm_finish(); sub bn_mul_add_words { local($name)=@_; &function_begin($name,""); &comment(""); $Low="eax"; $High="edx"; $a="ebx"; $w="ebp"; $r="edi"; $c="esi"; &xor($c,$c); # clear carry &mov($r,&wparam(0)); # &mov("ecx",&wparam(2)); # &mov($a,&wparam(1)); # &and("ecx",0xfffffff8); # num / 8 &mov($w,&wparam(3)); # &push("ecx"); # Up the stack for a tmp variable &jz(&label("maw_finish")); &set_label("maw_loop",0); &mov(&swtmp(0),"ecx"); # for ($i=0; $i<32; $i+=4) { &comment("Round $i"); &mov("eax",&DWP($i,$a,"",0)); # *a &mul($w); # *a * w &add("eax",$c); # L(t)+= *r &mov($c,&DWP($i,$r,"",0)); # L(t)+= *r &adc("edx",0); # H(t)+=carry &add("eax",$c); # L(t)+=c &adc("edx",0); # H(t)+=carry &mov(&DWP($i,$r,"",0),"eax"); # *r= L(t); &mov($c,"edx"); # c= H(t); } &comment(""); &mov("ecx",&swtmp(0)); # &add($a,32); &add($r,32); &sub("ecx",8); &jnz(&label("maw_loop")); &set_label("maw_finish",0); &mov("ecx",&wparam(2)); # get num &and("ecx",7); &jnz(&label("maw_finish2")); # helps branch prediction &jmp(&label("maw_end")); &set_label("maw_finish2",1); for ($i=0; $i<7; $i++) { &comment("Tail Round $i"); &mov("eax",&DWP($i*4,$a,"",0));# *a &mul($w); # *a * w &add("eax",$c); # L(t)+=c &mov($c,&DWP($i*4,$r,"",0)); # L(t)+= *r &adc("edx",0); # H(t)+=carry &add("eax",$c); &adc("edx",0); # H(t)+=carry &dec("ecx") if ($i != 7-1); &mov(&DWP($i*4,$r,"",0),"eax"); # *r= L(t); &mov($c,"edx"); # c= H(t); &jz(&label("maw_end")) if ($i != 7-1); } &set_label("maw_end",0); &mov("eax",$c); &pop("ecx"); # clear variable from &function_end($name); } sub bn_mul_words { local($name)=@_; &function_begin($name,""); &comment(""); $Low="eax"; $High="edx"; $a="ebx"; $w="ecx"; $r="edi"; $c="esi"; $num="ebp"; &xor($c,$c); # clear carry &mov($r,&wparam(0)); # &mov($a,&wparam(1)); # &mov($num,&wparam(2)); # &mov($w,&wparam(3)); # &and($num,0xfffffff8); # num / 8 &jz(&label("mw_finish")); &set_label("mw_loop",0); for ($i=0; $i<32; $i+=4) { &comment("Round $i"); &mov("eax",&DWP($i,$a,"",0)); # *a &mul($w); # *a * w &add("eax",$c); # L(t)+=c # XXX &adc("edx",0); # H(t)+=carry &mov(&DWP($i,$r,"",0),"eax"); # *r= L(t); &mov($c,"edx"); # c= H(t); } &comment(""); &add($a,32); &add($r,32); &sub($num,8); &jz(&label("mw_finish")); &jmp(&label("mw_loop")); &set_label("mw_finish",0); &mov($num,&wparam(2)); # get num &and($num,7); &jnz(&label("mw_finish2")); &jmp(&label("mw_end")); &set_label("mw_finish2",1); for ($i=0; $i<7; $i++) { &comment("Tail Round $i"); &mov("eax",&DWP($i*4,$a,"",0));# *a &mul($w); # *a * w &add("eax",$c); # L(t)+=c # XXX &adc("edx",0); # H(t)+=carry &mov(&DWP($i*4,$r,"",0),"eax");# *r= L(t); &mov($c,"edx"); # c= H(t); &dec($num) if ($i != 7-1); &jz(&label("mw_end")) if ($i != 7-1); } &set_label("mw_end",0); &mov("eax",$c); &function_end($name); } sub bn_sqr_words { local($name)=@_; &function_begin($name,""); &comment(""); $r="esi"; $a="edi"; $num="ebx"; &mov($r,&wparam(0)); # &mov($a,&wparam(1)); # &mov($num,&wparam(2)); # &and($num,0xfffffff8); # num / 8 &jz(&label("sw_finish")); &set_label("sw_loop",0); for ($i=0; $i<32; $i+=4) { &comment("Round $i"); &mov("eax",&DWP($i,$a,"",0)); # *a # XXX &mul("eax"); # *a * *a &mov(&DWP($i*2,$r,"",0),"eax"); # &mov(&DWP($i*2+4,$r,"",0),"edx");# } &comment(""); &add($a,32); &add($r,64); &sub($num,8); &jnz(&label("sw_loop")); &set_label("sw_finish",0); &mov($num,&wparam(2)); # get num &and($num,7); &jz(&label("sw_end")); for ($i=0; $i<7; $i++) { &comment("Tail Round $i"); &mov("eax",&DWP($i*4,$a,"",0)); # *a # XXX &mul("eax"); # *a * *a &mov(&DWP($i*8,$r,"",0),"eax"); # &dec($num) if ($i != 7-1); &mov(&DWP($i*8+4,$r,"",0),"edx"); &jz(&label("sw_end")) if ($i != 7-1); } &set_label("sw_end",0); &function_end($name); } sub bn_div_words { local($name)=@_; &function_begin($name,""); &mov("edx",&wparam(0)); # &mov("eax",&wparam(1)); # &mov("ebx",&wparam(2)); # &div("ebx"); &function_end($name); } sub bn_add_words { local($name)=@_; &function_begin($name,""); &comment(""); $a="esi"; $b="edi"; $c="eax"; $r="ebx"; $tmp1="ecx"; $tmp2="edx"; $num="ebp"; &mov($r,&wparam(0)); # get r &mov($a,&wparam(1)); # get a &mov($b,&wparam(2)); # get b &mov($num,&wparam(3)); # get num &xor($c,$c); # clear carry &and($num,0xfffffff8); # num / 8 &jz(&label("aw_finish")); &set_label("aw_loop",0); for ($i=0; $i<8; $i++) { &comment("Round $i"); &mov($tmp1,&DWP($i*4,$a,"",0)); # *a &mov($tmp2,&DWP($i*4,$b,"",0)); # *b &add($tmp1,$c); &mov($c,0); &adc($c,$c); &add($tmp1,$tmp2); &adc($c,0); &mov(&DWP($i*4,$r,"",0),$tmp1); # *r } &comment(""); &add($a,32); &add($b,32); &add($r,32); &sub($num,8); &jnz(&label("aw_loop")); &set_label("aw_finish",0); &mov($num,&wparam(3)); # get num &and($num,7); &jz(&label("aw_end")); for ($i=0; $i<7; $i++) { &comment("Tail Round $i"); &mov($tmp1,&DWP($i*4,$a,"",0)); # *a &mov($tmp2,&DWP($i*4,$b,"",0));# *b &add($tmp1,$c); &mov($c,0); &adc($c,$c); &add($tmp1,$tmp2); &adc($c,0); &dec($num) if ($i != 6); &mov(&DWP($i*4,$r,"",0),$tmp1); # *r &jz(&label("aw_end")) if ($i != 6); } &set_label("aw_end",0); # &mov("eax",$c); # $c is "eax" &function_end($name); } sub bn_sub_words { local($name)=@_; &function_begin($name,""); &comment(""); $a="esi"; $b="edi"; $c="eax"; $r="ebx"; $tmp1="ecx"; $tmp2="edx"; $num="ebp"; &mov($r,&wparam(0)); # get r &mov($a,&wparam(1)); # get a &mov($b,&wparam(2)); # get b &mov($num,&wparam(3)); # get num &xor($c,$c); # clear carry &and($num,0xfffffff8); # num / 8 &jz(&label("aw_finish")); &set_label("aw_loop",0); for ($i=0; $i<8; $i++) { &comment("Round $i"); &mov($tmp1,&DWP($i*4,$a,"",0)); # *a &mov($tmp2,&DWP($i*4,$b,"",0)); # *b &sub($tmp1,$c); &mov($c,0); &adc($c,$c); &sub($tmp1,$tmp2); &adc($c,0); &mov(&DWP($i*4,$r,"",0),$tmp1); # *r } &comment(""); &add($a,32); &add($b,32); &add($r,32); &sub($num,8); &jnz(&label("aw_loop")); &set_label("aw_finish",0); &mov($num,&wparam(3)); # get num &and($num,7); &jz(&label("aw_end")); for ($i=0; $i<7; $i++) { &comment("Tail Round $i"); &mov($tmp1,&DWP($i*4,$a,"",0)); # *a &mov($tmp2,&DWP($i*4,$b,"",0));# *b &sub($tmp1,$c); &mov($c,0); &adc($c,$c); &sub($tmp1,$tmp2); &adc($c,0); &dec($num) if ($i != 6); &mov(&DWP($i*4,$r,"",0),$tmp1); # *r &jz(&label("aw_end")) if ($i != 6); } &set_label("aw_end",0); # &mov("eax",$c); # $c is "eax" &function_end($name); } sub bn_sub_part_words { local($name)=@_; &function_begin($name,""); &comment(""); $a="esi"; $b="edi"; $c="eax"; $r="ebx"; $tmp1="ecx"; $tmp2="edx"; $num="ebp"; &mov($r,&wparam(0)); # get r &mov($a,&wparam(1)); # get a &mov($b,&wparam(2)); # get b &mov($num,&wparam(3)); # get num &xor($c,$c); # clear carry &and($num,0xfffffff8); # num / 8 &jz(&label("aw_finish")); &set_label("aw_loop",0); for ($i=0; $i<8; $i++) { &comment("Round $i"); &mov($tmp1,&DWP($i*4,$a,"",0)); # *a &mov($tmp2,&DWP($i*4,$b,"",0)); # *b &sub($tmp1,$c); &mov($c,0); &adc($c,$c); &sub($tmp1,$tmp2); &adc($c,0); &mov(&DWP($i*4,$r,"",0),$tmp1); # *r } &comment(""); &add($a,32); &add($b,32); &add($r,32); &sub($num,8); &jnz(&label("aw_loop")); &set_label("aw_finish",0); &mov($num,&wparam(3)); # get num &and($num,7); &jz(&label("aw_end")); for ($i=0; $i<7; $i++) { &comment("Tail Round $i"); &mov($tmp1,&DWP(0,$a,"",0)); # *a &mov($tmp2,&DWP(0,$b,"",0));# *b &sub($tmp1,$c); &mov($c,0); &adc($c,$c); &sub($tmp1,$tmp2); &adc($c,0); &mov(&DWP(0,$r,"",0),$tmp1); # *r &add($a, 4); &add($b, 4); &add($r, 4); &dec($num) if ($i != 6); &jz(&label("aw_end")) if ($i != 6); } &set_label("aw_end",0); &cmp(&wparam(4),0); &je(&label("pw_end")); &mov($num,&wparam(4)); # get dl &cmp($num,0); &je(&label("pw_end")); &jge(&label("pw_pos")); &comment("pw_neg"); &mov($tmp2,0); &sub($tmp2,$num); &mov($num,$tmp2); &and($num,0xfffffff8); # num / 8 &jz(&label("pw_neg_finish")); &set_label("pw_neg_loop",0); for ($i=0; $i<8; $i++) { &comment("dl<0 Round $i"); &mov($tmp1,0); &mov($tmp2,&DWP($i*4,$b,"",0)); # *b &sub($tmp1,$c); &mov($c,0); &adc($c,$c); &sub($tmp1,$tmp2); &adc($c,0); &mov(&DWP($i*4,$r,"",0),$tmp1); # *r } &comment(""); &add($b,32); &add($r,32); &sub($num,8); &jnz(&label("pw_neg_loop")); &set_label("pw_neg_finish",0); &mov($tmp2,&wparam(4)); # get dl &mov($num,0); &sub($num,$tmp2); &and($num,7); &jz(&label("pw_end")); for ($i=0; $i<7; $i++) { &comment("dl<0 Tail Round $i"); &mov($tmp1,0); &mov($tmp2,&DWP($i*4,$b,"",0));# *b &sub($tmp1,$c); &mov($c,0); &adc($c,$c); &sub($tmp1,$tmp2); &adc($c,0); &dec($num) if ($i != 6); &mov(&DWP($i*4,$r,"",0),$tmp1); # *r &jz(&label("pw_end")) if ($i != 6); } &jmp(&label("pw_end")); &set_label("pw_pos",0); &and($num,0xfffffff8); # num / 8 &jz(&label("pw_pos_finish")); &set_label("pw_pos_loop",0); for ($i=0; $i<8; $i++) { &comment("dl>0 Round $i"); &mov($tmp1,&DWP($i*4,$a,"",0)); # *a &sub($tmp1,$c); &mov(&DWP($i*4,$r,"",0),$tmp1); # *r &jnc(&label("pw_nc".$i)); } &comment(""); &add($a,32); &add($r,32); &sub($num,8); &jnz(&label("pw_pos_loop")); &set_label("pw_pos_finish",0); &mov($num,&wparam(4)); # get dl &and($num,7); &jz(&label("pw_end")); for ($i=0; $i<7; $i++) { &comment("dl>0 Tail Round $i"); &mov($tmp1,&DWP($i*4,$a,"",0)); # *a &sub($tmp1,$c); &mov(&DWP($i*4,$r,"",0),$tmp1); # *r &jnc(&label("pw_tail_nc".$i)); &dec($num) if ($i != 6); &jz(&label("pw_end")) if ($i != 6); } &mov($c,1); &jmp(&label("pw_end")); &set_label("pw_nc_loop",0); for ($i=0; $i<8; $i++) { &mov($tmp1,&DWP($i*4,$a,"",0)); # *a &mov(&DWP($i*4,$r,"",0),$tmp1); # *r &set_label("pw_nc".$i,0); } &comment(""); &add($a,32); &add($r,32); &sub($num,8); &jnz(&label("pw_nc_loop")); &mov($num,&wparam(4)); # get dl &and($num,7); &jz(&label("pw_nc_end")); for ($i=0; $i<7; $i++) { &mov($tmp1,&DWP($i*4,$a,"",0)); # *a &mov(&DWP($i*4,$r,"",0),$tmp1); # *r &set_label("pw_tail_nc".$i,0); &dec($num) if ($i != 6); &jz(&label("pw_nc_end")) if ($i != 6); } &set_label("pw_nc_end",0); &mov($c,0); &set_label("pw_end",0); # &mov("eax",$c); # $c is "eax" &function_end($name); } diff --git a/crypto/openssl/crypto/bn/asm/x86_64-gcc.c b/crypto/openssl/crypto/bn/asm/x86_64-gcc.c index b97b394661aa..450e8e43228e 100644 --- a/crypto/openssl/crypto/bn/asm/x86_64-gcc.c +++ b/crypto/openssl/crypto/bn/asm/x86_64-gcc.c @@ -1,575 +1,575 @@ /* * x86_64 BIGNUM accelerator version 0.1, December 2002. * * Implemented by Andy Polyakov for the OpenSSL * project. * * Rights for redistribution and usage in source and binary forms are * granted according to the OpenSSL license. Warranty of any kind is * disclaimed. * * Q. Version 0.1? It doesn't sound like Andy, he used to assign real * versions, like 1.0... * A. Well, that's because this code is basically a quick-n-dirty * proof-of-concept hack. As you can see it's implemented with * inline assembler, which means that you're bound to GCC and that * there must be a room for fine-tuning. * * Q. Why inline assembler? * A. x86_64 features own ABI I'm not familiar with. Which is why * I decided to let the compiler take care of subroutine * prologue/epilogue as well as register allocation. * * Q. How much faster does it get? * A. Unfortunately people sitting on x86_64 hardware are prohibited * to disclose the performance numbers, so they (SuSE labs to be * specific) wouldn't tell me. However! Very similar coding technique * (reaching out for 128-bit result from 64x64-bit multiplication) * results in >3 times performance improvement on MIPS and I see no * reason why gain on x86_64 would be so much different:-) */ #define BN_ULONG unsigned long /* * "m"(a), "+m"(r) is the way to favor DirectPath ľ-code; * "g"(0) let the compiler to decide where does it * want to keep the value of zero; */ #define mul_add(r,a,word,carry) do { \ register BN_ULONG high,low; \ asm ("mulq %3" \ : "=a"(low),"=d"(high) \ : "a"(word),"m"(a) \ : "cc"); \ asm ("addq %2,%0; adcq %3,%1" \ : "+r"(carry),"+d"(high)\ : "a"(low),"g"(0) \ : "cc"); \ asm ("addq %2,%0; adcq %3,%1" \ : "+m"(r),"+d"(high) \ : "r"(carry),"g"(0) \ : "cc"); \ carry=high; \ } while (0) #define mul(r,a,word,carry) do { \ register BN_ULONG high,low; \ asm ("mulq %3" \ : "=a"(low),"=d"(high) \ : "a"(word),"g"(a) \ : "cc"); \ asm ("addq %2,%0; adcq %3,%1" \ : "+r"(carry),"+d"(high)\ : "a"(low),"g"(0) \ : "cc"); \ (r)=carry, carry=high; \ } while (0) #define sqr(r0,r1,a) \ asm ("mulq %2" \ : "=a"(r0),"=d"(r1) \ : "a"(a) \ : "cc"); BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w) { BN_ULONG c1=0; if (num <= 0) return(c1); while (num&~3) { mul_add(rp[0],ap[0],w,c1); mul_add(rp[1],ap[1],w,c1); mul_add(rp[2],ap[2],w,c1); mul_add(rp[3],ap[3],w,c1); ap+=4; rp+=4; num-=4; } if (num) { mul_add(rp[0],ap[0],w,c1); if (--num==0) return c1; mul_add(rp[1],ap[1],w,c1); if (--num==0) return c1; mul_add(rp[2],ap[2],w,c1); return c1; } return(c1); } BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w) { BN_ULONG c1=0; if (num <= 0) return(c1); while (num&~3) { mul(rp[0],ap[0],w,c1); mul(rp[1],ap[1],w,c1); mul(rp[2],ap[2],w,c1); mul(rp[3],ap[3],w,c1); ap+=4; rp+=4; num-=4; } if (num) { mul(rp[0],ap[0],w,c1); if (--num == 0) return c1; mul(rp[1],ap[1],w,c1); if (--num == 0) return c1; mul(rp[2],ap[2],w,c1); } return(c1); } void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n) { if (n <= 0) return; while (n&~3) { sqr(r[0],r[1],a[0]); sqr(r[2],r[3],a[1]); sqr(r[4],r[5],a[2]); sqr(r[6],r[7],a[3]); a+=4; r+=8; n-=4; } if (n) { sqr(r[0],r[1],a[0]); if (--n == 0) return; sqr(r[2],r[3],a[1]); if (--n == 0) return; sqr(r[4],r[5],a[2]); } } BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) { BN_ULONG ret,waste; - asm ("divq %3" + asm ("divq %4" : "=a"(ret),"=d"(waste) : "a"(l),"d"(h),"g"(d) : "cc"); return ret; } BN_ULONG bn_add_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n) { BN_ULONG ret,i; if (n <= 0) return 0; asm ( " subq %2,%2 \n" ".align 16 \n" "1: movq (%4,%2,8),%0 \n" " adcq (%5,%2,8),%0 \n" " movq %0,(%3,%2,8) \n" " leaq 1(%2),%2 \n" " loop 1b \n" " sbbq %0,%0 \n" : "+a"(ret),"+c"(n),"+r"(i) : "r"(rp),"r"(ap),"r"(bp) : "cc" ); return ret&1; } #ifndef SIMICS BN_ULONG bn_sub_words (BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int n) { BN_ULONG ret,i; if (n <= 0) return 0; asm ( " subq %2,%2 \n" ".align 16 \n" "1: movq (%4,%2,8),%0 \n" " sbbq (%5,%2,8),%0 \n" " movq %0,(%3,%2,8) \n" " leaq 1(%2),%2 \n" " loop 1b \n" " sbbq %0,%0 \n" : "+a"(ret),"+c"(n),"+r"(i) : "r"(rp),"r"(ap),"r"(bp) : "cc" ); return ret&1; } #else /* Simics 1.4<7 has buggy sbbq:-( */ #define BN_MASK2 0xffffffffffffffffL BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n) { BN_ULONG t1,t2; int c=0; if (n <= 0) return((BN_ULONG)0); for (;;) { t1=a[0]; t2=b[0]; r[0]=(t1-t2-c)&BN_MASK2; if (t1 != t2) c=(t1 < t2); if (--n <= 0) break; t1=a[1]; t2=b[1]; r[1]=(t1-t2-c)&BN_MASK2; if (t1 != t2) c=(t1 < t2); if (--n <= 0) break; t1=a[2]; t2=b[2]; r[2]=(t1-t2-c)&BN_MASK2; if (t1 != t2) c=(t1 < t2); if (--n <= 0) break; t1=a[3]; t2=b[3]; r[3]=(t1-t2-c)&BN_MASK2; if (t1 != t2) c=(t1 < t2); if (--n <= 0) break; a+=4; b+=4; r+=4; } return(c); } #endif /* mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0) */ /* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */ /* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */ /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */ #if 0 /* original macros are kept for reference purposes */ #define mul_add_c(a,b,c0,c1,c2) { \ BN_ULONG ta=(a),tb=(b); \ t1 = ta * tb; \ t2 = BN_UMULT_HIGH(ta,tb); \ c0 += t1; t2 += (c0 #ifdef __cplusplus extern "C" { #endif /* Used for temp variables */ #define BN_CTX_NUM 32 #define BN_CTX_NUM_POS 12 struct bignum_ctx { int tos; BIGNUM bn[BN_CTX_NUM]; int flags; int depth; int pos[BN_CTX_NUM_POS]; int too_many; } /* BN_CTX */; /* * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions * * * For window size 'w' (w >= 2) and a random 'b' bits exponent, * the number of multiplications is a constant plus on average * * 2^(w-1) + (b-w)/(w+1); * * here 2^(w-1) is for precomputing the table (we actually need * entries only for windows that have the lowest bit set), and * (b-w)/(w+1) is an approximation for the expected number of * w-bit windows, not counting the first one. * * Thus we should use * * w >= 6 if b > 671 * w = 5 if 671 > b > 239 * w = 4 if 239 > b > 79 * w = 3 if 79 > b > 23 * w <= 2 if 23 > b * * (with draws in between). Very small exponents are often selected * with low Hamming weight, so we use w = 1 for b <= 23. */ #if 1 #define BN_window_bits_for_exponent_size(b) \ ((b) > 671 ? 6 : \ (b) > 239 ? 5 : \ (b) > 79 ? 4 : \ (b) > 23 ? 3 : 1) #else /* Old SSLeay/OpenSSL table. * Maximum window size was 5, so this table differs for b==1024; * but it coincides for other interesting values (b==160, b==512). */ #define BN_window_bits_for_exponent_size(b) \ ((b) > 255 ? 5 : \ (b) > 127 ? 4 : \ (b) > 17 ? 3 : 1) #endif /* Pentium pro 16,16,16,32,64 */ /* Alpha 16,16,16,16.64 */ #define BN_MULL_SIZE_NORMAL (16) /* 32 */ #define BN_MUL_RECURSIVE_SIZE_NORMAL (16) /* 32 less than */ #define BN_SQR_RECURSIVE_SIZE_NORMAL (16) /* 32 */ #define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32) /* 32 */ #define BN_MONT_CTX_SET_SIZE_WORD (64) /* 32 */ #if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC) /* * BN_UMULT_HIGH section. * * No, I'm not trying to overwhelm you when stating that the * product of N-bit numbers is 2*N bits wide:-) No, I don't expect * you to be impressed when I say that if the compiler doesn't * support 2*N integer type, then you have to replace every N*N * multiplication with 4 (N/2)*(N/2) accompanied by some shifts * and additions which unavoidably results in severe performance * penalties. Of course provided that the hardware is capable of * producing 2*N result... That's when you normally start * considering assembler implementation. However! It should be * pointed out that some CPUs (most notably Alpha, PowerPC and * upcoming IA-64 family:-) provide *separate* instruction * calculating the upper half of the product placing the result * into a general purpose register. Now *if* the compiler supports * inline assembler, then it's not impossible to implement the * "bignum" routines (and have the compiler optimize 'em) * exhibiting "native" performance in C. That's what BN_UMULT_HIGH * macro is about:-) * * */ # if defined(__alpha) && (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT)) # if defined(__DECC) # include # define BN_UMULT_HIGH(a,b) (BN_ULONG)asm("umulh %a0,%a1,%v0",(a),(b)) # elif defined(__GNUC__) # define BN_UMULT_HIGH(a,b) ({ \ register BN_ULONG ret; \ asm ("umulh %1,%2,%0" \ : "=r"(ret) \ : "r"(a), "r"(b)); \ ret; }) # endif /* compiler */ # elif defined(_ARCH_PPC) && defined(__64BIT__) && defined(SIXTY_FOUR_BIT_LONG) # if defined(__GNUC__) # define BN_UMULT_HIGH(a,b) ({ \ register BN_ULONG ret; \ asm ("mulhdu %0,%1,%2" \ : "=r"(ret) \ : "r"(a), "r"(b)); \ ret; }) # endif /* compiler */ # elif defined(__x86_64) && defined(SIXTY_FOUR_BIT_LONG) # if defined(__GNUC__) # define BN_UMULT_HIGH(a,b) ({ \ register BN_ULONG ret,discard; \ asm ("mulq %3" \ : "=a"(discard),"=d"(ret) \ : "a"(a), "g"(b) \ : "cc"); \ ret; }) # define BN_UMULT_LOHI(low,high,a,b) \ asm ("mulq %3" \ : "=a"(low),"=d"(high) \ : "a"(a),"g"(b) \ : "cc"); # endif # endif /* cpu */ #endif /* OPENSSL_NO_ASM */ /************************************************************* * Using the long long type */ #define Lw(t) (((BN_ULONG)(t))&BN_MASK2) #define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2) /* This is used for internal error checking and is not normally used */ #ifdef BN_DEBUG # include # define bn_check_top(a) assert ((a)->top >= 0 && (a)->top <= (a)->dmax); #else # define bn_check_top(a) #endif /* This macro is to add extra stuff for development checking */ #ifdef BN_DEBUG #define bn_set_max(r) ((r)->max=(r)->top,BN_set_flags((r),BN_FLG_STATIC_DATA)) #else #define bn_set_max(r) #endif /* These macros are used to 'take' a section of a bignum for read only use */ #define bn_set_low(r,a,n) \ { \ (r)->top=((a)->top > (n))?(n):(a)->top; \ (r)->d=(a)->d; \ (r)->neg=(a)->neg; \ (r)->flags|=BN_FLG_STATIC_DATA; \ bn_set_max(r); \ } #define bn_set_high(r,a,n) \ { \ if ((a)->top > (n)) \ { \ (r)->top=(a)->top-n; \ (r)->d= &((a)->d[n]); \ } \ else \ (r)->top=0; \ (r)->neg=(a)->neg; \ (r)->flags|=BN_FLG_STATIC_DATA; \ bn_set_max(r); \ } #ifdef BN_LLONG #define mul_add(r,a,w,c) { \ BN_ULLONG t; \ t=(BN_ULLONG)w * (a) + (r) + (c); \ (r)= Lw(t); \ (c)= Hw(t); \ } #define mul(r,a,w,c) { \ BN_ULLONG t; \ t=(BN_ULLONG)w * (a) + (c); \ (r)= Lw(t); \ (c)= Hw(t); \ } #define sqr(r0,r1,a) { \ BN_ULLONG t; \ t=(BN_ULLONG)(a)*(a); \ (r0)=Lw(t); \ (r1)=Hw(t); \ } #elif defined(BN_UMULT_HIGH) #define mul_add(r,a,w,c) { \ BN_ULONG high,low,ret,tmp=(a); \ ret = (r); \ high= BN_UMULT_HIGH(w,tmp); \ ret += (c); \ low = (w) * tmp; \ (c) = (ret<(c))?1:0; \ (c) += high; \ ret += low; \ (c) += (ret>BN_BITS4)&BN_MASK2l) #define L2HBITS(a) (((a)<>BN_BITS2)&BN_MASKl) #define LL2HBITS(a) ((BN_ULLONG)((a)&BN_MASKl)<>(BN_BITS4-1); \ m =(m&BN_MASK2l)<<(BN_BITS4+1); \ l=(l+m)&BN_MASK2; if (l < m) h++; \ (lo)=l; \ (ho)=h; \ } #define mul_add(r,a,bl,bh,c) { \ BN_ULONG l,h; \ \ h= (a); \ l=LBITS(h); \ h=HBITS(h); \ mul64(l,h,(bl),(bh)); \ \ /* non-multiply part */ \ l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ (c)=(r); \ l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ (c)=h&BN_MASK2; \ (r)=l; \ } #define mul(r,a,bl,bh,c) { \ BN_ULONG l,h; \ \ h= (a); \ l=LBITS(h); \ h=HBITS(h); \ mul64(l,h,(bl),(bh)); \ \ /* non-multiply part */ \ l+=(c); if ((l&BN_MASK2) < (c)) h++; \ (c)=h&BN_MASK2; \ (r)=l&BN_MASK2; \ } #endif /* !BN_LLONG */ void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb); void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b); void bn_mul_comba4(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b); void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp); void bn_sqr_comba8(BN_ULONG *r,const BN_ULONG *a); void bn_sqr_comba4(BN_ULONG *r,const BN_ULONG *a); int bn_cmp_words(const BN_ULONG *a,const BN_ULONG *b,int n); int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl); -#if 0 -/* bn_mul.c rollback */ -void bn_mul_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2, - int dna,int dnb,BN_ULONG *t); -void bn_mul_part_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, - int n,int tna,int tnb,BN_ULONG *t); -#endif -void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t); -void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n); +#ifdef BN_RECURSION +void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, + BN_ULONG *t); +void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn, + int n, BN_ULONG *t); void bn_mul_low_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2, BN_ULONG *t); void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2, BN_ULONG *t); +void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t); +#endif +void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n); #ifdef __cplusplus } #endif #endif diff --git a/crypto/openssl/crypto/bn/bn_lib.c b/crypto/openssl/crypto/bn/bn_lib.c index fa0ff485ade4..e1660450bc0f 100644 --- a/crypto/openssl/crypto/bn/bn_lib.c +++ b/crypto/openssl/crypto/bn/bn_lib.c @@ -1,824 +1,824 @@ /* crypto/bn/bn_lib.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #ifndef BN_DEBUG # undef NDEBUG /* avoid conflicting definitions */ # define NDEBUG #endif #include #include #include #include "cryptlib.h" #include "bn_lcl.h" const char *BN_version="Big Number" OPENSSL_VERSION_PTEXT; /* For a 32 bit machine * 2 - 4 == 128 * 3 - 8 == 256 * 4 - 16 == 512 * 5 - 32 == 1024 * 6 - 64 == 2048 * 7 - 128 == 4096 * 8 - 256 == 8192 */ static int bn_limit_bits=0; static int bn_limit_num=8; /* (1<= 0) { if (mult > (sizeof(int)*8)-1) mult=sizeof(int)*8-1; bn_limit_bits=mult; bn_limit_num=1<= 0) { if (high > (sizeof(int)*8)-1) high=sizeof(int)*8-1; bn_limit_bits_high=high; bn_limit_num_high=1<= 0) { if (low > (sizeof(int)*8)-1) low=sizeof(int)*8-1; bn_limit_bits_low=low; bn_limit_num_low=1<= 0) { if (mont > (sizeof(int)*8)-1) mont=sizeof(int)*8-1; bn_limit_bits_mont=mont; bn_limit_num_mont=1<>56)]+56); } else return(bits[(int)(l>>48)]+48); } else { if (l & 0x0000ff0000000000L) { return(bits[(int)(l>>40)]+40); } else return(bits[(int)(l>>32)]+32); } } else #else #ifdef SIXTY_FOUR_BIT if (l & 0xffffffff00000000LL) { if (l & 0xffff000000000000LL) { if (l & 0xff00000000000000LL) { return(bits[(int)(l>>56)]+56); } else return(bits[(int)(l>>48)]+48); } else { if (l & 0x0000ff0000000000LL) { return(bits[(int)(l>>40)]+40); } else return(bits[(int)(l>>32)]+32); } } else #endif #endif { #if defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG) if (l & 0xffff0000L) { if (l & 0xff000000L) return(bits[(int)(l>>24L)]+24); else return(bits[(int)(l>>16L)]+16); } else #endif { #if defined(SIXTEEN_BIT) || defined(THIRTY_TWO_BIT) || defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG) if (l & 0xff00L) return(bits[(int)(l>>8)]+8); else #endif return(bits[(int)(l )] ); } } } int BN_num_bits(const BIGNUM *a) { BN_ULONG l; int i; bn_check_top(a); if (a->top == 0) return(0); l=a->d[a->top-1]; assert(l != 0); i=(a->top-1)*BN_BITS2; return(i+BN_num_bits_word(l)); } void BN_clear_free(BIGNUM *a) { int i; if (a == NULL) return; if (a->d != NULL) { OPENSSL_cleanse(a->d,a->dmax*sizeof(a->d[0])); if (!(BN_get_flags(a,BN_FLG_STATIC_DATA))) OPENSSL_free(a->d); } i=BN_get_flags(a,BN_FLG_MALLOCED); OPENSSL_cleanse(a,sizeof(BIGNUM)); if (i) OPENSSL_free(a); } void BN_free(BIGNUM *a) { if (a == NULL) return; if ((a->d != NULL) && !(BN_get_flags(a,BN_FLG_STATIC_DATA))) OPENSSL_free(a->d); a->flags|=BN_FLG_FREE; /* REMOVE? */ if (a->flags & BN_FLG_MALLOCED) OPENSSL_free(a); } void BN_init(BIGNUM *a) { memset(a,0,sizeof(BIGNUM)); } BIGNUM *BN_new(void) { BIGNUM *ret; if ((ret=(BIGNUM *)OPENSSL_malloc(sizeof(BIGNUM))) == NULL) { BNerr(BN_F_BN_NEW,ERR_R_MALLOC_FAILURE); return(NULL); } ret->flags=BN_FLG_MALLOCED; ret->top=0; ret->neg=0; ret->dmax=0; ret->d=NULL; return(ret); } /* This is used both by bn_expand2() and bn_dup_expand() */ /* The caller MUST check that words > b->dmax before calling this */ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) { BN_ULONG *A,*a = NULL; const BN_ULONG *B; int i; if (words > (INT_MAX/(4*BN_BITS2))) { BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_BIGNUM_TOO_LONG); return NULL; } bn_check_top(b); if (BN_get_flags(b,BN_FLG_STATIC_DATA)) { BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_EXPAND_ON_STATIC_BIGNUM_DATA); return(NULL); } a=A=(BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG)*(words+1)); if (A == NULL) { BNerr(BN_F_BN_EXPAND_INTERNAL,ERR_R_MALLOC_FAILURE); return(NULL); } #if 1 B=b->d; /* Check if the previous number needs to be copied */ if (B != NULL) { for (i=b->top>>2; i>0; i--,A+=4,B+=4) { /* * The fact that the loop is unrolled * 4-wise is a tribute to Intel. It's * the one that doesn't have enough * registers to accomodate more data. * I'd unroll it 8-wise otherwise:-) * * */ BN_ULONG a0,a1,a2,a3; a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3]; A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3; } switch (b->top&3) { case 3: A[2]=B[2]; case 2: A[1]=B[1]; case 1: A[0]=B[0]; case 0: /* workaround for ultrix cc: without 'case 0', the optimizer does * the switch table by doing a=top&3; a--; goto jump_table[a]; * which fails for top== 0 */ ; } } /* Now need to zero any data between b->top and b->max */ /* XXX Why? */ A= &(a[b->top]); for (i=(words - b->top)>>3; i>0; i--,A+=8) { A[0]=0; A[1]=0; A[2]=0; A[3]=0; A[4]=0; A[5]=0; A[6]=0; A[7]=0; } for (i=(words - b->top)&7; i>0; i--,A++) A[0]=0; #else memset(A,0,sizeof(BN_ULONG)*(words+1)); memcpy(A,b->d,sizeof(b->d[0])*b->top); #endif return(a); } /* This is an internal function that can be used instead of bn_expand2() * when there is a need to copy BIGNUMs instead of only expanding the * data part, while still expanding them. * Especially useful when needing to expand BIGNUMs that are declared * 'const' and should therefore not be changed. * The reason to use this instead of a BN_dup() followed by a bn_expand2() * is memory allocation overhead. A BN_dup() followed by a bn_expand2() * will allocate new memory for the BIGNUM data twice, and free it once, * while bn_dup_expand() makes sure allocation is made only once. */ BIGNUM *bn_dup_expand(const BIGNUM *b, int words) { BIGNUM *r = NULL; /* This function does not work if * words <= b->dmax && top < words * because BN_dup() does not preserve 'dmax'! * (But bn_dup_expand() is not used anywhere yet.) */ if (words > b->dmax) { BN_ULONG *a = bn_expand_internal(b, words); if (a) { r = BN_new(); if (r) { r->top = b->top; r->dmax = words; r->neg = b->neg; r->d = a; } else { /* r == NULL, BN_new failure */ OPENSSL_free(a); } } /* If a == NULL, there was an error in allocation in bn_expand_internal(), and NULL should be returned */ } else { r = BN_dup(b); } return r; } /* This is an internal function that should not be used in applications. * It ensures that 'b' has enough room for a 'words' word number number. * It is mostly used by the various BIGNUM routines. If there is an error, * NULL is returned. If not, 'b' is returned. */ BIGNUM *bn_expand2(BIGNUM *b, int words) { if (words > b->dmax) { BN_ULONG *a = bn_expand_internal(b, words); if (a) { if (b->d) OPENSSL_free(b->d); b->d=a; b->dmax=words; } else b = NULL; } return b; } BIGNUM *BN_dup(const BIGNUM *a) { BIGNUM *r, *t; if (a == NULL) return NULL; bn_check_top(a); t = BN_new(); if (t == NULL) return(NULL); r = BN_copy(t, a); /* now r == t || r == NULL */ if (r == NULL) BN_free(t); return r; } BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b) { int i; BN_ULONG *A; const BN_ULONG *B; bn_check_top(b); if (a == b) return(a); if (bn_wexpand(a,b->top) == NULL) return(NULL); #if 1 A=a->d; B=b->d; for (i=b->top>>2; i>0; i--,A+=4,B+=4) { BN_ULONG a0,a1,a2,a3; a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3]; A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3; } switch (b->top&3) { case 3: A[2]=B[2]; case 2: A[1]=B[1]; case 1: A[0]=B[0]; case 0: ; /* ultrix cc workaround, see comments in bn_expand_internal */ } #else memcpy(a->d,b->d,sizeof(b->d[0])*b->top); #endif /* memset(&(a->d[b->top]),0,sizeof(a->d[0])*(a->max-b->top));*/ a->top=b->top; if ((a->top == 0) && (a->d != NULL)) a->d[0]=0; a->neg=b->neg; return(a); } void BN_swap(BIGNUM *a, BIGNUM *b) { int flags_old_a, flags_old_b; BN_ULONG *tmp_d; int tmp_top, tmp_dmax, tmp_neg; flags_old_a = a->flags; flags_old_b = b->flags; tmp_d = a->d; tmp_top = a->top; tmp_dmax = a->dmax; tmp_neg = a->neg; a->d = b->d; a->top = b->top; a->dmax = b->dmax; a->neg = b->neg; b->d = tmp_d; b->top = tmp_top; b->dmax = tmp_dmax; b->neg = tmp_neg; a->flags = (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA); b->flags = (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA); } void BN_clear(BIGNUM *a) { if (a->d != NULL) memset(a->d,0,a->dmax*sizeof(a->d[0])); a->top=0; a->neg=0; } BN_ULONG BN_get_word(const BIGNUM *a) { int i,n; BN_ULONG ret=0; n=BN_num_bytes(a); if (n > sizeof(BN_ULONG)) return(BN_MASK2); for (i=a->top-1; i>=0; i--) { #ifndef SIXTY_FOUR_BIT /* the data item > unsigned long */ ret<<=BN_BITS4; /* stops the compiler complaining */ ret<<=BN_BITS4; #else ret=0; #endif ret|=a->d[i]; } return(ret); } int BN_set_word(BIGNUM *a, BN_ULONG w) { int i,n; if (bn_expand(a,sizeof(BN_ULONG)*8) == NULL) return(0); n=sizeof(BN_ULONG)/BN_BYTES; a->neg=0; a->top=0; a->d[0]=(BN_ULONG)w&BN_MASK2; if (a->d[0] != 0) a->top=1; for (i=1; i>=BN_BITS2 so compilers don't complain * on builds where sizeof(long) == BN_TYPES */ #ifndef SIXTY_FOUR_BIT /* the data item > unsigned long */ w>>=BN_BITS4; w>>=BN_BITS4; #else w=0; #endif a->d[i]=(BN_ULONG)w&BN_MASK2; if (a->d[i] != 0) a->top=i+1; } return(1); } BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) { unsigned int i,m; unsigned int n; BN_ULONG l; if (ret == NULL) ret=BN_new(); if (ret == NULL) return(NULL); l=0; n=len; if (n == 0) { ret->top=0; return(ret); } if (bn_expand(ret,(int)(n+2)*8) == NULL) return(NULL); i=((n-1)/BN_BYTES)+1; m=((n-1)%(BN_BYTES)); ret->top=i; ret->neg=0; while (n-- > 0) { l=(l<<8L)| *(s++); if (m-- == 0) { ret->d[--i]=l; l=0; m=BN_BYTES-1; } } /* need to call this due to clear byte at top if avoiding * having the top bit set (-ve number) */ bn_fix_top(ret); return(ret); } /* ignore negative */ int BN_bn2bin(const BIGNUM *a, unsigned char *to) { int n,i; BN_ULONG l; n=i=BN_num_bytes(a); while (i-- > 0) { l=a->d[i/BN_BYTES]; *(to++)=(unsigned char)(l>>(8*(i%BN_BYTES)))&0xff; } return(n); } int BN_ucmp(const BIGNUM *a, const BIGNUM *b) { int i; BN_ULONG t1,t2,*ap,*bp; bn_check_top(a); bn_check_top(b); i=a->top-b->top; if (i != 0) return(i); ap=a->d; bp=b->d; for (i=a->top-1; i>=0; i--) { t1= ap[i]; t2= bp[i]; if (t1 != t2) return(t1 > t2?1:-1); } return(0); } int BN_cmp(const BIGNUM *a, const BIGNUM *b) { int i; int gt,lt; BN_ULONG t1,t2; if ((a == NULL) || (b == NULL)) { if (a != NULL) return(-1); else if (b != NULL) return(1); else return(0); } bn_check_top(a); bn_check_top(b); if (a->neg != b->neg) { if (a->neg) return(-1); else return(1); } if (a->neg == 0) { gt=1; lt= -1; } else { gt= -1; lt=1; } if (a->top > b->top) return(gt); if (a->top < b->top) return(lt); for (i=a->top-1; i>=0; i--) { t1=a->d[i]; t2=b->d[i]; if (t1 > t2) return(gt); if (t1 < t2) return(lt); } return(0); } int BN_set_bit(BIGNUM *a, int n) { int i,j,k; i=n/BN_BITS2; j=n%BN_BITS2; if (a->top <= i) { if (bn_wexpand(a,i+1) == NULL) return(0); for(k=a->top; kd[k]=0; a->top=i+1; } a->d[i]|=(((BN_ULONG)1)<top <= i) return(0); a->d[i]&=(~(((BN_ULONG)1)<top <= i) return(0); return((a->d[i]&(((BN_ULONG)1)<= a->top) return(0); if (b == 0) a->top=w; else { a->top=w+1; a->d[w]&= ~(BN_MASK2< bb)?1:-1); for (i=n-2; i>=0; i--) { aa=a[i]; bb=b[i]; if (aa != bb) return((aa > bb)?1:-1); } return(0); } /* Here follows a specialised variants of bn_cmp_words(). It has the property of performing the operation on arrays of different sizes. The sizes of those arrays is expressed through cl, which is the common length ( basicall, min(len(a),len(b)) ), and dl, which is the delta between the two lengths, calculated as len(a)-len(b). All lengths are the number of BN_ULONGs... */ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl) { int n,i; n = cl-1; if (dl < 0) { for (i=dl; i<0; i++) { if (b[n-i] != 0) return -1; /* a < b */ } } if (dl > 0) { for (i=dl; i>0; i--) { if (a[n+i] != 0) return 1; /* a > b */ } } return bn_cmp_words(a,b,cl); } diff --git a/crypto/openssl/crypto/bn/bn_print.c b/crypto/openssl/crypto/bn/bn_print.c index 5f46b1826c03..0d942603b1b1 100644 --- a/crypto/openssl/crypto/bn/bn_print.c +++ b/crypto/openssl/crypto/bn/bn_print.c @@ -1,332 +1,333 @@ /* crypto/bn/bn_print.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include "cryptlib.h" #include #include "bn_lcl.h" static const char *Hex="0123456789ABCDEF"; /* Must 'OPENSSL_free' the returned data */ char *BN_bn2hex(const BIGNUM *a) { int i,j,v,z=0; char *buf; char *p; buf=(char *)OPENSSL_malloc(a->top*BN_BYTES*2+2); if (buf == NULL) { BNerr(BN_F_BN_BN2HEX,ERR_R_MALLOC_FAILURE); goto err; } p=buf; if (a->neg) *(p++)='-'; if (a->top == 0) *(p++)='0'; for (i=a->top-1; i >=0; i--) { for (j=BN_BITS2-8; j >= 0; j-=8) { /* strip leading zeros */ v=((int)(a->d[i]>>(long)j))&0xff; if (z || (v != 0)) { *(p++)=Hex[v>>4]; *(p++)=Hex[v&0x0f]; z=1; } } } *p='\0'; err: return(buf); } /* Must 'OPENSSL_free' the returned data */ char *BN_bn2dec(const BIGNUM *a) { int i=0,num; char *buf=NULL; char *p; BIGNUM *t=NULL; BN_ULONG *bn_data=NULL,*lp; i=BN_num_bits(a)*3; num=(i/10+i/1000+3)+1; bn_data=(BN_ULONG *)OPENSSL_malloc((num/BN_DEC_NUM+1)*sizeof(BN_ULONG)); buf=(char *)OPENSSL_malloc(num+3); if ((buf == NULL) || (bn_data == NULL)) { BNerr(BN_F_BN_BN2DEC,ERR_R_MALLOC_FAILURE); goto err; } if ((t=BN_dup(a)) == NULL) goto err; +#define BUF_REMAIN (num+3 - (size_t)(p - buf)) p=buf; lp=bn_data; if (t->neg) *(p++)='-'; if (t->top == 0) { *(p++)='0'; *(p++)='\0'; } else { i=0; while (!BN_is_zero(t)) { *lp=BN_div_word(t,BN_DEC_CONV); lp++; } lp--; /* We now have a series of blocks, BN_DEC_NUM chars * in length, where the last one needs truncation. * The blocks need to be reversed in order. */ - sprintf(p,BN_DEC_FMT1,*lp); + BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT1,*lp); while (*p) p++; while (lp != bn_data) { lp--; - sprintf(p,BN_DEC_FMT2,*lp); + BIO_snprintf(p,BUF_REMAIN,BN_DEC_FMT2,*lp); while (*p) p++; } } err: if (bn_data != NULL) OPENSSL_free(bn_data); if (t != NULL) BN_free(t); return(buf); } int BN_hex2bn(BIGNUM **bn, const char *a) { BIGNUM *ret=NULL; BN_ULONG l=0; int neg=0,h,m,i,j,k,c; int num; if ((a == NULL) || (*a == '\0')) return(0); if (*a == '-') { neg=1; a++; } for (i=0; isxdigit((unsigned char) a[i]); i++) ; num=i+neg; if (bn == NULL) return(num); /* a is the start of the hex digits, and it is 'i' long */ if (*bn == NULL) { if ((ret=BN_new()) == NULL) return(0); } else { ret= *bn; BN_zero(ret); } /* i is the number of hex digests; */ if (bn_expand(ret,i*4) == NULL) goto err; j=i; /* least significant 'hex' */ m=0; h=0; while (j > 0) { m=((BN_BYTES*2) <= j)?(BN_BYTES*2):j; l=0; for (;;) { c=a[j-m]; if ((c >= '0') && (c <= '9')) k=c-'0'; else if ((c >= 'a') && (c <= 'f')) k=c-'a'+10; else if ((c >= 'A') && (c <= 'F')) k=c-'A'+10; else k=0; /* paranoia */ l=(l<<4)|k; if (--m <= 0) { ret->d[h++]=l; break; } } j-=(BN_BYTES*2); } ret->top=h; bn_fix_top(ret); ret->neg=neg; *bn=ret; return(num); err: if (*bn == NULL) BN_free(ret); return(0); } int BN_dec2bn(BIGNUM **bn, const char *a) { BIGNUM *ret=NULL; BN_ULONG l=0; int neg=0,i,j; int num; if ((a == NULL) || (*a == '\0')) return(0); if (*a == '-') { neg=1; a++; } for (i=0; isdigit((unsigned char) a[i]); i++) ; num=i+neg; if (bn == NULL) return(num); /* a is the start of the digits, and it is 'i' long. * We chop it into BN_DEC_NUM digits at a time */ if (*bn == NULL) { if ((ret=BN_new()) == NULL) return(0); } else { ret= *bn; BN_zero(ret); } /* i is the number of digests, a bit of an over expand; */ if (bn_expand(ret,i*4) == NULL) goto err; j=BN_DEC_NUM-(i%BN_DEC_NUM); if (j == BN_DEC_NUM) j=0; l=0; while (*a) { l*=10; l+= *a-'0'; a++; if (++j == BN_DEC_NUM) { BN_mul_word(ret,BN_DEC_CONV); BN_add_word(ret,l); l=0; j=0; } } ret->neg=neg; bn_fix_top(ret); *bn=ret; return(num); err: if (*bn == NULL) BN_free(ret); return(0); } #ifndef OPENSSL_NO_BIO #ifndef OPENSSL_NO_FP_API int BN_print_fp(FILE *fp, const BIGNUM *a) { BIO *b; int ret; if ((b=BIO_new(BIO_s_file())) == NULL) return(0); BIO_set_fp(b,fp,BIO_NOCLOSE); ret=BN_print(b,a); BIO_free(b); return(ret); } #endif int BN_print(BIO *bp, const BIGNUM *a) { int i,j,v,z=0; int ret=0; if ((a->neg) && (BIO_write(bp,"-",1) != 1)) goto end; if ((a->top == 0) && (BIO_write(bp,"0",1) != 1)) goto end; for (i=a->top-1; i >=0; i--) { for (j=BN_BITS2-4; j >= 0; j-=4) { /* strip leading zeros */ v=((int)(a->d[i]>>(long)j))&0x0f; if (z || (v != 0)) { if (BIO_write(bp,&(Hex[v]),1) != 1) goto end; z=1; } } } ret=1; end: return(ret); } #endif #ifdef BN_DEBUG void bn_dump1(FILE *o, const char *a, const BN_ULONG *b,int n) { int i; fprintf(o, "%s=", a); for (i=n-1;i>=0;i--) fprintf(o, "%08lX", b[i]); /* assumes 32-bit BN_ULONG */ fprintf(o, "\n"); } #endif diff --git a/crypto/openssl/crypto/buffer/Makefile.ssl b/crypto/openssl/crypto/buffer/Makefile.ssl index e8b6c9693a94..b131ca307894 100644 --- a/crypto/openssl/crypto/buffer/Makefile.ssl +++ b/crypto/openssl/crypto/buffer/Makefile.ssl @@ -1,94 +1,94 @@ # # SSLeay/crypto/buffer/Makefile # DIR= buffer TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= buffer.c buf_err.c LIBOBJ= buffer.o buf_err.o SRC= $(LIBSRC) EXHEADER= buffer.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. buf_err.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h buf_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h buf_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h buf_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h buf_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h buf_err.o: ../../include/openssl/symhacks.h buf_err.c buffer.o: ../../e_os.h ../../include/openssl/bio.h buffer.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h buffer.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h buffer.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h buffer.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h buffer.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h buffer.o: ../cryptlib.h buffer.c diff --git a/crypto/openssl/crypto/cast/Makefile.ssl b/crypto/openssl/crypto/cast/Makefile.ssl index 70c47bf8e695..98393a37ba5d 100644 --- a/crypto/openssl/crypto/cast/Makefile.ssl +++ b/crypto/openssl/crypto/cast/Makefile.ssl @@ -1,119 +1,120 @@ # # SSLeay/crypto/cast/Makefile # DIR= cast TOP= ../.. CC= cc CPP= $(CC) -E INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CAST_ENC=c_enc.o # or use #CAST_ENC=asm/cx86-elf.o #CAST_ENC=asm/cx86-out.o #CAST_ENC=asm/cx86-sol.o #CAST_ENC=asm/cx86bdsi.o CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=casttest.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC=c_skey.c c_ecb.c c_enc.c c_cfb64.c c_ofb64.c LIBOBJ=c_skey.o c_ecb.o $(CAST_ENC) c_cfb64.o c_ofb64.o SRC= $(LIBSRC) EXHEADER= cast.h HEADER= cast_s.h cast_lcl.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib # elf asm/cx86-elf.s: asm/cast-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl (cd asm; $(PERL) cast-586.pl elf $(CLAGS) $(PROCESSOR) > cx86-elf.s) # a.out asm/cx86-out.o: asm/cx86unix.cpp $(CPP) -DOUT asm/cx86unix.cpp | as -o asm/cx86-out.o # bsdi asm/cx86bsdi.o: asm/cx86unix.cpp $(CPP) -DBSDI asm/cx86unix.cpp | sed 's/ :/:/' | as -o asm/cx86bsdi.o asm/cx86unix.cpp: asm/cast-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl (cd asm; $(PERL) cast-586.pl cpp $(PROCESSOR) >cx86unix.cpp) files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f asm/cx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. c_cfb64.o: ../../e_os.h ../../include/openssl/cast.h c_cfb64.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h c_cfb64.o: c_cfb64.c cast_lcl.h c_ecb.o: ../../e_os.h ../../include/openssl/cast.h c_ecb.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h c_ecb.o: ../../include/openssl/opensslv.h c_ecb.c cast_lcl.h c_enc.o: ../../e_os.h ../../include/openssl/cast.h c_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h c_enc.o: c_enc.c cast_lcl.h c_ofb64.o: ../../e_os.h ../../include/openssl/cast.h c_ofb64.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h c_ofb64.o: c_ofb64.c cast_lcl.h c_skey.o: ../../e_os.h ../../include/openssl/cast.h c_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h c_skey.o: c_skey.c cast_lcl.h cast_s.h diff --git a/crypto/openssl/crypto/comp/Makefile.ssl b/crypto/openssl/crypto/comp/Makefile.ssl index f60c7a1afc7b..f70ba1b2853d 100644 --- a/crypto/openssl/crypto/comp/Makefile.ssl +++ b/crypto/openssl/crypto/comp/Makefile.ssl @@ -1,114 +1,114 @@ # # SSLeay/crypto/comp/Makefile # DIR= comp TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= comp_lib.c comp_err.c \ c_rle.c c_zlib.c LIBOBJ= comp_lib.o comp_err.o \ c_rle.o c_zlib.o SRC= $(LIBSRC) EXHEADER= comp.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. c_rle.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h c_rle.o: ../../include/openssl/bn.h ../../include/openssl/comp.h c_rle.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h c_rle.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h c_rle.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h c_rle.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h c_rle.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h c_rle.c c_zlib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h c_zlib.o: ../../include/openssl/bn.h ../../include/openssl/comp.h c_zlib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h c_zlib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h c_zlib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h c_zlib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h c_zlib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h c_zlib.o: c_zlib.c comp_err.o: ../../include/openssl/bio.h ../../include/openssl/comp.h comp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h comp_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h comp_err.o: ../../include/openssl/opensslconf.h comp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h comp_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h comp_err.o: comp_err.c comp_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h comp_lib.o: ../../include/openssl/bn.h ../../include/openssl/comp.h comp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h comp_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h comp_lib.o: ../../include/openssl/opensslconf.h comp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h comp_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h comp_lib.o: ../../include/openssl/symhacks.h comp_lib.c diff --git a/crypto/openssl/crypto/conf/Makefile.ssl b/crypto/openssl/crypto/conf/Makefile.ssl index 28b3f9ac0b55..c5873bc6e782 100644 --- a/crypto/openssl/crypto/conf/Makefile.ssl +++ b/crypto/openssl/crypto/conf/Makefile.ssl @@ -1,183 +1,183 @@ # # SSLeay/crypto/conf/Makefile # DIR= conf TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= conf_err.c conf_lib.c conf_api.c conf_def.c conf_mod.c \ conf_mall.c conf_sap.c LIBOBJ= conf_err.o conf_lib.o conf_api.o conf_def.o conf_mod.o \ conf_mall.o conf_sap.o SRC= $(LIBSRC) EXHEADER= conf.h conf_api.h HEADER= conf_def.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. conf_api.o: ../../e_os.h ../../include/openssl/bio.h conf_api.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h conf_api.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h conf_api.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h conf_api.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h conf_api.o: conf_api.c conf_def.o: ../../e_os.h ../../include/openssl/bio.h conf_def.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h conf_def.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h conf_def.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h conf_def.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h conf_def.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h conf_def.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h conf_def.o: ../cryptlib.h conf_def.c conf_def.h conf_err.o: ../../include/openssl/bio.h ../../include/openssl/conf.h conf_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h conf_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h conf_err.o: ../../include/openssl/opensslconf.h conf_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h conf_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h conf_err.o: conf_err.c conf_lib.o: ../../include/openssl/bio.h ../../include/openssl/conf.h conf_lib.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h conf_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h conf_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h conf_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h conf_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h conf_lib.o: conf_lib.c conf_mall.o: ../../e_os.h ../../include/openssl/aes.h conf_mall.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h conf_mall.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h conf_mall.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h conf_mall.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h conf_mall.o: ../../include/openssl/des.h ../../include/openssl/des_old.h conf_mall.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h conf_mall.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h conf_mall.o: ../../include/openssl/engine.h ../../include/openssl/err.h conf_mall.o: ../../include/openssl/evp.h ../../include/openssl/idea.h conf_mall.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h conf_mall.o: ../../include/openssl/md4.h ../../include/openssl/md5.h conf_mall.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h conf_mall.o: ../../include/openssl/objects.h conf_mall.o: ../../include/openssl/opensslconf.h conf_mall.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h conf_mall.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h conf_mall.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h conf_mall.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h conf_mall.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h conf_mall.o: ../../include/openssl/sha.h ../../include/openssl/stack.h conf_mall.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h conf_mall.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h conf_mall.o: ../../include/openssl/x509_vfy.h ../cryptlib.h conf_mall.c conf_mod.o: ../../e_os.h ../../include/openssl/aes.h conf_mod.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h conf_mod.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h conf_mod.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h conf_mod.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h conf_mod.o: ../../include/openssl/des.h ../../include/openssl/des_old.h conf_mod.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h conf_mod.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h conf_mod.o: ../../include/openssl/err.h ../../include/openssl/evp.h conf_mod.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h conf_mod.o: ../../include/openssl/md2.h ../../include/openssl/md4.h conf_mod.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h conf_mod.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h conf_mod.o: ../../include/openssl/opensslconf.h conf_mod.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h conf_mod.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h conf_mod.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h conf_mod.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h conf_mod.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h conf_mod.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h conf_mod.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h conf_mod.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h conf_mod.o: ../cryptlib.h conf_mod.c conf_sap.o: ../../e_os.h ../../include/openssl/aes.h conf_sap.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h conf_sap.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h conf_sap.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h conf_sap.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h conf_sap.o: ../../include/openssl/des.h ../../include/openssl/des_old.h conf_sap.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h conf_sap.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h conf_sap.o: ../../include/openssl/engine.h ../../include/openssl/err.h conf_sap.o: ../../include/openssl/evp.h ../../include/openssl/idea.h conf_sap.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h conf_sap.o: ../../include/openssl/md4.h ../../include/openssl/md5.h conf_sap.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h conf_sap.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h conf_sap.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h conf_sap.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h conf_sap.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h conf_sap.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h conf_sap.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h conf_sap.o: ../../include/openssl/sha.h ../../include/openssl/stack.h conf_sap.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h conf_sap.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h conf_sap.o: ../../include/openssl/x509_vfy.h ../cryptlib.h conf_sap.c diff --git a/crypto/openssl/crypto/conf/conf_def.c b/crypto/openssl/crypto/conf/conf_def.c index 57d2739ae0c8..2e9f52f1fd50 100644 --- a/crypto/openssl/crypto/conf/conf_def.c +++ b/crypto/openssl/crypto/conf/conf_def.c @@ -1,740 +1,740 @@ /* crypto/conf/conf.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* Part of the code in here was originally in conf.c, which is now removed */ #include #include #include #include #include #include #include "conf_def.h" #include #include #include "cryptlib.h" static char *eat_ws(CONF *conf, char *p); static char *eat_alpha_numeric(CONF *conf, char *p); static void clear_comments(CONF *conf, char *p); static int str_copy(CONF *conf,char *section,char **to, char *from); static char *scan_quote(CONF *conf, char *p); static char *scan_dquote(CONF *conf, char *p); #define scan_esc(conf,p) (((IS_EOF((conf),(p)[1]))?((p)+1):((p)+2))) static CONF *def_create(CONF_METHOD *meth); static int def_init_default(CONF *conf); static int def_init_WIN32(CONF *conf); static int def_destroy(CONF *conf); static int def_destroy_data(CONF *conf); static int def_load(CONF *conf, const char *name, long *eline); static int def_load_bio(CONF *conf, BIO *bp, long *eline); static int def_dump(const CONF *conf, BIO *bp); static int def_is_number(const CONF *conf, char c); static int def_to_int(const CONF *conf, char c); const char *CONF_def_version="CONF_def" OPENSSL_VERSION_PTEXT; static CONF_METHOD default_method = { "OpenSSL default", def_create, def_init_default, def_destroy, def_destroy_data, def_load_bio, def_dump, def_is_number, def_to_int, def_load }; static CONF_METHOD WIN32_method = { "WIN32", def_create, def_init_WIN32, def_destroy, def_destroy_data, def_load_bio, def_dump, def_is_number, def_to_int, def_load }; CONF_METHOD *NCONF_default() { return &default_method; } CONF_METHOD *NCONF_WIN32() { return &WIN32_method; } static CONF *def_create(CONF_METHOD *meth) { CONF *ret; ret = (CONF *)OPENSSL_malloc(sizeof(CONF) + sizeof(unsigned short *)); if (ret) if (meth->init(ret) == 0) { OPENSSL_free(ret); ret = NULL; } return ret; } static int def_init_default(CONF *conf) { if (conf == NULL) return 0; conf->meth = &default_method; conf->meth_data = (void *)CONF_type_default; conf->data = NULL; return 1; } static int def_init_WIN32(CONF *conf) { if (conf == NULL) return 0; conf->meth = &WIN32_method; conf->meth_data = (void *)CONF_type_win32; conf->data = NULL; return 1; } static int def_destroy(CONF *conf) { if (def_destroy_data(conf)) { OPENSSL_free(conf); return 1; } return 0; } static int def_destroy_data(CONF *conf) { if (conf == NULL) return 0; _CONF_free_data(conf); return 1; } static int def_load(CONF *conf, const char *name, long *line) { int ret; BIO *in=NULL; #ifdef OPENSSL_SYS_VMS in=BIO_new_file(name, "r"); #else in=BIO_new_file(name, "rb"); #endif if (in == NULL) { if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE) CONFerr(CONF_F_CONF_LOAD,CONF_R_NO_SUCH_FILE); else CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB); return 0; } ret = def_load_bio(conf, in, line); BIO_free(in); return ret; } static int def_load_bio(CONF *conf, BIO *in, long *line) { /* The macro BUFSIZE conflicts with a system macro in VxWorks */ #define CONFBUFSIZE 512 int bufnum=0,i,ii; BUF_MEM *buff=NULL; char *s,*p,*end; int again,n; long eline=0; char btmp[DECIMAL_SIZE(eline)+1]; CONF_VALUE *v=NULL,*tv; CONF_VALUE *sv=NULL; char *section=NULL,*buf; STACK_OF(CONF_VALUE) *section_sk=NULL,*ts; char *start,*psection,*pname; void *h = (void *)(conf->data); if ((buff=BUF_MEM_new()) == NULL) { CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB); goto err; } section=(char *)OPENSSL_malloc(10); if (section == NULL) { CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE); goto err; } - strcpy(section,"default"); + BUF_strlcpy(section,"default",10); if (_CONF_new_data(conf) == 0) { CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE); goto err; } sv=_CONF_new_section(conf,section); if (sv == NULL) { CONFerr(CONF_F_CONF_LOAD_BIO, CONF_R_UNABLE_TO_CREATE_NEW_SECTION); goto err; } section_sk=(STACK_OF(CONF_VALUE) *)sv->value; bufnum=0; again=0; for (;;) { if (!BUF_MEM_grow(buff,bufnum+CONFBUFSIZE)) { CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB); goto err; } p= &(buff->data[bufnum]); *p='\0'; BIO_gets(in, p, CONFBUFSIZE-1); p[CONFBUFSIZE-1]='\0'; ii=i=strlen(p); if (i == 0 && !again) break; again=0; while (i > 0) { if ((p[i-1] != '\r') && (p[i-1] != '\n')) break; else i--; } /* we removed some trailing stuff so there is a new * line on the end. */ if (ii && i == ii) again=1; /* long line */ else { p[i]='\0'; eline++; /* another input line */ } /* we now have a line with trailing \r\n removed */ /* i is the number of bytes */ bufnum+=i; v=NULL; /* check for line continuation */ if (bufnum >= 1) { /* If we have bytes and the last char '\\' and * second last char is not '\\' */ p= &(buff->data[bufnum-1]); if (IS_ESC(conf,p[0]) && ((bufnum <= 1) || !IS_ESC(conf,p[-1]))) { bufnum--; again=1; } } if (again) continue; bufnum=0; buf=buff->data; clear_comments(conf, buf); n=strlen(buf); s=eat_ws(conf, buf); if (IS_EOF(conf,*s)) continue; /* blank line */ if (*s == '[') { char *ss; s++; start=eat_ws(conf, s); ss=start; again: end=eat_alpha_numeric(conf, ss); p=eat_ws(conf, end); if (*p != ']') { if (*p != '\0') { ss=p; goto again; } CONFerr(CONF_F_CONF_LOAD_BIO, CONF_R_MISSING_CLOSE_SQUARE_BRACKET); goto err; } *end='\0'; if (!str_copy(conf,NULL,§ion,start)) goto err; if ((sv=_CONF_get_section(conf,section)) == NULL) sv=_CONF_new_section(conf,section); if (sv == NULL) { CONFerr(CONF_F_CONF_LOAD_BIO, CONF_R_UNABLE_TO_CREATE_NEW_SECTION); goto err; } section_sk=(STACK_OF(CONF_VALUE) *)sv->value; continue; } else { pname=s; psection=NULL; end=eat_alpha_numeric(conf, s); if ((end[0] == ':') && (end[1] == ':')) { *end='\0'; end+=2; psection=pname; pname=end; end=eat_alpha_numeric(conf, end); } p=eat_ws(conf, end); if (*p != '=') { CONFerr(CONF_F_CONF_LOAD_BIO, CONF_R_MISSING_EQUAL_SIGN); goto err; } *end='\0'; p++; start=eat_ws(conf, p); while (!IS_EOF(conf,*p)) p++; p--; while ((p != start) && (IS_WS(conf,*p))) p--; p++; *p='\0'; if (!(v=(CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) { CONFerr(CONF_F_CONF_LOAD_BIO, ERR_R_MALLOC_FAILURE); goto err; } if (psection == NULL) psection=section; v->name=(char *)OPENSSL_malloc(strlen(pname)+1); v->value=NULL; if (v->name == NULL) { CONFerr(CONF_F_CONF_LOAD_BIO, ERR_R_MALLOC_FAILURE); goto err; } - strcpy(v->name,pname); + BUF_strlcpy(v->name,pname,strlen(pname)+1); if (!str_copy(conf,psection,&(v->value),start)) goto err; if (strcmp(psection,section) != 0) { if ((tv=_CONF_get_section(conf,psection)) == NULL) tv=_CONF_new_section(conf,psection); if (tv == NULL) { CONFerr(CONF_F_CONF_LOAD_BIO, CONF_R_UNABLE_TO_CREATE_NEW_SECTION); goto err; } ts=(STACK_OF(CONF_VALUE) *)tv->value; } else { tv=sv; ts=section_sk; } #if 1 if (_CONF_add_string(conf, tv, v) == 0) { CONFerr(CONF_F_CONF_LOAD_BIO, ERR_R_MALLOC_FAILURE); goto err; } #else v->section=tv->section; if (!sk_CONF_VALUE_push(ts,v)) { CONFerr(CONF_F_CONF_LOAD_BIO, ERR_R_MALLOC_FAILURE); goto err; } vv=(CONF_VALUE *)lh_insert(conf->data,v); if (vv != NULL) { sk_CONF_VALUE_delete_ptr(ts,vv); OPENSSL_free(vv->name); OPENSSL_free(vv->value); OPENSSL_free(vv); } #endif v=NULL; } } if (buff != NULL) BUF_MEM_free(buff); if (section != NULL) OPENSSL_free(section); return(1); err: if (buff != NULL) BUF_MEM_free(buff); if (section != NULL) OPENSSL_free(section); if (line != NULL) *line=eline; - sprintf(btmp,"%ld",eline); + BIO_snprintf(btmp,sizeof btmp,"%ld",eline); ERR_add_error_data(2,"line ",btmp); if ((h != conf->data) && (conf->data != NULL)) { CONF_free(conf->data); conf->data=NULL; } if (v != NULL) { if (v->name != NULL) OPENSSL_free(v->name); if (v->value != NULL) OPENSSL_free(v->value); if (v != NULL) OPENSSL_free(v); } return(0); } static void clear_comments(CONF *conf, char *p) { char *to; to=p; for (;;) { if (IS_FCOMMENT(conf,*p)) { *p='\0'; return; } if (!IS_WS(conf,*p)) { break; } p++; } for (;;) { if (IS_COMMENT(conf,*p)) { *p='\0'; return; } if (IS_DQUOTE(conf,*p)) { p=scan_dquote(conf, p); continue; } if (IS_QUOTE(conf,*p)) { p=scan_quote(conf, p); continue; } if (IS_ESC(conf,*p)) { p=scan_esc(conf,p); continue; } if (IS_EOF(conf,*p)) return; else p++; } } static int str_copy(CONF *conf, char *section, char **pto, char *from) { int q,r,rr=0,to=0,len=0; char *s,*e,*rp,*p,*rrp,*np,*cp,v; BUF_MEM *buf; if ((buf=BUF_MEM_new()) == NULL) return(0); len=strlen(from)+1; if (!BUF_MEM_grow(buf,len)) goto err; for (;;) { if (IS_QUOTE(conf,*from)) { q= *from; from++; while (!IS_EOF(conf,*from) && (*from != q)) { if (IS_ESC(conf,*from)) { from++; if (IS_EOF(conf,*from)) break; } buf->data[to++]= *(from++); } if (*from == q) from++; } else if (IS_DQUOTE(conf,*from)) { q= *from; from++; while (!IS_EOF(conf,*from)) { if (*from == q) { if (*(from+1) == q) { from++; } else { break; } } buf->data[to++]= *(from++); } if (*from == q) from++; } else if (IS_ESC(conf,*from)) { from++; v= *(from++); if (IS_EOF(conf,v)) break; else if (v == 'r') v='\r'; else if (v == 'n') v='\n'; else if (v == 'b') v='\b'; else if (v == 't') v='\t'; buf->data[to++]= v; } else if (IS_EOF(conf,*from)) break; else if (*from == '$') { /* try to expand it */ rrp=NULL; s= &(from[1]); if (*s == '{') q='}'; else if (*s == '(') q=')'; else q=0; if (q) s++; cp=section; e=np=s; while (IS_ALPHA_NUMERIC(conf,*e)) e++; if ((e[0] == ':') && (e[1] == ':')) { cp=np; rrp=e; rr= *e; *rrp='\0'; e+=2; np=e; while (IS_ALPHA_NUMERIC(conf,*e)) e++; } r= *e; *e='\0'; rp=e; if (q) { if (r != q) { CONFerr(CONF_F_STR_COPY,CONF_R_NO_CLOSE_BRACE); goto err; } e++; } /* So at this point we have * ns which is the start of the name string which is * '\0' terminated. * cs which is the start of the section string which is * '\0' terminated. * e is the 'next point after'. * r and s are the chars replaced by the '\0' * rp and sp is where 'r' and 's' came from. */ p=_CONF_get_string(conf,cp,np); if (rrp != NULL) *rrp=rr; *rp=r; if (p == NULL) { CONFerr(CONF_F_STR_COPY,CONF_R_VARIABLE_HAS_NO_VALUE); goto err; } BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from))); while (*p) buf->data[to++]= *(p++); from=e; } else buf->data[to++]= *(from++); } buf->data[to]='\0'; if (*pto != NULL) OPENSSL_free(*pto); *pto=buf->data; OPENSSL_free(buf); return(1); err: if (buf != NULL) BUF_MEM_free(buf); return(0); } static char *eat_ws(CONF *conf, char *p) { while (IS_WS(conf,*p) && (!IS_EOF(conf,*p))) p++; return(p); } static char *eat_alpha_numeric(CONF *conf, char *p) { for (;;) { if (IS_ESC(conf,*p)) { p=scan_esc(conf,p); continue; } if (!IS_ALPHA_NUMERIC_PUNCT(conf,*p)) return(p); p++; } } static char *scan_quote(CONF *conf, char *p) { int q= *p; p++; while (!(IS_EOF(conf,*p)) && (*p != q)) { if (IS_ESC(conf,*p)) { p++; if (IS_EOF(conf,*p)) return(p); } p++; } if (*p == q) p++; return(p); } static char *scan_dquote(CONF *conf, char *p) { int q= *p; p++; while (!(IS_EOF(conf,*p))) { if (*p == q) { if (*(p+1) == q) { p++; } else { break; } } p++; } if (*p == q) p++; return(p); } static void dump_value(CONF_VALUE *a, BIO *out) { if (a->name) BIO_printf(out, "[%s] %s=%s\n", a->section, a->name, a->value); else BIO_printf(out, "[[%s]]\n", a->section); } static IMPLEMENT_LHASH_DOALL_ARG_FN(dump_value, CONF_VALUE *, BIO *) static int def_dump(const CONF *conf, BIO *out) { lh_doall_arg(conf->data, LHASH_DOALL_ARG_FN(dump_value), out); return 1; } static int def_is_number(const CONF *conf, char c) { return IS_NUMBER(conf,c); } static int def_to_int(const CONF *conf, char c) { return c - '0'; } diff --git a/crypto/openssl/crypto/conf/conf_mod.c b/crypto/openssl/crypto/conf/conf_mod.c index edcc08921c2f..d45adea85131 100644 --- a/crypto/openssl/crypto/conf/conf_mod.c +++ b/crypto/openssl/crypto/conf/conf_mod.c @@ -1,616 +1,616 @@ /* conf_mod.c */ /* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL * project 2001. */ /* ==================================================================== * Copyright (c) 2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include #include "cryptlib.h" #include #include #include #define DSO_mod_init_name "OPENSSL_init" #define DSO_mod_finish_name "OPENSSL_finish" /* This structure contains a data about supported modules. * entries in this table correspond to either dynamic or * static modules. */ struct conf_module_st { /* DSO of this module or NULL if static */ DSO *dso; /* Name of the module */ char *name; /* Init function */ conf_init_func *init; /* Finish function */ conf_finish_func *finish; /* Number of successfully initialized modules */ int links; void *usr_data; }; /* This structure contains information about modules that have been * successfully initialized. There may be more than one entry for a * given module. */ struct conf_imodule_st { CONF_MODULE *pmod; char *name; char *value; unsigned long flags; void *usr_data; }; static STACK_OF(CONF_MODULE) *supported_modules = NULL; static STACK_OF(CONF_IMODULE) *initialized_modules = NULL; static void module_free(CONF_MODULE *md); static void module_finish(CONF_IMODULE *imod); static int module_run(const CONF *cnf, char *name, char *value, unsigned long flags); static CONF_MODULE *module_add(DSO *dso, const char *name, conf_init_func *ifunc, conf_finish_func *ffunc); static CONF_MODULE *module_find(char *name); static int module_init(CONF_MODULE *pmod, char *name, char *value, const CONF *cnf); static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value, unsigned long flags); /* Main function: load modules from a CONF structure */ int CONF_modules_load(const CONF *cnf, const char *appname, unsigned long flags) { STACK_OF(CONF_VALUE) *values; CONF_VALUE *vl; char *vsection; int ret, i; if (!cnf) return 1; if (appname == NULL) appname = "openssl_conf"; vsection = NCONF_get_string(cnf, NULL, appname); if (!vsection) { ERR_clear_error(); return 1; } values = NCONF_get_section(cnf, vsection); if (!values) return 0; for (i = 0; i < sk_CONF_VALUE_num(values); i++) { vl = sk_CONF_VALUE_value(values, i); ret = module_run(cnf, vl->name, vl->value, flags); if (ret <= 0) if(!(flags & CONF_MFLAGS_IGNORE_ERRORS)) return ret; } return 1; } int CONF_modules_load_file(const char *filename, const char *appname, unsigned long flags) { char *file = NULL; CONF *conf = NULL; int ret = 0; conf = NCONF_new(NULL); if (!conf) goto err; if (filename == NULL) { file = CONF_get1_default_config_file(); if (!file) goto err; } else file = (char *)filename; if (NCONF_load(conf, file, NULL) <= 0) { if ((flags & CONF_MFLAGS_IGNORE_MISSING_FILE) && (ERR_GET_REASON(ERR_peek_last_error()) == CONF_R_NO_SUCH_FILE)) { ERR_clear_error(); ret = 1; } goto err; } ret = CONF_modules_load(conf, appname, flags); err: if (filename == NULL) OPENSSL_free(file); NCONF_free(conf); return ret; } static int module_run(const CONF *cnf, char *name, char *value, unsigned long flags) { CONF_MODULE *md; int ret; md = module_find(name); /* Module not found: try to load DSO */ if (!md && !(flags & CONF_MFLAGS_NO_DSO)) md = module_load_dso(cnf, name, value, flags); if (!md) { if (!(flags & CONF_MFLAGS_SILENT)) { CONFerr(CONF_F_MODULE_RUN, CONF_R_UNKNOWN_MODULE_NAME); ERR_add_error_data(2, "module=", name); } return -1; } ret = module_init(md, name, value, cnf); if (ret <= 0) { if (!(flags & CONF_MFLAGS_SILENT)) { char rcode[DECIMAL_SIZE(ret)+1]; CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR); - sprintf(rcode, "%-8d", ret); + BIO_snprintf(rcode, sizeof rcode, "%-8d", ret); ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode); } } return ret; } /* Load a module from a DSO */ static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value, unsigned long flags) { DSO *dso = NULL; conf_init_func *ifunc; conf_finish_func *ffunc; char *path = NULL; int errcode = 0; CONF_MODULE *md; /* Look for alternative path in module section */ path = NCONF_get_string(cnf, value, "path"); if (!path) { ERR_get_error(); path = name; } dso = DSO_load(NULL, path, NULL, 0); if (!dso) { errcode = CONF_R_ERROR_LOADING_DSO; goto err; } ifunc = (conf_init_func *)DSO_bind_func(dso, DSO_mod_init_name); if (!ifunc) { errcode = CONF_R_MISSING_INIT_FUNCTION; goto err; } ffunc = (conf_finish_func *)DSO_bind_func(dso, DSO_mod_finish_name); /* All OK, add module */ md = module_add(dso, name, ifunc, ffunc); if (!md) goto err; return md; err: if (dso) DSO_free(dso); CONFerr(CONF_F_MODULE_LOAD_DSO, errcode); ERR_add_error_data(4, "module=", name, ", path=", path); return NULL; } /* add module to list */ static CONF_MODULE *module_add(DSO *dso, const char *name, conf_init_func *ifunc, conf_finish_func *ffunc) { CONF_MODULE *tmod = NULL; if (supported_modules == NULL) supported_modules = sk_CONF_MODULE_new_null(); if (supported_modules == NULL) return NULL; tmod = OPENSSL_malloc(sizeof(CONF_MODULE)); if (tmod == NULL) return NULL; tmod->dso = dso; tmod->name = BUF_strdup(name); tmod->init = ifunc; tmod->finish = ffunc; tmod->links = 0; if (!sk_CONF_MODULE_push(supported_modules, tmod)) { OPENSSL_free(tmod); return NULL; } return tmod; } /* Find a module from the list. We allow module names of the * form modname.XXXX to just search for modname to allow the * same module to be initialized more than once. */ static CONF_MODULE *module_find(char *name) { CONF_MODULE *tmod; int i, nchar; char *p; p = strrchr(name, '.'); if (p) nchar = p - name; else nchar = strlen(name); for (i = 0; i < sk_CONF_MODULE_num(supported_modules); i++) { tmod = sk_CONF_MODULE_value(supported_modules, i); if (!strncmp(tmod->name, name, nchar)) return tmod; } return NULL; } /* initialize a module */ static int module_init(CONF_MODULE *pmod, char *name, char *value, const CONF *cnf) { int ret = 1; int init_called = 0; CONF_IMODULE *imod = NULL; /* Otherwise add initialized module to list */ imod = OPENSSL_malloc(sizeof(CONF_IMODULE)); if (!imod) goto err; imod->pmod = pmod; imod->name = BUF_strdup(name); imod->value = BUF_strdup(value); imod->usr_data = NULL; if (!imod->name || !imod->value) goto memerr; /* Try to initialize module */ if(pmod->init) { ret = pmod->init(imod, cnf); init_called = 1; /* Error occurred, exit */ if (ret <= 0) goto err; } if (initialized_modules == NULL) { initialized_modules = sk_CONF_IMODULE_new_null(); if (!initialized_modules) { CONFerr(CONF_F_MODULE_INIT, ERR_R_MALLOC_FAILURE); goto err; } } if (!sk_CONF_IMODULE_push(initialized_modules, imod)) { CONFerr(CONF_F_MODULE_INIT, ERR_R_MALLOC_FAILURE); goto err; } pmod->links++; return ret; err: /* We've started the module so we'd better finish it */ if (pmod->finish && init_called) pmod->finish(imod); memerr: if (imod) { if (imod->name) OPENSSL_free(imod->name); if (imod->value) OPENSSL_free(imod->value); OPENSSL_free(imod); } return -1; } /* Unload any dynamic modules that have a link count of zero: * i.e. have no active initialized modules. If 'all' is set * then all modules are unloaded including static ones. */ void CONF_modules_unload(int all) { int i; CONF_MODULE *md; CONF_modules_finish(); /* unload modules in reverse order */ for (i = sk_CONF_MODULE_num(supported_modules) - 1; i >= 0; i--) { md = sk_CONF_MODULE_value(supported_modules, i); /* If static or in use and 'all' not set ignore it */ if (((md->links > 0) || !md->dso) && !all) continue; /* Since we're working in reverse this is OK */ sk_CONF_MODULE_delete(supported_modules, i); module_free(md); } if (sk_CONF_MODULE_num(supported_modules) == 0) { sk_CONF_MODULE_free(supported_modules); supported_modules = NULL; } } /* unload a single module */ static void module_free(CONF_MODULE *md) { if (md->dso) DSO_free(md->dso); OPENSSL_free(md->name); OPENSSL_free(md); } /* finish and free up all modules instances */ void CONF_modules_finish(void) { CONF_IMODULE *imod; while (sk_CONF_IMODULE_num(initialized_modules) > 0) { imod = sk_CONF_IMODULE_pop(initialized_modules); module_finish(imod); } sk_CONF_IMODULE_free(initialized_modules); initialized_modules = NULL; } /* finish a module instance */ static void module_finish(CONF_IMODULE *imod) { if (imod->pmod->finish) imod->pmod->finish(imod); imod->pmod->links--; OPENSSL_free(imod->name); OPENSSL_free(imod->value); OPENSSL_free(imod); } /* Add a static module to OpenSSL */ int CONF_module_add(const char *name, conf_init_func *ifunc, conf_finish_func *ffunc) { if (module_add(NULL, name, ifunc, ffunc)) return 1; else return 0; } void CONF_modules_free(void) { CONF_modules_finish(); CONF_modules_unload(1); } /* Utility functions */ const char *CONF_imodule_get_name(const CONF_IMODULE *md) { return md->name; } const char *CONF_imodule_get_value(const CONF_IMODULE *md) { return md->value; } void *CONF_imodule_get_usr_data(const CONF_IMODULE *md) { return md->usr_data; } void CONF_imodule_set_usr_data(CONF_IMODULE *md, void *usr_data) { md->usr_data = usr_data; } CONF_MODULE *CONF_imodule_get_module(const CONF_IMODULE *md) { return md->pmod; } unsigned long CONF_imodule_get_flags(const CONF_IMODULE *md) { return md->flags; } void CONF_imodule_set_flags(CONF_IMODULE *md, unsigned long flags) { md->flags = flags; } void *CONF_module_get_usr_data(CONF_MODULE *pmod) { return pmod->usr_data; } void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data) { pmod->usr_data = usr_data; } /* Return default config file name */ char *CONF_get1_default_config_file(void) { char *file; int len; file = getenv("OPENSSL_CONF"); if (file) return BUF_strdup(file); len = strlen(X509_get_default_cert_area()); #ifndef OPENSSL_SYS_VMS len++; #endif len += strlen(OPENSSL_CONF); file = OPENSSL_malloc(len + 1); if (!file) return NULL; - strcpy(file,X509_get_default_cert_area()); + BUF_strlcpy(file,X509_get_default_cert_area(),len + 1); #ifndef OPENSSL_SYS_VMS - strcat(file,"/"); + BUF_strlcat(file,"/",len + 1); #endif - strcat(file,OPENSSL_CONF); + BUF_strlcat(file,OPENSSL_CONF,len + 1); return file; } /* This function takes a list separated by 'sep' and calls the * callback function giving the start and length of each member * optionally stripping leading and trailing whitespace. This can * be used to parse comma separated lists for example. */ -int CONF_parse_list(const char *list, int sep, int nospc, +int CONF_parse_list(const char *list_, int sep, int nospc, int (*list_cb)(const char *elem, int len, void *usr), void *arg) { int ret; const char *lstart, *tmpend, *p; - lstart = list; + lstart = list_; for(;;) { if (nospc) { while(*lstart && isspace((unsigned char)*lstart)) lstart++; } p = strchr(lstart, sep); if (p == lstart || !*lstart) ret = list_cb(NULL, 0, arg); else { if (p) tmpend = p - 1; else tmpend = lstart + strlen(lstart) - 1; if (nospc) { while(isspace((unsigned char)*tmpend)) tmpend--; } ret = list_cb(lstart, tmpend - lstart + 1, arg); } if (ret <= 0) return ret; if (p == NULL) return 1; lstart = p + 1; } } diff --git a/crypto/openssl/crypto/cversion.c b/crypto/openssl/crypto/cversion.c index 8ecfba7b16ba..beeeb14013e7 100644 --- a/crypto/openssl/crypto/cversion.c +++ b/crypto/openssl/crypto/cversion.c @@ -1,118 +1,120 @@ /* crypto/cversion.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include "cryptlib.h" #include +#ifndef NO_WINDOWS_BRAINDEATH #include "buildinf.h" +#endif const char *SSLeay_version(int t) { if (t == SSLEAY_VERSION) return OPENSSL_VERSION_TEXT; if (t == SSLEAY_BUILT_ON) { #ifdef DATE static char buf[sizeof(DATE)+11]; - sprintf(buf,"built on: %s",DATE); + BIO_snprintf(buf,sizeof buf,"built on: %s",DATE); return(buf); #else return("built on: date not available"); #endif } if (t == SSLEAY_CFLAGS) { #ifdef CFLAGS static char buf[sizeof(CFLAGS)+11]; - sprintf(buf,"compiler: %s",CFLAGS); + BIO_snprintf(buf,sizeof buf,"compiler: %s",CFLAGS); return(buf); #else return("compiler: information not available"); #endif } if (t == SSLEAY_PLATFORM) { #ifdef PLATFORM static char buf[sizeof(PLATFORM)+11]; - sprintf(buf,"platform: %s", PLATFORM); + BIO_snprintf(buf,sizeof buf,"platform: %s", PLATFORM); return(buf); #else return("platform: information not available"); #endif } if (t == SSLEAY_DIR) { #ifdef OPENSSLDIR return "OPENSSLDIR: \"" OPENSSLDIR "\""; #else return "OPENSSLDIR: N/A"; #endif } return("not available"); } unsigned long SSLeay(void) { return(SSLEAY_VERSION_NUMBER); } diff --git a/crypto/openssl/crypto/des/Makefile.ssl b/crypto/openssl/crypto/des/Makefile.ssl index 548573f4b185..0d9ba2b42f27 100644 --- a/crypto/openssl/crypto/des/Makefile.ssl +++ b/crypto/openssl/crypto/des/Makefile.ssl @@ -1,314 +1,316 @@ # # SSLeay/crypto/des/Makefile # DIR= des TOP= ../.. CC= cc CPP= $(CC) -E INCLUDES=-I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r RANLIB= ranlib DES_ENC= des_enc.o fcrypt_b.o # or use #DES_ENC= dx86-elf.o yx86-elf.o CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=destest.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC= cbc_cksm.c cbc_enc.c cfb64enc.c cfb_enc.c \ ecb3_enc.c ecb_enc.c enc_read.c enc_writ.c \ fcrypt.c ofb64enc.c ofb_enc.c pcbc_enc.c \ qud_cksm.c rand_key.c rpc_enc.c set_key.c \ des_enc.c fcrypt_b.c \ xcbc_enc.c \ str2key.c cfb64ede.c ofb64ede.c ede_cbcm_enc.c des_old.c des_old2.c \ read2pwd.c LIBOBJ= set_key.o ecb_enc.o cbc_enc.o \ ecb3_enc.o cfb64enc.o cfb64ede.o cfb_enc.o ofb64ede.o \ enc_read.o enc_writ.o ofb64enc.o \ ofb_enc.o str2key.o pcbc_enc.o qud_cksm.o rand_key.o \ ${DES_ENC} \ fcrypt.o xcbc_enc.o rpc_enc.o cbc_cksm.o \ ede_cbcm_enc.o des_old.o des_old2.o read2pwd.o SRC= $(LIBSRC) EXHEADER= des.h des_old.h HEADER= des_locl.h rpc_des.h spr.h des_ver.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib des: des.o cbc3_enc.o lib $(CC) $(CFLAGS) -o des des.o cbc3_enc.o $(LIB) # elf asm/dx86-elf.s: asm/des-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl (cd asm; $(PERL) des-586.pl elf $(CFLAGS) > dx86-elf.s) asm/yx86-elf.s: asm/crypt586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl (cd asm; $(PERL) crypt586.pl elf $(CFLAGS) > yx86-elf.s) # a.out asm/dx86-out.o: asm/dx86unix.cpp $(CPP) -DOUT asm/dx86unix.cpp | as -o asm/dx86-out.o asm/yx86-out.o: asm/yx86unix.cpp $(CPP) -DOUT asm/yx86unix.cpp | as -o asm/yx86-out.o # bsdi asm/dx86bsdi.o: asm/dx86unix.cpp $(CPP) -DBSDI asm/dx86unix.cpp | sed 's/ :/:/' | as -o asm/dx86bsdi.o asm/yx86bsdi.o: asm/yx86unix.cpp $(CPP) -DBSDI asm/yx86unix.cpp | sed 's/ :/:/' | as -o asm/yx86bsdi.o asm/dx86unix.cpp: asm/des-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl (cd asm; $(PERL) des-586.pl cpp >dx86unix.cpp) asm/yx86unix.cpp: asm/crypt586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) crypt586.pl cpp >yx86unix.cpp) files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: installs installs: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f asm/dx86unix.cpp asm/yx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj des lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. cbc_cksm.o: ../../include/openssl/crypto.h ../../include/openssl/des.h cbc_cksm.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h cbc_cksm.o: ../../include/openssl/opensslconf.h cbc_cksm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h cbc_cksm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h cbc_cksm.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h cbc_cksm.o: cbc_cksm.c des_locl.h cbc_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h cbc_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h cbc_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h cbc_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h cbc_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h cbc_enc.o: ../../include/openssl/ui_compat.h cbc_enc.c des_locl.h ncbc_enc.c cfb64ede.o: ../../include/openssl/crypto.h ../../include/openssl/des.h cfb64ede.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h cfb64ede.o: ../../include/openssl/opensslconf.h cfb64ede.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h cfb64ede.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h cfb64ede.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h cfb64ede.o: cfb64ede.c des_locl.h cfb64enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h cfb64enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h cfb64enc.o: ../../include/openssl/opensslconf.h cfb64enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h cfb64enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h cfb64enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h cfb64enc.o: cfb64enc.c des_locl.h -cfb_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h -cfb_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h -cfb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -cfb_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -cfb_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h -cfb_enc.o: ../../include/openssl/ui_compat.h cfb_enc.c des_locl.h +cfb_enc.o: ../../e_os.h ../../include/openssl/crypto.h +cfb_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h +cfb_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +cfb_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +cfb_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +cfb_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h +cfb_enc.o: cfb_enc.c des_locl.h des_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h des_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h des_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h des_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h des_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h des_enc.o: ../../include/openssl/ui_compat.h des_enc.c des_locl.h ncbc_enc.c des_old.o: ../../include/openssl/crypto.h ../../include/openssl/des.h des_old.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h des_old.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h des_old.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h des_old.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h des_old.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h des_old.o: ../../include/openssl/ui_compat.h des_old.c des_old2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h des_old2.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h des_old2.o: ../../include/openssl/opensslconf.h des_old2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h des_old2.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h des_old2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h des_old2.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h des_old2.o: des_old2.c ecb3_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h ecb3_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h ecb3_enc.o: ../../include/openssl/opensslconf.h ecb3_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h ecb3_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ecb3_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h ecb3_enc.o: des_locl.h ecb3_enc.c -ecb_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h -ecb_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h -ecb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -ecb_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -ecb_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h -ecb_enc.o: ../../include/openssl/ui_compat.h des_locl.h des_ver.h ecb_enc.c -ecb_enc.o: spr.h +ecb_enc.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h +ecb_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h +ecb_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +ecb_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +ecb_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +ecb_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h +ecb_enc.o: des_locl.h des_ver.h ecb_enc.c spr.h ede_cbcm_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h ede_cbcm_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h ede_cbcm_enc.o: ../../include/openssl/opensslconf.h ede_cbcm_enc.o: ../../include/openssl/opensslv.h ede_cbcm_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h ede_cbcm_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h ede_cbcm_enc.o: ../../include/openssl/ui_compat.h des_locl.h ede_cbcm_enc.c enc_read.o: ../../e_os.h ../../include/openssl/bio.h enc_read.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h enc_read.o: ../../include/openssl/des.h ../../include/openssl/des_old.h enc_read.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h enc_read.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h enc_read.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h enc_read.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h enc_read.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h enc_read.o: ../cryptlib.h des_locl.h enc_read.c enc_writ.o: ../../e_os.h ../../include/openssl/bio.h enc_writ.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h enc_writ.o: ../../include/openssl/des.h ../../include/openssl/des_old.h enc_writ.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h enc_writ.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h enc_writ.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h enc_writ.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h enc_writ.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h enc_writ.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h enc_writ.o: ../cryptlib.h des_locl.h enc_writ.c fcrypt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h fcrypt.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h fcrypt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h fcrypt.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h fcrypt.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h fcrypt.o: ../../include/openssl/ui_compat.h des_locl.h fcrypt.c fcrypt_b.o: ../../include/openssl/crypto.h ../../include/openssl/des.h fcrypt_b.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h fcrypt_b.o: ../../include/openssl/opensslconf.h fcrypt_b.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h fcrypt_b.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h fcrypt_b.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h fcrypt_b.o: des_locl.h fcrypt_b.c ofb64ede.o: ../../include/openssl/crypto.h ../../include/openssl/des.h ofb64ede.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h ofb64ede.o: ../../include/openssl/opensslconf.h ofb64ede.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h ofb64ede.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ofb64ede.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h ofb64ede.o: des_locl.h ofb64ede.c ofb64enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h ofb64enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h ofb64enc.o: ../../include/openssl/opensslconf.h ofb64enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h ofb64enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ofb64enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h ofb64enc.o: des_locl.h ofb64enc.c ofb_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h ofb_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h ofb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h ofb_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h ofb_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h ofb_enc.o: ../../include/openssl/ui_compat.h des_locl.h ofb_enc.c pcbc_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h pcbc_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h pcbc_enc.o: ../../include/openssl/opensslconf.h pcbc_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h pcbc_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h pcbc_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h pcbc_enc.o: des_locl.h pcbc_enc.c qud_cksm.o: ../../include/openssl/crypto.h ../../include/openssl/des.h qud_cksm.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h qud_cksm.o: ../../include/openssl/opensslconf.h qud_cksm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h qud_cksm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h qud_cksm.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h qud_cksm.o: des_locl.h qud_cksm.c rand_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h rand_key.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h rand_key.o: ../../include/openssl/opensslconf.h rand_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rand_key.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h rand_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rand_key.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h rand_key.o: rand_key.c read2pwd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h read2pwd.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h read2pwd.o: ../../include/openssl/opensslconf.h read2pwd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h read2pwd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h read2pwd.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h read2pwd.o: read2pwd.c rpc_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h rpc_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h rpc_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h rpc_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h rpc_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h rpc_enc.o: ../../include/openssl/ui_compat.h des_locl.h des_ver.h rpc_des.h rpc_enc.o: rpc_enc.c set_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h set_key.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h set_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h set_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h set_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h set_key.o: ../../include/openssl/ui_compat.h des_locl.h set_key.c str2key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h str2key.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h str2key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h str2key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h str2key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h str2key.o: ../../include/openssl/ui_compat.h des_locl.h str2key.c xcbc_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h xcbc_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h xcbc_enc.o: ../../include/openssl/opensslconf.h xcbc_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h xcbc_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h xcbc_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h xcbc_enc.o: des_locl.h xcbc_enc.c diff --git a/crypto/openssl/crypto/des/cfb_enc.c b/crypto/openssl/crypto/des/cfb_enc.c index 2600bdfc93a9..03cabb223cdf 100644 --- a/crypto/openssl/crypto/des/cfb_enc.c +++ b/crypto/openssl/crypto/des/cfb_enc.c @@ -1,175 +1,174 @@ /* crypto/des/cfb_enc.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ +#include "e_os.h" #include "des_locl.h" /* The input and output are loaded in multiples of 8 bits. * What this means is that if you hame numbits=12 and length=2 * the first 12 bits will be retrieved from the first byte and half * the second. The second 12 bits will come from the 3rd and half the 4th * byte. */ -/* WARNING WARNING: this uses in and out in 8-byte chunks regardless of - * length */ /* Until Aug 1 2003 this function did not correctly implement CFB-r, so it * will not be compatible with any encryption prior to that date. Ben. */ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc) { - register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8; - register unsigned long l=length; - register int num=numbits; + register DES_LONG d0,d1,v0,v1; + register unsigned long l=length,n=(numbits+7)/8; + register int num=numbits,i; DES_LONG ti[2]; unsigned char *iv; unsigned char ovec[16]; if (num > 64) return; iv = &(*ivec)[0]; c2l(iv,v0); c2l(iv,v1); if (enc) { while (l >= n) { l-=n; ti[0]=v0; ti[1]=v1; DES_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT); c2ln(in,d0,d1,n); in+=n; d0^=ti[0]; d1^=ti[1]; l2cn(d0,d1,out,n); out+=n; /* 30-08-94 - eay - changed because l>>32 and * l<<32 are bad under gcc :-( */ if (num == 32) { v0=v1; v1=d0; } else if (num == 64) { v0=d0; v1=d1; } else { iv=&ovec[0]; l2c(v0,iv); l2c(v1,iv); l2c(d0,iv); l2c(d1,iv); /* shift ovec left most of the bits... */ memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); /* now the remaining bits */ if(num%8 != 0) - for(n=0 ; n < 8 ; ++n) + for(i=0 ; i < 8 ; ++i) { - ovec[n]<<=num%8; - ovec[n]|=ovec[n+1]>>(8-num%8); + ovec[i]<<=num%8; + ovec[i]|=ovec[i+1]>>(8-num%8); } iv=&ovec[0]; c2l(iv,v0); c2l(iv,v1); } } } else { while (l >= n) { l-=n; ti[0]=v0; ti[1]=v1; DES_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT); c2ln(in,d0,d1,n); in+=n; /* 30-08-94 - eay - changed because l>>32 and * l<<32 are bad under gcc :-( */ if (num == 32) { v0=v1; v1=d0; } else if (num == 64) { v0=d0; v1=d1; } else { iv=&ovec[0]; l2c(v0,iv); l2c(v1,iv); l2c(d0,iv); l2c(d1,iv); /* shift ovec left most of the bits... */ memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); /* now the remaining bits */ if(num%8 != 0) - for(n=0 ; n < 8 ; ++n) + for(i=0 ; i < 8 ; ++i) { - ovec[n]<<=num%8; - ovec[n]|=ovec[n+1]>>(8-num%8); + ovec[i]<<=num%8; + ovec[i]|=ovec[i+1]>>(8-num%8); } iv=&ovec[0]; c2l(iv,v0); c2l(iv,v1); } d0^=ti[0]; d1^=ti[1]; l2cn(d0,d1,out,n); out+=n; } } iv = &(*ivec)[0]; l2c(v0,iv); l2c(v1,iv); v0=v1=d0=d1=ti[0]=ti[1]=0; } diff --git a/crypto/openssl/crypto/des/ecb_enc.c b/crypto/openssl/crypto/des/ecb_enc.c index 1b70f68806d9..784aa5ba23d2 100644 --- a/crypto/openssl/crypto/des/ecb_enc.c +++ b/crypto/openssl/crypto/des/ecb_enc.c @@ -1,121 +1,123 @@ /* crypto/des/ecb_enc.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include "des_locl.h" #include "des_ver.h" #include "spr.h" #include +#include OPENSSL_GLOBAL const char *libdes_version="libdes" OPENSSL_VERSION_PTEXT; OPENSSL_GLOBAL const char *DES_version="DES" OPENSSL_VERSION_PTEXT; const char *DES_options(void) { static int init=1; static char buf[32]; if (init) { const char *ptr,*unroll,*risc,*size; #ifdef DES_PTR ptr="ptr"; #else ptr="idx"; #endif #if defined(DES_RISC1) || defined(DES_RISC2) #ifdef DES_RISC1 risc="risc1"; #endif #ifdef DES_RISC2 risc="risc2"; #endif #else risc="cisc"; #endif #ifdef DES_UNROLL unroll="16"; #else unroll="4"; #endif if (sizeof(DES_LONG) != sizeof(long)) size="int"; else size="long"; - sprintf(buf,"des(%s,%s,%s,%s)",ptr,risc,unroll,size); + BIO_snprintf(buf,sizeof buf,"des(%s,%s,%s,%s)",ptr,risc,unroll, + size); init=0; } return(buf); } void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, DES_key_schedule *ks, int enc) { register DES_LONG l; DES_LONG ll[2]; const unsigned char *in = &(*input)[0]; unsigned char *out = &(*output)[0]; c2l(in,l); ll[0]=l; c2l(in,l); ll[1]=l; DES_encrypt1(ll,ks,enc); l=ll[0]; l2c(l,out); l=ll[1]; l2c(l,out); l=ll[0]=ll[1]=0; } diff --git a/crypto/openssl/crypto/dh/Makefile.ssl b/crypto/openssl/crypto/dh/Makefile.ssl index 1c447e971f87..e05fc01a1283 100644 --- a/crypto/openssl/crypto/dh/Makefile.ssl +++ b/crypto/openssl/crypto/dh/Makefile.ssl @@ -1,133 +1,133 @@ # # SSLeay/crypto/dh/Makefile # DIR= dh TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= dhtest.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC= dh_asn1.c dh_gen.c dh_key.c dh_lib.c dh_check.c dh_err.c LIBOBJ= dh_asn1.o dh_gen.o dh_key.o dh_lib.o dh_check.o dh_err.o SRC= $(LIBSRC) EXHEADER= dh.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. dh_asn1.o: ../../e_os.h ../../include/openssl/asn1.h dh_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h dh_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h dh_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h dh_asn1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h dh_asn1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h dh_asn1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h dh_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h dh_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h dh_asn1.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_asn1.c dh_check.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h dh_check.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dh_check.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h dh_check.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dh_check.o: ../../include/openssl/opensslconf.h dh_check.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h dh_check.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h dh_check.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_check.c dh_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h dh_err.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h dh_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h dh_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h dh_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h dh_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h dh_err.o: ../../include/openssl/symhacks.h dh_err.c dh_gen.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h dh_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dh_gen.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h dh_gen.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dh_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h dh_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h dh_gen.o: ../cryptlib.h dh_gen.c dh_key.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h dh_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dh_key.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h dh_key.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dh_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dh_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h dh_key.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_key.c dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h dh_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h dh_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h dh_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h dh_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h dh_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h dh_lib.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h dh_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h dh_lib.o: ../cryptlib.h dh_lib.c diff --git a/crypto/openssl/crypto/dsa/Makefile.ssl b/crypto/openssl/crypto/dsa/Makefile.ssl index 014d0063477e..e5f8a8cf514f 100644 --- a/crypto/openssl/crypto/dsa/Makefile.ssl +++ b/crypto/openssl/crypto/dsa/Makefile.ssl @@ -1,171 +1,171 @@ # # SSLeay/crypto/dsa/Makefile # DIR= dsa TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST=dsatest.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC= dsa_gen.c dsa_key.c dsa_lib.c dsa_asn1.c dsa_vrf.c dsa_sign.c \ dsa_err.c dsa_ossl.c LIBOBJ= dsa_gen.o dsa_key.o dsa_lib.o dsa_asn1.o dsa_vrf.o dsa_sign.o \ dsa_err.o dsa_ossl.o SRC= $(LIBSRC) EXHEADER= dsa.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. dsa_asn1.o: ../../e_os.h ../../include/openssl/asn1.h dsa_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h dsa_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h dsa_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h dsa_asn1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h dsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dsa_asn1.o: ../../include/openssl/opensslconf.h dsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h dsa_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h dsa_asn1.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_asn1.c dsa_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h dsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h dsa_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h dsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dsa_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dsa_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h dsa_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h dsa_err.o: dsa_err.c dsa_gen.o: ../../e_os.h ../../include/openssl/aes.h dsa_gen.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h dsa_gen.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h dsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h dsa_gen.o: ../../include/openssl/crypto.h ../../include/openssl/des.h dsa_gen.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h dsa_gen.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h dsa_gen.o: ../../include/openssl/err.h ../../include/openssl/evp.h dsa_gen.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h dsa_gen.o: ../../include/openssl/md2.h ../../include/openssl/md4.h dsa_gen.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h dsa_gen.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h dsa_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dsa_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h dsa_gen.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h dsa_gen.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h dsa_gen.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h dsa_gen.o: ../../include/openssl/sha.h ../../include/openssl/stack.h dsa_gen.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h dsa_gen.o: ../../include/openssl/ui_compat.h ../cryptlib.h dsa_gen.c dsa_key.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h dsa_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dsa_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h dsa_key.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h dsa_key.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h dsa_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h dsa_key.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h dsa_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h dsa_key.o: ../cryptlib.h dsa_key.c dsa_lib.o: ../../e_os.h ../../include/openssl/asn1.h dsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h dsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dsa_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h dsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h dsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h dsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h dsa_lib.o: ../../include/openssl/ui.h ../cryptlib.h dsa_lib.c dsa_ossl.o: ../../e_os.h ../../include/openssl/asn1.h dsa_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h dsa_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dsa_ossl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h dsa_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h dsa_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h dsa_ossl.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h dsa_ossl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h dsa_ossl.o: ../cryptlib.h dsa_ossl.c dsa_sign.o: ../../e_os.h ../../include/openssl/asn1.h dsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dsa_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h dsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h dsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h dsa_sign.o: ../cryptlib.h dsa_sign.c dsa_vrf.o: ../../e_os.h ../../include/openssl/asn1.h dsa_vrf.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h dsa_vrf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h dsa_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h dsa_vrf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h dsa_vrf.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dsa_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dsa_vrf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h dsa_vrf.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_vrf.c diff --git a/crypto/openssl/crypto/dso/Makefile.ssl b/crypto/openssl/crypto/dso/Makefile.ssl index 3d00363bb664..c0449d184e5b 100644 --- a/crypto/openssl/crypto/dso/Makefile.ssl +++ b/crypto/openssl/crypto/dso/Makefile.ssl @@ -1,142 +1,142 @@ # # SSLeay/crypto/dso/Makefile # DIR= dso TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= dso_dl.c dso_dlfcn.c dso_err.c dso_lib.c dso_null.c \ dso_openssl.c dso_win32.c dso_vms.c LIBOBJ= dso_dl.o dso_dlfcn.o dso_err.o dso_lib.o dso_null.o \ dso_openssl.o dso_win32.o dso_vms.o SRC= $(LIBSRC) EXHEADER= dso.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. dso_dl.o: ../../e_os.h ../../include/openssl/bio.h dso_dl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dso_dl.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h dso_dl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dso_dl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dso_dl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h dso_dl.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_dl.c dso_dlfcn.o: ../../e_os.h ../../include/openssl/bio.h dso_dlfcn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dso_dlfcn.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h dso_dlfcn.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dso_dlfcn.o: ../../include/openssl/opensslconf.h dso_dlfcn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h dso_dlfcn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h dso_dlfcn.o: ../cryptlib.h dso_dlfcn.c dso_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h dso_err.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h dso_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dso_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dso_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h dso_err.o: ../../include/openssl/symhacks.h dso_err.c dso_lib.o: ../../e_os.h ../../include/openssl/bio.h dso_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dso_lib.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h dso_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dso_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dso_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h dso_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_lib.c dso_null.o: ../../e_os.h ../../include/openssl/bio.h dso_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dso_null.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h dso_null.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dso_null.o: ../../include/openssl/opensslconf.h dso_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h dso_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h dso_null.o: ../cryptlib.h dso_null.c dso_openssl.o: ../../e_os.h ../../include/openssl/bio.h dso_openssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dso_openssl.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h dso_openssl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dso_openssl.o: ../../include/openssl/opensslconf.h dso_openssl.o: ../../include/openssl/opensslv.h dso_openssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h dso_openssl.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_openssl.c dso_vms.o: ../../e_os.h ../../include/openssl/bio.h dso_vms.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dso_vms.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h dso_vms.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dso_vms.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dso_vms.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h dso_vms.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_vms.c dso_win32.o: ../../e_os.h ../../include/openssl/bio.h dso_win32.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h dso_win32.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h dso_win32.o: ../../include/openssl/err.h ../../include/openssl/lhash.h dso_win32.o: ../../include/openssl/opensslconf.h dso_win32.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h dso_win32.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h dso_win32.o: ../cryptlib.h dso_win32.c diff --git a/crypto/openssl/crypto/dso/dso_lib.c b/crypto/openssl/crypto/dso/dso_lib.c index 556069b9b824..48d9fdb25e2b 100644 --- a/crypto/openssl/crypto/dso/dso_lib.c +++ b/crypto/openssl/crypto/dso/dso_lib.c @@ -1,439 +1,439 @@ /* dso_lib.c */ /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL * project 2000. */ /* ==================================================================== * Copyright (c) 2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include "cryptlib.h" #include static DSO_METHOD *default_DSO_meth = NULL; DSO *DSO_new(void) { return(DSO_new_method(NULL)); } void DSO_set_default_method(DSO_METHOD *meth) { default_DSO_meth = meth; } DSO_METHOD *DSO_get_default_method(void) { return(default_DSO_meth); } DSO_METHOD *DSO_get_method(DSO *dso) { return(dso->meth); } DSO_METHOD *DSO_set_method(DSO *dso, DSO_METHOD *meth) { DSO_METHOD *mtmp; mtmp = dso->meth; dso->meth = meth; return(mtmp); } DSO *DSO_new_method(DSO_METHOD *meth) { DSO *ret; if(default_DSO_meth == NULL) /* We default to DSO_METH_openssl() which in turn defaults * to stealing the "best available" method. Will fallback * to DSO_METH_null() in the worst case. */ default_DSO_meth = DSO_METHOD_openssl(); ret = (DSO *)OPENSSL_malloc(sizeof(DSO)); if(ret == NULL) { DSOerr(DSO_F_DSO_NEW_METHOD,ERR_R_MALLOC_FAILURE); return(NULL); } memset(ret, 0, sizeof(DSO)); ret->meth_data = sk_new_null(); if(ret->meth_data == NULL) { /* sk_new doesn't generate any errors so we do */ DSOerr(DSO_F_DSO_NEW_METHOD,ERR_R_MALLOC_FAILURE); OPENSSL_free(ret); return(NULL); } if(meth == NULL) ret->meth = default_DSO_meth; else ret->meth = meth; ret->references = 1; if((ret->meth->init != NULL) && !ret->meth->init(ret)) { OPENSSL_free(ret); ret=NULL; } return(ret); } int DSO_free(DSO *dso) { int i; if(dso == NULL) { DSOerr(DSO_F_DSO_FREE,ERR_R_PASSED_NULL_PARAMETER); return(0); } i=CRYPTO_add(&dso->references,-1,CRYPTO_LOCK_DSO); #ifdef REF_PRINT REF_PRINT("DSO",dso); #endif if(i > 0) return(1); #ifdef REF_CHECK if(i < 0) { fprintf(stderr,"DSO_free, bad reference count\n"); abort(); } #endif if((dso->meth->dso_unload != NULL) && !dso->meth->dso_unload(dso)) { DSOerr(DSO_F_DSO_FREE,DSO_R_UNLOAD_FAILED); return(0); } if((dso->meth->finish != NULL) && !dso->meth->finish(dso)) { DSOerr(DSO_F_DSO_FREE,DSO_R_FINISH_FAILED); return(0); } sk_free(dso->meth_data); if(dso->filename != NULL) OPENSSL_free(dso->filename); if(dso->loaded_filename != NULL) OPENSSL_free(dso->loaded_filename); OPENSSL_free(dso); return(1); } int DSO_flags(DSO *dso) { return((dso == NULL) ? 0 : dso->flags); } int DSO_up_ref(DSO *dso) { if (dso == NULL) { DSOerr(DSO_F_DSO_UP_REF,ERR_R_PASSED_NULL_PARAMETER); return(0); } CRYPTO_add(&dso->references,1,CRYPTO_LOCK_DSO); return(1); } DSO *DSO_load(DSO *dso, const char *filename, DSO_METHOD *meth, int flags) { DSO *ret; int allocated = 0; if(dso == NULL) { ret = DSO_new_method(meth); if(ret == NULL) { DSOerr(DSO_F_DSO_LOAD,ERR_R_MALLOC_FAILURE); goto err; } allocated = 1; /* Pass the provided flags to the new DSO object */ if(DSO_ctrl(ret, DSO_CTRL_SET_FLAGS, flags, NULL) < 0) { DSOerr(DSO_F_DSO_LOAD,DSO_R_CTRL_FAILED); goto err; } } else ret = dso; /* Don't load if we're currently already loaded */ if(ret->filename != NULL) { DSOerr(DSO_F_DSO_LOAD,DSO_R_DSO_ALREADY_LOADED); goto err; } /* filename can only be NULL if we were passed a dso that already has * one set. */ if(filename != NULL) if(!DSO_set_filename(ret, filename)) { DSOerr(DSO_F_DSO_LOAD,DSO_R_SET_FILENAME_FAILED); goto err; } filename = ret->filename; if(filename == NULL) { DSOerr(DSO_F_DSO_LOAD,DSO_R_NO_FILENAME); goto err; } if(ret->meth->dso_load == NULL) { DSOerr(DSO_F_DSO_LOAD,DSO_R_UNSUPPORTED); goto err; } if(!ret->meth->dso_load(ret)) { DSOerr(DSO_F_DSO_LOAD,DSO_R_LOAD_FAILED); goto err; } /* Load succeeded */ return(ret); err: if(allocated) DSO_free(ret); return(NULL); } void *DSO_bind_var(DSO *dso, const char *symname) { void *ret = NULL; if((dso == NULL) || (symname == NULL)) { DSOerr(DSO_F_DSO_BIND_VAR,ERR_R_PASSED_NULL_PARAMETER); return(NULL); } if(dso->meth->dso_bind_var == NULL) { DSOerr(DSO_F_DSO_BIND_VAR,DSO_R_UNSUPPORTED); return(NULL); } if((ret = dso->meth->dso_bind_var(dso, symname)) == NULL) { DSOerr(DSO_F_DSO_BIND_VAR,DSO_R_SYM_FAILURE); return(NULL); } /* Success */ return(ret); } DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname) { DSO_FUNC_TYPE ret = NULL; if((dso == NULL) || (symname == NULL)) { DSOerr(DSO_F_DSO_BIND_FUNC,ERR_R_PASSED_NULL_PARAMETER); return(NULL); } if(dso->meth->dso_bind_func == NULL) { DSOerr(DSO_F_DSO_BIND_FUNC,DSO_R_UNSUPPORTED); return(NULL); } if((ret = dso->meth->dso_bind_func(dso, symname)) == NULL) { DSOerr(DSO_F_DSO_BIND_FUNC,DSO_R_SYM_FAILURE); return(NULL); } /* Success */ return(ret); } /* I don't really like these *_ctrl functions very much to be perfectly * honest. For one thing, I think I have to return a negative value for * any error because possible DSO_ctrl() commands may return values * such as "size"s that can legitimately be zero (making the standard * "if(DSO_cmd(...))" form that works almost everywhere else fail at * odd times. I'd prefer "output" values to be passed by reference and * the return value as success/failure like usual ... but we conform * when we must... :-) */ long DSO_ctrl(DSO *dso, int cmd, long larg, void *parg) { if(dso == NULL) { DSOerr(DSO_F_DSO_CTRL,ERR_R_PASSED_NULL_PARAMETER); return(-1); } /* We should intercept certain generic commands and only pass control * to the method-specific ctrl() function if it's something we don't * handle. */ switch(cmd) { case DSO_CTRL_GET_FLAGS: return dso->flags; case DSO_CTRL_SET_FLAGS: dso->flags = (int)larg; return(0); case DSO_CTRL_OR_FLAGS: dso->flags |= (int)larg; return(0); default: break; } if((dso->meth == NULL) || (dso->meth->dso_ctrl == NULL)) { DSOerr(DSO_F_DSO_CTRL,DSO_R_UNSUPPORTED); return(-1); } return(dso->meth->dso_ctrl(dso,cmd,larg,parg)); } int DSO_set_name_converter(DSO *dso, DSO_NAME_CONVERTER_FUNC cb, DSO_NAME_CONVERTER_FUNC *oldcb) { if(dso == NULL) { DSOerr(DSO_F_DSO_SET_NAME_CONVERTER, ERR_R_PASSED_NULL_PARAMETER); return(0); } if(oldcb) *oldcb = dso->name_converter; dso->name_converter = cb; return(1); } const char *DSO_get_filename(DSO *dso) { if(dso == NULL) { DSOerr(DSO_F_DSO_GET_FILENAME,ERR_R_PASSED_NULL_PARAMETER); return(NULL); } return(dso->filename); } int DSO_set_filename(DSO *dso, const char *filename) { char *copied; if((dso == NULL) || (filename == NULL)) { DSOerr(DSO_F_DSO_SET_FILENAME,ERR_R_PASSED_NULL_PARAMETER); return(0); } if(dso->loaded_filename) { DSOerr(DSO_F_DSO_SET_FILENAME,DSO_R_DSO_ALREADY_LOADED); return(0); } /* We'll duplicate filename */ copied = OPENSSL_malloc(strlen(filename) + 1); if(copied == NULL) { DSOerr(DSO_F_DSO_SET_FILENAME,ERR_R_MALLOC_FAILURE); return(0); } - strcpy(copied, filename); + BUF_strlcpy(copied, filename, strlen(filename) + 1); if(dso->filename) OPENSSL_free(dso->filename); dso->filename = copied; return(1); } char *DSO_convert_filename(DSO *dso, const char *filename) { char *result = NULL; if(dso == NULL) { DSOerr(DSO_F_DSO_CONVERT_FILENAME,ERR_R_PASSED_NULL_PARAMETER); return(NULL); } if(filename == NULL) filename = dso->filename; if(filename == NULL) { DSOerr(DSO_F_DSO_CONVERT_FILENAME,DSO_R_NO_FILENAME); return(NULL); } if((dso->flags & DSO_FLAG_NO_NAME_TRANSLATION) == 0) { if(dso->name_converter != NULL) result = dso->name_converter(dso, filename); else if(dso->meth->dso_name_converter != NULL) result = dso->meth->dso_name_converter(dso, filename); } if(result == NULL) { result = OPENSSL_malloc(strlen(filename) + 1); if(result == NULL) { DSOerr(DSO_F_DSO_CONVERT_FILENAME, ERR_R_MALLOC_FAILURE); return(NULL); } - strcpy(result, filename); + BUF_strlcpy(result, filename, strlen(filename) + 1); } return(result); } const char *DSO_get_loaded_filename(DSO *dso) { if(dso == NULL) { DSOerr(DSO_F_DSO_GET_LOADED_FILENAME, ERR_R_PASSED_NULL_PARAMETER); return(NULL); } return(dso->loaded_filename); } diff --git a/crypto/openssl/crypto/ec/Makefile.ssl b/crypto/openssl/crypto/ec/Makefile.ssl index c34a49c1b149..a2805c47a2f5 100644 --- a/crypto/openssl/crypto/ec/Makefile.ssl +++ b/crypto/openssl/crypto/ec/Makefile.ssl @@ -1,128 +1,128 @@ # # crypto/ec/Makefile # DIR= ec TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST=ectest.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC= ec_lib.c ecp_smpl.c ecp_mont.c ecp_recp.c ecp_nist.c ec_cvt.c ec_mult.c \ ec_err.c LIBOBJ= ec_lib.o ecp_smpl.o ecp_mont.o ecp_recp.o ecp_nist.o ec_cvt.o ec_mult.o \ ec_err.o SRC= $(LIBSRC) EXHEADER= ec.h HEADER= ec_lcl.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. ec_cvt.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h ec_cvt.o: ../../include/openssl/ec.h ../../include/openssl/opensslconf.h ec_cvt.o: ../../include/openssl/symhacks.h ec_cvt.c ec_lcl.h ec_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h ec_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h ec_err.o: ../../include/openssl/ec.h ../../include/openssl/err.h ec_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h ec_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h ec_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ec_err.o: ec_err.c ec_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h ec_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h ec_lib.o: ../../include/openssl/ec.h ../../include/openssl/err.h ec_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h ec_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h ec_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ec_lib.o: ec_lcl.h ec_lib.c ec_mult.o: ../../include/openssl/bio.h ../../include/openssl/bn.h ec_mult.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h ec_mult.o: ../../include/openssl/ec.h ../../include/openssl/err.h ec_mult.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h ec_mult.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h ec_mult.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ec_mult.o: ec_lcl.h ec_mult.c ecp_mont.o: ../../include/openssl/bio.h ../../include/openssl/bn.h ecp_mont.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h ecp_mont.o: ../../include/openssl/ec.h ../../include/openssl/err.h ecp_mont.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h ecp_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h ecp_mont.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ecp_mont.o: ec_lcl.h ecp_mont.c ecp_nist.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h ecp_nist.o: ../../include/openssl/ec.h ../../include/openssl/opensslconf.h ecp_nist.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_nist.c ecp_recp.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h ecp_recp.o: ../../include/openssl/ec.h ../../include/openssl/opensslconf.h ecp_recp.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_recp.c ecp_smpl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h ecp_smpl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h ecp_smpl.o: ../../include/openssl/ec.h ../../include/openssl/err.h ecp_smpl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h ecp_smpl.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h ecp_smpl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ecp_smpl.o: ec_lcl.h ecp_smpl.c diff --git a/crypto/openssl/crypto/ec/ecp_smpl.c b/crypto/openssl/crypto/ec/ecp_smpl.c index 4666a052bfab..e9a51fb87a1c 100644 --- a/crypto/openssl/crypto/ec/ecp_smpl.c +++ b/crypto/openssl/crypto/ec/ecp_smpl.c @@ -1,1717 +1,1717 @@ /* crypto/ec/ecp_smpl.c */ /* Includes code written by Lenka Fibikova * for the OpenSSL project. */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include "ec_lcl.h" const EC_METHOD *EC_GFp_simple_method(void) { static const EC_METHOD ret = { ec_GFp_simple_group_init, ec_GFp_simple_group_finish, ec_GFp_simple_group_clear_finish, ec_GFp_simple_group_copy, ec_GFp_simple_group_set_curve_GFp, ec_GFp_simple_group_get_curve_GFp, ec_GFp_simple_group_set_generator, ec_GFp_simple_group_get0_generator, ec_GFp_simple_group_get_order, ec_GFp_simple_group_get_cofactor, ec_GFp_simple_point_init, ec_GFp_simple_point_finish, ec_GFp_simple_point_clear_finish, ec_GFp_simple_point_copy, ec_GFp_simple_point_set_to_infinity, ec_GFp_simple_set_Jprojective_coordinates_GFp, ec_GFp_simple_get_Jprojective_coordinates_GFp, ec_GFp_simple_point_set_affine_coordinates_GFp, ec_GFp_simple_point_get_affine_coordinates_GFp, ec_GFp_simple_set_compressed_coordinates_GFp, ec_GFp_simple_point2oct, ec_GFp_simple_oct2point, ec_GFp_simple_add, ec_GFp_simple_dbl, ec_GFp_simple_invert, ec_GFp_simple_is_at_infinity, ec_GFp_simple_is_on_curve, ec_GFp_simple_cmp, ec_GFp_simple_make_affine, ec_GFp_simple_points_make_affine, ec_GFp_simple_field_mul, ec_GFp_simple_field_sqr, 0 /* field_encode */, 0 /* field_decode */, 0 /* field_set_to_one */ }; return &ret; } int ec_GFp_simple_group_init(EC_GROUP *group) { BN_init(&group->field); BN_init(&group->a); BN_init(&group->b); group->a_is_minus3 = 0; group->generator = NULL; BN_init(&group->order); BN_init(&group->cofactor); return 1; } void ec_GFp_simple_group_finish(EC_GROUP *group) { BN_free(&group->field); BN_free(&group->a); BN_free(&group->b); if (group->generator != NULL) EC_POINT_free(group->generator); BN_free(&group->order); BN_free(&group->cofactor); } void ec_GFp_simple_group_clear_finish(EC_GROUP *group) { BN_clear_free(&group->field); BN_clear_free(&group->a); BN_clear_free(&group->b); if (group->generator != NULL) { EC_POINT_clear_free(group->generator); group->generator = NULL; } BN_clear_free(&group->order); BN_clear_free(&group->cofactor); } int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src) { if (!BN_copy(&dest->field, &src->field)) return 0; if (!BN_copy(&dest->a, &src->a)) return 0; if (!BN_copy(&dest->b, &src->b)) return 0; dest->a_is_minus3 = src->a_is_minus3; if (src->generator != NULL) { if (dest->generator == NULL) { dest->generator = EC_POINT_new(dest); if (dest->generator == NULL) return 0; } if (!EC_POINT_copy(dest->generator, src->generator)) return 0; } else { /* src->generator == NULL */ if (dest->generator != NULL) { EC_POINT_clear_free(dest->generator); dest->generator = NULL; } } if (!BN_copy(&dest->order, &src->order)) return 0; if (!BN_copy(&dest->cofactor, &src->cofactor)) return 0; return 1; } int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { int ret = 0; BN_CTX *new_ctx = NULL; BIGNUM *tmp_a; /* p must be a prime > 3 */ if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) { ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP, EC_R_INVALID_FIELD); return 0; } if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return 0; } BN_CTX_start(ctx); tmp_a = BN_CTX_get(ctx); if (tmp_a == NULL) goto err; /* group->field */ if (!BN_copy(&group->field, p)) goto err; group->field.neg = 0; /* group->a */ if (!BN_nnmod(tmp_a, a, p, ctx)) goto err; if (group->meth->field_encode) { if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) goto err; } else if (!BN_copy(&group->a, tmp_a)) goto err; /* group->b */ if (!BN_nnmod(&group->b, b, p, ctx)) goto err; if (group->meth->field_encode) if (!group->meth->field_encode(group, &group->b, &group->b, ctx)) goto err; /* group->a_is_minus3 */ if (!BN_add_word(tmp_a, 3)) goto err; group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field)); ret = 1; err: BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); return ret; } int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) { int ret = 0; BN_CTX *new_ctx = NULL; if (p != NULL) { if (!BN_copy(p, &group->field)) return 0; } if (a != NULL || b != NULL) { if (group->meth->field_decode) { if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return 0; } if (a != NULL) { if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err; } if (b != NULL) { if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err; } } else { if (a != NULL) { if (!BN_copy(a, &group->a)) goto err; } if (b != NULL) { if (!BN_copy(b, &group->b)) goto err; } } } ret = 1; err: if (new_ctx) BN_CTX_free(new_ctx); return ret; } int ec_GFp_simple_group_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor) { if (generator == NULL) { ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER); return 0 ; } if (group->generator == NULL) { group->generator = EC_POINT_new(group); if (group->generator == NULL) return 0; } if (!EC_POINT_copy(group->generator, generator)) return 0; if (order != NULL) { if (!BN_copy(&group->order, order)) return 0; } else { if (!BN_zero(&group->order)) return 0; } if (cofactor != NULL) { if (!BN_copy(&group->cofactor, cofactor)) return 0; } else { if (!BN_zero(&group->cofactor)) return 0; } return 1; } EC_POINT *ec_GFp_simple_group_get0_generator(const EC_GROUP *group) { return group->generator; } int ec_GFp_simple_group_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) { if (!BN_copy(order, &group->order)) return 0; return !BN_is_zero(&group->order); } int ec_GFp_simple_group_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx) { if (!BN_copy(cofactor, &group->cofactor)) return 0; return !BN_is_zero(&group->cofactor); } int ec_GFp_simple_point_init(EC_POINT *point) { BN_init(&point->X); BN_init(&point->Y); BN_init(&point->Z); point->Z_is_one = 0; return 1; } void ec_GFp_simple_point_finish(EC_POINT *point) { BN_free(&point->X); BN_free(&point->Y); BN_free(&point->Z); } void ec_GFp_simple_point_clear_finish(EC_POINT *point) { BN_clear_free(&point->X); BN_clear_free(&point->Y); BN_clear_free(&point->Z); point->Z_is_one = 0; } int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) { if (!BN_copy(&dest->X, &src->X)) return 0; if (!BN_copy(&dest->Y, &src->Y)) return 0; if (!BN_copy(&dest->Z, &src->Z)) return 0; dest->Z_is_one = src->Z_is_one; return 1; } int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point) { point->Z_is_one = 0; return (BN_zero(&point->Z)); } int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx) { BN_CTX *new_ctx = NULL; int ret = 0; if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return 0; } if (x != NULL) { if (!BN_nnmod(&point->X, x, &group->field, ctx)) goto err; if (group->meth->field_encode) { if (!group->meth->field_encode(group, &point->X, &point->X, ctx)) goto err; } } if (y != NULL) { if (!BN_nnmod(&point->Y, y, &group->field, ctx)) goto err; if (group->meth->field_encode) { if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx)) goto err; } } if (z != NULL) { int Z_is_one; if (!BN_nnmod(&point->Z, z, &group->field, ctx)) goto err; Z_is_one = BN_is_one(&point->Z); if (group->meth->field_encode) { if (Z_is_one && (group->meth->field_set_to_one != 0)) { if (!group->meth->field_set_to_one(group, &point->Z, ctx)) goto err; } else { if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) goto err; } } point->Z_is_one = Z_is_one; } ret = 1; err: if (new_ctx != NULL) BN_CTX_free(new_ctx); return ret; } int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx) { BN_CTX *new_ctx = NULL; int ret = 0; if (group->meth->field_decode != 0) { if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return 0; } if (x != NULL) { if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err; } if (y != NULL) { if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err; } if (z != NULL) { if (!group->meth->field_decode(group, z, &point->Z, ctx)) goto err; } } else { if (x != NULL) { if (!BN_copy(x, &point->X)) goto err; } if (y != NULL) { if (!BN_copy(y, &point->Y)) goto err; } if (z != NULL) { if (!BN_copy(z, &point->Z)) goto err; } } ret = 1; err: if (new_ctx != NULL) BN_CTX_free(new_ctx); return ret; } int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) { if (x == NULL || y == NULL) { /* unlike for projective coordinates, we do not tolerate this */ ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_PASSED_NULL_PARAMETER); return 0; } return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx); } int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx) { BN_CTX *new_ctx = NULL; BIGNUM *X, *Y, *Z, *Z_1, *Z_2, *Z_3; const BIGNUM *X_, *Y_, *Z_; int ret = 0; if (EC_POINT_is_at_infinity(group, point)) { ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_POINT_AT_INFINITY); return 0; } if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return 0; } BN_CTX_start(ctx); X = BN_CTX_get(ctx); Y = BN_CTX_get(ctx); Z = BN_CTX_get(ctx); Z_1 = BN_CTX_get(ctx); Z_2 = BN_CTX_get(ctx); Z_3 = BN_CTX_get(ctx); if (Z_3 == NULL) goto err; /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */ if (group->meth->field_decode) { if (!group->meth->field_decode(group, X, &point->X, ctx)) goto err; if (!group->meth->field_decode(group, Y, &point->Y, ctx)) goto err; if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err; X_ = X; Y_ = Y; Z_ = Z; } else { X_ = &point->X; Y_ = &point->Y; Z_ = &point->Z; } if (BN_is_one(Z_)) { if (x != NULL) { if (!BN_copy(x, X_)) goto err; } if (y != NULL) { if (!BN_copy(y, Y_)) goto err; } } else { if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx)) { ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_BN_LIB); goto err; } if (group->meth->field_encode == 0) { /* field_sqr works on standard representation */ if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) goto err; } else { if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) goto err; } if (x != NULL) { if (group->meth->field_encode == 0) { /* field_mul works on standard representation */ if (!group->meth->field_mul(group, x, X_, Z_2, ctx)) goto err; } else { if (!BN_mod_mul(x, X_, Z_2, &group->field, ctx)) goto err; } } if (y != NULL) { if (group->meth->field_encode == 0) { /* field_mul works on standard representation */ if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) goto err; if (!group->meth->field_mul(group, y, Y_, Z_3, ctx)) goto err; } else { if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err; if (!BN_mod_mul(y, Y_, Z_3, &group->field, ctx)) goto err; } } } ret = 1; err: BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); return ret; } int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, const BIGNUM *x_, int y_bit, BN_CTX *ctx) { BN_CTX *new_ctx = NULL; BIGNUM *tmp1, *tmp2, *x, *y; int ret = 0; if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return 0; } y_bit = (y_bit != 0); BN_CTX_start(ctx); tmp1 = BN_CTX_get(ctx); tmp2 = BN_CTX_get(ctx); x = BN_CTX_get(ctx); y = BN_CTX_get(ctx); if (y == NULL) goto err; /* Recover y. We have a Weierstrass equation * y^2 = x^3 + a*x + b, * so y is one of the square roots of x^3 + a*x + b. */ /* tmp1 := x^3 */ if (!BN_nnmod(x, x_, &group->field,ctx)) goto err; if (group->meth->field_decode == 0) { /* field_{sqr,mul} work on standard representation */ if (!group->meth->field_sqr(group, tmp2, x_, ctx)) goto err; if (!group->meth->field_mul(group, tmp1, tmp2, x_, ctx)) goto err; } else { if (!BN_mod_sqr(tmp2, x_, &group->field, ctx)) goto err; if (!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx)) goto err; } /* tmp1 := tmp1 + a*x */ if (group->a_is_minus3) { if (!BN_mod_lshift1_quick(tmp2, x, &group->field)) goto err; if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field)) goto err; if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) goto err; } else { if (group->meth->field_decode) { if (!group->meth->field_decode(group, tmp2, &group->a, ctx)) goto err; if (!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx)) goto err; } else { /* field_mul works on standard representation */ if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx)) goto err; } if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err; } /* tmp1 := tmp1 + b */ if (group->meth->field_decode) { if (!group->meth->field_decode(group, tmp2, &group->b, ctx)) goto err; if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err; } else { if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) goto err; } if (!BN_mod_sqrt(y, tmp1, &group->field, ctx)) { unsigned long err = ERR_peek_error(); if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) { (void)ERR_get_error(); ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT); } else ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_BN_LIB); goto err; } /* If tmp1 is not a square (i.e. there is no point on the curve with * our x), then y now is a nonsense value too */ if (y_bit != BN_is_odd(y)) { if (BN_is_zero(y)) { int kron; kron = BN_kronecker(x, &group->field, ctx); if (kron == -2) goto err; if (kron == 1) ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSION_BIT); else ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT); goto err; } if (!BN_usub(y, &group->field, y)) goto err; } if (y_bit != BN_is_odd(y)) { ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_INTERNAL_ERROR); goto err; } if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; ret = 1; err: BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); return ret; } size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form, unsigned char *buf, size_t len, BN_CTX *ctx) { size_t ret; BN_CTX *new_ctx = NULL; int used_ctx = 0; BIGNUM *x, *y; size_t field_len, i, skip; if ((form != POINT_CONVERSION_COMPRESSED) && (form != POINT_CONVERSION_UNCOMPRESSED) && (form != POINT_CONVERSION_HYBRID)) { ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_INVALID_FORM); goto err; } if (EC_POINT_is_at_infinity(group, point)) { /* encodes to a single 0 octet */ if (buf != NULL) { if (len < 1) { ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL); return 0; } buf[0] = 0; } return 1; } /* ret := required output buffer length */ field_len = BN_num_bytes(&group->field); ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len; /* if 'buf' is NULL, just return required length */ if (buf != NULL) { if (len < ret) { ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL); goto err; } if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return 0; } BN_CTX_start(ctx); used_ctx = 1; x = BN_CTX_get(ctx); y = BN_CTX_get(ctx); if (y == NULL) goto err; if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y)) buf[0] = form + 1; else buf[0] = form; i = 1; skip = field_len - BN_num_bytes(x); if (skip > field_len) { ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR); goto err; } while (skip > 0) { buf[i++] = 0; skip--; } skip = BN_bn2bin(x, buf + i); i += skip; if (i != 1 + field_len) { ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR); goto err; } if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID) { skip = field_len - BN_num_bytes(y); if (skip > field_len) { ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR); goto err; } while (skip > 0) { buf[i++] = 0; skip--; } skip = BN_bn2bin(y, buf + i); i += skip; } if (i != ret) { ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR); goto err; } } if (used_ctx) BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); return ret; err: if (used_ctx) BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); return 0; } int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point, const unsigned char *buf, size_t len, BN_CTX *ctx) { point_conversion_form_t form; int y_bit; BN_CTX *new_ctx = NULL; BIGNUM *x, *y; size_t field_len, enc_len; int ret = 0; if (len == 0) { ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL); return 0; } form = buf[0]; y_bit = form & 1; - form = form & ~1; + form = form & ~1U; if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED) && (form != POINT_CONVERSION_UNCOMPRESSED) && (form != POINT_CONVERSION_HYBRID)) { ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); return 0; } if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit) { ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); return 0; } if (form == 0) { if (len != 1) { ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); return 0; } return EC_POINT_set_to_infinity(group, point); } field_len = BN_num_bytes(&group->field); enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len; if (len != enc_len) { ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); return 0; } if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return 0; } BN_CTX_start(ctx); x = BN_CTX_get(ctx); y = BN_CTX_get(ctx); if (y == NULL) goto err; if (!BN_bin2bn(buf + 1, field_len, x)) goto err; if (BN_ucmp(x, &group->field) >= 0) { ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); goto err; } if (form == POINT_CONVERSION_COMPRESSED) { if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) goto err; } else { if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err; if (BN_ucmp(y, &group->field) >= 0) { ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); goto err; } if (form == POINT_CONVERSION_HYBRID) { if (y_bit != BN_is_odd(y)) { ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); goto err; } } if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; } if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */ { ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE); goto err; } ret = 1; err: BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); return ret; } int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) { int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); const BIGNUM *p; BN_CTX *new_ctx = NULL; BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6; int ret = 0; if (a == b) return EC_POINT_dbl(group, r, a, ctx); if (EC_POINT_is_at_infinity(group, a)) return EC_POINT_copy(r, b); if (EC_POINT_is_at_infinity(group, b)) return EC_POINT_copy(r, a); field_mul = group->meth->field_mul; field_sqr = group->meth->field_sqr; p = &group->field; if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return 0; } BN_CTX_start(ctx); n0 = BN_CTX_get(ctx); n1 = BN_CTX_get(ctx); n2 = BN_CTX_get(ctx); n3 = BN_CTX_get(ctx); n4 = BN_CTX_get(ctx); n5 = BN_CTX_get(ctx); n6 = BN_CTX_get(ctx); if (n6 == NULL) goto end; /* Note that in this function we must not read components of 'a' or 'b' * once we have written the corresponding components of 'r'. * ('r' might be one of 'a' or 'b'.) */ /* n1, n2 */ if (b->Z_is_one) { if (!BN_copy(n1, &a->X)) goto end; if (!BN_copy(n2, &a->Y)) goto end; /* n1 = X_a */ /* n2 = Y_a */ } else { if (!field_sqr(group, n0, &b->Z, ctx)) goto end; if (!field_mul(group, n1, &a->X, n0, ctx)) goto end; /* n1 = X_a * Z_b^2 */ if (!field_mul(group, n0, n0, &b->Z, ctx)) goto end; if (!field_mul(group, n2, &a->Y, n0, ctx)) goto end; /* n2 = Y_a * Z_b^3 */ } /* n3, n4 */ if (a->Z_is_one) { if (!BN_copy(n3, &b->X)) goto end; if (!BN_copy(n4, &b->Y)) goto end; /* n3 = X_b */ /* n4 = Y_b */ } else { if (!field_sqr(group, n0, &a->Z, ctx)) goto end; if (!field_mul(group, n3, &b->X, n0, ctx)) goto end; /* n3 = X_b * Z_a^2 */ if (!field_mul(group, n0, n0, &a->Z, ctx)) goto end; if (!field_mul(group, n4, &b->Y, n0, ctx)) goto end; /* n4 = Y_b * Z_a^3 */ } /* n5, n6 */ if (!BN_mod_sub_quick(n5, n1, n3, p)) goto end; if (!BN_mod_sub_quick(n6, n2, n4, p)) goto end; /* n5 = n1 - n3 */ /* n6 = n2 - n4 */ if (BN_is_zero(n5)) { if (BN_is_zero(n6)) { /* a is the same point as b */ BN_CTX_end(ctx); ret = EC_POINT_dbl(group, r, a, ctx); ctx = NULL; goto end; } else { /* a is the inverse of b */ if (!BN_zero(&r->Z)) goto end; r->Z_is_one = 0; ret = 1; goto end; } } /* 'n7', 'n8' */ if (!BN_mod_add_quick(n1, n1, n3, p)) goto end; if (!BN_mod_add_quick(n2, n2, n4, p)) goto end; /* 'n7' = n1 + n3 */ /* 'n8' = n2 + n4 */ /* Z_r */ if (a->Z_is_one && b->Z_is_one) { if (!BN_copy(&r->Z, n5)) goto end; } else { if (a->Z_is_one) { if (!BN_copy(n0, &b->Z)) goto end; } else if (b->Z_is_one) { if (!BN_copy(n0, &a->Z)) goto end; } else { if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) goto end; } if (!field_mul(group, &r->Z, n0, n5, ctx)) goto end; } r->Z_is_one = 0; /* Z_r = Z_a * Z_b * n5 */ /* X_r */ if (!field_sqr(group, n0, n6, ctx)) goto end; if (!field_sqr(group, n4, n5, ctx)) goto end; if (!field_mul(group, n3, n1, n4, ctx)) goto end; if (!BN_mod_sub_quick(&r->X, n0, n3, p)) goto end; /* X_r = n6^2 - n5^2 * 'n7' */ /* 'n9' */ if (!BN_mod_lshift1_quick(n0, &r->X, p)) goto end; if (!BN_mod_sub_quick(n0, n3, n0, p)) goto end; /* n9 = n5^2 * 'n7' - 2 * X_r */ /* Y_r */ if (!field_mul(group, n0, n0, n6, ctx)) goto end; if (!field_mul(group, n5, n4, n5, ctx)) goto end; /* now n5 is n5^3 */ if (!field_mul(group, n1, n2, n5, ctx)) goto end; if (!BN_mod_sub_quick(n0, n0, n1, p)) goto end; if (BN_is_odd(n0)) if (!BN_add(n0, n0, p)) goto end; /* now 0 <= n0 < 2*p, and n0 is even */ if (!BN_rshift1(&r->Y, n0)) goto end; /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */ ret = 1; end: if (ctx) /* otherwise we already called BN_CTX_end */ BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); return ret; } int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx) { int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); const BIGNUM *p; BN_CTX *new_ctx = NULL; BIGNUM *n0, *n1, *n2, *n3; int ret = 0; if (EC_POINT_is_at_infinity(group, a)) { if (!BN_zero(&r->Z)) return 0; r->Z_is_one = 0; return 1; } field_mul = group->meth->field_mul; field_sqr = group->meth->field_sqr; p = &group->field; if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return 0; } BN_CTX_start(ctx); n0 = BN_CTX_get(ctx); n1 = BN_CTX_get(ctx); n2 = BN_CTX_get(ctx); n3 = BN_CTX_get(ctx); if (n3 == NULL) goto err; /* Note that in this function we must not read components of 'a' * once we have written the corresponding components of 'r'. * ('r' might the same as 'a'.) */ /* n1 */ if (a->Z_is_one) { if (!field_sqr(group, n0, &a->X, ctx)) goto err; if (!BN_mod_lshift1_quick(n1, n0, p)) goto err; if (!BN_mod_add_quick(n0, n0, n1, p)) goto err; if (!BN_mod_add_quick(n1, n0, &group->a, p)) goto err; /* n1 = 3 * X_a^2 + a_curve */ } else if (group->a_is_minus3) { if (!field_sqr(group, n1, &a->Z, ctx)) goto err; if (!BN_mod_add_quick(n0, &a->X, n1, p)) goto err; if (!BN_mod_sub_quick(n2, &a->X, n1, p)) goto err; if (!field_mul(group, n1, n0, n2, ctx)) goto err; if (!BN_mod_lshift1_quick(n0, n1, p)) goto err; if (!BN_mod_add_quick(n1, n0, n1, p)) goto err; /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2) * = 3 * X_a^2 - 3 * Z_a^4 */ } else { if (!field_sqr(group, n0, &a->X, ctx)) goto err; if (!BN_mod_lshift1_quick(n1, n0, p)) goto err; if (!BN_mod_add_quick(n0, n0, n1, p)) goto err; if (!field_sqr(group, n1, &a->Z, ctx)) goto err; if (!field_sqr(group, n1, n1, ctx)) goto err; if (!field_mul(group, n1, n1, &group->a, ctx)) goto err; if (!BN_mod_add_quick(n1, n1, n0, p)) goto err; /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */ } /* Z_r */ if (a->Z_is_one) { if (!BN_copy(n0, &a->Y)) goto err; } else { if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) goto err; } if (!BN_mod_lshift1_quick(&r->Z, n0, p)) goto err; r->Z_is_one = 0; /* Z_r = 2 * Y_a * Z_a */ /* n2 */ if (!field_sqr(group, n3, &a->Y, ctx)) goto err; if (!field_mul(group, n2, &a->X, n3, ctx)) goto err; if (!BN_mod_lshift_quick(n2, n2, 2, p)) goto err; /* n2 = 4 * X_a * Y_a^2 */ /* X_r */ if (!BN_mod_lshift1_quick(n0, n2, p)) goto err; if (!field_sqr(group, &r->X, n1, ctx)) goto err; if (!BN_mod_sub_quick(&r->X, &r->X, n0, p)) goto err; /* X_r = n1^2 - 2 * n2 */ /* n3 */ if (!field_sqr(group, n0, n3, ctx)) goto err; if (!BN_mod_lshift_quick(n3, n0, 3, p)) goto err; /* n3 = 8 * Y_a^4 */ /* Y_r */ if (!BN_mod_sub_quick(n0, n2, &r->X, p)) goto err; if (!field_mul(group, n0, n1, n0, ctx)) goto err; if (!BN_mod_sub_quick(&r->Y, n0, n3, p)) goto err; /* Y_r = n1 * (n2 - X_r) - n3 */ ret = 1; err: BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); return ret; } int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) { if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y)) /* point is its own inverse */ return 1; return BN_usub(&point->Y, &group->field, &point->Y); } int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) { return BN_is_zero(&point->Z); } int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx) { int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); const BIGNUM *p; BN_CTX *new_ctx = NULL; BIGNUM *rh, *tmp1, *tmp2, *Z4, *Z6; int ret = -1; if (EC_POINT_is_at_infinity(group, point)) return 1; field_mul = group->meth->field_mul; field_sqr = group->meth->field_sqr; p = &group->field; if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return -1; } BN_CTX_start(ctx); rh = BN_CTX_get(ctx); tmp1 = BN_CTX_get(ctx); tmp2 = BN_CTX_get(ctx); Z4 = BN_CTX_get(ctx); Z6 = BN_CTX_get(ctx); if (Z6 == NULL) goto err; /* We have a curve defined by a Weierstrass equation * y^2 = x^3 + a*x + b. * The point to consider is given in Jacobian projective coordinates * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3). * Substituting this and multiplying by Z^6 transforms the above equation into * Y^2 = X^3 + a*X*Z^4 + b*Z^6. * To test this, we add up the right-hand side in 'rh'. */ /* rh := X^3 */ if (!field_sqr(group, rh, &point->X, ctx)) goto err; if (!field_mul(group, rh, rh, &point->X, ctx)) goto err; if (!point->Z_is_one) { if (!field_sqr(group, tmp1, &point->Z, ctx)) goto err; if (!field_sqr(group, Z4, tmp1, ctx)) goto err; if (!field_mul(group, Z6, Z4, tmp1, ctx)) goto err; /* rh := rh + a*X*Z^4 */ if (!field_mul(group, tmp1, &point->X, Z4, ctx)) goto err; if (group->a_is_minus3) { if (!BN_mod_lshift1_quick(tmp2, tmp1, p)) goto err; if (!BN_mod_add_quick(tmp2, tmp2, tmp1, p)) goto err; if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err; } else { if (!field_mul(group, tmp2, tmp1, &group->a, ctx)) goto err; if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err; } /* rh := rh + b*Z^6 */ if (!field_mul(group, tmp1, &group->b, Z6, ctx)) goto err; if (!BN_mod_add_quick(rh, rh, tmp1, p)) goto err; } else { /* point->Z_is_one */ /* rh := rh + a*X */ if (group->a_is_minus3) { if (!BN_mod_lshift1_quick(tmp2, &point->X, p)) goto err; if (!BN_mod_add_quick(tmp2, tmp2, &point->X, p)) goto err; if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err; } else { if (!field_mul(group, tmp2, &point->X, &group->a, ctx)) goto err; if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err; } /* rh := rh + b */ if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err; } /* 'lh' := Y^2 */ if (!field_sqr(group, tmp1, &point->Y, ctx)) goto err; ret = (0 == BN_cmp(tmp1, rh)); err: BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); return ret; } int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) { /* return values: * -1 error * 0 equal (in affine coordinates) * 1 not equal */ int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); BN_CTX *new_ctx = NULL; BIGNUM *tmp1, *tmp2, *Za23, *Zb23; const BIGNUM *tmp1_, *tmp2_; int ret = -1; if (EC_POINT_is_at_infinity(group, a)) { return EC_POINT_is_at_infinity(group, b) ? 0 : 1; } if (a->Z_is_one && b->Z_is_one) { return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1; } field_mul = group->meth->field_mul; field_sqr = group->meth->field_sqr; if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return -1; } BN_CTX_start(ctx); tmp1 = BN_CTX_get(ctx); tmp2 = BN_CTX_get(ctx); Za23 = BN_CTX_get(ctx); Zb23 = BN_CTX_get(ctx); if (Zb23 == NULL) goto end; /* We have to decide whether * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3), * or equivalently, whether * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3). */ if (!b->Z_is_one) { if (!field_sqr(group, Zb23, &b->Z, ctx)) goto end; if (!field_mul(group, tmp1, &a->X, Zb23, ctx)) goto end; tmp1_ = tmp1; } else tmp1_ = &a->X; if (!a->Z_is_one) { if (!field_sqr(group, Za23, &a->Z, ctx)) goto end; if (!field_mul(group, tmp2, &b->X, Za23, ctx)) goto end; tmp2_ = tmp2; } else tmp2_ = &b->X; /* compare X_a*Z_b^2 with X_b*Z_a^2 */ if (BN_cmp(tmp1_, tmp2_) != 0) { ret = 1; /* points differ */ goto end; } if (!b->Z_is_one) { if (!field_mul(group, Zb23, Zb23, &b->Z, ctx)) goto end; if (!field_mul(group, tmp1, &a->Y, Zb23, ctx)) goto end; /* tmp1_ = tmp1 */ } else tmp1_ = &a->Y; if (!a->Z_is_one) { if (!field_mul(group, Za23, Za23, &a->Z, ctx)) goto end; if (!field_mul(group, tmp2, &b->Y, Za23, ctx)) goto end; /* tmp2_ = tmp2 */ } else tmp2_ = &b->Y; /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */ if (BN_cmp(tmp1_, tmp2_) != 0) { ret = 1; /* points differ */ goto end; } /* points are equal */ ret = 0; end: BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); return ret; } int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) { BN_CTX *new_ctx = NULL; BIGNUM *x, *y; int ret = 0; if (point->Z_is_one || EC_POINT_is_at_infinity(group, point)) return 1; if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return 0; } BN_CTX_start(ctx); x = BN_CTX_get(ctx); y = BN_CTX_get(ctx); if (y == NULL) goto err; if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; if (!point->Z_is_one) { ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR); goto err; } ret = 1; err: BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); return ret; } int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx) { BN_CTX *new_ctx = NULL; BIGNUM *tmp0, *tmp1; size_t pow2 = 0; BIGNUM **heap = NULL; size_t i; int ret = 0; if (num == 0) return 1; if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) return 0; } BN_CTX_start(ctx); tmp0 = BN_CTX_get(ctx); tmp1 = BN_CTX_get(ctx); if (tmp0 == NULL || tmp1 == NULL) goto err; /* Before converting the individual points, compute inverses of all Z values. * Modular inversion is rather slow, but luckily we can do with a single * explicit inversion, plus about 3 multiplications per input value. */ pow2 = 1; while (num > pow2) pow2 <<= 1; /* Now pow2 is the smallest power of 2 satifsying pow2 >= num. * We need twice that. */ pow2 <<= 1; heap = OPENSSL_malloc(pow2 * sizeof heap[0]); if (heap == NULL) goto err; /* The array is used as a binary tree, exactly as in heapsort: * * heap[1] * heap[2] heap[3] * heap[4] heap[5] heap[6] heap[7] * heap[8]heap[9] heap[10]heap[11] heap[12]heap[13] heap[14] heap[15] * * We put the Z's in the last line; * then we set each other node to the product of its two child-nodes (where * empty or 0 entries are treated as ones); * then we invert heap[1]; * then we invert each other node by replacing it by the product of its * parent (after inversion) and its sibling (before inversion). */ heap[0] = NULL; for (i = pow2/2 - 1; i > 0; i--) heap[i] = NULL; for (i = 0; i < num; i++) heap[pow2/2 + i] = &points[i]->Z; for (i = pow2/2 + num; i < pow2; i++) heap[i] = NULL; /* set each node to the product of its children */ for (i = pow2/2 - 1; i > 0; i--) { heap[i] = BN_new(); if (heap[i] == NULL) goto err; if (heap[2*i] != NULL) { if ((heap[2*i + 1] == NULL) || BN_is_zero(heap[2*i + 1])) { if (!BN_copy(heap[i], heap[2*i])) goto err; } else { if (BN_is_zero(heap[2*i])) { if (!BN_copy(heap[i], heap[2*i + 1])) goto err; } else { if (!group->meth->field_mul(group, heap[i], heap[2*i], heap[2*i + 1], ctx)) goto err; } } } } /* invert heap[1] */ if (!BN_is_zero(heap[1])) { if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx)) { ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB); goto err; } } if (group->meth->field_encode != 0) { /* in the Montgomery case, we just turned R*H (representing H) * into 1/(R*H), but we need R*(1/H) (representing 1/H); * i.e. we have need to multiply by the Montgomery factor twice */ if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err; if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err; } /* set other heap[i]'s to their inverses */ for (i = 2; i < pow2/2 + num; i += 2) { /* i is even */ if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1])) { if (!group->meth->field_mul(group, tmp0, heap[i/2], heap[i + 1], ctx)) goto err; if (!group->meth->field_mul(group, tmp1, heap[i/2], heap[i], ctx)) goto err; if (!BN_copy(heap[i], tmp0)) goto err; if (!BN_copy(heap[i + 1], tmp1)) goto err; } else { if (!BN_copy(heap[i], heap[i/2])) goto err; } } /* we have replaced all non-zero Z's by their inverses, now fix up all the points */ for (i = 0; i < num; i++) { EC_POINT *p = points[i]; if (!BN_is_zero(&p->Z)) { /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1) */ if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx)) goto err; if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx)) goto err; if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx)) goto err; if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx)) goto err; if (group->meth->field_set_to_one != 0) { if (!group->meth->field_set_to_one(group, &p->Z, ctx)) goto err; } else { if (!BN_one(&p->Z)) goto err; } p->Z_is_one = 1; } } ret = 1; err: BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); if (heap != NULL) { /* heap[pow2/2] .. heap[pow2-1] have not been allocated locally! */ for (i = pow2/2 - 1; i > 0; i--) { if (heap[i] != NULL) BN_clear_free(heap[i]); } OPENSSL_free(heap); } return ret; } int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { return BN_mod_mul(r, a, b, &group->field, ctx); } int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) { return BN_mod_sqr(r, a, &group->field, ctx); } diff --git a/crypto/openssl/crypto/engine/Makefile.ssl b/crypto/openssl/crypto/engine/Makefile.ssl index 847d6724000c..30a4446ff969 100644 --- a/crypto/openssl/crypto/engine/Makefile.ssl +++ b/crypto/openssl/crypto/engine/Makefile.ssl @@ -1,538 +1,538 @@ # # OpenSSL/crypto/engine/Makefile # DIR= engine TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= enginetest.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC= eng_err.c eng_lib.c eng_list.c eng_init.c eng_ctrl.c \ eng_table.c eng_pkey.c eng_fat.c eng_all.c \ tb_rsa.c tb_dsa.c tb_dh.c tb_rand.c tb_cipher.c tb_digest.c \ eng_openssl.c eng_dyn.c eng_cnf.c \ hw_atalla.c hw_cswift.c hw_ncipher.c hw_nuron.c hw_ubsec.c \ hw_cryptodev.c hw_aep.c hw_sureware.c hw_4758_cca.c LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \ eng_table.o eng_pkey.o eng_fat.o eng_all.o \ tb_rsa.o tb_dsa.o tb_dh.o tb_rand.o tb_cipher.o tb_digest.o \ eng_openssl.o eng_dyn.o eng_cnf.o \ hw_atalla.o hw_cswift.o hw_ncipher.o hw_nuron.o hw_ubsec.o \ hw_cryptodev.o hw_aep.o hw_sureware.o hw_4758_cca.o SRC= $(LIBSRC) EXHEADER= engine.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) errors: $(PERL) $(TOP)/util/mkerr.pl -conf hw.ec \ -nostatic -staticloader -write hw_*.c tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. eng_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h eng_all.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h eng_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h eng_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h eng_all.o: ../../include/openssl/err.h ../../include/openssl/lhash.h eng_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h eng_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h eng_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h eng_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h eng_all.o: ../../include/openssl/ui.h eng_all.c eng_int.h eng_cnf.o: ../../e_os.h ../../include/openssl/asn1.h eng_cnf.o: ../../include/openssl/bio.h ../../include/openssl/bn.h eng_cnf.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h eng_cnf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h eng_cnf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h eng_cnf.o: ../../include/openssl/engine.h ../../include/openssl/err.h eng_cnf.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h eng_cnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h eng_cnf.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h eng_cnf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h eng_cnf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h eng_cnf.o: ../cryptlib.h eng_cnf.c eng_ctrl.o: ../../e_os.h ../../include/openssl/asn1.h eng_ctrl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h eng_ctrl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h eng_ctrl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h eng_ctrl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h eng_ctrl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h eng_ctrl.o: ../../include/openssl/opensslconf.h eng_ctrl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h eng_ctrl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h eng_ctrl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h eng_ctrl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h eng_ctrl.o: ../cryptlib.h eng_ctrl.c eng_int.h eng_dyn.o: ../../e_os.h ../../include/openssl/asn1.h eng_dyn.o: ../../include/openssl/bio.h ../../include/openssl/bn.h eng_dyn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h eng_dyn.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h eng_dyn.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h eng_dyn.o: ../../include/openssl/engine.h ../../include/openssl/err.h eng_dyn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h eng_dyn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h eng_dyn.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h eng_dyn.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h eng_dyn.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h eng_dyn.o: ../cryptlib.h eng_dyn.c eng_int.h eng_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h eng_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h eng_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h eng_err.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h eng_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h eng_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h eng_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h eng_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h eng_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h eng_err.o: ../../include/openssl/ui.h eng_err.c eng_fat.o: ../../e_os.h ../../include/openssl/asn1.h eng_fat.o: ../../include/openssl/bio.h ../../include/openssl/bn.h eng_fat.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h eng_fat.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h eng_fat.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h eng_fat.o: ../../include/openssl/engine.h ../../include/openssl/err.h eng_fat.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h eng_fat.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h eng_fat.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h eng_fat.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h eng_fat.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h eng_fat.o: ../cryptlib.h eng_fat.c eng_int.h eng_init.o: ../../e_os.h ../../include/openssl/asn1.h eng_init.o: ../../include/openssl/bio.h ../../include/openssl/bn.h eng_init.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h eng_init.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h eng_init.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h eng_init.o: ../../include/openssl/err.h ../../include/openssl/lhash.h eng_init.o: ../../include/openssl/opensslconf.h eng_init.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h eng_init.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h eng_init.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h eng_init.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h eng_init.o: ../cryptlib.h eng_init.c eng_int.h eng_lib.o: ../../e_os.h ../../include/openssl/asn1.h eng_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h eng_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h eng_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h eng_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h eng_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h eng_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h eng_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h eng_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h eng_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h eng_lib.o: ../../include/openssl/ui.h ../cryptlib.h eng_int.h eng_lib.c eng_list.o: ../../e_os.h ../../include/openssl/asn1.h eng_list.o: ../../include/openssl/bio.h ../../include/openssl/bn.h eng_list.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h eng_list.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h eng_list.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h eng_list.o: ../../include/openssl/err.h ../../include/openssl/lhash.h eng_list.o: ../../include/openssl/opensslconf.h eng_list.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h eng_list.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h eng_list.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h eng_list.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h eng_list.o: ../cryptlib.h eng_int.h eng_list.c eng_openssl.o: ../../e_os.h ../../include/openssl/aes.h eng_openssl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h eng_openssl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h eng_openssl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h eng_openssl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h eng_openssl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h eng_openssl.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h eng_openssl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h eng_openssl.o: ../../include/openssl/err.h ../../include/openssl/evp.h eng_openssl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h eng_openssl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h eng_openssl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h eng_openssl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h eng_openssl.o: ../../include/openssl/opensslconf.h eng_openssl.o: ../../include/openssl/opensslv.h eng_openssl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h eng_openssl.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h eng_openssl.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h eng_openssl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h eng_openssl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h eng_openssl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h eng_openssl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h eng_openssl.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h eng_openssl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h eng_openssl.o: ../cryptlib.h eng_openssl.c eng_pkey.o: ../../e_os.h ../../include/openssl/asn1.h eng_pkey.o: ../../include/openssl/bio.h ../../include/openssl/bn.h eng_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h eng_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h eng_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h eng_pkey.o: ../../include/openssl/err.h ../../include/openssl/lhash.h eng_pkey.o: ../../include/openssl/opensslconf.h eng_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h eng_pkey.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h eng_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h eng_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h eng_pkey.o: ../cryptlib.h eng_int.h eng_pkey.c eng_table.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h eng_table.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h eng_table.o: ../../include/openssl/bn.h ../../include/openssl/cast.h eng_table.o: ../../include/openssl/crypto.h ../../include/openssl/des.h eng_table.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h eng_table.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h eng_table.o: ../../include/openssl/engine.h ../../include/openssl/err.h eng_table.o: ../../include/openssl/evp.h ../../include/openssl/idea.h eng_table.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h eng_table.o: ../../include/openssl/md4.h ../../include/openssl/md5.h eng_table.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h eng_table.o: ../../include/openssl/objects.h eng_table.o: ../../include/openssl/opensslconf.h eng_table.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h eng_table.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h eng_table.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h eng_table.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h eng_table.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h eng_table.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h eng_table.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h eng_table.o: eng_int.h eng_table.c hw_4758_cca.o: ../../e_os.h ../../include/openssl/aes.h hw_4758_cca.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h hw_4758_cca.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h hw_4758_cca.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h hw_4758_cca.o: ../../include/openssl/crypto.h ../../include/openssl/des.h hw_4758_cca.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h hw_4758_cca.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h hw_4758_cca.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h hw_4758_cca.o: ../../include/openssl/err.h ../../include/openssl/evp.h hw_4758_cca.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h hw_4758_cca.o: ../../include/openssl/md2.h ../../include/openssl/md4.h hw_4758_cca.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h hw_4758_cca.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h hw_4758_cca.o: ../../include/openssl/opensslconf.h hw_4758_cca.o: ../../include/openssl/opensslv.h hw_4758_cca.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h hw_4758_cca.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h hw_4758_cca.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h hw_4758_cca.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h hw_4758_cca.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h hw_4758_cca.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h hw_4758_cca.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h hw_4758_cca.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h hw_4758_cca.o: ../cryptlib.h hw_4758_cca.c hw_4758_cca_err.c hw_4758_cca_err.h hw_4758_cca.o: vendor_defns/hw_4758_cca.h hw_aep.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h hw_aep.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h hw_aep.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h hw_aep.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h hw_aep.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h hw_aep.o: ../../include/openssl/err.h ../../include/openssl/lhash.h hw_aep.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h hw_aep.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h hw_aep.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h hw_aep.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h hw_aep.o: ../../include/openssl/ui.h hw_aep.c hw_aep_err.c hw_aep_err.h hw_aep.o: vendor_defns/aep.h hw_atalla.o: ../../e_os.h ../../include/openssl/asn1.h hw_atalla.o: ../../include/openssl/bio.h ../../include/openssl/bn.h hw_atalla.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h hw_atalla.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h hw_atalla.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h hw_atalla.o: ../../include/openssl/engine.h ../../include/openssl/err.h hw_atalla.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h hw_atalla.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h hw_atalla.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h hw_atalla.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h hw_atalla.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h hw_atalla.o: ../cryptlib.h hw_atalla.c hw_atalla_err.c hw_atalla_err.h hw_atalla.o: vendor_defns/atalla.h hw_cryptodev.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h hw_cryptodev.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h hw_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/cast.h hw_cryptodev.o: ../../include/openssl/crypto.h ../../include/openssl/des.h hw_cryptodev.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h hw_cryptodev.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h hw_cryptodev.o: ../../include/openssl/engine.h ../../include/openssl/err.h hw_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/idea.h hw_cryptodev.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h hw_cryptodev.o: ../../include/openssl/md4.h ../../include/openssl/md5.h hw_cryptodev.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h hw_cryptodev.o: ../../include/openssl/objects.h hw_cryptodev.o: ../../include/openssl/opensslconf.h hw_cryptodev.o: ../../include/openssl/opensslv.h hw_cryptodev.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h hw_cryptodev.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h hw_cryptodev.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h hw_cryptodev.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h hw_cryptodev.o: ../../include/openssl/sha.h ../../include/openssl/stack.h hw_cryptodev.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h hw_cryptodev.o: ../../include/openssl/ui_compat.h hw_cryptodev.c hw_cswift.o: ../../e_os.h ../../include/openssl/asn1.h hw_cswift.o: ../../include/openssl/bio.h ../../include/openssl/bn.h hw_cswift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h hw_cswift.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h hw_cswift.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h hw_cswift.o: ../../include/openssl/engine.h ../../include/openssl/err.h hw_cswift.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h hw_cswift.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h hw_cswift.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h hw_cswift.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h hw_cswift.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h hw_cswift.o: ../cryptlib.h hw_cswift.c hw_cswift_err.c hw_cswift_err.h hw_cswift.o: vendor_defns/cswift.h hw_ncipher.o: ../../e_os.h ../../include/openssl/aes.h hw_ncipher.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h hw_ncipher.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h hw_ncipher.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h hw_ncipher.o: ../../include/openssl/crypto.h ../../include/openssl/des.h hw_ncipher.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h hw_ncipher.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h hw_ncipher.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h hw_ncipher.o: ../../include/openssl/err.h ../../include/openssl/evp.h hw_ncipher.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h hw_ncipher.o: ../../include/openssl/md2.h ../../include/openssl/md4.h hw_ncipher.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h hw_ncipher.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h hw_ncipher.o: ../../include/openssl/opensslconf.h hw_ncipher.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h hw_ncipher.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h hw_ncipher.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h hw_ncipher.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h hw_ncipher.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h hw_ncipher.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h hw_ncipher.o: ../../include/openssl/sha.h ../../include/openssl/stack.h hw_ncipher.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h hw_ncipher.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h hw_ncipher.o: ../../include/openssl/x509_vfy.h ../cryptlib.h hw_ncipher.c hw_ncipher.o: hw_ncipher_err.c hw_ncipher_err.h vendor_defns/hwcryptohook.h hw_nuron.o: ../../e_os.h ../../include/openssl/asn1.h hw_nuron.o: ../../include/openssl/bio.h ../../include/openssl/bn.h hw_nuron.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h hw_nuron.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h hw_nuron.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h hw_nuron.o: ../../include/openssl/engine.h ../../include/openssl/err.h hw_nuron.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h hw_nuron.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h hw_nuron.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h hw_nuron.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h hw_nuron.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h hw_nuron.o: ../cryptlib.h hw_nuron.c hw_nuron_err.c hw_nuron_err.h hw_sureware.o: ../../e_os.h ../../include/openssl/aes.h hw_sureware.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h hw_sureware.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h hw_sureware.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h hw_sureware.o: ../../include/openssl/crypto.h ../../include/openssl/des.h hw_sureware.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h hw_sureware.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h hw_sureware.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h hw_sureware.o: ../../include/openssl/err.h ../../include/openssl/evp.h hw_sureware.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h hw_sureware.o: ../../include/openssl/md2.h ../../include/openssl/md4.h hw_sureware.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h hw_sureware.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h hw_sureware.o: ../../include/openssl/opensslconf.h hw_sureware.o: ../../include/openssl/opensslv.h hw_sureware.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h hw_sureware.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h hw_sureware.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h hw_sureware.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h hw_sureware.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h hw_sureware.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h hw_sureware.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h hw_sureware.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h hw_sureware.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h hw_sureware.o: ../cryptlib.h eng_int.h engine.h hw_sureware.c hw_sureware_err.c hw_sureware.o: hw_sureware_err.h vendor_defns/sureware.h hw_ubsec.o: ../../e_os.h ../../include/openssl/asn1.h hw_ubsec.o: ../../include/openssl/bio.h ../../include/openssl/bn.h hw_ubsec.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h hw_ubsec.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h hw_ubsec.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h hw_ubsec.o: ../../include/openssl/engine.h ../../include/openssl/err.h hw_ubsec.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h hw_ubsec.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h hw_ubsec.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h hw_ubsec.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h hw_ubsec.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h hw_ubsec.o: ../cryptlib.h hw_ubsec.c hw_ubsec_err.c hw_ubsec_err.h hw_ubsec.o: vendor_defns/hw_ubsec.h tb_cipher.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h tb_cipher.o: ../../include/openssl/bn.h ../../include/openssl/cast.h tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/des.h tb_cipher.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h tb_cipher.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h tb_cipher.o: ../../include/openssl/engine.h ../../include/openssl/err.h tb_cipher.o: ../../include/openssl/evp.h ../../include/openssl/idea.h tb_cipher.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h tb_cipher.o: ../../include/openssl/md4.h ../../include/openssl/md5.h tb_cipher.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h tb_cipher.o: ../../include/openssl/objects.h tb_cipher.o: ../../include/openssl/opensslconf.h tb_cipher.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h tb_cipher.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h tb_cipher.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h tb_cipher.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h tb_cipher.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h tb_cipher.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h tb_cipher.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h tb_cipher.o: eng_int.h tb_cipher.c tb_dh.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h tb_dh.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h tb_dh.o: ../../include/openssl/bn.h ../../include/openssl/cast.h tb_dh.o: ../../include/openssl/crypto.h ../../include/openssl/des.h tb_dh.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h tb_dh.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h tb_dh.o: ../../include/openssl/engine.h ../../include/openssl/err.h tb_dh.o: ../../include/openssl/evp.h ../../include/openssl/idea.h tb_dh.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h tb_dh.o: ../../include/openssl/md4.h ../../include/openssl/md5.h tb_dh.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h tb_dh.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h tb_dh.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h tb_dh.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h tb_dh.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h tb_dh.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h tb_dh.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h tb_dh.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h tb_dh.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h eng_int.h tb_dh.o: tb_dh.c tb_digest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h tb_digest.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h tb_digest.o: ../../include/openssl/bn.h ../../include/openssl/cast.h tb_digest.o: ../../include/openssl/crypto.h ../../include/openssl/des.h tb_digest.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h tb_digest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h tb_digest.o: ../../include/openssl/engine.h ../../include/openssl/err.h tb_digest.o: ../../include/openssl/evp.h ../../include/openssl/idea.h tb_digest.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h tb_digest.o: ../../include/openssl/md4.h ../../include/openssl/md5.h tb_digest.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h tb_digest.o: ../../include/openssl/objects.h tb_digest.o: ../../include/openssl/opensslconf.h tb_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h tb_digest.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h tb_digest.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h tb_digest.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h tb_digest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h tb_digest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h tb_digest.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h tb_digest.o: eng_int.h tb_digest.c tb_dsa.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h tb_dsa.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h tb_dsa.o: ../../include/openssl/bn.h ../../include/openssl/cast.h tb_dsa.o: ../../include/openssl/crypto.h ../../include/openssl/des.h tb_dsa.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h tb_dsa.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h tb_dsa.o: ../../include/openssl/engine.h ../../include/openssl/err.h tb_dsa.o: ../../include/openssl/evp.h ../../include/openssl/idea.h tb_dsa.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h tb_dsa.o: ../../include/openssl/md4.h ../../include/openssl/md5.h tb_dsa.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h tb_dsa.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h tb_dsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h tb_dsa.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h tb_dsa.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h tb_dsa.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h tb_dsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h tb_dsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h tb_dsa.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h tb_dsa.o: eng_int.h tb_dsa.c tb_rand.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h tb_rand.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h tb_rand.o: ../../include/openssl/bn.h ../../include/openssl/cast.h tb_rand.o: ../../include/openssl/crypto.h ../../include/openssl/des.h tb_rand.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h tb_rand.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h tb_rand.o: ../../include/openssl/engine.h ../../include/openssl/err.h tb_rand.o: ../../include/openssl/evp.h ../../include/openssl/idea.h tb_rand.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h tb_rand.o: ../../include/openssl/md4.h ../../include/openssl/md5.h tb_rand.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h tb_rand.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h tb_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h tb_rand.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h tb_rand.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h tb_rand.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h tb_rand.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h tb_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h tb_rand.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h tb_rand.o: eng_int.h tb_rand.c tb_rsa.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h tb_rsa.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h tb_rsa.o: ../../include/openssl/bn.h ../../include/openssl/cast.h tb_rsa.o: ../../include/openssl/crypto.h ../../include/openssl/des.h tb_rsa.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h tb_rsa.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h tb_rsa.o: ../../include/openssl/engine.h ../../include/openssl/err.h tb_rsa.o: ../../include/openssl/evp.h ../../include/openssl/idea.h tb_rsa.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h tb_rsa.o: ../../include/openssl/md4.h ../../include/openssl/md5.h tb_rsa.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h tb_rsa.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h tb_rsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h tb_rsa.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h tb_rsa.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h tb_rsa.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h tb_rsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h tb_rsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h tb_rsa.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h tb_rsa.o: eng_int.h tb_rsa.c diff --git a/crypto/openssl/crypto/engine/eng_ctrl.c b/crypto/openssl/crypto/engine/eng_ctrl.c index ad3858395bed..412c73fb0fd3 100644 --- a/crypto/openssl/crypto/engine/eng_ctrl.c +++ b/crypto/openssl/crypto/engine/eng_ctrl.c @@ -1,387 +1,391 @@ /* crypto/engine/eng_ctrl.c */ /* ==================================================================== * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include "cryptlib.h" #include "eng_int.h" #include /* When querying a ENGINE-specific control command's 'description', this string * is used if the ENGINE_CMD_DEFN has cmd_desc set to NULL. */ static const char *int_no_description = ""; /* These internal functions handle 'CMD'-related control commands when the * ENGINE in question has asked us to take care of it (ie. the ENGINE did not * set the ENGINE_FLAGS_MANUAL_CMD_CTRL flag. */ static int int_ctrl_cmd_is_null(const ENGINE_CMD_DEFN *defn) { if((defn->cmd_num == 0) || (defn->cmd_name == NULL)) return 1; return 0; } static int int_ctrl_cmd_by_name(const ENGINE_CMD_DEFN *defn, const char *s) { int idx = 0; while(!int_ctrl_cmd_is_null(defn) && (strcmp(defn->cmd_name, s) != 0)) { idx++; defn++; } if(int_ctrl_cmd_is_null(defn)) /* The given name wasn't found */ return -1; return idx; } static int int_ctrl_cmd_by_num(const ENGINE_CMD_DEFN *defn, unsigned int num) { int idx = 0; /* NB: It is stipulated that 'cmd_defn' lists are ordered by cmd_num. So * our searches don't need to take any longer than necessary. */ while(!int_ctrl_cmd_is_null(defn) && (defn->cmd_num < num)) { idx++; defn++; } if(defn->cmd_num == num) return idx; /* The given cmd_num wasn't found */ return -1; } static int int_ctrl_helper(ENGINE *e, int cmd, long i, void *p, void (*f)()) { int idx; char *s = (char *)p; /* Take care of the easy one first (eg. it requires no searches) */ if(cmd == ENGINE_CTRL_GET_FIRST_CMD_TYPE) { if((e->cmd_defns == NULL) || int_ctrl_cmd_is_null(e->cmd_defns)) return 0; return e->cmd_defns->cmd_num; } /* One or two commands require that "p" be a valid string buffer */ if((cmd == ENGINE_CTRL_GET_CMD_FROM_NAME) || (cmd == ENGINE_CTRL_GET_NAME_FROM_CMD) || (cmd == ENGINE_CTRL_GET_DESC_FROM_CMD)) { if(s == NULL) { ENGINEerr(ENGINE_F_INT_CTRL_HELPER, ERR_R_PASSED_NULL_PARAMETER); return -1; } } /* Now handle cmd_name -> cmd_num conversion */ if(cmd == ENGINE_CTRL_GET_CMD_FROM_NAME) { if((e->cmd_defns == NULL) || ((idx = int_ctrl_cmd_by_name( e->cmd_defns, s)) < 0)) { ENGINEerr(ENGINE_F_INT_CTRL_HELPER, ENGINE_R_INVALID_CMD_NAME); return -1; } return e->cmd_defns[idx].cmd_num; } /* For the rest of the commands, the 'long' argument must specify a * valie command number - so we need to conduct a search. */ if((e->cmd_defns == NULL) || ((idx = int_ctrl_cmd_by_num(e->cmd_defns, (unsigned int)i)) < 0)) { ENGINEerr(ENGINE_F_INT_CTRL_HELPER, ENGINE_R_INVALID_CMD_NUMBER); return -1; } /* Now the logic splits depending on command type */ switch(cmd) { case ENGINE_CTRL_GET_NEXT_CMD_TYPE: idx++; if(int_ctrl_cmd_is_null(e->cmd_defns + idx)) /* end-of-list */ return 0; else return e->cmd_defns[idx].cmd_num; case ENGINE_CTRL_GET_NAME_LEN_FROM_CMD: return strlen(e->cmd_defns[idx].cmd_name); case ENGINE_CTRL_GET_NAME_FROM_CMD: - return sprintf(s, "%s", e->cmd_defns[idx].cmd_name); + return BIO_snprintf(s,strlen(e->cmd_defns[idx].cmd_name) + 1, + "%s", e->cmd_defns[idx].cmd_name); case ENGINE_CTRL_GET_DESC_LEN_FROM_CMD: if(e->cmd_defns[idx].cmd_desc) return strlen(e->cmd_defns[idx].cmd_desc); return strlen(int_no_description); case ENGINE_CTRL_GET_DESC_FROM_CMD: if(e->cmd_defns[idx].cmd_desc) - return sprintf(s, "%s", e->cmd_defns[idx].cmd_desc); - return sprintf(s, "%s", int_no_description); + return BIO_snprintf(s, + strlen(e->cmd_defns[idx].cmd_desc) + 1, + "%s", e->cmd_defns[idx].cmd_desc); + return BIO_snprintf(s, strlen(int_no_description) + 1,"%s", + int_no_description); case ENGINE_CTRL_GET_CMD_FLAGS: return e->cmd_defns[idx].cmd_flags; } /* Shouldn't really be here ... */ ENGINEerr(ENGINE_F_INT_CTRL_HELPER,ENGINE_R_INTERNAL_LIST_ERROR); return -1; } int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) { int ctrl_exists, ref_exists; if(e == NULL) { ENGINEerr(ENGINE_F_ENGINE_CTRL,ERR_R_PASSED_NULL_PARAMETER); return 0; } CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); ref_exists = ((e->struct_ref > 0) ? 1 : 0); CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); ctrl_exists = ((e->ctrl == NULL) ? 0 : 1); if(!ref_exists) { ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_REFERENCE); return 0; } /* Intercept any "root-level" commands before trying to hand them on to * ctrl() handlers. */ switch(cmd) { case ENGINE_CTRL_HAS_CTRL_FUNCTION: return ctrl_exists; case ENGINE_CTRL_GET_FIRST_CMD_TYPE: case ENGINE_CTRL_GET_NEXT_CMD_TYPE: case ENGINE_CTRL_GET_CMD_FROM_NAME: case ENGINE_CTRL_GET_NAME_LEN_FROM_CMD: case ENGINE_CTRL_GET_NAME_FROM_CMD: case ENGINE_CTRL_GET_DESC_LEN_FROM_CMD: case ENGINE_CTRL_GET_DESC_FROM_CMD: case ENGINE_CTRL_GET_CMD_FLAGS: if(ctrl_exists && !(e->flags & ENGINE_FLAGS_MANUAL_CMD_CTRL)) return int_ctrl_helper(e,cmd,i,p,f); if(!ctrl_exists) { ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_CONTROL_FUNCTION); /* For these cmd-related functions, failure is indicated * by a -1 return value (because 0 is used as a valid * return in some places). */ return -1; } default: break; } /* Anything else requires a ctrl() handler to exist. */ if(!ctrl_exists) { ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_CONTROL_FUNCTION); return 0; } return e->ctrl(e, cmd, i, p, f); } int ENGINE_cmd_is_executable(ENGINE *e, int cmd) { int flags; if((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, cmd, NULL, NULL)) < 0) { ENGINEerr(ENGINE_F_ENGINE_CMD_IS_EXECUTABLE, ENGINE_R_INVALID_CMD_NUMBER); return 0; } if(!(flags & ENGINE_CMD_FLAG_NO_INPUT) && !(flags & ENGINE_CMD_FLAG_NUMERIC) && !(flags & ENGINE_CMD_FLAG_STRING)) return 0; return 1; } int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name, long i, void *p, void (*f)(), int cmd_optional) { int num; if((e == NULL) || (cmd_name == NULL)) { ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING, ERR_R_PASSED_NULL_PARAMETER); return 0; } if((e->ctrl == NULL) || ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FROM_NAME, 0, (void *)cmd_name, NULL)) <= 0)) { /* If the command didn't *have* to be supported, we fake * success. This allows certain settings to be specified for * multiple ENGINEs and only require a change of ENGINE id * (without having to selectively apply settings). Eg. changing * from a hardware device back to the regular software ENGINE * without editing the config file, etc. */ if(cmd_optional) { ERR_clear_error(); return 1; } ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD, ENGINE_R_INVALID_CMD_NAME); return 0; } /* Force the result of the control command to 0 or 1, for the reasons * mentioned before. */ if (ENGINE_ctrl(e, num, i, p, f)) return 1; return 0; } int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg, int cmd_optional) { int num, flags; long l; char *ptr; if((e == NULL) || (cmd_name == NULL)) { ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING, ERR_R_PASSED_NULL_PARAMETER); return 0; } if((e->ctrl == NULL) || ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FROM_NAME, 0, (void *)cmd_name, NULL)) <= 0)) { /* If the command didn't *have* to be supported, we fake * success. This allows certain settings to be specified for * multiple ENGINEs and only require a change of ENGINE id * (without having to selectively apply settings). Eg. changing * from a hardware device back to the regular software ENGINE * without editing the config file, etc. */ if(cmd_optional) { ERR_clear_error(); return 1; } ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING, ENGINE_R_INVALID_CMD_NAME); return 0; } if(!ENGINE_cmd_is_executable(e, num)) { ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING, ENGINE_R_CMD_NOT_EXECUTABLE); return 0; } if((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num, NULL, NULL)) < 0) { /* Shouldn't happen, given that ENGINE_cmd_is_executable() * returned success. */ ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING, ENGINE_R_INTERNAL_LIST_ERROR); return 0; } /* If the command takes no input, there must be no input. And vice * versa. */ if(flags & ENGINE_CMD_FLAG_NO_INPUT) { if(arg != NULL) { ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING, ENGINE_R_COMMAND_TAKES_NO_INPUT); return 0; } /* We deliberately force the result of ENGINE_ctrl() to 0 or 1 * rather than returning it as "return data". This is to ensure * usage of these commands is consistent across applications and * that certain applications don't understand it one way, and * others another. */ if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL)) return 1; return 0; } /* So, we require input */ if(arg == NULL) { ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING, ENGINE_R_COMMAND_TAKES_INPUT); return 0; } /* If it takes string input, that's easy */ if(flags & ENGINE_CMD_FLAG_STRING) { /* Same explanation as above */ if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL)) return 1; return 0; } /* If it doesn't take numeric either, then it is unsupported for use in * a config-setting situation, which is what this function is for. This * should never happen though, because ENGINE_cmd_is_executable() was * used. */ if(!(flags & ENGINE_CMD_FLAG_NUMERIC)) { ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING, ENGINE_R_INTERNAL_LIST_ERROR); return 0; } l = strtol(arg, &ptr, 10); if((arg == ptr) || (*ptr != '\0')) { ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING, ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER); return 0; } /* Force the result of the control command to 0 or 1, for the reasons * mentioned before. */ if(ENGINE_ctrl(e, num, l, NULL, NULL)) return 1; return 0; } diff --git a/crypto/openssl/crypto/engine/eng_fat.c b/crypto/openssl/crypto/engine/eng_fat.c index 0d7dae00b243..7ccf7022ee38 100644 --- a/crypto/openssl/crypto/engine/eng_fat.c +++ b/crypto/openssl/crypto/engine/eng_fat.c @@ -1,147 +1,147 @@ /* crypto/engine/eng_fat.c */ /* ==================================================================== * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include "cryptlib.h" #include "eng_int.h" #include #include int ENGINE_set_default(ENGINE *e, unsigned int flags) { if((flags & ENGINE_METHOD_CIPHERS) && !ENGINE_set_default_ciphers(e)) return 0; if((flags & ENGINE_METHOD_DIGESTS) && !ENGINE_set_default_digests(e)) return 0; #ifndef OPENSSL_NO_RSA if((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e)) return 0; #endif #ifndef OPENSSL_NO_DSA if((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e)) return 0; #endif #ifndef OPENSSL_NO_DH if((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e)) return 0; #endif if((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e)) return 0; return 1; } /* Set default algorithms using a string */ static int int_def_cb(const char *alg, int len, void *arg) { unsigned int *pflags = arg; if (!strncmp(alg, "ALL", len)) *pflags |= ENGINE_METHOD_ALL; else if (!strncmp(alg, "RSA", len)) *pflags |= ENGINE_METHOD_RSA; else if (!strncmp(alg, "DSA", len)) *pflags |= ENGINE_METHOD_DSA; else if (!strncmp(alg, "DH", len)) *pflags |= ENGINE_METHOD_DH; else if (!strncmp(alg, "RAND", len)) *pflags |= ENGINE_METHOD_RAND; else if (!strncmp(alg, "CIPHERS", len)) *pflags |= ENGINE_METHOD_CIPHERS; else if (!strncmp(alg, "DIGESTS", len)) *pflags |= ENGINE_METHOD_DIGESTS; else return 0; return 1; } -int ENGINE_set_default_string(ENGINE *e, const char *list) +int ENGINE_set_default_string(ENGINE *e, const char *def_list) { unsigned int flags = 0; - if (!CONF_parse_list(list, ',', 1, int_def_cb, &flags)) + if (!CONF_parse_list(def_list, ',', 1, int_def_cb, &flags)) { ENGINEerr(ENGINE_F_ENGINE_SET_DEFAULT_STRING, ENGINE_R_INVALID_STRING); - ERR_add_error_data(2, "str=",list); + ERR_add_error_data(2, "str=",def_list); return 0; } return ENGINE_set_default(e, flags); } int ENGINE_register_complete(ENGINE *e) { ENGINE_register_ciphers(e); ENGINE_register_digests(e); #ifndef OPENSSL_NO_RSA ENGINE_register_RSA(e); #endif #ifndef OPENSSL_NO_DSA ENGINE_register_DSA(e); #endif #ifndef OPENSSL_NO_DH ENGINE_register_DH(e); #endif ENGINE_register_RAND(e); return 1; } int ENGINE_register_all_complete(void) { ENGINE *e; for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e)) ENGINE_register_complete(e); return 1; } diff --git a/crypto/openssl/crypto/engine/engine.h b/crypto/openssl/crypto/engine/engine.h index 9c3ab182d379..900f75ce8d6d 100644 --- a/crypto/openssl/crypto/engine/engine.h +++ b/crypto/openssl/crypto/engine/engine.h @@ -1,726 +1,729 @@ /* openssl/engine.h */ /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL * project 2000. */ /* ==================================================================== * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #ifndef HEADER_ENGINE_H #define HEADER_ENGINE_H #include #ifdef OPENSSL_NO_ENGINE #error ENGINE is disabled. #endif #include #include #ifndef OPENSSL_NO_RSA #include #endif #ifndef OPENSSL_NO_DSA #include #endif #ifndef OPENSSL_NO_DH #include #endif #include #include #include #include #ifdef __cplusplus extern "C" { #endif /* Fixups for missing algorithms */ #ifdef OPENSSL_NO_RSA typedef void RSA_METHOD; #endif #ifdef OPENSSL_NO_DSA typedef void DSA_METHOD; #endif #ifdef OPENSSL_NO_DH typedef void DH_METHOD; #endif /* These flags are used to control combinations of algorithm (methods) * by bitwise "OR"ing. */ #define ENGINE_METHOD_RSA (unsigned int)0x0001 #define ENGINE_METHOD_DSA (unsigned int)0x0002 #define ENGINE_METHOD_DH (unsigned int)0x0004 #define ENGINE_METHOD_RAND (unsigned int)0x0008 #define ENGINE_METHOD_CIPHERS (unsigned int)0x0040 #define ENGINE_METHOD_DIGESTS (unsigned int)0x0080 /* Obvious all-or-nothing cases. */ #define ENGINE_METHOD_ALL (unsigned int)0xFFFF #define ENGINE_METHOD_NONE (unsigned int)0x0000 /* This(ese) flag(s) controls behaviour of the ENGINE_TABLE mechanism used * internally to control registration of ENGINE implementations, and can be set * by ENGINE_set_table_flags(). The "NOINIT" flag prevents attempts to * initialise registered ENGINEs if they are not already initialised. */ #define ENGINE_TABLE_FLAG_NOINIT (unsigned int)0x0001 /* ENGINE flags that can be set by ENGINE_set_flags(). */ /* #define ENGINE_FLAGS_MALLOCED 0x0001 */ /* Not used */ /* This flag is for ENGINEs that wish to handle the various 'CMD'-related * control commands on their own. Without this flag, ENGINE_ctrl() handles these * control commands on behalf of the ENGINE using their "cmd_defns" data. */ #define ENGINE_FLAGS_MANUAL_CMD_CTRL (int)0x0002 /* This flag is for ENGINEs who return new duplicate structures when found via * "ENGINE_by_id()". When an ENGINE must store state (eg. if ENGINE_ctrl() * commands are called in sequence as part of some stateful process like * key-generation setup and execution), it can set this flag - then each attempt * to obtain the ENGINE will result in it being copied into a new structure. * Normally, ENGINEs don't declare this flag so ENGINE_by_id() just increments * the existing ENGINE's structural reference count. */ #define ENGINE_FLAGS_BY_ID_COPY (int)0x0004 /* ENGINEs can support their own command types, and these flags are used in * ENGINE_CTRL_GET_CMD_FLAGS to indicate to the caller what kind of input each * command expects. Currently only numeric and string input is supported. If a * control command supports none of the _NUMERIC, _STRING, or _NO_INPUT options, * then it is regarded as an "internal" control command - and not for use in * config setting situations. As such, they're not available to the * ENGINE_ctrl_cmd_string() function, only raw ENGINE_ctrl() access. Changes to * this list of 'command types' should be reflected carefully in * ENGINE_cmd_is_executable() and ENGINE_ctrl_cmd_string(). */ /* accepts a 'long' input value (3rd parameter to ENGINE_ctrl) */ #define ENGINE_CMD_FLAG_NUMERIC (unsigned int)0x0001 /* accepts string input (cast from 'void*' to 'const char *', 4th parameter to * ENGINE_ctrl) */ #define ENGINE_CMD_FLAG_STRING (unsigned int)0x0002 /* Indicates that the control command takes *no* input. Ie. the control command * is unparameterised. */ #define ENGINE_CMD_FLAG_NO_INPUT (unsigned int)0x0004 /* Indicates that the control command is internal. This control command won't * be shown in any output, and is only usable through the ENGINE_ctrl_cmd() * function. */ #define ENGINE_CMD_FLAG_INTERNAL (unsigned int)0x0008 /* NB: These 3 control commands are deprecated and should not be used. ENGINEs * relying on these commands should compile conditional support for * compatibility (eg. if these symbols are defined) but should also migrate the * same functionality to their own ENGINE-specific control functions that can be * "discovered" by calling applications. The fact these control commands * wouldn't be "executable" (ie. usable by text-based config) doesn't change the * fact that application code can find and use them without requiring per-ENGINE * hacking. */ /* These flags are used to tell the ctrl function what should be done. * All command numbers are shared between all engines, even if some don't * make sense to some engines. In such a case, they do nothing but return * the error ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED. */ #define ENGINE_CTRL_SET_LOGSTREAM 1 #define ENGINE_CTRL_SET_PASSWORD_CALLBACK 2 #define ENGINE_CTRL_HUP 3 /* Close and reinitialise any handles/connections etc. */ #define ENGINE_CTRL_SET_USER_INTERFACE 4 /* Alternative to callback */ #define ENGINE_CTRL_SET_CALLBACK_DATA 5 /* User-specific data, used when calling the password callback and the user interface */ /* These control commands allow an application to deal with an arbitrary engine * in a dynamic way. Warn: Negative return values indicate errors FOR THESE * COMMANDS because zero is used to indicate 'end-of-list'. Other commands, * including ENGINE-specific command types, return zero for an error. * * An ENGINE can choose to implement these ctrl functions, and can internally * manage things however it chooses - it does so by setting the * ENGINE_FLAGS_MANUAL_CMD_CTRL flag (using ENGINE_set_flags()). Otherwise the * ENGINE_ctrl() code handles this on the ENGINE's behalf using the cmd_defns * data (set using ENGINE_set_cmd_defns()). This means an ENGINE's ctrl() * handler need only implement its own commands - the above "meta" commands will * be taken care of. */ /* Returns non-zero if the supplied ENGINE has a ctrl() handler. If "not", then * all the remaining control commands will return failure, so it is worth * checking this first if the caller is trying to "discover" the engine's * capabilities and doesn't want errors generated unnecessarily. */ #define ENGINE_CTRL_HAS_CTRL_FUNCTION 10 /* Returns a positive command number for the first command supported by the * engine. Returns zero if no ctrl commands are supported. */ #define ENGINE_CTRL_GET_FIRST_CMD_TYPE 11 /* The 'long' argument specifies a command implemented by the engine, and the * return value is the next command supported, or zero if there are no more. */ #define ENGINE_CTRL_GET_NEXT_CMD_TYPE 12 /* The 'void*' argument is a command name (cast from 'const char *'), and the * return value is the command that corresponds to it. */ #define ENGINE_CTRL_GET_CMD_FROM_NAME 13 /* The next two allow a command to be converted into its corresponding string * form. In each case, the 'long' argument supplies the command. In the NAME_LEN * case, the return value is the length of the command name (not counting a * trailing EOL). In the NAME case, the 'void*' argument must be a string buffer * large enough, and it will be populated with the name of the command (WITH a * trailing EOL). */ #define ENGINE_CTRL_GET_NAME_LEN_FROM_CMD 14 #define ENGINE_CTRL_GET_NAME_FROM_CMD 15 /* The next two are similar but give a "short description" of a command. */ #define ENGINE_CTRL_GET_DESC_LEN_FROM_CMD 16 #define ENGINE_CTRL_GET_DESC_FROM_CMD 17 /* With this command, the return value is the OR'd combination of * ENGINE_CMD_FLAG_*** values that indicate what kind of input a given * engine-specific ctrl command expects. */ #define ENGINE_CTRL_GET_CMD_FLAGS 18 /* ENGINE implementations should start the numbering of their own control * commands from this value. (ie. ENGINE_CMD_BASE, ENGINE_CMD_BASE + 1, etc). */ #define ENGINE_CMD_BASE 200 /* NB: These 2 nCipher "chil" control commands are deprecated, and their * functionality is now available through ENGINE-specific control commands * (exposed through the above-mentioned 'CMD'-handling). Code using these 2 * commands should be migrated to the more general command handling before these * are removed. */ /* Flags specific to the nCipher "chil" engine */ #define ENGINE_CTRL_CHIL_SET_FORKCHECK 100 /* Depending on the value of the (long)i argument, this sets or * unsets the SimpleForkCheck flag in the CHIL API to enable or * disable checking and workarounds for applications that fork(). */ #define ENGINE_CTRL_CHIL_NO_LOCKING 101 /* This prevents the initialisation function from providing mutex * callbacks to the nCipher library. */ /* If an ENGINE supports its own specific control commands and wishes the * framework to handle the above 'ENGINE_CMD_***'-manipulation commands on its * behalf, it should supply a null-terminated array of ENGINE_CMD_DEFN entries * to ENGINE_set_cmd_defns(). It should also implement a ctrl() handler that * supports the stated commands (ie. the "cmd_num" entries as described by the * array). NB: The array must be ordered in increasing order of cmd_num. * "null-terminated" means that the last ENGINE_CMD_DEFN element has cmd_num set * to zero and/or cmd_name set to NULL. */ typedef struct ENGINE_CMD_DEFN_st { unsigned int cmd_num; /* The command number */ const char *cmd_name; /* The command name itself */ const char *cmd_desc; /* A short description of the command */ unsigned int cmd_flags; /* The input the command expects */ } ENGINE_CMD_DEFN; /* Generic function pointer */ typedef int (*ENGINE_GEN_FUNC_PTR)(); /* Generic function pointer taking no arguments */ typedef int (*ENGINE_GEN_INT_FUNC_PTR)(ENGINE *); /* Specific control function pointer */ typedef int (*ENGINE_CTRL_FUNC_PTR)(ENGINE *, int, long, void *, void (*f)()); /* Generic load_key function pointer */ typedef EVP_PKEY * (*ENGINE_LOAD_KEY_PTR)(ENGINE *, const char *, UI_METHOD *ui_method, void *callback_data); /* These callback types are for an ENGINE's handler for cipher and digest logic. * These handlers have these prototypes; * int foo(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid); * int foo(ENGINE *e, const EVP_MD **digest, const int **nids, int nid); * Looking at how to implement these handlers in the case of cipher support, if * the framework wants the EVP_CIPHER for 'nid', it will call; * foo(e, &p_evp_cipher, NULL, nid); (return zero for failure) * If the framework wants a list of supported 'nid's, it will call; * foo(e, NULL, &p_nids, 0); (returns number of 'nids' or -1 for error) */ /* Returns to a pointer to the array of supported cipher 'nid's. If the second * parameter is non-NULL it is set to the size of the returned array. */ typedef int (*ENGINE_CIPHERS_PTR)(ENGINE *, const EVP_CIPHER **, const int **, int); typedef int (*ENGINE_DIGESTS_PTR)(ENGINE *, const EVP_MD **, const int **, int); /* STRUCTURE functions ... all of these functions deal with pointers to ENGINE * structures where the pointers have a "structural reference". This means that * their reference is to allowed access to the structure but it does not imply * that the structure is functional. To simply increment or decrement the * structural reference count, use ENGINE_by_id and ENGINE_free. NB: This is not * required when iterating using ENGINE_get_next as it will automatically * decrement the structural reference count of the "current" ENGINE and * increment the structural reference count of the ENGINE it returns (unless it * is NULL). */ /* Get the first/last "ENGINE" type available. */ ENGINE *ENGINE_get_first(void); ENGINE *ENGINE_get_last(void); /* Iterate to the next/previous "ENGINE" type (NULL = end of the list). */ ENGINE *ENGINE_get_next(ENGINE *e); ENGINE *ENGINE_get_prev(ENGINE *e); /* Add another "ENGINE" type into the array. */ int ENGINE_add(ENGINE *e); /* Remove an existing "ENGINE" type from the array. */ int ENGINE_remove(ENGINE *e); /* Retrieve an engine from the list by its unique "id" value. */ ENGINE *ENGINE_by_id(const char *id); /* Add all the built-in engines. */ void ENGINE_load_openssl(void); void ENGINE_load_dynamic(void); void ENGINE_load_cswift(void); void ENGINE_load_chil(void); void ENGINE_load_atalla(void); void ENGINE_load_nuron(void); void ENGINE_load_ubsec(void); void ENGINE_load_aep(void); void ENGINE_load_sureware(void); void ENGINE_load_4758cca(void); void ENGINE_load_cryptodev(void); void ENGINE_load_builtin_engines(void); /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation * "registry" handling. */ unsigned int ENGINE_get_table_flags(void); void ENGINE_set_table_flags(unsigned int flags); /* Manage registration of ENGINEs per "table". For each type, there are 3 * functions; * ENGINE_register_***(e) - registers the implementation from 'e' (if it has one) * ENGINE_unregister_***(e) - unregister the implementation from 'e' * ENGINE_register_all_***() - call ENGINE_register_***() for each 'e' in the list * Cleanup is automatically registered from each table when required, so * ENGINE_cleanup() will reverse any "register" operations. */ int ENGINE_register_RSA(ENGINE *e); void ENGINE_unregister_RSA(ENGINE *e); void ENGINE_register_all_RSA(void); int ENGINE_register_DSA(ENGINE *e); void ENGINE_unregister_DSA(ENGINE *e); void ENGINE_register_all_DSA(void); int ENGINE_register_DH(ENGINE *e); void ENGINE_unregister_DH(ENGINE *e); void ENGINE_register_all_DH(void); int ENGINE_register_RAND(ENGINE *e); void ENGINE_unregister_RAND(ENGINE *e); void ENGINE_register_all_RAND(void); int ENGINE_register_ciphers(ENGINE *e); void ENGINE_unregister_ciphers(ENGINE *e); void ENGINE_register_all_ciphers(void); int ENGINE_register_digests(ENGINE *e); void ENGINE_unregister_digests(ENGINE *e); void ENGINE_register_all_digests(void); /* These functions register all support from the above categories. Note, use of * these functions can result in static linkage of code your application may not * need. If you only need a subset of functionality, consider using more * selective initialisation. */ int ENGINE_register_complete(ENGINE *e); int ENGINE_register_all_complete(void); /* Send parametrised control commands to the engine. The possibilities to send * down an integer, a pointer to data or a function pointer are provided. Any of * the parameters may or may not be NULL, depending on the command number. In * actuality, this function only requires a structural (rather than functional) * reference to an engine, but many control commands may require the engine be * functional. The caller should be aware of trying commands that require an * operational ENGINE, and only use functional references in such situations. */ int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()); /* This function tests if an ENGINE-specific command is usable as a "setting". * Eg. in an application's config file that gets processed through * ENGINE_ctrl_cmd_string(). If this returns zero, it is not available to * ENGINE_ctrl_cmd_string(), only ENGINE_ctrl(). */ int ENGINE_cmd_is_executable(ENGINE *e, int cmd); /* This function works like ENGINE_ctrl() with the exception of taking a * command name instead of a command number, and can handle optional commands. * See the comment on ENGINE_ctrl_cmd_string() for an explanation on how to * use the cmd_name and cmd_optional. */ int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name, long i, void *p, void (*f)(), int cmd_optional); /* This function passes a command-name and argument to an ENGINE. The cmd_name * is converted to a command number and the control command is called using * 'arg' as an argument (unless the ENGINE doesn't support such a command, in * which case no control command is called). The command is checked for input * flags, and if necessary the argument will be converted to a numeric value. If * cmd_optional is non-zero, then if the ENGINE doesn't support the given * cmd_name the return value will be success anyway. This function is intended * for applications to use so that users (or config files) can supply * engine-specific config data to the ENGINE at run-time to control behaviour of * specific engines. As such, it shouldn't be used for calling ENGINE_ctrl() * functions that return data, deal with binary data, or that are otherwise * supposed to be used directly through ENGINE_ctrl() in application code. Any * "return" data from an ENGINE_ctrl() operation in this function will be lost - * the return value is interpreted as failure if the return value is zero, * success otherwise, and this function returns a boolean value as a result. In * other words, vendors of 'ENGINE'-enabled devices should write ENGINE * implementations with parameterisations that work in this scheme, so that * compliant ENGINE-based applications can work consistently with the same * configuration for the same ENGINE-enabled devices, across applications. */ int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg, int cmd_optional); /* These functions are useful for manufacturing new ENGINE structures. They * don't address reference counting at all - one uses them to populate an ENGINE * structure with personalised implementations of things prior to using it * directly or adding it to the builtin ENGINE list in OpenSSL. These are also * here so that the ENGINE structure doesn't have to be exposed and break binary * compatibility! */ ENGINE *ENGINE_new(void); int ENGINE_free(ENGINE *e); int ENGINE_up_ref(ENGINE *e); int ENGINE_set_id(ENGINE *e, const char *id); int ENGINE_set_name(ENGINE *e, const char *name); int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth); int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth); int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth); int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth); int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f); int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f); int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f); int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f); int ENGINE_set_load_privkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpriv_f); int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f); int ENGINE_set_ciphers(ENGINE *e, ENGINE_CIPHERS_PTR f); int ENGINE_set_digests(ENGINE *e, ENGINE_DIGESTS_PTR f); int ENGINE_set_flags(ENGINE *e, int flags); int ENGINE_set_cmd_defns(ENGINE *e, const ENGINE_CMD_DEFN *defns); /* These functions (and the "get" function lower down) allow control over any * per-structure ENGINE data. */ int ENGINE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int ENGINE_set_ex_data(ENGINE *e, int idx, void *arg); /* This function cleans up anything that needs it. Eg. the ENGINE_add() function * automatically ensures the list cleanup function is registered to be called * from ENGINE_cleanup(). Similarly, all ENGINE_register_*** functions ensure * ENGINE_cleanup() will clean up after them. */ void ENGINE_cleanup(void); /* These return values from within the ENGINE structure. These can be useful * with functional references as well as structural references - it depends * which you obtained. Using the result for functional purposes if you only * obtained a structural reference may be problematic! */ const char *ENGINE_get_id(const ENGINE *e); const char *ENGINE_get_name(const ENGINE *e); const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e); const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e); const DH_METHOD *ENGINE_get_DH(const ENGINE *e); const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e); ENGINE_GEN_INT_FUNC_PTR ENGINE_get_destroy_function(const ENGINE *e); ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(const ENGINE *e); ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e); ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(const ENGINE *e); ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e); ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e); ENGINE_CIPHERS_PTR ENGINE_get_ciphers(const ENGINE *e); ENGINE_DIGESTS_PTR ENGINE_get_digests(const ENGINE *e); const EVP_CIPHER *ENGINE_get_cipher(ENGINE *e, int nid); const EVP_MD *ENGINE_get_digest(ENGINE *e, int nid); const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *e); int ENGINE_get_flags(const ENGINE *e); void *ENGINE_get_ex_data(const ENGINE *e, int idx); /* FUNCTIONAL functions. These functions deal with ENGINE structures * that have (or will) be initialised for use. Broadly speaking, the * structural functions are useful for iterating the list of available * engine types, creating new engine types, and other "list" operations. * These functions actually deal with ENGINEs that are to be used. As * such these functions can fail (if applicable) when particular * engines are unavailable - eg. if a hardware accelerator is not * attached or not functioning correctly. Each ENGINE has 2 reference * counts; structural and functional. Every time a functional reference * is obtained or released, a corresponding structural reference is * automatically obtained or released too. */ /* Initialise a engine type for use (or up its reference count if it's * already in use). This will fail if the engine is not currently * operational and cannot initialise. */ int ENGINE_init(ENGINE *e); /* Free a functional reference to a engine type. This does not require * a corresponding call to ENGINE_free as it also releases a structural * reference. */ int ENGINE_finish(ENGINE *e); /* The following functions handle keys that are stored in some secondary * location, handled by the engine. The storage may be on a card or * whatever. */ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data); EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data); /* This returns a pointer for the current ENGINE structure that * is (by default) performing any RSA operations. The value returned * is an incremented reference, so it should be free'd (ENGINE_finish) * before it is discarded. */ ENGINE *ENGINE_get_default_RSA(void); /* Same for the other "methods" */ ENGINE *ENGINE_get_default_DSA(void); ENGINE *ENGINE_get_default_DH(void); ENGINE *ENGINE_get_default_RAND(void); /* These functions can be used to get a functional reference to perform * ciphering or digesting corresponding to "nid". */ ENGINE *ENGINE_get_cipher_engine(int nid); ENGINE *ENGINE_get_digest_engine(int nid); /* This sets a new default ENGINE structure for performing RSA * operations. If the result is non-zero (success) then the ENGINE * structure will have had its reference count up'd so the caller * should still free their own reference 'e'. */ int ENGINE_set_default_RSA(ENGINE *e); -int ENGINE_set_default_string(ENGINE *e, const char *list); +int ENGINE_set_default_string(ENGINE *e, const char *def_list); /* Same for the other "methods" */ int ENGINE_set_default_DSA(ENGINE *e); int ENGINE_set_default_DH(ENGINE *e); int ENGINE_set_default_RAND(ENGINE *e); int ENGINE_set_default_ciphers(ENGINE *e); int ENGINE_set_default_digests(ENGINE *e); /* The combination "set" - the flags are bitwise "OR"d from the * ENGINE_METHOD_*** defines above. As with the "ENGINE_register_complete()" * function, this function can result in unnecessary static linkage. If your * application requires only specific functionality, consider using more * selective functions. */ int ENGINE_set_default(ENGINE *e, unsigned int flags); void ENGINE_add_conf_module(void); /* Deprecated functions ... */ /* int ENGINE_clear_defaults(void); */ /**************************/ /* DYNAMIC ENGINE SUPPORT */ /**************************/ /* Binary/behaviour compatibility levels */ #define OSSL_DYNAMIC_VERSION (unsigned long)0x00010200 /* Binary versions older than this are too old for us (whether we're a loader or * a loadee) */ #define OSSL_DYNAMIC_OLDEST (unsigned long)0x00010200 /* When compiling an ENGINE entirely as an external shared library, loadable by * the "dynamic" ENGINE, these types are needed. The 'dynamic_fns' structure * type provides the calling application's (or library's) error functionality * and memory management function pointers to the loaded library. These should * be used/set in the loaded library code so that the loading application's * 'state' will be used/changed in all operations. */ typedef void *(*dyn_MEM_malloc_cb)(size_t); typedef void *(*dyn_MEM_realloc_cb)(void *, size_t); typedef void (*dyn_MEM_free_cb)(void *); typedef struct st_dynamic_MEM_fns { dyn_MEM_malloc_cb malloc_cb; dyn_MEM_realloc_cb realloc_cb; dyn_MEM_free_cb free_cb; } dynamic_MEM_fns; /* FIXME: Perhaps the memory and locking code (crypto.h) should declare and use * these types so we (and any other dependant code) can simplify a bit?? */ typedef void (*dyn_lock_locking_cb)(int,int,const char *,int); typedef int (*dyn_lock_add_lock_cb)(int*,int,int,const char *,int); typedef struct CRYPTO_dynlock_value *(*dyn_dynlock_create_cb)( const char *,int); typedef void (*dyn_dynlock_lock_cb)(int,struct CRYPTO_dynlock_value *, const char *,int); typedef void (*dyn_dynlock_destroy_cb)(struct CRYPTO_dynlock_value *, const char *,int); typedef struct st_dynamic_LOCK_fns { dyn_lock_locking_cb lock_locking_cb; dyn_lock_add_lock_cb lock_add_lock_cb; dyn_dynlock_create_cb dynlock_create_cb; dyn_dynlock_lock_cb dynlock_lock_cb; dyn_dynlock_destroy_cb dynlock_destroy_cb; } dynamic_LOCK_fns; /* The top-level structure */ typedef struct st_dynamic_fns { const ERR_FNS *err_fns; const CRYPTO_EX_DATA_IMPL *ex_data_fns; dynamic_MEM_fns mem_fns; dynamic_LOCK_fns lock_fns; } dynamic_fns; /* The version checking function should be of this prototype. NB: The * ossl_version value passed in is the OSSL_DYNAMIC_VERSION of the loading code. * If this function returns zero, it indicates a (potential) version * incompatibility and the loaded library doesn't believe it can proceed. * Otherwise, the returned value is the (latest) version supported by the * loading library. The loader may still decide that the loaded code's version * is unsatisfactory and could veto the load. The function is expected to * be implemented with the symbol name "v_check", and a default implementation * can be fully instantiated with IMPLEMENT_DYNAMIC_CHECK_FN(). */ typedef unsigned long (*dynamic_v_check_fn)(unsigned long ossl_version); #define IMPLEMENT_DYNAMIC_CHECK_FN() \ unsigned long v_check(unsigned long v) { \ if(v >= OSSL_DYNAMIC_OLDEST) return OSSL_DYNAMIC_VERSION; \ return 0; } /* This function is passed the ENGINE structure to initialise with its own * function and command settings. It should not adjust the structural or * functional reference counts. If this function returns zero, (a) the load will * be aborted, (b) the previous ENGINE state will be memcpy'd back onto the * structure, and (c) the shared library will be unloaded. So implementations * should do their own internal cleanup in failure circumstances otherwise they * could leak. The 'id' parameter, if non-NULL, represents the ENGINE id that * the loader is looking for. If this is NULL, the shared library can choose to * return failure or to initialise a 'default' ENGINE. If non-NULL, the shared * library must initialise only an ENGINE matching the passed 'id'. The function * is expected to be implemented with the symbol name "bind_engine". A standard * implementation can be instantiated with IMPLEMENT_DYNAMIC_BIND_FN(fn) where * the parameter 'fn' is a callback function that populates the ENGINE structure * and returns an int value (zero for failure). 'fn' should have prototype; * [static] int fn(ENGINE *e, const char *id); */ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id, const dynamic_fns *fns); #define IMPLEMENT_DYNAMIC_BIND_FN(fn) \ int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { \ - if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \ - fns->mem_fns.realloc_cb, fns->mem_fns.free_cb)) \ - return 0; \ - CRYPTO_set_locking_callback(fns->lock_fns.lock_locking_cb); \ - CRYPTO_set_add_lock_callback(fns->lock_fns.lock_add_lock_cb); \ - CRYPTO_set_dynlock_create_callback(fns->lock_fns.dynlock_create_cb); \ - CRYPTO_set_dynlock_lock_callback(fns->lock_fns.dynlock_lock_cb); \ - CRYPTO_set_dynlock_destroy_callback(fns->lock_fns.dynlock_destroy_cb); \ - if(!CRYPTO_set_ex_data_implementation(fns->ex_data_fns)) \ - return 0; \ - if(!ERR_set_implementation(fns->err_fns)) return 0; \ + if (ERR_get_implementation() != fns->err_fns) \ + { \ + if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \ + fns->mem_fns.realloc_cb, fns->mem_fns.free_cb)) \ + return 0; \ + CRYPTO_set_locking_callback(fns->lock_fns.lock_locking_cb); \ + CRYPTO_set_add_lock_callback(fns->lock_fns.lock_add_lock_cb); \ + CRYPTO_set_dynlock_create_callback(fns->lock_fns.dynlock_create_cb); \ + CRYPTO_set_dynlock_lock_callback(fns->lock_fns.dynlock_lock_cb); \ + CRYPTO_set_dynlock_destroy_callback(fns->lock_fns.dynlock_destroy_cb); \ + if(!CRYPTO_set_ex_data_implementation(fns->ex_data_fns)) \ + return 0; \ + if(!ERR_set_implementation(fns->err_fns)) return 0; \ + } \ if(!fn(e,id)) return 0; \ return 1; } #if defined(__OpenBSD__) || defined(__FreeBSD__) void ENGINE_setup_bsd_cryptodev(void); #endif /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ void ERR_load_ENGINE_strings(void); /* Error codes for the ENGINE functions. */ /* Function codes. */ #define ENGINE_F_DYNAMIC_CTRL 180 #define ENGINE_F_DYNAMIC_GET_DATA_CTX 181 #define ENGINE_F_DYNAMIC_LOAD 182 #define ENGINE_F_ENGINE_ADD 105 #define ENGINE_F_ENGINE_BY_ID 106 #define ENGINE_F_ENGINE_CMD_IS_EXECUTABLE 170 #define ENGINE_F_ENGINE_CTRL 142 #define ENGINE_F_ENGINE_CTRL_CMD 178 #define ENGINE_F_ENGINE_CTRL_CMD_STRING 171 #define ENGINE_F_ENGINE_FINISH 107 #define ENGINE_F_ENGINE_FREE 108 #define ENGINE_F_ENGINE_GET_CIPHER 185 #define ENGINE_F_ENGINE_GET_DEFAULT_TYPE 177 #define ENGINE_F_ENGINE_GET_DIGEST 186 #define ENGINE_F_ENGINE_GET_NEXT 115 #define ENGINE_F_ENGINE_GET_PREV 116 #define ENGINE_F_ENGINE_INIT 119 #define ENGINE_F_ENGINE_LIST_ADD 120 #define ENGINE_F_ENGINE_LIST_REMOVE 121 #define ENGINE_F_ENGINE_LOAD_PRIVATE_KEY 150 #define ENGINE_F_ENGINE_LOAD_PUBLIC_KEY 151 #define ENGINE_F_ENGINE_MODULE_INIT 187 #define ENGINE_F_ENGINE_NEW 122 #define ENGINE_F_ENGINE_REMOVE 123 #define ENGINE_F_ENGINE_SET_DEFAULT_STRING 189 #define ENGINE_F_ENGINE_SET_DEFAULT_TYPE 126 #define ENGINE_F_ENGINE_SET_ID 129 #define ENGINE_F_ENGINE_SET_NAME 130 #define ENGINE_F_ENGINE_TABLE_REGISTER 184 #define ENGINE_F_ENGINE_UNLOAD_KEY 152 #define ENGINE_F_ENGINE_UP_REF 190 #define ENGINE_F_INT_CTRL_HELPER 172 #define ENGINE_F_INT_ENGINE_CONFIGURE 188 #define ENGINE_F_LOG_MESSAGE 141 #define ENGINE_F_SET_DATA_CTX 183 /* Reason codes. */ #define ENGINE_R_ALREADY_LOADED 100 #define ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER 133 #define ENGINE_R_CMD_NOT_EXECUTABLE 134 #define ENGINE_R_COMMAND_TAKES_INPUT 135 #define ENGINE_R_COMMAND_TAKES_NO_INPUT 136 #define ENGINE_R_CONFLICTING_ENGINE_ID 103 #define ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED 119 #define ENGINE_R_DH_NOT_IMPLEMENTED 139 #define ENGINE_R_DSA_NOT_IMPLEMENTED 140 #define ENGINE_R_DSO_FAILURE 104 #define ENGINE_R_DSO_NOT_FOUND 132 #define ENGINE_R_ENGINES_SECTION_ERROR 148 #define ENGINE_R_ENGINE_IS_NOT_IN_LIST 105 #define ENGINE_R_ENGINE_SECTION_ERROR 149 #define ENGINE_R_FAILED_LOADING_PRIVATE_KEY 128 #define ENGINE_R_FAILED_LOADING_PUBLIC_KEY 129 #define ENGINE_R_FINISH_FAILED 106 #define ENGINE_R_GET_HANDLE_FAILED 107 #define ENGINE_R_ID_OR_NAME_MISSING 108 #define ENGINE_R_INIT_FAILED 109 #define ENGINE_R_INTERNAL_LIST_ERROR 110 #define ENGINE_R_INVALID_ARGUMENT 143 #define ENGINE_R_INVALID_CMD_NAME 137 #define ENGINE_R_INVALID_CMD_NUMBER 138 #define ENGINE_R_INVALID_INIT_VALUE 151 #define ENGINE_R_INVALID_STRING 150 #define ENGINE_R_NOT_INITIALISED 117 #define ENGINE_R_NOT_LOADED 112 #define ENGINE_R_NO_CONTROL_FUNCTION 120 #define ENGINE_R_NO_INDEX 144 #define ENGINE_R_NO_LOAD_FUNCTION 125 #define ENGINE_R_NO_REFERENCE 130 #define ENGINE_R_NO_SUCH_ENGINE 116 #define ENGINE_R_NO_UNLOAD_FUNCTION 126 #define ENGINE_R_PROVIDE_PARAMETERS 113 #define ENGINE_R_RSA_NOT_IMPLEMENTED 141 #define ENGINE_R_UNIMPLEMENTED_CIPHER 146 #define ENGINE_R_UNIMPLEMENTED_DIGEST 147 #define ENGINE_R_VERSION_INCOMPATIBILITY 145 #ifdef __cplusplus } #endif #endif diff --git a/crypto/openssl/crypto/engine/hw_cryptodev.c b/crypto/openssl/crypto/engine/hw_cryptodev.c index 40af97ac248b..467c0daa1b66 100644 --- a/crypto/openssl/crypto/engine/hw_cryptodev.c +++ b/crypto/openssl/crypto/engine/hw_cryptodev.c @@ -1,1132 +1,1131 @@ /* * Copyright (c) 2002 Bob Beck * Copyright (c) 2002 Theo de Raadt * Copyright (c) 2002 Markus Friedl * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the author nor the names of contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * */ #include #include #include #if (defined(__unix__) || defined(unix)) && !defined(USG) #include # if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041) # define HAVE_CRYPTODEV # endif # if (OpenBSD >= 200110) # define HAVE_SYSLOG_R # endif #endif #ifndef HAVE_CRYPTODEV void ENGINE_load_cryptodev(void) { /* This is a NOP on platforms without /dev/crypto */ return; } #else #include #include #include #include #include #include #include #include #include #include #include struct dev_crypto_state { struct session_op d_sess; int d_fd; }; static u_int32_t cryptodev_asymfeat = 0; static int get_asym_dev_crypto(void); static int open_dev_crypto(void); static int get_dev_crypto(void); static int cryptodev_max_iv(int cipher); static int cryptodev_key_length_valid(int cipher, int len); static int cipher_nid_to_cryptodev(int nid); static int get_cryptodev_ciphers(const int **cnids); static int get_cryptodev_digests(const int **cnids); static int cryptodev_usable_ciphers(const int **nids); static int cryptodev_usable_digests(const int **nids); static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl); static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx); static int cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid); static int cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, const int **nids, int nid); static int bn2crparam(const BIGNUM *a, struct crparam *crp); static int crparam2bn(struct crparam *crp, BIGNUM *a); static void zapparams(struct crypt_kop *kop); static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, BIGNUM *s); static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p, BN_CTX *ctx, BN_MONT_CTX *mont); static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa); static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); static int cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()); void ENGINE_load_cryptodev(void); static const ENGINE_CMD_DEFN cryptodev_defns[] = { { 0, NULL, NULL, 0 } }; static struct { int id; int nid; int ivmax; int keylen; } ciphers[] = { { CRYPTO_DES_CBC, NID_des_cbc, 8, 8, }, { CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, }, { CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, }, { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, }, { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, }, { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, }, { 0, NID_undef, 0, 0, }, }; static struct { int id; int nid; } digests[] = { { CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, }, { CRYPTO_RIPEMD160_HMAC, NID_ripemd160, }, { CRYPTO_MD5_KPDK, NID_undef, }, { CRYPTO_SHA1_KPDK, NID_undef, }, { CRYPTO_MD5, NID_md5, }, { CRYPTO_SHA1, NID_undef, }, { 0, NID_undef, }, }; /* * Return a fd if /dev/crypto seems usable, 0 otherwise. */ static int open_dev_crypto(void) { static int fd = -1; if (fd == -1) { if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1) return (-1); /* close on exec */ if (fcntl(fd, F_SETFD, 1) == -1) { close(fd); fd = -1; return (-1); } } return (fd); } static int get_dev_crypto(void) { int fd, retfd; if ((fd = open_dev_crypto()) == -1) return (-1); if (ioctl(fd, CRIOGET, &retfd) == -1) return (-1); /* close on exec */ if (fcntl(retfd, F_SETFD, 1) == -1) { close(retfd); return (-1); } return (retfd); } /* Caching version for asym operations */ static int get_asym_dev_crypto(void) { static int fd = -1; if (fd == -1) fd = get_dev_crypto(); return fd; } /* * XXXX this needs to be set for each alg - and determined from * a running card. */ static int cryptodev_max_iv(int cipher) { int i; for (i = 0; ciphers[i].id; i++) if (ciphers[i].id == cipher) return (ciphers[i].ivmax); return (0); } /* * XXXX this needs to be set for each alg - and determined from * a running card. For now, fake it out - but most of these * for real devices should return 1 for the supported key * sizes the device can handle. */ static int cryptodev_key_length_valid(int cipher, int len) { int i; for (i = 0; ciphers[i].id; i++) if (ciphers[i].id == cipher) return (ciphers[i].keylen == len); return (0); } /* convert libcrypto nids to cryptodev */ static int cipher_nid_to_cryptodev(int nid) { int i; for (i = 0; ciphers[i].id; i++) if (ciphers[i].nid == nid) return (ciphers[i].id); return (0); } /* * Find out what ciphers /dev/crypto will let us have a session for. * XXX note, that some of these openssl doesn't deal with yet! * returning them here is harmless, as long as we return NULL * when asked for a handler in the cryptodev_engine_ciphers routine */ static int get_cryptodev_ciphers(const int **cnids) { static int nids[CRYPTO_ALGORITHM_MAX]; struct session_op sess; int fd, i, count = 0; if ((fd = get_dev_crypto()) < 0) { *nids = NULL; return (0); } memset(&sess, 0, sizeof(sess)); sess.key = (caddr_t)"123456781234567812345678"; for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { if (ciphers[i].nid == NID_undef) continue; sess.cipher = ciphers[i].id; sess.keylen = ciphers[i].keylen; sess.mac = 0; if (ioctl(fd, CIOCGSESSION, &sess) != -1 && ioctl(fd, CIOCFSESSION, &sess.ses) != -1) nids[count++] = ciphers[i].nid; } close(fd); if (count > 0) *cnids = nids; else *cnids = NULL; return (count); } /* * Find out what digests /dev/crypto will let us have a session for. * XXX note, that some of these openssl doesn't deal with yet! * returning them here is harmless, as long as we return NULL * when asked for a handler in the cryptodev_engine_digests routine */ static int get_cryptodev_digests(const int **cnids) { static int nids[CRYPTO_ALGORITHM_MAX]; struct session_op sess; int fd, i, count = 0; if ((fd = get_dev_crypto()) < 0) { *nids = NULL; return (0); } memset(&sess, 0, sizeof(sess)); for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { if (digests[i].nid == NID_undef) continue; sess.mac = digests[i].id; sess.cipher = 0; if (ioctl(fd, CIOCGSESSION, &sess) != -1 && ioctl(fd, CIOCFSESSION, &sess.ses) != -1) nids[count++] = digests[i].nid; } close(fd); if (count > 0) *cnids = nids; else *cnids = NULL; return (count); } /* * Find the useable ciphers|digests from dev/crypto - this is the first * thing called by the engine init crud which determines what it * can use for ciphers from this engine. We want to return * only what we can do, anythine else is handled by software. * * If we can't initialize the device to do anything useful for * any reason, we want to return a NULL array, and 0 length, * which forces everything to be done is software. By putting * the initalization of the device in here, we ensure we can * use this engine as the default, and if for whatever reason * /dev/crypto won't do what we want it will just be done in * software * * This can (should) be greatly expanded to perhaps take into * account speed of the device, and what we want to do. * (although the disabling of particular alg's could be controlled * by the device driver with sysctl's.) - this is where we * want most of the decisions made about what we actually want * to use from /dev/crypto. */ static int cryptodev_usable_ciphers(const int **nids) { return (get_cryptodev_ciphers(nids)); } static int cryptodev_usable_digests(const int **nids) { /* * XXXX just disable all digests for now, because it sucks. * we need a better way to decide this - i.e. I may not * want digests on slow cards like hifn on fast machines, * but might want them on slow or loaded machines, etc. * will also want them when using crypto cards that don't * suck moose gonads - would be nice to be able to decide something * as reasonable default without having hackery that's card dependent. * of course, the default should probably be just do everything, * with perhaps a sysctl to turn algoritms off (or have them off * by default) on cards that generally suck like the hifn. */ *nids = NULL; return (0); } static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { struct crypt_op cryp; struct dev_crypto_state *state = ctx->cipher_data; struct session_op *sess = &state->d_sess; void *iiv; unsigned char save_iv[EVP_MAX_IV_LENGTH]; if (state->d_fd < 0) return (0); if (!inl) return (1); if ((inl % ctx->cipher->block_size) != 0) return (0); memset(&cryp, 0, sizeof(cryp)); cryp.ses = sess->ses; cryp.flags = 0; cryp.len = inl; cryp.src = (caddr_t) in; cryp.dst = (caddr_t) out; cryp.mac = 0; cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT; if (ctx->cipher->iv_len) { cryp.iv = (caddr_t) ctx->iv; if (!ctx->encrypt) { iiv = (void *) in + inl - ctx->cipher->iv_len; memcpy(save_iv, iiv, ctx->cipher->iv_len); } } else cryp.iv = NULL; if (ioctl(state->d_fd, CIOCCRYPT, &cryp) == -1) { /* XXX need better errror handling * this can fail for a number of different reasons. */ return (0); } if (ctx->cipher->iv_len) { if (ctx->encrypt) iiv = (void *) out + inl - ctx->cipher->iv_len; else iiv = save_iv; memcpy(ctx->iv, iiv, ctx->cipher->iv_len); } return (1); } static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { struct dev_crypto_state *state = ctx->cipher_data; struct session_op *sess = &state->d_sess; int cipher; if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef) return (0); if (ctx->cipher->iv_len > cryptodev_max_iv(cipher)) return (0); if (!cryptodev_key_length_valid(cipher, ctx->key_len)) return (0); memset(sess, 0, sizeof(struct session_op)); if ((state->d_fd = get_dev_crypto()) < 0) return (0); sess->key = (unsigned char *)key; sess->keylen = ctx->key_len; sess->cipher = cipher; if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) { close(state->d_fd); state->d_fd = -1; return (0); } return (1); } /* * free anything we allocated earlier when initting a * session, and close the session. */ static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx) { int ret = 0; struct dev_crypto_state *state = ctx->cipher_data; struct session_op *sess = &state->d_sess; if (state->d_fd < 0) return (0); /* XXX if this ioctl fails, someting's wrong. the invoker * may have called us with a bogus ctx, or we could * have a device that for whatever reason just doesn't * want to play ball - it's not clear what's right * here - should this be an error? should it just * increase a counter, hmm. For right now, we return * 0 - I don't believe that to be "right". we could * call the gorpy openssl lib error handlers that * print messages to users of the library. hmm.. */ if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) == -1) { ret = 0; } else { ret = 1; } close(state->d_fd); state->d_fd = -1; return (ret); } /* * libcrypto EVP stuff - this is how we get wired to EVP so the engine * gets called when libcrypto requests a cipher NID. */ /* DES CBC EVP */ const EVP_CIPHER cryptodev_des_cbc = { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, cryptodev_init_key, cryptodev_cipher, cryptodev_cleanup, sizeof(struct dev_crypto_state), EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL }; /* 3DES CBC EVP */ const EVP_CIPHER cryptodev_3des_cbc = { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, cryptodev_init_key, cryptodev_cipher, cryptodev_cleanup, sizeof(struct dev_crypto_state), EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL }; const EVP_CIPHER cryptodev_bf_cbc = { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, cryptodev_init_key, cryptodev_cipher, cryptodev_cleanup, sizeof(struct dev_crypto_state), EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL }; const EVP_CIPHER cryptodev_cast_cbc = { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, cryptodev_init_key, cryptodev_cipher, cryptodev_cleanup, sizeof(struct dev_crypto_state), EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL }; const EVP_CIPHER cryptodev_aes_cbc = { NID_aes_128_cbc, 16, 16, 16, EVP_CIPH_CBC_MODE, cryptodev_init_key, cryptodev_cipher, cryptodev_cleanup, sizeof(struct dev_crypto_state), EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL }; /* * Registered by the ENGINE when used to find out how to deal with * a particular NID in the ENGINE. this says what we'll do at the * top level - note, that list is restricted by what we answer with */ static int cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid) { if (!cipher) return (cryptodev_usable_ciphers(nids)); switch (nid) { case NID_des_ede3_cbc: *cipher = &cryptodev_3des_cbc; break; case NID_des_cbc: *cipher = &cryptodev_des_cbc; break; case NID_bf_cbc: *cipher = &cryptodev_bf_cbc; break; case NID_cast5_cbc: *cipher = &cryptodev_cast_cbc; break; case NID_aes_128_cbc: *cipher = &cryptodev_aes_cbc; break; default: *cipher = NULL; break; } return (*cipher != NULL); } static int cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, const int **nids, int nid) { if (!digest) return (cryptodev_usable_digests(nids)); switch (nid) { case NID_md5: *digest = NULL; /* need to make a clean md5 critter */ break; default: *digest = NULL; break; } return (*digest != NULL); } /* * Convert a BIGNUM to the representation that /dev/crypto needs. * Upon completion of use, the caller is responsible for freeing * crp->crp_p. */ static int bn2crparam(const BIGNUM *a, struct crparam *crp) { int i, j, k; ssize_t words, bytes, bits; u_char *b; crp->crp_p = NULL; crp->crp_nbits = 0; bits = BN_num_bits(a); bytes = (bits + 7) / 8; b = malloc(bytes); if (b == NULL) return (1); crp->crp_p = b; crp->crp_nbits = bits; for (i = 0, j = 0; i < a->top; i++) { for (k = 0; k < BN_BITS2 / 8; k++) { if ((j + k) >= bytes) return (0); b[j + k] = a->d[i] >> (k * 8); } j += BN_BITS2 / 8; } return (0); } /* Convert a /dev/crypto parameter to a BIGNUM */ static int crparam2bn(struct crparam *crp, BIGNUM *a) { u_int8_t *pd; int i, bytes; bytes = (crp->crp_nbits + 7) / 8; if (bytes == 0) return (-1); if ((pd = (u_int8_t *) malloc(bytes)) == NULL) return (-1); for (i = 0; i < bytes; i++) pd[i] = crp->crp_p[bytes - i - 1]; BN_bin2bn(pd, bytes, a); free(pd); return (0); } static void zapparams(struct crypt_kop *kop) { int i; for (i = 0; i <= kop->crk_iparams + kop->crk_oparams; i++) { if (kop->crk_param[i].crp_p) free(kop->crk_param[i].crp_p); kop->crk_param[i].crp_p = NULL; kop->crk_param[i].crp_nbits = 0; } } static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, BIGNUM *s) { int fd, ret = -1; if ((fd = get_asym_dev_crypto()) < 0) return (ret); if (r) { kop->crk_param[kop->crk_iparams].crp_p = calloc(rlen, sizeof(char)); kop->crk_param[kop->crk_iparams].crp_nbits = rlen * 8; kop->crk_oparams++; } if (s) { kop->crk_param[kop->crk_iparams+1].crp_p = calloc(slen, sizeof(char)); kop->crk_param[kop->crk_iparams+1].crp_nbits = slen * 8; kop->crk_oparams++; } if (ioctl(fd, CIOCKEY, kop) == 0) { if (r) crparam2bn(&kop->crk_param[kop->crk_iparams], r); if (s) crparam2bn(&kop->crk_param[kop->crk_iparams+1], s); ret = 0; } return (ret); } static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) { struct crypt_kop kop; int ret = 1; /* Currently, we know we can do mod exp iff we can do any * asymmetric operations at all. */ if (cryptodev_asymfeat == 0) { ret = BN_mod_exp(r, a, p, m, ctx); return (ret); } memset(&kop, 0, sizeof kop); kop.crk_op = CRK_MOD_EXP; /* inputs: a^p % m */ if (bn2crparam(a, &kop.crk_param[0])) goto err; if (bn2crparam(p, &kop.crk_param[1])) goto err; if (bn2crparam(m, &kop.crk_param[2])) goto err; kop.crk_iparams = 3; if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) { const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont); } err: zapparams(&kop); return (ret); } static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) { int r; BN_CTX *ctx; ctx = BN_CTX_new(); r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL); BN_CTX_free(ctx); return (r); } static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) { struct crypt_kop kop; int ret = 1; if (!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) { /* XXX 0 means failure?? */ return (0); } memset(&kop, 0, sizeof kop); kop.crk_op = CRK_MOD_EXP_CRT; /* inputs: rsa->p rsa->q I rsa->dmp1 rsa->dmq1 rsa->iqmp */ if (bn2crparam(rsa->p, &kop.crk_param[0])) goto err; if (bn2crparam(rsa->q, &kop.crk_param[1])) goto err; if (bn2crparam(I, &kop.crk_param[2])) goto err; if (bn2crparam(rsa->dmp1, &kop.crk_param[3])) goto err; if (bn2crparam(rsa->dmq1, &kop.crk_param[4])) goto err; if (bn2crparam(rsa->iqmp, &kop.crk_param[5])) goto err; kop.crk_iparams = 6; if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) { const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); ret = (*meth->rsa_mod_exp)(r0, I, rsa); } err: zapparams(&kop); return (ret); } static RSA_METHOD cryptodev_rsa = { "cryptodev RSA method", NULL, /* rsa_pub_enc */ NULL, /* rsa_pub_dec */ NULL, /* rsa_priv_enc */ NULL, /* rsa_priv_dec */ NULL, NULL, NULL, /* init */ NULL, /* finish */ 0, /* flags */ NULL, /* app_data */ NULL, /* rsa_sign */ NULL /* rsa_verify */ }; static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) { return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx)); } static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p, BN_CTX *ctx, BN_MONT_CTX *mont) { BIGNUM t2; int ret = 0; BN_init(&t2); /* v = ( g^u1 * y^u2 mod p ) mod q */ /* let t1 = g ^ u1 mod p */ ret = 0; if (!dsa->meth->bn_mod_exp(dsa,t1,dsa->g,u1,dsa->p,ctx,mont)) goto err; /* let t2 = y ^ u2 mod p */ if (!dsa->meth->bn_mod_exp(dsa,&t2,dsa->pub_key,u2,dsa->p,ctx,mont)) goto err; /* let u1 = t1 * t2 mod p */ if (!BN_mod_mul(u1,t1,&t2,dsa->p,ctx)) goto err; BN_copy(t1,u1); ret = 1; err: BN_free(&t2); return(ret); } static DSA_SIG * cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { struct crypt_kop kop; BIGNUM *r = NULL, *s = NULL; DSA_SIG *dsaret = NULL; if ((r = BN_new()) == NULL) goto err; if ((s = BN_new()) == NULL) { BN_free(r); goto err; } - printf("bar\n"); memset(&kop, 0, sizeof kop); kop.crk_op = CRK_DSA_SIGN; /* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */ kop.crk_param[0].crp_p = (caddr_t)dgst; kop.crk_param[0].crp_nbits = dlen * 8; if (bn2crparam(dsa->p, &kop.crk_param[1])) goto err; if (bn2crparam(dsa->q, &kop.crk_param[2])) goto err; if (bn2crparam(dsa->g, &kop.crk_param[3])) goto err; if (bn2crparam(dsa->priv_key, &kop.crk_param[4])) goto err; kop.crk_iparams = 5; if (cryptodev_asym(&kop, BN_num_bytes(dsa->q), r, BN_num_bytes(dsa->q), s) == 0) { dsaret = DSA_SIG_new(); dsaret->r = r; dsaret->s = s; } else { const DSA_METHOD *meth = DSA_OpenSSL(); BN_free(r); BN_free(s); dsaret = (meth->dsa_do_sign)(dgst, dlen, dsa); } err: kop.crk_param[0].crp_p = NULL; zapparams(&kop); return (dsaret); } static int cryptodev_dsa_verify(const unsigned char *dgst, int dlen, DSA_SIG *sig, DSA *dsa) { struct crypt_kop kop; int dsaret = 1; memset(&kop, 0, sizeof kop); kop.crk_op = CRK_DSA_VERIFY; /* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */ kop.crk_param[0].crp_p = (caddr_t)dgst; kop.crk_param[0].crp_nbits = dlen * 8; if (bn2crparam(dsa->p, &kop.crk_param[1])) goto err; if (bn2crparam(dsa->q, &kop.crk_param[2])) goto err; if (bn2crparam(dsa->g, &kop.crk_param[3])) goto err; if (bn2crparam(dsa->pub_key, &kop.crk_param[4])) goto err; if (bn2crparam(sig->r, &kop.crk_param[5])) goto err; if (bn2crparam(sig->s, &kop.crk_param[6])) goto err; kop.crk_iparams = 7; if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) { dsaret = kop.crk_status; } else { const DSA_METHOD *meth = DSA_OpenSSL(); dsaret = (meth->dsa_do_verify)(dgst, dlen, sig, dsa); } err: kop.crk_param[0].crp_p = NULL; zapparams(&kop); return (dsaret); } static DSA_METHOD cryptodev_dsa = { "cryptodev DSA method", NULL, NULL, /* dsa_sign_setup */ NULL, NULL, /* dsa_mod_exp */ NULL, NULL, /* init */ NULL, /* finish */ 0, /* flags */ NULL /* app_data */ }; static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) { return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx)); } static int cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { struct crypt_kop kop; int dhret = 1; int fd, keylen; if ((fd = get_asym_dev_crypto()) < 0) { const DH_METHOD *meth = DH_OpenSSL(); return ((meth->compute_key)(key, pub_key, dh)); } keylen = BN_num_bits(dh->p); memset(&kop, 0, sizeof kop); kop.crk_op = CRK_DH_COMPUTE_KEY; /* inputs: dh->priv_key pub_key dh->p key */ if (bn2crparam(dh->priv_key, &kop.crk_param[0])) goto err; if (bn2crparam(pub_key, &kop.crk_param[1])) goto err; if (bn2crparam(dh->p, &kop.crk_param[2])) goto err; kop.crk_iparams = 3; kop.crk_param[3].crp_p = key; kop.crk_param[3].crp_nbits = keylen * 8; kop.crk_oparams = 1; if (ioctl(fd, CIOCKEY, &kop) == -1) { const DH_METHOD *meth = DH_OpenSSL(); dhret = (meth->compute_key)(key, pub_key, dh); } err: kop.crk_param[3].crp_p = NULL; zapparams(&kop); return (dhret); } static DH_METHOD cryptodev_dh = { "cryptodev DH method", NULL, /* cryptodev_dh_generate_key */ NULL, NULL, NULL, NULL, 0, /* flags */ NULL /* app_data */ }; /* * ctrl right now is just a wrapper that doesn't do much * but I expect we'll want some options soon. */ static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) { #ifdef HAVE_SYSLOG_R struct syslog_data sd = SYSLOG_DATA_INIT; #endif switch (cmd) { default: #ifdef HAVE_SYSLOG_R syslog_r(LOG_ERR, &sd, "cryptodev_ctrl: unknown command %d", cmd); #else syslog(LOG_ERR, "cryptodev_ctrl: unknown command %d", cmd); #endif break; } return (1); } void ENGINE_load_cryptodev(void) { ENGINE *engine = ENGINE_new(); int fd; if (engine == NULL) return; - if ((fd = get_dev_crypto()) < 0) + if ((fd = get_dev_crypto()) < 0) { + ENGINE_free(engine); return; + } /* * find out what asymmetric crypto algorithms we support */ if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) { close(fd); + ENGINE_free(engine); return; } close(fd); if (!ENGINE_set_id(engine, "cryptodev") || !ENGINE_set_name(engine, "BSD cryptodev engine") || !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) || !ENGINE_set_digests(engine, cryptodev_engine_digests) || !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) || !ENGINE_set_cmd_defns(engine, cryptodev_defns)) { ENGINE_free(engine); return; } if (ENGINE_set_RSA(engine, &cryptodev_rsa)) { const RSA_METHOD *rsa_meth = RSA_PKCS1_SSLeay(); cryptodev_rsa.bn_mod_exp = rsa_meth->bn_mod_exp; cryptodev_rsa.rsa_mod_exp = rsa_meth->rsa_mod_exp; cryptodev_rsa.rsa_pub_enc = rsa_meth->rsa_pub_enc; cryptodev_rsa.rsa_pub_dec = rsa_meth->rsa_pub_dec; cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_enc; cryptodev_rsa.rsa_priv_dec = rsa_meth->rsa_priv_dec; if (cryptodev_asymfeat & CRF_MOD_EXP) { cryptodev_rsa.bn_mod_exp = cryptodev_bn_mod_exp; if (cryptodev_asymfeat & CRF_MOD_EXP_CRT) cryptodev_rsa.rsa_mod_exp = cryptodev_rsa_mod_exp; else cryptodev_rsa.rsa_mod_exp = cryptodev_rsa_nocrt_mod_exp; } } if (ENGINE_set_DSA(engine, &cryptodev_dsa)) { const DSA_METHOD *meth = DSA_OpenSSL(); memcpy(&cryptodev_dsa, meth, sizeof(DSA_METHOD)); if (cryptodev_asymfeat & CRF_DSA_SIGN) cryptodev_dsa.dsa_do_sign = cryptodev_dsa_do_sign; if (cryptodev_asymfeat & CRF_MOD_EXP) { cryptodev_dsa.bn_mod_exp = cryptodev_dsa_bn_mod_exp; cryptodev_dsa.dsa_mod_exp = cryptodev_dsa_dsa_mod_exp; } if (cryptodev_asymfeat & CRF_DSA_VERIFY) cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify; } if (ENGINE_set_DH(engine, &cryptodev_dh)){ const DH_METHOD *dh_meth = DH_OpenSSL(); cryptodev_dh.generate_key = dh_meth->generate_key; cryptodev_dh.compute_key = dh_meth->compute_key; cryptodev_dh.bn_mod_exp = dh_meth->bn_mod_exp; if (cryptodev_asymfeat & CRF_MOD_EXP) { cryptodev_dh.bn_mod_exp = cryptodev_mod_exp_dh; if (cryptodev_asymfeat & CRF_DH_COMPUTE_KEY) cryptodev_dh.compute_key = cryptodev_dh_compute_key; } } ENGINE_add(engine); ENGINE_free(engine); ERR_clear_error(); } #endif /* HAVE_CRYPTODEV */ diff --git a/crypto/openssl/crypto/err/Makefile.ssl b/crypto/openssl/crypto/err/Makefile.ssl index 390bde1f1680..b253061d0727 100644 --- a/crypto/openssl/crypto/err/Makefile.ssl +++ b/crypto/openssl/crypto/err/Makefile.ssl @@ -1,119 +1,119 @@ # # SSLeay/crypto/err/Makefile # DIR= err TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC=err.c err_all.c err_prn.c LIBOBJ=err.o err_all.o err_prn.o SRC= $(LIBSRC) EXHEADER= err.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. err.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/buffer.h err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h err.o: ../../include/openssl/symhacks.h ../cryptlib.h err.c err_all.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h err_all.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h err_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h err_all.o: ../../include/openssl/cast.h ../../include/openssl/conf.h err_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h err_all.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h err_all.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h err_all.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h err_all.o: ../../include/openssl/engine.h ../../include/openssl/err.h err_all.o: ../../include/openssl/evp.h ../../include/openssl/idea.h err_all.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h err_all.o: ../../include/openssl/md4.h ../../include/openssl/md5.h err_all.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h err_all.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h err_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h err_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem2.h err_all.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h err_all.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h err_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h err_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h err_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h err_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h err_all.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h err_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h err_all.o: ../../include/openssl/x509v3.h err_all.c err_prn.o: ../../e_os.h ../../include/openssl/bio.h err_prn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h err_prn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h err_prn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h err_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h err_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h err_prn.o: ../cryptlib.h err_prn.c diff --git a/crypto/openssl/crypto/err/err.c b/crypto/openssl/crypto/err/err.c index 633a1addfe8c..792f32960096 100644 --- a/crypto/openssl/crypto/err/err.c +++ b/crypto/openssl/crypto/err/err.c @@ -1,1075 +1,1075 @@ /* crypto/err/err.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include #include #include #include "cryptlib.h" #include #include #include static void err_load_strings(int lib, ERR_STRING_DATA *str); static void ERR_STATE_free(ERR_STATE *s); #ifndef OPENSSL_NO_ERR static ERR_STRING_DATA ERR_str_libraries[]= { {ERR_PACK(ERR_LIB_NONE,0,0) ,"unknown library"}, {ERR_PACK(ERR_LIB_SYS,0,0) ,"system library"}, {ERR_PACK(ERR_LIB_BN,0,0) ,"bignum routines"}, {ERR_PACK(ERR_LIB_RSA,0,0) ,"rsa routines"}, {ERR_PACK(ERR_LIB_DH,0,0) ,"Diffie-Hellman routines"}, {ERR_PACK(ERR_LIB_EVP,0,0) ,"digital envelope routines"}, {ERR_PACK(ERR_LIB_BUF,0,0) ,"memory buffer routines"}, {ERR_PACK(ERR_LIB_OBJ,0,0) ,"object identifier routines"}, {ERR_PACK(ERR_LIB_PEM,0,0) ,"PEM routines"}, {ERR_PACK(ERR_LIB_DSA,0,0) ,"dsa routines"}, {ERR_PACK(ERR_LIB_X509,0,0) ,"x509 certificate routines"}, {ERR_PACK(ERR_LIB_ASN1,0,0) ,"asn1 encoding routines"}, {ERR_PACK(ERR_LIB_CONF,0,0) ,"configuration file routines"}, {ERR_PACK(ERR_LIB_CRYPTO,0,0) ,"common libcrypto routines"}, {ERR_PACK(ERR_LIB_EC,0,0) ,"elliptic curve routines"}, {ERR_PACK(ERR_LIB_SSL,0,0) ,"SSL routines"}, {ERR_PACK(ERR_LIB_BIO,0,0) ,"BIO routines"}, {ERR_PACK(ERR_LIB_PKCS7,0,0) ,"PKCS7 routines"}, {ERR_PACK(ERR_LIB_X509V3,0,0) ,"X509 V3 routines"}, {ERR_PACK(ERR_LIB_PKCS12,0,0) ,"PKCS12 routines"}, {ERR_PACK(ERR_LIB_RAND,0,0) ,"random number generator"}, {ERR_PACK(ERR_LIB_DSO,0,0) ,"DSO support routines"}, {ERR_PACK(ERR_LIB_ENGINE,0,0) ,"engine routines"}, {ERR_PACK(ERR_LIB_OCSP,0,0) ,"OCSP routines"}, {0,NULL}, }; static ERR_STRING_DATA ERR_str_functs[]= { {ERR_PACK(0,SYS_F_FOPEN,0), "fopen"}, {ERR_PACK(0,SYS_F_CONNECT,0), "connect"}, {ERR_PACK(0,SYS_F_GETSERVBYNAME,0), "getservbyname"}, {ERR_PACK(0,SYS_F_SOCKET,0), "socket"}, {ERR_PACK(0,SYS_F_IOCTLSOCKET,0), "ioctlsocket"}, {ERR_PACK(0,SYS_F_BIND,0), "bind"}, {ERR_PACK(0,SYS_F_LISTEN,0), "listen"}, {ERR_PACK(0,SYS_F_ACCEPT,0), "accept"}, #ifdef OPENSSL_SYS_WINDOWS {ERR_PACK(0,SYS_F_WSASTARTUP,0), "WSAstartup"}, #endif {ERR_PACK(0,SYS_F_OPENDIR,0), "opendir"}, {ERR_PACK(0,SYS_F_FREAD,0), "fread"}, {0,NULL}, }; static ERR_STRING_DATA ERR_str_reasons[]= { {ERR_R_SYS_LIB ,"system lib"}, {ERR_R_BN_LIB ,"BN lib"}, {ERR_R_RSA_LIB ,"RSA lib"}, {ERR_R_DH_LIB ,"DH lib"}, {ERR_R_EVP_LIB ,"EVP lib"}, {ERR_R_BUF_LIB ,"BUF lib"}, {ERR_R_OBJ_LIB ,"OBJ lib"}, {ERR_R_PEM_LIB ,"PEM lib"}, {ERR_R_DSA_LIB ,"DSA lib"}, {ERR_R_X509_LIB ,"X509 lib"}, {ERR_R_ASN1_LIB ,"ASN1 lib"}, {ERR_R_CONF_LIB ,"CONF lib"}, {ERR_R_CRYPTO_LIB ,"CRYPTO lib"}, {ERR_R_EC_LIB ,"EC lib"}, {ERR_R_SSL_LIB ,"SSL lib"}, {ERR_R_BIO_LIB ,"BIO lib"}, {ERR_R_PKCS7_LIB ,"PKCS7 lib"}, {ERR_R_X509V3_LIB ,"X509V3 lib"}, {ERR_R_PKCS12_LIB ,"PKCS12 lib"}, {ERR_R_RAND_LIB ,"RAND lib"}, {ERR_R_DSO_LIB ,"DSO lib"}, {ERR_R_ENGINE_LIB ,"ENGINE lib"}, {ERR_R_OCSP_LIB ,"OCSP lib"}, {ERR_R_NESTED_ASN1_ERROR ,"nested asn1 error"}, {ERR_R_BAD_ASN1_OBJECT_HEADER ,"bad asn1 object header"}, {ERR_R_BAD_GET_ASN1_OBJECT_CALL ,"bad get asn1 object call"}, {ERR_R_EXPECTING_AN_ASN1_SEQUENCE ,"expecting an asn1 sequence"}, {ERR_R_ASN1_LENGTH_MISMATCH ,"asn1 length mismatch"}, {ERR_R_MISSING_ASN1_EOS ,"missing asn1 eos"}, {ERR_R_FATAL ,"fatal"}, {ERR_R_MALLOC_FAILURE ,"malloc failure"}, {ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED ,"called a function you should not call"}, {ERR_R_PASSED_NULL_PARAMETER ,"passed a null parameter"}, {ERR_R_INTERNAL_ERROR ,"internal error"}, {0,NULL}, }; #endif /* Define the predeclared (but externally opaque) "ERR_FNS" type */ struct st_ERR_FNS { /* Works on the "error_hash" string table */ LHASH *(*cb_err_get)(int create); void (*cb_err_del)(void); ERR_STRING_DATA *(*cb_err_get_item)(const ERR_STRING_DATA *); ERR_STRING_DATA *(*cb_err_set_item)(ERR_STRING_DATA *); ERR_STRING_DATA *(*cb_err_del_item)(ERR_STRING_DATA *); /* Works on the "thread_hash" error-state table */ LHASH *(*cb_thread_get)(int create); void (*cb_thread_release)(LHASH **hash); ERR_STATE *(*cb_thread_get_item)(const ERR_STATE *); ERR_STATE *(*cb_thread_set_item)(ERR_STATE *); void (*cb_thread_del_item)(const ERR_STATE *); /* Returns the next available error "library" numbers */ int (*cb_get_next_lib)(void); }; /* Predeclarations of the "err_defaults" functions */ static LHASH *int_err_get(int create); static void int_err_del(void); static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *); static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *); static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *); static LHASH *int_thread_get(int create); static void int_thread_release(LHASH **hash); static ERR_STATE *int_thread_get_item(const ERR_STATE *); static ERR_STATE *int_thread_set_item(ERR_STATE *); static void int_thread_del_item(const ERR_STATE *); static int int_err_get_next_lib(void); /* The static ERR_FNS table using these defaults functions */ static const ERR_FNS err_defaults = { int_err_get, int_err_del, int_err_get_item, int_err_set_item, int_err_del_item, int_thread_get, int_thread_release, int_thread_get_item, int_thread_set_item, int_thread_del_item, int_err_get_next_lib }; /* The replacable table of ERR_FNS functions we use at run-time */ static const ERR_FNS *err_fns = NULL; /* Eg. rather than using "err_get()", use "ERRFN(err_get)()". */ #define ERRFN(a) err_fns->cb_##a /* The internal state used by "err_defaults" - as such, the setting, reading, * creating, and deleting of this data should only be permitted via the * "err_defaults" functions. This way, a linked module can completely defer all * ERR state operation (together with requisite locking) to the implementations * and state in the loading application. */ static LHASH *int_error_hash = NULL; static LHASH *int_thread_hash = NULL; static int int_thread_hash_references = 0; static int int_err_library_number= ERR_LIB_USER; /* Internal function that checks whether "err_fns" is set and if not, sets it to * the defaults. */ static void err_fns_check(void) { if (err_fns) return; CRYPTO_w_lock(CRYPTO_LOCK_ERR); if (!err_fns) err_fns = &err_defaults; CRYPTO_w_unlock(CRYPTO_LOCK_ERR); } /* API functions to get or set the underlying ERR functions. */ const ERR_FNS *ERR_get_implementation(void) { err_fns_check(); return err_fns; } int ERR_set_implementation(const ERR_FNS *fns) { int ret = 0; CRYPTO_w_lock(CRYPTO_LOCK_ERR); /* It's too late if 'err_fns' is non-NULL. BTW: not much point setting * an error is there?! */ if (!err_fns) { err_fns = fns; ret = 1; } CRYPTO_w_unlock(CRYPTO_LOCK_ERR); return ret; } /* These are the callbacks provided to "lh_new()" when creating the LHASH tables * internal to the "err_defaults" implementation. */ /* static unsigned long err_hash(ERR_STRING_DATA *a); */ static unsigned long err_hash(const void *a_void); /* static int err_cmp(ERR_STRING_DATA *a, ERR_STRING_DATA *b); */ static int err_cmp(const void *a_void, const void *b_void); /* static unsigned long pid_hash(ERR_STATE *pid); */ static unsigned long pid_hash(const void *pid_void); /* static int pid_cmp(ERR_STATE *a,ERR_STATE *pid); */ static int pid_cmp(const void *a_void,const void *pid_void); static unsigned long get_error_values(int inc,int top,const char **file,int *line, const char **data,int *flags); /* The internal functions used in the "err_defaults" implementation */ static LHASH *int_err_get(int create) { LHASH *ret = NULL; CRYPTO_w_lock(CRYPTO_LOCK_ERR); if (!int_error_hash && create) { CRYPTO_push_info("int_err_get (err.c)"); int_error_hash = lh_new(err_hash, err_cmp); CRYPTO_pop_info(); } if (int_error_hash) ret = int_error_hash; CRYPTO_w_unlock(CRYPTO_LOCK_ERR); return ret; } static void int_err_del(void) { CRYPTO_w_lock(CRYPTO_LOCK_ERR); if (int_error_hash) { lh_free(int_error_hash); int_error_hash = NULL; } CRYPTO_w_unlock(CRYPTO_LOCK_ERR); } static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d) { ERR_STRING_DATA *p; LHASH *hash; err_fns_check(); hash = ERRFN(err_get)(0); if (!hash) return NULL; CRYPTO_r_lock(CRYPTO_LOCK_ERR); p = (ERR_STRING_DATA *)lh_retrieve(hash, d); CRYPTO_r_unlock(CRYPTO_LOCK_ERR); return p; } static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *d) { ERR_STRING_DATA *p; LHASH *hash; err_fns_check(); hash = ERRFN(err_get)(1); if (!hash) return NULL; CRYPTO_w_lock(CRYPTO_LOCK_ERR); p = (ERR_STRING_DATA *)lh_insert(hash, d); CRYPTO_w_unlock(CRYPTO_LOCK_ERR); return p; } static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *d) { ERR_STRING_DATA *p; LHASH *hash; err_fns_check(); hash = ERRFN(err_get)(0); if (!hash) return NULL; CRYPTO_w_lock(CRYPTO_LOCK_ERR); p = (ERR_STRING_DATA *)lh_delete(hash, d); CRYPTO_w_unlock(CRYPTO_LOCK_ERR); return p; } static LHASH *int_thread_get(int create) { LHASH *ret = NULL; CRYPTO_w_lock(CRYPTO_LOCK_ERR); if (!int_thread_hash && create) { CRYPTO_push_info("int_thread_get (err.c)"); int_thread_hash = lh_new(pid_hash, pid_cmp); CRYPTO_pop_info(); } if (int_thread_hash) { int_thread_hash_references++; ret = int_thread_hash; } CRYPTO_w_unlock(CRYPTO_LOCK_ERR); return ret; } static void int_thread_release(LHASH **hash) { int i; if (hash == NULL || *hash == NULL) return; i = CRYPTO_add(&int_thread_hash_references, -1, CRYPTO_LOCK_ERR); #ifdef REF_PRINT fprintf(stderr,"%4d:%s\n",int_thread_hash_references,"ERR"); #endif if (i > 0) return; #ifdef REF_CHECK if (i < 0) { fprintf(stderr,"int_thread_release, bad reference count\n"); abort(); /* ok */ } #endif *hash = NULL; } static ERR_STATE *int_thread_get_item(const ERR_STATE *d) { ERR_STATE *p; LHASH *hash; err_fns_check(); hash = ERRFN(thread_get)(0); if (!hash) return NULL; CRYPTO_r_lock(CRYPTO_LOCK_ERR); p = (ERR_STATE *)lh_retrieve(hash, d); CRYPTO_r_unlock(CRYPTO_LOCK_ERR); ERRFN(thread_release)(&hash); return p; } static ERR_STATE *int_thread_set_item(ERR_STATE *d) { ERR_STATE *p; LHASH *hash; err_fns_check(); hash = ERRFN(thread_get)(1); if (!hash) return NULL; CRYPTO_w_lock(CRYPTO_LOCK_ERR); p = (ERR_STATE *)lh_insert(hash, d); CRYPTO_w_unlock(CRYPTO_LOCK_ERR); ERRFN(thread_release)(&hash); return p; } static void int_thread_del_item(const ERR_STATE *d) { ERR_STATE *p; LHASH *hash; err_fns_check(); hash = ERRFN(thread_get)(0); if (!hash) return; CRYPTO_w_lock(CRYPTO_LOCK_ERR); p = (ERR_STATE *)lh_delete(hash, d); /* make sure we don't leak memory */ if (int_thread_hash_references == 1 && int_thread_hash && (lh_num_items(int_thread_hash) == 0)) { lh_free(int_thread_hash); int_thread_hash = NULL; } CRYPTO_w_unlock(CRYPTO_LOCK_ERR); ERRFN(thread_release)(&hash); if (p) ERR_STATE_free(p); } static int int_err_get_next_lib(void) { int ret; CRYPTO_w_lock(CRYPTO_LOCK_ERR); ret = int_err_library_number++; CRYPTO_w_unlock(CRYPTO_LOCK_ERR); return ret; } #ifndef OPENSSL_NO_ERR #define NUM_SYS_STR_REASONS 127 #define LEN_SYS_STR_REASON 32 static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1]; /* SYS_str_reasons is filled with copies of strerror() results at * initialization. * 'errno' values up to 127 should cover all usual errors, * others will be displayed numerically by ERR_error_string. * It is crucial that we have something for each reason code * that occurs in ERR_str_reasons, or bogus reason strings * will be returned for SYSerr(), which always gets an errno * value and never one of those 'standard' reason codes. */ static void build_SYS_str_reasons() { /* OPENSSL_malloc cannot be used here, use static storage instead */ static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON]; int i; static int init = 1; if (!init) return; CRYPTO_w_lock(CRYPTO_LOCK_ERR); for (i = 1; i <= NUM_SYS_STR_REASONS; i++) { ERR_STRING_DATA *str = &SYS_str_reasons[i - 1]; str->error = (unsigned long)i; if (str->string == NULL) { char (*dest)[LEN_SYS_STR_REASON] = &(strerror_tab[i - 1]); char *src = strerror(i); if (src != NULL) { strncpy(*dest, src, sizeof *dest); (*dest)[sizeof *dest - 1] = '\0'; str->string = *dest; } } if (str->string == NULL) str->string = "unknown"; } /* Now we still have SYS_str_reasons[NUM_SYS_STR_REASONS] = {0, NULL}, * as required by ERR_load_strings. */ init = 0; CRYPTO_w_unlock(CRYPTO_LOCK_ERR); } #endif #define err_clear_data(p,i) \ if (((p)->err_data[i] != NULL) && \ (p)->err_data_flags[i] & ERR_TXT_MALLOCED) \ { \ OPENSSL_free((p)->err_data[i]); \ (p)->err_data[i]=NULL; \ } \ (p)->err_data_flags[i]=0; static void ERR_STATE_free(ERR_STATE *s) { int i; if (s == NULL) return; for (i=0; ierror) { str->error|=ERR_PACK(lib,0,0); ERRFN(err_set_item)(str); str++; } } void ERR_load_strings(int lib, ERR_STRING_DATA *str) { ERR_load_ERR_strings(); err_load_strings(lib, str); } void ERR_unload_strings(int lib, ERR_STRING_DATA *str) { while (str->error) { str->error|=ERR_PACK(lib,0,0); ERRFN(err_del_item)(str); str++; } } void ERR_free_strings(void) { err_fns_check(); ERRFN(err_del)(); } /********************************************************/ void ERR_put_error(int lib, int func, int reason, const char *file, int line) { ERR_STATE *es; #ifdef _OSD_POSIX /* In the BS2000-OSD POSIX subsystem, the compiler generates * path names in the form "*POSIX(/etc/passwd)". * This dirty hack strips them to something sensible. * @@@ We shouldn't modify a const string, though. */ if (strncmp(file,"*POSIX(", sizeof("*POSIX(")-1) == 0) { char *end; /* Skip the "*POSIX(" prefix */ file += sizeof("*POSIX(")-1; end = &file[strlen(file)-1]; if (*end == ')') *end = '\0'; /* Optional: use the basename of the path only. */ if ((end = strrchr(file, '/')) != NULL) file = &end[1]; } #endif es=ERR_get_state(); es->top=(es->top+1)%ERR_NUM_ERRORS; if (es->top == es->bottom) es->bottom=(es->bottom+1)%ERR_NUM_ERRORS; es->err_buffer[es->top]=ERR_PACK(lib,func,reason); es->err_file[es->top]=file; es->err_line[es->top]=line; err_clear_data(es,es->top); } void ERR_clear_error(void) { int i; ERR_STATE *es; es=ERR_get_state(); for (i=0; ierr_buffer[i]=0; err_clear_data(es,i); es->err_file[i]=NULL; es->err_line[i]= -1; } es->top=es->bottom=0; } unsigned long ERR_get_error(void) { return(get_error_values(1,0,NULL,NULL,NULL,NULL)); } unsigned long ERR_get_error_line(const char **file, int *line) { return(get_error_values(1,0,file,line,NULL,NULL)); } unsigned long ERR_get_error_line_data(const char **file, int *line, const char **data, int *flags) { return(get_error_values(1,0,file,line,data,flags)); } unsigned long ERR_peek_error(void) { return(get_error_values(0,0,NULL,NULL,NULL,NULL)); } unsigned long ERR_peek_error_line(const char **file, int *line) { return(get_error_values(0,0,file,line,NULL,NULL)); } unsigned long ERR_peek_error_line_data(const char **file, int *line, const char **data, int *flags) { return(get_error_values(0,0,file,line,data,flags)); } unsigned long ERR_peek_last_error(void) { return(get_error_values(0,1,NULL,NULL,NULL,NULL)); } unsigned long ERR_peek_last_error_line(const char **file, int *line) { return(get_error_values(0,1,file,line,NULL,NULL)); } unsigned long ERR_peek_last_error_line_data(const char **file, int *line, const char **data, int *flags) { return(get_error_values(0,1,file,line,data,flags)); } static unsigned long get_error_values(int inc, int top, const char **file, int *line, const char **data, int *flags) { int i=0; ERR_STATE *es; unsigned long ret; es=ERR_get_state(); if (inc && top) { if (file) *file = ""; if (line) *line = 0; if (data) *data = ""; if (flags) *flags = 0; return ERR_R_INTERNAL_ERROR; } if (es->bottom == es->top) return 0; if (top) i=es->top; /* last error */ else i=(es->bottom+1)%ERR_NUM_ERRORS; /* first error */ ret=es->err_buffer[i]; if (inc) { es->bottom=i; es->err_buffer[i]=0; } if ((file != NULL) && (line != NULL)) { if (es->err_file[i] == NULL) { *file="NA"; if (line != NULL) *line=0; } else { *file=es->err_file[i]; if (line != NULL) *line=es->err_line[i]; } } if (data == NULL) { if (inc) { err_clear_data(es, i); } } else { if (es->err_data[i] == NULL) { *data=""; if (flags != NULL) *flags=0; } else { *data=es->err_data[i]; if (flags != NULL) *flags=es->err_data_flags[i]; } } return ret; } void ERR_error_string_n(unsigned long e, char *buf, size_t len) { char lsbuf[64], fsbuf[64], rsbuf[64]; const char *ls,*fs,*rs; unsigned long l,f,r; l=ERR_GET_LIB(e); f=ERR_GET_FUNC(e); r=ERR_GET_REASON(e); ls=ERR_lib_error_string(e); fs=ERR_func_error_string(e); rs=ERR_reason_error_string(e); if (ls == NULL) BIO_snprintf(lsbuf, sizeof(lsbuf), "lib(%lu)", l); if (fs == NULL) BIO_snprintf(fsbuf, sizeof(fsbuf), "func(%lu)", f); if (rs == NULL) BIO_snprintf(rsbuf, sizeof(rsbuf), "reason(%lu)", r); BIO_snprintf(buf, len,"error:%08lX:%s:%s:%s", e, ls?ls:lsbuf, fs?fs:fsbuf, rs?rs:rsbuf); if (strlen(buf) == len-1) { /* output may be truncated; make sure we always have 5 * colon-separated fields, i.e. 4 colons ... */ #define NUM_COLONS 4 if (len > NUM_COLONS) /* ... if possible */ { int i; char *s = buf; for (i = 0; i < NUM_COLONS; i++) { char *colon = strchr(s, ':'); if (colon == NULL || colon > &buf[len-1] - NUM_COLONS + i) { /* set colon no. i at last possible position * (buf[len-1] is the terminating 0)*/ colon = &buf[len-1] - NUM_COLONS + i; *colon = ':'; } s = colon + 1; } } } } /* BAD for multi-threading: uses a local buffer if ret == NULL */ /* ERR_error_string_n should be used instead for ret != NULL * as ERR_error_string cannot know how large the buffer is */ char *ERR_error_string(unsigned long e, char *ret) { static char buf[256]; if (ret == NULL) ret=buf; ERR_error_string_n(e, ret, 256); return ret; } LHASH *ERR_get_string_table(void) { err_fns_check(); return ERRFN(err_get)(0); } LHASH *ERR_get_err_state_table(void) { err_fns_check(); return ERRFN(thread_get)(0); } void ERR_release_err_state_table(LHASH **hash) { err_fns_check(); ERRFN(thread_release)(hash); } const char *ERR_lib_error_string(unsigned long e) { ERR_STRING_DATA d,*p; unsigned long l; err_fns_check(); l=ERR_GET_LIB(e); d.error=ERR_PACK(l,0,0); p=ERRFN(err_get_item)(&d); return((p == NULL)?NULL:p->string); } const char *ERR_func_error_string(unsigned long e) { ERR_STRING_DATA d,*p; unsigned long l,f; err_fns_check(); l=ERR_GET_LIB(e); f=ERR_GET_FUNC(e); d.error=ERR_PACK(l,f,0); p=ERRFN(err_get_item)(&d); return((p == NULL)?NULL:p->string); } const char *ERR_reason_error_string(unsigned long e) { ERR_STRING_DATA d,*p=NULL; unsigned long l,r; err_fns_check(); l=ERR_GET_LIB(e); r=ERR_GET_REASON(e); d.error=ERR_PACK(l,0,r); p=ERRFN(err_get_item)(&d); if (!p) { d.error=ERR_PACK(0,0,r); p=ERRFN(err_get_item)(&d); } return((p == NULL)?NULL:p->string); } /* static unsigned long err_hash(ERR_STRING_DATA *a) */ static unsigned long err_hash(const void *a_void) { unsigned long ret,l; l=((ERR_STRING_DATA *)a_void)->error; ret=l^ERR_GET_LIB(l)^ERR_GET_FUNC(l); return(ret^ret%19*13); } /* static int err_cmp(ERR_STRING_DATA *a, ERR_STRING_DATA *b) */ static int err_cmp(const void *a_void, const void *b_void) { return((int)(((ERR_STRING_DATA *)a_void)->error - ((ERR_STRING_DATA *)b_void)->error)); } /* static unsigned long pid_hash(ERR_STATE *a) */ static unsigned long pid_hash(const void *a_void) { return(((ERR_STATE *)a_void)->pid*13); } /* static int pid_cmp(ERR_STATE *a, ERR_STATE *b) */ static int pid_cmp(const void *a_void, const void *b_void) { return((int)((long)((ERR_STATE *)a_void)->pid - (long)((ERR_STATE *)b_void)->pid)); } void ERR_remove_state(unsigned long pid) { ERR_STATE tmp; err_fns_check(); if (pid == 0) pid=(unsigned long)CRYPTO_thread_id(); tmp.pid=pid; /* thread_del_item automatically destroys the LHASH if the number of * items reaches zero. */ ERRFN(thread_del_item)(&tmp); } ERR_STATE *ERR_get_state(void) { static ERR_STATE fallback; ERR_STATE *ret,tmp,*tmpp=NULL; int i; unsigned long pid; err_fns_check(); pid=(unsigned long)CRYPTO_thread_id(); tmp.pid=pid; ret=ERRFN(thread_get_item)(&tmp); /* ret == the error state, if NULL, make a new one */ if (ret == NULL) { ret=(ERR_STATE *)OPENSSL_malloc(sizeof(ERR_STATE)); if (ret == NULL) return(&fallback); ret->pid=pid; ret->top=0; ret->bottom=0; for (i=0; ierr_data[i]=NULL; ret->err_data_flags[i]=0; } tmpp = ERRFN(thread_set_item)(ret); /* To check if insertion failed, do a get. */ if (ERRFN(thread_get_item)(ret) != ret) { ERR_STATE_free(ret); /* could not insert it */ return(&fallback); } /* If a race occured in this function and we came second, tmpp * is the first one that we just replaced. */ if (tmpp) ERR_STATE_free(tmpp); } return ret; } int ERR_get_next_error_library(void) { err_fns_check(); return ERRFN(get_next_lib)(); } void ERR_set_error_data(char *data, int flags) { ERR_STATE *es; int i; es=ERR_get_state(); i=es->top; if (i == 0) i=ERR_NUM_ERRORS-1; err_clear_data(es,i); es->err_data[i]=data; es->err_data_flags[i]=flags; } void ERR_add_error_data(int num, ...) { va_list args; int i,n,s; char *str,*p,*a; s=80; str=OPENSSL_malloc(s+1); if (str == NULL) return; str[0]='\0'; va_start(args, num); n=0; for (i=0; i */ if (a != NULL) { n+=strlen(a); if (n > s) { s=n+20; p=OPENSSL_realloc(str,s+1); if (p == NULL) { OPENSSL_free(str); goto err; } else str=p; } - strcat(str,a); + BUF_strlcat(str,a,s+1); } } ERR_set_error_data(str,ERR_TXT_MALLOCED|ERR_TXT_STRING); err: va_end(args); } diff --git a/crypto/openssl/crypto/evp/Makefile.ssl b/crypto/openssl/crypto/evp/Makefile.ssl index 772afd71f5a0..f33aebd33a2c 100644 --- a/crypto/openssl/crypto/evp/Makefile.ssl +++ b/crypto/openssl/crypto/evp/Makefile.ssl @@ -1,1059 +1,1059 @@ # # SSLeay/crypto/evp/Makefile # DIR= evp TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST=evp_test.c TESTDATA=evptests.txt APPS= LIB=$(TOP)/libcrypto.a LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \ e_des.c e_bf.c e_idea.c e_des3.c \ e_rc4.c e_aes.c names.c \ e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c \ m_null.c m_md2.c m_md4.c m_md5.c m_sha.c m_sha1.c \ m_dss.c m_dss1.c m_mdc2.c m_ripemd.c \ p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \ evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \ e_des.o e_bf.o e_idea.o e_des3.o \ e_rc4.o e_aes.o names.o \ e_xcbc_d.o e_rc2.o e_cast.o e_rc5.o \ m_null.o m_md2.o m_md4.o m_md5.o m_sha.o m_sha1.o \ m_dss.o m_dss1.o m_mdc2.o m_ripemd.o \ p_open.o p_seal.o p_sign.o p_verify.o p_lib.o p_enc.o p_dec.o \ bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \ c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \ evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o SRC= $(LIBSRC) EXHEADER= evp.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) cp $(TESTDATA) ../../test @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. bio_b64.o: ../../e_os.h ../../include/openssl/aes.h bio_b64.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h bio_b64.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h bio_b64.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h bio_b64.o: ../../include/openssl/crypto.h ../../include/openssl/des.h bio_b64.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h bio_b64.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h bio_b64.o: ../../include/openssl/err.h ../../include/openssl/evp.h bio_b64.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h bio_b64.o: ../../include/openssl/md2.h ../../include/openssl/md4.h bio_b64.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h bio_b64.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h bio_b64.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h bio_b64.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h bio_b64.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h bio_b64.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h bio_b64.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h bio_b64.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bio_b64.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h bio_b64.o: ../cryptlib.h bio_b64.c bio_enc.o: ../../e_os.h ../../include/openssl/aes.h bio_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h bio_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h bio_enc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h bio_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h bio_enc.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h bio_enc.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h bio_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h bio_enc.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h bio_enc.o: ../../include/openssl/md2.h ../../include/openssl/md4.h bio_enc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h bio_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h bio_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h bio_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h bio_enc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h bio_enc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h bio_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h bio_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bio_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h bio_enc.o: ../cryptlib.h bio_enc.c bio_md.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h bio_md.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h bio_md.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h bio_md.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h bio_md.o: ../../include/openssl/des.h ../../include/openssl/des_old.h bio_md.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h bio_md.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bio_md.o: ../../include/openssl/evp.h ../../include/openssl/idea.h bio_md.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h bio_md.o: ../../include/openssl/md4.h ../../include/openssl/md5.h bio_md.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h bio_md.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h bio_md.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bio_md.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h bio_md.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h bio_md.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h bio_md.o: ../../include/openssl/sha.h ../../include/openssl/stack.h bio_md.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h bio_md.o: ../../include/openssl/ui_compat.h ../cryptlib.h bio_md.c bio_ok.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h bio_ok.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h bio_ok.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h bio_ok.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h bio_ok.o: ../../include/openssl/des.h ../../include/openssl/des_old.h bio_ok.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h bio_ok.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bio_ok.o: ../../include/openssl/evp.h ../../include/openssl/idea.h bio_ok.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h bio_ok.o: ../../include/openssl/md4.h ../../include/openssl/md5.h bio_ok.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h bio_ok.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h bio_ok.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bio_ok.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h bio_ok.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h bio_ok.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h bio_ok.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h bio_ok.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bio_ok.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h bio_ok.o: ../cryptlib.h bio_ok.c c_all.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h c_all.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h c_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h c_all.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h c_all.o: ../../include/openssl/des.h ../../include/openssl/des_old.h c_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h c_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h c_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h c_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h c_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h c_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h c_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h c_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h c_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h c_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h c_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h c_all.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h c_all.o: ../../include/openssl/ui_compat.h ../cryptlib.h c_all.c c_allc.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h c_allc.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h c_allc.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h c_allc.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h c_allc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h c_allc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h c_allc.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h c_allc.o: ../../include/openssl/evp.h ../../include/openssl/idea.h c_allc.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h c_allc.o: ../../include/openssl/md4.h ../../include/openssl/md5.h c_allc.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h c_allc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h c_allc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h c_allc.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h c_allc.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h c_allc.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h c_allc.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h c_allc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h c_allc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h c_allc.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h c_allc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h c_allc.c c_alld.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h c_alld.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h c_alld.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h c_alld.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h c_alld.o: ../../include/openssl/des.h ../../include/openssl/des_old.h c_alld.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h c_alld.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h c_alld.o: ../../include/openssl/evp.h ../../include/openssl/idea.h c_alld.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h c_alld.o: ../../include/openssl/md4.h ../../include/openssl/md5.h c_alld.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h c_alld.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h c_alld.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h c_alld.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h c_alld.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h c_alld.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h c_alld.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h c_alld.o: ../../include/openssl/sha.h ../../include/openssl/stack.h c_alld.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h c_alld.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h c_alld.o: ../../include/openssl/x509_vfy.h ../cryptlib.h c_alld.c digest.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h digest.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h digest.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h digest.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h digest.o: ../../include/openssl/des.h ../../include/openssl/des_old.h digest.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h digest.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h digest.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h digest.o: ../../include/openssl/md2.h ../../include/openssl/md4.h digest.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h digest.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h digest.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h digest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h digest.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h digest.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h digest.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h digest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h digest.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h digest.o: ../../include/openssl/ui_compat.h ../cryptlib.h digest.c e_aes.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h e_aes.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h e_aes.o: ../../include/openssl/bn.h ../../include/openssl/cast.h e_aes.o: ../../include/openssl/crypto.h ../../include/openssl/des.h e_aes.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h e_aes.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h e_aes.o: ../../include/openssl/err.h ../../include/openssl/evp.h e_aes.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h e_aes.o: ../../include/openssl/md2.h ../../include/openssl/md4.h e_aes.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h e_aes.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h e_aes.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h e_aes.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h e_aes.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h e_aes.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h e_aes.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h e_aes.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h e_aes.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h e_aes.c e_aes.o: evp_locl.h e_bf.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h e_bf.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h e_bf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h e_bf.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h e_bf.o: ../../include/openssl/des.h ../../include/openssl/des_old.h e_bf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h e_bf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h e_bf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h e_bf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h e_bf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h e_bf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h e_bf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h e_bf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h e_bf.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h e_bf.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h e_bf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h e_bf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h e_bf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h e_bf.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_bf.c evp_locl.h e_cast.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h e_cast.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h e_cast.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h e_cast.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h e_cast.o: ../../include/openssl/des.h ../../include/openssl/des_old.h e_cast.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h e_cast.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h e_cast.o: ../../include/openssl/evp.h ../../include/openssl/idea.h e_cast.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h e_cast.o: ../../include/openssl/md4.h ../../include/openssl/md5.h e_cast.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h e_cast.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h e_cast.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h e_cast.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h e_cast.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h e_cast.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h e_cast.o: ../../include/openssl/sha.h ../../include/openssl/stack.h e_cast.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h e_cast.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_cast.c evp_locl.h e_des.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h e_des.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h e_des.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h e_des.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h e_des.o: ../../include/openssl/des.h ../../include/openssl/des_old.h e_des.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h e_des.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h e_des.o: ../../include/openssl/evp.h ../../include/openssl/idea.h e_des.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h e_des.o: ../../include/openssl/md4.h ../../include/openssl/md5.h e_des.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h e_des.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h e_des.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h e_des.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h e_des.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h e_des.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h e_des.o: ../../include/openssl/sha.h ../../include/openssl/stack.h e_des.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h e_des.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_des.c evp_locl.h e_des3.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h e_des3.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h e_des3.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h e_des3.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h e_des3.o: ../../include/openssl/des.h ../../include/openssl/des_old.h e_des3.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h e_des3.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h e_des3.o: ../../include/openssl/evp.h ../../include/openssl/idea.h e_des3.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h e_des3.o: ../../include/openssl/md4.h ../../include/openssl/md5.h e_des3.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h e_des3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h e_des3.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h e_des3.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h e_des3.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h e_des3.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h e_des3.o: ../../include/openssl/sha.h ../../include/openssl/stack.h e_des3.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h e_des3.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_des3.c evp_locl.h e_idea.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h e_idea.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h e_idea.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h e_idea.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h e_idea.o: ../../include/openssl/des.h ../../include/openssl/des_old.h e_idea.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h e_idea.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h e_idea.o: ../../include/openssl/evp.h ../../include/openssl/idea.h e_idea.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h e_idea.o: ../../include/openssl/md4.h ../../include/openssl/md5.h e_idea.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h e_idea.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h e_idea.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h e_idea.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h e_idea.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h e_idea.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h e_idea.o: ../../include/openssl/sha.h ../../include/openssl/stack.h e_idea.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h e_idea.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_idea.c evp_locl.h e_null.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h e_null.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h e_null.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h e_null.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h e_null.o: ../../include/openssl/des.h ../../include/openssl/des_old.h e_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h e_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h e_null.o: ../../include/openssl/evp.h ../../include/openssl/idea.h e_null.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h e_null.o: ../../include/openssl/md4.h ../../include/openssl/md5.h e_null.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h e_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h e_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h e_null.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h e_null.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h e_null.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h e_null.o: ../../include/openssl/sha.h ../../include/openssl/stack.h e_null.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h e_null.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_null.c e_rc2.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h e_rc2.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h e_rc2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h e_rc2.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h e_rc2.o: ../../include/openssl/des.h ../../include/openssl/des_old.h e_rc2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h e_rc2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h e_rc2.o: ../../include/openssl/evp.h ../../include/openssl/idea.h e_rc2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h e_rc2.o: ../../include/openssl/md4.h ../../include/openssl/md5.h e_rc2.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h e_rc2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h e_rc2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h e_rc2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h e_rc2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h e_rc2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h e_rc2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h e_rc2.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h e_rc2.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_rc2.c evp_locl.h e_rc4.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h e_rc4.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h e_rc4.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h e_rc4.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h e_rc4.o: ../../include/openssl/des.h ../../include/openssl/des_old.h e_rc4.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h e_rc4.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h e_rc4.o: ../../include/openssl/evp.h ../../include/openssl/idea.h e_rc4.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h e_rc4.o: ../../include/openssl/md4.h ../../include/openssl/md5.h e_rc4.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h e_rc4.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h e_rc4.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h e_rc4.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h e_rc4.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h e_rc4.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h e_rc4.o: ../../include/openssl/sha.h ../../include/openssl/stack.h e_rc4.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h e_rc4.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_rc4.c e_rc5.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h e_rc5.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h e_rc5.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h e_rc5.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h e_rc5.o: ../../include/openssl/des.h ../../include/openssl/des_old.h e_rc5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h e_rc5.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h e_rc5.o: ../../include/openssl/evp.h ../../include/openssl/idea.h e_rc5.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h e_rc5.o: ../../include/openssl/md4.h ../../include/openssl/md5.h e_rc5.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h e_rc5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h e_rc5.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h e_rc5.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h e_rc5.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h e_rc5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h e_rc5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h e_rc5.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h e_rc5.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_rc5.c evp_locl.h e_xcbc_d.o: ../../e_os.h ../../include/openssl/aes.h e_xcbc_d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h e_xcbc_d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h e_xcbc_d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h e_xcbc_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h e_xcbc_d.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h e_xcbc_d.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h e_xcbc_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h e_xcbc_d.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h e_xcbc_d.o: ../../include/openssl/md2.h ../../include/openssl/md4.h e_xcbc_d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h e_xcbc_d.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h e_xcbc_d.o: ../../include/openssl/opensslconf.h e_xcbc_d.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h e_xcbc_d.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h e_xcbc_d.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h e_xcbc_d.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h e_xcbc_d.o: ../../include/openssl/sha.h ../../include/openssl/stack.h e_xcbc_d.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h e_xcbc_d.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_xcbc_d.c encode.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h encode.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h encode.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h encode.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h encode.o: ../../include/openssl/des.h ../../include/openssl/des_old.h encode.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h encode.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h encode.o: ../../include/openssl/evp.h ../../include/openssl/idea.h encode.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h encode.o: ../../include/openssl/md4.h ../../include/openssl/md5.h encode.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h encode.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h encode.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h encode.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h encode.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h encode.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h encode.o: ../../include/openssl/sha.h ../../include/openssl/stack.h encode.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h encode.o: ../../include/openssl/ui_compat.h ../cryptlib.h encode.c evp_acnf.o: ../../e_os.h ../../include/openssl/aes.h evp_acnf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h evp_acnf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h evp_acnf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h evp_acnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h evp_acnf.o: ../../include/openssl/des.h ../../include/openssl/des_old.h evp_acnf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h evp_acnf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h evp_acnf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h evp_acnf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h evp_acnf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h evp_acnf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h evp_acnf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h evp_acnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h evp_acnf.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h evp_acnf.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h evp_acnf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h evp_acnf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h evp_acnf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h evp_acnf.o: ../../include/openssl/ui_compat.h ../cryptlib.h evp_acnf.c evp_enc.o: ../../e_os.h ../../include/openssl/aes.h evp_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h evp_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h evp_enc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h evp_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h evp_enc.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h evp_enc.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h evp_enc.o: ../../include/openssl/engine.h ../../include/openssl/err.h evp_enc.o: ../../include/openssl/evp.h ../../include/openssl/idea.h evp_enc.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h evp_enc.o: ../../include/openssl/md4.h ../../include/openssl/md5.h evp_enc.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h evp_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h evp_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h evp_enc.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h evp_enc.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h evp_enc.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h evp_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h evp_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h evp_err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h evp_err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h evp_err.o: ../../include/openssl/bn.h ../../include/openssl/cast.h evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h evp_err.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h evp_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h evp_err.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h evp_err.o: ../../include/openssl/md2.h ../../include/openssl/md4.h evp_err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h evp_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h evp_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h evp_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h evp_err.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h evp_err.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h evp_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h evp_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h evp_err.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h evp_err.o: evp_err.c evp_key.o: ../../e_os.h ../../include/openssl/aes.h evp_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h evp_key.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h evp_key.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h evp_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h evp_key.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h evp_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h evp_key.o: ../../include/openssl/err.h ../../include/openssl/evp.h evp_key.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h evp_key.o: ../../include/openssl/md2.h ../../include/openssl/md4.h evp_key.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h evp_key.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h evp_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h evp_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h evp_key.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h evp_key.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h evp_key.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h evp_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h evp_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h evp_key.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h evp_key.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_key.c evp_lib.o: ../../e_os.h ../../include/openssl/aes.h evp_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h evp_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h evp_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h evp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h evp_lib.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h evp_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h evp_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h evp_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h evp_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h evp_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h evp_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h evp_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h evp_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h evp_lib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h evp_lib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h evp_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h evp_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h evp_lib.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h evp_lib.o: ../cryptlib.h evp_lib.c evp_pbe.o: ../../e_os.h ../../include/openssl/aes.h evp_pbe.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h evp_pbe.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h evp_pbe.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h evp_pbe.o: ../../include/openssl/crypto.h ../../include/openssl/des.h evp_pbe.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h evp_pbe.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h evp_pbe.o: ../../include/openssl/err.h ../../include/openssl/evp.h evp_pbe.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h evp_pbe.o: ../../include/openssl/md2.h ../../include/openssl/md4.h evp_pbe.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h evp_pbe.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h evp_pbe.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h evp_pbe.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h evp_pbe.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h evp_pbe.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h evp_pbe.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h evp_pbe.o: ../../include/openssl/sha.h ../../include/openssl/stack.h evp_pbe.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h evp_pbe.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h evp_pbe.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_pbe.c evp_pkey.o: ../../e_os.h ../../include/openssl/aes.h evp_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h evp_pkey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h evp_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h evp_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h evp_pkey.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h evp_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h evp_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h evp_pkey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h evp_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h evp_pkey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h evp_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h evp_pkey.o: ../../include/openssl/opensslconf.h evp_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h evp_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h evp_pkey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h evp_pkey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h evp_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h evp_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h evp_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h evp_pkey.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h evp_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_pkey.c m_dss.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h m_dss.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h m_dss.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h m_dss.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h m_dss.o: ../../include/openssl/des.h ../../include/openssl/des_old.h m_dss.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h m_dss.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h m_dss.o: ../../include/openssl/evp.h ../../include/openssl/idea.h m_dss.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h m_dss.o: ../../include/openssl/md4.h ../../include/openssl/md5.h m_dss.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h m_dss.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h m_dss.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h m_dss.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h m_dss.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h m_dss.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h m_dss.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h m_dss.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h m_dss.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h m_dss.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h m_dss.o: ../cryptlib.h m_dss.c m_dss1.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h m_dss1.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h m_dss1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h m_dss1.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h m_dss1.o: ../../include/openssl/des.h ../../include/openssl/des_old.h m_dss1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h m_dss1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h m_dss1.o: ../../include/openssl/evp.h ../../include/openssl/idea.h m_dss1.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h m_dss1.o: ../../include/openssl/md4.h ../../include/openssl/md5.h m_dss1.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h m_dss1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h m_dss1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h m_dss1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h m_dss1.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h m_dss1.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h m_dss1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h m_dss1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h m_dss1.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h m_dss1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h m_dss1.o: ../cryptlib.h m_dss1.c m_md2.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h m_md2.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h m_md2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h m_md2.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h m_md2.o: ../../include/openssl/des.h ../../include/openssl/des_old.h m_md2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h m_md2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h m_md2.o: ../../include/openssl/evp.h ../../include/openssl/idea.h m_md2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h m_md2.o: ../../include/openssl/md4.h ../../include/openssl/md5.h m_md2.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h m_md2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h m_md2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h m_md2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h m_md2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h m_md2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h m_md2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h m_md2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h m_md2.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h m_md2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h m_md2.o: ../cryptlib.h m_md2.c m_md4.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h m_md4.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h m_md4.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h m_md4.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h m_md4.o: ../../include/openssl/des.h ../../include/openssl/des_old.h m_md4.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h m_md4.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h m_md4.o: ../../include/openssl/evp.h ../../include/openssl/idea.h m_md4.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h m_md4.o: ../../include/openssl/md4.h ../../include/openssl/md5.h m_md4.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h m_md4.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h m_md4.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h m_md4.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h m_md4.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h m_md4.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h m_md4.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h m_md4.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h m_md4.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h m_md4.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h m_md4.o: ../cryptlib.h m_md4.c m_md5.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h m_md5.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h m_md5.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h m_md5.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h m_md5.o: ../../include/openssl/des.h ../../include/openssl/des_old.h m_md5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h m_md5.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h m_md5.o: ../../include/openssl/evp.h ../../include/openssl/idea.h m_md5.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h m_md5.o: ../../include/openssl/md4.h ../../include/openssl/md5.h m_md5.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h m_md5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h m_md5.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h m_md5.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h m_md5.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h m_md5.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h m_md5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h m_md5.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h m_md5.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h m_md5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h m_md5.o: ../cryptlib.h m_md5.c m_mdc2.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h m_mdc2.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h m_mdc2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h m_mdc2.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h m_mdc2.o: ../../include/openssl/des.h ../../include/openssl/des_old.h m_mdc2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h m_mdc2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h m_mdc2.o: ../../include/openssl/evp.h ../../include/openssl/idea.h m_mdc2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h m_mdc2.o: ../../include/openssl/md4.h ../../include/openssl/md5.h m_mdc2.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h m_mdc2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h m_mdc2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h m_mdc2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h m_mdc2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h m_mdc2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h m_mdc2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h m_mdc2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h m_mdc2.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h m_mdc2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h m_mdc2.o: ../cryptlib.h m_mdc2.c m_null.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h m_null.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h m_null.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h m_null.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h m_null.o: ../../include/openssl/des.h ../../include/openssl/des_old.h m_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h m_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h m_null.o: ../../include/openssl/evp.h ../../include/openssl/idea.h m_null.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h m_null.o: ../../include/openssl/md4.h ../../include/openssl/md5.h m_null.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h m_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h m_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h m_null.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h m_null.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h m_null.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h m_null.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h m_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h m_null.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h m_null.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h m_null.o: ../cryptlib.h m_null.c m_ripemd.o: ../../e_os.h ../../include/openssl/aes.h m_ripemd.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h m_ripemd.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h m_ripemd.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h m_ripemd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h m_ripemd.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h m_ripemd.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h m_ripemd.o: ../../include/openssl/err.h ../../include/openssl/evp.h m_ripemd.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h m_ripemd.o: ../../include/openssl/md2.h ../../include/openssl/md4.h m_ripemd.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h m_ripemd.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h m_ripemd.o: ../../include/openssl/opensslconf.h m_ripemd.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h m_ripemd.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h m_ripemd.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h m_ripemd.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h m_ripemd.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h m_ripemd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h m_ripemd.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h m_ripemd.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h m_ripemd.o: ../cryptlib.h m_ripemd.c m_sha.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h m_sha.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h m_sha.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h m_sha.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h m_sha.o: ../../include/openssl/des.h ../../include/openssl/des_old.h m_sha.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h m_sha.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h m_sha.o: ../../include/openssl/evp.h ../../include/openssl/idea.h m_sha.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h m_sha.o: ../../include/openssl/md4.h ../../include/openssl/md5.h m_sha.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h m_sha.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h m_sha.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h m_sha.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h m_sha.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h m_sha.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h m_sha.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h m_sha.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h m_sha.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h m_sha.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h m_sha.o: ../cryptlib.h m_sha.c m_sha1.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h m_sha1.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h m_sha1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h m_sha1.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h m_sha1.o: ../../include/openssl/des.h ../../include/openssl/des_old.h m_sha1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h m_sha1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h m_sha1.o: ../../include/openssl/evp.h ../../include/openssl/idea.h m_sha1.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h m_sha1.o: ../../include/openssl/md4.h ../../include/openssl/md5.h m_sha1.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h m_sha1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h m_sha1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h m_sha1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h m_sha1.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h m_sha1.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h m_sha1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h m_sha1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h m_sha1.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h m_sha1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h m_sha1.o: ../cryptlib.h m_sha1.c names.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h names.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h names.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h names.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h names.o: ../../include/openssl/des.h ../../include/openssl/des_old.h names.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h names.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h names.o: ../../include/openssl/evp.h ../../include/openssl/idea.h names.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h names.o: ../../include/openssl/md4.h ../../include/openssl/md5.h names.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h names.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h names.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h names.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h names.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h names.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h names.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h names.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h names.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h names.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h names.o: ../cryptlib.h names.c p5_crpt.o: ../../e_os.h ../../include/openssl/aes.h p5_crpt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p5_crpt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p5_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p5_crpt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p5_crpt.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p5_crpt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p5_crpt.o: ../../include/openssl/err.h ../../include/openssl/evp.h p5_crpt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p5_crpt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p5_crpt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p5_crpt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p5_crpt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h p5_crpt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h p5_crpt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h p5_crpt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h p5_crpt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p5_crpt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p5_crpt.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h p5_crpt.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h p5_crpt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p5_crpt.c p5_crpt2.o: ../../e_os.h ../../include/openssl/aes.h p5_crpt2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p5_crpt2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p5_crpt2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p5_crpt2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p5_crpt2.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p5_crpt2.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p5_crpt2.o: ../../include/openssl/err.h ../../include/openssl/evp.h p5_crpt2.o: ../../include/openssl/hmac.h ../../include/openssl/idea.h p5_crpt2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h p5_crpt2.o: ../../include/openssl/md4.h ../../include/openssl/md5.h p5_crpt2.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h p5_crpt2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h p5_crpt2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p5_crpt2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h p5_crpt2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h p5_crpt2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h p5_crpt2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h p5_crpt2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h p5_crpt2.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h p5_crpt2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h p5_crpt2.o: ../cryptlib.h p5_crpt2.c p_dec.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h p_dec.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h p_dec.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h p_dec.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h p_dec.o: ../../include/openssl/des.h ../../include/openssl/des_old.h p_dec.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h p_dec.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h p_dec.o: ../../include/openssl/evp.h ../../include/openssl/idea.h p_dec.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h p_dec.o: ../../include/openssl/md4.h ../../include/openssl/md5.h p_dec.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h p_dec.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h p_dec.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p_dec.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h p_dec.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h p_dec.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h p_dec.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p_dec.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p_dec.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h p_dec.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h p_dec.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_dec.c p_enc.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h p_enc.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h p_enc.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h p_enc.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h p_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h p_enc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h p_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h p_enc.o: ../../include/openssl/evp.h ../../include/openssl/idea.h p_enc.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h p_enc.o: ../../include/openssl/md4.h ../../include/openssl/md5.h p_enc.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h p_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h p_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h p_enc.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h p_enc.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h p_enc.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h p_enc.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h p_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_enc.c p_lib.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h p_lib.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h p_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p_lib.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h p_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h p_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h p_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h p_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h p_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h p_lib.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h p_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_lib.c p_open.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h p_open.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h p_open.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h p_open.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h p_open.o: ../../include/openssl/des.h ../../include/openssl/des_old.h p_open.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h p_open.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h p_open.o: ../../include/openssl/evp.h ../../include/openssl/idea.h p_open.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h p_open.o: ../../include/openssl/md4.h ../../include/openssl/md5.h p_open.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h p_open.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h p_open.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p_open.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h p_open.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h p_open.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h p_open.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h p_open.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h p_open.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h p_open.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h p_open.o: ../cryptlib.h p_open.c p_seal.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h p_seal.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h p_seal.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h p_seal.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h p_seal.o: ../../include/openssl/des.h ../../include/openssl/des_old.h p_seal.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h p_seal.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h p_seal.o: ../../include/openssl/evp.h ../../include/openssl/idea.h p_seal.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h p_seal.o: ../../include/openssl/md4.h ../../include/openssl/md5.h p_seal.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h p_seal.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h p_seal.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p_seal.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h p_seal.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h p_seal.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h p_seal.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p_seal.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p_seal.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h p_seal.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h p_seal.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_seal.c p_sign.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h p_sign.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h p_sign.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h p_sign.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h p_sign.o: ../../include/openssl/des.h ../../include/openssl/des_old.h p_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h p_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h p_sign.o: ../../include/openssl/evp.h ../../include/openssl/idea.h p_sign.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h p_sign.o: ../../include/openssl/md4.h ../../include/openssl/md5.h p_sign.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h p_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h p_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h p_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h p_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h p_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h p_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h p_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h p_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h p_sign.o: ../cryptlib.h p_sign.c p_verify.o: ../../e_os.h ../../include/openssl/aes.h p_verify.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p_verify.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p_verify.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p_verify.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p_verify.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p_verify.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p_verify.o: ../../include/openssl/err.h ../../include/openssl/evp.h p_verify.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p_verify.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p_verify.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p_verify.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p_verify.o: ../../include/openssl/opensslconf.h p_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p_verify.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h p_verify.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h p_verify.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h p_verify.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h p_verify.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h p_verify.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h p_verify.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h p_verify.o: ../cryptlib.h p_verify.c diff --git a/crypto/openssl/crypto/evp/bio_ok.c b/crypto/openssl/crypto/evp/bio_ok.c index 530ab937cea7..4e3f10141bf3 100644 --- a/crypto/openssl/crypto/evp/bio_ok.c +++ b/crypto/openssl/crypto/evp/bio_ok.c @@ -1,575 +1,575 @@ /* crypto/evp/bio_ok.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* From: Arne Ansper Why BIO_f_reliable? I wrote function which took BIO* as argument, read data from it and processed it. Then I wanted to store the input file in encrypted form. OK I pushed BIO_f_cipher to the BIO stack and everything was OK. BUT if user types wrong password BIO_f_cipher outputs only garbage and my function crashes. Yes I can and I should fix my function, but BIO_f_cipher is easy way to add encryption support to many existing applications and it's hard to debug and fix them all. So I wanted another BIO which would catch the incorrect passwords and file damages which cause garbage on BIO_f_cipher's output. The easy way is to push the BIO_f_md and save the checksum at the end of the file. However there are several problems with this approach: 1) you must somehow separate checksum from actual data. 2) you need lot's of memory when reading the file, because you must read to the end of the file and verify the checksum before letting the application to read the data. BIO_f_reliable tries to solve both problems, so that you can read and write arbitrary long streams using only fixed amount of memory. BIO_f_reliable splits data stream into blocks. Each block is prefixed with it's length and suffixed with it's digest. So you need only several Kbytes of memory to buffer single block before verifying it's digest. BIO_f_reliable goes further and adds several important capabilities: 1) the digest of the block is computed over the whole stream -- so nobody can rearrange the blocks or remove or replace them. 2) to detect invalid passwords right at the start BIO_f_reliable adds special prefix to the stream. In order to avoid known plain-text attacks this prefix is generated as follows: *) digest is initialized with random seed instead of standardized one. - *) same seed is written to ouput + *) same seed is written to output *) well-known text is then hashed and the output of the digest is also written to output. reader can now read the seed from stream, hash the same string and then compare the digest output. Bad things: BIO_f_reliable knows what's going on in EVP_Digest. I initially wrote and tested this code on x86 machine and wrote the digests out in machine-dependent order :( There are people using this code and I cannot change this easily without making existing data files unreadable. */ #include #include #include "cryptlib.h" #include #include #include #include static int ok_write(BIO *h, const char *buf, int num); static int ok_read(BIO *h, char *buf, int size); static long ok_ctrl(BIO *h, int cmd, long arg1, void *arg2); static int ok_new(BIO *h); static int ok_free(BIO *data); static long ok_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp); static void sig_out(BIO* b); static void sig_in(BIO* b); static void block_out(BIO* b); static void block_in(BIO* b); #define OK_BLOCK_SIZE (1024*4) #define OK_BLOCK_BLOCK 4 #define IOBS (OK_BLOCK_SIZE+ OK_BLOCK_BLOCK+ 3*EVP_MAX_MD_SIZE) #define WELLKNOWN "The quick brown fox jumped over the lazy dog's back." #ifndef L_ENDIAN #define swapem(x) \ ((unsigned long int)((((unsigned long int)(x) & 0x000000ffU) << 24) | \ (((unsigned long int)(x) & 0x0000ff00U) << 8) | \ (((unsigned long int)(x) & 0x00ff0000U) >> 8) | \ (((unsigned long int)(x) & 0xff000000U) >> 24))) #else #define swapem(x) (x) #endif typedef struct ok_struct { int buf_len; int buf_off; int buf_len_save; int buf_off_save; int cont; /* <= 0 when finished */ int finished; EVP_MD_CTX md; int blockout; /* output block is ready */ int sigio; /* must process signature */ unsigned char buf[IOBS]; } BIO_OK_CTX; static BIO_METHOD methods_ok= { BIO_TYPE_CIPHER,"reliable", ok_write, ok_read, NULL, /* ok_puts, */ NULL, /* ok_gets, */ ok_ctrl, ok_new, ok_free, ok_callback_ctrl, }; BIO_METHOD *BIO_f_reliable(void) { return(&methods_ok); } static int ok_new(BIO *bi) { BIO_OK_CTX *ctx; ctx=(BIO_OK_CTX *)OPENSSL_malloc(sizeof(BIO_OK_CTX)); if (ctx == NULL) return(0); ctx->buf_len=0; ctx->buf_off=0; ctx->buf_len_save=0; ctx->buf_off_save=0; ctx->cont=1; ctx->finished=0; ctx->blockout= 0; ctx->sigio=1; EVP_MD_CTX_init(&ctx->md); bi->init=0; bi->ptr=(char *)ctx; bi->flags=0; return(1); } static int ok_free(BIO *a) { if (a == NULL) return(0); EVP_MD_CTX_cleanup(&((BIO_OK_CTX *)a->ptr)->md); OPENSSL_cleanse(a->ptr,sizeof(BIO_OK_CTX)); OPENSSL_free(a->ptr); a->ptr=NULL; a->init=0; a->flags=0; return(1); } static int ok_read(BIO *b, char *out, int outl) { int ret=0,i,n; BIO_OK_CTX *ctx; if (out == NULL) return(0); ctx=(BIO_OK_CTX *)b->ptr; if ((ctx == NULL) || (b->next_bio == NULL) || (b->init == 0)) return(0); while(outl > 0) { /* copy clean bytes to output buffer */ if (ctx->blockout) { i=ctx->buf_len-ctx->buf_off; if (i > outl) i=outl; memcpy(out,&(ctx->buf[ctx->buf_off]),i); ret+=i; out+=i; outl-=i; ctx->buf_off+=i; /* all clean bytes are out */ if (ctx->buf_len == ctx->buf_off) { ctx->buf_off=0; /* copy start of the next block into proper place */ if(ctx->buf_len_save- ctx->buf_off_save > 0) { ctx->buf_len= ctx->buf_len_save- ctx->buf_off_save; memmove(ctx->buf, &(ctx->buf[ctx->buf_off_save]), ctx->buf_len); } else { ctx->buf_len=0; } ctx->blockout= 0; } } /* output buffer full -- cancel */ if (outl == 0) break; /* no clean bytes in buffer -- fill it */ n=IOBS- ctx->buf_len; i=BIO_read(b->next_bio,&(ctx->buf[ctx->buf_len]),n); if (i <= 0) break; /* nothing new */ ctx->buf_len+= i; /* no signature yet -- check if we got one */ if (ctx->sigio == 1) sig_in(b); /* signature ok -- check if we got block */ if (ctx->sigio == 0) block_in(b); /* invalid block -- cancel */ if (ctx->cont <= 0) break; } BIO_clear_retry_flags(b); BIO_copy_next_retry(b); return(ret); } static int ok_write(BIO *b, const char *in, int inl) { int ret=0,n,i; BIO_OK_CTX *ctx; ctx=(BIO_OK_CTX *)b->ptr; ret=inl; if ((ctx == NULL) || (b->next_bio == NULL) || (b->init == 0)) return(0); if(ctx->sigio) sig_out(b); do{ BIO_clear_retry_flags(b); n=ctx->buf_len-ctx->buf_off; while (ctx->blockout && n > 0) { i=BIO_write(b->next_bio,&(ctx->buf[ctx->buf_off]),n); if (i <= 0) { BIO_copy_next_retry(b); if(!BIO_should_retry(b)) ctx->cont= 0; return(i); } ctx->buf_off+=i; n-=i; } /* at this point all pending data has been written */ ctx->blockout= 0; if (ctx->buf_len == ctx->buf_off) { ctx->buf_len=OK_BLOCK_BLOCK; ctx->buf_off=0; } if ((in == NULL) || (inl <= 0)) return(0); n= (inl+ ctx->buf_len > OK_BLOCK_SIZE+ OK_BLOCK_BLOCK) ? OK_BLOCK_SIZE+ OK_BLOCK_BLOCK- ctx->buf_len : inl; memcpy((unsigned char *)(&(ctx->buf[ctx->buf_len])),(unsigned char *)in,n); ctx->buf_len+= n; inl-=n; in+=n; if(ctx->buf_len >= OK_BLOCK_SIZE+ OK_BLOCK_BLOCK) { block_out(b); } }while(inl > 0); BIO_clear_retry_flags(b); BIO_copy_next_retry(b); return(ret); } static long ok_ctrl(BIO *b, int cmd, long num, void *ptr) { BIO_OK_CTX *ctx; EVP_MD *md; const EVP_MD **ppmd; long ret=1; int i; ctx=b->ptr; switch (cmd) { case BIO_CTRL_RESET: ctx->buf_len=0; ctx->buf_off=0; ctx->buf_len_save=0; ctx->buf_off_save=0; ctx->cont=1; ctx->finished=0; ctx->blockout= 0; ctx->sigio=1; ret=BIO_ctrl(b->next_bio,cmd,num,ptr); break; case BIO_CTRL_EOF: /* More to read */ if (ctx->cont <= 0) ret=1; else ret=BIO_ctrl(b->next_bio,cmd,num,ptr); break; case BIO_CTRL_PENDING: /* More to read in buffer */ case BIO_CTRL_WPENDING: /* More to read in buffer */ ret=ctx->blockout ? ctx->buf_len-ctx->buf_off : 0; if (ret <= 0) ret=BIO_ctrl(b->next_bio,cmd,num,ptr); break; case BIO_CTRL_FLUSH: /* do a final write */ if(ctx->blockout == 0) block_out(b); while (ctx->blockout) { i=ok_write(b,NULL,0); if (i < 0) { ret=i; break; } } ctx->finished=1; ctx->buf_off=ctx->buf_len=0; ctx->cont=(int)ret; /* Finally flush the underlying BIO */ ret=BIO_ctrl(b->next_bio,cmd,num,ptr); break; case BIO_C_DO_STATE_MACHINE: BIO_clear_retry_flags(b); ret=BIO_ctrl(b->next_bio,cmd,num,ptr); BIO_copy_next_retry(b); break; case BIO_CTRL_INFO: ret=(long)ctx->cont; break; case BIO_C_SET_MD: md=ptr; EVP_DigestInit_ex(&ctx->md, md, NULL); b->init=1; break; case BIO_C_GET_MD: if (b->init) { ppmd=ptr; *ppmd=ctx->md.digest; } else ret=0; break; default: ret=BIO_ctrl(b->next_bio,cmd,num,ptr); break; } return(ret); } static long ok_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp) { long ret=1; if (b->next_bio == NULL) return(0); switch (cmd) { default: ret=BIO_callback_ctrl(b->next_bio,cmd,fp); break; } return(ret); } static void longswap(void *_ptr, int len) { #ifndef L_ENDIAN int i; char *ptr=_ptr; for(i= 0;i < len;i+= 4){ *((unsigned long *)&(ptr[i]))= swapem(*((unsigned long *)&(ptr[i]))); } #endif } static void sig_out(BIO* b) { BIO_OK_CTX *ctx; EVP_MD_CTX *md; ctx=b->ptr; md=&ctx->md; if(ctx->buf_len+ 2* md->digest->md_size > OK_BLOCK_SIZE) return; EVP_DigestInit_ex(md, md->digest, NULL); /* FIXME: there's absolutely no guarantee this makes any sense at all, * particularly now EVP_MD_CTX has been restructured. */ RAND_pseudo_bytes(md->md_data, md->digest->md_size); memcpy(&(ctx->buf[ctx->buf_len]), md->md_data, md->digest->md_size); longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size); ctx->buf_len+= md->digest->md_size; EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN)); EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL); ctx->buf_len+= md->digest->md_size; ctx->blockout= 1; ctx->sigio= 0; } static void sig_in(BIO* b) { BIO_OK_CTX *ctx; EVP_MD_CTX *md; unsigned char tmp[EVP_MAX_MD_SIZE]; int ret= 0; ctx=b->ptr; md=&ctx->md; if(ctx->buf_len- ctx->buf_off < 2* md->digest->md_size) return; EVP_DigestInit_ex(md, md->digest, NULL); memcpy(md->md_data, &(ctx->buf[ctx->buf_off]), md->digest->md_size); longswap(md->md_data, md->digest->md_size); ctx->buf_off+= md->digest->md_size; EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN)); EVP_DigestFinal_ex(md, tmp, NULL); ret= memcmp(&(ctx->buf[ctx->buf_off]), tmp, md->digest->md_size) == 0; ctx->buf_off+= md->digest->md_size; if(ret == 1) { ctx->sigio= 0; if(ctx->buf_len != ctx->buf_off) { memmove(ctx->buf, &(ctx->buf[ctx->buf_off]), ctx->buf_len- ctx->buf_off); } ctx->buf_len-= ctx->buf_off; ctx->buf_off= 0; } else { ctx->cont= 0; } } static void block_out(BIO* b) { BIO_OK_CTX *ctx; EVP_MD_CTX *md; unsigned long tl; ctx=b->ptr; md=&ctx->md; tl= ctx->buf_len- OK_BLOCK_BLOCK; tl= swapem(tl); memcpy(ctx->buf, &tl, OK_BLOCK_BLOCK); tl= swapem(tl); EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl); EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL); ctx->buf_len+= md->digest->md_size; ctx->blockout= 1; } static void block_in(BIO* b) { BIO_OK_CTX *ctx; EVP_MD_CTX *md; long tl= 0; unsigned char tmp[EVP_MAX_MD_SIZE]; ctx=b->ptr; md=&ctx->md; memcpy(&tl, ctx->buf, OK_BLOCK_BLOCK); tl= swapem(tl); if (ctx->buf_len < tl+ OK_BLOCK_BLOCK+ md->digest->md_size) return; EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl); EVP_DigestFinal_ex(md, tmp, NULL); if(memcmp(&(ctx->buf[tl+ OK_BLOCK_BLOCK]), tmp, md->digest->md_size) == 0) { /* there might be parts from next block lurking around ! */ ctx->buf_off_save= tl+ OK_BLOCK_BLOCK+ md->digest->md_size; ctx->buf_len_save= ctx->buf_len; ctx->buf_off= OK_BLOCK_BLOCK; ctx->buf_len= tl+ OK_BLOCK_BLOCK; ctx->blockout= 1; } else { ctx->cont= 0; } } diff --git a/crypto/openssl/crypto/evp/digest.c b/crypto/openssl/crypto/evp/digest.c index b22eed442115..0623ddf1f05f 100644 --- a/crypto/openssl/crypto/evp/digest.c +++ b/crypto/openssl/crypto/evp/digest.c @@ -1,325 +1,334 @@ /* crypto/evp/digest.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include "cryptlib.h" #include #include #ifndef OPENSSL_NO_ENGINE #include #endif void EVP_MD_CTX_init(EVP_MD_CTX *ctx) { memset(ctx,'\0',sizeof *ctx); } EVP_MD_CTX *EVP_MD_CTX_create(void) { EVP_MD_CTX *ctx=OPENSSL_malloc(sizeof *ctx); EVP_MD_CTX_init(ctx); return ctx; } int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type) { EVP_MD_CTX_init(ctx); return EVP_DigestInit_ex(ctx, type, NULL); } int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) { EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED); #ifndef OPENSSL_NO_ENGINE /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts * so this context may already have an ENGINE! Try to avoid releasing * the previous handle, re-querying for an ENGINE, and having a * reinitialisation, when it may all be unecessary. */ if (ctx->engine && ctx->digest && (!type || (type && (type->type == ctx->digest->type)))) goto skip_to_init; if (type) { /* Ensure an ENGINE left lying around from last time is cleared * (the previous check attempted to avoid this if the same * ENGINE and EVP_MD could be used). */ if(ctx->engine) ENGINE_finish(ctx->engine); if(impl) { if (!ENGINE_init(impl)) { EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_INITIALIZATION_ERROR); return 0; } } else /* Ask if an ENGINE is reserved for this job */ impl = ENGINE_get_digest_engine(type->type); if(impl) { /* There's an ENGINE for this job ... (apparently) */ const EVP_MD *d = ENGINE_get_digest(impl, type->type); if(!d) { /* Same comment from evp_enc.c */ EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_INITIALIZATION_ERROR); return 0; } /* We'll use the ENGINE's private digest definition */ type = d; /* Store the ENGINE functional reference so we know * 'type' came from an ENGINE and we need to release * it when done. */ ctx->engine = impl; } else ctx->engine = NULL; } else if(!ctx->digest) { EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_NO_DIGEST_SET); return 0; } #endif if (ctx->digest != type) { if (ctx->digest && ctx->digest->ctx_size) OPENSSL_free(ctx->md_data); ctx->digest=type; if (type->ctx_size) ctx->md_data=OPENSSL_malloc(type->ctx_size); } #ifndef OPENSSL_NO_ENGINE skip_to_init: #endif return ctx->digest->init(ctx); } int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, unsigned int count) { return ctx->digest->update(ctx,data,(unsigned long)count); } /* The caller can assume that this removes any secret data from the context */ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) { int ret; ret = EVP_DigestFinal_ex(ctx, md, size); EVP_MD_CTX_cleanup(ctx); return ret; } /* The caller can assume that this removes any secret data from the context */ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) { int ret; OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret=ctx->digest->final(ctx,md); if (size != NULL) *size=ctx->digest->md_size; if (ctx->digest->cleanup) { ctx->digest->cleanup(ctx); EVP_MD_CTX_set_flags(ctx,EVP_MD_CTX_FLAG_CLEANED); } memset(ctx->md_data,0,ctx->digest->ctx_size); return ret; } int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) { EVP_MD_CTX_init(out); return EVP_MD_CTX_copy_ex(out, in); } int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) { + unsigned char *tmp_buf; if ((in == NULL) || (in->digest == NULL)) { EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED); return 0; } #ifndef OPENSSL_NO_ENGINE /* Make sure it's safe to copy a digest context using an ENGINE */ if (in->engine && !ENGINE_init(in->engine)) { EVPerr(EVP_F_EVP_MD_CTX_COPY,ERR_R_ENGINE_LIB); return 0; } #endif + if (out->digest == in->digest) + { + tmp_buf = out->md_data; + EVP_MD_CTX_set_flags(out,EVP_MD_CTX_FLAG_REUSE); + } + else tmp_buf = NULL; EVP_MD_CTX_cleanup(out); memcpy(out,in,sizeof *out); if (out->digest->ctx_size) { - out->md_data=OPENSSL_malloc(out->digest->ctx_size); + if (tmp_buf) out->md_data = tmp_buf; + else out->md_data=OPENSSL_malloc(out->digest->ctx_size); memcpy(out->md_data,in->md_data,out->digest->ctx_size); } - + if (out->digest->copy) return out->digest->copy(out,in); return 1; } int EVP_Digest(void *data, unsigned int count, unsigned char *md, unsigned int *size, const EVP_MD *type, ENGINE *impl) { EVP_MD_CTX ctx; int ret; EVP_MD_CTX_init(&ctx); EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT); ret=EVP_DigestInit_ex(&ctx, type, impl) && EVP_DigestUpdate(&ctx, data, count) && EVP_DigestFinal_ex(&ctx, md, size); EVP_MD_CTX_cleanup(&ctx); return ret; } void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) { EVP_MD_CTX_cleanup(ctx); OPENSSL_free(ctx); } /* This call frees resources associated with the context */ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) { /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, * because sometimes only copies of the context are ever finalised. */ if (ctx->digest && ctx->digest->cleanup && !EVP_MD_CTX_test_flags(ctx,EVP_MD_CTX_FLAG_CLEANED)) ctx->digest->cleanup(ctx); - if (ctx->digest && ctx->digest->ctx_size && ctx->md_data) + if (ctx->digest && ctx->digest->ctx_size && ctx->md_data + && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) { OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); } #ifndef OPENSSL_NO_ENGINE if(ctx->engine) /* The EVP_MD we used belongs to an ENGINE, release the * functional reference we held for this reason. */ ENGINE_finish(ctx->engine); #endif memset(ctx,'\0',sizeof *ctx); return 1; } diff --git a/crypto/openssl/crypto/evp/evp.h b/crypto/openssl/crypto/evp/evp.h index 45a25f968d9f..4801d8eaa3b5 100644 --- a/crypto/openssl/crypto/evp/evp.h +++ b/crypto/openssl/crypto/evp/evp.h @@ -1,900 +1,902 @@ /* crypto/evp/evp.h */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #ifndef HEADER_ENVELOPE_H #define HEADER_ENVELOPE_H #ifdef OPENSSL_ALGORITHM_DEFINES # include #else # define OPENSSL_ALGORITHM_DEFINES # include # undef OPENSSL_ALGORITHM_DEFINES #endif #include #include #ifndef OPENSSL_NO_BIO #include #endif #ifndef OPENSSL_NO_MD2 #include #endif #ifndef OPENSSL_NO_MD4 #include #endif #ifndef OPENSSL_NO_MD5 #include #endif #ifndef OPENSSL_NO_SHA #include #endif #ifndef OPENSSL_NO_RIPEMD #include #endif #ifndef OPENSSL_NO_DES #include #endif #ifndef OPENSSL_NO_RC4 #include #endif #ifndef OPENSSL_NO_RC2 #include #endif #ifndef OPENSSL_NO_RC5 #include #endif #ifndef OPENSSL_NO_BF #include #endif #ifndef OPENSSL_NO_CAST #include #endif #ifndef OPENSSL_NO_IDEA #include #endif #ifndef OPENSSL_NO_MDC2 #include #endif #ifndef OPENSSL_NO_AES #include #endif /* #define EVP_RC2_KEY_SIZE 16 #define EVP_RC4_KEY_SIZE 16 #define EVP_BLOWFISH_KEY_SIZE 16 #define EVP_CAST5_KEY_SIZE 16 #define EVP_RC5_32_12_16_KEY_SIZE 16 */ #define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */ #define EVP_MAX_KEY_LENGTH 32 #define EVP_MAX_IV_LENGTH 16 #define EVP_MAX_BLOCK_LENGTH 32 #define PKCS5_SALT_LEN 8 /* Default PKCS#5 iteration count */ #define PKCS5_DEFAULT_ITER 2048 #ifndef OPENSSL_NO_RSA #include #endif #ifndef OPENSSL_NO_DSA #include #endif #ifndef OPENSSL_NO_DH #include #endif #include #define EVP_PK_RSA 0x0001 #define EVP_PK_DSA 0x0002 #define EVP_PK_DH 0x0004 #define EVP_PKT_SIGN 0x0010 #define EVP_PKT_ENC 0x0020 #define EVP_PKT_EXCH 0x0040 #define EVP_PKS_RSA 0x0100 #define EVP_PKS_DSA 0x0200 #define EVP_PKT_EXP 0x1000 /* <= 512 bit key */ #define EVP_PKEY_NONE NID_undef #define EVP_PKEY_RSA NID_rsaEncryption #define EVP_PKEY_RSA2 NID_rsa #define EVP_PKEY_DSA NID_dsa #define EVP_PKEY_DSA1 NID_dsa_2 #define EVP_PKEY_DSA2 NID_dsaWithSHA #define EVP_PKEY_DSA3 NID_dsaWithSHA1 #define EVP_PKEY_DSA4 NID_dsaWithSHA1_2 #define EVP_PKEY_DH NID_dhKeyAgreement #ifdef __cplusplus extern "C" { #endif /* Type needs to be a bit field * Sub-type needs to be for variations on the method, as in, can it do * arbitrary encryption.... */ struct evp_pkey_st { int type; int save_type; int references; union { char *ptr; #ifndef OPENSSL_NO_RSA struct rsa_st *rsa; /* RSA */ #endif #ifndef OPENSSL_NO_DSA struct dsa_st *dsa; /* DSA */ #endif #ifndef OPENSSL_NO_DH struct dh_st *dh; /* DH */ #endif } pkey; int save_parameters; STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */ } /* EVP_PKEY */; #define EVP_PKEY_MO_SIGN 0x0001 #define EVP_PKEY_MO_VERIFY 0x0002 #define EVP_PKEY_MO_ENCRYPT 0x0004 #define EVP_PKEY_MO_DECRYPT 0x0008 #if 0 /* This structure is required to tie the message digest and signing together. * The lookup can be done by md/pkey_method, oid, oid/pkey_method, or * oid, md and pkey. * This is required because for various smart-card perform the digest and * signing/verification on-board. To handle this case, the specific * EVP_MD and EVP_PKEY_METHODs need to be closely associated. * When a PKEY is created, it will have a EVP_PKEY_METHOD associated with it. * This can either be software or a token to provide the required low level * routines. */ typedef struct evp_pkey_md_st { int oid; EVP_MD *md; EVP_PKEY_METHOD *pkey; } EVP_PKEY_MD; #define EVP_rsa_md2() \ EVP_PKEY_MD_add(NID_md2WithRSAEncryption,\ EVP_rsa_pkcs1(),EVP_md2()) #define EVP_rsa_md5() \ EVP_PKEY_MD_add(NID_md5WithRSAEncryption,\ EVP_rsa_pkcs1(),EVP_md5()) #define EVP_rsa_sha0() \ EVP_PKEY_MD_add(NID_shaWithRSAEncryption,\ EVP_rsa_pkcs1(),EVP_sha()) #define EVP_rsa_sha1() \ EVP_PKEY_MD_add(NID_sha1WithRSAEncryption,\ EVP_rsa_pkcs1(),EVP_sha1()) #define EVP_rsa_ripemd160() \ EVP_PKEY_MD_add(NID_ripemd160WithRSA,\ EVP_rsa_pkcs1(),EVP_ripemd160()) #define EVP_rsa_mdc2() \ EVP_PKEY_MD_add(NID_mdc2WithRSA,\ EVP_rsa_octet_string(),EVP_mdc2()) #define EVP_dsa_sha() \ EVP_PKEY_MD_add(NID_dsaWithSHA,\ EVP_dsa(),EVP_sha()) #define EVP_dsa_sha1() \ EVP_PKEY_MD_add(NID_dsaWithSHA1,\ EVP_dsa(),EVP_sha1()) typedef struct evp_pkey_method_st { char *name; int flags; int type; /* RSA, DSA, an SSLeay specific constant */ int oid; /* For the pub-key type */ int encrypt_oid; /* pub/priv key encryption */ int (*sign)(); int (*verify)(); struct { int (*set)(); /* get and/or set the underlying type */ int (*get)(); int (*encrypt)(); int (*decrypt)(); int (*i2d)(); int (*d2i)(); int (*dup)(); } pub,priv; int (*set_asn1_parameters)(); int (*get_asn1_parameters)(); } EVP_PKEY_METHOD; #endif #ifndef EVP_MD struct env_md_st { int type; int pkey_type; int md_size; unsigned long flags; int (*init)(EVP_MD_CTX *ctx); int (*update)(EVP_MD_CTX *ctx,const void *data,unsigned long count); int (*final)(EVP_MD_CTX *ctx,unsigned char *md); int (*copy)(EVP_MD_CTX *to,const EVP_MD_CTX *from); int (*cleanup)(EVP_MD_CTX *ctx); /* FIXME: prototype these some day */ int (*sign)(); int (*verify)(); int required_pkey_type[5]; /*EVP_PKEY_xxx */ int block_size; int ctx_size; /* how big does the ctx->md_data need to be */ } /* EVP_MD */; #define EVP_MD_FLAG_ONESHOT 0x0001 /* digest can only handle a single * block */ #define EVP_PKEY_NULL_method NULL,NULL,{0,0,0,0} #ifndef OPENSSL_NO_DSA #define EVP_PKEY_DSA_method DSA_sign,DSA_verify, \ {EVP_PKEY_DSA,EVP_PKEY_DSA2,EVP_PKEY_DSA3, \ EVP_PKEY_DSA4,0} #else #define EVP_PKEY_DSA_method EVP_PKEY_NULL_method #endif #ifndef OPENSSL_NO_RSA #define EVP_PKEY_RSA_method RSA_sign,RSA_verify, \ {EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0} #define EVP_PKEY_RSA_ASN1_OCTET_STRING_method \ RSA_sign_ASN1_OCTET_STRING, \ RSA_verify_ASN1_OCTET_STRING, \ {EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0} #else #define EVP_PKEY_RSA_method EVP_PKEY_NULL_method #define EVP_PKEY_RSA_ASN1_OCTET_STRING_method EVP_PKEY_NULL_method #endif #endif /* !EVP_MD */ struct env_md_ctx_st { const EVP_MD *digest; ENGINE *engine; /* functional reference if 'digest' is ENGINE-provided */ unsigned long flags; void *md_data; } /* EVP_MD_CTX */; /* values for EVP_MD_CTX flags */ #define EVP_MD_CTX_FLAG_ONESHOT 0x0001 /* digest update will be called * once only */ #define EVP_MD_CTX_FLAG_CLEANED 0x0002 /* context has already been * cleaned */ +#define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data + * in EVP_MD_CTX_cleanup */ struct evp_cipher_st { int nid; int block_size; int key_len; /* Default value for variable length ciphers */ int iv_len; unsigned long flags; /* Various flags */ int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); /* init key */ int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl);/* encrypt/decrypt data */ int (*cleanup)(EVP_CIPHER_CTX *); /* cleanup ctx */ int ctx_size; /* how big ctx->cipher_data needs to be */ int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Populate a ASN1_TYPE with parameters */ int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Get parameters from a ASN1_TYPE */ int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr); /* Miscellaneous operations */ void *app_data; /* Application data */ } /* EVP_CIPHER */; /* Values for cipher flags */ /* Modes for ciphers */ #define EVP_CIPH_STREAM_CIPHER 0x0 #define EVP_CIPH_ECB_MODE 0x1 #define EVP_CIPH_CBC_MODE 0x2 #define EVP_CIPH_CFB_MODE 0x3 #define EVP_CIPH_OFB_MODE 0x4 #define EVP_CIPH_MODE 0x7 /* Set if variable length cipher */ #define EVP_CIPH_VARIABLE_LENGTH 0x8 /* Set if the iv handling should be done by the cipher itself */ #define EVP_CIPH_CUSTOM_IV 0x10 /* Set if the cipher's init() function should be called if key is NULL */ #define EVP_CIPH_ALWAYS_CALL_INIT 0x20 /* Call ctrl() to init cipher parameters */ #define EVP_CIPH_CTRL_INIT 0x40 /* Don't use standard key length function */ #define EVP_CIPH_CUSTOM_KEY_LENGTH 0x80 /* Don't use standard block padding */ #define EVP_CIPH_NO_PADDING 0x100 /* ctrl() values */ #define EVP_CTRL_INIT 0x0 #define EVP_CTRL_SET_KEY_LENGTH 0x1 #define EVP_CTRL_GET_RC2_KEY_BITS 0x2 #define EVP_CTRL_SET_RC2_KEY_BITS 0x3 #define EVP_CTRL_GET_RC5_ROUNDS 0x4 #define EVP_CTRL_SET_RC5_ROUNDS 0x5 typedef struct evp_cipher_info_st { const EVP_CIPHER *cipher; unsigned char iv[EVP_MAX_IV_LENGTH]; } EVP_CIPHER_INFO; struct evp_cipher_ctx_st { const EVP_CIPHER *cipher; ENGINE *engine; /* functional reference if 'cipher' is ENGINE-provided */ int encrypt; /* encrypt or decrypt */ int buf_len; /* number we have left */ unsigned char oiv[EVP_MAX_IV_LENGTH]; /* original iv */ unsigned char iv[EVP_MAX_IV_LENGTH]; /* working iv */ unsigned char buf[EVP_MAX_BLOCK_LENGTH];/* saved partial block */ int num; /* used by cfb/ofb mode */ void *app_data; /* application stuff */ int key_len; /* May change for variable length cipher */ unsigned long flags; /* Various flags */ void *cipher_data; /* per EVP data */ int final_used; int block_mask; unsigned char final[EVP_MAX_BLOCK_LENGTH];/* possible final block */ } /* EVP_CIPHER_CTX */; typedef struct evp_Encode_Ctx_st { int num; /* number saved in a partial encode/decode */ int length; /* The length is either the output line length * (in input bytes) or the shortest input line * length that is ok. Once decoding begins, * the length is adjusted up each time a longer * line is decoded */ unsigned char enc_data[80]; /* data to encode */ int line_num; /* number read on current line */ int expect_nl; } EVP_ENCODE_CTX; /* Password based encryption function */ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de); #ifndef OPENSSL_NO_RSA #define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\ (char *)(rsa)) #endif #ifndef OPENSSL_NO_DSA #define EVP_PKEY_assign_DSA(pkey,dsa) EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\ (char *)(dsa)) #endif #ifndef OPENSSL_NO_DH #define EVP_PKEY_assign_DH(pkey,dh) EVP_PKEY_assign((pkey),EVP_PKEY_DH,\ (char *)(dh)) #endif /* Add some extra combinations */ #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a)) #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a)) #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a)) #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a)) #define EVP_MD_type(e) ((e)->type) #define EVP_MD_nid(e) EVP_MD_type(e) #define EVP_MD_name(e) OBJ_nid2sn(EVP_MD_nid(e)) #define EVP_MD_pkey_type(e) ((e)->pkey_type) #define EVP_MD_size(e) ((e)->md_size) #define EVP_MD_block_size(e) ((e)->block_size) #define EVP_MD_CTX_md(e) ((e)->digest) #define EVP_MD_CTX_size(e) EVP_MD_size((e)->digest) #define EVP_MD_CTX_block_size(e) EVP_MD_block_size((e)->digest) #define EVP_MD_CTX_type(e) EVP_MD_type((e)->digest) #define EVP_CIPHER_nid(e) ((e)->nid) #define EVP_CIPHER_name(e) OBJ_nid2sn(EVP_CIPHER_nid(e)) #define EVP_CIPHER_block_size(e) ((e)->block_size) #define EVP_CIPHER_key_length(e) ((e)->key_len) #define EVP_CIPHER_iv_length(e) ((e)->iv_len) #define EVP_CIPHER_flags(e) ((e)->flags) #define EVP_CIPHER_mode(e) (((e)->flags) & EVP_CIPH_MODE) #define EVP_CIPHER_CTX_cipher(e) ((e)->cipher) #define EVP_CIPHER_CTX_nid(e) ((e)->cipher->nid) #define EVP_CIPHER_CTX_block_size(e) ((e)->cipher->block_size) #define EVP_CIPHER_CTX_key_length(e) ((e)->key_len) #define EVP_CIPHER_CTX_iv_length(e) ((e)->cipher->iv_len) #define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) #define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d)) #define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c)) #define EVP_CIPHER_CTX_flags(e) ((e)->cipher->flags) #define EVP_CIPHER_CTX_mode(e) ((e)->cipher->flags & EVP_CIPH_MODE) #define EVP_ENCODE_LENGTH(l) (((l+2)/3*4)+(l/48+1)*2+80) #define EVP_DECODE_LENGTH(l) ((l+3)/4*3+80) #define EVP_SignInit_ex(a,b,c) EVP_DigestInit_ex(a,b,c) #define EVP_SignInit(a,b) EVP_DigestInit(a,b) #define EVP_SignUpdate(a,b,c) EVP_DigestUpdate(a,b,c) #define EVP_VerifyInit_ex(a,b,c) EVP_DigestInit_ex(a,b,c) #define EVP_VerifyInit(a,b) EVP_DigestInit(a,b) #define EVP_VerifyUpdate(a,b,c) EVP_DigestUpdate(a,b,c) #define EVP_OpenUpdate(a,b,c,d,e) EVP_DecryptUpdate(a,b,c,d,e) #define EVP_SealUpdate(a,b,c,d,e) EVP_EncryptUpdate(a,b,c,d,e) #ifdef CONST_STRICT void BIO_set_md(BIO *,const EVP_MD *md); #else # define BIO_set_md(b,md) BIO_ctrl(b,BIO_C_SET_MD,0,(char *)md) #endif #define BIO_get_md(b,mdp) BIO_ctrl(b,BIO_C_GET_MD,0,(char *)mdp) #define BIO_get_md_ctx(b,mdcp) BIO_ctrl(b,BIO_C_GET_MD_CTX,0,(char *)mdcp) #define BIO_get_cipher_status(b) BIO_ctrl(b,BIO_C_GET_CIPHER_STATUS,0,NULL) #define BIO_get_cipher_ctx(b,c_pp) BIO_ctrl(b,BIO_C_GET_CIPHER_CTX,0,(char *)c_pp) #define EVP_Cipher(c,o,i,l) (c)->cipher->do_cipher((c),(o),(i),(l)) #define EVP_add_cipher_alias(n,alias) \ OBJ_NAME_add((alias),OBJ_NAME_TYPE_CIPHER_METH|OBJ_NAME_ALIAS,(n)) #define EVP_add_digest_alias(n,alias) \ OBJ_NAME_add((alias),OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS,(n)) #define EVP_delete_cipher_alias(alias) \ OBJ_NAME_remove(alias,OBJ_NAME_TYPE_CIPHER_METH|OBJ_NAME_ALIAS); #define EVP_delete_digest_alias(alias) \ OBJ_NAME_remove(alias,OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS); void EVP_MD_CTX_init(EVP_MD_CTX *ctx); int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx); EVP_MD_CTX *EVP_MD_CTX_create(void); void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx); int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in); #define EVP_MD_CTX_set_flags(ctx,flgs) ((ctx)->flags|=(flgs)) #define EVP_MD_CTX_clear_flags(ctx,flgs) ((ctx)->flags&=~(flgs)) #define EVP_MD_CTX_test_flags(ctx,flgs) ((ctx)->flags&(flgs)) int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); int EVP_DigestUpdate(EVP_MD_CTX *ctx,const void *d, unsigned int cnt); int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s); int EVP_Digest(void *data, unsigned int count, unsigned char *md, unsigned int *size, const EVP_MD *type, ENGINE *impl); int EVP_MD_CTX_copy(EVP_MD_CTX *out,const EVP_MD_CTX *in); int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type); int EVP_DigestFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s); int EVP_read_pw_string(char *buf,int length,const char *prompt,int verify); void EVP_set_pw_prompt(char *prompt); char * EVP_get_pw_prompt(void); int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md, const unsigned char *salt, const unsigned char *data, int datal, int count, unsigned char *key,unsigned char *iv); int EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, const unsigned char *key, const unsigned char *iv); int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key, const unsigned char *iv); int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl); int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); int EVP_DecryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, const unsigned char *key, const unsigned char *iv); int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key, const unsigned char *iv); int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl); int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); int EVP_CipherInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, const unsigned char *key,const unsigned char *iv, int enc); int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key,const unsigned char *iv, int enc); int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl); int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); int EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s, EVP_PKEY *pkey); int EVP_VerifyFinal(EVP_MD_CTX *ctx,unsigned char *sigbuf, unsigned int siglen,EVP_PKEY *pkey); int EVP_OpenInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,unsigned char *ek, int ekl,unsigned char *iv,EVP_PKEY *priv); int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek, int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk); int EVP_SealFinal(EVP_CIPHER_CTX *ctx,unsigned char *out,int *outl); void EVP_EncodeInit(EVP_ENCODE_CTX *ctx); void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out, int *outl,unsigned char *in,int inl); void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl); int EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int n); void EVP_DecodeInit(EVP_ENCODE_CTX *ctx); int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl, unsigned char *in, int inl); int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl); int EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n); void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a); int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen); int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *c, int pad); int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); #ifndef OPENSSL_NO_BIO BIO_METHOD *BIO_f_md(void); BIO_METHOD *BIO_f_base64(void); BIO_METHOD *BIO_f_cipher(void); BIO_METHOD *BIO_f_reliable(void); void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,unsigned char *k, unsigned char *i, int enc); #endif const EVP_MD *EVP_md_null(void); #ifndef OPENSSL_NO_MD2 const EVP_MD *EVP_md2(void); #endif #ifndef OPENSSL_NO_MD4 const EVP_MD *EVP_md4(void); #endif #ifndef OPENSSL_NO_MD5 const EVP_MD *EVP_md5(void); #endif #ifndef OPENSSL_NO_SHA const EVP_MD *EVP_sha(void); const EVP_MD *EVP_sha1(void); const EVP_MD *EVP_dss(void); const EVP_MD *EVP_dss1(void); #endif #ifndef OPENSSL_NO_MDC2 const EVP_MD *EVP_mdc2(void); #endif #ifndef OPENSSL_NO_RIPEMD const EVP_MD *EVP_ripemd160(void); #endif const EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */ #ifndef OPENSSL_NO_DES const EVP_CIPHER *EVP_des_ecb(void); const EVP_CIPHER *EVP_des_ede(void); const EVP_CIPHER *EVP_des_ede3(void); const EVP_CIPHER *EVP_des_ede_ecb(void); const EVP_CIPHER *EVP_des_ede3_ecb(void); const EVP_CIPHER *EVP_des_cfb(void); const EVP_CIPHER *EVP_des_ede_cfb(void); const EVP_CIPHER *EVP_des_ede3_cfb(void); const EVP_CIPHER *EVP_des_ofb(void); const EVP_CIPHER *EVP_des_ede_ofb(void); const EVP_CIPHER *EVP_des_ede3_ofb(void); const EVP_CIPHER *EVP_des_cbc(void); const EVP_CIPHER *EVP_des_ede_cbc(void); const EVP_CIPHER *EVP_des_ede3_cbc(void); const EVP_CIPHER *EVP_desx_cbc(void); /* This should now be supported through the dev_crypto ENGINE. But also, why are * rc4 and md5 declarations made here inside a "NO_DES" precompiler branch? */ #if 0 # ifdef OPENSSL_OPENBSD_DEV_CRYPTO const EVP_CIPHER *EVP_dev_crypto_des_ede3_cbc(void); const EVP_CIPHER *EVP_dev_crypto_rc4(void); const EVP_MD *EVP_dev_crypto_md5(void); # endif #endif #endif #ifndef OPENSSL_NO_RC4 const EVP_CIPHER *EVP_rc4(void); const EVP_CIPHER *EVP_rc4_40(void); #endif #ifndef OPENSSL_NO_IDEA const EVP_CIPHER *EVP_idea_ecb(void); const EVP_CIPHER *EVP_idea_cfb(void); const EVP_CIPHER *EVP_idea_ofb(void); const EVP_CIPHER *EVP_idea_cbc(void); #endif #ifndef OPENSSL_NO_RC2 const EVP_CIPHER *EVP_rc2_ecb(void); const EVP_CIPHER *EVP_rc2_cbc(void); const EVP_CIPHER *EVP_rc2_40_cbc(void); const EVP_CIPHER *EVP_rc2_64_cbc(void); const EVP_CIPHER *EVP_rc2_cfb(void); const EVP_CIPHER *EVP_rc2_ofb(void); #endif #ifndef OPENSSL_NO_BF const EVP_CIPHER *EVP_bf_ecb(void); const EVP_CIPHER *EVP_bf_cbc(void); const EVP_CIPHER *EVP_bf_cfb(void); const EVP_CIPHER *EVP_bf_ofb(void); #endif #ifndef OPENSSL_NO_CAST const EVP_CIPHER *EVP_cast5_ecb(void); const EVP_CIPHER *EVP_cast5_cbc(void); const EVP_CIPHER *EVP_cast5_cfb(void); const EVP_CIPHER *EVP_cast5_ofb(void); #endif #ifndef OPENSSL_NO_RC5 const EVP_CIPHER *EVP_rc5_32_12_16_cbc(void); const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void); const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void); const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void); #endif #ifndef OPENSSL_NO_AES const EVP_CIPHER *EVP_aes_128_ecb(void); const EVP_CIPHER *EVP_aes_128_cbc(void); const EVP_CIPHER *EVP_aes_128_cfb(void); const EVP_CIPHER *EVP_aes_128_ofb(void); #if 0 const EVP_CIPHER *EVP_aes_128_ctr(void); #endif const EVP_CIPHER *EVP_aes_192_ecb(void); const EVP_CIPHER *EVP_aes_192_cbc(void); const EVP_CIPHER *EVP_aes_192_cfb(void); const EVP_CIPHER *EVP_aes_192_ofb(void); #if 0 const EVP_CIPHER *EVP_aes_192_ctr(void); #endif const EVP_CIPHER *EVP_aes_256_ecb(void); const EVP_CIPHER *EVP_aes_256_cbc(void); const EVP_CIPHER *EVP_aes_256_cfb(void); const EVP_CIPHER *EVP_aes_256_ofb(void); #if 0 const EVP_CIPHER *EVP_aes_256_ctr(void); #endif #endif void OPENSSL_add_all_algorithms_noconf(void); void OPENSSL_add_all_algorithms_conf(void); #ifdef OPENSSL_LOAD_CONF #define OpenSSL_add_all_algorithms() \ OPENSSL_add_all_algorithms_conf() #else #define OpenSSL_add_all_algorithms() \ OPENSSL_add_all_algorithms_noconf() #endif void OpenSSL_add_all_ciphers(void); void OpenSSL_add_all_digests(void); #define SSLeay_add_all_algorithms() OpenSSL_add_all_algorithms() #define SSLeay_add_all_ciphers() OpenSSL_add_all_ciphers() #define SSLeay_add_all_digests() OpenSSL_add_all_digests() int EVP_add_cipher(const EVP_CIPHER *cipher); int EVP_add_digest(const EVP_MD *digest); const EVP_CIPHER *EVP_get_cipherbyname(const char *name); const EVP_MD *EVP_get_digestbyname(const char *name); void EVP_cleanup(void); int EVP_PKEY_decrypt(unsigned char *dec_key,unsigned char *enc_key, int enc_key_len,EVP_PKEY *private_key); int EVP_PKEY_encrypt(unsigned char *enc_key, unsigned char *key,int key_len,EVP_PKEY *pub_key); int EVP_PKEY_type(int type); int EVP_PKEY_bits(EVP_PKEY *pkey); int EVP_PKEY_size(EVP_PKEY *pkey); int EVP_PKEY_assign(EVP_PKEY *pkey,int type,char *key); #ifndef OPENSSL_NO_RSA struct rsa_st; int EVP_PKEY_set1_RSA(EVP_PKEY *pkey,struct rsa_st *key); struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey); #endif #ifndef OPENSSL_NO_DSA struct dsa_st; int EVP_PKEY_set1_DSA(EVP_PKEY *pkey,struct dsa_st *key); struct dsa_st *EVP_PKEY_get1_DSA(EVP_PKEY *pkey); #endif #ifndef OPENSSL_NO_DH struct dh_st; int EVP_PKEY_set1_DH(EVP_PKEY *pkey,struct dh_st *key); struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey); #endif EVP_PKEY * EVP_PKEY_new(void); void EVP_PKEY_free(EVP_PKEY *pkey); EVP_PKEY * d2i_PublicKey(int type,EVP_PKEY **a, unsigned char **pp, long length); int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp); EVP_PKEY * d2i_PrivateKey(int type,EVP_PKEY **a, unsigned char **pp, long length); EVP_PKEY * d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp, long length); int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp); int EVP_PKEY_copy_parameters(EVP_PKEY *to,EVP_PKEY *from); int EVP_PKEY_missing_parameters(EVP_PKEY *pkey); int EVP_PKEY_save_parameters(EVP_PKEY *pkey,int mode); int EVP_PKEY_cmp_parameters(EVP_PKEY *a,EVP_PKEY *b); int EVP_CIPHER_type(const EVP_CIPHER *ctx); /* calls methods */ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type); int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type); /* These are used by EVP_CIPHER methods */ int EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *c,ASN1_TYPE *type); int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *c,ASN1_TYPE *type); /* PKCS5 password based encryption */ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de); int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, unsigned char *salt, int saltlen, int iter, int keylen, unsigned char *out); int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de); void PKCS5_PBE_add(void); int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen, ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de); int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md, EVP_PBE_KEYGEN *keygen); void EVP_PBE_cleanup(void); /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ void ERR_load_EVP_strings(void); /* Error codes for the EVP functions. */ /* Function codes. */ #define EVP_F_D2I_PKEY 100 #define EVP_F_EVP_CIPHERINIT 123 #define EVP_F_EVP_CIPHER_CTX_CTRL 124 #define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122 #define EVP_F_EVP_DECRYPTFINAL 101 #define EVP_F_EVP_DIGESTINIT 128 #define EVP_F_EVP_ENCRYPTFINAL 127 #define EVP_F_EVP_MD_CTX_COPY 110 #define EVP_F_EVP_OPENINIT 102 #define EVP_F_EVP_PBE_ALG_ADD 115 #define EVP_F_EVP_PBE_CIPHERINIT 116 #define EVP_F_EVP_PKCS82PKEY 111 #define EVP_F_EVP_PKCS8_SET_BROKEN 112 #define EVP_F_EVP_PKEY2PKCS8 113 #define EVP_F_EVP_PKEY_COPY_PARAMETERS 103 #define EVP_F_EVP_PKEY_DECRYPT 104 #define EVP_F_EVP_PKEY_ENCRYPT 105 #define EVP_F_EVP_PKEY_GET1_DH 119 #define EVP_F_EVP_PKEY_GET1_DSA 120 #define EVP_F_EVP_PKEY_GET1_RSA 121 #define EVP_F_EVP_PKEY_NEW 106 #define EVP_F_EVP_RIJNDAEL 126 #define EVP_F_EVP_SIGNFINAL 107 #define EVP_F_EVP_VERIFYFINAL 108 #define EVP_F_PKCS5_PBE_KEYIVGEN 117 #define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118 #define EVP_F_RC2_MAGIC_TO_METH 109 #define EVP_F_RC5_CTRL 125 /* Reason codes. */ #define EVP_R_BAD_BLOCK_LENGTH 136 #define EVP_R_BAD_DECRYPT 100 #define EVP_R_BAD_KEY_LENGTH 137 #define EVP_R_BN_DECODE_ERROR 112 #define EVP_R_BN_PUBKEY_ERROR 113 #define EVP_R_CIPHER_PARAMETER_ERROR 122 #define EVP_R_CTRL_NOT_IMPLEMENTED 132 #define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133 #define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 #define EVP_R_DECODE_ERROR 114 #define EVP_R_DIFFERENT_KEY_TYPES 101 #define EVP_R_ENCODE_ERROR 115 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 #define EVP_R_EXPECTING_AN_RSA_KEY 127 #define EVP_R_EXPECTING_A_DH_KEY 128 #define EVP_R_EXPECTING_A_DSA_KEY 129 #define EVP_R_INITIALIZATION_ERROR 134 #define EVP_R_INPUT_NOT_INITIALIZED 111 #define EVP_R_INVALID_KEY_LENGTH 130 #define EVP_R_IV_TOO_LARGE 102 #define EVP_R_KEYGEN_FAILURE 120 #define EVP_R_MISSING_PARAMETERS 103 #define EVP_R_NO_CIPHER_SET 131 #define EVP_R_NO_DIGEST_SET 139 #define EVP_R_NO_DSA_PARAMETERS 116 #define EVP_R_NO_SIGN_FUNCTION_CONFIGURED 104 #define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED 105 #define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE 117 #define EVP_R_PUBLIC_KEY_NOT_RSA 106 #define EVP_R_UNKNOWN_PBE_ALGORITHM 121 #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135 #define EVP_R_UNSUPPORTED_CIPHER 107 #define EVP_R_UNSUPPORTED_KEYLENGTH 123 #define EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION 124 #define EVP_R_UNSUPPORTED_KEY_SIZE 108 #define EVP_R_UNSUPPORTED_PRF 125 #define EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM 118 #define EVP_R_UNSUPPORTED_SALT_TYPE 126 #define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 #define EVP_R_WRONG_PUBLIC_KEY_TYPE 110 #ifdef __cplusplus } #endif #endif diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c index be0758a87965..8ea5aa935dda 100644 --- a/crypto/openssl/crypto/evp/evp_enc.c +++ b/crypto/openssl/crypto/evp/evp_enc.c @@ -1,521 +1,533 @@ /* crypto/evp/evp_enc.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include "cryptlib.h" #include #include #ifndef OPENSSL_NO_ENGINE #include #endif #include "evp_locl.h" const char *EVP_version="EVP" OPENSSL_VERSION_PTEXT; void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) { memset(ctx,0,sizeof(EVP_CIPHER_CTX)); /* ctx->cipher=NULL; */ } int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, const unsigned char *key, const unsigned char *iv, int enc) { if (cipher) EVP_CIPHER_CTX_init(ctx); return EVP_CipherInit_ex(ctx,cipher,NULL,key,iv,enc); } int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc) { if (enc == -1) enc = ctx->encrypt; else { if (enc) enc = 1; ctx->encrypt = enc; } #ifndef OPENSSL_NO_ENGINE /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts * so this context may already have an ENGINE! Try to avoid releasing * the previous handle, re-querying for an ENGINE, and having a * reinitialisation, when it may all be unecessary. */ if (ctx->engine && ctx->cipher && (!cipher || (cipher && (cipher->nid == ctx->cipher->nid)))) goto skip_to_init; #endif if (cipher) { /* Ensure a context left lying around from last time is cleared * (the previous check attempted to avoid this if the same * ENGINE and EVP_CIPHER could be used). */ EVP_CIPHER_CTX_cleanup(ctx); /* Restore encrypt field: it is zeroed by cleanup */ ctx->encrypt = enc; #ifndef OPENSSL_NO_ENGINE if(impl) { if (!ENGINE_init(impl)) { EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_INITIALIZATION_ERROR); return 0; } } else /* Ask if an ENGINE is reserved for this job */ impl = ENGINE_get_cipher_engine(cipher->nid); if(impl) { /* There's an ENGINE for this job ... (apparently) */ const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid); if(!c) { /* One positive side-effect of US's export * control history, is that we should at least * be able to avoid using US mispellings of * "initialisation"? */ EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_INITIALIZATION_ERROR); return 0; } /* We'll use the ENGINE's private cipher definition */ cipher = c; /* Store the ENGINE functional reference so we know * 'cipher' came from an ENGINE and we need to release * it when done. */ ctx->engine = impl; } else ctx->engine = NULL; #endif ctx->cipher=cipher; - ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size); + if (ctx->cipher->ctx_size) + { + ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size); + if (!ctx->cipher_data) + { + EVPerr(EVP_F_EVP_CIPHERINIT, ERR_R_MALLOC_FAILURE); + return 0; + } + } + else + { + ctx->cipher_data = NULL; + } ctx->key_len = cipher->key_len; ctx->flags = 0; if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_INITIALIZATION_ERROR); return 0; } } } else if(!ctx->cipher) { EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_NO_CIPHER_SET); return 0; } #ifndef OPENSSL_NO_ENGINE skip_to_init: #endif /* we assume block size is a power of 2 in *cryptUpdate */ OPENSSL_assert(ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || ctx->cipher->block_size == 16); if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) { switch(EVP_CIPHER_CTX_mode(ctx)) { case EVP_CIPH_STREAM_CIPHER: case EVP_CIPH_ECB_MODE: break; case EVP_CIPH_CFB_MODE: case EVP_CIPH_OFB_MODE: ctx->num = 0; case EVP_CIPH_CBC_MODE: OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) <= sizeof ctx->iv); if(iv) memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx)); memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx)); break; default: return 0; break; } } if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { if(!ctx->cipher->init(ctx,key,iv,enc)) return 0; } ctx->buf_len=0; ctx->final_used=0; ctx->block_mask=ctx->cipher->block_size-1; return 1; } int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { if (ctx->encrypt) return EVP_EncryptUpdate(ctx,out,outl,in,inl); else return EVP_DecryptUpdate(ctx,out,outl,in,inl); } int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { if (ctx->encrypt) return EVP_EncryptFinal_ex(ctx,out,outl); else return EVP_DecryptFinal_ex(ctx,out,outl); } int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { if (ctx->encrypt) return EVP_EncryptFinal(ctx,out,outl); else return EVP_DecryptFinal(ctx,out,outl); } int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, const unsigned char *key, const unsigned char *iv) { return EVP_CipherInit(ctx, cipher, key, iv, 1); } int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key, const unsigned char *iv) { return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1); } int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, const unsigned char *key, const unsigned char *iv) { return EVP_CipherInit(ctx, cipher, key, iv, 0); } int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key, const unsigned char *iv) { return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0); } int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { int i,j,bl; OPENSSL_assert(inl > 0); if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0) { if(ctx->cipher->do_cipher(ctx,out,in,inl)) { *outl=inl; return 1; } else { *outl=0; return 0; } } i=ctx->buf_len; bl=ctx->cipher->block_size; OPENSSL_assert(bl <= sizeof ctx->buf); if (i != 0) { if (i+inl < bl) { memcpy(&(ctx->buf[i]),in,inl); ctx->buf_len+=inl; *outl=0; return 1; } else { j=bl-i; memcpy(&(ctx->buf[i]),in,j); if(!ctx->cipher->do_cipher(ctx,out,ctx->buf,bl)) return 0; inl-=j; in+=j; out+=bl; *outl=bl; } } else *outl = 0; i=inl&(bl-1); inl-=i; if (inl > 0) { if(!ctx->cipher->do_cipher(ctx,out,in,inl)) return 0; *outl+=inl; } if (i != 0) memcpy(ctx->buf,&(in[inl]),i); ctx->buf_len=i; return 1; } int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { int ret; ret = EVP_EncryptFinal_ex(ctx, out, outl); return ret; } int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { int i,n,b,bl,ret; b=ctx->cipher->block_size; OPENSSL_assert(b <= sizeof ctx->buf); if (b == 1) { *outl=0; return 1; } bl=ctx->buf_len; if (ctx->flags & EVP_CIPH_NO_PADDING) { if(bl) { EVPerr(EVP_F_EVP_ENCRYPTFINAL,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); return 0; } *outl = 0; return 1; } n=b-bl; for (i=bl; ibuf[i]=n; ret=ctx->cipher->do_cipher(ctx,out,ctx->buf,b); if(ret) *outl=b; return ret; } int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { int b, fix_len; if (inl == 0) { *outl=0; return 1; } if (ctx->flags & EVP_CIPH_NO_PADDING) return EVP_EncryptUpdate(ctx, out, outl, in, inl); b=ctx->cipher->block_size; OPENSSL_assert(b <= sizeof ctx->final); if(ctx->final_used) { memcpy(out,ctx->final,b); out+=b; fix_len = 1; } else fix_len = 0; if(!EVP_EncryptUpdate(ctx,out,outl,in,inl)) return 0; /* if we have 'decrypted' a multiple of block size, make sure * we have a copy of this last block */ if (b > 1 && !ctx->buf_len) { *outl-=b; ctx->final_used=1; memcpy(ctx->final,&out[*outl],b); } else ctx->final_used = 0; if (fix_len) *outl += b; return 1; } int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { int ret; ret = EVP_DecryptFinal_ex(ctx, out, outl); return ret; } int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { int i,b; int n; *outl=0; b=ctx->cipher->block_size; if (ctx->flags & EVP_CIPH_NO_PADDING) { if(ctx->buf_len) { EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); return 0; } *outl = 0; return 1; } if (b > 1) { if (ctx->buf_len || !ctx->final_used) { EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_WRONG_FINAL_BLOCK_LENGTH); return(0); } OPENSSL_assert(b <= sizeof ctx->final); n=ctx->final[b-1]; if (n > b) { EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT); return(0); } for (i=0; ifinal[--b] != n) { EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT); return(0); } } n=ctx->cipher->block_size-n; for (i=0; ifinal[i]; *outl=n; } else *outl=0; return(1); } int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) { if (c->cipher != NULL) { if(c->cipher->cleanup && !c->cipher->cleanup(c)) return 0; /* Cleanse cipher context data */ if (c->cipher_data) OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size); } if (c->cipher_data) OPENSSL_free(c->cipher_data); #ifndef OPENSSL_NO_ENGINE if (c->engine) /* The EVP_CIPHER we used belongs to an ENGINE, release the * functional reference we held for this reason. */ ENGINE_finish(c->engine); #endif memset(c,0,sizeof(EVP_CIPHER_CTX)); return 1; } int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen) { if(c->cipher->flags & EVP_CIPH_CUSTOM_KEY_LENGTH) return EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_KEY_LENGTH, keylen, NULL); if(c->key_len == keylen) return 1; if((keylen > 0) && (c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) { c->key_len = keylen; return 1; } EVPerr(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,EVP_R_INVALID_KEY_LENGTH); return 0; } int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad) { if (pad) ctx->flags &= ~EVP_CIPH_NO_PADDING; else ctx->flags |= EVP_CIPH_NO_PADDING; return 1; } int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) { int ret; if(!ctx->cipher) { EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_NO_CIPHER_SET); return 0; } if(!ctx->cipher->ctrl) { EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_CTRL_NOT_IMPLEMENTED); return 0; } ret = ctx->cipher->ctrl(ctx, type, arg, ptr); if(ret == -1) { EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED); return 0; } return ret; } diff --git a/crypto/openssl/crypto/evp/evp_pbe.c b/crypto/openssl/crypto/evp/evp_pbe.c index 0da88fdcffe2..91e545a1416d 100644 --- a/crypto/openssl/crypto/evp/evp_pbe.c +++ b/crypto/openssl/crypto/evp/evp_pbe.c @@ -1,136 +1,136 @@ /* evp_pbe.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 1999. */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include "cryptlib.h" #include #include /* Password based encryption (PBE) functions */ static STACK *pbe_algs; /* Setup a cipher context from a PBE algorithm */ typedef struct { int pbe_nid; const EVP_CIPHER *cipher; const EVP_MD *md; EVP_PBE_KEYGEN *keygen; } EVP_PBE_CTL; int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen, ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de) { EVP_PBE_CTL *pbetmp, pbelu; int i; pbelu.pbe_nid = OBJ_obj2nid(pbe_obj); if (pbelu.pbe_nid != NID_undef) i = sk_find(pbe_algs, (char *)&pbelu); else i = -1; if (i == -1) { char obj_tmp[80]; EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_PBE_ALGORITHM); - if (!pbe_obj) strcpy (obj_tmp, "NULL"); + if (!pbe_obj) BUF_strlcpy (obj_tmp, "NULL", sizeof obj_tmp); else i2t_ASN1_OBJECT(obj_tmp, sizeof obj_tmp, pbe_obj); ERR_add_error_data(2, "TYPE=", obj_tmp); return 0; } if(!pass) passlen = 0; else if (passlen == -1) passlen = strlen(pass); pbetmp = (EVP_PBE_CTL *)sk_value (pbe_algs, i); i = (*pbetmp->keygen)(ctx, pass, passlen, param, pbetmp->cipher, pbetmp->md, en_de); if (!i) { EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_KEYGEN_FAILURE); return 0; } return 1; } static int pbe_cmp(const char * const *a, const char * const *b) { EVP_PBE_CTL **pbe1 = (EVP_PBE_CTL **) a, **pbe2 = (EVP_PBE_CTL **)b; return ((*pbe1)->pbe_nid - (*pbe2)->pbe_nid); } /* Add a PBE algorithm */ int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md, EVP_PBE_KEYGEN *keygen) { EVP_PBE_CTL *pbe_tmp; if (!pbe_algs) pbe_algs = sk_new(pbe_cmp); if (!(pbe_tmp = (EVP_PBE_CTL*) OPENSSL_malloc (sizeof(EVP_PBE_CTL)))) { EVPerr(EVP_F_EVP_PBE_ALG_ADD,ERR_R_MALLOC_FAILURE); return 0; } pbe_tmp->pbe_nid = nid; pbe_tmp->cipher = cipher; pbe_tmp->md = md; pbe_tmp->keygen = keygen; sk_push (pbe_algs, (char *)pbe_tmp); return 1; } void EVP_PBE_cleanup(void) { sk_pop_free(pbe_algs, OPENSSL_freeFunc); pbe_algs = NULL; } diff --git a/crypto/openssl/crypto/evp/evp_pkey.c b/crypto/openssl/crypto/evp/evp_pkey.c index 34b5b1d21ccb..eb481ec661da 100644 --- a/crypto/openssl/crypto/evp/evp_pkey.c +++ b/crypto/openssl/crypto/evp/evp_pkey.c @@ -1,412 +1,412 @@ /* evp_pkey.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 1999. */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include "cryptlib.h" #include #include #ifndef OPENSSL_NO_DSA static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8inf, EVP_PKEY *pkey); #endif /* Extract a private key from a PKCS8 structure */ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8) { EVP_PKEY *pkey = NULL; #ifndef OPENSSL_NO_RSA RSA *rsa = NULL; #endif #ifndef OPENSSL_NO_DSA DSA *dsa = NULL; ASN1_INTEGER *privkey; ASN1_TYPE *t1, *t2, *param = NULL; STACK_OF(ASN1_TYPE) *ndsa = NULL; BN_CTX *ctx = NULL; int plen; #endif X509_ALGOR *a; unsigned char *p; const unsigned char *cp; int pkeylen; char obj_tmp[80]; if(p8->pkey->type == V_ASN1_OCTET_STRING) { p8->broken = PKCS8_OK; p = p8->pkey->value.octet_string->data; pkeylen = p8->pkey->value.octet_string->length; } else { p8->broken = PKCS8_NO_OCTET; p = p8->pkey->value.sequence->data; pkeylen = p8->pkey->value.sequence->length; } if (!(pkey = EVP_PKEY_new())) { EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE); return NULL; } a = p8->pkeyalg; switch (OBJ_obj2nid(a->algorithm)) { #ifndef OPENSSL_NO_RSA case NID_rsaEncryption: cp = p; if (!(rsa = d2i_RSAPrivateKey (NULL,&cp, pkeylen))) { EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR); return NULL; } EVP_PKEY_assign_RSA (pkey, rsa); break; #endif #ifndef OPENSSL_NO_DSA case NID_dsa: /* PKCS#8 DSA is weird: you just get a private key integer * and parameters in the AlgorithmIdentifier the pubkey must * be recalculated. */ /* Check for broken DSA PKCS#8, UGH! */ if(*p == (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) { if(!(ndsa = ASN1_seq_unpack_ASN1_TYPE(p, pkeylen, d2i_ASN1_TYPE, ASN1_TYPE_free))) { EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR); goto dsaerr; } if(sk_ASN1_TYPE_num(ndsa) != 2 ) { EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR); goto dsaerr; } /* Handle Two broken types: * SEQUENCE {parameters, priv_key} * SEQUENCE {pub_key, priv_key} */ t1 = sk_ASN1_TYPE_value(ndsa, 0); t2 = sk_ASN1_TYPE_value(ndsa, 1); if(t1->type == V_ASN1_SEQUENCE) { p8->broken = PKCS8_EMBEDDED_PARAM; param = t1; } else if(a->parameter->type == V_ASN1_SEQUENCE) { p8->broken = PKCS8_NS_DB; param = a->parameter; } else { EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR); goto dsaerr; } if(t2->type != V_ASN1_INTEGER) { EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR); goto dsaerr; } privkey = t2->value.integer; } else { if (!(privkey=d2i_ASN1_INTEGER (NULL, &p, pkeylen))) { EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR); goto dsaerr; } param = p8->pkeyalg->parameter; } if (!param || (param->type != V_ASN1_SEQUENCE)) { EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR); goto dsaerr; } cp = p = param->value.sequence->data; plen = param->value.sequence->length; if (!(dsa = d2i_DSAparams (NULL, &cp, plen))) { EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR); goto dsaerr; } /* We have parameters now set private key */ if (!(dsa->priv_key = ASN1_INTEGER_to_BN(privkey, NULL))) { EVPerr(EVP_F_EVP_PKCS82PKEY,EVP_R_BN_DECODE_ERROR); goto dsaerr; } /* Calculate public key (ouch!) */ if (!(dsa->pub_key = BN_new())) { EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE); goto dsaerr; } if (!(ctx = BN_CTX_new())) { EVPerr(EVP_F_EVP_PKCS82PKEY,ERR_R_MALLOC_FAILURE); goto dsaerr; } if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) { EVPerr(EVP_F_EVP_PKCS82PKEY,EVP_R_BN_PUBKEY_ERROR); goto dsaerr; } EVP_PKEY_assign_DSA(pkey, dsa); BN_CTX_free (ctx); if(ndsa) sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); else ASN1_INTEGER_free(privkey); break; dsaerr: BN_CTX_free (ctx); sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); DSA_free(dsa); EVP_PKEY_free(pkey); return NULL; break; #endif default: EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM); - if (!a->algorithm) strcpy (obj_tmp, "NULL"); + if (!a->algorithm) BUF_strlcpy (obj_tmp, "NULL", sizeof obj_tmp); else i2t_ASN1_OBJECT(obj_tmp, 80, a->algorithm); ERR_add_error_data(2, "TYPE=", obj_tmp); EVP_PKEY_free (pkey); return NULL; } return pkey; } PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey) { return EVP_PKEY2PKCS8_broken(pkey, PKCS8_OK); } /* Turn a private key into a PKCS8 structure */ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken) { PKCS8_PRIV_KEY_INFO *p8; if (!(p8 = PKCS8_PRIV_KEY_INFO_new())) { EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); return NULL; } p8->broken = broken; ASN1_INTEGER_set (p8->version, 0); if (!(p8->pkeyalg->parameter = ASN1_TYPE_new ())) { EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); PKCS8_PRIV_KEY_INFO_free (p8); return NULL; } p8->pkey->type = V_ASN1_OCTET_STRING; switch (EVP_PKEY_type(pkey->type)) { #ifndef OPENSSL_NO_RSA case EVP_PKEY_RSA: if(p8->broken == PKCS8_NO_OCTET) p8->pkey->type = V_ASN1_SEQUENCE; p8->pkeyalg->algorithm = OBJ_nid2obj(NID_rsaEncryption); p8->pkeyalg->parameter->type = V_ASN1_NULL; if (!ASN1_pack_string ((char *)pkey, i2d_PrivateKey, &p8->pkey->value.octet_string)) { EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); PKCS8_PRIV_KEY_INFO_free (p8); return NULL; } break; #endif #ifndef OPENSSL_NO_DSA case EVP_PKEY_DSA: if(!dsa_pkey2pkcs8(p8, pkey)) { PKCS8_PRIV_KEY_INFO_free (p8); return NULL; } break; #endif default: EVPerr(EVP_F_EVP_PKEY2PKCS8, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM); PKCS8_PRIV_KEY_INFO_free (p8); return NULL; } RAND_add(p8->pkey->value.octet_string->data, p8->pkey->value.octet_string->length, 0); return p8; } PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken) { switch (broken) { case PKCS8_OK: p8->broken = PKCS8_OK; return p8; break; case PKCS8_NO_OCTET: p8->broken = PKCS8_NO_OCTET; p8->pkey->type = V_ASN1_SEQUENCE; return p8; break; default: EVPerr(EVP_F_EVP_PKCS8_SET_BROKEN,EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE); return NULL; break; } } #ifndef OPENSSL_NO_DSA static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey) { ASN1_STRING *params; ASN1_INTEGER *prkey; ASN1_TYPE *ttmp; STACK_OF(ASN1_TYPE) *ndsa; unsigned char *p, *q; int len; p8->pkeyalg->algorithm = OBJ_nid2obj(NID_dsa); len = i2d_DSAparams (pkey->pkey.dsa, NULL); if (!(p = OPENSSL_malloc(len))) { EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); PKCS8_PRIV_KEY_INFO_free (p8); return 0; } q = p; i2d_DSAparams (pkey->pkey.dsa, &q); params = ASN1_STRING_new(); ASN1_STRING_set(params, p, len); OPENSSL_free(p); /* Get private key into integer */ if (!(prkey = BN_to_ASN1_INTEGER (pkey->pkey.dsa->priv_key, NULL))) { EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR); return 0; } switch(p8->broken) { case PKCS8_OK: case PKCS8_NO_OCTET: if (!ASN1_pack_string((char *)prkey, i2d_ASN1_INTEGER, &p8->pkey->value.octet_string)) { EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); M_ASN1_INTEGER_free (prkey); return 0; } M_ASN1_INTEGER_free (prkey); p8->pkeyalg->parameter->value.sequence = params; p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE; break; case PKCS8_NS_DB: p8->pkeyalg->parameter->value.sequence = params; p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE; ndsa = sk_ASN1_TYPE_new_null(); ttmp = ASN1_TYPE_new(); if (!(ttmp->value.integer = BN_to_ASN1_INTEGER (pkey->pkey.dsa->pub_key, NULL))) { EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR); PKCS8_PRIV_KEY_INFO_free(p8); return 0; } ttmp->type = V_ASN1_INTEGER; sk_ASN1_TYPE_push(ndsa, ttmp); ttmp = ASN1_TYPE_new(); ttmp->value.integer = prkey; ttmp->type = V_ASN1_INTEGER; sk_ASN1_TYPE_push(ndsa, ttmp); p8->pkey->value.octet_string = ASN1_OCTET_STRING_new(); if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE, &p8->pkey->value.octet_string->data, &p8->pkey->value.octet_string->length)) { EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); M_ASN1_INTEGER_free(prkey); return 0; } sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); break; case PKCS8_EMBEDDED_PARAM: p8->pkeyalg->parameter->type = V_ASN1_NULL; ndsa = sk_ASN1_TYPE_new_null(); ttmp = ASN1_TYPE_new(); ttmp->value.sequence = params; ttmp->type = V_ASN1_SEQUENCE; sk_ASN1_TYPE_push(ndsa, ttmp); ttmp = ASN1_TYPE_new(); ttmp->value.integer = prkey; ttmp->type = V_ASN1_INTEGER; sk_ASN1_TYPE_push(ndsa, ttmp); p8->pkey->value.octet_string = ASN1_OCTET_STRING_new(); if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE, &p8->pkey->value.octet_string->data, &p8->pkey->value.octet_string->length)) { EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE); sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); M_ASN1_INTEGER_free (prkey); return 0; } sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); break; } return 1; } #endif diff --git a/crypto/openssl/crypto/hmac/Makefile.ssl b/crypto/openssl/crypto/hmac/Makefile.ssl index d48df0597e02..f1c07322c4bb 100644 --- a/crypto/openssl/crypto/hmac/Makefile.ssl +++ b/crypto/openssl/crypto/hmac/Makefile.ssl @@ -1,101 +1,101 @@ # # SSLeay/crypto/md/Makefile # DIR= hmac TOP= ../.. CC= cc INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST=hmactest.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC=hmac.c LIBOBJ=hmac.o SRC= $(LIBSRC) EXHEADER= hmac.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. hmac.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h hmac.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h hmac.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h hmac.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h hmac.o: ../../include/openssl/des.h ../../include/openssl/des_old.h hmac.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h hmac.o: ../../include/openssl/evp.h ../../include/openssl/hmac.h hmac.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h hmac.o: ../../include/openssl/md2.h ../../include/openssl/md4.h hmac.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h hmac.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h hmac.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h hmac.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h hmac.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h hmac.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h hmac.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h hmac.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h hmac.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h hmac.o: ../cryptlib.h hmac.c diff --git a/crypto/openssl/crypto/idea/Makefile.ssl b/crypto/openssl/crypto/idea/Makefile.ssl index ca4b76fc2f4a..fa016ea399e3 100644 --- a/crypto/openssl/crypto/idea/Makefile.ssl +++ b/crypto/openssl/crypto/idea/Makefile.ssl @@ -1,91 +1,91 @@ # # SSLeay/crypto/idea/Makefile # DIR= idea TOP= ../.. CC= cc INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST=ideatest.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC=i_cbc.c i_cfb64.c i_ofb64.c i_ecb.c i_skey.c LIBOBJ=i_cbc.o i_cfb64.o i_ofb64.o i_ecb.o i_skey.o SRC= $(LIBSRC) EXHEADER= idea.h HEADER= idea_lcl.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. i_cbc.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h i_cbc.o: i_cbc.c idea_lcl.h i_cfb64.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h i_cfb64.o: i_cfb64.c idea_lcl.h i_ecb.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h i_ecb.o: ../../include/openssl/opensslv.h i_ecb.c idea_lcl.h i_ofb64.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h i_ofb64.o: i_ofb64.c idea_lcl.h i_skey.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h i_skey.o: i_skey.c idea_lcl.h diff --git a/crypto/openssl/crypto/krb5/Makefile.ssl b/crypto/openssl/crypto/krb5/Makefile.ssl index 7136d7a4023c..d9224c0f092d 100644 --- a/crypto/openssl/crypto/krb5/Makefile.ssl +++ b/crypto/openssl/crypto/krb5/Makefile.ssl @@ -1,90 +1,90 @@ # # OpenSSL/krb5/Makefile.ssl # DIR= krb5 TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile README TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= krb5_asn.c LIBOBJ= krb5_asn.o SRC= $(LIBSRC) EXHEADER= krb5_asn.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile ; + @sh $(TOP)/util/point.sh Makefile.ssl Makefile ; @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. krb5_asn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h krb5_asn.o: ../../include/openssl/bio.h ../../include/openssl/bn.h krb5_asn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h krb5_asn.o: ../../include/openssl/krb5_asn.h krb5_asn.o: ../../include/openssl/opensslconf.h krb5_asn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h krb5_asn.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h krb5_asn.o: ../../include/openssl/symhacks.h krb5_asn.c diff --git a/crypto/openssl/crypto/lhash/Makefile.ssl b/crypto/openssl/crypto/lhash/Makefile.ssl index 1902e4a8998d..60e7ee339315 100644 --- a/crypto/openssl/crypto/lhash/Makefile.ssl +++ b/crypto/openssl/crypto/lhash/Makefile.ssl @@ -1,93 +1,93 @@ # # SSLeay/crypto/lhash/Makefile # DIR= lhash TOP= ../.. CC= cc INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC=lhash.c lh_stats.c LIBOBJ=lhash.o lh_stats.o SRC= $(LIBSRC) EXHEADER= lhash.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. lh_stats.o: ../../e_os.h ../../include/openssl/bio.h lh_stats.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h lh_stats.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h lh_stats.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h lh_stats.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h lh_stats.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h lh_stats.o: ../cryptlib.h lh_stats.c lhash.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h lhash.o: ../../include/openssl/e_os2.h ../../include/openssl/lhash.h lhash.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h lhash.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h lhash.o: ../../include/openssl/symhacks.h lhash.c diff --git a/crypto/openssl/crypto/md2/Makefile.ssl b/crypto/openssl/crypto/md2/Makefile.ssl index e5b3265a442e..3206924c900a 100644 --- a/crypto/openssl/crypto/md2/Makefile.ssl +++ b/crypto/openssl/crypto/md2/Makefile.ssl @@ -1,93 +1,93 @@ # # SSLeay/crypto/md/Makefile # DIR= md2 TOP= ../.. CC= cc INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST=md2test.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC=md2_dgst.c md2_one.c LIBOBJ=md2_dgst.o md2_one.o SRC= $(LIBSRC) EXHEADER= md2.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. md2_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h md2_dgst.o: ../../include/openssl/md2.h ../../include/openssl/opensslconf.h md2_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h md2_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h md2_dgst.o: md2_dgst.c md2_one.o: ../../e_os.h ../../include/openssl/bio.h md2_one.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h md2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h md2_one.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h md2_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h md2_one.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h md2_one.o: ../../include/openssl/symhacks.h ../cryptlib.h md2_one.c diff --git a/crypto/openssl/crypto/md4/Makefile.ssl b/crypto/openssl/crypto/md4/Makefile.ssl index 4d2d7369e621..7d2e8d8d3b31 100644 --- a/crypto/openssl/crypto/md4/Makefile.ssl +++ b/crypto/openssl/crypto/md4/Makefile.ssl @@ -1,91 +1,91 @@ # # SSLeay/crypto/md4/Makefile # DIR= md4 TOP= ../.. CC= cc CPP= $(CC) -E INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST=md4test.c APPS=md4.c LIB=$(TOP)/libcrypto.a LIBSRC=md4_dgst.c md4_one.c LIBOBJ=md4_dgst.o md4_one.o SRC= $(LIBSRC) EXHEADER= md4.h HEADER= md4_locl.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f asm/mx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. md4_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/md4.h md4_dgst.o: ../../include/openssl/opensslconf.h md4_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md4_dgst.c md4_dgst.o: md4_locl.h md4_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h md4_one.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h md4_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h md4_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h md4_one.o: md4_one.c diff --git a/crypto/openssl/crypto/md5/Makefile.ssl b/crypto/openssl/crypto/md5/Makefile.ssl index 2d4df972ffb6..2361775a2dc8 100644 --- a/crypto/openssl/crypto/md5/Makefile.ssl +++ b/crypto/openssl/crypto/md5/Makefile.ssl @@ -1,127 +1,127 @@ # # SSLeay/crypto/md5/Makefile # DIR= md5 TOP= ../.. CC= cc CPP= $(CC) -E INCLUDES=-I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r MD5_ASM_OBJ= CFLAGS= $(INCLUDES) $(CFLAG) ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=md5test.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC=md5_dgst.c md5_one.c LIBOBJ=md5_dgst.o md5_one.o $(MD5_ASM_OBJ) SRC= $(LIBSRC) EXHEADER= md5.h HEADER= md5_locl.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib # elf asm/mx86-elf.s: asm/md5-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) md5-586.pl elf $(CFLAGS) > mx86-elf.s) # a.out asm/mx86-out.o: asm/mx86unix.cpp $(CPP) -DOUT asm/mx86unix.cpp | as -o asm/mx86-out.o # bsdi asm/mx86bsdi.o: asm/mx86unix.cpp $(CPP) -DBSDI asm/mx86unix.cpp | sed 's/ :/:/' | as -o asm/mx86bsdi.o asm/mx86unix.cpp: asm/md5-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) md5-586.pl cpp >mx86unix.cpp) asm/md5-sparcv8plus.o: asm/md5-sparcv9.S $(CC) $(ASFLAGS) -DMD5_BLOCK_DATA_ORDER -c \ -o asm/md5-sparcv8plus.o asm/md5-sparcv9.S # Old GNU assembler doesn't understand V9 instructions, so we # hire /usr/ccs/bin/as to do the job. Note that option is called # *-gcc27, but even gcc 2>=8 users may experience similar problem # if they didn't bother to upgrade GNU assembler. Such users should # not choose this option, but be adviced to *remove* GNU assembler # or upgrade it. asm/md5-sparcv8plus-gcc27.o: asm/md5-sparcv9.S $(CC) $(ASFLAGS) -DMD5_BLOCK_DATA_ORDER -E asm/md5-sparcv9.S | \ /usr/ccs/bin/as -xarch=v8plus - -o asm/md5-sparcv8plus-gcc27.o asm/md5-sparcv9.o: asm/md5-sparcv9.S $(CC) $(ASFLAGS) -DMD5_BLOCK_DATA_ORDER -c \ -o asm/md5-sparcv9.o asm/md5-sparcv9.S files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f asm/mx86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. md5_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/md5.h md5_dgst.o: ../../include/openssl/opensslconf.h md5_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md5_dgst.c md5_dgst.o: md5_locl.h md5_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h md5_one.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h md5_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h md5_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h md5_one.o: md5_one.c diff --git a/crypto/openssl/crypto/mdc2/Makefile.ssl b/crypto/openssl/crypto/mdc2/Makefile.ssl index 387d7f8cd895..33f366fb087d 100644 --- a/crypto/openssl/crypto/mdc2/Makefile.ssl +++ b/crypto/openssl/crypto/mdc2/Makefile.ssl @@ -1,98 +1,98 @@ # # SSLeay/crypto/mdc2/Makefile # DIR= mdc2 TOP= ../.. CC= cc INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= mdc2test.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC=mdc2dgst.c mdc2_one.c LIBOBJ=mdc2dgst.o mdc2_one.o SRC= $(LIBSRC) EXHEADER= mdc2.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. mdc2_one.o: ../../e_os.h ../../include/openssl/bio.h mdc2_one.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h mdc2_one.o: ../../include/openssl/des.h ../../include/openssl/des_old.h mdc2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h mdc2_one.o: ../../include/openssl/lhash.h ../../include/openssl/mdc2.h mdc2_one.o: ../../include/openssl/opensslconf.h mdc2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h mdc2_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h mdc2_one.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h mdc2_one.o: ../cryptlib.h mdc2_one.c mdc2dgst.o: ../../include/openssl/crypto.h ../../include/openssl/des.h mdc2dgst.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h mdc2dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/opensslconf.h mdc2dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h mdc2dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h mdc2dgst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h mdc2dgst.o: mdc2dgst.c diff --git a/crypto/openssl/crypto/mem.c b/crypto/openssl/crypto/mem.c index 29df7d35b248..dd86733b7705 100644 --- a/crypto/openssl/crypto/mem.c +++ b/crypto/openssl/crypto/mem.c @@ -1,397 +1,401 @@ /* crypto/mem.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include "cryptlib.h" static int allow_customize = 1; /* we provide flexible functions for */ static int allow_customize_debug = 1;/* exchanging memory-related functions at * run-time, but this must be done * before any blocks are actually * allocated; or we'll run into huge * problems when malloc/free pairs * don't match etc. */ /* the following pointers may be changed as long as 'allow_customize' is set */ static void *(*malloc_func)(size_t) = malloc; static void *default_malloc_ex(size_t num, const char *file, int line) { return malloc_func(num); } static void *(*malloc_ex_func)(size_t, const char *file, int line) = default_malloc_ex; static void *(*realloc_func)(void *, size_t)= realloc; static void *default_realloc_ex(void *str, size_t num, const char *file, int line) { return realloc_func(str,num); } static void *(*realloc_ex_func)(void *, size_t, const char *file, int line) = default_realloc_ex; static void (*free_func)(void *) = free; static void *(*malloc_locked_func)(size_t) = malloc; static void *default_malloc_locked_ex(size_t num, const char *file, int line) { return malloc_locked_func(num); } static void *(*malloc_locked_ex_func)(size_t, const char *file, int line) = default_malloc_locked_ex; static void (*free_locked_func)(void *) = free; /* may be changed as long as 'allow_customize_debug' is set */ /* XXX use correct function pointer types */ #ifdef CRYPTO_MDEBUG /* use default functions from mem_dbg.c */ static void (*malloc_debug_func)(void *,int,const char *,int,int) = CRYPTO_dbg_malloc; static void (*realloc_debug_func)(void *,void *,int,const char *,int,int) = CRYPTO_dbg_realloc; static void (*free_debug_func)(void *,int) = CRYPTO_dbg_free; static void (*set_debug_options_func)(long) = CRYPTO_dbg_set_options; static long (*get_debug_options_func)(void) = CRYPTO_dbg_get_options; #else /* applications can use CRYPTO_malloc_debug_init() to select above case * at run-time */ static void (*malloc_debug_func)(void *,int,const char *,int,int) = NULL; static void (*realloc_debug_func)(void *,void *,int,const char *,int,int) = NULL; static void (*free_debug_func)(void *,int) = NULL; static void (*set_debug_options_func)(long) = NULL; static long (*get_debug_options_func)(void) = NULL; #endif int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t), void (*f)(void *)) { if (!allow_customize) return 0; if ((m == 0) || (r == 0) || (f == 0)) return 0; malloc_func=m; malloc_ex_func=default_malloc_ex; realloc_func=r; realloc_ex_func=default_realloc_ex; free_func=f; malloc_locked_func=m; malloc_locked_ex_func=default_malloc_locked_ex; free_locked_func=f; return 1; } int CRYPTO_set_mem_ex_functions( void *(*m)(size_t,const char *,int), void *(*r)(void *, size_t,const char *,int), void (*f)(void *)) { if (!allow_customize) return 0; if ((m == 0) || (r == 0) || (f == 0)) return 0; malloc_func=0; malloc_ex_func=m; realloc_func=0; realloc_ex_func=r; free_func=f; malloc_locked_func=0; malloc_locked_ex_func=m; free_locked_func=f; return 1; } int CRYPTO_set_locked_mem_functions(void *(*m)(size_t), void (*f)(void *)) { if (!allow_customize) return 0; if ((m == NULL) || (f == NULL)) return 0; malloc_locked_func=m; malloc_locked_ex_func=default_malloc_locked_ex; free_locked_func=f; return 1; } int CRYPTO_set_locked_mem_ex_functions( void *(*m)(size_t,const char *,int), void (*f)(void *)) { if (!allow_customize) return 0; if ((m == NULL) || (f == NULL)) return 0; malloc_locked_func=0; malloc_locked_ex_func=m; free_func=f; return 1; } int CRYPTO_set_mem_debug_functions(void (*m)(void *,int,const char *,int,int), void (*r)(void *,void *,int,const char *,int,int), void (*f)(void *,int), void (*so)(long), long (*go)(void)) { if (!allow_customize_debug) return 0; malloc_debug_func=m; realloc_debug_func=r; free_debug_func=f; set_debug_options_func=so; get_debug_options_func=go; return 1; } void CRYPTO_get_mem_functions(void *(**m)(size_t), void *(**r)(void *, size_t), void (**f)(void *)) { if (m != NULL) *m = (malloc_ex_func == default_malloc_ex) ? malloc_func : 0; if (r != NULL) *r = (realloc_ex_func == default_realloc_ex) ? realloc_func : 0; if (f != NULL) *f=free_func; } void CRYPTO_get_mem_ex_functions( void *(**m)(size_t,const char *,int), void *(**r)(void *, size_t,const char *,int), void (**f)(void *)) { if (m != NULL) *m = (malloc_ex_func != default_malloc_ex) ? malloc_ex_func : 0; if (r != NULL) *r = (realloc_ex_func != default_realloc_ex) ? realloc_ex_func : 0; if (f != NULL) *f=free_func; } void CRYPTO_get_locked_mem_functions(void *(**m)(size_t), void (**f)(void *)) { if (m != NULL) *m = (malloc_locked_ex_func == default_malloc_locked_ex) ? malloc_locked_func : 0; if (f != NULL) *f=free_locked_func; } void CRYPTO_get_locked_mem_ex_functions( void *(**m)(size_t,const char *,int), void (**f)(void *)) { if (m != NULL) *m = (malloc_locked_ex_func != default_malloc_locked_ex) ? malloc_locked_ex_func : 0; if (f != NULL) *f=free_locked_func; } void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int), void (**r)(void *,void *,int,const char *,int,int), void (**f)(void *,int), void (**so)(long), long (**go)(void)) { if (m != NULL) *m=malloc_debug_func; if (r != NULL) *r=realloc_debug_func; if (f != NULL) *f=free_debug_func; if (so != NULL) *so=set_debug_options_func; if (go != NULL) *go=get_debug_options_func; } void *CRYPTO_malloc_locked(int num, const char *file, int line) { void *ret = NULL; extern unsigned char cleanse_ctr; - if (num < 0) return NULL; + if (num <= 0) return NULL; allow_customize = 0; if (malloc_debug_func != NULL) { allow_customize_debug = 0; malloc_debug_func(NULL, num, file, line, 0); } ret = malloc_locked_ex_func(num,file,line); #ifdef LEVITTE_DEBUG_MEM fprintf(stderr, "LEVITTE_DEBUG_MEM: > 0x%p (%d)\n", ret, num); #endif if (malloc_debug_func != NULL) malloc_debug_func(ret, num, file, line, 1); /* Create a dependency on the value of 'cleanse_ctr' so our memory * sanitisation function can't be optimised out. NB: We only do * this for >2Kb so the overhead doesn't bother us. */ if(ret && (num > 2048)) ((unsigned char *)ret)[0] = cleanse_ctr; return ret; } void CRYPTO_free_locked(void *str) { if (free_debug_func != NULL) free_debug_func(str, 0); #ifdef LEVITTE_DEBUG_MEM fprintf(stderr, "LEVITTE_DEBUG_MEM: < 0x%p\n", str); #endif free_locked_func(str); if (free_debug_func != NULL) free_debug_func(NULL, 1); } void *CRYPTO_malloc(int num, const char *file, int line) { void *ret = NULL; extern unsigned char cleanse_ctr; - if (num < 0) return NULL; + if (num <= 0) return NULL; allow_customize = 0; if (malloc_debug_func != NULL) { allow_customize_debug = 0; malloc_debug_func(NULL, num, file, line, 0); } ret = malloc_ex_func(num,file,line); #ifdef LEVITTE_DEBUG_MEM fprintf(stderr, "LEVITTE_DEBUG_MEM: > 0x%p (%d)\n", ret, num); #endif if (malloc_debug_func != NULL) malloc_debug_func(ret, num, file, line, 1); /* Create a dependency on the value of 'cleanse_ctr' so our memory * sanitisation function can't be optimised out. NB: We only do * this for >2Kb so the overhead doesn't bother us. */ if(ret && (num > 2048)) ((unsigned char *)ret)[0] = cleanse_ctr; return ret; } void *CRYPTO_realloc(void *str, int num, const char *file, int line) { void *ret = NULL; if (str == NULL) return CRYPTO_malloc(num, file, line); - if (num < 0) return NULL; + if (num <= 0) return NULL; if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret = realloc_ex_func(str,num,file,line); #ifdef LEVITTE_DEBUG_MEM fprintf(stderr, "LEVITTE_DEBUG_MEM: | 0x%p -> 0x%p (%d)\n", str, ret, num); #endif if (realloc_debug_func != NULL) realloc_debug_func(str, ret, num, file, line, 1); return ret; } void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, int line) { void *ret = NULL; if (str == NULL) return CRYPTO_malloc(num, file, line); - if (num < 0) return NULL; + if (num <= 0) return NULL; if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret=malloc_ex_func(num,file,line); if(ret) + { memcpy(ret,str,old_len); - OPENSSL_cleanse(str,old_len); - free_func(str); + OPENSSL_cleanse(str,old_len); + free_func(str); + } #ifdef LEVITTE_DEBUG_MEM - fprintf(stderr, "LEVITTE_DEBUG_MEM: | 0x%p -> 0x%p (%d)\n", str, ret, num); + fprintf(stderr, + "LEVITTE_DEBUG_MEM: | 0x%p -> 0x%p (%d)\n", + str, ret, num); #endif if (realloc_debug_func != NULL) realloc_debug_func(str, ret, num, file, line, 1); return ret; } void CRYPTO_free(void *str) { if (free_debug_func != NULL) free_debug_func(str, 0); #ifdef LEVITTE_DEBUG_MEM fprintf(stderr, "LEVITTE_DEBUG_MEM: < 0x%p\n", str); #endif free_func(str); if (free_debug_func != NULL) free_debug_func(NULL, 1); } void *CRYPTO_remalloc(void *a, int num, const char *file, int line) { if (a != NULL) OPENSSL_free(a); a=(char *)OPENSSL_malloc(num); return(a); } void CRYPTO_set_mem_debug_options(long bits) { if (set_debug_options_func != NULL) set_debug_options_func(bits); } long CRYPTO_get_mem_debug_options(void) { if (get_debug_options_func != NULL) return get_debug_options_func(); return 0; } diff --git a/crypto/openssl/crypto/mem_dbg.c b/crypto/openssl/crypto/mem_dbg.c index 57bd08f65d92..e212de27e488 100644 --- a/crypto/openssl/crypto/mem_dbg.c +++ b/crypto/openssl/crypto/mem_dbg.c @@ -1,784 +1,787 @@ /* crypto/mem_dbg.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include #include #include #include #include "cryptlib.h" static int mh_mode=CRYPTO_MEM_CHECK_OFF; /* The state changes to CRYPTO_MEM_CHECK_ON | CRYPTO_MEM_CHECK_ENABLE * when the application asks for it (usually after library initialisation * for which no book-keeping is desired). * * State CRYPTO_MEM_CHECK_ON exists only temporarily when the library * thinks that certain allocations should not be checked (e.g. the data * structures used for memory checking). It is not suitable as an initial * state: the library will unexpectedly enable memory checking when it * executes one of those sections that want to disable checking * temporarily. * * State CRYPTO_MEM_CHECK_ENABLE without ..._ON makes no sense whatsoever. */ static unsigned long order = 0; /* number of memory requests */ static LHASH *mh=NULL; /* hash-table of memory requests (address as key); * access requires MALLOC2 lock */ typedef struct app_mem_info_st /* For application-defined information (static C-string `info') * to be displayed in memory leak list. * Each thread has its own stack. For applications, there is * CRYPTO_push_info("...") to push an entry, * CRYPTO_pop_info() to pop an entry, * CRYPTO_remove_all_info() to pop all entries. */ { unsigned long thread; const char *file; int line; const char *info; struct app_mem_info_st *next; /* tail of thread's stack */ int references; } APP_INFO; static void app_info_free(APP_INFO *); static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's * that are at the top of their thread's stack * (with `thread' as key); * access requires MALLOC2 lock */ typedef struct mem_st /* memory-block description */ { void *addr; int num; const char *file; int line; unsigned long thread; unsigned long order; time_t time; APP_INFO *app_info; } MEM; static long options = /* extra information to be recorded */ #if defined(CRYPTO_MDEBUG_TIME) || defined(CRYPTO_MDEBUG_ALL) V_CRYPTO_MDEBUG_TIME | #endif #if defined(CRYPTO_MDEBUG_THREAD) || defined(CRYPTO_MDEBUG_ALL) V_CRYPTO_MDEBUG_THREAD | #endif 0; static unsigned int num_disable = 0; /* num_disable > 0 * iff * mh_mode == CRYPTO_MEM_CHECK_ON (w/o ..._ENABLE) */ static unsigned long disabling_thread = 0; /* Valid iff num_disable > 0. * CRYPTO_LOCK_MALLOC2 is locked * exactly in this case (by the * thread named in disabling_thread). */ static void app_info_free(APP_INFO *inf) { if (--(inf->references) <= 0) { if (inf->next != NULL) { app_info_free(inf->next); } OPENSSL_free(inf); } } int CRYPTO_mem_ctrl(int mode) { int ret=mh_mode; CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); switch (mode) { /* for applications (not to be called while multiple threads * use the library): */ case CRYPTO_MEM_CHECK_ON: /* aka MemCheck_start() */ mh_mode = CRYPTO_MEM_CHECK_ON|CRYPTO_MEM_CHECK_ENABLE; num_disable = 0; break; case CRYPTO_MEM_CHECK_OFF: /* aka MemCheck_stop() */ mh_mode = 0; num_disable = 0; /* should be true *before* MemCheck_stop is used, or there'll be a lot of confusion */ break; /* switch off temporarily (for library-internal use): */ case CRYPTO_MEM_CHECK_DISABLE: /* aka MemCheck_off() */ if (mh_mode & CRYPTO_MEM_CHECK_ON) { if (!num_disable || (disabling_thread != CRYPTO_thread_id())) /* otherwise we already have the MALLOC2 lock */ { /* Long-time lock CRYPTO_LOCK_MALLOC2 must not be claimed while * we're holding CRYPTO_LOCK_MALLOC, or we'll deadlock if * somebody else holds CRYPTO_LOCK_MALLOC2 (and cannot release * it because we block entry to this function). * Give them a chance, first, and then claim the locks in * appropriate order (long-time lock first). */ CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC); /* Note that after we have waited for CRYPTO_LOCK_MALLOC2 * and CRYPTO_LOCK_MALLOC, we'll still be in the right * "case" and "if" branch because MemCheck_start and * MemCheck_stop may never be used while there are multiple * OpenSSL threads. */ CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2); CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); mh_mode &= ~CRYPTO_MEM_CHECK_ENABLE; disabling_thread=CRYPTO_thread_id(); } num_disable++; } break; case CRYPTO_MEM_CHECK_ENABLE: /* aka MemCheck_on() */ if (mh_mode & CRYPTO_MEM_CHECK_ON) { if (num_disable) /* always true, or something is going wrong */ { num_disable--; if (num_disable == 0) { mh_mode|=CRYPTO_MEM_CHECK_ENABLE; CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2); } } } break; default: break; } CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC); return(ret); } int CRYPTO_is_mem_check_on(void) { int ret = 0; if (mh_mode & CRYPTO_MEM_CHECK_ON) { CRYPTO_r_lock(CRYPTO_LOCK_MALLOC); ret = (mh_mode & CRYPTO_MEM_CHECK_ENABLE) || (disabling_thread != CRYPTO_thread_id()); CRYPTO_r_unlock(CRYPTO_LOCK_MALLOC); } return(ret); } void CRYPTO_dbg_set_options(long bits) { options = bits; } long CRYPTO_dbg_get_options(void) { return options; } /* static int mem_cmp(MEM *a, MEM *b) */ static int mem_cmp(const void *a_void, const void *b_void) { return((const char *)((const MEM *)a_void)->addr - (const char *)((const MEM *)b_void)->addr); } /* static unsigned long mem_hash(MEM *a) */ static unsigned long mem_hash(const void *a_void) { unsigned long ret; ret=(unsigned long)((const MEM *)a_void)->addr; ret=ret*17851+(ret>>14)*7+(ret>>4)*251; return(ret); } /* static int app_info_cmp(APP_INFO *a, APP_INFO *b) */ static int app_info_cmp(const void *a_void, const void *b_void) { return(((const APP_INFO *)a_void)->thread != ((const APP_INFO *)b_void)->thread); } /* static unsigned long app_info_hash(APP_INFO *a) */ static unsigned long app_info_hash(const void *a_void) { unsigned long ret; ret=(unsigned long)((const APP_INFO *)a_void)->thread; ret=ret*17851+(ret>>14)*7+(ret>>4)*251; return(ret); } static APP_INFO *pop_info(void) { APP_INFO tmp; APP_INFO *ret = NULL; if (amih != NULL) { tmp.thread=CRYPTO_thread_id(); if ((ret=(APP_INFO *)lh_delete(amih,&tmp)) != NULL) { APP_INFO *next=ret->next; if (next != NULL) { next->references++; lh_insert(amih,(char *)next); } #ifdef LEVITTE_DEBUG_MEM if (ret->thread != tmp.thread) { fprintf(stderr, "pop_info(): deleted info has other thread ID (%lu) than the current thread (%lu)!!!!\n", ret->thread, tmp.thread); abort(); } #endif if (--(ret->references) <= 0) { ret->next = NULL; if (next != NULL) next->references--; OPENSSL_free(ret); } } } return(ret); } int CRYPTO_push_info_(const char *info, const char *file, int line) { APP_INFO *ami, *amim; int ret=0; if (is_MemCheck_on()) { MemCheck_off(); /* obtain MALLOC2 lock */ if ((ami = (APP_INFO *)OPENSSL_malloc(sizeof(APP_INFO))) == NULL) { ret=0; goto err; } if (amih == NULL) { if ((amih=lh_new(app_info_hash, app_info_cmp)) == NULL) { OPENSSL_free(ami); ret=0; goto err; } } ami->thread=CRYPTO_thread_id(); ami->file=file; ami->line=line; ami->info=info; ami->references=1; ami->next=NULL; if ((amim=(APP_INFO *)lh_insert(amih,(char *)ami)) != NULL) { #ifdef LEVITTE_DEBUG_MEM if (ami->thread != amim->thread) { fprintf(stderr, "CRYPTO_push_info(): previous info has other thread ID (%lu) than the current thread (%lu)!!!!\n", amim->thread, ami->thread); abort(); } #endif ami->next=amim; } err: MemCheck_on(); /* release MALLOC2 lock */ } return(ret); } int CRYPTO_pop_info(void) { int ret=0; if (is_MemCheck_on()) /* _must_ be true, or something went severely wrong */ { MemCheck_off(); /* obtain MALLOC2 lock */ ret=(pop_info() != NULL); MemCheck_on(); /* release MALLOC2 lock */ } return(ret); } int CRYPTO_remove_all_info(void) { int ret=0; if (is_MemCheck_on()) /* _must_ be true */ { MemCheck_off(); /* obtain MALLOC2 lock */ while(pop_info() != NULL) ret++; MemCheck_on(); /* release MALLOC2 lock */ } return(ret); } static unsigned long break_order_num=0; void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line, int before_p) { MEM *m,*mm; APP_INFO tmp,*amim; switch(before_p & 127) { case 0: break; case 1: if (addr == NULL) break; if (is_MemCheck_on()) { MemCheck_off(); /* make sure we hold MALLOC2 lock */ if ((m=(MEM *)OPENSSL_malloc(sizeof(MEM))) == NULL) { OPENSSL_free(addr); MemCheck_on(); /* release MALLOC2 lock * if num_disabled drops to 0 */ return; } if (mh == NULL) { if ((mh=lh_new(mem_hash, mem_cmp)) == NULL) { OPENSSL_free(addr); OPENSSL_free(m); addr=NULL; goto err; } } m->addr=addr; m->file=file; m->line=line; m->num=num; if (options & V_CRYPTO_MDEBUG_THREAD) m->thread=CRYPTO_thread_id(); else m->thread=0; if (order == break_order_num) { /* BREAK HERE */ m->order=order; } m->order=order++; #ifdef LEVITTE_DEBUG_MEM fprintf(stderr, "LEVITTE_DEBUG_MEM: [%5d] %c 0x%p (%d)\n", m->order, (before_p & 128) ? '*' : '+', m->addr, m->num); #endif if (options & V_CRYPTO_MDEBUG_TIME) m->time=time(NULL); else m->time=0; tmp.thread=CRYPTO_thread_id(); m->app_info=NULL; if (amih != NULL && (amim=(APP_INFO *)lh_retrieve(amih,(char *)&tmp)) != NULL) { m->app_info = amim; amim->references++; } if ((mm=(MEM *)lh_insert(mh,(char *)m)) != NULL) { /* Not good, but don't sweat it */ if (mm->app_info != NULL) { mm->app_info->references--; } OPENSSL_free(mm); } err: MemCheck_on(); /* release MALLOC2 lock * if num_disabled drops to 0 */ } break; } return; } void CRYPTO_dbg_free(void *addr, int before_p) { MEM m,*mp; switch(before_p) { case 0: if (addr == NULL) break; if (is_MemCheck_on() && (mh != NULL)) { MemCheck_off(); /* make sure we hold MALLOC2 lock */ m.addr=addr; mp=(MEM *)lh_delete(mh,(char *)&m); if (mp != NULL) { #ifdef LEVITTE_DEBUG_MEM fprintf(stderr, "LEVITTE_DEBUG_MEM: [%5d] - 0x%p (%d)\n", mp->order, mp->addr, mp->num); #endif if (mp->app_info != NULL) app_info_free(mp->app_info); OPENSSL_free(mp); } MemCheck_on(); /* release MALLOC2 lock * if num_disabled drops to 0 */ } break; case 1: break; } } void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num, const char *file, int line, int before_p) { MEM m,*mp; #ifdef LEVITTE_DEBUG_MEM fprintf(stderr, "LEVITTE_DEBUG_MEM: --> CRYPTO_dbg_malloc(addr1 = %p, addr2 = %p, num = %d, file = \"%s\", line = %d, before_p = %d)\n", addr1, addr2, num, file, line, before_p); #endif switch(before_p) { case 0: break; case 1: if (addr2 == NULL) break; if (addr1 == NULL) { CRYPTO_dbg_malloc(addr2, num, file, line, 128 | before_p); break; } if (is_MemCheck_on()) { MemCheck_off(); /* make sure we hold MALLOC2 lock */ m.addr=addr1; mp=(MEM *)lh_delete(mh,(char *)&m); if (mp != NULL) { #ifdef LEVITTE_DEBUG_MEM fprintf(stderr, "LEVITTE_DEBUG_MEM: [%5d] * 0x%p (%d) -> 0x%p (%d)\n", mp->order, mp->addr, mp->num, addr2, num); #endif mp->addr=addr2; mp->num=num; lh_insert(mh,(char *)mp); } MemCheck_on(); /* release MALLOC2 lock * if num_disabled drops to 0 */ } break; } return; } typedef struct mem_leak_st { BIO *bio; int chunks; long bytes; } MEM_LEAK; static void print_leak(const MEM *m, MEM_LEAK *l) { char buf[1024]; char *bufp = buf; APP_INFO *amip; int ami_cnt; struct tm *lcl = NULL; unsigned long ti; +#define BUF_REMAIN (sizeof buf - (size_t)(bufp - buf)) + if(m->addr == (char *)l->bio) return; if (options & V_CRYPTO_MDEBUG_TIME) { lcl = localtime(&m->time); - sprintf(bufp, "[%02d:%02d:%02d] ", + BIO_snprintf(bufp, BUF_REMAIN, "[%02d:%02d:%02d] ", lcl->tm_hour,lcl->tm_min,lcl->tm_sec); bufp += strlen(bufp); } - sprintf(bufp, "%5lu file=%s, line=%d, ", + BIO_snprintf(bufp, BUF_REMAIN, "%5lu file=%s, line=%d, ", m->order,m->file,m->line); bufp += strlen(bufp); if (options & V_CRYPTO_MDEBUG_THREAD) { - sprintf(bufp, "thread=%lu, ", m->thread); + BIO_snprintf(bufp, BUF_REMAIN, "thread=%lu, ", m->thread); bufp += strlen(bufp); } - sprintf(bufp, "number=%d, address=%08lX\n", + BIO_snprintf(bufp, BUF_REMAIN, "number=%d, address=%08lX\n", m->num,(unsigned long)m->addr); bufp += strlen(bufp); BIO_puts(l->bio,buf); l->chunks++; l->bytes+=m->num; amip=m->app_info; ami_cnt=0; if (!amip) return; ti=amip->thread; do { int buf_len; int info_len; ami_cnt++; memset(buf,'>',ami_cnt); - sprintf(buf + ami_cnt, + BIO_snprintf(buf + ami_cnt, sizeof buf - ami_cnt, " thread=%lu, file=%s, line=%d, info=\"", amip->thread, amip->file, amip->line); buf_len=strlen(buf); info_len=strlen(amip->info); if (128 - buf_len - 3 < info_len) { memcpy(buf + buf_len, amip->info, 128 - buf_len - 3); buf_len = 128 - 3; } else { - strcpy(buf + buf_len, amip->info); + BUF_strlcpy(buf + buf_len, amip->info, + sizeof buf - buf_len); buf_len = strlen(buf); } - sprintf(buf + buf_len, "\"\n"); + BIO_snprintf(buf + buf_len, sizeof buf - buf_len, "\"\n"); BIO_puts(l->bio,buf); amip = amip->next; } while(amip && amip->thread == ti); #ifdef LEVITTE_DEBUG_MEM if (amip) { fprintf(stderr, "Thread switch detected in backtrace!!!!\n"); abort(); } #endif } static IMPLEMENT_LHASH_DOALL_ARG_FN(print_leak, const MEM *, MEM_LEAK *) void CRYPTO_mem_leaks(BIO *b) { MEM_LEAK ml; if (mh == NULL && amih == NULL) return; MemCheck_off(); /* obtain MALLOC2 lock */ ml.bio=b; ml.bytes=0; ml.chunks=0; if (mh != NULL) lh_doall_arg(mh, LHASH_DOALL_ARG_FN(print_leak), (char *)&ml); if (ml.chunks != 0) { BIO_printf(b,"%ld bytes leaked in %d chunks\n", ml.bytes,ml.chunks); } else { /* Make sure that, if we found no leaks, memory-leak debugging itself * does not introduce memory leaks (which might irritate * external debugging tools). * (When someone enables leak checking, but does not call * this function, we declare it to be their fault.) * * XXX This should be in CRYPTO_mem_leaks_cb, * and CRYPTO_mem_leaks should be implemented by * using CRYPTO_mem_leaks_cb. * (Also their should be a variant of lh_doall_arg * that takes a function pointer instead of a void *; * this would obviate the ugly and illegal * void_fn_to_char kludge in CRYPTO_mem_leaks_cb. * Otherwise the code police will come and get us.) */ int old_mh_mode; CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); /* avoid deadlock when lh_free() uses CRYPTO_dbg_free(), * which uses CRYPTO_is_mem_check_on */ old_mh_mode = mh_mode; mh_mode = CRYPTO_MEM_CHECK_OFF; if (mh != NULL) { lh_free(mh); mh = NULL; } if (amih != NULL) { if (lh_num_items(amih) == 0) { lh_free(amih); amih = NULL; } } mh_mode = old_mh_mode; CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC); } MemCheck_on(); /* release MALLOC2 lock */ } #ifndef OPENSSL_NO_FP_API void CRYPTO_mem_leaks_fp(FILE *fp) { BIO *b; if (mh == NULL) return; /* Need to turn off memory checking when allocated BIOs ... especially * as we're creating them at a time when we're trying to check we've not * left anything un-free()'d!! */ MemCheck_off(); b = BIO_new(BIO_s_file()); MemCheck_on(); if(!b) return; BIO_set_fp(b,fp,BIO_NOCLOSE); CRYPTO_mem_leaks(b); BIO_free(b); } #endif /* FIXME: We really don't allow much to the callback. For example, it has no chance of reaching the info stack for the item it processes. Should it really be this way? -- Richard Levitte */ /* NB: The prototypes have been typedef'd to CRYPTO_MEM_LEAK_CB inside crypto.h * If this code is restructured, remove the callback type if it is no longer * needed. -- Geoff Thorpe */ static void cb_leak(const MEM *m, CRYPTO_MEM_LEAK_CB **cb) { (**cb)(m->order,m->file,m->line,m->num,m->addr); } static IMPLEMENT_LHASH_DOALL_ARG_FN(cb_leak, const MEM *, CRYPTO_MEM_LEAK_CB **) void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb) { if (mh == NULL) return; CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2); lh_doall_arg(mh, LHASH_DOALL_ARG_FN(cb_leak), &cb); CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2); } diff --git a/crypto/openssl/crypto/objects/Makefile.ssl b/crypto/openssl/crypto/objects/Makefile.ssl index 1f5d213495b9..3e7a194cf990 100644 --- a/crypto/openssl/crypto/objects/Makefile.ssl +++ b/crypto/openssl/crypto/objects/Makefile.ssl @@ -1,123 +1,123 @@ # # SSLeay/crypto/objects/Makefile # DIR= objects TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r PERL= perl CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile README TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= o_names.c obj_dat.c obj_lib.c obj_err.c LIBOBJ= o_names.o obj_dat.o obj_lib.o obj_err.o SRC= $(LIBSRC) EXHEADER= objects.h obj_mac.h HEADER= $(EXHEADER) obj_dat.h ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: obj_dat.h lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib obj_dat.h: obj_dat.pl obj_mac.h $(PERL) obj_dat.pl obj_mac.h obj_dat.h # objects.pl both reads and writes obj_mac.num obj_mac.h: objects.pl objects.txt obj_mac.num $(PERL) objects.pl objects.txt obj_mac.num obj_mac.h files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. o_names.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h o_names.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h o_names.o: ../../include/openssl/e_os2.h ../../include/openssl/lhash.h o_names.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h o_names.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h o_names.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h o_names.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h o_names.o: o_names.c obj_dat.o: ../../e_os.h ../../include/openssl/asn1.h obj_dat.o: ../../include/openssl/bio.h ../../include/openssl/bn.h obj_dat.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h obj_dat.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h obj_dat.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h obj_dat.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h obj_dat.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h obj_dat.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h obj_dat.o: ../../include/openssl/symhacks.h ../cryptlib.h obj_dat.c obj_dat.h obj_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h obj_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h obj_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h obj_err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h obj_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h obj_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h obj_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h obj_err.o: ../../include/openssl/symhacks.h obj_err.c obj_lib.o: ../../e_os.h ../../include/openssl/asn1.h obj_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h obj_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h obj_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h obj_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h obj_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h obj_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h obj_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h obj_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h obj_lib.c diff --git a/crypto/openssl/crypto/objects/obj_dat.c b/crypto/openssl/crypto/objects/obj_dat.c index 5d983e3ed472..4534dc09856e 100644 --- a/crypto/openssl/crypto/objects/obj_dat.c +++ b/crypto/openssl/crypto/objects/obj_dat.c @@ -1,666 +1,666 @@ /* crypto/objects/obj_dat.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include "cryptlib.h" #include #include #include /* obj_dat.h is generated from objects.h by obj_dat.pl */ #ifndef OPENSSL_NO_OBJECT #include "obj_dat.h" #else /* You will have to load all the objects needed manually in the application */ #define NUM_NID 0 #define NUM_SN 0 #define NUM_LN 0 #define NUM_OBJ 0 static unsigned char lvalues[1]; static ASN1_OBJECT nid_objs[1]; static ASN1_OBJECT *sn_objs[1]; static ASN1_OBJECT *ln_objs[1]; static ASN1_OBJECT *obj_objs[1]; #endif static int sn_cmp(const void *a, const void *b); static int ln_cmp(const void *a, const void *b); static int obj_cmp(const void *a, const void *b); #define ADDED_DATA 0 #define ADDED_SNAME 1 #define ADDED_LNAME 2 #define ADDED_NID 3 typedef struct added_obj_st { int type; ASN1_OBJECT *obj; } ADDED_OBJ; static int new_nid=NUM_NID; static LHASH *added=NULL; static int sn_cmp(const void *a, const void *b) { const ASN1_OBJECT * const *ap = a, * const *bp = b; return(strcmp((*ap)->sn,(*bp)->sn)); } static int ln_cmp(const void *a, const void *b) { const ASN1_OBJECT * const *ap = a, * const *bp = b; return(strcmp((*ap)->ln,(*bp)->ln)); } /* static unsigned long add_hash(ADDED_OBJ *ca) */ static unsigned long add_hash(const void *ca_void) { const ASN1_OBJECT *a; int i; unsigned long ret=0; unsigned char *p; ADDED_OBJ *ca = (ADDED_OBJ *)ca_void; a=ca->obj; switch (ca->type) { case ADDED_DATA: ret=a->length<<20L; p=(unsigned char *)a->data; for (i=0; ilength; i++) ret^=p[i]<<((i*3)%24); break; case ADDED_SNAME: ret=lh_strhash(a->sn); break; case ADDED_LNAME: ret=lh_strhash(a->ln); break; case ADDED_NID: ret=a->nid; break; default: /* abort(); */ return 0; } ret&=0x3fffffffL; ret|=ca->type<<30L; return(ret); } /* static int add_cmp(ADDED_OBJ *ca, ADDED_OBJ *cb) */ static int add_cmp(const void *ca_void, const void *cb_void) { ASN1_OBJECT *a,*b; int i; ADDED_OBJ *ca = (ADDED_OBJ *)ca_void; ADDED_OBJ *cb = (ADDED_OBJ *)cb_void; i=ca->type-cb->type; if (i) return(i); a=ca->obj; b=cb->obj; switch (ca->type) { case ADDED_DATA: i=(a->length - b->length); if (i) return(i); return(memcmp(a->data,b->data,a->length)); case ADDED_SNAME: if (a->sn == NULL) return(-1); else if (b->sn == NULL) return(1); else return(strcmp(a->sn,b->sn)); case ADDED_LNAME: if (a->ln == NULL) return(-1); else if (b->ln == NULL) return(1); else return(strcmp(a->ln,b->ln)); case ADDED_NID: return(a->nid-b->nid); default: /* abort(); */ return 0; } } static int init_added(void) { if (added != NULL) return(1); added=lh_new(add_hash,add_cmp); return(added != NULL); } static void cleanup1(ADDED_OBJ *a) { a->obj->nid=0; a->obj->flags|=ASN1_OBJECT_FLAG_DYNAMIC| ASN1_OBJECT_FLAG_DYNAMIC_STRINGS| ASN1_OBJECT_FLAG_DYNAMIC_DATA; } static void cleanup2(ADDED_OBJ *a) { a->obj->nid++; } static void cleanup3(ADDED_OBJ *a) { if (--a->obj->nid == 0) ASN1_OBJECT_free(a->obj); OPENSSL_free(a); } static IMPLEMENT_LHASH_DOALL_FN(cleanup1, ADDED_OBJ *) static IMPLEMENT_LHASH_DOALL_FN(cleanup2, ADDED_OBJ *) static IMPLEMENT_LHASH_DOALL_FN(cleanup3, ADDED_OBJ *) void OBJ_cleanup(void) { if (added == NULL) return; added->down_load=0; lh_doall(added,LHASH_DOALL_FN(cleanup1)); /* zero counters */ lh_doall(added,LHASH_DOALL_FN(cleanup2)); /* set counters */ lh_doall(added,LHASH_DOALL_FN(cleanup3)); /* free objects */ lh_free(added); added=NULL; } int OBJ_new_nid(int num) { int i; i=new_nid; new_nid+=num; return(i); } int OBJ_add_object(const ASN1_OBJECT *obj) { ASN1_OBJECT *o; ADDED_OBJ *ao[4]={NULL,NULL,NULL,NULL},*aop; int i; if (added == NULL) if (!init_added()) return(0); if ((o=OBJ_dup(obj)) == NULL) goto err; if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err; if ((o->length != 0) && (obj->data != NULL)) ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)); if (o->sn != NULL) ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)); if (o->ln != NULL) ao[ADDED_LNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)); for (i=ADDED_DATA; i<=ADDED_NID; i++) { if (ao[i] != NULL) { ao[i]->type=i; ao[i]->obj=o; aop=(ADDED_OBJ *)lh_insert(added,ao[i]); /* memory leak, buit should not normally matter */ if (aop != NULL) OPENSSL_free(aop); } } o->flags&= ~(ASN1_OBJECT_FLAG_DYNAMIC|ASN1_OBJECT_FLAG_DYNAMIC_STRINGS| ASN1_OBJECT_FLAG_DYNAMIC_DATA); return(o->nid); err: for (i=ADDED_DATA; i<=ADDED_NID; i++) if (ao[i] != NULL) OPENSSL_free(ao[i]); if (o != NULL) OPENSSL_free(o); return(NID_undef); } ASN1_OBJECT *OBJ_nid2obj(int n) { ADDED_OBJ ad,*adp; ASN1_OBJECT ob; if ((n >= 0) && (n < NUM_NID)) { if ((n != NID_undef) && (nid_objs[n].nid == NID_undef)) { OBJerr(OBJ_F_OBJ_NID2OBJ,OBJ_R_UNKNOWN_NID); return(NULL); } return((ASN1_OBJECT *)&(nid_objs[n])); } else if (added == NULL) return(NULL); else { ad.type=ADDED_NID; ad.obj= &ob; ob.nid=n; adp=(ADDED_OBJ *)lh_retrieve(added,&ad); if (adp != NULL) return(adp->obj); else { OBJerr(OBJ_F_OBJ_NID2OBJ,OBJ_R_UNKNOWN_NID); return(NULL); } } } const char *OBJ_nid2sn(int n) { ADDED_OBJ ad,*adp; ASN1_OBJECT ob; if ((n >= 0) && (n < NUM_NID)) { if ((n != NID_undef) && (nid_objs[n].nid == NID_undef)) { OBJerr(OBJ_F_OBJ_NID2SN,OBJ_R_UNKNOWN_NID); return(NULL); } return(nid_objs[n].sn); } else if (added == NULL) return(NULL); else { ad.type=ADDED_NID; ad.obj= &ob; ob.nid=n; adp=(ADDED_OBJ *)lh_retrieve(added,&ad); if (adp != NULL) return(adp->obj->sn); else { OBJerr(OBJ_F_OBJ_NID2SN,OBJ_R_UNKNOWN_NID); return(NULL); } } } const char *OBJ_nid2ln(int n) { ADDED_OBJ ad,*adp; ASN1_OBJECT ob; if ((n >= 0) && (n < NUM_NID)) { if ((n != NID_undef) && (nid_objs[n].nid == NID_undef)) { OBJerr(OBJ_F_OBJ_NID2LN,OBJ_R_UNKNOWN_NID); return(NULL); } return(nid_objs[n].ln); } else if (added == NULL) return(NULL); else { ad.type=ADDED_NID; ad.obj= &ob; ob.nid=n; adp=(ADDED_OBJ *)lh_retrieve(added,&ad); if (adp != NULL) return(adp->obj->ln); else { OBJerr(OBJ_F_OBJ_NID2LN,OBJ_R_UNKNOWN_NID); return(NULL); } } } int OBJ_obj2nid(const ASN1_OBJECT *a) { ASN1_OBJECT **op; ADDED_OBJ ad,*adp; if (a == NULL) return(NID_undef); if (a->nid != 0) return(a->nid); if (added != NULL) { ad.type=ADDED_DATA; ad.obj=(ASN1_OBJECT *)a; /* XXX: ugly but harmless */ adp=(ADDED_OBJ *)lh_retrieve(added,&ad); if (adp != NULL) return (adp->obj->nid); } op=(ASN1_OBJECT **)OBJ_bsearch((char *)&a,(char *)obj_objs,NUM_OBJ, sizeof(ASN1_OBJECT *),obj_cmp); if (op == NULL) return(NID_undef); return((*op)->nid); } /* Convert an object name into an ASN1_OBJECT * if "noname" is not set then search for short and long names first. * This will convert the "dotted" form into an object: unlike OBJ_txt2nid * it can be used with any objects, not just registered ones. */ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name) { int nid = NID_undef; ASN1_OBJECT *op=NULL; unsigned char *buf,*p; int i, j; if(!no_name) { if( ((nid = OBJ_sn2nid(s)) != NID_undef) || ((nid = OBJ_ln2nid(s)) != NID_undef) ) return OBJ_nid2obj(nid); } /* Work out size of content octets */ i=a2d_ASN1_OBJECT(NULL,0,s,-1); if (i <= 0) { /* Clear the error */ ERR_get_error(); return NULL; } /* Work out total size */ j = ASN1_object_size(0,i,V_ASN1_OBJECT); if((buf=(unsigned char *)OPENSSL_malloc(j)) == NULL) return NULL; p = buf; /* Write out tag+length */ ASN1_put_object(&p,0,i,V_ASN1_OBJECT,V_ASN1_UNIVERSAL); /* Write out contents */ a2d_ASN1_OBJECT(p,i,s,-1); p=buf; op=d2i_ASN1_OBJECT(NULL,&p,j); OPENSSL_free(buf); return op; } int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) { int i,idx=0,n=0,len,nid; unsigned long l; unsigned char *p; const char *s; char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2]; if (buf_len <= 0) return(0); if ((a == NULL) || (a->data == NULL)) { buf[0]='\0'; return(0); } if (no_name || (nid=OBJ_obj2nid(a)) == NID_undef) { len=a->length; p=a->data; idx=0; l=0; while (idx < a->length) { l|=(p[idx]&0x7f); if (!(p[idx] & 0x80)) break; l<<=7L; idx++; } idx++; i=(int)(l/40); if (i > 2) i=2; l-=(long)(i*40); - sprintf(tbuf,"%d.%lu",i,l); + BIO_snprintf(tbuf,sizeof tbuf,"%d.%lu",i,l); i=strlen(tbuf); BUF_strlcpy(buf,tbuf,buf_len); buf_len-=i; buf+=i; n+=i; l=0; for (; idx 0) BUF_strlcpy(buf,tbuf,buf_len); buf_len-=i; buf+=i; n+=i; l=0; } l<<=7L; } } else { s=OBJ_nid2ln(nid); if (s == NULL) s=OBJ_nid2sn(nid); BUF_strlcpy(buf,s,buf_len); n=strlen(s); } return(n); } int OBJ_txt2nid(const char *s) { ASN1_OBJECT *obj; int nid; obj = OBJ_txt2obj(s, 0); nid = OBJ_obj2nid(obj); ASN1_OBJECT_free(obj); return nid; } int OBJ_ln2nid(const char *s) { ASN1_OBJECT o,*oo= &o,**op; ADDED_OBJ ad,*adp; o.ln=s; if (added != NULL) { ad.type=ADDED_LNAME; ad.obj= &o; adp=(ADDED_OBJ *)lh_retrieve(added,&ad); if (adp != NULL) return (adp->obj->nid); } op=(ASN1_OBJECT **)OBJ_bsearch((char *)&oo,(char *)ln_objs,NUM_LN, sizeof(ASN1_OBJECT *),ln_cmp); if (op == NULL) return(NID_undef); return((*op)->nid); } int OBJ_sn2nid(const char *s) { ASN1_OBJECT o,*oo= &o,**op; ADDED_OBJ ad,*adp; o.sn=s; if (added != NULL) { ad.type=ADDED_SNAME; ad.obj= &o; adp=(ADDED_OBJ *)lh_retrieve(added,&ad); if (adp != NULL) return (adp->obj->nid); } op=(ASN1_OBJECT **)OBJ_bsearch((char *)&oo,(char *)sn_objs,NUM_SN, sizeof(ASN1_OBJECT *),sn_cmp); if (op == NULL) return(NID_undef); return((*op)->nid); } static int obj_cmp(const void *ap, const void *bp) { int j; ASN1_OBJECT *a= *(ASN1_OBJECT **)ap; ASN1_OBJECT *b= *(ASN1_OBJECT **)bp; j=(a->length - b->length); if (j) return(j); return(memcmp(a->data,b->data,a->length)); } const char *OBJ_bsearch(const char *key, const char *base, int num, int size, int (*cmp)(const void *, const void *)) { int l,h,i,c; const char *p; if (num == 0) return(NULL); l=0; h=num; while (l < h) { i=(l+h)/2; p= &(base[i*size]); c=(*cmp)(key,p); if (c < 0) h=i; else if (c > 0) l=i+1; else return(p); } #ifdef CHARSET_EBCDIC /* THIS IS A KLUDGE - Because the *_obj is sorted in ASCII order, and * I don't have perl (yet), we revert to a *LINEAR* search * when the object wasn't found in the binary search. */ for (i=0; i$ARGV[1]") || die "Can't open output file $ARGV[1]"; while () { next unless /^\#define\s+(\S+)\s+(.*)$/; $v=$1; $d=$2; $d =~ s/^\"//; $d =~ s/\"$//; if ($v =~ /^SN_(.*)$/) { if(defined $snames{$d}) { print "WARNING: Duplicate short name \"$d\"\n"; } else { $snames{$d} = "X"; } $sn{$1}=$d; } elsif ($v =~ /^LN_(.*)$/) { if(defined $lnames{$d}) { print "WARNING: Duplicate long name \"$d\"\n"; } else { $lnames{$d} = "X"; } $ln{$1}=$d; } elsif ($v =~ /^NID_(.*)$/) { $nid{$d}=$1; } elsif ($v =~ /^OBJ_(.*)$/) { $obj{$1}=$v; $objd{$v}=$d; } } close IN; %ob=&expand_obj(*objd); @a=sort { $a <=> $b } keys %nid; $n=$a[$#a]+1; @lvalues=(); $lvalues=0; for ($i=0; $i<$n; $i++) { if (!defined($nid{$i})) { push(@out,"{NULL,NULL,NID_undef,0,NULL},\n"); } else { $sn=defined($sn{$nid{$i}})?"$sn{$nid{$i}}":"NULL"; $ln=defined($ln{$nid{$i}})?"$ln{$nid{$i}}":"NULL"; if ($sn eq "NULL") { $sn=$ln; $sn{$nid{$i}} = $ln; } if ($ln eq "NULL") { $ln=$sn; $ln{$nid{$i}} = $sn; } $out ="{"; $out.="\"$sn\""; $out.=","."\"$ln\""; $out.=",NID_$nid{$i},"; if (defined($obj{$nid{$i}})) { $v=$objd{$obj{$nid{$i}}}; $v =~ s/L//g; $v =~ s/,/ /g; $r=&der_it($v); $z=""; $length=0; foreach (unpack("C*",$r)) { $z.=sprintf("0x%02X,",$_); $length++; } $obj_der{$obj{$nid{$i}}}=$z; $obj_len{$obj{$nid{$i}}}=$length; push(@lvalues,sprintf("%-45s/* [%3d] %s */\n", $z,$lvalues,$obj{$nid{$i}})); $out.="$length,&(lvalues[$lvalues]),0"; $lvalues+=$length; } else { $out.="0,NULL"; } $out.="},\n"; push(@out,$out); } } @a=grep(defined($sn{$nid{$_}}),0 .. $n); foreach (sort { $sn{$nid{$a}} cmp $sn{$nid{$b}} } @a) { push(@sn,sprintf("&(nid_objs[%2d]),/* \"$sn{$nid{$_}}\" */\n",$_)); } @a=grep(defined($ln{$nid{$_}}),0 .. $n); foreach (sort { $ln{$nid{$a}} cmp $ln{$nid{$b}} } @a) { push(@ln,sprintf("&(nid_objs[%2d]),/* \"$ln{$nid{$_}}\" */\n",$_)); } @a=grep(defined($obj{$nid{$_}}),0 .. $n); foreach (sort obj_cmp @a) { $m=$obj{$nid{$_}}; $v=$objd{$m}; $v =~ s/L//g; $v =~ s/,/ /g; push(@ob,sprintf("&(nid_objs[%2d]),/* %-32s %s */\n",$_,$m,$v)); } print OUT <<'EOF'; /* crypto/objects/obj_dat.h */ /* THIS FILE IS GENERATED FROM objects.h by obj_dat.pl via the * following command: * perl obj_dat.pl obj_mac.h obj_dat.h */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ EOF printf OUT "#define NUM_NID %d\n",$n; printf OUT "#define NUM_SN %d\n",$#sn+1; printf OUT "#define NUM_LN %d\n",$#ln+1; printf OUT "#define NUM_OBJ %d\n\n",$#ob+1; printf OUT "static unsigned char lvalues[%d]={\n",$lvalues+1; print OUT @lvalues; print OUT "};\n\n"; printf OUT "static ASN1_OBJECT nid_objs[NUM_NID]={\n"; foreach (@out) { if (length($_) > 75) { $out=""; foreach (split(/,/)) { $t=$out.$_.","; if (length($t) > 70) { print OUT "$out\n"; $t="\t$_,"; } $out=$t; } chop $out; print OUT "$out"; } else { print OUT $_; } } print OUT "};\n\n"; printf OUT "static ASN1_OBJECT *sn_objs[NUM_SN]={\n"; print OUT @sn; print OUT "};\n\n"; printf OUT "static ASN1_OBJECT *ln_objs[NUM_LN]={\n"; print OUT @ln; print OUT "};\n\n"; printf OUT "static ASN1_OBJECT *obj_objs[NUM_OBJ]={\n"; print OUT @ob; print OUT "};\n\n"; close OUT; sub der_it { local($v)=@_; local(@a,$i,$ret,@r); @a=split(/\s+/,$v); $ret.=pack("C*",$a[0]*40+$a[1]); shift @a; shift @a; foreach (@a) { @r=(); $t=0; while ($_ >= 128) { $x=$_%128; $_/=128; push(@r,((($t++)?0x80:0)|$x)); } push(@r,((($t++)?0x80:0)|$_)); $ret.=pack("C*",reverse(@r)); } return($ret); } diff --git a/crypto/openssl/crypto/ocsp/Makefile.ssl b/crypto/openssl/crypto/ocsp/Makefile.ssl index 8d5a85a55cae..02477be53868 100644 --- a/crypto/openssl/crypto/ocsp/Makefile.ssl +++ b/crypto/openssl/crypto/ocsp/Makefile.ssl @@ -1,293 +1,293 @@ # # OpenSSL/ocsp/Makefile.ssl # DIR= ocsp TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile README TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= ocsp_asn.c ocsp_ext.c ocsp_ht.c ocsp_lib.c ocsp_cl.c \ ocsp_srv.c ocsp_prn.c ocsp_vfy.c ocsp_err.c LIBOBJ= ocsp_asn.o ocsp_ext.o ocsp_ht.o ocsp_lib.o ocsp_cl.o \ ocsp_srv.o ocsp_prn.o ocsp_vfy.o ocsp_err.o SRC= $(LIBSRC) EXHEADER= ocsp.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile ; + @sh $(TOP)/util/point.sh Makefile.ssl Makefile ; @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. ocsp_asn.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h ocsp_asn.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h ocsp_asn.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h ocsp_asn.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h ocsp_asn.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h ocsp_asn.o: ../../include/openssl/des.h ../../include/openssl/des_old.h ocsp_asn.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h ocsp_asn.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h ocsp_asn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h ocsp_asn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h ocsp_asn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h ocsp_asn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h ocsp_asn.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h ocsp_asn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ocsp_asn.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h ocsp_asn.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h ocsp_asn.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h ocsp_asn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ocsp_asn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ocsp_asn.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h ocsp_asn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ocsp_asn.o: ../../include/openssl/x509v3.h ocsp_asn.c ocsp_cl.o: ../../e_os.h ../../include/openssl/aes.h ocsp_cl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ocsp_cl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h ocsp_cl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h ocsp_cl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h ocsp_cl.o: ../../include/openssl/des.h ../../include/openssl/des_old.h ocsp_cl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h ocsp_cl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h ocsp_cl.o: ../../include/openssl/evp.h ../../include/openssl/idea.h ocsp_cl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h ocsp_cl.o: ../../include/openssl/md4.h ../../include/openssl/md5.h ocsp_cl.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h ocsp_cl.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h ocsp_cl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h ocsp_cl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h ocsp_cl.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h ocsp_cl.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h ocsp_cl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h ocsp_cl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h ocsp_cl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ocsp_cl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ocsp_cl.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h ocsp_cl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ocsp_cl.o: ../../include/openssl/x509v3.h ../cryptlib.h ocsp_cl.c ocsp_err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h ocsp_err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h ocsp_err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h ocsp_err.o: ../../include/openssl/cast.h ../../include/openssl/conf.h ocsp_err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h ocsp_err.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h ocsp_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h ocsp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h ocsp_err.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h ocsp_err.o: ../../include/openssl/md2.h ../../include/openssl/md4.h ocsp_err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h ocsp_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h ocsp_err.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h ocsp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ocsp_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h ocsp_err.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h ocsp_err.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h ocsp_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ocsp_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ocsp_err.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h ocsp_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ocsp_err.o: ../../include/openssl/x509v3.h ocsp_err.c ocsp_ext.o: ../../e_os.h ../../include/openssl/aes.h ocsp_ext.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ocsp_ext.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h ocsp_ext.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h ocsp_ext.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h ocsp_ext.o: ../../include/openssl/des.h ../../include/openssl/des_old.h ocsp_ext.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h ocsp_ext.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h ocsp_ext.o: ../../include/openssl/evp.h ../../include/openssl/idea.h ocsp_ext.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h ocsp_ext.o: ../../include/openssl/md4.h ../../include/openssl/md5.h ocsp_ext.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h ocsp_ext.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h ocsp_ext.o: ../../include/openssl/opensslconf.h ocsp_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ocsp_ext.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h ocsp_ext.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h ocsp_ext.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h ocsp_ext.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h ocsp_ext.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ocsp_ext.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h ocsp_ext.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h ocsp_ext.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h ocsp_ext.o: ../cryptlib.h ocsp_ext.c ocsp_ht.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h ocsp_ht.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h ocsp_ht.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h ocsp_ht.o: ../../include/openssl/cast.h ../../include/openssl/conf.h ocsp_ht.o: ../../include/openssl/crypto.h ../../include/openssl/des.h ocsp_ht.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h ocsp_ht.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h ocsp_ht.o: ../../include/openssl/err.h ../../include/openssl/evp.h ocsp_ht.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h ocsp_ht.o: ../../include/openssl/md2.h ../../include/openssl/md4.h ocsp_ht.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h ocsp_ht.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h ocsp_ht.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h ocsp_ht.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ocsp_ht.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h ocsp_ht.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h ocsp_ht.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h ocsp_ht.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ocsp_ht.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ocsp_ht.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h ocsp_ht.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ocsp_ht.o: ../../include/openssl/x509v3.h ocsp_ht.c ocsp_lib.o: ../../e_os.h ../../include/openssl/aes.h ocsp_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ocsp_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h ocsp_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h ocsp_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h ocsp_lib.o: ../../include/openssl/des.h ../../include/openssl/des_old.h ocsp_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h ocsp_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h ocsp_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h ocsp_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h ocsp_lib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h ocsp_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h ocsp_lib.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h ocsp_lib.o: ../../include/openssl/opensslconf.h ocsp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ocsp_lib.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h ocsp_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h ocsp_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h ocsp_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h ocsp_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h ocsp_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ocsp_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h ocsp_lib.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h ocsp_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h ocsp_lib.o: ../cryptlib.h ocsp_lib.c ocsp_prn.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h ocsp_prn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h ocsp_prn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h ocsp_prn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h ocsp_prn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h ocsp_prn.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h ocsp_prn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h ocsp_prn.o: ../../include/openssl/err.h ../../include/openssl/evp.h ocsp_prn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h ocsp_prn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h ocsp_prn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h ocsp_prn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h ocsp_prn.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h ocsp_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ocsp_prn.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h ocsp_prn.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h ocsp_prn.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h ocsp_prn.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h ocsp_prn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ocsp_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ocsp_prn.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h ocsp_prn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ocsp_prn.o: ../../include/openssl/x509v3.h ocsp_prn.c ocsp_srv.o: ../../e_os.h ../../include/openssl/aes.h ocsp_srv.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ocsp_srv.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h ocsp_srv.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h ocsp_srv.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h ocsp_srv.o: ../../include/openssl/des.h ../../include/openssl/des_old.h ocsp_srv.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h ocsp_srv.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h ocsp_srv.o: ../../include/openssl/evp.h ../../include/openssl/idea.h ocsp_srv.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h ocsp_srv.o: ../../include/openssl/md4.h ../../include/openssl/md5.h ocsp_srv.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h ocsp_srv.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h ocsp_srv.o: ../../include/openssl/opensslconf.h ocsp_srv.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ocsp_srv.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h ocsp_srv.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h ocsp_srv.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h ocsp_srv.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h ocsp_srv.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h ocsp_srv.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ocsp_srv.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h ocsp_srv.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h ocsp_srv.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h ocsp_srv.o: ../cryptlib.h ocsp_srv.c ocsp_vfy.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h ocsp_vfy.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h ocsp_vfy.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h ocsp_vfy.o: ../../include/openssl/cast.h ../../include/openssl/conf.h ocsp_vfy.o: ../../include/openssl/crypto.h ../../include/openssl/des.h ocsp_vfy.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h ocsp_vfy.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h ocsp_vfy.o: ../../include/openssl/err.h ../../include/openssl/evp.h ocsp_vfy.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h ocsp_vfy.o: ../../include/openssl/md2.h ../../include/openssl/md4.h ocsp_vfy.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h ocsp_vfy.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h ocsp_vfy.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h ocsp_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ocsp_vfy.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h ocsp_vfy.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h ocsp_vfy.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h ocsp_vfy.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ocsp_vfy.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ocsp_vfy.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h ocsp_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ocsp_vfy.o: ../../include/openssl/x509v3.h ocsp_vfy.c diff --git a/crypto/openssl/crypto/ocsp/ocsp_ext.c b/crypto/openssl/crypto/ocsp/ocsp_ext.c index d6c8899f58e0..57399433fc42 100755 --- a/crypto/openssl/crypto/ocsp/ocsp_ext.c +++ b/crypto/openssl/crypto/ocsp/ocsp_ext.c @@ -1,528 +1,538 @@ /* ocsp_ext.c */ /* Written by Tom Titchener for the OpenSSL * project. */ /* History: This file was transfered to Richard Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be included in OpenSSL or released as a patch kit. */ /* ==================================================================== * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include #include #include #include #include /* Standard wrapper functions for extensions */ /* OCSP request extensions */ int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x) { return(X509v3_get_ext_count(x->tbsRequest->requestExtensions)); } int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos) { return(X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions,nid,lastpos)); } int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos) { return(X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions,obj,lastpos)); } int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos) { return(X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,crit,lastpos)); } X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc) { return(X509v3_get_ext(x->tbsRequest->requestExtensions,loc)); } X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc) { return(X509v3_delete_ext(x->tbsRequest->requestExtensions,loc)); } void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx) { return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx); } int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit, unsigned long flags) { return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, crit, flags); } int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc) { return(X509v3_add_ext(&(x->tbsRequest->requestExtensions),ex,loc) != NULL); } /* Single extensions */ int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x) { return(X509v3_get_ext_count(x->singleRequestExtensions)); } int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos) { return(X509v3_get_ext_by_NID(x->singleRequestExtensions,nid,lastpos)); } int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos) { return(X509v3_get_ext_by_OBJ(x->singleRequestExtensions,obj,lastpos)); } int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos) { return(X509v3_get_ext_by_critical(x->singleRequestExtensions,crit,lastpos)); } X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc) { return(X509v3_get_ext(x->singleRequestExtensions,loc)); } X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc) { return(X509v3_delete_ext(x->singleRequestExtensions,loc)); } void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx) { return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx); } int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit, unsigned long flags) { return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit, flags); } int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc) { return(X509v3_add_ext(&(x->singleRequestExtensions),ex,loc) != NULL); } /* OCSP Basic response */ int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x) { return(X509v3_get_ext_count(x->tbsResponseData->responseExtensions)); } int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos) { return(X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,nid,lastpos)); } int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos) { return(X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,obj,lastpos)); } int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos) { return(X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,crit,lastpos)); } X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc) { return(X509v3_get_ext(x->tbsResponseData->responseExtensions,loc)); } X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc) { return(X509v3_delete_ext(x->tbsResponseData->responseExtensions,loc)); } void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx) { return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit, idx); } int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit, unsigned long flags) { return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, value, crit, flags); } int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc) { return(X509v3_add_ext(&(x->tbsResponseData->responseExtensions),ex,loc) != NULL); } /* OCSP single response extensions */ int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x) { return(X509v3_get_ext_count(x->singleExtensions)); } int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos) { return(X509v3_get_ext_by_NID(x->singleExtensions,nid,lastpos)); } int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos) { return(X509v3_get_ext_by_OBJ(x->singleExtensions,obj,lastpos)); } int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos) { return(X509v3_get_ext_by_critical(x->singleExtensions,crit,lastpos)); } X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc) { return(X509v3_get_ext(x->singleExtensions,loc)); } X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc) { return(X509v3_delete_ext(x->singleExtensions,loc)); } void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx) { return X509V3_get_d2i(x->singleExtensions, nid, crit, idx); } int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit, unsigned long flags) { return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags); } int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc) { return(X509v3_add_ext(&(x->singleExtensions),ex,loc) != NULL); } /* also CRL Entry Extensions */ ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(), char *data, STACK_OF(ASN1_OBJECT) *sk) { int i; unsigned char *p, *b = NULL; if (data) { if ((i=i2d(data,NULL)) <= 0) goto err; if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i))) goto err; if (i2d(data, &p) <= 0) goto err; } else if (sk) { if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,i2d,V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL,IS_SEQUENCE))<=0) goto err; if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i))) goto err; if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,i2d,V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL,IS_SEQUENCE)<=0) goto err; } else { OCSPerr(OCSP_F_ASN1_STRING_ENCODE,OCSP_R_BAD_DATA); goto err; } if (!s && !(s = ASN1_STRING_new())) goto err; if (!(ASN1_STRING_set(s, b, i))) goto err; OPENSSL_free(b); return s; err: if (b) OPENSSL_free(b); return NULL; } /* Nonce handling functions */ /* Add a nonce to an extension stack. A nonce can be specificed or if NULL * a random nonce will be generated. + * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the + * nonce, previous versions used the raw nonce. */ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len) { unsigned char *tmpval; ASN1_OCTET_STRING os; int ret = 0; if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH; - if (val) tmpval = val; + /* Create the OCTET STRING manually by writing out the header and + * appending the content octets. This avoids an extra memory allocation + * operation in some cases. Applications should *NOT* do this because + * it relies on library internals. + */ + os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING); + os.data = OPENSSL_malloc(os.length); + if (os.data == NULL) + goto err; + tmpval = os.data; + ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL); + if (val) + memcpy(tmpval, val, len); else - { - if (!(tmpval = OPENSSL_malloc(len))) goto err; RAND_pseudo_bytes(tmpval, len); - } - os.data = tmpval; - os.length = len; if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0, X509V3_ADD_REPLACE)) goto err; ret = 1; err: - if(!val) OPENSSL_free(tmpval); + if (os.data) + OPENSSL_free(os.data); return ret; } /* Add nonce to an OCSP request */ int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len) { return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len); } /* Same as above but for a response */ int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len) { return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, len); } /* Check nonce validity in a request and response. * Return value reflects result: * 1: nonces present and equal. * 2: nonces both absent. * 3: nonce present in response only. * 0: nonces both present and not equal. * -1: nonce in request only. * * For most responders clients can check return > 0. * If responder doesn't handle nonces return != 0 may be * necessary. return == 0 is always an error. */ int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs) { /* * Since we are only interested in the presence or absence of * the nonce and comparing its value there is no need to use * the X509V3 routines: this way we can avoid them allocating an * ASN1_OCTET_STRING structure for the value which would be * freed immediately anyway. */ int req_idx, resp_idx; X509_EXTENSION *req_ext, *resp_ext; req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1); resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1); /* Check both absent */ if((req_idx < 0) && (resp_idx < 0)) return 2; /* Check in request only */ if((req_idx >= 0) && (resp_idx < 0)) return -1; /* Check in response but not request */ if((req_idx < 0) && (resp_idx >= 0)) return 3; /* Otherwise nonce in request and response so retrieve the extensions */ req_ext = OCSP_REQUEST_get_ext(req, req_idx); resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx); if(ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value)) return 0; return 1; } /* Copy the nonce value (if any) from an OCSP request to * a response. */ int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req) { X509_EXTENSION *req_ext; int req_idx; /* Check for nonce in request */ req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1); /* If no nonce that's OK */ if (req_idx < 0) return 2; req_ext = OCSP_REQUEST_get_ext(req, req_idx); return OCSP_BASICRESP_add_ext(resp, req_ext, -1); } X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim) { X509_EXTENSION *x = NULL; OCSP_CRLID *cid = NULL; if (!(cid = OCSP_CRLID_new())) goto err; if (url) { if (!(cid->crlUrl = ASN1_IA5STRING_new())) goto err; if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) goto err; } if (n) { if (!(cid->crlNum = ASN1_INTEGER_new())) goto err; if (!(ASN1_INTEGER_set(cid->crlNum, *n))) goto err; } if (tim) { if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) goto err; if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim))) goto err; } if (!(x = X509_EXTENSION_new())) goto err; if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_CrlID))) goto err; if (!(ASN1_STRING_encode(x->value,i2d_OCSP_CRLID,(char*)cid,NULL))) goto err; OCSP_CRLID_free(cid); return x; err: if (x) X509_EXTENSION_free(x); if (cid) OCSP_CRLID_free(cid); return NULL; } /* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */ X509_EXTENSION *OCSP_accept_responses_new(char **oids) { int nid; STACK_OF(ASN1_OBJECT) *sk = NULL; ASN1_OBJECT *o = NULL; X509_EXTENSION *x = NULL; if (!(sk = sk_ASN1_OBJECT_new_null())) goto err; while (oids && *oids) { if ((nid=OBJ_txt2nid(*oids))!=NID_undef&&(o=OBJ_nid2obj(nid))) sk_ASN1_OBJECT_push(sk, o); oids++; } if (!(x = X509_EXTENSION_new())) goto err; if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_acceptableResponses))) goto err; if (!(ASN1_STRING_encode(x->value,i2d_ASN1_OBJECT,NULL,sk))) goto err; sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free); return x; err: if (x) X509_EXTENSION_free(x); if (sk) sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free); return NULL; } /* ArchiveCutoff ::= GeneralizedTime */ X509_EXTENSION *OCSP_archive_cutoff_new(char* tim) { X509_EXTENSION *x=NULL; ASN1_GENERALIZEDTIME *gt = NULL; if (!(gt = ASN1_GENERALIZEDTIME_new())) goto err; if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err; if (!(x = X509_EXTENSION_new())) goto err; if (!(x->object=OBJ_nid2obj(NID_id_pkix_OCSP_archiveCutoff)))goto err; if (!(ASN1_STRING_encode(x->value,i2d_ASN1_GENERALIZEDTIME, (char*)gt,NULL))) goto err; ASN1_GENERALIZEDTIME_free(gt); return x; err: if (gt) ASN1_GENERALIZEDTIME_free(gt); if (x) X509_EXTENSION_free(x); return NULL; } /* per ACCESS_DESCRIPTION parameter are oids, of which there are currently * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String. */ X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls) { X509_EXTENSION *x = NULL; ASN1_IA5STRING *ia5 = NULL; OCSP_SERVICELOC *sloc = NULL; ACCESS_DESCRIPTION *ad = NULL; if (!(sloc = OCSP_SERVICELOC_new())) goto err; if (!(sloc->issuer = X509_NAME_dup(issuer))) goto err; if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) goto err; while (urls && *urls) { if (!(ad = ACCESS_DESCRIPTION_new())) goto err; if (!(ad->method=OBJ_nid2obj(NID_ad_OCSP))) goto err; if (!(ad->location = GENERAL_NAME_new())) goto err; if (!(ia5 = ASN1_IA5STRING_new())) goto err; if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1)) goto err; ad->location->type = GEN_URI; ad->location->d.ia5 = ia5; if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) goto err; urls++; } if (!(x = X509_EXTENSION_new())) goto err; if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_serviceLocator))) goto err; if (!(ASN1_STRING_encode(x->value, i2d_OCSP_SERVICELOC, (char*)sloc, NULL))) goto err; OCSP_SERVICELOC_free(sloc); return x; err: if (x) X509_EXTENSION_free(x); if (sloc) OCSP_SERVICELOC_free(sloc); return NULL; } diff --git a/crypto/openssl/crypto/ocsp/ocsp_lib.c b/crypto/openssl/crypto/ocsp/ocsp_lib.c index 3875af165c71..9e87fc78957e 100755 --- a/crypto/openssl/crypto/ocsp/ocsp_lib.c +++ b/crypto/openssl/crypto/ocsp/ocsp_lib.c @@ -1,261 +1,262 @@ /* ocsp_lib.c */ /* Written by Tom Titchener for the OpenSSL * project. */ /* History: This file was transfered to Richard Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be included in OpenSSL or released as a patch kit. */ /* ==================================================================== * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include #include #include #include #include #include /* Convert a certificate and its issuer to an OCSP_CERTID */ OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer) { X509_NAME *iname; ASN1_INTEGER *serial; ASN1_BIT_STRING *ikey; #ifndef OPENSSL_NO_SHA1 if(!dgst) dgst = EVP_sha1(); #endif if (subject) { iname = X509_get_issuer_name(subject); serial = X509_get_serialNumber(subject); } else { iname = X509_get_subject_name(issuer); serial = NULL; } ikey = X509_get0_pubkey_bitstr(issuer); return OCSP_cert_id_new(dgst, iname, ikey, serial); } OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName, ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber) { int nid; unsigned int i; X509_ALGOR *alg; OCSP_CERTID *cid = NULL; unsigned char md[EVP_MAX_MD_SIZE]; if (!(cid = OCSP_CERTID_new())) goto err; alg = cid->hashAlgorithm; if (alg->algorithm != NULL) ASN1_OBJECT_free(alg->algorithm); if ((nid = EVP_MD_type(dgst)) == NID_undef) { OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_UNKNOWN_NID); goto err; } if (!(alg->algorithm=OBJ_nid2obj(nid))) goto err; if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err; alg->parameter->type=V_ASN1_NULL; if (!X509_NAME_digest(issuerName, dgst, md, &i)) goto digerr; if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err; /* Calculate the issuerKey hash, excluding tag and length */ EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL); if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err; if (serialNumber) { ASN1_INTEGER_free(cid->serialNumber); if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err; } return cid; digerr: OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_DIGEST_ERR); err: if (cid) OCSP_CERTID_free(cid); return NULL; } int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b) { int ret; ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm); if (ret) return ret; ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash); if (ret) return ret; return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash); } int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b) { int ret; ret = OCSP_id_issuer_cmp(a, b); if (ret) return ret; return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber); } /* Parse a URL and split it up into host, port and path components and whether * it is SSL. */ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl) { char *p, *buf; char *host, *port; /* dup the buffer since we are going to mess with it */ buf = BUF_strdup(url); if (!buf) goto mem_err; *phost = NULL; *pport = NULL; *ppath = NULL; /* Check for initial colon */ p = strchr(buf, ':'); if (!p) goto parse_err; *(p++) = '\0'; if (!strcmp(buf, "http")) { *pssl = 0; port = "80"; } else if (!strcmp(buf, "https")) { *pssl = 1; port = "443"; } else goto parse_err; /* Check for double slash */ if ((p[0] != '/') || (p[1] != '/')) goto parse_err; p += 2; host = p; /* Check for trailing part of path */ p = strchr(p, '/'); if (!p) *ppath = BUF_strdup("/"); else { *ppath = BUF_strdup(p); /* Set start of path to 0 so hostname is valid */ *p = '\0'; } if (!*ppath) goto mem_err; /* Look for optional ':' for port number */ if ((p = strchr(host, ':'))) { *p = 0; port = p + 1; } else { /* Not found: set default port */ if (*pssl) port = "443"; else port = "80"; } *pport = BUF_strdup(port); if (!*pport) goto mem_err; *phost = BUF_strdup(host); if (!*phost) goto mem_err; OPENSSL_free(buf); return 1; mem_err: OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE); goto err; parse_err: OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL); err: + if (buf) OPENSSL_free(buf); if (*ppath) OPENSSL_free(*ppath); if (*pport) OPENSSL_free(*pport); if (*phost) OPENSSL_free(*phost); return 0; } diff --git a/crypto/openssl/crypto/ocsp/ocsp_vfy.c b/crypto/openssl/crypto/ocsp/ocsp_vfy.c index 1f5fda7ca310..3d58dfb06cf3 100644 --- a/crypto/openssl/crypto/ocsp/ocsp_vfy.c +++ b/crypto/openssl/crypto/ocsp/ocsp_vfy.c @@ -1,444 +1,444 @@ /* ocsp_vfy.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 2000. */ /* ==================================================================== - * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags); static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret); static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp); static int ocsp_check_delegated(X509 *x, int flags); static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); /* Verify a basic response message */ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags) { X509 *signer, *x; STACK_OF(X509) *chain = NULL; X509_STORE_CTX ctx; int i, ret = 0; ret = ocsp_find_signer(&signer, bs, certs, st, flags); if (!ret) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); goto end; } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) flags |= OCSP_NOVERIFY; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; skey = X509_get_pubkey(signer); ret = OCSP_BASICRESP_verify(bs, skey, 0); EVP_PKEY_free(skey); if(ret <= 0) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); goto end; } } if (!(flags & OCSP_NOVERIFY)) { int init_res; if(flags & OCSP_NOCHAIN) init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); else init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs); if(!init_res) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB); goto end; } X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); ret = X509_verify_cert(&ctx); chain = X509_STORE_CTX_get1_chain(&ctx); X509_STORE_CTX_cleanup(&ctx); if (ret <= 0) { i = X509_STORE_CTX_get_error(&ctx); OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR); ERR_add_error_data(2, "Verify error:", X509_verify_cert_error_string(i)); goto end; } if(flags & OCSP_NOCHECKS) { ret = 1; goto end; } /* At this point we have a valid certificate chain * need to verify it against the OCSP issuer criteria. */ ret = ocsp_check_issuer(bs, chain, flags); /* If fatal error or valid match then finish */ if (ret != 0) goto end; /* Easy case: explicitly trusted. Get root CA and * check for explicit trust */ if(flags & OCSP_NOEXPLICIT) goto end; x = sk_X509_value(chain, sk_X509_num(chain) - 1); if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_ROOT_CA_NOT_TRUSTED); goto end; } ret = 1; } end: if(chain) sk_X509_pop_free(chain, X509_free); return ret; } static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags) { X509 *signer; OCSP_RESPID *rid = bs->tbsResponseData->responderId; if ((signer = ocsp_find_signer_sk(certs, rid))) { *psigner = signer; return 2; } if(!(flags & OCSP_NOINTERN) && (signer = ocsp_find_signer_sk(bs->certs, rid))) { *psigner = signer; return 1; } /* Maybe lookup from store if by subject name */ *psigner = NULL; return 0; } static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) { int i; unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash; X509 *x; /* Easy if lookup by name */ if (id->type == V_OCSP_RESPID_NAME) return X509_find_by_subject(certs, id->value.byName); /* Lookup by key hash */ /* If key hash isn't SHA1 length then forget it */ if (id->value.byKey->length != SHA_DIGEST_LENGTH) return NULL; keyhash = id->value.byKey->data; /* Calculate hash of each key and compare */ for (i = 0; i < sk_X509_num(certs); i++) { x = sk_X509_value(certs, i); X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL); if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH)) return x; } return NULL; } static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags) { STACK_OF(OCSP_SINGLERESP) *sresp; X509 *signer, *sca; OCSP_CERTID *caid = NULL; int i; sresp = bs->tbsResponseData->responses; if (sk_X509_num(chain) <= 0) { OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN); return -1; } /* See if the issuer IDs match. */ i = ocsp_check_ids(sresp, &caid); /* If ID mismatch or other error then return */ if (i <= 0) return i; signer = sk_X509_value(chain, 0); /* Check to see if OCSP responder CA matches request CA */ if (sk_X509_num(chain) > 1) { sca = sk_X509_value(chain, 1); i = ocsp_match_issuerid(sca, caid, sresp); if (i < 0) return i; if (i) { /* We have a match, if extensions OK then success */ if (ocsp_check_delegated(signer, flags)) return 1; return 0; } } /* Otherwise check if OCSP request signed directly by request CA */ return ocsp_match_issuerid(signer, caid, sresp); } /* Check the issuer certificate IDs for equality. If there is a mismatch with the same * algorithm then there's no point trying to match any certificates against the issuer. * If the issuer IDs all match then we just need to check equality against one of them. */ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) { OCSP_CERTID *tmpid, *cid; int i, idcount; idcount = sk_OCSP_SINGLERESP_num(sresp); if (idcount <= 0) { OCSPerr(OCSP_F_OCSP_CHECK_IDS, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA); return -1; } cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; *ret = NULL; for (i = 1; i < idcount; i++) { - tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; + tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; /* Check to see if IDs match */ if (OCSP_id_issuer_cmp(cid, tmpid)) { /* If algoritm mismatch let caller deal with it */ if (OBJ_cmp(tmpid->hashAlgorithm->algorithm, cid->hashAlgorithm->algorithm)) return 2; /* Else mismatch */ return 0; } } /* All IDs match: only need to check one ID */ *ret = cid; return 1; } static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp) { /* If only one ID to match then do it */ if(cid) { const EVP_MD *dgst; X509_NAME *iname; int mdlen; unsigned char md[EVP_MAX_MD_SIZE]; if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) { OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, OCSP_R_UNKNOWN_MESSAGE_DIGEST); return -1; } mdlen = EVP_MD_size(dgst); if ((cid->issuerNameHash->length != mdlen) || (cid->issuerKeyHash->length != mdlen)) return 0; iname = X509_get_subject_name(cert); if (!X509_NAME_digest(iname, dgst, md, NULL)) return -1; if (memcmp(md, cid->issuerNameHash->data, mdlen)) return 0; X509_pubkey_digest(cert, EVP_sha1(), md, NULL); if (memcmp(md, cid->issuerKeyHash->data, mdlen)) return 0; return 1; } else { /* We have to match the whole lot */ int i, ret; OCSP_CERTID *tmpid; for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) { - tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; + tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; ret = ocsp_match_issuerid(cert, tmpid, NULL); if (ret <= 0) return ret; } return 1; } } static int ocsp_check_delegated(X509 *x, int flags) { X509_check_purpose(x, -1, 0); if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN)) return 1; OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE); return 0; } /* Verify an OCSP request. This is fortunately much easier than OCSP * response verify. Just find the signers certificate and verify it * against a given trust value. */ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags) { X509 *signer; X509_NAME *nm; GENERAL_NAME *gen; int ret; X509_STORE_CTX ctx; if (!req->optionalSignature) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED); return 0; } gen = req->tbsRequest->requestorName; if (gen->type != GEN_DIRNAME) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); return 0; } nm = gen->d.directoryName; ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags); if (ret <= 0) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); return 0; } if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) flags |= OCSP_NOVERIFY; if (!(flags & OCSP_NOSIGS)) { EVP_PKEY *skey; skey = X509_get_pubkey(signer); ret = OCSP_REQUEST_verify(req, skey); EVP_PKEY_free(skey); if(ret <= 0) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE); return 0; } } if (!(flags & OCSP_NOVERIFY)) { int init_res; if(flags & OCSP_NOCHAIN) init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL); else init_res = X509_STORE_CTX_init(&ctx, store, signer, req->optionalSignature->certs); if(!init_res) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB); return 0; } X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER); X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST); ret = X509_verify_cert(&ctx); X509_STORE_CTX_cleanup(&ctx); if (ret <= 0) { ret = X509_STORE_CTX_get_error(&ctx); OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR); ERR_add_error_data(2, "Verify error:", X509_verify_cert_error_string(ret)); return 0; } } return 1; } static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags) { X509 *signer; if(!(flags & OCSP_NOINTERN)) { signer = X509_find_by_subject(req->optionalSignature->certs, nm); *psigner = signer; return 1; } signer = X509_find_by_subject(certs, nm); if (signer) { *psigner = signer; return 2; } return 0; } diff --git a/crypto/openssl/crypto/opensslconf.h b/crypto/openssl/crypto/opensslconf.h index fe6ff88bdc6a..492041bc7cb5 100644 --- a/crypto/openssl/crypto/opensslconf.h +++ b/crypto/openssl/crypto/opensslconf.h @@ -1,183 +1,180 @@ /* opensslconf.h */ /* WARNING: Generated automatically from opensslconf.h.in by Configure. */ /* OpenSSL was configured with the following options: */ -#ifndef OPENSSL_SYSNAME_WIN16 -# define OPENSSL_SYSNAME_WIN16 -#endif #ifndef OPENSSL_DOING_MAKEDEPEND #ifndef OPENSSL_NO_KRB5 # define OPENSSL_NO_KRB5 #endif #endif /* OPENSSL_DOING_MAKEDEPEND */ /* The OPENSSL_NO_* macros are also defined as NO_* if the application asks for it. This is a transient feature that is provided for those who haven't had the time to do the appropriate changes in their applications. */ #ifdef OPENSSL_ALGORITHM_DEFINES # if defined(OPENSSL_NO_KRB5) && !defined(NO_KRB5) # define NO_KRB5 # endif #endif /* crypto/opensslconf.h.in */ /* Generate 80386 code? */ #undef I386_ONLY #if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */ #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) #define OPENSSLDIR "/usr/local/ssl" #endif #endif #undef OPENSSL_UNISTD #define OPENSSL_UNISTD #undef OPENSSL_EXPORT_VAR_AS_FUNCTION #if defined(HEADER_IDEA_H) && !defined(IDEA_INT) #define IDEA_INT unsigned int #endif #if defined(HEADER_MD2_H) && !defined(MD2_INT) -#define MD2_INT unsigned char +#define MD2_INT unsigned int #endif #if defined(HEADER_RC2_H) && !defined(RC2_INT) /* I need to put in a mod for the alpha - eay */ #define RC2_INT unsigned int #endif #if defined(HEADER_RC4_H) #if !defined(RC4_INT) /* using int types make the structure larger but make the code faster * on most boxes I have tested - up to %20 faster. */ /* * I don't know what does "most" mean, but declaring "int" is a must on: * - Intel P6 because partial register stalls are very expensive; * - elder Alpha because it lacks byte load/store instructions; */ #define RC4_INT unsigned int #endif #if !defined(RC4_CHUNK) /* * This enables code handling data aligned at natural CPU word * boundary. See crypto/rc4/rc4_enc.c for further details. */ #undef RC4_CHUNK #endif #endif #if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG) /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a * %20 speed up (longs are 8 bytes, int's are 4). */ #ifndef DES_LONG #define DES_LONG unsigned long #endif #endif #if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) #define CONFIG_HEADER_BN_H #undef BN_LLONG /* Should we define BN_DIV2W here? */ /* Only one for the following should be defined */ /* The prime number generation stuff may not work when * EIGHT_BIT but I don't care since I've only used this mode * for debuging the bignum libraries */ #undef SIXTY_FOUR_BIT_LONG #undef SIXTY_FOUR_BIT #define THIRTY_TWO_BIT #undef SIXTEEN_BIT #undef EIGHT_BIT #endif #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) #define CONFIG_HEADER_RC4_LOCL_H /* if this is defined data[i] is used instead of *data, this is a %20 * speedup on x86 */ -#define RC4_INDEX +#undef RC4_INDEX #endif #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) #define CONFIG_HEADER_BF_LOCL_H #undef BF_PTR #endif /* HEADER_BF_LOCL_H */ #if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) #define CONFIG_HEADER_DES_LOCL_H #ifndef DES_DEFAULT_OPTIONS /* the following is tweaked from a config script, that is why it is a * protected undef/define */ #ifndef DES_PTR -#define DES_PTR +#undef DES_PTR #endif /* This helps C compiler generate the correct code for multiple functional * units. It reduces register dependancies at the expense of 2 more * registers */ #ifndef DES_RISC1 #undef DES_RISC1 #endif #ifndef DES_RISC2 #undef DES_RISC2 #endif #if defined(DES_RISC1) && defined(DES_RISC2) YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! #endif /* Unroll the inner loop, this sometimes helps, sometimes hinders. * Very mucy CPU dependant */ #ifndef DES_UNROLL -#define DES_UNROLL +#undef DES_UNROLL #endif /* These default values were supplied by * Peter Gutman * They are only used if nothing else has been defined */ #if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL) /* Special defines which change the way the code is built depending on the CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find even newer MIPS CPU's, but at the moment one size fits all for optimization options. Older Sparc's work better with only UNROLL, but there's no way to tell at compile time what it is you're running on */ #if defined( sun ) /* Newer Sparc's */ # define DES_PTR # define DES_RISC1 # define DES_UNROLL #elif defined( __ultrix ) /* Older MIPS */ # define DES_PTR # define DES_RISC2 # define DES_UNROLL #elif defined( __osf1__ ) /* Alpha */ # define DES_PTR # define DES_RISC2 #elif defined ( _AIX ) /* RS6000 */ /* Unknown */ #elif defined( __hpux ) /* HP-PA */ /* Unknown */ #elif defined( __aux ) /* 68K */ /* Unknown */ #elif defined( __dgux ) /* 88K (but P6 in latest boxes) */ # define DES_UNROLL #elif defined( __sgi ) /* Newer MIPS */ # define DES_PTR # define DES_RISC2 # define DES_UNROLL #elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */ # define DES_PTR # define DES_RISC1 # define DES_UNROLL #endif /* Systems-specific speed defines */ #endif #endif /* DES_DEFAULT_OPTIONS */ #endif /* HEADER_DES_LOCL_H */ diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index e226d9de7969..02f1710fb3f6 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -1,85 +1,85 @@ #ifndef HEADER_OPENSSLV_H #define HEADER_OPENSSLV_H /* Numeric release version identifier: * MNNFFPPS: major minor fix patch status * The status nibble has one of the values 0 for development, 1 to e for betas * 1 to 14, and f for release. The patch level is exactly that. * For example: * 0.9.3-dev 0x00903000 * 0.9.3-beta1 0x00903001 * 0.9.3-beta2-dev 0x00903002 * 0.9.3-beta2 0x00903002 (same as ...beta2-dev) * 0.9.3 0x0090300f * 0.9.3a 0x0090301f * 0.9.4 0x0090400f * 1.2.3z 0x102031af * * For continuity reasons (because 0.9.5 is already out, and is coded * 0x00905100), between 0.9.5 and 0.9.6 the coding of the patch level * part is slightly different, by setting the highest bit. This means * that 0.9.5a looks like this: 0x0090581f. At 0.9.6, we can start * with 0x0090600S... * * (Prior to 0.9.3-dev a different scheme was used: 0.9.2b is 0x0922.) * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090703fL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7c 30 Sep 2003" +#define OPENSSL_VERSION_NUMBER 0x0090704fL +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d 17 Mar 2004" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT /* The macros below are to be used for shared library (.so, .dll, ...) * versioning. That kind of versioning works a bit differently between * operating systems. The most usual scheme is to set a major and a minor * number, and have the runtime loader check that the major number is equal * to what it was at application link time, while the minor number has to * be greater or equal to what it was at application link time. With this * scheme, the version number is usually part of the file name, like this: * * libcrypto.so.0.9 * * Some unixen also make a softlink with the major verson number only: * * libcrypto.so.0 * * On Tru64 and IRIX 6.x it works a little bit differently. There, the * shared library version is stored in the file, and is actually a series * of versions, separated by colons. The rightmost version present in the * library when linking an application is stored in the application to be * matched at run time. When the application is run, a check is done to * see if the library version stored in the application matches any of the * versions in the version string of the library itself. * This version string can be constructed in any way, depending on what * kind of matching is desired. However, to implement the same scheme as * the one used in the other unixen, all compatible versions, from lowest * to highest, should be part of the string. Consecutive builds would * give the following versions strings: * * 3.0 * 3.0:3.1 * 3.0:3.1:3.2 * 4.0 * 4.0:4.1 * * Notice how version 4 is completely incompatible with version, and * therefore give the breach you can see. * * There may be other schemes as well that I haven't yet discovered. * * So, here's the way it works here: first of all, the library version * number doesn't need at all to match the overall OpenSSL version. * However, it's nice and more understandable if it actually does. * The current library version is stored in the macro SHLIB_VERSION_NUMBER, * which is just a piece of text in the format "M.m.e" (Major, minor, edit). * For the sake of Tru64, IRIX, and any other OS that behaves in similar ways, * we need to keep a history of version numbers, which is done in the * macro SHLIB_VERSION_HISTORY. The numbers are separated by colons and * should only keep the versions that are binary compatible with the current. */ #define SHLIB_VERSION_HISTORY "" #define SHLIB_VERSION_NUMBER "0.9.7" #endif /* HEADER_OPENSSLV_H */ diff --git a/crypto/openssl/crypto/pem/Makefile.ssl b/crypto/openssl/crypto/pem/Makefile.ssl index 90eda931f73a..d3043eb4013f 100644 --- a/crypto/openssl/crypto/pem/Makefile.ssl +++ b/crypto/openssl/crypto/pem/Makefile.ssl @@ -1,336 +1,336 @@ # # SSLeay/crypto/pem/Makefile # DIR= pem TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= pem_sign.c pem_seal.c pem_info.c pem_lib.c pem_all.c pem_err.c \ pem_x509.c pem_xaux.c pem_oth.c pem_pk8.c pem_pkey.c LIBOBJ= pem_sign.o pem_seal.o pem_info.o pem_lib.o pem_all.o pem_err.o \ pem_x509.o pem_xaux.o pem_oth.o pem_pk8.o pem_pkey.o SRC= $(LIBSRC) EXHEADER= pem.h pem2.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: $(EXHEADER) - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. pem_all.o: ../../e_os.h ../../include/openssl/aes.h pem_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pem_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pem_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pem_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h pem_all.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h pem_all.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h pem_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h pem_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h pem_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h pem_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h pem_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h pem_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h pem_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h pem_all.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h pem_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h pem_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h pem_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h pem_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h pem_all.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h pem_all.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h pem_all.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_all.c pem_err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h pem_err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h pem_err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h pem_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h pem_err.o: ../../include/openssl/des.h ../../include/openssl/des_old.h pem_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h pem_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h pem_err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h pem_err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h pem_err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h pem_err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h pem_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h pem_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pem_err.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h pem_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h pem_err.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h pem_err.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h pem_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h pem_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h pem_err.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h pem_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h pem_err.o: pem_err.c pem_info.o: ../../e_os.h ../../include/openssl/aes.h pem_info.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pem_info.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pem_info.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pem_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h pem_info.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h pem_info.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h pem_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h pem_info.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h pem_info.o: ../../include/openssl/md2.h ../../include/openssl/md4.h pem_info.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h pem_info.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h pem_info.o: ../../include/openssl/opensslconf.h pem_info.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pem_info.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h pem_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h pem_info.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h pem_info.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h pem_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h pem_info.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h pem_info.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h pem_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h pem_info.o: ../cryptlib.h pem_info.c pem_lib.o: ../../e_os.h ../../include/openssl/aes.h pem_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pem_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pem_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pem_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h pem_lib.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h pem_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h pem_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h pem_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h pem_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h pem_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h pem_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h pem_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h pem_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h pem_lib.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h pem_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h pem_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h pem_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h pem_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h pem_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h pem_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h pem_lib.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h pem_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_lib.c pem_oth.o: ../../e_os.h ../../include/openssl/aes.h pem_oth.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pem_oth.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pem_oth.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pem_oth.o: ../../include/openssl/crypto.h ../../include/openssl/des.h pem_oth.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h pem_oth.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h pem_oth.o: ../../include/openssl/err.h ../../include/openssl/evp.h pem_oth.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h pem_oth.o: ../../include/openssl/md2.h ../../include/openssl/md4.h pem_oth.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h pem_oth.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h pem_oth.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h pem_oth.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h pem_oth.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h pem_oth.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h pem_oth.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h pem_oth.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h pem_oth.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h pem_oth.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h pem_oth.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h pem_oth.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h pem_oth.o: ../cryptlib.h pem_oth.c pem_pk8.o: ../../e_os.h ../../include/openssl/aes.h pem_pk8.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pem_pk8.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pem_pk8.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pem_pk8.o: ../../include/openssl/crypto.h ../../include/openssl/des.h pem_pk8.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h pem_pk8.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h pem_pk8.o: ../../include/openssl/err.h ../../include/openssl/evp.h pem_pk8.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h pem_pk8.o: ../../include/openssl/md2.h ../../include/openssl/md4.h pem_pk8.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h pem_pk8.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h pem_pk8.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h pem_pk8.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h pem_pk8.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h pem_pk8.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h pem_pk8.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h pem_pk8.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h pem_pk8.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h pem_pk8.o: ../../include/openssl/sha.h ../../include/openssl/stack.h pem_pk8.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h pem_pk8.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h pem_pk8.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_pk8.c pem_pkey.o: ../../e_os.h ../../include/openssl/aes.h pem_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pem_pkey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pem_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pem_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h pem_pkey.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h pem_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h pem_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h pem_pkey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h pem_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h pem_pkey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h pem_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h pem_pkey.o: ../../include/openssl/opensslconf.h pem_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pem_pkey.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h pem_pkey.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h pem_pkey.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h pem_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h pem_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h pem_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h pem_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h pem_pkey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h pem_pkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h pem_pkey.o: ../cryptlib.h pem_pkey.c pem_seal.o: ../../e_os.h ../../include/openssl/aes.h pem_seal.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pem_seal.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pem_seal.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pem_seal.o: ../../include/openssl/crypto.h ../../include/openssl/des.h pem_seal.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h pem_seal.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h pem_seal.o: ../../include/openssl/err.h ../../include/openssl/evp.h pem_seal.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h pem_seal.o: ../../include/openssl/md2.h ../../include/openssl/md4.h pem_seal.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h pem_seal.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h pem_seal.o: ../../include/openssl/opensslconf.h pem_seal.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pem_seal.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h pem_seal.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h pem_seal.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h pem_seal.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h pem_seal.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h pem_seal.o: ../../include/openssl/sha.h ../../include/openssl/stack.h pem_seal.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h pem_seal.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h pem_seal.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_seal.c pem_sign.o: ../../e_os.h ../../include/openssl/aes.h pem_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pem_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pem_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pem_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h pem_sign.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h pem_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h pem_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h pem_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h pem_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h pem_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h pem_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h pem_sign.o: ../../include/openssl/opensslconf.h pem_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pem_sign.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h pem_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h pem_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h pem_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h pem_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h pem_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h pem_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h pem_sign.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h pem_sign.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_sign.c pem_x509.o: ../../e_os.h ../../include/openssl/aes.h pem_x509.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pem_x509.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pem_x509.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pem_x509.o: ../../include/openssl/crypto.h ../../include/openssl/des.h pem_x509.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h pem_x509.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h pem_x509.o: ../../include/openssl/err.h ../../include/openssl/evp.h pem_x509.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h pem_x509.o: ../../include/openssl/md2.h ../../include/openssl/md4.h pem_x509.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h pem_x509.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h pem_x509.o: ../../include/openssl/opensslconf.h pem_x509.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pem_x509.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h pem_x509.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h pem_x509.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h pem_x509.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h pem_x509.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h pem_x509.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h pem_x509.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h pem_x509.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h pem_x509.o: ../cryptlib.h pem_x509.c pem_xaux.o: ../../e_os.h ../../include/openssl/aes.h pem_xaux.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pem_xaux.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pem_xaux.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pem_xaux.o: ../../include/openssl/crypto.h ../../include/openssl/des.h pem_xaux.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h pem_xaux.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h pem_xaux.o: ../../include/openssl/err.h ../../include/openssl/evp.h pem_xaux.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h pem_xaux.o: ../../include/openssl/md2.h ../../include/openssl/md4.h pem_xaux.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h pem_xaux.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h pem_xaux.o: ../../include/openssl/opensslconf.h pem_xaux.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pem_xaux.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h pem_xaux.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h pem_xaux.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h pem_xaux.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h pem_xaux.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h pem_xaux.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h pem_xaux.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h pem_xaux.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h pem_xaux.o: ../cryptlib.h pem_xaux.c diff --git a/crypto/openssl/crypto/pem/pem_lib.c b/crypto/openssl/crypto/pem/pem_lib.c index 70b5446797e9..7785039b993c 100644 --- a/crypto/openssl/crypto/pem/pem_lib.c +++ b/crypto/openssl/crypto/pem/pem_lib.c @@ -1,766 +1,771 @@ /* crypto/pem/pem_lib.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include "cryptlib.h" #include #include #include #include #include #include #include #ifndef OPENSSL_NO_DES #include #endif const char *PEM_version="PEM" OPENSSL_VERSION_PTEXT; #define MIN_LENGTH 4 static int load_iv(unsigned char **fromp,unsigned char *to, int num); static int check_pem(const char *nm, const char *name); int PEM_def_callback(char *buf, int num, int w, void *key) { #ifdef OPENSSL_NO_FP_API /* We should not ever call the default callback routine from * windows. */ PEMerr(PEM_F_DEF_CALLBACK,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(-1); #else int i,j; const char *prompt; if(key) { i=strlen(key); i=(i > num)?num:i; memcpy(buf,key,i); return(i); } prompt=EVP_get_pw_prompt(); if (prompt == NULL) prompt="Enter PEM pass phrase:"; for (;;) { i=EVP_read_pw_string(buf,num,prompt,w); if (i != 0) { PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); memset(buf,0,(unsigned int)num); return(-1); } j=strlen(buf); if (j < MIN_LENGTH) { fprintf(stderr,"phrase is too short, needs to be at least %d chars\n",MIN_LENGTH); } else break; } return(j); #endif } void PEM_proc_type(char *buf, int type) { const char *str; if (type == PEM_TYPE_ENCRYPTED) str="ENCRYPTED"; else if (type == PEM_TYPE_MIC_CLEAR) str="MIC-CLEAR"; else if (type == PEM_TYPE_MIC_ONLY) str="MIC-ONLY"; else str="BAD-TYPE"; - strcat(buf,"Proc-Type: 4,"); - strcat(buf,str); - strcat(buf,"\n"); + BUF_strlcat(buf,"Proc-Type: 4,",PEM_BUFSIZE); + BUF_strlcat(buf,str,PEM_BUFSIZE); + BUF_strlcat(buf,"\n",PEM_BUFSIZE); } void PEM_dek_info(char *buf, const char *type, int len, char *str) { static const unsigned char map[17]="0123456789ABCDEF"; long i; int j; - strcat(buf,"DEK-Info: "); - strcat(buf,type); - strcat(buf,","); + BUF_strlcat(buf,"DEK-Info: ",PEM_BUFSIZE); + BUF_strlcat(buf,type,PEM_BUFSIZE); + BUF_strlcat(buf,",",PEM_BUFSIZE); j=strlen(buf); + if (j + (len * 2) + 1 > PEM_BUFSIZE) + return; for (i=0; i>4)&0x0f]; buf[j+i*2+1]=map[(str[i] )&0x0f]; } buf[j+i*2]='\n'; buf[j+i*2+1]='\0'; } #ifndef OPENSSL_NO_FP_API char *PEM_ASN1_read(char *(*d2i)(), const char *name, FILE *fp, char **x, pem_password_cb *cb, void *u) { BIO *b; char *ret; if ((b=BIO_new(BIO_s_file())) == NULL) { PEMerr(PEM_F_PEM_ASN1_READ,ERR_R_BUF_LIB); return(0); } BIO_set_fp(b,fp,BIO_NOCLOSE); ret=PEM_ASN1_read_bio(d2i,name,b,x,cb,u); BIO_free(b); return(ret); } #endif static int check_pem(const char *nm, const char *name) { /* Normal matching nm and name */ if (!strcmp(nm,name)) return 1; /* Make PEM_STRING_EVP_PKEY match any private key */ if(!strcmp(nm,PEM_STRING_PKCS8) && !strcmp(name,PEM_STRING_EVP_PKEY)) return 1; if(!strcmp(nm,PEM_STRING_PKCS8INF) && !strcmp(name,PEM_STRING_EVP_PKEY)) return 1; if(!strcmp(nm,PEM_STRING_RSA) && !strcmp(name,PEM_STRING_EVP_PKEY)) return 1; if(!strcmp(nm,PEM_STRING_DSA) && !strcmp(name,PEM_STRING_EVP_PKEY)) return 1; /* Permit older strings */ if(!strcmp(nm,PEM_STRING_X509_OLD) && !strcmp(name,PEM_STRING_X509)) return 1; if(!strcmp(nm,PEM_STRING_X509_REQ_OLD) && !strcmp(name,PEM_STRING_X509_REQ)) return 1; /* Allow normal certs to be read as trusted certs */ if(!strcmp(nm,PEM_STRING_X509) && !strcmp(name,PEM_STRING_X509_TRUSTED)) return 1; if(!strcmp(nm,PEM_STRING_X509_OLD) && !strcmp(name,PEM_STRING_X509_TRUSTED)) return 1; /* Some CAs use PKCS#7 with CERTIFICATE headers */ if(!strcmp(nm, PEM_STRING_X509) && !strcmp(name, PEM_STRING_PKCS7)) return 1; return 0; } int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm, const char *name, BIO *bp, pem_password_cb *cb, void *u) { EVP_CIPHER_INFO cipher; char *nm=NULL,*header=NULL; unsigned char *data=NULL; long len; int ret = 0; for (;;) { if (!PEM_read_bio(bp,&nm,&header,&data,&len)) { if(ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE) ERR_add_error_data(2, "Expecting: ", name); return 0; } if(check_pem(nm, name)) break; OPENSSL_free(nm); OPENSSL_free(header); OPENSSL_free(data); } if (!PEM_get_EVP_CIPHER_INFO(header,&cipher)) goto err; if (!PEM_do_header(&cipher,data,&len,cb,u)) goto err; *pdata = data; *plen = len; if (pnm) *pnm = nm; ret = 1; err: if (!ret || !pnm) OPENSSL_free(nm); OPENSSL_free(header); if (!ret) OPENSSL_free(data); return ret; } #ifndef OPENSSL_NO_FP_API int PEM_ASN1_write(int (*i2d)(), const char *name, FILE *fp, char *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *callback, void *u) { BIO *b; int ret; if ((b=BIO_new(BIO_s_file())) == NULL) { PEMerr(PEM_F_PEM_ASN1_WRITE,ERR_R_BUF_LIB); return(0); } BIO_set_fp(b,fp,BIO_NOCLOSE); ret=PEM_ASN1_write_bio(i2d,name,b,x,enc,kstr,klen,callback,u); BIO_free(b); return(ret); } #endif int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *callback, void *u) { EVP_CIPHER_CTX ctx; int dsize=0,i,j,ret=0; unsigned char *p,*data=NULL; const char *objstr=NULL; char buf[PEM_BUFSIZE]; unsigned char key[EVP_MAX_KEY_LENGTH]; unsigned char iv[EVP_MAX_IV_LENGTH]; if (enc != NULL) { objstr=OBJ_nid2sn(EVP_CIPHER_nid(enc)); if (objstr == NULL) { PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,PEM_R_UNSUPPORTED_CIPHER); goto err; } } if ((dsize=i2d(x,NULL)) < 0) { PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_MALLOC_FAILURE); dsize=0; goto err; } /* dzise + 8 bytes are needed */ /* actually it needs the cipher block size extra... */ data=(unsigned char *)OPENSSL_malloc((unsigned int)dsize+20); if (data == NULL) { PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_MALLOC_FAILURE); goto err; } p=data; i=i2d(x,&p); if (enc != NULL) { if (kstr == NULL) { if (callback == NULL) klen=PEM_def_callback(buf,PEM_BUFSIZE,1,u); else klen=(*callback)(buf,PEM_BUFSIZE,1,u); if (klen <= 0) { PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,PEM_R_READ_KEY); goto err; } #ifdef CHARSET_EBCDIC /* Convert the pass phrase from EBCDIC */ ebcdic2ascii(buf, buf, klen); #endif kstr=(unsigned char *)buf; } RAND_add(data,i,0);/* put in the RSA key. */ OPENSSL_assert(enc->iv_len <= sizeof iv); if (RAND_pseudo_bytes(iv,enc->iv_len) < 0) /* Generate a salt */ goto err; /* The 'iv' is used as the iv and as a salt. It is * NOT taken from the BytesToKey function */ EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL); if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE); OPENSSL_assert(strlen(objstr)+23+2*enc->iv_len+13 <= sizeof buf); buf[0]='\0'; PEM_proc_type(buf,PEM_TYPE_ENCRYPTED); PEM_dek_info(buf,objstr,enc->iv_len,(char *)iv); /* k=strlen(buf); */ EVP_CIPHER_CTX_init(&ctx); EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv); EVP_EncryptUpdate(&ctx,data,&j,data,i); EVP_EncryptFinal_ex(&ctx,&(data[j]),&i); EVP_CIPHER_CTX_cleanup(&ctx); i+=j; ret=1; } else { ret=1; buf[0]='\0'; } i=PEM_write_bio(bp,name,buf,data,i); if (i <= 0) ret=0; err: OPENSSL_cleanse(key,sizeof(key)); OPENSSL_cleanse(iv,sizeof(iv)); OPENSSL_cleanse((char *)&ctx,sizeof(ctx)); OPENSSL_cleanse(buf,PEM_BUFSIZE); if (data != NULL) { OPENSSL_cleanse(data,(unsigned int)dsize); OPENSSL_free(data); } return(ret); } int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, pem_password_cb *callback,void *u) { int i,j,o,klen; long len; EVP_CIPHER_CTX ctx; unsigned char key[EVP_MAX_KEY_LENGTH]; char buf[PEM_BUFSIZE]; len= *plen; if (cipher->cipher == NULL) return(1); if (callback == NULL) klen=PEM_def_callback(buf,PEM_BUFSIZE,0,u); else klen=callback(buf,PEM_BUFSIZE,0,u); if (klen <= 0) { PEMerr(PEM_F_PEM_DO_HEADER,PEM_R_BAD_PASSWORD_READ); return(0); } #ifdef CHARSET_EBCDIC /* Convert the pass phrase from EBCDIC */ ebcdic2ascii(buf, buf, klen); #endif EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]), (unsigned char *)buf,klen,1,key,NULL); j=(int)len; EVP_CIPHER_CTX_init(&ctx); EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0])); EVP_DecryptUpdate(&ctx,data,&i,data,j); o=EVP_DecryptFinal_ex(&ctx,&(data[i]),&j); EVP_CIPHER_CTX_cleanup(&ctx); OPENSSL_cleanse((char *)buf,sizeof(buf)); OPENSSL_cleanse((char *)key,sizeof(key)); j+=i; if (!o) { PEMerr(PEM_F_PEM_DO_HEADER,PEM_R_BAD_DECRYPT); return(0); } *plen=j; return(1); } int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher) { int o; const EVP_CIPHER *enc=NULL; char *p,c; cipher->cipher=NULL; if ((header == NULL) || (*header == '\0') || (*header == '\n')) return(1); if (strncmp(header,"Proc-Type: ",11) != 0) { PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_NOT_PROC_TYPE); return(0); } header+=11; if (*header != '4') return(0); header++; if (*header != ',') return(0); header++; if (strncmp(header,"ENCRYPTED",9) != 0) { PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_NOT_ENCRYPTED); return(0); } for (; (*header != '\n') && (*header != '\0'); header++) ; if (*header == '\0') { PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_SHORT_HEADER); return(0); } header++; if (strncmp(header,"DEK-Info: ",10) != 0) { PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_NOT_DEK_INFO); return(0); } header+=10; p=header; for (;;) { c= *header; #ifndef CHARSET_EBCDIC if (!( ((c >= 'A') && (c <= 'Z')) || (c == '-') || ((c >= '0') && (c <= '9')))) break; #else if (!( isupper(c) || (c == '-') || isdigit(c))) break; #endif header++; } *header='\0'; o=OBJ_sn2nid(p); cipher->cipher=enc=EVP_get_cipherbyname(p); *header=c; header++; if (enc == NULL) { PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_UNSUPPORTED_ENCRYPTION); return(0); } if (!load_iv((unsigned char **)&header,&(cipher->iv[0]),enc->iv_len)) return(0); return(1); } static int load_iv(unsigned char **fromp, unsigned char *to, int num) { int v,i; unsigned char *from; from= *fromp; for (i=0; i= '0') && (*from <= '9')) v= *from-'0'; else if ((*from >= 'A') && (*from <= 'F')) v= *from-'A'+10; else if ((*from >= 'a') && (*from <= 'f')) v= *from-'a'+10; else { PEMerr(PEM_F_LOAD_IV,PEM_R_BAD_IV_CHARS); return(0); } from++; to[i/2]|=v<<(long)((!(i&1))*4); } *fromp=from; return(1); } #ifndef OPENSSL_NO_FP_API int PEM_write(FILE *fp, char *name, char *header, unsigned char *data, long len) { BIO *b; int ret; if ((b=BIO_new(BIO_s_file())) == NULL) { PEMerr(PEM_F_PEM_WRITE,ERR_R_BUF_LIB); return(0); } BIO_set_fp(b,fp,BIO_NOCLOSE); ret=PEM_write_bio(b, name, header, data,len); BIO_free(b); return(ret); } #endif int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, long len) { int nlen,n,i,j,outl; - unsigned char *buf; + unsigned char *buf = NULL; EVP_ENCODE_CTX ctx; int reason=ERR_R_BUF_LIB; EVP_EncodeInit(&ctx); nlen=strlen(name); if ( (BIO_write(bp,"-----BEGIN ",11) != 11) || (BIO_write(bp,name,nlen) != nlen) || (BIO_write(bp,"-----\n",6) != 6)) goto err; i=strlen(header); if (i > 0) { if ( (BIO_write(bp,header,i) != i) || (BIO_write(bp,"\n",1) != 1)) goto err; } - buf=(unsigned char *)OPENSSL_malloc(PEM_BUFSIZE*8); + buf = OPENSSL_malloc(PEM_BUFSIZE*8); if (buf == NULL) { reason=ERR_R_MALLOC_FAILURE; goto err; } i=j=0; while (len > 0) { n=(int)((len>(PEM_BUFSIZE*5))?(PEM_BUFSIZE*5):len); EVP_EncodeUpdate(&ctx,buf,&outl,&(data[j]),n); if ((outl) && (BIO_write(bp,(char *)buf,outl) != outl)) goto err; i+=outl; len-=n; j+=n; } EVP_EncodeFinal(&ctx,buf,&outl); if ((outl > 0) && (BIO_write(bp,(char *)buf,outl) != outl)) goto err; OPENSSL_free(buf); + buf = NULL; if ( (BIO_write(bp,"-----END ",9) != 9) || (BIO_write(bp,name,nlen) != nlen) || (BIO_write(bp,"-----\n",6) != 6)) goto err; return(i+outl); err: + if (buf) + OPENSSL_free(buf); PEMerr(PEM_F_PEM_WRITE_BIO,reason); return(0); } #ifndef OPENSSL_NO_FP_API int PEM_read(FILE *fp, char **name, char **header, unsigned char **data, long *len) { BIO *b; int ret; if ((b=BIO_new(BIO_s_file())) == NULL) { PEMerr(PEM_F_PEM_READ,ERR_R_BUF_LIB); return(0); } BIO_set_fp(b,fp,BIO_NOCLOSE); ret=PEM_read_bio(b, name, header, data,len); BIO_free(b); return(ret); } #endif int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data, long *len) { EVP_ENCODE_CTX ctx; int end=0,i,k,bl=0,hl=0,nohead=0; char buf[256]; BUF_MEM *nameB; BUF_MEM *headerB; BUF_MEM *dataB,*tmpB; nameB=BUF_MEM_new(); headerB=BUF_MEM_new(); dataB=BUF_MEM_new(); if ((nameB == NULL) || (headerB == NULL) || (dataB == NULL)) { PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE); return(0); } buf[254]='\0'; for (;;) { i=BIO_gets(bp,buf,254); if (i <= 0) { PEMerr(PEM_F_PEM_READ_BIO,PEM_R_NO_START_LINE); goto err; } while ((i >= 0) && (buf[i] <= ' ')) i--; buf[++i]='\n'; buf[++i]='\0'; if (strncmp(buf,"-----BEGIN ",11) == 0) { i=strlen(&(buf[11])); if (strncmp(&(buf[11+i-6]),"-----\n",6) != 0) continue; if (!BUF_MEM_grow(nameB,i+9)) { PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE); goto err; } memcpy(nameB->data,&(buf[11]),i-6); nameB->data[i-6]='\0'; break; } } hl=0; if (!BUF_MEM_grow(headerB,256)) { PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE); goto err; } headerB->data[0]='\0'; for (;;) { i=BIO_gets(bp,buf,254); if (i <= 0) break; while ((i >= 0) && (buf[i] <= ' ')) i--; buf[++i]='\n'; buf[++i]='\0'; if (buf[0] == '\n') break; if (!BUF_MEM_grow(headerB,hl+i+9)) { PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE); goto err; } if (strncmp(buf,"-----END ",9) == 0) { nohead=1; break; } memcpy(&(headerB->data[hl]),buf,i); headerB->data[hl+i]='\0'; hl+=i; } bl=0; if (!BUF_MEM_grow(dataB,1024)) { PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE); goto err; } dataB->data[0]='\0'; if (!nohead) { for (;;) { i=BIO_gets(bp,buf,254); if (i <= 0) break; while ((i >= 0) && (buf[i] <= ' ')) i--; buf[++i]='\n'; buf[++i]='\0'; if (i != 65) end=1; if (strncmp(buf,"-----END ",9) == 0) break; if (i > 65) break; if (!BUF_MEM_grow_clean(dataB,i+bl+9)) { PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE); goto err; } memcpy(&(dataB->data[bl]),buf,i); dataB->data[bl+i]='\0'; bl+=i; if (end) { buf[0]='\0'; i=BIO_gets(bp,buf,254); if (i <= 0) break; while ((i >= 0) && (buf[i] <= ' ')) i--; buf[++i]='\n'; buf[++i]='\0'; break; } } } else { tmpB=headerB; headerB=dataB; dataB=tmpB; bl=hl; } i=strlen(nameB->data); if ( (strncmp(buf,"-----END ",9) != 0) || (strncmp(nameB->data,&(buf[9]),i) != 0) || (strncmp(&(buf[9+i]),"-----\n",6) != 0)) { PEMerr(PEM_F_PEM_READ_BIO,PEM_R_BAD_END_LINE); goto err; } EVP_DecodeInit(&ctx); i=EVP_DecodeUpdate(&ctx, (unsigned char *)dataB->data,&bl, (unsigned char *)dataB->data,bl); if (i < 0) { PEMerr(PEM_F_PEM_READ_BIO,PEM_R_BAD_BASE64_DECODE); goto err; } i=EVP_DecodeFinal(&ctx,(unsigned char *)&(dataB->data[bl]),&k); if (i < 0) { PEMerr(PEM_F_PEM_READ_BIO,PEM_R_BAD_BASE64_DECODE); goto err; } bl+=k; if (bl == 0) goto err; *name=nameB->data; *header=headerB->data; *data=(unsigned char *)dataB->data; *len=bl; OPENSSL_free(nameB); OPENSSL_free(headerB); OPENSSL_free(dataB); return(1); err: BUF_MEM_free(nameB); BUF_MEM_free(headerB); BUF_MEM_free(dataB); return(0); } diff --git a/crypto/openssl/crypto/pem/pem_pkey.c b/crypto/openssl/crypto/pem/pem_pkey.c index d96ecf694067..f77c949e87b3 100644 --- a/crypto/openssl/crypto/pem/pem_pkey.c +++ b/crypto/openssl/crypto/pem/pem_pkey.c @@ -1,140 +1,144 @@ /* crypto/pem/pem_pkey.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include "cryptlib.h" #include #include #include #include #include #include #include EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u) { char *nm=NULL; unsigned char *p=NULL,*data=NULL; long len; EVP_PKEY *ret=NULL; if (!PEM_bytes_read_bio(&data, &len, &nm, PEM_STRING_EVP_PKEY, bp, cb, u)) return NULL; p = data; if (strcmp(nm,PEM_STRING_RSA) == 0) ret=d2i_PrivateKey(EVP_PKEY_RSA,x,&p,len); else if (strcmp(nm,PEM_STRING_DSA) == 0) ret=d2i_PrivateKey(EVP_PKEY_DSA,x,&p,len); else if (strcmp(nm,PEM_STRING_PKCS8INF) == 0) { PKCS8_PRIV_KEY_INFO *p8inf; p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len); if(!p8inf) goto p8err; ret = EVP_PKCS82PKEY(p8inf); + if(x) { + if(*x) EVP_PKEY_free((EVP_PKEY *)*x); + *x = ret; + } PKCS8_PRIV_KEY_INFO_free(p8inf); } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) { PKCS8_PRIV_KEY_INFO *p8inf; X509_SIG *p8; int klen; char psbuf[PEM_BUFSIZE]; p8 = d2i_X509_SIG(NULL, &p, len); if(!p8) goto p8err; if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u); else klen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u); if (klen <= 0) { PEMerr(PEM_F_PEM_ASN1_READ_BIO, PEM_R_BAD_PASSWORD_READ); goto err; } p8inf = PKCS8_decrypt(p8, psbuf, klen); X509_SIG_free(p8); if(!p8inf) goto p8err; ret = EVP_PKCS82PKEY(p8inf); if(x) { if(*x) EVP_PKEY_free((EVP_PKEY *)*x); *x = ret; } PKCS8_PRIV_KEY_INFO_free(p8inf); } p8err: if (ret == NULL) PEMerr(PEM_F_PEM_ASN1_READ_BIO,ERR_R_ASN1_LIB); err: OPENSSL_free(nm); OPENSSL_free(data); return(ret); } #ifndef OPENSSL_NO_FP_API EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u) { BIO *b; EVP_PKEY *ret; if ((b=BIO_new(BIO_s_file())) == NULL) { PEMerr(PEM_F_PEM_ASN1_READ,ERR_R_BUF_LIB); return(0); } BIO_set_fp(b,fp,BIO_NOCLOSE); ret=PEM_read_bio_PrivateKey(b,x,cb,u); BIO_free(b); return(ret); } #endif diff --git a/crypto/openssl/crypto/pkcs12/Makefile.ssl b/crypto/openssl/crypto/pkcs12/Makefile.ssl index b4c564262cb3..a6e47b40855b 100644 --- a/crypto/openssl/crypto/pkcs12/Makefile.ssl +++ b/crypto/openssl/crypto/pkcs12/Makefile.ssl @@ -1,417 +1,417 @@ # # SSLeay/crypto/pkcs12/Makefile # DIR= pkcs12 TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= p12_add.c p12_asn.c p12_attr.c p12_crpt.c p12_crt.c p12_decr.c \ p12_init.c p12_key.c p12_kiss.c p12_mutl.c\ p12_utl.c p12_npas.c pk12err.c p12_p8d.c p12_p8e.c LIBOBJ= p12_add.o p12_asn.o p12_attr.o p12_crpt.o p12_crt.o p12_decr.o \ p12_init.o p12_key.o p12_kiss.o p12_mutl.o\ p12_utl.o p12_npas.o pk12err.o p12_p8d.o p12_p8e.o SRC= $(LIBSRC) EXHEADER= pkcs12.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) test: all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. p12_add.o: ../../e_os.h ../../include/openssl/aes.h p12_add.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p12_add.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p12_add.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p12_add.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p12_add.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p12_add.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p12_add.o: ../../include/openssl/err.h ../../include/openssl/evp.h p12_add.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p12_add.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p12_add.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p12_add.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p12_add.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h p12_add.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h p12_add.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h p12_add.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h p12_add.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h p12_add.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h p12_add.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h p12_add.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h p12_add.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h p12_add.o: ../cryptlib.h p12_add.c p12_asn.o: ../../e_os.h ../../include/openssl/aes.h p12_asn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h p12_asn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h p12_asn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h p12_asn.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h p12_asn.o: ../../include/openssl/des.h ../../include/openssl/des_old.h p12_asn.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h p12_asn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h p12_asn.o: ../../include/openssl/evp.h ../../include/openssl/idea.h p12_asn.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h p12_asn.o: ../../include/openssl/md4.h ../../include/openssl/md5.h p12_asn.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h p12_asn.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h p12_asn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p12_asn.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h p12_asn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h p12_asn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h p12_asn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p12_asn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p12_asn.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h p12_asn.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h p12_asn.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_asn.c p12_attr.o: ../../e_os.h ../../include/openssl/aes.h p12_attr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p12_attr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p12_attr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p12_attr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p12_attr.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p12_attr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p12_attr.o: ../../include/openssl/err.h ../../include/openssl/evp.h p12_attr.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p12_attr.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p12_attr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p12_attr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p12_attr.o: ../../include/openssl/opensslconf.h p12_attr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p12_attr.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h p12_attr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h p12_attr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h p12_attr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p12_attr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p12_attr.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h p12_attr.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h p12_attr.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_attr.c p12_crpt.o: ../../e_os.h ../../include/openssl/aes.h p12_crpt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p12_crpt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p12_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p12_crpt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p12_crpt.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p12_crpt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p12_crpt.o: ../../include/openssl/err.h ../../include/openssl/evp.h p12_crpt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p12_crpt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p12_crpt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p12_crpt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p12_crpt.o: ../../include/openssl/opensslconf.h p12_crpt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p12_crpt.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h p12_crpt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h p12_crpt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h p12_crpt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p12_crpt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p12_crpt.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h p12_crpt.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h p12_crpt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_crpt.c p12_crt.o: ../../e_os.h ../../include/openssl/aes.h p12_crt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p12_crt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p12_crt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p12_crt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p12_crt.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p12_crt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p12_crt.o: ../../include/openssl/err.h ../../include/openssl/evp.h p12_crt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p12_crt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p12_crt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p12_crt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p12_crt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h p12_crt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h p12_crt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h p12_crt.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h p12_crt.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h p12_crt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h p12_crt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h p12_crt.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h p12_crt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h p12_crt.o: ../cryptlib.h p12_crt.c p12_decr.o: ../../e_os.h ../../include/openssl/aes.h p12_decr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p12_decr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p12_decr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p12_decr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p12_decr.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p12_decr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p12_decr.o: ../../include/openssl/err.h ../../include/openssl/evp.h p12_decr.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p12_decr.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p12_decr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p12_decr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p12_decr.o: ../../include/openssl/opensslconf.h p12_decr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p12_decr.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h p12_decr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h p12_decr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h p12_decr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p12_decr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p12_decr.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h p12_decr.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h p12_decr.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_decr.c p12_init.o: ../../e_os.h ../../include/openssl/aes.h p12_init.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p12_init.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p12_init.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p12_init.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p12_init.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p12_init.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p12_init.o: ../../include/openssl/err.h ../../include/openssl/evp.h p12_init.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p12_init.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p12_init.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p12_init.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p12_init.o: ../../include/openssl/opensslconf.h p12_init.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p12_init.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h p12_init.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h p12_init.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h p12_init.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p12_init.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p12_init.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h p12_init.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h p12_init.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_init.c p12_key.o: ../../e_os.h ../../include/openssl/aes.h p12_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p12_key.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p12_key.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p12_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p12_key.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p12_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p12_key.o: ../../include/openssl/err.h ../../include/openssl/evp.h p12_key.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p12_key.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p12_key.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p12_key.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p12_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h p12_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h p12_key.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h p12_key.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h p12_key.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h p12_key.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h p12_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h p12_key.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h p12_key.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h p12_key.o: ../cryptlib.h p12_key.c p12_kiss.o: ../../e_os.h ../../include/openssl/aes.h p12_kiss.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p12_kiss.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p12_kiss.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p12_kiss.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p12_kiss.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p12_kiss.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p12_kiss.o: ../../include/openssl/err.h ../../include/openssl/evp.h p12_kiss.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p12_kiss.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p12_kiss.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p12_kiss.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p12_kiss.o: ../../include/openssl/opensslconf.h p12_kiss.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p12_kiss.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h p12_kiss.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h p12_kiss.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h p12_kiss.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p12_kiss.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p12_kiss.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h p12_kiss.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h p12_kiss.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_kiss.c p12_mutl.o: ../../e_os.h ../../include/openssl/aes.h p12_mutl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p12_mutl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p12_mutl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p12_mutl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p12_mutl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p12_mutl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p12_mutl.o: ../../include/openssl/err.h ../../include/openssl/evp.h p12_mutl.o: ../../include/openssl/hmac.h ../../include/openssl/idea.h p12_mutl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h p12_mutl.o: ../../include/openssl/md4.h ../../include/openssl/md5.h p12_mutl.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h p12_mutl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h p12_mutl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p12_mutl.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h p12_mutl.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h p12_mutl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h p12_mutl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h p12_mutl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h p12_mutl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h p12_mutl.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h p12_mutl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h p12_mutl.o: ../cryptlib.h p12_mutl.c p12_npas.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h p12_npas.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h p12_npas.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h p12_npas.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h p12_npas.o: ../../include/openssl/des.h ../../include/openssl/des_old.h p12_npas.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h p12_npas.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h p12_npas.o: ../../include/openssl/evp.h ../../include/openssl/idea.h p12_npas.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h p12_npas.o: ../../include/openssl/md4.h ../../include/openssl/md5.h p12_npas.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h p12_npas.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h p12_npas.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h p12_npas.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h p12_npas.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h p12_npas.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h p12_npas.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h p12_npas.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p12_npas.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p12_npas.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h p12_npas.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h p12_npas.o: ../../include/openssl/x509_vfy.h p12_npas.c p12_p8d.o: ../../e_os.h ../../include/openssl/aes.h p12_p8d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p12_p8d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p12_p8d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p12_p8d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p12_p8d.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p12_p8d.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p12_p8d.o: ../../include/openssl/err.h ../../include/openssl/evp.h p12_p8d.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p12_p8d.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p12_p8d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p12_p8d.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p12_p8d.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h p12_p8d.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h p12_p8d.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h p12_p8d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h p12_p8d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h p12_p8d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h p12_p8d.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h p12_p8d.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h p12_p8d.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h p12_p8d.o: ../cryptlib.h p12_p8d.c p12_p8e.o: ../../e_os.h ../../include/openssl/aes.h p12_p8e.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p12_p8e.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p12_p8e.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p12_p8e.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p12_p8e.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p12_p8e.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p12_p8e.o: ../../include/openssl/err.h ../../include/openssl/evp.h p12_p8e.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p12_p8e.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p12_p8e.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p12_p8e.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p12_p8e.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h p12_p8e.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h p12_p8e.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h p12_p8e.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h p12_p8e.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h p12_p8e.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h p12_p8e.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h p12_p8e.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h p12_p8e.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h p12_p8e.o: ../cryptlib.h p12_p8e.c p12_utl.o: ../../e_os.h ../../include/openssl/aes.h p12_utl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h p12_utl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h p12_utl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h p12_utl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h p12_utl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h p12_utl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h p12_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h p12_utl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h p12_utl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h p12_utl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h p12_utl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h p12_utl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h p12_utl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h p12_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h p12_utl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h p12_utl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h p12_utl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h p12_utl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h p12_utl.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h p12_utl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h p12_utl.o: ../cryptlib.h p12_utl.c pk12err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h pk12err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h pk12err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h pk12err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h pk12err.o: ../../include/openssl/des.h ../../include/openssl/des_old.h pk12err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h pk12err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h pk12err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h pk12err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h pk12err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h pk12err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h pk12err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h pk12err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pk12err.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h pk12err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h pk12err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h pk12err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h pk12err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h pk12err.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h pk12err.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h pk12err.o: ../../include/openssl/x509_vfy.h pk12err.c diff --git a/crypto/openssl/crypto/pkcs7/Makefile.ssl b/crypto/openssl/crypto/pkcs7/Makefile.ssl index 69cddb04b8b3..c3bfc7d560e9 100644 --- a/crypto/openssl/crypto/pkcs7/Makefile.ssl +++ b/crypto/openssl/crypto/pkcs7/Makefile.ssl @@ -1,243 +1,243 @@ # # SSLeay/crypto/pkcs7/Makefile # DIR= pkcs7 TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r PEX_LIBS= EX_LIBS= CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile README TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= pk7_asn1.c pk7_lib.c pkcs7err.c pk7_doit.c pk7_smime.c pk7_attr.c \ pk7_mime.c LIBOBJ= pk7_asn1.o pk7_lib.o pkcs7err.o pk7_doit.o pk7_smime.o pk7_attr.o \ pk7_mime.o SRC= $(LIBSRC) EXHEADER= pkcs7.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) test: all: lib testapps: enc dec sign verify enc: enc.o lib $(CC) $(CFLAGS) -o enc enc.o $(PEX_LIBS) $(LIB) $(EX_LIBS) dec: dec.o lib $(CC) $(CFLAGS) -o dec dec.o $(PEX_LIBS) $(LIB) $(EX_LIBS) sign: sign.o lib $(CC) $(CFLAGS) -o sign sign.o $(PEX_LIBS) $(LIB) $(EX_LIBS) verify: verify.o example.o lib $(CC) $(CFLAGS) -o verify verify.o $(PEX_LIBS) example.o $(LIB) $(EX_LIBS) lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff enc dec sign verify # DO NOT DELETE THIS LINE -- make depend depends on it. pk7_asn1.o: ../../e_os.h ../../include/openssl/aes.h pk7_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h pk7_asn1.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h pk7_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h pk7_asn1.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h pk7_asn1.o: ../../include/openssl/des.h ../../include/openssl/des_old.h pk7_asn1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h pk7_asn1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h pk7_asn1.o: ../../include/openssl/evp.h ../../include/openssl/idea.h pk7_asn1.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h pk7_asn1.o: ../../include/openssl/md4.h ../../include/openssl/md5.h pk7_asn1.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h pk7_asn1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h pk7_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pk7_asn1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h pk7_asn1.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h pk7_asn1.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h pk7_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h pk7_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h pk7_asn1.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h pk7_asn1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h pk7_asn1.o: ../cryptlib.h pk7_asn1.c pk7_attr.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h pk7_attr.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h pk7_attr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h pk7_attr.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h pk7_attr.o: ../../include/openssl/des.h ../../include/openssl/des_old.h pk7_attr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h pk7_attr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h pk7_attr.o: ../../include/openssl/evp.h ../../include/openssl/idea.h pk7_attr.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h pk7_attr.o: ../../include/openssl/md4.h ../../include/openssl/md5.h pk7_attr.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h pk7_attr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h pk7_attr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pk7_attr.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h pk7_attr.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h pk7_attr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h pk7_attr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h pk7_attr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h pk7_attr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h pk7_attr.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h pk7_attr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h pk7_attr.o: pk7_attr.c pk7_doit.o: ../../e_os.h ../../include/openssl/aes.h pk7_doit.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pk7_doit.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pk7_doit.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pk7_doit.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h pk7_doit.o: ../../include/openssl/des.h ../../include/openssl/des_old.h pk7_doit.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h pk7_doit.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h pk7_doit.o: ../../include/openssl/evp.h ../../include/openssl/idea.h pk7_doit.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h pk7_doit.o: ../../include/openssl/md4.h ../../include/openssl/md5.h pk7_doit.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h pk7_doit.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h pk7_doit.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pk7_doit.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h pk7_doit.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h pk7_doit.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h pk7_doit.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h pk7_doit.o: ../../include/openssl/sha.h ../../include/openssl/stack.h pk7_doit.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h pk7_doit.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h pk7_doit.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h pk7_doit.o: ../cryptlib.h pk7_doit.c pk7_lib.o: ../../e_os.h ../../include/openssl/aes.h pk7_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pk7_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pk7_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pk7_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h pk7_lib.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h pk7_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h pk7_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h pk7_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h pk7_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h pk7_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h pk7_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h pk7_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h pk7_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h pk7_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h pk7_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h pk7_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h pk7_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h pk7_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h pk7_lib.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h pk7_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pk7_lib.c pk7_mime.o: ../../e_os.h ../../include/openssl/aes.h pk7_mime.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pk7_mime.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pk7_mime.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pk7_mime.o: ../../include/openssl/crypto.h ../../include/openssl/des.h pk7_mime.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h pk7_mime.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h pk7_mime.o: ../../include/openssl/err.h ../../include/openssl/evp.h pk7_mime.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h pk7_mime.o: ../../include/openssl/md2.h ../../include/openssl/md4.h pk7_mime.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h pk7_mime.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h pk7_mime.o: ../../include/openssl/opensslconf.h pk7_mime.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pk7_mime.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h pk7_mime.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h pk7_mime.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h pk7_mime.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h pk7_mime.o: ../../include/openssl/sha.h ../../include/openssl/stack.h pk7_mime.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h pk7_mime.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h pk7_mime.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pk7_mime.c pk7_smime.o: ../../e_os.h ../../include/openssl/aes.h pk7_smime.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pk7_smime.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h pk7_smime.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h pk7_smime.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h pk7_smime.o: ../../include/openssl/des.h ../../include/openssl/des_old.h pk7_smime.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h pk7_smime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h pk7_smime.o: ../../include/openssl/evp.h ../../include/openssl/idea.h pk7_smime.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h pk7_smime.o: ../../include/openssl/md4.h ../../include/openssl/md5.h pk7_smime.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h pk7_smime.o: ../../include/openssl/objects.h pk7_smime.o: ../../include/openssl/opensslconf.h pk7_smime.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pk7_smime.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h pk7_smime.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h pk7_smime.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h pk7_smime.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h pk7_smime.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h pk7_smime.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h pk7_smime.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h pk7_smime.o: ../../include/openssl/x509v3.h ../cryptlib.h pk7_smime.c pkcs7err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h pkcs7err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h pkcs7err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h pkcs7err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h pkcs7err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h pkcs7err.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h pkcs7err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h pkcs7err.o: pkcs7err.c diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c index 190ca0e9bf57..35c7dcd0b3e7 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -1,984 +1,978 @@ /* crypto/pkcs7/pk7_doit.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include "cryptlib.h" #include #include #include #include static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value); static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid); static int PKCS7_type_is_other(PKCS7* p7) { int isOther=1; int nid=OBJ_obj2nid(p7->type); switch( nid ) { case NID_pkcs7_data: case NID_pkcs7_signed: case NID_pkcs7_enveloped: case NID_pkcs7_signedAndEnveloped: case NID_pkcs7_digest: case NID_pkcs7_encrypted: isOther=0; break; default: isOther=1; } return isOther; } -static int PKCS7_type_is_octet_string(PKCS7* p7) +static ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7) { - if ( 0==PKCS7_type_is_other(p7) ) - return 0; - - return (V_ASN1_OCTET_STRING==p7->d.other->type) ? 1 : 0; + if ( PKCS7_type_is_data(p7)) + return p7->d.data; + if ( PKCS7_type_is_other(p7) && p7->d.other + && (p7->d.other->type == V_ASN1_OCTET_STRING)) + return p7->d.other->value.octet_string; + return NULL; } BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) { - int i,j; + int i; BIO *out=NULL,*btmp=NULL; X509_ALGOR *xa; const EVP_MD *evp_md; const EVP_CIPHER *evp_cipher=NULL; STACK_OF(X509_ALGOR) *md_sk=NULL; STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; X509_ALGOR *xalg=NULL; PKCS7_RECIP_INFO *ri=NULL; EVP_PKEY *pkey; i=OBJ_obj2nid(p7->type); p7->state=PKCS7_S_HEADER; switch (i) { case NID_pkcs7_signed: md_sk=p7->d.sign->md_algs; break; case NID_pkcs7_signedAndEnveloped: rsk=p7->d.signed_and_enveloped->recipientinfo; md_sk=p7->d.signed_and_enveloped->md_algs; xalg=p7->d.signed_and_enveloped->enc_data->algorithm; evp_cipher=p7->d.signed_and_enveloped->enc_data->cipher; if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_CIPHER_NOT_INITIALIZED); goto err; } break; case NID_pkcs7_enveloped: rsk=p7->d.enveloped->recipientinfo; xalg=p7->d.enveloped->enc_data->algorithm; evp_cipher=p7->d.enveloped->enc_data->cipher; if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_CIPHER_NOT_INITIALIZED); goto err; } break; default: PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNSUPPORTED_CONTENT_TYPE); goto err; } if (md_sk != NULL) { for (i=0; ialgorithm); - evp_md=EVP_get_digestbyname(OBJ_nid2sn(j)); + evp_md=EVP_get_digestbyobj(xa->algorithm); if (evp_md == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNKNOWN_DIGEST_TYPE); goto err; } BIO_set_md(btmp,evp_md); if (out == NULL) out=btmp; else BIO_push(out,btmp); btmp=NULL; } } if (evp_cipher != NULL) { unsigned char key[EVP_MAX_KEY_LENGTH]; unsigned char iv[EVP_MAX_IV_LENGTH]; int keylen,ivlen; int jj,max; unsigned char *tmp; EVP_CIPHER_CTX *ctx; if ((btmp=BIO_new(BIO_f_cipher())) == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB); goto err; } BIO_get_cipher_ctx(btmp, &ctx); keylen=EVP_CIPHER_key_length(evp_cipher); ivlen=EVP_CIPHER_iv_length(evp_cipher); if (RAND_bytes(key,keylen) <= 0) goto err; xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen); EVP_CipherInit_ex(ctx, evp_cipher, NULL, key, iv, 1); if (ivlen > 0) { if (xalg->parameter == NULL) xalg->parameter=ASN1_TYPE_new(); if(EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0) goto err; } /* Lets do the pub key stuff :-) */ max=0; for (i=0; icert == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_MISSING_CERIPEND_INFO); goto err; } pkey=X509_get_pubkey(ri->cert); jj=EVP_PKEY_size(pkey); EVP_PKEY_free(pkey); if (max < jj) max=jj; } if ((tmp=(unsigned char *)OPENSSL_malloc(max)) == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_MALLOC_FAILURE); goto err; } for (i=0; icert); jj=EVP_PKEY_encrypt(tmp,key,keylen,pkey); EVP_PKEY_free(pkey); if (jj <= 0) { PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_EVP_LIB); OPENSSL_free(tmp); goto err; } M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj); } OPENSSL_free(tmp); OPENSSL_cleanse(key, keylen); if (out == NULL) out=btmp; else BIO_push(out,btmp); btmp=NULL; } - if (bio == NULL) { + if (bio == NULL) + { if (PKCS7_is_detached(p7)) bio=BIO_new(BIO_s_null()); - else { - if (PKCS7_type_is_signed(p7) ) { - if ( PKCS7_type_is_data(p7->d.sign->contents)) { - ASN1_OCTET_STRING *os; - os=p7->d.sign->contents->d.data; - if (os->length > 0) - bio = BIO_new_mem_buf(os->data, os->length); - } - else if ( PKCS7_type_is_octet_string(p7->d.sign->contents) ) { - ASN1_OCTET_STRING *os; - os=p7->d.sign->contents->d.other->value.octet_string; - if (os->length > 0) - bio = BIO_new_mem_buf(os->data, os->length); - } - } - if(bio == NULL) { + else + { + ASN1_OCTET_STRING *os; + os = PKCS7_get_octet_string(p7->d.sign->contents); + if (os && os->length > 0) + bio = BIO_new_mem_buf(os->data, os->length); + if(bio == NULL) + { bio=BIO_new(BIO_s_mem()); BIO_set_mem_eof_return(bio,0); + } } - } } BIO_push(out,bio); bio=NULL; if (0) { err: if (out != NULL) BIO_free_all(out); if (btmp != NULL) BIO_free_all(btmp); out=NULL; } return(out); } /* int */ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) { int i,j; BIO *out=NULL,*btmp=NULL,*etmp=NULL,*bio=NULL; unsigned char *tmp=NULL; X509_ALGOR *xa; ASN1_OCTET_STRING *data_body=NULL; const EVP_MD *evp_md; const EVP_CIPHER *evp_cipher=NULL; EVP_CIPHER_CTX *evp_ctx=NULL; X509_ALGOR *enc_alg=NULL; STACK_OF(X509_ALGOR) *md_sk=NULL; STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; X509_ALGOR *xalg=NULL; PKCS7_RECIP_INFO *ri=NULL; i=OBJ_obj2nid(p7->type); p7->state=PKCS7_S_HEADER; switch (i) { case NID_pkcs7_signed: - data_body=p7->d.sign->contents->d.data; + data_body=PKCS7_get_octet_string(p7->d.sign->contents); md_sk=p7->d.sign->md_algs; break; case NID_pkcs7_signedAndEnveloped: rsk=p7->d.signed_and_enveloped->recipientinfo; md_sk=p7->d.signed_and_enveloped->md_algs; data_body=p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm; - evp_cipher=EVP_get_cipherbyname(OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm))); + evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); goto err; } xalg=p7->d.signed_and_enveloped->enc_data->algorithm; break; case NID_pkcs7_enveloped: rsk=p7->d.enveloped->recipientinfo; enc_alg=p7->d.enveloped->enc_data->algorithm; data_body=p7->d.enveloped->enc_data->enc_data; - evp_cipher=EVP_get_cipherbyname(OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm))); + evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); goto err; } xalg=p7->d.enveloped->enc_data->algorithm; break; default: PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE); goto err; } /* We will be checking the signature */ if (md_sk != NULL) { for (i=0; ialgorithm); - evp_md=EVP_get_digestbyname(OBJ_nid2sn(j)); + evp_md=EVP_get_digestbynid(j); if (evp_md == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNKNOWN_DIGEST_TYPE); goto err; } BIO_set_md(btmp,evp_md); if (out == NULL) out=btmp; else BIO_push(out,btmp); btmp=NULL; } } if (evp_cipher != NULL) { #if 0 unsigned char key[EVP_MAX_KEY_LENGTH]; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char *p; int keylen,ivlen; int max; X509_OBJECT ret; #endif int jj; if ((etmp=BIO_new(BIO_f_cipher())) == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB); goto err; } /* It was encrypted, we need to decrypt the secret key * with the private key */ /* Find the recipientInfo which matches the passed certificate * (if any) */ for (i=0; iissuer_and_serial->issuer, pcert->cert_info->issuer) && !M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber, ri->issuer_and_serial->serial)) break; ri=NULL; } if (ri == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); goto err; } jj=EVP_PKEY_size(pkey); tmp=(unsigned char *)OPENSSL_malloc(jj+10); if (tmp == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_MALLOC_FAILURE); goto err; } jj=EVP_PKEY_decrypt(tmp, M_ASN1_STRING_data(ri->enc_key), M_ASN1_STRING_length(ri->enc_key), pkey); if (jj <= 0) { PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_EVP_LIB); goto err; } evp_ctx=NULL; BIO_get_cipher_ctx(etmp,&evp_ctx); EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0); if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0) goto err; if (jj != EVP_CIPHER_CTX_key_length(evp_ctx)) { /* Some S/MIME clients don't use the same key * and effective key length. The key length is * determined by the size of the decrypted RSA key. */ if(!EVP_CIPHER_CTX_set_key_length(evp_ctx, jj)) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH); goto err; } } EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0); OPENSSL_cleanse(tmp,jj); if (out == NULL) out=etmp; else BIO_push(out,etmp); etmp=NULL; } #if 1 if (PKCS7_is_detached(p7) || (in_bio != NULL)) { bio=in_bio; } else { #if 0 bio=BIO_new(BIO_s_mem()); /* We need to set this so that when we have read all * the data, the encrypt BIO, if present, will read * EOF and encode the last few bytes */ BIO_set_mem_eof_return(bio,0); if (data_body->length > 0) BIO_write(bio,(char *)data_body->data,data_body->length); #else if (data_body->length > 0) bio = BIO_new_mem_buf(data_body->data,data_body->length); else { bio=BIO_new(BIO_s_mem()); BIO_set_mem_eof_return(bio,0); } #endif } BIO_push(out,bio); bio=NULL; #endif if (0) { err: if (out != NULL) BIO_free_all(out); if (btmp != NULL) BIO_free_all(btmp); if (etmp != NULL) BIO_free_all(etmp); if (bio != NULL) BIO_free_all(bio); out=NULL; } if (tmp != NULL) OPENSSL_free(tmp); return(out); } int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) { int ret=0; int i,j; BIO *btmp; BUF_MEM *buf_mem=NULL; BUF_MEM *buf=NULL; PKCS7_SIGNER_INFO *si; EVP_MD_CTX *mdc,ctx_tmp; STACK_OF(X509_ATTRIBUTE) *sk; STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL; ASN1_OCTET_STRING *os=NULL; EVP_MD_CTX_init(&ctx_tmp); i=OBJ_obj2nid(p7->type); p7->state=PKCS7_S_HEADER; switch (i) { case NID_pkcs7_signedAndEnveloped: /* XXXXXXXXXXXXXXXX */ si_sk=p7->d.signed_and_enveloped->signer_info; os=M_ASN1_OCTET_STRING_new(); p7->d.signed_and_enveloped->enc_data->enc_data=os; break; case NID_pkcs7_enveloped: /* XXXXXXXXXXXXXXXX */ os=M_ASN1_OCTET_STRING_new(); p7->d.enveloped->enc_data->enc_data=os; break; case NID_pkcs7_signed: si_sk=p7->d.sign->signer_info; - os=p7->d.sign->contents->d.data; + os=PKCS7_get_octet_string(p7->d.sign->contents); /* If detached data then the content is excluded */ - if(p7->detached) { + if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { M_ASN1_OCTET_STRING_free(os); p7->d.sign->contents->d.data = NULL; } break; } if (si_sk != NULL) { if ((buf=BUF_MEM_new()) == NULL) { PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB); goto err; } for (i=0; ipkey == NULL) continue; j=OBJ_obj2nid(si->digest_alg->algorithm); btmp=bio; for (;;) { if ((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) == NULL) { PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); goto err; } BIO_get_md_ctx(btmp,&mdc); if (mdc == NULL) { PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_INTERNAL_ERROR); goto err; } if (EVP_MD_CTX_type(mdc) == j) break; else btmp=BIO_next(btmp); } /* We now have the EVP_MD_CTX, lets do the * signing. */ EVP_MD_CTX_copy_ex(&ctx_tmp,mdc); if (!BUF_MEM_grow_clean(buf,EVP_PKEY_size(si->pkey))) { PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB); goto err; } sk=si->auth_attr; /* If there are attributes, we add the digest * attribute and only sign the attributes */ if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) { unsigned char md_data[EVP_MAX_MD_SIZE], *abuf=NULL; unsigned int md_len, alen; ASN1_OCTET_STRING *digest; ASN1_UTCTIME *sign_time; const EVP_MD *md_tmp; /* Add signing time if not already present */ if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime)) { sign_time=X509_gmtime_adj(NULL,0); PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME,sign_time); } /* Add digest */ md_tmp=EVP_MD_CTX_md(&ctx_tmp); EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len); digest=M_ASN1_OCTET_STRING_new(); M_ASN1_OCTET_STRING_set(digest,md_data,md_len); PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest, V_ASN1_OCTET_STRING,digest); /* Now sign the attributes */ EVP_SignInit_ex(&ctx_tmp,md_tmp,NULL); alen = ASN1_item_i2d((ASN1_VALUE *)sk,&abuf, ASN1_ITEM_rptr(PKCS7_ATTR_SIGN)); if(!abuf) goto err; EVP_SignUpdate(&ctx_tmp,abuf,alen); OPENSSL_free(abuf); } #ifndef OPENSSL_NO_DSA if (si->pkey->type == EVP_PKEY_DSA) ctx_tmp.digest=EVP_dss1(); #endif if (!EVP_SignFinal(&ctx_tmp,(unsigned char *)buf->data, (unsigned int *)&buf->length,si->pkey)) { PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_EVP_LIB); goto err; } if (!ASN1_STRING_set(si->enc_digest, (unsigned char *)buf->data,buf->length)) { PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_ASN1_LIB); goto err; } } } if (!PKCS7_is_detached(p7)) { btmp=BIO_find_type(bio,BIO_TYPE_MEM); if (btmp == NULL) { PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_UNABLE_TO_FIND_MEM_BIO); goto err; } BIO_get_mem_ptr(btmp,&buf_mem); /* Mark the BIO read only then we can use its copy of the data * instead of making an extra copy. */ BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); BIO_set_mem_eof_return(btmp, 0); os->data = (unsigned char *)buf_mem->data; os->length = buf_mem->length; #if 0 M_ASN1_OCTET_STRING_set(os, (unsigned char *)buf_mem->data,buf_mem->length); #endif } ret=1; err: EVP_MD_CTX_cleanup(&ctx_tmp); if (buf != NULL) BUF_MEM_free(buf); return(ret); } int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si) { PKCS7_ISSUER_AND_SERIAL *ias; int ret=0,i; STACK_OF(X509) *cert; X509 *x509; if (PKCS7_type_is_signed(p7)) { cert=p7->d.sign->cert; } else if (PKCS7_type_is_signedAndEnveloped(p7)) { cert=p7->d.signed_and_enveloped->cert; } else { PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_WRONG_PKCS7_TYPE); goto err; } /* XXXXXXXXXXXXXXXXXXXXXXX */ ias=si->issuer_and_serial; x509=X509_find_by_issuer_and_serial(cert,ias->issuer,ias->serial); /* were we able to find the cert in passed to us */ if (x509 == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_UNABLE_TO_FIND_CERTIFICATE); goto err; } /* Lets verify */ if(!X509_STORE_CTX_init(ctx,cert_store,x509,cert)) { PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB); goto err; } X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN); i=X509_verify_cert(ctx); if (i <= 0) { PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB); X509_STORE_CTX_cleanup(ctx); goto err; } X509_STORE_CTX_cleanup(ctx); return PKCS7_signatureVerify(bio, p7, si, x509); err: return ret; } int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, X509 *x509) { ASN1_OCTET_STRING *os; EVP_MD_CTX mdc_tmp,*mdc; int ret=0,i; int md_type; STACK_OF(X509_ATTRIBUTE) *sk; BIO *btmp; EVP_PKEY *pkey; EVP_MD_CTX_init(&mdc_tmp); if (!PKCS7_type_is_signed(p7) && !PKCS7_type_is_signedAndEnveloped(p7)) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_WRONG_PKCS7_TYPE); goto err; } md_type=OBJ_obj2nid(si->digest_alg->algorithm); btmp=bio; for (;;) { if ((btmp == NULL) || ((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) == NULL)) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); goto err; } BIO_get_md_ctx(btmp,&mdc); if (mdc == NULL) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_INTERNAL_ERROR); goto err; } if (EVP_MD_CTX_type(mdc) == md_type) break; /* Workaround for some broken clients that put the signature * OID instead of the digest OID in digest_alg->algorithm */ if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type) break; btmp=BIO_next(btmp); } /* mdc is the digest ctx that we want, unless there are attributes, * in which case the digest is the signed attributes */ EVP_MD_CTX_copy_ex(&mdc_tmp,mdc); sk=si->auth_attr; if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) { unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL; unsigned int md_len, alen; ASN1_OCTET_STRING *message_digest; EVP_DigestFinal_ex(&mdc_tmp,md_dat,&md_len); message_digest=PKCS7_digest_from_attributes(sk); if (!message_digest) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); goto err; } if ((message_digest->length != (int)md_len) || (memcmp(message_digest->data,md_dat,md_len))) { #if 0 { int ii; for (ii=0; iilength; ii++) printf("%02X",message_digest->data[ii]); printf(" sent\n"); for (ii=0; iienc_digest; pkey = X509_get_pubkey(x509); if (!pkey) { ret = -1; goto err; } #ifndef OPENSSL_NO_DSA if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1(); #endif i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey); EVP_PKEY_free(pkey); if (i <= 0) { PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_SIGNATURE_FAILURE); ret= -1; goto err; } else ret=1; err: EVP_MD_CTX_cleanup(&mdc_tmp); return(ret); } PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) { STACK_OF(PKCS7_RECIP_INFO) *rsk; PKCS7_RECIP_INFO *ri; int i; i=OBJ_obj2nid(p7->type); if (i != NID_pkcs7_signedAndEnveloped) return(NULL); rsk=p7->d.signed_and_enveloped->recipientinfo; ri=sk_PKCS7_RECIP_INFO_value(rsk,0); if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) return(NULL); ri=sk_PKCS7_RECIP_INFO_value(rsk,idx); return(ri->issuer_and_serial); } ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid) { return(get_attribute(si->auth_attr,nid)); } ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid) { return(get_attribute(si->unauth_attr,nid)); } static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid) { int i; X509_ATTRIBUTE *xa; ASN1_OBJECT *o; o=OBJ_nid2obj(nid); if (!o || !sk) return(NULL); for (i=0; iobject,o) == 0) { if (!xa->single && sk_ASN1_TYPE_num(xa->value.set)) return(sk_ASN1_TYPE_value(xa->value.set,0)); else return(NULL); } } return(NULL); } ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk) { ASN1_TYPE *astype; if(!(astype = get_attribute(sk, NID_pkcs9_messageDigest))) return NULL; return astype->value.octet_string; } int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk) { int i; if (p7si->auth_attr != NULL) sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr,X509_ATTRIBUTE_free); p7si->auth_attr=sk_X509_ATTRIBUTE_dup(sk); for (i=0; iauth_attr,i, X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk,i)))) == NULL) return(0); } return(1); } int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk) { int i; if (p7si->unauth_attr != NULL) sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, X509_ATTRIBUTE_free); p7si->unauth_attr=sk_X509_ATTRIBUTE_dup(sk); for (i=0; iunauth_attr,i, X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk,i)))) == NULL) return(0); } return(1); } int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value) { return(add_attribute(&(p7si->auth_attr),nid,atrtype,value)); } int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value) { return(add_attribute(&(p7si->unauth_attr),nid,atrtype,value)); } static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value) { X509_ATTRIBUTE *attr=NULL; if (*sk == NULL) { *sk = sk_X509_ATTRIBUTE_new_null(); new_attrib: attr=X509_ATTRIBUTE_create(nid,atrtype,value); sk_X509_ATTRIBUTE_push(*sk,attr); } else { int i; for (i=0; iobject) == nid) { X509_ATTRIBUTE_free(attr); attr=X509_ATTRIBUTE_create(nid,atrtype,value); sk_X509_ATTRIBUTE_set(*sk,i,attr); goto end; } } goto new_attrib; } end: return(1); } diff --git a/crypto/openssl/crypto/rand/Makefile.ssl b/crypto/openssl/crypto/rand/Makefile.ssl index b25421e3ab45..e5cbe5319c3c 100644 --- a/crypto/openssl/crypto/rand/Makefile.ssl +++ b/crypto/openssl/crypto/rand/Makefile.ssl @@ -1,194 +1,196 @@ # # SSLeay/crypto/rand/Makefile # DIR= rand TOP= ../.. CC= cc INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= randtest.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC=md_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c \ rand_win.c rand_unix.c rand_os2.c LIBOBJ=md_rand.o randfile.o rand_lib.o rand_err.o rand_egd.o \ rand_win.o rand_unix.o rand_os2.o SRC= $(LIBSRC) EXHEADER= rand.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. md_rand.o: ../../e_os.h ../../include/openssl/aes.h md_rand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h md_rand.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h md_rand.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h md_rand.o: ../../include/openssl/des.h ../../include/openssl/des_old.h md_rand.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h md_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h md_rand.o: ../../include/openssl/evp.h ../../include/openssl/idea.h md_rand.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h md_rand.o: ../../include/openssl/md4.h ../../include/openssl/md5.h md_rand.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h md_rand.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h md_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h md_rand.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h md_rand.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h md_rand.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h md_rand.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h md_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h md_rand.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h md_rand.o: md_rand.c rand_lcl.h -rand_egd.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +rand_egd.o: ../../include/openssl/buffer.h ../../include/openssl/e_os2.h +rand_egd.o: ../../include/openssl/opensslconf.h rand_egd.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h rand_egd.o: rand_egd.c rand_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h rand_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h rand_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rand_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rand_err.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h rand_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rand_err.o: rand_err.c rand_lib.o: ../../e_os.h ../../include/openssl/asn1.h rand_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rand_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h rand_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h rand_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h rand_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h rand_lib.o: ../../include/openssl/opensslconf.h rand_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rand_lib.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rand_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h rand_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h rand_lib.o: ../cryptlib.h rand_lib.c rand_os2.o: ../../e_os.h ../../include/openssl/aes.h rand_os2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rand_os2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h rand_os2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h rand_os2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h rand_os2.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h rand_os2.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h rand_os2.o: ../../include/openssl/err.h ../../include/openssl/evp.h rand_os2.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h rand_os2.o: ../../include/openssl/md2.h ../../include/openssl/md4.h rand_os2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h rand_os2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h rand_os2.o: ../../include/openssl/opensslconf.h rand_os2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rand_os2.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h rand_os2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h rand_os2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h rand_os2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h rand_os2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rand_os2.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h rand_os2.o: ../cryptlib.h rand_lcl.h rand_os2.c rand_unix.o: ../../e_os.h ../../include/openssl/aes.h rand_unix.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rand_unix.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h rand_unix.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h rand_unix.o: ../../include/openssl/crypto.h ../../include/openssl/des.h rand_unix.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h rand_unix.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h rand_unix.o: ../../include/openssl/err.h ../../include/openssl/evp.h rand_unix.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h rand_unix.o: ../../include/openssl/md2.h ../../include/openssl/md4.h rand_unix.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h rand_unix.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h rand_unix.o: ../../include/openssl/opensslconf.h rand_unix.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rand_unix.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h rand_unix.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h rand_unix.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h rand_unix.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h rand_unix.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rand_unix.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h rand_unix.o: ../cryptlib.h rand_lcl.h rand_unix.c rand_win.o: ../../e_os.h ../../include/openssl/aes.h rand_win.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rand_win.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h rand_win.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h rand_win.o: ../../include/openssl/crypto.h ../../include/openssl/des.h rand_win.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h rand_win.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h rand_win.o: ../../include/openssl/err.h ../../include/openssl/evp.h rand_win.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h rand_win.o: ../../include/openssl/md2.h ../../include/openssl/md4.h rand_win.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h rand_win.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h rand_win.o: ../../include/openssl/opensslconf.h rand_win.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rand_win.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h rand_win.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h rand_win.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h rand_win.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h rand_win.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rand_win.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h rand_win.o: ../cryptlib.h rand_lcl.h rand_win.c -randfile.o: ../../e_os.h ../../include/openssl/crypto.h -randfile.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +randfile.o: ../../e_os.h ../../include/openssl/buffer.h +randfile.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +randfile.o: ../../include/openssl/opensslconf.h randfile.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h randfile.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h randfile.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h randfile.o: randfile.c diff --git a/crypto/openssl/crypto/rand/rand_egd.c b/crypto/openssl/crypto/rand/rand_egd.c index 1f168221e3c9..6f742900a0a2 100644 --- a/crypto/openssl/crypto/rand/rand_egd.c +++ b/crypto/openssl/crypto/rand/rand_egd.c @@ -1,298 +1,299 @@ /* crypto/rand/rand_egd.c */ /* Written by Ulf Moeller and Lutz Jaenicke for the OpenSSL project. */ /* ==================================================================== * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include +#include /* * Query the EGD . * * This module supplies three routines: * * RAND_query_egd_bytes(path, buf, bytes) * will actually query "bytes" bytes of entropy form the egd-socket located * at path and will write them to buf (if supplied) or will directly feed * it to RAND_seed() if buf==NULL. * The number of bytes is not limited by the maximum chunk size of EGD, * which is 255 bytes. If more than 255 bytes are wanted, several chunks * of entropy bytes are requested. The connection is left open until the * query is competed. * RAND_query_egd_bytes() returns with * -1 if an error occured during connection or communication. * num the number of bytes read from the EGD socket. This number is either * the number of bytes requested or smaller, if the EGD pool is * drained and the daemon signals that the pool is empty. * This routine does not touch any RAND_status(). This is necessary, since * PRNG functions may call it during initialization. * * RAND_egd_bytes(path, bytes) will query "bytes" bytes and have them * used to seed the PRNG. * RAND_egd_bytes() is a wrapper for RAND_query_egd_bytes() with buf=NULL. * Unlike RAND_query_egd_bytes(), RAND_status() is used to test the * seed status so that the return value can reflect the seed state: * -1 if an error occured during connection or communication _or_ * if the PRNG has still not received the required seeding. * num the number of bytes read from the EGD socket. This number is either * the number of bytes requested or smaller, if the EGD pool is * drained and the daemon signals that the pool is empty. * * RAND_egd(path) will query 255 bytes and use the bytes retreived to seed * the PRNG. * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. */ #if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) { return(-1); } int RAND_egd(const char *path) { return(-1); } int RAND_egd_bytes(const char *path,int bytes) { return(-1); } #else #include #include OPENSSL_UNISTD #include #include #ifndef NO_SYS_UN_H # ifdef OPENSSL_SYS_VXWORKS # include # else # include # endif #else struct sockaddr_un { short sun_family; /* AF_UNIX */ char sun_path[108]; /* path name (gag) */ }; #endif /* NO_SYS_UN_H */ #include #include #ifndef offsetof # define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER) #endif int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) { int ret = 0; struct sockaddr_un addr; int len, num, numbytes; int fd = -1; int success; unsigned char egdbuf[2], tempbuf[255], *retrievebuf; memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; if (strlen(path) >= sizeof(addr.sun_path)) return (-1); - strcpy(addr.sun_path,path); + BUF_strlcpy(addr.sun_path,path,sizeof addr.sun_path); len = offsetof(struct sockaddr_un, sun_path) + strlen(path); fd = socket(AF_UNIX, SOCK_STREAM, 0); if (fd == -1) return (-1); success = 0; while (!success) { if (connect(fd, (struct sockaddr *)&addr, len) == 0) success = 1; else { switch (errno) { #ifdef EINTR case EINTR: #endif #ifdef EAGAIN case EAGAIN: #endif #ifdef EINPROGRESS case EINPROGRESS: #endif #ifdef EALREADY case EALREADY: #endif /* No error, try again */ break; #ifdef EISCONN case EISCONN: success = 1; break; #endif default: goto err; /* failure */ } } } while(bytes > 0) { egdbuf[0] = 1; egdbuf[1] = bytes < 255 ? bytes : 255; numbytes = 0; while (numbytes != 2) { num = write(fd, egdbuf + numbytes, 2 - numbytes); if (num >= 0) numbytes += num; else { switch (errno) { #ifdef EINTR case EINTR: #endif #ifdef EAGAIN case EAGAIN: #endif /* No error, try again */ break; default: ret = -1; goto err; /* failure */ } } } numbytes = 0; while (numbytes != 1) { num = read(fd, egdbuf, 1); if (num >= 0) numbytes += num; else { switch (errno) { #ifdef EINTR case EINTR: #endif #ifdef EAGAIN case EAGAIN: #endif /* No error, try again */ break; default: ret = -1; goto err; /* failure */ } } } if(egdbuf[0] == 0) goto err; if (buf) retrievebuf = buf + ret; else retrievebuf = tempbuf; numbytes = 0; while (numbytes != egdbuf[0]) { num = read(fd, retrievebuf + numbytes, egdbuf[0] - numbytes); if (num >= 0) numbytes += num; else { switch (errno) { #ifdef EINTR case EINTR: #endif #ifdef EAGAIN case EAGAIN: #endif /* No error, try again */ break; default: ret = -1; goto err; /* failure */ } } } ret += egdbuf[0]; bytes -= egdbuf[0]; if (!buf) RAND_seed(tempbuf, egdbuf[0]); } err: if (fd != -1) close(fd); return(ret); } int RAND_egd_bytes(const char *path, int bytes) { int num, ret = 0; num = RAND_query_egd_bytes(path, NULL, bytes); if (num < 1) goto err; if (RAND_status() == 1) ret = num; err: return(ret); } int RAND_egd(const char *path) { return (RAND_egd_bytes(path, 255)); } #endif diff --git a/crypto/openssl/crypto/rand/rand_unix.c b/crypto/openssl/crypto/rand/rand_unix.c index a776e522431b..0599719dd1d0 100644 --- a/crypto/openssl/crypto/rand/rand_unix.c +++ b/crypto/openssl/crypto/rand/rand_unix.c @@ -1,245 +1,264 @@ /* crypto/rand/rand_unix.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #define USE_SOCKETS #include "e_os.h" #include "cryptlib.h" #include #include "rand_lcl.h" #if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS)) #include #include #include #include #include #include +#ifdef __OpenBSD__ +int RAND_poll(void) +{ + u_int32_t rnd = 0, i; + unsigned char buf[ENTROPY_NEEDED]; + + for (i = 0; i < sizeof(buf); i++) { + if (i % 4 == 0) + rnd = arc4random(); + buf[i] = rnd; + rnd >>= 8; + } + RAND_add(buf, sizeof(buf), ENTROPY_NEEDED); + memset(buf, 0, sizeof(buf)); + + return 1; +} +#else int RAND_poll(void) { unsigned long l; pid_t curr_pid = getpid(); #if defined(DEVRANDOM) || defined(DEVRANDOM_EGD) unsigned char tmpbuf[ENTROPY_NEEDED]; int n = 0; #endif #ifdef DEVRANDOM static const char *randomfiles[] = { DEVRANDOM, NULL }; const char **randomfile = NULL; int fd; #endif #ifdef DEVRANDOM_EGD static const char *egdsockets[] = { DEVRANDOM_EGD, NULL }; const char **egdsocket = NULL; #endif #ifdef DEVRANDOM /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD * have this. Use /dev/urandom if you can as /dev/random may block * if it runs out of random entries. */ for (randomfile = randomfiles; *randomfile && n < ENTROPY_NEEDED; randomfile++) { if ((fd = open(*randomfile, O_RDONLY|O_NONBLOCK #ifdef O_NOCTTY /* If it happens to be a TTY (god forbid), do not make it our controlling tty */ |O_NOCTTY #endif #ifdef O_NOFOLLOW /* Fail if the file is a symbolic link */ |O_NOFOLLOW #endif )) >= 0) { struct timeval t = { 0, 10*1000 }; /* Spend 10ms on each file. */ int r; fd_set fset; do { FD_ZERO(&fset); FD_SET(fd, &fset); r = -1; if (select(fd+1,&fset,NULL,NULL,&t) < 0) t.tv_usec=0; else if (FD_ISSET(fd, &fset)) { r=read(fd,(unsigned char *)tmpbuf+n, ENTROPY_NEEDED-n); if (r > 0) n += r; } /* Some Unixen will update t, some won't. For those who won't, give up here, otherwise, we will do this once again for the remaining time. */ if (t.tv_usec == 10*1000) t.tv_usec=0; } while ((r > 0 || (errno == EINTR || errno == EAGAIN)) && t.tv_usec != 0 && n < ENTROPY_NEEDED); close(fd); } } #endif #ifdef DEVRANDOM_EGD /* Use an EGD socket to read entropy from an EGD or PRNGD entropy * collecting daemon. */ for (egdsocket = egdsockets; *egdsocket && n < ENTROPY_NEEDED; egdsocket++) { int r; r = RAND_query_egd_bytes(*egdsocket, (unsigned char *)tmpbuf+n, ENTROPY_NEEDED-n); if (r > 0) n += r; } #endif #if defined(DEVRANDOM) || defined(DEVRANDOM_EGD) if (n > 0) { RAND_add(tmpbuf,sizeof tmpbuf,n); OPENSSL_cleanse(tmpbuf,n); } #endif /* put in some default random data, we need more than just this */ l=curr_pid; RAND_add(&l,sizeof(l),0); l=getuid(); RAND_add(&l,sizeof(l),0); l=time(NULL); RAND_add(&l,sizeof(l),0); #if defined(DEVRANDOM) || defined(DEVRANDOM_EGD) return 1; #else return 0; #endif } +#endif #endif #if defined(OPENSSL_SYS_VXWORKS) int RAND_poll(void) { return 0; } #endif diff --git a/crypto/openssl/crypto/rand/rand_win.c b/crypto/openssl/crypto/rand/rand_win.c index 263068d25699..3584842224c0 100644 --- a/crypto/openssl/crypto/rand/rand_win.c +++ b/crypto/openssl/crypto/rand/rand_win.c @@ -1,727 +1,727 @@ /* crypto/rand/rand_win.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include "cryptlib.h" #include #include "rand_lcl.h" #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) #include #ifndef _WIN32_WINNT # define _WIN32_WINNT 0x0400 #endif #include #include /* Intel hardware RNG CSP -- available from * http://developer.intel.com/design/security/rng/redist_license.htm */ #define PROV_INTEL_SEC 22 #define INTEL_DEF_PROV TEXT("Intel Hardware Cryptographic Service Provider") static void readtimer(void); static void readscreen(void); /* It appears like CURSORINFO, PCURSORINFO and LPCURSORINFO are only defined when WINVER is 0x0500 and up, which currently only happens on Win2000. Unfortunately, those are typedefs, so they're a little bit difficult to detect properly. On the other hand, the macro CURSOR_SHOWING is defined within the same conditional, so it can be use to detect the absence of said typedefs. */ #ifndef CURSOR_SHOWING /* * Information about the global cursor. */ typedef struct tagCURSORINFO { DWORD cbSize; DWORD flags; HCURSOR hCursor; POINT ptScreenPos; } CURSORINFO, *PCURSORINFO, *LPCURSORINFO; #define CURSOR_SHOWING 0x00000001 #endif /* CURSOR_SHOWING */ typedef BOOL (WINAPI *CRYPTACQUIRECONTEXT)(HCRYPTPROV *, LPCTSTR, LPCTSTR, DWORD, DWORD); typedef BOOL (WINAPI *CRYPTGENRANDOM)(HCRYPTPROV, DWORD, BYTE *); typedef BOOL (WINAPI *CRYPTRELEASECONTEXT)(HCRYPTPROV, DWORD); typedef HWND (WINAPI *GETFOREGROUNDWINDOW)(VOID); typedef BOOL (WINAPI *GETCURSORINFO)(PCURSORINFO); typedef DWORD (WINAPI *GETQUEUESTATUS)(UINT); typedef HANDLE (WINAPI *CREATETOOLHELP32SNAPSHOT)(DWORD, DWORD); typedef BOOL (WINAPI *CLOSETOOLHELP32SNAPSHOT)(HANDLE); typedef BOOL (WINAPI *HEAP32FIRST)(LPHEAPENTRY32, DWORD, DWORD); typedef BOOL (WINAPI *HEAP32NEXT)(LPHEAPENTRY32); typedef BOOL (WINAPI *HEAP32LIST)(HANDLE, LPHEAPLIST32); typedef BOOL (WINAPI *PROCESS32)(HANDLE, LPPROCESSENTRY32); typedef BOOL (WINAPI *THREAD32)(HANDLE, LPTHREADENTRY32); typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32); #include #ifndef OPENSSL_SYS_WINCE #include #endif #if 1 /* The NET API is Unicode only. It requires the use of the UNICODE * macro. When UNICODE is defined LPTSTR becomes LPWSTR. LMSTR was * was added to the Platform SDK to allow the NET API to be used in * non-Unicode applications provided that Unicode strings were still * used for input. LMSTR is defined as LPWSTR. */ typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET) (LPWSTR, LPWSTR, DWORD, DWORD, LPBYTE*); typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE); #endif /* 1 */ int RAND_poll(void) { MEMORYSTATUS m; HCRYPTPROV hProvider = 0; BYTE buf[64]; DWORD w; HWND h; HMODULE advapi, kernel, user, netapi; CRYPTACQUIRECONTEXT acquire = 0; CRYPTGENRANDOM gen = 0; CRYPTRELEASECONTEXT release = 0; #if 1 /* There was previously a problem with NETSTATGET. Currently, this * section is still experimental, but if all goes well, this conditional * will be removed */ NETSTATGET netstatget = 0; NETFREE netfree = 0; #endif /* 1 */ /* Determine the OS version we are on so we can turn off things * that do not work properly. */ OSVERSIONINFO osverinfo ; osverinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO) ; GetVersionEx( &osverinfo ) ; #if defined(OPENSSL_SYS_WINCE) && WCEPLATFORM!=MS_HPC_PRO /* poll the CryptoAPI PRNG */ /* The CryptoAPI returns sizeof(buf) bytes of randomness */ if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) { if (CryptGenRandom(hProvider, sizeof(buf), buf)) RAND_add(buf, sizeof(buf), sizeof(buf)); CryptReleaseContext(hProvider, 0); } #endif /* load functions dynamically - not available on all systems */ advapi = LoadLibrary(TEXT("ADVAPI32.DLL")); kernel = LoadLibrary(TEXT("KERNEL32.DLL")); user = LoadLibrary(TEXT("USER32.DLL")); netapi = LoadLibrary(TEXT("NETAPI32.DLL")); #ifndef OPENSSL_SYS_WINCE #if 1 /* There was previously a problem with NETSTATGET. Currently, this * section is still experimental, but if all goes well, this conditional * will be removed */ if (netapi) { netstatget = (NETSTATGET) GetProcAddress(netapi,TEXT("NetStatisticsGet")); netfree = (NETFREE) GetProcAddress(netapi,TEXT("NetApiBufferFree")); } if (netstatget && netfree) { LPBYTE outbuf; /* NetStatisticsGet() is a Unicode only function * STAT_WORKSTATION_0 contains 45 fields and STAT_SERVER_0 * contains 17 fields. We treat each field as a source of * one byte of entropy. */ if (netstatget(NULL, L"LanmanWorkstation", 0, 0, &outbuf) == 0) { RAND_add(outbuf, sizeof(STAT_WORKSTATION_0), 45); netfree(outbuf); } if (netstatget(NULL, L"LanmanServer", 0, 0, &outbuf) == 0) { RAND_add(outbuf, sizeof(STAT_SERVER_0), 17); netfree(outbuf); } } if (netapi) FreeLibrary(netapi); #endif /* 1 */ #endif /* !OPENSSL_SYS_WINCE */ #ifndef OPENSSL_SYS_WINCE /* It appears like this can cause an exception deep within ADVAPI32.DLL * at random times on Windows 2000. Reported by Jeffrey Altman. * Only use it on NT. */ /* Wolfgang Marczy reports that * the RegQueryValueEx call below can hang on NT4.0 (SP6). * So we don't use this at all for now. */ #if 0 if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT && osverinfo.dwMajorVersion < 5) { /* Read Performance Statistics from NT/2000 registry * The size of the performance data can vary from call * to call so we must guess the size of the buffer to use * and increase its size if we get an ERROR_MORE_DATA * return instead of ERROR_SUCCESS. */ LONG rc=ERROR_MORE_DATA; char * buf=NULL; DWORD bufsz=0; DWORD length; while (rc == ERROR_MORE_DATA) { buf = realloc(buf,bufsz+8192); if (!buf) break; bufsz += 8192; length = bufsz; rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, TEXT("Global"), NULL, NULL, buf, &length); } if (rc == ERROR_SUCCESS) { /* For entropy count assume only least significant * byte of each DWORD is random. */ RAND_add(&length, sizeof(length), 0); RAND_add(buf, length, length / 4.0); /* Close the Registry Key to allow Windows to cleanup/close * the open handle * Note: The 'HKEY_PERFORMANCE_DATA' key is implicitly opened * when the RegQueryValueEx above is done. However, if * it is not explicitly closed, it can cause disk * partition manipulation problems. */ RegCloseKey(HKEY_PERFORMANCE_DATA); } if (buf) free(buf); } #endif #endif /* !OPENSSL_SYS_WINCE */ if (advapi) { acquire = (CRYPTACQUIRECONTEXT) GetProcAddress(advapi, TEXT("CryptAcquireContextA")); gen = (CRYPTGENRANDOM) GetProcAddress(advapi, TEXT("CryptGenRandom")); release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi, TEXT("CryptReleaseContext")); } if (acquire && gen && release) { /* poll the CryptoAPI PRNG */ /* The CryptoAPI returns sizeof(buf) bytes of randomness */ if (acquire(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) { if (gen(hProvider, sizeof(buf), buf) != 0) { RAND_add(buf, sizeof(buf), 0); #if 0 printf("randomness from PROV_RSA_FULL\n"); #endif } release(hProvider, 0); } /* poll the Pentium PRG with CryptoAPI */ if (acquire(&hProvider, 0, INTEL_DEF_PROV, PROV_INTEL_SEC, 0)) { if (gen(hProvider, sizeof(buf), buf) != 0) { RAND_add(buf, sizeof(buf), sizeof(buf)); #if 0 printf("randomness from PROV_INTEL_SEC\n"); #endif } release(hProvider, 0); } } if (advapi) FreeLibrary(advapi); /* timer data */ readtimer(); /* memory usage statistics */ GlobalMemoryStatus(&m); RAND_add(&m, sizeof(m), 1); /* process ID */ w = GetCurrentProcessId(); RAND_add(&w, sizeof(w), 1); if (user) { GETCURSORINFO cursor; GETFOREGROUNDWINDOW win; GETQUEUESTATUS queue; win = (GETFOREGROUNDWINDOW) GetProcAddress(user, TEXT("GetForegroundWindow")); cursor = (GETCURSORINFO) GetProcAddress(user, TEXT("GetCursorInfo")); queue = (GETQUEUESTATUS) GetProcAddress(user, TEXT("GetQueueStatus")); if (win) { /* window handle */ h = win(); RAND_add(&h, sizeof(h), 0); } if (cursor) { /* unfortunately, its not safe to call GetCursorInfo() * on NT4 even though it exists in SP3 (or SP6) and * higher. */ if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT && osverinfo.dwMajorVersion < 5) cursor = 0; } if (cursor) { /* cursor position */ /* assume 2 bytes of entropy */ CURSORINFO ci; ci.cbSize = sizeof(CURSORINFO); if (cursor(&ci)) RAND_add(&ci, ci.cbSize, 2); } if (queue) { /* message queue status */ /* assume 1 byte of entropy */ w = queue(QS_ALLEVENTS); RAND_add(&w, sizeof(w), 1); } FreeLibrary(user); } /* Toolhelp32 snapshot: enumerate processes, threads, modules and heap * http://msdn.microsoft.com/library/psdk/winbase/toolhelp_5pfd.htm * (Win 9x and 2000 only, not available on NT) * * This seeding method was proposed in Peter Gutmann, Software * Generation of Practically Strong Random Numbers, * http://www.usenix.org/publications/library/proceedings/sec98/gutmann.html * revised version at http://www.cryptoengines.com/~peter/06_random.pdf * (The assignment of entropy estimates below is arbitrary, but based * on Peter's analysis the full poll appears to be safe. Additional * interactive seeding is encouraged.) */ if (kernel) { CREATETOOLHELP32SNAPSHOT snap; CLOSETOOLHELP32SNAPSHOT close_snap; HANDLE handle; HEAP32FIRST heap_first; HEAP32NEXT heap_next; HEAP32LIST heaplist_first, heaplist_next; PROCESS32 process_first, process_next; THREAD32 thread_first, thread_next; MODULE32 module_first, module_next; HEAPLIST32 hlist; HEAPENTRY32 hentry; PROCESSENTRY32 p; THREADENTRY32 t; MODULEENTRY32 m; snap = (CREATETOOLHELP32SNAPSHOT) GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot")); close_snap = (CLOSETOOLHELP32SNAPSHOT) GetProcAddress(kernel, TEXT("CloseToolhelp32Snapshot")); heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First")); heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next")); heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst")); heaplist_next = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListNext")); process_first = (PROCESS32) GetProcAddress(kernel, TEXT("Process32First")); process_next = (PROCESS32) GetProcAddress(kernel, TEXT("Process32Next")); thread_first = (THREAD32) GetProcAddress(kernel, TEXT("Thread32First")); thread_next = (THREAD32) GetProcAddress(kernel, TEXT("Thread32Next")); module_first = (MODULE32) GetProcAddress(kernel, TEXT("Module32First")); module_next = (MODULE32) GetProcAddress(kernel, TEXT("Module32Next")); if (snap && heap_first && heap_next && heaplist_first && heaplist_next && process_first && process_next && thread_first && thread_next && module_first && module_next && (handle = snap(TH32CS_SNAPALL,0)) != INVALID_HANDLE_VALUE) { /* heap list and heap walking */ /* HEAPLIST32 contains 3 fields that will change with * each entry. Consider each field a source of 1 byte * of entropy. * HEAPENTRY32 contains 5 fields that will change with * each entry. Consider each field a source of 1 byte * of entropy. */ hlist.dwSize = sizeof(HEAPLIST32); if (heaplist_first(handle, &hlist)) do { RAND_add(&hlist, hlist.dwSize, 3); hentry.dwSize = sizeof(HEAPENTRY32); if (heap_first(&hentry, hlist.th32ProcessID, hlist.th32HeapID)) { int entrycnt = 80; do RAND_add(&hentry, hentry.dwSize, 5); while (heap_next(&hentry) && --entrycnt > 0); } } while (heaplist_next(handle, &hlist)); /* process walking */ /* PROCESSENTRY32 contains 9 fields that will change * with each entry. Consider each field a source of * 1 byte of entropy. */ p.dwSize = sizeof(PROCESSENTRY32); if (process_first(handle, &p)) do RAND_add(&p, p.dwSize, 9); while (process_next(handle, &p)); /* thread walking */ /* THREADENTRY32 contains 6 fields that will change * with each entry. Consider each field a source of * 1 byte of entropy. */ t.dwSize = sizeof(THREADENTRY32); if (thread_first(handle, &t)) do RAND_add(&t, t.dwSize, 6); while (thread_next(handle, &t)); /* module walking */ /* MODULEENTRY32 contains 9 fields that will change * with each entry. Consider each field a source of * 1 byte of entropy. */ m.dwSize = sizeof(MODULEENTRY32); if (module_first(handle, &m)) do RAND_add(&m, m.dwSize, 9); while (module_next(handle, &m)); if (close_snap) close_snap(handle); else CloseHandle(handle); } FreeLibrary(kernel); } #if 0 printf("Exiting RAND_poll\n"); #endif return(1); } int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam) { double add_entropy=0; switch (iMsg) { case WM_KEYDOWN: { static WPARAM key; if (key != wParam) add_entropy = 0.05; key = wParam; } break; case WM_MOUSEMOVE: { static int lastx,lasty,lastdx,lastdy; int x,y,dx,dy; x=LOWORD(lParam); y=HIWORD(lParam); dx=lastx-x; dy=lasty-y; if (dx != 0 && dy != 0 && dx-lastdx != 0 && dy-lastdy != 0) add_entropy=.2; lastx=x, lasty=y; lastdx=dx, lastdy=dy; } break; } readtimer(); RAND_add(&iMsg, sizeof(iMsg), add_entropy); RAND_add(&wParam, sizeof(wParam), 0); RAND_add(&lParam, sizeof(lParam), 0); return (RAND_status()); } void RAND_screen(void) /* function available for backward compatibility */ { RAND_poll(); readscreen(); } /* feed timing information to the PRNG */ static void readtimer(void) { DWORD w; LARGE_INTEGER l; static int have_perfc = 1; #if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE) static int have_tsc = 1; DWORD cyclecount; if (have_tsc) { __try { __asm { _emit 0x0f _emit 0x31 mov cyclecount, eax } RAND_add(&cyclecount, sizeof(cyclecount), 1); } __except(EXCEPTION_EXECUTE_HANDLER) { have_tsc = 0; } } #else # define have_tsc 0 #endif if (have_perfc) { if (QueryPerformanceCounter(&l) == 0) have_perfc = 0; else RAND_add(&l, sizeof(l), 0); } if (!have_tsc && !have_perfc) { w = GetTickCount(); RAND_add(&w, sizeof(w), 0); } } /* feed screen contents to PRNG */ /***************************************************************************** * * Created 960901 by Gertjan van Oosten, gertjan@West.NL, West Consulting B.V. * * Code adapted from - * ; + * ; * the original copyright message is: * * (C) Copyright Microsoft Corp. 1993. All rights reserved. * * You have a royalty-free right to use, modify, reproduce and * distribute the Sample Files (and/or any modified version) in * any way you find useful, provided that you agree that * Microsoft has no warranty obligations or liability for any * Sample Application Files which are modified. */ static void readscreen(void) { #ifndef OPENSSL_SYS_WINCE HDC hScrDC; /* screen DC */ HDC hMemDC; /* memory DC */ HBITMAP hBitmap; /* handle for our bitmap */ HBITMAP hOldBitmap; /* handle for previous bitmap */ BITMAP bm; /* bitmap properties */ unsigned int size; /* size of bitmap */ char *bmbits; /* contents of bitmap */ int w; /* screen width */ int h; /* screen height */ int y; /* y-coordinate of screen lines to grab */ int n = 16; /* number of screen lines to grab at a time */ /* Create a screen DC and a memory DC compatible to screen DC */ hScrDC = CreateDC(TEXT("DISPLAY"), NULL, NULL, NULL); hMemDC = CreateCompatibleDC(hScrDC); /* Get screen resolution */ w = GetDeviceCaps(hScrDC, HORZRES); h = GetDeviceCaps(hScrDC, VERTRES); /* Create a bitmap compatible with the screen DC */ hBitmap = CreateCompatibleBitmap(hScrDC, w, n); /* Select new bitmap into memory DC */ hOldBitmap = SelectObject(hMemDC, hBitmap); /* Get bitmap properties */ GetObject(hBitmap, sizeof(BITMAP), (LPSTR)&bm); size = (unsigned int)bm.bmWidthBytes * bm.bmHeight * bm.bmPlanes; bmbits = OPENSSL_malloc(size); if (bmbits) { /* Now go through the whole screen, repeatedly grabbing n lines */ for (y = 0; y < h-n; y += n) { unsigned char md[MD_DIGEST_LENGTH]; /* Bitblt screen DC to memory DC */ BitBlt(hMemDC, 0, 0, w, n, hScrDC, 0, y, SRCCOPY); /* Copy bitmap bits from memory DC to bmbits */ GetBitmapBits(hBitmap, size, bmbits); /* Get the hash of the bitmap */ MD(bmbits,size,md); /* Seed the random generator with the hash value */ RAND_add(md, MD_DIGEST_LENGTH, 0); } OPENSSL_free(bmbits); } /* Select old bitmap back into memory DC */ hBitmap = SelectObject(hMemDC, hOldBitmap); /* Clean up */ DeleteObject(hBitmap); DeleteDC(hMemDC); DeleteDC(hScrDC); #endif /* !OPENSSL_SYS_WINCE */ } #endif diff --git a/crypto/openssl/crypto/rand/randfile.c b/crypto/openssl/crypto/rand/randfile.c index 41574768ab76..f5d0843d139d 100644 --- a/crypto/openssl/crypto/rand/randfile.c +++ b/crypto/openssl/crypto/rand/randfile.c @@ -1,234 +1,283 @@ /* crypto/rand/randfile.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* We need to define this to get macros like S_IFBLK and S_IFCHR */ +#define _XOPEN_SOURCE 1 + #include #include #include #include #include "e_os.h" #include #include +#include #ifdef OPENSSL_SYS_VMS #include #endif #ifndef NO_SYS_TYPES_H # include #endif #ifdef MAC_OS_pre_X # include #else # include #endif #undef BUFSIZE #define BUFSIZE 1024 #define RAND_DATA 1024 /* #define RFILE ".rnd" - defined in ../../e_os.h */ /* Note that these functions are intended for seed files only. * Entropy devices and EGD sockets are handled in rand_unix.c */ int RAND_load_file(const char *file, long bytes) { /* If bytes >= 0, read up to 'bytes' bytes. * if bytes == -1, read complete file. */ MS_STATIC unsigned char buf[BUFSIZE]; struct stat sb; int i,ret=0,n; FILE *in; if (file == NULL) return(0); i=stat(file,&sb); /* If the state fails, put some crap in anyway */ RAND_add(&sb,sizeof(sb),0); if (i < 0) return(0); if (bytes == 0) return(ret); in=fopen(file,"rb"); if (in == NULL) goto err; +#if defined(S_IFBLK) && defined(S_IFCHR) + if (sb.st_mode & (S_IFBLK | S_IFCHR)) { + /* this file is a device. we don't want read an infinite number + * of bytes from a random device, nor do we want to use buffered + * I/O because we will waste system entropy. + */ + bytes = (bytes == -1) ? 2048 : bytes; /* ok, is 2048 enough? */ + setvbuf(in, NULL, _IONBF, 0); /* don't do buffered reads */ + } +#endif for (;;) { if (bytes > 0) n = (bytes < BUFSIZE)?(int)bytes:BUFSIZE; else n = BUFSIZE; i=fread(buf,1,n,in); if (i <= 0) break; /* even if n != i, use the full array */ RAND_add(buf,n,i); ret+=i; if (bytes > 0) { bytes-=n; if (bytes <= 0) break; } } fclose(in); OPENSSL_cleanse(buf,BUFSIZE); err: return(ret); } int RAND_write_file(const char *file) { unsigned char buf[BUFSIZE]; int i,ret=0,rand_err=0; FILE *out = NULL; int n; + struct stat sb; + i=stat(file,&sb); + if (i != -1) { +#if defined(S_IFBLK) && defined(S_IFCHR) + if (sb.st_mode & (S_IFBLK | S_IFCHR)) { + /* this file is a device. we don't write back to it. + * we "succeed" on the assumption this is some sort + * of random device. Otherwise attempting to write to + * and chmod the device causes problems. + */ + return(1); + } +#endif + } + #if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32) /* For some reason Win32 can't write to files created this way */ /* chmod(..., 0600) is too late to protect the file, * permissions should be restrictive from the start */ int fd = open(file, O_CREAT, 0600); if (fd != -1) out = fdopen(fd, "wb"); #endif if (out == NULL) out = fopen(file,"wb"); if (out == NULL) goto err; #ifndef NO_CHMOD chmod(file,0600); #endif n=RAND_DATA; for (;;) { i=(n > BUFSIZE)?BUFSIZE:n; n-=BUFSIZE; if (RAND_bytes(buf,i) <= 0) rand_err=1; i=fwrite(buf,1,i,out); if (i <= 0) { ret=0; break; } ret+=i; if (n <= 0) break; } #ifdef OPENSSL_SYS_VMS /* Try to delete older versions of the file, until there aren't any */ { char *tmpf; tmpf = OPENSSL_malloc(strlen(file) + 4); /* to add ";-1" and a nul */ if (tmpf) { strcpy(tmpf, file); strcat(tmpf, ";-1"); while(delete(tmpf) == 0) ; rename(file,";1"); /* Make sure it's version 1, or we will reach the limit (32767) at some point... */ } } #endif /* OPENSSL_SYS_VMS */ fclose(out); OPENSSL_cleanse(buf,BUFSIZE); err: return (rand_err ? -1 : ret); } const char *RAND_file_name(char *buf, size_t size) { char *s=NULL; - char *ret=NULL; + int ok = 0; +#ifdef __OpenBSD__ + struct stat sb; +#endif if (OPENSSL_issetugid() == 0) s=getenv("RANDFILE"); - if (s != NULL) + if (s != NULL && *s && strlen(s) + 1 < size) { - if(strlen(s) >= size) + if (BUF_strlcpy(buf,s,size) >= size) return NULL; - strcpy(buf,s); - ret=buf; } else { if (OPENSSL_issetugid() == 0) s=getenv("HOME"); #ifdef DEFAULT_HOME if (s == NULL) { s = DEFAULT_HOME; } #endif - if (s != NULL && (strlen(s)+strlen(RFILE)+2 < size)) + if (s && *s && strlen(s)+strlen(RFILE)+2 < size) { - strcpy(buf,s); + BUF_strlcpy(buf,s,size); #ifndef OPENSSL_SYS_VMS - strcat(buf,"/"); + BUF_strlcat(buf,"/",size); #endif - strcat(buf,RFILE); - ret=buf; + BUF_strlcat(buf,RFILE,size); + ok = 1; } else buf[0] = '\0'; /* no file name */ } - return(ret); + +#ifdef __OpenBSD__ + /* given that all random loads just fail if the file can't be + * seen on a stat, we stat the file we're returning, if it + * fails, use /dev/arandom instead. this allows the user to + * use their own source for good random data, but defaults + * to something hopefully decent if that isn't available. + */ + + if (!ok) + if (BUF_strlcpy(buf,"/dev/arandom",size) >= size) { + return(NULL); + } + if (stat(buf,&sb) == -1) + if (BUF_strlcpy(buf,"/dev/arandom",size) >= size) { + return(NULL); + } + +#endif + return(buf); } diff --git a/crypto/openssl/crypto/rc2/Makefile.ssl b/crypto/openssl/crypto/rc2/Makefile.ssl index aa73dea5b601..98d5960d5d6c 100644 --- a/crypto/openssl/crypto/rc2/Makefile.ssl +++ b/crypto/openssl/crypto/rc2/Makefile.ssl @@ -1,91 +1,91 @@ # # SSLeay/crypto/rc2/Makefile # DIR= rc2 TOP= ../.. CC= cc INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST=rc2test.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC=rc2_ecb.c rc2_skey.c rc2_cbc.c rc2cfb64.c rc2ofb64.c LIBOBJ=rc2_ecb.o rc2_skey.o rc2_cbc.o rc2cfb64.o rc2ofb64.o SRC= $(LIBSRC) EXHEADER= rc2.h HEADER= rc2_locl.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. rc2_cbc.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h rc2_cbc.o: rc2_cbc.c rc2_locl.h rc2_ecb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h rc2_ecb.o: ../../include/openssl/rc2.h rc2_ecb.c rc2_locl.h rc2_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h rc2_skey.o: rc2_locl.h rc2_skey.c rc2cfb64.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h rc2cfb64.o: rc2_locl.h rc2cfb64.c rc2ofb64.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h rc2ofb64.o: rc2_locl.h rc2ofb64.c diff --git a/crypto/openssl/crypto/rc4/Makefile.ssl b/crypto/openssl/crypto/rc4/Makefile.ssl index b210b42f8f4b..3e602662be2b 100644 --- a/crypto/openssl/crypto/rc4/Makefile.ssl +++ b/crypto/openssl/crypto/rc4/Makefile.ssl @@ -1,109 +1,110 @@ # # SSLeay/crypto/rc4/Makefile # DIR= rc4 TOP= ../.. CC= cc CPP= $(CC) -E INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r RC4_ENC=rc4_enc.o # or use #RC4_ENC=asm/rx86-elf.o #RC4_ENC=asm/rx86-out.o #RC4_ENC=asm/rx86-sol.o #RC4_ENC=asm/rx86bdsi.o CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=rc4test.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC=rc4_skey.c rc4_enc.c LIBOBJ=rc4_skey.o $(RC4_ENC) SRC= $(LIBSRC) EXHEADER= rc4.h HEADER= $(EXHEADER) rc4_locl.h ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib # elf asm/rx86-elf.s: asm/rc4-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) rc4-586.pl elf $(CFLAGS) > rx86-elf.s) # a.out asm/rx86-out.o: asm/rx86unix.cpp $(CPP) -DOUT asm/rx86unix.cpp | as -o asm/rx86-out.o # bsdi asm/rx86bsdi.o: asm/rx86unix.cpp $(CPP) -DBSDI asm/rx86unix.cpp | sed 's/ :/:/' | as -o asm/rx86bsdi.o asm/rx86unix.cpp: asm/rc4-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) rc4-586.pl cpp >rx86unix.cpp) files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f asm/rx86unix.cpp asm/*-elf.* *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o # DO NOT DELETE THIS LINE -- make depend depends on it. rc4_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc4.h rc4_enc.o: rc4_enc.c rc4_locl.h rc4_skey.o: ../../include/openssl/opensslconf.h rc4_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/rc4.h rc4_skey.o: rc4_locl.h rc4_skey.c diff --git a/crypto/openssl/crypto/rc5/Makefile.ssl b/crypto/openssl/crypto/rc5/Makefile.ssl index 3ad665594686..3f9632f8f753 100644 --- a/crypto/openssl/crypto/rc5/Makefile.ssl +++ b/crypto/openssl/crypto/rc5/Makefile.ssl @@ -1,107 +1,108 @@ # # SSLeay/crypto/rc5/Makefile # DIR= rc5 TOP= ../.. CC= cc CPP= $(CC) -E INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r RC5_ENC= rc5_enc.o # or use #DES_ENC= r586-elf.o CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=rc5test.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC=rc5_skey.c rc5_ecb.c rc5_enc.c rc5cfb64.c rc5ofb64.c LIBOBJ=rc5_skey.o rc5_ecb.o $(RC5_ENC) rc5cfb64.o rc5ofb64.o SRC= $(LIBSRC) EXHEADER= rc5.h HEADER= rc5_locl.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib # elf asm/r586-elf.s: asm/rc5-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl (cd asm; $(PERL) rc5-586.pl elf $(CFLAGS) > r586-elf.s) # a.out asm/r586-out.o: asm/r586unix.cpp $(CPP) -DOUT asm/r586unix.cpp | as -o asm/r586-out.o # bsdi asm/r586bsdi.o: asm/r586unix.cpp $(CPP) -DBSDI asm/r586unix.cpp | sed 's/ :/:/' | as -o asm/r586bsdi.o asm/r586unix.cpp: asm/rc5-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl (cd asm; $(PERL) rc5-586.pl cpp >r586unix.cpp) files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f asm/r586unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. rc5_ecb.o: ../../include/openssl/opensslv.h ../../include/openssl/rc5.h rc5_ecb.o: rc5_ecb.c rc5_locl.h rc5_enc.o: ../../include/openssl/rc5.h rc5_enc.c rc5_locl.h rc5_skey.o: ../../include/openssl/rc5.h rc5_locl.h rc5_skey.c rc5cfb64.o: ../../include/openssl/rc5.h rc5_locl.h rc5cfb64.c rc5ofb64.o: ../../include/openssl/rc5.h rc5_locl.h rc5ofb64.c diff --git a/crypto/openssl/crypto/ripemd/Makefile.ssl b/crypto/openssl/crypto/ripemd/Makefile.ssl index 3583dfdcaf32..f22ac790aed3 100644 --- a/crypto/openssl/crypto/ripemd/Makefile.ssl +++ b/crypto/openssl/crypto/ripemd/Makefile.ssl @@ -1,107 +1,108 @@ # # SSLeay/crypto/ripemd/Makefile # DIR= ripemd TOP= ../.. CC= cc CPP= $(CC) -E INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r RIP_ASM_OBJ= CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=rmdtest.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC=rmd_dgst.c rmd_one.c LIBOBJ=rmd_dgst.o rmd_one.o $(RMD160_ASM_OBJ) SRC= $(LIBSRC) EXHEADER= ripemd.h HEADER= rmd_locl.h rmdconst.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib # elf asm/rm86-elf.s: asm/rmd-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) rmd-586.pl elf $(CFLAGS) > rm86-elf.s) # a.out asm/rm86-out.o: asm/rm86unix.cpp $(CPP) -DOUT asm/rm86unix.cpp | as -o asm/rm86-out.o # bsdi asm/rm86bsdi.o: asm/rm86unix.cpp $(CPP) -DBSDI asm/rm86unix.cpp | sed 's/ :/:/' | as -o asm/rm86bsdi.o asm/rm86unix.cpp: asm/rmd-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) rmd-586.pl cpp >rm86unix.cpp) files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f asm/rm86unix.cpp asm/*-elf.* *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. rmd_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h rmd_dgst.o: ../md32_common.h rmd_dgst.c rmd_locl.h rmdconst.h rmd_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h rmd_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h rmd_one.o: ../../include/openssl/ripemd.h ../../include/openssl/safestack.h rmd_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rmd_one.o: rmd_one.c diff --git a/crypto/openssl/crypto/rsa/Makefile.ssl b/crypto/openssl/crypto/rsa/Makefile.ssl index ce3f818e5b62..8089344a046f 100644 --- a/crypto/openssl/crypto/rsa/Makefile.ssl +++ b/crypto/openssl/crypto/rsa/Makefile.ssl @@ -1,241 +1,241 @@ # # SSLeay/crypto/rsa/Makefile # DIR= rsa TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST=rsa_test.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c \ rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_null.c \ rsa_asn1.c LIBOBJ= rsa_eay.o rsa_gen.o rsa_lib.o rsa_sign.o rsa_saos.o rsa_err.o \ rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o rsa_null.o \ rsa_asn1.o SRC= $(LIBSRC) EXHEADER= rsa.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. rsa_asn1.o: ../../e_os.h ../../include/openssl/asn1.h rsa_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h rsa_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h rsa_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h rsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h rsa_asn1.o: ../../include/openssl/opensslconf.h rsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_asn1.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h rsa_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rsa_asn1.o: ../cryptlib.h rsa_asn1.c rsa_chk.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rsa_chk.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h rsa_chk.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h rsa_chk.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_chk.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_chk.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h rsa_chk.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rsa_chk.o: rsa_chk.c rsa_eay.o: ../../e_os.h ../../include/openssl/asn1.h rsa_eay.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rsa_eay.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h rsa_eay.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h rsa_eay.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h rsa_eay.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_eay.c rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rsa_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h rsa_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h rsa_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h rsa_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rsa_err.o: rsa_err.c rsa_gen.o: ../../e_os.h ../../include/openssl/asn1.h rsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h rsa_gen.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h rsa_gen.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_gen.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h rsa_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rsa_gen.o: ../cryptlib.h rsa_gen.c rsa_lib.o: ../../e_os.h ../../include/openssl/asn1.h rsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h rsa_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h rsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h rsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h rsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h rsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h rsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h rsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rsa_lib.o: ../../include/openssl/ui.h ../cryptlib.h rsa_lib.c rsa_none.o: ../../e_os.h ../../include/openssl/asn1.h rsa_none.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rsa_none.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h rsa_none.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h rsa_none.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_none.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_none.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rsa_none.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h rsa_none.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_none.c rsa_null.o: ../../e_os.h ../../include/openssl/asn1.h rsa_null.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rsa_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h rsa_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h rsa_null.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_null.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rsa_null.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h rsa_null.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_null.c rsa_oaep.o: ../../e_os.h ../../include/openssl/aes.h rsa_oaep.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rsa_oaep.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h rsa_oaep.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h rsa_oaep.o: ../../include/openssl/crypto.h ../../include/openssl/des.h rsa_oaep.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h rsa_oaep.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h rsa_oaep.o: ../../include/openssl/err.h ../../include/openssl/evp.h rsa_oaep.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h rsa_oaep.o: ../../include/openssl/md2.h ../../include/openssl/md4.h rsa_oaep.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h rsa_oaep.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h rsa_oaep.o: ../../include/openssl/opensslconf.h rsa_oaep.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_oaep.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h rsa_oaep.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h rsa_oaep.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h rsa_oaep.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h rsa_oaep.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rsa_oaep.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h rsa_oaep.o: ../cryptlib.h rsa_oaep.c rsa_pk1.o: ../../e_os.h ../../include/openssl/asn1.h rsa_pk1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rsa_pk1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h rsa_pk1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h rsa_pk1.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_pk1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_pk1.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rsa_pk1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h rsa_pk1.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_pk1.c rsa_saos.o: ../../e_os.h ../../include/openssl/aes.h rsa_saos.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rsa_saos.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h rsa_saos.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h rsa_saos.o: ../../include/openssl/crypto.h ../../include/openssl/des.h rsa_saos.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h rsa_saos.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h rsa_saos.o: ../../include/openssl/err.h ../../include/openssl/evp.h rsa_saos.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h rsa_saos.o: ../../include/openssl/md2.h ../../include/openssl/md4.h rsa_saos.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h rsa_saos.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h rsa_saos.o: ../../include/openssl/opensslconf.h rsa_saos.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_saos.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h rsa_saos.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h rsa_saos.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h rsa_saos.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h rsa_saos.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rsa_saos.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h rsa_saos.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h rsa_saos.o: ../cryptlib.h rsa_saos.c rsa_sign.o: ../../e_os.h ../../include/openssl/aes.h rsa_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rsa_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h rsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h rsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h rsa_sign.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h rsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h rsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h rsa_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h rsa_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h rsa_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h rsa_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h rsa_sign.o: ../../include/openssl/opensslconf.h rsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h rsa_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h rsa_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h rsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h rsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h rsa_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h rsa_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h rsa_sign.o: ../cryptlib.h rsa_sign.c rsa_ssl.o: ../../e_os.h ../../include/openssl/asn1.h rsa_ssl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h rsa_ssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h rsa_ssl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h rsa_ssl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h rsa_ssl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_ssl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rsa_ssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h rsa_ssl.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_ssl.c diff --git a/crypto/openssl/crypto/sha/Makefile.ssl b/crypto/openssl/crypto/sha/Makefile.ssl index 864645c8b547..4ba201c787de 100644 --- a/crypto/openssl/crypto/sha/Makefile.ssl +++ b/crypto/openssl/crypto/sha/Makefile.ssl @@ -1,115 +1,116 @@ # # SSLeay/crypto/sha/Makefile # DIR= sha TOP= ../.. CC= cc CPP= $(CC) -E INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r SHA1_ASM_OBJ= CFLAGS= $(INCLUDES) $(CFLAG) +ASFLAGS= $(INCLUDES) $(ASFLAG) GENERAL=Makefile TEST=shatest.c sha1test.c APPS= LIB=$(TOP)/libcrypto.a LIBSRC=sha_dgst.c sha1dgst.c sha_one.c sha1_one.c LIBOBJ=sha_dgst.o sha1dgst.o sha_one.o sha1_one.o $(SHA1_ASM_OBJ) SRC= $(LIBSRC) EXHEADER= sha.h HEADER= sha_locl.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib # elf asm/sx86-elf.s: asm/sha1-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) sha1-586.pl elf $(CFLAGS) $(PROCESSOR) > sx86-elf.s) # a.out asm/sx86-out.o: asm/sx86unix.cpp $(CPP) -DOUT asm/sx86unix.cpp | as -o asm/sx86-out.o # bsdi asm/sx86bsdi.o: asm/sx86unix.cpp $(CPP) -DBSDI asm/sx86unix.cpp | sed 's/ :/:/' | as -o asm/sx86bsdi.o asm/sx86unix.cpp: asm/sha1-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) sha1-586.pl cpp $(PROCESSOR) >sx86unix.cpp) files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f asm/sx86unix.cpp asm/*-elf.* *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff asm/*.o # DO NOT DELETE THIS LINE -- make depend depends on it. sha1_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h sha1_one.o: ../../include/openssl/opensslconf.h sha1_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h sha1_one.o: ../../include/openssl/sha.h ../../include/openssl/stack.h sha1_one.o: ../../include/openssl/symhacks.h sha1_one.c sha1dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h sha1dgst.o: ../md32_common.h sha1dgst.c sha_locl.h sha_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h sha_dgst.o: ../md32_common.h sha_dgst.c sha_locl.h sha_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h sha_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h sha_one.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h sha_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h sha_one.o: sha_one.c diff --git a/crypto/openssl/crypto/sha/asm/sha1-586.pl b/crypto/openssl/crypto/sha/asm/sha1-586.pl index fe51fd079457..e00f70955384 100644 --- a/crypto/openssl/crypto/sha/asm/sha1-586.pl +++ b/crypto/openssl/crypto/sha/asm/sha1-586.pl @@ -1,540 +1,425 @@ #!/usr/local/bin/perl +# It was noted that Intel IA-32 C compiler generates code which +# performs ~30% *faster* on P4 CPU than original *hand-coded* +# SHA1 assembler implementation. To address this problem (and +# prove that humans are still better than machines:-), the +# original code was overhauled, which resulted in following +# performance changes: +# +# compared with original compared with Intel cc +# assembler impl. generated code +# Pentium -25% +37% +# PIII/AMD +8% +16% +# P4 +85%(!) +45% +# +# As you can see Pentium came out as looser:-( Yet I reckoned that +# improvement on P4 outweights the loss and incorporate this +# re-tuned code to 0.9.7 and later. +# ---------------------------------------------------------------- +# Those who for any particular reason absolutely must score on +# Pentium can replace this module with one from 0.9.6 distribution. +# This "offer" shall be revoked the moment programming interface to +# this module is changed, in which case this paragraph should be +# removed. +# ---------------------------------------------------------------- +# + $normal=0; push(@INC,"perlasm","../../perlasm"); require "x86asm.pl"; &asm_init($ARGV[0],"sha1-586.pl",$ARGV[$#ARGV] eq "386"); $A="eax"; $B="ecx"; $C="ebx"; $D="edx"; $E="edi"; $T="esi"; $tmp1="ebp"; $off=9*4; @K=(0x5a827999,0x6ed9eba1,0x8f1bbcdc,0xca62c1d6); &sha1_block_data("sha1_block_asm_data_order"); &asm_finish(); sub Nn { local($p)=@_; local(%n)=($A,$T,$B,$A,$C,$B,$D,$C,$E,$D,$T,$E); return($n{$p}); } sub Np { local($p)=@_; local(%n)=($A,$T,$B,$A,$C,$B,$D,$C,$E,$D,$T,$E); local(%n)=($A,$B,$B,$C,$C,$D,$D,$E,$E,$T,$T,$A); return($n{$p}); } sub Na { local($n)=@_; return( (($n )&0x0f), (($n+ 2)&0x0f), (($n+ 8)&0x0f), (($n+13)&0x0f), (($n+ 1)&0x0f)); } sub X_expand { local($in)=@_; &comment("First, load the words onto the stack in network byte order"); for ($i=0; $i<16; $i+=2) { &mov($A,&DWP(($i+0)*4,$in,"",0));# unless $i == 0; &mov($B,&DWP(($i+1)*4,$in,"",0)); &bswap($A); &bswap($B); &mov(&swtmp($i+0),$A); &mov(&swtmp($i+1),$B); } &comment("We now have the X array on the stack"); &comment("starting at sp-4"); } # Rules of engagement # F is always trashable at the start, the running total. # E becomes the next F so it can be trashed after it has been 'accumulated' # F becomes A in the next round. We don't need to access it much. # During the X update part, the result ends up in $X[$n0]. sub BODY_00_15 { local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_; -return if $n & 1; &comment("00_15 $n"); - &mov($f,$c); - - &mov($tmp1,$a); - &xor($f,$d); # F2 - - &rotl($tmp1,5); # A2 - - &and($f,$b); # F3 - &add($tmp1,$e); - - &rotr($b,1); # B1 <- F - &mov($e,&swtmp($n)); # G1 - - &rotr($b,1); # B1 <- F - &xor($f,$d); # F4 - - &lea($tmp1,&DWP($K,$tmp1,$e,1)); - -############################ -# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T); -# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E); -$n++; - local($n0,$n1,$n2,$n3,$np)=&Na($n); - ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f); - - &mov($f,$c); - - &add($a,$tmp1); # MOVED DOWN - &xor($f,$d); # F2 - &mov($tmp1,$a); - &and($f,$b); # F3 - - &rotl($tmp1,5); # A2 - - &add($tmp1,$e); - &mov($e,&swtmp($n)); # G1 - - &rotr($b,1); # B1 <- F - &xor($f,$d); # F4 - - &rotr($b,1); # B1 <- F - &lea($tmp1,&DWP($K,$tmp1,$e,1)); - - &add($f,$tmp1); + &mov($f,$c); # f to hold F_00_19(b,c,d) + &rotl($tmp1,5); # tmp1=ROTATE(a,5) + &xor($f,$d); + &and($f,$b); + &rotr($b,2); # b=ROTATE(b,30) + &add($tmp1,$e); # tmp1+=e; + &mov($e,&swtmp($n)); # e becomes volatile and + # is loaded with xi + &xor($f,$d); # f holds F_00_19(b,c,d) + &lea($tmp1,&DWP($K,$tmp1,$e,1));# tmp1+=K_00_19+xi + + &add($f,$tmp1); # f+=tmp1 } sub BODY_16_19 { local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_; local($n0,$n1,$n2,$n3,$np)=&Na($n); -return if $n & 1; &comment("16_19 $n"); - &nop() if ($pos < 0); -&mov($tmp1,&swtmp($n0)); # X1 - &mov($f,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&xor($f,$tmp1); # X7 - slot - &mov($tmp1,$c); # F1 -&rotl($f,1); # X8 - slot - &xor($tmp1,$d); # F2 -&mov(&swtmp($n0),$f); # X9 - anytime - &and($tmp1,$b); # F3 -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &xor($tmp1,$d); # F4 -&mov($e,$a); # A1 - &add($f,$tmp1); # tot+=F(); - -&rotl($e,5); # A2 - -&rotr($b,1); # B1 <- F - &add($f,$e); # tot+=a - -############################ -# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T); -# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E); -$n++; - local($n0,$n1,$n2,$n3,$np)=&Na($n); - ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f); - - -&mov($f,&swtmp($n0)); # X1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&rotr($c,1); #&rotr($b,1); # B1 <- F # MOVED DOWN - &xor($f,$tmp1); # X7 - slot -&rotl($f,1); # X8 - slot - &mov($tmp1,$c); # F1 -&xor($tmp1,$d); # F2 - &mov(&swtmp($n0),$f); # X9 - anytime -&and($tmp1,$b); # F3 - &lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - -&xor($tmp1,$d); # F4 - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -&rotr($b,1); # B1 <- F - &add($f,$e); # tot+=a - -&rotr($b,1); # B1 <- F - &add($f,$tmp1); # tot+=F(); - + &mov($f,&swtmp($n1)); # f to hold Xupdate(xi,xa,xb,xc,xd) + &mov($tmp1,$c); # tmp1 to hold F_00_19(b,c,d) + &xor($f,&swtmp($n0)); + &xor($tmp1,$d); + &xor($f,&swtmp($n2)); + &and($tmp1,$b); # tmp1 holds F_00_19(b,c,d) + &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd + &rotr($b,2); # b=ROTATE(b,30) + &xor($tmp1,$d); # tmp1=F_00_19(b,c,d) + &rotl($f,1); # f=ROATE(f,1) + &mov(&swtmp($n0),$f); # xi=f + &lea($f,&DWP($K,$f,$e,1)); # f+=K_00_19+e + &mov($e,$a); # e becomes volatile + &add($f,$tmp1); # f+=F_00_19(b,c,d) + &rotl($e,5); # e=ROTATE(a,5) + &add($f,$e); # f+=ROTATE(a,5) } sub BODY_20_39 { local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_; &comment("20_39 $n"); local($n0,$n1,$n2,$n3,$np)=&Na($n); -&mov($f,&swtmp($n0)); # X1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&xor($f,$tmp1); # X7 - slot - &mov($tmp1,$b); # F1 -&rotl($f,1); # X8 - slot - &xor($tmp1,$c); # F2 -&mov(&swtmp($n0),$f); # X9 - anytime - &xor($tmp1,$d); # F3 - -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -if ($n != 79) # last loop - { - &rotr($b,1); # B1 <- F - &add($e,$tmp1); # tmp1=F()+a - - &rotr($b,1); # B2 <- F - &add($f,$e); # tot+=tmp1; - } -else - { - &add($e,$tmp1); # tmp1=F()+a - &mov($tmp1,&wparam(0)); - - &rotr($b,1); # B1 <- F - &add($f,$e); # tot+=tmp1; - - &rotr($b,1); # B2 <- F - } + &mov($f,&swtmp($n0)); # f to hold Xupdate(xi,xa,xb,xc,xd) + &mov($tmp1,$b); # tmp1 to hold F_20_39(b,c,d) + &xor($f,&swtmp($n1)); + &rotr($b,2); # b=ROTATE(b,30) + &xor($f,&swtmp($n2)); + &xor($tmp1,$c); + &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd + &xor($tmp1,$d); # tmp1 holds F_20_39(b,c,d) + &rotl($f,1); # f=ROTATE(f,1) + &mov(&swtmp($n0),$f); # xi=f + &lea($f,&DWP($K,$f,$e,1)); # f+=K_20_39+e + &mov($e,$a); # e becomes volatile + &rotl($e,5); # e=ROTATE(a,5) + &add($f,$tmp1); # f+=F_20_39(b,c,d) + &add($f,$e); # f+=ROTATE(a,5) } sub BODY_40_59 { local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_; &comment("40_59 $n"); - return if $n & 1; local($n0,$n1,$n2,$n3,$np)=&Na($n); -&mov($f,&swtmp($n0)); # X1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&xor($f,$tmp1); # X7 - slot - &mov($tmp1,$b); # F1 -&rotl($f,1); # X8 - slot - &or($tmp1,$c); # F2 -&mov(&swtmp($n0),$f); # X9 - anytime - &and($tmp1,$d); # F3 - -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &mov($e,$b); # F4 - -&rotr($b,1); # B1 <- F - &and($e,$c); # F5 - -&or($tmp1,$e); # F6 - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -&add($tmp1,$e); # tmp1=F()+a - -############################ -# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T); -# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E); -$n++; - local($n0,$n1,$n2,$n3,$np)=&Na($n); - ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f); - - &mov($f,&swtmp($n0)); # X1 -&add($a,$tmp1); # tot+=tmp1; # moved was add f,tmp1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&rotr($c,1); # B2 <- F # moved was rotr b,1 - &xor($f,$tmp1); # X7 - slot -&rotl($f,1); # X8 - slot - &mov($tmp1,$b); # F1 -&mov(&swtmp($n0),$f); # X9 - anytime - &or($tmp1,$c); # F2 -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &mov($e,$b); # F4 -&and($tmp1,$d); # F3 - &and($e,$c); # F5 - -&or($tmp1,$e); # F6 - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -&rotr($b,1); # B1 <- F - &add($tmp1,$e); # tmp1=F()+a - -&rotr($b,1); # B2 <- F - &add($f,$tmp1); # tot+=tmp1; + &mov($f,&swtmp($n0)); # f to hold Xupdate(xi,xa,xb,xc,xd) + &mov($tmp1,$b); # tmp1 to hold F_40_59(b,c,d) + &xor($f,&swtmp($n1)); + &or($tmp1,$c); + &xor($f,&swtmp($n2)); + &and($tmp1,$d); + &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd + &rotl($f,1); # f=ROTATE(f,1) + &mov(&swtmp($n0),$f); # xi=f + &lea($f,&DWP($K,$f,$e,1)); # f+=K_40_59+e + &mov($e,$b); # e becomes volatile and is used + # to calculate F_40_59(b,c,d) + &rotr($b,2); # b=ROTATE(b,30) + &and($e,$c); + &or($tmp1,$e); # tmp1 holds F_40_59(b,c,d) + &mov($e,$a); + &rotl($e,5); # e=ROTATE(a,5) + &add($tmp1,$e); # tmp1+=ROTATE(a,5) + &add($f,$tmp1); # f+=tmp1; } sub BODY_60_79 { &BODY_20_39(@_); } sub sha1_block_host { local($name, $sclabel)=@_; &function_begin_B($name,""); # parameter 1 is the MD5_CTX structure. # A 0 # B 4 # C 8 # D 12 # E 16 &mov("ecx", &wparam(2)); &push("esi"); &shl("ecx",6); &mov("esi", &wparam(1)); &push("ebp"); &add("ecx","esi"); # offset to leave on &push("ebx"); &mov("ebp", &wparam(0)); &push("edi"); &mov($D, &DWP(12,"ebp","",0)); &stack_push(18+9); &mov($E, &DWP(16,"ebp","",0)); &mov($C, &DWP( 8,"ebp","",0)); &mov(&swtmp(17),"ecx"); &comment("First we need to setup the X array"); for ($i=0; $i<16; $i+=2) { &mov($A,&DWP(($i+0)*4,"esi","",0));# unless $i == 0; &mov($B,&DWP(($i+1)*4,"esi","",0)); &mov(&swtmp($i+0),$A); &mov(&swtmp($i+1),$B); } &jmp($sclabel); &function_end_B($name); } sub sha1_block_data { local($name)=@_; &function_begin_B($name,""); # parameter 1 is the MD5_CTX structure. # A 0 # B 4 # C 8 # D 12 # E 16 &mov("ecx", &wparam(2)); &push("esi"); &shl("ecx",6); &mov("esi", &wparam(1)); &push("ebp"); &add("ecx","esi"); # offset to leave on &push("ebx"); &mov("ebp", &wparam(0)); &push("edi"); &mov($D, &DWP(12,"ebp","",0)); &stack_push(18+9); &mov($E, &DWP(16,"ebp","",0)); &mov($C, &DWP( 8,"ebp","",0)); &mov(&swtmp(17),"ecx"); &comment("First we need to setup the X array"); &set_label("start") unless $normal; &X_expand("esi"); &mov(&wparam(1),"esi"); &set_label("shortcut", 0, 1); &comment(""); &comment("Start processing"); # odd start &mov($A, &DWP( 0,"ebp","",0)); &mov($B, &DWP( 4,"ebp","",0)); $X="esp"; &BODY_00_15(-2,$K[0],$X, 0,$A,$B,$C,$D,$E,$T); &BODY_00_15( 0,$K[0],$X, 1,$T,$A,$B,$C,$D,$E); &BODY_00_15( 0,$K[0],$X, 2,$E,$T,$A,$B,$C,$D); &BODY_00_15( 0,$K[0],$X, 3,$D,$E,$T,$A,$B,$C); &BODY_00_15( 0,$K[0],$X, 4,$C,$D,$E,$T,$A,$B); &BODY_00_15( 0,$K[0],$X, 5,$B,$C,$D,$E,$T,$A); &BODY_00_15( 0,$K[0],$X, 6,$A,$B,$C,$D,$E,$T); &BODY_00_15( 0,$K[0],$X, 7,$T,$A,$B,$C,$D,$E); &BODY_00_15( 0,$K[0],$X, 8,$E,$T,$A,$B,$C,$D); &BODY_00_15( 0,$K[0],$X, 9,$D,$E,$T,$A,$B,$C); &BODY_00_15( 0,$K[0],$X,10,$C,$D,$E,$T,$A,$B); &BODY_00_15( 0,$K[0],$X,11,$B,$C,$D,$E,$T,$A); &BODY_00_15( 0,$K[0],$X,12,$A,$B,$C,$D,$E,$T); &BODY_00_15( 0,$K[0],$X,13,$T,$A,$B,$C,$D,$E); &BODY_00_15( 0,$K[0],$X,14,$E,$T,$A,$B,$C,$D); &BODY_00_15( 1,$K[0],$X,15,$D,$E,$T,$A,$B,$C); &BODY_16_19(-1,$K[0],$X,16,$C,$D,$E,$T,$A,$B); &BODY_16_19( 0,$K[0],$X,17,$B,$C,$D,$E,$T,$A); &BODY_16_19( 0,$K[0],$X,18,$A,$B,$C,$D,$E,$T); &BODY_16_19( 1,$K[0],$X,19,$T,$A,$B,$C,$D,$E); &BODY_20_39(-1,$K[1],$X,20,$E,$T,$A,$B,$C,$D); &BODY_20_39( 0,$K[1],$X,21,$D,$E,$T,$A,$B,$C); &BODY_20_39( 0,$K[1],$X,22,$C,$D,$E,$T,$A,$B); &BODY_20_39( 0,$K[1],$X,23,$B,$C,$D,$E,$T,$A); &BODY_20_39( 0,$K[1],$X,24,$A,$B,$C,$D,$E,$T); &BODY_20_39( 0,$K[1],$X,25,$T,$A,$B,$C,$D,$E); &BODY_20_39( 0,$K[1],$X,26,$E,$T,$A,$B,$C,$D); &BODY_20_39( 0,$K[1],$X,27,$D,$E,$T,$A,$B,$C); &BODY_20_39( 0,$K[1],$X,28,$C,$D,$E,$T,$A,$B); &BODY_20_39( 0,$K[1],$X,29,$B,$C,$D,$E,$T,$A); &BODY_20_39( 0,$K[1],$X,30,$A,$B,$C,$D,$E,$T); &BODY_20_39( 0,$K[1],$X,31,$T,$A,$B,$C,$D,$E); &BODY_20_39( 0,$K[1],$X,32,$E,$T,$A,$B,$C,$D); &BODY_20_39( 0,$K[1],$X,33,$D,$E,$T,$A,$B,$C); &BODY_20_39( 0,$K[1],$X,34,$C,$D,$E,$T,$A,$B); &BODY_20_39( 0,$K[1],$X,35,$B,$C,$D,$E,$T,$A); &BODY_20_39( 0,$K[1],$X,36,$A,$B,$C,$D,$E,$T); &BODY_20_39( 0,$K[1],$X,37,$T,$A,$B,$C,$D,$E); &BODY_20_39( 0,$K[1],$X,38,$E,$T,$A,$B,$C,$D); &BODY_20_39( 1,$K[1],$X,39,$D,$E,$T,$A,$B,$C); &BODY_40_59(-1,$K[2],$X,40,$C,$D,$E,$T,$A,$B); &BODY_40_59( 0,$K[2],$X,41,$B,$C,$D,$E,$T,$A); &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T); &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E); &BODY_40_59( 0,$K[2],$X,44,$E,$T,$A,$B,$C,$D); &BODY_40_59( 0,$K[2],$X,45,$D,$E,$T,$A,$B,$C); &BODY_40_59( 0,$K[2],$X,46,$C,$D,$E,$T,$A,$B); &BODY_40_59( 0,$K[2],$X,47,$B,$C,$D,$E,$T,$A); &BODY_40_59( 0,$K[2],$X,48,$A,$B,$C,$D,$E,$T); &BODY_40_59( 0,$K[2],$X,49,$T,$A,$B,$C,$D,$E); &BODY_40_59( 0,$K[2],$X,50,$E,$T,$A,$B,$C,$D); &BODY_40_59( 0,$K[2],$X,51,$D,$E,$T,$A,$B,$C); &BODY_40_59( 0,$K[2],$X,52,$C,$D,$E,$T,$A,$B); &BODY_40_59( 0,$K[2],$X,53,$B,$C,$D,$E,$T,$A); &BODY_40_59( 0,$K[2],$X,54,$A,$B,$C,$D,$E,$T); &BODY_40_59( 0,$K[2],$X,55,$T,$A,$B,$C,$D,$E); &BODY_40_59( 0,$K[2],$X,56,$E,$T,$A,$B,$C,$D); &BODY_40_59( 0,$K[2],$X,57,$D,$E,$T,$A,$B,$C); &BODY_40_59( 0,$K[2],$X,58,$C,$D,$E,$T,$A,$B); &BODY_40_59( 1,$K[2],$X,59,$B,$C,$D,$E,$T,$A); &BODY_60_79(-1,$K[3],$X,60,$A,$B,$C,$D,$E,$T); &BODY_60_79( 0,$K[3],$X,61,$T,$A,$B,$C,$D,$E); &BODY_60_79( 0,$K[3],$X,62,$E,$T,$A,$B,$C,$D); &BODY_60_79( 0,$K[3],$X,63,$D,$E,$T,$A,$B,$C); &BODY_60_79( 0,$K[3],$X,64,$C,$D,$E,$T,$A,$B); &BODY_60_79( 0,$K[3],$X,65,$B,$C,$D,$E,$T,$A); &BODY_60_79( 0,$K[3],$X,66,$A,$B,$C,$D,$E,$T); &BODY_60_79( 0,$K[3],$X,67,$T,$A,$B,$C,$D,$E); &BODY_60_79( 0,$K[3],$X,68,$E,$T,$A,$B,$C,$D); &BODY_60_79( 0,$K[3],$X,69,$D,$E,$T,$A,$B,$C); &BODY_60_79( 0,$K[3],$X,70,$C,$D,$E,$T,$A,$B); &BODY_60_79( 0,$K[3],$X,71,$B,$C,$D,$E,$T,$A); &BODY_60_79( 0,$K[3],$X,72,$A,$B,$C,$D,$E,$T); &BODY_60_79( 0,$K[3],$X,73,$T,$A,$B,$C,$D,$E); &BODY_60_79( 0,$K[3],$X,74,$E,$T,$A,$B,$C,$D); &BODY_60_79( 0,$K[3],$X,75,$D,$E,$T,$A,$B,$C); &BODY_60_79( 0,$K[3],$X,76,$C,$D,$E,$T,$A,$B); &BODY_60_79( 0,$K[3],$X,77,$B,$C,$D,$E,$T,$A); &BODY_60_79( 0,$K[3],$X,78,$A,$B,$C,$D,$E,$T); &BODY_60_79( 2,$K[3],$X,79,$T,$A,$B,$C,$D,$E); &comment("End processing"); &comment(""); # D is the tmp value # E -> A # T -> B # A -> C # B -> D # C -> E # D -> T - # The last 2 have been moved into the last loop - # &mov($tmp1,&wparam(0)); + &mov($tmp1,&wparam(0)); &mov($D, &DWP(12,$tmp1,"",0)); &add($D,$B); &mov($B, &DWP( 4,$tmp1,"",0)); &add($B,$T); &mov($T, $A); &mov($A, &DWP( 0,$tmp1,"",0)); &mov(&DWP(12,$tmp1,"",0),$D); &add($A,$E); &mov($E, &DWP(16,$tmp1,"",0)); &add($E,$C); &mov($C, &DWP( 8,$tmp1,"",0)); &add($C,$T); &mov(&DWP( 0,$tmp1,"",0),$A); &mov("esi",&wparam(1)); &mov(&DWP( 8,$tmp1,"",0),$C); &add("esi",64); &mov("eax",&swtmp(17)); &mov(&DWP(16,$tmp1,"",0),$E); &cmp("esi","eax"); &mov(&DWP( 4,$tmp1,"",0),$B); &jl(&label("start")); &stack_pop(18+9); &pop("edi"); &pop("ebx"); &pop("ebp"); &pop("esi"); &ret(); # keep a note of shortcut label so it can be used outside # block. my $sclabel = &label("shortcut"); &function_end_B($name); # Putting this here avoids problems with MASM in debugging mode &sha1_block_host("sha1_block_asm_host_order", $sclabel); } diff --git a/crypto/openssl/crypto/stack/Makefile.ssl b/crypto/openssl/crypto/stack/Makefile.ssl index e4acfe6aba22..7120fb804a07 100644 --- a/crypto/openssl/crypto/stack/Makefile.ssl +++ b/crypto/openssl/crypto/stack/Makefile.ssl @@ -1,88 +1,88 @@ # # SSLeay/crypto/stack/Makefile # DIR= stack TOP= ../.. CC= cc INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC=stack.c LIBOBJ=stack.o SRC= $(LIBSRC) EXHEADER= stack.h safestack.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. stack.o: ../../e_os.h ../../include/openssl/bio.h stack.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h stack.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h stack.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h stack.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h stack.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h stack.o: ../cryptlib.h stack.c diff --git a/crypto/openssl/crypto/threads/mttest.c b/crypto/openssl/crypto/threads/mttest.c index 54d598565d53..7588966cb219 100644 --- a/crypto/openssl/crypto/threads/mttest.c +++ b/crypto/openssl/crypto/threads/mttest.c @@ -1,1095 +1,1096 @@ /* crypto/threads/mttest.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include #ifdef LINUX #include #endif #ifdef OPENSSL_SYS_WIN32 #include #endif #ifdef SOLARIS #include #include #endif #ifdef IRIX #include #include #endif #ifdef PTHREADS #include #endif #include #include #include #include "../../e_os.h" #include #include #include #include #define TEST_SERVER_CERT "../../apps/server.pem" #define TEST_CLIENT_CERT "../../apps/client.pem" #define MAX_THREAD_NUMBER 100 int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *xs); void thread_setup(void); void thread_cleanup(void); void do_threads(SSL_CTX *s_ctx,SSL_CTX *c_ctx); void irix_locking_callback(int mode,int type,char *file,int line); void solaris_locking_callback(int mode,int type,char *file,int line); void win32_locking_callback(int mode,int type,char *file,int line); void pthreads_locking_callback(int mode,int type,char *file,int line); unsigned long irix_thread_id(void ); unsigned long solaris_thread_id(void ); unsigned long pthreads_thread_id(void ); BIO *bio_err=NULL; BIO *bio_stdout=NULL; static char *cipher=NULL; int verbose=0; #ifdef FIONBIO static int s_nbio=0; #endif int thread_number=10; int number_of_loops=10; int reconnect=0; int cache_stats=0; static const char rnd_seed[] = "string to make the random number generator think it has entropy"; int doit(char *ctx[4]); static void print_stats(FILE *fp, SSL_CTX *ctx) { fprintf(fp,"%4ld items in the session cache\n", SSL_CTX_sess_number(ctx)); fprintf(fp,"%4d client connects (SSL_connect())\n", SSL_CTX_sess_connect(ctx)); fprintf(fp,"%4d client connects that finished\n", SSL_CTX_sess_connect_good(ctx)); fprintf(fp,"%4d server connects (SSL_accept())\n", SSL_CTX_sess_accept(ctx)); fprintf(fp,"%4d server connects that finished\n", SSL_CTX_sess_accept_good(ctx)); fprintf(fp,"%4d session cache hits\n",SSL_CTX_sess_hits(ctx)); fprintf(fp,"%4d session cache misses\n",SSL_CTX_sess_misses(ctx)); fprintf(fp,"%4d session cache timeouts\n",SSL_CTX_sess_timeouts(ctx)); } static void sv_usage(void) { fprintf(stderr,"usage: ssltest [args ...]\n"); fprintf(stderr,"\n"); fprintf(stderr," -server_auth - check server certificate\n"); fprintf(stderr," -client_auth - do client authentication\n"); fprintf(stderr," -v - more output\n"); fprintf(stderr," -CApath arg - PEM format directory of CA's\n"); fprintf(stderr," -CAfile arg - PEM format file of CA's\n"); fprintf(stderr," -threads arg - number of threads\n"); fprintf(stderr," -loops arg - number of 'connections', per thread\n"); fprintf(stderr," -reconnect - reuse session-id's\n"); fprintf(stderr," -stats - server session-id cache stats\n"); fprintf(stderr," -cert arg - server certificate/key\n"); fprintf(stderr," -ccert arg - client certificate/key\n"); fprintf(stderr," -ssl3 - just SSLv3n\n"); } int main(int argc, char *argv[]) { char *CApath=NULL,*CAfile=NULL; int badop=0; int ret=1; int client_auth=0; int server_auth=0; SSL_CTX *s_ctx=NULL; SSL_CTX *c_ctx=NULL; char *scert=TEST_SERVER_CERT; char *ccert=TEST_CLIENT_CERT; SSL_METHOD *ssl_method=SSLv23_method(); RAND_seed(rnd_seed, sizeof rnd_seed); if (bio_err == NULL) bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); if (bio_stdout == NULL) bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE); argc--; argv++; while (argc >= 1) { if (strcmp(*argv,"-server_auth") == 0) server_auth=1; else if (strcmp(*argv,"-client_auth") == 0) client_auth=1; else if (strcmp(*argv,"-reconnect") == 0) reconnect=1; else if (strcmp(*argv,"-stats") == 0) cache_stats=1; else if (strcmp(*argv,"-ssl3") == 0) ssl_method=SSLv3_method(); else if (strcmp(*argv,"-ssl2") == 0) ssl_method=SSLv2_method(); else if (strcmp(*argv,"-CApath") == 0) { if (--argc < 1) goto bad; CApath= *(++argv); } else if (strcmp(*argv,"-CAfile") == 0) { if (--argc < 1) goto bad; CAfile= *(++argv); } else if (strcmp(*argv,"-cert") == 0) { if (--argc < 1) goto bad; scert= *(++argv); } else if (strcmp(*argv,"-ccert") == 0) { if (--argc < 1) goto bad; ccert= *(++argv); } else if (strcmp(*argv,"-threads") == 0) { if (--argc < 1) goto bad; thread_number= atoi(*(++argv)); if (thread_number == 0) thread_number=1; if (thread_number > MAX_THREAD_NUMBER) thread_number=MAX_THREAD_NUMBER; } else if (strcmp(*argv,"-loops") == 0) { if (--argc < 1) goto bad; number_of_loops= atoi(*(++argv)); if (number_of_loops == 0) number_of_loops=1; } else { fprintf(stderr,"unknown option %s\n",*argv); badop=1; break; } argc--; argv++; } if (badop) { bad: sv_usage(); goto end; } - if (cipher == NULL) cipher=getenv("SSL_CIPHER"); + if (cipher == NULL && OPENSSL_issetugid() == 0) + cipher=getenv("SSL_CIPHER"); SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); c_ctx=SSL_CTX_new(ssl_method); s_ctx=SSL_CTX_new(ssl_method); if ((c_ctx == NULL) || (s_ctx == NULL)) { ERR_print_errors(bio_err); goto end; } SSL_CTX_set_session_cache_mode(s_ctx, SSL_SESS_CACHE_NO_AUTO_CLEAR|SSL_SESS_CACHE_SERVER); SSL_CTX_set_session_cache_mode(c_ctx, SSL_SESS_CACHE_NO_AUTO_CLEAR|SSL_SESS_CACHE_SERVER); if (!SSL_CTX_use_certificate_file(s_ctx,scert,SSL_FILETYPE_PEM)) { ERR_print_errors(bio_err); } else if (!SSL_CTX_use_RSAPrivateKey_file(s_ctx,scert,SSL_FILETYPE_PEM)) { ERR_print_errors(bio_err); goto end; } if (client_auth) { SSL_CTX_use_certificate_file(c_ctx,ccert, SSL_FILETYPE_PEM); SSL_CTX_use_RSAPrivateKey_file(c_ctx,ccert, SSL_FILETYPE_PEM); } if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(s_ctx)) || (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(c_ctx))) { fprintf(stderr,"SSL_load_verify_locations\n"); ERR_print_errors(bio_err); goto end; } if (client_auth) { fprintf(stderr,"client authentication\n"); SSL_CTX_set_verify(s_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); } if (server_auth) { fprintf(stderr,"server authentication\n"); SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER, verify_callback); } thread_setup(); do_threads(s_ctx,c_ctx); thread_cleanup(); end: if (c_ctx != NULL) { fprintf(stderr,"Client SSL_CTX stats then free it\n"); print_stats(stderr,c_ctx); SSL_CTX_free(c_ctx); } if (s_ctx != NULL) { fprintf(stderr,"Server SSL_CTX stats then free it\n"); print_stats(stderr,s_ctx); if (cache_stats) { fprintf(stderr,"-----\n"); lh_stats(SSL_CTX_sessions(s_ctx),stderr); fprintf(stderr,"-----\n"); /* lh_node_stats(SSL_CTX_sessions(s_ctx),stderr); fprintf(stderr,"-----\n"); */ lh_node_usage_stats(SSL_CTX_sessions(s_ctx),stderr); fprintf(stderr,"-----\n"); } SSL_CTX_free(s_ctx); fprintf(stderr,"done free\n"); } exit(ret); return(0); } #define W_READ 1 #define W_WRITE 2 #define C_DONE 1 #define S_DONE 2 int ndoit(SSL_CTX *ssl_ctx[2]) { int i; int ret; char *ctx[4]; ctx[0]=(char *)ssl_ctx[0]; ctx[1]=(char *)ssl_ctx[1]; if (reconnect) { ctx[2]=(char *)SSL_new(ssl_ctx[0]); ctx[3]=(char *)SSL_new(ssl_ctx[1]); } else { ctx[2]=NULL; ctx[3]=NULL; } fprintf(stdout,"started thread %lu\n",CRYPTO_thread_id()); for (i=0; iref (%3d,%3d)\n", CRYPTO_thread_id(),i, ssl_ctx[0]->references, ssl_ctx[1]->references); */ /* pthread_delay_np(&tm);*/ ret=doit(ctx); if (ret != 0) { fprintf(stdout,"error[%d] %lu - %d\n", i,CRYPTO_thread_id(),ret); return(ret); } } fprintf(stdout,"DONE %lu\n",CRYPTO_thread_id()); if (reconnect) { SSL_free((SSL *)ctx[2]); SSL_free((SSL *)ctx[3]); } return(0); } int doit(char *ctx[4]) { SSL_CTX *s_ctx,*c_ctx; static char cbuf[200],sbuf[200]; SSL *c_ssl=NULL; SSL *s_ssl=NULL; BIO *c_to_s=NULL; BIO *s_to_c=NULL; BIO *c_bio=NULL; BIO *s_bio=NULL; int c_r,c_w,s_r,s_w; int c_want,s_want; int i; int done=0; int c_write,s_write; int do_server=0,do_client=0; s_ctx=(SSL_CTX *)ctx[0]; c_ctx=(SSL_CTX *)ctx[1]; if (ctx[2] != NULL) s_ssl=(SSL *)ctx[2]; else s_ssl=SSL_new(s_ctx); if (ctx[3] != NULL) c_ssl=(SSL *)ctx[3]; else c_ssl=SSL_new(c_ctx); if ((s_ssl == NULL) || (c_ssl == NULL)) goto err; c_to_s=BIO_new(BIO_s_mem()); s_to_c=BIO_new(BIO_s_mem()); if ((s_to_c == NULL) || (c_to_s == NULL)) goto err; c_bio=BIO_new(BIO_f_ssl()); s_bio=BIO_new(BIO_f_ssl()); if ((c_bio == NULL) || (s_bio == NULL)) goto err; SSL_set_connect_state(c_ssl); SSL_set_bio(c_ssl,s_to_c,c_to_s); BIO_set_ssl(c_bio,c_ssl,(ctx[2] == NULL)?BIO_CLOSE:BIO_NOCLOSE); SSL_set_accept_state(s_ssl); SSL_set_bio(s_ssl,c_to_s,s_to_c); BIO_set_ssl(s_bio,s_ssl,(ctx[3] == NULL)?BIO_CLOSE:BIO_NOCLOSE); c_r=0; s_r=1; c_w=1; s_w=0; c_want=W_WRITE; s_want=0; c_write=1,s_write=0; /* We can always do writes */ for (;;) { do_server=0; do_client=0; i=(int)BIO_pending(s_bio); if ((i && s_r) || s_w) do_server=1; i=(int)BIO_pending(c_bio); if ((i && c_r) || c_w) do_client=1; if (do_server && verbose) { if (SSL_in_init(s_ssl)) printf("server waiting in SSL_accept - %s\n", SSL_state_string_long(s_ssl)); else if (s_write) printf("server:SSL_write()\n"); else printf("server:SSL_read()\n"); } if (do_client && verbose) { if (SSL_in_init(c_ssl)) printf("client waiting in SSL_connect - %s\n", SSL_state_string_long(c_ssl)); else if (c_write) printf("client:SSL_write()\n"); else printf("client:SSL_read()\n"); } if (!do_client && !do_server) { fprintf(stdout,"ERROR IN STARTUP\n"); break; } if (do_client && !(done & C_DONE)) { if (c_write) { i=BIO_write(c_bio,"hello from client\n",18); if (i < 0) { c_r=0; c_w=0; if (BIO_should_retry(c_bio)) { if (BIO_should_read(c_bio)) c_r=1; if (BIO_should_write(c_bio)) c_w=1; } else { fprintf(stderr,"ERROR in CLIENT\n"); ERR_print_errors_fp(stderr); return(1); } } else if (i == 0) { fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); return(1); } else { /* ok */ c_write=0; } } else { i=BIO_read(c_bio,cbuf,100); if (i < 0) { c_r=0; c_w=0; if (BIO_should_retry(c_bio)) { if (BIO_should_read(c_bio)) c_r=1; if (BIO_should_write(c_bio)) c_w=1; } else { fprintf(stderr,"ERROR in CLIENT\n"); ERR_print_errors_fp(stderr); return(1); } } else if (i == 0) { fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); return(1); } else { done|=C_DONE; #ifdef undef fprintf(stdout,"CLIENT:from server:"); fwrite(cbuf,1,i,stdout); fflush(stdout); #endif } } } if (do_server && !(done & S_DONE)) { if (!s_write) { i=BIO_read(s_bio,sbuf,100); if (i < 0) { s_r=0; s_w=0; if (BIO_should_retry(s_bio)) { if (BIO_should_read(s_bio)) s_r=1; if (BIO_should_write(s_bio)) s_w=1; } else { fprintf(stderr,"ERROR in SERVER\n"); ERR_print_errors_fp(stderr); return(1); } } else if (i == 0) { fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); return(1); } else { s_write=1; s_w=1; #ifdef undef fprintf(stdout,"SERVER:from client:"); fwrite(sbuf,1,i,stdout); fflush(stdout); #endif } } else { i=BIO_write(s_bio,"hello from server\n",18); if (i < 0) { s_r=0; s_w=0; if (BIO_should_retry(s_bio)) { if (BIO_should_read(s_bio)) s_r=1; if (BIO_should_write(s_bio)) s_w=1; } else { fprintf(stderr,"ERROR in SERVER\n"); ERR_print_errors_fp(stderr); return(1); } } else if (i == 0) { fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); return(1); } else { s_write=0; s_r=1; done|=S_DONE; } } } if ((done & S_DONE) && (done & C_DONE)) break; } SSL_set_shutdown(c_ssl,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); SSL_set_shutdown(s_ssl,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); #ifdef undef fprintf(stdout,"DONE\n"); #endif err: /* We have to set the BIO's to NULL otherwise they will be * free()ed twice. Once when th s_ssl is SSL_free()ed and * again when c_ssl is SSL_free()ed. * This is a hack required because s_ssl and c_ssl are sharing the same * BIO structure and SSL_set_bio() and SSL_free() automatically * BIO_free non NULL entries. * You should not normally do this or be required to do this */ if (s_ssl != NULL) { s_ssl->rbio=NULL; s_ssl->wbio=NULL; } if (c_ssl != NULL) { c_ssl->rbio=NULL; c_ssl->wbio=NULL; } /* The SSL's are optionally freed in the following calls */ if (c_to_s != NULL) BIO_free(c_to_s); if (s_to_c != NULL) BIO_free(s_to_c); if (c_bio != NULL) BIO_free(c_bio); if (s_bio != NULL) BIO_free(s_bio); return(0); } int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) { char *s, buf[256]; if (verbose) { s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf,256); if (s != NULL) { if (ok) fprintf(stderr,"depth=%d %s\n", ctx->error_depth,buf); else fprintf(stderr,"depth=%d error=%d %s\n", ctx->error_depth,ctx->error,buf); } } return(ok); } #define THREAD_STACK_SIZE (16*1024) #ifdef OPENSSL_SYS_WIN32 static HANDLE *lock_cs; void thread_setup(void) { int i; lock_cs=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(HANDLE)); for (i=0; i end.wDayOfWeek) end.wDayOfWeek+=7; ret=(end.wDayOfWeek-start.wDayOfWeek)*24; ret=(ret+end.wHour-start.wHour)*60; ret=(ret+end.wMinute-start.wMinute)*60; ret=(ret+end.wSecond-start.wSecond); ret+=(end.wMilliseconds-start.wMilliseconds)/1000.0; printf("win32 threads done - %.3f seconds\n",ret); } #endif /* OPENSSL_SYS_WIN32 */ #ifdef SOLARIS static mutex_t *lock_cs; /*static rwlock_t *lock_cs; */ static long *lock_count; void thread_setup(void) { int i; lock_cs=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(mutex_t)); lock_count=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); for (i=0; ireferences,c_ctx->references); } unsigned long solaris_thread_id(void) { unsigned long ret; ret=(unsigned long)thr_self(); return(ret); } #endif /* SOLARIS */ #ifdef IRIX static usptr_t *arena; static usema_t **lock_cs; void thread_setup(void) { int i; char filename[20]; strcpy(filename,"/tmp/mttest.XXXXXX"); mktemp(filename); usconfig(CONF_STHREADIOOFF); usconfig(CONF_STHREADMALLOCOFF); usconfig(CONF_INITUSERS,100); usconfig(CONF_LOCKTYPE,US_DEBUGPLUS); arena=usinit(filename); unlink(filename); lock_cs=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(usema_t *)); for (i=0; ireferences,c_ctx->references); } unsigned long irix_thread_id(void) { unsigned long ret; ret=(unsigned long)getpid(); return(ret); } #endif /* IRIX */ #ifdef PTHREADS static pthread_mutex_t *lock_cs; static long *lock_count; void thread_setup(void) { int i; lock_cs=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); lock_count=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); for (i=0; ireferences,c_ctx->references); } unsigned long pthreads_thread_id(void) { unsigned long ret; ret=(unsigned long)pthread_self(); return(ret); } #endif /* PTHREADS */ diff --git a/crypto/openssl/crypto/txt_db/Makefile.ssl b/crypto/openssl/crypto/txt_db/Makefile.ssl index 313f75313b78..6221dfae4d10 100644 --- a/crypto/openssl/crypto/txt_db/Makefile.ssl +++ b/crypto/openssl/crypto/txt_db/Makefile.ssl @@ -1,88 +1,88 @@ # # SSLeay/crypto/txt_db/Makefile # DIR= txt_db TOP= ../.. CC= cc INCLUDES= CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC=txt_db.c LIBOBJ=txt_db.o SRC= $(LIBSRC) EXHEADER= txt_db.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. txt_db.o: ../../e_os.h ../../include/openssl/bio.h txt_db.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h txt_db.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h txt_db.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h txt_db.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h txt_db.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h txt_db.o: ../../include/openssl/txt_db.h ../cryptlib.h txt_db.c diff --git a/crypto/openssl/crypto/ui/Makefile.ssl b/crypto/openssl/crypto/ui/Makefile.ssl index 90ae7d4a4a24..ba46951d1c39 100644 --- a/crypto/openssl/crypto/ui/Makefile.ssl +++ b/crypto/openssl/crypto/ui/Makefile.ssl @@ -1,117 +1,117 @@ # # OpenSSL/crypto/ui/Makefile # DIR= ui TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile #TEST= uitest.c TEST= APPS= COMPATSRC= ui_compat.c COMPATOBJ= ui_compat.o LIB=$(TOP)/libcrypto.a LIBSRC= ui_err.c ui_lib.c ui_openssl.c ui_util.c $(COMPATSRC) LIBOBJ= ui_err.o ui_lib.o ui_openssl.o ui_util.o $(COMPATOBJ) SRC= $(LIBSRC) EXHEADER= ui.h ui_compat.h HEADER= $(EXHEADER) ui_locl.h ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. ui_compat.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h ui_compat.o: ../../include/openssl/opensslconf.h ui_compat.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h ui_compat.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ui_compat.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h ui_compat.o: ui_compat.c ui_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h ui_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h ui_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h ui_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h ui_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ui_err.o: ../../include/openssl/ui.h ui_err.c ui_lib.o: ../../e_os.h ../../include/openssl/bio.h ui_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h ui_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h ui_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h ui_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h ui_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ui_lib.o: ../../include/openssl/ui.h ../cryptlib.h ui_lib.c ui_locl.h ui_openssl.o: ../../e_os.h ../../include/openssl/bio.h ui_openssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h ui_openssl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h ui_openssl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h ui_openssl.o: ../../include/openssl/opensslv.h ui_openssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h ui_openssl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h ui_openssl.o: ../cryptlib.h ui_locl.h ui_openssl.c ui_util.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h ui_util.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h ui_util.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h ui_util.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h ui_util.o: ui_util.c diff --git a/crypto/openssl/crypto/ui/ui_lib.c b/crypto/openssl/crypto/ui/ui_lib.c index 13e5f20dcb2a..dbc9711a2def 100644 --- a/crypto/openssl/crypto/ui/ui_lib.c +++ b/crypto/openssl/crypto/ui/ui_lib.c @@ -1,901 +1,902 @@ /* crypto/ui/ui_lib.c -*- mode:C; c-file-style: "eay" -*- */ /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL * project 2001. */ /* ==================================================================== * Copyright (c) 2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include #include #include #include "ui_locl.h" #include "cryptlib.h" IMPLEMENT_STACK_OF(UI_STRING_ST) static const UI_METHOD *default_UI_meth=NULL; UI *UI_new(void) { return(UI_new_method(NULL)); } UI *UI_new_method(const UI_METHOD *method) { UI *ret; ret=(UI *)OPENSSL_malloc(sizeof(UI)); if (ret == NULL) { UIerr(UI_F_UI_NEW_METHOD,ERR_R_MALLOC_FAILURE); return NULL; } if (method == NULL) ret->meth=UI_get_default_method(); else ret->meth=method; ret->strings=NULL; ret->user_data=NULL; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data); return ret; } static void free_string(UI_STRING *uis) { if (uis->flags & OUT_STRING_FREEABLE) { OPENSSL_free((char *)uis->out_string); switch(uis->type) { case UIT_BOOLEAN: OPENSSL_free((char *)uis->_.boolean_data.action_desc); OPENSSL_free((char *)uis->_.boolean_data.ok_chars); OPENSSL_free((char *)uis->_.boolean_data.cancel_chars); break; default: break; } } OPENSSL_free(uis); } void UI_free(UI *ui) { if (ui == NULL) return; sk_UI_STRING_pop_free(ui->strings,free_string); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_UI, ui, &ui->ex_data); OPENSSL_free(ui); } static int allocate_string_stack(UI *ui) { if (ui->strings == NULL) { ui->strings=sk_UI_STRING_new_null(); if (ui->strings == NULL) { return -1; } } return 0; } static UI_STRING *general_allocate_prompt(UI *ui, const char *prompt, int prompt_freeable, enum UI_string_types type, int input_flags, char *result_buf) { UI_STRING *ret = NULL; if (prompt == NULL) { UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,ERR_R_PASSED_NULL_PARAMETER); } else if ((type == UIT_PROMPT || type == UIT_VERIFY || type == UIT_BOOLEAN) && result_buf == NULL) { UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,UI_R_NO_RESULT_BUFFER); } else if ((ret = (UI_STRING *)OPENSSL_malloc(sizeof(UI_STRING)))) { ret->out_string=prompt; ret->flags=prompt_freeable ? OUT_STRING_FREEABLE : 0; ret->input_flags=input_flags; ret->type=type; ret->result_buf=result_buf; } return ret; } static int general_allocate_string(UI *ui, const char *prompt, int prompt_freeable, enum UI_string_types type, int input_flags, char *result_buf, int minsize, int maxsize, const char *test_buf) { int ret = -1; UI_STRING *s = general_allocate_prompt(ui, prompt, prompt_freeable, type, input_flags, result_buf); if (s) { if (allocate_string_stack(ui) >= 0) { s->_.string_data.result_minsize=minsize; s->_.string_data.result_maxsize=maxsize; s->_.string_data.test_buf=test_buf; ret=sk_UI_STRING_push(ui->strings, s); /* sk_push() returns 0 on error. Let's addapt that */ if (ret <= 0) ret--; } else free_string(s); } return ret; } static int general_allocate_boolean(UI *ui, const char *prompt, const char *action_desc, const char *ok_chars, const char *cancel_chars, int prompt_freeable, enum UI_string_types type, int input_flags, char *result_buf) { int ret = -1; UI_STRING *s; const char *p; if (ok_chars == NULL) { UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,ERR_R_PASSED_NULL_PARAMETER); } else if (cancel_chars == NULL) { UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,ERR_R_PASSED_NULL_PARAMETER); } else { for(p = ok_chars; *p; p++) { if (strchr(cancel_chars, *p)) { UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN, UI_R_COMMON_OK_AND_CANCEL_CHARACTERS); } } s = general_allocate_prompt(ui, prompt, prompt_freeable, type, input_flags, result_buf); if (s) { if (allocate_string_stack(ui) >= 0) { s->_.boolean_data.action_desc = action_desc; s->_.boolean_data.ok_chars = ok_chars; s->_.boolean_data.cancel_chars = cancel_chars; ret=sk_UI_STRING_push(ui->strings, s); /* sk_push() returns 0 on error. Let's addapt that */ if (ret <= 0) ret--; } else free_string(s); } } return ret; } /* Returns the index to the place in the stack or -1 for error. Uses a direct reference to the prompt. */ int UI_add_input_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize) { return general_allocate_string(ui, prompt, 0, UIT_PROMPT, flags, result_buf, minsize, maxsize, NULL); } /* Same as UI_add_input_string(), excepts it takes a copy of the prompt */ int UI_dup_input_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize) { char *prompt_copy=NULL; if (prompt) { prompt_copy=BUF_strdup(prompt); if (prompt_copy == NULL) { UIerr(UI_F_UI_DUP_INPUT_STRING,ERR_R_MALLOC_FAILURE); return 0; } } return general_allocate_string(ui, prompt_copy, 1, UIT_PROMPT, flags, result_buf, minsize, maxsize, NULL); } int UI_add_verify_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize, const char *test_buf) { return general_allocate_string(ui, prompt, 0, UIT_VERIFY, flags, result_buf, minsize, maxsize, test_buf); } int UI_dup_verify_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize, const char *test_buf) { char *prompt_copy=NULL; if (prompt) { prompt_copy=BUF_strdup(prompt); if (prompt_copy == NULL) { UIerr(UI_F_UI_DUP_VERIFY_STRING,ERR_R_MALLOC_FAILURE); return -1; } } return general_allocate_string(ui, prompt_copy, 1, UIT_VERIFY, flags, result_buf, minsize, maxsize, test_buf); } int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc, const char *ok_chars, const char *cancel_chars, int flags, char *result_buf) { return general_allocate_boolean(ui, prompt, action_desc, ok_chars, cancel_chars, 0, UIT_BOOLEAN, flags, result_buf); } int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc, const char *ok_chars, const char *cancel_chars, int flags, char *result_buf) { char *prompt_copy = NULL; char *action_desc_copy = NULL; char *ok_chars_copy = NULL; char *cancel_chars_copy = NULL; if (prompt) { prompt_copy=BUF_strdup(prompt); if (prompt_copy == NULL) { UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE); goto err; } } if (action_desc) { action_desc_copy=BUF_strdup(action_desc); if (action_desc_copy == NULL) { UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE); goto err; } } if (ok_chars) { ok_chars_copy=BUF_strdup(ok_chars); if (ok_chars_copy == NULL) { UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE); goto err; } } if (cancel_chars) { cancel_chars_copy=BUF_strdup(cancel_chars); if (cancel_chars_copy == NULL) { UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE); goto err; } } return general_allocate_boolean(ui, prompt_copy, action_desc_copy, ok_chars_copy, cancel_chars_copy, 1, UIT_BOOLEAN, flags, result_buf); err: if (prompt_copy) OPENSSL_free(prompt_copy); if (action_desc_copy) OPENSSL_free(action_desc_copy); if (ok_chars_copy) OPENSSL_free(ok_chars_copy); if (cancel_chars_copy) OPENSSL_free(cancel_chars_copy); return -1; } int UI_add_info_string(UI *ui, const char *text) { return general_allocate_string(ui, text, 0, UIT_INFO, 0, NULL, 0, 0, NULL); } int UI_dup_info_string(UI *ui, const char *text) { char *text_copy=NULL; if (text) { text_copy=BUF_strdup(text); if (text_copy == NULL) { UIerr(UI_F_UI_DUP_INFO_STRING,ERR_R_MALLOC_FAILURE); return -1; } } return general_allocate_string(ui, text_copy, 1, UIT_INFO, 0, NULL, 0, 0, NULL); } int UI_add_error_string(UI *ui, const char *text) { return general_allocate_string(ui, text, 0, UIT_ERROR, 0, NULL, 0, 0, NULL); } int UI_dup_error_string(UI *ui, const char *text) { char *text_copy=NULL; if (text) { text_copy=BUF_strdup(text); if (text_copy == NULL) { UIerr(UI_F_UI_DUP_ERROR_STRING,ERR_R_MALLOC_FAILURE); return -1; } } return general_allocate_string(ui, text_copy, 1, UIT_ERROR, 0, NULL, 0, 0, NULL); } char *UI_construct_prompt(UI *ui, const char *object_desc, const char *object_name) { char *prompt = NULL; if (ui->meth->ui_construct_prompt) prompt = ui->meth->ui_construct_prompt(ui, object_desc, object_name); else { char prompt1[] = "Enter "; char prompt2[] = " for "; char prompt3[] = ":"; int len = 0; if (object_desc == NULL) return NULL; len = sizeof(prompt1) - 1 + strlen(object_desc); if (object_name) len += sizeof(prompt2) - 1 + strlen(object_name); len += sizeof(prompt3) - 1; prompt = (char *)OPENSSL_malloc(len + 1); - strcpy(prompt, prompt1); - strcat(prompt, object_desc); + BUF_strlcpy(prompt, prompt1, len + 1); + BUF_strlcat(prompt, object_desc, len + 1); if (object_name) { - strcat(prompt, prompt2); - strcat(prompt, object_name); + BUF_strlcat(prompt, prompt2, len + 1); + BUF_strlcat(prompt, object_name, len + 1); } - strcat(prompt, prompt3); + BUF_strlcat(prompt, prompt3, len + 1); } return prompt; } void *UI_add_user_data(UI *ui, void *user_data) { void *old_data = ui->user_data; ui->user_data = user_data; return old_data; } void *UI_get0_user_data(UI *ui) { return ui->user_data; } const char *UI_get0_result(UI *ui, int i) { if (i < 0) { UIerr(UI_F_UI_GET0_RESULT,UI_R_INDEX_TOO_SMALL); return NULL; } if (i >= sk_UI_STRING_num(ui->strings)) { UIerr(UI_F_UI_GET0_RESULT,UI_R_INDEX_TOO_LARGE); return NULL; } return UI_get0_result_string(sk_UI_STRING_value(ui->strings, i)); } static int print_error(const char *str, size_t len, UI *ui) { UI_STRING uis; memset(&uis, 0, sizeof(uis)); uis.type = UIT_ERROR; uis.out_string = str; if (ui->meth->ui_write_string && !ui->meth->ui_write_string(ui, &uis)) return -1; return 0; } int UI_process(UI *ui) { int i, ok=0; if (ui->meth->ui_open_session && !ui->meth->ui_open_session(ui)) return -1; if (ui->flags & UI_FLAG_PRINT_ERRORS) ERR_print_errors_cb( (int (*)(const char *, size_t, void *))print_error, (void *)ui); for(i=0; istrings); i++) { if (ui->meth->ui_write_string && !ui->meth->ui_write_string(ui, sk_UI_STRING_value(ui->strings, i))) { ok=-1; goto err; } } if (ui->meth->ui_flush) switch(ui->meth->ui_flush(ui)) { case -1: /* Interrupt/Cancel/something... */ ok = -2; goto err; case 0: /* Errors */ ok = -1; goto err; default: /* Success */ ok = 0; break; } for(i=0; istrings); i++) { if (ui->meth->ui_read_string) { switch(ui->meth->ui_read_string(ui, sk_UI_STRING_value(ui->strings, i))) { case -1: /* Interrupt/Cancel/something... */ ok = -2; goto err; case 0: /* Errors */ ok = -1; goto err; default: /* Success */ ok = 0; break; } } } err: if (ui->meth->ui_close_session && !ui->meth->ui_close_session(ui)) return -1; return ok; } int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)()) { if (ui == NULL) { UIerr(UI_F_UI_CTRL,ERR_R_PASSED_NULL_PARAMETER); return -1; } switch(cmd) { case UI_CTRL_PRINT_ERRORS: { int save_flag = !!(ui->flags & UI_FLAG_PRINT_ERRORS); if (i) ui->flags |= UI_FLAG_PRINT_ERRORS; else ui->flags &= ~UI_FLAG_PRINT_ERRORS; return save_flag; } case UI_CTRL_IS_REDOABLE: return !!(ui->flags & UI_FLAG_REDOABLE); default: break; } UIerr(UI_F_UI_CTRL,UI_R_UNKNOWN_CONTROL_COMMAND); return -1; } int UI_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) { return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_UI, argl, argp, new_func, dup_func, free_func); } int UI_set_ex_data(UI *r, int idx, void *arg) { return(CRYPTO_set_ex_data(&r->ex_data,idx,arg)); } void *UI_get_ex_data(UI *r, int idx) { return(CRYPTO_get_ex_data(&r->ex_data,idx)); } void UI_set_default_method(const UI_METHOD *meth) { default_UI_meth=meth; } const UI_METHOD *UI_get_default_method(void) { if (default_UI_meth == NULL) { default_UI_meth=UI_OpenSSL(); } return default_UI_meth; } const UI_METHOD *UI_get_method(UI *ui) { return ui->meth; } const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth) { ui->meth=meth; return ui->meth; } UI_METHOD *UI_create_method(char *name) { UI_METHOD *ui_method = (UI_METHOD *)OPENSSL_malloc(sizeof(UI_METHOD)); if (ui_method) memset(ui_method, 0, sizeof(*ui_method)); ui_method->name = BUF_strdup(name); return ui_method; } /* BIG FSCKING WARNING!!!! If you use this on a statically allocated method (that is, it hasn't been allocated using UI_create_method(), you deserve anything Murphy can throw at you and more! You have been warned. */ void UI_destroy_method(UI_METHOD *ui_method) { OPENSSL_free(ui_method->name); ui_method->name = NULL; OPENSSL_free(ui_method); } int UI_method_set_opener(UI_METHOD *method, int (*opener)(UI *ui)) { if (method) { method->ui_open_session = opener; return 0; } else return -1; } int UI_method_set_writer(UI_METHOD *method, int (*writer)(UI *ui, UI_STRING *uis)) { if (method) { method->ui_write_string = writer; return 0; } else return -1; } int UI_method_set_flusher(UI_METHOD *method, int (*flusher)(UI *ui)) { if (method) { method->ui_flush = flusher; return 0; } else return -1; } int UI_method_set_reader(UI_METHOD *method, int (*reader)(UI *ui, UI_STRING *uis)) { if (method) { method->ui_read_string = reader; return 0; } else return -1; } int UI_method_set_closer(UI_METHOD *method, int (*closer)(UI *ui)) { if (method) { method->ui_close_session = closer; return 0; } else return -1; } int (*UI_method_get_opener(UI_METHOD *method))(UI*) { if (method) return method->ui_open_session; else return NULL; } int (*UI_method_get_writer(UI_METHOD *method))(UI*,UI_STRING*) { if (method) return method->ui_write_string; else return NULL; } int (*UI_method_get_flusher(UI_METHOD *method))(UI*) { if (method) return method->ui_flush; else return NULL; } int (*UI_method_get_reader(UI_METHOD *method))(UI*,UI_STRING*) { if (method) return method->ui_read_string; else return NULL; } int (*UI_method_get_closer(UI_METHOD *method))(UI*) { if (method) return method->ui_close_session; else return NULL; } enum UI_string_types UI_get_string_type(UI_STRING *uis) { if (!uis) return UIT_NONE; return uis->type; } int UI_get_input_flags(UI_STRING *uis) { if (!uis) return 0; return uis->input_flags; } const char *UI_get0_output_string(UI_STRING *uis) { if (!uis) return NULL; return uis->out_string; } const char *UI_get0_action_string(UI_STRING *uis) { if (!uis) return NULL; switch(uis->type) { case UIT_PROMPT: case UIT_BOOLEAN: return uis->_.boolean_data.action_desc; default: return NULL; } } const char *UI_get0_result_string(UI_STRING *uis) { if (!uis) return NULL; switch(uis->type) { case UIT_PROMPT: case UIT_VERIFY: return uis->result_buf; default: return NULL; } } const char *UI_get0_test_string(UI_STRING *uis) { if (!uis) return NULL; switch(uis->type) { case UIT_VERIFY: return uis->_.string_data.test_buf; default: return NULL; } } int UI_get_result_minsize(UI_STRING *uis) { if (!uis) return -1; switch(uis->type) { case UIT_PROMPT: case UIT_VERIFY: return uis->_.string_data.result_minsize; default: return -1; } } int UI_get_result_maxsize(UI_STRING *uis) { if (!uis) return -1; switch(uis->type) { case UIT_PROMPT: case UIT_VERIFY: return uis->_.string_data.result_maxsize; default: return -1; } } int UI_set_result(UI *ui, UI_STRING *uis, const char *result) { int l = strlen(result); ui->flags &= ~UI_FLAG_REDOABLE; if (!uis) return -1; switch (uis->type) { case UIT_PROMPT: case UIT_VERIFY: { char number1[DECIMAL_SIZE(uis->_.string_data.result_minsize)+1]; char number2[DECIMAL_SIZE(uis->_.string_data.result_maxsize)+1]; BIO_snprintf(number1, sizeof(number1), "%d", uis->_.string_data.result_minsize); BIO_snprintf(number2, sizeof(number2), "%d", uis->_.string_data.result_maxsize); if (l < uis->_.string_data.result_minsize) { ui->flags |= UI_FLAG_REDOABLE; UIerr(UI_F_UI_SET_RESULT,UI_R_RESULT_TOO_SMALL); ERR_add_error_data(5,"You must type in ", number1," to ",number2," characters"); return -1; } if (l > uis->_.string_data.result_maxsize) { ui->flags |= UI_FLAG_REDOABLE; UIerr(UI_F_UI_SET_RESULT,UI_R_RESULT_TOO_LARGE); ERR_add_error_data(5,"You must type in ", number1," to ",number2," characters"); return -1; } } if (!uis->result_buf) { UIerr(UI_F_UI_SET_RESULT,UI_R_NO_RESULT_BUFFER); return -1; } - strcpy(uis->result_buf, result); + BUF_strlcpy(uis->result_buf, result, + uis->_.string_data.result_maxsize + 1); break; case UIT_BOOLEAN: { const char *p; if (!uis->result_buf) { UIerr(UI_F_UI_SET_RESULT,UI_R_NO_RESULT_BUFFER); return -1; } uis->result_buf[0] = '\0'; for(p = result; *p; p++) { if (strchr(uis->_.boolean_data.ok_chars, *p)) { uis->result_buf[0] = uis->_.boolean_data.ok_chars[0]; break; } if (strchr(uis->_.boolean_data.cancel_chars, *p)) { uis->result_buf[0] = uis->_.boolean_data.cancel_chars[0]; break; } } default: break; } } return 0; } diff --git a/crypto/openssl/crypto/x509/Makefile.ssl b/crypto/openssl/crypto/x509/Makefile.ssl index 6a5a87969190..3a3452536c5a 100644 --- a/crypto/openssl/crypto/x509/Makefile.ssl +++ b/crypto/openssl/crypto/x509/Makefile.ssl @@ -1,594 +1,594 @@ # # SSLeay/crypto/x509/Makefile # DIR= x509 TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile README TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= x509_def.c x509_d2.c x509_r2x.c x509_cmp.c \ x509_obj.c x509_req.c x509spki.c x509_vfy.c \ x509_set.c x509cset.c x509rset.c x509_err.c \ x509name.c x509_v3.c x509_ext.c x509_att.c \ x509type.c x509_lu.c x_all.c x509_txt.c \ x509_trs.c by_file.c by_dir.c LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \ x509_obj.o x509_req.o x509spki.o x509_vfy.o \ x509_set.o x509cset.o x509rset.o x509_err.o \ x509name.o x509_v3.o x509_ext.o x509_att.o \ x509type.o x509_lu.o x_all.o x509_txt.o \ x509_trs.o by_file.o by_dir.o SRC= $(LIBSRC) EXHEADER= x509.h x509_vfy.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. by_dir.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h by_dir.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h by_dir.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h by_dir.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h by_dir.o: ../../include/openssl/des.h ../../include/openssl/des_old.h by_dir.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h by_dir.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h by_dir.o: ../../include/openssl/evp.h ../../include/openssl/idea.h by_dir.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h by_dir.o: ../../include/openssl/md4.h ../../include/openssl/md5.h by_dir.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h by_dir.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h by_dir.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h by_dir.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h by_dir.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h by_dir.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h by_dir.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h by_dir.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h by_dir.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h by_dir.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h by_dir.o: ../cryptlib.h by_dir.c by_file.o: ../../e_os.h ../../include/openssl/aes.h by_file.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h by_file.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h by_file.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h by_file.o: ../../include/openssl/crypto.h ../../include/openssl/des.h by_file.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h by_file.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h by_file.o: ../../include/openssl/err.h ../../include/openssl/evp.h by_file.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h by_file.o: ../../include/openssl/md2.h ../../include/openssl/md4.h by_file.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h by_file.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h by_file.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h by_file.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h by_file.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h by_file.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h by_file.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h by_file.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h by_file.o: ../../include/openssl/sha.h ../../include/openssl/stack.h by_file.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h by_file.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h by_file.o: ../../include/openssl/x509_vfy.h ../cryptlib.h by_file.c x509_att.o: ../../e_os.h ../../include/openssl/aes.h x509_att.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_att.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_att.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_att.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h x509_att.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x509_att.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x509_att.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x509_att.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x509_att.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x509_att.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x509_att.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x509_att.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x509_att.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_att.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_att.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_att.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_att.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_att.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_att.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_att.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_att.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_att.c x509_cmp.o: ../../e_os.h ../../include/openssl/aes.h x509_cmp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_cmp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_cmp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_cmp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h x509_cmp.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x509_cmp.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x509_cmp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x509_cmp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x509_cmp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x509_cmp.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x509_cmp.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x509_cmp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x509_cmp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_cmp.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_cmp.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_cmp.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_cmp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_cmp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_cmp.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_cmp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_cmp.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_cmp.c x509_d2.o: ../../e_os.h ../../include/openssl/aes.h x509_d2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_d2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_d2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_d2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x509_d2.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x509_d2.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x509_d2.o: ../../include/openssl/err.h ../../include/openssl/evp.h x509_d2.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x509_d2.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x509_d2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x509_d2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x509_d2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h x509_d2.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h x509_d2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h x509_d2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h x509_d2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h x509_d2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x509_d2.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h x509_d2.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h x509_d2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_d2.c x509_def.o: ../../e_os.h ../../include/openssl/aes.h x509_def.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_def.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_def.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_def.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x509_def.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x509_def.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x509_def.o: ../../include/openssl/err.h ../../include/openssl/evp.h x509_def.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x509_def.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x509_def.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x509_def.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x509_def.o: ../../include/openssl/opensslconf.h x509_def.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_def.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_def.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_def.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_def.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_def.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_def.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_def.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_def.o: ../cryptlib.h x509_def.c x509_err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h x509_err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h x509_err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h x509_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h x509_err.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x509_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x509_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x509_err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x509_err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x509_err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x509_err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x509_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x509_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_err.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_err.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_err.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_err.o: x509_err.c x509_ext.o: ../../e_os.h ../../include/openssl/aes.h x509_ext.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_ext.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_ext.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_ext.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h x509_ext.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x509_ext.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x509_ext.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x509_ext.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x509_ext.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x509_ext.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x509_ext.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x509_ext.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x509_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_ext.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_ext.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_ext.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_ext.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_ext.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_ext.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_ext.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_ext.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_ext.c x509_lu.o: ../../e_os.h ../../include/openssl/aes.h x509_lu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_lu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_lu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_lu.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h x509_lu.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x509_lu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x509_lu.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x509_lu.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x509_lu.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x509_lu.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x509_lu.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x509_lu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x509_lu.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_lu.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_lu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_lu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_lu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_lu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_lu.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_lu.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_lu.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_lu.c x509_obj.o: ../../e_os.h ../../include/openssl/aes.h x509_obj.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_obj.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_obj.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_obj.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x509_obj.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x509_obj.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x509_obj.o: ../../include/openssl/err.h ../../include/openssl/evp.h x509_obj.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x509_obj.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x509_obj.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x509_obj.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x509_obj.o: ../../include/openssl/opensslconf.h x509_obj.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_obj.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_obj.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_obj.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_obj.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_obj.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_obj.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_obj.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_obj.o: ../cryptlib.h x509_obj.c x509_r2x.o: ../../e_os.h ../../include/openssl/aes.h x509_r2x.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_r2x.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_r2x.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_r2x.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x509_r2x.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x509_r2x.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x509_r2x.o: ../../include/openssl/err.h ../../include/openssl/evp.h x509_r2x.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x509_r2x.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x509_r2x.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x509_r2x.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x509_r2x.o: ../../include/openssl/opensslconf.h x509_r2x.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_r2x.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_r2x.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_r2x.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_r2x.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_r2x.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_r2x.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_r2x.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_r2x.o: ../cryptlib.h x509_r2x.c x509_req.o: ../../e_os.h ../../include/openssl/aes.h x509_req.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x509_req.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x509_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x509_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h x509_req.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x509_req.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x509_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x509_req.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x509_req.o: ../../include/openssl/opensslconf.h x509_req.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_req.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h x509_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_req.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_req.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_req.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_req.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_req.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_req.o: ../cryptlib.h x509_req.c x509_set.o: ../../e_os.h ../../include/openssl/aes.h x509_set.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_set.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_set.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_set.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x509_set.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x509_set.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x509_set.o: ../../include/openssl/err.h ../../include/openssl/evp.h x509_set.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x509_set.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x509_set.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x509_set.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x509_set.o: ../../include/openssl/opensslconf.h x509_set.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_set.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_set.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_set.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_set.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_set.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_set.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_set.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_set.o: ../cryptlib.h x509_set.c x509_trs.o: ../../e_os.h ../../include/openssl/aes.h x509_trs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_trs.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_trs.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_trs.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h x509_trs.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x509_trs.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x509_trs.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x509_trs.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x509_trs.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x509_trs.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x509_trs.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x509_trs.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x509_trs.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_trs.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_trs.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_trs.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_trs.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_trs.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_trs.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_trs.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_trs.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_trs.c x509_txt.o: ../../e_os.h ../../include/openssl/aes.h x509_txt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_txt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_txt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_txt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x509_txt.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x509_txt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x509_txt.o: ../../include/openssl/err.h ../../include/openssl/evp.h x509_txt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x509_txt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x509_txt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x509_txt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x509_txt.o: ../../include/openssl/opensslconf.h x509_txt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_txt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_txt.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_txt.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_txt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_txt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_txt.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_txt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_txt.o: ../cryptlib.h x509_txt.c x509_v3.o: ../../e_os.h ../../include/openssl/aes.h x509_v3.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_v3.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_v3.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_v3.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h x509_v3.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x509_v3.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x509_v3.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x509_v3.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x509_v3.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x509_v3.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x509_v3.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x509_v3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x509_v3.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_v3.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_v3.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_v3.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_v3.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_v3.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_v3.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_v3.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_v3.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_v3.c x509_vfy.o: ../../e_os.h ../../include/openssl/aes.h x509_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509_vfy.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509_vfy.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h x509_vfy.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x509_vfy.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x509_vfy.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x509_vfy.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x509_vfy.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x509_vfy.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x509_vfy.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x509_vfy.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x509_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509_vfy.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509_vfy.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509_vfy.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509_vfy.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509_vfy.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509_vfy.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_vfy.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_vfy.c x509cset.o: ../../e_os.h ../../include/openssl/aes.h x509cset.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509cset.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509cset.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509cset.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x509cset.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x509cset.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x509cset.o: ../../include/openssl/err.h ../../include/openssl/evp.h x509cset.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x509cset.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x509cset.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x509cset.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x509cset.o: ../../include/openssl/opensslconf.h x509cset.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509cset.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509cset.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509cset.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509cset.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509cset.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509cset.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509cset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509cset.o: ../cryptlib.h x509cset.c x509name.o: ../../e_os.h ../../include/openssl/aes.h x509name.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509name.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509name.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509name.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x509name.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x509name.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x509name.o: ../../include/openssl/err.h ../../include/openssl/evp.h x509name.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x509name.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x509name.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x509name.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x509name.o: ../../include/openssl/opensslconf.h x509name.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509name.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509name.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509name.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509name.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509name.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509name.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509name.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509name.o: ../cryptlib.h x509name.c x509rset.o: ../../e_os.h ../../include/openssl/aes.h x509rset.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509rset.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509rset.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509rset.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x509rset.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x509rset.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x509rset.o: ../../include/openssl/err.h ../../include/openssl/evp.h x509rset.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x509rset.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x509rset.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x509rset.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x509rset.o: ../../include/openssl/opensslconf.h x509rset.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509rset.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509rset.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509rset.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509rset.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509rset.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509rset.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509rset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509rset.o: ../cryptlib.h x509rset.c x509spki.o: ../../e_os.h ../../include/openssl/aes.h x509spki.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509spki.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509spki.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509spki.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x509spki.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x509spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x509spki.o: ../../include/openssl/err.h ../../include/openssl/evp.h x509spki.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x509spki.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x509spki.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x509spki.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x509spki.o: ../../include/openssl/opensslconf.h x509spki.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509spki.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509spki.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509spki.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509spki.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509spki.o: ../cryptlib.h x509spki.c x509type.o: ../../e_os.h ../../include/openssl/aes.h x509type.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h x509type.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h x509type.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h x509type.o: ../../include/openssl/crypto.h ../../include/openssl/des.h x509type.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h x509type.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h x509type.o: ../../include/openssl/err.h ../../include/openssl/evp.h x509type.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h x509type.o: ../../include/openssl/md2.h ../../include/openssl/md4.h x509type.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h x509type.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h x509type.o: ../../include/openssl/opensslconf.h x509type.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x509type.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x509type.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x509type.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x509type.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x509type.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x509type.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x509type.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509type.o: ../cryptlib.h x509type.c x_all.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h x_all.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h x_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h x_all.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h x_all.o: ../../include/openssl/des.h ../../include/openssl/des_old.h x_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h x_all.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h x_all.o: ../../include/openssl/evp.h ../../include/openssl/idea.h x_all.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h x_all.o: ../../include/openssl/md4.h ../../include/openssl/md5.h x_all.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h x_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h x_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h x_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h x_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h x_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h x_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x_all.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h x_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x_all.o: ../cryptlib.h x_all.c diff --git a/crypto/openssl/crypto/x509/by_dir.c b/crypto/openssl/crypto/x509/by_dir.c index 448bd7e69cca..6207340472e4 100644 --- a/crypto/openssl/crypto/x509/by_dir.c +++ b/crypto/openssl/crypto/x509/by_dir.c @@ -1,351 +1,381 @@ /* crypto/x509/by_dir.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include "cryptlib.h" #ifndef NO_SYS_TYPES_H # include #endif #ifdef MAC_OS_pre_X # include #else # include #endif #include #include typedef struct lookup_dir_st { BUF_MEM *buffer; int num_dirs; char **dirs; int *dirs_type; int num_dirs_alloced; } BY_DIR; static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, char **ret); static int new_dir(X509_LOOKUP *lu); static void free_dir(X509_LOOKUP *lu); static int add_cert_dir(BY_DIR *ctx,const char *dir,int type); static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name, X509_OBJECT *ret); X509_LOOKUP_METHOD x509_dir_lookup= { "Load certs from files in a directory", new_dir, /* new */ free_dir, /* free */ NULL, /* init */ NULL, /* shutdown */ dir_ctrl, /* ctrl */ get_cert_by_subject, /* get_by_subject */ NULL, /* get_by_issuer_serial */ NULL, /* get_by_fingerprint */ NULL, /* get_by_alias */ }; X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void) { return(&x509_dir_lookup); } static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, char **retp) { int ret=0; BY_DIR *ld; char *dir; ld=(BY_DIR *)ctx->method_data; switch (cmd) { case X509_L_ADD_DIR: if (argl == X509_FILETYPE_DEFAULT) { ret=add_cert_dir(ld,X509_get_default_cert_dir(), X509_FILETYPE_PEM); if (!ret) { X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR); } else { dir=(char *)Getenv(X509_get_default_cert_dir_env()); ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM); } } else ret=add_cert_dir(ld,argp,(int)argl); break; } return(ret); } static int new_dir(X509_LOOKUP *lu) { BY_DIR *a; if ((a=(BY_DIR *)OPENSSL_malloc(sizeof(BY_DIR))) == NULL) return(0); if ((a->buffer=BUF_MEM_new()) == NULL) { OPENSSL_free(a); return(0); } a->num_dirs=0; a->dirs=NULL; a->dirs_type=NULL; a->num_dirs_alloced=0; lu->method_data=(char *)a; return(1); } static void free_dir(X509_LOOKUP *lu) { BY_DIR *a; int i; a=(BY_DIR *)lu->method_data; for (i=0; inum_dirs; i++) if (a->dirs[i] != NULL) OPENSSL_free(a->dirs[i]); if (a->dirs != NULL) OPENSSL_free(a->dirs); if (a->dirs_type != NULL) OPENSSL_free(a->dirs_type); if (a->buffer != NULL) BUF_MEM_free(a->buffer); OPENSSL_free(a); } static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) { int j,len; int *ip; const char *s,*ss,*p; char **pp; if (dir == NULL || !*dir) { X509err(X509_F_ADD_CERT_DIR,X509_R_INVALID_DIRECTORY); return 0; } s=dir; p=s; for (;;) { if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0')) { ss=s; s=p+1; len=(int)(p-ss); if (len == 0) continue; for (j=0; jnum_dirs; j++) if (strncmp(ctx->dirs[j],ss,(unsigned int)len) == 0) continue; if (ctx->num_dirs_alloced < (ctx->num_dirs+1)) { ctx->num_dirs_alloced+=10; pp=(char **)OPENSSL_malloc(ctx->num_dirs_alloced* sizeof(char *)); ip=(int *)OPENSSL_malloc(ctx->num_dirs_alloced* sizeof(int)); if ((pp == NULL) || (ip == NULL)) { X509err(X509_F_ADD_CERT_DIR,ERR_R_MALLOC_FAILURE); return(0); } memcpy(pp,ctx->dirs,(ctx->num_dirs_alloced-10)* sizeof(char *)); memcpy(ip,ctx->dirs_type,(ctx->num_dirs_alloced-10)* sizeof(int)); if (ctx->dirs != NULL) OPENSSL_free(ctx->dirs); if (ctx->dirs_type != NULL) OPENSSL_free(ctx->dirs_type); ctx->dirs=pp; ctx->dirs_type=ip; } ctx->dirs_type[ctx->num_dirs]=type; ctx->dirs[ctx->num_dirs]=(char *)OPENSSL_malloc((unsigned int)len+1); if (ctx->dirs[ctx->num_dirs] == NULL) return(0); strncpy(ctx->dirs[ctx->num_dirs],ss,(unsigned int)len); ctx->dirs[ctx->num_dirs][len]='\0'; ctx->num_dirs++; } if (*p == '\0') break; p++; } return(1); } static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, X509_OBJECT *ret) { BY_DIR *ctx; union { struct { X509 st_x509; X509_CINF st_x509_cinf; } x509; struct { X509_CRL st_crl; X509_CRL_INFO st_crl_info; } crl; } data; int ok=0; int i,j,k; unsigned long h; BUF_MEM *b=NULL; struct stat st; X509_OBJECT stmp,*tmp; const char *postfix=""; if (name == NULL) return(0); stmp.type=type; if (type == X509_LU_X509) { data.x509.st_x509.cert_info= &data.x509.st_x509_cinf; data.x509.st_x509_cinf.subject=name; stmp.data.x509= &data.x509.st_x509; postfix=""; } else if (type == X509_LU_CRL) { data.crl.st_crl.crl= &data.crl.st_crl_info; data.crl.st_crl_info.issuer=name; stmp.data.crl= &data.crl.st_crl; postfix="r"; } else { X509err(X509_F_GET_CERT_BY_SUBJECT,X509_R_WRONG_LOOKUP_TYPE); goto finish; } if ((b=BUF_MEM_new()) == NULL) { X509err(X509_F_GET_CERT_BY_SUBJECT,ERR_R_BUF_LIB); goto finish; } ctx=(BY_DIR *)xl->method_data; h=X509_NAME_hash(name); for (i=0; inum_dirs; i++) { j=strlen(ctx->dirs[i])+1+8+6+1+1; if (!BUF_MEM_grow(b,j)) { X509err(X509_F_GET_CERT_BY_SUBJECT,ERR_R_MALLOC_FAILURE); goto finish; } k=0; for (;;) { - sprintf(b->data,"%s/%08lx.%s%d",ctx->dirs[i],h, - postfix,k); + char c = '/'; +#ifdef OPENSSL_SYS_VMS + c = ctx->dirs[i][strlen(ctx->dirs[i])-1]; + if (c != ':' && c != '>' && c != ']') + { + /* If no separator is present, we assume the + directory specifier is a logical name, and + add a colon. We really should use better + VMS routines for merging things like this, + but this will do for now... + -- Richard Levitte */ + c = ':'; + } + else + { + c = '\0'; + } +#endif + if (c == '\0') + { + /* This is special. When c == '\0', no + directory separator should be added. */ + BIO_snprintf(b->data,b->max, + "%s%08lx.%s%d",ctx->dirs[i],h, + postfix,k); + } + else + { + BIO_snprintf(b->data,b->max, + "%s%c%08lx.%s%d",ctx->dirs[i],c,h, + postfix,k); + } k++; if (stat(b->data,&st) < 0) break; /* found one. */ if (type == X509_LU_X509) { if ((X509_load_cert_file(xl,b->data, ctx->dirs_type[i])) == 0) break; } else if (type == X509_LU_CRL) { if ((X509_load_crl_file(xl,b->data, ctx->dirs_type[i])) == 0) break; } /* else case will caught higher up */ } /* we have added it to the cache so now pull * it out again */ CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE); j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp); if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j); else tmp = NULL; CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE); if (tmp != NULL) { ok=1; ret->type=tmp->type; memcpy(&ret->data,&tmp->data,sizeof(ret->data)); /* If we were going to up the reference count, * we would need to do it on a perl 'type' * basis */ /* CRYPTO_add(&tmp->data.x509->references,1, CRYPTO_LOCK_X509);*/ goto finish; } } finish: if (b != NULL) BUF_MEM_free(b); return(ok); } diff --git a/crypto/openssl/crypto/x509/x509.h b/crypto/openssl/crypto/x509/x509.h index eaad5685a8f8..8d0c7e2e1792 100644 --- a/crypto/openssl/crypto/x509/x509.h +++ b/crypto/openssl/crypto/x509/x509.h @@ -1,1262 +1,1258 @@ /* crypto/x509/x509.h */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #ifndef HEADER_X509_H #define HEADER_X509_H #include #ifndef OPENSSL_NO_BUFFER #include #endif #ifndef OPENSSL_NO_EVP #include #endif #ifndef OPENSSL_NO_BIO #include #endif #include #include #include #ifndef OPENSSL_NO_RSA #include #endif #ifndef OPENSSL_NO_DSA #include #endif #ifndef OPENSSL_NO_DH #include #endif #ifndef OPENSSL_NO_SHA #include #endif #include #include #ifdef __cplusplus extern "C" { #endif #ifdef OPENSSL_SYS_WIN32 /* Under Win32 this is defined in wincrypt.h */ #undef X509_NAME #endif #define X509_FILETYPE_PEM 1 #define X509_FILETYPE_ASN1 2 #define X509_FILETYPE_DEFAULT 3 #define X509v3_KU_DIGITAL_SIGNATURE 0x0080 #define X509v3_KU_NON_REPUDIATION 0x0040 #define X509v3_KU_KEY_ENCIPHERMENT 0x0020 #define X509v3_KU_DATA_ENCIPHERMENT 0x0010 #define X509v3_KU_KEY_AGREEMENT 0x0008 #define X509v3_KU_KEY_CERT_SIGN 0x0004 #define X509v3_KU_CRL_SIGN 0x0002 #define X509v3_KU_ENCIPHER_ONLY 0x0001 #define X509v3_KU_DECIPHER_ONLY 0x8000 #define X509v3_KU_UNDEF 0xffff typedef struct X509_objects_st { int nid; int (*a2i)(); int (*i2a)(); } X509_OBJECTS; struct X509_algor_st { ASN1_OBJECT *algorithm; ASN1_TYPE *parameter; } /* X509_ALGOR */; DECLARE_STACK_OF(X509_ALGOR) DECLARE_ASN1_SET_OF(X509_ALGOR) typedef struct X509_val_st { ASN1_TIME *notBefore; ASN1_TIME *notAfter; } X509_VAL; typedef struct X509_pubkey_st { X509_ALGOR *algor; ASN1_BIT_STRING *public_key; EVP_PKEY *pkey; } X509_PUBKEY; typedef struct X509_sig_st { X509_ALGOR *algor; ASN1_OCTET_STRING *digest; } X509_SIG; typedef struct X509_name_entry_st { ASN1_OBJECT *object; ASN1_STRING *value; int set; int size; /* temp variable */ } X509_NAME_ENTRY; DECLARE_STACK_OF(X509_NAME_ENTRY) DECLARE_ASN1_SET_OF(X509_NAME_ENTRY) /* we always keep X509_NAMEs in 2 forms. */ struct X509_name_st { STACK_OF(X509_NAME_ENTRY) *entries; int modified; /* true if 'bytes' needs to be built */ #ifndef OPENSSL_NO_BUFFER BUF_MEM *bytes; #else char *bytes; #endif unsigned long hash; /* Keep the hash around for lookups */ } /* X509_NAME */; DECLARE_STACK_OF(X509_NAME) #define X509_EX_V_NETSCAPE_HACK 0x8000 #define X509_EX_V_INIT 0x0001 typedef struct X509_extension_st { ASN1_OBJECT *object; ASN1_BOOLEAN critical; ASN1_OCTET_STRING *value; } X509_EXTENSION; DECLARE_STACK_OF(X509_EXTENSION) DECLARE_ASN1_SET_OF(X509_EXTENSION) /* a sequence of these are used */ typedef struct x509_attributes_st { ASN1_OBJECT *object; int single; /* 0 for a set, 1 for a single item (which is wrong) */ union { char *ptr; /* 0 */ STACK_OF(ASN1_TYPE) *set; /* 1 */ ASN1_TYPE *single; } value; } X509_ATTRIBUTE; DECLARE_STACK_OF(X509_ATTRIBUTE) DECLARE_ASN1_SET_OF(X509_ATTRIBUTE) typedef struct X509_req_info_st { ASN1_ENCODING enc; ASN1_INTEGER *version; X509_NAME *subject; X509_PUBKEY *pubkey; /* d=2 hl=2 l= 0 cons: cont: 00 */ STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */ } X509_REQ_INFO; typedef struct X509_req_st { X509_REQ_INFO *req_info; X509_ALGOR *sig_alg; ASN1_BIT_STRING *signature; int references; } X509_REQ; typedef struct x509_cinf_st { ASN1_INTEGER *version; /* [ 0 ] default of v1 */ ASN1_INTEGER *serialNumber; X509_ALGOR *signature; X509_NAME *issuer; X509_VAL *validity; X509_NAME *subject; X509_PUBKEY *key; ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */ ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */ STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */ } X509_CINF; /* This stuff is certificate "auxiliary info" * it contains details which are useful in certificate * stores and databases. When used this is tagged onto * the end of the certificate itself */ typedef struct x509_cert_aux_st { STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */ STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */ ASN1_UTF8STRING *alias; /* "friendly name" */ ASN1_OCTET_STRING *keyid; /* key id of private key */ STACK_OF(X509_ALGOR) *other; /* other unspecified info */ } X509_CERT_AUX; struct x509_st { X509_CINF *cert_info; X509_ALGOR *sig_alg; ASN1_BIT_STRING *signature; int valid; int references; char *name; CRYPTO_EX_DATA ex_data; /* These contain copies of various extension values */ long ex_pathlen; unsigned long ex_flags; unsigned long ex_kusage; unsigned long ex_xkusage; unsigned long ex_nscert; ASN1_OCTET_STRING *skid; struct AUTHORITY_KEYID_st *akid; #ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif X509_CERT_AUX *aux; } /* X509 */; DECLARE_STACK_OF(X509) DECLARE_ASN1_SET_OF(X509) /* This is used for a table of trust checking functions */ typedef struct x509_trust_st { int trust; int flags; int (*check_trust)(struct x509_trust_st *, X509 *, int); char *name; int arg1; void *arg2; } X509_TRUST; DECLARE_STACK_OF(X509_TRUST) /* standard trust ids */ #define X509_TRUST_DEFAULT -1 /* Only valid in purpose settings */ #define X509_TRUST_COMPAT 1 #define X509_TRUST_SSL_CLIENT 2 #define X509_TRUST_SSL_SERVER 3 #define X509_TRUST_EMAIL 4 #define X509_TRUST_OBJECT_SIGN 5 #define X509_TRUST_OCSP_SIGN 6 #define X509_TRUST_OCSP_REQUEST 7 /* Keep these up to date! */ #define X509_TRUST_MIN 1 #define X509_TRUST_MAX 7 /* trust_flags values */ #define X509_TRUST_DYNAMIC 1 #define X509_TRUST_DYNAMIC_NAME 2 /* check_trust return codes */ #define X509_TRUST_TRUSTED 1 #define X509_TRUST_REJECTED 2 #define X509_TRUST_UNTRUSTED 3 /* Flags for X509_print_ex() */ #define X509_FLAG_COMPAT 0 #define X509_FLAG_NO_HEADER 1L #define X509_FLAG_NO_VERSION (1L << 1) #define X509_FLAG_NO_SERIAL (1L << 2) #define X509_FLAG_NO_SIGNAME (1L << 3) #define X509_FLAG_NO_ISSUER (1L << 4) #define X509_FLAG_NO_VALIDITY (1L << 5) #define X509_FLAG_NO_SUBJECT (1L << 6) #define X509_FLAG_NO_PUBKEY (1L << 7) #define X509_FLAG_NO_EXTENSIONS (1L << 8) #define X509_FLAG_NO_SIGDUMP (1L << 9) #define X509_FLAG_NO_AUX (1L << 10) #define X509_FLAG_NO_ATTRIBUTES (1L << 11) /* Flags specific to X509_NAME_print_ex() */ /* The field separator information */ #define XN_FLAG_SEP_MASK (0xf << 16) #define XN_FLAG_COMPAT 0 /* Traditional SSLeay: use old X509_NAME_print */ #define XN_FLAG_SEP_COMMA_PLUS (1 << 16) /* RFC2253 ,+ */ #define XN_FLAG_SEP_CPLUS_SPC (2 << 16) /* ,+ spaced: more readable */ #define XN_FLAG_SEP_SPLUS_SPC (3 << 16) /* ;+ spaced */ #define XN_FLAG_SEP_MULTILINE (4 << 16) /* One line per field */ #define XN_FLAG_DN_REV (1 << 20) /* Reverse DN order */ /* How the field name is shown */ #define XN_FLAG_FN_MASK (0x3 << 21) #define XN_FLAG_FN_SN 0 /* Object short name */ #define XN_FLAG_FN_LN (1 << 21) /* Object long name */ #define XN_FLAG_FN_OID (2 << 21) /* Always use OIDs */ #define XN_FLAG_FN_NONE (3 << 21) /* No field names */ #define XN_FLAG_SPC_EQ (1 << 23) /* Put spaces round '=' */ /* This determines if we dump fields we don't recognise: * RFC2253 requires this. */ #define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24) #define XN_FLAG_FN_ALIGN (1 << 25) /* Align field names to 20 characters */ /* Complete set of RFC2253 flags */ #define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | \ XN_FLAG_SEP_COMMA_PLUS | \ XN_FLAG_DN_REV | \ XN_FLAG_FN_SN | \ XN_FLAG_DUMP_UNKNOWN_FIELDS) /* readable oneline form */ #define XN_FLAG_ONELINE (ASN1_STRFLGS_RFC2253 | \ ASN1_STRFLGS_ESC_QUOTE | \ XN_FLAG_SEP_CPLUS_SPC | \ XN_FLAG_SPC_EQ | \ XN_FLAG_FN_SN) /* readable multiline form */ #define XN_FLAG_MULTILINE (ASN1_STRFLGS_ESC_CTRL | \ ASN1_STRFLGS_ESC_MSB | \ XN_FLAG_SEP_MULTILINE | \ XN_FLAG_SPC_EQ | \ XN_FLAG_FN_LN | \ XN_FLAG_FN_ALIGN) typedef struct X509_revoked_st { ASN1_INTEGER *serialNumber; ASN1_TIME *revocationDate; STACK_OF(X509_EXTENSION) /* optional */ *extensions; int sequence; /* load sequence */ } X509_REVOKED; DECLARE_STACK_OF(X509_REVOKED) DECLARE_ASN1_SET_OF(X509_REVOKED) typedef struct X509_crl_info_st { ASN1_INTEGER *version; X509_ALGOR *sig_alg; X509_NAME *issuer; ASN1_TIME *lastUpdate; ASN1_TIME *nextUpdate; STACK_OF(X509_REVOKED) *revoked; STACK_OF(X509_EXTENSION) /* [0] */ *extensions; } X509_CRL_INFO; struct X509_crl_st { /* actual signature */ X509_CRL_INFO *crl; X509_ALGOR *sig_alg; ASN1_BIT_STRING *signature; int references; } /* X509_CRL */; DECLARE_STACK_OF(X509_CRL) DECLARE_ASN1_SET_OF(X509_CRL) typedef struct private_key_st { int version; /* The PKCS#8 data types */ X509_ALGOR *enc_algor; ASN1_OCTET_STRING *enc_pkey; /* encrypted pub key */ /* When decrypted, the following will not be NULL */ EVP_PKEY *dec_pkey; /* used to encrypt and decrypt */ int key_length; char *key_data; int key_free; /* true if we should auto free key_data */ /* expanded version of 'enc_algor' */ EVP_CIPHER_INFO cipher; int references; } X509_PKEY; #ifndef OPENSSL_NO_EVP typedef struct X509_info_st { X509 *x509; X509_CRL *crl; X509_PKEY *x_pkey; EVP_CIPHER_INFO enc_cipher; int enc_len; char *enc_data; int references; } X509_INFO; DECLARE_STACK_OF(X509_INFO) #endif /* The next 2 structures and their 8 routines were sent to me by * Pat Richard and are used to manipulate * Netscapes spki structures - useful if you are writing a CA web page */ typedef struct Netscape_spkac_st { X509_PUBKEY *pubkey; ASN1_IA5STRING *challenge; /* challenge sent in atlas >= PR2 */ } NETSCAPE_SPKAC; typedef struct Netscape_spki_st { NETSCAPE_SPKAC *spkac; /* signed public key and challenge */ X509_ALGOR *sig_algor; ASN1_BIT_STRING *signature; } NETSCAPE_SPKI; /* Netscape certificate sequence structure */ typedef struct Netscape_certificate_sequence { ASN1_OBJECT *type; STACK_OF(X509) *certs; } NETSCAPE_CERT_SEQUENCE; /* Unused (and iv length is wrong) typedef struct CBCParameter_st { unsigned char iv[8]; } CBC_PARAM; */ /* Password based encryption structure */ typedef struct PBEPARAM_st { ASN1_OCTET_STRING *salt; ASN1_INTEGER *iter; } PBEPARAM; /* Password based encryption V2 structures */ typedef struct PBE2PARAM_st { X509_ALGOR *keyfunc; X509_ALGOR *encryption; } PBE2PARAM; typedef struct PBKDF2PARAM_st { ASN1_TYPE *salt; /* Usually OCTET STRING but could be anything */ ASN1_INTEGER *iter; ASN1_INTEGER *keylength; X509_ALGOR *prf; } PBKDF2PARAM; /* PKCS#8 private key info structure */ typedef struct pkcs8_priv_key_info_st { int broken; /* Flag for various broken formats */ #define PKCS8_OK 0 #define PKCS8_NO_OCTET 1 #define PKCS8_EMBEDDED_PARAM 2 #define PKCS8_NS_DB 3 ASN1_INTEGER *version; X509_ALGOR *pkeyalg; ASN1_TYPE *pkey; /* Should be OCTET STRING but some are broken */ STACK_OF(X509_ATTRIBUTE) *attributes; } PKCS8_PRIV_KEY_INFO; #ifdef __cplusplus } #endif #include #include #ifdef __cplusplus extern "C" { #endif #ifdef SSLEAY_MACROS #define X509_verify(a,r) ASN1_verify((int (*)())i2d_X509_CINF,a->sig_alg,\ a->signature,(char *)a->cert_info,r) #define X509_REQ_verify(a,r) ASN1_verify((int (*)())i2d_X509_REQ_INFO, \ a->sig_alg,a->signature,(char *)a->req_info,r) #define X509_CRL_verify(a,r) ASN1_verify((int (*)())i2d_X509_CRL_INFO, \ a->sig_alg, a->signature,(char *)a->crl,r) #define X509_sign(x,pkey,md) \ ASN1_sign((int (*)())i2d_X509_CINF, x->cert_info->signature, \ x->sig_alg, x->signature, (char *)x->cert_info,pkey,md) #define X509_REQ_sign(x,pkey,md) \ ASN1_sign((int (*)())i2d_X509_REQ_INFO,x->sig_alg, NULL, \ x->signature, (char *)x->req_info,pkey,md) #define X509_CRL_sign(x,pkey,md) \ ASN1_sign((int (*)())i2d_X509_CRL_INFO,x->crl->sig_alg,x->sig_alg, \ x->signature, (char *)x->crl,pkey,md) #define NETSCAPE_SPKI_sign(x,pkey,md) \ ASN1_sign((int (*)())i2d_NETSCAPE_SPKAC, x->sig_algor,NULL, \ x->signature, (char *)x->spkac,pkey,md) #define X509_dup(x509) (X509 *)ASN1_dup((int (*)())i2d_X509, \ (char *(*)())d2i_X509,(char *)x509) #define X509_ATTRIBUTE_dup(xa) (X509_ATTRIBUTE *)ASN1_dup(\ (int (*)())i2d_X509_ATTRIBUTE, \ (char *(*)())d2i_X509_ATTRIBUTE,(char *)xa) #define X509_EXTENSION_dup(ex) (X509_EXTENSION *)ASN1_dup( \ (int (*)())i2d_X509_EXTENSION, \ (char *(*)())d2i_X509_EXTENSION,(char *)ex) #define d2i_X509_fp(fp,x509) (X509 *)ASN1_d2i_fp((char *(*)())X509_new, \ (char *(*)())d2i_X509, (fp),(unsigned char **)(x509)) #define i2d_X509_fp(fp,x509) ASN1_i2d_fp(i2d_X509,fp,(unsigned char *)x509) #define d2i_X509_bio(bp,x509) (X509 *)ASN1_d2i_bio((char *(*)())X509_new, \ (char *(*)())d2i_X509, (bp),(unsigned char **)(x509)) #define i2d_X509_bio(bp,x509) ASN1_i2d_bio(i2d_X509,bp,(unsigned char *)x509) #define X509_CRL_dup(crl) (X509_CRL *)ASN1_dup((int (*)())i2d_X509_CRL, \ (char *(*)())d2i_X509_CRL,(char *)crl) #define d2i_X509_CRL_fp(fp,crl) (X509_CRL *)ASN1_d2i_fp((char *(*)()) \ X509_CRL_new,(char *(*)())d2i_X509_CRL, (fp),\ (unsigned char **)(crl)) #define i2d_X509_CRL_fp(fp,crl) ASN1_i2d_fp(i2d_X509_CRL,fp,\ (unsigned char *)crl) #define d2i_X509_CRL_bio(bp,crl) (X509_CRL *)ASN1_d2i_bio((char *(*)()) \ X509_CRL_new,(char *(*)())d2i_X509_CRL, (bp),\ (unsigned char **)(crl)) #define i2d_X509_CRL_bio(bp,crl) ASN1_i2d_bio(i2d_X509_CRL,bp,\ (unsigned char *)crl) #define PKCS7_dup(p7) (PKCS7 *)ASN1_dup((int (*)())i2d_PKCS7, \ (char *(*)())d2i_PKCS7,(char *)p7) #define d2i_PKCS7_fp(fp,p7) (PKCS7 *)ASN1_d2i_fp((char *(*)()) \ PKCS7_new,(char *(*)())d2i_PKCS7, (fp),\ (unsigned char **)(p7)) #define i2d_PKCS7_fp(fp,p7) ASN1_i2d_fp(i2d_PKCS7,fp,\ (unsigned char *)p7) #define d2i_PKCS7_bio(bp,p7) (PKCS7 *)ASN1_d2i_bio((char *(*)()) \ PKCS7_new,(char *(*)())d2i_PKCS7, (bp),\ (unsigned char **)(p7)) #define i2d_PKCS7_bio(bp,p7) ASN1_i2d_bio(i2d_PKCS7,bp,\ (unsigned char *)p7) #define X509_REQ_dup(req) (X509_REQ *)ASN1_dup((int (*)())i2d_X509_REQ, \ (char *(*)())d2i_X509_REQ,(char *)req) #define d2i_X509_REQ_fp(fp,req) (X509_REQ *)ASN1_d2i_fp((char *(*)())\ X509_REQ_new, (char *(*)())d2i_X509_REQ, (fp),\ (unsigned char **)(req)) #define i2d_X509_REQ_fp(fp,req) ASN1_i2d_fp(i2d_X509_REQ,fp,\ (unsigned char *)req) #define d2i_X509_REQ_bio(bp,req) (X509_REQ *)ASN1_d2i_bio((char *(*)())\ X509_REQ_new, (char *(*)())d2i_X509_REQ, (bp),\ (unsigned char **)(req)) #define i2d_X509_REQ_bio(bp,req) ASN1_i2d_bio(i2d_X509_REQ,bp,\ (unsigned char *)req) #define RSAPublicKey_dup(rsa) (RSA *)ASN1_dup((int (*)())i2d_RSAPublicKey, \ (char *(*)())d2i_RSAPublicKey,(char *)rsa) #define RSAPrivateKey_dup(rsa) (RSA *)ASN1_dup((int (*)())i2d_RSAPrivateKey, \ (char *(*)())d2i_RSAPrivateKey,(char *)rsa) #define d2i_RSAPrivateKey_fp(fp,rsa) (RSA *)ASN1_d2i_fp((char *(*)())\ RSA_new,(char *(*)())d2i_RSAPrivateKey, (fp), \ (unsigned char **)(rsa)) #define i2d_RSAPrivateKey_fp(fp,rsa) ASN1_i2d_fp(i2d_RSAPrivateKey,fp, \ (unsigned char *)rsa) #define d2i_RSAPrivateKey_bio(bp,rsa) (RSA *)ASN1_d2i_bio((char *(*)())\ RSA_new,(char *(*)())d2i_RSAPrivateKey, (bp), \ (unsigned char **)(rsa)) #define i2d_RSAPrivateKey_bio(bp,rsa) ASN1_i2d_bio(i2d_RSAPrivateKey,bp, \ (unsigned char *)rsa) #define d2i_RSAPublicKey_fp(fp,rsa) (RSA *)ASN1_d2i_fp((char *(*)())\ RSA_new,(char *(*)())d2i_RSAPublicKey, (fp), \ (unsigned char **)(rsa)) #define i2d_RSAPublicKey_fp(fp,rsa) ASN1_i2d_fp(i2d_RSAPublicKey,fp, \ (unsigned char *)rsa) #define d2i_RSAPublicKey_bio(bp,rsa) (RSA *)ASN1_d2i_bio((char *(*)())\ RSA_new,(char *(*)())d2i_RSAPublicKey, (bp), \ (unsigned char **)(rsa)) #define i2d_RSAPublicKey_bio(bp,rsa) ASN1_i2d_bio(i2d_RSAPublicKey,bp, \ (unsigned char *)rsa) #define d2i_DSAPrivateKey_fp(fp,dsa) (DSA *)ASN1_d2i_fp((char *(*)())\ DSA_new,(char *(*)())d2i_DSAPrivateKey, (fp), \ (unsigned char **)(dsa)) #define i2d_DSAPrivateKey_fp(fp,dsa) ASN1_i2d_fp(i2d_DSAPrivateKey,fp, \ (unsigned char *)dsa) #define d2i_DSAPrivateKey_bio(bp,dsa) (DSA *)ASN1_d2i_bio((char *(*)())\ DSA_new,(char *(*)())d2i_DSAPrivateKey, (bp), \ (unsigned char **)(dsa)) #define i2d_DSAPrivateKey_bio(bp,dsa) ASN1_i2d_bio(i2d_DSAPrivateKey,bp, \ (unsigned char *)dsa) #define X509_ALGOR_dup(xn) (X509_ALGOR *)ASN1_dup((int (*)())i2d_X509_ALGOR,\ (char *(*)())d2i_X509_ALGOR,(char *)xn) #define X509_NAME_dup(xn) (X509_NAME *)ASN1_dup((int (*)())i2d_X509_NAME, \ (char *(*)())d2i_X509_NAME,(char *)xn) #define X509_NAME_ENTRY_dup(ne) (X509_NAME_ENTRY *)ASN1_dup( \ (int (*)())i2d_X509_NAME_ENTRY, \ (char *(*)())d2i_X509_NAME_ENTRY,\ (char *)ne) #define X509_digest(data,type,md,len) \ ASN1_digest((int (*)())i2d_X509,type,(char *)data,md,len) #define X509_NAME_digest(data,type,md,len) \ ASN1_digest((int (*)())i2d_X509_NAME,type,(char *)data,md,len) #ifndef PKCS7_ISSUER_AND_SERIAL_digest #define PKCS7_ISSUER_AND_SERIAL_digest(data,type,md,len) \ ASN1_digest((int (*)())i2d_PKCS7_ISSUER_AND_SERIAL,type,\ (char *)data,md,len) #endif #endif #define X509_EXT_PACK_UNKNOWN 1 #define X509_EXT_PACK_STRING 2 #define X509_get_version(x) ASN1_INTEGER_get((x)->cert_info->version) /* #define X509_get_serialNumber(x) ((x)->cert_info->serialNumber) */ #define X509_get_notBefore(x) ((x)->cert_info->validity->notBefore) #define X509_get_notAfter(x) ((x)->cert_info->validity->notAfter) #define X509_extract_key(x) X509_get_pubkey(x) /*****/ #define X509_REQ_get_version(x) ASN1_INTEGER_get((x)->req_info->version) #define X509_REQ_get_subject_name(x) ((x)->req_info->subject) #define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a) #define X509_name_cmp(a,b) X509_NAME_cmp((a),(b)) #define X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm)) #define X509_CRL_get_version(x) ASN1_INTEGER_get((x)->crl->version) #define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate) #define X509_CRL_get_nextUpdate(x) ((x)->crl->nextUpdate) #define X509_CRL_get_issuer(x) ((x)->crl->issuer) #define X509_CRL_get_REVOKED(x) ((x)->crl->revoked) /* This one is only used so that a binary form can output, as in * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf) */ #define X509_get_X509_PUBKEY(x) ((x)->cert_info->key) const char *X509_verify_cert_error_string(long n); #ifndef SSLEAY_MACROS #ifndef OPENSSL_NO_EVP int X509_verify(X509 *a, EVP_PKEY *r); int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r); int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r); int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r); NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len); char * NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *x); EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x); int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey); int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki); int X509_signature_print(BIO *bp,X509_ALGOR *alg, ASN1_STRING *sig); int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md); int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_pubkey_digest(const X509 *data,const EVP_MD *type, unsigned char *md, unsigned int *len); int X509_digest(const X509 *data,const EVP_MD *type, unsigned char *md, unsigned int *len); int X509_CRL_digest(const X509_CRL *data,const EVP_MD *type, unsigned char *md, unsigned int *len); int X509_REQ_digest(const X509_REQ *data,const EVP_MD *type, unsigned char *md, unsigned int *len); int X509_NAME_digest(const X509_NAME *data,const EVP_MD *type, unsigned char *md, unsigned int *len); #endif #ifndef OPENSSL_NO_FP_API X509 *d2i_X509_fp(FILE *fp, X509 **x509); int i2d_X509_fp(FILE *fp,X509 *x509); X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL **crl); int i2d_X509_CRL_fp(FILE *fp,X509_CRL *crl); X509_REQ *d2i_X509_REQ_fp(FILE *fp,X509_REQ **req); int i2d_X509_REQ_fp(FILE *fp,X509_REQ *req); #ifndef OPENSSL_NO_RSA RSA *d2i_RSAPrivateKey_fp(FILE *fp,RSA **rsa); int i2d_RSAPrivateKey_fp(FILE *fp,RSA *rsa); RSA *d2i_RSAPublicKey_fp(FILE *fp,RSA **rsa); int i2d_RSAPublicKey_fp(FILE *fp,RSA *rsa); RSA *d2i_RSA_PUBKEY_fp(FILE *fp,RSA **rsa); int i2d_RSA_PUBKEY_fp(FILE *fp,RSA *rsa); #endif #ifndef OPENSSL_NO_DSA DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa); int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa); DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa); int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa); #endif X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8); int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8); PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf); int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,PKCS8_PRIV_KEY_INFO *p8inf); int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key); int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey); EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a); int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey); EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a); #endif #ifndef OPENSSL_NO_BIO X509 *d2i_X509_bio(BIO *bp,X509 **x509); int i2d_X509_bio(BIO *bp,X509 *x509); X509_CRL *d2i_X509_CRL_bio(BIO *bp,X509_CRL **crl); int i2d_X509_CRL_bio(BIO *bp,X509_CRL *crl); X509_REQ *d2i_X509_REQ_bio(BIO *bp,X509_REQ **req); int i2d_X509_REQ_bio(BIO *bp,X509_REQ *req); #ifndef OPENSSL_NO_RSA RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA **rsa); int i2d_RSAPrivateKey_bio(BIO *bp,RSA *rsa); RSA *d2i_RSAPublicKey_bio(BIO *bp,RSA **rsa); int i2d_RSAPublicKey_bio(BIO *bp,RSA *rsa); RSA *d2i_RSA_PUBKEY_bio(BIO *bp,RSA **rsa); int i2d_RSA_PUBKEY_bio(BIO *bp,RSA *rsa); #endif #ifndef OPENSSL_NO_DSA DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa); int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa); DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa); int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa); #endif X509_SIG *d2i_PKCS8_bio(BIO *bp,X509_SIG **p8); int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8); PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf); int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,PKCS8_PRIV_KEY_INFO *p8inf); int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key); int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey); EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a); int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey); EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a); #endif X509 *X509_dup(X509 *x509); X509_ATTRIBUTE *X509_ATTRIBUTE_dup(X509_ATTRIBUTE *xa); X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex); X509_CRL *X509_CRL_dup(X509_CRL *crl); X509_REQ *X509_REQ_dup(X509_REQ *req); X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn); X509_NAME *X509_NAME_dup(X509_NAME *xn); X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne); -#ifndef OPENSSL_NO_RSA -RSA *RSAPublicKey_dup(RSA *rsa); -RSA *RSAPrivateKey_dup(RSA *rsa); -#endif #endif /* !SSLEAY_MACROS */ int X509_cmp_time(ASN1_TIME *s, time_t *t); int X509_cmp_current_time(ASN1_TIME *s); ASN1_TIME * X509_time_adj(ASN1_TIME *s, long adj, time_t *t); ASN1_TIME * X509_gmtime_adj(ASN1_TIME *s, long adj); const char * X509_get_default_cert_area(void ); const char * X509_get_default_cert_dir(void ); const char * X509_get_default_cert_file(void ); const char * X509_get_default_cert_dir_env(void ); const char * X509_get_default_cert_file_env(void ); const char * X509_get_default_private_dir(void ); X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md); X509 * X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey); DECLARE_ASN1_FUNCTIONS(X509_ALGOR) DECLARE_ASN1_FUNCTIONS(X509_VAL) DECLARE_ASN1_FUNCTIONS(X509_PUBKEY) int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); EVP_PKEY * X509_PUBKEY_get(X509_PUBKEY *key); int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain); int i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp); EVP_PKEY * d2i_PUBKEY(EVP_PKEY **a,unsigned char **pp, long length); #ifndef OPENSSL_NO_RSA int i2d_RSA_PUBKEY(RSA *a,unsigned char **pp); RSA * d2i_RSA_PUBKEY(RSA **a,unsigned char **pp, long length); #endif #ifndef OPENSSL_NO_DSA int i2d_DSA_PUBKEY(DSA *a,unsigned char **pp); DSA * d2i_DSA_PUBKEY(DSA **a,unsigned char **pp, long length); #endif DECLARE_ASN1_FUNCTIONS(X509_SIG) DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO) DECLARE_ASN1_FUNCTIONS(X509_REQ) DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE) X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value); DECLARE_ASN1_FUNCTIONS(X509_EXTENSION) DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY) DECLARE_ASN1_FUNCTIONS(X509_NAME) int X509_NAME_set(X509_NAME **xn, X509_NAME *name); DECLARE_ASN1_FUNCTIONS(X509_CINF) DECLARE_ASN1_FUNCTIONS(X509) DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX) int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int X509_set_ex_data(X509 *r, int idx, void *arg); void *X509_get_ex_data(X509 *r, int idx); int i2d_X509_AUX(X509 *a,unsigned char **pp); X509 * d2i_X509_AUX(X509 **a,unsigned char **pp,long length); int X509_alias_set1(X509 *x, unsigned char *name, int len); int X509_keyid_set1(X509 *x, unsigned char *id, int len); unsigned char * X509_alias_get0(X509 *x, int *len); int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int); int X509_TRUST_set(int *t, int trust); int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj); void X509_trust_clear(X509 *x); void X509_reject_clear(X509 *x); DECLARE_ASN1_FUNCTIONS(X509_REVOKED) DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO) DECLARE_ASN1_FUNCTIONS(X509_CRL) int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); X509_PKEY * X509_PKEY_new(void ); void X509_PKEY_free(X509_PKEY *a); int i2d_X509_PKEY(X509_PKEY *a,unsigned char **pp); X509_PKEY * d2i_X509_PKEY(X509_PKEY **a,unsigned char **pp,long length); DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI) DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC) DECLARE_ASN1_FUNCTIONS(NETSCAPE_CERT_SEQUENCE) #ifndef OPENSSL_NO_EVP X509_INFO * X509_INFO_new(void); void X509_INFO_free(X509_INFO *a); char * X509_NAME_oneline(X509_NAME *a,char *buf,int size); int ASN1_verify(int (*i2d)(), X509_ALGOR *algor1, ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey); int ASN1_digest(int (*i2d)(),const EVP_MD *type,char *data, unsigned char *md,unsigned int *len); int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2, ASN1_BIT_STRING *signature, char *data,EVP_PKEY *pkey, const EVP_MD *type); int ASN1_item_digest(const ASN1_ITEM *it,const EVP_MD *type,void *data, unsigned char *md,unsigned int *len); int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *algor1, ASN1_BIT_STRING *signature,void *data,EVP_PKEY *pkey); int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, ASN1_BIT_STRING *signature, void *data, EVP_PKEY *pkey, const EVP_MD *type); #endif int X509_set_version(X509 *x,long version); int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial); ASN1_INTEGER * X509_get_serialNumber(X509 *x); int X509_set_issuer_name(X509 *x, X509_NAME *name); X509_NAME * X509_get_issuer_name(X509 *a); int X509_set_subject_name(X509 *x, X509_NAME *name); X509_NAME * X509_get_subject_name(X509 *a); int X509_set_notBefore(X509 *x, ASN1_TIME *tm); int X509_set_notAfter(X509 *x, ASN1_TIME *tm); int X509_set_pubkey(X509 *x, EVP_PKEY *pkey); EVP_PKEY * X509_get_pubkey(X509 *x); ASN1_BIT_STRING * X509_get0_pubkey_bitstr(const X509 *x); int X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */); int X509_REQ_set_version(X509_REQ *x,long version); int X509_REQ_set_subject_name(X509_REQ *req,X509_NAME *name); int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey); EVP_PKEY * X509_REQ_get_pubkey(X509_REQ *req); int X509_REQ_extension_nid(int nid); int * X509_REQ_get_extension_nids(void); void X509_REQ_set_extension_nids(int *nids); STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req); int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts, int nid); int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts); int X509_REQ_get_attr_count(const X509_REQ *req); int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos); int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj, int lastpos); X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc); X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc); int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr); int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, const ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len); int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, int type, const unsigned char *bytes, int len); int X509_REQ_add1_attr_by_txt(X509_REQ *req, const char *attrname, int type, const unsigned char *bytes, int len); int X509_CRL_set_version(X509_CRL *x, long version); int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name); int X509_CRL_set_lastUpdate(X509_CRL *x, ASN1_TIME *tm); int X509_CRL_set_nextUpdate(X509_CRL *x, ASN1_TIME *tm); int X509_CRL_sort(X509_CRL *crl); int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial); int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm); int X509_check_private_key(X509 *x509,EVP_PKEY *pkey); int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b); unsigned long X509_issuer_and_serial_hash(X509 *a); int X509_issuer_name_cmp(const X509 *a, const X509 *b); unsigned long X509_issuer_name_hash(X509 *a); int X509_subject_name_cmp(const X509 *a, const X509 *b); unsigned long X509_subject_name_hash(X509 *x); int X509_cmp(const X509 *a, const X509 *b); int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); unsigned long X509_NAME_hash(X509_NAME *x); int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); #ifndef OPENSSL_NO_FP_API int X509_print_ex_fp(FILE *bp,X509 *x, unsigned long nmflag, unsigned long cflag); int X509_print_fp(FILE *bp,X509 *x); int X509_CRL_print_fp(FILE *bp,X509_CRL *x); int X509_REQ_print_fp(FILE *bp,X509_REQ *req); int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags); #endif #ifndef OPENSSL_NO_BIO int X509_NAME_print(BIO *bp, X509_NAME *name, int obase); int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags); int X509_print_ex(BIO *bp,X509 *x, unsigned long nmflag, unsigned long cflag); int X509_print(BIO *bp,X509 *x); int X509_ocspid_print(BIO *bp,X509 *x); int X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent); int X509_CRL_print(BIO *bp,X509_CRL *x); int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, unsigned long cflag); int X509_REQ_print(BIO *bp,X509_REQ *req); #endif int X509_NAME_entry_count(X509_NAME *name); int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf,int len); int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,int len); /* NOTE: you should be passsing -1, not 0 as lastpos. The functions that use * lastpos, search after that position on. */ int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos); int X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj, int lastpos); X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc); X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc); int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne, int loc, int set); int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set); int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, char *field, int type, unsigned char *bytes, int len); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type,unsigned char *bytes, int len); int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type, unsigned char *bytes, int len, int loc, int set); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type,unsigned char *bytes, int len); int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj); int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, unsigned char *bytes, int len); ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne); ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne); int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x); int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos); int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x, ASN1_OBJECT *obj,int lastpos); int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x, int crit, int lastpos); X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc); X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc); STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc); int X509_get_ext_count(X509 *x); int X509_get_ext_by_NID(X509 *x, int nid, int lastpos); int X509_get_ext_by_OBJ(X509 *x,ASN1_OBJECT *obj,int lastpos); int X509_get_ext_by_critical(X509 *x, int crit, int lastpos); X509_EXTENSION *X509_get_ext(X509 *x, int loc); X509_EXTENSION *X509_delete_ext(X509 *x, int loc); int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc); void * X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx); int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, unsigned long flags); int X509_CRL_get_ext_count(X509_CRL *x); int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos); int X509_CRL_get_ext_by_OBJ(X509_CRL *x,ASN1_OBJECT *obj,int lastpos); int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos); X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc); X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc); int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc); void * X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx); int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit, unsigned long flags); int X509_REVOKED_get_ext_count(X509_REVOKED *x); int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos); int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x,ASN1_OBJECT *obj,int lastpos); int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos); X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc); X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc); int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc); void * X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx); int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit, unsigned long flags); X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit, ASN1_OCTET_STRING *data); X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, ASN1_OBJECT *obj,int crit,ASN1_OCTET_STRING *data); int X509_EXTENSION_set_object(X509_EXTENSION *ex,ASN1_OBJECT *obj); int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit); int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data); ASN1_OBJECT * X509_EXTENSION_get_object(X509_EXTENSION *ex); ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne); int X509_EXTENSION_get_critical(X509_EXTENSION *ex); int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x); int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid, int lastpos); int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj, int lastpos); X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc); X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc); STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x, X509_ATTRIBUTE *attr); STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x, const ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len); STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x, int nid, int type, const unsigned char *bytes, int len); STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x, const char *attrname, int type, const unsigned char *bytes, int len); X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid, int atrtype, const void *data, int len); X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr, const ASN1_OBJECT *obj, int atrtype, const void *data, int len); X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr, const char *atrname, int type, const unsigned char *bytes, int len); int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj); int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len); void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype, void *data); int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr); ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr); ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx); int X509_verify_cert(X509_STORE_CTX *ctx); /* lookup a cert from a X509 STACK */ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk,X509_NAME *name, ASN1_INTEGER *serial); X509 *X509_find_by_subject(STACK_OF(X509) *sk,X509_NAME *name); DECLARE_ASN1_FUNCTIONS(PBEPARAM) DECLARE_ASN1_FUNCTIONS(PBE2PARAM) DECLARE_ASN1_FUNCTIONS(PBKDF2PARAM) X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt, int saltlen); X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, unsigned char *salt, int saltlen); /* PKCS#8 utilities */ DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO) EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8); PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey); PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken); PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken); int X509_check_trust(X509 *x, int id, int flags); int X509_TRUST_get_count(void); X509_TRUST * X509_TRUST_get0(int idx); int X509_TRUST_get_by_id(int id); int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), char *name, int arg1, void *arg2); void X509_TRUST_cleanup(void); int X509_TRUST_get_flags(X509_TRUST *xp); char *X509_TRUST_get0_name(X509_TRUST *xp); int X509_TRUST_get_trust(X509_TRUST *xp); /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ void ERR_load_X509_strings(void); /* Error codes for the X509 functions. */ /* Function codes. */ #define X509_F_ADD_CERT_DIR 100 #define X509_F_BY_FILE_CTRL 101 #define X509_F_DIR_CTRL 102 #define X509_F_GET_CERT_BY_SUBJECT 103 #define X509_F_NETSCAPE_SPKI_B64_DECODE 129 #define X509_F_NETSCAPE_SPKI_B64_ENCODE 130 #define X509_F_X509V3_ADD_EXT 104 #define X509_F_X509_ADD_ATTR 135 #define X509_F_X509_ATTRIBUTE_CREATE_BY_NID 136 #define X509_F_X509_ATTRIBUTE_CREATE_BY_OBJ 137 #define X509_F_X509_ATTRIBUTE_CREATE_BY_TXT 140 #define X509_F_X509_ATTRIBUTE_GET0_DATA 139 #define X509_F_X509_ATTRIBUTE_SET1_DATA 138 #define X509_F_X509_CHECK_PRIVATE_KEY 128 #define X509_F_X509_EXTENSION_CREATE_BY_NID 108 #define X509_F_X509_EXTENSION_CREATE_BY_OBJ 109 #define X509_F_X509_GET_PUBKEY_PARAMETERS 110 #define X509_F_X509_LOAD_CERT_CRL_FILE 132 #define X509_F_X509_LOAD_CERT_FILE 111 #define X509_F_X509_LOAD_CRL_FILE 112 #define X509_F_X509_NAME_ADD_ENTRY 113 #define X509_F_X509_NAME_ENTRY_CREATE_BY_NID 114 #define X509_F_X509_NAME_ENTRY_CREATE_BY_TXT 131 #define X509_F_X509_NAME_ENTRY_SET_OBJECT 115 #define X509_F_X509_NAME_ONELINE 116 #define X509_F_X509_NAME_PRINT 117 #define X509_F_X509_PRINT_FP 118 #define X509_F_X509_PUBKEY_GET 119 #define X509_F_X509_PUBKEY_SET 120 #define X509_F_X509_REQ_PRINT 121 #define X509_F_X509_REQ_PRINT_FP 122 #define X509_F_X509_REQ_TO_X509 123 #define X509_F_X509_STORE_ADD_CERT 124 #define X509_F_X509_STORE_ADD_CRL 125 #define X509_F_X509_STORE_CTX_INIT 143 #define X509_F_X509_STORE_CTX_NEW 142 #define X509_F_X509_STORE_CTX_PURPOSE_INHERIT 134 #define X509_F_X509_TO_X509_REQ 126 #define X509_F_X509_TRUST_ADD 133 #define X509_F_X509_TRUST_SET 141 #define X509_F_X509_VERIFY_CERT 127 /* Reason codes. */ #define X509_R_BAD_X509_FILETYPE 100 #define X509_R_BASE64_DECODE_ERROR 118 #define X509_R_CANT_CHECK_DH_KEY 114 #define X509_R_CERT_ALREADY_IN_HASH_TABLE 101 #define X509_R_ERR_ASN1_LIB 102 #define X509_R_INVALID_DIRECTORY 113 #define X509_R_INVALID_FIELD_NAME 119 #define X509_R_INVALID_TRUST 123 #define X509_R_KEY_TYPE_MISMATCH 115 #define X509_R_KEY_VALUES_MISMATCH 116 #define X509_R_LOADING_CERT_DIR 103 #define X509_R_LOADING_DEFAULTS 104 #define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105 #define X509_R_SHOULD_RETRY 106 #define X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN 107 #define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY 108 #define X509_R_UNKNOWN_KEY_TYPE 117 #define X509_R_UNKNOWN_NID 109 #define X509_R_UNKNOWN_PURPOSE_ID 121 #define X509_R_UNKNOWN_TRUST_ID 120 #define X509_R_UNSUPPORTED_ALGORITHM 111 #define X509_R_WRONG_LOOKUP_TYPE 112 #define X509_R_WRONG_TYPE 122 #ifdef __cplusplus } #endif #endif diff --git a/crypto/openssl/crypto/x509/x509_txt.c b/crypto/openssl/crypto/x509/x509_txt.c index 4f83db8ba2f5..e31ebc6741a0 100644 --- a/crypto/openssl/crypto/x509/x509_txt.c +++ b/crypto/openssl/crypto/x509/x509_txt.c @@ -1,156 +1,162 @@ /* crypto/x509/x509_txt.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include "cryptlib.h" #include #include #include #include #include #include const char *X509_verify_cert_error_string(long n) { static char buf[100]; switch ((int)n) { case X509_V_OK: return("ok"); case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: return("unable to get issuer certificate"); case X509_V_ERR_UNABLE_TO_GET_CRL: return("unable to get certificate CRL"); case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: return("unable to decrypt certificate's signature"); case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: return("unable to decrypt CRL's signature"); case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: return("unable to decode issuer public key"); case X509_V_ERR_CERT_SIGNATURE_FAILURE: return("certificate signature failure"); case X509_V_ERR_CRL_SIGNATURE_FAILURE: return("CRL signature failure"); case X509_V_ERR_CERT_NOT_YET_VALID: return("certificate is not yet valid"); case X509_V_ERR_CRL_NOT_YET_VALID: return("CRL is not yet valid"); case X509_V_ERR_CERT_HAS_EXPIRED: return("certificate has expired"); case X509_V_ERR_CRL_HAS_EXPIRED: return("CRL has expired"); case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: return("format error in certificate's notBefore field"); case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: return("format error in certificate's notAfter field"); case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: return("format error in CRL's lastUpdate field"); case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: return("format error in CRL's nextUpdate field"); case X509_V_ERR_OUT_OF_MEM: return("out of memory"); case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: return("self signed certificate"); case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: return("self signed certificate in certificate chain"); case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: return("unable to get local issuer certificate"); case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: return("unable to verify the first certificate"); case X509_V_ERR_CERT_CHAIN_TOO_LONG: return("certificate chain too long"); case X509_V_ERR_CERT_REVOKED: return("certificate revoked"); case X509_V_ERR_INVALID_CA: return ("invalid CA certificate"); case X509_V_ERR_PATH_LENGTH_EXCEEDED: return ("path length constraint exceeded"); case X509_V_ERR_INVALID_PURPOSE: return ("unsupported certificate purpose"); case X509_V_ERR_CERT_UNTRUSTED: return ("certificate not trusted"); case X509_V_ERR_CERT_REJECTED: return ("certificate rejected"); case X509_V_ERR_APPLICATION_VERIFICATION: return("application verification failure"); case X509_V_ERR_SUBJECT_ISSUER_MISMATCH: return("subject issuer mismatch"); case X509_V_ERR_AKID_SKID_MISMATCH: return("authority and subject key identifier mismatch"); case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: return("authority and issuer serial number mismatch"); case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: return("key usage does not include certificate signing"); case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: return("unable to get CRL issuer certificate"); case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: return("unhandled critical extension"); + case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: + return("key usage does not include CRL signing"); + + case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: + return("unhandled critical CRL extension"); + default: - sprintf(buf,"error number %ld",n); + BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); } } diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c index 2bb21b443ec0..2e4d0b823abe 100644 --- a/crypto/openssl/crypto/x509/x509_vfy.c +++ b/crypto/openssl/crypto/x509/x509_vfy.c @@ -1,1187 +1,1228 @@ /* crypto/x509/x509_vfy.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include "cryptlib.h" #include #include #include #include #include #include #include #include static int null_callback(int ok,X509_STORE_CTX *e); static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); static int check_chain_purpose(X509_STORE_CTX *ctx); static int check_trust(X509_STORE_CTX *ctx); static int check_revocation(X509_STORE_CTX *ctx); static int check_cert(X509_STORE_CTX *ctx); static int internal_verify(X509_STORE_CTX *ctx); const char *X509_version="X.509" OPENSSL_VERSION_PTEXT; static int null_callback(int ok, X509_STORE_CTX *e) { return ok; } #if 0 static int x509_subject_cmp(X509 **a, X509 **b) { return X509_subject_name_cmp(*a,*b); } #endif int X509_verify_cert(X509_STORE_CTX *ctx) { X509 *x,*xtmp,*chain_ss=NULL; X509_NAME *xn; int depth,i,ok=0; int num; int (*cb)(); STACK_OF(X509) *sktmp=NULL; if (ctx->cert == NULL) { X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); return -1; } cb=ctx->verify_cb; /* first we make sure the chain we are going to build is * present and that the first entry is in place */ if (ctx->chain == NULL) { if ( ((ctx->chain=sk_X509_new_null()) == NULL) || (!sk_X509_push(ctx->chain,ctx->cert))) { X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); goto end; } CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); ctx->last_untrusted=1; } /* We use a temporary STACK so we can chop and hack at it */ if (ctx->untrusted != NULL && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) { X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); goto end; } num=sk_X509_num(ctx->chain); x=sk_X509_value(ctx->chain,num-1); depth=ctx->depth; for (;;) { /* If we have enough, we break */ if (depth < num) break; /* FIXME: If this happens, we should take * note of it and, if appropriate, use the * X509_V_ERR_CERT_CHAIN_TOO_LONG error * code later. */ /* If we are self signed, we break */ xn=X509_get_issuer_name(x); if (ctx->check_issued(ctx, x,x)) break; /* If we were passed a cert chain, use it first */ if (ctx->untrusted != NULL) { xtmp=find_issuer(ctx, sktmp,x); if (xtmp != NULL) { if (!sk_X509_push(ctx->chain,xtmp)) { X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); goto end; } CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); sk_X509_delete_ptr(sktmp,xtmp); ctx->last_untrusted++; x=xtmp; num++; /* reparse the full chain for * the next one */ continue; } } break; } /* at this point, chain should contain a list of untrusted * certificates. We now need to add at least one trusted one, * if possible, otherwise we complain. */ /* Examine last certificate in chain and see if it * is self signed. */ i=sk_X509_num(ctx->chain); x=sk_X509_value(ctx->chain,i-1); xn = X509_get_subject_name(x); if (ctx->check_issued(ctx, x, x)) { /* we have a self signed certificate */ if (sk_X509_num(ctx->chain) == 1) { /* We have a single self signed certificate: see if * we can find it in the store. We must have an exact * match to avoid possible impersonation. */ ok = ctx->get_issuer(&xtmp, ctx, x); if ((ok <= 0) || X509_cmp(x, xtmp)) { ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; ctx->current_cert=x; ctx->error_depth=i-1; if (ok == 1) X509_free(xtmp); ok=cb(0,ctx); if (!ok) goto end; } else { /* We have a match: replace certificate with store version * so we get any trust settings. */ X509_free(x); x = xtmp; sk_X509_set(ctx->chain, i - 1, x); ctx->last_untrusted=0; } } else { /* extract and save self signed certificate for later use */ chain_ss=sk_X509_pop(ctx->chain); ctx->last_untrusted--; num--; x=sk_X509_value(ctx->chain,num-1); } } /* We now lookup certs from the certificate store */ for (;;) { /* If we have enough, we break */ if (depth < num) break; /* If we are self signed, we break */ xn=X509_get_issuer_name(x); if (ctx->check_issued(ctx,x,x)) break; ok = ctx->get_issuer(&xtmp, ctx, x); if (ok < 0) return ok; if (ok == 0) break; x = xtmp; if (!sk_X509_push(ctx->chain,x)) { X509_free(xtmp); X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); return 0; } num++; } /* we now have our chain, lets check it... */ xn=X509_get_issuer_name(x); /* Is last certificate looked up self signed? */ if (!ctx->check_issued(ctx,x,x)) { if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { if (ctx->last_untrusted >= num) ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; else ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; ctx->current_cert=x; } else { sk_X509_push(ctx->chain,chain_ss); num++; ctx->last_untrusted=num; ctx->current_cert=chain_ss; ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; chain_ss=NULL; } ctx->error_depth=num-1; ok=cb(0,ctx); if (!ok) goto end; } /* We have the chain complete: now we need to check its purpose */ if (ctx->purpose > 0) ok = check_chain_purpose(ctx); if (!ok) goto end; /* The chain extensions are OK: check trust */ if (ctx->trust > 0) ok = check_trust(ctx); if (!ok) goto end; /* We may as well copy down any DSA parameters that are required */ X509_get_pubkey_parameters(NULL,ctx->chain); /* Check revocation status: we do this after copying parameters * because they may be needed for CRL signature verification. */ ok = ctx->check_revocation(ctx); if(!ok) goto end; /* At this point, we have a chain and just need to verify it */ if (ctx->verify != NULL) ok=ctx->verify(ctx); else ok=internal_verify(ctx); if (0) { end: X509_get_pubkey_parameters(NULL,ctx->chain); } if (sktmp != NULL) sk_X509_free(sktmp); if (chain_ss != NULL) X509_free(chain_ss); return ok; } /* Given a STACK_OF(X509) find the issuer of cert (if any) */ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { int i; X509 *issuer; for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); if (ctx->check_issued(ctx, x, issuer)) return issuer; } return NULL; } /* Given a possible certificate and issuer check them */ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) { int ret; ret = X509_check_issued(issuer, x); if (ret == X509_V_OK) return 1; /* If we haven't asked for issuer errors don't set ctx */ if (!(ctx->flags & X509_V_FLAG_CB_ISSUER_CHECK)) return 0; ctx->error = ret; ctx->current_cert = x; ctx->current_issuer = issuer; return ctx->verify_cb(0, ctx); return 0; } /* Alternative lookup method: look from a STACK stored in other_ctx */ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { *issuer = find_issuer(ctx, ctx->other_ctx, x); if (*issuer) { CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); return 1; } else return 0; } /* Check a certificate chains extensions for consistency * with the supplied purpose */ static int check_chain_purpose(X509_STORE_CTX *ctx) { #ifdef OPENSSL_NO_CHAIN_VERIFY return 1; #else int i, ok=0; X509 *x; int (*cb)(); cb=ctx->verify_cb; /* Check all untrusted certificates */ for (i = 0; i < ctx->last_untrusted; i++) { + int ret; x = sk_X509_value(ctx->chain, i); if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) && (x->ex_flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; } - if (!X509_check_purpose(x, ctx->purpose, i)) + ret = X509_check_purpose(x, ctx->purpose, i); + if ((ret == 0) + || ((ctx->flags & X509_V_FLAG_X509_STRICT) + && (ret != 1))) { if (i) ctx->error = X509_V_ERR_INVALID_CA; else ctx->error = X509_V_ERR_INVALID_PURPOSE; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; } /* Check pathlen */ if ((i > 1) && (x->ex_pathlen != -1) && (i > (x->ex_pathlen + 1))) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; ok=cb(0,ctx); if (!ok) goto end; } } ok = 1; end: return ok; #endif } static int check_trust(X509_STORE_CTX *ctx) { #ifdef OPENSSL_NO_CHAIN_VERIFY return 1; #else int i, ok; X509 *x; int (*cb)(); cb=ctx->verify_cb; /* For now just check the last certificate in the chain */ i = sk_X509_num(ctx->chain) - 1; x = sk_X509_value(ctx->chain, i); ok = X509_check_trust(x, ctx->trust, 0); if (ok == X509_TRUST_TRUSTED) return 1; ctx->error_depth = i; ctx->current_cert = x; if (ok == X509_TRUST_REJECTED) ctx->error = X509_V_ERR_CERT_REJECTED; else ctx->error = X509_V_ERR_CERT_UNTRUSTED; ok = cb(0, ctx); return ok; #endif } static int check_revocation(X509_STORE_CTX *ctx) { int i, last, ok; if (!(ctx->flags & X509_V_FLAG_CRL_CHECK)) return 1; if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL) last = sk_X509_num(ctx->chain) - 1; else last = 0; for(i = 0; i <= last; i++) { ctx->error_depth = i; ok = check_cert(ctx); if (!ok) return ok; } return 1; } static int check_cert(X509_STORE_CTX *ctx) { X509_CRL *crl = NULL; X509 *x; int ok, cnum; cnum = ctx->error_depth; x = sk_X509_value(ctx->chain, cnum); ctx->current_cert = x; /* Try to retrieve relevant CRL */ ok = ctx->get_crl(ctx, &crl, x); /* If error looking up CRL, nothing we can do except * notify callback */ if(!ok) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; ok = ctx->verify_cb(0, ctx); goto err; } ctx->current_crl = crl; ok = ctx->check_crl(ctx, crl); if (!ok) goto err; ok = ctx->cert_crl(ctx, crl, x); err: ctx->current_crl = NULL; X509_CRL_free(crl); return ok; } /* Retrieve CRL corresponding to certificate: currently just a * subject lookup: maybe use AKID later... * Also might look up any included CRLs too (e.g PKCS#7 signedData). */ static int get_crl(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x) { int ok; X509_OBJECT xobj; ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x), &xobj); if (!ok) return 0; *crl = xobj.data.crl; return 1; } /* Check CRL validity */ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) { X509 *issuer = NULL; EVP_PKEY *ikey = NULL; int ok = 0, chnum, cnum, i; time_t *ptime; cnum = ctx->error_depth; chnum = sk_X509_num(ctx->chain) - 1; /* Find CRL issuer: if not last certificate then issuer * is next certificate in chain. */ if(cnum < chnum) issuer = sk_X509_value(ctx->chain, cnum + 1); else { issuer = sk_X509_value(ctx->chain, chnum); /* If not self signed, can't check signature */ if(!ctx->check_issued(ctx, issuer, issuer)) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; ok = ctx->verify_cb(0, ctx); if(!ok) goto err; } } if(issuer) { + /* Check for cRLSign bit if keyUsage present */ + if ((issuer->ex_flags & EXFLAG_KUSAGE) && + !(issuer->ex_kusage & KU_CRL_SIGN)) + { + ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; + ok = ctx->verify_cb(0, ctx); + if(!ok) goto err; + } /* Attempt to get issuer certificate public key */ ikey = X509_get_pubkey(issuer); if(!ikey) { ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ok = ctx->verify_cb(0, ctx); if (!ok) goto err; } else { /* Verify CRL signature */ if(X509_CRL_verify(crl, ikey) <= 0) { ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; ok = ctx->verify_cb(0, ctx); if (!ok) goto err; } } } /* OK, CRL signature valid check times */ if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->check_time; else ptime = NULL; i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); if (i == 0) { ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; ok = ctx->verify_cb(0, ctx); if (!ok) goto err; } if (i > 0) { ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; ok = ctx->verify_cb(0, ctx); if (!ok) goto err; } if(X509_CRL_get_nextUpdate(crl)) { i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); if (i == 0) { ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; ok = ctx->verify_cb(0, ctx); if (!ok) goto err; } if (i < 0) { ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; ok = ctx->verify_cb(0, ctx); if (!ok) goto err; } } ok = 1; err: EVP_PKEY_free(ikey); return ok; } /* Check certificate against CRL */ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { int idx, ok; X509_REVOKED rtmp; + STACK_OF(X509_EXTENSION) *exts; + X509_EXTENSION *ext; /* Look for serial number of certificate in CRL */ rtmp.serialNumber = X509_get_serialNumber(x); idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); - /* Not found: OK */ - if(idx == -1) return 1; - /* Otherwise revoked: want something cleverer than + /* If found assume revoked: want something cleverer than * this to handle entry extensions in V2 CRLs. */ - ctx->error = X509_V_ERR_CERT_REVOKED; - ok = ctx->verify_cb(0, ctx); - return ok; + if(idx >= 0) + { + ctx->error = X509_V_ERR_CERT_REVOKED; + ok = ctx->verify_cb(0, ctx); + if (!ok) return 0; + } + + if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) + return 1; + + /* See if we have any critical CRL extensions: since we + * currently don't handle any CRL extensions the CRL must be + * rejected. + * This code accesses the X509_CRL structure directly: applications + * shouldn't do this. + */ + + exts = crl->crl->extensions; + + for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) + { + ext = sk_X509_EXTENSION_value(exts, idx); + if (ext->critical > 0) + { + ctx->error = + X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; + ok = ctx->verify_cb(0, ctx); + if(!ok) return 0; + break; + } + } + return 1; } static int internal_verify(X509_STORE_CTX *ctx) { int i,ok=0,n; X509 *xs,*xi; EVP_PKEY *pkey=NULL; time_t *ptime; int (*cb)(); cb=ctx->verify_cb; n=sk_X509_num(ctx->chain); ctx->error_depth=n-1; n--; xi=sk_X509_value(ctx->chain,n); if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->check_time; else ptime = NULL; if (ctx->check_issued(ctx, xi, xi)) xs=xi; else { if (n <= 0) { ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; ctx->current_cert=xi; ok=cb(0,ctx); goto end; } else { n--; ctx->error_depth=n; xs=sk_X509_value(ctx->chain,n); } } /* ctx->error=0; not needed */ while (n >= 0) { ctx->error_depth=n; if (!xs->valid) { if ((pkey=X509_get_pubkey(xi)) == NULL) { ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ctx->current_cert=xi; ok=(*cb)(0,ctx); if (!ok) goto end; } else if (X509_verify(xs,pkey) <= 0) /* XXX For the final trusted self-signed cert, * this is a waste of time. That check should * optional so that e.g. 'openssl x509' can be * used to detect invalid self-signatures, but * we don't verify again and again in SSL * handshakes and the like once the cert has * been declared trusted. */ { ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; ctx->current_cert=xs; ok=(*cb)(0,ctx); if (!ok) { EVP_PKEY_free(pkey); goto end; } } EVP_PKEY_free(pkey); pkey=NULL; i=X509_cmp_time(X509_get_notBefore(xs), ptime); if (i == 0) { ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; ctx->current_cert=xs; ok=(*cb)(0,ctx); if (!ok) goto end; } if (i > 0) { ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; ctx->current_cert=xs; ok=(*cb)(0,ctx); if (!ok) goto end; } xs->valid=1; } i=X509_cmp_time(X509_get_notAfter(xs), ptime); if (i == 0) { ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; ctx->current_cert=xs; ok=(*cb)(0,ctx); if (!ok) goto end; } if (i < 0) { ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; ctx->current_cert=xs; ok=(*cb)(0,ctx); if (!ok) goto end; } /* The last error (if any) is still in the error value */ ctx->current_cert=xs; ok=(*cb)(1,ctx); if (!ok) goto end; n--; if (n >= 0) { xi=xs; xs=sk_X509_value(ctx->chain,n); } } ok=1; end: return ok; } int X509_cmp_current_time(ASN1_TIME *ctm) { return X509_cmp_time(ctm, NULL); } int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time) { char *str; ASN1_TIME atm; long offset; char buff1[24],buff2[24],*p; int i,j; p=buff1; i=ctm->length; str=(char *)ctm->data; if (ctm->type == V_ASN1_UTCTIME) { if ((i < 11) || (i > 17)) return 0; memcpy(p,str,10); p+=10; str+=10; } else { if (i < 13) return 0; memcpy(p,str,12); p+=12; str+=12; } if ((*str == 'Z') || (*str == '-') || (*str == '+')) { *(p++)='0'; *(p++)='0'; } else { *(p++)= *(str++); *(p++)= *(str++); /* Skip any fractional seconds... */ if (*str == '.') { str++; while ((*str >= '0') && (*str <= '9')) str++; } } *(p++)='Z'; *(p++)='\0'; if (*str == 'Z') offset=0; else { if ((*str != '+') && (str[5] != '-')) return 0; offset=((str[1]-'0')*10+(str[2]-'0'))*60; offset+=(str[3]-'0')*10+(str[4]-'0'); if (*str == '-') offset= -offset; } atm.type=ctm->type; atm.length=sizeof(buff2); atm.data=(unsigned char *)buff2; X509_time_adj(&atm,-offset*60, cmp_time); if (ctm->type == V_ASN1_UTCTIME) { i=(buff1[0]-'0')*10+(buff1[1]-'0'); if (i < 50) i+=100; /* cf. RFC 2459 */ j=(buff2[0]-'0')*10+(buff2[1]-'0'); if (j < 50) j+=100; if (i < j) return -1; if (i > j) return 1; } i=strcmp(buff1,buff2); if (i == 0) /* wait a second then return younger :-) */ return -1; else return i; } ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) { return X509_time_adj(s, adj, NULL); } ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *in_tm) { time_t t; int type = -1; if (in_tm) t = *in_tm; else time(&t); t+=adj; if (s) type = s->type; if (type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t); if (type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_set(s, t); return ASN1_TIME_set(s, t); } int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) { EVP_PKEY *ktmp=NULL,*ktmp2; int i,j; if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; for (i=0; i= 0; j--) { ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); EVP_PKEY_copy_parameters(ktmp2,ktmp); EVP_PKEY_free(ktmp2); } if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); EVP_PKEY_free(ktmp); return 1; } int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) { /* This function is (usually) called only once, by * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, new_func, dup_func, free_func); } int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) { return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); } void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) { return CRYPTO_get_ex_data(&ctx->ex_data,idx); } int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) { return ctx->error; } void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) { ctx->error=err; } int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) { return ctx->error_depth; } X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) { return ctx->current_cert; } STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) { return ctx->chain; } STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) { int i; X509 *x; STACK_OF(X509) *chain; if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; for (i = 0; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); } return chain; } void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) { ctx->cert=x; } void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { ctx->untrusted=sk; } int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) { return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); } int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) { return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); } /* This function is used to set the X509_STORE_CTX purpose and trust * values. This is intended to be used when another structure has its * own trust and purpose values which (if set) will be inherited by * the ctx. If they aren't set then we will usually have a default * purpose in mind which should then be used to set the trust value. * An example of this is SSL use: an SSL structure will have its own * purpose and trust settings which the application can set: if they * aren't set then we use the default of SSL client/server. */ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, int purpose, int trust) { int idx; /* If purpose not set use default */ if (!purpose) purpose = def_purpose; /* If we have a purpose then check it is valid */ if (purpose) { X509_PURPOSE *ptmp; idx = X509_PURPOSE_get_by_id(purpose); if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_PURPOSE_ID); return 0; } ptmp = X509_PURPOSE_get0(idx); if (ptmp->trust == X509_TRUST_DEFAULT) { idx = X509_PURPOSE_get_by_id(def_purpose); if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_PURPOSE_ID); return 0; } ptmp = X509_PURPOSE_get0(idx); } /* If trust not set then get from purpose default */ if (!trust) trust = ptmp->trust; } if (trust) { idx = X509_TRUST_get_by_id(trust); if (idx == -1) { X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, X509_R_UNKNOWN_TRUST_ID); return 0; } } if (purpose && !ctx->purpose) ctx->purpose = purpose; if (trust && !ctx->trust) ctx->trust = trust; return 1; } X509_STORE_CTX *X509_STORE_CTX_new(void) { X509_STORE_CTX *ctx; ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX)); if (!ctx) { X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); return NULL; } memset(ctx, 0, sizeof(X509_STORE_CTX)); return ctx; } void X509_STORE_CTX_free(X509_STORE_CTX *ctx) { X509_STORE_CTX_cleanup(ctx); OPENSSL_free(ctx); } int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain) { ctx->ctx=store; ctx->current_method=0; ctx->cert=x509; ctx->untrusted=chain; ctx->last_untrusted=0; ctx->check_time=0; ctx->other_ctx=NULL; ctx->valid=0; ctx->chain=NULL; ctx->depth=9; ctx->error=0; ctx->error_depth=0; ctx->current_cert=NULL; ctx->current_issuer=NULL; /* Inherit callbacks and flags from X509_STORE if not set * use defaults. */ if (store) { ctx->purpose=store->purpose; ctx->trust=store->trust; ctx->flags = store->flags; ctx->cleanup = store->cleanup; } else { ctx->purpose = 0; ctx->trust = 0; ctx->flags = 0; ctx->cleanup = 0; } if (store && store->check_issued) ctx->check_issued = store->check_issued; else ctx->check_issued = check_issued; if (store && store->get_issuer) ctx->get_issuer = store->get_issuer; else ctx->get_issuer = X509_STORE_CTX_get1_issuer; if (store && store->verify_cb) ctx->verify_cb = store->verify_cb; else ctx->verify_cb = null_callback; if (store && store->verify) ctx->verify = store->verify; else ctx->verify = internal_verify; if (store && store->check_revocation) ctx->check_revocation = store->check_revocation; else ctx->check_revocation = check_revocation; if (store && store->get_crl) ctx->get_crl = store->get_crl; else ctx->get_crl = get_crl; if (store && store->check_crl) ctx->check_crl = store->check_crl; else ctx->check_crl = check_crl; if (store && store->cert_crl) ctx->cert_crl = store->cert_crl; else ctx->cert_crl = cert_crl; /* This memset() can't make any sense anyway, so it's removed. As * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a * corresponding "new" here and remove this bogus initialisation. */ /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data))) { OPENSSL_free(ctx); X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); return 0; } return 1; } /* Set alternative lookup method: just a STACK of trusted certificates. * This avoids X509_STORE nastiness where it isn't needed. */ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { ctx->other_ctx = sk; ctx->get_issuer = get_issuer_sk; } void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) { if (ctx->cleanup) ctx->cleanup(ctx); if (ctx->chain != NULL) { sk_X509_pop_free(ctx->chain,X509_free); ctx->chain=NULL; } CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); } void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags) { ctx->flags |= flags; } void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t) { ctx->check_time = t; ctx->flags |= X509_V_FLAG_USE_CHECK_TIME; } void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)) { ctx->verify_cb=verify_cb; } IMPLEMENT_STACK_OF(X509) IMPLEMENT_ASN1_SET_OF(X509) IMPLEMENT_STACK_OF(X509_NAME) IMPLEMENT_STACK_OF(X509_ATTRIBUTE) IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE) diff --git a/crypto/openssl/crypto/x509/x509_vfy.h b/crypto/openssl/crypto/x509/x509_vfy.h index f0be21f4525c..198495884cfa 100644 --- a/crypto/openssl/crypto/x509/x509_vfy.h +++ b/crypto/openssl/crypto/x509/x509_vfy.h @@ -1,407 +1,416 @@ /* crypto/x509/x509_vfy.h */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #ifndef HEADER_X509_H #include /* openssl/x509.h ends up #include-ing this file at about the only * appropriate moment. */ #endif #ifndef HEADER_X509_VFY_H #define HEADER_X509_VFY_H #ifndef OPENSSL_NO_LHASH #include #endif #include #include #include #ifdef __cplusplus extern "C" { #endif /* Outer object */ typedef struct x509_hash_dir_st { int num_dirs; char **dirs; int *dirs_type; int num_dirs_alloced; } X509_HASH_DIR_CTX; typedef struct x509_file_st { int num_paths; /* number of paths to files or directories */ int num_alloced; char **paths; /* the list of paths or directories */ int *path_type; } X509_CERT_FILE_CTX; /*******************************/ /* SSL_CTX -> X509_STORE -> X509_LOOKUP ->X509_LOOKUP_METHOD -> X509_LOOKUP ->X509_LOOKUP_METHOD SSL -> X509_STORE_CTX ->X509_STORE The X509_STORE holds the tables etc for verification stuff. A X509_STORE_CTX is used while validating a single certificate. The X509_STORE has X509_LOOKUPs for looking up certs. The X509_STORE then calls a function to actually verify the certificate chain. */ #define X509_LU_RETRY -1 #define X509_LU_FAIL 0 #define X509_LU_X509 1 #define X509_LU_CRL 2 #define X509_LU_PKEY 3 typedef struct x509_object_st { /* one of the above types */ int type; union { char *ptr; X509 *x509; X509_CRL *crl; EVP_PKEY *pkey; } data; } X509_OBJECT; typedef struct x509_lookup_st X509_LOOKUP; DECLARE_STACK_OF(X509_LOOKUP) DECLARE_STACK_OF(X509_OBJECT) /* This is a static that defines the function interface */ typedef struct x509_lookup_method_st { const char *name; int (*new_item)(X509_LOOKUP *ctx); void (*free)(X509_LOOKUP *ctx); int (*init)(X509_LOOKUP *ctx); int (*shutdown)(X509_LOOKUP *ctx); int (*ctrl)(X509_LOOKUP *ctx,int cmd,const char *argc,long argl, char **ret); int (*get_by_subject)(X509_LOOKUP *ctx,int type,X509_NAME *name, X509_OBJECT *ret); int (*get_by_issuer_serial)(X509_LOOKUP *ctx,int type,X509_NAME *name, ASN1_INTEGER *serial,X509_OBJECT *ret); int (*get_by_fingerprint)(X509_LOOKUP *ctx,int type, unsigned char *bytes,int len, X509_OBJECT *ret); int (*get_by_alias)(X509_LOOKUP *ctx,int type,char *str,int len, X509_OBJECT *ret); } X509_LOOKUP_METHOD; /* This is used to hold everything. It is used for all certificate * validation. Once we have a certificate chain, the 'verify' * function is then called to actually check the cert chain. */ struct x509_store_st { /* The following is a cache of trusted certs */ int cache; /* if true, stash any hits */ STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */ /* These are external lookup methods */ STACK_OF(X509_LOOKUP) *get_cert_methods; /* The following fields are not used by X509_STORE but are * inherited by X509_STORE_CTX when it is initialised. */ unsigned long flags; /* Various verify flags */ int purpose; int trust; /* Callbacks for various operations */ int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ int (*cleanup)(X509_STORE_CTX *ctx); CRYPTO_EX_DATA ex_data; int references; int depth; /* how deep to look (still unused -- X509_STORE_CTX's depth is used) */ } /* X509_STORE */; #define X509_STORE_set_depth(ctx,d) ((ctx)->depth=(d)) #define X509_STORE_set_verify_cb_func(ctx,func) ((ctx)->verify_cb=(func)) #define X509_STORE_set_verify_func(ctx,func) ((ctx)->verify=(func)) /* This is the functions plus an instance of the local variables. */ struct x509_lookup_st { int init; /* have we been started */ int skip; /* don't use us. */ X509_LOOKUP_METHOD *method; /* the functions */ char *method_data; /* method data */ X509_STORE *store_ctx; /* who owns us */ } /* X509_LOOKUP */; /* This is a used when verifying cert chains. Since the * gathering of the cert chain can take some time (and have to be * 'retried', this needs to be kept and passed around. */ struct x509_store_ctx_st /* X509_STORE_CTX */ { X509_STORE *ctx; int current_method; /* used when looking up certs */ /* The following are set by the caller */ X509 *cert; /* The cert to check */ STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */ int purpose; /* purpose to check untrusted certificates */ int trust; /* trust setting to check */ time_t check_time; /* time to make verify at */ unsigned long flags; /* Various verify flags */ void *other_ctx; /* Other info for use with get_issuer() */ /* Callbacks for various operations */ int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ int (*cleanup)(X509_STORE_CTX *ctx); /* The following is built up */ int depth; /* how far to go looking up certs */ int valid; /* if 0, rebuild chain */ int last_untrusted; /* index of last untrusted cert */ STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */ /* When something goes wrong, this is why */ int error_depth; int error; X509 *current_cert; X509 *current_issuer; /* cert currently being tested as valid issuer */ X509_CRL *current_crl; /* current CRL */ CRYPTO_EX_DATA ex_data; } /* X509_STORE_CTX */; #define X509_STORE_CTX_set_depth(ctx,d) ((ctx)->depth=(d)) #define X509_STORE_CTX_set_app_data(ctx,data) \ X509_STORE_CTX_set_ex_data(ctx,0,data) #define X509_STORE_CTX_get_app_data(ctx) \ X509_STORE_CTX_get_ex_data(ctx,0) #define X509_L_FILE_LOAD 1 #define X509_L_ADD_DIR 2 #define X509_LOOKUP_load_file(x,name,type) \ X509_LOOKUP_ctrl((x),X509_L_FILE_LOAD,(name),(long)(type),NULL) #define X509_LOOKUP_add_dir(x,name,type) \ X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL) #define X509_V_OK 0 /* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */ #define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 #define X509_V_ERR_UNABLE_TO_GET_CRL 3 #define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 #define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5 #define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 #define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 #define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 #define X509_V_ERR_CERT_NOT_YET_VALID 9 #define X509_V_ERR_CERT_HAS_EXPIRED 10 #define X509_V_ERR_CRL_NOT_YET_VALID 11 #define X509_V_ERR_CRL_HAS_EXPIRED 12 #define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13 #define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14 #define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15 #define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16 #define X509_V_ERR_OUT_OF_MEM 17 #define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18 #define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19 #define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20 #define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21 #define X509_V_ERR_CERT_CHAIN_TOO_LONG 22 #define X509_V_ERR_CERT_REVOKED 23 #define X509_V_ERR_INVALID_CA 24 #define X509_V_ERR_PATH_LENGTH_EXCEEDED 25 #define X509_V_ERR_INVALID_PURPOSE 26 #define X509_V_ERR_CERT_UNTRUSTED 27 #define X509_V_ERR_CERT_REJECTED 28 /* These are 'informational' when looking for issuer cert */ #define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29 #define X509_V_ERR_AKID_SKID_MISMATCH 30 #define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 #define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 #define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 #define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 +#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 +#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 /* Certificate verify flags */ -#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 /* Send issuer+subject checks to verify_cb */ -#define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Use check time instead of current time */ -#define X509_V_FLAG_CRL_CHECK 0x4 /* Lookup CRLs */ -#define X509_V_FLAG_CRL_CHECK_ALL 0x8 /* Lookup CRLs for whole chain */ -#define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Ignore unhandled critical extensions */ +/* Send issuer+subject checks to verify_cb */ +#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 +/* Use check time instead of current time */ +#define X509_V_FLAG_USE_CHECK_TIME 0x2 +/* Lookup CRLs */ +#define X509_V_FLAG_CRL_CHECK 0x4 +/* Lookup CRLs for whole chain */ +#define X509_V_FLAG_CRL_CHECK_ALL 0x8 +/* Ignore unhandled critical extensions */ +#define X509_V_FLAG_IGNORE_CRITICAL 0x10 +/* Disable workarounds for broken certificates */ +#define X509_V_FLAG_X509_STRICT 0x20 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,int type,X509_NAME *name); X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x); void X509_OBJECT_up_ref_count(X509_OBJECT *a); void X509_OBJECT_free_contents(X509_OBJECT *a); X509_STORE *X509_STORE_new(void ); void X509_STORE_free(X509_STORE *v); void X509_STORE_set_flags(X509_STORE *ctx, long flags); int X509_STORE_set_purpose(X509_STORE *ctx, int purpose); int X509_STORE_set_trust(X509_STORE *ctx, int trust); X509_STORE_CTX *X509_STORE_CTX_new(void); int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); void X509_STORE_CTX_free(X509_STORE_CTX *ctx); int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain); void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m); X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void); X509_LOOKUP_METHOD *X509_LOOKUP_file(void); int X509_STORE_add_cert(X509_STORE *ctx, X509 *x); int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x); int X509_STORE_get_by_subject(X509_STORE_CTX *vs,int type,X509_NAME *name, X509_OBJECT *ret); int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret); #ifndef OPENSSL_NO_STDIO int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type); int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type); int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type); #endif X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method); void X509_LOOKUP_free(X509_LOOKUP *ctx); int X509_LOOKUP_init(X509_LOOKUP *ctx); int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, X509_OBJECT *ret); int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name, ASN1_INTEGER *serial, X509_OBJECT *ret); int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type, unsigned char *bytes, int len, X509_OBJECT *ret); int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len, X509_OBJECT *ret); int X509_LOOKUP_shutdown(X509_LOOKUP *ctx); #ifndef OPENSSL_NO_STDIO int X509_STORE_load_locations (X509_STORE *ctx, const char *file, const char *dir); int X509_STORE_set_default_paths(X509_STORE *ctx); #endif int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx,int idx,void *data); void * X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx,int idx); int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s); int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx); STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx); void X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x); void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk); int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, int purpose, int trust); void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags); void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t); void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)); #ifdef __cplusplus } #endif #endif diff --git a/crypto/openssl/crypto/x509/x509type.c b/crypto/openssl/crypto/x509/x509type.c index f78c2a6b4380..c25959a74282 100644 --- a/crypto/openssl/crypto/x509/x509type.c +++ b/crypto/openssl/crypto/x509/x509type.c @@ -1,115 +1,115 @@ /* crypto/x509/x509type.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include "cryptlib.h" #include #include #include int X509_certificate_type(X509 *x, EVP_PKEY *pkey) { EVP_PKEY *pk; int ret=0,i; if (x == NULL) return(0); if (pkey == NULL) pk=X509_get_pubkey(x); else pk=pkey; if (pk == NULL) return(0); switch (pk->type) { case EVP_PKEY_RSA: ret=EVP_PK_RSA|EVP_PKT_SIGN; /* if (!sign only extension) */ ret|=EVP_PKT_ENC; break; case EVP_PKEY_DSA: ret=EVP_PK_DSA|EVP_PKT_SIGN; break; case EVP_PKEY_DH: ret=EVP_PK_DH|EVP_PKT_EXCH; break; default: break; } i=X509_get_signature_type(x); switch (i) { case EVP_PKEY_RSA: ret|=EVP_PKS_RSA; break; case EVP_PKEY_DSA: ret|=EVP_PKS_DSA; break; default: break; } - if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look + if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look for, not bytes */ ret|=EVP_PKT_EXP; if(pkey==NULL) EVP_PKEY_free(pk); return(ret); } diff --git a/crypto/openssl/crypto/x509v3/Makefile.ssl b/crypto/openssl/crypto/x509v3/Makefile.ssl index 5ca169c37cd6..66df90c34624 100644 --- a/crypto/openssl/crypto/x509v3/Makefile.ssl +++ b/crypto/openssl/crypto/x509v3/Makefile.ssl @@ -1,603 +1,603 @@ # # SSLeay/crypto/x509v3/Makefile # DIR= x509v3 TOP= ../.. CC= cc INCLUDES= -I.. -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile README TEST= APPS= LIB=$(TOP)/libcrypto.a LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \ v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \ v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \ v3_ocsp.c v3_akeya.c LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \ v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \ v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \ v3_ocsp.o v3_akeya.o SRC= $(LIBSRC) EXHEADER= x509v3.h HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. v3_akey.o: ../../e_os.h ../../include/openssl/aes.h v3_akey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h v3_akey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_akey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_akey.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_akey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_akey.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_akey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_akey.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_akey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_akey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_akey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_akey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_akey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h v3_akey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h v3_akey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h v3_akey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h v3_akey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h v3_akey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_akey.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h v3_akey.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h v3_akey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_akey.o: ../cryptlib.h v3_akey.c v3_akeya.o: ../../e_os.h ../../include/openssl/aes.h v3_akeya.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h v3_akeya.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_akeya.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_akeya.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_akeya.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_akeya.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_akeya.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_akeya.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_akeya.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_akeya.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_akeya.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_akeya.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_akeya.o: ../../include/openssl/opensslconf.h v3_akeya.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h v3_akeya.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h v3_akeya.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h v3_akeya.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h v3_akeya.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_akeya.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_akeya.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h v3_akeya.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_akeya.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_akeya.c v3_alt.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h v3_alt.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_alt.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_alt.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_alt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_alt.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_alt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_alt.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_alt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_alt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_alt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_alt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_alt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h v3_alt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h v3_alt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h v3_alt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h v3_alt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h v3_alt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_alt.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h v3_alt.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h v3_alt.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_alt.o: ../cryptlib.h v3_alt.c v3_bcons.o: ../../e_os.h ../../include/openssl/aes.h v3_bcons.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h v3_bcons.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_bcons.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_bcons.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_bcons.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_bcons.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_bcons.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_bcons.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_bcons.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_bcons.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_bcons.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_bcons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_bcons.o: ../../include/openssl/opensslconf.h v3_bcons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h v3_bcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h v3_bcons.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h v3_bcons.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h v3_bcons.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_bcons.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_bcons.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h v3_bcons.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_bcons.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_bcons.c v3_bitst.o: ../../e_os.h ../../include/openssl/aes.h v3_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h v3_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h v3_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h v3_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h v3_bitst.o: ../../include/openssl/des.h ../../include/openssl/des_old.h v3_bitst.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h v3_bitst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h v3_bitst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h v3_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h v3_bitst.o: ../../include/openssl/md4.h ../../include/openssl/md5.h v3_bitst.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h v3_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h v3_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h v3_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h v3_bitst.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h v3_bitst.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h v3_bitst.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_bitst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_bitst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h v3_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_bitst.c v3_conf.o: ../../e_os.h ../../include/openssl/aes.h v3_conf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h v3_conf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h v3_conf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h v3_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h v3_conf.o: ../../include/openssl/des.h ../../include/openssl/des_old.h v3_conf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h v3_conf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h v3_conf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h v3_conf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h v3_conf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h v3_conf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h v3_conf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h v3_conf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h v3_conf.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h v3_conf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h v3_conf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h v3_conf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_conf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_conf.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h v3_conf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_conf.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_conf.c v3_cpols.o: ../../e_os.h ../../include/openssl/aes.h v3_cpols.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h v3_cpols.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_cpols.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_cpols.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_cpols.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_cpols.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_cpols.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_cpols.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_cpols.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_cpols.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_cpols.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_cpols.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_cpols.o: ../../include/openssl/opensslconf.h v3_cpols.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h v3_cpols.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h v3_cpols.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h v3_cpols.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h v3_cpols.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_cpols.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_cpols.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h v3_cpols.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_cpols.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_cpols.c v3_crld.o: ../../e_os.h ../../include/openssl/aes.h v3_crld.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h v3_crld.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_crld.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_crld.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_crld.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_crld.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_crld.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_crld.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_crld.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_crld.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_crld.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_crld.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_crld.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h v3_crld.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h v3_crld.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h v3_crld.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h v3_crld.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h v3_crld.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_crld.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h v3_crld.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h v3_crld.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_crld.o: ../cryptlib.h v3_crld.c v3_enum.o: ../../e_os.h ../../include/openssl/aes.h v3_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h v3_enum.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h v3_enum.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h v3_enum.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h v3_enum.o: ../../include/openssl/des.h ../../include/openssl/des_old.h v3_enum.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h v3_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h v3_enum.o: ../../include/openssl/evp.h ../../include/openssl/idea.h v3_enum.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h v3_enum.o: ../../include/openssl/md4.h ../../include/openssl/md5.h v3_enum.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h v3_enum.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h v3_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h v3_enum.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h v3_enum.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h v3_enum.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h v3_enum.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_enum.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_enum.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h v3_enum.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_enum.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_enum.c v3_extku.o: ../../e_os.h ../../include/openssl/aes.h v3_extku.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h v3_extku.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_extku.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_extku.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_extku.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_extku.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_extku.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_extku.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_extku.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_extku.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_extku.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_extku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_extku.o: ../../include/openssl/opensslconf.h v3_extku.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h v3_extku.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h v3_extku.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h v3_extku.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h v3_extku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_extku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_extku.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h v3_extku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_extku.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_extku.c v3_genn.o: ../../e_os.h ../../include/openssl/aes.h v3_genn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h v3_genn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_genn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_genn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_genn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_genn.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_genn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_genn.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_genn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_genn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_genn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_genn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_genn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h v3_genn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h v3_genn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h v3_genn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h v3_genn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h v3_genn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_genn.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h v3_genn.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h v3_genn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_genn.o: ../cryptlib.h v3_genn.c v3_ia5.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h v3_ia5.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_ia5.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_ia5.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_ia5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_ia5.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_ia5.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_ia5.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_ia5.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_ia5.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_ia5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_ia5.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_ia5.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h v3_ia5.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h v3_ia5.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h v3_ia5.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h v3_ia5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h v3_ia5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_ia5.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h v3_ia5.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h v3_ia5.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_ia5.o: ../cryptlib.h v3_ia5.c v3_info.o: ../../e_os.h ../../include/openssl/aes.h v3_info.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h v3_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_info.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_info.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_info.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_info.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_info.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_info.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_info.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h v3_info.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h v3_info.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h v3_info.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h v3_info.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h v3_info.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_info.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h v3_info.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h v3_info.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_info.o: ../cryptlib.h v3_info.c v3_int.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h v3_int.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_int.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_int.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_int.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_int.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_int.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_int.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_int.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_int.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_int.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h v3_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h v3_int.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h v3_int.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h v3_int.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h v3_int.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_int.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h v3_int.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h v3_int.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_int.o: ../cryptlib.h v3_int.c v3_lib.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h v3_lib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_lib.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_lib.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h v3_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h v3_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h v3_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h v3_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h v3_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h v3_lib.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h v3_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_lib.o: ../cryptlib.h ext_dat.h v3_lib.c v3_ocsp.o: ../../e_os.h ../../include/openssl/aes.h v3_ocsp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h v3_ocsp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h v3_ocsp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h v3_ocsp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h v3_ocsp.o: ../../include/openssl/des.h ../../include/openssl/des_old.h v3_ocsp.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h v3_ocsp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h v3_ocsp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h v3_ocsp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h v3_ocsp.o: ../../include/openssl/md4.h ../../include/openssl/md5.h v3_ocsp.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h v3_ocsp.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h v3_ocsp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h v3_ocsp.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h v3_ocsp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h v3_ocsp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h v3_ocsp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h v3_ocsp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_ocsp.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h v3_ocsp.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h v3_ocsp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_ocsp.o: ../cryptlib.h v3_ocsp.c v3_pku.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h v3_pku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_pku.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h v3_pku.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h v3_pku.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h v3_pku.o: ../../include/openssl/des.h ../../include/openssl/des_old.h v3_pku.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h v3_pku.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h v3_pku.o: ../../include/openssl/evp.h ../../include/openssl/idea.h v3_pku.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h v3_pku.o: ../../include/openssl/md4.h ../../include/openssl/md5.h v3_pku.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h v3_pku.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h v3_pku.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h v3_pku.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h v3_pku.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h v3_pku.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h v3_pku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_pku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_pku.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h v3_pku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_pku.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pku.c v3_prn.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h v3_prn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_prn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_prn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_prn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_prn.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_prn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_prn.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_prn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_prn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_prn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_prn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_prn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h v3_prn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h v3_prn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h v3_prn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h v3_prn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h v3_prn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_prn.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h v3_prn.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h v3_prn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_prn.o: ../cryptlib.h v3_prn.c v3_purp.o: ../../e_os.h ../../include/openssl/aes.h v3_purp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h v3_purp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h v3_purp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h v3_purp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h v3_purp.o: ../../include/openssl/des.h ../../include/openssl/des_old.h v3_purp.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h v3_purp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h v3_purp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h v3_purp.o: ../../include/openssl/md4.h ../../include/openssl/md5.h v3_purp.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h v3_purp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h v3_purp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h v3_purp.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h v3_purp.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h v3_purp.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h v3_purp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_purp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_purp.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h v3_purp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_purp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_purp.c v3_skey.o: ../../e_os.h ../../include/openssl/aes.h v3_skey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h v3_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h v3_skey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h v3_skey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h v3_skey.o: ../../include/openssl/des.h ../../include/openssl/des_old.h v3_skey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h v3_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h v3_skey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h v3_skey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h v3_skey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h v3_skey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h v3_skey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h v3_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h v3_skey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h v3_skey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h v3_skey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h v3_skey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_skey.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h v3_skey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_skey.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_skey.c v3_sxnet.o: ../../e_os.h ../../include/openssl/aes.h v3_sxnet.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h v3_sxnet.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_sxnet.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_sxnet.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_sxnet.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_sxnet.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_sxnet.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_sxnet.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_sxnet.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_sxnet.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_sxnet.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_sxnet.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_sxnet.o: ../../include/openssl/opensslconf.h v3_sxnet.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h v3_sxnet.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h v3_sxnet.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h v3_sxnet.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h v3_sxnet.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_sxnet.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_sxnet.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h v3_sxnet.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_sxnet.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_sxnet.c v3_utl.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h v3_utl.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3_utl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_utl.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3_utl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3_utl.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3_utl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3_utl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3_utl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3_utl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3_utl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3_utl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h v3_utl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h v3_utl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h v3_utl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h v3_utl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h v3_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_utl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h v3_utl.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h v3_utl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_utl.o: ../cryptlib.h v3_utl.c v3err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h v3err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h v3err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3err.o: ../../include/openssl/cast.h ../../include/openssl/conf.h v3err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h v3err.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h v3err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h v3err.o: ../../include/openssl/err.h ../../include/openssl/evp.h v3err.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h v3err.o: ../../include/openssl/md2.h ../../include/openssl/md4.h v3err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h v3err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h v3err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h v3err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h v3err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h v3err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h v3err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h v3err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3err.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h v3err.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h v3err.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3err.o: v3err.c diff --git a/crypto/openssl/crypto/x509v3/v3_alt.c b/crypto/openssl/crypto/x509v3/v3_alt.c index 0e9e7dcb4fda..58b935a3b6b8 100644 --- a/crypto/openssl/crypto/x509v3/v3_alt.c +++ b/crypto/openssl/crypto/x509v3/v3_alt.c @@ -1,457 +1,458 @@ /* v3_alt.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 1999. */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include "cryptlib.h" #include #include static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p); static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens); X509V3_EXT_METHOD v3_alt[] = { { NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES), 0,0,0,0, 0,0, (X509V3_EXT_I2V)i2v_GENERAL_NAMES, (X509V3_EXT_V2I)v2i_subject_alt, NULL, NULL, NULL}, { NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES), 0,0,0,0, 0,0, (X509V3_EXT_I2V)i2v_GENERAL_NAMES, (X509V3_EXT_V2I)v2i_issuer_alt, NULL, NULL, NULL}, }; STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens, STACK_OF(CONF_VALUE) *ret) { int i; GENERAL_NAME *gen; for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) { gen = sk_GENERAL_NAME_value(gens, i); ret = i2v_GENERAL_NAME(method, gen, ret); } if(!ret) return sk_CONF_VALUE_new_null(); return ret; } STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret) { unsigned char *p; char oline[256]; switch (gen->type) { case GEN_OTHERNAME: X509V3_add_value("othername","", &ret); break; case GEN_X400: X509V3_add_value("X400Name","", &ret); break; case GEN_EDIPARTY: X509V3_add_value("EdiPartyName","", &ret); break; case GEN_EMAIL: X509V3_add_value_uchar("email",gen->d.ia5->data, &ret); break; case GEN_DNS: X509V3_add_value_uchar("DNS",gen->d.ia5->data, &ret); break; case GEN_URI: X509V3_add_value_uchar("URI",gen->d.ia5->data, &ret); break; case GEN_DIRNAME: X509_NAME_oneline(gen->d.dirn, oline, 256); X509V3_add_value("DirName",oline, &ret); break; case GEN_IPADD: p = gen->d.ip->data; /* BUG: doesn't support IPV6 */ if(gen->d.ip->length != 4) { X509V3_add_value("IP Address","", &ret); break; } - sprintf(oline, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); + BIO_snprintf(oline, sizeof oline, + "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); X509V3_add_value("IP Address",oline, &ret); break; case GEN_RID: i2t_ASN1_OBJECT(oline, 256, gen->d.rid); X509V3_add_value("Registered ID",oline, &ret); break; } return ret; } int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen) { unsigned char *p; switch (gen->type) { case GEN_OTHERNAME: BIO_printf(out, "othername:"); break; case GEN_X400: BIO_printf(out, "X400Name:"); break; case GEN_EDIPARTY: /* Maybe fix this: it is supported now */ BIO_printf(out, "EdiPartyName:"); break; case GEN_EMAIL: BIO_printf(out, "email:%s",gen->d.ia5->data); break; case GEN_DNS: BIO_printf(out, "DNS:%s",gen->d.ia5->data); break; case GEN_URI: BIO_printf(out, "URI:%s",gen->d.ia5->data); break; case GEN_DIRNAME: BIO_printf(out, "DirName: "); X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE); break; case GEN_IPADD: p = gen->d.ip->data; /* BUG: doesn't support IPV6 */ if(gen->d.ip->length != 4) { BIO_printf(out,"IP Address:"); break; } BIO_printf(out, "IP Address:%d.%d.%d.%d", p[0], p[1], p[2], p[3]); break; case GEN_RID: BIO_printf(out, "Registered ID"); i2a_ASN1_OBJECT(out, gen->d.rid); break; } return 1; } static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) { GENERAL_NAMES *gens = NULL; CONF_VALUE *cnf; int i; if(!(gens = sk_GENERAL_NAME_new_null())) { X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE); return NULL; } for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { cnf = sk_CONF_VALUE_value(nval, i); if(!name_cmp(cnf->name, "issuer") && cnf->value && !strcmp(cnf->value, "copy")) { if(!copy_issuer(ctx, gens)) goto err; } else { GENERAL_NAME *gen; if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; sk_GENERAL_NAME_push(gens, gen); } } return gens; err: sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); return NULL; } /* Append subject altname of issuer to issuer alt name of subject */ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens) { GENERAL_NAMES *ialt; GENERAL_NAME *gen; X509_EXTENSION *ext; int i; if(ctx && (ctx->flags == CTX_TEST)) return 1; if(!ctx || !ctx->issuer_cert) { X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_NO_ISSUER_DETAILS); goto err; } i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1); if(i < 0) return 1; if(!(ext = X509_get_ext(ctx->issuer_cert, i)) || !(ialt = X509V3_EXT_d2i(ext)) ) { X509V3err(X509V3_F_COPY_ISSUER,X509V3_R_ISSUER_DECODE_ERROR); goto err; } for(i = 0; i < sk_GENERAL_NAME_num(ialt); i++) { gen = sk_GENERAL_NAME_value(ialt, i); if(!sk_GENERAL_NAME_push(gens, gen)) { X509V3err(X509V3_F_COPY_ISSUER,ERR_R_MALLOC_FAILURE); goto err; } } sk_GENERAL_NAME_free(ialt); return 1; err: return 0; } static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) { GENERAL_NAMES *gens = NULL; CONF_VALUE *cnf; int i; if(!(gens = sk_GENERAL_NAME_new_null())) { X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE); return NULL; } for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { cnf = sk_CONF_VALUE_value(nval, i); if(!name_cmp(cnf->name, "email") && cnf->value && !strcmp(cnf->value, "copy")) { if(!copy_email(ctx, gens, 0)) goto err; } else if(!name_cmp(cnf->name, "email") && cnf->value && !strcmp(cnf->value, "move")) { if(!copy_email(ctx, gens, 1)) goto err; } else { GENERAL_NAME *gen; if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; sk_GENERAL_NAME_push(gens, gen); } } return gens; err: sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); return NULL; } /* Copy any email addresses in a certificate or request to * GENERAL_NAMES */ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) { X509_NAME *nm; ASN1_IA5STRING *email = NULL; X509_NAME_ENTRY *ne; GENERAL_NAME *gen = NULL; int i; if(ctx->flags == CTX_TEST) return 1; if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) { X509V3err(X509V3_F_COPY_EMAIL,X509V3_R_NO_SUBJECT_DETAILS); goto err; } /* Find the subject name */ if(ctx->subject_cert) nm = X509_get_subject_name(ctx->subject_cert); else nm = X509_REQ_get_subject_name(ctx->subject_req); /* Now add any email address(es) to STACK */ i = -1; while((i = X509_NAME_get_index_by_NID(nm, NID_pkcs9_emailAddress, i)) >= 0) { ne = X509_NAME_get_entry(nm, i); email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne)); if (move_p) { X509_NAME_delete_entry(nm, i); i--; } if(!email || !(gen = GENERAL_NAME_new())) { X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE); goto err; } gen->d.ia5 = email; email = NULL; gen->type = GEN_EMAIL; if(!sk_GENERAL_NAME_push(gens, gen)) { X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE); goto err; } gen = NULL; } return 1; err: GENERAL_NAME_free(gen); M_ASN1_IA5STRING_free(email); return 0; } GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) { GENERAL_NAME *gen; GENERAL_NAMES *gens = NULL; CONF_VALUE *cnf; int i; if(!(gens = sk_GENERAL_NAME_new_null())) { X509V3err(X509V3_F_V2I_GENERAL_NAMES,ERR_R_MALLOC_FAILURE); return NULL; } for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { cnf = sk_CONF_VALUE_value(nval, i); if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; sk_GENERAL_NAME_push(gens, gen); } return gens; err: sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); return NULL; } GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf) { char is_string = 0; int type; GENERAL_NAME *gen = NULL; char *name, *value; name = cnf->name; value = cnf->value; if(!value) { X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_MISSING_VALUE); return NULL; } if(!(gen = GENERAL_NAME_new())) { X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE); return NULL; } if(!name_cmp(name, "email")) { is_string = 1; type = GEN_EMAIL; } else if(!name_cmp(name, "URI")) { is_string = 1; type = GEN_URI; } else if(!name_cmp(name, "DNS")) { is_string = 1; type = GEN_DNS; } else if(!name_cmp(name, "RID")) { ASN1_OBJECT *obj; if(!(obj = OBJ_txt2obj(value,0))) { X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_OBJECT); ERR_add_error_data(2, "value=", value); goto err; } gen->d.rid = obj; type = GEN_RID; } else if(!name_cmp(name, "IP")) { int i1,i2,i3,i4; unsigned char ip[4]; if((sscanf(value, "%d.%d.%d.%d",&i1,&i2,&i3,&i4) != 4) || (i1 < 0) || (i1 > 255) || (i2 < 0) || (i2 > 255) || (i3 < 0) || (i3 > 255) || (i4 < 0) || (i4 > 255) ) { X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS); ERR_add_error_data(2, "value=", value); goto err; } ip[0] = i1; ip[1] = i2 ; ip[2] = i3 ; ip[3] = i4; if(!(gen->d.ip = M_ASN1_OCTET_STRING_new()) || !ASN1_STRING_set(gen->d.ip, ip, 4)) { X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE); goto err; } type = GEN_IPADD; } else { X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_OPTION); ERR_add_error_data(2, "name=", name); goto err; } if(is_string) { if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) || !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value, strlen(value))) { X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE); goto err; } } gen->type = type; return gen; err: GENERAL_NAME_free(gen); return NULL; } diff --git a/crypto/openssl/crypto/x509v3/v3_crld.c b/crypto/openssl/crypto/x509v3/v3_crld.c index 894a8b94d802..f90829c574e7 100644 --- a/crypto/openssl/crypto/x509v3/v3_crld.c +++ b/crypto/openssl/crypto/x509v3/v3_crld.c @@ -1,162 +1,162 @@ /* v3_crld.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 1999. */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include "cryptlib.h" #include #include #include #include static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method, STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *extlist); static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); X509V3_EXT_METHOD v3_crld = { NID_crl_distribution_points, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(CRL_DIST_POINTS), 0,0,0,0, 0,0, (X509V3_EXT_I2V)i2v_crld, (X509V3_EXT_V2I)v2i_crld, 0,0, NULL }; static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method, STACK_OF(DIST_POINT) *crld, STACK_OF(CONF_VALUE) *exts) { DIST_POINT *point; int i; for(i = 0; i < sk_DIST_POINT_num(crld); i++) { point = sk_DIST_POINT_value(crld, i); if(point->distpoint) { if(point->distpoint->type == 0) exts = i2v_GENERAL_NAMES(NULL, point->distpoint->name.fullname, exts); else X509V3_add_value("RelativeName","", &exts); } if(point->reasons) X509V3_add_value("reasons","", &exts); if(point->CRLissuer) X509V3_add_value("CRLissuer","", &exts); } return exts; } static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) { STACK_OF(DIST_POINT) *crld = NULL; GENERAL_NAMES *gens = NULL; GENERAL_NAME *gen = NULL; CONF_VALUE *cnf; int i; if(!(crld = sk_DIST_POINT_new_null())) goto merr; for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { DIST_POINT *point; cnf = sk_CONF_VALUE_value(nval, i); if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; if(!(gens = GENERAL_NAMES_new())) goto merr; if(!sk_GENERAL_NAME_push(gens, gen)) goto merr; gen = NULL; if(!(point = DIST_POINT_new())) goto merr; if(!sk_DIST_POINT_push(crld, point)) { DIST_POINT_free(point); goto merr; } if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr; point->distpoint->name.fullname = gens; point->distpoint->type = 0; gens = NULL; } return crld; merr: X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE); err: GENERAL_NAME_free(gen); GENERAL_NAMES_free(gens); sk_DIST_POINT_pop_free(crld, DIST_POINT_free); return NULL; } IMPLEMENT_STACK_OF(DIST_POINT) IMPLEMENT_ASN1_SET_OF(DIST_POINT) ASN1_CHOICE(DIST_POINT_NAME) = { ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0), ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1) } ASN1_CHOICE_END(DIST_POINT_NAME) IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME) ASN1_SEQUENCE(DIST_POINT) = { ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0), ASN1_IMP_OPT(DIST_POINT, reasons, ASN1_BIT_STRING, 1), ASN1_IMP_SEQUENCE_OF_OPT(DIST_POINT, CRLissuer, GENERAL_NAME, 2) } ASN1_SEQUENCE_END(DIST_POINT) IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT) ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) = - ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, DIST_POINT, DIST_POINT) + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT) ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS) IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS) diff --git a/crypto/openssl/crypto/x509v3/v3_info.c b/crypto/openssl/crypto/x509v3/v3_info.c index e269df1373b0..53e3f4885904 100644 --- a/crypto/openssl/crypto/x509v3/v3_info.c +++ b/crypto/openssl/crypto/x509v3/v3_info.c @@ -1,193 +1,194 @@ /* v3_info.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 1999. */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include "cryptlib.h" #include #include #include #include static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, AUTHORITY_INFO_ACCESS *ainfo, STACK_OF(CONF_VALUE) *ret); static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); X509V3_EXT_METHOD v3_info = { NID_info_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS), 0,0,0,0, 0,0, (X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS, (X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS, 0,0, NULL}; X509V3_EXT_METHOD v3_sinfo = { NID_sinfo_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS), 0,0,0,0, 0,0, (X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS, (X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS, 0,0, NULL}; ASN1_SEQUENCE(ACCESS_DESCRIPTION) = { ASN1_SIMPLE(ACCESS_DESCRIPTION, method, ASN1_OBJECT), ASN1_SIMPLE(ACCESS_DESCRIPTION, location, GENERAL_NAME) } ASN1_SEQUENCE_END(ACCESS_DESCRIPTION) IMPLEMENT_ASN1_FUNCTIONS(ACCESS_DESCRIPTION) ASN1_ITEM_TEMPLATE(AUTHORITY_INFO_ACCESS) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, ACCESS_DESCRIPTION) ASN1_ITEM_TEMPLATE_END(AUTHORITY_INFO_ACCESS) IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS) static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, AUTHORITY_INFO_ACCESS *ainfo, STACK_OF(CONF_VALUE) *ret) { ACCESS_DESCRIPTION *desc; - int i; + int i,nlen; char objtmp[80], *ntmp; CONF_VALUE *vtmp; for(i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) { desc = sk_ACCESS_DESCRIPTION_value(ainfo, i); ret = i2v_GENERAL_NAME(method, desc->location, ret); if(!ret) break; vtmp = sk_CONF_VALUE_value(ret, i); i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method); - ntmp = OPENSSL_malloc(strlen(objtmp) + strlen(vtmp->name) + 5); + nlen = strlen(objtmp) + strlen(vtmp->name) + 5; + ntmp = OPENSSL_malloc(nlen); if(!ntmp) { X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS, ERR_R_MALLOC_FAILURE); return NULL; } - strcpy(ntmp, objtmp); - strcat(ntmp, " - "); - strcat(ntmp, vtmp->name); + BUF_strlcpy(ntmp, objtmp, nlen); + BUF_strlcat(ntmp, " - ", nlen); + BUF_strlcat(ntmp, vtmp->name, nlen); OPENSSL_free(vtmp->name); vtmp->name = ntmp; } if(!ret) return sk_CONF_VALUE_new_null(); return ret; } static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) { AUTHORITY_INFO_ACCESS *ainfo = NULL; CONF_VALUE *cnf, ctmp; ACCESS_DESCRIPTION *acc; int i, objlen; char *objtmp, *ptmp; if(!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) { X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE); return NULL; } for(i = 0; i < sk_CONF_VALUE_num(nval); i++) { cnf = sk_CONF_VALUE_value(nval, i); if(!(acc = ACCESS_DESCRIPTION_new()) || !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) { X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE); goto err; } ptmp = strchr(cnf->name, ';'); if(!ptmp) { X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_INVALID_SYNTAX); goto err; } objlen = ptmp - cnf->name; ctmp.name = ptmp + 1; ctmp.value = cnf->value; GENERAL_NAME_free(acc->location); if(!(acc->location = v2i_GENERAL_NAME(method, ctx, &ctmp))) goto err; if(!(objtmp = OPENSSL_malloc(objlen + 1))) { X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE); goto err; } strncpy(objtmp, cnf->name, objlen); objtmp[objlen] = 0; acc->method = OBJ_txt2obj(objtmp, 0); if(!acc->method) { X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,X509V3_R_BAD_OBJECT); ERR_add_error_data(2, "value=", objtmp); OPENSSL_free(objtmp); goto err; } OPENSSL_free(objtmp); } return ainfo; err: sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free); return NULL; } int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a) { i2a_ASN1_OBJECT(bp, a->method); #ifdef UNDEF i2a_GENERAL_NAME(bp, a->location); #endif return 2; } diff --git a/crypto/openssl/crypto/x509v3/v3_purp.c b/crypto/openssl/crypto/x509v3/v3_purp.c index 4d145f71fd03..b3d1ae5d1cc8 100644 --- a/crypto/openssl/crypto/x509v3/v3_purp.c +++ b/crypto/openssl/crypto/x509v3/v3_purp.c @@ -1,629 +1,630 @@ /* v3_purp.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL * project 2001. */ /* ==================================================================== - * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include "cryptlib.h" #include #include static void x509v3_cache_extensions(X509 *x); static int ca_check(const X509 *x); static int check_ssl_ca(const X509 *x); static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); static int purpose_smime(const X509 *x, int ca); static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca); static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca); static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca); static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca); static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca); static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b); static void xptable_free(X509_PURPOSE *p); static X509_PURPOSE xstandard[] = { {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL}, {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL}, {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL}, {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL}, {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL}, {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL}, {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL}, {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL}, }; #define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE)) IMPLEMENT_STACK_OF(X509_PURPOSE) static STACK_OF(X509_PURPOSE) *xptable = NULL; static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b) { return (*a)->purpose - (*b)->purpose; } /* As much as I'd like to make X509_check_purpose use a "const" X509* * I really can't because it does recalculate hashes and do other non-const * things. */ int X509_check_purpose(X509 *x, int id, int ca) { int idx; const X509_PURPOSE *pt; if(!(x->ex_flags & EXFLAG_SET)) { CRYPTO_w_lock(CRYPTO_LOCK_X509); x509v3_cache_extensions(x); CRYPTO_w_unlock(CRYPTO_LOCK_X509); } if(id == -1) return 1; idx = X509_PURPOSE_get_by_id(id); if(idx == -1) return -1; pt = X509_PURPOSE_get0(idx); return pt->check_purpose(pt, x, ca); } int X509_PURPOSE_set(int *p, int purpose) { if(X509_PURPOSE_get_by_id(purpose) == -1) { X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE); return 0; } *p = purpose; return 1; } int X509_PURPOSE_get_count(void) { if(!xptable) return X509_PURPOSE_COUNT; return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT; } X509_PURPOSE * X509_PURPOSE_get0(int idx) { if(idx < 0) return NULL; if(idx < X509_PURPOSE_COUNT) return xstandard + idx; return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT); } int X509_PURPOSE_get_by_sname(char *sname) { int i; X509_PURPOSE *xptmp; for(i = 0; i < X509_PURPOSE_get_count(); i++) { xptmp = X509_PURPOSE_get0(i); if(!strcmp(xptmp->sname, sname)) return i; } return -1; } int X509_PURPOSE_get_by_id(int purpose) { X509_PURPOSE tmp; int idx; if((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX)) return purpose - X509_PURPOSE_MIN; tmp.purpose = purpose; if(!xptable) return -1; idx = sk_X509_PURPOSE_find(xptable, &tmp); if(idx == -1) return -1; return idx + X509_PURPOSE_COUNT; } int X509_PURPOSE_add(int id, int trust, int flags, int (*ck)(const X509_PURPOSE *, const X509 *, int), char *name, char *sname, void *arg) { int idx; X509_PURPOSE *ptmp; /* This is set according to what we change: application can't set it */ flags &= ~X509_PURPOSE_DYNAMIC; /* This will always be set for application modified trust entries */ flags |= X509_PURPOSE_DYNAMIC_NAME; /* Get existing entry if any */ idx = X509_PURPOSE_get_by_id(id); /* Need a new entry */ if(idx == -1) { if(!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) { X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); return 0; } ptmp->flags = X509_PURPOSE_DYNAMIC; } else ptmp = X509_PURPOSE_get0(idx); /* OPENSSL_free existing name if dynamic */ if(ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) { OPENSSL_free(ptmp->name); OPENSSL_free(ptmp->sname); } /* dup supplied name */ ptmp->name = BUF_strdup(name); ptmp->sname = BUF_strdup(sname); if(!ptmp->name || !ptmp->sname) { X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); return 0; } /* Keep the dynamic flag of existing entry */ ptmp->flags &= X509_PURPOSE_DYNAMIC; /* Set all other flags */ ptmp->flags |= flags; ptmp->purpose = id; ptmp->trust = trust; ptmp->check_purpose = ck; ptmp->usr_data = arg; /* If its a new entry manage the dynamic table */ if(idx == -1) { if(!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) { X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); return 0; } if (!sk_X509_PURPOSE_push(xptable, ptmp)) { X509V3err(X509V3_F_X509_PURPOSE_ADD,ERR_R_MALLOC_FAILURE); return 0; } } return 1; } static void xptable_free(X509_PURPOSE *p) { if(!p) return; if (p->flags & X509_PURPOSE_DYNAMIC) { if (p->flags & X509_PURPOSE_DYNAMIC_NAME) { OPENSSL_free(p->name); OPENSSL_free(p->sname); } OPENSSL_free(p); } } void X509_PURPOSE_cleanup(void) { int i; sk_X509_PURPOSE_pop_free(xptable, xptable_free); for(i = 0; i < X509_PURPOSE_COUNT; i++) xptable_free(xstandard + i); xptable = NULL; } int X509_PURPOSE_get_id(X509_PURPOSE *xp) { return xp->purpose; } char *X509_PURPOSE_get0_name(X509_PURPOSE *xp) { return xp->name; } char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp) { return xp->sname; } int X509_PURPOSE_get_trust(X509_PURPOSE *xp) { return xp->trust; } static int nid_cmp(int *a, int *b) { return *a - *b; } int X509_supported_extension(X509_EXTENSION *ex) { /* This table is a list of the NIDs of supported extensions: * that is those which are used by the verify process. If * an extension is critical and doesn't appear in this list * then the verify process will normally reject the certificate. * The list must be kept in numerical order because it will be * searched using bsearch. */ static int supported_nids[] = { NID_netscape_cert_type, /* 71 */ NID_key_usage, /* 83 */ NID_subject_alt_name, /* 85 */ NID_basic_constraints, /* 87 */ NID_ext_key_usage /* 126 */ }; int ex_nid; ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex)); if (ex_nid == NID_undef) return 0; if (OBJ_bsearch((char *)&ex_nid, (char *)supported_nids, sizeof(supported_nids)/sizeof(int), sizeof(int), (int (*)(const void *, const void *))nid_cmp)) return 1; return 0; } static void x509v3_cache_extensions(X509 *x) { BASIC_CONSTRAINTS *bs; ASN1_BIT_STRING *usage; ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; X509_EXTENSION *ex; int i; if(x->ex_flags & EXFLAG_SET) return; #ifndef OPENSSL_NO_SHA X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); #endif /* Does subject name match issuer ? */ if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) x->ex_flags |= EXFLAG_SS; /* V1 should mean no extensions ... */ if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; /* Handle basic constraints */ if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { if(bs->ca) x->ex_flags |= EXFLAG_CA; if(bs->pathlen) { if((bs->pathlen->type == V_ASN1_NEG_INTEGER) || !bs->ca) { x->ex_flags |= EXFLAG_INVALID; x->ex_pathlen = 0; } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen); } else x->ex_pathlen = -1; BASIC_CONSTRAINTS_free(bs); x->ex_flags |= EXFLAG_BCONS; } /* Handle key usage */ if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { if(usage->length > 0) { x->ex_kusage = usage->data[0]; if(usage->length > 1) x->ex_kusage |= usage->data[1] << 8; } else x->ex_kusage = 0; x->ex_flags |= EXFLAG_KUSAGE; ASN1_BIT_STRING_free(usage); } x->ex_xkusage = 0; if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) { x->ex_flags |= EXFLAG_XKUSAGE; for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) { case NID_server_auth: x->ex_xkusage |= XKU_SSL_SERVER; break; case NID_client_auth: x->ex_xkusage |= XKU_SSL_CLIENT; break; case NID_email_protect: x->ex_xkusage |= XKU_SMIME; break; case NID_code_sign: x->ex_xkusage |= XKU_CODE_SIGN; break; case NID_ms_sgc: case NID_ns_sgc: x->ex_xkusage |= XKU_SGC; break; case NID_OCSP_sign: x->ex_xkusage |= XKU_OCSP_SIGN; break; case NID_time_stamp: x->ex_xkusage |= XKU_TIMESTAMP; break; case NID_dvcs: x->ex_xkusage |= XKU_DVCS; break; } } sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); } if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) { if(ns->length > 0) x->ex_nscert = ns->data[0]; else x->ex_nscert = 0; x->ex_flags |= EXFLAG_NSCERT; ASN1_BIT_STRING_free(ns); } x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); for (i = 0; i < X509_get_ext_count(x); i++) { ex = X509_get_ext(x, i); if (!X509_EXTENSION_get_critical(ex)) continue; if (!X509_supported_extension(ex)) { x->ex_flags |= EXFLAG_CRITICAL; break; } } x->ex_flags |= EXFLAG_SET; } /* CA checks common to all purposes * return codes: * 0 not a CA * 1 is a CA * 2 basicConstraints absent so "maybe" a CA * 3 basicConstraints absent but self signed V1. + * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. */ #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) #define ku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) #define xku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) #define ns_reject(x, usage) \ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) static int ca_check(const X509 *x) { /* keyUsage if present should allow cert signing */ if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0; if(x->ex_flags & EXFLAG_BCONS) { if(x->ex_flags & EXFLAG_CA) return 1; /* If basicConstraints says not a CA then say so */ else return 0; } else { if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; /* If key usage present it must have certSign so tolerate it */ - else if (x->ex_flags & EXFLAG_KUSAGE) return 3; + else if (x->ex_flags & EXFLAG_KUSAGE) return 4; else return 2; } } /* Check SSL CA: common checks for SSL client and server */ static int check_ssl_ca(const X509 *x) { int ca_ret; ca_ret = ca_check(x); if(!ca_ret) return 0; /* check nsCertType if present */ if(x->ex_flags & EXFLAG_NSCERT) { if(x->ex_nscert & NS_SSL_CA) return ca_ret; return 0; } if(ca_ret != 2) return ca_ret; else return 0; } static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) { if(xku_reject(x,XKU_SSL_CLIENT)) return 0; if(ca) return check_ssl_ca(x); /* We need to do digital signatures with it */ if(ku_reject(x,KU_DIGITAL_SIGNATURE)) return 0; /* nsCertType if present should allow SSL client use */ if(ns_reject(x, NS_SSL_CLIENT)) return 0; return 1; } static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) { if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0; if(ca) return check_ssl_ca(x); if(ns_reject(x, NS_SSL_SERVER)) return 0; /* Now as for keyUsage: we'll at least need to sign OR encipher */ if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT)) return 0; return 1; } static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) { int ret; ret = check_purpose_ssl_server(xp, x, ca); if(!ret || ca) return ret; /* We need to encipher or Netscape complains */ if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0; return ret; } /* common S/MIME checks */ static int purpose_smime(const X509 *x, int ca) { if(xku_reject(x,XKU_SMIME)) return 0; if(ca) { int ca_ret; ca_ret = ca_check(x); if(!ca_ret) return 0; /* check nsCertType if present */ if(x->ex_flags & EXFLAG_NSCERT) { if(x->ex_nscert & NS_SMIME_CA) return ca_ret; return 0; } if(ca_ret != 2) return ca_ret; else return 0; } if(x->ex_flags & EXFLAG_NSCERT) { if(x->ex_nscert & NS_SMIME) return 1; /* Workaround for some buggy certificates */ if(x->ex_nscert & NS_SSL_CLIENT) return 2; return 0; } return 1; } static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca) { int ret; ret = purpose_smime(x, ca); if(!ret || ca) return ret; if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0; return ret; } static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca) { int ret; ret = purpose_smime(x, ca); if(!ret || ca) return ret; if(ku_reject(x, KU_KEY_ENCIPHERMENT)) return 0; return ret; } static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) { if(ca) { int ca_ret; if((ca_ret = ca_check(x)) != 2) return ca_ret; else return 0; } if(ku_reject(x, KU_CRL_SIGN)) return 0; return 1; } /* OCSP helper: this is *not* a full OCSP check. It just checks that * each CA is valid. Additional checks must be made on the chain. */ static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) { /* Must be a valid CA */ if(ca) { int ca_ret; ca_ret = ca_check(x); if(ca_ret != 2) return ca_ret; if(x->ex_flags & EXFLAG_NSCERT) { if(x->ex_nscert & NS_ANY_CA) return ca_ret; return 0; } return 0; } /* leaf certificate is checked in OCSP_verify() */ return 1; } static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) { return 1; } /* Various checks to see if one certificate issued the second. * This can be used to prune a set of possible issuer certificates * which have been looked up using some simple method such as by * subject name. * These are: * 1. Check issuer_name(subject) == subject_name(issuer) * 2. If akid(subject) exists check it matches issuer * 3. If key_usage(issuer) exists check it supports certificate signing * returns 0 for OK, positive for reason for mismatch, reasons match * codes for X509_verify_cert() */ int X509_check_issued(X509 *issuer, X509 *subject) { if(X509_NAME_cmp(X509_get_subject_name(issuer), X509_get_issuer_name(subject))) return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; x509v3_cache_extensions(issuer); x509v3_cache_extensions(subject); if(subject->akid) { /* Check key ids (if present) */ if(subject->akid->keyid && issuer->skid && ASN1_OCTET_STRING_cmp(subject->akid->keyid, issuer->skid) ) return X509_V_ERR_AKID_SKID_MISMATCH; /* Check serial number */ if(subject->akid->serial && ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), subject->akid->serial)) return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; /* Check issuer name */ if(subject->akid->issuer) { /* Ugh, for some peculiar reason AKID includes * SEQUENCE OF GeneralName. So look for a DirName. * There may be more than one but we only take any * notice of the first. */ GENERAL_NAMES *gens; GENERAL_NAME *gen; X509_NAME *nm = NULL; int i; gens = subject->akid->issuer; for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) { gen = sk_GENERAL_NAME_value(gens, i); if(gen->type == GEN_DIRNAME) { nm = gen->d.dirn; break; } } if(nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer))) return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; } } if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; return X509_V_OK; } diff --git a/crypto/openssl/doc/apps/config.pod b/crypto/openssl/doc/apps/config.pod index ce874a42ce13..8f823fa6d69d 100644 --- a/crypto/openssl/doc/apps/config.pod +++ b/crypto/openssl/doc/apps/config.pod @@ -1,138 +1,272 @@ =pod =head1 NAME config - OpenSSL CONF library configuration files =head1 DESCRIPTION The OpenSSL CONF library can be used to read configuration files. It is used for the OpenSSL master configuration file B and in a few other places like B files and certificate extension -files for the B utility. +files for the B utility. OpenSSL applications can also use the +CONF library for their own purposes. A configuration file is divided into a number of sections. Each section starts with a line B<[ section_name ]> and ends when a new section is started or end of file is reached. A section name can consist of alphanumeric characters and underscores. The first section of a configuration file is special and is referred to as the B section this is usually unnamed and is from the start of file until the first named section. When a name is being looked up it is first looked up in a named section (if any) and then the default section. The environment is mapped onto a section called B. Comments can be included by preceding them with the B<#> character Each section in a configuration file consists of a number of name and value pairs of the form B The B string can contain any alphanumeric characters as well as a few punctuation symbols such as B<.> B<,> B<;> and B<_>. The B string consists of the string following the B<=> character until end of line with any leading and trailing white space removed. The value string undergoes variable expansion. This can be done by including the form B<$var> or B<${var}>: this will substitute the value of the named variable in the current section. It is also possible to substitute a value from another section using the syntax B<$section::name> or B<${section::name}>. By using the form B<$ENV::name> environment variables can be substituted. It is also possible to assign values to environment variables by using the name B, this will work if the program looks up environment variables using the B library instead of calling B directly. It is possible to escape certain characters by using any kind of quote or the B<\> character. By making the last character of a line a B<\> a B string can be spread across multiple lines. In addition the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized. +=head1 OPENSSL LIBRARY CONFIGURATION + +In OpenSSL 0.9.7 and later applications can automatically configure certain +aspects of OpenSSL using the master OpenSSL configuration file, or optionally +an alternative configuration file. The B utility includes this +functionality: any sub command uses the master OpenSSL configuration file +unless an option is used in the sub command to use an alternative configuration +file. + +To enable library configuration the default section needs to contain an +appropriate line which points to the main configuration section. The default +name is B which is used by the B utility. Other +applications may use an alternative name such as B. + +The configuration section should consist of a set of name value pairs which +contain specific module configuration information. The B represents +the name of the I the meaning of the B is +module specific: it may, for example, represent a further configuration +section containing configuration module specific information. E.g. + + openssl_conf = openssl_init + + [openssl_init] + + oid_section = new_oids + engines = engine_section + + [new_oids] + + ... new oids here ... + + [engine_section] + + ... engine stuff here ... + +Currently there are two configuration modules. One for ASN1 objects another +for ENGINE configuration. + +=head2 ASN1 OBJECT CONFIGURATION MODULE + +This module has the name B. The value of this variable points +to a section containing name value pairs of OIDs: the name is the OID short +and long name, the value is the numerical form of the OID. Although some of +the B utility sub commands already have their own ASN1 OBJECT section +functionality not all do. By using the ASN1 OBJECT configuration module +B the B utility sub commands can see the new objects as well +as any compliant applications. For example: + + [new_oids] + + some_new_oid = 1.2.3.4 + some_other_oid = 1.2.3.5 + +=head2 ENGINE CONFIGURATION MODULE + +This ENGINE configuration module has the name B. The value of this +variable points to a section containing further ENGINE configuration +information. + +The section pointed to by B is a table of engine names (though see +B below) and further sections containing configuration informations +specific to each ENGINE. + +Each ENGINE specific section is used to set default algorithms, load +dynamic, perform initialization and send ctrls. The actual operation performed +depends on the I name which is the name of the name value pair. The +currently supported commands are listed below. + +For example: + + [engine_section] + + # Configure ENGINE named "foo" + foo = foo_section + # Configure ENGINE named "bar" + bar = bar_section + + [foo_section] + ... foo ENGINE specific commands ... + + [bar_section] + ... "bar" ENGINE specific commands ... + +The command B is used to give the ENGINE name. If used this +command must be first. For example: + + [engine_section] + # This would normally handle an ENGINE named "foo" + foo = foo_section + + [foo_section] + # Override default name and use "myfoo" instead. + engine_id = myfoo + +The command B loads and adds an ENGINE from the given path. It +is equivalent to sending the ctrls B with the path argument followed +by B with value 2 and B to the dynamic ENGINE. If this is +not the required behaviour then alternative ctrls can be sent directly +to the dynamic ENGINE using ctrl commands. + +The command B determines whether to initialize the ENGINE. If the value +is B<0> the ENGINE will not be initialized, if B<1> and attempt it made to +initialized the ENGINE immediately. If the B command is not present +then an attempt will be made to initialize the ENGINE after all commands in +its section have been processed. + +The command B sets the default algorithms an ENGINE will +supply using the functions B + +If the name matches none of the above command names it is assumed to be a +ctrl command which is sent to the ENGINE. The value of the command is the +argument to the ctrl command. If the value is the string B then no +value is sent to the command. + +For example: + + + [engine_section] + + # Configure ENGINE named "foo" + foo = foo_section + + [foo_section] + # Load engine from DSO + dynamic_path = /some/path/fooengine.so + # A foo specific ctrl. + some_ctrl = some_value + # Another ctrl that doesn't take a value. + other_ctrl = EMPTY + # Supply all default algorithms + default_algorithms = ALL + =head1 NOTES If a configuration file attempts to expand a variable that doesn't exist then an error is flagged and the file will not load. This can happen if an attempt is made to expand an environment variable that doesn't -exist. For example the default OpenSSL master configuration file used -the value of B which may not be defined on non Unix systems. +exist. For example in a previous version of OpenSSL the default OpenSSL +master configuration file used the value of B which may not be +defined on non Unix systems and would cause an error. This can be worked around by including a B section to provide a default value: then if the environment lookup fails the default value will be used instead. For this to work properly the default value must be defined earlier in the configuration file than the expansion. See the B section for an example of how to do this. If the same variable exists in the same section then all but the last value will be silently ignored. In certain circumstances such as with DNs the same field may occur multiple times. This is usually worked around by ignoring any characters before an initial B<.> e.g. 1.OU="My first OU" 2.OU="My Second OU" =head1 EXAMPLES Here is a sample configuration file using some of the features mentioned above. # This is the default section. HOME=/temp RANDFILE= ${ENV::HOME}/.rnd configdir=$ENV::HOME/config [ section_one ] # We are now in section one. # Quotes permit leading and trailing whitespace any = " any variable name " other = A string that can \ cover several lines \ by including \\ characters message = Hello World\n [ section_two ] greeting = $section_one::message This next example shows how to expand environment variables safely. Suppose you want a variable called B to refer to a temporary filename. The directory it is placed in can determined by the the B or B environment variables but they may not be set to any value at all. If you just include the environment variable names and the variable doesn't exist then this will cause an error when an attempt is made to load the configuration file. By making use of the default section both values can be looked up with B taking priority and B used if neither is defined: TMP=/tmp # The above value is used if TMP isn't in the environment TEMP=$ENV::TMP # The above value is used if TEMP isn't in the environment tmpfile=${ENV::TEMP}/tmp.filename =head1 BUGS Currently there is no way to include characters using the octal B<\nnn> form. Strings are all null terminated so nulls cannot form part of the value. The escaping isn't quite right: if you want to use sequences like B<\n> you can't use any quote escaping on the same line. Files are loaded in a single pass. This means that an variable expansion will only work if the variables referenced are defined earlier in the file. =head1 SEE ALSO L, L, L =cut diff --git a/crypto/openssl/doc/apps/openssl.pod b/crypto/openssl/doc/apps/openssl.pod index 07dd80eabe56..dc0f49ddca63 100644 --- a/crypto/openssl/doc/apps/openssl.pod +++ b/crypto/openssl/doc/apps/openssl.pod @@ -1,344 +1,345 @@ =pod =head1 NAME openssl - OpenSSL command line tool =head1 SYNOPSIS B I [ I ] [ I ] B [ B | B | B ] B BI [ I ] =head1 DESCRIPTION OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them. The B program is a command line tool for using the various cryptography functions of OpenSSL's B library from the shell. It can be used for o Creation of RSA, DH and DSA key parameters o Creation of X.509 certificates, CSRs and CRLs o Calculation of Message Digests o Encryption and Decryption with Ciphers o SSL/TLS Client and Server Tests o Handling of S/MIME signed or encrypted mail =head1 COMMAND SUMMARY The B program provides a rich variety of commands (I in the SYNOPSIS above), each of which often has a wealth of options and arguments (I and I in the SYNOPSIS). The pseudo-commands B, B, and B output a list (one entry per line) of the names of all standard commands, message digest commands, or cipher commands, respectively, that are available in the present B utility. The pseudo-command BI tests whether a command of the specified name is available. If no command named I exists, it returns 0 (success) and prints BI; otherwise it returns 1 and prints I. In both cases, the output goes to B and nothing is printed to B. Additional command line arguments are always ignored. Since for each cipher there is a command of the same name, this provides an easy way for shell scripts to test for the availability of ciphers in the B program. (BI is not able to detect pseudo-commands such as B, BI<...>B<-commands>, or BI itself.) =head2 STANDARD COMMANDS =over 10 =item L|asn1parse(1)> Parse an ASN.1 sequence. =item L|ca(1)> Certificate Authority (CA) Management. =item L|ciphers(1)> Cipher Suite Description Determination. =item L|crl(1)> Certificate Revocation List (CRL) Management. =item L|crl2pkcs7(1)> CRL to PKCS#7 Conversion. =item L|dgst(1)> Message Digest Calculation. =item B Diffie-Hellman Parameter Management. Obsoleted by L|dhparam(1)>. =item L|dsa(1)> DSA Data Management. =item L|dsaparam(1)> DSA Parameter Generation. =item L|enc(1)> Encoding with Ciphers. =item L|errstr(1)> Error Number to Error String Conversion. =item L|dhparam(1)> Generation and Management of Diffie-Hellman Parameters. =item B Generation of Diffie-Hellman Parameters. Obsoleted by L|dhparam(1)>. =item L|gendsa(1)> Generation of DSA Parameters. =item L|genrsa(1)> Generation of RSA Parameters. =item L|ocsp(1)> Online Certificate Status Protocol utility. =item L|passwd(1)> Generation of hashed passwords. =item L|pkcs12(1)> PKCS#12 Data Management. =item L|pkcs7(1)> PKCS#7 Data Management. =item L|rand(1)> Generate pseudo-random bytes. =item L|req(1)> X.509 Certificate Signing Request (CSR) Management. =item L|rsa(1)> RSA Data Management. =item L|rsautl(1)> RSA utility for signing, verification, encryption, and decryption. =item L|s_client(1)> This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL B library. =item L|s_server(1)> This implements a generic SSL/TLS server which accepts connections from remote clients speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL B library. It provides both an own command line oriented protocol for testing SSL functions and a simple HTTP response facility to emulate an SSL/TLS-aware webserver. =item L|s_time(1)> SSL Connection Timer. =item L|sess_id(1)> SSL Session Data Management. =item L|smime(1)> S/MIME mail processing. =item L|speed(1)> Algorithm Speed Measurement. =item L|verify(1)> X.509 Certificate Verification. =item L|version(1)> OpenSSL Version Information. =item L|x509(1)> X.509 Certificate Data Management. =back =head2 MESSAGE DIGEST COMMANDS =over 10 =item B MD2 Digest =item B MD5 Digest =item B MDC2 Digest =item B RMD-160 Digest =item B SHA Digest =item B SHA-1 Digest =back =head2 ENCODING AND CIPHER COMMANDS =over 10 =item B Base64 Encoding =item B Blowfish Cipher =item B CAST Cipher =item B CAST5 Cipher =item B DES Cipher =item B Triple-DES Cipher =item B IDEA Cipher =item B RC2 Cipher =item B RC4 Cipher =item B RC5 Cipher =back =head1 PASS PHRASE ARGUMENTS Several commands accept password arguments, typically using B<-passin> and B<-passout> for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these options take a single argument whose format is described below. If no password argument is given and a password is required then the user is prompted to enter one: this will typically be read from the current terminal with echoing turned off. =over 10 =item B the actual password is B. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important. =item B obtain the password from the environment variable B. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with caution. =item B the first line of B is the password. If the same B argument is supplied to B<-passin> and B<-passout> arguments then the first line will be used for the input password and the next line for the output password. B need not refer to a regular file: it could for example refer to a device or named pipe. =item B read the password from the file descriptor B. This can be used to send the data via a pipe for example. =item B read the password from standard input. =back =head1 SEE ALSO L, L, L, L, L, L, L, L, L, L, L, L, L, L, L, L, L, L, L, L, L, L, L, -L, L, L, +L, L, +L, L, L, L, L, L, L =head1 HISTORY The openssl(1) document appeared in OpenSSL 0.9.2. The BIB<-commands> pseudo-commands were added in OpenSSL 0.9.3; the BI pseudo-commands were added in OpenSSL 0.9.5a. For notes on the availability of other commands, see their individual manual pages. =cut diff --git a/crypto/openssl/doc/apps/s_client.pod b/crypto/openssl/doc/apps/s_client.pod index d061326c1fca..8d19079973a4 100644 --- a/crypto/openssl/doc/apps/s_client.pod +++ b/crypto/openssl/doc/apps/s_client.pod @@ -1,250 +1,250 @@ =pod =head1 NAME s_client - SSL/TLS client program =head1 SYNOPSIS B B -[B<-connect> host:port>] +[B<-connect host:port>] [B<-verify depth>] [B<-cert filename>] [B<-key filename>] [B<-CApath directory>] [B<-CAfile filename>] [B<-reconnect>] [B<-pause>] [B<-showcerts>] [B<-debug>] [B<-msg>] [B<-nbio_test>] [B<-state>] [B<-nbio>] [B<-crlf>] [B<-ign_eof>] [B<-quiet>] [B<-ssl2>] [B<-ssl3>] [B<-tls1>] [B<-no_ssl2>] [B<-no_ssl3>] [B<-no_tls1>] [B<-bugs>] [B<-cipher cipherlist>] [B<-starttls protocol>] [B<-engine id>] [B<-rand file(s)>] =head1 DESCRIPTION The B command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a I useful diagnostic tool for SSL servers. =head1 OPTIONS =over 4 =item B<-connect host:port> This specifies the host and optional port to connect to. If not specified then an attempt is made to connect to the local host on port 4433. =item B<-cert certname> The certificate to use, if one is requested by the server. The default is not to use a certificate. =item B<-key keyfile> The private key to use. If not specified then the certificate file will be used. =item B<-verify depth> The verify depth to use. This specifies the maximum length of the server certificate chain and turns on server certificate verification. Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. =item B<-CApath directory> The directory to use for server certificate verification. This directory must be in "hash format", see B for more information. These are also used when building the client certificate chain. =item B<-CAfile file> A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. =item B<-reconnect> reconnects to the same server 5 times using the same session ID, this can be used as a test that session caching is working. =item B<-pause> pauses 1 second between each read and write call. =item B<-showcerts> display the whole server certificate chain: normally only the server certificate itself is displayed. =item B<-prexit> print session information when the program exits. This will always attempt to print out information even if the connection fails. Normally information will only be printed out once if the connection succeeds. This option is useful because the cipher in use may be renegotiated or the connection may fail because a client certificate is required or is requested only after an attempt is made to access a certain URL. Note: the output produced by this option is not always accurate because a connection might never have been established. =item B<-state> prints out the SSL session states. =item B<-debug> print extensive debugging information including a hex dump of all traffic. =item B<-msg> show all protocol messages with hex dump. =item B<-nbio_test> tests non-blocking I/O =item B<-nbio> turns on non-blocking I/O =item B<-crlf> this option translated a line feed from the terminal into CR+LF as required by some servers. =item B<-ign_eof> inhibit shutting down the connection when end of file is reached in the input. =item B<-quiet> inhibit printing of session and certificate information. This implicitly turns on B<-ign_eof> as well. =item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> these options disable the use of certain SSL or TLS protocols. By default the initial handshake uses a method which should be compatible with all servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. Unfortunately there are a lot of ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only work if TLS is turned off with the B<-no_tls> option others will only support SSL v2 and may need the B<-ssl2> option. =item B<-bugs> there are several known bug in SSL and TLS implementations. Adding this option enables various workarounds. =item B<-cipher cipherlist> this allows the cipher list sent by the client to be modified. Although the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the B command for more information. =item B<-starttls protocol> send the protocol-specific message(s) to switch to TLS for communication. B is a keyword for the intended protocol. Currently, the only supported keywords are "smtp" and "pop3". =item B<-engine id> specifying an engine (by it's unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. =item B<-rand file(s)> a file or files containing random data used to seed the random number generator, or an EGD socket (see L). Multiple files can be specified separated by a OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. =back =head1 CONNECTED COMMANDS If a connection is established with an SSL server then any data received from the server is displayed and any key presses will be sent to the server. When used interactively (which means neither B<-quiet> nor B<-ign_eof> have been given), the session will be renegotiated if the line begins with an B, and if the line begins with a B or if end of file is reached, the connection will be closed down. =head1 NOTES B can be used to debug SSL servers. To connect to an SSL HTTP server the command: openssl s_client -connect servername:443 would typically be used (https uses port 443). If the connection succeeds then an HTTP command can be given such as "GET /" to retrieve a web page. If the handshake fails then there are several possible causes, if it is nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, -B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> can be tried +B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried in case it is a buggy server. In particular you should play with these options B submitting a bug report to an OpenSSL mailing list. A frequent problem when attempting to get client certificates working is that a web client complains it has no certificates or gives an empty list to choose from. This is normally because the server is not sending the clients certificate authority in its "acceptable CA list" when it requests a certificate. By using B the CA list can be viewed and checked. However some servers only request client authentication after a specific URL is requested. To obtain the list in this case it -is necessary to use the B<-prexit> command and send an HTTP request +is necessary to use the B<-prexit> option and send an HTTP request for an appropriate page. If a certificate is specified on the command line using the B<-cert> option it will not be used unless the server specifically requests a client certificate. Therefor merely including a client certificate on the command line is no guarantee that the certificate works. If there are problems verifying a server certificate then the B<-showcerts> option can be used to show the whole chain. =head1 BUGS Because this program has a lot of options and also because some of the techniques used are rather old, the C source of s_client is rather hard to read and not a model of how things should be done. A typical SSL client program would be much simpler. The B<-verify> option should really exit if the server verification fails. The B<-prexit> option is a bit of a hack. We should really report information whenever a session is renegotiated. =head1 SEE ALSO L, L, L =cut diff --git a/crypto/openssl/doc/apps/s_time.pod b/crypto/openssl/doc/apps/s_time.pod new file mode 100644 index 000000000000..5a38aa2e0394 --- /dev/null +++ b/crypto/openssl/doc/apps/s_time.pod @@ -0,0 +1,173 @@ + +=pod + +=head1 NAME + +s_time - SSL/TLS performance timing program + +=head1 SYNOPSIS + +B B +[B<-connect host:port>] +[B<-www page>] +[B<-cert filename>] +[B<-key filename>] +[B<-CApath directory>] +[B<-CAfile filename>] +[B<-reuse>] +[B<-new>] +[B<-verify depth>] +[B<-nbio>] +[B<-time seconds>] +[B<-ssl2>] +[B<-ssl3>] +[B<-bugs>] +[B<-cipher cipherlist>] + +=head1 DESCRIPTION + +The B command implements a generic SSL/TLS client which connects to a +remote host using SSL/TLS. It can request a page from the server and includes +the time to transfer the payload data in its timing measurements. It measures +the number of connections within a given timeframe, the amount of data +transferred (if any), and calculates the average time spent for one connection. + +=head1 OPTIONS + +=over 4 + +=item B<-connect host:port> + +This specifies the host and optional port to connect to. + +=item B<-www page> + +This specifies the page to GET from the server. A value of '/' gets the +index.htm[l] page. If this parameter is not specified, then B will only +perform the handshake to establish SSL connections but not transfer any +payload data. + +=item B<-cert certname> + +The certificate to use, if one is requested by the server. The default is +not to use a certificate. The file is in PEM format. + +=item B<-key keyfile> + +The private key to use. If not specified then the certificate file will +be used. The file is in PEM format. + +=item B<-verify depth> + +The verify depth to use. This specifies the maximum length of the +server certificate chain and turns on server certificate verification. +Currently the verify operation continues after errors so all the problems +with a certificate chain can be seen. As a side effect the connection +will never fail due to a server certificate verify failure. + +=item B<-CApath directory> + +The directory to use for server certificate verification. This directory +must be in "hash format", see B for more information. These are +also used when building the client certificate chain. + +=item B<-CAfile file> + +A file containing trusted certificates to use during server authentication +and to use when attempting to build the client certificate chain. + +=item B<-new> + +performs the timing test using a new session ID for each connection. +If neither B<-new> nor B<-reuse> are specified, they are both on by default +and executed in sequence. + +=item B<-reuse> + +performs the timing test using the same session ID; this can be used as a test +that session caching is working. If neither B<-new> nor B<-reuse> are +specified, they are both on by default and executed in sequence. + +=item B<-nbio> + +turns on non-blocking I/O. + +=item B<-ssl2>, B<-ssl3> + +these options disable the use of certain SSL or TLS protocols. By default +the initial handshake uses a method which should be compatible with all +servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. +The timing program is not as rich in options to turn protocols on and off as +the L program and may not connect to all servers. + +Unfortunately there are a lot of ancient and broken servers in use which +cannot handle this technique and will fail to connect. Some servers only +work if TLS is turned off with the B<-ssl3> option; others +will only support SSL v2 and may need the B<-ssl2> option. + +=item B<-bugs> + +there are several known bug in SSL and TLS implementations. Adding this +option enables various workarounds. + +=item B<-cipher cipherlist> + +this allows the cipher list sent by the client to be modified. Although +the server determines which cipher suite is used it should take the first +supported cipher in the list sent by the client. +See the L command for more information. + +=item B<-time length> + +specifies how long (in seconds) B should establish connections and +optionally transfer payload data from a server. Server and client performance +and the link speed determine how many connections B can establish. + +=back + +=head1 NOTES + +B can be used to measure the performance of an SSL connection. +To connect to an SSL HTTP server and get the default page the command + + openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3] + +would typically be used (https uses port 443). 'commoncipher' is a cipher to +which both client and server can agree, see the L command +for details. + +If the handshake fails then there are several possible causes, if it is +nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, +B<-ssl3> options can be tried +in case it is a buggy server. In particular you should play with these +options B submitting a bug report to an OpenSSL mailing list. + +A frequent problem when attempting to get client certificates working +is that a web client complains it has no certificates or gives an empty +list to choose from. This is normally because the server is not sending +the clients certificate authority in its "acceptable CA list" when it +requests a certificate. By using L the CA list can be +viewed and checked. However some servers only request client authentication +after a specific URL is requested. To obtain the list in this case it +is necessary to use the B<-prexit> option of L and +send an HTTP request for an appropriate page. + +If a certificate is specified on the command line using the B<-cert> +option it will not be used unless the server specifically requests +a client certificate. Therefor merely including a client certificate +on the command line is no guarantee that the certificate works. + +=head1 BUGS + +Because this program does not have all the options of the +L program to turn protocols on and off, you may not be +able to measure the performance of all protocols with all servers. + +The B<-verify> option should really exit if the server verification +fails. + +=head1 SEE ALSO + +L, L, L + +=cut diff --git a/crypto/openssl/doc/apps/smime.pod b/crypto/openssl/doc/apps/smime.pod index 2453dd2738d1..84b673f791ea 100644 --- a/crypto/openssl/doc/apps/smime.pod +++ b/crypto/openssl/doc/apps/smime.pod @@ -1,375 +1,378 @@ =pod =head1 NAME smime - S/MIME utility =head1 SYNOPSIS B B [B<-encrypt>] [B<-decrypt>] [B<-sign>] [B<-verify>] [B<-pk7out>] [B<-des>] [B<-des3>] [B<-rc2-40>] [B<-rc2-64>] [B<-rc2-128>] +[B<-aes128>] +[B<-aes192>] +[B<-aes256>] [B<-in file>] [B<-certfile file>] [B<-signer file>] [B<-recip file>] [B<-inform SMIME|PEM|DER>] [B<-passin arg>] [B<-inkey file>] [B<-out file>] [B<-outform SMIME|PEM|DER>] [B<-content file>] [B<-to addr>] [B<-from ad>] [B<-subject s>] [B<-text>] [B<-rand file(s)>] [cert.pem]... =head1 DESCRIPTION The B command handles S/MIME mail. It can encrypt, decrypt, sign and verify S/MIME messages. =head1 COMMAND OPTIONS There are five operation options that set the type of operation to be performed. The meaning of the other options varies according to the operation type. =over 4 =item B<-encrypt> encrypt mail for the given recipient certificates. Input file is the message to be encrypted. The output file is the encrypted mail in MIME format. =item B<-decrypt> decrypt mail using the supplied certificate and private key. Expects an encrypted mail message in MIME format for the input file. The decrypted mail is written to the output file. =item B<-sign> sign mail using the supplied certificate and private key. Input file is the message to be signed. The signed message in MIME format is written to the output file. =item B<-verify> verify signed mail. Expects a signed mail message on input and outputs the signed data. Both clear text and opaque signing is supported. =item B<-pk7out> takes an input message and writes out a PEM encoded PKCS#7 structure. =item B<-in filename> the input message to be encrypted or signed or the MIME message to be decrypted or verified. =item B<-inform SMIME|PEM|DER> this specifies the input format for the PKCS#7 structure. The default is B which reads an S/MIME format message. B and B format change this to expect PEM and DER format PKCS#7 structures instead. This currently only affects the input format of the PKCS#7 structure, if no PKCS#7 structure is being input (for example with B<-encrypt> or B<-sign>) this option has no effect. =item B<-out filename> the message text that has been decrypted or verified or the output MIME format message that has been signed or verified. =item B<-outform SMIME|PEM|DER> this specifies the output format for the PKCS#7 structure. The default is B which write an S/MIME format message. B and B format change this to write PEM and DER format PKCS#7 structures instead. This currently only affects the output format of the PKCS#7 structure, if no PKCS#7 structure is being output (for example with B<-verify> or B<-decrypt>) this option has no effect. =item B<-content filename> This specifies a file containing the detached content, this is only useful with the B<-verify> command. This is only usable if the PKCS#7 structure is using the detached signature form where the content is not included. This option will override any content if the input format is S/MIME and it uses the multipart/signed MIME content type. =item B<-text> this option adds plain text (text/plain) MIME headers to the supplied message if encrypting or signing. If decrypting or verifying it strips off text headers: if the decrypted or verified message is not of MIME type text/plain then an error occurs. =item B<-CAfile file> a file containing trusted CA certificates, only used with B<-verify>. =item B<-CApath dir> a directory containing trusted CA certificates, only used with B<-verify>. This directory must be a standard certificate directory: that is a hash of each subject name (using B) should be linked to each certificate. -=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128> +=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256> -the encryption algorithm to use. DES (56 bits), triple DES (168 bits) -or 40, 64 or 128 bit RC2 respectively if not specified 40 bit RC2 is -used. Only used with B<-encrypt>. +the encryption algorithm to use. DES (56 bits), triple DES (168 bits), +40, 64 or 128 bit RC2 or 128, 192 or 256 bit AES respectively. If not +specified 40 bit RC2 is used. Only used with B<-encrypt>. =item B<-nointern> when verifying a message normally certificates (if any) included in the message are searched for the signing certificate. With this option only the certificates specified in the B<-certfile> option are used. The supplied certificates can still be used as untrusted CAs however. =item B<-noverify> do not verify the signers certificate of a signed message. =item B<-nochain> do not do chain verification of signers certificates: that is don't use the certificates in the signed message as untrusted CAs. =item B<-nosigs> don't try to verify the signatures on the message. =item B<-nocerts> when signing a message the signer's certificate is normally included with this option it is excluded. This will reduce the size of the signed message but the verifier must have a copy of the signers certificate available locally (passed using the B<-certfile> option for example). =item B<-noattr> normally when a message is signed a set of attributes are included which include the signing time and supported symmetric algorithms. With this option they are not included. =item B<-binary> normally the input message is converted to "canonical" format which is effectively using CR and LF as end of line: as required by the S/MIME specification. When this option is present no translation occurs. This is useful when handling binary data which may not be in MIME format. =item B<-nodetach> when signing a message use opaque signing: this form is more resistant to translation by mail relays but it cannot be read by mail agents that do not support S/MIME. Without this option cleartext signing with the MIME type multipart/signed is used. =item B<-certfile file> allows additional certificates to be specified. When signing these will be included with the message. When verifying these will be searched for the signers certificates. The certificates should be in PEM format. =item B<-signer file> the signers certificate when signing a message. If a message is being verified then the signers certificates will be written to this file if the verification was successful. =item B<-recip file> the recipients certificate when decrypting a message. This certificate must match one of the recipients of the message or an error occurs. =item B<-inkey file> the private key to use when signing or decrypting. This must match the corresponding certificate. If this option is not specified then the private key must be included in the certificate file specified with the B<-recip> or B<-signer> file. =item B<-passin arg> the private key password source. For more information about the format of B see the B section in L. =item B<-rand file(s)> a file or files containing random data used to seed the random number generator, or an EGD socket (see L). Multiple files can be specified separated by a OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. =item B one or more certificates of message recipients: used when encrypting a message. =item B<-to, -from, -subject> the relevant mail headers. These are included outside the signed portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. =back =head1 NOTES The MIME message must be sent without any blank lines between the headers and the output. Some mail programs will automatically add a blank line. Piping the mail directly to sendmail is one way to achieve the correct format. The supplied message to be signed or encrypted must include the necessary MIME headers or many S/MIME clients wont display it properly (if at all). You can use the B<-text> option to automatically add plain text headers. A "signed and encrypted" message is one where a signed message is then encrypted. This can be produced by encrypting an already signed message: see the examples section. This version of the program only allows one signer per message but it will verify multiple signers on received messages. Some S/MIME clients choke if a message contains multiple signers. It is possible to sign messages "in parallel" by signing an already signed message. The options B<-encrypt> and B<-decrypt> reflect common usage in S/MIME clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7 encrypted data is used for other purposes. =head1 EXIT CODES =over 4 =item 0 the operation was completely successfully. =item 1 an error occurred parsing the command options. =item 2 one of the input files could not be read. =item 3 an error occurred creating the PKCS#7 file or when reading the MIME message. =item 4 an error occurred decrypting or verifying the message. =item 5 the message was verified correctly but an error occurred writing out the signers certificates. =back =head1 EXAMPLES Create a cleartext signed message: openssl smime -sign -in message.txt -text -out mail.msg \ -signer mycert.pem Create and opaque signed message openssl smime -sign -in message.txt -text -out mail.msg -nodetach \ -signer mycert.pem Create a signed message, include some additional certificates and read the private key from another file: openssl smime -sign -in in.txt -text -out mail.msg \ -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem Send a signed message under Unix directly to sendmail, including headers: openssl smime -sign -in in.txt -text -signer mycert.pem \ -from steve@openssl.org -to someone@somewhere \ -subject "Signed message" | sendmail someone@somewhere Verify a message and extract the signer's certificate if successful: openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt Send encrypted mail using triple DES: openssl smime -encrypt -in in.txt -from steve@openssl.org \ -to someone@somewhere -subject "Encrypted message" \ -des3 user.pem -out mail.msg Sign and encrypt mail: openssl smime -sign -in ml.txt -signer my.pem -text \ | openssl smime -encrypt -out mail.msg \ -from steve@openssl.org -to someone@somewhere \ -subject "Signed and Encrypted message" -des3 user.pem Note: the encryption command does not include the B<-text> option because the message being encrypted already has MIME headers. Decrypt mail: openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem The output from Netscape form signing is a PKCS#7 structure with the detached signature format. You can use this program to verify the signature by line wrapping the base64 encoded structure and surrounding it with: -----BEGIN PKCS7----- -----END PKCS7----- and using the command, openssl smime -verify -inform PEM -in signature.pem -content content.txt alternatively you can base64 decode the signature and use openssl smime -verify -inform DER -in signature.der -content content.txt =head1 BUGS The MIME parser isn't very clever: it seems to handle most messages that I've thrown at it but it may choke on others. The code currently will only write out the signer's certificate to a file: if the signer has a separate encryption certificate this must be manually extracted. There should be some heuristic that determines the correct encryption certificate. Ideally a database should be maintained of a certificates for each email address. The code doesn't currently take note of the permitted symmetric encryption algorithms as supplied in the SMIMECapabilities signed attribute. this means the user has to manually include the correct encryption algorithm. It should store the list of permitted ciphers in a database and only use those. No revocation checking is done on the signer's certificate. The current code can only handle S/MIME v2 messages, the more complex S/MIME v3 structures may cause parsing errors. =cut diff --git a/crypto/openssl/doc/crypto/BIO_f_ssl.pod b/crypto/openssl/doc/crypto/BIO_f_ssl.pod index a56ee2b92f2b..f0b731731f50 100644 --- a/crypto/openssl/doc/crypto/BIO_f_ssl.pod +++ b/crypto/openssl/doc/crypto/BIO_f_ssl.pod @@ -1,313 +1,313 @@ =pod =head1 NAME BIO_f_ssl, BIO_set_ssl, BIO_get_ssl, BIO_set_ssl_mode, BIO_set_ssl_renegotiate_bytes, BIO_get_num_renegotiates, BIO_set_ssl_renegotiate_timeout, BIO_new_ssl, BIO_new_ssl_connect, BIO_new_buffer_ssl_connect, BIO_ssl_copy_session_id, BIO_ssl_shutdown - SSL BIO =head1 SYNOPSIS #include #include BIO_METHOD *BIO_f_ssl(void); #define BIO_set_ssl(b,ssl,c) BIO_ctrl(b,BIO_C_SET_SSL,c,(char *)ssl) #define BIO_get_ssl(b,sslp) BIO_ctrl(b,BIO_C_GET_SSL,0,(char *)sslp) #define BIO_set_ssl_mode(b,client) BIO_ctrl(b,BIO_C_SSL_MODE,client,NULL) #define BIO_set_ssl_renegotiate_bytes(b,num) \ BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL); #define BIO_set_ssl_renegotiate_timeout(b,seconds) \ BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL); #define BIO_get_num_renegotiates(b) \ BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL); BIO *BIO_new_ssl(SSL_CTX *ctx,int client); BIO *BIO_new_ssl_connect(SSL_CTX *ctx); BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx); int BIO_ssl_copy_session_id(BIO *to,BIO *from); void BIO_ssl_shutdown(BIO *bio); #define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL) =head1 DESCRIPTION BIO_f_ssl() returns the SSL BIO method. This is a filter BIO which is a wrapper round the OpenSSL SSL routines adding a BIO "flavour" to SSL I/O. I/O performed on an SSL BIO communicates using the SSL protocol with the SSLs read and write BIOs. If an SSL connection is not established then an attempt is made to establish one on the first I/O call. If a BIO is appended to an SSL BIO using BIO_push() it is automatically used as the SSL BIOs read and write BIOs. Calling BIO_reset() on an SSL BIO closes down any current SSL connection by calling SSL_shutdown(). BIO_reset() is then sent to the next BIO in the chain: this will typically disconnect the underlying transport. The SSL BIO is then reset to the initial accept or connect state. If the close flag is set when an SSL BIO is freed then the internal SSL structure is also freed using SSL_free(). BIO_set_ssl() sets the internal SSL pointer of BIO B to B using the close flag B. BIO_get_ssl() retrieves the SSL pointer of BIO B, it can then be manipulated using the standard SSL library functions. BIO_set_ssl_mode() sets the SSL BIO mode to B. If B is 1 client mode is set. If B is 0 server mode is set. BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte count to B. When set after every B bytes of I/O (read and write) the SSL session is automatically renegotiated. B must be at least 512 bytes. BIO_set_ssl_renegotiate_timeout() sets the renegotiate timeout to B. When the renegotiate timeout elapses the session is automatically renegotiated. BIO_get_num_renegotiates() returns the total number of session renegotiations due to I/O or timeout. BIO_new_ssl() allocates an SSL BIO using SSL_CTX B and using client mode if B is non zero. BIO_new_ssl_connect() creates a new BIO chain consisting of an SSL BIO (using B) followed by a connect BIO. BIO_new_buffer_ssl_connect() creates a new BIO chain consisting of a buffering BIO, an SSL BIO (using B) and a connect BIO. BIO_ssl_copy_session_id() copies an SSL session id between BIO chains B and B. It does this by locating the SSL BIOs in each chain and calling SSL_copy_session_id() on the internal SSL pointer. BIO_ssl_shutdown() closes down an SSL connection on BIO chain B. It does this by locating the SSL BIO in the chain and calling SSL_shutdown() on its internal SSL pointer. BIO_do_handshake() attempts to complete an SSL handshake on the supplied BIO and establish the SSL connection. It returns 1 if the connection was established successfully. A zero or negative value is returned if the connection could not be established, the call BIO_should_retry() should be used for non blocking connect BIOs to determine if the call should be retried. If an SSL connection has already been established this call has no effect. =head1 NOTES SSL BIOs are exceptional in that if the underlying transport is non blocking they can still request a retry in exceptional circumstances. Specifically this will happen if a session renegotiation takes place during a BIO_read() operation, one case where this happens is when SGC or step up occurs. In OpenSSL 0.9.6 and later the SSL flag SSL_AUTO_RETRY can be set to disable this behaviour. That is when this flag is set an SSL BIO using a blocking transport will never request a retry. Since unknown BIO_ctrl() operations are sent through filter BIOs the servers name and port can be set using BIO_set_host() on the BIO returned by BIO_new_ssl_connect() without having to locate the connect BIO first. Applications do not have to call BIO_do_handshake() but may wish to do so to separate the handshake process from other I/O processing. =head1 RETURN VALUES TBA =head1 EXAMPLE This SSL/TLS client example, attempts to retrieve a page from an SSL/TLS web server. The I/O routines are identical to those of the unencrypted example in L. BIO *sbio, *out; int len; char tmpbuf[1024]; SSL_CTX *ctx; SSL *ssl; ERR_load_crypto_strings(); ERR_load_SSL_strings(); OpenSSL_add_all_algorithms(); /* We would seed the PRNG here if the platform didn't * do it automatically */ ctx = SSL_CTX_new(SSLv23_client_method()); /* We'd normally set some stuff like the verify paths and * mode here because as things stand this will connect to * any server whose certificate is signed by any CA. */ sbio = BIO_new_ssl_connect(ctx); BIO_get_ssl(sbio, &ssl); if(!ssl) { fprintf(stderr, "Can't locate SSL pointer\n"); /* whatever ... */ } /* Don't want any retries */ SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); /* We might want to do other things with ssl here */ BIO_set_conn_hostname(sbio, "localhost:https"); out = BIO_new_fp(stdout, BIO_NOCLOSE); if(BIO_do_connect(sbio) <= 0) { fprintf(stderr, "Error connecting to server\n"); ERR_print_errors_fp(stderr); /* whatever ... */ } if(BIO_do_handshake(sbio) <= 0) { fprintf(stderr, "Error establishing SSL connection\n"); ERR_print_errors_fp(stderr); /* whatever ... */ } /* Could examine ssl here to get connection info */ BIO_puts(sbio, "GET / HTTP/1.0\n\n"); for(;;) { len = BIO_read(sbio, tmpbuf, 1024); if(len <= 0) break; BIO_write(out, tmpbuf, len); } BIO_free_all(sbio); BIO_free(out); Here is a simple server example. It makes use of a buffering BIO to allow lines to be read from the SSL BIO using BIO_gets. It creates a pseudo web page containing the actual request from a client and also echoes the request to standard output. BIO *sbio, *bbio, *acpt, *out; int len; char tmpbuf[1024]; SSL_CTX *ctx; SSL *ssl; ERR_load_crypto_strings(); ERR_load_SSL_strings(); OpenSSL_add_all_algorithms(); /* Might seed PRNG here */ ctx = SSL_CTX_new(SSLv23_server_method()); if (!SSL_CTX_use_certificate_file(ctx,"server.pem",SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ctx,"server.pem",SSL_FILETYPE_PEM) || !SSL_CTX_check_private_key(ctx)) { fprintf(stderr, "Error setting up SSL_CTX\n"); ERR_print_errors_fp(stderr); return 0; } /* Might do other things here like setting verify locations and * DH and/or RSA temporary key callbacks */ /* New SSL BIO setup as server */ sbio=BIO_new_ssl(ctx,0); BIO_get_ssl(sbio, &ssl); if(!ssl) { fprintf(stderr, "Can't locate SSL pointer\n"); /* whatever ... */ } /* Don't want any retries */ SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); /* Create the buffering BIO */ bbio = BIO_new(BIO_f_buffer()); /* Add to chain */ sbio = BIO_push(bbio, sbio); acpt=BIO_new_accept("4433"); /* By doing this when a new connection is established * we automatically have sbio inserted into it. The * BIO chain is now 'swallowed' by the accept BIO and * will be freed when the accept BIO is freed. */ BIO_set_accept_bios(acpt,sbio); out = BIO_new_fp(stdout, BIO_NOCLOSE); /* Setup accept BIO */ if(BIO_do_accept(acpt) <= 0) { fprintf(stderr, "Error setting up accept BIO\n"); ERR_print_errors_fp(stderr); return 0; } /* Now wait for incoming connection */ if(BIO_do_accept(acpt) <= 0) { fprintf(stderr, "Error in connection\n"); ERR_print_errors_fp(stderr); return 0; } /* We only want one connection so remove and free * accept BIO */ sbio = BIO_pop(acpt); BIO_free_all(acpt); if(BIO_do_handshake(sbio) <= 0) { fprintf(stderr, "Error in SSL handshake\n"); ERR_print_errors_fp(stderr); return 0; } - BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n"); - BIO_puts(sbio, "
\r\nConnection Established\r\nRequest headers:\r\n");
+ BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/plain\r\n\r\n");
+ BIO_puts(sbio, "\r\nConnection Established\r\nRequest headers:\r\n");
  BIO_puts(sbio, "--------------------------------------------------\r\n");
 
  for(;;) {
  	len = BIO_gets(sbio, tmpbuf, 1024);
         if(len <= 0) break;
 	BIO_write(sbio, tmpbuf, len);
 	BIO_write(out, tmpbuf, len);
 	/* Look for blank line signifying end of headers*/
 	if((tmpbuf[0] == '\r') || (tmpbuf[0] == '\n')) break;
  }
 
  BIO_puts(sbio, "--------------------------------------------------\r\n");
- BIO_puts(sbio, "
\r\n"); + BIO_puts(sbio, "\r\n"); /* Since there is a buffering BIO present we had better flush it */ BIO_flush(sbio); BIO_free_all(sbio); =head1 SEE ALSO TBA diff --git a/crypto/openssl/doc/crypto/CONF_modules_free.pod b/crypto/openssl/doc/crypto/CONF_modules_free.pod new file mode 100644 index 000000000000..af8ae6a5c92d --- /dev/null +++ b/crypto/openssl/doc/crypto/CONF_modules_free.pod @@ -0,0 +1,47 @@ +=pod + +=head1 NAME + + CONF_modules_free, CONF_modules_load, CONF_modules_unload - + OpenSSL configuration cleanup functions + +=head1 SYNOPSIS + + #include + + void CONF_modules_free(void); + void CONF_modules_unload(int all); + void CONF_modules_finish(void); + +=head1 DESCRIPTION + +CONF_modules_free() closes down and frees up all memory allocated by all +configuration modules. + +CONF_modules_finish() calls each configuration modules B handler +to free up any configuration that module may have performed. + +CONF_modules_unload() finishes and unloads configuration modules. If +B is set to B<0> only modules loaded from DSOs will be unloads. If +B is B<1> all modules, including builtin modules will be unloaded. + +=head1 NOTES + +Normally applications will only call CONF_modules_free() at application to +tidy up any configuration performed. + +=head1 RETURN VALUE + +None of the functions return a value. + +=head1 SEE ALSO + +L, L, +L + +=head1 HISTORY + +CONF_modules_free(), CONF_modules_unload(), and CONF_modules_finish() +first appeared in OpenSSL 0.9.7. + +=cut diff --git a/crypto/openssl/doc/crypto/CONF_modules_load_file.pod b/crypto/openssl/doc/crypto/CONF_modules_load_file.pod new file mode 100644 index 000000000000..9965d69bf2ec --- /dev/null +++ b/crypto/openssl/doc/crypto/CONF_modules_load_file.pod @@ -0,0 +1,60 @@ +=pod + +=head1 NAME + + CONF_modules_load_file, CONF_modules_load - OpenSSL configuration functions + +=head1 SYNOPSIS + + #include + + int CONF_modules_load_file(const char *filename, const char *appname, + unsigned long flags); + int CONF_modules_load(const CONF *cnf, const char *appname, + unsigned long flags); + +=head1 DESCRIPTION + +The function CONF_modules_load_file() configures OpenSSL using file +B and application name B. If B is NULL +the standard OpenSSL configuration file is used. If B is +NULL the standard OpenSSL application name B is used. +The behaviour can be cutomized using B. + +CONF_modules_load() is idential to CONF_modules_load_file() except it +read configuration information from B. + +=head1 NOTES + +The following B are currently recognized: + +B if set errors returned by individual +configuration modules are ignored. If not set the first module error is +considered fatal and no further modules are loads. + +Normally any modules errors will add error information to the error queue. If +B is set no error information is added. + +If B is set configuration module loading from DSOs is +disabled. + +B if set will make CONF_load_modules_file() +ignore missing configuration files. Normally a missing configuration file +return an error. + +=head1 RETURN VALUE + +These functions return 1 for success and a zero or negative value for +failure. If module errors are not ignored the return code will reflect the +return value of the failing module (this will always be zero or negative). + +=head1 SEE ALSO + +L, L, +L, L + +=head1 HISTORY + +CONF_modules_load_file and CONF_modules_load first appeared in OpenSSL 0.9.7. + +=cut diff --git a/crypto/openssl/doc/crypto/EVP_BytesToKey.pod b/crypto/openssl/doc/crypto/EVP_BytesToKey.pod index 5ce4add0821c..016381f3e994 100644 --- a/crypto/openssl/doc/crypto/EVP_BytesToKey.pod +++ b/crypto/openssl/doc/crypto/EVP_BytesToKey.pod @@ -1,67 +1,67 @@ =pod =head1 NAME - EVP_BytesToKey - password based encryption routine +EVP_BytesToKey - password based encryption routine =head1 SYNOPSIS #include int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md, const unsigned char *salt, const unsigned char *data, int datal, int count, unsigned char *key,unsigned char *iv); =head1 DESCRIPTION EVP_BytesToKey() derives a key and IV from various parameters. B is the cipher to derive the key and IV for. B is the message digest to use. The B paramter is used as a salt in the derivation: it should point to an 8 byte buffer or NULL if no salt is used. B is a buffer containing B bytes which is used to derive the keying data. B is the iteration count to use. The derived key and IV will be written to B and B respectively. =head1 NOTES A typical application of this function is to derive keying material for an encryption algorithm from a password in the B parameter. Increasing the B parameter slows down the algorithm which makes it harder for an attacker to peform a brute force attack using a large number of candidate passwords. If the total key and IV length is less than the digest length and B is used then the derivation algorithm is compatible with PKCS#5 v1.5 otherwise a non standard extension is used to derive the extra data. Newer applications should use more standard algorithms such as PKCS#5 v2.0 for key derivation. =head1 KEY DERIVATION ALGORITHM The key and IV is derived by concatenating D_1, D_2, etc until enough data is available for the key and IV. D_i is defined as: D_i = HASH^count(D_(i-1) || data || salt) where || denotes concatentaion, D_0 is empty, HASH is the digest algorithm in use, HASH^1(data) is simply HASH(data), HASH^2(data) is HASH(HASH(data)) and so on. The initial bytes are used for the key and the subsequent bytes for the IV. =head1 RETURN VALUES EVP_BytesToKey() returns the size of the derived key in bytes. =head1 SEE ALSO L, L, L, =head1 HISTORY =cut diff --git a/crypto/openssl/doc/crypto/EVP_DigestInit.pod b/crypto/openssl/doc/crypto/EVP_DigestInit.pod index 5901c3952660..1cb315e739dd 100644 --- a/crypto/openssl/doc/crypto/EVP_DigestInit.pod +++ b/crypto/openssl/doc/crypto/EVP_DigestInit.pod @@ -1,256 +1,256 @@ =pod =head1 NAME EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE, -EVP_MD_CTX_copy_ex EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, +EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2, EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines =head1 SYNOPSIS #include void EVP_MD_CTX_init(EVP_MD_CTX *ctx); EVP_MD_CTX *EVP_MD_CTX_create(void); int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt); int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s); int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx); void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx); int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in); int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type); int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s); int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in); #define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */ #define EVP_MD_type(e) ((e)->type) #define EVP_MD_pkey_type(e) ((e)->pkey_type) #define EVP_MD_size(e) ((e)->md_size) #define EVP_MD_block_size(e) ((e)->block_size) #define EVP_MD_CTX_md(e) (e)->digest) #define EVP_MD_CTX_size(e) EVP_MD_size((e)->digest) #define EVP_MD_CTX_block_size(e) EVP_MD_block_size((e)->digest) #define EVP_MD_CTX_type(e) EVP_MD_type((e)->digest) const EVP_MD *EVP_md_null(void); const EVP_MD *EVP_md2(void); const EVP_MD *EVP_md5(void); const EVP_MD *EVP_sha(void); const EVP_MD *EVP_sha1(void); const EVP_MD *EVP_dss(void); const EVP_MD *EVP_dss1(void); const EVP_MD *EVP_mdc2(void); const EVP_MD *EVP_ripemd160(void); const EVP_MD *EVP_get_digestbyname(const char *name); #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a)) #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a)) =head1 DESCRIPTION The EVP digest routines are a high level interface to message digests. EVP_MD_CTX_init() initializes digest contet B. EVP_MD_CTX_create() allocates, initializes and returns a digest contet. EVP_DigestInit_ex() sets up digest context B to use a digest B from ENGINE B. B must be initialized before calling this function. B will typically be supplied by a functionsuch as EVP_sha1(). If B is NULL then the default implementation of digest B is used. EVP_DigestUpdate() hashes B bytes of data at B into the digest context B. This function can be called several times on the same B to hash additional data. EVP_DigestFinal_ex() retrieves the digest value from B and places it in B. If the B parameter is not NULL then the number of bytes of data written (i.e. the length of the digest) will be written to the integer at B, at most B bytes will be written. After calling EVP_DigestFinal_ex() no additional calls to EVP_DigestUpdate() can be made, but EVP_DigestInit_ex() can be called to initialize a new digest operation. EVP_MD_CTX_cleanup() cleans up digest context B, it should be called after a digest context is no longer needed. EVP_MD_CTX_destroy() cleans up digest context B and frees up the space allocated to it, it should be called only on a context created using EVP_MD_CTX_create(). EVP_MD_CTX_copy_ex() can be used to copy the message digest state from B to B. This is useful if large amounts of data are to be hashed which only differ in the last few bytes. B must be initialized before calling this function. EVP_DigestInit() behaves in the same way as EVP_DigestInit_ex() except the passed context B does not have to be initialized, and it always uses the default digest implementation. EVP_DigestFinal() is similar to EVP_DigestFinal_ex() except the digest contet B is automatically cleaned up. EVP_MD_CTX_copy() is similar to EVP_MD_CTX_copy_ex() except the destination B does not have to be initialized. EVP_MD_size() and EVP_MD_CTX_size() return the size of the message digest when passed an B or an B structure, i.e. the size of the hash. EVP_MD_block_size() and EVP_MD_CTX_block_size() return the block size of the message digest when passed an B or an B structure. EVP_MD_type() and EVP_MD_CTX_type() return the NID of the OBJECT IDENTIFIER representing the given message digest when passed an B structure. For example EVP_MD_type(EVP_sha1()) returns B. This function is normally used when setting ASN1 OIDs. EVP_MD_CTX_md() returns the B structure corresponding to the passed B. EVP_MD_pkey_type() returns the NID of the public key signing algorithm associated with this digest. For example EVP_sha1() is associated with RSA so this will return B. This "link" between digests and signature algorithms may not be retained in future versions of OpenSSL. EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160() return B structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest algorithms respectively. The associated signature algorithm is RSA in each case. EVP_dss() and EVP_dss1() return B structures for SHA and SHA1 digest algorithms but using DSS (DSA) for the signature algorithm. EVP_md_null() is a "null" message digest that does nothing: i.e. the hash it returns is of zero length. EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj() return an B structure when passed a digest name, a digest NID or an ASN1_OBJECT structure respectively. The digest table must be initialized using, for example, OpenSSL_add_all_digests() for these functions to work. =head1 RETURN VALUES EVP_DigestInit_ex(), EVP_DigestUpdate() and EVP_DigestFinal_ex() return 1 for success and 0 for failure. EVP_MD_CTX_copy_ex() returns 1 if successful or 0 for failure. EVP_MD_type(), EVP_MD_pkey_type() and EVP_MD_type() return the NID of the corresponding OBJECT IDENTIFIER or NID_undef if none exists. EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size(e), EVP_MD_size(), EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block size in bytes. EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(), EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the corresponding EVP_MD structures. EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj() return either an B structure or NULL if an error occurs. =head1 NOTES The B interface to message digests should almost always be used in preference to the low level interfaces. This is because the code then becomes transparent to the digest used and much more flexible. SHA1 is the digest of choice for new applications. The other digest algorithms are still in common use. For most applications the B parameter to EVP_DigestInit_ex() will be set to NULL to use the default digest implementation. The functions EVP_DigestInit(), EVP_DigestFinal() and EVP_MD_CTX_copy() are obsolete but are retained to maintain compatibility with existing code. New applications should use EVP_DigestInit_ex(), EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex() because they can efficiently reuse a digest context instead of initializing and cleaning it up on each call and allow non default implementations of digests to be specified. In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after use memory leaks will occur. =head1 EXAMPLE This example digests the data "Test Message\n" and "Hello World\n", using the digest name passed on the command line. #include #include main(int argc, char *argv[]) { EVP_MD_CTX mdctx; const EVP_MD *md; char mess1[] = "Test Message\n"; char mess2[] = "Hello World\n"; unsigned char md_value[EVP_MAX_MD_SIZE]; int md_len, i; OpenSSL_add_all_digests(); if(!argv[1]) { printf("Usage: mdtest digestname\n"); exit(1); } md = EVP_get_digestbyname(argv[1]); if(!md) { printf("Unknown message digest %s\n", argv[1]); exit(1); } EVP_MD_CTX_init(&mdctx); EVP_DigestInit_ex(&mdctx, md, NULL); EVP_DigestUpdate(&mdctx, mess1, strlen(mess1)); EVP_DigestUpdate(&mdctx, mess2, strlen(mess2)); EVP_DigestFinal_ex(&mdctx, md_value, &md_len); EVP_MD_CTX_cleanup(&mdctx); printf("Digest is: "); for(i = 0; i < md_len; i++) printf("%02x", md_value[i]); printf("\n"); } =head1 BUGS The link between digests and signing algorithms results in a situation where EVP_sha1() must be used with RSA and EVP_dss1() must be used with DSS even though they are identical digests. =head1 SEE ALSO L, L, L, L, L, L, L, L =head1 HISTORY EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() are available in all versions of SSLeay and OpenSSL. EVP_MD_CTX_init(), EVP_MD_CTX_create(), EVP_MD_CTX_copy_ex(), EVP_MD_CTX_cleanup(), EVP_MD_CTX_destroy(), EVP_DigestInit_ex() and EVP_DigestFinal_ex() were added in OpenSSL 0.9.7. EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(), EVP_dss1(), EVP_mdc2() and EVP_ripemd160() were changed to return truely const EVP_MD * in OpenSSL 0.9.7. =cut diff --git a/crypto/openssl/doc/crypto/OPENSSL_config.pod b/crypto/openssl/doc/crypto/OPENSSL_config.pod new file mode 100644 index 000000000000..16600620ccf3 --- /dev/null +++ b/crypto/openssl/doc/crypto/OPENSSL_config.pod @@ -0,0 +1,82 @@ +=pod + +=head1 NAME + +OPENSSL_config, OPENSSL_no_config - simple OpenSSL configuration functions + +=head1 SYNOPSIS + + #include + + void OPENSSL_config(const char *config_name); + void OPENSSL_no_config(void); + +=head1 DESCRIPTION + +OPENSSL_config() configures OpenSSL using the standard B +configuration file name using B. If B is NULL then +the default name B will be used. Any errors are ignored. Further +calls to OPENSSL_config() will have no effect. The configuration file format +is documented in the L manual page. + +OPENSSL_no_config() disables configuration. If called before OPENSSL_config() +no configuration takes place. + +=head1 NOTES + +It is B recommended that B new applications call OPENSSL_config() +or the more sophisticated functions such as CONF_modules_load() during +initialization (that is before starting any threads). By doing this +an application does not need to keep track of all configuration options +and some new functionality can be supported automatically. + +It is also possible to automatically call OPENSSL_config() when an application +calls OPENSSL_add_all_algorithms() by compiling an application with the +preprocessor symbol B #define'd. In this way configuration +can be added without source changes. + +The environment variable B can be set to specify the location +of the configuration file. + +Currently ASN1 OBJECTs and ENGINE configuration can be performed future +versions of OpenSSL will add new configuration options. + +There are several reasons why calling the OpenSSL configuration routines is +advisable. For example new ENGINE functionality was added to OpenSSL 0.9.7. +In OpenSSL 0.9.7 control functions can be supported by ENGINEs, this can be +used (among other things) to load dynamic ENGINEs from shared libraries (DSOs). +However very few applications currently support the control interface and so +very few can load and use dynamic ENGINEs. Equally in future more sophisticated +ENGINEs will require certain control operations to customize them. If an +application calls OPENSSL_config() it doesn't need to know or care about +ENGINE control operations because they can be performed by editing a +configuration file. + +Applications should free up configuration at application closedown by calling +CONF_modules_free(). + +=head1 RESTRICTIONS + +The OPENSSL_config() function is designed to be a very simple "call it and +forget it" function. As a result its behaviour is somewhat limited. It ignores +all errors silently and it can only load from the standard configuration file +location for example. + +It is however B better than nothing. Applications which need finer +control over their configuration functionality should use the configuration +functions such as CONF_load_modules() directly. + +=head1 RETURN VALUES + +Neither OPENSSL_config() nor OPENSSL_no_config() return a value. + +=head1 SEE ALSO + +L, L, +L + +=head1 HISTORY + +OPENSSL_config() and OPENSSL_no_config() first appeared in OpenSSL 0.9.7 + +=cut diff --git a/crypto/openssl/doc/crypto/OPENSSL_load_builtin_modules.pod b/crypto/openssl/doc/crypto/OPENSSL_load_builtin_modules.pod new file mode 100644 index 000000000000..f14dfaf005dd --- /dev/null +++ b/crypto/openssl/doc/crypto/OPENSSL_load_builtin_modules.pod @@ -0,0 +1,51 @@ +=pod + +=head1 NAME + +OPENSSL_load_builtin_modules - add standard configuration modules + +=head1 SYNOPSIS + + #include + + void OPENSSL_load_builtin_modules(void); + void ASN1_add_oid_module(void); + ENGINE_add_conf_module(); + +=head1 DESCRIPTION + +The function OPENSSL_load_builtin_modules() adds all the standard OpenSSL +configuration modules to the internal list. They can then be used by the +OpenSSL configuration code. + +ASN1_add_oid_module() adds just the ASN1 OBJECT module. + +ENGINE_add_conf_module() adds just the ENGINE configuration module. + +=head1 NOTES + +If the simple configuration function OPENSSL_config() is called then +OPENSSL_load_builtin_modules() is called automatically. + +Applications which use the configuration functions directly will need to +call OPENSSL_load_builtin_modules() themselves I any other +configuration code. + +Applications should call OPENSSL_load_builtin_modules() to load all +configuration modules instead of adding modules selectively: otherwise +functionality may be missing from the application if an when new +modules are added. + +=head1 RETURN VALUE + +None of the functions return a value. + +=head1 SEE ALSO + +L, L + +=head1 HISTORY + +These functions first appeared in OpenSSL 0.9.7. + +=cut diff --git a/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod b/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod index 486c90343078..e63411b5bba0 100644 --- a/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod +++ b/crypto/openssl/doc/crypto/OpenSSL_add_all_algorithms.pod @@ -1,66 +1,66 @@ =pod =head1 NAME OpenSSL_add_all_algorithms, OpenSSL_add_all_ciphers, OpenSSL_add_all_digests - add algorithms to internal table =head1 SYNOPSIS #include void OpenSSL_add_all_algorithms(void); void OpenSSL_add_all_ciphers(void); void OpenSSL_add_all_digests(void); void EVP_cleanup(void); =head1 DESCRIPTION OpenSSL keeps an internal table of digest algorithms and ciphers. It uses this table to lookup ciphers via functions such as EVP_get_cipher_byname(). OpenSSL_add_all_digests() adds all digest algorithms to the table. OpenSSL_add_all_algorithms() adds all algorithms to the table (digests and ciphers). OpenSSL_add_all_ciphers() adds all encryption algorithms to the table including password based encryption algorithms. EVP_cleanup() removes all ciphers and digests from the table. =head1 RETURN VALUES None of the functions return a value. =head1 NOTES -A typical application will will call OpenSSL_add_all_algorithms() initially and +A typical application will call OpenSSL_add_all_algorithms() initially and EVP_cleanup() before exiting. An application does not need to add algorithms to use them explicitly, for example by EVP_sha1(). It just needs to add them if it (or any of the functions it calls) needs to lookup algorithms. The cipher and digest lookup functions are used in many parts of the library. If the table is not initialized several functions will misbehave and complain they cannot find algorithms. This includes the PEM, PKCS#12, SSL and S/MIME libraries. This is a common query in the OpenSSL mailing lists. Calling OpenSSL_add_all_algorithms() links in all algorithms: as a result a statically linked executable can be quite large. If this is important it is possible to just add the required ciphers and digests. =head1 BUGS Although the functions do not return error codes it is possible for them to fail. This will only happen as a result of a memory allocation failure so this is not too much of a problem in practice. =head1 SEE ALSO L, L, L =cut diff --git a/crypto/openssl/doc/crypto/RSA_print.pod b/crypto/openssl/doc/crypto/RSA_print.pod index e28d107d1c6e..c971e91f4db6 100644 --- a/crypto/openssl/doc/crypto/RSA_print.pod +++ b/crypto/openssl/doc/crypto/RSA_print.pod @@ -1,49 +1,49 @@ =pod =head1 NAME RSA_print, RSA_print_fp, DSAparams_print, DSAparams_print_fp, DSA_print, DSA_print_fp, DHparams_print, DHparams_print_fp - print cryptographic parameters =head1 SYNOPSIS #include int RSA_print(BIO *bp, RSA *x, int offset); int RSA_print_fp(FILE *fp, RSA *x, int offset); #include int DSAparams_print(BIO *bp, DSA *x); int DSAparams_print_fp(FILE *fp, DSA *x); int DSA_print(BIO *bp, DSA *x, int offset); int DSA_print_fp(FILE *fp, DSA *x, int offset); #include int DHparams_print(BIO *bp, DH *x); int DHparams_print_fp(FILE *fp, DH *x); =head1 DESCRIPTION A human-readable hexadecimal output of the components of the RSA key, DSA parameters or key or DH parameters is printed to B or B. The output lines are indented by B spaces. =head1 RETURN VALUES These functions return 1 on success, 0 on error. =head1 SEE ALSO L, L, L, L =head1 HISTORY RSA_print(), RSA_print_fp(), DSA_print(), DSA_print_fp(), DH_print(), DH_print_fp() are available in all versions of SSLeay and OpenSSL. -DSAparams_print() and DSAparams_print_pf() were added in SSLeay 0.8. +DSAparams_print() and DSAparams_print_fp() were added in SSLeay 0.8. =cut diff --git a/crypto/openssl/doc/crypto/d2i_DSAPublicKey.pod b/crypto/openssl/doc/crypto/d2i_DSAPublicKey.pod index 6ebd30427b88..22c1b50f2288 100644 --- a/crypto/openssl/doc/crypto/d2i_DSAPublicKey.pod +++ b/crypto/openssl/doc/crypto/d2i_DSAPublicKey.pod @@ -1,82 +1,83 @@ =pod =head1 NAME d2i_DSAPublicKey, i2d_DSAPublicKey, d2i_DSAPrivateKey, i2d_DSAPrivateKey, d2i_DSA_PUBKEY, i2d_DSA_PUBKEY, d2i_DSA_SIG, i2d_DSA_SIG - DSA key encoding and parsing functions. =head1 SYNOPSIS #include + #include DSA * d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length); int i2d_DSAPublicKey(const DSA *a, unsigned char **pp); DSA * d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length); int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp); DSA * d2i_DSAPrivateKey(DSA **a, const unsigned char **pp, long length); int i2d_DSAPrivateKey(const DSA *a, unsigned char **pp); DSA * d2i_DSAparams(DSA **a, const unsigned char **pp, long length); int i2d_DSAparams(const DSA *a, unsigned char **pp); DSA * d2i_DSA_SIG(DSA_SIG **a, const unsigned char **pp, long length); int i2d_DSA_SIG(const DSA_SIG *a, unsigned char **pp); =head1 DESCRIPTION d2i_DSAPublicKey() and i2d_DSAPublicKey() decode and encode the DSA public key components structure. -d2i_DSA_PUKEY() and i2d_DSA_PUKEY() decode and encode an DSA public key using a -SubjectPublicKeyInfo (certificate public key) structure. +d2i_DSA_PUBKEY() and i2d_DSA_PUBKEY() decode and encode an DSA public key using +a SubjectPublicKeyInfo (certificate public key) structure. d2i_DSAPrivateKey(), i2d_DSAPrivateKey() decode and encode the DSA private key components. d2i_DSAparams(), i2d_DSAparams() decode and encode the DSA parameters using a B structure as defined in RFC2459. d2i_DSA_SIG(), i2d_DSA_SIG() decode and encode a DSA signature using a B structure as defined in RFC2459. The usage of all of these functions is similar to the d2i_X509() and i2d_X509() described in the L manual page. =head1 NOTES The B structure passed to the private key encoding functions should have all the private key components present. The data encoded by the private key functions is unencrypted and therefore offers no private key security. The B functions should be used in preference to the B functions when encoding public keys because they use a standard format. The B functions use an non standard format the actual data encoded depends on the value of the B field of the B key parameter. If B is zero then only the B field is encoded as an B. If B is 1 then a B consisting of the B

, B, B and B respectively fields are encoded. The B functions also use a non standard structure consiting consisting of a SEQUENCE containing the B

, B, B and B and B fields respectively. =head1 SEE ALSO L =head1 HISTORY TBA =cut diff --git a/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod b/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod index 7c71bcbf3dbd..279b29c873c0 100644 --- a/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod +++ b/crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod @@ -1,66 +1,67 @@ =pod =head1 NAME d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, d2i_RSA_PUBKEY, i2d_RSA_PUBKEY, i2d_Netscape_RSA, d2i_Netscape_RSA - RSA public and private key encoding functions. =head1 SYNOPSIS #include + #include RSA * d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length); int i2d_RSAPublicKey(RSA *a, unsigned char **pp); RSA * d2i_RSA_PUBKEY(RSA **a, unsigned char **pp, long length); int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp); RSA * d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length); int i2d_RSAPrivateKey(RSA *a, unsigned char **pp); int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)()); RSA * d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)()); =head1 DESCRIPTION d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1 RSAPublicKey structure. -d2i_RSA_PUKEY() and i2d_RSA_PUKEY() decode and encode an RSA public key using a -SubjectPublicKeyInfo (certificate public key) structure. +d2i_RSA_PUBKEY() and i2d_RSA_PUBKEY() decode and encode an RSA public key using +a SubjectPublicKeyInfo (certificate public key) structure. d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1 RSAPrivateKey structure. d2i_Netscape_RSA(), i2d_Netscape_RSA() decode and encode an RSA private key in NET format. The usage of all of these functions is similar to the d2i_X509() and i2d_X509() described in the L manual page. =head1 NOTES The B structure passed to the private key encoding functions should have all the PKCS#1 private key components present. The data encoded by the private key functions is unencrypted and therefore offers no private key security. The NET format functions are present to provide compatibility with certain very old software. This format has some severe security weaknesses and should be avoided if possible. =head1 SEE ALSO L =head1 HISTORY TBA =cut diff --git a/crypto/openssl/doc/crypto/des.pod b/crypto/openssl/doc/crypto/des.pod index 528c73acac61..6f0cf1cc5e5f 100644 --- a/crypto/openssl/doc/crypto/des.pod +++ b/crypto/openssl/doc/crypto/des.pod @@ -1,358 +1,358 @@ =pod =head1 NAME DES_random_key, DES_set_key, DES_key_sched, DES_set_key_checked, DES_set_key_unchecked, DES_set_odd_parity, DES_is_weak_key, DES_ecb_encrypt, DES_ecb2_encrypt, DES_ecb3_encrypt, DES_ncbc_encrypt, DES_cfb_encrypt, DES_ofb_encrypt, DES_pcbc_encrypt, DES_cfb64_encrypt, DES_ofb64_encrypt, DES_xcbc_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt, DES_ede2_ofb64_encrypt, DES_ede3_cbc_encrypt, DES_ede3_cbcm_encrypt, DES_ede3_cfb64_encrypt, DES_ede3_ofb64_encrypt, DES_cbc_cksum, DES_quad_cksum, DES_string_to_key, DES_string_to_2keys, DES_fcrypt, DES_crypt, DES_enc_read, DES_enc_write - DES encryption =head1 SYNOPSIS #include void DES_random_key(DES_cblock *ret); int DES_set_key(const_DES_cblock *key, DES_key_schedule *schedule); int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule); int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule); void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule); void DES_set_odd_parity(DES_cblock *key); int DES_is_weak_key(const_DES_cblock *key); void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, DES_key_schedule *ks, int enc); void DES_ecb2_encrypt(const_DES_cblock *input, DES_cblock *output, DES_key_schedule *ks1, DES_key_schedule *ks2, int enc); void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, int enc); void DES_ncbc_encrypt(const unsigned char *input, unsigned char *output, long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc); void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc); void DES_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits, long length, DES_key_schedule *schedule, DES_cblock *ivec); void DES_pcbc_encrypt(const unsigned char *input, unsigned char *output, long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc); void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length, DES_key_schedule *schedule, DES_cblock *ivec, int *num, int enc); void DES_ofb64_encrypt(const unsigned char *in, unsigned char *out, long length, DES_key_schedule *schedule, DES_cblock *ivec, int *num); void DES_xcbc_encrypt(const unsigned char *input, unsigned char *output, long length, DES_key_schedule *schedule, DES_cblock *ivec, const_DES_cblock *inw, const_DES_cblock *outw, int enc); void DES_ede2_cbc_encrypt(const unsigned char *input, unsigned char *output, long length, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_cblock *ivec, int enc); void DES_ede2_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_cblock *ivec, int *num, int enc); void DES_ede2_ofb64_encrypt(const unsigned char *in, unsigned char *out, long length, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_cblock *ivec, int *num); void DES_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output, long length, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, DES_cblock *ivec, int enc); void DES_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, long length, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, DES_cblock *ivec1, DES_cblock *ivec2, int enc); void DES_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, DES_cblock *ivec, int *num, int enc); void DES_ede3_ofb64_encrypt(const unsigned char *in, unsigned char *out, long length, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, DES_cblock *ivec, int *num); DES_LONG DES_cbc_cksum(const unsigned char *input, DES_cblock *output, long length, DES_key_schedule *schedule, const_DES_cblock *ivec); DES_LONG DES_quad_cksum(const unsigned char *input, DES_cblock output[], long length, int out_count, DES_cblock *seed); void DES_string_to_key(const char *str, DES_cblock *key); void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2); char *DES_fcrypt(const char *buf, const char *salt, char *ret); char *DES_crypt(const char *buf, const char *salt); int DES_enc_read(int fd, void *buf, int len, DES_key_schedule *sched, DES_cblock *iv); int DES_enc_write(int fd, const void *buf, int len, DES_key_schedule *sched, DES_cblock *iv); =head1 DESCRIPTION This library contains a fast implementation of the DES encryption algorithm. There are two phases to the use of DES encryption. The first is the generation of a I from a key, the second is the actual encryption. A DES key is of type I. This type is consists of 8 bytes with odd parity. The least significant bit in each byte is the parity bit. The key schedule is an expanded form of the key; it is used to speed the encryption process. DES_random_key() generates a random key. The PRNG must be seeded prior to using this function (see L). If the PRNG could not generate a secure key, 0 is returned. Before a DES key can be used, it must be converted into the architecture dependent I via the DES_set_key_checked() or DES_set_key_unchecked() function. DES_set_key_checked() will check that the key passed is of odd parity and is not a week or semi-weak key. If the parity is wrong, then -1 is returned. If the key is a weak key, then -2 is returned. If an error is returned, the key schedule is not generated. DES_set_key() works like DES_set_key_checked() if the I flag is non-zero, otherwise like DES_set_key_unchecked(). These functions are available for compatibility; it is recommended to use a function that does not depend on a global variable. DES_set_odd_parity() sets the parity of the passed I to odd. DES_is_weak_key() returns 1 is the passed key is a weak key, 0 if it is ok. The probability that a randomly generated key is weak is 1/2^52, so it is not really worth checking for them. The following routines mostly operate on an input and output stream of Is. DES_ecb_encrypt() is the basic DES encryption routine that encrypts or decrypts a single 8-byte I in I (ECB) mode. It always transforms the input data, pointed to by I, into the output data, pointed to by the I argument. If the I argument is non-zero (DES_ENCRYPT), the I (cleartext) is encrypted in to the I (ciphertext) using the key_schedule specified by the I argument, previously set via I. If I is zero (DES_DECRYPT), the I (now ciphertext) is decrypted into the I (now cleartext). Input and output may overlap. DES_ecb_encrypt() does not return a value. DES_ecb3_encrypt() encrypts/decrypts the I block by using three-key Triple-DES encryption in ECB mode. This involves encrypting the input with I, decrypting with the key schedule I, and then encrypting with I. This routine greatly reduces the chances of brute force breaking of DES and has the advantage of if I, I and I are the same, it is equivalent to just encryption using ECB mode and I as the key. The macro DES_ecb2_encrypt() is provided to perform two-key Triple-DES encryption by using I for the final encryption. DES_ncbc_encrypt() encrypts/decrypts using the I (CBC) mode of DES. If the I argument is non-zero, the routine cipher-block-chain encrypts the cleartext data pointed to by the I argument into the ciphertext pointed to by the I argument, using the key schedule provided by the I argument, and initialization vector provided by the I argument. If the I argument is not an integral multiple of eight bytes, the last block is copied to a temporary area and zero filled. The output is always an integral multiple of eight bytes. DES_xcbc_encrypt() is RSA's DESX mode of DES. It uses I and I to 'whiten' the encryption. I and I are secret (unlike the iv) and are as such, part of the key. So the key is sort of 24 bytes. This is much better than CBC DES. DES_ede3_cbc_encrypt() implements outer triple CBC DES encryption with three keys. This means that each DES operation inside the CBC mode is really an C. This mode is used by SSL. The DES_ede2_cbc_encrypt() macro implements two-key Triple-DES by reusing I for the final encryption. C. This form of Triple-DES is used by the RSAREF library. DES_pcbc_encrypt() encrypt/decrypts using the propagating cipher block chaining mode used by Kerberos v4. Its parameters are the same as DES_ncbc_encrypt(). DES_cfb_encrypt() encrypt/decrypts using cipher feedback mode. This method takes an array of characters as input and outputs and array of characters. It does not require any padding to 8 character groups. Note: the I variable is changed and the new changed value needs to be passed to the next call to this function. Since this function runs a complete DES ECB encryption per I, this function is only suggested for use when sending small numbers of characters. DES_cfb64_encrypt() implements CFB mode of DES with 64bit feedback. Why is this useful you ask? Because this routine will allow you to encrypt an arbitrary number of bytes, no 8 byte padding. Each call to this routine will encrypt the input bytes to output and then update ivec and num. num contains 'how far' we are though ivec. If this does not make much sense, read more about cfb mode of DES :-). DES_ede3_cfb64_encrypt() and DES_ede2_cfb64_encrypt() is the same as DES_cfb64_encrypt() except that Triple-DES is used. DES_ofb_encrypt() encrypts using output feedback mode. This method takes an array of characters as input and outputs and array of characters. It does not require any padding to 8 character groups. Note: the I variable is changed and the new changed value needs to be passed to the next call to this function. Since this function runs a complete DES ECB encryption per numbits, this function is only suggested for use when sending small numbers of characters. DES_ofb64_encrypt() is the same as DES_cfb64_encrypt() using Output Feed Back mode. DES_ede3_ofb64_encrypt() and DES_ede2_ofb64_encrypt() is the same as DES_ofb64_encrypt(), using Triple-DES. The following functions are included in the DES library for compatibility with the MIT Kerberos library. DES_cbc_cksum() produces an 8 byte checksum based on the input stream (via CBC encryption). The last 4 bytes of the checksum are returned and the complete 8 bytes are placed in I. This function is used by Kerberos v4. Other applications should use L etc. instead. DES_quad_cksum() is a Kerberos v4 function. It returns a 4 byte checksum from the input bytes. The algorithm can be iterated over the input, depending on I, 1, 2, 3 or 4 times. If I is non-NULL, the 8 bytes generated by each pass are written into I. The following are DES-based transformations: DES_fcrypt() is a fast version of the Unix crypt(3) function. This version takes only a small amount of space relative to other fast crypt() implementations. This is different to the normal crypt in that the third parameter is the buffer that the return value is written into. It needs to be at least 14 bytes long. This function is thread safe, unlike the normal crypt. DES_crypt() is a faster replacement for the normal system crypt(). This function calls DES_fcrypt() with a static array passed as the third parameter. This emulates the normal non-thread safe semantics of crypt(3). DES_enc_write() writes I bytes to file descriptor I from buffer I. The data is encrypted via I (default) using I for the key and I as a starting vector. The actual data send down I consists of 4 bytes (in network byte order) containing the length of the following encrypted data. The encrypted data then follows, padded with random data out to a multiple of 8 bytes. DES_enc_read() is used to read I bytes from file descriptor I into buffer I. The data being read from I is assumed to have come from DES_enc_write() and is decrypted using I for the key schedule and I for the initial vector. B The data format used by DES_enc_write() and DES_enc_read() has a cryptographic weakness: When asked to write more than MAXWRITE bytes, DES_enc_write() will split the data into several chunks that are all encrypted using the same IV. So don't use these functions unless you are sure you know what you do (in which case you might not want to use them anyway). They cannot handle non-blocking sockets. DES_enc_read() uses an internal state and thus cannot be used on multiple files. I is used to specify the encryption mode to use with DES_enc_read() and DES_end_write(). If set to I (the default), DES_pcbc_encrypt is used. If set to I DES_cbc_encrypt is used. =head1 NOTES Single-key DES is insecure due to its short key size. ECB mode is -not suitable for most applications; see L. +not suitable for most applications; see L. The L library provides higher-level encryption functions. =head1 BUGS DES_3cbc_encrypt() is flawed and must not be used in applications. DES_cbc_encrypt() does not modify B; use DES_ncbc_encrypt() instead. DES_cfb_encrypt() and DES_ofb_encrypt() operates on input of 8 bits. What this means is that if you set numbits to 12, and length to 2, the first 12 bits will come from the 1st input byte and the low half of the second input byte. The second 12 bits will have the low 8 bits taken from the 3rd input byte and the top 4 bits taken from the 4th input byte. The same holds for output. This function has been implemented this way because most people will be using a multiple of 8 and because once you get into pulling bytes input bytes apart things get ugly! DES_string_to_key() is available for backward compatibility with the MIT library. New applications should use a cryptographic hash function. The same applies for DES_string_to_2key(). =head1 CONFORMING TO ANSI X3.106 The B library was written to be source code compatible with the MIT Kerberos library. =head1 SEE ALSO crypt(3), L, L, L =head1 HISTORY In OpenSSL 0.9.7, all des_ functions were renamed to DES_ to avoid clashes with older versions of libdes. Compatibility des_ functions are provided for a short while, as well as crypt(). Declarations for these are in . There is no DES_ variant for des_random_seed(). This will happen to other functions as well if they are deemed redundant (des_random_seed() just calls RAND_seed() and is present for backward compatibility only), buggy or already scheduled for removal. des_cbc_cksum(), des_cbc_encrypt(), des_ecb_encrypt(), des_is_weak_key(), des_key_sched(), des_pcbc_encrypt(), des_quad_cksum(), des_random_key() and des_string_to_key() are available in the MIT Kerberos library; des_check_key_parity(), des_fixup_key_parity() and des_is_weak_key() are available in newer versions of that library. des_set_key_checked() and des_set_key_unchecked() were added in OpenSSL 0.9.5. des_generate_random_block(), des_init_random_number_generator(), des_new_random_key(), des_set_random_generator_seed() and des_set_sequence_number() and des_rand_data() are used in newer versions of Kerberos but are not implemented here. des_random_key() generated cryptographically weak random data in SSLeay and in OpenSSL prior version 0.9.5, as well as in the original MIT library. =head1 AUTHOR Eric Young (eay@cryptsoft.com). Modified for the OpenSSL project (http://www.openssl.org). =cut diff --git a/crypto/openssl/doc/crypto/pem.pod b/crypto/openssl/doc/crypto/pem.pod index a4f8cc33376a..8613114452e8 100644 --- a/crypto/openssl/doc/crypto/pem.pod +++ b/crypto/openssl/doc/crypto/pem.pod @@ -1,476 +1,476 @@ =pod =head1 NAME PEM - PEM routines =head1 SYNOPSIS #include EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u); EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u); int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u); int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u); int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, char *kstr, int klen, pem_password_cb *cb, void *u); int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, char *kstr, int klen, pem_password_cb *cb, void *u); int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid, char *kstr, int klen, pem_password_cb *cb, void *u); int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid, char *kstr, int klen, pem_password_cb *cb, void *u); EVP_PKEY *PEM_read_bio_PUBKEY(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u); EVP_PKEY *PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u); int PEM_write_bio_PUBKEY(BIO *bp, EVP_PKEY *x); int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x); RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x, pem_password_cb *cb, void *u); RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **x, pem_password_cb *cb, void *u); int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u); int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u); RSA *PEM_read_bio_RSAPublicKey(BIO *bp, RSA **x, pem_password_cb *cb, void *u); RSA *PEM_read_RSAPublicKey(FILE *fp, RSA **x, pem_password_cb *cb, void *u); int PEM_write_bio_RSAPublicKey(BIO *bp, RSA *x); int PEM_write_RSAPublicKey(FILE *fp, RSA *x); RSA *PEM_read_bio_RSA_PUBKEY(BIO *bp, RSA **x, pem_password_cb *cb, void *u); RSA *PEM_read_RSA_PUBKEY(FILE *fp, RSA **x, pem_password_cb *cb, void *u); int PEM_write_bio_RSA_PUBKEY(BIO *bp, RSA *x); int PEM_write_RSA_PUBKEY(FILE *fp, RSA *x); DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **x, pem_password_cb *cb, void *u); DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **x, pem_password_cb *cb, void *u); int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u); int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u); DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x, pem_password_cb *cb, void *u); DSA *PEM_read_DSA_PUBKEY(FILE *fp, DSA **x, pem_password_cb *cb, void *u); int PEM_write_bio_DSA_PUBKEY(BIO *bp, DSA *x); int PEM_write_DSA_PUBKEY(FILE *fp, DSA *x); DSA *PEM_read_bio_DSAparams(BIO *bp, DSA **x, pem_password_cb *cb, void *u); DSA *PEM_read_DSAparams(FILE *fp, DSA **x, pem_password_cb *cb, void *u); int PEM_write_bio_DSAparams(BIO *bp, DSA *x); int PEM_write_DSAparams(FILE *fp, DSA *x); DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u); DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u); int PEM_write_bio_DHparams(BIO *bp, DH *x); int PEM_write_DHparams(FILE *fp, DH *x); X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u); X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u); int PEM_write_bio_X509(BIO *bp, X509 *x); int PEM_write_X509(FILE *fp, X509 *x); X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u); X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u); int PEM_write_bio_X509_AUX(BIO *bp, X509 *x); int PEM_write_X509_AUX(FILE *fp, X509 *x); X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x, pem_password_cb *cb, void *u); X509_REQ *PEM_read_X509_REQ(FILE *fp, X509_REQ **x, pem_password_cb *cb, void *u); int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x); int PEM_write_X509_REQ(FILE *fp, X509_REQ *x); int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x); int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x); X509_CRL *PEM_read_bio_X509_CRL(BIO *bp, X509_CRL **x, pem_password_cb *cb, void *u); X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x, pem_password_cb *cb, void *u); int PEM_write_bio_X509_CRL(BIO *bp, X509_CRL *x); int PEM_write_X509_CRL(FILE *fp, X509_CRL *x); PKCS7 *PEM_read_bio_PKCS7(BIO *bp, PKCS7 **x, pem_password_cb *cb, void *u); PKCS7 *PEM_read_PKCS7(FILE *fp, PKCS7 **x, pem_password_cb *cb, void *u); int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x); int PEM_write_PKCS7(FILE *fp, PKCS7 *x); NETSCAPE_CERT_SEQUENCE *PEM_read_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, NETSCAPE_CERT_SEQUENCE **x, pem_password_cb *cb, void *u); NETSCAPE_CERT_SEQUENCE *PEM_read_NETSCAPE_CERT_SEQUENCE(FILE *fp, NETSCAPE_CERT_SEQUENCE **x, pem_password_cb *cb, void *u); int PEM_write_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, NETSCAPE_CERT_SEQUENCE *x); int PEM_write_NETSCAPE_CERT_SEQUENCE(FILE *fp, NETSCAPE_CERT_SEQUENCE *x); =head1 DESCRIPTION The PEM functions read or write structures in PEM format. In this sense PEM format is simply base64 encoded data surrounded by header lines. For more details about the meaning of arguments see the B section. Each operation has four functions associated with it. For clarity the term "B functions" will be used to collectively refer to the PEM_read_bio_foobar(), PEM_read_foobar(), PEM_write_bio_foobar() and PEM_write_foobar() functions. The B functions read or write a private key in PEM format using an EVP_PKEY structure. The write routines use "traditional" private key format and can handle both RSA and DSA private keys. The read functions can additionally transparently handle PKCS#8 format encrypted and unencrypted keys too. PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey() write a private key in an EVP_PKEY structure in PKCS#8 EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption algorithms. The B argument specifies the encryption algoritm to use: unlike all other PEM routines the encryption is applied at the PKCS#8 level and not in the PEM headers. If B is NULL then no encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead. PEM_write_bio_PKCS8PrivateKey_nid() and PEM_write_PKCS8PrivateKey_nid() also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo however it uses PKCS#5 v1.5 or PKCS#12 encryption algorithms instead. The algorithm to use is specified in the B parameter and should be the NID of the corresponding OBJECT IDENTIFIER (see NOTES section). The B functions process a public key using an EVP_PKEY structure. The public key is encoded as a SubjectPublicKeyInfo structure. The B functions process an RSA private key using an RSA structure. It handles the same formats as the B functions but an error occurs if the private key is not RSA. The B functions process an RSA public key using an RSA structure. The public key is encoded using a PKCS#1 RSAPublicKey structure. The B functions also process an RSA public key using an RSA structure. However the public key is encoded using a SubjectPublicKeyInfo structure and an error occurs if the public key is not RSA. The B functions process a DSA private key using a DSA structure. It handles the same formats as the B functions but an error occurs if the private key is not DSA. The B functions process a DSA public key using a DSA structure. The public key is encoded using a SubjectPublicKeyInfo structure and an error occurs if the public key is not DSA. The B functions process DSA parameters using a DSA structure. The parameters are encoded using a foobar structure. The B functions process DH parameters using a DH structure. The parameters are encoded using a PKCS#3 DHparameter structure. The B functions process an X509 certificate using an X509 structure. They will also process a trusted X509 certificate but any trust settings are discarded. The B functions process a trusted X509 certificate using an X509 structure. The B and B functions process a PKCS#10 certificate request using an X509_REQ structure. The B write functions use B in the header whereas the B functions use B (as required by some CAs). The B read functions will handle either form so there are no B read functions. The B functions process an X509 CRL using an X509_CRL structure. The B functions process a PKCS#7 ContentInfo using a PKCS7 structure. The B functions process a Netscape Certificate Sequence using a NETSCAPE_CERT_SEQUENCE structure. =head1 PEM FUNCTION ARGUMENTS The PEM functions have many common arguments. The B BIO parameter (if present) specifies the BIO to read from or write to. The B FILE parameter (if present) specifies the FILE pointer to read from or write to. The PEM read functions all take an argument B and return a B pointer. Where B is whatever structure the function uses. If B is NULL then the parameter is ignored. If B is not NULL but B<*x> is NULL then the structure returned will be written to B<*x>. If neither B nor B<*x> is NULL then an attempt is made to reuse the structure at B<*x> (but see BUGS and EXAMPLES sections). Irrespective of the value of B a pointer to the structure is always returned (or NULL if an error occurred). The PEM functions which write private keys take an B parameter which specifies the encryption algorithm to use, encryption is done at the PEM level. If this parameter is set to NULL then the private key is written in unencrypted form. The B argument is the callback to use when querying for the pass phrase used for encrypted PEM structures (normally only private keys). For the PEM write routines if the B parameter is not NULL then B bytes at B are used as the passphrase and B is ignored. If the B parameters is set to NULL and the B parameter is not NULL then the B parameter is interpreted as a null terminated string to use as the passphrase. If both B and B are NULL then the default callback routine is used which will typically prompt for the passphrase on the current terminal with echoing turned off. The default passphrase callback is sometimes inappropriate (for example in a GUI application) so an alternative can be supplied. The callback routine has the following form: int cb(char *buf, int size, int rwflag, void *u); B is the buffer to write the passphrase to. B is the maximum length of the passphrase (i.e. the size of buf). B is a flag which is set to 0 when reading and 1 when writing. A typical routine will ask the user to verify the passphrase (for example by prompting for it twice) if B is 1. The B parameter has the same value as the B parameter passed to the PEM routine. It allows arbitrary data to be passed to the callback by the application (for example a window handle in a GUI application). The callback B return the number of characters in the passphrase or 0 if an error occurred. =head1 EXAMPLES Although the PEM routines take several arguments in almost all applications most of them are set to 0 or NULL. Read a certificate in PEM format from a BIO: X509 *x; - x = PEM_read_bio(bp, NULL, 0, NULL); + x = PEM_read_bio_X509(bp, NULL, 0, NULL); if (x == NULL) { /* Error */ } Alternative method: X509 *x = NULL; if (!PEM_read_bio_X509(bp, &x, 0, NULL)) { /* Error */ } Write a certificate to a BIO: if (!PEM_write_bio_X509(bp, x)) { /* Error */ } Write an unencrypted private key to a FILE pointer: if (!PEM_write_PrivateKey(fp, key, NULL, NULL, 0, 0, NULL)) { /* Error */ } Write a private key (using traditional format) to a BIO using triple DES encryption, the pass phrase is prompted for: if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL)) { /* Error */ } Write a private key (using PKCS#8 format) to a BIO using triple DES encryption, using the pass phrase "hello": if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, "hello")) { /* Error */ } Read a private key from a BIO using the pass phrase "hello": key = PEM_read_bio_PrivateKey(bp, NULL, 0, "hello"); if (key == NULL) { /* Error */ } Read a private key from a BIO using a pass phrase callback: key = PEM_read_bio_PrivateKey(bp, NULL, pass_cb, "My Private Key"); if (key == NULL) { /* Error */ } Skeleton pass phrase callback: int pass_cb(char *buf, int size, int rwflag, void *u); { int len; char *tmp; /* We'd probably do something else if 'rwflag' is 1 */ printf("Enter pass phrase for \"%s\"\n", u); /* get pass phrase, length 'len' into 'tmp' */ tmp = "hello"; len = strlen(tmp); if (len <= 0) return 0; /* if too long, truncate */ if (len > size) len = size; memcpy(buf, tmp, len); return len; } =head1 NOTES The old B write routines are retained for compatibility. New applications should write private keys using the PEM_write_bio_PKCS8PrivateKey() or PEM_write_PKCS8PrivateKey() routines because they are more secure (they use an iteration count of 2048 whereas the traditional routines use a count of 1) unless compatibility with older versions of OpenSSL is important. The B read routines can be used in all applications because they handle all formats transparently. A frequent cause of problems is attempting to use the PEM routines like this: X509 *x; PEM_read_bio_X509(bp, &x, 0, NULL); this is a bug because an attempt will be made to reuse the data at B which is an uninitialised pointer. =head1 PEM ENCRYPTION FORMAT This old B routines use a non standard technique for encryption. The private key (or other data) takes the following form: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89 ...base64 encoded data... -----END RSA PRIVATE KEY----- The line beginning DEK-Info contains two comma separated pieces of information: the encryption algorithm name as used by EVP_get_cipherbyname() and an 8 byte B encoded as a set of hexadecimal digits. After this is the base64 encoded encrypted data. The encryption key is determined using EVP_bytestokey(), using B and an iteration count of 1. The IV used is the value of B and *not* the IV returned by EVP_bytestokey(). =head1 BUGS The PEM read routines in some versions of OpenSSL will not correctly reuse an existing structure. Therefore the following: - PEM_read_bio(bp, &x, 0, NULL); + PEM_read_bio_X509(bp, &x, 0, NULL); where B already contains a valid certificate, may not work, whereas: X509_free(x); - x = PEM_read_bio(bp, NULL, 0, NULL); + x = PEM_read_bio_X509(bp, NULL, 0, NULL); is guaranteed to work. =head1 RETURN CODES The read routines return either a pointer to the structure read or NULL is an error occurred. The write routines return 1 for success or 0 for failure. diff --git a/crypto/openssl/doc/crypto/ui.pod b/crypto/openssl/doc/crypto/ui.pod index 2b3535a74618..6df68d604a82 100644 --- a/crypto/openssl/doc/crypto/ui.pod +++ b/crypto/openssl/doc/crypto/ui.pod @@ -1,194 +1,194 @@ =pod =head1 NAME UI_new, UI_new_method, UI_free, UI_add_input_string, UI_dup_input_string, UI_add_verify_string, UI_dup_verify_string, UI_add_input_boolean, UI_dup_input_boolean, UI_add_info_string, UI_dup_info_string, -UI_add_error_string, UI_dup_error_string, UI_construct_prompt +UI_add_error_string, UI_dup_error_string, UI_construct_prompt, UI_add_user_data, UI_get0_user_data, UI_get0_result, UI_process, UI_ctrl, UI_set_default_method, UI_get_default_method, UI_get_method, UI_set_method, UI_OpenSSL, ERR_load_UI_strings - New User Interface =head1 SYNOPSIS #include typedef struct ui_st UI; typedef struct ui_method_st UI_METHOD; UI *UI_new(void); UI *UI_new_method(const UI_METHOD *method); void UI_free(UI *ui); int UI_add_input_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize); int UI_dup_input_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize); int UI_add_verify_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize, const char *test_buf); int UI_dup_verify_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize, const char *test_buf); int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc, const char *ok_chars, const char *cancel_chars, int flags, char *result_buf); int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc, const char *ok_chars, const char *cancel_chars, int flags, char *result_buf); int UI_add_info_string(UI *ui, const char *text); int UI_dup_info_string(UI *ui, const char *text); int UI_add_error_string(UI *ui, const char *text); int UI_dup_error_string(UI *ui, const char *text); /* These are the possible flags. They can be or'ed together. */ #define UI_INPUT_FLAG_ECHO 0x01 #define UI_INPUT_FLAG_DEFAULT_PWD 0x02 char *UI_construct_prompt(UI *ui_method, const char *object_desc, const char *object_name); void *UI_add_user_data(UI *ui, void *user_data); void *UI_get0_user_data(UI *ui); const char *UI_get0_result(UI *ui, int i); int UI_process(UI *ui); int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)()); #define UI_CTRL_PRINT_ERRORS 1 #define UI_CTRL_IS_REDOABLE 2 void UI_set_default_method(const UI_METHOD *meth); const UI_METHOD *UI_get_default_method(void); const UI_METHOD *UI_get_method(UI *ui); const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth); UI_METHOD *UI_OpenSSL(void); =head1 DESCRIPTION UI stands for User Interface, and is general purpose set of routines to prompt the user for text-based information. Through user-written methods (see L), prompting can be done in any way imaginable, be it plain text prompting, through dialog boxes or from a cell phone. All the functions work through a context of the type UI. This context contains all the information needed to prompt correctly as well as a reference to a UI_METHOD, which is an ordered vector of functions that carry out the actual prompting. The first thing to do is to create a UI with UI_new() or UI_new_method(), then add information to it with the UI_add or UI_dup functions. Also, user-defined random data can be passed down to the underlying method through calls to UI_add_user_data. The default UI method doesn't care about these data, but other methods might. Finally, use UI_process() to actually perform the prompting and UI_get0_result() to find the result to the prompt. A UI can contain more than one prompt, which are performed in the given sequence. Each prompt gets an index number which is returned by the UI_add and UI_dup functions, and has to be used to get the corresponding result with UI_get0_result(). The functions are as follows: UI_new() creates a new UI using the default UI method. When done with this UI, it should be freed using UI_free(). UI_new_method() creates a new UI using the given UI method. When done with this UI, it should be freed using UI_free(). UI_OpenSSL() returns the built-in UI method (note: not the default one, since the default can be changed. See further on). This method is the most machine/OS dependent part of OpenSSL and normally generates the most problems when porting. UI_free() removes a UI from memory, along with all other pieces of memory that's connected to it, like duplicated input strings, results and others. UI_add_input_string() and UI_add_verify_string() add a prompt to the UI, as well as flags and a result buffer and the desired minimum and maximum sizes of the result. The given information is used to prompt for information, for example a password, and to verify a password (i.e. having the user enter it twice and check that the same string was entered twice). UI_add_verify_string() takes and extra argument that should be a pointer to the result buffer of the input string that it's supposed to verify, or verification will fail. UI_add_input_boolean() adds a prompt to the UI that's supposed to be answered in a boolean way, with a single character for yes and a different character for no. A set of characters that can be used to cancel the prompt is given as well. The prompt itself is really divided in two, one part being the descriptive text (given through the I argument) and one describing the possible answers (given through the I argument). UI_add_info_string() and UI_add_error_string() add strings that are shown at the same time as the prompt for extra information or to show an error string. The difference between the two is only conceptual. With the builtin method, there's no technical difference between them. Other methods may make a difference between them, however. The flags currently supported are UI_INPUT_FLAG_ECHO, which is relevant for UI_add_input_string() and will have the users response be echoed (when prompting for a password, this flag should obviously not be used, and UI_INPUT_FLAG_DEFAULT_PWD, which means that a default password of some sort will be used (completely depending on the application and the UI method). UI_dup_input_string(), UI_dup_verify_string(), UI_dup_input_boolean(), UI_dup_info_string() and UI_dup_error_string() are basically the same as their UI_add counterparts, except that they make their own copies of all strings. UI_construct_prompt() is a helper function that can be used to create a prompt from two pieces of information: an description and a name. The default constructor (if there is none provided by the method used) creates a string "Enter I for I:". With the description "pass phrase" and the file name "foo.key", that becomes "Enter pass phrase for foo.key:". Other methods may create whatever string and may include encodings that will be processed by the other method functions. UI_add_user_data() adds a piece of memory for the method to use at any time. The builtin UI method doesn't care about this info. Note that several calls to this function doesn't add data, it replaces the previous blob with the one given as argument. UI_get0_user_data() retrieves the data that has last been given to the UI with UI_add_user_data(). UI_get0_result() returns a pointer to the result buffer associated with the information indexed by I. UI_process() goes through the information given so far, does all the printing and prompting and returns. UI_ctrl() adds extra control for the application author. For now, it understands two commands: UI_CTRL_PRINT_ERRORS, which makes UI_process() print the OpenSSL error stack as part of processing the UI, and UI_CTRL_IS_REDOABLE, which returns a flag saying if the used UI can be used again or not. UI_set_default_method() changes the default UI method to the one given. UI_get_default_method() returns a pointer to the current default UI method. UI_get_method() returns the UI method associated with a given UI. UI_set_method() changes the UI method associated with a given UI. =head1 SEE ALSO L, L =head1 HISTORY The UI section was first introduced in OpenSSL 0.9.7. =head1 AUTHOR Richard Levitte (richard@levitte.org) for the OpenSSL project (http://www.openssl.org). =cut diff --git a/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod b/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod index 2a987391147c..42fa66b19751 100644 --- a/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod +++ b/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod @@ -1,70 +1,70 @@ =pod =head1 NAME SSL_COMP_add_compression_method - handle SSL/TLS integrated compression methods =head1 SYNOPSIS #include int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm); =head1 DESCRIPTION SSL_COMP_add_compression_method() adds the compression method B with the identifier B to the list of available compression methods. This list is globally maintained for all SSL operations within this application. It cannot be set for specific SSL_CTX or SSL objects. =head1 NOTES The TLS standard (or SSLv3) allows the integration of compression methods into the communication. The TLS RFC does however not specify compression methods or their corresponding identifiers, so there is currently no compatible way to integrate compression with unknown peers. It is therefore currently not recommended to integrate compression into applications. Applications for non-public use may agree on certain compression methods. Using different compression methods with the same identifier will lead to connection failure. An OpenSSL client speaking a protocol that allows compression (SSLv3, TLSv1) will unconditionally send the list of all compression methods enabled with SSL_COMP_add_compression_method() to the server during the handshake. Unlike the mechanisms to set a cipher list, there is no method available to restrict the list of compression method on a per connection basis. An OpenSSL server will match the identifiers listed by a client against its own compression methods and will unconditionally activate compression when a matching identifier is found. There is no way to restrict the list of compression methods supported on a per connection basis. The OpenSSL library has the compression methods B and (when especially enabled during compilation) B available. =head1 WARNINGS Once the identities of the compression methods for the TLS protocol have been standardized, the compression API will most likely be changed. Using it in the current state is not recommended. =head1 RETURN VALUES SSL_COMP_add_compression_method() may return the following values: =over 4 -=item 1 +=item 0 The operation succeeded. -=item 0 +=item 1 The operation failed. Check the error queue to find out the reason. =back =head1 SEE ALSO L =cut diff --git a/crypto/openssl/doc/ssleay.txt b/crypto/openssl/doc/ssleay.txt index c6049d5e53ba..d44d2f04a022 100644 --- a/crypto/openssl/doc/ssleay.txt +++ b/crypto/openssl/doc/ssleay.txt @@ -1,7030 +1,7030 @@ Bundle of old SSLeay documentation files [OBSOLETE!] *** WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! *** OBSOLETE means that nothing in this document should be trusted. This document is provided mostly for historical purposes (it wasn't even up to date at the time SSLeay 0.8.1 was released) and as inspiration. If you copy some snippet of code from this document, please _check_ that it really is correct from all points of view. For example, you can check with the other documents in this directory tree, or by comparing with relevant parts of the include files. People have done the mistake of trusting what's written here. Please don't do that. *** WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! *** ==== readme ======================================================== This is the old 0.6.6 docuementation. Most of the cipher stuff is still relevent but I'm working (very slowly) on new docuemtation. The current version can be found online at http://www.cryptsoft.com/ssleay/doc ==== API.doc ======================================================== SSL - SSLv2/v3/v23 etc. BIO - methods and how they plug together MEM - memory allocation callback CRYPTO - locking for threads EVP - Ciphers/Digests/signatures RSA - methods X509 - certificate retrieval X509 - validation X509 - X509v3 extensions Objects - adding object identifiers ASN.1 - parsing PEM - parsing ==== ssl/readme ===================================================== 22 Jun 1996 This file belongs in ../apps, but I'll leave it here because it deals with SSL :-) It is rather dated but it gives you an idea of how things work. === 17 Jul 1995 I have been changing things quite a bit and have not fully updated this file, so take what you read with a grain of salt eric === The s_client and s_server programs can be used to test SSL capable IP/port addresses and the verification of the X509 certificates in use by these services. I strongly advise having a look at the code to get an idea of how to use the authentication under SSLeay. Any feedback on changes and improvements would be greatly accepted. This file will probably be gibberish unless you have read rfc1421, rfc1422, rfc1423 and rfc1424 which describe PEM authentication. A Brief outline (and examples) how to use them to do so. NOTE: The environment variable SSL_CIPER is used to specify the prefered cipher to use, play around with setting it's value to combinations of RC4-MD5, EXP-RC4-MD5, CBC-DES-MD5, CBC3-DES-MD5, CFB-DES-NULL in a : separated list. This directory contains 3 X509 certificates which can be used by these programs. client.pem: a file containing a certificate and private key to be used by s_client. server.pem :a file containing a certificate and private key to be used by s_server. eay1024.pem:the certificate used to sign client.pem and server.pem. This would be your CA's certificate. There is also a link from the file a8556381.0 to eay1024.PEM. The value a8556381 is returned by 'x509 -hash -noout to exit. Flags are as follows. -host arg : Arg is the host or IP address to connect to. -port arg : Arg is the port to connect to (https is 443). -verify arg : Turn on authentication of the server certificate. : Arg specifies the 'depth', this will covered below. -cert arg : The optional certificate to use. This certificate : will be returned to the server if the server : requests it for client authentication. -key arg : The private key that matches the certificate : specified by the -cert option. If this is not : specified (but -cert is), the -cert file will be : searched for the Private key. Both files are : assumed to be in PEM format. -CApath arg : When to look for certificates when 'verifying' the : certificate from the server. -CAfile arg : A file containing certificates to be used for : 'verifying' the server certificate. -reconnect : Once a connection has been made, drop it and : reconnect with same session-id. This is for testing :-). The '-verify n' parameter specifies not only to verify the servers certificate but to also only take notice of 'n' levels. The best way to explain is to show via examples. Given s_server -cert server.PEM is running. s_client CONNECTED depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA verify error:num=1:unable to get issuer certificate verify return:1 CIPHER is CBC-DES-MD5 What has happened is that the 'SSLeay demo server' certificate's issuer ('CA') could not be found but because verify is not on, we don't care and the connection has been made anyway. It is now 'up' using CBC-DES-MD5 mode. This is an unauthenticate secure channel. You may not be talking to the right person but the data going to them is encrypted. s_client -verify 0 CONNECTED depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA verify error:num=1:unable to get issuer certificate verify return:1 CIPHER is CBC-DES-MD5 We are 'verifying' but only to depth 0, so since the 'SSLeay demo server' certificate passed the date and checksum, we are happy to proceed. s_client -verify 1 CONNECTED depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA verify error:num=1:unable to get issuer certificate verify return:0 ERROR verify error:unable to get issuer certificate In this case we failed to make the connection because we could not authenticate the certificate because we could not find the 'CA' certificate. s_client -verify 1 -CAfile eay1024.PEM CONNECTED depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server verify return:1 depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA verify return:1 CIPHER is CBC-DES-MD5 We loaded the certificates from the file eay1024.PEM. Everything checked out and so we made the connection. s_client -verify 1 -CApath . CONNECTED depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server verify return:1 depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA verify return:1 CIPHER is CBC-DES-MD5 We looked in out local directory for issuer certificates and 'found' a8556381.0 and so everything is ok. It is worth noting that 'CA' is a self certified certificate. If you are passed one of these, it will fail to 'verify' at depth 0 because we need to lookup the certifier of a certificate from some information that we trust and keep locally. SSL_CIPHER=CBC3-DES-MD5:RC4-MD5 export SSL_CIPHER s_client -verify 10 -CApath . -reconnect CONNECTED depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server verify return:1 depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA verify return:1 drop the connection and reconnect with the same session id CIPHER is CBC3-DES-MD5 This has done a full connection and then re-estabished it with the same session id but a new socket. No RSA stuff occures on the second connection. Note that we said we would prefer to use CBC3-DES-MD5 encryption and so, since the server supports it, we are. ===== s_server This program accepts SSL connections on a specified port Once connected, it will estabish an SSL connection and optionaly attempt to authenticate the client. A 2 directional channel will be open. Any text typed will be sent to the other end. Type Q to exit. Flags are as follows. -port arg : Arg is the port to listen on. -verify arg : Turn on authentication of the client if they have a : certificate. Arg specifies the 'depth'. -Verify arg : Turn on authentication of the client. If they don't : have a valid certificate, drop the connection. -cert arg : The certificate to use. This certificate : will be passed to the client. If it is not : specified, it will default to server.PEM -key arg : The private key that matches the certificate : specified by the -cert option. If this is not : specified (but -cert is), the -cert file will be : searched for the Private key. Both files are : assumed to be in PEM format. Default is server.PEM -CApath arg : When to look for certificates when 'verifying' the : certificate from the client. -CAfile arg : A file containing certificates to be used for : 'verifying' the client certificate. For the following 'demo' I will specify the s_server command and the s_client command and then list the output from the s_server. s_server s_client CONNECTED CIPHER is CBC-DES-MD5 Everything up and running s_server -verify 0 s_client CONNECTED CIPHER is CBC-DES-MD5 Ok since no certificate was returned and we don't care. s_server -verify 0 ./s_client -cert client.PEM CONNECTED depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA verify error:num=1:unable to get issuer certificate verify return:1 CIPHER is CBC-DES-MD5 Ok since we were only verifying to level 0 s_server -verify 4 s_client -cert client.PEM CONNECTED depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA verify error:num=1:unable to get issuer certificate verify return:0 ERROR verify error:unable to get issuer certificate Bad because we could not authenticate the returned certificate. s_server -verify 4 -CApath . s_client -cert client.PEM CONNECTED depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client verify return:1 depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA verify return:1 CIPHER is CBC-DES-MD5 Ok because we could authenticate the returned certificate :-). s_server -Verify 0 -CApath . s_client CONNECTED ERROR SSL error:function is:REQUEST_CERTIFICATE :error is :client end did not return a certificate Error because no certificate returned. s_server -Verify 4 -CApath . s_client -cert client.PEM CONNECTED depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client verify return:1 depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA verify return:1 CIPHER is CBC-DES-MD5 Full authentication of the client. So in summary to do full authentication of both ends s_server -Verify 9 -CApath . s_client -cert client.PEM -CApath . -verify 9 From the server side CONNECTED depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo client verify return:1 depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA verify return:1 CIPHER is CBC-DES-MD5 From the client side CONNECTED depth=0 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server verify return:1 depth=1 /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA verify return:1 CIPHER is CBC-DES-MD5 For general probing of the 'internet https' servers for the distribution area, run s_client -host www.netscape.com -port 443 -verify 4 -CApath ../rsa/hash Then enter GET / and you should be talking to the https server on that host. www.rsa.com was refusing to respond to connections on 443 when I was testing. have fun :-). eric ==== a_verify.doc ======================================================== From eay@mincom.com Fri Oct 4 18:29:06 1996 Received: by orb.mincom.oz.au id AA29080 (5.65c/IDA-1.4.4 for eay); Fri, 4 Oct 1996 08:29:07 +1000 Date: Fri, 4 Oct 1996 08:29:06 +1000 (EST) From: Eric Young X-Sender: eay@orb To: wplatzer Cc: Eric Young , SSL Mailing List Subject: Re: Netscape's Public Key In-Reply-To: <19961003134837.NTM0049@iaik.tu-graz.ac.at> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: On Thu, 3 Oct 1996, wplatzer wrote: > I get Public Key from Netscape (Gold 3.0b4), but cannot do anything > with it... It looks like (asn1parse): > > 0:d=0 hl=3 l=180 cons: SEQUENCE > 3:d=1 hl=2 l= 96 cons: SEQUENCE > 5:d=2 hl=2 l= 92 cons: SEQUENCE > 7:d=3 hl=2 l= 13 cons: SEQUENCE > 9:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption > 20:d=4 hl=2 l= 0 prim: NULL > 22:d=3 hl=2 l= 75 prim: BIT STRING > 99:d=2 hl=2 l= 0 prim: IA5STRING : > 101:d=1 hl=2 l= 13 cons: SEQUENCE > 103:d=2 hl=2 l= 9 prim: OBJECT :md5withRSAEncryption > 114:d=2 hl=2 l= 0 prim: NULL > 116:d=1 hl=2 l= 65 prim: BIT STRING > > The first BIT STRING is the public key and the second BIT STRING is > the signature. > But a public key consists of the public exponent and the modulus. Are > both numbers in the first BIT STRING? > Is there a document simply describing this coding stuff (checking > signature, get the public key, etc.)? Minimal in SSLeay. If you want to see what the modulus and exponent are, try asn1parse -offset 25 -length 75 next_bio list. Extra commands are normally implemented as macros calling BIO_ctrl(). - BIO_number_read(BIO *bio) - the number of bytes processed by BIO_read(bio,.). - BIO_number_written(BIO *bio) - the number of bytes written by BIO_write(bio,.). - BIO_reset(BIO *bio) - 'reset' the BIO. - BIO_eof(BIO *bio) - non zero if we are at the current end of input. - BIO_set_close(BIO *bio, int close_flag) - set the close flag. - BIO_get_close(BIO *bio) - return the close flag. BIO_pending(BIO *bio) - return the number of bytes waiting to be read (normally buffered internally). - BIO_flush(BIO *bio) - output any data waiting to be output. - BIO_should_retry(BIO *io) - after a BIO_read/BIO_write operation returns 0 or -1, a call to this function will return non zero if you should retry the call later (this is for non-blocking IO). - BIO_should_read(BIO *io) - we should retry when data can be read. - BIO_should_write(BIO *io) - we should retry when data can be written. - BIO_method_name(BIO *io) - return a string for the method name. - BIO_method_type(BIO *io) - return the unique ID of the BIO method. - BIO_set_callback(BIO *io, long (*callback)(BIO *io, int cmd, char *argp, int argi, long argl, long ret); - sets the debug callback. - BIO_get_callback(BIO *io) - return the assigned function as mentioned above. - BIO_set_callback_arg(BIO *io, char *arg) - assign some data against the BIO. This is normally used by the debug callback but could in reality be used for anything. To get an idea of how all this works, have a look at the code in the default debug callback mentioned above. The callback can modify the return values. Details of the BIO_METHOD structure. typedef struct bio_method_st { int type; char *name; int (*bwrite)(); int (*bread)(); int (*bputs)(); int (*bgets)(); long (*ctrl)(); int (*create)(); int (*destroy)(); } BIO_METHOD; The 'type' is the numeric type of the BIO, these are listed in buffer.h; 'Name' is a textual representation of the BIO 'type'. The 7 function pointers point to the respective function methods, some of which can be NULL if not implemented. The BIO structure typedef struct bio_st { BIO_METHOD *method; long (*callback)(BIO * bio, int mode, char *argp, int argi, long argl, long ret); char *cb_arg; /* first argument for the callback */ int init; int shutdown; int flags; /* extra storage */ int num; char *ptr; struct bio_st *next_bio; /* used by filter BIOs */ int references; unsigned long num_read; unsigned long num_write; } BIO; - 'Method' is the BIO method. - 'callback', when configured, is called before and after each BIO method is called for that particular BIO. This is intended primarily for debugging and of informational feedback. - 'init' is 0 when the BIO can be used for operation. Often, after a BIO is created, a number of operations may need to be performed before it is available for use. An example is for BIO_s_sock(). A socket needs to be assigned to the BIO before it can be used. - 'shutdown', this flag indicates if the underlying comunication primative being used should be closed/freed when the BIO is closed. - 'flags' is used to hold extra state. It is primarily used to hold information about why a non-blocking operation failed and to record startup protocol information for the SSL BIO. - 'num' and 'ptr' are used to hold instance specific state like file descriptors or local data structures. - 'next_bio' is used by filter BIOs to hold the pointer of the next BIO in the chain. written data is sent to this BIO and data read is taken from it. - 'references' is used to indicate the number of pointers to this structure. This needs to be '1' before a call to BIO_free() is made if the BIO_free() function is to actually free() the structure, otherwise the reference count is just decreased. The actual BIO subsystem does not really use this functionality but it is useful when used in more advanced applicaion. - num_read and num_write are the total number of bytes read/written via the 'read()' and 'write()' methods. BIO_ctrl operations. The following is the list of standard commands passed as the second parameter to BIO_ctrl() and should be supported by all BIO as best as possible. Some are optional, some are manditory, in any case, where is makes sense, a filter BIO should pass such requests to underlying BIO's. - BIO_CTRL_RESET - Reset the BIO back to an initial state. - BIO_CTRL_EOF - return 0 if we are not at the end of input, non 0 if we are. - BIO_CTRL_INFO - BIO specific special command, normal information return. - BIO_CTRL_SET - set IO specific parameter. - BIO_CTRL_GET - get IO specific parameter. - BIO_CTRL_GET_CLOSE - Get the close on BIO_free() flag, one of BIO_CLOSE or BIO_NOCLOSE. - BIO_CTRL_SET_CLOSE - Set the close on BIO_free() flag. - BIO_CTRL_PENDING - Return the number of bytes available for instant reading - BIO_CTRL_FLUSH - Output pending data, return number of bytes output. - BIO_CTRL_SHOULD_RETRY - After an IO error (-1 returned) should we 'retry' when IO is possible on the underlying IO object. - BIO_CTRL_RETRY_TYPE - What kind of IO are we waiting on. The following command is a special BIO_s_file() specific option. - BIO_CTRL_SET_FILENAME - specify a file to open for IO. The BIO_CTRL_RETRY_TYPE needs a little more explanation. When performing non-blocking IO, or say reading on a memory BIO, when no data is present (or cannot be written), BIO_read() and/or BIO_write() will return -1. BIO_should_retry(bio) will return true if this is due to an IO condition rather than an actual error. In the case of BIO_s_mem(), a read when there is no data will return -1 and a should retry when there is more 'read' data. The retry type is deduced from 2 macros BIO_should_read(bio) and BIO_should_write(bio). Now while it may appear obvious that a BIO_read() failure should indicate that a retry should be performed when more read data is available, this is often not true when using things like an SSL BIO. During the SSL protocol startup multiple reads and writes are performed, triggered by any SSL_read or SSL_write. So to write code that will transparently handle either a socket or SSL BIO, i=BIO_read(bio,..) if (I == -1) { if (BIO_should_retry(bio)) { if (BIO_should_read(bio)) { /* call us again when BIO can be read */ } if (BIO_should_write(bio)) { /* call us again when BIO can be written */ } } } At this point in time only read and write conditions can be used but in the future I can see the situation for other conditions, specifically with SSL there could be a condition of a X509 certificate lookup taking place and so the non- blocking BIO_read would require a retry when the certificate lookup subsystem has finished it's lookup. This is all makes more sense and is easy to use in a event loop type setup. When using the SSL BIO, either SSL_read() or SSL_write()s can be called during the protocol startup and things will still work correctly. The nice aspect of the use of the BIO_should_retry() macro is that all the errno codes that indicate a non-fatal error are encapsulated in one place. The Windows specific error codes and WSAGetLastError() calls are also hidden from the application. Notes on each BIO method. Normally buffer.h is just required but depending on the BIO_METHOD, ssl.h or evp.h will also be required. BIO_METHOD *BIO_s_mem(void); - BIO_set_mem_buf(BIO *bio, BUF_MEM *bm, int close_flag) - set the underlying BUF_MEM structure for the BIO to use. - BIO_get_mem_ptr(BIO *bio, char **pp) - if pp is not NULL, set it to point to the memory array and return the number of bytes available. A read/write BIO. Any data written is appended to the memory array and any read is read from the front. This BIO can be used for read/write at the same time. BIO_gets() is supported in the fgets() sense. BIO_CTRL_INFO can be used to retrieve pointers to the memory buffer and it's length. BIO_METHOD *BIO_s_file(void); - BIO_set_fp(BIO *bio, FILE *fp, int close_flag) - set 'FILE *' to use. - BIO_get_fp(BIO *bio, FILE **fp) - get the 'FILE *' in use. - BIO_read_filename(BIO *bio, char *name) - read from file. - BIO_write_filename(BIO *bio, char *name) - write to file. - BIO_append_filename(BIO *bio, char *name) - append to file. This BIO sits over the normal system fread()/fgets() type functions. Gets() is supported. This BIO in theory could be used for read and write but it is best to think of each BIO of this type as either a read or a write BIO, not both. BIO_METHOD *BIO_s_socket(void); BIO_METHOD *BIO_s_fd(void); - BIO_sock_should_retry(int i) - the underlying function used to determine if a call should be retried; the argument is the '0' or '-1' returned by the previous BIO operation. - BIO_fd_should_retry(int i) - same as the - BIO_sock_should_retry() except that it is different internally. - BIO_set_fd(BIO *bio, int fd, int close_flag) - set the file descriptor to use - BIO_get_fd(BIO *bio, int *fd) - get the file descriptor. These two methods are very similar. Gets() is not supported, if you want this functionality, put a BIO_f_buffer() onto it. This BIO is bi-directional if the underlying file descriptor is. This is normally the case for sockets but not the case for stdio descriptors. BIO_METHOD *BIO_s_null(void); Read and write as much data as you like, it all disappears into this BIO. BIO_METHOD *BIO_f_buffer(void); - BIO_get_buffer_num_lines(BIO *bio) - return the number of complete lines in the buffer. - BIO_set_buffer_size(BIO *bio, long size) - set the size of the buffers. This type performs input and output buffering. It performs both at the same time. The size of the buffer can be set via the set buffer size option. Data buffered for output is only written when the buffer fills. BIO_METHOD *BIO_f_ssl(void); - BIO_set_ssl(BIO *bio, SSL *ssl, int close_flag) - the SSL structure to use. - BIO_get_ssl(BIO *bio, SSL **ssl) - get the SSL structure in use. The SSL bio is a little different from normal BIOs because the underlying SSL structure is a little different. A SSL structure performs IO via a read and write BIO. These can be different and are normally set via the SSL_set_rbio()/SSL_set_wbio() calls. The SSL_set_fd() calls are just wrappers that create socket BIOs and then call SSL_set_bio() where the read and write BIOs are the same. The BIO_push() operation makes the SSLs IO BIOs the same, so make sure the BIO pushed is capable of two directional traffic. If it is not, you will have to install the BIOs via the more conventional SSL_set_bio() call. BIO_pop() will retrieve the 'SSL read' BIO. BIO_METHOD *BIO_f_md(void); - BIO_set_md(BIO *bio, EVP_MD *md) - set the message digest to use. - BIO_get_md(BIO *bio, EVP_MD **mdp) - return the digest method in use in mdp, return 0 if not set yet. - BIO_reset() reinitializes the digest (EVP_DigestInit()) and passes the reset to the underlying BIOs. All data read or written via BIO_read() or BIO_write() to this BIO will be added to the calculated digest. This implies that this BIO is only one directional. If read and write operations are performed, two separate BIO_f_md() BIOs are reuqired to generate digests on both the input and the output. BIO_gets(BIO *bio, char *md, int size) will place the generated digest into 'md' and return the number of bytes. The EVP_MAX_MD_SIZE should probably be used to size the 'md' array. Reading the digest will also reset it. BIO_METHOD *BIO_f_cipher(void); - BIO_reset() reinitializes the cipher. - BIO_flush() should be called when the last bytes have been output to flush the final block of block ciphers. - BIO_get_cipher_status(BIO *b), when called after the last read from a cipher BIO, returns non-zero if the data decrypted correctly, otherwise, 0. - BIO_set_cipher(BIO *b, EVP_CIPHER *c, unsigned char *key, unsigned char *iv, int encrypt) This function is used to setup a cipher BIO. The length of key and iv are specified by the choice of EVP_CIPHER. Encrypt is 1 to encrypt and 0 to decrypt. BIO_METHOD *BIO_f_base64(void); - BIO_flush() should be called when the last bytes have been output. This BIO base64 encodes when writing and base64 decodes when reading. It will scan the input until a suitable begin line is found. After reading data, BIO_reset() will reset the BIO to start scanning again. Do not mix reading and writing on the same base64 BIO. It is meant as a single stream BIO. Directions type both BIO_s_mem() one/both BIO_s_file() both BIO_s_fd() both BIO_s_socket() both BIO_s_null() both BIO_f_buffer() one BIO_f_md() one BIO_f_cipher() one BIO_f_base64() both BIO_f_ssl() It is easy to mix one and two directional BIOs, all one has to do is to keep two separate BIO pointers for reading and writing and be careful about usage of underlying BIOs. The SSL bio by it's very nature has to be two directional but the BIO_push() command will push the one BIO into the SSL BIO for both reading and writing. The best example program to look at is apps/enc.c and/or perhaps apps/dgst.c. ==== blowfish.doc ======================================================== The Blowfish library. Blowfish is a block cipher that operates on 64bit (8 byte) quantities. It uses variable size key, but 128bit (16 byte) key would normally be considered good. It can be used in all the modes that DES can be used. This library implements the ecb, cbc, cfb64, ofb64 modes. Blowfish is quite a bit faster that DES, and much faster than IDEA or RC2. It is one of the faster block ciphers. For all calls that have an 'input' and 'output' variables, they can be the same. This library requires the inclusion of 'blowfish.h'. All of the encryption functions take what is called an BF_KEY as an argument. An BF_KEY is an expanded form of the Blowfish key. For all modes of the Blowfish algorithm, the BF_KEY used for decryption is the same one that was used for encryption. The define BF_ENCRYPT is passed to specify encryption for the functions that require an encryption/decryption flag. BF_DECRYPT is passed to specify decryption. Please note that any of the encryption modes specified in my DES library could be used with Blowfish. I have only implemented ecb, cbc, cfb64 and ofb64 for the following reasons. - ecb is the basic Blowfish encryption. - cbc is the normal 'chaining' form for block ciphers. - cfb64 can be used to encrypt single characters, therefore input and output do not need to be a multiple of 8. - ofb64 is similar to cfb64 but is more like a stream cipher, not as secure (not cipher feedback) but it does not have an encrypt/decrypt mode. - If you want triple Blowfish, thats 384 bits of key and you must be totally obsessed with security. Still, if you want it, it is simple enough to copy the function from the DES library and change the des_encrypt to BF_encrypt; an exercise left for the paranoid reader :-). The functions are as follows: void BF_set_key( BF_KEY *ks; int len; unsigned char *key; BF_set_key converts an 'len' byte key into a BF_KEY. A 'ks' is an expanded form of the 'key' which is used to perform actual encryption. It can be regenerated from the Blowfish key so it only needs to be kept when encryption or decryption is about to occur. Don't save or pass around BF_KEY's since they are CPU architecture dependent, 'key's are not. Blowfish is an interesting cipher in that it can be used with a variable length key. 'len' is the length of 'key' to be used as the key. A 'len' of 16 is recomended by me, but blowfish can use upto 72 bytes. As a warning, blowfish has a very very slow set_key function, it actually runs BF_encrypt 521 times. void BF_encrypt(unsigned long *data, BF_KEY *key); void BF_decrypt(unsigned long *data, BF_KEY *key); These are the Blowfish encryption function that gets called by just about every other Blowfish routine in the library. You should not use this function except to implement 'modes' of Blowfish. I say this because the functions that call this routine do the conversion from 'char *' to long, and this needs to be done to make sure 'non-aligned' memory access do not occur. Data is a pointer to 2 unsigned long's and key is the BF_KEY to use. void BF_ecb_encrypt( unsigned char *in, unsigned char *out, BF_KEY *key, int encrypt); This is the basic Electronic Code Book form of Blowfish (in DES this mode is called Electronic Code Book so I'm going to use the term for blowfish as well. Input is encrypted into output using the key represented by key. Depending on the encrypt, encryption or decryption occurs. Input is 8 bytes long and output is 8 bytes. void BF_cbc_encrypt( unsigned char *in, unsigned char *out, long length, BF_KEY *ks, unsigned char *ivec, int encrypt); This routine implements Blowfish in Cipher Block Chaining mode. Input, which should be a multiple of 8 bytes is encrypted (or decrypted) to output which will also be a multiple of 8 bytes. The number of bytes is in length (and from what I've said above, should be a multiple of 8). If length is not a multiple of 8, bad things will probably happen. ivec is the initialisation vector. This function updates iv after each call so that it can be passed to the next call to BF_cbc_encrypt(). void BF_cfb64_encrypt( unsigned char *in, unsigned char *out, long length, BF_KEY *schedule, unsigned char *ivec, int *num, int encrypt); This is one of the more useful functions in this Blowfish library, it implements CFB mode of Blowfish with 64bit feedback. This allows you to encrypt an arbitrary number of bytes, you do not require 8 byte padding. Each call to this routine will encrypt the input bytes to output and then update ivec and num. Num contains 'how far' we are though ivec. 'Encrypt' is used to indicate encryption or decryption. CFB64 mode operates by using the cipher to generate a stream of bytes which is used to encrypt the plain text. The cipher text is then encrypted to generate the next 64 bits to be xored (incrementally) with the next 64 bits of plain text. As can be seen from this, to encrypt or decrypt, the same 'cipher stream' needs to be generated but the way the next block of data is gathered for encryption is different for encryption and decryption. void BF_ofb64_encrypt( unsigned char *in, unsigned char *out, long length, BF_KEY *schedule, unsigned char *ivec, int *num); This functions implements OFB mode of Blowfish with 64bit feedback. This allows you to encrypt an arbitrary number of bytes, you do not require 8 byte padding. Each call to this routine will encrypt the input bytes to output and then update ivec and num. Num contains 'how far' we are though ivec. This is in effect a stream cipher, there is no encryption or decryption mode. For reading passwords, I suggest using des_read_pw_string() from my DES library. To generate a password from a text string, I suggest using MD5 (or MD2) to produce a 16 byte message digest that can then be passed directly to BF_set_key(). ===== For more information about the specific Blowfish modes in this library (ecb, cbc, cfb and ofb), read the section entitled 'Modes of DES' from the documentation on my DES library. What is said about DES is directly applicable for Blowfish. ==== bn.doc ======================================================== The Big Number library. #include "bn.h" when using this library. This big number library was written for use in implementing the RSA and DH public key encryption algorithms. As such, features such as negative numbers have not been extensively tested but they should work as expected. This library uses dynamic memory allocation for storing its data structures and so there are no limit on the size of the numbers manipulated by these routines but there is always the requirement to check return codes from functions just in case a memory allocation error has occurred. The basic object in this library is a BIGNUM. It is used to hold a single large integer. This type should be considered opaque and fields should not be modified or accessed directly. typedef struct bignum_st { int top; /* Index of last used d. */ BN_ULONG *d; /* Pointer to an array of 'BITS2' bit chunks. */ int max; /* Size of the d array. */ int neg; } BIGNUM; The big number is stored in a malloced array of BN_ULONG's. A BN_ULONG can be either 16, 32 or 64 bits in size, depending on the 'number of bits' specified in bn.h. The 'd' field is this array. 'max' is the size of the 'd' array that has been allocated. 'top' is the 'last' entry being used, so for a value of 4, bn.d[0]=4 and bn.top=1. 'neg' is 1 if the number is negative. When a BIGNUM is '0', the 'd' field can be NULL and top == 0. Various routines in this library require the use of 'temporary' BIGNUM variables during their execution. Due to the use of dynamic memory allocation to create BIGNUMs being rather expensive when used in conjunction with repeated subroutine calls, the BN_CTX structure is used. This structure contains BN_CTX BIGNUMs. BN_CTX is the maximum number of temporary BIGNUMs any publicly exported function will use. #define BN_CTX 12 typedef struct bignum_ctx { int tos; /* top of stack */ BIGNUM *bn[BN_CTX]; /* The variables */ } BN_CTX; The functions that follow have been grouped according to function. Most arithmetic functions return a result in the first argument, sometimes this first argument can also be an input parameter, sometimes it cannot. These restrictions are documented. extern BIGNUM *BN_value_one; There is one variable defined by this library, a BIGNUM which contains the number 1. This variable is useful for use in comparisons and assignment. Get Size functions. int BN_num_bits(BIGNUM *a); This function returns the size of 'a' in bits. int BN_num_bytes(BIGNUM *a); This function (macro) returns the size of 'a' in bytes. For conversion of BIGNUMs to byte streams, this is the number of bytes the output string will occupy. If the output byte format specifies that the 'top' bit indicates if the number is signed, so an extra '0' byte is required if the top bit on a positive number is being written, it is upto the application to make this adjustment. Like I said at the start, I don't really support negative numbers :-). Creation/Destruction routines. BIGNUM *BN_new(); Return a new BIGNUM object. The number initially has a value of 0. If there is an error, NULL is returned. void BN_free(BIGNUM *a); Free()s a BIGNUM. void BN_clear(BIGNUM *a); Sets 'a' to a value of 0 and also zeros all unused allocated memory. This function is used to clear a variable of 'sensitive' data that was held in it. void BN_clear_free(BIGNUM *a); This function zeros the memory used by 'a' and then free()'s it. This function should be used to BN_free() BIGNUMS that have held sensitive numeric values like RSA private key values. Both this function and BN_clear tend to only be used by RSA and DH routines. BN_CTX *BN_CTX_new(void); Returns a new BN_CTX. NULL on error. void BN_CTX_free(BN_CTX *c); Free a BN_CTX structure. The BIGNUMs in 'c' are BN_clear_free()ed. BIGNUM *bn_expand(BIGNUM *b, int bits); This is an internal function that should not normally be used. It ensures that 'b' has enough room for a 'bits' bit number. It is mostly used by the various BIGNUM routines. If there is an error, NULL is returned. if not, 'b' is returned. BIGNUM *BN_copy(BIGNUM *to, BIGNUM *from); The 'from' is copied into 'to'. NULL is returned if there is an error, otherwise 'to' is returned. BIGNUM *BN_dup(BIGNUM *a); A new BIGNUM is created and returned containing the value of 'a'. NULL is returned on error. Comparison and Test Functions. int BN_is_zero(BIGNUM *a) Return 1 if 'a' is zero, else 0. int BN_is_one(a) Return 1 is 'a' is one, else 0. int BN_is_word(a,w) Return 1 if 'a' == w, else 0. 'w' is a BN_ULONG. int BN_cmp(BIGNUM *a, BIGNUM *b); Return -1 if 'a' is less than 'b', 0 if 'a' and 'b' are the same and 1 is 'a' is greater than 'b'. This is a signed comparison. int BN_ucmp(BIGNUM *a, BIGNUM *b); This function is the same as BN_cmp except that the comparison ignores the sign of the numbers. Arithmetic Functions For all of these functions, 0 is returned if there is an error and 1 is returned for success. The return value should always be checked. eg. if (!BN_add(r,a,b)) goto err; Unless explicitly mentioned, the 'return' value can be one of the 'parameters' to the function. int BN_add(BIGNUM *r, BIGNUM *a, BIGNUM *b); Add 'a' and 'b' and return the result in 'r'. This is r=a+b. int BN_sub(BIGNUM *r, BIGNUM *a, BIGNUM *b); Subtract 'a' from 'b' and put the result in 'r'. This is r=a-b. int BN_lshift(BIGNUM *r, BIGNUM *a, int n); Shift 'a' left by 'n' bits. This is r=a*(2^n). int BN_lshift1(BIGNUM *r, BIGNUM *a); Shift 'a' left by 1 bit. This form is more efficient than BN_lshift(r,a,1). This is r=a*2. int BN_rshift(BIGNUM *r, BIGNUM *a, int n); Shift 'a' right by 'n' bits. This is r=int(a/(2^n)). int BN_rshift1(BIGNUM *r, BIGNUM *a); Shift 'a' right by 1 bit. This form is more efficient than BN_rshift(r,a,1). This is r=int(a/2). int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b); Multiply a by b and return the result in 'r'. 'r' must not be either 'a' or 'b'. It has to be a different BIGNUM. This is r=a*b. int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx); Multiply a by a and return the result in 'r'. 'r' must not be 'a'. This function is alot faster than BN_mul(r,a,a). This is r=a*a. int BN_div(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BIGNUM *d, BN_CTX *ctx); Divide 'm' by 'd' and return the result in 'dv' and the remainder in 'rem'. Either of 'dv' or 'rem' can be NULL in which case that value is not returned. 'ctx' needs to be passed as a source of temporary BIGNUM variables. This is dv=int(m/d), rem=m%d. int BN_mod(BIGNUM *rem, BIGNUM *m, BIGNUM *d, BN_CTX *ctx); Find the remainder of 'm' divided by 'd' and return it in 'rem'. 'ctx' holds the temporary BIGNUMs required by this function. This function is more efficient than BN_div(NULL,rem,m,d,ctx); This is rem=m%d. int BN_mod_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *m,BN_CTX *ctx); Multiply 'a' by 'b' and return the remainder when divided by 'm'. 'ctx' holds the temporary BIGNUMs required by this function. This is r=(a*b)%m. int BN_mod_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,BN_CTX *ctx); Raise 'a' to the 'p' power and return the remainder when divided by 'm'. 'ctx' holds the temporary BIGNUMs required by this function. This is r=(a^p)%m. int BN_reciprocal(BIGNUM *r, BIGNUM *m, BN_CTX *ctx); Return the reciprocal of 'm'. 'ctx' holds the temporary variables required. This function returns -1 on error, otherwise it returns the number of bits 'r' is shifted left to make 'r' into an integer. This number of bits shifted is required in BN_mod_mul_reciprocal(). This is r=(1/m)<<(BN_num_bits(m)+1). int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *x, BIGNUM *y, BIGNUM *m, BIGNUM *i, int nb, BN_CTX *ctx); This function is used to perform an efficient BN_mod_mul() operation. If one is going to repeatedly perform BN_mod_mul() with the same modulus is worth calculating the reciprocal of the modulus and then using this function. This operation uses the fact that a/b == a*r where r is the reciprocal of b. On modern computers multiplication is very fast and big number division is very slow. 'x' is multiplied by 'y' and then divided by 'm' and the remainder is returned. 'i' is the reciprocal of 'm' and 'nb' is the number of bits as returned from BN_reciprocal(). Normal usage is as follows. bn=BN_reciprocal(i,m); for (...) { BN_mod_mul_reciprocal(r,x,y,m,i,bn,ctx); } This is r=(x*y)%m. Internally it is approximately r=(x*y)-m*(x*y/m) or r=(x*y)-m*((x*y*i) >> bn) This function is used in BN_mod_exp() and BN_is_prime(). Assignment Operations int BN_one(BIGNUM *a) Set 'a' to hold the value one. This is a=1. int BN_zero(BIGNUM *a) Set 'a' to hold the value zero. This is a=0. int BN_set_word(BIGNUM *a, unsigned long w); Set 'a' to hold the value of 'w'. 'w' is an unsigned long. This is a=w. unsigned long BN_get_word(BIGNUM *a); Returns 'a' in an unsigned long. Not remarkably, often 'a' will be biger than a word, in which case 0xffffffffL is returned. Word Operations These functions are much more efficient that the normal bignum arithmetic operations. BN_ULONG BN_mod_word(BIGNUM *a, unsigned long w); Return the remainder of 'a' divided by 'w'. This is return(a%w). int BN_add_word(BIGNUM *a, unsigned long w); Add 'w' to 'a'. This function does not take the sign of 'a' into account. This is a+=w; Bit operations. int BN_is_bit_set(BIGNUM *a, int n); This function return 1 if bit 'n' is set in 'a' else 0. int BN_set_bit(BIGNUM *a, int n); This function sets bit 'n' to 1 in 'a'. This is a&= ~(1< 0, the call is aborted and the returned <= 0 value is returned. The second time the callback is called, the 'cmd' value also has BIO_CB_RETURN logically 'or'ed with it. The 'ret' value is the value returned from the actuall function call and whatever the callback returns is returned from the BIO function. BIO_set_callback(b,cb) can be used to set the callback function (b is a BIO), and BIO_set_callback_arg(b,arg) can be used to set the cb_arg argument in the BIO strucutre. This field is only intended to be used by application, primarily in the callback function since it is accessable since the BIO is passed. -------------------------- The PEM library. The pem library only really uses one type of callback, static int def_callback(char *buf, int num, int verify); which is used to return a password string if required. 'buf' is the buffer to put the string in. 'num' is the size of 'buf' and 'verify' is used to indicate that the password should be checked. This last flag is mostly used when reading a password for encryption. For all of these functions, a NULL callback will call the above mentioned default callback. This default function does not work under Windows 3.1. For other machines, it will use an application defined prompt string (EVP_set_pw_prompt(), which defines a library wide prompt string) if defined, otherwise it will use it's own PEM password prompt. It will then call EVP_read_pw_string() to get a password from the console. If your application wishes to use nice fancy windows to retrieve passwords, replace this function. The callback should return the number of bytes read into 'buf'. If the number of bytes <= 0, it is considered an error. Functions that take this callback are listed below. For the 'read' type functions, the callback will only be required if the PEM data is encrypted. For the Write functions, normally a password can be passed in 'kstr', of 'klen' bytes which will be used if the 'enc' cipher is not NULL. If 'kstr' is NULL, the callback will be used to retrieve a password. int PEM_do_header (EVP_CIPHER_INFO *cipher, unsigned char *data,long *len, int (*callback)()); char *PEM_ASN1_read_bio(char *(*d2i)(),char *name,BIO *bp,char **x,int (*cb)()); char *PEM_ASN1_read(char *(*d2i)(),char *name,FILE *fp,char **x,int (*cb)()); int PEM_ASN1_write_bio(int (*i2d)(),char *name,BIO *bp,char *x, EVP_CIPHER *enc,unsigned char *kstr,int klen,int (*callback)()); int PEM_ASN1_write(int (*i2d)(),char *name,FILE *fp,char *x, EVP_CIPHER *enc,unsigned char *kstr,int klen,int (*callback)()); STACK *PEM_X509_INFO_read(FILE *fp, STACK *sk, int (*cb)()); STACK *PEM_X509_INFO_read_bio(BIO *fp, STACK *sk, int (*cb)()); #define PEM_write_RSAPrivateKey(fp,x,enc,kstr,klen,cb) #define PEM_write_DSAPrivateKey(fp,x,enc,kstr,klen,cb) #define PEM_write_bio_RSAPrivateKey(bp,x,enc,kstr,klen,cb) #define PEM_write_bio_DSAPrivateKey(bp,x,enc,kstr,klen,cb) #define PEM_read_SSL_SESSION(fp,x,cb) #define PEM_read_X509(fp,x,cb) #define PEM_read_X509_REQ(fp,x,cb) #define PEM_read_X509_CRL(fp,x,cb) #define PEM_read_RSAPrivateKey(fp,x,cb) #define PEM_read_DSAPrivateKey(fp,x,cb) #define PEM_read_PrivateKey(fp,x,cb) #define PEM_read_PKCS7(fp,x,cb) #define PEM_read_DHparams(fp,x,cb) #define PEM_read_bio_SSL_SESSION(bp,x,cb) #define PEM_read_bio_X509(bp,x,cb) #define PEM_read_bio_X509_REQ(bp,x,cb) #define PEM_read_bio_X509_CRL(bp,x,cb) #define PEM_read_bio_RSAPrivateKey(bp,x,cb) #define PEM_read_bio_DSAPrivateKey(bp,x,cb) #define PEM_read_bio_PrivateKey(bp,x,cb) #define PEM_read_bio_PKCS7(bp,x,cb) #define PEM_read_bio_DHparams(bp,x,cb) int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)()); RSA *d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)()); Now you will notice that macros like #define PEM_write_X509(fp,x) \ PEM_ASN1_write((int (*)())i2d_X509,PEM_STRING_X509,fp, \ (char *)x, NULL,NULL,0,NULL) Don't do encryption normally. If you want to PEM encrypt your X509 structure, either just call PEM_ASN1_write directly or just define you own macro variant. As you can see, this macro just sets all encryption related parameters to NULL. -------------------------- The SSL library. #define SSL_set_info_callback(ssl,cb) #define SSL_CTX_set_info_callback(ctx,cb) void callback(SSL *ssl,int location,int ret) This callback is called each time around the SSL_connect()/SSL_accept() state machine. So it will be called each time the SSL protocol progresses. It is mostly present for use when debugging. When SSL_connect() or SSL_accept() return, the location flag is SSL_CB_ACCEPT_EXIT or SSL_CB_CONNECT_EXIT and 'ret' is the value about to be returned. Have a look at the SSL_CB_* defines in ssl.h. If an info callback is defined against the SSL_CTX, it is called unless there is one set against the SSL. Have a look at void client_info_callback() in apps/s_client() for an example. Certificate verification. void SSL_set_verify(SSL *s, int mode, int (*callback) ()); void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*callback)()); This callback is used to help verify client and server X509 certificates. It is actually passed to X509_cert_verify(), along with the SSL structure so you have to read about X509_cert_verify() :-). The SSL_CTX version is used if the SSL version is not defined. X509_cert_verify() is the function used by the SSL part of the library to verify certificates. This function is nearly always defined by the application. void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(),char *arg); int callback(char *arg,SSL *s,X509 *xs,STACK *cert_chain); This call is used to replace the SSLeay certificate verification code. The 'arg' is kept in the SSL_CTX and is passed to the callback. If the callback returns 0, the certificate is rejected, otherwise it is accepted. The callback is replacing the X509_cert_verify() call. This feature is not often used, but if you wished to implement some totally different certificate authentication system, this 'hook' is vital. SSLeay keeps a cache of session-ids against each SSL_CTX. These callbacks can be used to notify the application when a SSL_SESSION is added to the cache or to retrieve a SSL_SESSION that is not in the cache from the application. #define SSL_CTX_sess_set_get_cb(ctx,cb) SSL_SESSION *callback(SSL *s,char *session_id,int session_id_len,int *copy); If defined, this callback is called to return the SESSION_ID for the session-id in 'session_id', of 'session_id_len' bytes. 'copy' is set to 1 if the server is to 'take a copy' of the SSL_SESSION structure. It is 0 if the SSL_SESSION is being 'passed in' so the SSLeay library is now responsible for 'free()ing' the structure. Basically it is used to indicate if the reference count on the SSL_SESSION structure needs to be incremented. #define SSL_CTX_sess_set_new_cb(ctx,cb) int callback(SSL *s, SSL_SESSION *sess); When a new connection is established, if the SSL_SESSION is going to be added to the cache, this callback is called. Return 1 if a 'copy' is required, otherwise, return 0. This return value just causes the reference count to be incremented (on return of a 1), this means the application does not need to worry about incrementing the refernece count (and the locking that implies in a multi-threaded application). void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx,int (*cb)()); This sets the SSL password reading function. It is mostly used for windowing applications and used by PEM_read_bio_X509() and PEM_read_bio_RSAPrivateKey() calls inside the SSL library. The only reason this is present is because the calls to PEM_* functions is hidden in the SSLeay library so you have to pass in the callback some how. #define SSL_CTX_set_client_cert_cb(ctx,cb) int callback(SSL *s,X509 **x509, EVP_PKEY **pkey); Called when a client certificate is requested but there is not one set against the SSL_CTX or the SSL. If the callback returns 1, x509 and pkey need to point to valid data. The library will free these when required so if the application wants to keep these around, increment their reference counts. If 0 is returned, no client cert is available. If -1 is returned, it is assumed that the callback needs to be called again at a later point in time. SSL_connect will return -1 and SSL_want_x509_lookup(ssl) returns true. Remember that application data can be attached to an SSL structure via the SSL_set_app_data(SSL *ssl,char *data) call. -------------------------- The X509 library. int X509_cert_verify(CERTIFICATE_CTX *ctx,X509 *xs, int (*cb)(), int *error,char *arg,STACK *cert_chain); int verify_callback(int ok,X509 *xs,X509 *xi,int depth,int error,char *arg, STACK *cert_chain); X509_cert_verify() is used to authenticate X509 certificates. The 'ctx' holds the details of the various caches and files used to locate certificates. 'xs' is the certificate to verify and 'cb' is the application callback (more detail later). 'error' will be set to the error code and 'arg' is passed to the 'cb' callback. Look at the VERIFY_* defines in crypto/x509/x509.h When ever X509_cert_verify() makes a 'negative' decision about a certitificate, the callback is called. If everything checks out, the callback is called with 'VERIFY_OK' or 'VERIFY_ROOT_OK' (for a self signed cert that is not the passed certificate). The callback is passed the X509_cert_verify opinion of the certificate in 'ok', the certificate in 'xs', the issuer certificate in 'xi', the 'depth' of the certificate in the verification 'chain', the VERIFY_* code in 'error' and the argument passed to X509_cert_verify() in 'arg'. cert_chain is a list of extra certs to use if they are not in the cache. The callback can be used to look at the error reason, and then return 0 for an 'error' or '1' for ok. This will override the X509_cert_verify() opinion of the certificates validity. Processing will continue depending on the return value. If one just wishes to use the callback for informational reason, just return the 'ok' parameter. -------------------------- The BN and DH library. BIGNUM *BN_generate_prime(int bits,int strong,BIGNUM *add, BIGNUM *rem,void (*callback)(int,int)); int BN_is_prime(BIGNUM *p,int nchecks,void (*callback)(int,int), Read doc/bn.doc for the description of these 2. DH *DH_generate_parameters(int prime_len,int generator, void (*callback)(int,int)); Read doc/bn.doc for the description of the callback, since it is just passed to BN_generate_prime(), except that it is also called as callback(3,0) by this function. -------------------------- The CRYPTO library. void CRYPTO_set_locking_callback(void (*func)(int mode,int type,char *file, int line)); void CRYPTO_set_add_lock_callback(int (*func)(int *num,int mount, int type,char *file, int line)); void CRYPTO_set_id_callback(unsigned long (*func)(void)); Read threads.doc for info on these ones. ==== cipher.doc ======================================================== The Cipher subroutines. These routines require "evp.h" to be included. These functions are a higher level interface to the various cipher routines found in this library. As such, they allow the same code to be used to encrypt and decrypt via different ciphers with only a change in an initial parameter. These routines also provide buffering for block ciphers. These routines all take a pointer to the following structure to specify which cipher to use. If you wish to use a new cipher with these routines, you would probably be best off looking an how an existing cipher is implemented and copying it. At this point in time, I'm not going to go into many details. This structure should be considered opaque typedef struct pem_cipher_st { int type; int block_size; int key_len; int iv_len; void (*enc_init)(); /* init for encryption */ void (*dec_init)(); /* init for decryption */ void (*do_cipher)(); /* encrypt data */ } EVP_CIPHER; The type field is the object NID of the cipher type (read the section on Objects for an explanation of what a NID is). The cipher block_size is how many bytes need to be passed to the cipher at a time. Key_len is the length of the key the cipher requires and iv_len is the length of the initialisation vector required. enc_init is the function called to initialise the ciphers context for encryption and dec_init is the function to initialise for decryption (they need to be different, especially for the IDEA cipher). One reason for specifying the Cipher via a pointer to a structure is that if you only use des-cbc, only the des-cbc routines will be included when you link the program. If you passed an integer that specified which cipher to use, the routine that mapped that integer to a set of cipher functions would cause all the ciphers to be link into the code. This setup also allows new ciphers to be added by the application (with some restrictions). The thirteen ciphers currently defined in this library are EVP_CIPHER *EVP_des_ecb(); /* DES in ecb mode, iv=0, block=8, key= 8 */ EVP_CIPHER *EVP_des_ede(); /* DES in ecb ede mode, iv=0, block=8, key=16 */ EVP_CIPHER *EVP_des_ede3(); /* DES in ecb ede mode, iv=0, block=8, key=24 */ EVP_CIPHER *EVP_des_cfb(); /* DES in cfb mode, iv=8, block=1, key= 8 */ EVP_CIPHER *EVP_des_ede_cfb(); /* DES in ede cfb mode, iv=8, block=1, key=16 */ EVP_CIPHER *EVP_des_ede3_cfb();/* DES in ede cfb mode, iv=8, block=1, key=24 */ EVP_CIPHER *EVP_des_ofb(); /* DES in ofb mode, iv=8, block=1, key= 8 */ EVP_CIPHER *EVP_des_ede_ofb(); /* DES in ede ofb mode, iv=8, block=1, key=16 */ EVP_CIPHER *EVP_des_ede3_ofb();/* DES in ede ofb mode, iv=8, block=1, key=24 */ EVP_CIPHER *EVP_des_cbc(); /* DES in cbc mode, iv=8, block=8, key= 8 */ EVP_CIPHER *EVP_des_ede_cbc(); /* DES in cbc ede mode, iv=8, block=8, key=16 */ EVP_CIPHER *EVP_des_ede3_cbc();/* DES in cbc ede mode, iv=8, block=8, key=24 */ EVP_CIPHER *EVP_desx_cbc(); /* DES in desx cbc mode,iv=8, block=8, key=24 */ EVP_CIPHER *EVP_rc4(); /* RC4, iv=0, block=1, key=16 */ EVP_CIPHER *EVP_idea_ecb(); /* IDEA in ecb mode, iv=0, block=8, key=16 */ EVP_CIPHER *EVP_idea_cfb(); /* IDEA in cfb mode, iv=8, block=1, key=16 */ EVP_CIPHER *EVP_idea_ofb(); /* IDEA in ofb mode, iv=8, block=1, key=16 */ EVP_CIPHER *EVP_idea_cbc(); /* IDEA in cbc mode, iv=8, block=8, key=16 */ EVP_CIPHER *EVP_rc2_ecb(); /* RC2 in ecb mode, iv=0, block=8, key=16 */ EVP_CIPHER *EVP_rc2_cfb(); /* RC2 in cfb mode, iv=8, block=1, key=16 */ EVP_CIPHER *EVP_rc2_ofb(); /* RC2 in ofb mode, iv=8, block=1, key=16 */ EVP_CIPHER *EVP_rc2_cbc(); /* RC2 in cbc mode, iv=8, block=8, key=16 */ EVP_CIPHER *EVP_bf_ecb(); /* Blowfish in ecb mode,iv=0, block=8, key=16 */ EVP_CIPHER *EVP_bf_cfb(); /* Blowfish in cfb mode,iv=8, block=1, key=16 */ EVP_CIPHER *EVP_bf_ofb(); /* Blowfish in ofb mode,iv=8, block=1, key=16 */ EVP_CIPHER *EVP_bf_cbc(); /* Blowfish in cbc mode,iv=8, block=8, key=16 */ The meaning of the compound names is as follows. des The base cipher is DES. idea The base cipher is IDEA rc4 The base cipher is RC4-128 rc2 The base cipher is RC2-128 ecb Electronic Code Book form of the cipher. cbc Cipher Block Chaining form of the cipher. cfb 64 bit Cipher Feedback form of the cipher. ofb 64 bit Output Feedback form of the cipher. ede The cipher is used in Encrypt, Decrypt, Encrypt mode. The first and last keys are the same. ede3 The cipher is used in Encrypt, Decrypt, Encrypt mode. All the Cipher routines take a EVP_CIPHER_CTX pointer as an argument. The state of the cipher is kept in this structure. typedef struct EVP_CIPHER_Ctx_st { EVP_CIPHER *cipher; int encrypt; /* encrypt or decrypt */ int buf_len; /* number we have left */ unsigned char buf[8]; union { .... /* cipher specific stuff */ } c; } EVP_CIPHER_CTX; Cipher is a pointer the the EVP_CIPHER for the current context. The encrypt flag indicates encryption or decryption. buf_len is the number of bytes currently being held in buf. The 'c' union holds the cipher specify context. The following functions are to be used. int EVP_read_pw_string( char *buf, int len, char *prompt, int verify, This function is the same as des_read_pw_string() (des.doc). void EVP_set_pw_prompt(char *prompt); This function sets the 'default' prompt to use to use in EVP_read_pw_string when the prompt parameter is NULL. If the prompt parameter is NULL, this 'default prompt' feature is turned off. Be warned, this is a global variable so weird things will happen if it is used under Win16 and care must be taken with a multi-threaded version of the library. char *EVP_get_pw_prompt(); This returns a pointer to the default prompt string. NULL if it is not set. int EVP_BytesToKey( EVP_CIPHER *type, EVP_MD *md, unsigned char *salt, unsigned char *data, int datal, int count, unsigned char *key, unsigned char *iv); This function is used to generate a key and an initialisation vector for a specified cipher from a key string and a salt. Type specifies the cipher the 'key' is being generated for. Md is the message digest algorithm to use to generate the key and iv. The salt is an optional 8 byte object that is used to help seed the key generator. If the salt value is NULL, it is just not used. Datal is the number of bytes to use from 'data' in the key generation. This function returns the key size for the specified cipher, if data is NULL, this value is returns and no other computation is performed. Count is the number of times to loop around the key generator. I would suggest leaving it's value as 1. Key and iv are the structures to place the returning iv and key in. If they are NULL, no value is generated for that particular value. The algorithm used is as follows /* M[] is an array of message digests * MD() is the message digest function */ M[0]=MD(data . salt); for (i=1; i key=M[0.. 8], iv=M[ 9 .. 16]. For key=16, iv=0 => key=M[0..16]. For key=16, iv=8 => key=M[0..16], iv=M[17 .. 24]. For key=24, iv=8 => key=M[0..24], iv=M[25 .. 32]. This routine will produce DES-CBC keys and iv that are compatible with the PKCS-5 standard when md2 or md5 are used. If md5 is used, the salt is NULL and count is 1, this routine will produce the password to key mapping normally used with RC4. I have attempted to logically extend the PKCS-5 standard to generate keys and iv for ciphers that require more than 16 bytes, if anyone knows what the correct standard is, please inform me. When using sha or sha1, things are a bit different under this scheme, since sha produces a 20 byte digest. So for ciphers requiring 24 bits of data, 20 will come from the first MD and 4 will come from the second. I have considered having a separate function so this 'routine' can be used without the requirement of passing a EVP_CIPHER *, but I have decided to not bother. If you wish to use the function without official EVP_CIPHER structures, just declare a local one and set the key_len and iv_len fields to the length you desire. The following routines perform encryption and decryption 'by parts'. By this I mean that there are groups of 3 routines. An Init function that is used to specify a cipher and initialise data structures. An Update routine that does encryption/decryption, one 'chunk' at a time. And finally a 'Final' function that finishes the encryption/decryption process. All these functions take a EVP_CIPHER pointer to specify which cipher to encrypt/decrypt with. They also take a EVP_CIPHER_CTX object as an argument. This structure is used to hold the state information associated with the operation in progress. void EVP_EncryptInit( EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char *key, unsigned char *iv); This function initialise a EVP_CIPHER_CTX for encryption using the cipher passed in the 'type' field. The cipher is initialised to use 'key' as the key and 'iv' for the initialisation vector (if one is required). If the type, key or iv is NULL, the value currently in the EVP_CIPHER_CTX is reused. So to perform several decrypt using the same cipher, key and iv, initialise with the cipher, key and iv the first time and then for subsequent calls, reuse 'ctx' but pass NULL for type, key and iv. You must make sure to pass a key that is large enough for a particular cipher. I would suggest using the EVP_BytesToKey() function. void EVP_EncryptUpdate( EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, unsigned char *in, int inl); This function takes 'inl' bytes from 'in' and outputs bytes encrypted by the cipher 'ctx' was initialised with into 'out'. The number of bytes written to 'out' is put into outl. If a particular cipher encrypts in blocks, less or more bytes than input may be output. Currently the largest block size used by supported ciphers is 8 bytes, so 'out' should have room for 'inl+7' bytes. Normally EVP_EncryptInit() is called once, followed by lots and lots of calls to EVP_EncryptUpdate, followed by a single EVP_EncryptFinal call. void EVP_EncryptFinal( EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); Because quite a large number of ciphers are block ciphers, there is often an incomplete block to write out at the end of the encryption. EVP_EncryptFinal() performs processing on this last block. The last block in encoded in such a way that it is possible to determine how many bytes in the last block are valid. For 8 byte block size ciphers, if only 5 bytes in the last block are valid, the last three bytes will be filled with the value 3. If only 2 were valid, the other 6 would be filled with sixes. If all 8 bytes are valid, a extra 8 bytes are appended to the cipher stream containing nothing but 8 eights. These last bytes are output into 'out' and the number of bytes written is put into 'outl' These last bytes are output into 'out' and the number of bytes written is put into 'outl'. This form of block cipher finalisation is compatible with PKCS-5. Please remember that even if you are using ciphers like RC4 that has no blocking and so the function will not write anything into 'out', it would still be a good idea to pass a variable for 'out' that can hold 8 bytes just in case the cipher is changed some time in the future. It should also be remembered that the EVP_CIPHER_CTX contains the password and so when one has finished encryption with a particular EVP_CIPHER_CTX, it is good practice to zero the structure (ie. memset(ctx,0,sizeof(EVP_CIPHER_CTX)). void EVP_DecryptInit( EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char *key, unsigned char *iv); This function is basically the same as EVP_EncryptInit() accept that is prepares the EVP_CIPHER_CTX for decryption. void EVP_DecryptUpdate( EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, unsigned char *in, int inl); This function is basically the same as EVP_EncryptUpdate() except that it performs decryption. There is one fundamental difference though. 'out' can not be the same as 'in' for any ciphers with a block size greater than 1 if more than one call to EVP_DecryptUpdate() will be made. This is because this routine can hold a 'partial' block between calls. When a partial block is decrypted (due to more bytes being passed via this function, they will be written to 'out' overwriting the input bytes in 'in' that have not been read yet. From this it should also be noted that 'out' should be at least one 'block size' larger than 'inl'. This problem only occurs on the second and subsequent call to EVP_DecryptUpdate() when using a block cipher. int EVP_DecryptFinal( EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); This function is different to EVP_EncryptFinal in that it 'removes' any padding bytes appended when the data was encrypted. Due to the way in which 1 to 8 bytes may have been appended when encryption using a block cipher, 'out' can end up with 0 to 7 bytes being put into it. When decoding the padding bytes, it is possible to detect an incorrect decryption. If the decryption appears to be wrong, 0 is returned. If everything seems ok, 1 is returned. For ciphers with a block size of 1 (RC4), this function would normally not return any bytes and would always return 1. Just because this function returns 1 does not mean the decryption was correct. It would normally be wrong due to either the wrong key/iv or corruption of the cipher data fed to EVP_DecryptUpdate(). As for EVP_EncryptFinal, it is a good idea to zero the EVP_CIPHER_CTX after use since the structure contains the key used to decrypt the data. The following Cipher routines are convenience routines that call either EVP_EncryptXxx or EVP_DecryptXxx depending on weather the EVP_CIPHER_CTX was setup to encrypt or decrypt. void EVP_CipherInit( EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char *key, unsigned char *iv, int enc); This function take arguments that are the same as EVP_EncryptInit() and EVP_DecryptInit() except for the extra 'enc' flag. If 1, the EVP_CIPHER_CTX is setup for encryption, if 0, decryption. void EVP_CipherUpdate( EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, unsigned char *in, int inl); Again this function calls either EVP_EncryptUpdate() or EVP_DecryptUpdate() depending on state in the 'ctx' structure. As noted for EVP_DecryptUpdate(), when this routine is used for decryption with block ciphers, 'out' should not be the same as 'in'. int EVP_CipherFinal( EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); This routine call EVP_EncryptFinal() or EVP_DecryptFinal() depending on the state information in 'ctx'. 1 is always returned if the mode is encryption, otherwise the return value is the return value of EVP_DecryptFinal(). ==== cipher.m ======================================================== Date: Tue, 15 Oct 1996 08:16:14 +1000 (EST) From: Eric Young X-Sender: eay@orb To: Roland Haring Cc: ssl-users@mincom.com Subject: Re: Symmetric encryption with ssleay In-Reply-To: Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: ssl-lists-owner@mincom.com Precedence: bulk Status: RO X-Status: On Fri, 11 Oct 1996, Roland Haring wrote: > THE_POINT: > Would somebody be so kind to give me the minimum basic > calls I need to do to libcrypto.a to get some text encrypted > and decrypted again? ...hopefully with code included to do > base64 encryption and decryption ... e.g. that sign-it.c code > posted some while ago was a big help :-) (please, do not point > me to apps/enc.c where I suspect my Heissenbug to be hidden :-) Ok, the base64 encoding stuff in 'enc.c' does the wrong thing sometimes when the data is less than a line long (this is for decoding). I'll dig up the exact fix today and post it. I am taking longer on 0.6.5 than I intended so I'll just post this patch. The documentation to read is in doc/cipher.doc, doc/encode.doc (very sparse :-). and perhaps doc/digest.doc, The basic calls to encrypt with say triple DES are Given char key[EVP_MAX_KEY_LENGTH]; char iv[EVP_MAX_IV_LENGTH]; EVP_CIPHER_CTX ctx; unsigned char out[512+8]; int outl; /* optional generation of key/iv data from text password using md5 * via an upward compatable verson of PKCS#5. */ EVP_BytesToKey(EVP_des_ede3_cbc,EVP_md5,NULL,passwd,strlen(passwd), key,iv); /* Initalise the EVP_CIPHER_CTX */ EVP_EncryptInit(ctx,EVP_des_ede3_cbc,key,iv); while (....) { /* This is processing 512 bytes at a time, the bytes are being * copied into 'out', outl bytes are output. 'out' should not be the * same as 'in' for reasons mentioned in the documentation. */ EVP_EncryptUpdate(ctx,out,&outl,in,512); } /* Output the last 'block'. If the cipher is a block cipher, the last * block is encoded in such a way so that a wrong decryption will normally be * detected - again, one of the PKCS standards. */ EVP_EncryptFinal(ctx,out,&outl); To decrypt, use the EVP_DecryptXXXXX functions except that EVP_DecryptFinal() will return 0 if the decryption fails (only detectable on block ciphers). You can also use EVP_CipherInit() EVP_CipherUpdate() EVP_CipherFinal() which does either encryption or decryption depending on an extra parameter to EVP_CipherInit(). To do the base64 encoding, EVP_EncodeInit() EVP_EncodeUpdate() EVP_EncodeFinal() EVP_DecodeInit() EVP_DecodeUpdate() EVP_DecodeFinal() where the encoding is quite simple, but the decoding can be a bit more fun (due to dud input). EVP_DecodeUpdate() returns -1 for an error on an input line, 0 if the 'last line' was just processed, and 1 if more lines should be submitted. EVP_DecodeFinal() returns -1 for an error or 1 if things are ok. So the loop becomes EVP_DecodeInit(....) for (;;) { i=EVP_DecodeUpdate(....); if (i < 0) goto err; /* process the data */ if (i == 0) break; } EVP_DecodeFinal(....); /* process the data */ The problem in 'enc.c' is that I was stuff the processing up after the EVP_DecodeFinal(...) when the for(..) loop was not being run (one line of base64 data) and this was because 'enc.c' tries to scan over a file until it hits the first valid base64 encoded line. hope this helps a bit. eric -- Eric Young | BOOL is tri-state according to Bill Gates. AARNet: eay@mincom.oz.au | RTFM Win32 GetMessage(). ==== conf.doc ======================================================== The CONF library. The CONF library is a simple set of routines that can be used to configure programs. It is a superset of the genenv() function with some extra structure. The library consists of 5 functions. LHASH *CONF_load(LHASH *config,char *file); This function is called to load in a configuration file. Multiple configuration files can be loaded, with each subsequent 'load' overwriting any already defined 'variables'. If there is an error, NULL is returned. If config is NULL, a new LHASH structure is created and returned, otherwise the new data in the 'file' is loaded into the 'config' structure. void CONF_free(LHASH *config); This function free()s the data in config. char *CONF_get_string(LHASH *config,char *section,char *name); This function returns the string found in 'config' that corresponds to the 'section' and 'name' specified. Classes and the naming system used will be discussed later in this document. If the variable is not defined, an NULL is returned. long CONF_get_long(LHASH *config,char *section, char *name); This function is the same as CONF_get_string() except that it converts the string to an long and returns it. If variable is not a number or the variable does not exist, 0 is returned. This is a little problematic but I don't know of a simple way around it. STACK *CONF_get_section(LHASH *config, char *section); This function returns a 'stack' of CONF_VALUE items that are all the items defined in a particular section. DO NOT free() any of the variable returned. They will disappear when CONF_free() is called. The 'lookup' model. The configuration file is divided into 'sections'. Each section is started by a line of the form '[ section ]'. All subsequent variable definitions are of this section. A variable definition is a simple alpha-numeric name followed by an '=' and then the data. A section or variable name can be described by a regular expression of the following form '[A-Za-z0-9_]+'. The value of the variable is the text after the '=' until the end of the line, stripped of leading and trailing white space. At this point I should mention that a '#' is a comment character, \ is the escape character, and all three types of quote can be used to stop any special interpretation of the data. Now when the data is being loaded, variable expansion can occur. This is done by expanding any $NAME sequences into the value represented by the variable NAME. If the variable is not in the current section, the different section can be specified by using the $SECTION::NAME form. The ${NAME} form also works and is very useful for expanding variables inside strings. When a variable is looked up, there are 2 special section. 'default', which is the initial section, and 'ENV' which is the processes environment variables (accessed via getenv()). When a variable is looked up, it is first 'matched' with it's section (if one was specified), if this fails, the 'default' section is matched. If the 'lhash' variable passed was NULL, the environment is searched. Now why do we bother with sections? So we can have multiple programs using the same configuration file, or multiple instances of the same program using different variables. It also provides a nice mechanism to override the processes environment variables (eg ENV::HOME=/tmp). If there is a program specific variable missing, we can have default values. Multiple configuration files can be loaded, with each new value clearing any predefined values. A system config file can provide 'default' values, and application/usr specific files can provide overriding values. Examples # This is a simple example SSLEAY_HOME = /usr/local/ssl ENV::PATH = $SSLEAY_HOME/bin:$PATH # override my path [X509] cert_dir = $SSLEAY_HOME/certs # /usr/local/ssl/certs [SSL] CIPHER = DES-EDE-MD5:RC4-MD5 USER_CERT = $HOME/${USER}di'r 5' # /home/eay/eaydir 5 USER_CERT = $HOME/\${USER}di\'r # /home/eay/${USER}di'r USER_CERT = "$HOME/${US"ER}di\'r # $HOME/${USER}di'r TEST = 1234\ 5678\ 9ab # TEST=123456789ab TTT = 1234\n\n # TTT=1234 ==== des.doc ======================================================== The DES library. Please note that this library was originally written to operate with eBones, a version of Kerberos that had had encryption removed when it left the USA and then put back in. As such there are some routines that I will advise not using but they are still in the library for historical reasons. For all calls that have an 'input' and 'output' variables, they can be the same. This library requires the inclusion of 'des.h'. All of the encryption functions take what is called a des_key_schedule as an argument. A des_key_schedule is an expanded form of the des key. A des_key is 8 bytes of odd parity, the type used to hold the key is a des_cblock. A des_cblock is an array of 8 bytes, often in this library description I will refer to input bytes when the function specifies des_cblock's as input or output, this just means that the variable should be a multiple of 8 bytes. The define DES_ENCRYPT is passed to specify encryption, DES_DECRYPT to specify decryption. The functions and global variable are as follows: int des_check_key; DES keys are supposed to be odd parity. If this variable is set to a non-zero value, des_set_key() will check that the key has odd parity and is not one of the known weak DES keys. By default this variable is turned off; void des_set_odd_parity( des_cblock *key ); This function takes a DES key (8 bytes) and sets the parity to odd. int des_is_weak_key( des_cblock *key ); This function returns a non-zero value if the DES key passed is a weak, DES key. If it is a weak key, don't use it, try a different one. If you are using 'random' keys, the chances of hitting a weak key are 1/2^52 so it is probably not worth checking for them. int des_set_key( des_cblock *key, des_key_schedule schedule); Des_set_key converts an 8 byte DES key into a des_key_schedule. A des_key_schedule is an expanded form of the key which is used to perform actual encryption. It can be regenerated from the DES key so it only needs to be kept when encryption or decryption is about to occur. Don't save or pass around des_key_schedule's since they are CPU architecture dependent, DES keys are not. If des_check_key is non zero, zero is returned if the key has the wrong parity or the key is a weak key, else 1 is returned. int des_key_sched( des_cblock *key, des_key_schedule schedule); An alternative name for des_set_key(). int des_rw_mode; /* defaults to DES_PCBC_MODE */ This flag holds either DES_CBC_MODE or DES_PCBC_MODE (default). This specifies the function to use in the enc_read() and enc_write() functions. void des_encrypt( unsigned long *data, des_key_schedule ks, int enc); This is the DES encryption function that gets called by just about every other DES routine in the library. You should not use this function except to implement 'modes' of DES. I say this because the functions that call this routine do the conversion from 'char *' to long, and this needs to be done to make sure 'non-aligned' memory access do not occur. The characters are loaded 'little endian', have a look at my source code for more details on how I use this function. Data is a pointer to 2 unsigned long's and ks is the des_key_schedule to use. enc, is non zero specifies encryption, zero if decryption. void des_encrypt2( unsigned long *data, des_key_schedule ks, int enc); This functions is the same as des_encrypt() except that the DES initial permutation (IP) and final permutation (FP) have been left out. As for des_encrypt(), you should not use this function. It is used by the routines in my library that implement triple DES. IP() des_encrypt2() des_encrypt2() des_encrypt2() FP() is the same as des_encrypt() des_encrypt() des_encrypt() except faster :-). void des_ecb_encrypt( des_cblock *input, des_cblock *output, des_key_schedule ks, int enc); This is the basic Electronic Code Book form of DES, the most basic form. Input is encrypted into output using the key represented by ks. If enc is non zero (DES_ENCRYPT), encryption occurs, otherwise decryption occurs. Input is 8 bytes long and output is 8 bytes. (the des_cblock structure is 8 chars). void des_ecb3_encrypt( des_cblock *input, des_cblock *output, des_key_schedule ks1, des_key_schedule ks2, des_key_schedule ks3, int enc); This is the 3 key EDE mode of ECB DES. What this means is that the 8 bytes of input is encrypted with ks1, decrypted with ks2 and then encrypted again with ks3, before being put into output; C=E(ks3,D(ks2,E(ks1,M))). There is a macro, des_ecb2_encrypt() that only takes 2 des_key_schedules that implements, C=E(ks1,D(ks2,E(ks1,M))) in that the final encrypt is done with ks1. void des_cbc_encrypt( des_cblock *input, des_cblock *output, long length, des_key_schedule ks, des_cblock *ivec, int enc); This routine implements DES in Cipher Block Chaining mode. Input, which should be a multiple of 8 bytes is encrypted (or decrypted) to output which will also be a multiple of 8 bytes. The number of bytes is in length (and from what I've said above, should be a multiple of 8). If length is not a multiple of 8, I'm not being held responsible :-). ivec is the initialisation vector. This function does not modify this variable. To correctly implement cbc mode, you need to do one of 2 things; copy the last 8 bytes of cipher text for use as the next ivec in your application, or use des_ncbc_encrypt(). Only this routine has this problem with updating the ivec, all other routines that are implementing cbc mode update ivec. void des_ncbc_encrypt( des_cblock *input, des_cblock *output, long length, des_key_schedule sk, des_cblock *ivec, int enc); For historical reasons, des_cbc_encrypt() did not update the ivec with the value requires so that subsequent calls to des_cbc_encrypt() would 'chain'. This was needed so that the same 'length' values would not need to be used when decrypting. des_ncbc_encrypt() does the right thing. It is the same as des_cbc_encrypt accept that ivec is updates with the correct value to pass in subsequent calls to des_ncbc_encrypt(). I advise using des_ncbc_encrypt() instead of des_cbc_encrypt(); void des_xcbc_encrypt( des_cblock *input, des_cblock *output, long length, des_key_schedule sk, des_cblock *ivec, des_cblock *inw, des_cblock *outw, int enc); This is RSA's DESX mode of DES. It uses inw and outw to 'whiten' the encryption. inw and outw are secret (unlike the iv) and are as such, part of the key. So the key is sort of 24 bytes. This is much better than cbc des. void des_3cbc_encrypt( des_cblock *input, des_cblock *output, long length, des_key_schedule sk1, des_key_schedule sk2, des_cblock *ivec1, des_cblock *ivec2, int enc); This function is flawed, do not use it. I have left it in the library because it is used in my des(1) program and will function correctly when used by des(1). If I removed the function, people could end up unable to decrypt files. This routine implements outer triple cbc encryption using 2 ks and 2 ivec's. Use des_ede2_cbc_encrypt() instead. void des_ede3_cbc_encrypt( des_cblock *input, des_cblock *output, long length, des_key_schedule ks1, des_key_schedule ks2, des_key_schedule ks3, des_cblock *ivec, int enc); This function implements outer triple CBC DES encryption with 3 keys. What this means is that each 'DES' operation inside the cbc mode is really an C=E(ks3,D(ks2,E(ks1,M))). Again, this is cbc mode so an ivec is requires. This mode is used by SSL. There is also a des_ede2_cbc_encrypt() that only uses 2 des_key_schedule's, the first being reused for the final encryption. C=E(ks1,D(ks2,E(ks1,M))). This form of triple DES is used by the RSAref library. void des_pcbc_encrypt( des_cblock *input, des_cblock *output, long length, des_key_schedule ks, des_cblock *ivec, int enc); This is Propagating Cipher Block Chaining mode of DES. It is used by Kerberos v4. It's parameters are the same as des_ncbc_encrypt(). void des_cfb_encrypt( unsigned char *in, unsigned char *out, int numbits, long length, des_key_schedule ks, des_cblock *ivec, int enc); Cipher Feedback Back mode of DES. This implementation 'feeds back' in numbit blocks. The input (and output) is in multiples of numbits bits. numbits should to be a multiple of 8 bits. Length is the number of bytes input. If numbits is not a multiple of 8 bits, the extra bits in the bytes will be considered padding. So if numbits is 12, for each 2 input bytes, the 4 high bits of the second byte will be ignored. So to encode 72 bits when using a numbits of 12 take 12 bytes. To encode 72 bits when using numbits of 9 will take 16 bytes. To encode 80 bits when using numbits of 16 will take 10 bytes. etc, etc. This padding will apply to both input and output. void des_cfb64_encrypt( unsigned char *in, unsigned char *out, long length, des_key_schedule ks, des_cblock *ivec, int *num, int enc); This is one of the more useful functions in this DES library, it implements CFB mode of DES with 64bit feedback. Why is this useful you ask? Because this routine will allow you to encrypt an arbitrary number of bytes, no 8 byte padding. Each call to this routine will encrypt the input bytes to output and then update ivec and num. num contains 'how far' we are though ivec. If this does not make much sense, read more about cfb mode of DES :-). void des_ede3_cfb64_encrypt( unsigned char *in, unsigned char *out, long length, des_key_schedule ks1, des_key_schedule ks2, des_key_schedule ks3, des_cblock *ivec, int *num, int enc); Same as des_cfb64_encrypt() accept that the DES operation is triple DES. As usual, there is a macro for des_ede2_cfb64_encrypt() which reuses ks1. void des_ofb_encrypt( unsigned char *in, unsigned char *out, int numbits, long length, des_key_schedule ks, des_cblock *ivec); This is a implementation of Output Feed Back mode of DES. It is the same as des_cfb_encrypt() in that numbits is the size of the units dealt with during input and output (in bits). void des_ofb64_encrypt( unsigned char *in, unsigned char *out, long length, des_key_schedule ks, des_cblock *ivec, int *num); The same as des_cfb64_encrypt() except that it is Output Feed Back mode. void des_ede3_ofb64_encrypt( unsigned char *in, unsigned char *out, long length, des_key_schedule ks1, des_key_schedule ks2, des_key_schedule ks3, des_cblock *ivec, int *num); Same as des_ofb64_encrypt() accept that the DES operation is triple DES. As usual, there is a macro for des_ede2_ofb64_encrypt() which reuses ks1. int des_read_pw_string( char *buf, int length, char *prompt, int verify); This routine is used to get a password from the terminal with echo turned off. Buf is where the string will end up and length is the size of buf. Prompt is a string presented to the 'user' and if verify is set, the key is asked for twice and unless the 2 copies match, an error is returned. A return code of -1 indicates a system error, 1 failure due to use interaction, and 0 is success. unsigned long des_cbc_cksum( des_cblock *input, des_cblock *output, long length, des_key_schedule ks, des_cblock *ivec); This function produces an 8 byte checksum from input that it puts in output and returns the last 4 bytes as a long. The checksum is generated via cbc mode of DES in which only the last 8 byes are kept. I would recommend not using this function but instead using the EVP_Digest routines, or at least using MD5 or SHA. This function is used by Kerberos v4 so that is why it stays in the library. char *des_fcrypt( const char *buf, const char *salt char *ret); This is my fast version of the unix crypt(3) function. This version takes only a small amount of space relative to other fast crypt() implementations. This is different to the normal crypt in that the third parameter is the buffer that the return value is written into. It needs to be at least 14 bytes long. This function is thread safe, unlike the normal crypt. char *crypt( const char *buf, const char *salt); This function calls des_fcrypt() with a static array passed as the third parameter. This emulates the normal non-thread safe semantics of crypt(3). void des_string_to_key( char *str, des_cblock *key); This function takes str and converts it into a DES key. I would recommend using MD5 instead and use the first 8 bytes of output. When I wrote the first version of these routines back in 1990, MD5 did not exist but I feel these routines are still sound. This routines is compatible with the one in MIT's libdes. void des_string_to_2keys( char *str, des_cblock *key1, des_cblock *key2); This function takes str and converts it into 2 DES keys. I would recommend using MD5 and using the 16 bytes as the 2 keys. I have nothing against these 2 'string_to_key' routines, it's just that if you say that your encryption key is generated by using the 16 bytes of an MD5 hash, every-one knows how you generated your keys. int des_read_password( des_cblock *key, char *prompt, int verify); This routine combines des_read_pw_string() with des_string_to_key(). int des_read_2passwords( des_cblock *key1, des_cblock *key2, char *prompt, int verify); This routine combines des_read_pw_string() with des_string_to_2key(). void des_random_seed( des_cblock key); This routine sets a starting point for des_random_key(). void des_random_key( des_cblock ret); This function return a random key. Make sure to 'seed' the random number generator (with des_random_seed()) before using this function. I personally now use a MD5 based random number system. int des_enc_read( int fd, char *buf, int len, des_key_schedule ks, des_cblock *iv); This function will write to a file descriptor the encrypted data from buf. This data will be preceded by a 4 byte 'byte count' and will be padded out to 8 bytes. The encryption is either CBC of PCBC depending on the value of des_rw_mode. If it is DES_PCBC_MODE, pcbc is used, if DES_CBC_MODE, cbc is used. The default is to use DES_PCBC_MODE. int des_enc_write( int fd, char *buf, int len, des_key_schedule ks, des_cblock *iv); This routines read stuff written by des_enc_read() and decrypts it. I have used these routines quite a lot but I don't believe they are suitable for non-blocking io. If you are after a full authentication/encryption over networks, have a look at SSL instead. unsigned long des_quad_cksum( des_cblock *input, des_cblock *output, long length, int out_count, des_cblock *seed); This is a function from Kerberos v4 that is not anything to do with DES but was needed. It is a cksum that is quicker to generate than des_cbc_cksum(); I personally would use MD5 routines now. ===== Modes of DES Quite a bit of the following information has been taken from AS 2805.5.2 Australian Standard Electronic funds transfer - Requirements for interfaces, Part 5.2: Modes of operation for an n-bit block cipher algorithm Appendix A There are several different modes in which DES can be used, they are as follows. Electronic Codebook Mode (ECB) (des_ecb_encrypt()) - 64 bits are enciphered at a time. - The order of the blocks can be rearranged without detection. - The same plaintext block always produces the same ciphertext block (for the same key) making it vulnerable to a 'dictionary attack'. - An error will only affect one ciphertext block. Cipher Block Chaining Mode (CBC) (des_cbc_encrypt()) - a multiple of 64 bits are enciphered at a time. - The CBC mode produces the same ciphertext whenever the same plaintext is encrypted using the same key and starting variable. - The chaining operation makes the ciphertext blocks dependent on the current and all preceding plaintext blocks and therefore blocks can not be rearranged. - The use of different starting variables prevents the same plaintext enciphering to the same ciphertext. - An error will affect the current and the following ciphertext blocks. Cipher Feedback Mode (CFB) (des_cfb_encrypt()) - a number of bits (j) <= 64 are enciphered at a time. - The CFB mode produces the same ciphertext whenever the same plaintext is encrypted using the same key and starting variable. - The chaining operation makes the ciphertext variables dependent on the current and all preceding variables and therefore j-bit variables are chained together and can not be rearranged. - The use of different starting variables prevents the same plaintext enciphering to the same ciphertext. - The strength of the CFB mode depends on the size of k (maximal if j == k). In my implementation this is always the case. - Selection of a small value for j will require more cycles through the encipherment algorithm per unit of plaintext and thus cause greater processing overheads. - Only multiples of j bits can be enciphered. - An error will affect the current and the following ciphertext variables. Output Feedback Mode (OFB) (des_ofb_encrypt()) - a number of bits (j) <= 64 are enciphered at a time. - The OFB mode produces the same ciphertext whenever the same plaintext enciphered using the same key and starting variable. More over, in the OFB mode the same key stream is produced when the same key and start variable are used. Consequently, for security reasons a specific start variable should be used only once for a given key. - The absence of chaining makes the OFB more vulnerable to specific attacks. - The use of different start variables values prevents the same plaintext enciphering to the same ciphertext, by producing different key streams. - Selection of a small value for j will require more cycles through the encipherment algorithm per unit of plaintext and thus cause greater processing overheads. - Only multiples of j bits can be enciphered. - OFB mode of operation does not extend ciphertext errors in the resultant plaintext output. Every bit error in the ciphertext causes only one bit to be in error in the deciphered plaintext. - OFB mode is not self-synchronising. If the two operation of encipherment and decipherment get out of synchronism, the system needs to be re-initialised. - Each re-initialisation should use a value of the start variable different from the start variable values used before with the same key. The reason for this is that an identical bit stream would be produced each time from the same parameters. This would be susceptible to a ' known plaintext' attack. Triple ECB Mode (des_ecb3_encrypt()) - Encrypt with key1, decrypt with key2 and encrypt with key3 again. - As for ECB encryption but increases the key length to 168 bits. There are theoretic attacks that can be used that make the effective key length 112 bits, but this attack also requires 2^56 blocks of memory, not very likely, even for the NSA. - If both keys are the same it is equivalent to encrypting once with just one key. - If the first and last key are the same, the key length is 112 bits. There are attacks that could reduce the key space to 55 bit's but it requires 2^56 blocks of memory. - If all 3 keys are the same, this is effectively the same as normal ecb mode. Triple CBC Mode (des_ede3_cbc_encrypt()) - Encrypt with key1, decrypt with key2 and then encrypt with key3. - As for CBC encryption but increases the key length to 168 bits with the same restrictions as for triple ecb mode. ==== digest.doc ======================================================== The Message Digest subroutines. These routines require "evp.h" to be included. These functions are a higher level interface to the various message digest routines found in this library. As such, they allow the same code to be used to digest via different algorithms with only a change in an initial parameter. They are basically just a front-end to the MD2, MD5, SHA and SHA1 routines. These routines all take a pointer to the following structure to specify which message digest algorithm to use. typedef struct evp_md_st { int type; int pkey_type; int md_size; void (*init)(); void (*update)(); void (*final)(); int required_pkey_type; /*EVP_PKEY_xxx */ int (*sign)(); int (*verify)(); } EVP_MD; If additional message digest algorithms are to be supported, a structure of this type needs to be declared and populated and then the Digest routines can be used with that algorithm. The type field is the object NID of the digest type (read the section on Objects for an explanation). The pkey_type is the Object type to use when the a message digest is generated by there routines and then is to be signed with the pkey algorithm. Md_size is the size of the message digest returned. Init, update and final are the relevant functions to perform the message digest function by parts. One reason for specifying the message digest to use via this mechanism is that if you only use md5, only the md5 routines will be included in you linked program. If you passed an integer that specified which message digest to use, the routine that mapped that integer to a set of message digest functions would cause all the message digests functions to be link into the code. This setup also allows new message digest functions to be added by the application. The six message digests defined in this library are EVP_MD *EVP_md2(void); /* RSA sign/verify */ EVP_MD *EVP_md5(void); /* RSA sign/verify */ EVP_MD *EVP_sha(void); /* RSA sign/verify */ EVP_MD *EVP_sha1(void); /* RSA sign/verify */ EVP_MD *EVP_dss(void); /* DSA sign/verify */ EVP_MD *EVP_dss1(void); /* DSA sign/verify */ All the message digest routines take a EVP_MD_CTX pointer as an argument. The state of the message digest is kept in this structure. typedef struct pem_md_ctx_st { EVP_MD *digest; union { unsigned char base[4]; /* this is used in my library as a * 'pointer' to all union elements * structures. */ MD2_CTX md2; MD5_CTX md5; SHA_CTX sha; } md; } EVP_MD_CTX; The Digest functions are as follows. void EVP_DigestInit( EVP_MD_CTX *ctx, EVP_MD *type); This function is used to initialise the EVP_MD_CTX. The message digest that will associated with 'ctx' is specified by 'type'. void EVP_DigestUpdate( EVP_MD_CTX *ctx, unsigned char *data, unsigned int cnt); This function is used to pass more data to the message digest function. 'cnt' bytes are digested from 'data'. void EVP_DigestFinal( EVP_MD_CTX *ctx, unsigned char *md, unsigned int *len); This function finishes the digestion and puts the message digest into 'md'. The length of the message digest is put into len; EVP_MAX_MD_SIZE is the size of the largest message digest that can be returned from this function. Len can be NULL if the size of the digest is not required. ==== encode.doc ======================================================== void EVP_EncodeInit(EVP_ENCODE_CTX *ctx); void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out, int *outl,unsigned char *in,int inl); void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl); int EVP_EncodeBlock(unsigned char *t, unsigned char *f, int n); void EVP_DecodeInit(EVP_ENCODE_CTX *ctx); int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl, unsigned char *in, int inl); int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl); int EVP_DecodeBlock(unsigned char *t, unsigned char *f, int n); ==== envelope.doc ======================================================== The following routines are use to create 'digital' envelopes. By this I mean that they perform various 'higher' level cryptographic functions. Have a read of 'cipher.doc' and 'digest.doc' since those routines are used by these functions. cipher.doc contains documentation about the cipher part of the envelope library and digest.doc contatins the description of the message digests supported. To 'sign' a document involves generating a message digest and then encrypting the digest with an private key. #define EVP_SignInit(a,b) EVP_DigestInit(a,b) #define EVP_SignUpdate(a,b,c) EVP_DigestUpdate(a,b,c) Due to the fact this operation is basically just an extended message digest, the first 2 functions are macro calls to Digest generating functions. int EVP_SignFinal( EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, EVP_PKEY *pkey); This finalisation function finishes the generation of the message digest and then encrypts the digest (with the correct message digest object identifier) with the EVP_PKEY private key. 'ctx' is the message digest context. 'md' will end up containing the encrypted message digest. This array needs to be EVP_PKEY_size(pkey) bytes long. 's' will actually contain the exact length. 'pkey' of course is the private key. It is one of EVP_PKEY_RSA or EVP_PKEY_DSA type. If there is an error, 0 is returned, otherwise 1. Verify is used to check an signed message digest. #define EVP_VerifyInit(a,b) EVP_DigestInit(a,b) #define EVP_VerifyUpdate(a,b,c) EVP_DigestUpdate(a,b,c) Since the first step is to generate a message digest, the first 2 functions are macros. int EVP_VerifyFinal( EVP_MD_CTX *ctx, unsigned char *md, unsigned int s, EVP_PKEY *pkey); This function finishes the generation of the message digest and then compares it with the supplied encrypted message digest. 'md' contains the 's' bytes of encrypted message digest. 'pkey' is used to public key decrypt the digest. It is then compared with the message digest just generated. If they match, 1 is returned else 0. int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek, int *ekl, unsigned char *iv, EVP_PKEY **pubk, int npubk); Must have at least one public key, error is 0. I should also mention that the buffers pointed to by 'ek' need to be EVP_PKEY_size(pubk[n]) is size. #define EVP_SealUpdate(a,b,c,d,e) EVP_EncryptUpdate(a,b,c,d,e) void EVP_SealFinal(EVP_CIPHER_CTX *ctx,unsigned char *out,int *outl); int EVP_OpenInit(EVP_CIPHER_CTX *ctx,EVP_CIPHER *type,unsigned char *ek, int ekl,unsigned char *iv,EVP_PKEY *priv); 0 on failure #define EVP_OpenUpdate(a,b,c,d,e) EVP_DecryptUpdate(a,b,c,d,e) int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); Decrypt final return code ==== error.doc ======================================================== The error routines. The 'error' system I've implemented is intended to server 2 purpose, to record the reason why a command failed and to record where in the libraries the failure occurred. It is more or less setup to record a 'trace' of which library components were being traversed when the error occurred. When an error is recorded, it is done so a as single unsigned long which is composed of three parts. The top byte is the 'library' number, the middle 12 bytes is the function code, and the bottom 12 bits is the 'reason' code. Each 'library', or should a say, 'section' of the SSLeay library has a different unique 'library' error number. Each function in the library has a number that is unique for that library. Each 'library' also has a number for each 'error reason' that is only unique for that 'library'. Due to the way these error routines record a 'error trace', there is an array per thread that is used to store the error codes. The various functions in this library are used to access and manipulate this array. void ERR_put_error(int lib, int func,int reason); This routine records an error in library 'lib', function 'func' and reason 'reason'. As errors get 'put' into the buffer, they wrap around and overwrite old errors if too many are written. It is assumed that the last errors are the most important. unsigned long ERR_get_error(void ); This function returns the last error added to the error buffer. In effect it is popping the value off the buffer so repeated calls will continue to return values until there are no more errors to return in which case 0 is returned. unsigned long ERR_peek_error(void ); This function returns the value of the last error added to the error buffer but does not 'pop' it from the buffer. void ERR_clear_error(void ); This function clears the error buffer, discarding all unread errors. While the above described error system obviously produces lots of different error number, a method for 'reporting' these errors in a human readable form is required. To achieve this, each library has the option of 'registering' error strings. typedef struct ERR_string_data_st { unsigned long error; char *string; } ERR_STRING_DATA; The 'ERR_STRING_DATA' contains an error code and the corresponding text string. To add new function error strings for a library, the ERR_STRING_DATA needs to be 'registered' with the library. void ERR_load_strings(unsigned long lib,ERR_STRING_DATA *err); This function 'registers' the array of ERR_STRING_DATA pointed to by 'err' as error text strings for the error library 'lib'. void ERR_free_strings(void); This function free()s all the loaded error strings. char *ERR_error_string(unsigned long error,char *buf); This function returns a text string that is a human readable version of the error represented by 'error'. Buff should be at least 120 bytes long and if it is NULL, the return value is a pointer to a static variable that will contain the error string, otherwise 'buf' is returned. If there is not a text string registered for a particular error, a text string containing the error number is returned instead. void ERR_print_errors(BIO *bp); void ERR_print_errors_fp(FILE *fp); This function is a convenience routine that prints the error string for each error until all errors have been accounted for. char *ERR_lib_error_string(unsigned long e); char *ERR_func_error_string(unsigned long e); char *ERR_reason_error_string(unsigned long e); The above three functions return the 3 different components strings for the error 'e'. ERR_error_string() uses these functions. void ERR_load_ERR_strings(void ); This function 'registers' the error strings for the 'ERR' module. void ERR_load_crypto_strings(void ); This function 'register' the error strings for just about every library in the SSLeay package except for the SSL routines. There is no need to ever register any error text strings and you will probably save in program size. If on the other hand you do 'register' all errors, it is quite easy to determine why a particular routine failed. As a final footnote as to why the error system is designed as it is. 1) I did not want a single 'global' error code. 2) I wanted to know which subroutine a failure occurred in. 3) For Windows NT etc, it should be simple to replace the 'key' routines with code to pass error codes back to the application. 4) I wanted the option of meaningful error text strings. Late breaking news - the changes to support threads. Each 'thread' has an 'ERR_STATE' state associated with it. ERR_STATE *ERR_get_state(void ) will return the 'state' for the calling thread/process. ERR_remove_state(unsigned long pid); will 'free()' this state. If pid == 0 the current 'thread/process' will have it's error state removed. If you do not remove the error state of a thread, this could be considered a form of memory leak, so just after 'reaping' a thread that has died, call ERR_remove_state(pid). Have a read of thread.doc for more details for what is required for multi-threading support. All the other error routines will work correctly when using threads. ==== idea.doc ======================================================== The IDEA library. IDEA is a block cipher that operates on 64bit (8 byte) quantities. It uses a 128bit (16 byte) key. It can be used in all the modes that DES can be used. This library implements the ecb, cbc, cfb64 and ofb64 modes. For all calls that have an 'input' and 'output' variables, they can be the same. This library requires the inclusion of 'idea.h'. All of the encryption functions take what is called an IDEA_KEY_SCHEDULE as an argument. An IDEA_KEY_SCHEDULE is an expanded form of the idea key. For all modes of the IDEA algorithm, the IDEA_KEY_SCHEDULE used for decryption is different to the one used for encryption. The define IDEA_ENCRYPT is passed to specify encryption for the functions that require an encryption/decryption flag. IDEA_DECRYPT is passed to specify decryption. For some mode there is no encryption/decryption flag since this is determined by the IDEA_KEY_SCHEDULE. So to encrypt you would do the following idea_set_encrypt_key(key,encrypt_ks); idea_ecb_encrypt(...,encrypt_ks); idea_cbc_encrypt(....,encrypt_ks,...,IDEA_ENCRYPT); To Decrypt idea_set_encrypt_key(key,encrypt_ks); idea_set_decrypt_key(encrypt_ks,decrypt_ks); idea_ecb_encrypt(...,decrypt_ks); idea_cbc_encrypt(....,decrypt_ks,...,IDEA_DECRYPT); Please note that any of the encryption modes specified in my DES library could be used with IDEA. I have only implemented ecb, cbc, cfb64 and ofb64 for the following reasons. - ecb is the basic IDEA encryption. - cbc is the normal 'chaining' form for block ciphers. - cfb64 can be used to encrypt single characters, therefore input and output do not need to be a multiple of 8. - ofb64 is similar to cfb64 but is more like a stream cipher, not as secure (not cipher feedback) but it does not have an encrypt/decrypt mode. - If you want triple IDEA, thats 384 bits of key and you must be totally obsessed with security. Still, if you want it, it is simple enough to copy the function from the DES library and change the des_encrypt to idea_encrypt; an exercise left for the paranoid reader :-). The functions are as follows: void idea_set_encrypt_key( unsigned char *key; IDEA_KEY_SCHEDULE *ks); idea_set_encrypt_key converts a 16 byte IDEA key into an IDEA_KEY_SCHEDULE. The IDEA_KEY_SCHEDULE is an expanded form of the key which can be used to perform IDEA encryption. An IDEA_KEY_SCHEDULE is an expanded form of the key which is used to perform actual encryption. It can be regenerated from the IDEA key so it only needs to be kept when encryption is about to occur. Don't save or pass around IDEA_KEY_SCHEDULE's since they are CPU architecture dependent, IDEA keys are not. void idea_set_decrypt_key( IDEA_KEY_SCHEDULE *encrypt_ks, IDEA_KEY_SCHEDULE *decrypt_ks); This functions converts an encryption IDEA_KEY_SCHEDULE into a decryption IDEA_KEY_SCHEDULE. For all decryption, this conversion of the key must be done. In some modes of IDEA, an encryption/decryption flag is also required, this is because these functions involve block chaining and the way this is done changes depending on which of encryption of decryption is being done. Please note that there is no quick way to generate the decryption key schedule other than generating the encryption key schedule and then converting it. void idea_encrypt( unsigned long *data, IDEA_KEY_SCHEDULE *ks); This is the IDEA encryption function that gets called by just about every other IDEA routine in the library. You should not use this function except to implement 'modes' of IDEA. I say this because the functions that call this routine do the conversion from 'char *' to long, and this needs to be done to make sure 'non-aligned' memory access do not occur. Data is a pointer to 2 unsigned long's and ks is the IDEA_KEY_SCHEDULE to use. Encryption or decryption depends on the IDEA_KEY_SCHEDULE. void idea_ecb_encrypt( unsigned char *input, unsigned char *output, IDEA_KEY_SCHEDULE *ks); This is the basic Electronic Code Book form of IDEA (in DES this mode is called Electronic Code Book so I'm going to use the term for idea as well :-). Input is encrypted into output using the key represented by ks. Depending on the IDEA_KEY_SCHEDULE, encryption or decryption occurs. Input is 8 bytes long and output is 8 bytes. void idea_cbc_encrypt( unsigned char *input, unsigned char *output, long length, IDEA_KEY_SCHEDULE *ks, unsigned char *ivec, int enc); This routine implements IDEA in Cipher Block Chaining mode. Input, which should be a multiple of 8 bytes is encrypted (or decrypted) to output which will also be a multiple of 8 bytes. The number of bytes is in length (and from what I've said above, should be a multiple of 8). If length is not a multiple of 8, bad things will probably happen. ivec is the initialisation vector. This function updates iv after each call so that it can be passed to the next call to idea_cbc_encrypt(). void idea_cfb64_encrypt( unsigned char *in, unsigned char *out, long length, des_key_schedule ks, des_cblock *ivec, int *num, int enc); This is one of the more useful functions in this IDEA library, it implements CFB mode of IDEA with 64bit feedback. This allows you to encrypt an arbitrary number of bytes, you do not require 8 byte padding. Each call to this routine will encrypt the input bytes to output and then update ivec and num. Num contains 'how far' we are though ivec. Enc is used to indicate encryption or decryption. One very important thing to remember is that when decrypting, use the encryption form of the key. CFB64 mode operates by using the cipher to generate a stream of bytes which is used to encrypt the plain text. The cipher text is then encrypted to generate the next 64 bits to be xored (incrementally) with the next 64 bits of plain text. As can be seen from this, to encrypt or decrypt, the same 'cipher stream' needs to be generated but the way the next block of data is gathered for encryption is different for encryption and decryption. What this means is that to encrypt idea_set_encrypt_key(key,ks); idea_cfb64_encrypt(...,ks,..,IDEA_ENCRYPT) do decrypt idea_set_encrypt_key(key,ks) idea_cfb64_encrypt(...,ks,...,IDEA_DECRYPT) Note: The same IDEA_KEY_SCHEDULE but different encryption flags. For idea_cbc or idea_ecb, idea_set_decrypt_key() would need to be used to generate the IDEA_KEY_SCHEDULE for decryption. The reason I'm stressing this point is that I just wasted 3 hours today trying to decrypt using this mode and the decryption form of the key :-(. void idea_ofb64_encrypt( unsigned char *in, unsigned char *out, long length, des_key_schedule ks, des_cblock *ivec, int *num); This functions implements OFB mode of IDEA with 64bit feedback. This allows you to encrypt an arbitrary number of bytes, you do not require 8 byte padding. Each call to this routine will encrypt the input bytes to output and then update ivec and num. Num contains 'how far' we are though ivec. This is in effect a stream cipher, there is no encryption or decryption mode. The same key and iv should be used to encrypt and decrypt. For reading passwords, I suggest using des_read_pw_string() from my DES library. To generate a password from a text string, I suggest using MD5 (or MD2) to produce a 16 byte message digest that can then be passed directly to idea_set_encrypt_key(). ===== For more information about the specific IDEA modes in this library (ecb, cbc, cfb and ofb), read the section entitled 'Modes of DES' from the documentation on my DES library. What is said about DES is directly applicable for IDEA. ==== legal.doc ======================================================== From eay@mincom.com Thu Jun 27 00:25:45 1996 Received: by orb.mincom.oz.au id AA15821 (5.65c/IDA-1.4.4 for eay); Wed, 26 Jun 1996 14:25:45 +1000 Date: Wed, 26 Jun 1996 14:25:45 +1000 (EST) From: Eric Young X-Sender: eay@orb To: Ken Toll Cc: Eric Young , ssl-talk@netscape.com Subject: Re: Unidentified subject! In-Reply-To: <9606261950.ZM28943@ren.digitalage.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Status: O X-Status: This is a little off topic but since SSLeay is a free implementation of the SSLv2 protocol, I feel it is worth responding on the topic of if it is actually legal for Americans to use free cryptographic software. On Wed, 26 Jun 1996, Ken Toll wrote: > Is the U.S the only country that SSLeay cannot be used commercially > (because of RSAref) or is that going to be an issue with every country > that a client/server application (non-web browser/server) is deployed > and sold? >From what I understand, the software patents that apply to algorithms like RSA and DH only apply in the USA. The IDEA algorithm I believe is patened in europe (USA?), but considing how little it is used by other SSL implementations, it quite easily be left out of the SSLeay build (this can be done with a compile flag). Actually if the RSA patent did apply outside the USA, it could be rather interesting since RSA is not alowed to let RSA toolkits outside of the USA [1], and since these are the only forms that they will alow the algorithm to be used in, it would mean that non-one outside of the USA could produce public key software which would be a very strong statment for international patent law to make :-). This logic is a little flawed but it still points out some of the more interesting permutations of USA patent law and ITAR restrictions. Inside the USA there is also the unresolved issue of RC4/RC2 which were made public on sci.crypt in Sep 1994 (RC4) and Feb 1996 (RC2). I have copies of the origional postings if people are interested. RSA I believe claim that they were 'trade-secrets' and that some-one broke an NDA in revealing them. Other claim they reverse engineered the algorithms from compiled binaries. If the algorithms were reverse engineered, I belive RSA had no legal leg to stand on. If an NDA was broken, I don't know. Regardless, RSA, I belive, is willing to go to court over the issue so licencing is probably the best idea, or at least talk to them. If there are people who actually know more about this, pease let me know, I don't want to vilify or spread miss-information if I can help it. If you are not producing a web browser, it is easy to build SSLeay with RC2/RC4 removed. Since RC4 is the defacto standard cipher in all web software (and it is damn fast) it is more or less required for www use. For non www use of SSL, especially for an application where interoperability with other vendors is not critical just leave it out. Removing IDEA, RC2 and RC4 would only leave DES and Triple DES but they should be ok. Considing that Triple DES can encrypt at rates of 410k/sec on a pentium 100, and 940k/sec on a P6/200, this is quite reasonable performance. Single DES clocks in at 1160k/s and 2467k/s respectivly is actually quite fast for those not so paranoid (56 bit key).[1] > Is it possible to get a certificate for commercial use outside of the U.S.? yes. Thawte Consulting issues certificates (they are the people who sell the Sioux httpd server and are based in South Africa) Verisign will issue certificates for Sioux (sold from South Africa), so this proves that they will issue certificate for OS use if they are happy with the quality of the software. (The above mentioned companies just the ones that I know for sure are issuing certificates outside the USA). There is always the point that if you are using SSL for an intra net, SSLeay provides programs that can be used so you can issue your own certificates. They need polishing but at least it is a good starting point. I am not doing anything outside Australian law by implementing these algorithms (to the best of my knowedge). It is another example of how the world legal system does not cope with the internet very well. I may start making shared libraries available (I have now got DLL's for Windows). This will mean that distributions into the usa could be shipped with a version with a reduced cipher set and the versions outside could use the DLL/shared library with all the ciphers (and without RSAref). This could be completly hidden from the application, so this would not even require a re-linking. This is the reverse of what people were talking about doing to get around USA export regulations :-) eric [1]: The RSAref2.0 tookit is available on at least 3 ftp sites in Europe and one in South Africa. [2]: Since I always get questions when I post benchmark numbers :-), DES performace figures are in 1000's of bytes per second in cbc mode using an 8192 byte buffer. The pentium 100 was running Windows NT 3.51 DLLs and the 686/200 was running NextStep. I quote pentium 100 benchmarks because it is basically the 'entry level' computer that most people buy for personal use. Windows 95 is the OS shipping on those boxes, so I'll give NT numbers (the same Win32 runtime environment). The 686 numbers are present as an indication of where we will be in a few years. -- Eric Young | BOOL is tri-state according to Bill Gates. AARNet: eay@mincom.oz.au | RTFM Win32 GetMessage(). ==== lhash.doc ======================================================== The LHASH library. I wrote this library in 1991 and have since forgotten why I called it lhash. It implements a hash table from an article I read at the time from 'Communications of the ACM'. What makes this hash table different is that as the table fills, the hash table is increased (or decreased) in size via realloc(). When a 'resize' is done, instead of all hashes being redistributed over twice as many 'buckets', one bucket is split. So when an 'expand' is done, there is only a minimal cost to redistribute some values. Subsequent inserts will cause more single 'bucket' redistributions but there will never be a sudden large cost due to redistributing all the 'buckets'. The state for a particular hash table is kept in the LHASH structure. The LHASH structure also records statistics about most aspects of accessing the hash table. This is mostly a legacy of my writing this library for the reasons of implementing what looked like a nice algorithm rather than for a particular software product. Internal stuff you probably don't want to know about. The decision to increase or decrease the hash table size is made depending on the 'load' of the hash table. The load is the number of items in the hash table divided by the size of the hash table. The default values are as follows. If (hash->up_load < load) => expand. if (hash->down_load > load) => contract. The 'up_load' has a default value of 1 and 'down_load' has a default value of 2. These numbers can be modified by the application by just playing with the 'up_load' and 'down_load' variables. The 'load' is kept in a form which is multiplied by 256. So hash->up_load=8*256; will cause a load of 8 to be set. If you are interested in performance the field to watch is num_comp_calls. The hash library keeps track of the 'hash' value for each item so when a lookup is done, the 'hashes' are compared, if there is a match, then a full compare is done, and hash->num_comp_calls is incremented. If num_comp_calls is not equal to num_delete plus num_retrieve it means that your hash function is generating hashes that are the same for different values. It is probably worth changing your hash function if this is the case because even if your hash table has 10 items in a 'bucked', it can be searched with 10 'unsigned long' compares and 10 linked list traverses. This will be much less expensive that 10 calls to you compare function. LHASH *lh_new( unsigned long (*hash)(), int (*cmp)()); This function is used to create a new LHASH structure. It is passed function pointers that are used to store and retrieve values passed into the hash table. The 'hash' function is a hashing function that will return a hashed value of it's passed structure. 'cmp' is passed 2 parameters, it returns 0 is they are equal, otherwise, non zero. If there are any problems (usually malloc failures), NULL is returned, otherwise a new LHASH structure is returned. The hash value is normally truncated to a power of 2, so make sure that your hash function returns well mixed low order bits. void lh_free( LHASH *lh); This function free()s a LHASH structure. If there is malloced data in the hash table, it will not be freed. Consider using the lh_doall function to deallocate any remaining entries in the hash table. char *lh_insert( LHASH *lh, char *data); This function inserts the data pointed to by data into the lh hash table. If there is already and entry in the hash table entry, the value being replaced is returned. A NULL is returned if the new entry does not clash with an entry already in the table (the normal case) or on a malloc() failure (perhaps I should change this....). The 'char *data' is exactly what is passed to the hash and comparison functions specified in lh_new(). char *lh_delete( LHASH *lh, char *data); This routine deletes an entry from the hash table. The value being deleted is returned. NULL is returned if there is no such value in the hash table. char *lh_retrieve( LHASH *lh, char *data); If 'data' is in the hash table it is returned, else NULL is returned. The way these routines would normally be uses is that a dummy structure would have key fields populated and then ret=lh_retrieve(hash,&dummy);. Ret would now be a pointer to a fully populated structure. void lh_doall( LHASH *lh, void (*func)(char *a)); This function will, for every entry in the hash table, call function 'func' with the data item as parameters. This function can be quite useful when used as follows. void cleanup(STUFF *a) { STUFF_free(a); } lh_doall(hash,cleanup); lh_free(hash); This can be used to free all the entries, lh_free() then cleans up the 'buckets' that point to nothing. Be careful when doing this. If you delete entries from the hash table, in the call back function, the table may decrease in size, moving item that you are currently on down lower in the hash table. This could cause some entries to be skipped. The best solution to this problem is to set lh->down_load=0 before you start. This will stop the hash table ever being decreased in size. void lh_doall_arg( LHASH *lh; void(*func)(char *a,char *arg)); char *arg; This function is the same as lh_doall except that the function called will be passed 'arg' as the second argument. unsigned long lh_strhash( char *c); This function is a demo string hashing function. Since the LHASH routines would normally be passed structures, this routine would not normally be passed to lh_new(), rather it would be used in the function passed to lh_new(). The next three routines print out various statistics about the state of the passed hash table. These numbers are all kept in the lhash structure. void lh_stats( LHASH *lh, FILE *out); This function prints out statistics on the size of the hash table, how many entries are in it, and the number and result of calls to the routines in this library. void lh_node_stats( LHASH *lh, FILE *out); For each 'bucket' in the hash table, the number of entries is printed. void lh_node_usage_stats( LHASH *lh, FILE *out); This function prints out a short summary of the state of the hash table. It prints what I call the 'load' and the 'actual load'. The load is the average number of data items per 'bucket' in the hash table. The 'actual load' is the average number of items per 'bucket', but only for buckets which contain entries. So the 'actual load' is the average number of searches that will need to find an item in the hash table, while the 'load' is the average number that will be done to record a miss. ==== md2.doc ======================================================== The MD2 library. MD2 is a message digest algorithm that can be used to condense an arbitrary length message down to a 16 byte hash. The functions all need to be passed a MD2_CTX which is used to hold the MD2 context during multiple MD2_Update() function calls. The normal method of use for this library is as follows MD2_Init(...); MD2_Update(...); ... MD2_Update(...); MD2_Final(...); This library requires the inclusion of 'md2.h'. The main negative about MD2 is that it is slow, especially when compared to MD5. The functions are as follows: void MD2_Init( MD2_CTX *c); This function needs to be called to initiate a MD2_CTX structure for use. void MD2_Update( MD2_CTX *c; unsigned char *data; unsigned long len); This updates the message digest context being generated with 'len' bytes from the 'data' pointer. The number of bytes can be any length. void MD2_Final( unsigned char *md; MD2_CTX *c; This function is called when a message digest of the data digested with MD2_Update() is wanted. The message digest is put in the 'md' array and is MD2_DIGEST_LENGTH (16) bytes long. unsigned char *MD2( unsigned long n; unsigned char *d; unsigned char *md; This function performs a MD2_Init(), followed by a MD2_Update() followed by a MD2_Final() (using a local MD2_CTX). The resulting digest is put into 'md' if it is not NULL. Regardless of the value of 'md', the message digest is returned from the function. If 'md' was NULL, the message digest returned is being stored in a static structure. ==== md5.doc ======================================================== The MD5 library. MD5 is a message digest algorithm that can be used to condense an arbitrary length message down to a 16 byte hash. The functions all need to be passed a MD5_CTX which is used to hold the MD5 context during multiple MD5_Update() function calls. This library also contains random number routines that are based on MD5 The normal method of use for this library is as follows MD5_Init(...); MD5_Update(...); ... MD5_Update(...); MD5_Final(...); This library requires the inclusion of 'md5.h'. The functions are as follows: void MD5_Init( MD5_CTX *c); This function needs to be called to initiate a MD5_CTX structure for use. void MD5_Update( MD5_CTX *c; unsigned char *data; unsigned long len); This updates the message digest context being generated with 'len' bytes from the 'data' pointer. The number of bytes can be any length. void MD5_Final( unsigned char *md; MD5_CTX *c; This function is called when a message digest of the data digested with MD5_Update() is wanted. The message digest is put in the 'md' array and is MD5_DIGEST_LENGTH (16) bytes long. unsigned char *MD5( unsigned char *d; unsigned long n; unsigned char *md; This function performs a MD5_Init(), followed by a MD5_Update() followed by a MD5_Final() (using a local MD5_CTX). The resulting digest is put into 'md' if it is not NULL. Regardless of the value of 'md', the message digest is returned from the function. If 'md' was NULL, the message digest returned is being stored in a static structure. ==== memory.doc ======================================================== In the interests of debugging SSLeay, there is an option to compile using some simple memory leak checking. All malloc(), free() and realloc() calls in SSLeay now go via Malloc(), Free() and Realloc() (except those in crypto/lhash). If CRYPTO_MDEBUG is defined, these calls are #defined to CRYPTO_malloc(), CRYPTO_free() and CRYPTO_realloc(). If it is not defined, they are #defined to malloc(), free() and realloc(). the CRYPTO_malloc() routines by default just call the underlying library functons. If CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) is called, memory leak detection is turned on. CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) turns it off. When turned on, each Malloc() or Realloc() call is recored along with the file and line number from where the call was made. (This is done using the lhash library which always uses normal system malloc(3) routines). void CRYPTO_mem_leaks(BIO *b); void CRYPTO_mem_leaks_fp(FILE *fp); These both print out the list of memory that has not been free()ed. This will probably be rather hard to read, but if you look for the 'top level' structure allocation, this will often give an idea as to what is not being free()ed. I don't expect people to use this stuff normally. ==== ca.1 ======================================================== From eay@orb.mincom.oz.au Thu Dec 28 23:56:45 1995 Received: by orb.mincom.oz.au id AA07374 (5.65c/IDA-1.4.4 for eay); Thu, 28 Dec 1995 13:56:45 +1000 Date: Thu, 28 Dec 1995 13:56:45 +1000 (EST) From: Eric Young X-Sender: eay@orb To: sameer Cc: ssleay@mincom.oz.au Subject: Re: 'ca' In-Reply-To: <199512230440.UAA23410@infinity.c2.org> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: On Fri, 22 Dec 1995, sameer wrote: > I could use documentation on 'ca'. Thanks. Very quickly. The ca program uses the ssleay.conf file for most of its configuration ./ca -help -verbose - Talk alot while doing things -config file - A config file. If you don't want to use the default config file -name arg - The particular CA definition to use In the config file, the section to use for parameters. This lets multiple setups to be contained in the one file. By default, the default_ca variable is looked up in the [ ca ] section. So in the shipped ssleay.conf, the CA definition used is CA_default. It could be any other name. -gencrl days - Generate a new CRL, days is when the next CRL is due This will generate a new certificate revocion list. -days arg - number of days to certify the certificate for When certifiying certificates, this is the number of days to use. -md arg - md to use, one of md2, md5, sha or sha1 -policy arg - The CA 'policy' to support I'll describe this later, but there are 2 policies definied in the shipped ssleay.conf -keyfile arg - PEM RSA private key file -key arg - key to decode the RSA private key if it is encrypted since we need to keep the CA's RSA key encrypted -cert - The CA certificate -in file - The input PEM encoded certificate request(s) -out file - Where to put the output file(s) -outdir dir - Where to put output certificates The -out options concatinates all the output certificied certificates to one file, -outdir puts them in a directory, named by serial number. -infiles .... - The last argument, requests to process The certificate requests to process, -in is the same. Just about all the above have default values defined in ssleay.conf. The key variables in ssleay.conf are (for the pariticular '-name' being used, in the default, it is CA_default). dir is where all the CA database stuff is kept. certs is where all the previously issued certificates are kept. The database is a simple text database containing the following tab separated fields. status: a value of 'R' - revoked, 'E' -expired or 'V' valid. issued date: When the certificate was certified. revoked date: When it was revoked, blank if not revoked. serial number: The certificate serial number. certificate: Where the certificate is located. CN: The name of the certificate. The demo file has quite a few made up values it it. The last 2 were added by the ca program and are acurate. The CA program does not update the 'certificate' file correctly right now. The serial field should be unique as should the CN/status combination. The ca program checks these at startup. What still needs to be wrtten is a program to 'regenerate' the data base file from the issued certificate list (and a CRL list). Back to the CA_default variables. Most of the variables are commented. policy is the default policy. Ok for policies, they define the order and which fields must be present in the certificate request and what gets filled in. So a value of countryName = match means that the country name must match the CA certificate. organizationalUnitName = optional The org.Unit,Name does not have to be present and commonName = supplied commonName must be supplied in the certificate request. For the 'policy_match' polocy, the order of the attributes in the generated certiticate would be countryName stateOrProvinceName organizationName organizationalUnitName commonName emailAddress Have a play, it sort of makes sense. If you think about how the persona requests operate, it is similar to the 'policy_match' policy and the 'policy_anything' is similar to what versign is doing. I hope this helps a bit. Some backend scripts are definitly needed to update the database and to make certificate revocion easy. All certificates issued should also be kept forever (or until they expire?) hope this helps eric (who has to run off an buy some cheap knee pads for the caving in 4 days time :-) -- Eric Young | Signature removed since it was generating AARNet: eay@mincom.oz.au | more followups than the message contents :-) ==== ms3-ca.doc ======================================================== Date: Mon, 9 Jun 97 08:00:33 +0200 From: Holger.Reif@PrakInf.TU-Ilmenau.DE (Holger Reif) Subject: ms3-ca.doc Organization: TU Ilmenau, Fak. IA, FG Telematik Content-Length: 14575 Status: RO X-Status: Loading client certs into MSIE 3.01 =================================== This document conatains all the information necessary to succesfully set up some scripts to issue client certs to Microsoft Internet Explorer. It includes the required knowledge about the model MSIE uses for client certification and includes complete sample scripts ready to play with. The scripts were tested against a modified ca program of SSLeay 0.6.6 and should work with the regular ca program that comes with version 0.8.0. I haven't tested against MSIE 4.0 You can use the information contained in this document in either way you want. However if you feel it saved you a lot of time I ask you to be as fair as to mention my name: Holger Reif . 1.) The model used by MSIE -------------------------- The Internet Explorer doesn't come with a embedded engine for installing client certs like Netscape's Navigator. It rather uses the CryptoAPI (CAPI) defined by Microsoft. CAPI comes with WindowsNT 4.0 or is installed together with Internet Explorer since 3.01. The advantage of this approach is a higher flexibility because the certificates in the (per user) system open certificate store may be used by other applications as well. The drawback however is that you need to do a bit more work to get a client cert issued. CAPI defines functions which will handle basic cryptographic work, eg. generating keys, encrypting some data, signing text or building a certificate request. The procedure is as follows: A CAPI function generates you a key pair and saves it into the certificate store. After that one builds a Distinguished Name. Together with that key pair another CAPI function forms a PKCS#10 request which you somehow need to submit to a CA. Finally the issued cert is given to a yet another CAPI function which saves it into the certificate store. The certificate store with the user's keys and certs is in the registry. You will find it under HKEY_CURRENT_USER/Software/Microsoft/Cryptography/ (I leave it to you as a little exercise to figure out what all the entries mean ;-). Note that the keys are protected only with the user's usual Windows login password. 2.) The practical usage ----------------------- Unfortunatly since CAPI is a system API you can't access its functions from HTML code directly. For this purpose Microsoft provides a wrapper called certenr3.dll. This DLL accesses the CAPI functions and provides an interface usable from Visual Basic Script. One needs to install that library on the computer which wants to have client cert. The easiest way is to load it as an ActiveX control (certenr3.dll is properly authenticode signed by MS ;-). If you have ever enrolled e cert request at a CA you will have installed it. At time of writing certenr3.dll is contained in http://www.microsoft.com/workshop/prog/security/csa/certenr3.exe. It comes with an README file which explains the available functions. It is labeled beta but every CA seems to use it anyway. The license.txt allows you the usage for your own purposes (as far as I understood) and a somehow limited distribution. The two functions of main interest are GenerateKeyPair and AcceptCredentials. For complete explanation of all possible parameters see the README file. Here are only minimal required parameters and their values. GenerateKeyPair(sessionID, FASLE, szName, 0, "ClientAuth", TRUE, FALSE, 1) - sessionID is a (locally to that computer) unique string to correlate the generated key pair with a cert installed later. - szName is the DN of the form "C=DE; S=Thueringen; L=Ilmenau; CN=Holger Reif; 1.2.840.113549.1.9.1=reif@prakinf.tu-ilmenau.de". Note that S is the abreviation for StateOrProvince. The recognized abreviation include CN, O, C, OU, G, I, L, S, T. If the abreviation is unknown (eg. for PKCS#9 email addr) you need to use the full object identifier. The starting point for searching them could be crypto/objects.h since all OIDs know to SSLeay are listed there. - note: the possible ninth parameter which should give a default name to the certificate storage location doesn't seem to work. Changes to the constant values in the call above doesn't seem to make sense. You can't generate PKCS#10 extensions with that function. The result of GenerateKeyPair is the base64 encoded PKCS#10 request. However it has a little strange format that SSLeay doesn't accept. (BTW I feel the decision of rejecting that format as standard conforming.) It looks like follows: 1st line with 76 chars 2nd line with 76 chars ... (n-2)th line with 76 chars (n-1)th line contains a multiple of 4 chars less then 76 (possible empty) (n)th line has zero or 4 chars (then with 1 or 2 equal signs - the original text's lenght wasn'T a multiple of 3) The line separator has two chars: 0x0d 0x0a AcceptCredentials(sessionID, credentials, 0, FALSE) - sessionID needs to be the same as while generating the key pair - credentials is the base64 encoded PKCS#7 object containing the cert. CRL's and CA certs are not required simply just the client cert. (It seems to me that both are not even checked somehow.) The only format of the base64 encoded object I succesfully used was all characters in a very long string without line feeds or carriage returns. (Hey, it doesn't matter, only a computer reads it!) The result should be S_OK. For error handling see the example that comes with certenr3.dll. A note about ASN.1 character encodings. certenr3.dll seems to know only about 2 of them: UniversalString and PrintableString. First it is definitely wrong for an email address which is IA5STRING (checked by ssleay's ca). Second unfortunately MSIE (at least until version 3.02) can't handle UniversalString correctly - they just blow up you cert store! Therefore ssleay's ca (starting from version 0.8.0) tries to convert the encodings automatically to IA5STRING or TeletexString. The beef is it will work only for the latin-1 (western) charset. Microsoft still has to do abit of homework... 3.) An example -------------- At least you need two steps: generating the key & request and then installing the certificate. A real world CA would have some more steps involved, eg. accepting some license. Note that both scripts shown below are just experimental state without any warrenty! First how to generate a request. Note that we can't use a static page because of the sessionID. I generate it from system time plus pid and hope it is unique enough. Your are free to feed it through md5 to get more impressive ID's ;-) Then the intended text is read in with sed which inserts the sessionID. -----BEGIN ms-enroll.cgi----- #!/bin/sh SESSION_ID=`date '+%y%m%d%H%M%S'`$$ echo Content-type: text/html echo sed s/template_for_sessId/$SESSION_ID/ < Certificate Enrollment Test Page

enrollment for a personal cert



Country
State
Location
Organization
Organizational Unit
Name
eMail Address


EOF -----END ms-enroll.cgi----- Second, how to extract the request and feed the certificate back? We need to "normalize" the base64 encoding of the PKCS#10 format which means regenerating the lines and wrapping with BEGIN and END line. This is done by gawk. The request is taken by ca the normal way. Then the cert needs to be packed into a PKCS#7 structure (note: the use of a CRL is necessary for crl2pkcs7 as of version 0.6.6. Starting with 0.8.0 it it might probably be ommited). Finally we need to format the PKCS#7 object and generate the HTML text. I use two templates to have a clearer script. 1st note: postit2 is slightly modified from a program I found at ncsa's ftp site. Grab it from http://www.easterngraphics.com/certs/IX9704/postit2.c. You need utils.c from there too. 2nd note: I'm note quite sure wether the gawk script really handles all possible inputs for the request right! Today I don't use this construction anymore myself. 3d note: the cert must be of version 3! This could be done with the nsComment line in ssleay.cnf... ------BEGIN ms-gencert.cgi----- #!/bin/sh FILE="/tmp/"`date '+%y%m%d%H%M%S'-`$$ rm -f "$FILE".* HOME=`pwd`; export HOME # as ssleay.cnf insists on having such an env var cd /usr/local/ssl #where demoCA (as named in ssleay.conf) is located postit2 -s " " -i 0x0d > "$FILE".inp # process the FORM vars SESSION_ID=`gawk '$1 == "SessionId" { print $2; exit }' "$FILE".inp` gawk \ 'BEGIN { \ OFS = ""; \ print "-----BEGIN CERTIFICATE REQUEST-----"; \ req_seen=0 \ } \ $1 == "Request" { \ req_seen=1; \ if (length($2) == 72) print($2); \ lastline=$2; \ next; \ } \ { \ if (req_seen == 1) { \ if (length($1) >= 72) print($1); \ else if (length(lastline) < 72) { \ req_seen=0; \ print (lastline,$1); \ } \ lastline=$1; \ } \ } \ END { \ print "-----END CERTIFICATE REQUEST-----"; \ }' > "$FILE".pem < "$FILE".inp ssleay ca -batch -in "$FILE".pem -key passwd -out "$FILE".out ssleay crl2pkcs7 -certfile "$FILE".out -out "$FILE".pkcs7 -in demoCA/crl.pem sed s/template_for_sessId/$SESSION_ID/ "$FILE".cert /usr/local/bin/gawk \ 'BEGIN { \ OFS = ""; \ dq = sprintf("%c",34); \ } \ $0 ~ "PKCS7" { next; } \ { \ print dq$0dq" & _"; \ }' <"$FILE".pkcs7 >> "$FILE".cert cat ms-enroll2b.html >>"$FILE".cert echo Content-type: text/html echo Content-length: `wc -c "$FILE".cert` echo cat "$FILE".cert rm -f "$FILE".* -----END ms-gencert.cgi----- ----BEGIN ms-enroll2a.html---- Certificate Acceptance Test Page

Your personal certificate



Press the button!



----END ms-enroll2b.html---- 4.) What do do with the cert? ----------------------------- The cert is visible (without restarting MSIE) under the following menu: View->Options->Security->Personal certs. You can examine it's contents at least partially. To use it for client authentication you need to use SSL3.0 (fortunately SSLeay supports it with 0.8.0). Furthermore MSIE is told to only supports a kind of automatic selection of certs (I personally wasn't able to test it myself). But there is a requirement that the issuer of the server cert and the issuer of the client cert needs to be the same (according to a developer from MS). Which means: you need may more then one cert to talk to all servers... I'm sure we will get a bit more experience after ApacheSSL is available for SSLeay 0.8.8. I hope you enjoyed reading and that in future questions on this topic will rarely appear on ssl-users@moncom.com ;-) Ilmenau, 9th of June 1997 Holger Reif -- read you later - Holger Reif ---------------------------------------- Signaturprojekt Deutsche Einheit TU Ilmenau - Informatik - Telematik (Verdamp lang her) Holger.Reif@PrakInf.TU-Ilmenau.DE Alt wie ein Baum werden, um ueber http://Remus.PrakInf.TU-Ilmenau.DE/Reif/ alle 7 Bruecken gehen zu koennen ==== ns-ca.doc ======================================================== The following documentation was supplied by Jeff Barber, who provided the patch to the CA program to add this functionality. eric -- Jeff Barber Email: jeffb@issl.atl.hp.com Hewlett Packard Phone: (404) 648-9503 Internet and System Security Lab Fax: (404) 648-9516 oo ---------------------cut /\ here for ns-ca.doc ------------------------------ This document briefly describes how to use SSLeay to implement a certificate authority capable of dynamically serving up client certificates for version 3.0 beta 5 (and presumably later) versions of the Netscape Navigator. Before describing how this is done, it's important to understand a little about how the browser implements its client certificate support. This is documented in some detail in the URLs based at . Here's a brief overview: - The Navigator supports a new HTML tag "KEYGEN" which will cause the browser to generate an RSA key pair when you submit a form containing the tag. The public key, along with an optional challenge (supposedly provided for use in certificate revocation but I don't use it) is signed, DER-encoded, base-64 encoded and sent to the web server as the value of the variable whose NAME is provided in the KEYGEN tag. The private key is stored by the browser in a local key database. This "Signed Public Key And Challenge" (SPKAC) arrives formatted into 64 character lines (which are of course URL-encoded when sent via HTTP -- i.e. spaces, newlines and most punctuatation are encoded as "%HH" where HH is the hex equivalent of the ASCII code). Note that the SPKAC does not contain the other usual attributes of a certificate request, especially the subject name fields. These must be otherwise encoded in the form for submission along with the SPKAC. - Either immediately (in response to this form submission), or at some later date (a real CA will probably verify your identity in some way before issuing the certificate), a web server can send a certificate based on the public key and other attributes back to the browser by encoding it in DER (the binary form) and sending it to the browser as MIME type: "Content-type: application/x-x509-user-cert" The browser uses the public key encoded in the certificate to associate the certificate with the appropriate private key in its local key database. Now, the certificate is "installed". - When a server wants to require authentication based on client certificates, it uses the right signals via the SSL protocol to trigger the Navigator to ask you which certificate you want to send. Whether the certificate is accepted is dependent on CA certificates and so forth installed in the server and is beyond the scope of this document. Now, here's how the SSLeay package can be used to provide client certficates: - You prepare a file for input to the SSLeay ca application. The file contains a number of "name = value" pairs that identify the subject. The names here are the same subject name component identifiers used in the CA section of the lib/ssleay.conf file, such as "emailAddress", "commonName" "organizationName" and so forth. Both the long version and the short version (e.g. "Email", "CN", "O") can be used. One more name is supported: this one is "SPKAC". Its value is simply the value of the base-64 encoded SPKAC sent by the browser (with all the newlines and other space charaters removed -- and newline escapes are NOT supported). [ As of SSLeay 0.6.4, multiple lines are supported. Put a \ at the end of each line and it will be joined with the previous line with the '\n' removed - eay ] Here's a sample input file: C = US SP = Georgia O = Some Organization, Inc. OU = Netscape Compatibility Group CN = John X. Doe Email = jxdoe@someorg.com SPKAC = MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAwmk6FMJ4uAVIYbcvIOx5+bDGTfvL8X5gE+R67ccMk6rCSGbVQz2cetyQtnI+VIs0NwdD6wjuSuVtVFbLoHonowIDAQABFgAwDQYJKoZIhvcNAQEEBQADQQBFZDUWFl6BJdomtN1Bi53mwijy1rRgJ4YirF15yBEDM3DjAQkKXHYOIX+qpz4KXKnl6EYxTnGSFL5wWt8X2iyx - You execute the ca command (either from a CGI program run out of the web server, or as a later manual task) giving it the above file as input. For example, if the file were named /tmp/cert.req, you'd run: $SSLDIR/bin/ca -spkac /tmp/cert.req -out /tmp/cert The output is in DER format (binary) if a -out argument is provided, as above; otherwise, it's in the PEM format (base-64 encoded DER). Also, the "-batch" switch is implied by the "-spkac" so you don't get asked whether to complete the signing (probably it shouldn't work this way but I was only interested in hacking together an online CA that could be used for issuing test certificates). The "-spkac" capability doesn't support multiple files (I think). Any CHALLENGE provided in the SPKAC is simply ignored. The interactions between the identification fields you provide and those identified in your lib/ssleay.conf are the same as if you did an ordinary "ca -in infile -out outfile" -- that is, if something is marked as required in the ssleay.conf file and it isn't found in the -spkac file, the certificate won't be issued. - Now, you pick up the output from /tmp/cert and pass it back to the Navigator prepending the Content-type string described earlier. - In order to run the ca command out of a CGI program, you must provide a password to decrypt the CA's private key. You can do this by using "echo MyKeyPassword | $SSLDIR/bin/ca ..." I think there's a way to not encrypt the key file in the first place, but I didn't see how to do that, so I made a small change to the library that allows the password to be accepted from a pipe. Either way is UTTERLY INSECURE and a real CA would never do that. [ You can use the 'ssleay rsa' command to remove the password from the private key, or you can use the '-key' option to the ca command to specify the decryption key on the command line or use the -nodes option when generating the key. ca will try to clear the command line version of the password but for quite a few operating systems, this is not possible. - eric ] So, what do you have to do to make use of this stuff to create an online demo CA capability with SSLeay? 1 Create an HTML form for your users. The form should contain fields for all of the required or optional fields in ssleay.conf. The form must contain a KEYGEN tag somewhere with at least a NAME attribute. 2 Create a CGI program to process the form input submitted by the browser. The CGI program must URL-decode the variables and create the file described above, containing subject identification info as well as the SPKAC block. It should then run the the ca program with the -spkac option. If it works (check the exit status), return the new certificate with the appropriate MIME type. If not, return the output of the ca command with MIME type "text/plain". 3 Set up your web server to accept connections signed by your demo CA. This probably involves obtaining the PEM-encoded CA certificate (ordinarily in $SSLDIR/CA/cacert.pem) and installing it into a server database. See your server manual for instructions. ==== obj.doc ======================================================== The Object library. As part of my Crypto library, I found I required a method of identifying various objects. These objects normally had 3 different values associated with them, a short text name, a long (or lower case) text name, and an ASN.1 Object Identifier (which is a sequence of numbers). This library contains a static list of objects and functions to lookup according to one type and to return the other types. To use these routines, 'Object.h' needs to be included. For each supported object, #define entries are defined as follows #define SN_Algorithm "Algorithm" #define LN_algorithm "algorithm" #define NID_algorithm 38 #define OBJ_algorithm 1L,3L,14L,3L,2L SN_ stands for short name. LN_ stands for either long name or lowercase name. NID_ stands for Numeric ID. I each object has a unique NID and this should be used internally to identify objects. OBJ_ stands for ASN.1 Object Identifier or ASN1_OBJECT as defined in the ASN1 routines. These values are used in ASN1 encoding. The following functions are to be used to return pointers into a static definition of these types. What this means is "don't try to free() any pointers returned from these functions. ASN1_OBJECT *OBJ_nid2obj( int n); Return the ASN1_OBJECT that corresponds to a NID of n. char *OBJ_nid2ln( int n); Return the long/lower case name of the object represented by the NID of n. char *OBJ_nid2sn( int n); Return the short name for the object represented by the NID of n. ASN1_OBJECT *OBJ_dup( ASN1_OBJECT *o); Duplicate and return a new ASN1_OBJECT that is the same as the passed parameter. int OBJ_obj2nid( ASN1_OBJECT *o); Given ASN1_OBJECT o, return the NID that corresponds. int OBJ_ln2nid( char *s); Given the long/lower case name 's', return the NID of the object. int OBJ_sn2nid( char *s); Given the short name 's', return the NID of the object. char *OBJ_bsearch( char *key, char *base, int num, int size, int (*cmp)()); Since I have come across a few platforms that do not have the bsearch() function, OBJ_bsearch is my version of that function. Feel free to use this function, but you may as well just use the normal system bsearch(3) if it is present. This version also has tolerance of being passed NULL pointers. ==== keys =========================================================== EVP_PKEY_DSA EVP_PKEY_DSA2 EVP_PKEY_DSA3 EVP_PKEY_DSA4 EVP_PKEY_RSA EVP_PKEY_RSA2 valid DSA pkey types NID_dsa NID_dsaWithSHA NID_dsaWithSHA1 NID_dsaWithSHA1_2 valid RSA pkey types NID_rsaEncryption NID_rsa NID_dsaWithSHA NID_dsaWithSHA DSA SHA NID_dsa NID_dsaWithSHA1 DSA SHA1 NID_md2 NID_md2WithRSAEncryption RSA-pkcs1 MD2 NID_md5 NID_md5WithRSAEncryption RSA-pkcs1 MD5 NID_mdc2 NID_mdc2WithRSA RSA-none MDC2 NID_ripemd160 NID_ripemd160WithRSA RSA-pkcs1 RIPEMD160 NID_sha NID_shaWithRSAEncryption RSA-pkcs1 SHA NID_sha1 NID_sha1WithRSAEncryption RSA-pkcs1 SHA1 ==== rand.doc ======================================================== My Random number library. These routines can be used to generate pseudo random numbers and can be used to 'seed' the pseudo random number generator (RNG). The RNG make no effort to reproduce the same random number stream with each execution. Various other routines in the SSLeay library 'seed' the RNG when suitable 'random' input data is available. Read the section at the end for details on the design of the RNG. void RAND_bytes( unsigned char *buf, int num); This routine puts 'num' random bytes into 'buf'. One should make sure RAND_seed() has been called before using this routine. void RAND_seed( unsigned char *buf, int num); This routine adds more 'seed' data the RNG state. 'num' bytes are added to the RNG state, they are taken from 'buf'. This routine can be called with sensitive data such as user entered passwords. This sensitive data is in no way recoverable from the RAND library routines or state. Try to pass as much data from 'random' sources as possible into the RNG via this function. Also strongly consider using the RAND_load_file() and RAND_write_file() routines. void RAND_cleanup(); When a program has finished with the RAND library, if it so desires, it can 'zero' all RNG state. The following 3 routines are convenience routines that can be used to 'save' and 'restore' data from/to the RNG and it's state. Since the more 'random' data that is feed as seed data the better, why not keep it around between executions of the program? Of course the application should pass more 'random' data in via RAND_seed() and make sure no-one can read the 'random' data file. char *RAND_file_name( char *buf, int size); This routine returns a 'default' name for the location of a 'rand' file. The 'rand' file should keep a sequence of random bytes used to initialise the RNG. The filename is put in 'buf'. Buf is 'size' bytes long. Buf is returned if things go well, if they do not, NULL is returned. The 'rand' file name is generated in the following way. First, if there is a 'RANDFILE' environment variable, it is returned. Second, if there is a 'HOME' environment variable, $HOME/.rand is returned. Third, NULL is returned. NULL is also returned if a buf would overflow. int RAND_load_file( char *file, long number); This function 'adds' the 'file' into the RNG state. It does this by doing a RAND_seed() on the value returned from a stat() system call on the file and if 'number' is non-zero, upto 'number' bytes read from the file. The number of bytes passed to RAND_seed() is returned. int RAND_write_file( char *file), RAND_write_file() writes N random bytes to the file 'file', where N is the size of the internal RND state (currently 1k). This is a suitable method of saving RNG state for reloading via RAND_load_file(). What follows is a description of this RNG and a description of the rational behind it's design. It should be noted that this RNG is intended to be used to generate 'random' keys for various ciphers including generation of DH and RSA keys. It should also be noted that I have just created a system that I am happy with. It may be overkill but that does not worry me. I have not spent that much time on this algorithm so if there are glaring errors, please let me know. Speed has not been a consideration in the design of these routines. First up I will state the things I believe I need for a good RNG. 1) A good hashing algorithm to mix things up and to convert the RNG 'state' to random numbers. 2) An initial source of random 'state'. 3) The state should be very large. If the RNG is being used to generate 4096 bit RSA keys, 2 2048 bit random strings are required (at a minimum). If your RNG state only has 128 bits, you are obviously limiting the search space to 128 bits, not 2048. I'm probably getting a little carried away on this last point but it does indicate that it may not be a bad idea to keep quite a lot of RNG state. It should be easier to break a cipher than guess the RNG seed data. 4) Any RNG seed data should influence all subsequent random numbers generated. This implies that any random seed data entered will have an influence on all subsequent random numbers generated. 5) When using data to seed the RNG state, the data used should not be extractable from the RNG state. I believe this should be a requirement because one possible source of 'secret' semi random data would be a private key or a password. This data must not be disclosed by either subsequent random numbers or a 'core' dump left by a program crash. 6) Given the same initial 'state', 2 systems should deviate in their RNG state (and hence the random numbers generated) over time if at all possible. 7) Given the random number output stream, it should not be possible to determine the RNG state or the next random number. The algorithm is as follows. There is global state made up of a 1023 byte buffer (the 'state'), a working message digest ('md') and a counter ('count'). Whenever seed data is added, it is inserted into the 'state' as follows. The input is chopped up into units of 16 bytes (or less for the last block). Each of these blocks is run through the MD5 message digest. The data passed to the MD5 digest is the current 'md', the same number of bytes from the 'state' (the location determined by in incremented looping index) as the current 'block' and the new key data 'block'. The result of this is kept in 'md' and also xored into the 'state' at the same locations that were used as input into the MD5. I believe this system addresses points 1 (MD5), 3 (the 'state'), 4 (via the 'md'), 5 (by the use of MD5 and xor). When bytes are extracted from the RNG, the following process is used. For each group of 8 bytes (or less), we do the following, Input into MD5, the top 8 bytes from 'md', the byte that are to be overwritten by the random bytes and bytes from the 'state' (incrementing looping index). From this digest output (which is kept in 'md'), the top (upto) 8 bytes are returned to the caller and the bottom (upto) 8 bytes are xored into the 'state'. Finally, after we have finished 'generation' random bytes for the called, 'count' (which is incremented) and 'md' are fed into MD5 and the results are kept in 'md'. I believe the above addressed points 1 (use of MD5), 6 (by hashing into the 'state' the 'old' data from the caller that is about to be overwritten) and 7 (by not using the 8 bytes given to the caller to update the 'state', but they are used to update 'md'). So of the points raised, only 2 is not addressed, but sources of random data will always be a problem. ==== rc2.doc ======================================================== The RC2 library. RC2 is a block cipher that operates on 64bit (8 byte) quantities. It uses variable size key, but 128bit (16 byte) key would normally be considered good. It can be used in all the modes that DES can be used. This library implements the ecb, cbc, cfb64, ofb64 modes. I have implemented this library from an article posted to sci.crypt on 11-Feb-1996. I personally don't know how far to trust the RC2 cipher. While it is capable of having a key of any size, not much reseach has publically been done on it at this point in time (Apr-1996) since the cipher has only been public for a few months :-) It is of a similar speed to DES and IDEA, so unless it is required for meeting some standard (SSLv2, perhaps S/MIME), it would probably be advisable to stick to IDEA, or for the paranoid, Tripple DES. Mind you, having said all that, I should mention that I just read alot and implement ciphers, I'm a 'babe in the woods' when it comes to evaluating ciphers :-). For all calls that have an 'input' and 'output' variables, they can be the same. This library requires the inclusion of 'rc2.h'. All of the encryption functions take what is called an RC2_KEY as an argument. An RC2_KEY is an expanded form of the RC2 key. For all modes of the RC2 algorithm, the RC2_KEY used for decryption is the same one that was used for encryption. The define RC2_ENCRYPT is passed to specify encryption for the functions that require an encryption/decryption flag. RC2_DECRYPT is passed to specify decryption. Please note that any of the encryption modes specified in my DES library could be used with RC2. I have only implemented ecb, cbc, cfb64 and ofb64 for the following reasons. - ecb is the basic RC2 encryption. - cbc is the normal 'chaining' form for block ciphers. - cfb64 can be used to encrypt single characters, therefore input and output do not need to be a multiple of 8. - ofb64 is similar to cfb64 but is more like a stream cipher, not as secure (not cipher feedback) but it does not have an encrypt/decrypt mode. - If you want triple RC2, thats 384 bits of key and you must be totally obsessed with security. Still, if you want it, it is simple enough to copy the function from the DES library and change the des_encrypt to RC2_encrypt; an exercise left for the paranoid reader :-). The functions are as follows: void RC2_set_key( RC2_KEY *ks; int len; unsigned char *key; int bits; RC2_set_key converts an 'len' byte key into a RC2_KEY. A 'ks' is an expanded form of the 'key' which is used to perform actual encryption. It can be regenerated from the RC2 key so it only needs to be kept when encryption or decryption is about to occur. Don't save or pass around RC2_KEY's since they are CPU architecture dependent, 'key's are not. RC2 is an interesting cipher in that it can be used with a variable length key. 'len' is the length of 'key' to be used as the key. A 'len' of 16 is recomended. The 'bits' argument is an interesting addition which I only found out about in Aug 96. BSAFE uses this parameter to 'limit' the number of bits used for the key. To use the 'key' unmodified, set bits to 1024. This is what old versions of my RC2 library did (SSLeay 0.6.3). RSAs BSAFE library sets this parameter to be 128 if 128 bit keys are being used. So to be compatable with BSAFE, set it to 128, if you don't want to reduce RC2's key length, leave it at 1024. void RC2_encrypt( unsigned long *data, RC2_KEY *key, int encrypt); This is the RC2 encryption function that gets called by just about every other RC2 routine in the library. You should not use this function except to implement 'modes' of RC2. I say this because the functions that call this routine do the conversion from 'char *' to long, and this needs to be done to make sure 'non-aligned' memory access do not occur. Data is a pointer to 2 unsigned long's and key is the RC2_KEY to use. Encryption or decryption is indicated by 'encrypt'. which can have the values RC2_ENCRYPT or RC2_DECRYPT. void RC2_ecb_encrypt( unsigned char *in, unsigned char *out, RC2_KEY *key, int encrypt); This is the basic Electronic Code Book form of RC2 (in DES this mode is called Electronic Code Book so I'm going to use the term for rc2 as well. Input is encrypted into output using the key represented by key. Depending on the encrypt, encryption or decryption occurs. Input is 8 bytes long and output is 8 bytes. void RC2_cbc_encrypt( unsigned char *in, unsigned char *out, long length, RC2_KEY *ks, unsigned char *ivec, int encrypt); This routine implements RC2 in Cipher Block Chaining mode. Input, which should be a multiple of 8 bytes is encrypted (or decrypted) to output which will also be a multiple of 8 bytes. The number of bytes is in length (and from what I've said above, should be a multiple of 8). If length is not a multiple of 8, bad things will probably happen. ivec is the initialisation vector. This function updates iv after each call so that it can be passed to the next call to RC2_cbc_encrypt(). void RC2_cfb64_encrypt( unsigned char *in, unsigned char *out, long length, RC2_KEY *schedule, unsigned char *ivec, int *num, int encrypt); This is one of the more useful functions in this RC2 library, it implements CFB mode of RC2 with 64bit feedback. This allows you to encrypt an arbitrary number of bytes, you do not require 8 byte padding. Each call to this routine will encrypt the input bytes to output and then update ivec and num. Num contains 'how far' we are though ivec. 'Encrypt' is used to indicate encryption or decryption. CFB64 mode operates by using the cipher to generate a stream of bytes which is used to encrypt the plain text. The cipher text is then encrypted to generate the next 64 bits to be xored (incrementally) with the next 64 bits of plain text. As can be seen from this, to encrypt or decrypt, the same 'cipher stream' needs to be generated but the way the next block of data is gathered for encryption is different for encryption and decryption. void RC2_ofb64_encrypt( unsigned char *in, unsigned char *out, long length, RC2_KEY *schedule, unsigned char *ivec, int *num); This functions implements OFB mode of RC2 with 64bit feedback. This allows you to encrypt an arbitrary number of bytes, you do not require 8 byte padding. Each call to this routine will encrypt the input bytes to output and then update ivec and num. Num contains 'how far' we are though ivec. This is in effect a stream cipher, there is no encryption or decryption mode. For reading passwords, I suggest using des_read_pw_string() from my DES library. To generate a password from a text string, I suggest using MD5 (or MD2) to produce a 16 byte message digest that can then be passed directly to RC2_set_key(). ===== For more information about the specific RC2 modes in this library (ecb, cbc, cfb and ofb), read the section entitled 'Modes of DES' from the documentation on my DES library. What is said about DES is directly applicable for RC2. ==== rc4.doc ======================================================== The RC4 library. RC4 is a stream cipher that operates on a byte stream. It can be used with any length key but I would recommend normally using 16 bytes. This library requires the inclusion of 'rc4.h'. The RC4 encryption function takes what is called an RC4_KEY as an argument. The RC4_KEY is generated by the RC4_set_key function from the key bytes. RC4, being a stream cipher, does not have an encryption or decryption mode. It produces a stream of bytes that the input stream is xor'ed against and so decryption is just a case of 'encrypting' again with the same key. I have only put in one 'mode' for RC4 which is the normal one. This means there is no initialisation vector and there is no feedback of the cipher text into the cipher. This implies that you should not ever use the same key twice if you can help it. If you do, you leave yourself open to known plain text attacks; if you know the plain text and corresponding cipher text in one message, all messages that used the same key can have the cipher text decoded for the corresponding positions in the cipher stream. The main positive feature of RC4 is that it is a very fast cipher; about 4 times faster that DES. This makes it ideally suited to protocols where the key is randomly chosen, like SSL. The functions are as follows: void RC4_set_key( RC4_KEY *key; int len; unsigned char *data); This function initialises the RC4_KEY structure with the key passed in 'data', which is 'len' bytes long. The key data can be any length but 16 bytes seems to be a good number. void RC4( RC4_KEY *key; unsigned long len; unsigned char *in; unsigned char *out); Do the actual RC4 encryption/decryption. Using the 'key', 'len' bytes are transformed from 'in' to 'out'. As mentioned above, decryption is the operation as encryption. ==== ref.doc ======================================================== I have lots more references etc, and will update this list in the future, 30 Aug 1996 - eay SSL The SSL Protocol - from Netscapes. RC4 Newsgroups: sci.crypt From: sterndark@netcom.com (David Sterndark) Subject: RC4 Algorithm revealed. Message-ID: RC2 Newsgroups: sci.crypt From: pgut01@cs.auckland.ac.nz (Peter Gutmann) Subject: Specification for Ron Rivests Cipher No.2 Message-ID: <4fk39f$f70@net.auckland.ac.nz> MD2 RFC1319 The MD2 Message-Digest Algorithm MD5 RFC1321 The MD5 Message-Digest Algorithm X509 Certificates RFC1421 Privacy Enhancement for Internet Electronic Mail: Part I RFC1422 Privacy Enhancement for Internet Electronic Mail: Part II RFC1423 Privacy Enhancement for Internet Electronic Mail: Part III RFC1424 Privacy Enhancement for Internet Electronic Mail: Part IV RSA and various standard encoding PKCS#1 RSA Encryption Standard PKCS#5 Password-Based Encryption Standard PKCS#7 Cryptographic Message Syntax Standard A Layman's Guide to a Subset of ASN.1, BER, and DER An Overview of the PKCS Standards Some Examples of the PKCS Standards IDEA Chapter 3 The Block Cipher IDEA RSA, prime number generation and bignum algorithms Introduction To Algorithms, Thomas Cormen, Charles Leiserson, Ronald Rivest, Section 29 Arithmetic Circuits Section 33 Number-Theoretic Algorithms Fast Private Key algorithm Fast Decipherment Algorithm for RSA Public-Key Cryptosystem J.-J. Quisquater and C. Couvreur, Electronics Letters, 14th October 1982, Vol. 18 No. 21 Prime number generation and bignum algorithms. PGP-2.3a ==== rsa.doc ======================================================== The RSA encryption and utility routines. The RSA routines are built on top of a big number library (the BN library). There are support routines in the X509 library for loading and manipulating the various objects in the RSA library. When errors are returned, read about the ERR library for how to access the error codes. All RSA encryption is done according to the PKCS-1 standard which is compatible with PEM and RSAref. This means that any values being encrypted must be less than the size of the modulus in bytes, minus 10, bytes long. This library uses RAND_bytes()() for it's random data, make sure to feed RAND_seed() with lots of interesting and varied data before using these routines. The RSA library has one specific data type, the RSA structure. It is composed of 8 BIGNUM variables (see the BN library for details) and can hold either a private RSA key or a public RSA key. Some RSA libraries have different structures for public and private keys, I don't. For my libraries, a public key is determined by the fact that the RSA->d value is NULL. These routines will operate on any size RSA keys. While I'm sure 4096 bit keys are very very secure, they take a lot longer to process that 1024 bit keys :-). The function in the RSA library are as follows. RSA *RSA_new(); This function creates a new RSA object. The sub-fields of the RSA type are also malloced so you should always use this routine to create RSA variables. void RSA_free( RSA *rsa); This function 'frees' an RSA structure. This routine should always be used to free the RSA structure since it will also 'free' any sub-fields of the RSA type that need freeing. int RSA_size( RSA *rsa); This function returns the size of the RSA modulus in bytes. Why do I need this you may ask, well the reason is that when you encrypt with RSA, the output string will be the size of the RSA modulus. So the output for the RSA_encrypt and the input for the RSA_decrypt routines need to be RSA_size() bytes long, because this is how many bytes are expected. For the following 4 RSA encryption routines, it should be noted that RSA_private_decrypt() should be used on the output from RSA_public_encrypt() and RSA_public_decrypt() should be used on the output from RSA_private_encrypt(). int RSA_public_encrypt( int from_len; unsigned char *from unsigned char *to RSA *rsa); This function implements RSA public encryption, the rsa variable should be a public key (but can be a private key). 'from_len' bytes taken from 'from' and encrypted and put into 'to'. 'to' needs to be at least RSA_size(rsa) bytes long. The number of bytes written into 'to' is returned. -1 is returned on an error. The operation performed is to = from^rsa->e mod rsa->n. int RSA_private_encrypt( int from_len; unsigned char *from unsigned char *to RSA *rsa); This function implements RSA private encryption, the rsa variable should be a private key. 'from_len' bytes taken from 'from' and encrypted and put into 'to'. 'to' needs to be at least RSA_size(rsa) bytes long. The number of bytes written into 'to' is returned. -1 is returned on an error. The operation performed is to = from^rsa->d mod rsa->n. int RSA_public_decrypt( int from_len; unsigned char *from unsigned char *to RSA *rsa); This function implements RSA public decryption, the rsa variable should be a public key (but can be a private key). 'from_len' bytes are taken from 'from' and decrypted. The decrypted data is put into 'to'. The number of bytes encrypted is returned. -1 is returned to indicate an error. The operation performed is to = from^rsa->e mod rsa->n. int RSA_private_decrypt( int from_len; unsigned char *from unsigned char *to RSA *rsa); This function implements RSA private decryption, the rsa variable should be a private key. 'from_len' bytes are taken from 'from' and decrypted. The decrypted data is put into 'to'. The number of bytes encrypted is returned. -1 is returned to indicate an error. The operation performed is to = from^rsa->d mod rsa->n. int RSA_mod_exp( BIGNUM *n; BIGNUM *p; RSA *rsa); Normally you will never use this routine. This is really an internal function which is called by RSA_private_encrypt() and RSA_private_decrypt(). It performs n=n^p mod rsa->n except that it uses the 5 extra variables in the RSA structure to make this more efficient. RSA *RSA_generate_key( int bits; unsigned long e; void (*callback)(); char *cb_arg; This routine is used to generate RSA private keys. It takes quite a period of time to run and should only be used to generate initial private keys that should then be stored for later use. The passed callback function will be called periodically so that feedback can be given as to how this function is progressing. 'bits' is the length desired for the modulus, so it would be 1024 to generate a 1024 bit private key. 'e' is the value to use for the public exponent 'e'. Traditionally it is set to either 3 or 0x10001. The callback function (if not NULL) is called in the following situations. when we have generated a suspected prime number to test, callback(0,num1++,cb_arg). When it passes a prime number test, callback(1,num2++,cb_arg). When it is rejected as one of the 2 primes required due to gcd(prime,e value) != 0, callback(2,num3++,cb_arg). When finally accepted as one of the 2 primes, callback(3,num4++,cb_arg). ==== rsaref.doc ======================================================== This package can be compiled to use the RSAref library. This library is not allowed outside of the USA but inside the USA it is claimed by RSA to be the only RSA public key library that can be used besides BSAFE.. There are 2 files, rsaref/rsaref.c and rsaref/rsaref.h that contain the glue code to use RSAref. These files were written by looking at the PGP source code and seeing which routines it used to access RSAref. I have also been sent by some-one a copy of the RSAref header file that contains the library error codes. [ Jun 1996 update - I have recently gotten hold of RSAref 2.0 from South Africa and have been doing some performace tests. ] They have now been tested against the recently announced RSAEURO library. There are 2 ways to use SSLeay and RSAref. First, to build so that the programs must be linked with RSAref, add '-DRSAref' to CFLAG in the top level makefile and -lrsaref (or where ever you are keeping RSAref) to EX_LIBS. To build a makefile via util/mk1mf.pl to do this, use the 'rsaref' option. The second method is to build as per normal and link applications with the RSAglue library. The correct library order would be cc -o cmd cmd.o -lssl -lRSAglue -lcrypto -lrsaref -ldes The RSAglue library is built in the rsa directory and is NOT automatically installed. Be warned that the RSAEURO library, that is claimed to be compatible with RSAref contains a different value for the maximum number of bits supported. This changes structure sizes and so if you are using RSAEURO, change the value of RSAref_MAX_BITS in rsa/rsaref.h ==== s_mult.doc ======================================================== s_mult is a test program I hacked up on a Sunday for testing non-blocking IO. It has a select loop at it's centre that handles multiple readers and writers. Try the following command ssleay s_mult -echo -nbio -ssl -v echo - sends any sent text back to the sender nbio - turns on non-blocking IO ssl - accept SSL connections, default is normal text v - print lots type Q to quit In another window, run the following ssleay s_client -pause new_session_cb is a function pointer to a function of type int new_session_callback(SSL *ssl,SSL_SESSION *new); This function, if set in the SSL_CTX structure is called whenever a new SSL_SESSION is added to the cache. If the callback returns non-zero, it means that the application will have to do a SSL_SESSION_free() on the structure (this is to do with the cache keeping the reference counts correct, without the application needing to know about it. The 'active' parameter is the current SSL session for which this connection was created. void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,int (*cb)()); to set the callback, int (*cb)() SSL_CTX_sess_get_new_cb(SSL_CTX *ctx) to get the callback. If the 'get session' callback is set, when a session id is looked up and it is not in the session-id cache, this callback is called. The callback is of the form SSL_SESSION *get_session_callback(unsigned char *sess_id,int sess_id_len, int *copy); The get_session_callback is intended to return null if no session id is found. The reference count on the SSL_SESSION in incremented by the SSL library, if copy is 1. Otherwise, the reference count is not modified. void SSL_CTX_sess_set_get_cb(ctx,cb) sets the callback and int (*cb)()SSL_CTX_sess_get_get_cb(ctx) returns the callback. These callbacks are basically indended to be used by processes to send their session-id's to other processes. I currently have not implemented non-blocking semantics for these callbacks, it is upto the appication to make the callbacks effiecent if they require blocking (perhaps by 'saving' them and then 'posting them' when control returns from the SSL_accept(). LHASH *SSL_CTX_sessions(SSL_CTX *ctx) This returns the session cache. The lhash strucutre can be accessed for statistics about the cache. void lh_stats(LHASH *lh, FILE *out); void lh_node_stats(LHASH *lh, FILE *out); void lh_node_usage_stats(LHASH *lh, FILE *out); can be used to print details about it's activity and current state. You can also delve directly into the lhash structure for 14 different counters that are kept against the structure. When I wrote the lhash library, I was interested in gathering statistics :-). Have a read of doc/lhash.doc in the SSLeay distribution area for more details on the lhash library. Now as mentioned ealier, when a SSL is created, it needs a SSL_CTX. SSL * SSL_new(SSL_CTX *); This stores a session. A session is secret information shared between 2 SSL contexts. It will only be created if both ends of the connection have authenticated their peer to their satisfaction. It basically contains the information required to use a particular secret key cipher. To retrieve the SSL_CTX being used by a SSL, SSL_CTX *SSL_get_SSL_CTX(SSL *s); Now when a SSL session is established between to programs, the 'session' information that is cached in the SSL_CTX can me manipulated by the following functions. int SSL_set_session(SSL *s, SSL_SESSION *session); This will set the SSL_SESSION to use for the next SSL_connect(). If you use this function on an already 'open' established SSL connection, 'bad things will happen'. This function is meaning-less when used on a ssl strucutre that is just about to be used in a SSL_accept() call since the SSL_accept() will either create a new session or retrieve one from the cache. SSL_SESSION *SSL_get_session(SSL *s); This will return the SSL_SESSION for the current SSL, NULL if there is no session associated with the SSL structure. The SSL sessions are kept in the SSL_CTX in a hash table, to remove a session void SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c); and to add one int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c); SSL_CTX_add_session() returns 1 if the session was already in the cache (so it was not added). Whenever a new session is created via SSL_connect()/SSL_accept(), they are automatically added to the cache, depending on the session_cache_mode settings. SSL_set_session() does not add it to the cache. Just call SSL_CTX_add_session() if you do want the session added. For a 'client' this would not normally be the case. SSL_CTX_add_session() is not normally ever used, except for doing 'evil' things which the next 2 funtions help you do. int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp); SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length); These 2 functions are in the standard ASN1 library form and can be used to load and save to a byte format, the SSL_SESSION structure. With these functions, you can save and read these structures to a files or arbitary byte string. The PEM_write_SSL_SESSION(fp,x) and PEM_read_SSL_SESSION(fp,x,cb) will write to a file pointer in base64 encoding. What you can do with this, is pass session information between separate processes. Please note, that you will probably also need to modify the timeout information on the SSL_SESSIONs. long SSL_get_time(SSL_SESSION *s) will return the 'time' that the session was loaded. The timeout is relative to this time. This information is saved when the SSL_SESSION is converted to binarary but it is stored in as a unix long, which is rather OS dependant, but easy to convert back. long SSL_set_time(SSL_SESSION *s,long t) will set the above mentioned time. The time value is just the value returned from time(3), and should really be defined by be to be time_t. long SSL_get_timeout(SSL_SESSION *s); long SSL_set_timeout(SSL_SESSION *s,long t); These 2 retrieve and set the timeout which is just a number of secconds from the 'SSL_get_time()' value. When this time period has elapesed, the session will no longer be in the cache (well it will actually be removed the next time it is attempted to be retrieved, so you could 'bump' the timeout so it remains valid). The 'time' and 'timeout' are set on a session when it is created, not reset each time it is reused. If you did wish to 'bump it', just after establishing a connection, do a SSL_set_time(ssl,time(NULL)); You can also use SSL_CTX_set_timeout(SSL_CTX *ctx,unsigned long t) and SSL_CTX_get_timeout(SSL_CTX *ctx) to manipulate the default timeouts for all SSL connections created against a SSL_CTX. If you set a timeout in an SSL_CTX, all new SSL's created will inherit the timeout. It can be over written by the SSL_set_timeout(SSL *s,unsigned long t) function call. If you 'set' the timeout back to 0, the system default will be used. SSL_SESSION *SSL_SESSION_new(); void SSL_SESSION_free(SSL_SESSION *ses); These 2 functions are used to create and dispose of SSL_SESSION functions. You should not ever normally need to use them unless you are using i2d_SSL_SESSION() and/or d2i_SSL_SESSION(). If you 'load' a SSL_SESSION via d2i_SSL_SESSION(), you will need to SSL_SESSION_free() it. Both SSL_set_session() and SSL_CTX_add_session() will 'take copies' of the structure (via reference counts) when it is passed to them. SSL_CTX_flush_sessions(ctx,time); The first function will clear all sessions from the cache, which have expired relative to 'time' (which could just be time(NULL)). SSL_CTX_flush_sessions(ctx,0); This is a special case that clears everything. As a final comment, a 'session' is not enough to establish a new connection. If a session has timed out, a certificate and private key need to have been associated with the SSL structure. SSL_copy_session_id(SSL *to,SSL *from); will copy not only the session strucutre but also the private key and certificate associated with 'from'. EXAMPLES. So lets play at being a weird SSL server. /* setup a context */ ctx=SSL_CTX_new(); /* Lets load some session from binary into the cache, why one would do * this is not toally clear, but passing between programs does make sense * Perhaps you are using 4096 bit keys and are happy to keep them * valid for a week, to avoid the RSA overhead of 15 seconds, I'm not toally * sure, perhaps this is a process called from an SSL inetd and this is being * passed to the application. */ session=d2i_SSL_SESSION(....) SSL_CTX_add_session(ctx,session); /* Lets even add a session from a file */ session=PEM_read_SSL_SESSION(....) SSL_CTX_add_session(ctx,session); /* create a new SSL structure */ ssl=SSL_new(ctx); /* At this point we want to be able to 'create' new session if * required, so we need a certificate and RSAkey. */ SSL_use_RSAPrivateKey_file(ssl,...) SSL_use_certificate_file(ssl,...) /* Now since we are a server, it make little sence to load a session against * the ssl strucutre since a SSL_accept() will either create a new session or * grab an existing one from the cache. */ /* grab a socket descriptor */ fd=accept(...); /* associated it with the ssl strucutre */ SSL_set_fd(ssl,fd); SSL_accept(ssl); /* 'do' SSL using out cert and RSA key */ /* Lets print out the session details or lets save it to a file, * perhaps with a secret key cipher, so that we can pass it to the FBI * when they want to decode the session :-). While we have RSA * this does not matter much but when I do SSLv3, this will allow a mechanism * for the server/client to record the information needed to decode * the traffic that went over the wire, even when using Diffie-Hellman */ PEM_write_SSL_SESSION(SSL_get_session(ssl),stdout,....) Lets 'connect' back to the caller using the same session id. ssl2=SSL_new(ctx); fd2=connect(them); SSL_set_fd(ssl2,fd2); SSL_set_session(ssl2,SSL_get_session(ssl)); SSL_connect(ssl2); /* what the hell, lets accept no more connections using this session */ SSL_CTX_remove_session(SSL_get_SSL_CTX(ssl),SSL_get_session(ssl)); /* we could have just as easily used ssl2 since they both are using the * same session. * You will note that both ssl and ssl2 are still using the session, and * the SSL_SESSION structure will be free()ed when both ssl and ssl2 * finish using the session. Also note that you could continue to initiate * connections using this session by doing SSL_get_session(ssl) to get the * existing session, but SSL_accept() will not be able to find it to * use for incoming connections. * Of corse, the session will timeout at the far end and it will no * longer be accepted after a while. The time and timeout are ignored except * by SSL_accept(). */ /* Since we have had our server running for 10 weeks, and memory is getting * short, perhaps we should clear the session cache to remove those * 100000 session entries that have expired. Some may consider this * a memory leak :-) */ SSL_CTX_flush_sessions(ctx,time(NULL)); /* Ok, after a bit more time we wish to flush all sessions from the cache * so that all new connections will be authenticated and incure the * public key operation overhead */ SSL_CTX_flush_sessions(ctx,0); /* As a final note, to copy everything to do with a SSL, use */ SSL_copy_session_id(SSL *to,SSL *from); /* as this also copies the certificate and RSA key so new session can * be established using the same details */ ==== sha.doc ======================================================== The SHA (Secure Hash Algorithm) library. SHA is a message digest algorithm that can be used to condense an arbitrary length message down to a 20 byte hash. The functions all need to be passed a SHA_CTX which is used to hold the SHA context during multiple SHA_Update() function calls. The normal method of use for this library is as follows This library contains both SHA and SHA-1 digest algorithms. SHA-1 is an update to SHA (which should really be called SHA-0 now) which tweaks the algorithm slightly. The SHA-1 algorithm is used by simply using SHA1_Init(), SHA1_Update(), SHA1_Final() and SHA1() instead of the SHA*() calls SHA_Init(...); SHA_Update(...); ... SHA_Update(...); SHA_Final(...); This library requires the inclusion of 'sha.h'. The functions are as follows: void SHA_Init( SHA_CTX *c); This function needs to be called to initiate a SHA_CTX structure for use. void SHA_Update( SHA_CTX *c; unsigned char *data; unsigned long len); This updates the message digest context being generated with 'len' bytes from the 'data' pointer. The number of bytes can be any length. void SHA_Final( unsigned char *md; SHA_CTX *c; This function is called when a message digest of the data digested with SHA_Update() is wanted. The message digest is put in the 'md' array and is SHA_DIGEST_LENGTH (20) bytes long. unsigned char *SHA( unsigned char *d; unsigned long n; unsigned char *md; This function performs a SHA_Init(), followed by a SHA_Update() followed by a SHA_Final() (using a local SHA_CTX). The resulting digest is put into 'md' if it is not NULL. Regardless of the value of 'md', the message digest is returned from the function. If 'md' was NULL, the message digest returned is being stored in a static structure. ==== speed.doc ======================================================== To get an idea of the performance of this library, use ssleay speed perl util/sp-diff.pl file1 file2 will print out the relative differences between the 2 files which are expected to be the output from the speed program. The performace of the library is very dependant on the Compiler quality and various flags used to build. --- These are some numbers I did comparing RSAref and SSLeay on a Pentium 100. [ These numbers are all out of date, as of SSL - 0.6.1 the RSA operations are about 2 times faster, so check the version number ] RSA performance. SSLeay 0.6.0 Pentium 100, 32meg, Windows NT Workstation 3.51 linux - gcc v 2.7.0 -O3 -fomit-frame-pointer -m486 and Windows NT - Windows NT 3.51 - Visual C++ 4.1 - 586 code + 32bit assember Windows 3.1 - Windows NT 3.51 - Visual C++ 1.52c - 286 code + 32bit assember NT Dos Shell- Windows NT 3.51 - Visual C++ 1.52c - 286 code + 16bit assember Times are how long it takes to do an RSA private key operation. 512bits 1024bits ------------------------------- SSLeay NT dll 0.042s 0.202s see above SSLeay linux 0.046s 0.218s Assember inner loops (normal build) SSLeay linux 0.067s 0.380s Pure C code with BN_LLONG defined SSLeay W3.1 dll 0.108s 0.478s see above SSLeay linux 0.109s 0.713s C without BN_LLONG. RSAref2.0 linux 0.149s 0.936s SSLeay MS-DOS 0.197s 1.049s see above 486DX66, 32meg, Windows NT Server 3.51 512bits 1024bits ------------------------------- SSLeay NT dll 0.084s 0.495s <- SSLeay 0.6.3 SSLeay NT dll 0.154s 0.882s SSLeay W3.1 dll 0.335s 1.538s SSLeay MS-DOS 0.490s 2.790s What I find cute is that I'm still faster than RSAref when using standard C, without using the 'long long' data type :-), %35 faster for 512bit and we scale up to 3.2 times faster for the 'default linux' build. I should mention that people should 'try' to use either x86-lnx.s (elf), x86-lnxa.s or x86-sol.s for any x86 based unix they are building on. The only problems with be with syntax but the performance gain is quite large, especially for servers. The code is very simple, you just need to modify the 'header'. The message is, if you are stuck using RSAref, the RSA performance will be bad. Considering the code was compiled for a pentium, the 486DX66 number would indicate 'Use RSAref and turn you Pentium 100 into a 486DX66' :-). [ As of verson 0.6.1, it would be correct to say 'turn you pentium 100 into a 486DX33' :-) ] I won't tell people if the DLL's are using RSAref or my stuff if no-one asks :-). eric PS while I know I could speed things up further, I will probably not do so due to the effort involved. I did do some timings on the SSLeay bignum format -> RSAref number format conversion that occurs each time RSAref is used by SSLeay, and the numbers are trivial. 0.00012s a call for 512bit vs 0.149s for the time spent in the function. 0.00018s for 1024bit vs 0.938s. Insignificant. So the 'way to go', to support faster RSA libraries, if people are keen, is to write 'glue' code in a similar way that I do for RSAref and send it to me :-). My base library still has the advantage of being able to operate on any size numbers, and is not that far from the performance from the leaders in the field. (-%30?) [ Well as of 0.6.1 I am now the leader in the filed on x86 (we at least very close :-) ] I suppose I should also mention some other numbers RSAref numbers, again on my Pentium. DES CBC EDE-DES MD5 RSAref linux 830k/s 302k/s 4390k/s SSLeay linux 855k/s 319k/s 10025k/s SSLeay NT 1158k/s 410k/s 10470k/s SSLeay w31 378k/s 143k/s 2383k/s (fully 16bit) Got to admit that Visual C++ 4.[01] is a damn fine compiler :-) -- Eric Young | BOOL is tri-state according to Bill Gates. AARNet: eay@cryptsoft.com | RTFM Win32 GetMessage(). ==== ssl-ciph.doc ======================================================== This is a quick high level summery of how things work now. Each SSLv2 and SSLv3 cipher is composed of 4 major attributes plus a few extra minor ones. They are 'The key exchange algorithm', which is RSA for SSLv2 but can also be Diffle-Hellman for SSLv3. An 'Authenticion algorithm', which can be RSA, Diffle-Helman, DSS or none. The cipher The MAC digest. A cipher can also be an export cipher and is either an SSLv2 or a SSLv3 ciphers. To specify which ciphers to use, one can either specify all the ciphers, one at a time, or use 'aliases' to specify the preference and order for the ciphers. There are a large number of aliases, but the most importaint are kRSA, kDHr, kDHd and kEDH for key exchange types. aRSA, aDSS, aNULL and aDH for authentication DES, 3DES, RC4, RC2, IDEA and eNULL for ciphers MD5, SHA0 and SHA1 digests Now where this becomes interesting is that these can be put together to specify the order and ciphers you wish to use. To speed this up there are also aliases for certian groups of ciphers. The main ones are SSLv2 - all SSLv2 ciphers SSLv3 - all SSLv3 ciphers EXP - all export ciphers LOW - all low strngth ciphers (no export ciphers, normally single DES) MEDIUM - 128 bit encryption HIGH - Triple DES These aliases can be joined in a : separated list which specifies to add ciphers, move them to the current location and delete them. A simpler way to look at all of this is to use the 'ssleay ciphers -v' command. The default library cipher spec is !ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP which means, first, remove from consideration any ciphers that do not authenticate. Next up, use ciphers using RC4 and RSA. Next include the HIGH, MEDIUM and the LOW security ciphers. Finish up by adding all the export ciphers on the end, then 'pull' all the SSLv2 and export ciphers to the end of the list. The results are $ ssleay ciphers -v '!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP' RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 IDEA-CBC-MD5 SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5 RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 EXP-EDH-RSA-DES-CBC SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export I would recoment people use the 'ssleay ciphers -v "text"' command to check what they are going to use. Anyway, I'm falling asleep here so I'll do some more tomorrow. eric ==== ssl.doc ======================================================== SSL_CTX_sessions(SSL_CTX *ctx) - the session-id hash table. /* Session-id cache stats */ SSL_CTX_sess_number SSL_CTX_sess_connect SSL_CTX_sess_connect_good SSL_CTX_sess_accept SSL_CTX_sess_accept_good SSL_CTX_sess_hits SSL_CTX_sess_cb_hits SSL_CTX_sess_misses SSL_CTX_sess_timeouts /* Session-id application notification callbacks */ SSL_CTX_sess_set_new_cb SSL_CTX_sess_get_new_cb SSL_CTX_sess_set_get_cb SSL_CTX_sess_get_get_cb /* Session-id cache operation mode */ SSL_CTX_set_session_cache_mode SSL_CTX_get_session_cache_mode /* Set default timeout values to use. */ SSL_CTX_set_timeout SSL_CTX_get_timeout /* Global SSL initalisation informational callback */ SSL_CTX_set_info_callback SSL_CTX_get_info_callback SSL_set_info_callback SSL_get_info_callback /* If the SSL_accept/SSL_connect returned with -1, these indicate when * we should re-call *. SSL_want SSL_want_nothing SSL_want_read SSL_want_write SSL_want_x509_lookup /* Where we are in SSL initalisation, used in non-blocking, perhaps * have a look at ssl/bio_ssl.c */ SSL_state SSL_is_init_finished SSL_in_init SSL_in_connect_init SSL_in_accept_init /* Used to set the 'inital' state so SSL_in_connect_init and SSL_in_accept_init * can be used to work out which function to call. */ SSL_set_connect_state SSL_set_accept_state /* Where to look for certificates for authentication */ SSL_set_default_verify_paths /* calles SSL_load_verify_locations */ SSL_load_verify_locations /* get info from an established connection */ SSL_get_session SSL_get_certificate SSL_get_SSL_CTX SSL_CTX_new SSL_CTX_free SSL_new SSL_clear SSL_free SSL_CTX_set_cipher_list SSL_get_cipher SSL_set_cipher_list SSL_get_cipher_list SSL_get_shared_ciphers SSL_accept SSL_connect SSL_read SSL_write SSL_debug SSL_get_read_ahead SSL_set_read_ahead SSL_set_verify SSL_pending SSL_set_fd SSL_set_rfd SSL_set_wfd SSL_set_bio SSL_get_fd SSL_get_rbio SSL_get_wbio SSL_use_RSAPrivateKey SSL_use_RSAPrivateKey_ASN1 SSL_use_RSAPrivateKey_file SSL_use_PrivateKey SSL_use_PrivateKey_ASN1 SSL_use_PrivateKey_file SSL_use_certificate SSL_use_certificate_ASN1 SSL_use_certificate_file ERR_load_SSL_strings SSL_load_error_strings /* human readable version of the 'state' of the SSL connection. */ SSL_state_string SSL_state_string_long /* These 2 report what kind of IO operation the library was trying to * perform last. Probably not very usefull. */ SSL_rstate_string SSL_rstate_string_long SSL_get_peer_certificate SSL_SESSION_new SSL_SESSION_print_fp SSL_SESSION_print SSL_SESSION_free i2d_SSL_SESSION d2i_SSL_SESSION SSL_get_time SSL_set_time SSL_get_timeout SSL_set_timeout SSL_copy_session_id SSL_set_session SSL_CTX_add_session SSL_CTX_remove_session SSL_CTX_flush_sessions BIO_f_ssl /* used to hold information as to why a certificate verification failed */ SSL_set_verify_result SSL_get_verify_result /* can be used by the application to associate data with an SSL structure. * It needs to be 'free()ed' by the application */ SSL_set_app_data SSL_get_app_data /* The following all set values that are kept in the SSL_CTX but * are used as the default values when an SSL session is created. * They are over writen by the relevent SSL_xxxx functions */ /* SSL_set_verify */ void SSL_CTX_set_default_verify /* This callback, if set, totaly overrides the normal SSLeay verification - * functions and should return 1 on sucesss and 0 on failure */ + * functions and should return 1 on success and 0 on failure */ void SSL_CTX_set_cert_verify_callback /* The following are the same as the equivilent SSL_xxx functions. * Only one copy of this information is kept and if a particular * SSL structure has a local override, it is totally separate structure. */ int SSL_CTX_use_RSAPrivateKey int SSL_CTX_use_RSAPrivateKey_ASN1 int SSL_CTX_use_RSAPrivateKey_file int SSL_CTX_use_PrivateKey int SSL_CTX_use_PrivateKey_ASN1 int SSL_CTX_use_PrivateKey_file int SSL_CTX_use_certificate int SSL_CTX_use_certificate_ASN1 int SSL_CTX_use_certificate_file ==== ssl_ctx.doc ======================================================== This is now a bit dated, quite a few of the SSL_ functions could be SSL_CTX_ functions. I will update this in the future. 30 Aug 1996 From eay@orb.mincom.oz.au Mon Dec 11 21:37:08 1995 Received: by orb.mincom.oz.au id AA00696 (5.65c/IDA-1.4.4 for eay); Mon, 11 Dec 1995 11:37:08 +1000 Date: Mon, 11 Dec 1995 11:37:08 +1000 (EST) From: Eric Young X-Sender: eay@orb To: sameer Cc: Eric Young Subject: Re: PEM_readX509 oesn't seem to be working In-Reply-To: <199512110102.RAA12521@infinity.c2.org> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: On Sun, 10 Dec 1995, sameer wrote: > OK, that's solved. I've found out that it is saying "no > certificate set" in SSL_accept because s->conn == NULL > so there is some place I need to initialize s->conn that I am > not initializing it. The full order of things for a server should be. ctx=SSL_CTX_new(); /* The next line should not really be using ctx->cert but I'll leave it * this way right now... I don't want a X509_ routine to know about an SSL * structure, there should be an SSL_load_verify_locations... hmm, I may * add it tonight. */ X509_load_verify_locations(ctx->cert,CAfile,CApath); /* Ok now for each new connection we do the following */ con=SSL_new(ctx); SSL_set_fd(con,s); SSL_set_verify(con,verify,verify_callback); /* set the certificate and private key to use. */ SSL_use_certificate_ASN1(con,X509_certificate); SSL_use_RSAPrivateKey_ASN1(con,RSA_private_key); SSL_accept(con); SSL_read(con)/SSL_write(con); There is a bit more than that but that is basically the structure. Create a context and specify where to lookup certificates. foreach connection { create a SSL structure set the certificate and private key do a SSL_accept we should now be ok } eric -- Eric Young | Signature removed since it was generating AARNet: eay@mincom.oz.au | more followups than the message contents :-) ==== ssleay.doc ======================================================== SSLeay: a cryptographic kitchen sink. 1st December 1995 Way back at the start of April 1995, I was looking for a mindless programming project. A friend of mine (Tim Hudson) said "why don't you do SSL, it has DES encryption in it and I would not mind using it in a SSL telnet". While it was true I had written a DES library in previous years, litle did I know what an expansive task SSL would turn into. First of all, the SSL protocol contains DES encryption. Well and good. My DES library was fast and portable. It also contained the RSA's RC4 stream cipher. Again, not a problem, some-one had just posted to sci.crypt something that was claimed to be RC4. It also contained IDEA, I had the specifications, not a problem to implement. MD5, an RFC, trivial, at most I could spend a week or so trying to see if I could speed up the implementation. All in all a nice set of ciphers. Then the first 'expantion of the scope', RSA public key encryption. Since I did not knowing a thing about public key encryption or number theory, this appeared quite a daunting task. Just writing a big number library would be problomatic in itself, let alone making it fast. At this point the scope of 'implementing SSL' expands eponentialy. First of all, the RSA private keys were being kept in ASN.1 format. Thankfully the RSA PKCS series of documents explains this format. So I now needed to be able to encode and decode arbitary ASN.1 objects. The Public keys were embeded in X509 certificates. Hmm... these are not only ASN.1 objects but they make up a heirachy of authentication. To authenticate a X509 certificate one needs to retrieve it's issuers certificate etc etc. Hmm..., so I also need to implement some kind of certificate management software. I would also have to implement software to authenticate certificates. At this point the support code made the SSL part of my library look quite small. Around this time, the first version of SSLeay was released. Ah, but here was the problem, I was not happy with the code so far. As may have become obvious, I had been treating all of this as a learning exersize, so I have completely written the library myself. As such, due to the way it had grown like a fungus, much of the library was not 'elagent' or neat. There were global and static variables all over the place, the SSL part did not even handle non-blocking IO. The Great rewrite began. As of this point in time, the 'Great rewrite' has almost finished. So what follows is an approximate list of what is actually SSLeay 0.5.0 /********* This needs to be updated for 0.6.0+ *************/ --- The library contains the following routines. Please note that most of these functions are not specfic for SSL or any other particular cipher implementation. I have tried to make all the routines as general purpose as possible. So you should not think of this library as an SSL implemtation, but rather as a library of cryptographic functions that also contains SSL. I refer to each of these function groupings as libraries since they are often capable of functioning as independant libraries First up, the general ciphers and message digests supported by the library. MD2 rfc???, a standard 'by parts' interface to this algorithm. MD5 rfc???, the same type of interface as for the MD2 library except a different algorithm. SHA THe Secure Hash Algorithm. Again the same type of interface as MD2/MD5 except the digest is 20 bytes. SHA1 The 'revised' version of SHA. Just about identical to SHA except for one tweak of an inner loop. DES This is my libdes library that has been floating around for the last few years. It has been enhanced for no other reason than completeness. It now supports ecb, cbc, cfb, ofb, cfb64, ofb64 in normal mode and triple DES modes of ecb, cbc, cfb64 and ofb64. cfb64 and ofb64 are functional interfaces to the 64 bit modes of cfb and ofb used in such a way thay they function as single character interfaces. RC4 The RSA Inc. stream cipher. RC2 The RSA Inc. block cipher. IDEA An implmentation of the IDEA cipher, the library supports ecb, cbc, cfb64 and ofb64 modes of operation. Now all the above mentioned ciphers and digests libraries support high speed, minimal 'crap in the way' type interfaces. For fastest and lowest level access, these routines should be used directly. Now there was also the matter of public key crypto systems. These are based on large integer arithmatic. BN This is my large integer library. It supports all the normal arithmentic operations. It uses malloc extensivly and as such has no limits of the size of the numbers being manipulated. If you wish to use 4000 bit RSA moduli, these routines will handle it. This library also contains routines to 'generate' prime numbers and to test for primality. The RSA and DH libraries sit on top of this library. As of this point in time, I don't support SHA, but when I do add it, it will just sit on top of the routines contained in this library. RSA This implements the RSA public key algorithm. It also contains routines that will generate a new private/public key pair. All the RSA functions conform to the PKCS#1 standard. DH This is an implementation of the Diffie-Hellman protocol. There are all the require routines for the protocol, plus extra routines that can be used to generate a strong prime for use with a specified generator. While this last routine is not generally required by applications implementing DH, It is present for completeness and because I thing it is much better to be able to 'generate' your own 'magic' numbers as oposed to using numbers suplied by others. I conform to the PKCS#3 standard where required. You may have noticed the preceeding section mentions the 'generation' of prime numbers. Now this requries the use of 'random numbers'. RAND This psuedo-random number library is based on MD5 at it's core and a large internal state (2k bytes). Once you have entered enough seed data into this random number algorithm I don't feel you will ever need to worry about it generating predictable output. Due to the way I am writing a portable library, I have left the issue of how to get good initial random seed data upto the application but I do have support routines for saving and loading a persistant random number state for use between program runs. Now to make all these ciphers easier to use, a higher level interface was required. In this form, the same function would be used to encrypt 'by parts', via any one of the above mentioned ciphers. EVP The Digital EnVeloPe library is quite large. At it's core are function to perform encryption and decryption by parts while using an initial parameter to specify which of the 17 different ciphers or 4 different message digests to use. On top of these are implmented the digital signature functions, sign, verify, seal and open. Base64 encoding of binary data is also done in this library. PEM rfc???? describe the format for Privacy Enhanced eMail. As part of this standard, methods of encoding digital enveloped data is an ascii format are defined. As such, I use a form of these to encode enveloped data. While at this point in time full support for PEM has not been built into the library, a minimal subset of the secret key and Base64 encoding is present. These reoutines are mostly used to Ascii encode binary data with a 'type' associated with it and perhaps details of private key encryption used to encrypt the data. PKCS7 This is another Digital Envelope encoding standard which uses ASN.1 to encode the data. At this point in time, while there are some routines to encode and decode this binary format, full support is not present. As Mentioned, above, there are several different ways to encode data structures. ASN1 This library is more a set of primatives used to encode the packing and unpacking of data structures. It is used by the X509 certificate standard and by the PKCS standards which are used by this library. It also contains routines for duplicating and signing the structures asocisated with X509. X509 The X509 library contains routines for packing and unpacking, verifying and just about every thing else you would want to do with X509 certificates. PKCS7 PKCS-7 is a standard for encoding digital envelope data structures. At this point in time the routines will load and save DER forms of these structees. They need to be re-worked to support the BER form which is the normal way PKCS-7 is encoded. If the previous 2 sentances don't make much sense, don't worry, this library is not used by this version of SSLeay anyway. OBJ ASN.1 uses 'object identifiers' to identify objects. A set of functions were requred to translate from ASN.1 to an intenger, to a character string. This library provieds these translations Now I mentioned an X509 library. X509 specified a hieachy of certificates which needs to be traversed to authenticate particular certificates. METH This library is used to push 'methods' of retrieving certificates into the library. There are some supplied 'methods' with SSLeay but applications can add new methods if they so desire. This library has not been finished and is not being used in this version. Now all the above are required for use in the initial point of this project. SSL The SSL protocol. This is a full implmentation of SSL v 2. It support both server and client authentication. SSL v 3 support will be added when the SSL v 3 specification is released in it's final form. Now quite a few of the above mentioned libraries rely on a few 'complex' data structures. For each of these I have a library. Lhash This is a hash table library which is used extensivly. STACK An implemetation of a Stack data structure. BUF A simple character array structure that also support a function to check that the array is greater that a certain size, if it is not, it is realloced so that is it. TXT_DB A simple memory based text file data base. The application can specify unique indexes that will be enforced at update time. CONF Most of the programs written for this library require a configuration file. Instead of letting programs constantly re-implment this subsystem, the CONF library provides a consistant and flexable interface to not only configuration files but also environment variables. But what about when something goes wrong? The one advantage (and perhaps disadvantage) of all of these functions being in one library was the ability to implement a single error reporting system. ERR This library is used to report errors. The error system records library number, function number (in the library) and reason number. Multiple errors can be reported so that an 'error' trace is created. The errors can be printed in numeric or textual form. ==== ssluse.doc ======================================================== We have an SSL_CTX which contains global information for lots of SSL connections. The session-id cache and the certificate verificate cache. It also contains default values for use when certificates are used. SSL_CTX default cipher list session-id cache certificate cache default session-id timeout period New session-id callback Required session-id callback session-id stats Informational callback Callback that is set, overrides the SSLeay X509 certificate verification The default Certificate/Private Key pair Default read ahead mode. Default verify mode and verify callback. These are not used if the over ride callback mentioned above is used. Each SSL can have the following defined for it before a connection is made. Certificate Private key Ciphers to use Certificate verify mode and callback IO object to use in the comunication. Some 'read-ahead' mode information. A previous session-id to re-use. A connection is made by using SSL_connect or SSL_accept. When non-blocking IO is being used, there are functions that can be used to determin where and why the SSL_connect or SSL_accept did not complete. This information can be used to recall the functions when the 'error' condition has dissapeared. After the connection has been made, information can be retrived about the SSL session and the session-id values that have been decided apon. The 'peer' certificate can be retrieved. The session-id values include 'start time' 'timeout length' ==== stack.doc ======================================================== The stack data structure is used to store an ordered list of objects. It is basically misnamed to call it a stack but it can function that way and that is what I originally used it for. Due to the way element pointers are kept in a malloc()ed array, the most efficient way to use this structure is to add and delete elements from the end via sk_pop() and sk_push(). If you wish to do 'lookups' sk_find() is quite efficient since it will sort the stack (if required) and then do a binary search to lookup the requested item. This sorting occurs automatically so just sk_push() elements on the stack and don't worry about the order. Do remember that if you do a sk_find(), the order of the elements will change. You should never need to 'touch' this structure directly. typedef struct stack_st { unsigned int num; char **data; int sorted; unsigned int num_alloc; int (*comp)(); } STACK; 'num' holds the number of elements in the stack, 'data' is the array of elements. 'sorted' is 1 is the list has been sorted, 0 if not. num_alloc is the number of 'nodes' allocated in 'data'. When num becomes larger than num_alloc, data is realloced to a larger size. If 'comp' is set, it is a function that is used to compare 2 of the items in the stack. The function should return -1, 0 or 1, depending on the ordering. #define sk_num(sk) ((sk)->num) #define sk_value(sk,n) ((sk)->data[n]) These 2 macros should be used to access the number of elements in the 'stack' and to access a pointer to one of the values. STACK *sk_new(int (*c)()); This creates a new stack. If 'c', the comparison function, is not specified, the various functions that operate on a sorted 'stack' will not work (sk_find()). NULL is returned on failure. void sk_free(STACK *); This function free()'s a stack structure. The elements in the stack will not be freed so one should 'pop' and free all elements from the stack before calling this function or call sk_pop_free() instead. void sk_pop_free(STACK *st; void (*func)()); This function calls 'func' for each element on the stack, passing the element as the argument. sk_free() is then called to free the 'stack' structure. int sk_insert(STACK *sk,char *data,int where); This function inserts 'data' into stack 'sk' at location 'where'. If 'where' is larger that the number of elements in the stack, the element is put at the end. This function tends to be used by other 'stack' functions. Returns 0 on failure, otherwise the number of elements in the new stack. char *sk_delete(STACK *st,int loc); Remove the item a location 'loc' from the stack and returns it. Returns NULL if the 'loc' is out of range. char *sk_delete_ptr(STACK *st, char *p); If the data item pointed to by 'p' is in the stack, it is deleted from the stack and returned. NULL is returned if the element is not in the stack. int sk_find(STACK *st,char *data); Returns the location that contains a value that is equal to the 'data' item. If the comparison function was not set, this function does a linear search. This function actually qsort()s the stack if it is not in order and then uses bsearch() to do the initial search. If the search fails,, -1 is returned. For mutliple items with the same value, the index of the first in the array is returned. int sk_push(STACK *st,char *data); Append 'data' to the stack. 0 is returned if there is a failure (due to a malloc failure), else 1. This is sk_insert(st,data,sk_num(st)); int sk_unshift(STACK *st,char *data); Prepend 'data' to the front (location 0) of the stack. This is sk_insert(st,data,0); char *sk_shift(STACK *st); Return and delete from the stack the first element in the stack. This is sk_delete(st,0); char *sk_pop(STACK *st); Return and delete the last element on the stack. This is sk_delete(st,sk_num(sk)-1); void sk_zero(STACK *st); Removes all items from the stack. It does not 'free' pointers but is a quick way to clear a 'stack of references'. ==== threads.doc ======================================================== How to compile SSLeay for multi-threading. Well basically it is quite simple, set the compiler flags and build. I have only really done much testing under Solaris and Windows NT. If you library supports localtime_r() and gmtime_r() add, -DTHREADS to the makefile parameters. You can probably survive with out this define unless you are going to have multiple threads generating certificates at once. It will not affect the SSL side of things. The approach I have taken to doing locking is to make the application provide callbacks to perform locking and so that the SSLeay library can distinguish between threads (for the error state). To have a look at an example program, 'cd mt; vi mttest.c'. To build under solaris, sh solaris.sh, for Windows NT or Windows 95, win32.bat This will build mttest which will fire up 10 threads that talk SSL to each other 10 times. To enable everything to work, the application needs to call CRYPTO_set_id_callback(id_function); CRYPTO_set_locking_callback(locking_function); before any multithreading is started. id_function does not need to be defined under Windows NT or 95, the correct function will be called if it is not. Under unix, getpid() is call if the id_callback is not defined, for Solaris this is wrong (since threads id's are not pid's) but under Linux it is correct (threads are just processes sharing the data segement). The locking_callback is used to perform locking by the SSLeay library. eg. void solaris_locking_callback(mode,type,file,line) int mode; int type; char *file; int line; { if (mode & CRYPTO_LOCK) mutex_lock(&(lock_cs[type])); else mutex_unlock(&(lock_cs[type])); } Now in this case I have used mutexes instead of read/write locks, since they are faster and there are not many read locks in SSLeay, you may as well always use write locks. file and line are __FILE__ and __LINE__ from the compile and can be usefull when debugging. Now as you can see, 'type' can be one of a range of values, these values are defined in crypto/crypto.h CRYPTO_get_lock_name(type) will return a text version of what the lock is. There are CRYPTO_NUM_LOCKS locks required, so under solaris, the setup for multi-threading can be static mutex_t lock_cs[CRYPTO_NUM_LOCKS]; void thread_setup() { int i; for (i=0; i => string to prompt with # _default => default value for people # _value => Automatically use this value for this field. # _min => minimum number of characters for data (def. 0) # _max => maximum number of characters for data (def. inf.) # All of these entries are optional except for the first one. [ req_dn ] countryName = Country Name (2 letter code) countryName_default = AU stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Queensland localityName = Locality Name (eg, city) organizationName = Organization Name (eg, company) organizationName_default = Mincom Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = MTR commonName = Common Name (eg, YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 40 # The next section is the attributes section. This is exactly the # same as for the previous section except that the resulting objects are # put in the attributes field. [ req_attr ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name ---- Also note that the order that attributes appear in this file is the order they will be put into the distinguished name. Once this request has been generated, it can be sent to a CA for certifying. ---- A few quick examples.... To generate a new request and a new key req -new To generate a new request and a 1058 bit key req -newkey 1058 To generate a new request using a pre-existing key req -new -key key.pem To generate a self signed x509 certificate from a certificate request using a supplied key, and we want to see the text form of the output certificate (which we will put in the file selfSign.pem req -x509 -in req.pem -key key.pem -text -out selfSign.pem Verify that the signature is correct on a certificate request. req -verify -in req.pem Verify that the signature was made using a specified public key. req -verify -in req.pem -key key.pem Print the contents of a certificate request req -text -in req.pem ==== danger ======================================================== If you specify a SSLv2 cipher, and the mode is SSLv23 and the server can talk SSLv3, it will claim there is no cipher since you should be using SSLv3. When tracing debug stuff, remember BIO_s_socket() is different to BIO_s_connect(). BSD/OS assember is not working diff --git a/crypto/openssl/openssl.spec b/crypto/openssl/openssl.spec index 9ce236e0d21e..6a272f69698e 100644 --- a/crypto/openssl/openssl.spec +++ b/crypto/openssl/openssl.spec @@ -1,208 +1,208 @@ %define libmaj 0 %define libmin 9 %define librel 7 -%define librev c +%define librev d Release: 1 %define openssldir /var/ssl Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl #Version: %{libmaj}.%{libmin}.%{librel} Version: %{libmaj}.%{libmin}.%{librel}%{librev} Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz Copyright: Freely distributable Group: System Environment/Libraries Provides: SSL URL: http://www.openssl.org/ Packager: Damien Miller BuildRoot: /var/tmp/%{name}-%{version}-root %description The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL tookit and its related documentation. OpenSSL is based on the excellent SSLeay library developed from Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes. This package contains the base OpenSSL cryptography and SSL/TLS libraries and tools. %package devel Summary: Secure Sockets Layer and cryptography static libraries and headers Group: Development/Libraries Requires: openssl %description devel The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL tookit and its related documentation. OpenSSL is based on the excellent SSLeay library developed from Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes. This package contains the the OpenSSL cryptography and SSL/TLS static libraries and header files required when developing applications. %package doc Summary: OpenSSL miscellaneous files Group: Documentation Requires: openssl %description doc The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL tookit and its related documentation. OpenSSL is based on the excellent SSLeay library developed from Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes. This package contains the the OpenSSL cryptography and SSL/TLS extra documentation and POD files from which the man pages were produced. %prep %setup -q %build %define CONFIG_FLAGS -DSSL_ALLOW_ADH --prefix=/usr --openssldir=%{openssldir} perl util/perlpath.pl /usr/bin/perl %ifarch i386 i486 i586 i686 ./Configure %{CONFIG_FLAGS} linux-elf shared %endif %ifarch ppc ./Configure %{CONFIG_FLAGS} linux-ppc shared %endif %ifarch alpha ./Configure %{CONFIG_FLAGS} linux-alpha shared %endif LD_LIBRARY_PATH=`pwd` make LD_LIBRARY_PATH=`pwd` make rehash LD_LIBRARY_PATH=`pwd` make test %install rm -rf $RPM_BUILD_ROOT make MANDIR=/usr/man MANSUFFIX=ssl INSTALL_PREFIX="$RPM_BUILD_ROOT" install # Make backwards-compatibility symlink to ssleay ln -sf /usr/bin/openssl $RPM_BUILD_ROOT/usr/bin/ssleay %clean rm -rf $RPM_BUILD_ROOT %files %defattr(0644,root,root,0755) %doc CHANGES CHANGES.SSLeay LICENSE NEWS README %attr(0755,root,root) /usr/bin/* %attr(0755,root,root) /usr/lib/*.so* %attr(0755,root,root) %{openssldir}/misc/* %attr(0644,root,root) /usr/man/man[157]/* %config %attr(0644,root,root) %{openssldir}/openssl.cnf %dir %attr(0755,root,root) %{openssldir}/certs %dir %attr(0755,root,root) %{openssldir}/lib %dir %attr(0755,root,root) %{openssldir}/misc %dir %attr(0750,root,root) %{openssldir}/private %files devel %defattr(0644,root,root,0755) %doc CHANGES CHANGES.SSLeay LICENSE NEWS README %attr(0644,root,root) /usr/lib/*.a %attr(0644,root,root) /usr/lib/pkgconfig/openssl.pc %attr(0644,root,root) /usr/include/openssl/* %attr(0644,root,root) /usr/man/man[3]/* %files doc %defattr(0644,root,root,0755) %doc CHANGES CHANGES.SSLeay LICENSE NEWS README %doc doc %post ldconfig %postun ldconfig %changelog * Wed May 7 2003 Richard Levitte - Add /usr/lib/pkgconfig/openssl.pc to the development section. * Thu Mar 22 2001 Richard Levitte - Removed redundant subsection that re-installed libcrypto.a and libssl.a as well. Also remove RSAref stuff completely, since it's not needed any more. * Thu Mar 15 2001 Jeremiah Johnson - Removed redundant subsection that re-installed libcrypto.so.0.9.6 and libssl.so.0.9.6. As well as the subsection that created symlinks for these. make install handles all this. * Sat Oct 21 2000 Horms - Make sure symlinks are created by using -f flag to ln. Otherwise some .so libraries are copied rather than linked in the resulting binary RPM. This causes the package to be larger than neccessary and makes ldconfig complain. * Fri Oct 13 2000 Horms - Make defattr is set for files in all packages so packages built as non-root will still be installed with files owned by root. * Thu Sep 14 2000 Richard Levitte - Changed to adapt to the new (supported) way of making shared libraries - Installs all static libraries, not just libRSAglue.a - Extra documents now end up in a separate document package * Sun Feb 27 2000 Damien Miller - Merged patches to spec - Updated to 0.9.5beta2 (now with manpages) * Sat Feb 5 2000 Michal Jaegermann - added 'linux-alpha' to configuration - fixed nasty absolute links * Tue Jan 25 2000 Bennett Todd - Added -DSSL_ALLOW_ADH, bumped Release to 4 * Thu Oct 14 1999 Damien Miller - Set default permissions - Removed documentation from devel sub-package * Thu Sep 30 1999 Damien Miller - Added "make test" stage - GPG signed * Tue Sep 10 1999 Damien Miller - Updated to version 0.9.4 * Tue May 25 1999 Damien Miller - Updated to version 0.9.3 - Added attributes for all files - Paramatised openssl directory * Sat Mar 20 1999 Carlo M. Arenas Belon - Added "official" bnrec patch and taking other out - making a link from ssleay to openssl binary - putting all changelog together on SPEC file * Fri Mar 5 1999 Henri Gomez - Added bnrec patch * Tue Dec 29 1998 Jonathan Ruano - minimum spec and patches changes for openssl - modified for openssl sources * Sat Aug 8 1998 Khimenko Victor - shared library creating process honours $RPM_OPT_FLAGS - shared libarry supports threads (as well as static library) * Wed Jul 22 1998 Khimenko Victor - building of shared library completely reworked * Tue Jul 21 1998 Khimenko Victor - RPM is BuildRoot'ed * Tue Feb 10 1998 Khimenko Victor - all stuff is moved out of /usr/local diff --git a/crypto/openssl/ssl/Makefile.ssl b/crypto/openssl/ssl/Makefile.ssl index e36a79b2d6ff..3ae3561ac1b3 100644 --- a/crypto/openssl/ssl/Makefile.ssl +++ b/crypto/openssl/ssl/Makefile.ssl @@ -1,1024 +1,1019 @@ # # SSLeay/ssl/Makefile # DIR= ssl TOP= .. CC= cc INCLUDES= -I../crypto -I$(TOP) -I../include $(KRB5_INCLUDES) CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r # KRB5 stuff KRB5_INCLUDES= CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile README ssl-lib.com install.com TEST=ssltest.c APPS= LIB=$(TOP)/libssl.a SHARED_LIB= libssl$(SHLIB_EXT) LIBSRC= \ s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \ s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \ s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \ t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \ ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \ ssl_ciph.c ssl_stat.c ssl_rsa.c \ ssl_asn1.c ssl_txt.c ssl_algs.c \ bio_ssl.c ssl_err.c kssl.c LIBOBJ= \ s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \ s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \ s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \ t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \ ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \ ssl_ciph.o ssl_stat.o ssl_rsa.o \ ssl_asn1.o ssl_txt.o ssl_algs.o \ bio_ssl.o ssl_err.o kssl.o SRC= $(LIBSRC) EXHEADER= ssl.h ssl2.h ssl3.h ssl23.h tls1.h kssl.h HEADER= $(EXHEADER) ssl_locl.h kssl_lcl.h ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ..; $(MAKE) DIRS=$(DIR) all) -all: lib shared +all: shared lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) $(RANLIB) $(LIB) || echo Never mind. @touch lib -shared: +shared: lib if [ -n "$(SHARED_LIBS)" ]; then \ (cd ..; $(MAKE) $(SHARED_LIB)); \ fi files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS) install: @for i in $(EXHEADER) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; tags: ctags $(SRC) tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff # DO NOT DELETE THIS LINE -- make depend depends on it. bio_ssl.o: ../include/openssl/aes.h ../include/openssl/asn1.h bio_ssl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h bio_ssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h bio_ssl.o: ../include/openssl/cast.h ../include/openssl/comp.h bio_ssl.o: ../include/openssl/crypto.h ../include/openssl/des.h bio_ssl.o: ../include/openssl/des_old.h ../include/openssl/dh.h bio_ssl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h bio_ssl.o: ../include/openssl/err.h ../include/openssl/evp.h bio_ssl.o: ../include/openssl/idea.h ../include/openssl/kssl.h bio_ssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h bio_ssl.o: ../include/openssl/md4.h ../include/openssl/md5.h bio_ssl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h bio_ssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h bio_ssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h bio_ssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h bio_ssl.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h bio_ssl.o: ../include/openssl/rc4.h ../include/openssl/rc5.h bio_ssl.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h bio_ssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h bio_ssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h bio_ssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h bio_ssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h bio_ssl.o: ../include/openssl/tls1.h ../include/openssl/ui.h bio_ssl.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h bio_ssl.o: ../include/openssl/x509_vfy.h bio_ssl.c kssl.o: ../include/openssl/aes.h ../include/openssl/asn1.h kssl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h kssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h kssl.o: ../include/openssl/cast.h ../include/openssl/comp.h kssl.o: ../include/openssl/crypto.h ../include/openssl/des.h kssl.o: ../include/openssl/des_old.h ../include/openssl/dh.h kssl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h kssl.o: ../include/openssl/evp.h ../include/openssl/idea.h kssl.o: ../include/openssl/krb5_asn.h ../include/openssl/kssl.h kssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h kssl.o: ../include/openssl/md4.h ../include/openssl/md5.h kssl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h kssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h kssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h kssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h kssl.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h kssl.o: ../include/openssl/rc4.h ../include/openssl/rc5.h kssl.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h kssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h kssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h kssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h kssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h kssl.o: ../include/openssl/tls1.h ../include/openssl/ui.h kssl.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h kssl.o: ../include/openssl/x509_vfy.h kssl.c s23_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s23_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s23_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h s23_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h s23_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h s23_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h s23_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h s23_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h s23_clnt.o: ../include/openssl/idea.h ../include/openssl/kssl.h s23_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h s23_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h s23_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s23_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s23_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s23_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h s23_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h s23_clnt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h s23_clnt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h s23_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h s23_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h s23_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s23_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s23_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s23_clnt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h s23_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_clnt.c s23_clnt.o: ssl_locl.h s23_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s23_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s23_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h s23_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h s23_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h s23_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h s23_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h s23_lib.o: ../include/openssl/err.h ../include/openssl/evp.h s23_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h s23_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h s23_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h s23_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s23_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s23_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s23_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h s23_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h s23_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h s23_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h s23_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h s23_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s23_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s23_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s23_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h s23_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s23_lib.o: ../include/openssl/x509_vfy.h s23_lib.c ssl_locl.h s23_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s23_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s23_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h s23_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h s23_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h s23_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h s23_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h s23_meth.o: ../include/openssl/err.h ../include/openssl/evp.h s23_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h s23_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h s23_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h s23_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s23_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s23_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s23_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h s23_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h s23_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h s23_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h s23_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h s23_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s23_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s23_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s23_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h s23_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s23_meth.o: ../include/openssl/x509_vfy.h s23_meth.c ssl_locl.h s23_pkt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s23_pkt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s23_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h s23_pkt.o: ../include/openssl/cast.h ../include/openssl/comp.h s23_pkt.o: ../include/openssl/crypto.h ../include/openssl/des.h s23_pkt.o: ../include/openssl/des_old.h ../include/openssl/dh.h s23_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h s23_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h s23_pkt.o: ../include/openssl/idea.h ../include/openssl/kssl.h s23_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h s23_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h s23_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s23_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s23_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s23_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h s23_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h s23_pkt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h s23_pkt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h s23_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h s23_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s23_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s23_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s23_pkt.o: ../include/openssl/tls1.h ../include/openssl/ui.h s23_pkt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s23_pkt.o: ../include/openssl/x509_vfy.h s23_pkt.c ssl_locl.h s23_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s23_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s23_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h s23_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h s23_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h s23_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h s23_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h s23_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h s23_srvr.o: ../include/openssl/idea.h ../include/openssl/kssl.h s23_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h s23_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h s23_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s23_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s23_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s23_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h s23_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h s23_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h s23_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h s23_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h s23_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h s23_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s23_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s23_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s23_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h s23_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_srvr.c s23_srvr.o: ssl_locl.h -s2_clnt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s2_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_clnt.o: ../include/openssl/des.h ../include/openssl/des_old.h -s2_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s2_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s2_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s2_clnt.o: ../include/openssl/md2.h ../include/openssl/md4.h -s2_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -s2_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h -s2_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -s2_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -s2_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s2_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s2_clnt.o: ../include/openssl/tls1.h ../include/openssl/ui.h -s2_clnt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h -s2_clnt.o: ../include/openssl/x509_vfy.h s2_clnt.c ssl_locl.h -s2_enc.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s2_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_enc.o: ../include/openssl/des.h ../include/openssl/des_old.h -s2_enc.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s2_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s2_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s2_enc.o: ../include/openssl/md2.h ../include/openssl/md4.h -s2_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -s2_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s2_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s2_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s2_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s2_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s2_enc.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h -s2_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_enc.c -s2_enc.o: ssl_locl.h -s2_lib.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s2_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_lib.o: ../include/openssl/des.h ../include/openssl/des_old.h -s2_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s2_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s2_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s2_lib.o: ../include/openssl/md2.h ../include/openssl/md4.h -s2_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -s2_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s2_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s2_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s2_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s2_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s2_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s2_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s2_lib.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h -s2_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_lib.c -s2_lib.o: ssl_locl.h +s2_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s2_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s2_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s2_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_clnt.o: ../include/openssl/idea.h ../include/openssl/kssl.h +s2_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h +s2_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h +s2_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +s2_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +s2_clnt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +s2_clnt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +s2_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s2_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s2_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s2_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s2_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s2_clnt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +s2_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_clnt.c +s2_clnt.o: ssl_locl.h +s2_enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s2_enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_enc.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_enc.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s2_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s2_enc.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_enc.o: ../include/openssl/idea.h ../include/openssl/kssl.h +s2_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h +s2_enc.o: ../include/openssl/md4.h ../include/openssl/md5.h +s2_enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +s2_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s2_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s2_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s2_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s2_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s2_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s2_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s2_enc.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s2_enc.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s2_enc.o: ../include/openssl/x509_vfy.h s2_enc.c ssl_locl.h +s2_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s2_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s2_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s2_lib.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h +s2_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h +s2_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h +s2_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s2_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s2_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s2_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s2_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s2_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s2_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s2_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s2_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s2_lib.o: ../include/openssl/x509_vfy.h s2_lib.c ssl_locl.h s2_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s2_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s2_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h s2_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h s2_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h s2_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h s2_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h s2_meth.o: ../include/openssl/err.h ../include/openssl/evp.h s2_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h s2_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h s2_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h s2_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s2_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s2_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s2_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h s2_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h s2_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h s2_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h s2_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h s2_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s2_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s2_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s2_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h s2_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s2_meth.o: ../include/openssl/x509_vfy.h s2_meth.c ssl_locl.h -s2_pkt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s2_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_pkt.o: ../include/openssl/des.h ../include/openssl/des_old.h -s2_pkt.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s2_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s2_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s2_pkt.o: ../include/openssl/md2.h ../include/openssl/md4.h -s2_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -s2_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s2_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s2_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s2_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s2_pkt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h -s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c -s2_pkt.o: ssl_locl.h -s2_srvr.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s2_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_srvr.o: ../include/openssl/des.h ../include/openssl/des_old.h -s2_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s2_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s2_srvr.o: ../include/openssl/md2.h ../include/openssl/md4.h -s2_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -s2_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h -s2_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -s2_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s2_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s2_srvr.o: ../include/openssl/tls1.h ../include/openssl/ui.h -s2_srvr.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h -s2_srvr.o: ../include/openssl/x509_vfy.h s2_srvr.c ssl_locl.h +s2_pkt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s2_pkt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_pkt.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_pkt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_pkt.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s2_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s2_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_pkt.o: ../include/openssl/idea.h ../include/openssl/kssl.h +s2_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h +s2_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h +s2_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +s2_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s2_pkt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s2_pkt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s2_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s2_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s2_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s2_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s2_pkt.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s2_pkt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s2_pkt.o: ../include/openssl/x509_vfy.h s2_pkt.c ssl_locl.h +s2_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s2_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s2_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_srvr.o: ../include/openssl/idea.h ../include/openssl/kssl.h +s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h +s2_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h +s2_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +s2_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +s2_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +s2_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s2_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s2_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s2_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s2_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s2_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +s2_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_srvr.c +s2_srvr.o: ssl_locl.h s3_both.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s3_both.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s3_both.o: ../include/openssl/bn.h ../include/openssl/buffer.h s3_both.o: ../include/openssl/cast.h ../include/openssl/comp.h s3_both.o: ../include/openssl/crypto.h ../include/openssl/des.h s3_both.o: ../include/openssl/des_old.h ../include/openssl/dh.h s3_both.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h s3_both.o: ../include/openssl/err.h ../include/openssl/evp.h s3_both.o: ../include/openssl/idea.h ../include/openssl/kssl.h s3_both.o: ../include/openssl/lhash.h ../include/openssl/md2.h s3_both.o: ../include/openssl/md4.h ../include/openssl/md5.h s3_both.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s3_both.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s3_both.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s3_both.o: ../include/openssl/pem.h ../include/openssl/pem2.h s3_both.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h s3_both.o: ../include/openssl/rc2.h ../include/openssl/rc4.h s3_both.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h s3_both.o: ../include/openssl/rsa.h ../include/openssl/safestack.h s3_both.o: ../include/openssl/sha.h ../include/openssl/ssl.h s3_both.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s3_both.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s3_both.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s3_both.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h s3_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_both.c s3_both.o: ssl_locl.h -s3_clnt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s3_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s3_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s3_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_clnt.o: ../include/openssl/des.h ../include/openssl/des_old.h -s3_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s3_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s3_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h -s3_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s3_clnt.o: ../include/openssl/md2.h ../include/openssl/md4.h -s3_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -s3_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s3_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s3_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s3_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s3_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h -s3_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -s3_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -s3_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s3_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s3_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s3_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s3_clnt.o: ../include/openssl/tls1.h ../include/openssl/ui.h -s3_clnt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h -s3_clnt.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_clnt.c ssl_locl.h +s3_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s3_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h +s3_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s3_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s3_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h +s3_clnt.o: ../include/openssl/idea.h ../include/openssl/kssl.h +s3_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h +s3_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h +s3_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +s3_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s3_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s3_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s3_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +s3_clnt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +s3_clnt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +s3_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s3_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s3_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s3_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s3_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s3_clnt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +s3_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h +s3_clnt.o: s3_clnt.c ssl_locl.h s3_enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s3_enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s3_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h s3_enc.o: ../include/openssl/cast.h ../include/openssl/comp.h s3_enc.o: ../include/openssl/crypto.h ../include/openssl/des.h s3_enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h s3_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h s3_enc.o: ../include/openssl/err.h ../include/openssl/evp.h s3_enc.o: ../include/openssl/idea.h ../include/openssl/kssl.h s3_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h s3_enc.o: ../include/openssl/md4.h ../include/openssl/md5.h s3_enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s3_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s3_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s3_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h s3_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h s3_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h s3_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h s3_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h s3_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s3_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s3_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_enc.o: ../include/openssl/tls1.h ../include/openssl/ui.h s3_enc.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s3_enc.o: ../include/openssl/x509_vfy.h s3_enc.c ssl_locl.h s3_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s3_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s3_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h s3_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h s3_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h s3_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h s3_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h s3_lib.o: ../include/openssl/err.h ../include/openssl/evp.h s3_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h s3_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h s3_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h s3_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s3_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s3_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s3_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h s3_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h s3_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h s3_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h s3_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h s3_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s3_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s3_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h s3_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s3_lib.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_lib.c ssl_locl.h s3_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s3_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s3_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h s3_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h s3_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h s3_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h s3_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h s3_meth.o: ../include/openssl/err.h ../include/openssl/evp.h s3_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h s3_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h s3_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h s3_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s3_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s3_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s3_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h s3_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h s3_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h s3_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h s3_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h s3_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s3_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s3_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h s3_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s3_meth.o: ../include/openssl/x509_vfy.h s3_meth.c ssl_locl.h s3_pkt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h s3_pkt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h s3_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h s3_pkt.o: ../include/openssl/cast.h ../include/openssl/comp.h s3_pkt.o: ../include/openssl/crypto.h ../include/openssl/des.h s3_pkt.o: ../include/openssl/des_old.h ../include/openssl/dh.h s3_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h s3_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h s3_pkt.o: ../include/openssl/idea.h ../include/openssl/kssl.h s3_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h s3_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h s3_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s3_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s3_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s3_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h s3_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h s3_pkt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h s3_pkt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h s3_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h s3_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s3_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s3_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_pkt.o: ../include/openssl/tls1.h ../include/openssl/ui.h s3_pkt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h s3_pkt.o: ../include/openssl/x509_vfy.h s3_pkt.c ssl_locl.h -s3_srvr.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -s3_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s3_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_srvr.o: ../include/openssl/des.h ../include/openssl/des_old.h -s3_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s3_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s3_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h -s3_srvr.o: ../include/openssl/krb5_asn.h ../include/openssl/kssl.h +s3_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s3_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s3_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h +s3_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s3_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s3_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h +s3_srvr.o: ../include/openssl/idea.h ../include/openssl/kssl.h s3_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h s3_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h s3_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s3_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s3_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s3_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h s3_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h s3_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h s3_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h s3_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h s3_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h s3_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s3_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s3_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s3_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h s3_srvr.o: s3_srvr.c ssl_locl.h ssl_algs.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ssl_algs.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ssl_algs.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_algs.o: ../include/openssl/cast.h ../include/openssl/comp.h ssl_algs.o: ../include/openssl/crypto.h ../include/openssl/des.h ssl_algs.o: ../include/openssl/des_old.h ../include/openssl/dh.h ssl_algs.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h ssl_algs.o: ../include/openssl/err.h ../include/openssl/evp.h ssl_algs.o: ../include/openssl/idea.h ../include/openssl/kssl.h ssl_algs.o: ../include/openssl/lhash.h ../include/openssl/md2.h ssl_algs.o: ../include/openssl/md4.h ../include/openssl/md5.h ssl_algs.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ssl_algs.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h ssl_algs.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ssl_algs.o: ../include/openssl/pem.h ../include/openssl/pem2.h ssl_algs.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h ssl_algs.o: ../include/openssl/rc4.h ../include/openssl/rc5.h ssl_algs.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h ssl_algs.o: ../include/openssl/safestack.h ../include/openssl/sha.h ssl_algs.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_algs.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_algs.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_algs.o: ../include/openssl/tls1.h ../include/openssl/ui.h ssl_algs.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h ssl_algs.o: ../include/openssl/x509_vfy.h ssl_algs.c ssl_locl.h -ssl_asn1.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -ssl_asn1.o: ../include/openssl/asn1.h ../include/openssl/asn1_mac.h -ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/blowfish.h -ssl_asn1.o: ../include/openssl/bn.h ../include/openssl/buffer.h -ssl_asn1.o: ../include/openssl/cast.h ../include/openssl/comp.h -ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/des.h -ssl_asn1.o: ../include/openssl/des_old.h ../include/openssl/dh.h -ssl_asn1.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -ssl_asn1.o: ../include/openssl/err.h ../include/openssl/evp.h -ssl_asn1.o: ../include/openssl/idea.h ../include/openssl/kssl.h -ssl_asn1.o: ../include/openssl/lhash.h ../include/openssl/md2.h -ssl_asn1.o: ../include/openssl/md4.h ../include/openssl/md5.h -ssl_asn1.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -ssl_asn1.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -ssl_asn1.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -ssl_asn1.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ssl_asn1.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h -ssl_asn1.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -ssl_asn1.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -ssl_asn1.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ssl_asn1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -ssl_asn1.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ssl_asn1.o: ../include/openssl/tls1.h ../include/openssl/ui.h -ssl_asn1.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h -ssl_asn1.o: ../include/openssl/x509_vfy.h ssl_asn1.c ssl_locl.h +ssl_asn1.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_asn1.o: ../include/openssl/asn1_mac.h ../include/openssl/bio.h +ssl_asn1.o: ../include/openssl/blowfish.h ../include/openssl/bn.h +ssl_asn1.o: ../include/openssl/buffer.h ../include/openssl/cast.h +ssl_asn1.o: ../include/openssl/comp.h ../include/openssl/crypto.h +ssl_asn1.o: ../include/openssl/des.h ../include/openssl/des_old.h +ssl_asn1.o: ../include/openssl/dh.h ../include/openssl/dsa.h +ssl_asn1.o: ../include/openssl/e_os2.h ../include/openssl/err.h +ssl_asn1.o: ../include/openssl/evp.h ../include/openssl/idea.h +ssl_asn1.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +ssl_asn1.o: ../include/openssl/md2.h ../include/openssl/md4.h +ssl_asn1.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +ssl_asn1.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ssl_asn1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssl_asn1.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +ssl_asn1.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +ssl_asn1.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +ssl_asn1.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +ssl_asn1.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +ssl_asn1.o: ../include/openssl/sha.h ../include/openssl/ssl.h +ssl_asn1.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +ssl_asn1.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +ssl_asn1.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +ssl_asn1.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +ssl_asn1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_asn1.c +ssl_asn1.o: ssl_locl.h ssl_cert.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ssl_cert.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ssl_cert.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_cert.o: ../include/openssl/cast.h ../include/openssl/comp.h ssl_cert.o: ../include/openssl/conf.h ../include/openssl/crypto.h ssl_cert.o: ../include/openssl/des.h ../include/openssl/des_old.h ssl_cert.o: ../include/openssl/dh.h ../include/openssl/dsa.h ssl_cert.o: ../include/openssl/e_os2.h ../include/openssl/err.h ssl_cert.o: ../include/openssl/evp.h ../include/openssl/idea.h ssl_cert.o: ../include/openssl/kssl.h ../include/openssl/lhash.h ssl_cert.o: ../include/openssl/md2.h ../include/openssl/md4.h ssl_cert.o: ../include/openssl/md5.h ../include/openssl/mdc2.h ssl_cert.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h ssl_cert.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h ssl_cert.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h ssl_cert.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h ssl_cert.o: ../include/openssl/rc2.h ../include/openssl/rc4.h ssl_cert.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h ssl_cert.o: ../include/openssl/rsa.h ../include/openssl/safestack.h ssl_cert.o: ../include/openssl/sha.h ../include/openssl/ssl.h ssl_cert.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_cert.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_cert.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ssl_cert.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h ssl_cert.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_cert.o: ../include/openssl/x509v3.h ssl_cert.c ssl_locl.h ssl_ciph.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ssl_ciph.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ssl_ciph.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_ciph.o: ../include/openssl/cast.h ../include/openssl/comp.h ssl_ciph.o: ../include/openssl/crypto.h ../include/openssl/des.h ssl_ciph.o: ../include/openssl/des_old.h ../include/openssl/dh.h ssl_ciph.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h ssl_ciph.o: ../include/openssl/err.h ../include/openssl/evp.h ssl_ciph.o: ../include/openssl/idea.h ../include/openssl/kssl.h ssl_ciph.o: ../include/openssl/lhash.h ../include/openssl/md2.h ssl_ciph.o: ../include/openssl/md4.h ../include/openssl/md5.h ssl_ciph.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ssl_ciph.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h ssl_ciph.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ssl_ciph.o: ../include/openssl/pem.h ../include/openssl/pem2.h ssl_ciph.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h ssl_ciph.o: ../include/openssl/rc4.h ../include/openssl/rc5.h ssl_ciph.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h ssl_ciph.o: ../include/openssl/safestack.h ../include/openssl/sha.h ssl_ciph.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_ciph.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_ciph.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_ciph.o: ../include/openssl/tls1.h ../include/openssl/ui.h ssl_ciph.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h ssl_ciph.o: ../include/openssl/x509_vfy.h ssl_ciph.c ssl_locl.h ssl_err.o: ../include/openssl/aes.h ../include/openssl/asn1.h ssl_err.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ssl_err.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_err.o: ../include/openssl/cast.h ../include/openssl/comp.h ssl_err.o: ../include/openssl/crypto.h ../include/openssl/des.h ssl_err.o: ../include/openssl/des_old.h ../include/openssl/dh.h ssl_err.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h ssl_err.o: ../include/openssl/err.h ../include/openssl/evp.h ssl_err.o: ../include/openssl/idea.h ../include/openssl/kssl.h ssl_err.o: ../include/openssl/lhash.h ../include/openssl/md2.h ssl_err.o: ../include/openssl/md4.h ../include/openssl/md5.h ssl_err.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ssl_err.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h ssl_err.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ssl_err.o: ../include/openssl/pem.h ../include/openssl/pem2.h ssl_err.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h ssl_err.o: ../include/openssl/rc4.h ../include/openssl/rc5.h ssl_err.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h ssl_err.o: ../include/openssl/safestack.h ../include/openssl/sha.h ssl_err.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_err.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_err.o: ../include/openssl/tls1.h ../include/openssl/ui.h ssl_err.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h ssl_err.o: ../include/openssl/x509_vfy.h ssl_err.c ssl_err2.o: ../include/openssl/aes.h ../include/openssl/asn1.h ssl_err2.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ssl_err2.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_err2.o: ../include/openssl/cast.h ../include/openssl/comp.h ssl_err2.o: ../include/openssl/crypto.h ../include/openssl/des.h ssl_err2.o: ../include/openssl/des_old.h ../include/openssl/dh.h ssl_err2.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h ssl_err2.o: ../include/openssl/err.h ../include/openssl/evp.h ssl_err2.o: ../include/openssl/idea.h ../include/openssl/kssl.h ssl_err2.o: ../include/openssl/lhash.h ../include/openssl/md2.h ssl_err2.o: ../include/openssl/md4.h ../include/openssl/md5.h ssl_err2.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ssl_err2.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h ssl_err2.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ssl_err2.o: ../include/openssl/pem.h ../include/openssl/pem2.h ssl_err2.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h ssl_err2.o: ../include/openssl/rc4.h ../include/openssl/rc5.h ssl_err2.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h ssl_err2.o: ../include/openssl/safestack.h ../include/openssl/sha.h ssl_err2.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_err2.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_err2.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/ui.h ssl_err2.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h ssl_err2.o: ../include/openssl/x509_vfy.h ssl_err2.c -ssl_lib.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -ssl_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h -ssl_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h -ssl_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h -ssl_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -ssl_lib.o: ../include/openssl/err.h ../include/openssl/evp.h -ssl_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h -ssl_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h -ssl_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h -ssl_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -ssl_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -ssl_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -ssl_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ssl_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h -ssl_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -ssl_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -ssl_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ssl_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -ssl_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -ssl_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h -ssl_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h -ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h kssl_lcl.h -ssl_lib.o: ssl_lib.c ssl_locl.h +ssl_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_lib.o: ../include/openssl/conf.h ../include/openssl/crypto.h +ssl_lib.o: ../include/openssl/des.h ../include/openssl/des_old.h +ssl_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h +ssl_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h +ssl_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h +ssl_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +ssl_lib.o: ../include/openssl/md2.h ../include/openssl/md4.h +ssl_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +ssl_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ssl_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssl_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +ssl_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +ssl_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +ssl_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +ssl_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +ssl_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h +ssl_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +ssl_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +ssl_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +ssl_lib.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +ssl_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ssl_lib.o: ../include/openssl/x509v3.h kssl_lcl.h ssl_lib.c ssl_locl.h ssl_rsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ssl_rsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ssl_rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_rsa.o: ../include/openssl/cast.h ../include/openssl/comp.h ssl_rsa.o: ../include/openssl/crypto.h ../include/openssl/des.h ssl_rsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h ssl_rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h ssl_rsa.o: ../include/openssl/err.h ../include/openssl/evp.h ssl_rsa.o: ../include/openssl/idea.h ../include/openssl/kssl.h ssl_rsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h ssl_rsa.o: ../include/openssl/md4.h ../include/openssl/md5.h ssl_rsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ssl_rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h ssl_rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ssl_rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h ssl_rsa.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h ssl_rsa.o: ../include/openssl/rc4.h ../include/openssl/rc5.h ssl_rsa.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h ssl_rsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h ssl_rsa.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_rsa.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_rsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_rsa.o: ../include/openssl/tls1.h ../include/openssl/ui.h ssl_rsa.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h ssl_rsa.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_rsa.c -ssl_sess.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h -ssl_sess.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_sess.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl_sess.o: ../include/openssl/des.h ../include/openssl/des_old.h -ssl_sess.o: ../include/openssl/dh.h ../include/openssl/dsa.h -ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/err.h -ssl_sess.o: ../include/openssl/evp.h ../include/openssl/idea.h -ssl_sess.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -ssl_sess.o: ../include/openssl/md2.h ../include/openssl/md4.h -ssl_sess.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -ssl_sess.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -ssl_sess.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -ssl_sess.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -ssl_sess.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ssl_sess.o: ../include/openssl/rand.h ../include/openssl/rc2.h -ssl_sess.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -ssl_sess.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -ssl_sess.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ssl_sess.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -ssl_sess.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -ssl_sess.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ssl_sess.o: ../include/openssl/tls1.h ../include/openssl/ui.h -ssl_sess.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h -ssl_sess.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_sess.c +ssl_sess.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_sess.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_sess.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_sess.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_sess.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_sess.o: ../include/openssl/des_old.h ../include/openssl/dh.h +ssl_sess.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +ssl_sess.o: ../include/openssl/err.h ../include/openssl/evp.h +ssl_sess.o: ../include/openssl/idea.h ../include/openssl/kssl.h +ssl_sess.o: ../include/openssl/lhash.h ../include/openssl/md2.h +ssl_sess.o: ../include/openssl/md4.h ../include/openssl/md5.h +ssl_sess.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +ssl_sess.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +ssl_sess.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ssl_sess.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ssl_sess.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +ssl_sess.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +ssl_sess.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +ssl_sess.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +ssl_sess.o: ../include/openssl/sha.h ../include/openssl/ssl.h +ssl_sess.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +ssl_sess.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +ssl_sess.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +ssl_sess.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +ssl_sess.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h +ssl_sess.o: ssl_sess.c ssl_stat.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ssl_stat.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ssl_stat.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_stat.o: ../include/openssl/cast.h ../include/openssl/comp.h ssl_stat.o: ../include/openssl/crypto.h ../include/openssl/des.h ssl_stat.o: ../include/openssl/des_old.h ../include/openssl/dh.h ssl_stat.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h ssl_stat.o: ../include/openssl/err.h ../include/openssl/evp.h ssl_stat.o: ../include/openssl/idea.h ../include/openssl/kssl.h ssl_stat.o: ../include/openssl/lhash.h ../include/openssl/md2.h ssl_stat.o: ../include/openssl/md4.h ../include/openssl/md5.h ssl_stat.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ssl_stat.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h ssl_stat.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ssl_stat.o: ../include/openssl/pem.h ../include/openssl/pem2.h ssl_stat.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h ssl_stat.o: ../include/openssl/rc4.h ../include/openssl/rc5.h ssl_stat.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h ssl_stat.o: ../include/openssl/safestack.h ../include/openssl/sha.h ssl_stat.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_stat.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_stat.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_stat.o: ../include/openssl/tls1.h ../include/openssl/ui.h ssl_stat.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h ssl_stat.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_stat.c ssl_txt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ssl_txt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ssl_txt.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_txt.o: ../include/openssl/cast.h ../include/openssl/comp.h ssl_txt.o: ../include/openssl/crypto.h ../include/openssl/des.h ssl_txt.o: ../include/openssl/des_old.h ../include/openssl/dh.h ssl_txt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h ssl_txt.o: ../include/openssl/err.h ../include/openssl/evp.h ssl_txt.o: ../include/openssl/idea.h ../include/openssl/kssl.h ssl_txt.o: ../include/openssl/lhash.h ../include/openssl/md2.h ssl_txt.o: ../include/openssl/md4.h ../include/openssl/md5.h ssl_txt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ssl_txt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h ssl_txt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ssl_txt.o: ../include/openssl/pem.h ../include/openssl/pem2.h ssl_txt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h ssl_txt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h ssl_txt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h ssl_txt.o: ../include/openssl/safestack.h ../include/openssl/sha.h ssl_txt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_txt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_txt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_txt.o: ../include/openssl/tls1.h ../include/openssl/ui.h ssl_txt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h ssl_txt.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_txt.c t1_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h t1_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h t1_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h t1_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h t1_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h t1_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h t1_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h t1_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h t1_clnt.o: ../include/openssl/idea.h ../include/openssl/kssl.h t1_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h t1_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h t1_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h t1_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h t1_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h t1_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h t1_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h t1_clnt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h t1_clnt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h t1_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h t1_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h t1_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h t1_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h t1_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h t1_clnt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h t1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h t1_clnt.o: t1_clnt.c t1_enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h t1_enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h t1_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h t1_enc.o: ../include/openssl/cast.h ../include/openssl/comp.h t1_enc.o: ../include/openssl/crypto.h ../include/openssl/des.h t1_enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h t1_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h t1_enc.o: ../include/openssl/err.h ../include/openssl/evp.h t1_enc.o: ../include/openssl/hmac.h ../include/openssl/idea.h t1_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h t1_enc.o: ../include/openssl/md2.h ../include/openssl/md4.h t1_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h t1_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h t1_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h t1_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h t1_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h t1_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h t1_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h t1_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h t1_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h t1_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h t1_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h t1_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h t1_enc.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h t1_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h t1_enc.o: t1_enc.c t1_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h t1_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h t1_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h t1_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h t1_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h t1_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h t1_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h t1_lib.o: ../include/openssl/err.h ../include/openssl/evp.h t1_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h t1_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h t1_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h t1_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h t1_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h t1_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h t1_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h t1_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h t1_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h t1_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h t1_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h t1_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h t1_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h t1_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h t1_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h t1_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h t1_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_lib.c t1_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h t1_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h t1_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h t1_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h t1_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h t1_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h t1_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h t1_meth.o: ../include/openssl/err.h ../include/openssl/evp.h t1_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h t1_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h t1_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h t1_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h t1_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h t1_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h t1_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h t1_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h t1_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h t1_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h t1_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h t1_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h t1_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h t1_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h t1_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h t1_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h t1_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_meth.c t1_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h t1_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h t1_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h t1_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h t1_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h t1_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h t1_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h t1_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h t1_srvr.o: ../include/openssl/idea.h ../include/openssl/kssl.h t1_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h t1_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h t1_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h t1_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h t1_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h t1_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h t1_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h t1_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h t1_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h t1_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h t1_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h t1_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h t1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h t1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h t1_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h t1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h t1_srvr.o: t1_srvr.c diff --git a/crypto/openssl/ssl/kssl.c b/crypto/openssl/ssl/kssl.c index 7c45f8ff4e6d..51378897f6e2 100644 --- a/crypto/openssl/ssl/kssl.c +++ b/crypto/openssl/ssl/kssl.c @@ -1,2175 +1,2175 @@ /* ssl/kssl.c -*- mode: C; c-file-style: "eay" -*- */ /* Written by Vern Staats for the OpenSSL project 2000. */ /* ==================================================================== * Copyright (c) 2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ /* ssl/kssl.c -- Routines to support (& debug) Kerberos5 auth for openssl ** ** 19990701 VRS Started. ** 200011?? Jeffrey Altman, Richard Levitte ** Generalized for Heimdal, Newer MIT, & Win32. ** Integrated into main OpenSSL 0.9.7 snapshots. ** 20010413 Simon Wilkinson, VRS ** Real RFC2712 KerberosWrapper replaces AP_REQ. */ #include #define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */ #include #undef _XOPEN_SOURCE /* To avoid clashes with anything else... */ #include #include #include #include #include #ifndef OPENSSL_NO_KRB5 /* * When OpenSSL is built on Windows, we do not want to require that * the Kerberos DLLs be available in order for the OpenSSL DLLs to * work. Therefore, all Kerberos routines are loaded at run time * and we do not link to a .LIB file. */ #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) /* * The purpose of the following pre-processor statements is to provide * compatibility with different releases of MIT Kerberos for Windows. * All versions up to 1.2 used macros. But macros do not allow for * a binary compatible interface for DLLs. Therefore, all macros are * being replaced by function calls. The following code will allow * an OpenSSL DLL built on Windows to work whether or not the macro * or function form of the routines are utilized. */ #ifdef krb5_cc_get_principal #define NO_DEF_KRB5_CCACHE #undef krb5_cc_get_principal #endif #define krb5_cc_get_principal kssl_krb5_cc_get_principal #define krb5_free_data_contents kssl_krb5_free_data_contents #define krb5_free_context kssl_krb5_free_context #define krb5_auth_con_free kssl_krb5_auth_con_free #define krb5_free_principal kssl_krb5_free_principal #define krb5_mk_req_extended kssl_krb5_mk_req_extended #define krb5_get_credentials kssl_krb5_get_credentials #define krb5_cc_default kssl_krb5_cc_default #define krb5_sname_to_principal kssl_krb5_sname_to_principal #define krb5_init_context kssl_krb5_init_context #define krb5_free_ticket kssl_krb5_free_ticket #define krb5_rd_req kssl_krb5_rd_req #define krb5_kt_default kssl_krb5_kt_default #define krb5_kt_resolve kssl_krb5_kt_resolve /* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */ #ifndef krb5_kt_close #define krb5_kt_close kssl_krb5_kt_close #endif /* krb5_kt_close */ #ifndef krb5_kt_get_entry #define krb5_kt_get_entry kssl_krb5_kt_get_entry #endif /* krb5_kt_get_entry */ #define krb5_auth_con_init kssl_krb5_auth_con_init #define krb5_principal_compare kssl_krb5_principal_compare #define krb5_decrypt_tkt_part kssl_krb5_decrypt_tkt_part #define krb5_timeofday kssl_krb5_timeofday #define krb5_rc_default kssl_krb5_rc_default #ifdef krb5_rc_initialize #undef krb5_rc_initialize #endif #define krb5_rc_initialize kssl_krb5_rc_initialize #ifdef krb5_rc_get_lifespan #undef krb5_rc_get_lifespan #endif #define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan #ifdef krb5_rc_destroy #undef krb5_rc_destroy #endif #define krb5_rc_destroy kssl_krb5_rc_destroy #define valid_cksumtype kssl_valid_cksumtype #define krb5_checksum_size kssl_krb5_checksum_size #define krb5_kt_free_entry kssl_krb5_kt_free_entry #define krb5_auth_con_setrcache kssl_krb5_auth_con_setrcache #define krb5_auth_con_getrcache kssl_krb5_auth_con_getrcache #define krb5_get_server_rcache kssl_krb5_get_server_rcache /* Prototypes for built in stubs */ void kssl_krb5_free_data_contents(krb5_context, krb5_data *); void kssl_krb5_free_principal(krb5_context, krb5_principal ); krb5_error_code kssl_krb5_kt_resolve(krb5_context, krb5_const char *, krb5_keytab *); krb5_error_code kssl_krb5_kt_default(krb5_context, krb5_keytab *); krb5_error_code kssl_krb5_free_ticket(krb5_context, krb5_ticket *); krb5_error_code kssl_krb5_rd_req(krb5_context, krb5_auth_context *, krb5_const krb5_data *, krb5_const_principal, krb5_keytab, krb5_flags *,krb5_ticket **); krb5_boolean kssl_krb5_principal_compare(krb5_context, krb5_const_principal, krb5_const_principal); krb5_error_code kssl_krb5_mk_req_extended(krb5_context, krb5_auth_context *, krb5_const krb5_flags, krb5_data *, krb5_creds *, krb5_data * ); krb5_error_code kssl_krb5_init_context(krb5_context *); void kssl_krb5_free_context(krb5_context); krb5_error_code kssl_krb5_cc_default(krb5_context,krb5_ccache *); krb5_error_code kssl_krb5_sname_to_principal(krb5_context, krb5_const char *, krb5_const char *, krb5_int32, krb5_principal *); krb5_error_code kssl_krb5_get_credentials(krb5_context, krb5_const krb5_flags, krb5_ccache, krb5_creds *, krb5_creds * *); krb5_error_code kssl_krb5_auth_con_init(krb5_context, krb5_auth_context *); krb5_error_code kssl_krb5_cc_get_principal(krb5_context context, krb5_ccache cache, krb5_principal *principal); krb5_error_code kssl_krb5_auth_con_free(krb5_context,krb5_auth_context); size_t kssl_krb5_checksum_size(krb5_context context,krb5_cksumtype ctype); krb5_boolean kssl_valid_cksumtype(krb5_cksumtype ctype); krb5_error_code krb5_kt_free_entry(krb5_context,krb5_keytab_entry FAR * ); krb5_error_code kssl_krb5_auth_con_setrcache(krb5_context, krb5_auth_context, krb5_rcache); krb5_error_code kssl_krb5_get_server_rcache(krb5_context, krb5_const krb5_data *, krb5_rcache *); krb5_error_code kssl_krb5_auth_con_getrcache(krb5_context, krb5_auth_context, krb5_rcache *); /* Function pointers (almost all Kerberos functions are _stdcall) */ static void (_stdcall *p_krb5_free_data_contents)(krb5_context, krb5_data *) =NULL; static void (_stdcall *p_krb5_free_principal)(krb5_context, krb5_principal ) =NULL; static krb5_error_code(_stdcall *p_krb5_kt_resolve) (krb5_context, krb5_const char *, krb5_keytab *)=NULL; static krb5_error_code (_stdcall *p_krb5_kt_default)(krb5_context, krb5_keytab *)=NULL; static krb5_error_code (_stdcall *p_krb5_free_ticket)(krb5_context, krb5_ticket *)=NULL; static krb5_error_code (_stdcall *p_krb5_rd_req)(krb5_context, krb5_auth_context *, krb5_const krb5_data *, krb5_const_principal, krb5_keytab, krb5_flags *, krb5_ticket **)=NULL; static krb5_error_code (_stdcall *p_krb5_mk_req_extended) (krb5_context, krb5_auth_context *, krb5_const krb5_flags, krb5_data *, krb5_creds *, krb5_data * )=NULL; static krb5_error_code (_stdcall *p_krb5_init_context)(krb5_context *)=NULL; static void (_stdcall *p_krb5_free_context)(krb5_context)=NULL; static krb5_error_code (_stdcall *p_krb5_cc_default)(krb5_context, krb5_ccache *)=NULL; static krb5_error_code (_stdcall *p_krb5_sname_to_principal) (krb5_context, krb5_const char *, krb5_const char *, krb5_int32, krb5_principal *)=NULL; static krb5_error_code (_stdcall *p_krb5_get_credentials) (krb5_context, krb5_const krb5_flags, krb5_ccache, krb5_creds *, krb5_creds **)=NULL; static krb5_error_code (_stdcall *p_krb5_auth_con_init) (krb5_context, krb5_auth_context *)=NULL; static krb5_error_code (_stdcall *p_krb5_cc_get_principal) (krb5_context context, krb5_ccache cache, krb5_principal *principal)=NULL; static krb5_error_code (_stdcall *p_krb5_auth_con_free) (krb5_context, krb5_auth_context)=NULL; static krb5_error_code (_stdcall *p_krb5_decrypt_tkt_part) (krb5_context, krb5_const krb5_keyblock *, krb5_ticket *)=NULL; static krb5_error_code (_stdcall *p_krb5_timeofday) (krb5_context context, krb5_int32 *timeret)=NULL; static krb5_error_code (_stdcall *p_krb5_rc_default) (krb5_context context, krb5_rcache *rc)=NULL; static krb5_error_code (_stdcall *p_krb5_rc_initialize) (krb5_context context, krb5_rcache rc, krb5_deltat lifespan)=NULL; static krb5_error_code (_stdcall *p_krb5_rc_get_lifespan) (krb5_context context, krb5_rcache rc, krb5_deltat *lifespan)=NULL; static krb5_error_code (_stdcall *p_krb5_rc_destroy) (krb5_context context, krb5_rcache rc)=NULL; static krb5_boolean (_stdcall *p_krb5_principal_compare) (krb5_context, krb5_const_principal, krb5_const_principal)=NULL; static size_t (_stdcall *p_krb5_checksum_size)(krb5_context context,krb5_cksumtype ctype)=NULL; static krb5_boolean (_stdcall *p_valid_cksumtype)(krb5_cksumtype ctype)=NULL; static krb5_error_code (_stdcall *p_krb5_kt_free_entry) (krb5_context,krb5_keytab_entry * )=NULL; static krb5_error_code (_stdcall * p_krb5_auth_con_setrcache)(krb5_context, krb5_auth_context, krb5_rcache)=NULL; static krb5_error_code (_stdcall * p_krb5_get_server_rcache)(krb5_context, krb5_const krb5_data *, krb5_rcache *)=NULL; static krb5_error_code (* p_krb5_auth_con_getrcache)(krb5_context, krb5_auth_context, krb5_rcache *)=NULL; static krb5_error_code (_stdcall * p_krb5_kt_close)(krb5_context context, krb5_keytab keytab)=NULL; static krb5_error_code (_stdcall * p_krb5_kt_get_entry)(krb5_context context, krb5_keytab keytab, krb5_const_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keytab_entry *entry)=NULL; static int krb5_loaded = 0; /* only attempt to initialize func ptrs once */ /* Function to Load the Kerberos 5 DLL and initialize function pointers */ void load_krb5_dll(void) { HANDLE hKRB5_32; krb5_loaded++; hKRB5_32 = LoadLibrary("KRB5_32"); if (!hKRB5_32) return; (FARPROC) p_krb5_free_data_contents = GetProcAddress( hKRB5_32, "krb5_free_data_contents" ); (FARPROC) p_krb5_free_context = GetProcAddress( hKRB5_32, "krb5_free_context" ); (FARPROC) p_krb5_auth_con_free = GetProcAddress( hKRB5_32, "krb5_auth_con_free" ); (FARPROC) p_krb5_free_principal = GetProcAddress( hKRB5_32, "krb5_free_principal" ); (FARPROC) p_krb5_mk_req_extended = GetProcAddress( hKRB5_32, "krb5_mk_req_extended" ); (FARPROC) p_krb5_get_credentials = GetProcAddress( hKRB5_32, "krb5_get_credentials" ); (FARPROC) p_krb5_cc_get_principal = GetProcAddress( hKRB5_32, "krb5_cc_get_principal" ); (FARPROC) p_krb5_cc_default = GetProcAddress( hKRB5_32, "krb5_cc_default" ); (FARPROC) p_krb5_sname_to_principal = GetProcAddress( hKRB5_32, "krb5_sname_to_principal" ); (FARPROC) p_krb5_init_context = GetProcAddress( hKRB5_32, "krb5_init_context" ); (FARPROC) p_krb5_free_ticket = GetProcAddress( hKRB5_32, "krb5_free_ticket" ); (FARPROC) p_krb5_rd_req = GetProcAddress( hKRB5_32, "krb5_rd_req" ); (FARPROC) p_krb5_principal_compare = GetProcAddress( hKRB5_32, "krb5_principal_compare" ); (FARPROC) p_krb5_decrypt_tkt_part = GetProcAddress( hKRB5_32, "krb5_decrypt_tkt_part" ); (FARPROC) p_krb5_timeofday = GetProcAddress( hKRB5_32, "krb5_timeofday" ); (FARPROC) p_krb5_rc_default = GetProcAddress( hKRB5_32, "krb5_rc_default" ); (FARPROC) p_krb5_rc_initialize = GetProcAddress( hKRB5_32, "krb5_rc_initialize" ); (FARPROC) p_krb5_rc_get_lifespan = GetProcAddress( hKRB5_32, "krb5_rc_get_lifespan" ); (FARPROC) p_krb5_rc_destroy = GetProcAddress( hKRB5_32, "krb5_rc_destroy" ); (FARPROC) p_krb5_kt_default = GetProcAddress( hKRB5_32, "krb5_kt_default" ); (FARPROC) p_krb5_kt_resolve = GetProcAddress( hKRB5_32, "krb5_kt_resolve" ); (FARPROC) p_krb5_auth_con_init = GetProcAddress( hKRB5_32, "krb5_auth_con_init" ); (FARPROC) p_valid_cksumtype = GetProcAddress( hKRB5_32, "valid_cksumtype" ); (FARPROC) p_krb5_checksum_size = GetProcAddress( hKRB5_32, "krb5_checksum_size" ); (FARPROC) p_krb5_kt_free_entry = GetProcAddress( hKRB5_32, "krb5_kt_free_entry" ); (FARPROC) p_krb5_auth_con_setrcache = GetProcAddress( hKRB5_32, "krb5_auth_con_setrcache" ); (FARPROC) p_krb5_get_server_rcache = GetProcAddress( hKRB5_32, "krb5_get_server_rcache" ); (FARPROC) p_krb5_auth_con_getrcache = GetProcAddress( hKRB5_32, "krb5_auth_con_getrcache" ); (FARPROC) p_krb5_kt_close = GetProcAddress( hKRB5_32, "krb5_kt_close" ); (FARPROC) p_krb5_kt_get_entry = GetProcAddress( hKRB5_32, "krb5_kt_get_entry" ); } /* Stubs for each function to be dynamicly loaded */ void kssl_krb5_free_data_contents(krb5_context CO, krb5_data * data) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_free_data_contents ) p_krb5_free_data_contents(CO,data); } krb5_error_code kssl_krb5_mk_req_extended (krb5_context CO, krb5_auth_context * pACO, krb5_const krb5_flags F, krb5_data * pD1, krb5_creds * pC, krb5_data * pD2) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_mk_req_extended ) return(p_krb5_mk_req_extended(CO,pACO,F,pD1,pC,pD2)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_auth_con_init(krb5_context CO, krb5_auth_context * pACO) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_auth_con_init ) return(p_krb5_auth_con_init(CO,pACO)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_auth_con_free (krb5_context CO, krb5_auth_context ACO) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_auth_con_free ) return(p_krb5_auth_con_free(CO,ACO)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_get_credentials(krb5_context CO, krb5_const krb5_flags F, krb5_ccache CC, krb5_creds * pCR, krb5_creds ** ppCR) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_get_credentials ) return(p_krb5_get_credentials(CO,F,CC,pCR,ppCR)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_sname_to_principal(krb5_context CO, krb5_const char * pC1, krb5_const char * pC2, krb5_int32 I, krb5_principal * pPR) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_sname_to_principal ) return(p_krb5_sname_to_principal(CO,pC1,pC2,I,pPR)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_cc_default(krb5_context CO, krb5_ccache * pCC) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_cc_default ) return(p_krb5_cc_default(CO,pCC)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_init_context(krb5_context * pCO) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_init_context ) return(p_krb5_init_context(pCO)); else return KRB5KRB_ERR_GENERIC; } void kssl_krb5_free_context(krb5_context CO) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_free_context ) p_krb5_free_context(CO); } void kssl_krb5_free_principal(krb5_context c, krb5_principal p) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_free_principal ) p_krb5_free_principal(c,p); } krb5_error_code kssl_krb5_kt_resolve(krb5_context con, krb5_const char * sz, krb5_keytab * kt) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_kt_resolve ) return(p_krb5_kt_resolve(con,sz,kt)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_kt_default(krb5_context con, krb5_keytab * kt) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_kt_default ) return(p_krb5_kt_default(con,kt)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_free_ticket(krb5_context con, krb5_ticket * kt) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_free_ticket ) return(p_krb5_free_ticket(con,kt)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_rd_req(krb5_context con, krb5_auth_context * pacon, krb5_const krb5_data * data, krb5_const_principal princ, krb5_keytab keytab, krb5_flags * flags, krb5_ticket ** pptkt) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_rd_req ) return(p_krb5_rd_req(con,pacon,data,princ,keytab,flags,pptkt)); else return KRB5KRB_ERR_GENERIC; } krb5_boolean krb5_principal_compare(krb5_context con, krb5_const_principal princ1, krb5_const_principal princ2) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_principal_compare ) return(p_krb5_principal_compare(con,princ1,princ2)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code krb5_decrypt_tkt_part(krb5_context con, krb5_const krb5_keyblock *keys, krb5_ticket *ticket) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_decrypt_tkt_part ) return(p_krb5_decrypt_tkt_part(con,keys,ticket)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code krb5_timeofday(krb5_context con, krb5_int32 *timeret) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_timeofday ) return(p_krb5_timeofday(con,timeret)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code krb5_rc_default(krb5_context con, krb5_rcache *rc) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_rc_default ) return(p_krb5_rc_default(con,rc)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code krb5_rc_initialize(krb5_context con, krb5_rcache rc, krb5_deltat lifespan) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_rc_initialize ) return(p_krb5_rc_initialize(con, rc, lifespan)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code krb5_rc_get_lifespan(krb5_context con, krb5_rcache rc, krb5_deltat *lifespanp) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_rc_get_lifespan ) return(p_krb5_rc_get_lifespan(con, rc, lifespanp)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code krb5_rc_destroy(krb5_context con, krb5_rcache rc) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_rc_destroy ) return(p_krb5_rc_destroy(con, rc)); else return KRB5KRB_ERR_GENERIC; } size_t krb5_checksum_size(krb5_context context,krb5_cksumtype ctype) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_checksum_size ) return(p_krb5_checksum_size(context, ctype)); else return KRB5KRB_ERR_GENERIC; } krb5_boolean valid_cksumtype(krb5_cksumtype ctype) { if (!krb5_loaded) load_krb5_dll(); if ( p_valid_cksumtype ) return(p_valid_cksumtype(ctype)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code krb5_kt_free_entry(krb5_context con,krb5_keytab_entry * entry) { if (!krb5_loaded) load_krb5_dll(); if ( p_krb5_kt_free_entry ) return(p_krb5_kt_free_entry(con,entry)); else return KRB5KRB_ERR_GENERIC; } /* Structure definitions */ #ifndef NO_DEF_KRB5_CCACHE #ifndef krb5_x #define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1)) #define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0)) #endif typedef krb5_pointer krb5_cc_cursor; /* cursor for sequential lookup */ typedef struct _krb5_ccache { krb5_magic magic; struct _krb5_cc_ops FAR *ops; krb5_pointer data; } *krb5_ccache; typedef struct _krb5_cc_ops { krb5_magic magic; char *prefix; char * (KRB5_CALLCONV *get_name) (krb5_context, krb5_ccache); krb5_error_code (KRB5_CALLCONV *resolve) (krb5_context, krb5_ccache *, const char *); krb5_error_code (KRB5_CALLCONV *gen_new) (krb5_context, krb5_ccache *); krb5_error_code (KRB5_CALLCONV *init) (krb5_context, krb5_ccache, krb5_principal); krb5_error_code (KRB5_CALLCONV *destroy) (krb5_context, krb5_ccache); krb5_error_code (KRB5_CALLCONV *close) (krb5_context, krb5_ccache); krb5_error_code (KRB5_CALLCONV *store) (krb5_context, krb5_ccache, krb5_creds *); krb5_error_code (KRB5_CALLCONV *retrieve) (krb5_context, krb5_ccache, krb5_flags, krb5_creds *, krb5_creds *); krb5_error_code (KRB5_CALLCONV *get_princ) (krb5_context, krb5_ccache, krb5_principal *); krb5_error_code (KRB5_CALLCONV *get_first) (krb5_context, krb5_ccache, krb5_cc_cursor *); krb5_error_code (KRB5_CALLCONV *get_next) (krb5_context, krb5_ccache, krb5_cc_cursor *, krb5_creds *); krb5_error_code (KRB5_CALLCONV *end_get) (krb5_context, krb5_ccache, krb5_cc_cursor *); krb5_error_code (KRB5_CALLCONV *remove_cred) (krb5_context, krb5_ccache, krb5_flags, krb5_creds *); krb5_error_code (KRB5_CALLCONV *set_flags) (krb5_context, krb5_ccache, krb5_flags); } krb5_cc_ops; #endif /* NO_DEF_KRB5_CCACHE */ krb5_error_code kssl_krb5_cc_get_principal (krb5_context context, krb5_ccache cache, krb5_principal *principal) { if ( p_krb5_cc_get_principal ) return(p_krb5_cc_get_principal(context,cache,principal)); else return(krb5_x ((cache)->ops->get_princ,(context, cache, principal))); } krb5_error_code kssl_krb5_auth_con_setrcache(krb5_context con, krb5_auth_context acon, krb5_rcache rcache) { if ( p_krb5_auth_con_setrcache ) return(p_krb5_auth_con_setrcache(con,acon,rcache)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data * data, krb5_rcache * rcache) { if ( p_krb5_get_server_rcache ) return(p_krb5_get_server_rcache(con,data,rcache)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon, krb5_rcache * prcache) { if ( p_krb5_auth_con_getrcache ) return(p_krb5_auth_con_getrcache(con,acon, prcache)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab) { if ( p_krb5_kt_close ) return(p_krb5_kt_close(context,keytab)); else return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, krb5_const_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keytab_entry *entry) { if ( p_krb5_kt_get_entry ) return(p_krb5_kt_get_entry(context,keytab,principal,vno,enctype,entry)); else return KRB5KRB_ERR_GENERIC; } #endif /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */ char *kstring(char *string) { static char *null = "[NULL]"; return ((string == NULL)? null: string); } /* Given KRB5 enctype (basically DES or 3DES), ** return closest match openssl EVP_ encryption algorithm. ** Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes. ** Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK. */ const EVP_CIPHER * kssl_map_enc(krb5_enctype enctype) { switch (enctype) { case ENCTYPE_DES_HMAC_SHA1: /* EVP_des_cbc(); */ case ENCTYPE_DES_CBC_CRC: case ENCTYPE_DES_CBC_MD4: case ENCTYPE_DES_CBC_MD5: case ENCTYPE_DES_CBC_RAW: return EVP_des_cbc(); break; case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ case ENCTYPE_DES3_CBC_SHA: case ENCTYPE_DES3_CBC_RAW: return EVP_des_ede3_cbc(); break; default: return NULL; break; } } /* Return true:1 if p "looks like" the start of the real authenticator ** described in kssl_skip_confound() below. The ASN.1 pattern is ** "62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and ** xx and yy are possibly multi-byte length fields. */ int kssl_test_confound(unsigned char *p) { int len = 2; int xx = 0, yy = 0; if (*p++ != 0x62) return 0; if (*p > 0x82) return 0; switch(*p) { case 0x82: p++; xx = (*p++ << 8); xx += *p++; break; case 0x81: p++; xx = *p++; break; case 0x80: return 0; default: xx = *p++; break; } if (*p++ != 0x30) return 0; if (*p > 0x82) return 0; switch(*p) { case 0x82: p++; len+=2; yy = (*p++ << 8); yy += *p++; break; case 0x81: p++; len++; yy = *p++; break; case 0x80: return 0; default: yy = *p++; break; } return (xx - len == yy)? 1: 0; } /* Allocate, fill, and return cksumlens array of checksum lengths. ** This array holds just the unique elements from the krb5_cksumarray[]. ** array[n] == 0 signals end of data. ** ** The krb5_cksumarray[] was an internal variable that has since been ** replaced by a more general method for storing the data. It should ** not be used. Instead we use real API calls and make a guess for ** what the highest assigned CKSUMTYPE_ constant is. As of 1.2.2 ** it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3). So we will use 0x0010. */ size_t *populate_cksumlens(void) { int i, j, n; static size_t *cklens = NULL; #ifdef KRB5_MIT_OLD11 n = krb5_max_cksum; #else n = 0x0010; #endif /* KRB5_MIT_OLD11 */ #ifdef KRB5CHECKAUTH if (!cklens && !(cklens = (size_t *) calloc(sizeof(int),n+1))) return NULL; for (i=0; i < n; i++) { if (!valid_cksumtype(i)) continue; /* array has holes */ for (j=0; j < n; j++) { if (cklens[j] == 0) { cklens[j] = krb5_checksum_size(NULL,i); break; /* krb5 elem was new: add */ } if (cklens[j] == krb5_checksum_size(NULL,i)) { break; /* ignore duplicate elements */ } } } #endif /* KRB5CHECKAUTH */ return cklens; } /* Return pointer to start of real authenticator within authenticator, or ** return NULL on error. ** Decrypted authenticator looks like this: ** [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r] ** This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the ** krb5_auth_con_getcksumtype() function advertised in its krb5.h. */ unsigned char *kssl_skip_confound(krb5_enctype etype, unsigned char *a) { int i, conlen; size_t cklen; static size_t *cksumlens = NULL; unsigned char *test_auth; conlen = (etype)? 8: 0; if (!cksumlens && !(cksumlens = populate_cksumlens())) return NULL; for (i=0; (cklen = cksumlens[i]) != 0; i++) { test_auth = a + conlen + cklen; if (kssl_test_confound(test_auth)) return test_auth; } return NULL; } /* Set kssl_err error info when reason text is a simple string ** kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; } */ void kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text) { if (kssl_err == NULL) return; kssl_err->reason = reason; BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, text); return; } /* Display contents of krb5_data struct, for debugging */ void print_krb5_data(char *label, krb5_data *kdata) { int i; printf("%s[%d] ", label, kdata->length); for (i=0; i < kdata->length; i++) { if (0 && isprint((int) kdata->data[i])) printf( "%c ", kdata->data[i]); else printf( "%02x ", (unsigned char) kdata->data[i]); } printf("\n"); } /* Display contents of krb5_authdata struct, for debugging */ void print_krb5_authdata(char *label, krb5_authdata **adata) { if (adata == NULL) { printf("%s, authdata==0\n", label); return; } - printf("%s [%p]\n", label, adata); + printf("%s [%p]\n", label, (void *)adata); #if 0 { int i; printf("%s[at%d:%d] ", label, adata->ad_type, adata->length); for (i=0; i < adata->length; i++) { printf((isprint(adata->contents[i]))? "%c ": "%02x", adata->contents[i]); } printf("\n"); } #endif } /* Display contents of krb5_keyblock struct, for debugging */ void print_krb5_keyblock(char *label, krb5_keyblock *keyblk) { int i; if (keyblk == NULL) { printf("%s, keyblk==0\n", label); return; } #ifdef KRB5_HEIMDAL printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype, keyblk->keyvalue->length); for (i=0; i < keyblk->keyvalue->length; i++) { printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]); } printf("\n"); #else printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length); for (i=0; i < keyblk->length; i++) { printf("%02x",keyblk->contents[i]); } printf("\n"); #endif } /* Display contents of krb5_principal_data struct, for debugging ** (krb5_principal is typedef'd == krb5_principal_data *) */ void print_krb5_princ(char *label, krb5_principal_data *princ) { int i, ui, uj; printf("%s principal Realm: ", label); if (princ == NULL) return; for (ui=0; ui < princ->realm.length; ui++) putchar(princ->realm.data[ui]); printf(" (nametype %d) has %d strings:\n", princ->type,princ->length); for (i=0; i < princ->length; i++) { printf("\t%d [%d]: ", i, princ->data[i].length); for (uj=0; uj < princ->data[i].length; uj++) { putchar(princ->data[i].data[uj]); } printf("\n"); } return; } /* Given krb5 service (typically "kssl") and hostname in kssl_ctx, ** Return encrypted Kerberos ticket for service @ hostname. ** If authenp is non-NULL, also return encrypted authenticator, ** whose data should be freed by caller. ** (Originally was: Create Kerberos AP_REQ message for SSL Client.) ** ** 19990628 VRS Started; Returns Kerberos AP_REQ message. ** 20010409 VRS Modified for RFC2712; Returns enc tkt. ** 20010606 VRS May also return optional authenticator. */ krb5_error_code kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, /* OUT */ krb5_data **enc_ticketp, /* UPDATE */ krb5_data *authenp, /* OUT */ KSSL_ERR *kssl_err) { krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; krb5_context krb5context = NULL; krb5_auth_context krb5auth_context = NULL; krb5_ccache krb5ccdef = NULL; krb5_creds krb5creds, *krb5credsp = NULL; krb5_data krb5_app_req; kssl_err_set(kssl_err, 0, ""); memset((char *)&krb5creds, 0, sizeof(krb5creds)); if (!kssl_ctx) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "No kssl_ctx defined.\n"); goto err; } else if (!kssl_ctx->service_host) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "kssl_ctx service_host undefined.\n"); goto err; } if ((krb5rc = krb5_init_context(&krb5context)) != 0) { BIO_snprintf(kssl_err->text,KSSL_ERR_MAX, "krb5_init_context() fails: %d\n", krb5rc); kssl_err->reason = SSL_R_KRB5_C_INIT; goto err; } if ((krb5rc = krb5_sname_to_principal(krb5context, kssl_ctx->service_host, (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC, KRB5_NT_SRV_HST, &krb5creds.server)) != 0) { BIO_snprintf(kssl_err->text,KSSL_ERR_MAX, "krb5_sname_to_principal() fails for %s/%s\n", kssl_ctx->service_host, (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC); kssl_err->reason = SSL_R_KRB5_C_INIT; goto err; } if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) { kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, "krb5_cc_default fails.\n"); goto err; } if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, &krb5creds.client)) != 0) { kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, "krb5_cc_get_principal() fails.\n"); goto err; } if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, &krb5creds, &krb5credsp)) != 0) { kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED, "krb5_get_credentials() fails.\n"); goto err; } *enc_ticketp = &krb5credsp->ticket; #ifdef KRB5_HEIMDAL kssl_ctx->enctype = krb5credsp->session.keytype; #else kssl_ctx->enctype = krb5credsp->keyblock.enctype; #endif krb5rc = KRB5KRB_ERR_GENERIC; /* caller should free data of krb5_app_req */ /* 20010406 VRS deleted for real KerberosWrapper ** 20010605 VRS reinstated to offer Authenticator to KerberosWrapper */ krb5_app_req.length = 0; if (authenp) { krb5_data krb5in_data; unsigned char *p; long arlen; KRB5_APREQBODY *ap_req; authenp->length = 0; krb5in_data.data = NULL; krb5in_data.length = 0; if ((krb5rc = krb5_mk_req_extended(krb5context, &krb5auth_context, 0, &krb5in_data, krb5credsp, &krb5_app_req)) != 0) { kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ, "krb5_mk_req_extended() fails.\n"); goto err; } arlen = krb5_app_req.length; p = (unsigned char *)krb5_app_req.data; ap_req = (KRB5_APREQBODY *) d2i_KRB5_APREQ(NULL, &p, arlen); if (ap_req) { authenp->length = i2d_KRB5_ENCDATA( ap_req->authenticator, NULL); if (authenp->length && (authenp->data = malloc(authenp->length))) { unsigned char *adp = (unsigned char *)authenp->data; authenp->length = i2d_KRB5_ENCDATA( ap_req->authenticator, &adp); } } if (ap_req) KRB5_APREQ_free((KRB5_APREQ *) ap_req); if (krb5_app_req.length) kssl_krb5_free_data_contents(krb5context,&krb5_app_req); } #ifdef KRB5_HEIMDAL if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session)) { kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, "kssl_ctx_setkey() fails.\n"); } #else if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock)) { kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, "kssl_ctx_setkey() fails.\n"); } #endif else krb5rc = 0; err: #ifdef KSSL_DEBUG kssl_ctx_show(kssl_ctx); #endif /* KSSL_DEBUG */ if (krb5creds.client) krb5_free_principal(krb5context, krb5creds.client); if (krb5creds.server) krb5_free_principal(krb5context, krb5creds.server); if (krb5auth_context) krb5_auth_con_free(krb5context, krb5auth_context); if (krb5context) krb5_free_context(krb5context); return (krb5rc); } /* Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket. ** Return Kerberos error code and kssl_err struct on error. ** Allocates krb5_ticket and krb5_principal; caller should free these. ** ** 20010410 VRS Implemented krb5_decode_ticket() as ** old_krb5_decode_ticket(). Missing from MIT1.0.6. ** 20010615 VRS Re-cast as openssl/asn1 d2i_*() functions. ** Re-used some of the old krb5_decode_ticket() ** code here. This tkt should alloc/free just ** like the real thing. */ krb5_error_code kssl_TKT2tkt( /* IN */ krb5_context krb5context, /* IN */ KRB5_TKTBODY *asn1ticket, /* OUT */ krb5_ticket **krb5ticket, /* OUT */ KSSL_ERR *kssl_err ) { krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; krb5_ticket *new5ticket = NULL; ASN1_GENERALSTRING *gstr_svc, *gstr_host; *krb5ticket = NULL; if (asn1ticket == NULL || asn1ticket->realm == NULL || asn1ticket->sname == NULL || sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2) { BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "Null field in asn1ticket.\n"); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; return KRB5KRB_ERR_GENERIC; } if ((new5ticket = (krb5_ticket *) calloc(1, sizeof(krb5_ticket)))==NULL) { BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "Unable to allocate new krb5_ticket.\n"); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; return ENOMEM; /* or KRB5KRB_ERR_GENERIC; */ } gstr_svc = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0); gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1); if ((krb5rc = kssl_build_principal_2(krb5context, &new5ticket->server, asn1ticket->realm->length, (char *)asn1ticket->realm->data, gstr_svc->length, (char *)gstr_svc->data, gstr_host->length, (char *)gstr_host->data)) != 0) { free(new5ticket); BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "Error building ticket server principal.\n"); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; return krb5rc; /* or KRB5KRB_ERR_GENERIC; */ } krb5_princ_type(krb5context, new5ticket->server) = asn1ticket->sname->nametype->data[0]; new5ticket->enc_part.enctype = asn1ticket->encdata->etype->data[0]; new5ticket->enc_part.kvno = asn1ticket->encdata->kvno->data[0]; new5ticket->enc_part.ciphertext.length = asn1ticket->encdata->cipher->length; if ((new5ticket->enc_part.ciphertext.data = calloc(1, asn1ticket->encdata->cipher->length)) == NULL) { free(new5ticket); BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "Error allocating cipher in krb5ticket.\n"); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; return KRB5KRB_ERR_GENERIC; } else { memcpy(new5ticket->enc_part.ciphertext.data, asn1ticket->encdata->cipher->data, asn1ticket->encdata->cipher->length); } *krb5ticket = new5ticket; return 0; } /* Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"), ** and krb5 AP_REQ message & message length, ** Return Kerberos session key and client principle ** to SSL Server in KSSL_CTX *kssl_ctx. ** ** 19990702 VRS Started. */ krb5_error_code kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, /* IN */ krb5_data *indata, /* OUT */ krb5_ticket_times *ttimes, /* OUT */ KSSL_ERR *kssl_err ) { krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; static krb5_context krb5context = NULL; static krb5_auth_context krb5auth_context = NULL; krb5_ticket *krb5ticket = NULL; KRB5_TKTBODY *asn1ticket = NULL; unsigned char *p; krb5_keytab krb5keytab = NULL; krb5_keytab_entry kt_entry; krb5_principal krb5server; krb5_rcache rcache = NULL; kssl_err_set(kssl_err, 0, ""); if (!kssl_ctx) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "No kssl_ctx defined.\n"); goto err; } #ifdef KSSL_DEBUG printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name)); #endif /* KSSL_DEBUG */ if (!krb5context && (krb5rc = krb5_init_context(&krb5context))) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_init_context() fails.\n"); goto err; } if (krb5auth_context && (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context))) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_auth_con_free() fails.\n"); goto err; } else krb5auth_context = NULL; if (!krb5auth_context && (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context))) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_auth_con_init() fails.\n"); goto err; } if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context, &rcache))) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_auth_con_getrcache() fails.\n"); goto err; } if ((krb5rc = krb5_sname_to_principal(krb5context, NULL, (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC, KRB5_NT_SRV_HST, &krb5server)) != 0) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_sname_to_principal() fails.\n"); goto err; } if (rcache == NULL) { if ((krb5rc = krb5_get_server_rcache(krb5context, krb5_princ_component(krb5context, krb5server, 0), &rcache))) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_get_server_rcache() fails.\n"); goto err; } } if ((krb5rc = krb5_auth_con_setrcache(krb5context, krb5auth_context, rcache))) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_auth_con_setrcache() fails.\n"); goto err; } /* kssl_ctx->keytab_file == NULL ==> use Kerberos default */ if (kssl_ctx->keytab_file) { krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, &krb5keytab); if (krb5rc) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_kt_resolve() fails.\n"); goto err; } } else { krb5rc = krb5_kt_default(krb5context,&krb5keytab); if (krb5rc) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_kt_default() fails.\n"); goto err; } } /* Actual Kerberos5 krb5_recvauth() has initial conversation here ** o check KRB5_SENDAUTH_BADAUTHVERS ** unless KRB5_RECVAUTH_SKIP_VERSION ** o check KRB5_SENDAUTH_BADAPPLVERS ** o send "0" msg if all OK */ /* 20010411 was using AP_REQ instead of true KerberosWrapper ** ** if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context, ** &krb5in_data, krb5server, krb5keytab, ** &ap_option, &krb5ticket)) != 0) { Error } */ p = (unsigned char *)indata->data; if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p, (long) indata->length)) == NULL) { BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "d2i_KRB5_TICKET() ASN.1 decode failure.\n"); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; goto err; } /* Was: krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) */ if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket, kssl_err)) != 0) { BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "Error converting ASN.1 ticket to krb5_ticket.\n"); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; goto err; } if (! krb5_principal_compare(krb5context, krb5server, krb5ticket->server)) { krb5rc = KRB5_PRINC_NOMATCH; BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "server principal != ticket principal\n"); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; goto err; } if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, krb5ticket->server, krb5ticket->enc_part.kvno, krb5ticket->enc_part.enctype, &kt_entry)) != 0) { BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "krb5_kt_get_entry() fails with %x.\n", krb5rc); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; goto err; } if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key, krb5ticket)) != 0) { BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "krb5_decrypt_tkt_part() failed.\n"); kssl_err->reason = SSL_R_KRB5_S_RD_REQ; goto err; } else { krb5_kt_free_entry(krb5context, &kt_entry); #ifdef KSSL_DEBUG { int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs; printf("Decrypted ticket fields:\n"); printf("\tflags: %X, transit-type: %X", krb5ticket->enc_part2->flags, krb5ticket->enc_part2->transited.tr_type); print_krb5_data("\ttransit-data: ", &(krb5ticket->enc_part2->transited.tr_contents)); printf("\tcaddrs: %p, authdata: %p\n", krb5ticket->enc_part2->caddrs, krb5ticket->enc_part2->authorization_data); if (paddr) { printf("\tcaddrs:\n"); for (i=0; paddr[i] != NULL; i++) { krb5_data d; d.length=paddr[i]->length; d.data=paddr[i]->contents; print_krb5_data("\t\tIP: ", &d); } } printf("\tstart/auth/end times: %d / %d / %d\n", krb5ticket->enc_part2->times.starttime, krb5ticket->enc_part2->times.authtime, krb5ticket->enc_part2->times.endtime); } #endif /* KSSL_DEBUG */ } krb5rc = KRB5_NO_TKT_SUPPLIED; if (!krb5ticket || !krb5ticket->enc_part2 || !krb5ticket->enc_part2->client || !krb5ticket->enc_part2->client->data || !krb5ticket->enc_part2->session) { kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, "bad ticket from krb5_rd_req.\n"); } else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT, &krb5ticket->enc_part2->client->realm, krb5ticket->enc_part2->client->data, krb5ticket->enc_part2->client->length)) { kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, "kssl_ctx_setprinc() fails.\n"); } else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session)) { kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, "kssl_ctx_setkey() fails.\n"); } else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID) { krb5rc = KRB5KRB_AP_ERR_TKT_INVALID; kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, "invalid ticket from krb5_rd_req.\n"); } else krb5rc = 0; kssl_ctx->enctype = krb5ticket->enc_part.enctype; ttimes->authtime = krb5ticket->enc_part2->times.authtime; ttimes->starttime = krb5ticket->enc_part2->times.starttime; ttimes->endtime = krb5ticket->enc_part2->times.endtime; ttimes->renew_till = krb5ticket->enc_part2->times.renew_till; err: #ifdef KSSL_DEBUG kssl_ctx_show(kssl_ctx); #endif /* KSSL_DEBUG */ if (asn1ticket) KRB5_TICKET_free((KRB5_TICKET *) asn1ticket); if (krb5keytab) krb5_kt_close(krb5context, krb5keytab); if (krb5ticket) krb5_free_ticket(krb5context, krb5ticket); if (krb5server) krb5_free_principal(krb5context, krb5server); return (krb5rc); } /* Allocate & return a new kssl_ctx struct. */ KSSL_CTX * kssl_ctx_new(void) { return ((KSSL_CTX *) calloc(1, sizeof(KSSL_CTX))); } /* Frees a kssl_ctx struct and any allocated memory it holds. ** Returns NULL. */ KSSL_CTX * kssl_ctx_free(KSSL_CTX *kssl_ctx) { if (kssl_ctx == NULL) return kssl_ctx; if (kssl_ctx->key) OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); if (kssl_ctx->key) free(kssl_ctx->key); if (kssl_ctx->client_princ) free(kssl_ctx->client_princ); if (kssl_ctx->service_host) free(kssl_ctx->service_host); if (kssl_ctx->service_name) free(kssl_ctx->service_name); if (kssl_ctx->keytab_file) free(kssl_ctx->keytab_file); free(kssl_ctx); return (KSSL_CTX *) NULL; } /* Given an array of (krb5_data *) entity (and optional realm), ** set the plain (char *) client_princ or service_host member ** of the kssl_ctx struct. */ krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, krb5_data *realm, krb5_data *entity, int nentities) { char **princ; int length; int i; if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR; switch (which) { case KSSL_CLIENT: princ = &kssl_ctx->client_princ; break; case KSSL_SERVER: princ = &kssl_ctx->service_host; break; default: return KSSL_CTX_ERR; break; } if (*princ) free(*princ); /* Add up all the entity->lengths */ length = 0; for (i=0; i < nentities; i++) { length += entity[i].length; } /* Add in space for the '/' character(s) (if any) */ length += nentities-1; /* Space for the ('@'+realm+NULL | NULL) */ length += ((realm)? realm->length + 2: 1); if ((*princ = calloc(1, length)) == NULL) return KSSL_CTX_ERR; else { for (i = 0; i < nentities; i++) { strncat(*princ, entity[i].data, entity[i].length); if (i < nentities-1) { strcat (*princ, "/"); } } if (realm) { strcat (*princ, "@"); (void) strncat(*princ, realm->data, realm->length); } } return KSSL_CTX_OK; } /* Set one of the plain (char *) string members of the kssl_ctx struct. ** Default values should be: ** which == KSSL_SERVICE => "khost" (KRB5SVC) ** which == KSSL_KEYTAB => "/etc/krb5.keytab" (KRB5KEYTAB) */ krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text) { char **string; if (!kssl_ctx) return KSSL_CTX_ERR; switch (which) { case KSSL_SERVICE: string = &kssl_ctx->service_name; break; case KSSL_SERVER: string = &kssl_ctx->service_host; break; case KSSL_CLIENT: string = &kssl_ctx->client_princ; break; case KSSL_KEYTAB: string = &kssl_ctx->keytab_file; break; default: return KSSL_CTX_ERR; break; } if (*string) free(*string); if (!text) { *string = '\0'; return KSSL_CTX_OK; } if ((*string = calloc(1, strlen(text) + 1)) == NULL) return KSSL_CTX_ERR; else strcpy(*string, text); return KSSL_CTX_OK; } /* Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx ** struct. Clear kssl_ctx->key if Kerberos session key is NULL. */ krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session) { int length; krb5_enctype enctype; krb5_octet FAR *contents = NULL; if (!kssl_ctx) return KSSL_CTX_ERR; if (kssl_ctx->key) { OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); free(kssl_ctx->key); } if (session) { #ifdef KRB5_HEIMDAL length = session->keyvalue->length; enctype = session->keytype; contents = session->keyvalue->contents; #else length = session->length; enctype = session->enctype; contents = session->contents; #endif kssl_ctx->enctype = enctype; kssl_ctx->length = length; } else { kssl_ctx->enctype = ENCTYPE_UNKNOWN; kssl_ctx->length = 0; return KSSL_CTX_OK; } if ((kssl_ctx->key = (krb5_octet FAR *) calloc(1, kssl_ctx->length)) == NULL) { kssl_ctx->length = 0; return KSSL_CTX_ERR; } else memcpy(kssl_ctx->key, contents, length); return KSSL_CTX_OK; } /* Display contents of kssl_ctx struct */ void kssl_ctx_show(KSSL_CTX *kssl_ctx) { int i; printf("kssl_ctx: "); if (kssl_ctx == NULL) { printf("NULL\n"); return; } else - printf("%p\n", kssl_ctx); + printf("%p\n", (void *)kssl_ctx); printf("\tservice:\t%s\n", (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL"); printf("\tclient:\t%s\n", (kssl_ctx->client_princ)? kssl_ctx->client_princ: "NULL"); printf("\tserver:\t%s\n", (kssl_ctx->service_host)? kssl_ctx->service_host: "NULL"); printf("\tkeytab:\t%s\n", (kssl_ctx->keytab_file)? kssl_ctx->keytab_file: "NULL"); printf("\tkey [%d:%d]:\t", kssl_ctx->enctype, kssl_ctx->length); for (i=0; i < kssl_ctx->length && kssl_ctx->key; i++) { printf("%02x", kssl_ctx->key[i]); } printf("\n"); return; } int kssl_keytab_is_available(KSSL_CTX *kssl_ctx) { krb5_context krb5context = NULL; krb5_keytab krb5keytab = NULL; krb5_keytab_entry entry; krb5_principal princ = NULL; krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; int rc = 0; if ((krb5rc = krb5_init_context(&krb5context))) return(0); /* kssl_ctx->keytab_file == NULL ==> use Kerberos default */ if (kssl_ctx->keytab_file) { krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, &krb5keytab); if (krb5rc) goto exit; } else { krb5rc = krb5_kt_default(krb5context,&krb5keytab); if (krb5rc) goto exit; } /* the host key we are looking for */ krb5rc = krb5_sname_to_principal(krb5context, NULL, kssl_ctx->service_name ? kssl_ctx->service_name: KRB5SVC, KRB5_NT_SRV_HST, &princ); krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, princ, 0 /* IGNORE_VNO */, 0 /* IGNORE_ENCTYPE */, &entry); if ( krb5rc == KRB5_KT_NOTFOUND ) { rc = 1; goto exit; } else if ( krb5rc ) goto exit; krb5_kt_free_entry(krb5context, &entry); rc = 1; exit: if (krb5keytab) krb5_kt_close(krb5context, krb5keytab); if (princ) krb5_free_principal(krb5context, princ); if (krb5context) krb5_free_context(krb5context); return(rc); } int kssl_tgt_is_available(KSSL_CTX *kssl_ctx) { krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; krb5_context krb5context = NULL; krb5_ccache krb5ccdef = NULL; krb5_creds krb5creds, *krb5credsp = NULL; int rc = 0; memset((char *)&krb5creds, 0, sizeof(krb5creds)); if (!kssl_ctx) return(0); if (!kssl_ctx->service_host) return(0); if ((krb5rc = krb5_init_context(&krb5context)) != 0) goto err; if ((krb5rc = krb5_sname_to_principal(krb5context, kssl_ctx->service_host, (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC, KRB5_NT_SRV_HST, &krb5creds.server)) != 0) goto err; if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) goto err; if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, &krb5creds.client)) != 0) goto err; if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, &krb5creds, &krb5credsp)) != 0) goto err; rc = 1; err: #ifdef KSSL_DEBUG kssl_ctx_show(kssl_ctx); #endif /* KSSL_DEBUG */ if (krb5creds.client) krb5_free_principal(krb5context, krb5creds.client); if (krb5creds.server) krb5_free_principal(krb5context, krb5creds.server); if (krb5context) krb5_free_context(krb5context); return(rc); } #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WIN32) void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data) { #ifdef KRB5_HEIMDAL data->length = 0; if (data->data) free(data->data); #elif defined(KRB5_MIT_OLD11) if (data->data) { krb5_xfree(data->data); data->data = 0; } #else krb5_free_data_contents(NULL, data); #endif } #endif /* !OPENSSL_SYS_WINDOWS && !OPENSSL_SYS_WIN32 */ /* Given pointers to KerberosTime and struct tm structs, convert the ** KerberosTime string to struct tm. Note that KerberosTime is a ** ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional ** seconds as defined in RFC 1510. ** Return pointer to the (partially) filled in struct tm on success, ** return NULL on failure. */ struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm) { char c, *p; if (!k_tm) return NULL; if (gtime == NULL || gtime->length < 14) return NULL; if (gtime->data == NULL) return NULL; p = (char *)>ime->data[14]; c = *p; *p = '\0'; p -= 2; k_tm->tm_sec = atoi(p); *(p+2) = c; c = *p; *p = '\0'; p -= 2; k_tm->tm_min = atoi(p); *(p+2) = c; c = *p; *p = '\0'; p -= 2; k_tm->tm_hour = atoi(p); *(p+2) = c; c = *p; *p = '\0'; p -= 2; k_tm->tm_mday = atoi(p); *(p+2) = c; c = *p; *p = '\0'; p -= 2; k_tm->tm_mon = atoi(p)-1; *(p+2) = c; c = *p; *p = '\0'; p -= 4; k_tm->tm_year = atoi(p)-1900; *(p+4) = c; return k_tm; } /* Helper function for kssl_validate_times(). ** We need context->clockskew, but krb5_context is an opaque struct. ** So we try to sneek the clockskew out through the replay cache. ** If that fails just return a likely default (300 seconds). */ krb5_deltat get_rc_clockskew(krb5_context context) { krb5_rcache rc; krb5_deltat clockskew; if (krb5_rc_default(context, &rc)) return KSSL_CLOCKSKEW; if (krb5_rc_initialize(context, rc, 0)) return KSSL_CLOCKSKEW; if (krb5_rc_get_lifespan(context, rc, &clockskew)) { clockskew = KSSL_CLOCKSKEW; } (void) krb5_rc_destroy(context, rc); return clockskew; } /* kssl_validate_times() combines (and more importantly exposes) ** the MIT KRB5 internal function krb5_validate_times() and the ** in_clock_skew() macro. The authenticator client time is checked ** to be within clockskew secs of the current time and the current ** time is checked to be within the ticket start and expire times. ** Either check may be omitted by supplying a NULL value. ** Returns 0 for valid times, SSL_R_KRB5* error codes otherwise. ** See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c ** 20010420 VRS */ krb5_error_code kssl_validate_times( krb5_timestamp atime, krb5_ticket_times *ttimes) { krb5_deltat skew; krb5_timestamp start, now; krb5_error_code rc; krb5_context context; if ((rc = krb5_init_context(&context))) return SSL_R_KRB5_S_BAD_TICKET; skew = get_rc_clockskew(context); if ((rc = krb5_timeofday(context,&now))) return SSL_R_KRB5_S_BAD_TICKET; krb5_free_context(context); if (atime && labs(atime - now) >= skew) return SSL_R_KRB5_S_TKT_SKEW; if (! ttimes) return 0; start = (ttimes->starttime != 0)? ttimes->starttime: ttimes->authtime; if (start - now > skew) return SSL_R_KRB5_S_TKT_NYV; if ((now - ttimes->endtime) > skew) return SSL_R_KRB5_S_TKT_EXPIRED; #ifdef KSSL_DEBUG printf("kssl_validate_times: %d |<- | %d - %d | < %d ->| %d\n", start, atime, now, skew, ttimes->endtime); #endif /* KSSL_DEBUG */ return 0; } /* Decode and decrypt given DER-encoded authenticator, then pass ** authenticator ctime back in *atimep (or 0 if time unavailable). ** Returns krb5_error_code and kssl_err on error. A NULL ** authenticator (authentp->length == 0) is not considered an error. ** Note that kssl_check_authent() makes use of the KRB5 session key; ** you must call kssl_sget_tkt() to get the key before calling this routine. */ krb5_error_code kssl_check_authent( /* IN */ KSSL_CTX *kssl_ctx, /* IN */ krb5_data *authentp, /* OUT */ krb5_timestamp *atimep, /* OUT */ KSSL_ERR *kssl_err ) { krb5_error_code krb5rc = 0; KRB5_ENCDATA *dec_authent = NULL; KRB5_AUTHENTBODY *auth = NULL; krb5_enctype enctype; EVP_CIPHER_CTX ciph_ctx; const EVP_CIPHER *enc = NULL; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char *p, *unenc_authent; int outl, unencbufsize; struct tm tm_time, *tm_l, *tm_g; time_t now, tl, tg, tr, tz_offset; EVP_CIPHER_CTX_init(&ciph_ctx); *atimep = 0; kssl_err_set(kssl_err, 0, ""); #ifndef KRB5CHECKAUTH authentp = NULL; #else #if KRB5CHECKAUTH == 0 authentp = NULL; #endif #endif /* KRB5CHECKAUTH */ if (authentp == NULL || authentp->length == 0) return 0; #ifdef KSSL_DEBUG { unsigned int ui; printf("kssl_check_authent: authenticator[%d]:\n",authentp->length); p = authentp->data; for (ui=0; ui < authentp->length; ui++) printf("%02x ",p[ui]); printf("\n"); } #endif /* KSSL_DEBUG */ unencbufsize = 2 * authentp->length; if ((unenc_authent = calloc(1, unencbufsize)) == NULL) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "Unable to allocate authenticator buffer.\n"); krb5rc = KRB5KRB_ERR_GENERIC; goto err; } p = (unsigned char *)authentp->data; if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p, (long) authentp->length)) == NULL) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "Error decoding authenticator.\n"); krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; goto err; } enctype = dec_authent->etype->data[0]; /* should = kssl_ctx->enctype */ #if !defined(KRB5_MIT_OLD11) switch ( enctype ) { case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ case ENCTYPE_DES3_CBC_SHA: case ENCTYPE_DES3_CBC_RAW: krb5rc = 0; /* Skip, can't handle derived keys */ goto err; } #endif enc = kssl_map_enc(enctype); memset(iv, 0, sizeof iv); /* per RFC 1510 */ if (enc == NULL) { /* Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1. ** This enctype indicates the authenticator was encrypted ** using key-usage derived keys which openssl cannot decrypt. */ goto err; } if (!EVP_CipherInit(&ciph_ctx,enc,kssl_ctx->key,iv,0)) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "EVP_CipherInit error decrypting authenticator.\n"); krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; goto err; } outl = dec_authent->cipher->length; if (!EVP_Cipher(&ciph_ctx,unenc_authent,dec_authent->cipher->data,outl)) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "EVP_Cipher error decrypting authenticator.\n"); krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; goto err; } EVP_CIPHER_CTX_cleanup(&ciph_ctx); #ifdef KSSL_DEBUG printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl); for (padl=0; padl < outl; padl++) printf("%02x ",unenc_authent[padl]); printf("\n"); #endif /* KSSL_DEBUG */ if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "confounded by authenticator.\n"); krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; goto err; } outl -= p - unenc_authent; if ((auth = (KRB5_AUTHENTBODY *) d2i_KRB5_AUTHENT(NULL, &p, (long) outl))==NULL) { kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "Error decoding authenticator body.\n"); krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; goto err; } memset(&tm_time,0,sizeof(struct tm)); if (k_gmtime(auth->ctime, &tm_time) && ((tr = mktime(&tm_time)) != (time_t)(-1))) { now = time(&now); tm_l = localtime(&now); tl = mktime(tm_l); tm_g = gmtime(&now); tg = mktime(tm_g); tz_offset = tg - tl; *atimep = tr - tz_offset; } #ifdef KSSL_DEBUG printf("kssl_check_authent: returns %d for client time ", *atimep); if (auth && auth->ctime && auth->ctime->length && auth->ctime->data) printf("%.*s\n", auth->ctime->length, auth->ctime->data); else printf("NULL\n"); #endif /* KSSL_DEBUG */ err: if (auth) KRB5_AUTHENT_free((KRB5_AUTHENT *) auth); if (dec_authent) KRB5_ENCDATA_free(dec_authent); if (unenc_authent) free(unenc_authent); EVP_CIPHER_CTX_cleanup(&ciph_ctx); return krb5rc; } /* Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host), ** because I dont't know how to stub varargs. ** Returns krb5_error_code == ENOMEM on alloc error, otherwise ** passes back newly constructed principal, which should be freed by caller. */ krb5_error_code kssl_build_principal_2( /* UPDATE */ krb5_context context, /* OUT */ krb5_principal *princ, /* IN */ int rlen, const char *realm, /* IN */ int slen, const char *svc, /* IN */ int hlen, const char *host) { krb5_data *p_data = NULL; krb5_principal new_p = NULL; char *new_r = NULL; if ((p_data = (krb5_data *) calloc(2, sizeof(krb5_data))) == NULL || (new_p = (krb5_principal) calloc(1, sizeof(krb5_principal_data))) == NULL) goto err; new_p->length = 2; new_p->data = p_data; if ((new_r = calloc(1, rlen + 1)) == NULL) goto err; memcpy(new_r, realm, rlen); krb5_princ_set_realm_length(context, new_p, rlen); krb5_princ_set_realm_data(context, new_p, new_r); if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL) goto err; memcpy(new_p->data[0].data, svc, slen); new_p->data[0].length = slen; if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL) goto err; memcpy(new_p->data[1].data, host, hlen); new_p->data[1].length = hlen; krb5_princ_type(context, new_p) = KRB5_NT_UNKNOWN; *princ = new_p; return 0; err: if (new_p && new_p[0].data) free(new_p[0].data); if (new_p && new_p[1].data) free(new_p[1].data); if (new_p) free(new_p); if (new_r) free(new_r); return ENOMEM; } #else /* !OPENSSL_NO_KRB5 */ #if defined(PEDANTIC) || defined(OPENSSL_SYS_VMS) static int dummy=(int)&dummy; #endif #endif /* !OPENSSL_NO_KRB5 */ diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c index 1d24dedc918b..43b32eb4159f 100644 --- a/crypto/openssl/ssl/s2_clnt.c +++ b/crypto/openssl/ssl/s2_clnt.c @@ -1,1138 +1,1137 @@ /* ssl/s2_clnt.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include "ssl_locl.h" #ifndef OPENSSL_NO_SSL2 #include #include #include #include #include -#include "cryptlib.h" static SSL_METHOD *ssl2_get_client_method(int ver); static int get_server_finished(SSL *s); static int get_server_verify(SSL *s); static int get_server_hello(SSL *s); static int client_hello(SSL *s); static int client_master_key(SSL *s); static int client_finished(SSL *s); static int client_certificate(SSL *s); static int ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from, unsigned char *to,int padding); #define BREAK break static SSL_METHOD *ssl2_get_client_method(int ver) { if (ver == SSL2_VERSION) return(SSLv2_client_method()); else return(NULL); } SSL_METHOD *SSLv2_client_method(void) { static int init=1; static SSL_METHOD SSLv2_client_data; if (init) { CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); if (init) { memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(), sizeof(SSL_METHOD)); SSLv2_client_data.ssl_connect=ssl2_connect; SSLv2_client_data.get_ssl_method=ssl2_get_client_method; init=0; } CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv2_client_data); } int ssl2_connect(SSL *s) { unsigned long l=time(NULL); BUF_MEM *buf=NULL; int ret= -1; void (*cb)(const SSL *ssl,int type,int val)=NULL; int new_state,state; RAND_add(&l,sizeof(l),0); ERR_clear_error(); clear_sys_error(); if (s->info_callback != NULL) cb=s->info_callback; else if (s->ctx->info_callback != NULL) cb=s->ctx->info_callback; /* init things to blank */ s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); for (;;) { state=s->state; switch (s->state) { case SSL_ST_BEFORE: case SSL_ST_CONNECT: case SSL_ST_BEFORE|SSL_ST_CONNECT: case SSL_ST_OK|SSL_ST_CONNECT: s->server=0; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); s->version=SSL2_VERSION; s->type=SSL_ST_CONNECT; buf=s->init_buf; if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL)) { ret= -1; goto end; } if (!BUF_MEM_grow(buf, SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { if (buf == s->init_buf) buf=NULL; ret= -1; goto end; } s->init_buf=buf; buf=NULL; s->init_num=0; s->state=SSL2_ST_SEND_CLIENT_HELLO_A; s->ctx->stats.sess_connect++; s->handshake_func=ssl2_connect; BREAK; case SSL2_ST_SEND_CLIENT_HELLO_A: case SSL2_ST_SEND_CLIENT_HELLO_B: s->shutdown=0; ret=client_hello(s); if (ret <= 0) goto end; s->init_num=0; s->state=SSL2_ST_GET_SERVER_HELLO_A; BREAK; case SSL2_ST_GET_SERVER_HELLO_A: case SSL2_ST_GET_SERVER_HELLO_B: ret=get_server_hello(s); if (ret <= 0) goto end; s->init_num=0; if (!s->hit) /* new session */ { s->state=SSL2_ST_SEND_CLIENT_MASTER_KEY_A; BREAK; } else { s->state=SSL2_ST_CLIENT_START_ENCRYPTION; break; } case SSL2_ST_SEND_CLIENT_MASTER_KEY_A: case SSL2_ST_SEND_CLIENT_MASTER_KEY_B: ret=client_master_key(s); if (ret <= 0) goto end; s->init_num=0; s->state=SSL2_ST_CLIENT_START_ENCRYPTION; break; case SSL2_ST_CLIENT_START_ENCRYPTION: /* Ok, we now have all the stuff needed to * start encrypting, so lets fire it up :-) */ if (!ssl2_enc_init(s,1)) { ret= -1; goto end; } s->s2->clear_text=0; s->state=SSL2_ST_SEND_CLIENT_FINISHED_A; break; case SSL2_ST_SEND_CLIENT_FINISHED_A: case SSL2_ST_SEND_CLIENT_FINISHED_B: ret=client_finished(s); if (ret <= 0) goto end; s->init_num=0; s->state=SSL2_ST_GET_SERVER_VERIFY_A; break; case SSL2_ST_GET_SERVER_VERIFY_A: case SSL2_ST_GET_SERVER_VERIFY_B: ret=get_server_verify(s); if (ret <= 0) goto end; s->init_num=0; s->state=SSL2_ST_GET_SERVER_FINISHED_A; break; case SSL2_ST_GET_SERVER_FINISHED_A: case SSL2_ST_GET_SERVER_FINISHED_B: ret=get_server_finished(s); if (ret <= 0) goto end; break; case SSL2_ST_SEND_CLIENT_CERTIFICATE_A: case SSL2_ST_SEND_CLIENT_CERTIFICATE_B: case SSL2_ST_SEND_CLIENT_CERTIFICATE_C: case SSL2_ST_SEND_CLIENT_CERTIFICATE_D: case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: ret=client_certificate(s); if (ret <= 0) goto end; s->init_num=0; s->state=SSL2_ST_GET_SERVER_FINISHED_A; break; case SSL_ST_OK: if (s->init_buf != NULL) { BUF_MEM_free(s->init_buf); s->init_buf=NULL; } s->init_num=0; /* ERR_clear_error();*/ /* If we want to cache session-ids in the client * and we successfully add the session-id to the * cache, and there is a callback, then pass it out. * 26/11/96 - eay - only add if not a re-used session. */ ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); if (s->hit) s->ctx->stats.sess_hit++; ret=1; /* s->server=0; */ s->ctx->stats.sess_connect_good++; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); goto end; /* break; */ default: SSLerr(SSL_F_SSL2_CONNECT,SSL_R_UNKNOWN_STATE); return(-1); /* break; */ } if ((cb != NULL) && (s->state != state)) { new_state=s->state; s->state=state; cb(s,SSL_CB_CONNECT_LOOP,1); s->state=new_state; } } end: s->in_handshake--; if (buf != NULL) BUF_MEM_free(buf); if (cb != NULL) cb(s,SSL_CB_CONNECT_EXIT,ret); return(ret); } static int get_server_hello(SSL *s) { unsigned char *buf; unsigned char *p; int i,j; unsigned long len; STACK_OF(SSL_CIPHER) *sk=NULL,*cl, *prio, *allow; buf=(unsigned char *)s->init_buf->data; p=buf; if (s->state == SSL2_ST_GET_SERVER_HELLO_A) { i=ssl2_read(s,(char *)&(buf[s->init_num]),11-s->init_num); if (i < (11-s->init_num)) return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i)); s->init_num = 11; if (*(p++) != SSL2_MT_SERVER_HELLO) { if (p[-1] != SSL2_MT_ERROR) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_READ_WRONG_PACKET_TYPE); } else SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_PEER_ERROR); return(-1); } #ifdef __APPLE_CC__ /* The Rhapsody 5.5 (a.k.a. MacOS X) compiler bug * workaround. */ s->hit=(i=*(p++))?1:0; #else s->hit=(*(p++))?1:0; #endif s->s2->tmp.cert_type= *(p++); n2s(p,i); if (i < s->version) s->version=i; n2s(p,i); s->s2->tmp.cert_length=i; n2s(p,i); s->s2->tmp.csl=i; n2s(p,i); s->s2->tmp.conn_id_length=i; s->state=SSL2_ST_GET_SERVER_HELLO_B; } /* SSL2_ST_GET_SERVER_HELLO_B */ len = 11 + (unsigned long)s->s2->tmp.cert_length + (unsigned long)s->s2->tmp.csl + (unsigned long)s->s2->tmp.conn_id_length; if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_MESSAGE_TOO_LONG); return -1; } j = (int)len - s->init_num; i = ssl2_read(s,(char *)&(buf[s->init_num]),j); if (i != j) return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i)); if (s->msg_callback) s->msg_callback(0, s->version, 0, buf, (size_t)len, s, s->msg_callback_arg); /* SERVER-HELLO */ /* things are looking good */ p = buf + 11; if (s->hit) { if (s->s2->tmp.cert_length != 0) { SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CERT_LENGTH_NOT_ZERO); return(-1); } if (s->s2->tmp.cert_type != 0) { if (!(s->options & SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)) { SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CERT_TYPE_NOT_ZERO); return(-1); } } if (s->s2->tmp.csl != 0) { SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CIPHER_LIST_NOT_ZERO); return(-1); } } else { #ifdef undef /* very bad */ memset(s->session->session_id,0, SSL_MAX_SSL_SESSION_ID_LENGTH_IN_BYTES); s->session->session_id_length=0; */ #endif /* we need to do this in case we were trying to reuse a * client session but others are already reusing it. * If this was a new 'blank' session ID, the session-id * length will still be 0 */ if (s->session->session_id_length > 0) { if (!ssl_get_new_session(s,0)) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); return(-1); } } if (ssl2_set_certificate(s,s->s2->tmp.cert_type, s->s2->tmp.cert_length,p) <= 0) { ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE); return(-1); } p+=s->s2->tmp.cert_length; if (s->s2->tmp.csl == 0) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_LIST); return(-1); } /* We have just received a list of ciphers back from the * server. We need to get the ones that match, then select * the one we want the most :-). */ /* load the ciphers */ sk=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.csl, &s->session->ciphers); p+=s->s2->tmp.csl; if (sk == NULL) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_SERVER_HELLO,ERR_R_MALLOC_FAILURE); return(-1); } sk_SSL_CIPHER_set_cmp_func(sk,ssl_cipher_ptr_id_cmp); /* get the array of ciphers we will accept */ cl=SSL_get_ciphers(s); sk_SSL_CIPHER_set_cmp_func(cl,ssl_cipher_ptr_id_cmp); /* * If server preference flag set, choose the first * (highest priority) cipher the server sends, otherwise * client preference has priority. */ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { prio = sk; allow = cl; } else { prio = cl; allow = sk; } /* In theory we could have ciphers sent back that we * don't want to use but that does not matter since we * will check against the list we originally sent and * for performance reasons we should not bother to match * the two lists up just to check. */ for (i=0; i= 0) break; } if (i >= sk_SSL_CIPHER_num(prio)) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_MATCH); return(-1); } s->session->cipher=sk_SSL_CIPHER_value(prio,i); if (s->session->peer != NULL) /* can't happen*/ { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); return(-1); } s->session->peer = s->session->sess_cert->peer_key->x509; /* peer_key->x509 has been set by ssl2_set_certificate. */ CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509); } if (s->session->peer != s->session->sess_cert->peer_key->x509) /* can't happen */ { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); return(-1); } s->s2->conn_id_length=s->s2->tmp.conn_id_length; if (s->s2->conn_id_length > sizeof s->s2->conn_id) { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_SSL2_CONNECTION_ID_TOO_LONG); return -1; } memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length); return(1); } static int client_hello(SSL *s) { unsigned char *buf; unsigned char *p,*d; /* CIPHER **cipher;*/ int i,n,j; buf=(unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_SEND_CLIENT_HELLO_A) { if ((s->session == NULL) || (s->session->ssl_version != s->version)) { if (!ssl_get_new_session(s,0)) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); return(-1); } } /* else use the pre-loaded session */ p=buf; /* header */ d=p+9; /* data section */ *(p++)=SSL2_MT_CLIENT_HELLO; /* type */ s2n(SSL2_VERSION,p); /* version */ n=j=0; n=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),d); d+=n; if (n == 0) { SSLerr(SSL_F_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); return(-1); } s2n(n,p); /* cipher spec num bytes */ if ((s->session->session_id_length > 0) && (s->session->session_id_length <= SSL2_MAX_SSL_SESSION_ID_LENGTH)) { i=s->session->session_id_length; s2n(i,p); /* session id length */ memcpy(d,s->session->session_id,(unsigned int)i); d+=i; } else { s2n(0,p); } s->s2->challenge_length=SSL2_CHALLENGE_LENGTH; s2n(SSL2_CHALLENGE_LENGTH,p); /* challenge length */ /*challenge id data*/ RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH); memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH); d+=SSL2_CHALLENGE_LENGTH; s->state=SSL2_ST_SEND_CLIENT_HELLO_B; s->init_num=d-buf; s->init_off=0; } /* SSL2_ST_SEND_CLIENT_HELLO_B */ return(ssl2_do_write(s)); } static int client_master_key(SSL *s) { unsigned char *buf; unsigned char *p,*d; int clear,enc,karg,i; SSL_SESSION *sess; const EVP_CIPHER *c; const EVP_MD *md; buf=(unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A) { if (!ssl_cipher_get_evp(s->session,&c,&md,NULL)) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); return(-1); } sess=s->session; p=buf; d=p+10; *(p++)=SSL2_MT_CLIENT_MASTER_KEY;/* type */ i=ssl_put_cipher_by_char(s,sess->cipher,p); p+=i; /* make key_arg data */ i=EVP_CIPHER_iv_length(c); sess->key_arg_length=i; if (i > SSL_MAX_KEY_ARG_LENGTH) { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); return -1; } if (i > 0) RAND_pseudo_bytes(sess->key_arg,i); /* make a master key */ i=EVP_CIPHER_key_length(c); sess->master_key_length=i; if (i > 0) { if (i > sizeof sess->master_key) { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); return -1; } if (RAND_bytes(sess->master_key,i) <= 0) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); return(-1); } } if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) enc=8; else if (SSL_C_IS_EXPORT(sess->cipher)) enc=5; else enc=i; if (i < enc) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_CIPHER_TABLE_SRC_ERROR); return(-1); } clear=i-enc; s2n(clear,p); memcpy(d,sess->master_key,(unsigned int)clear); d+=clear; enc=ssl_rsa_public_encrypt(sess->sess_cert,enc, &(sess->master_key[clear]),d, (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING); if (enc <= 0) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PUBLIC_KEY_ENCRYPT_ERROR); return(-1); } #ifdef PKCS1_CHECK if (s->options & SSL_OP_PKCS1_CHECK_1) d[1]++; if (s->options & SSL_OP_PKCS1_CHECK_2) sess->master_key[clear]++; #endif s2n(enc,p); d+=enc; karg=sess->key_arg_length; s2n(karg,p); /* key arg size */ if (karg > sizeof sess->key_arg) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); return -1; } memcpy(d,sess->key_arg,(unsigned int)karg); d+=karg; s->state=SSL2_ST_SEND_CLIENT_MASTER_KEY_B; s->init_num=d-buf; s->init_off=0; } /* SSL2_ST_SEND_CLIENT_MASTER_KEY_B */ return(ssl2_do_write(s)); } static int client_finished(SSL *s) { unsigned char *p; if (s->state == SSL2_ST_SEND_CLIENT_FINISHED_A) { p=(unsigned char *)s->init_buf->data; *(p++)=SSL2_MT_CLIENT_FINISHED; if (s->s2->conn_id_length > sizeof s->s2->conn_id) { SSLerr(SSL_F_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR); return -1; } memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length); s->state=SSL2_ST_SEND_CLIENT_FINISHED_B; s->init_num=s->s2->conn_id_length+1; s->init_off=0; } return(ssl2_do_write(s)); } /* read the data and then respond */ static int client_certificate(SSL *s) { unsigned char *buf; unsigned char *p,*d; int i; unsigned int n; int cert_ch_len; unsigned char *cert_ch; buf=(unsigned char *)s->init_buf->data; /* We have a cert associated with the SSL, so attach it to * the session if it does not have one */ if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A) { i=ssl2_read(s,(char *)&(buf[s->init_num]), SSL2_MAX_CERT_CHALLENGE_LENGTH+2-s->init_num); if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+2-s->init_num)) return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i)); s->init_num += i; if (s->msg_callback) s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* REQUEST-CERTIFICATE */ /* type=buf[0]; */ /* type eq x509 */ if (buf[1] != SSL2_AT_MD5_WITH_RSA_ENCRYPTION) { ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE); SSLerr(SSL_F_CLIENT_CERTIFICATE,SSL_R_BAD_AUTHENTICATION_TYPE); return(-1); } if ((s->cert == NULL) || (s->cert->key->x509 == NULL) || (s->cert->key->privatekey == NULL)) { s->state=SSL2_ST_X509_GET_CLIENT_CERTIFICATE; } else s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_C; } cert_ch = buf + 2; cert_ch_len = s->init_num - 2; if (s->state == SSL2_ST_X509_GET_CLIENT_CERTIFICATE) { X509 *x509=NULL; EVP_PKEY *pkey=NULL; /* If we get an error we need to * ssl->rwstate=SSL_X509_LOOKUP; * return(error); * We should then be retried when things are ok and we * can get a cert or not */ i=0; if (s->ctx->client_cert_cb != NULL) { i=s->ctx->client_cert_cb(s,&(x509),&(pkey)); } if (i < 0) { s->rwstate=SSL_X509_LOOKUP; return(-1); } s->rwstate=SSL_NOTHING; if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_C; if ( !SSL_use_certificate(s,x509) || !SSL_use_PrivateKey(s,pkey)) { i=0; } X509_free(x509); EVP_PKEY_free(pkey); } else if (i == 1) { if (x509 != NULL) X509_free(x509); if (pkey != NULL) EVP_PKEY_free(pkey); SSLerr(SSL_F_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); i=0; } if (i == 0) { /* We have no client certificate to respond with * so send the correct error message back */ s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_B; p=buf; *(p++)=SSL2_MT_ERROR; s2n(SSL2_PE_NO_CERTIFICATE,p); s->init_off=0; s->init_num=3; /* Write is done at the end */ } } if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_B) { return(ssl2_do_write(s)); } if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_C) { EVP_MD_CTX ctx; /* ok, now we calculate the checksum * do it first so we can reuse buf :-) */ p=buf; EVP_MD_CTX_init(&ctx); EVP_SignInit_ex(&ctx,s->ctx->rsa_md5, NULL); EVP_SignUpdate(&ctx,s->s2->key_material, s->s2->key_material_length); EVP_SignUpdate(&ctx,cert_ch,(unsigned int)cert_ch_len); n=i2d_X509(s->session->sess_cert->peer_key->x509,&p); EVP_SignUpdate(&ctx,buf,(unsigned int)n); p=buf; d=p+6; *(p++)=SSL2_MT_CLIENT_CERTIFICATE; *(p++)=SSL2_CT_X509_CERTIFICATE; n=i2d_X509(s->cert->key->x509,&d); s2n(n,p); if (!EVP_SignFinal(&ctx,d,&n,s->cert->key->privatekey)) { /* this is not good. If things have failed it * means there so something wrong with the key. * We will continue with a 0 length signature */ } EVP_MD_CTX_cleanup(&ctx); s2n(n,p); d+=n; s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_D; s->init_num=d-buf; s->init_off=0; } /* if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_D) */ return(ssl2_do_write(s)); } static int get_server_verify(SSL *s) { unsigned char *p; int i, n, len; p=(unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_GET_SERVER_VERIFY_A) { i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num); if (i < (1-s->init_num)) return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i)); s->init_num += i; s->state= SSL2_ST_GET_SERVER_VERIFY_B; if (*p != SSL2_MT_SERVER_VERIFY) { if (p[0] != SSL2_MT_ERROR) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_SERVER_VERIFY, SSL_R_READ_WRONG_PACKET_TYPE); } else { SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_PEER_ERROR); /* try to read the error message */ i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num); return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i); } return(-1); } } p=(unsigned char *)s->init_buf->data; len = 1 + s->s2->challenge_length; n = len - s->init_num; i = ssl2_read(s,(char *)&(p[s->init_num]),n); if (i < n) return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i)); if (s->msg_callback) s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */ p += 1; if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT); return(-1); } return(1); } static int get_server_finished(SSL *s) { unsigned char *buf; unsigned char *p; int i, n, len; buf=(unsigned char *)s->init_buf->data; p=buf; if (s->state == SSL2_ST_GET_SERVER_FINISHED_A) { i=ssl2_read(s,(char *)&(buf[s->init_num]),1-s->init_num); if (i < (1-s->init_num)) return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i)); s->init_num += i; if (*p == SSL2_MT_REQUEST_CERTIFICATE) { s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_A; return(1); } else if (*p != SSL2_MT_SERVER_FINISHED) { if (p[0] != SSL2_MT_ERROR) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE); } else { SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_PEER_ERROR); /* try to read the error message */ i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num); return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i); } return(-1); } s->state=SSL2_ST_GET_SERVER_FINISHED_B; } len = 1 + SSL2_SSL_SESSION_ID_LENGTH; n = len - s->init_num; i = ssl2_read(s,(char *)&(buf[s->init_num]), n); if (i < n) /* XXX could be shorter than SSL2_SSL_SESSION_ID_LENGTH, that's the maximum */ return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i)); s->init_num += i; if (s->msg_callback) s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* SERVER-FINISHED */ if (!s->hit) /* new session */ { /* new session-id */ /* Make sure we were not trying to re-use an old SSL_SESSION * or bad things can happen */ /* ZZZZZZZZZZZZZ */ s->session->session_id_length=SSL2_SSL_SESSION_ID_LENGTH; memcpy(s->session->session_id,p+1,SSL2_SSL_SESSION_ID_LENGTH); } else { if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG)) { if ((s->session->session_id_length > sizeof s->session->session_id) || (0 != memcmp(buf + 1, s->session->session_id, (unsigned int)s->session->session_id_length))) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_SSL_SESSION_ID_IS_DIFFERENT); return(-1); } } } s->state = SSL_ST_OK; return(1); } /* loads in the certificate from the server */ int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data) { STACK_OF(X509) *sk=NULL; EVP_PKEY *pkey=NULL; SESS_CERT *sc=NULL; int i; X509 *x509=NULL; int ret=0; x509=d2i_X509(NULL,&data,(long)len); if (x509 == NULL) { SSLerr(SSL_F_SSL2_SET_CERTIFICATE,ERR_R_X509_LIB); goto err; } if ((sk=sk_X509_new_null()) == NULL || !sk_X509_push(sk,x509)) { SSLerr(SSL_F_SSL2_SET_CERTIFICATE,ERR_R_MALLOC_FAILURE); goto err; } i=ssl_verify_cert_chain(s,sk); if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)) { SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); goto err; } ERR_clear_error(); /* but we keep s->verify_result */ s->session->verify_result = s->verify_result; /* server's cert for this session */ sc=ssl_sess_cert_new(); if (sc == NULL) { ret= -1; goto err; } if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); s->session->sess_cert=sc; sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509=x509; sc->peer_key= &(sc->peer_pkeys[SSL_PKEY_RSA_ENC]); pkey=X509_get_pubkey(x509); x509=NULL; if (pkey == NULL) { SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY); goto err; } if (pkey->type != EVP_PKEY_RSA) { SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_PUBLIC_KEY_NOT_RSA); goto err; } if (!ssl_set_peer_cert_type(sc,SSL2_CT_X509_CERTIFICATE)) goto err; ret=1; err: sk_X509_free(sk); X509_free(x509); EVP_PKEY_free(pkey); return(ret); } static int ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from, unsigned char *to, int padding) { EVP_PKEY *pkey=NULL; int i= -1; if ((sc == NULL) || (sc->peer_key->x509 == NULL) || ((pkey=X509_get_pubkey(sc->peer_key->x509)) == NULL)) { SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,SSL_R_NO_PUBLICKEY); return(-1); } if (pkey->type != EVP_PKEY_RSA) { SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,SSL_R_PUBLIC_KEY_IS_NOT_RSA); goto end; } /* we have the public key */ i=RSA_public_encrypt(len,from,to,pkey->pkey.rsa,padding); if (i < 0) SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,ERR_R_RSA_LIB); end: EVP_PKEY_free(pkey); return(i); } #else /* !OPENSSL_NO_SSL2 */ # if PEDANTIC static void *dummy=&dummy; # endif #endif diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c index d3b144f1c52c..21a06f76cb07 100644 --- a/crypto/openssl/ssl/s2_enc.c +++ b/crypto/openssl/ssl/s2_enc.c @@ -1,192 +1,191 @@ /* ssl/s2_enc.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include "ssl_locl.h" #ifndef OPENSSL_NO_SSL2 #include -#include "cryptlib.h" int ssl2_enc_init(SSL *s, int client) { /* Max number of bytes needed */ EVP_CIPHER_CTX *rs,*ws; const EVP_CIPHER *c; const EVP_MD *md; int num; if (!ssl_cipher_get_evp(s->session,&c,&md,NULL)) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_SSL2_ENC_INIT,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); return(0); } s->read_hash=md; s->write_hash=md; if ((s->enc_read_ctx == NULL) && ((s->enc_read_ctx=(EVP_CIPHER_CTX *) OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) goto err; if ((s->enc_write_ctx == NULL) && ((s->enc_write_ctx=(EVP_CIPHER_CTX *) OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) goto err; rs= s->enc_read_ctx; ws= s->enc_write_ctx; EVP_CIPHER_CTX_init(rs); EVP_CIPHER_CTX_init(ws); num=c->key_len; s->s2->key_material_length=num*2; OPENSSL_assert(s->s2->key_material_length <= sizeof s->s2->key_material); if (ssl2_generate_key_material(s) <= 0) return 0; OPENSSL_assert(c->iv_len <= sizeof s->session->key_arg); EVP_EncryptInit_ex(ws,c,NULL,&(s->s2->key_material[(client)?num:0]), s->session->key_arg); EVP_DecryptInit_ex(rs,c,NULL,&(s->s2->key_material[(client)?0:num]), s->session->key_arg); s->s2->read_key= &(s->s2->key_material[(client)?0:num]); s->s2->write_key= &(s->s2->key_material[(client)?num:0]); return(1); err: SSLerr(SSL_F_SSL2_ENC_INIT,ERR_R_MALLOC_FAILURE); return(0); } /* read/writes from s->s2->mac_data using length for encrypt and * decrypt. It sets s->s2->padding and s->[rw]length * if we are encrypting */ void ssl2_enc(SSL *s, int send) { EVP_CIPHER_CTX *ds; unsigned long l; int bs; if (send) { ds=s->enc_write_ctx; l=s->s2->wlength; } else { ds=s->enc_read_ctx; l=s->s2->rlength; } /* check for NULL cipher */ if (ds == NULL) return; bs=ds->cipher->block_size; /* This should be using (bs-1) and bs instead of 7 and 8, but * what the hell. */ if (bs == 8) l=(l+7)/8*8; EVP_Cipher(ds,s->s2->mac_data,s->s2->mac_data,l); } void ssl2_mac(SSL *s, unsigned char *md, int send) { EVP_MD_CTX c; unsigned char sequence[4],*p,*sec,*act; unsigned long seq; unsigned int len; if (send) { seq=s->s2->write_sequence; sec=s->s2->write_key; len=s->s2->wact_data_length; act=s->s2->wact_data; } else { seq=s->s2->read_sequence; sec=s->s2->read_key; len=s->s2->ract_data_length; act=s->s2->ract_data; } p= &(sequence[0]); l2n(seq,p); /* There has to be a MAC algorithm. */ EVP_MD_CTX_init(&c); EVP_DigestInit_ex(&c, s->read_hash, NULL); EVP_DigestUpdate(&c,sec, EVP_CIPHER_CTX_key_length(s->enc_read_ctx)); EVP_DigestUpdate(&c,act,len); /* the above line also does the pad data */ EVP_DigestUpdate(&c,sequence,4); EVP_DigestFinal_ex(&c,md,NULL); EVP_MD_CTX_cleanup(&c); } #else /* !OPENSSL_NO_SSL2 */ # if PEDANTIC static void *dummy=&dummy; # endif #endif diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c index 910b9fe097d4..edcef4dda291 100644 --- a/crypto/openssl/ssl/s2_lib.c +++ b/crypto/openssl/ssl/s2_lib.c @@ -1,526 +1,527 @@ /* ssl/s2_lib.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include "ssl_locl.h" #ifndef OPENSSL_NO_SSL2 #include #include #include #include #include -#include "cryptlib.h" static long ssl2_default_timeout(void ); const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT; #define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER)) OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ /* NULL_WITH_MD5 v3 */ #if 0 { 1, SSL2_TXT_NULL_WITH_MD5, SSL2_CK_NULL_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_SSLV2, SSL_EXPORT|SSL_EXP40|SSL_STRONG_NONE, 0, 0, 0, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, #endif /* RC4_128_EXPORT40_WITH_MD5 */ { 1, SSL2_TXT_RC4_128_EXPORT40_WITH_MD5, SSL2_CK_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2, SSL_EXPORT|SSL_EXP40, SSL2_CF_5_BYTE_ENC, 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* RC4_128_WITH_MD5 */ { 1, SSL2_TXT_RC4_128_WITH_MD5, SSL2_CK_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* RC2_128_CBC_EXPORT40_WITH_MD5 */ { 1, SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5, SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2, SSL_EXPORT|SSL_EXP40, SSL2_CF_5_BYTE_ENC, 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* RC2_128_CBC_WITH_MD5 */ { 1, SSL2_TXT_RC2_128_CBC_WITH_MD5, SSL2_CK_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* IDEA_128_CBC_WITH_MD5 */ +#ifndef OPENSSL_NO_IDEA { 1, SSL2_TXT_IDEA_128_CBC_WITH_MD5, SSL2_CK_IDEA_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_SSLV2, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, +#endif /* DES_64_CBC_WITH_MD5 */ { 1, SSL2_TXT_DES_64_CBC_WITH_MD5, SSL2_CK_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_SSLV2, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* DES_192_EDE3_CBC_WITH_MD5 */ { 1, SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5, SSL2_CK_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_SSLV2, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* RC4_64_WITH_MD5 */ #if 1 { 1, SSL2_TXT_RC4_64_WITH_MD5, SSL2_CK_RC4_64_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2, SSL_NOT_EXP|SSL_LOW, SSL2_CF_8_BYTE_ENC, 64, 64, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, #endif /* NULL SSLeay (testing) */ #if 0 { 0, SSL2_TXT_NULL, SSL2_CK_NULL, 0, SSL_STRONG_NONE, 0, 0, 0, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, #endif /* end of list :-) */ }; static SSL_METHOD SSLv2_data= { SSL2_VERSION, ssl2_new, /* local */ ssl2_clear, /* local */ ssl2_free, /* local */ ssl_undefined_function, ssl_undefined_function, ssl2_read, ssl2_peek, ssl2_write, ssl2_shutdown, ssl_ok, /* NULL - renegotiate */ ssl_ok, /* NULL - check renegotiate */ ssl2_ctrl, /* local */ ssl2_ctx_ctrl, /* local */ ssl2_get_cipher_by_char, ssl2_put_cipher_by_char, ssl2_pending, ssl2_num_ciphers, ssl2_get_cipher, ssl_bad_method, ssl2_default_timeout, &ssl3_undef_enc_method, ssl_undefined_function, ssl2_callback_ctrl, /* local */ ssl2_ctx_callback_ctrl, /* local */ }; static long ssl2_default_timeout(void) { return(300); } SSL_METHOD *sslv2_base_method(void) { return(&SSLv2_data); } int ssl2_num_ciphers(void) { return(SSL2_NUM_CIPHERS); } SSL_CIPHER *ssl2_get_cipher(unsigned int u) { if (u < SSL2_NUM_CIPHERS) return(&(ssl2_ciphers[SSL2_NUM_CIPHERS-1-u])); else return(NULL); } int ssl2_pending(SSL *s) { return SSL_in_init(s) ? 0 : s->s2->ract_data_length; } int ssl2_new(SSL *s) { SSL2_STATE *s2; if ((s2=OPENSSL_malloc(sizeof *s2)) == NULL) goto err; memset(s2,0,sizeof *s2); #if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2 # error "assertion failed" #endif if ((s2->rbuf=OPENSSL_malloc( SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err; /* wbuf needs one byte more because when using two-byte headers, * we leave the first byte unused in do_ssl_write (s2_pkt.c) */ if ((s2->wbuf=OPENSSL_malloc( SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+3)) == NULL) goto err; s->s2=s2; ssl2_clear(s); return(1); err: if (s2 != NULL) { if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf); if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf); OPENSSL_free(s2); } return(0); } void ssl2_free(SSL *s) { SSL2_STATE *s2; if(s == NULL) return; s2=s->s2; if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf); if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf); OPENSSL_cleanse(s2,sizeof *s2); OPENSSL_free(s2); s->s2=NULL; } void ssl2_clear(SSL *s) { SSL2_STATE *s2; unsigned char *rbuf,*wbuf; s2=s->s2; rbuf=s2->rbuf; wbuf=s2->wbuf; memset(s2,0,sizeof *s2); s2->rbuf=rbuf; s2->wbuf=wbuf; s2->clear_text=1; s->packet=s2->rbuf; s->version=SSL2_VERSION; s->packet_length=0; } long ssl2_ctrl(SSL *s, int cmd, long larg, void *parg) { int ret=0; switch(cmd) { case SSL_CTRL_GET_SESSION_REUSED: ret=s->hit; break; default: break; } return(ret); } long ssl2_callback_ctrl(SSL *s, int cmd, void (*fp)()) { return(0); } long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { return(0); } long ssl2_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) { return(0); } /* This function needs to check if the ciphers required are actually * available */ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p) { static int init=1; static SSL_CIPHER *sorted[SSL2_NUM_CIPHERS]; SSL_CIPHER c,*cp= &c,**cpp; unsigned long id; int i; if (init) { CRYPTO_w_lock(CRYPTO_LOCK_SSL); if (init) { for (i=0; ivalid) return(NULL); else return(*cpp); } int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) { long l; if (p != NULL) { l=c->id; if ((l & 0xff000000) != 0x02000000) return(0); p[0]=((unsigned char)(l>>16L))&0xFF; p[1]=((unsigned char)(l>> 8L))&0xFF; p[2]=((unsigned char)(l ))&0xFF; } return(3); } int ssl2_generate_key_material(SSL *s) { unsigned int i; EVP_MD_CTX ctx; unsigned char *km; unsigned char c='0'; const EVP_MD *md5; md5 = EVP_md5(); #ifdef CHARSET_EBCDIC c = os_toascii['0']; /* Must be an ASCII '0', not EBCDIC '0', see SSLv2 docu */ #endif EVP_MD_CTX_init(&ctx); km=s->s2->key_material; if (s->session->master_key_length < 0 || s->session->master_key_length > sizeof s->session->master_key) { SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR); return 0; } for (i=0; is2->key_material_length; i += EVP_MD_size(md5)) { if (((km - s->s2->key_material) + EVP_MD_size(md5)) > sizeof s->s2->key_material) { /* EVP_DigestFinal_ex() below would write beyond buffer */ SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR); return 0; } EVP_DigestInit_ex(&ctx, md5, NULL); OPENSSL_assert(s->session->master_key_length >= 0 && s->session->master_key_length < sizeof s->session->master_key); EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length); EVP_DigestUpdate(&ctx,&c,1); c++; EVP_DigestUpdate(&ctx,s->s2->challenge,s->s2->challenge_length); EVP_DigestUpdate(&ctx,s->s2->conn_id,s->s2->conn_id_length); EVP_DigestFinal_ex(&ctx,km,NULL); km += EVP_MD_size(md5); } EVP_MD_CTX_cleanup(&ctx); return 1; } void ssl2_return_error(SSL *s, int err) { if (!s->error) { s->error=3; s->error_code=err; ssl2_write_error(s); } } void ssl2_write_error(SSL *s) { unsigned char buf[3]; int i,error; buf[0]=SSL2_MT_ERROR; buf[1]=(s->error_code>>8)&0xff; buf[2]=(s->error_code)&0xff; /* state=s->rwstate;*/ error=s->error; /* number of bytes left to write */ s->error=0; OPENSSL_assert(error >= 0 && error <= sizeof buf); i=ssl2_write(s,&(buf[3-error]),error); /* if (i == error) s->rwstate=state; */ if (i < 0) s->error=error; else { s->error=error-i; if (s->error == 0) if (s->msg_callback) s->msg_callback(1, s->version, 0, buf, 3, s, s->msg_callback_arg); /* ERROR */ } } int ssl2_shutdown(SSL *s) { s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); return(1); } #else /* !OPENSSL_NO_SSL2 */ # if PEDANTIC static void *dummy=&dummy; # endif #endif diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c index d82f1376135e..a10929a757f9 100644 --- a/crypto/openssl/ssl/s2_pkt.c +++ b/crypto/openssl/ssl/s2_pkt.c @@ -1,738 +1,737 @@ /* ssl/s2_pkt.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include "ssl_locl.h" #ifndef OPENSSL_NO_SSL2 #include #include -#include "cryptlib.h" #define USE_SOCKETS static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend); static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len); static int write_pending(SSL *s, const unsigned char *buf, unsigned int len); static int ssl_mt_error(int n); /* SSL 2.0 imlementation for SSL_read/SSL_peek - * This routine will return 0 to len bytes, decrypted etc if required. */ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek) { int n; unsigned char mac[MAX_MAC_SIZE]; unsigned char *p; int i; unsigned int mac_size; ssl2_read_again: if (SSL_in_init(s) && !s->in_handshake) { n=s->handshake_func(s); if (n < 0) return(n); if (n == 0) { SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_SSL_HANDSHAKE_FAILURE); return(-1); } } clear_sys_error(); s->rwstate=SSL_NOTHING; if (len <= 0) return(len); if (s->s2->ract_data_length != 0) /* read from buffer */ { if (len > s->s2->ract_data_length) n=s->s2->ract_data_length; else n=len; memcpy(buf,s->s2->ract_data,(unsigned int)n); if (!peek) { s->s2->ract_data_length-=n; s->s2->ract_data+=n; if (s->s2->ract_data_length == 0) s->rstate=SSL_ST_READ_HEADER; } return(n); } /* s->s2->ract_data_length == 0 * * Fill the buffer, then goto ssl2_read_again. */ if (s->rstate == SSL_ST_READ_HEADER) { if (s->first_packet) { n=read_n(s,5,SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2,0); if (n <= 0) return(n); /* error or non-blocking */ s->first_packet=0; p=s->packet; if (!((p[0] & 0x80) && ( (p[2] == SSL2_MT_CLIENT_HELLO) || (p[2] == SSL2_MT_SERVER_HELLO)))) { SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_NON_SSLV2_INITIAL_PACKET); return(-1); } } else { n=read_n(s,2,SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2,0); if (n <= 0) return(n); /* error or non-blocking */ } /* part read stuff */ s->rstate=SSL_ST_READ_BODY; p=s->packet; /* Do header */ /*s->s2->padding=0;*/ s->s2->escape=0; s->s2->rlength=(((unsigned int)p[0])<<8)|((unsigned int)p[1]); if ((p[0] & TWO_BYTE_BIT)) /* Two byte header? */ { s->s2->three_byte_header=0; s->s2->rlength&=TWO_BYTE_MASK; } else { s->s2->three_byte_header=1; s->s2->rlength&=THREE_BYTE_MASK; /* security >s2->escape */ s->s2->escape=((p[0] & SEC_ESC_BIT))?1:0; } } if (s->rstate == SSL_ST_READ_BODY) { n=s->s2->rlength+2+s->s2->three_byte_header; if (n > (int)s->packet_length) { n-=s->packet_length; i=read_n(s,(unsigned int)n,(unsigned int)n,1); if (i <= 0) return(i); /* ERROR */ } p= &(s->packet[2]); s->rstate=SSL_ST_READ_HEADER; if (s->s2->three_byte_header) s->s2->padding= *(p++); else s->s2->padding=0; /* Data portion */ if (s->s2->clear_text) { mac_size = 0; s->s2->mac_data=p; s->s2->ract_data=p; if (s->s2->padding) { SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_ILLEGAL_PADDING); return(-1); } } else { mac_size=EVP_MD_size(s->read_hash); OPENSSL_assert(mac_size <= MAX_MAC_SIZE); s->s2->mac_data=p; s->s2->ract_data= &p[mac_size]; if (s->s2->padding + mac_size > s->s2->rlength) { SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_ILLEGAL_PADDING); return(-1); } } s->s2->ract_data_length=s->s2->rlength; /* added a check for length > max_size in case * encryption was not turned on yet due to an error */ if ((!s->s2->clear_text) && (s->s2->rlength >= mac_size)) { ssl2_enc(s,0); s->s2->ract_data_length-=mac_size; ssl2_mac(s,mac,0); s->s2->ract_data_length-=s->s2->padding; if ( (memcmp(mac,s->s2->mac_data, (unsigned int)mac_size) != 0) || (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0)) { SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE); return(-1); } } INC32(s->s2->read_sequence); /* expect next number */ /* s->s2->ract_data is now available for processing */ /* Possibly the packet that we just read had 0 actual data bytes. * (SSLeay/OpenSSL itself never sends such packets; see ssl2_write.) * In this case, returning 0 would be interpreted by the caller * as indicating EOF, so it's not a good idea. Instead, we just * continue reading; thus ssl2_read_internal may have to process * multiple packets before it can return. * * [Note that using select() for blocking sockets *never* guarantees * that the next SSL_read will not block -- the available * data may contain incomplete packets, and except for SSL 2, * renegotiation can confuse things even more.] */ goto ssl2_read_again; /* This should really be * "return ssl2_read(s,buf,len)", * but that would allow for * denial-of-service attacks if a * C compiler is used that does not * recognize end-recursion. */ } else { SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_STATE); return(-1); } } int ssl2_read(SSL *s, void *buf, int len) { return ssl2_read_internal(s, buf, len, 0); } int ssl2_peek(SSL *s, void *buf, int len) { return ssl2_read_internal(s, buf, len, 1); } static int read_n(SSL *s, unsigned int n, unsigned int max, unsigned int extend) { int i,off,newb; /* if there is stuff still in the buffer from a previous read, * and there is more than we want, take some. */ if (s->s2->rbuf_left >= (int)n) { if (extend) s->packet_length+=n; else { s->packet= &(s->s2->rbuf[s->s2->rbuf_offs]); s->packet_length=n; } s->s2->rbuf_left-=n; s->s2->rbuf_offs+=n; return(n); } if (!s->read_ahead) max=n; if (max > (unsigned int)(SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) max=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2; /* Else we want more than we have. * First, if there is some left or we want to extend */ off=0; if ((s->s2->rbuf_left != 0) || ((s->packet_length != 0) && extend)) { newb=s->s2->rbuf_left; if (extend) { off=s->packet_length; if (s->packet != s->s2->rbuf) memcpy(s->s2->rbuf,s->packet, (unsigned int)newb+off); } else if (s->s2->rbuf_offs != 0) { memcpy(s->s2->rbuf,&(s->s2->rbuf[s->s2->rbuf_offs]), (unsigned int)newb); s->s2->rbuf_offs=0; } s->s2->rbuf_left=0; } else newb=0; /* off is the offset to start writing too. * r->s2->rbuf_offs is the 'unread data', now 0. * newb is the number of new bytes so far */ s->packet=s->s2->rbuf; while (newb < (int)n) { clear_sys_error(); if (s->rbio != NULL) { s->rwstate=SSL_READING; i=BIO_read(s->rbio,(char *)&(s->s2->rbuf[off+newb]), max-newb); } else { SSLerr(SSL_F_READ_N,SSL_R_READ_BIO_NOT_SET); i= -1; } #ifdef PKT_DEBUG if (s->debug & 0x01) sleep(1); #endif if (i <= 0) { s->s2->rbuf_left+=newb; return(i); } newb+=i; } /* record unread data */ if (newb > (int)n) { s->s2->rbuf_offs=n+off; s->s2->rbuf_left=newb-n; } else { s->s2->rbuf_offs=0; s->s2->rbuf_left=0; } if (extend) s->packet_length+=n; else s->packet_length=n; s->rwstate=SSL_NOTHING; return(n); } int ssl2_write(SSL *s, const void *_buf, int len) { const unsigned char *buf=_buf; unsigned int n,tot; int i; if (SSL_in_init(s) && !s->in_handshake) { i=s->handshake_func(s); if (i < 0) return(i); if (i == 0) { SSLerr(SSL_F_SSL2_WRITE,SSL_R_SSL_HANDSHAKE_FAILURE); return(-1); } } if (s->error) { ssl2_write_error(s); if (s->error) return(-1); } clear_sys_error(); s->rwstate=SSL_NOTHING; if (len <= 0) return(len); tot=s->s2->wnum; s->s2->wnum=0; n=(len-tot); for (;;) { i=do_ssl_write(s,&(buf[tot]),n); if (i <= 0) { s->s2->wnum=tot; return(i); } if ((i == (int)n) || (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)) { return(tot+i); } n-=i; tot+=i; } } static int write_pending(SSL *s, const unsigned char *buf, unsigned int len) { int i; /* s->s2->wpend_len != 0 MUST be true. */ /* check that they have given us the same buffer to * write */ if ((s->s2->wpend_tot > (int)len) || ((s->s2->wpend_buf != buf) && !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))) { SSLerr(SSL_F_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY); return(-1); } for (;;) { clear_sys_error(); if (s->wbio != NULL) { s->rwstate=SSL_WRITING; i=BIO_write(s->wbio, (char *)&(s->s2->write_ptr[s->s2->wpend_off]), (unsigned int)s->s2->wpend_len); } else { SSLerr(SSL_F_WRITE_PENDING,SSL_R_WRITE_BIO_NOT_SET); i= -1; } #ifdef PKT_DEBUG if (s->debug & 0x01) sleep(1); #endif if (i == s->s2->wpend_len) { s->s2->wpend_len=0; s->rwstate=SSL_NOTHING; return(s->s2->wpend_ret); } else if (i <= 0) return(i); s->s2->wpend_off+=i; s->s2->wpend_len-=i; } } static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) { unsigned int j,k,olen,p,mac_size,bs; register unsigned char *pp; olen=len; /* first check if there is data from an encryption waiting to * be sent - it must be sent because the other end is waiting. * This will happen with non-blocking IO. We print it and then * return. */ if (s->s2->wpend_len != 0) return(write_pending(s,buf,len)); /* set mac_size to mac size */ if (s->s2->clear_text) mac_size=0; else mac_size=EVP_MD_size(s->write_hash); /* lets set the pad p */ if (s->s2->clear_text) { if (len > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER) len=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER; p=0; s->s2->three_byte_header=0; /* len=len; */ } else { bs=EVP_CIPHER_CTX_block_size(s->enc_read_ctx); j=len+mac_size; /* Two-byte headers allow for a larger record length than * three-byte headers, but we can't use them if we need * padding or if we have to set the escape bit. */ if ((j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) && (!s->s2->escape)) { if (j > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER) j=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER; /* set k to the max number of bytes with 2 * byte header */ k=j-(j%bs); /* how many data bytes? */ len=k-mac_size; s->s2->three_byte_header=0; p=0; } else if ((bs <= 1) && (!s->s2->escape)) { /* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */ s->s2->three_byte_header=0; p=0; } else /* we may have to use a 3 byte header */ { /* If s->s2->escape is not set, then * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */ p=(j%bs); p=(p == 0)?0:(bs-p); if (s->s2->escape) { s->s2->three_byte_header=1; if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER; } else s->s2->three_byte_header=(p == 0)?0:1; } } /* Now * j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER * holds, and if s->s2->three_byte_header is set, then even * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER. */ /* mac_size is the number of MAC bytes * len is the number of data bytes we are going to send * p is the number of padding bytes * (if it is a two-byte header, then p == 0) */ s->s2->wlength=len; s->s2->padding=p; s->s2->mac_data= &(s->s2->wbuf[3]); s->s2->wact_data= &(s->s2->wbuf[3+mac_size]); /* we copy the data into s->s2->wbuf */ memcpy(s->s2->wact_data,buf,len); if (p) memset(&(s->s2->wact_data[len]),0,p); /* arbitrary padding */ if (!s->s2->clear_text) { s->s2->wact_data_length=len+p; ssl2_mac(s,s->s2->mac_data,1); s->s2->wlength+=p+mac_size; ssl2_enc(s,1); } /* package up the header */ s->s2->wpend_len=s->s2->wlength; if (s->s2->three_byte_header) /* 3 byte header */ { pp=s->s2->mac_data; pp-=3; pp[0]=(s->s2->wlength>>8)&(THREE_BYTE_MASK>>8); if (s->s2->escape) pp[0]|=SEC_ESC_BIT; pp[1]=s->s2->wlength&0xff; pp[2]=s->s2->padding; s->s2->wpend_len+=3; } else { pp=s->s2->mac_data; pp-=2; pp[0]=((s->s2->wlength>>8)&(TWO_BYTE_MASK>>8))|TWO_BYTE_BIT; pp[1]=s->s2->wlength&0xff; s->s2->wpend_len+=2; } s->s2->write_ptr=pp; INC32(s->s2->write_sequence); /* expect next number */ /* lets try to actually write the data */ s->s2->wpend_tot=olen; s->s2->wpend_buf=buf; s->s2->wpend_ret=len; s->s2->wpend_off=0; return(write_pending(s,buf,olen)); } int ssl2_part_read(SSL *s, unsigned long f, int i) { unsigned char *p; int j; if (i < 0) { /* ssl2_return_error(s); */ /* for non-blocking io, * this is not necessarily fatal */ return(i); } else { s->init_num+=i; /* Check for error. While there are recoverable errors, * this function is not called when those must be expected; * any error detected here is fatal. */ if (s->init_num >= 3) { p=(unsigned char *)s->init_buf->data; if (p[0] == SSL2_MT_ERROR) { j=(p[1]<<8)|p[2]; SSLerr((int)f,ssl_mt_error(j)); s->init_num -= 3; if (s->init_num > 0) memmove(p, p+3, s->init_num); } } /* If it's not an error message, we have some error anyway -- * the message was shorter than expected. This too is treated * as fatal (at least if SSL_get_error is asked for its opinion). */ return(0); } } int ssl2_do_write(SSL *s) { int ret; ret=ssl2_write(s,&s->init_buf->data[s->init_off],s->init_num); if (ret == s->init_num) { if (s->msg_callback) s->msg_callback(1, s->version, 0, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, s->msg_callback_arg); return(1); } if (ret < 0) return(-1); s->init_off+=ret; s->init_num-=ret; return(0); } static int ssl_mt_error(int n) { int ret; switch (n) { case SSL2_PE_NO_CIPHER: ret=SSL_R_PEER_ERROR_NO_CIPHER; break; case SSL2_PE_NO_CERTIFICATE: ret=SSL_R_PEER_ERROR_NO_CERTIFICATE; break; case SSL2_PE_BAD_CERTIFICATE: ret=SSL_R_PEER_ERROR_CERTIFICATE; break; case SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE: ret=SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE; break; default: ret=SSL_R_UNKNOWN_REMOTE_ERROR_TYPE; break; } return(ret); } #else /* !OPENSSL_NO_SSL2 */ # if PEDANTIC static void *dummy=&dummy; # endif #endif diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c index 62859a2d950e..5da2a54af37f 100644 --- a/crypto/openssl/ssl/s2_srvr.c +++ b/crypto/openssl/ssl/s2_srvr.c @@ -1,1157 +1,1156 @@ /* ssl/s2_srvr.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include "ssl_locl.h" #ifndef OPENSSL_NO_SSL2 #include #include #include #include #include -#include "cryptlib.h" static SSL_METHOD *ssl2_get_server_method(int ver); static int get_client_master_key(SSL *s); static int get_client_hello(SSL *s); static int server_hello(SSL *s); static int get_client_finished(SSL *s); static int server_verify(SSL *s); static int server_finish(SSL *s); static int request_certificate(SSL *s); static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from, unsigned char *to,int padding); #define BREAK break static SSL_METHOD *ssl2_get_server_method(int ver) { if (ver == SSL2_VERSION) return(SSLv2_server_method()); else return(NULL); } SSL_METHOD *SSLv2_server_method(void) { static int init=1; static SSL_METHOD SSLv2_server_data; if (init) { CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); if (init) { memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(), sizeof(SSL_METHOD)); SSLv2_server_data.ssl_accept=ssl2_accept; SSLv2_server_data.get_ssl_method=ssl2_get_server_method; init=0; } CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv2_server_data); } int ssl2_accept(SSL *s) { unsigned long l=time(NULL); BUF_MEM *buf=NULL; int ret= -1; long num1; void (*cb)(const SSL *ssl,int type,int val)=NULL; int new_state,state; RAND_add(&l,sizeof(l),0); ERR_clear_error(); clear_sys_error(); if (s->info_callback != NULL) cb=s->info_callback; else if (s->ctx->info_callback != NULL) cb=s->ctx->info_callback; /* init things to blank */ s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); if (s->cert == NULL) { SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_NO_CERTIFICATE_SET); return(-1); } clear_sys_error(); for (;;) { state=s->state; switch (s->state) { case SSL_ST_BEFORE: case SSL_ST_ACCEPT: case SSL_ST_BEFORE|SSL_ST_ACCEPT: case SSL_ST_OK|SSL_ST_ACCEPT: s->server=1; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); s->version=SSL2_VERSION; s->type=SSL_ST_ACCEPT; buf=s->init_buf; if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL)) { ret= -1; goto end; } if (!BUF_MEM_grow(buf,(int) SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { ret= -1; goto end; } s->init_buf=buf; s->init_num=0; s->ctx->stats.sess_accept++; s->handshake_func=ssl2_accept; s->state=SSL2_ST_GET_CLIENT_HELLO_A; BREAK; case SSL2_ST_GET_CLIENT_HELLO_A: case SSL2_ST_GET_CLIENT_HELLO_B: case SSL2_ST_GET_CLIENT_HELLO_C: s->shutdown=0; ret=get_client_hello(s); if (ret <= 0) goto end; s->init_num=0; s->state=SSL2_ST_SEND_SERVER_HELLO_A; BREAK; case SSL2_ST_SEND_SERVER_HELLO_A: case SSL2_ST_SEND_SERVER_HELLO_B: ret=server_hello(s); if (ret <= 0) goto end; s->init_num=0; if (!s->hit) { s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_A; BREAK; } else { s->state=SSL2_ST_SERVER_START_ENCRYPTION; BREAK; } case SSL2_ST_GET_CLIENT_MASTER_KEY_A: case SSL2_ST_GET_CLIENT_MASTER_KEY_B: ret=get_client_master_key(s); if (ret <= 0) goto end; s->init_num=0; s->state=SSL2_ST_SERVER_START_ENCRYPTION; BREAK; case SSL2_ST_SERVER_START_ENCRYPTION: /* Ok we how have sent all the stuff needed to * start encrypting, the next packet back will * be encrypted. */ if (!ssl2_enc_init(s,0)) { ret= -1; goto end; } s->s2->clear_text=0; s->state=SSL2_ST_SEND_SERVER_VERIFY_A; BREAK; case SSL2_ST_SEND_SERVER_VERIFY_A: case SSL2_ST_SEND_SERVER_VERIFY_B: ret=server_verify(s); if (ret <= 0) goto end; s->init_num=0; if (s->hit) { /* If we are in here, we have been * buffering the output, so we need to * flush it and remove buffering from * future traffic */ s->state=SSL2_ST_SEND_SERVER_VERIFY_C; BREAK; } else { s->state=SSL2_ST_GET_CLIENT_FINISHED_A; break; } case SSL2_ST_SEND_SERVER_VERIFY_C: /* get the number of bytes to write */ num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); if (num1 != 0) { s->rwstate=SSL_WRITING; num1=BIO_flush(s->wbio); if (num1 <= 0) { ret= -1; goto end; } s->rwstate=SSL_NOTHING; } /* flushed and now remove buffering */ s->wbio=BIO_pop(s->wbio); s->state=SSL2_ST_GET_CLIENT_FINISHED_A; BREAK; case SSL2_ST_GET_CLIENT_FINISHED_A: case SSL2_ST_GET_CLIENT_FINISHED_B: ret=get_client_finished(s); if (ret <= 0) goto end; s->init_num=0; s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_A; BREAK; case SSL2_ST_SEND_REQUEST_CERTIFICATE_A: case SSL2_ST_SEND_REQUEST_CERTIFICATE_B: case SSL2_ST_SEND_REQUEST_CERTIFICATE_C: case SSL2_ST_SEND_REQUEST_CERTIFICATE_D: /* don't do a 'request certificate' if we * don't want to, or we already have one, and * we only want to do it once. */ if (!(s->verify_mode & SSL_VERIFY_PEER) || ((s->session->peer != NULL) && (s->verify_mode & SSL_VERIFY_CLIENT_ONCE))) { s->state=SSL2_ST_SEND_SERVER_FINISHED_A; break; } else { ret=request_certificate(s); if (ret <= 0) goto end; s->init_num=0; s->state=SSL2_ST_SEND_SERVER_FINISHED_A; } BREAK; case SSL2_ST_SEND_SERVER_FINISHED_A: case SSL2_ST_SEND_SERVER_FINISHED_B: ret=server_finish(s); if (ret <= 0) goto end; s->init_num=0; s->state=SSL_ST_OK; break; case SSL_ST_OK: BUF_MEM_free(s->init_buf); ssl_free_wbio_buffer(s); s->init_buf=NULL; s->init_num=0; /* ERR_clear_error();*/ ssl_update_cache(s,SSL_SESS_CACHE_SERVER); s->ctx->stats.sess_accept_good++; /* s->server=1; */ ret=1; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); goto end; /* BREAK; */ default: SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_UNKNOWN_STATE); ret= -1; goto end; /* BREAK; */ } if ((cb != NULL) && (s->state != state)) { new_state=s->state; s->state=state; cb(s,SSL_CB_ACCEPT_LOOP,1); s->state=new_state; } } end: s->in_handshake--; if (cb != NULL) cb(s,SSL_CB_ACCEPT_EXIT,ret); return(ret); } static int get_client_master_key(SSL *s) { int is_export,i,n,keya,ek; unsigned long len; unsigned char *p; SSL_CIPHER *cp; const EVP_CIPHER *c; const EVP_MD *md; p=(unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A) { i=ssl2_read(s,(char *)&(p[s->init_num]),10-s->init_num); if (i < (10-s->init_num)) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i)); s->init_num = 10; if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY) { if (p[-1] != SSL2_MT_ERROR) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_READ_WRONG_PACKET_TYPE); } else SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_PEER_ERROR); return(-1); } cp=ssl2_get_cipher_by_char(p); if (cp == NULL) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH); return(-1); } s->session->cipher= cp; p+=3; n2s(p,i); s->s2->tmp.clear=i; n2s(p,i); s->s2->tmp.enc=i; n2s(p,i); s->session->key_arg_length=i; if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG); return -1; } s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B; } /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */ p=(unsigned char *)s->init_buf->data; if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); return -1; } keya=s->session->key_arg_length; len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya; if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG); return -1; } n = (int)len - s->init_num; i = ssl2_read(s,(char *)&(p[s->init_num]),n); if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i)); if (s->msg_callback) s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-MASTER-KEY */ p += 10; memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]), (unsigned int)keya); if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY); return(-1); } i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc, &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]), (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING); is_export=SSL_C_IS_EXPORT(s->session->cipher); if (!ssl_cipher_get_evp(s->session,&c,&md,NULL)) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); return(0); } if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) { is_export=1; ek=8; } else ek=5; /* bad decrypt */ #if 1 /* If a bad decrypt, continue with protocol but with a * random master secret (Bleichenbacher attack) */ if ((i < 0) || ((!is_export && (i != EVP_CIPHER_key_length(c))) || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i != (unsigned int)EVP_CIPHER_key_length(c)))))) { ERR_clear_error(); if (is_export) i=ek; else i=EVP_CIPHER_key_length(c); RAND_pseudo_bytes(p,i); } #else if (i < 0) { error=1; SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_RSA_DECRYPT); } /* incorrect number of key bytes for non export cipher */ else if ((!is_export && (i != EVP_CIPHER_key_length(c))) || (is_export && ((i != ek) || (s->s2->tmp.clear+i != EVP_CIPHER_key_length(c))))) { error=1; SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_WRONG_NUMBER_OF_KEY_BITS); } if (error) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); return(-1); } #endif if (is_export) i+=s->s2->tmp.clear; if (i > SSL_MAX_MASTER_KEY_LENGTH) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); return -1; } s->session->master_key_length=i; memcpy(s->session->master_key,p,(unsigned int)i); return(1); } static int get_client_hello(SSL *s) { int i,n; unsigned long len; unsigned char *p; STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */ STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */ STACK_OF(SSL_CIPHER) *prio, *allow; int z; /* This is a bit of a hack to check for the correct packet * type the first time round. */ if (s->state == SSL2_ST_GET_CLIENT_HELLO_A) { s->first_packet=1; s->state=SSL2_ST_GET_CLIENT_HELLO_B; } p=(unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_GET_CLIENT_HELLO_B) { i=ssl2_read(s,(char *)&(p[s->init_num]),9-s->init_num); if (i < (9-s->init_num)) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i)); s->init_num = 9; if (*(p++) != SSL2_MT_CLIENT_HELLO) { if (p[-1] != SSL2_MT_ERROR) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_READ_WRONG_PACKET_TYPE); } else SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_PEER_ERROR); return(-1); } n2s(p,i); if (i < s->version) s->version=i; n2s(p,i); s->s2->tmp.cipher_spec_length=i; n2s(p,i); s->s2->tmp.session_id_length=i; n2s(p,i); s->s2->challenge_length=i; if ( (i < SSL2_MIN_CHALLENGE_LENGTH) || (i > SSL2_MAX_CHALLENGE_LENGTH)) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_INVALID_CHALLENGE_LENGTH); return(-1); } s->state=SSL2_ST_GET_CLIENT_HELLO_C; } /* SSL2_ST_GET_CLIENT_HELLO_C */ p=(unsigned char *)s->init_buf->data; len = 9 + (unsigned long)s->s2->tmp.cipher_spec_length + (unsigned long)s->s2->challenge_length + (unsigned long)s->s2->tmp.session_id_length; if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_MESSAGE_TOO_LONG); return -1; } n = (int)len - s->init_num; i = ssl2_read(s,(char *)&(p[s->init_num]),n); if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i)); if (s->msg_callback) s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-HELLO */ p += 9; /* get session-id before cipher stuff so we can get out session * structure if it is cached */ /* session-id */ if ((s->s2->tmp.session_id_length != 0) && (s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH)) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_BAD_SSL_SESSION_ID_LENGTH); return(-1); } if (s->s2->tmp.session_id_length == 0) { if (!ssl_get_new_session(s,1)) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); return(-1); } } else { i=ssl_get_prev_session(s,&(p[s->s2->tmp.cipher_spec_length]), s->s2->tmp.session_id_length); if (i == 1) { /* previous session */ s->hit=1; } else if (i == -1) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); return(-1); } else { if (s->cert == NULL) { ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE); SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_NO_CERTIFICATE_SET); return(-1); } if (!ssl_get_new_session(s,1)) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); return(-1); } } } if (!s->hit) { cs=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.cipher_spec_length, &s->session->ciphers); if (cs == NULL) goto mem_err; cl=SSL_get_ciphers(s); if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { prio=sk_SSL_CIPHER_dup(cl); if (prio == NULL) goto mem_err; allow = cs; } else { prio = cs; allow = cl; } for (z=0; zoptions & SSL_OP_CIPHER_SERVER_PREFERENCE) { sk_SSL_CIPHER_free(s->session->ciphers); s->session->ciphers = prio; } /* s->session->ciphers should now have a list of * ciphers that are on both the client and server. * This list is ordered by the order the client sent * the ciphers or in the order of the server's preference * if SSL_OP_CIPHER_SERVER_PREFERENCE was set. */ } p+=s->s2->tmp.cipher_spec_length; /* done cipher selection */ /* session id extracted already */ p+=s->s2->tmp.session_id_length; /* challenge */ if (s->s2->challenge_length > sizeof s->s2->challenge) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); return -1; } memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length); return(1); mem_err: SSLerr(SSL_F_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE); return(0); } static int server_hello(SSL *s) { unsigned char *p,*d; int n,hit; STACK_OF(SSL_CIPHER) *sk; p=(unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_SEND_SERVER_HELLO_A) { d=p+11; *(p++)=SSL2_MT_SERVER_HELLO; /* type */ hit=s->hit; *(p++)=(unsigned char)hit; #if 1 if (!hit) { if (s->session->sess_cert != NULL) /* This can't really happen because get_client_hello * has called ssl_get_new_session, which does not set * sess_cert. */ ssl_sess_cert_free(s->session->sess_cert); s->session->sess_cert = ssl_sess_cert_new(); if (s->session->sess_cert == NULL) { SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE); return(-1); } } /* If 'hit' is set, then s->sess_cert may be non-NULL or NULL, * depending on whether it survived in the internal cache * or was retrieved from an external cache. * If it is NULL, we cannot put any useful data in it anyway, * so we don't touch it. */ #else /* That's what used to be done when cert_st and sess_cert_st were * the same. */ if (!hit) { /* else add cert to session */ CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT); if (s->session->sess_cert != NULL) ssl_cert_free(s->session->sess_cert); s->session->sess_cert=s->cert; } else /* We have a session id-cache hit, if the * session-id has no certificate listed against * the 'cert' structure, grab the 'old' one * listed against the SSL connection */ { if (s->session->sess_cert == NULL) { CRYPTO_add(&s->cert->references,1, CRYPTO_LOCK_SSL_CERT); s->session->sess_cert=s->cert; } } #endif if (s->cert == NULL) { ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE); SSLerr(SSL_F_SERVER_HELLO,SSL_R_NO_CERTIFICATE_SPECIFIED); return(-1); } if (hit) { *(p++)=0; /* no certificate type */ s2n(s->version,p); /* version */ s2n(0,p); /* cert len */ s2n(0,p); /* ciphers len */ } else { /* EAY EAY */ /* put certificate type */ *(p++)=SSL2_CT_X509_CERTIFICATE; s2n(s->version,p); /* version */ n=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL); s2n(n,p); /* certificate length */ i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&d); n=0; /* lets send out the ciphers we like in the * prefered order */ sk= s->session->ciphers; n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d); d+=n; s2n(n,p); /* add cipher length */ } /* make and send conn_id */ s2n(SSL2_CONNECTION_ID_LENGTH,p); /* add conn_id length */ s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH; RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length); memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH); d+=SSL2_CONNECTION_ID_LENGTH; s->state=SSL2_ST_SEND_SERVER_HELLO_B; s->init_num=d-(unsigned char *)s->init_buf->data; s->init_off=0; } /* SSL2_ST_SEND_SERVER_HELLO_B */ /* If we are using TCP/IP, the performance is bad if we do 2 * writes without a read between them. This occurs when * Session-id reuse is used, so I will put in a buffering module */ if (s->hit) { if (!ssl_init_wbio_buffer(s,1)) return(-1); } return(ssl2_do_write(s)); } static int get_client_finished(SSL *s) { unsigned char *p; int i, n; unsigned long len; p=(unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A) { i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num); if (i < 1-s->init_num) return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i)); s->init_num += i; if (*p != SSL2_MT_CLIENT_FINISHED) { if (*p != SSL2_MT_ERROR) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE); } else { SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_PEER_ERROR); /* try to read the error message */ i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num); return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i); } return(-1); } s->state=SSL2_ST_GET_CLIENT_FINISHED_B; } /* SSL2_ST_GET_CLIENT_FINISHED_B */ if (s->s2->conn_id_length > sizeof s->s2->conn_id) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR); return -1; } len = 1 + (unsigned long)s->s2->conn_id_length; n = (int)len - s->init_num; i = ssl2_read(s,(char *)&(p[s->init_num]),n); if (i < n) { return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i)); } if (s->msg_callback) s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-FINISHED */ p += 1; if (memcmp(p,s->s2->conn_id,s->s2->conn_id_length) != 0) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_CONNECTION_ID_IS_DIFFERENT); return(-1); } return(1); } static int server_verify(SSL *s) { unsigned char *p; if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A) { p=(unsigned char *)s->init_buf->data; *(p++)=SSL2_MT_SERVER_VERIFY; if (s->s2->challenge_length > sizeof s->s2->challenge) { SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR); return -1; } memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length); /* p+=s->s2->challenge_length; */ s->state=SSL2_ST_SEND_SERVER_VERIFY_B; s->init_num=s->s2->challenge_length+1; s->init_off=0; } return(ssl2_do_write(s)); } static int server_finish(SSL *s) { unsigned char *p; if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A) { p=(unsigned char *)s->init_buf->data; *(p++)=SSL2_MT_SERVER_FINISHED; if (s->session->session_id_length > sizeof s->session->session_id) { SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR); return -1; } memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length); /* p+=s->session->session_id_length; */ s->state=SSL2_ST_SEND_SERVER_FINISHED_B; s->init_num=s->session->session_id_length+1; s->init_off=0; } /* SSL2_ST_SEND_SERVER_FINISHED_B */ return(ssl2_do_write(s)); } /* send the request and check the response */ static int request_certificate(SSL *s) { unsigned char *p,*p2,*buf2; unsigned char *ccd; int i,j,ctype,ret= -1; unsigned long len; X509 *x509=NULL; STACK_OF(X509) *sk=NULL; ccd=s->s2->tmp.ccl; if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A) { p=(unsigned char *)s->init_buf->data; *(p++)=SSL2_MT_REQUEST_CERTIFICATE; *(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION; RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B; s->init_num=SSL2_MIN_CERT_CHALLENGE_LENGTH+2; s->init_off=0; } if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B) { i=ssl2_do_write(s); if (i <= 0) { ret=i; goto end; } s->init_num=0; s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_C; } if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C) { p=(unsigned char *)s->init_buf->data; i=ssl2_read(s,(char *)&(p[s->init_num]),6-s->init_num); /* try to read 6 octets ... */ if (i < 3-s->init_num) /* ... but don't call ssl2_part_read now if we got at least 3 * (probably NO-CERTIFICATE-ERROR) */ { ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i); goto end; } s->init_num += i; if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR)) { n2s(p,i); if (i != SSL2_PE_NO_CERTIFICATE) { /* not the error message we expected -- let ssl2_part_read handle it */ s->init_num -= 3; ret = ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE, 3); goto end; } if (s->msg_callback) s->msg_callback(0, s->version, 0, p, 3, s, s->msg_callback_arg); /* ERROR */ /* this is the one place where we can recover from an SSL 2.0 error */ if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE); SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); goto end; } ret=1; goto end; } if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (s->init_num < 6)) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_SHORT_READ); goto end; } if (s->init_num != 6) { SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR); goto end; } /* ok we have a response */ /* certificate type, there is only one right now. */ ctype= *(p++); if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION) { ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE); SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_RESPONSE_ARGUMENT); goto end; } n2s(p,i); s->s2->tmp.clen=i; n2s(p,i); s->s2->tmp.rlen=i; s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_D; } /* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */ p=(unsigned char *)s->init_buf->data; len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen; if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG); goto end; } j = (int)len - s->init_num; i = ssl2_read(s,(char *)&(p[s->init_num]),j); if (i < j) { ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i); goto end; } if (s->msg_callback) s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-CERTIFICATE */ p += 6; x509=(X509 *)d2i_X509(NULL,&p,(long)s->s2->tmp.clen); if (x509 == NULL) { SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_X509_LIB); goto msg_end; } if (((sk=sk_X509_new_null()) == NULL) || (!sk_X509_push(sk,x509))) { SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE); goto msg_end; } i=ssl_verify_cert_chain(s,sk); if (i) /* we like the packet, now check the chksum */ { EVP_MD_CTX ctx; EVP_PKEY *pkey=NULL; EVP_MD_CTX_init(&ctx); EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL); EVP_VerifyUpdate(&ctx,s->s2->key_material, s->s2->key_material_length); EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL); buf2=OPENSSL_malloc((unsigned int)i); if (buf2 == NULL) { SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE); goto msg_end; } p2=buf2; i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2); EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i); OPENSSL_free(buf2); pkey=X509_get_pubkey(x509); if (pkey == NULL) goto end; i=EVP_VerifyFinal(&ctx,p,s->s2->tmp.rlen,pkey); EVP_PKEY_free(pkey); EVP_MD_CTX_cleanup(&ctx); if (i) { if (s->session->peer != NULL) X509_free(s->session->peer); s->session->peer=x509; CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509); s->session->verify_result = s->verify_result; ret=1; goto end; } else { SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_CHECKSUM); goto msg_end; } } else { msg_end: ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE); } end: sk_X509_free(sk); X509_free(x509); return(ret); } static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from, unsigned char *to, int padding) { RSA *rsa; int i; if ((c == NULL) || (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)) { SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_NO_PRIVATEKEY); return(-1); } if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA) { SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_PUBLIC_KEY_IS_NOT_RSA); return(-1); } rsa=c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa; /* we have the public key */ i=RSA_private_decrypt(len,from,to,rsa,padding); if (i < 0) SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB); return(i); } #else /* !OPENSSL_NO_SSL2 */ # if PEDANTIC static void *dummy=&dummy; # endif #endif diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index eb7daebfdfb3..26ce0cb9639d 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -1,1981 +1,1980 @@ /* ssl/s3_clnt.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include "ssl_locl.h" #include "kssl_lcl.h" #include #include #include #include #include -#include "cryptlib.h" static SSL_METHOD *ssl3_get_client_method(int ver); static int ssl3_client_hello(SSL *s); static int ssl3_get_server_hello(SSL *s); static int ssl3_get_certificate_request(SSL *s); static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); static int ssl3_get_server_done(SSL *s); static int ssl3_send_client_verify(SSL *s); static int ssl3_send_client_certificate(SSL *s); static int ssl3_send_client_key_exchange(SSL *s); static int ssl3_get_key_exchange(SSL *s); static int ssl3_get_server_certificate(SSL *s); static int ssl3_check_cert_and_algorithm(SSL *s); static SSL_METHOD *ssl3_get_client_method(int ver) { if (ver == SSL3_VERSION) return(SSLv3_client_method()); else return(NULL); } SSL_METHOD *SSLv3_client_method(void) { static int init=1; static SSL_METHOD SSLv3_client_data; if (init) { CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); if (init) { memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(), sizeof(SSL_METHOD)); SSLv3_client_data.ssl_connect=ssl3_connect; SSLv3_client_data.get_ssl_method=ssl3_get_client_method; init=0; } CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv3_client_data); } int ssl3_connect(SSL *s) { BUF_MEM *buf=NULL; unsigned long Time=time(NULL),l; long num1; void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; int new_state,state,skip=0;; RAND_add(&Time,sizeof(Time),0); ERR_clear_error(); clear_sys_error(); if (s->info_callback != NULL) cb=s->info_callback; else if (s->ctx->info_callback != NULL) cb=s->ctx->info_callback; s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); for (;;) { state=s->state; switch(s->state) { case SSL_ST_RENEGOTIATE: s->new_session=1; s->state=SSL_ST_CONNECT; s->ctx->stats.sess_connect_renegotiate++; /* break */ case SSL_ST_BEFORE: case SSL_ST_CONNECT: case SSL_ST_BEFORE|SSL_ST_CONNECT: case SSL_ST_OK|SSL_ST_CONNECT: s->server=0; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); if ((s->version & 0xff00 ) != 0x0300) { SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); ret = -1; goto end; } /* s->version=SSL3_VERSION; */ s->type=SSL_ST_CONNECT; if (s->init_buf == NULL) { if ((buf=BUF_MEM_new()) == NULL) { ret= -1; goto end; } if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) { ret= -1; goto end; } s->init_buf=buf; buf=NULL; } if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } /* setup buffing BIO */ if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } /* don't push the buffering BIO quite yet */ ssl3_init_finished_mac(s); s->state=SSL3_ST_CW_CLNT_HELLO_A; s->ctx->stats.sess_connect++; s->init_num=0; break; case SSL3_ST_CW_CLNT_HELLO_A: case SSL3_ST_CW_CLNT_HELLO_B: s->shutdown=0; ret=ssl3_client_hello(s); if (ret <= 0) goto end; s->state=SSL3_ST_CR_SRVR_HELLO_A; s->init_num=0; /* turn on buffering for the next lot of output */ if (s->bbio != s->wbio) s->wbio=BIO_push(s->bbio,s->wbio); break; case SSL3_ST_CR_SRVR_HELLO_A: case SSL3_ST_CR_SRVR_HELLO_B: ret=ssl3_get_server_hello(s); if (ret <= 0) goto end; if (s->hit) s->state=SSL3_ST_CR_FINISHED_A; else s->state=SSL3_ST_CR_CERT_A; s->init_num=0; break; case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: /* Check if it is anon DH */ if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) { ret=ssl3_get_server_certificate(s); if (ret <= 0) goto end; } else skip=1; s->state=SSL3_ST_CR_KEY_EXCH_A; s->init_num=0; break; case SSL3_ST_CR_KEY_EXCH_A: case SSL3_ST_CR_KEY_EXCH_B: ret=ssl3_get_key_exchange(s); if (ret <= 0) goto end; s->state=SSL3_ST_CR_CERT_REQ_A; s->init_num=0; /* at this point we check that we have the * required stuff from the server */ if (!ssl3_check_cert_and_algorithm(s)) { ret= -1; goto end; } break; case SSL3_ST_CR_CERT_REQ_A: case SSL3_ST_CR_CERT_REQ_B: ret=ssl3_get_certificate_request(s); if (ret <= 0) goto end; s->state=SSL3_ST_CR_SRVR_DONE_A; s->init_num=0; break; case SSL3_ST_CR_SRVR_DONE_A: case SSL3_ST_CR_SRVR_DONE_B: ret=ssl3_get_server_done(s); if (ret <= 0) goto end; if (s->s3->tmp.cert_req) s->state=SSL3_ST_CW_CERT_A; else s->state=SSL3_ST_CW_KEY_EXCH_A; s->init_num=0; break; case SSL3_ST_CW_CERT_A: case SSL3_ST_CW_CERT_B: case SSL3_ST_CW_CERT_C: case SSL3_ST_CW_CERT_D: ret=ssl3_send_client_certificate(s); if (ret <= 0) goto end; s->state=SSL3_ST_CW_KEY_EXCH_A; s->init_num=0; break; case SSL3_ST_CW_KEY_EXCH_A: case SSL3_ST_CW_KEY_EXCH_B: ret=ssl3_send_client_key_exchange(s); if (ret <= 0) goto end; l=s->s3->tmp.new_cipher->algorithms; /* EAY EAY EAY need to check for DH fix cert * sent back */ /* For TLS, cert_req is set to 2, so a cert chain * of nothing is sent, but no verify packet is sent */ if (s->s3->tmp.cert_req == 1) { s->state=SSL3_ST_CW_CERT_VRFY_A; } else { s->state=SSL3_ST_CW_CHANGE_A; s->s3->change_cipher_spec=0; } s->init_num=0; break; case SSL3_ST_CW_CERT_VRFY_A: case SSL3_ST_CW_CERT_VRFY_B: ret=ssl3_send_client_verify(s); if (ret <= 0) goto end; s->state=SSL3_ST_CW_CHANGE_A; s->init_num=0; s->s3->change_cipher_spec=0; break; case SSL3_ST_CW_CHANGE_A: case SSL3_ST_CW_CHANGE_B: ret=ssl3_send_change_cipher_spec(s, SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); if (ret <= 0) goto end; s->state=SSL3_ST_CW_FINISHED_A; s->init_num=0; s->session->cipher=s->s3->tmp.new_cipher; if (s->s3->tmp.new_compression == NULL) s->session->compress_meth=0; else s->session->compress_meth= s->s3->tmp.new_compression->id; if (!s->method->ssl3_enc->setup_key_block(s)) { ret= -1; goto end; } if (!s->method->ssl3_enc->change_cipher_state(s, SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { ret= -1; goto end; } break; case SSL3_ST_CW_FINISHED_A: case SSL3_ST_CW_FINISHED_B: ret=ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, s->method->ssl3_enc->client_finished_label, s->method->ssl3_enc->client_finished_label_len); if (ret <= 0) goto end; s->state=SSL3_ST_CW_FLUSH; /* clear flags */ s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; if (s->hit) { s->s3->tmp.next_state=SSL_ST_OK; if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) { s->state=SSL_ST_OK; s->s3->flags|=SSL3_FLAGS_POP_BUFFER; s->s3->delay_buf_pop_ret=0; } } else { s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; } s->init_num=0; break; case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B); if (ret <= 0) goto end; if (s->hit) s->state=SSL3_ST_CW_CHANGE_A; else s->state=SSL_ST_OK; s->init_num=0; break; case SSL3_ST_CW_FLUSH: /* number of bytes to be flushed */ num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); if (num1 > 0) { s->rwstate=SSL_WRITING; num1=BIO_flush(s->wbio); if (num1 <= 0) { ret= -1; goto end; } s->rwstate=SSL_NOTHING; } s->state=s->s3->tmp.next_state; break; case SSL_ST_OK: /* clean a few things up */ ssl3_cleanup_key_block(s); if (s->init_buf != NULL) { BUF_MEM_free(s->init_buf); s->init_buf=NULL; } /* If we are not 'joining' the last two packets, * remove the buffering now */ if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) ssl_free_wbio_buffer(s); /* else do it later in ssl3_write */ s->init_num=0; s->new_session=0; ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); if (s->hit) s->ctx->stats.sess_hit++; ret=1; /* s->server=0; */ s->handshake_func=ssl3_connect; s->ctx->stats.sess_connect_good++; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); goto end; /* break; */ default: SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); ret= -1; goto end; /* break; */ } /* did we do anything */ if (!s->s3->tmp.reuse_message && !skip) { if (s->debug) { if ((ret=BIO_flush(s->wbio)) <= 0) goto end; } if ((cb != NULL) && (s->state != state)) { new_state=s->state; s->state=state; cb(s,SSL_CB_CONNECT_LOOP,1); s->state=new_state; } } skip=0; } end: s->in_handshake--; if (buf != NULL) BUF_MEM_free(buf); if (cb != NULL) cb(s,SSL_CB_CONNECT_EXIT,ret); return(ret); } static int ssl3_client_hello(SSL *s) { unsigned char *buf; unsigned char *p,*d; int i,j; unsigned long Time,l; SSL_COMP *comp; buf=(unsigned char *)s->init_buf->data; if (s->state == SSL3_ST_CW_CLNT_HELLO_A) { if ((s->session == NULL) || (s->session->ssl_version != s->version) || (s->session->not_resumable)) { if (!ssl_get_new_session(s,0)) goto err; } /* else use the pre-loaded session */ p=s->s3->client_random; Time=time(NULL); /* Time */ l2n(Time,p); RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); /* Do the message type and length last */ d=p= &(buf[4]); *(p++)=s->version>>8; *(p++)=s->version&0xff; s->client_version=s->version; /* Random stuff */ memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; /* Session ID */ if (s->new_session) i=0; else i=s->session->session_id_length; *(p++)=i; if (i != 0) { if (i > sizeof s->session->session_id) { SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); goto err; } memcpy(p,s->session->session_id,i); p+=i; } /* Ciphers supported */ i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2])); if (i == 0) { SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); goto err; } s2n(i,p); p+=i; /* COMPRESSION */ if (s->ctx->comp_methods == NULL) j=0; else j=sk_SSL_COMP_num(s->ctx->comp_methods); *(p++)=1+j; for (i=0; ictx->comp_methods,i); *(p++)=comp->id; } *(p++)=0; /* Add the NULL method */ l=(p-d); d=buf; *(d++)=SSL3_MT_CLIENT_HELLO; l2n3(l,d); s->state=SSL3_ST_CW_CLNT_HELLO_B; /* number of bytes to write */ s->init_num=p-buf; s->init_off=0; } /* SSL3_ST_CW_CLNT_HELLO_B */ return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); err: return(-1); } static int ssl3_get_server_hello(SSL *s) { STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; unsigned char *p,*d; int i,al,ok; unsigned int j; long n; SSL_COMP *comp; n=ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, SSL3_ST_CR_SRVR_HELLO_B, SSL3_MT_SERVER_HELLO, 300, /* ?? */ &ok); if (!ok) return((int)n); d=p=(unsigned char *)s->init_msg; if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) { SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); s->version=(s->version&0xff00)|p[1]; al=SSL_AD_PROTOCOL_VERSION; goto f_err; } p+=2; /* load the server hello data */ /* load the server random */ memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; /* get the session-id */ j= *(p++); if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); goto f_err; } if (j != 0 && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) { if(s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) { /* actually a client application bug */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); goto f_err; } s->hit=1; } else /* a miss or crap from the other end */ { /* If we were trying for session-id reuse, make a new * SSL_SESSION so we don't stuff up other people */ s->hit=0; if (s->session->session_id_length > 0) { if (!ssl_get_new_session(s,0)) { al=SSL_AD_INTERNAL_ERROR; goto f_err; } } s->session->session_id_length=j; memcpy(s->session->session_id,p,j); /* j could be 0 */ } p+=j; c=ssl_get_cipher_by_char(s,p); if (c == NULL) { /* unknown cipher */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); goto f_err; } p+=ssl_put_cipher_by_char(s,NULL,NULL); sk=ssl_get_ciphers_by_id(s); i=sk_SSL_CIPHER_find(sk,c); if (i < 0) { /* we did not say we would use this cipher */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); goto f_err; } /* Depending on the session caching (internal/external), the cipher and/or cipher_id values may not be set. Make sure that cipher_id is set and use it for comparison. */ if (s->session->cipher) s->session->cipher_id = s->session->cipher->id; if (s->hit && (s->session->cipher_id != c->id)) { if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); goto f_err; } } s->s3->tmp.new_cipher=c; /* lets get the compression algorithm */ /* COMPRESSION */ j= *(p++); if (j == 0) comp=NULL; else comp=ssl3_comp_find(s->ctx->comp_methods,j); if ((j != 0) && (comp == NULL)) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); goto f_err; } else { s->s3->tmp.new_compression=comp; } if (p != (d+n)) { /* wrong packet length */ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); goto err; } return(1); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: return(-1); } static int ssl3_get_server_certificate(SSL *s) { int al,i,ok,ret= -1; unsigned long n,nc,llen,l; X509 *x=NULL; unsigned char *p,*d,*q; STACK_OF(X509) *sk=NULL; SESS_CERT *sc; EVP_PKEY *pkey=NULL; int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ n=ssl3_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok); if (!ok) return((int)n); if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) { s->s3->tmp.reuse_message=1; return(1); } if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) { al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); goto f_err; } d=p=(unsigned char *)s->init_msg; if ((sk=sk_X509_new_null()) == NULL) { SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); goto err; } n2l3(p,llen); if (llen+3 != n) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH); goto f_err; } for (nc=0; nc llen) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); goto f_err; } q=p; x=d2i_X509(NULL,&q,l); if (x == NULL) { al=SSL_AD_BAD_CERTIFICATE; SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB); goto f_err; } if (q != (p+l)) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); goto f_err; } if (!sk_X509_push(sk,x)) { SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); goto err; } x=NULL; nc+=l+3; p=q; } i=ssl_verify_cert_chain(s,sk); if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) #ifndef OPENSSL_NO_KRB5 && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) != (SSL_aKRB5|SSL_kKRB5) #endif /* OPENSSL_NO_KRB5 */ ) { al=ssl_verify_alarm_type(s->verify_result); SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); goto f_err; } ERR_clear_error(); /* but we keep s->verify_result */ sc=ssl_sess_cert_new(); if (sc == NULL) goto err; if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); s->session->sess_cert=sc; sc->cert_chain=sk; /* Inconsistency alert: cert_chain does include the peer's * certificate, which we don't include in s3_srvr.c */ x=sk_X509_value(sk,0); sk=NULL; /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ pkey=X509_get_pubkey(x); /* VRS: allow null cert if auth == KRB5 */ need_cert = ((s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) == (SSL_aKRB5|SSL_kKRB5))? 0: 1; #ifdef KSSL_DEBUG printf("pkey,x = %p, %p\n", pkey,x); printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name, s->s3->tmp.new_cipher->algorithms, need_cert); #endif /* KSSL_DEBUG */ if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) { x=NULL; al=SSL3_AL_FATAL; SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); goto f_err; } i=ssl_cert_type(x,pkey); if (need_cert && i < 0) { x=NULL; al=SSL3_AL_FATAL; SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_UNKNOWN_CERTIFICATE_TYPE); goto f_err; } if (need_cert) { sc->peer_cert_type=i; CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); /* Why would the following ever happen? * We just created sc a couple of lines ago. */ if (sc->peer_pkeys[i].x509 != NULL) X509_free(sc->peer_pkeys[i].x509); sc->peer_pkeys[i].x509=x; sc->peer_key= &(sc->peer_pkeys[i]); if (s->session->peer != NULL) X509_free(s->session->peer); CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); s->session->peer=x; } else { sc->peer_cert_type=i; sc->peer_key= NULL; if (s->session->peer != NULL) X509_free(s->session->peer); s->session->peer=NULL; } s->session->verify_result = s->verify_result; x=NULL; ret=1; if (0) { f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); } err: EVP_PKEY_free(pkey); X509_free(x); sk_X509_pop_free(sk,X509_free); return(ret); } static int ssl3_get_key_exchange(SSL *s) { #ifndef OPENSSL_NO_RSA unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; #endif EVP_MD_CTX md_ctx; unsigned char *param,*p; int al,i,j,param_len,ok; long n,alg; EVP_PKEY *pkey=NULL; #ifndef OPENSSL_NO_RSA RSA *rsa=NULL; #endif #ifndef OPENSSL_NO_DH DH *dh=NULL; #endif /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=ssl3_get_message(s, SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok); if (!ok) return((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { s->s3->tmp.reuse_message=1; return(1); } param=p=(unsigned char *)s->init_msg; if (s->session->sess_cert != NULL) { #ifndef OPENSSL_NO_RSA if (s->session->sess_cert->peer_rsa_tmp != NULL) { RSA_free(s->session->sess_cert->peer_rsa_tmp); s->session->sess_cert->peer_rsa_tmp=NULL; } #endif #ifndef OPENSSL_NO_DH if (s->session->sess_cert->peer_dh_tmp) { DH_free(s->session->sess_cert->peer_dh_tmp); s->session->sess_cert->peer_dh_tmp=NULL; } #endif } else { s->session->sess_cert=ssl_sess_cert_new(); } param_len=0; alg=s->s3->tmp.new_cipher->algorithms; EVP_MD_CTX_init(&md_ctx); #ifndef OPENSSL_NO_RSA if (alg & SSL_kRSA) { if ((rsa=RSA_new()) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); goto err; } n2s(p,i); param_len=i+2; if (param_len > n) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH); goto f_err; } if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); goto err; } p+=i; n2s(p,i); param_len+=i+2; if (param_len > n) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH); goto f_err; } if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); goto err; } p+=i; n-=param_len; /* this should be because we are using an export cipher */ if (alg & SSL_aRSA) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); else { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } s->session->sess_cert->peer_rsa_tmp=rsa; rsa=NULL; } #else /* OPENSSL_NO_RSA */ if (0) ; #endif #ifndef OPENSSL_NO_DH else if (alg & SSL_kEDH) { if ((dh=DH_new()) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB); goto err; } n2s(p,i); param_len=i+2; if (param_len > n) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH); goto f_err; } if (!(dh->p=BN_bin2bn(p,i,NULL))) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); goto err; } p+=i; n2s(p,i); param_len+=i+2; if (param_len > n) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH); goto f_err; } if (!(dh->g=BN_bin2bn(p,i,NULL))) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); goto err; } p+=i; n2s(p,i); param_len+=i+2; if (param_len > n) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH); goto f_err; } if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); goto err; } p+=i; n-=param_len; #ifndef OPENSSL_NO_RSA if (alg & SSL_aRSA) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); #else if (0) ; #endif #ifndef OPENSSL_NO_DSA else if (alg & SSL_aDSS) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); #endif /* else anonymous DH, so no certificate or pkey. */ s->session->sess_cert->peer_dh_tmp=dh; dh=NULL; } else if ((alg & SSL_kDHr) || (alg & SSL_kDHd)) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); goto f_err; } #endif /* !OPENSSL_NO_DH */ if (alg & SSL_aFZA) { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); goto f_err; } /* p points to the next byte, there are 'n' bytes left */ /* if it was signed, check the signature */ if (pkey != NULL) { n2s(p,i); n-=2; j=EVP_PKEY_size(pkey); if ((i != n) || (n > j) || (n <= 0)) { /* wrong packet length */ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); goto f_err; } #ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA) { int num; j=0; q=md_buf; for (num=2; num > 0; num--) { EVP_DigestInit_ex(&md_ctx,(num == 2) ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,param,param_len); EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); q+=i; j+=i; } i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, pkey->pkey.rsa); if (i < 0) { al=SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); goto f_err; } if (i == 0) { /* bad signature */ al=SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); goto f_err; } } else #endif #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) { /* lets do DSS */ EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL); EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,param,param_len); if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) { /* bad signature */ al=SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); goto f_err; } } else #endif { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } } else { /* still data left over */ if (!(alg & SSL_aNULL)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } if (n != 0) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE); goto f_err; } } EVP_PKEY_free(pkey); EVP_MD_CTX_cleanup(&md_ctx); return(1); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: EVP_PKEY_free(pkey); #ifndef OPENSSL_NO_RSA if (rsa != NULL) RSA_free(rsa); #endif #ifndef OPENSSL_NO_DH if (dh != NULL) DH_free(dh); #endif EVP_MD_CTX_cleanup(&md_ctx); return(-1); } static int ssl3_get_certificate_request(SSL *s) { int ok,ret=0; unsigned long n,nc,l; unsigned int llen,ctype_num,i; X509_NAME *xn=NULL; unsigned char *p,*d,*q; STACK_OF(X509_NAME) *ca_sk=NULL; n=ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A, SSL3_ST_CR_CERT_REQ_B, -1, s->max_cert_list, &ok); if (!ok) return((int)n); s->s3->tmp.cert_req=0; if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) { s->s3->tmp.reuse_message=1; return(1); } if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) { ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE); goto err; } /* TLS does not like anon-DH with client cert */ if (s->version > SSL3_VERSION) { l=s->s3->tmp.new_cipher->algorithms; if (l & SSL_aNULL) { ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); goto err; } } d=p=(unsigned char *)s->init_msg; if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) { SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); goto err; } /* get the certificate types */ ctype_num= *(p++); if (ctype_num > SSL3_CT_NUMBER) ctype_num=SSL3_CT_NUMBER; for (i=0; is3->tmp.ctype[i]= p[i]; p+=ctype_num; /* get the CA RDNs */ n2s(p,llen); #if 0 { FILE *out; out=fopen("/tmp/vsign.der","w"); fwrite(p,1,llen,out); fclose(out); } #endif if ((llen+ctype_num+2+1) != n) { ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); goto err; } for (nc=0; nc llen) { if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) goto cont; /* netscape bugs */ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); goto err; } q=p; if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) { /* If netscape tolerance is on, ignore errors */ if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) goto cont; else { ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB); goto err; } } if (q != (p+l)) { ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH); goto err; } if (!sk_X509_NAME_push(ca_sk,xn)) { SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); goto err; } p+=l; nc+=l+2; } if (0) { cont: ERR_clear_error(); } /* we should setup a certificate to return.... */ s->s3->tmp.cert_req=1; s->s3->tmp.ctype_num=ctype_num; if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); s->s3->tmp.ca_names=ca_sk; ca_sk=NULL; ret=1; err: if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); return(ret); } static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) { return(X509_NAME_cmp(*a,*b)); } static int ssl3_get_server_done(SSL *s) { int ok,ret=0; long n; n=ssl3_get_message(s, SSL3_ST_CR_SRVR_DONE_A, SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE, 30, /* should be very small, like 0 :-) */ &ok); if (!ok) return((int)n); if (n > 0) { /* should contain no data */ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); return -1; } ret=1; return(ret); } static int ssl3_send_client_key_exchange(SSL *s) { unsigned char *p,*d; int n; unsigned long l; #ifndef OPENSSL_NO_RSA unsigned char *q; EVP_PKEY *pkey=NULL; #endif #ifndef OPENSSL_NO_KRB5 KSSL_ERR kssl_err; #endif /* OPENSSL_NO_KRB5 */ if (s->state == SSL3_ST_CW_KEY_EXCH_A) { d=(unsigned char *)s->init_buf->data; p= &(d[4]); l=s->s3->tmp.new_cipher->algorithms; /* Fool emacs indentation */ if (0) {} #ifndef OPENSSL_NO_RSA else if (l & SSL_kRSA) { RSA *rsa; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; if (s->session->sess_cert->peer_rsa_tmp != NULL) rsa=s->session->sess_cert->peer_rsa_tmp; else { pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } rsa=pkey->pkey.rsa; EVP_PKEY_free(pkey); } tmp_buf[0]=s->client_version>>8; tmp_buf[1]=s->client_version&0xff; if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) goto err; s->session->master_key_length=sizeof tmp_buf; q=p; /* Fix buf for TLS and beyond */ if (s->version > SSL3_VERSION) p+=2; n=RSA_public_encrypt(sizeof tmp_buf, tmp_buf,p,rsa,RSA_PKCS1_PADDING); #ifdef PKCS1_CHECK if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; #endif if (n <= 0) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); goto err; } /* Fix buf for TLS and beyond */ if (s->version > SSL3_VERSION) { s2n(n,q); n+=2; } s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, tmp_buf,sizeof tmp_buf); OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); } #endif #ifndef OPENSSL_NO_KRB5 else if (l & SSL_kKRB5) { krb5_error_code krb5rc; KSSL_CTX *kssl_ctx = s->kssl_ctx; /* krb5_data krb5_ap_req; */ krb5_data *enc_ticket; krb5_data authenticator, *authp = NULL; EVP_CIPHER_CTX ciph_ctx; EVP_CIPHER *enc = NULL; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH + EVP_MAX_IV_LENGTH]; int padl, outl = sizeof(epms); EVP_CIPHER_CTX_init(&ciph_ctx); #ifdef KSSL_DEBUG printf("ssl3_send_client_key_exchange(%lx & %lx)\n", l, SSL_kKRB5); #endif /* KSSL_DEBUG */ authp = NULL; #ifdef KRB5SENDAUTH if (KRB5SENDAUTH) authp = &authenticator; #endif /* KRB5SENDAUTH */ krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, &kssl_err); enc = kssl_map_enc(kssl_ctx->enctype); if (enc == NULL) goto err; #ifdef KSSL_DEBUG { printf("kssl_cget_tkt rtn %d\n", krb5rc); if (krb5rc && kssl_err.text) printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); } #endif /* KSSL_DEBUG */ if (krb5rc) { ssl3_send_alert(s,SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, kssl_err.reason); goto err; } /* 20010406 VRS - Earlier versions used KRB5 AP_REQ ** in place of RFC 2712 KerberosWrapper, as in: ** ** Send ticket (copy to *p, set n = length) ** n = krb5_ap_req.length; ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); ** if (krb5_ap_req.data) ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); ** ** Now using real RFC 2712 KerberosWrapper ** (Thanks to Simon Wilkinson ) ** Note: 2712 "opaque" types are here replaced ** with a 2-byte length followed by the value. ** Example: ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms ** Where "xx xx" = length bytes. Shown here with ** optional authenticator omitted. */ /* KerberosWrapper.Ticket */ s2n(enc_ticket->length,p); memcpy(p, enc_ticket->data, enc_ticket->length); p+= enc_ticket->length; n = enc_ticket->length + 2; /* KerberosWrapper.Authenticator */ if (authp && authp->length) { s2n(authp->length,p); memcpy(p, authp->data, authp->length); p+= authp->length; n+= authp->length + 2; free(authp->data); authp->data = NULL; authp->length = 0; } else { s2n(0,p);/* null authenticator length */ n+=2; } if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0) goto err; /* 20010420 VRS. Tried it this way; failed. ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, ** kssl_ctx->length); ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); */ memset(iv, 0, sizeof iv); /* per RFC 1510 */ EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, kssl_ctx->key,iv); EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, sizeof tmp_buf); EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); outl += padl; if (outl > sizeof epms) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; } EVP_CIPHER_CTX_cleanup(&ciph_ctx); /* KerberosWrapper.EncryptedPreMasterSecret */ s2n(outl,p); memcpy(p, epms, outl); p+=outl; n+=outl + 2; s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(epms, outl); } #endif #ifndef OPENSSL_NO_DH else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { DH *dh_srvr,*dh_clnt; if (s->session->sess_cert->peer_dh_tmp != NULL) dh_srvr=s->session->sess_cert->peer_dh_tmp; else { /* we get them from the cert */ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); goto err; } /* generate a new random key */ if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); goto err; } if (!DH_generate_key(dh_clnt)) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); goto err; } /* use the 'p' output buffer for the DH key, but * make sure to clear it out afterwards */ n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); if (n <= 0) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); goto err; } /* generate master key from the result */ s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key,p,n); /* clean up */ memset(p,0,n); /* send off the data */ n=BN_num_bytes(dh_clnt->pub_key); s2n(n,p); BN_bn2bin(dh_clnt->pub_key,p); n+=2; DH_free(dh_clnt); /* perhaps clean things up a bit EAY EAY EAY EAY*/ } #endif else { ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; l2n3(n,d); s->state=SSL3_ST_CW_KEY_EXCH_B; /* number of bytes to write */ s->init_num=n+4; s->init_off=0; } /* SSL3_ST_CW_KEY_EXCH_B */ return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); err: return(-1); } static int ssl3_send_client_verify(SSL *s) { unsigned char *p,*d; unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; EVP_PKEY *pkey; #ifndef OPENSSL_NO_RSA unsigned u=0; #endif unsigned long n; #ifndef OPENSSL_NO_DSA int j; #endif if (s->state == SSL3_ST_CW_CERT_VRFY_A) { d=(unsigned char *)s->init_buf->data; p= &(d[4]); pkey=s->cert->key->privatekey; s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2), &(data[MD5_DIGEST_LENGTH])); #ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA) { s->method->ssl3_enc->cert_verify_mac(s, &(s->s3->finish_dgst1),&(data[0])); if (RSA_sign(NID_md5_sha1, data, MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, &(p[2]), &u, pkey->pkey.rsa) <= 0 ) { SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); goto err; } s2n(u,p); n=u+2; } else #endif #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) { if (!DSA_sign(pkey->save_type, &(data[MD5_DIGEST_LENGTH]), SHA_DIGEST_LENGTH,&(p[2]), (unsigned int *)&j,pkey->pkey.dsa)) { SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); goto err; } s2n(j,p); n=j+2; } else #endif { SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); goto err; } *(d++)=SSL3_MT_CERTIFICATE_VERIFY; l2n3(n,d); s->state=SSL3_ST_CW_CERT_VRFY_B; s->init_num=(int)n+4; s->init_off=0; } return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); err: return(-1); } static int ssl3_send_client_certificate(SSL *s) { X509 *x509=NULL; EVP_PKEY *pkey=NULL; int i; unsigned long l; if (s->state == SSL3_ST_CW_CERT_A) { if ((s->cert == NULL) || (s->cert->key->x509 == NULL) || (s->cert->key->privatekey == NULL)) s->state=SSL3_ST_CW_CERT_B; else s->state=SSL3_ST_CW_CERT_C; } /* We need to get a client cert */ if (s->state == SSL3_ST_CW_CERT_B) { /* If we get an error, we need to * ssl->rwstate=SSL_X509_LOOKUP; return(-1); * We then get retied later */ i=0; if (s->ctx->client_cert_cb != NULL) i=s->ctx->client_cert_cb(s,&(x509),&(pkey)); if (i < 0) { s->rwstate=SSL_X509_LOOKUP; return(-1); } s->rwstate=SSL_NOTHING; if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { s->state=SSL3_ST_CW_CERT_B; if ( !SSL_use_certificate(s,x509) || !SSL_use_PrivateKey(s,pkey)) i=0; } else if (i == 1) { i=0; SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); } if (x509 != NULL) X509_free(x509); if (pkey != NULL) EVP_PKEY_free(pkey); if (i == 0) { if (s->version == SSL3_VERSION) { s->s3->tmp.cert_req=0; ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE); return(1); } else { s->s3->tmp.cert_req=2; } } /* Ok, we have a cert */ s->state=SSL3_ST_CW_CERT_C; } if (s->state == SSL3_ST_CW_CERT_C) { s->state=SSL3_ST_CW_CERT_D; l=ssl3_output_cert_chain(s, (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); s->init_num=(int)l; s->init_off=0; } /* SSL3_ST_CW_CERT_D */ return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } #define has_bits(i,m) (((i)&(m)) == (m)) static int ssl3_check_cert_and_algorithm(SSL *s) { int i,idx; long algs; EVP_PKEY *pkey=NULL; SESS_CERT *sc; #ifndef OPENSSL_NO_RSA RSA *rsa; #endif #ifndef OPENSSL_NO_DH DH *dh; #endif sc=s->session->sess_cert; if (sc == NULL) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR); goto err; } algs=s->s3->tmp.new_cipher->algorithms; /* we don't have a certificate */ if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) return(1); #ifndef OPENSSL_NO_RSA rsa=s->session->sess_cert->peer_rsa_tmp; #endif #ifndef OPENSSL_NO_DH dh=s->session->sess_cert->peer_dh_tmp; #endif /* This is the passed certificate */ idx=sc->peer_cert_type; pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); EVP_PKEY_free(pkey); /* Check that we have a certificate if we require one */ if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT); goto f_err; } #ifndef OPENSSL_NO_DSA else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT); goto f_err; } #endif #ifndef OPENSSL_NO_RSA if ((algs & SSL_kRSA) && !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT); goto f_err; } #endif #ifndef OPENSSL_NO_DH if ((algs & SSL_kEDH) && !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); goto f_err; } else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); goto f_err; } #ifndef OPENSSL_NO_DSA else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); goto f_err; } #endif #endif if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) { #ifndef OPENSSL_NO_RSA if (algs & SSL_kRSA) { if (rsa == NULL - || RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) + || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY); goto f_err; } } else #endif #ifndef OPENSSL_NO_DH if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { if (dh == NULL - || DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) + || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY); goto f_err; } } else #endif { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); goto f_err; } } return(1); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); err: return(0); } diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c index 559924d3681b..92efb9597d38 100644 --- a/crypto/openssl/ssl/s3_enc.c +++ b/crypto/openssl/ssl/s3_enc.c @@ -1,697 +1,697 @@ /* ssl/s3_enc.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include "ssl_locl.h" #include #include static unsigned char ssl3_pad_1[48]={ 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36, 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36, 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36, 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36, 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36, 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36 }; static unsigned char ssl3_pad_2[48]={ 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c, 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c, 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c, 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c, 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c, 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c }; static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx, const char *sender, int len, unsigned char *p); static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) { EVP_MD_CTX m5; EVP_MD_CTX s1; unsigned char buf[16],smd[SHA_DIGEST_LENGTH]; unsigned char c='A'; int i,j,k; #ifdef CHARSET_EBCDIC c = os_toascii[c]; /*'A' in ASCII */ #endif k=0; EVP_MD_CTX_init(&m5); EVP_MD_CTX_init(&s1); for (i=0; i sizeof buf) { /* bug: 'buf' is too small for this ciphersuite */ SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); return 0; } for (j=0; jsession->master_key, s->session->master_key_length); EVP_DigestUpdate(&s1,s->s3->server_random,SSL3_RANDOM_SIZE); EVP_DigestUpdate(&s1,s->s3->client_random,SSL3_RANDOM_SIZE); EVP_DigestFinal_ex(&s1,smd,NULL); EVP_DigestInit_ex(&m5,EVP_md5(), NULL); EVP_DigestUpdate(&m5,s->session->master_key, s->session->master_key_length); EVP_DigestUpdate(&m5,smd,SHA_DIGEST_LENGTH); if ((i+MD5_DIGEST_LENGTH) > num) { EVP_DigestFinal_ex(&m5,smd,NULL); memcpy(km,smd,(num-i)); } else EVP_DigestFinal_ex(&m5,km,NULL); km+=MD5_DIGEST_LENGTH; } OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH); EVP_MD_CTX_cleanup(&m5); EVP_MD_CTX_cleanup(&s1); return 1; } int ssl3_change_cipher_state(SSL *s, int which) { unsigned char *p,*key_block,*mac_secret; unsigned char exp_key[EVP_MAX_KEY_LENGTH]; unsigned char exp_iv[EVP_MAX_IV_LENGTH]; unsigned char *ms,*key,*iv,*er1,*er2; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; COMP_METHOD *comp; const EVP_MD *m; EVP_MD_CTX md; - int exp,n,i,j,k,cl; + int is_exp,n,i,j,k,cl; int reuse_dd = 0; - exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); + is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; if (s->s3->tmp.new_compression == NULL) comp=NULL; else comp=s->s3->tmp.new_compression->method; key_block=s->s3->tmp.key_block; if (which & SSL3_CC_READ) { if (s->enc_read_ctx != NULL) reuse_dd = 1; else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; dd= s->enc_read_ctx; s->read_hash=m; /* COMPRESS */ if (s->expand != NULL) { COMP_CTX_free(s->expand); s->expand=NULL; } if (comp != NULL) { s->expand=COMP_CTX_new(comp); if (s->expand == NULL) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } if (s->s3->rrec.comp == NULL) s->s3->rrec.comp=(unsigned char *) OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH); if (s->s3->rrec.comp == NULL) goto err; } memset(&(s->s3->read_sequence[0]),0,8); mac_secret= &(s->s3->read_mac_secret[0]); } else { if (s->enc_write_ctx != NULL) reuse_dd = 1; else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; dd= s->enc_write_ctx; s->write_hash=m; /* COMPRESS */ if (s->compress != NULL) { COMP_CTX_free(s->compress); s->compress=NULL; } if (comp != NULL) { s->compress=COMP_CTX_new(comp); if (s->compress == NULL) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } } memset(&(s->s3->write_sequence[0]),0,8); mac_secret= &(s->s3->write_mac_secret[0]); } if (reuse_dd) EVP_CIPHER_CTX_cleanup(dd); EVP_CIPHER_CTX_init(dd); p=s->s3->tmp.key_block; i=EVP_MD_size(m); cl=EVP_CIPHER_key_length(c); - j=exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? - cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; - /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ + j=is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? + cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; + /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */ k=EVP_CIPHER_iv_length(c); if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { ms= &(p[ 0]); n=i+i; key= &(p[ n]); n+=j+j; iv= &(p[ n]); n+=k+k; er1= &(s->s3->client_random[0]); er2= &(s->s3->server_random[0]); } else { n=i; ms= &(p[ n]); n+=i+j; key= &(p[ n]); n+=j+k; iv= &(p[ n]); n+=k; er1= &(s->s3->server_random[0]); er2= &(s->s3->client_random[0]); } if (n > s->s3->tmp.key_block_length) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); goto err2; } EVP_MD_CTX_init(&md); memcpy(mac_secret,ms,i); - if (exp) + if (is_exp) { /* In here I set both the read and write key/iv to the * same value since only the correct one will be used :-). */ EVP_DigestInit_ex(&md,EVP_md5(), NULL); EVP_DigestUpdate(&md,key,j); EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE); EVP_DigestFinal_ex(&md,&(exp_key[0]),NULL); key= &(exp_key[0]); if (k > 0) { EVP_DigestInit_ex(&md,EVP_md5(), NULL); EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE); EVP_DigestFinal_ex(&md,&(exp_iv[0]),NULL); iv= &(exp_iv[0]); } } s->session->key_arg_length=0; EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE)); OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key)); OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv)); EVP_MD_CTX_cleanup(&md); return(1); err: SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); err2: return(0); } int ssl3_setup_key_block(SSL *s) { unsigned char *p; const EVP_CIPHER *c; const EVP_MD *hash; int num; int ret = 0; SSL_COMP *comp; if (s->s3->tmp.key_block_length != 0) return(1); if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp)) { SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return(0); } s->s3->tmp.new_sym_enc=c; s->s3->tmp.new_hash=hash; s->s3->tmp.new_compression=comp; num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c); num*=2; ssl3_cleanup_key_block(s); if ((p=OPENSSL_malloc(num)) == NULL) goto err; s->s3->tmp.key_block_length=num; s->s3->tmp.key_block=p; ret = ssl3_generate_key_block(s,p,num); if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { /* enable vulnerability countermeasure for CBC ciphers with * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ s->s3->need_empty_fragments = 1; if (s->session->cipher != NULL) { if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) s->s3->need_empty_fragments = 0; #ifndef OPENSSL_NO_RC4 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) s->s3->need_empty_fragments = 0; #endif } } return ret; err: SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); return(0); } void ssl3_cleanup_key_block(SSL *s) { if (s->s3->tmp.key_block != NULL) { OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length); OPENSSL_free(s->s3->tmp.key_block); s->s3->tmp.key_block=NULL; } s->s3->tmp.key_block_length=0; } int ssl3_enc(SSL *s, int send) { SSL3_RECORD *rec; EVP_CIPHER_CTX *ds; unsigned long l; int bs,i; const EVP_CIPHER *enc; if (send) { ds=s->enc_write_ctx; rec= &(s->s3->wrec); if (s->enc_write_ctx == NULL) enc=NULL; else enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); } else { ds=s->enc_read_ctx; rec= &(s->s3->rrec); if (s->enc_read_ctx == NULL) enc=NULL; else enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); } if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { memmove(rec->data,rec->input,rec->length); rec->input=rec->data; } else { l=rec->length; bs=EVP_CIPHER_block_size(ds->cipher); /* COMPRESS */ if ((bs != 1) && send) { i=bs-((int)l%bs); /* we need to add 'i-1' padding bytes */ l+=i; rec->length+=i; rec->input[l-1]=(i-1); } if (!send) { if (l == 0 || l%bs != 0) { SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); return 0; } /* otherwise, rec->length >= bs */ } EVP_Cipher(ds,rec->data,rec->input,l); if ((bs != 1) && !send) { i=rec->data[l-1]+1; /* SSL 3.0 bounds the number of padding bytes by the block size; * padding bytes (except the last one) are arbitrary */ if (i > bs) { /* Incorrect padding. SSLerr() and ssl3_alert are done * by caller: we don't want to reveal whether this is * a decryption error or a MAC verification failure * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ return -1; } /* now i <= bs <= rec->length */ rec->length-=i; } } return(1); } void ssl3_init_finished_mac(SSL *s) { EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL); EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL); } void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len) { EVP_DigestUpdate(&(s->s3->finish_dgst1),buf,len); EVP_DigestUpdate(&(s->s3->finish_dgst2),buf,len); } int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *ctx, unsigned char *p) { return(ssl3_handshake_mac(s,ctx,NULL,0,p)); } int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2, const char *sender, int len, unsigned char *p) { int ret; ret=ssl3_handshake_mac(s,ctx1,sender,len,p); p+=ret; ret+=ssl3_handshake_mac(s,ctx2,sender,len,p); return(ret); } static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx, const char *sender, int len, unsigned char *p) { unsigned int ret; int npad,n; unsigned int i; unsigned char md_buf[EVP_MAX_MD_SIZE]; EVP_MD_CTX ctx; EVP_MD_CTX_init(&ctx); EVP_MD_CTX_copy_ex(&ctx,in_ctx); n=EVP_MD_CTX_size(&ctx); npad=(48/n)*n; if (sender != NULL) EVP_DigestUpdate(&ctx,sender,len); EVP_DigestUpdate(&ctx,s->session->master_key, s->session->master_key_length); EVP_DigestUpdate(&ctx,ssl3_pad_1,npad); EVP_DigestFinal_ex(&ctx,md_buf,&i); EVP_DigestInit_ex(&ctx,EVP_MD_CTX_md(&ctx), NULL); EVP_DigestUpdate(&ctx,s->session->master_key, s->session->master_key_length); EVP_DigestUpdate(&ctx,ssl3_pad_2,npad); EVP_DigestUpdate(&ctx,md_buf,i); EVP_DigestFinal_ex(&ctx,p,&ret); EVP_MD_CTX_cleanup(&ctx); return((int)ret); } int ssl3_mac(SSL *ssl, unsigned char *md, int send) { SSL3_RECORD *rec; unsigned char *mac_sec,*seq; EVP_MD_CTX md_ctx; const EVP_MD *hash; unsigned char *p,rec_char; unsigned int md_size; int npad,i; if (send) { rec= &(ssl->s3->wrec); mac_sec= &(ssl->s3->write_mac_secret[0]); seq= &(ssl->s3->write_sequence[0]); hash=ssl->write_hash; } else { rec= &(ssl->s3->rrec); mac_sec= &(ssl->s3->read_mac_secret[0]); seq= &(ssl->s3->read_sequence[0]); hash=ssl->read_hash; } md_size=EVP_MD_size(hash); npad=(48/md_size)*md_size; /* Chop the digest off the end :-) */ EVP_MD_CTX_init(&md_ctx); EVP_DigestInit_ex( &md_ctx,hash, NULL); EVP_DigestUpdate(&md_ctx,mac_sec,md_size); EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad); EVP_DigestUpdate(&md_ctx,seq,8); rec_char=rec->type; EVP_DigestUpdate(&md_ctx,&rec_char,1); p=md; s2n(rec->length,p); EVP_DigestUpdate(&md_ctx,md,2); EVP_DigestUpdate(&md_ctx,rec->input,rec->length); EVP_DigestFinal_ex( &md_ctx,md,NULL); EVP_DigestInit_ex( &md_ctx,hash, NULL); EVP_DigestUpdate(&md_ctx,mac_sec,md_size); EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad); EVP_DigestUpdate(&md_ctx,md,md_size); EVP_DigestFinal_ex( &md_ctx,md,&md_size); EVP_MD_CTX_cleanup(&md_ctx); for (i=7; i>=0; i--) { ++seq[i]; if (seq[i] != 0) break; } return(md_size); } int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, int len) { static const unsigned char *salt[3]={ #ifndef CHARSET_EBCDIC (const unsigned char *)"A", (const unsigned char *)"BB", (const unsigned char *)"CCC", #else (const unsigned char *)"\x41", (const unsigned char *)"\x42\x42", (const unsigned char *)"\x43\x43\x43", #endif }; unsigned char buf[EVP_MAX_MD_SIZE]; EVP_MD_CTX ctx; int i,ret=0; unsigned int n; EVP_MD_CTX_init(&ctx); for (i=0; i<3; i++) { EVP_DigestInit_ex(&ctx,s->ctx->sha1, NULL); EVP_DigestUpdate(&ctx,salt[i],strlen((const char *)salt[i])); EVP_DigestUpdate(&ctx,p,len); EVP_DigestUpdate(&ctx,&(s->s3->client_random[0]), SSL3_RANDOM_SIZE); EVP_DigestUpdate(&ctx,&(s->s3->server_random[0]), SSL3_RANDOM_SIZE); EVP_DigestFinal_ex(&ctx,buf,&n); EVP_DigestInit_ex(&ctx,s->ctx->md5, NULL); EVP_DigestUpdate(&ctx,p,len); EVP_DigestUpdate(&ctx,buf,n); EVP_DigestFinal_ex(&ctx,out,&n); out+=n; ret+=n; } EVP_MD_CTX_cleanup(&ctx); return(ret); } int ssl3_alert_code(int code) { switch (code) { case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY); case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE); case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC); case SSL_AD_DECRYPTION_FAILED: return(SSL3_AD_BAD_RECORD_MAC); case SSL_AD_RECORD_OVERFLOW: return(SSL3_AD_BAD_RECORD_MAC); case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE); case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_NO_CERTIFICATE: return(SSL3_AD_NO_CERTIFICATE); case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE); case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE); case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED); case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED); case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN); case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER); case SSL_AD_UNKNOWN_CA: return(SSL3_AD_BAD_CERTIFICATE); case SSL_AD_ACCESS_DENIED: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_DECODE_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_DECRYPT_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_EXPORT_RESTRICTION: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_PROTOCOL_VERSION: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_INSUFFICIENT_SECURITY:return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_INTERNAL_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_USER_CANCELLED: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_NO_RENEGOTIATION: return(-1); /* Don't send it :-) */ default: return(-1); } } diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c index 896b12fc4f38..d04096016ce3 100644 --- a/crypto/openssl/ssl/s3_lib.c +++ b/crypto/openssl/ssl/s3_lib.c @@ -1,1797 +1,1799 @@ /* ssl/s3_lib.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include "ssl_locl.h" #include "kssl_lcl.h" #include const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT; #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) static long ssl3_default_timeout(void ); OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ /* The RSA ciphers */ /* Cipher 01 */ { 1, SSL3_TXT_RSA_NULL_MD5, SSL3_CK_RSA_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 02 */ { 1, SSL3_TXT_RSA_NULL_SHA, SSL3_CK_RSA_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* anon DH */ /* Cipher 17 */ { 1, SSL3_TXT_ADH_RC4_40_MD5, SSL3_CK_ADH_RC4_40_MD5, SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 18 */ { 1, SSL3_TXT_ADH_RC4_128_MD5, SSL3_CK_ADH_RC4_128_MD5, SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 19 */ { 1, SSL3_TXT_ADH_DES_40_CBC_SHA, SSL3_CK_ADH_DES_40_CBC_SHA, SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 1A */ { 1, SSL3_TXT_ADH_DES_64_CBC_SHA, SSL3_CK_ADH_DES_64_CBC_SHA, SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 1B */ { 1, SSL3_TXT_ADH_DES_192_CBC_SHA, SSL3_CK_ADH_DES_192_CBC_SHA, SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* RSA again */ /* Cipher 03 */ { 1, SSL3_TXT_RSA_RC4_40_MD5, SSL3_CK_RSA_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 04 */ { 1, SSL3_TXT_RSA_RC4_128_MD5, SSL3_CK_RSA_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 05 */ { 1, SSL3_TXT_RSA_RC4_128_SHA, SSL3_CK_RSA_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 06 */ { 1, SSL3_TXT_RSA_RC2_40_MD5, SSL3_CK_RSA_RC2_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 07 */ +#ifndef OPENSSL_NO_IDEA { 1, SSL3_TXT_RSA_IDEA_128_SHA, SSL3_CK_RSA_IDEA_128_SHA, SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, +#endif /* Cipher 08 */ { 1, SSL3_TXT_RSA_DES_40_CBC_SHA, SSL3_CK_RSA_DES_40_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 09 */ { 1, SSL3_TXT_RSA_DES_64_CBC_SHA, SSL3_CK_RSA_DES_64_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 0A */ { 1, SSL3_TXT_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* The DH ciphers */ /* Cipher 0B */ { 0, SSL3_TXT_DH_DSS_DES_40_CBC_SHA, SSL3_CK_DH_DSS_DES_40_CBC_SHA, SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 0C */ { 0, SSL3_TXT_DH_DSS_DES_64_CBC_SHA, SSL3_CK_DH_DSS_DES_64_CBC_SHA, SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 0D */ { 0, SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, SSL3_CK_DH_DSS_DES_192_CBC3_SHA, SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 0E */ { 0, SSL3_TXT_DH_RSA_DES_40_CBC_SHA, SSL3_CK_DH_RSA_DES_40_CBC_SHA, SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 0F */ { 0, SSL3_TXT_DH_RSA_DES_64_CBC_SHA, SSL3_CK_DH_RSA_DES_64_CBC_SHA, SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 10 */ { 0, SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, SSL3_CK_DH_RSA_DES_192_CBC3_SHA, SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* The Ephemeral DH ciphers */ /* Cipher 11 */ { 1, SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, SSL3_CK_EDH_DSS_DES_40_CBC_SHA, SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 12 */ { 1, SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, SSL3_CK_EDH_DSS_DES_64_CBC_SHA, SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 13 */ { 1, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 14 */ { 1, SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, SSL3_CK_EDH_RSA_DES_40_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 15 */ { 1, SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, SSL3_CK_EDH_RSA_DES_64_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 16 */ { 1, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Fortezza */ /* Cipher 1C */ { 0, SSL3_TXT_FZA_DMS_NULL_SHA, SSL3_CK_FZA_DMS_NULL_SHA, SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 1D */ { 0, SSL3_TXT_FZA_DMS_FZA_SHA, SSL3_CK_FZA_DMS_FZA_SHA, SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, #if 0 /* Cipher 1E */ { 0, SSL3_TXT_FZA_DMS_RC4_SHA, SSL3_CK_FZA_DMS_RC4_SHA, SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, #endif #ifndef OPENSSL_NO_KRB5 /* The Kerberos ciphers ** 20000107 VRS: And the first shall be last, ** in hopes of avoiding the lynx ssl renegotiation problem. */ /* Cipher 1E VRS */ { 1, SSL3_TXT_KRB5_DES_64_CBC_SHA, SSL3_CK_KRB5_DES_64_CBC_SHA, SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 1F VRS */ { 1, SSL3_TXT_KRB5_DES_192_CBC3_SHA, SSL3_CK_KRB5_DES_192_CBC3_SHA, SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 112, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 20 VRS */ { 1, SSL3_TXT_KRB5_RC4_128_SHA, SSL3_CK_KRB5_RC4_128_SHA, SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 21 VRS */ { 1, SSL3_TXT_KRB5_IDEA_128_CBC_SHA, SSL3_CK_KRB5_IDEA_128_CBC_SHA, SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_SHA1 |SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 22 VRS */ { 1, SSL3_TXT_KRB5_DES_64_CBC_MD5, SSL3_CK_KRB5_DES_64_CBC_MD5, SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, 0, 56, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 23 VRS */ { 1, SSL3_TXT_KRB5_DES_192_CBC3_MD5, SSL3_CK_KRB5_DES_192_CBC3_MD5, SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, 112, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 24 VRS */ { 1, SSL3_TXT_KRB5_RC4_128_MD5, SSL3_CK_KRB5_RC4_128_MD5, SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 25 VRS */ { 1, SSL3_TXT_KRB5_IDEA_128_CBC_MD5, SSL3_CK_KRB5_IDEA_128_CBC_MD5, SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_MD5 |SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 26 VRS */ { 1, SSL3_TXT_KRB5_DES_40_CBC_SHA, SSL3_CK_KRB5_DES_40_CBC_SHA, SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 27 VRS */ { 1, SSL3_TXT_KRB5_RC2_40_CBC_SHA, SSL3_CK_KRB5_RC2_40_CBC_SHA, SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_SHA1 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 28 VRS */ { 1, SSL3_TXT_KRB5_RC4_40_SHA, SSL3_CK_KRB5_RC4_40_SHA, SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 29 VRS */ { 1, SSL3_TXT_KRB5_DES_40_CBC_MD5, SSL3_CK_KRB5_DES_40_CBC_MD5, SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 2A VRS */ { 1, SSL3_TXT_KRB5_RC2_40_CBC_MD5, SSL3_CK_KRB5_RC2_40_CBC_MD5, SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_MD5 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 2B VRS */ { 1, SSL3_TXT_KRB5_RC4_40_MD5, SSL3_CK_KRB5_RC4_40_MD5, SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, #endif /* OPENSSL_NO_KRB5 */ #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES /* New TLS Export CipherSuites */ /* Cipher 60 */ { 1, TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1, SSL_EXPORT|SSL_EXP56, 0, 56, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 61 */ { 1, TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1, SSL_EXPORT|SSL_EXP56, 0, 56, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 62 */ { 1, TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, SSL_EXPORT|SSL_EXP56, 0, 56, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 63 */ { 1, TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1, SSL_EXPORT|SSL_EXP56, 0, 56, 56, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 64 */ { 1, TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, SSL_EXPORT|SSL_EXP56, 0, 56, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 65 */ { 1, TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, SSL_EXPORT|SSL_EXP56, 0, 56, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 66 */ { 1, TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS }, #endif /* New AES ciphersuites */ /* Cipher 2F */ { 1, TLS1_TXT_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 30 */ { 0, TLS1_TXT_DH_DSS_WITH_AES_128_SHA, TLS1_CK_DH_DSS_WITH_AES_128_SHA, SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 31 */ { 0, TLS1_TXT_DH_RSA_WITH_AES_128_SHA, TLS1_CK_DH_RSA_WITH_AES_128_SHA, SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 32 */ { 1, TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, TLS1_CK_DHE_DSS_WITH_AES_128_SHA, SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 33 */ { 1, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA, SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 34 */ { 1, TLS1_TXT_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 35 */ { 1, TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 36 */ { 0, TLS1_TXT_DH_DSS_WITH_AES_256_SHA, TLS1_CK_DH_DSS_WITH_AES_256_SHA, SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 37 */ { 0, TLS1_TXT_DH_RSA_WITH_AES_256_SHA, TLS1_CK_DH_RSA_WITH_AES_256_SHA, SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 38 */ { 1, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, TLS1_CK_DHE_DSS_WITH_AES_256_SHA, SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 39 */ { 1, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, TLS1_CK_DHE_RSA_WITH_AES_256_SHA, SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* Cipher 3A */ { 1, TLS1_TXT_ADH_WITH_AES_256_SHA, TLS1_CK_ADH_WITH_AES_256_SHA, SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, 256, 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* end of list */ }; static SSL3_ENC_METHOD SSLv3_enc_data={ ssl3_enc, ssl3_mac, ssl3_setup_key_block, ssl3_generate_master_secret, ssl3_change_cipher_state, ssl3_final_finish_mac, MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, ssl3_cert_verify_mac, SSL3_MD_CLIENT_FINISHED_CONST,4, SSL3_MD_SERVER_FINISHED_CONST,4, ssl3_alert_code, }; static SSL_METHOD SSLv3_data= { SSL3_VERSION, ssl3_new, ssl3_clear, ssl3_free, ssl_undefined_function, ssl_undefined_function, ssl3_read, ssl3_peek, ssl3_write, ssl3_shutdown, ssl3_renegotiate, ssl3_renegotiate_check, ssl3_ctrl, ssl3_ctx_ctrl, ssl3_get_cipher_by_char, ssl3_put_cipher_by_char, ssl3_pending, ssl3_num_ciphers, ssl3_get_cipher, ssl_bad_method, ssl3_default_timeout, &SSLv3_enc_data, ssl_undefined_function, ssl3_callback_ctrl, ssl3_ctx_callback_ctrl, }; static long ssl3_default_timeout(void) { /* 2 hours, the 24 hours mentioned in the SSLv3 spec * is way too long for http, the cache would over fill */ return(60*60*2); } SSL_METHOD *sslv3_base_method(void) { return(&SSLv3_data); } int ssl3_num_ciphers(void) { return(SSL3_NUM_CIPHERS); } SSL_CIPHER *ssl3_get_cipher(unsigned int u) { if (u < SSL3_NUM_CIPHERS) return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u])); else return(NULL); } int ssl3_pending(SSL *s) { if (s->rstate == SSL_ST_READ_BODY) return 0; return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0; } int ssl3_new(SSL *s) { SSL3_STATE *s3; if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err; memset(s3,0,sizeof *s3); EVP_MD_CTX_init(&s3->finish_dgst1); EVP_MD_CTX_init(&s3->finish_dgst2); s->s3=s3; s->method->ssl_clear(s); return(1); err: return(0); } void ssl3_free(SSL *s) { if(s == NULL) return; ssl3_cleanup_key_block(s); if (s->s3->rbuf.buf != NULL) OPENSSL_free(s->s3->rbuf.buf); if (s->s3->wbuf.buf != NULL) OPENSSL_free(s->s3->wbuf.buf); if (s->s3->rrec.comp != NULL) OPENSSL_free(s->s3->rrec.comp); #ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); #endif if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); OPENSSL_cleanse(s->s3,sizeof *s->s3); OPENSSL_free(s->s3); s->s3=NULL; } void ssl3_clear(SSL *s) { unsigned char *rp,*wp; size_t rlen, wlen; ssl3_cleanup_key_block(s); if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); if (s->s3->rrec.comp != NULL) { OPENSSL_free(s->s3->rrec.comp); s->s3->rrec.comp=NULL; } #ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); #endif rp = s->s3->rbuf.buf; wp = s->s3->wbuf.buf; rlen = s->s3->rbuf.len; wlen = s->s3->wbuf.len; EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); memset(s->s3,0,sizeof *s->s3); s->s3->rbuf.buf = rp; s->s3->wbuf.buf = wp; s->s3->rbuf.len = rlen; s->s3->wbuf.len = wlen; ssl_free_wbio_buffer(s); s->packet_length=0; s->s3->renegotiate=0; s->s3->total_renegotiations=0; s->s3->num_renegotiations=0; s->s3->in_read_app_data=0; s->version=SSL3_VERSION; } long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) { int ret=0; #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) if ( #ifndef OPENSSL_NO_RSA cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB || #endif #ifndef OPENSSL_NO_DSA cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB || #endif 0) { if (!ssl_cert_inst(&s->cert)) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE); return(0); } } #endif switch (cmd) { case SSL_CTRL_GET_SESSION_REUSED: ret=s->hit; break; case SSL_CTRL_GET_CLIENT_CERT_REQUEST: break; case SSL_CTRL_GET_NUM_RENEGOTIATIONS: ret=s->s3->num_renegotiations; break; case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: ret=s->s3->num_renegotiations; s->s3->num_renegotiations=0; break; case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: ret=s->s3->total_renegotiations; break; case SSL_CTRL_GET_FLAGS: ret=(int)(s->s3->flags); break; #ifndef OPENSSL_NO_RSA case SSL_CTRL_NEED_TMP_RSA: if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))) ret = 1; break; case SSL_CTRL_SET_TMP_RSA: { RSA *rsa = (RSA *)parg; if (rsa == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); return(ret); } if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB); return(ret); } if (s->cert->rsa_tmp != NULL) RSA_free(s->cert->rsa_tmp); s->cert->rsa_tmp = rsa; ret = 1; } break; case SSL_CTRL_SET_TMP_RSA_CB: { SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(ret); } break; #endif #ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH: { DH *dh = (DH *)parg; if (dh == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); return(ret); } if ((dh = DHparams_dup(dh)) == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); return(ret); } if (!(s->options & SSL_OP_SINGLE_DH_USE)) { if (!DH_generate_key(dh)) { DH_free(dh); SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); return(ret); } } if (s->cert->dh_tmp != NULL) DH_free(s->cert->dh_tmp); s->cert->dh_tmp = dh; ret = 1; } break; case SSL_CTRL_SET_TMP_DH_CB: { SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(ret); } break; #endif default: break; } return(ret); } long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)()) { int ret=0; #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) if ( #ifndef OPENSSL_NO_RSA cmd == SSL_CTRL_SET_TMP_RSA_CB || #endif #ifndef OPENSSL_NO_DSA cmd == SSL_CTRL_SET_TMP_DH_CB || #endif 0) { if (!ssl_cert_inst(&s->cert)) { SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE); return(0); } } #endif switch (cmd) { #ifndef OPENSSL_NO_RSA case SSL_CTRL_SET_TMP_RSA_CB: { s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; } break; #endif #ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH_CB: { s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; } break; #endif default: break; } return(ret); } long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { CERT *cert; cert=ctx->cert; switch (cmd) { #ifndef OPENSSL_NO_RSA case SSL_CTRL_NEED_TMP_RSA: if ( (cert->rsa_tmp == NULL) && ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))) ) return(1); else return(0); /* break; */ case SSL_CTRL_SET_TMP_RSA: { RSA *rsa; int i; rsa=(RSA *)parg; i=1; if (rsa == NULL) i=0; else { if ((rsa=RSAPrivateKey_dup(rsa)) == NULL) i=0; } if (!i) { SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_RSA_LIB); return(0); } else { if (cert->rsa_tmp != NULL) RSA_free(cert->rsa_tmp); cert->rsa_tmp=rsa; return(1); } } /* break; */ case SSL_CTRL_SET_TMP_RSA_CB: { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(0); } break; #endif #ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH: { DH *new=NULL,*dh; dh=(DH *)parg; if ((new=DHparams_dup(dh)) == NULL) { SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB); return 0; } if (!(ctx->options & SSL_OP_SINGLE_DH_USE)) { if (!DH_generate_key(new)) { SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB); DH_free(new); return 0; } } if (cert->dh_tmp != NULL) DH_free(cert->dh_tmp); cert->dh_tmp=new; return 1; } /*break; */ case SSL_CTRL_SET_TMP_DH_CB: { SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(0); } break; #endif /* A Thawte special :-) */ case SSL_CTRL_EXTRA_CHAIN_CERT: if (ctx->extra_certs == NULL) { if ((ctx->extra_certs=sk_X509_new_null()) == NULL) return(0); } sk_X509_push(ctx->extra_certs,(X509 *)parg); break; default: return(0); } return(1); } long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) { CERT *cert; cert=ctx->cert; switch (cmd) { #ifndef OPENSSL_NO_RSA case SSL_CTRL_SET_TMP_RSA_CB: { cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; } break; #endif #ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH_CB: { cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; } break; #endif default: return(0); } return(1); } /* This function needs to check if the ciphers required are actually * available */ SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) { static int init=1; static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS]; SSL_CIPHER c,*cp= &c,**cpp; unsigned long id; int i; if (init) { CRYPTO_w_lock(CRYPTO_LOCK_SSL); if (init) { for (i=0; ivalid) return(NULL); else return(*cpp); } int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) { long l; if (p != NULL) { l=c->id; if ((l & 0xff000000) != 0x03000000) return(0); p[0]=((unsigned char)(l>> 8L))&0xFF; p[1]=((unsigned char)(l ))&0xFF; } return(2); } SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, STACK_OF(SSL_CIPHER) *srvr) { SSL_CIPHER *c,*ret=NULL; STACK_OF(SSL_CIPHER) *prio, *allow; int i,j,ok; CERT *cert; unsigned long alg,mask,emask; /* Let's see which ciphers we can support */ cert=s->cert; #if 0 /* Do not set the compare functions, because this may lead to a * reordering by "id". We want to keep the original ordering. * We may pay a price in performance during sk_SSL_CIPHER_find(), * but would have to pay with the price of sk_SSL_CIPHER_dup(). */ sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp); sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp); #endif #ifdef CIPHER_DEBUG printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr); for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i) { c=sk_SSL_CIPHER_value(srvr,i); printf("%p:%s\n",c,c->name); } printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt); for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i) { c=sk_SSL_CIPHER_value(clnt,i); printf("%p:%s\n",c,c->name); } #endif if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { prio = srvr; allow = clnt; } else { prio = clnt; allow = srvr; } for (i=0; imask; emask=cert->export_mask; #ifdef KSSL_DEBUG printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms); #endif /* KSSL_DEBUG */ alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); #ifndef OPENSSL_NO_KRB5 if (alg & SSL_KRB5) { if ( !kssl_keytab_is_available(s->kssl_ctx) ) continue; } #endif /* OPENSSL_NO_KRB5 */ if (SSL_C_IS_EXPORT(c)) { ok=((alg & emask) == alg)?1:0; #ifdef CIPHER_DEBUG printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask, c,c->name); #endif } else { ok=((alg & mask) == alg)?1:0; #ifdef CIPHER_DEBUG printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c, c->name); #endif } if (!ok) continue; j=sk_SSL_CIPHER_find(allow,c); if (j >= 0) { ret=sk_SSL_CIPHER_value(allow,j); break; } } return(ret); } int ssl3_get_req_cert_type(SSL *s, unsigned char *p) { int ret=0; unsigned long alg; alg=s->s3->tmp.new_cipher->algorithms; #ifndef OPENSSL_NO_DH if (alg & (SSL_kDHr|SSL_kEDH)) { # ifndef OPENSSL_NO_RSA p[ret++]=SSL3_CT_RSA_FIXED_DH; # endif # ifndef OPENSSL_NO_DSA p[ret++]=SSL3_CT_DSS_FIXED_DH; # endif } if ((s->version == SSL3_VERSION) && (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) { # ifndef OPENSSL_NO_RSA p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; # endif # ifndef OPENSSL_NO_DSA p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH; # endif } #endif /* !OPENSSL_NO_DH */ #ifndef OPENSSL_NO_RSA p[ret++]=SSL3_CT_RSA_SIGN; #endif #ifndef OPENSSL_NO_DSA p[ret++]=SSL3_CT_DSS_SIGN; #endif return(ret); } int ssl3_shutdown(SSL *s) { /* Don't do anything much if we have not done the handshake or * we don't want to send messages :-) */ if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE)) { s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); return(1); } if (!(s->shutdown & SSL_SENT_SHUTDOWN)) { s->shutdown|=SSL_SENT_SHUTDOWN; #if 1 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY); #endif /* our shutdown alert has been sent now, and if it still needs * to be written, s->s3->alert_dispatch will be true */ } else if (s->s3->alert_dispatch) { /* resend it if not sent */ #if 1 ssl3_dispatch_alert(s); #endif } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ ssl3_read_bytes(s,0,NULL,0,0); } if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && !s->s3->alert_dispatch) return(1); else return(0); } int ssl3_write(SSL *s, const void *buf, int len) { int ret,n; #if 0 if (s->shutdown & SSL_SEND_SHUTDOWN) { s->rwstate=SSL_NOTHING; return(0); } #endif clear_sys_error(); if (s->s3->renegotiate) ssl3_renegotiate_check(s); /* This is an experimental flag that sends the * last handshake message in the same packet as the first * use data - used to see if it helps the TCP protocol during * session-id reuse */ /* The second test is because the buffer may have been removed */ if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) { /* First time through, we write into the buffer */ if (s->s3->delay_buf_pop_ret == 0) { ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, buf,len); if (ret <= 0) return(ret); s->s3->delay_buf_pop_ret=ret; } s->rwstate=SSL_WRITING; n=BIO_flush(s->wbio); if (n <= 0) return(n); s->rwstate=SSL_NOTHING; /* We have flushed the buffer, so remove it */ ssl_free_wbio_buffer(s); s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; ret=s->s3->delay_buf_pop_ret; s->s3->delay_buf_pop_ret=0; } else { ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, buf,len); if (ret <= 0) return(ret); } return(ret); } static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) { int ret; clear_sys_error(); if (s->s3->renegotiate) ssl3_renegotiate_check(s); s->s3->in_read_app_data=1; ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); if ((ret == -1) && (s->s3->in_read_app_data == 2)) { /* ssl3_read_bytes decided to call s->handshake_func, which * called ssl3_read_bytes to read handshake data. * However, ssl3_read_bytes actually found application data * and thinks that application data makes sense here; so disable * handshake processing and try to read application data again. */ s->in_handshake++; ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); s->in_handshake--; } else s->s3->in_read_app_data=0; return(ret); } int ssl3_read(SSL *s, void *buf, int len) { return ssl3_read_internal(s, buf, len, 0); } int ssl3_peek(SSL *s, void *buf, int len) { return ssl3_read_internal(s, buf, len, 1); } int ssl3_renegotiate(SSL *s) { if (s->handshake_func == NULL) return(1); if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) return(0); s->s3->renegotiate=1; return(1); } int ssl3_renegotiate_check(SSL *s) { int ret=0; if (s->s3->renegotiate) { if ( (s->s3->rbuf.left == 0) && (s->s3->wbuf.left == 0) && !SSL_in_init(s)) { /* if we are the server, and we have sent a 'RENEGOTIATE' message, we need to go to SSL_ST_ACCEPT. */ /* SSL_ST_ACCEPT */ s->state=SSL_ST_RENEGOTIATE; s->s3->renegotiate=0; s->s3->num_renegotiations++; s->s3->total_renegotiations++; ret=1; } } return(ret); } diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index 881f68b99891..deb3cffabeb5 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c @@ -1,2060 +1,2077 @@ /* ssl/s3_srvr.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #define REUSE_CIPHER_BUG #define NETSCAPE_HANG_BUG #include #include "ssl_locl.h" #include "kssl_lcl.h" #include #include #include #include #include +#ifndef OPENSSL_NO_KRB5 #include +#endif #include -#include "cryptlib.h" static SSL_METHOD *ssl3_get_server_method(int ver); static int ssl3_get_client_hello(SSL *s); static int ssl3_check_client_hello(SSL *s); static int ssl3_send_server_hello(SSL *s); static int ssl3_send_server_key_exchange(SSL *s); static int ssl3_send_certificate_request(SSL *s); static int ssl3_send_server_done(SSL *s); static int ssl3_get_client_key_exchange(SSL *s); static int ssl3_get_client_certificate(SSL *s); static int ssl3_get_cert_verify(SSL *s); static int ssl3_send_hello_request(SSL *s); static SSL_METHOD *ssl3_get_server_method(int ver) { if (ver == SSL3_VERSION) return(SSLv3_server_method()); else return(NULL); } SSL_METHOD *SSLv3_server_method(void) { static int init=1; static SSL_METHOD SSLv3_server_data; if (init) { CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); if (init) { memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(), sizeof(SSL_METHOD)); SSLv3_server_data.ssl_accept=ssl3_accept; SSLv3_server_data.get_ssl_method=ssl3_get_server_method; init=0; } CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv3_server_data); } int ssl3_accept(SSL *s) { BUF_MEM *buf; unsigned long l,Time=time(NULL); void (*cb)(const SSL *ssl,int type,int val)=NULL; long num1; int ret= -1; int new_state,state,skip=0; RAND_add(&Time,sizeof(Time),0); ERR_clear_error(); clear_sys_error(); if (s->info_callback != NULL) cb=s->info_callback; else if (s->ctx->info_callback != NULL) cb=s->ctx->info_callback; /* init things to blank */ s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); if (s->cert == NULL) { SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); return(-1); } for (;;) { state=s->state; switch (s->state) { case SSL_ST_RENEGOTIATE: s->new_session=1; /* s->state=SSL_ST_ACCEPT; */ case SSL_ST_BEFORE: case SSL_ST_ACCEPT: case SSL_ST_BEFORE|SSL_ST_ACCEPT: case SSL_ST_OK|SSL_ST_ACCEPT: s->server=1; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); if ((s->version>>8) != 3) { SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); return -1; } s->type=SSL_ST_ACCEPT; if (s->init_buf == NULL) { if ((buf=BUF_MEM_new()) == NULL) { ret= -1; goto end; } if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) { ret= -1; goto end; } s->init_buf=buf; } if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } s->init_num=0; if (s->state != SSL_ST_RENEGOTIATE) { /* Ok, we now need to push on a buffering BIO so that * the output is sent in a way that TCP likes :-) */ if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } ssl3_init_finished_mac(s); s->state=SSL3_ST_SR_CLNT_HELLO_A; s->ctx->stats.sess_accept++; } else { /* s->state == SSL_ST_RENEGOTIATE, * we will just send a HelloRequest */ s->ctx->stats.sess_accept_renegotiate++; s->state=SSL3_ST_SW_HELLO_REQ_A; } break; case SSL3_ST_SW_HELLO_REQ_A: case SSL3_ST_SW_HELLO_REQ_B: s->shutdown=0; ret=ssl3_send_hello_request(s); if (ret <= 0) goto end; s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; s->state=SSL3_ST_SW_FLUSH; s->init_num=0; ssl3_init_finished_mac(s); break; case SSL3_ST_SW_HELLO_REQ_C: s->state=SSL_ST_OK; break; case SSL3_ST_SR_CLNT_HELLO_A: case SSL3_ST_SR_CLNT_HELLO_B: case SSL3_ST_SR_CLNT_HELLO_C: s->shutdown=0; ret=ssl3_get_client_hello(s); if (ret <= 0) goto end; s->new_session = 2; s->state=SSL3_ST_SW_SRVR_HELLO_A; s->init_num=0; break; case SSL3_ST_SW_SRVR_HELLO_A: case SSL3_ST_SW_SRVR_HELLO_B: ret=ssl3_send_server_hello(s); if (ret <= 0) goto end; if (s->hit) s->state=SSL3_ST_SW_CHANGE_A; else s->state=SSL3_ST_SW_CERT_A; s->init_num=0; break; case SSL3_ST_SW_CERT_A: case SSL3_ST_SW_CERT_B: /* Check if it is anon DH */ if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) { ret=ssl3_send_server_certificate(s); if (ret <= 0) goto end; } else skip=1; s->state=SSL3_ST_SW_KEY_EXCH_A; s->init_num=0; break; case SSL3_ST_SW_KEY_EXCH_A: case SSL3_ST_SW_KEY_EXCH_B: l=s->s3->tmp.new_cipher->algorithms; /* clear this, it may get reset by * send_server_key_exchange */ if ((s->options & SSL_OP_EPHEMERAL_RSA) #ifndef OPENSSL_NO_KRB5 && !(l & SSL_KRB5) #endif /* OPENSSL_NO_KRB5 */ ) /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key * even when forbidden by protocol specs * (handshake may fail as clients are not required to * be able to handle this) */ s->s3->tmp.use_rsa_tmp=1; else s->s3->tmp.use_rsa_tmp=0; /* only send if a DH key exchange, fortezza or * RSA but we have a sign only certificate */ if (s->s3->tmp.use_rsa_tmp || (l & (SSL_DH|SSL_kFZA)) || ((l & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) ) ) ) ) { ret=ssl3_send_server_key_exchange(s); if (ret <= 0) goto end; } else skip=1; s->state=SSL3_ST_SW_CERT_REQ_A; s->init_num=0; break; case SSL3_ST_SW_CERT_REQ_A: case SSL3_ST_SW_CERT_REQ_B: if (/* don't request cert unless asked for it: */ !(s->verify_mode & SSL_VERIFY_PEER) || /* if SSL_VERIFY_CLIENT_ONCE is set, * don't request cert during re-negotiation: */ ((s->session->peer != NULL) && (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || /* never request cert in anonymous ciphersuites * (see section "Certificate request" in SSL 3 drafts * and in RFC 2246): */ ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && /* ... except when the application insists on verification * (against the specs, but s3_clnt.c accepts this for SSL 3) */ !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || /* never request cert in Kerberos ciphersuites */ (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) { /* no cert request */ skip=1; s->s3->tmp.cert_request=0; s->state=SSL3_ST_SW_SRVR_DONE_A; } else { s->s3->tmp.cert_request=1; ret=ssl3_send_certificate_request(s); if (ret <= 0) goto end; #ifndef NETSCAPE_HANG_BUG s->state=SSL3_ST_SW_SRVR_DONE_A; #else s->state=SSL3_ST_SW_FLUSH; s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; #endif s->init_num=0; } break; case SSL3_ST_SW_SRVR_DONE_A: case SSL3_ST_SW_SRVR_DONE_B: ret=ssl3_send_server_done(s); if (ret <= 0) goto end; s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; s->state=SSL3_ST_SW_FLUSH; s->init_num=0; break; case SSL3_ST_SW_FLUSH: /* number of bytes to be flushed */ num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); if (num1 > 0) { s->rwstate=SSL_WRITING; num1=BIO_flush(s->wbio); if (num1 <= 0) { ret= -1; goto end; } s->rwstate=SSL_NOTHING; } s->state=s->s3->tmp.next_state; break; case SSL3_ST_SR_CERT_A: case SSL3_ST_SR_CERT_B: /* Check for second client hello (MS SGC) */ ret = ssl3_check_client_hello(s); if (ret <= 0) goto end; if (ret == 2) s->state = SSL3_ST_SR_CLNT_HELLO_C; else { if (s->s3->tmp.cert_request) { ret=ssl3_get_client_certificate(s); if (ret <= 0) goto end; } s->init_num=0; s->state=SSL3_ST_SR_KEY_EXCH_A; } break; case SSL3_ST_SR_KEY_EXCH_A: case SSL3_ST_SR_KEY_EXCH_B: ret=ssl3_get_client_key_exchange(s); if (ret <= 0) goto end; s->state=SSL3_ST_SR_CERT_VRFY_A; s->init_num=0; /* We need to get hashes here so if there is * a client cert, it can be verified */ s->method->ssl3_enc->cert_verify_mac(s, &(s->s3->finish_dgst1), &(s->s3->tmp.cert_verify_md[0])); s->method->ssl3_enc->cert_verify_mac(s, &(s->s3->finish_dgst2), &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); break; case SSL3_ST_SR_CERT_VRFY_A: case SSL3_ST_SR_CERT_VRFY_B: /* we should decide if we expected this one */ ret=ssl3_get_cert_verify(s); if (ret <= 0) goto end; s->state=SSL3_ST_SR_FINISHED_A; s->init_num=0; break; case SSL3_ST_SR_FINISHED_A: case SSL3_ST_SR_FINISHED_B: ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, SSL3_ST_SR_FINISHED_B); if (ret <= 0) goto end; if (s->hit) s->state=SSL_ST_OK; else s->state=SSL3_ST_SW_CHANGE_A; s->init_num=0; break; case SSL3_ST_SW_CHANGE_A: case SSL3_ST_SW_CHANGE_B: s->session->cipher=s->s3->tmp.new_cipher; if (!s->method->ssl3_enc->setup_key_block(s)) { ret= -1; goto end; } ret=ssl3_send_change_cipher_spec(s, SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); if (ret <= 0) goto end; s->state=SSL3_ST_SW_FINISHED_A; s->init_num=0; if (!s->method->ssl3_enc->change_cipher_state(s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) { ret= -1; goto end; } break; case SSL3_ST_SW_FINISHED_A: case SSL3_ST_SW_FINISHED_B: ret=ssl3_send_finished(s, SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, s->method->ssl3_enc->server_finished_label, s->method->ssl3_enc->server_finished_label_len); if (ret <= 0) goto end; s->state=SSL3_ST_SW_FLUSH; if (s->hit) s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; else s->s3->tmp.next_state=SSL_ST_OK; s->init_num=0; break; case SSL_ST_OK: /* clean a few things up */ ssl3_cleanup_key_block(s); BUF_MEM_free(s->init_buf); s->init_buf=NULL; /* remove buffering on output */ ssl_free_wbio_buffer(s); s->init_num=0; if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ { /* actually not necessarily a 'new' session unless * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ s->new_session=0; ssl_update_cache(s,SSL_SESS_CACHE_SERVER); s->ctx->stats.sess_accept_good++; /* s->server=1; */ s->handshake_func=ssl3_accept; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); } ret = 1; goto end; /* break; */ default: SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE); ret= -1; goto end; /* break; */ } if (!s->s3->tmp.reuse_message && !skip) { if (s->debug) { if ((ret=BIO_flush(s->wbio)) <= 0) goto end; } if ((cb != NULL) && (s->state != state)) { new_state=s->state; s->state=state; cb(s,SSL_CB_ACCEPT_LOOP,1); s->state=new_state; } } skip=0; } end: /* BIO_flush(s->wbio); */ s->in_handshake--; if (cb != NULL) cb(s,SSL_CB_ACCEPT_EXIT,ret); return(ret); } static int ssl3_send_hello_request(SSL *s) { unsigned char *p; if (s->state == SSL3_ST_SW_HELLO_REQ_A) { p=(unsigned char *)s->init_buf->data; *(p++)=SSL3_MT_HELLO_REQUEST; *(p++)=0; *(p++)=0; *(p++)=0; s->state=SSL3_ST_SW_HELLO_REQ_B; /* number of bytes to write */ s->init_num=4; s->init_off=0; } /* SSL3_ST_SW_HELLO_REQ_B */ return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } static int ssl3_check_client_hello(SSL *s) { int ok; long n; /* this function is called when we really expect a Certificate message, * so permit appropriate message length */ n=ssl3_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1, s->max_cert_list, &ok); if (!ok) return((int)n); s->s3->tmp.reuse_message = 1; if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) { /* Throw away what we have done so far in the current handshake, * which will now be aborted. (A full SSL_clear would be too much.) * I hope that tmp.dh is the only thing that may need to be cleared * when a handshake is not completed ... */ #ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) { DH_free(s->s3->tmp.dh); s->s3->tmp.dh = NULL; } #endif return 2; } return 1; } static int ssl3_get_client_hello(SSL *s) { int i,j,ok,al,ret= -1; long n; unsigned long id; unsigned char *p,*d,*q; SSL_CIPHER *c; SSL_COMP *comp=NULL; STACK_OF(SSL_CIPHER) *ciphers=NULL; /* We do this so that we will respond with our native type. * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, * This down switching should be handled by a different method. * If we are SSLv3, we will respond with SSLv3, even if prompted with * TLSv1. */ if (s->state == SSL3_ST_SR_CLNT_HELLO_A) { s->first_packet=1; s->state=SSL3_ST_SR_CLNT_HELLO_B; } n=ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO, SSL3_RT_MAX_PLAIN_LENGTH, &ok); if (!ok) return((int)n); d=p=(unsigned char *)s->init_msg; /* use version from inside client hello, not from record header * (may differ: see RFC 2246, Appendix E, second paragraph) */ s->client_version=(((int)p[0])<<8)|(int)p[1]; p+=2; if (s->client_version < s->version) { SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); if ((s->client_version>>8) == SSL3_VERSION_MAJOR) { /* similar to ssl3_get_record, send alert using remote version number */ s->version = s->client_version; } al = SSL_AD_PROTOCOL_VERSION; goto f_err; } /* load the client random */ memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; /* get the session-id */ j= *(p++); s->hit=0; /* Versions before 0.9.7 always allow session reuse during renegotiation * (i.e. when s->new_session is true), option * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7. * Maybe this optional behaviour should always have been the default, * but we cannot safely change the default behaviour (or new applications * might be written that become totally unsecure when compiled with * an earlier library version) */ if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { if (!ssl_get_new_session(s,1)) goto err; } else { i=ssl_get_prev_session(s,p,j); if (i == 1) { /* previous session */ s->hit=1; } else if (i == -1) goto err; else /* i == 0 */ { if (!ssl_get_new_session(s,1)) goto err; } } p+=j; n2s(p,i); if ((i == 0) && (j != 0)) { /* we need a cipher if we are not resuming a session */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); goto f_err; } if ((p+i) >= (d+n)) { /* not enough data */ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); goto f_err; } if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers)) == NULL)) { goto err; } p+=i; /* If it is a hit, check that the cipher is in the list */ if ((s->hit) && (i > 0)) { j=0; id=s->session->cipher->id; #ifdef CIPHER_DEBUG printf("client sent %d ciphers\n",sk_num(ciphers)); #endif for (i=0; iid == id) { j=1; break; } } if (j == 0) { if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) { /* Very bad for multi-threading.... */ s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0); } else { /* we need to have the cipher in the cipher * list if we are asked to reuse it */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); goto f_err; } } } /* compression */ i= *(p++); if ((p+i) > (d+n)) { /* not enough data */ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); goto f_err; } q=p; for (j=0; j= i) { /* no compress */ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED); goto f_err; } /* Worst case, we will use the NULL compression, but if we have other * options, we will now look for them. We have i-1 compression * algorithms from the client, starting at q. */ s->s3->tmp.new_compression=NULL; if (s->ctx->comp_methods != NULL) { /* See if we have a match */ int m,nn,o,v,done=0; nn=sk_SSL_COMP_num(s->ctx->comp_methods); for (m=0; mctx->comp_methods,m); v=comp->id; for (o=0; os3->tmp.new_compression=comp; else comp=NULL; } /* TLS does not mind if there is extra stuff */ #if 0 /* SSL 3.0 does not mind either, so we should disable this test * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ if (s->version == SSL3_VERSION) { if (p < (d+n)) { /* wrong number of bytes, * there could be more to follow */ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); goto f_err; } } #endif /* Given s->session->ciphers and SSL_get_ciphers, we must * pick a cipher */ if (!s->hit) { s->session->compress_meth=(comp == NULL)?0:comp->id; if (s->session->ciphers != NULL) sk_SSL_CIPHER_free(s->session->ciphers); s->session->ciphers=ciphers; if (ciphers == NULL) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED); goto f_err; } ciphers=NULL; c=ssl3_choose_cipher(s,s->session->ciphers, SSL_get_ciphers(s)); if (c == NULL) { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); goto f_err; } s->s3->tmp.new_cipher=c; } else { /* Session-id reuse */ #ifdef REUSE_CIPHER_BUG STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *nc=NULL; SSL_CIPHER *ec=NULL; if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) { sk=s->session->ciphers; for (i=0; ialgorithms & SSL_eNULL) nc=c; if (SSL_C_IS_EXPORT(c)) ec=c; } if (nc != NULL) s->s3->tmp.new_cipher=nc; else if (ec != NULL) s->s3->tmp.new_cipher=ec; else s->s3->tmp.new_cipher=s->session->cipher; } else #endif s->s3->tmp.new_cipher=s->session->cipher; } /* we now have the following setup. * client_random * cipher_list - our prefered list of ciphers * ciphers - the clients prefered list of ciphers * compression - basically ignored right now * ssl version is set - sslv3 * s->session - The ssl session has been setup. * s->hit - session reuse flag * s->tmp.new_cipher - the new cipher to use. */ ret=1; if (0) { f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); } err: if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); return(ret); } static int ssl3_send_server_hello(SSL *s) { unsigned char *buf; unsigned char *p,*d; int i,sl; unsigned long l,Time; if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { buf=(unsigned char *)s->init_buf->data; p=s->s3->server_random; Time=time(NULL); /* Time */ l2n(Time,p); RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); /* Do the message type and length last */ d=p= &(buf[4]); *(p++)=s->version>>8; *(p++)=s->version&0xff; /* Random stuff */ memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; /* now in theory we have 3 options to sending back the * session id. If it is a re-use, we send back the * old session-id, if it is a new session, we send * back the new session-id or we send back a 0 length * session-id if we want it to be single use. * Currently I will not implement the '0' length session-id * 12-Jan-98 - I'll now support the '0' length stuff. */ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) s->session->session_id_length=0; sl=s->session->session_id_length; if (sl > sizeof s->session->session_id) { SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); return -1; } *(p++)=sl; memcpy(p,s->session->session_id,sl); p+=sl; /* put the cipher */ i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); p+=i; /* put the compression method */ if (s->s3->tmp.new_compression == NULL) *(p++)=0; else *(p++)=s->s3->tmp.new_compression->id; /* do the header */ l=(p-d); d=buf; *(d++)=SSL3_MT_SERVER_HELLO; l2n3(l,d); s->state=SSL3_ST_CW_CLNT_HELLO_B; /* number of bytes to write */ s->init_num=p-buf; s->init_off=0; } /* SSL3_ST_CW_CLNT_HELLO_B */ return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } static int ssl3_send_server_done(SSL *s) { unsigned char *p; if (s->state == SSL3_ST_SW_SRVR_DONE_A) { p=(unsigned char *)s->init_buf->data; /* do the header */ *(p++)=SSL3_MT_SERVER_DONE; *(p++)=0; *(p++)=0; *(p++)=0; s->state=SSL3_ST_SW_SRVR_DONE_B; /* number of bytes to write */ s->init_num=4; s->init_off=0; } /* SSL3_ST_CW_CLNT_HELLO_B */ return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } static int ssl3_send_server_key_exchange(SSL *s) { #ifndef OPENSSL_NO_RSA unsigned char *q; int j,num; RSA *rsa; unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; unsigned int u; #endif #ifndef OPENSSL_NO_DH DH *dh=NULL,*dhp; #endif EVP_PKEY *pkey; unsigned char *p,*d; int al,i; unsigned long type; int n; CERT *cert; BIGNUM *r[4]; int nr[4],kn; BUF_MEM *buf; EVP_MD_CTX md_ctx; EVP_MD_CTX_init(&md_ctx); if (s->state == SSL3_ST_SW_KEY_EXCH_A) { type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; cert=s->cert; buf=s->init_buf; r[0]=r[1]=r[2]=r[3]=NULL; n=0; #ifndef OPENSSL_NO_RSA if (type & SSL_kRSA) { rsa=cert->rsa_tmp; if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { rsa=s->cert->rsa_tmp_cb(s, SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); if(rsa == NULL) { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY); goto f_err; } RSA_up_ref(rsa); cert->rsa_tmp=rsa; } if (rsa == NULL) { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY); goto f_err; } r[0]=rsa->n; r[1]=rsa->e; s->s3->tmp.use_rsa_tmp=1; } else #endif #ifndef OPENSSL_NO_DH if (type & SSL_kEDH) { dhp=cert->dh_tmp; if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) dhp=s->cert->dh_tmp_cb(s, SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); if (dhp == NULL) { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); goto f_err; } if (s->s3->tmp.dh != NULL) { DH_free(dh); SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; } if ((dh=DHparams_dup(dhp)) == NULL) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); goto err; } s->s3->tmp.dh=dh; if ((dhp->pub_key == NULL || dhp->priv_key == NULL || (s->options & SSL_OP_SINGLE_DH_USE))) { if(!DH_generate_key(dh)) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); goto err; } } else { dh->pub_key=BN_dup(dhp->pub_key); dh->priv_key=BN_dup(dhp->priv_key); if ((dh->pub_key == NULL) || (dh->priv_key == NULL)) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); goto err; } } r[0]=dh->p; r[1]=dh->g; r[2]=dh->pub_key; } else #endif { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); goto f_err; } for (i=0; r[i] != NULL; i++) { nr[i]=BN_num_bytes(r[i]); n+=2+nr[i]; } if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) { if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) == NULL) { al=SSL_AD_DECODE_ERROR; goto f_err; } kn=EVP_PKEY_size(pkey); } else { pkey=NULL; kn=0; } if (!BUF_MEM_grow_clean(buf,n+4+kn)) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF); goto err; } d=(unsigned char *)s->init_buf->data; p= &(d[4]); for (i=0; r[i] != NULL; i++) { s2n(nr[i],p); BN_bn2bin(r[i],p); p+=nr[i]; } /* not anonymous */ if (pkey != NULL) { /* n is the length of the params, they start at &(d[4]) * and p points to the space at the end. */ #ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA) { q=md_buf; j=0; for (num=2; num > 0; num--) { EVP_DigestInit_ex(&md_ctx,(num == 2) ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,&(d[4]),n); EVP_DigestFinal_ex(&md_ctx,q, (unsigned int *)&i); q+=i; j+=i; } if (RSA_sign(NID_md5_sha1, md_buf, j, &(p[2]), &u, pkey->pkey.rsa) <= 0) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA); goto err; } s2n(u,p); n+=u+2; } else #endif #if !defined(OPENSSL_NO_DSA) if (pkey->type == EVP_PKEY_DSA) { /* lets do DSS */ EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL); EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_SignUpdate(&md_ctx,&(d[4]),n); if (!EVP_SignFinal(&md_ctx,&(p[2]), (unsigned int *)&i,pkey)) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA); goto err; } s2n(i,p); n+=i+2; } else #endif { /* Is this error check actually needed? */ al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); goto f_err; } } *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE; l2n3(n,d); /* we should now have things packed up, so lets send * it off */ s->init_num=n+4; s->init_off=0; } s->state = SSL3_ST_SW_KEY_EXCH_B; EVP_MD_CTX_cleanup(&md_ctx); return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: EVP_MD_CTX_cleanup(&md_ctx); return(-1); } static int ssl3_send_certificate_request(SSL *s) { unsigned char *p,*d; int i,j,nl,off,n; STACK_OF(X509_NAME) *sk=NULL; X509_NAME *name; BUF_MEM *buf; if (s->state == SSL3_ST_SW_CERT_REQ_A) { buf=s->init_buf; d=p=(unsigned char *)&(buf->data[4]); /* get the list of acceptable cert types */ p++; n=ssl3_get_req_cert_type(s,p); d[0]=n; p+=n; n++; off=n; p+=2; n+=2; sk=SSL_get_client_CA_list(s); nl=0; if (sk != NULL) { for (i=0; idata[4+n]); if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) { s2n(j,p); i2d_X509_NAME(name,&p); n+=2+j; nl+=2+j; } else { d=p; i2d_X509_NAME(name,&p); j-=2; s2n(j,d); j+=2; n+=j; nl+=j; } } } /* else no CA names */ p=(unsigned char *)&(buf->data[4+off]); s2n(nl,p); d=(unsigned char *)buf->data; *(d++)=SSL3_MT_CERTIFICATE_REQUEST; l2n3(n,d); /* we should now have things packed up, so lets send * it off */ s->init_num=n+4; s->init_off=0; #ifdef NETSCAPE_HANG_BUG p=(unsigned char *)s->init_buf->data + s->init_num; /* do the header */ *(p++)=SSL3_MT_SERVER_DONE; *(p++)=0; *(p++)=0; *(p++)=0; s->init_num += 4; #endif s->state = SSL3_ST_SW_CERT_REQ_B; } /* SSL3_ST_SW_CERT_REQ_B */ return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); err: return(-1); } static int ssl3_get_client_key_exchange(SSL *s) { int i,al,ok; long n; unsigned long l; unsigned char *p; #ifndef OPENSSL_NO_RSA RSA *rsa=NULL; EVP_PKEY *pkey=NULL; #endif #ifndef OPENSSL_NO_DH BIGNUM *pub=NULL; DH *dh_srvr; #endif #ifndef OPENSSL_NO_KRB5 KSSL_ERR kssl_err; #endif /* OPENSSL_NO_KRB5 */ n=ssl3_get_message(s, SSL3_ST_SR_KEY_EXCH_A, SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, /* ??? */ &ok); if (!ok) return((int)n); p=(unsigned char *)s->init_msg; l=s->s3->tmp.new_cipher->algorithms; #ifndef OPENSSL_NO_RSA if (l & SSL_kRSA) { /* FIX THIS UP EAY EAY EAY EAY */ if (s->s3->tmp.use_rsa_tmp) { if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) rsa=s->cert->rsa_tmp; /* Don't do a callback because rsa_tmp should * be sent already */ if (rsa == NULL) { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY); goto f_err; } } else { pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; if ( (pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE); goto f_err; } rsa=pkey->pkey.rsa; } /* TLS */ if (s->version > SSL3_VERSION) { n2s(p,i); if (n != i+2) { if (!(s->options & SSL_OP_TLS_D5_BUG)) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); goto err; } else p-=2; } else n=i; } i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); al = -1; if (i != SSL_MAX_MASTER_KEY_LENGTH) { al=SSL_AD_DECODE_ERROR; /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ } if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) { /* The premaster secret must contain the same version number as the * ClientHello to detect version rollback attacks (strangely, the * protocol does not offer such protection for DH ciphersuites). * However, buggy clients exist that send the negotiated protocol * version instead if the server does not support the requested * protocol version. * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) { al=SSL_AD_DECODE_ERROR; /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack * (http://eprint.iacr.org/2003/052/) exploits the version * number check as a "bad version oracle" -- an alert would * reveal that the plaintext corresponding to some ciphertext * made up by the adversary is properly formatted except * that the version number is wrong. To avoid such attacks, * we should treat this just like any other decryption error. */ } } if (al != -1) { /* Some decryption failure -- use random value instead as countermeasure * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding * (see RFC 2246, section 7.4.7.1). */ ERR_clear_error(); i = SSL_MAX_MASTER_KEY_LENGTH; p[0] = s->client_version >> 8; p[1] = s->client_version & 0xff; RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ } s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, p,i); OPENSSL_cleanse(p,i); } else #endif #ifndef OPENSSL_NO_DH if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { n2s(p,i); if (n != i+2) { if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); goto err; } else { p-=2; i=(int)n; } } if (n == 0L) /* the parameters are in the cert */ { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS); goto f_err; } else { if (s->s3->tmp.dh == NULL) { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); goto f_err; } else dh_srvr=s->s3->tmp.dh; } pub=BN_bin2bn(p,i,NULL); if (pub == NULL) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB); goto err; } i=DH_compute_key(p,pub,dh_srvr); if (i <= 0) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); goto err; } DH_free(s->s3->tmp.dh); s->s3->tmp.dh=NULL; BN_clear_free(pub); pub=NULL; s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key,p,i); OPENSSL_cleanse(p,i); } else #endif #ifndef OPENSSL_NO_KRB5 if (l & SSL_kKRB5) { krb5_error_code krb5rc; krb5_data enc_ticket; krb5_data authenticator; krb5_data enc_pms; KSSL_CTX *kssl_ctx = s->kssl_ctx; EVP_CIPHER_CTX ciph_ctx; EVP_CIPHER *enc = NULL; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH + EVP_MAX_BLOCK_LENGTH]; int padl, outl; krb5_timestamp authtime = 0; krb5_ticket_times ttimes; EVP_CIPHER_CTX_init(&ciph_ctx); if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); n2s(p,i); enc_ticket.length = i; + + if (n < enc_ticket.length + 6) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto err; + } + enc_ticket.data = (char *)p; p+=enc_ticket.length; n2s(p,i); authenticator.length = i; + + if (n < enc_ticket.length + authenticator.length + 6) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto err; + } + authenticator.data = (char *)p; p+=authenticator.length; n2s(p,i); enc_pms.length = i; enc_pms.data = (char *)p; p+=enc_pms.length; /* Note that the length is checked again below, ** after decryption */ if(enc_pms.length > sizeof pms) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG); goto err; } if (n != enc_ticket.length + authenticator.length + enc_pms.length + 6) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG); goto err; } if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, &kssl_err)) != 0) { #ifdef KSSL_DEBUG printf("kssl_sget_tkt rtn %d [%d]\n", krb5rc, kssl_err.reason); if (kssl_err.text) printf("kssl_err text= %s\n", kssl_err.text); #endif /* KSSL_DEBUG */ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, kssl_err.reason); goto err; } /* Note: no authenticator is not considered an error, ** but will return authtime == 0. */ if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, &authtime, &kssl_err)) != 0) { #ifdef KSSL_DEBUG printf("kssl_check_authent rtn %d [%d]\n", krb5rc, kssl_err.reason); if (kssl_err.text) printf("kssl_err text= %s\n", kssl_err.text); #endif /* KSSL_DEBUG */ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, kssl_err.reason); goto err; } if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, krb5rc); goto err; } #ifdef KSSL_DEBUG kssl_ctx_show(kssl_ctx); #endif /* KSSL_DEBUG */ enc = kssl_map_enc(kssl_ctx->enctype); if (enc == NULL) goto err; memset(iv, 0, sizeof iv); /* per RFC 1510 */ if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED); goto err; } if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, (unsigned char *)enc_pms.data, enc_pms.length)) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED); goto err; } if (outl > SSL_MAX_MASTER_KEY_LENGTH) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG); goto err; } if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl)) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED); goto err; } outl += padl; if (outl > SSL_MAX_MASTER_KEY_LENGTH) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG); goto err; } EVP_CIPHER_CTX_cleanup(&ciph_ctx); s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, pms, outl); if (kssl_ctx->client_princ) { int len = strlen(kssl_ctx->client_princ); if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) { s->session->krb5_client_princ_len = len; memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); } } /* Was doing kssl_ctx_free() here, ** but it caused problems for apache. ** kssl_ctx = kssl_ctx_free(kssl_ctx); ** if (s->kssl_ctx) s->kssl_ctx = NULL; */ } else #endif /* OPENSSL_NO_KRB5 */ { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE); goto f_err; } return(1); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) err: #endif return(-1); } static int ssl3_get_cert_verify(SSL *s) { EVP_PKEY *pkey=NULL; unsigned char *p; int al,ok,ret=0; long n; int type=0,i,j; X509 *peer; n=ssl3_get_message(s, SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B, -1, 514, /* 514? */ &ok); if (!ok) return((int)n); if (s->session->peer != NULL) { peer=s->session->peer; pkey=X509_get_pubkey(peer); type=X509_certificate_type(peer,pkey); } else { peer=NULL; pkey=NULL; } if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { s->s3->tmp.reuse_message=1; if ((peer != NULL) && (type | EVP_PKT_SIGN)) { al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); goto f_err; } ret=1; goto end; } if (peer == NULL) { SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); al=SSL_AD_UNEXPECTED_MESSAGE; goto f_err; } if (!(type & EVP_PKT_SIGN)) { SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); al=SSL_AD_ILLEGAL_PARAMETER; goto f_err; } if (s->s3->change_cipher_spec) { SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); al=SSL_AD_UNEXPECTED_MESSAGE; goto f_err; } /* we now have a signature that we need to verify */ p=(unsigned char *)s->init_msg; n2s(p,i); n-=2; if (i > n) { SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); al=SSL_AD_DECODE_ERROR; goto f_err; } j=EVP_PKEY_size(pkey); if ((i > j) || (n > j) || (n <= 0)) { SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE); al=SSL_AD_DECODE_ERROR; goto f_err; } #ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA) { i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, pkey->pkey.rsa); if (i < 0) { al=SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT); goto f_err; } if (i == 0) { al=SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE); goto f_err; } } else #endif #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) { j=DSA_verify(pkey->save_type, &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); if (j <= 0) { /* bad signature */ al=SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE); goto f_err; } } else #endif { SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); al=SSL_AD_UNSUPPORTED_CERTIFICATE; goto f_err; } ret=1; if (0) { f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); } end: EVP_PKEY_free(pkey); return(ret); } static int ssl3_get_client_certificate(SSL *s) { int i,ok,al,ret= -1; X509 *x=NULL; unsigned long l,nc,llen,n; unsigned char *p,*d,*q; STACK_OF(X509) *sk=NULL; n=ssl3_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1, s->max_cert_list, &ok); if (!ok) return((int)n); if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { if ( (s->verify_mode & SSL_VERIFY_PEER) && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); al=SSL_AD_HANDSHAKE_FAILURE; goto f_err; } /* If tls asked for a client cert, the client must return a 0 list */ if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) { SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); al=SSL_AD_UNEXPECTED_MESSAGE; goto f_err; } s->s3->tmp.reuse_message=1; return(1); } if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) { al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE); goto f_err; } d=p=(unsigned char *)s->init_msg; if ((sk=sk_X509_new_null()) == NULL) { SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); goto err; } n2l3(p,llen); if (llen+3 != n) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH); goto f_err; } for (nc=0; nc llen) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); goto f_err; } q=p; x=d2i_X509(NULL,&p,l); if (x == NULL) { SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB); goto err; } if (p != (q+l)) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); goto f_err; } if (!sk_X509_push(sk,x)) { SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); goto err; } x=NULL; nc+=l+3; } if (sk_X509_num(sk) <= 0) { /* TLS does not mind 0 certs returned */ if (s->version == SSL3_VERSION) { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED); goto f_err; } /* Fail for TLS only if we required a certificate */ else if ((s->verify_mode & SSL_VERIFY_PEER) && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); al=SSL_AD_HANDSHAKE_FAILURE; goto f_err; } } else { i=ssl_verify_cert_chain(s,sk); if (!i) { al=ssl_verify_alarm_type(s->verify_result); SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); goto f_err; } } if (s->session->peer != NULL) /* This should not be needed */ X509_free(s->session->peer); s->session->peer=sk_X509_shift(sk); s->session->verify_result = s->verify_result; /* With the current implementation, sess_cert will always be NULL * when we arrive here. */ if (s->session->sess_cert == NULL) { s->session->sess_cert = ssl_sess_cert_new(); if (s->session->sess_cert == NULL) { SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); goto err; } } if (s->session->sess_cert->cert_chain != NULL) sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); s->session->sess_cert->cert_chain=sk; /* Inconsistency alert: cert_chain does *not* include the * peer's own certificate, while we do include it in s3_clnt.c */ sk=NULL; ret=1; if (0) { f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); } err: if (x != NULL) X509_free(x); if (sk != NULL) sk_X509_pop_free(sk,X509_free); return(ret); } int ssl3_send_server_certificate(SSL *s) { unsigned long l; X509 *x; if (s->state == SSL3_ST_SW_CERT_A) { x=ssl_get_server_send_cert(s); if (x == NULL && /* VRS: allow null cert if auth == KRB5 */ (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) != (SSL_aKRB5|SSL_kKRB5)) { SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); return(0); } l=ssl3_output_cert_chain(s,x); s->state=SSL3_ST_SW_CERT_B; s->init_num=(int)l; s->init_off=0; } /* SSL3_ST_SW_CERT_B */ return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h index 4ae845825949..913bd40eea4a 100644 --- a/crypto/openssl/ssl/ssl.h +++ b/crypto/openssl/ssl/ssl.h @@ -1,1854 +1,1854 @@ /* ssl/ssl.h */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #ifndef HEADER_SSL_H #define HEADER_SSL_H #include #ifndef OPENSSL_NO_COMP #include #endif #ifndef OPENSSL_NO_BIO #include #endif #ifndef OPENSSL_NO_X509 #include #endif #include #include #include #ifdef __cplusplus extern "C" { #endif /* SSLeay version number for ASN.1 encoding of the session information */ /* Version 0 - initial version * Version 1 - added the optional peer certificate */ #define SSL_SESSION_ASN1_VERSION 0x0001 /* text strings for the ciphers */ #define SSL_TXT_NULL_WITH_MD5 SSL2_TXT_NULL_WITH_MD5 #define SSL_TXT_RC4_128_WITH_MD5 SSL2_TXT_RC4_128_WITH_MD5 #define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5 #define SSL_TXT_RC2_128_CBC_WITH_MD5 SSL2_TXT_RC2_128_CBC_WITH_MD5 #define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 #define SSL_TXT_IDEA_128_CBC_WITH_MD5 SSL2_TXT_IDEA_128_CBC_WITH_MD5 #define SSL_TXT_DES_64_CBC_WITH_MD5 SSL2_TXT_DES_64_CBC_WITH_MD5 #define SSL_TXT_DES_64_CBC_WITH_SHA SSL2_TXT_DES_64_CBC_WITH_SHA #define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 #define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA /* VRS Additional Kerberos5 entries */ #define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA #define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA #define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA #define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA #define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5 #define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5 #define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5 #define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5 #define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA #define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA #define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA #define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5 #define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5 #define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5 #define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA #define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5 #define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA #define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5 #define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA #define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5 #define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256 #define SSL_MAX_SSL_SESSION_ID_LENGTH 32 #define SSL_MAX_SID_CTX_LENGTH 32 #define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES (512/8) #define SSL_MAX_KEY_ARG_LENGTH 8 #define SSL_MAX_MASTER_KEY_LENGTH 48 /* These are used to specify which ciphers to use and not to use */ #define SSL_TXT_LOW "LOW" #define SSL_TXT_MEDIUM "MEDIUM" #define SSL_TXT_HIGH "HIGH" #define SSL_TXT_kFZA "kFZA" #define SSL_TXT_aFZA "aFZA" #define SSL_TXT_eFZA "eFZA" #define SSL_TXT_FZA "FZA" #define SSL_TXT_aNULL "aNULL" #define SSL_TXT_eNULL "eNULL" #define SSL_TXT_NULL "NULL" #define SSL_TXT_kKRB5 "kKRB5" #define SSL_TXT_aKRB5 "aKRB5" #define SSL_TXT_KRB5 "KRB5" #define SSL_TXT_kRSA "kRSA" #define SSL_TXT_kDHr "kDHr" #define SSL_TXT_kDHd "kDHd" #define SSL_TXT_kEDH "kEDH" #define SSL_TXT_aRSA "aRSA" #define SSL_TXT_aDSS "aDSS" #define SSL_TXT_aDH "aDH" #define SSL_TXT_DSS "DSS" #define SSL_TXT_DH "DH" #define SSL_TXT_EDH "EDH" #define SSL_TXT_ADH "ADH" #define SSL_TXT_RSA "RSA" #define SSL_TXT_DES "DES" #define SSL_TXT_3DES "3DES" #define SSL_TXT_RC4 "RC4" #define SSL_TXT_RC2 "RC2" #define SSL_TXT_IDEA "IDEA" #define SSL_TXT_AES "AES" #define SSL_TXT_MD5 "MD5" #define SSL_TXT_SHA1 "SHA1" #define SSL_TXT_SHA "SHA" #define SSL_TXT_EXP "EXP" #define SSL_TXT_EXPORT "EXPORT" #define SSL_TXT_EXP40 "EXPORT40" #define SSL_TXT_EXP56 "EXPORT56" #define SSL_TXT_SSLV2 "SSLv2" #define SSL_TXT_SSLV3 "SSLv3" #define SSL_TXT_TLSV1 "TLSv1" #define SSL_TXT_ALL "ALL" /* * COMPLEMENTOF* definitions. These identifiers are used to (de-select) * ciphers normally not being used. * Example: "RC4" will activate all ciphers using RC4 including ciphers * without authentication, which would normally disabled by DEFAULT (due * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT" * will make sure that it is also disabled in the specific selection. * COMPLEMENTOF* identifiers are portable between version, as adjustments * to the default cipher setup will also be included here. * * COMPLEMENTOFDEFAULT does not experience the same special treatment that * DEFAULT gets, as only selection is being done and no sorting as needed * for DEFAULT. */ #define SSL_TXT_CMPALL "COMPLEMENTOFALL" #define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ #define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ #define SSL_SENT_SHUTDOWN 1 #define SSL_RECEIVED_SHUTDOWN 2 #ifdef __cplusplus } #endif #include #include #include #include #ifdef __cplusplus extern "C" { #endif #if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2) #define OPENSSL_NO_SSL2 #endif #define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 #define SSL_FILETYPE_PEM X509_FILETYPE_PEM /* This is needed to stop compilers complaining about the * 'struct ssl_st *' function parameters used to prototype callbacks * in SSL_CTX. */ typedef struct ssl_st *ssl_crock_st; /* used to hold info on the particular ciphers used */ typedef struct ssl_cipher_st { int valid; const char *name; /* text name */ unsigned long id; /* id, 4 bytes, first is version */ unsigned long algorithms; /* what ciphers are used */ unsigned long algo_strength; /* strength and export flags */ unsigned long algorithm2; /* Extra flags */ int strength_bits; /* Number of bits really used */ int alg_bits; /* Number of bits for algorithm */ unsigned long mask; /* used for matching */ unsigned long mask_strength; /* also used for matching */ } SSL_CIPHER; DECLARE_STACK_OF(SSL_CIPHER) typedef struct ssl_st SSL; typedef struct ssl_ctx_st SSL_CTX; /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ typedef struct ssl_method_st { int version; int (*ssl_new)(SSL *s); void (*ssl_clear)(SSL *s); void (*ssl_free)(SSL *s); int (*ssl_accept)(SSL *s); int (*ssl_connect)(SSL *s); int (*ssl_read)(SSL *s,void *buf,int len); int (*ssl_peek)(SSL *s,void *buf,int len); int (*ssl_write)(SSL *s,const void *buf,int len); int (*ssl_shutdown)(SSL *s); int (*ssl_renegotiate)(SSL *s); int (*ssl_renegotiate_check)(SSL *s); long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg); long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg); SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr); int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr); int (*ssl_pending)(SSL *s); int (*num_ciphers)(void); SSL_CIPHER *(*get_cipher)(unsigned ncipher); struct ssl_method_st *(*get_ssl_method)(int version); long (*get_timeout)(void); struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ int (*ssl_version)(); long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)()); long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)()); } SSL_METHOD; /* Lets make this into an ASN.1 type structure as follows * SSL_SESSION_ID ::= SEQUENCE { * version INTEGER, -- structure version number * SSLversion INTEGER, -- SSL version number * Cipher OCTET_STRING, -- the 3 byte cipher ID * Session_ID OCTET_STRING, -- the Session ID * Master_key OCTET_STRING, -- the master key * KRB5_principal OCTET_STRING -- optional Kerberos principal * Key_Arg [ 0 ] IMPLICIT OCTET_STRING, -- the optional Key argument * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate * Session_ID_context [ 4 ] EXPLICIT OCTET_STRING, -- the Session ID context * Verify_result [ 5 ] EXPLICIT INTEGER -- X509_V_... code for `Peer' * Compression [6] IMPLICIT ASN1_OBJECT -- compression OID XXXXX * } * Look in ssl/ssl_asn1.c for more details * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). */ typedef struct ssl_session_st { int ssl_version; /* what ssl version session info is * being kept in here? */ /* only really used in SSLv2 */ unsigned int key_arg_length; unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH]; int master_key_length; unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; /* session_id - valid? */ unsigned int session_id_length; unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; /* this is used to determine whether the session is being reused in * the appropriate context. It is up to the application to set this, * via SSL_new */ unsigned int sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; #ifndef OPENSSL_NO_KRB5 unsigned int krb5_client_princ_len; unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH]; #endif /* OPENSSL_NO_KRB5 */ int not_resumable; /* The cert is the certificate used to establish this connection */ struct sess_cert_st /* SESS_CERT */ *sess_cert; /* This is the cert for the other end. * On clients, it will be the same as sess_cert->peer_key->x509 * (the latter is not enough as sess_cert is not retained * in the external representation of sessions, see ssl_asn1.c). */ X509 *peer; /* when app_verify_callback accepts a session where the peer's certificate * is not ok, we must remember the error for session reuse: */ long verify_result; /* only for servers */ int references; long timeout; long time; int compress_meth; /* Need to lookup the method */ SSL_CIPHER *cipher; unsigned long cipher_id; /* when ASN.1 loaded, this * needs to be used to load * the 'cipher' structure */ STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ CRYPTO_EX_DATA ex_data; /* application specific data */ /* These are used to make removal of session-ids more * efficient and to implement a maximum cache size. */ struct ssl_session_st *prev,*next; } SSL_SESSION; #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L #define SSL_OP_TLS_D5_BUG 0x00000100L #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added * in OpenSSL 0.9.6d. Usually (depending on the application protocol) * the workaround is not needed. Unfortunately some broken SSL/TLS * implementations cannot handle it at all, which is why we include * it in SSL_OP_ALL. */ #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */ /* SSL_OP_ALL: various bug workarounds that should be rather harmless. * This used to be 0x000FFFFFL before 0.9.7. */ #define SSL_OP_ALL 0x00000FFFL /* As server, disallow session resumption on renegotiation */ #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L /* If set, always create a new key when using tmp_dh parameters */ #define SSL_OP_SINGLE_DH_USE 0x00100000L /* Set to always use the tmp_rsa key when doing RSA operations, * even when this violates protocol specs */ #define SSL_OP_EPHEMERAL_RSA 0x00200000L /* Set on servers to choose the cipher according to the server's * preferences */ #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L /* If set, a server will allow a client to issue a SSLv3.0 version number * as latest version supported in the premaster secret, even when TLSv1.0 * (version 3.1) was announced in the client hello. Normally this is * forbidden to prevent version rollback attacks. */ #define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L #define SSL_OP_NO_SSLv2 0x01000000L #define SSL_OP_NO_SSLv3 0x02000000L #define SSL_OP_NO_TLSv1 0x04000000L /* The next flag deliberately changes the ciphertest, this is a check * for the PKCS#1 attack */ #define SSL_OP_PKCS1_CHECK_1 0x08000000L #define SSL_OP_PKCS1_CHECK_2 0x10000000L #define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success * when just a single record has been written): */ #define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L /* Make it possible to retry SSL_write() with changed buffer location * (buffer contents must stay the same!); this is not the default to avoid * the misconception that non-blocking SSL_write() behaves like * non-blocking write(): */ #define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L /* Never bother the application with retries if the transport * is blocking: */ #define SSL_MODE_AUTO_RETRY 0x00000004L /* Don't attempt to automatically build certificate chain */ #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, * they cannot be used to clear bits. */ #define SSL_CTX_set_options(ctx,op) \ SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) #define SSL_CTX_get_options(ctx) \ SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL) #define SSL_set_options(ssl,op) \ SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL) #define SSL_get_options(ssl) \ SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL) #define SSL_CTX_set_mode(ctx,op) \ SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL) #define SSL_CTX_get_mode(ctx) \ SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL) #define SSL_set_mode(ssl,op) \ SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL) #define SSL_get_mode(ssl) \ SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL) void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) #if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) #define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */ #else #define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */ #endif #define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20) /* This callback type is used inside SSL_CTX, SSL, and in the functions that set * them. It is used to override the generation of SSL/TLS session IDs in a * server. Return value should be zero on an error, non-zero to proceed. Also, * callbacks should themselves check if the id they generate is unique otherwise * the SSL handshake will fail with an error - callbacks can do this using the * 'ssl' value they're passed by; * SSL_has_matching_session_id(ssl, id, *id_len) * The length value passed in is set at the maximum size the session ID can be. * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback * can alter this length to be less if desired, but under SSLv2 session IDs are * supposed to be fixed at 16 bytes so the id will be padded after the callback * returns in this case. It is also an error for the callback to set the size to * zero. */ typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id, unsigned int *id_len); typedef struct ssl_comp_st { int id; char *name; #ifndef OPENSSL_NO_COMP COMP_METHOD *method; #else char *method; #endif } SSL_COMP; DECLARE_STACK_OF(SSL_COMP) struct ssl_ctx_st { SSL_METHOD *method; STACK_OF(SSL_CIPHER) *cipher_list; /* same as above but sorted for lookup */ STACK_OF(SSL_CIPHER) *cipher_list_by_id; struct x509_store_st /* X509_STORE */ *cert_store; struct lhash_st /* LHASH */ *sessions; /* a set of SSL_SESSIONs */ /* Most session-ids that will be cached, default is * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */ unsigned long session_cache_size; struct ssl_session_st *session_cache_head; struct ssl_session_st *session_cache_tail; /* This can have one of 2 values, ored together, * SSL_SESS_CACHE_CLIENT, * SSL_SESS_CACHE_SERVER, * Default is SSL_SESSION_CACHE_SERVER, which means only * SSL_accept which cache SSL_SESSIONS. */ int session_cache_mode; /* If timeout is not 0, it is the default timeout value set * when SSL_new() is called. This has been put in to make * life easier to set things up */ long session_timeout; /* If this callback is not null, it will be called each * time a session id is added to the cache. If this function * returns 1, it means that the callback will do a * SSL_SESSION_free() when it has finished using it. Otherwise, * on 0, it means the callback has finished with it. * If remove_session_cb is not null, it will be called when * a session-id is removed from the cache. After the call, * OpenSSL will SSL_SESSION_free() it. */ int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess); void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess); SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,int len,int *copy); struct { int sess_connect; /* SSL new conn - started */ int sess_connect_renegotiate;/* SSL reneg - requested */ int sess_connect_good; /* SSL new conne/reneg - finished */ int sess_accept; /* SSL new accept - started */ int sess_accept_renegotiate;/* SSL reneg - requested */ int sess_accept_good; /* SSL accept/reneg - finished */ int sess_miss; /* session lookup misses */ int sess_timeout; /* reuse attempt on timeouted session */ int sess_cache_full; /* session removed due to full cache */ int sess_hit; /* session reuse actually done */ int sess_cb_hit; /* session-id that was not * in the cache was * passed back via the callback. This * indicates that the application is * supplying session-id's from other * processes - spooky :-) */ } stats; int references; /* if defined, these override the X509_verify_cert() calls */ int (*app_verify_callback)(X509_STORE_CTX *, void *); void *app_verify_arg; /* before OpenSSL 0.9.7, 'app_verify_arg' was ignored * ('app_verify_callback' was called with just one argument) */ /* Default password callback. */ pem_password_cb *default_passwd_callback; /* Default password callback user data. */ void *default_passwd_callback_userdata; /* get client cert callback */ int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey); CRYPTO_EX_DATA ex_data; const EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */ const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */ STACK_OF(X509) *extra_certs; STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */ /* Default values used when no per-SSL value is defined follow */ void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */ /* what we put in client cert requests */ STACK_OF(X509_NAME) *client_CA; /* Default values to use in SSL structures follow (these are copied by SSL_new) */ unsigned long options; unsigned long mode; long max_cert_list; struct cert_st /* CERT */ *cert; int read_ahead; /* callback that allows applications to peek at protocol messages */ void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg); void *msg_callback_arg; int verify_mode; int verify_depth; unsigned int sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ /* Default generate session ID callback. */ GEN_SESSION_CB generate_session_id; int purpose; /* Purpose setting */ int trust; /* Trust setting */ int quiet_shutdown; }; #define SSL_SESS_CACHE_OFF 0x0000 #define SSL_SESS_CACHE_CLIENT 0x0001 #define SSL_SESS_CACHE_SERVER 0x0002 #define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER) #define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080 /* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */ #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100 #define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200 #define SSL_SESS_CACHE_NO_INTERNAL \ (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE) struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx); #define SSL_CTX_sess_number(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL) #define SSL_CTX_sess_connect(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL) #define SSL_CTX_sess_connect_good(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL) #define SSL_CTX_sess_connect_renegotiate(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL) #define SSL_CTX_sess_accept(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL) #define SSL_CTX_sess_accept_renegotiate(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL) #define SSL_CTX_sess_accept_good(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL) #define SSL_CTX_sess_hits(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL) #define SSL_CTX_sess_cb_hits(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL) #define SSL_CTX_sess_misses(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL) #define SSL_CTX_sess_timeouts(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL) #define SSL_CTX_sess_cache_full(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL) #define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb)) #define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb) #define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb)) #define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb) #define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb)) #define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb) #define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb)) #define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback) #define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb)) #define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb) #define SSL_NOTHING 1 #define SSL_WRITING 2 #define SSL_READING 3 #define SSL_X509_LOOKUP 4 /* These will only be used when doing non-blocking IO */ #define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING) #define SSL_want_read(s) (SSL_want(s) == SSL_READING) #define SSL_want_write(s) (SSL_want(s) == SSL_WRITING) #define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) struct ssl_st { /* protocol version * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION) */ int version; int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */ SSL_METHOD *method; /* SSLv3 */ /* There are 2 BIO's even though they are normally both the * same. This is so data can be read and written to different * handlers */ #ifndef OPENSSL_NO_BIO BIO *rbio; /* used by SSL_read */ BIO *wbio; /* used by SSL_write */ BIO *bbio; /* used during session-id reuse to concatenate * messages */ #else char *rbio; /* used by SSL_read */ char *wbio; /* used by SSL_write */ char *bbio; #endif /* This holds a variable that indicates what we were doing * when a 0 or -1 is returned. This is needed for * non-blocking IO so we know what request needs re-doing when * in SSL_accept or SSL_connect */ int rwstate; /* true when we are actually in SSL_accept() or SSL_connect() */ int in_handshake; int (*handshake_func)(); /* Imagine that here's a boolean member "init" that is * switched as soon as SSL_set_{accept/connect}_state * is called for the first time, so that "state" and * "handshake_func" are properly initialized. But as * handshake_func is == 0 until then, we use this * test instead of an "init" member. */ int server; /* are we the server side? - mostly used by SSL_clear*/ int new_session;/* 1 if we are to use a new session. * 2 if we are a server and are inside a handshake * (i.e. not just sending a HelloRequest) * NB: For servers, the 'new' session may actually be a previously * cached session or even the previous session unless * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ int quiet_shutdown;/* don't send shutdown packets */ int shutdown; /* we have shut things down, 0x01 sent, 0x02 * for received */ int state; /* where we are */ int rstate; /* where we are when reading */ BUF_MEM *init_buf; /* buffer used during init */ void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */ int init_num; /* amount read/written */ int init_off; /* amount read/written */ /* used internally to point at a raw packet */ unsigned char *packet; unsigned int packet_length; struct ssl2_state_st *s2; /* SSLv2 variables */ struct ssl3_state_st *s3; /* SSLv3 variables */ int read_ahead; /* Read as many input bytes as possible * (for non-blocking reads) */ /* callback that allows applications to peek at protocol messages */ void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg); void *msg_callback_arg; int hit; /* reusing a previous session */ int purpose; /* Purpose setting */ int trust; /* Trust setting */ /* crypto */ STACK_OF(SSL_CIPHER) *cipher_list; STACK_OF(SSL_CIPHER) *cipher_list_by_id; /* These are the ones being used, the ones in SSL_SESSION are * the ones to be 'copied' into these ones */ EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */ const EVP_MD *read_hash; /* used for mac generation */ #ifndef OPENSSL_NO_COMP COMP_CTX *expand; /* uncompress */ #else char *expand; #endif EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ const EVP_MD *write_hash; /* used for mac generation */ #ifndef OPENSSL_NO_COMP COMP_CTX *compress; /* compression */ #else char *compress; #endif /* session info */ /* client cert? */ /* This is used to hold the server certificate used */ struct cert_st /* CERT */ *cert; /* the session_id_context is used to ensure sessions are only reused * in the appropriate context */ unsigned int sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; /* This can also be in the session once a session is established */ SSL_SESSION *session; /* Default generate session ID callback. */ GEN_SESSION_CB generate_session_id; /* Used in SSL2 and SSL3 */ int verify_mode; /* 0 don't care about verify failure. * 1 fail if verify fails */ int verify_depth; int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */ void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */ int error; /* error bytes to be written */ int error_code; /* actual code */ #ifndef OPENSSL_NO_KRB5 KSSL_CTX *kssl_ctx; /* Kerberos 5 context */ #endif /* OPENSSL_NO_KRB5 */ SSL_CTX *ctx; /* set this flag to 1 and a sleep(1) is put into all SSL_read() * and SSL_write() calls, good for nbio debuging :-) */ int debug; /* extra application data */ long verify_result; CRYPTO_EX_DATA ex_data; /* for server side, keep the list of CA_dn we can use */ STACK_OF(X509_NAME) *client_CA; int references; unsigned long options; /* protocol behaviour */ unsigned long mode; /* API behaviour */ long max_cert_list; int first_packet; int client_version; /* what was passed, used for * SSLv3/TLS rollback check */ }; #ifdef __cplusplus } #endif #include #include #include /* This is mostly sslv3 with a few tweaks */ #include #ifdef __cplusplus extern "C" { #endif /* compatibility */ #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) #define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0,(char *)a)) #define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s,0)) #define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx,0)) #define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0,(char *)arg)) /* The following are the possible values for ssl->state are are * used to indicate where we are up to in the SSL connection establishment. * The macros that follow are about the only things you should need to use * and even then, only when using non-blocking IO. * It can also be useful to work out where you were when the connection * failed */ #define SSL_ST_CONNECT 0x1000 #define SSL_ST_ACCEPT 0x2000 #define SSL_ST_MASK 0x0FFF #define SSL_ST_INIT (SSL_ST_CONNECT|SSL_ST_ACCEPT) #define SSL_ST_BEFORE 0x4000 #define SSL_ST_OK 0x03 #define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT) #define SSL_CB_LOOP 0x01 #define SSL_CB_EXIT 0x02 #define SSL_CB_READ 0x04 #define SSL_CB_WRITE 0x08 #define SSL_CB_ALERT 0x4000 /* used in callback */ #define SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ) #define SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE) #define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP) #define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT) #define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP) #define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT) #define SSL_CB_HANDSHAKE_START 0x10 #define SSL_CB_HANDSHAKE_DONE 0x20 /* Is the SSL_connection established? */ #define SSL_get_state(a) SSL_state(a) #define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK) #define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT) #define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE) #define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT) #define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT) /* The following 2 states are kept in ssl->rstate when reads fail, * you should not need these */ #define SSL_ST_READ_HEADER 0xF0 #define SSL_ST_READ_BODY 0xF1 #define SSL_ST_READ_DONE 0xF2 /* Obtain latest Finished message * -- that we sent (SSL_get_finished) * -- that we expected from peer (SSL_get_peer_finished). * Returns length (0 == no Finished so far), copies up to 'count' bytes. */ size_t SSL_get_finished(SSL *s, void *buf, size_t count); size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count); /* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options * are 'ored' with SSL_VERIFY_PEER if they are desired */ #define SSL_VERIFY_NONE 0x00 #define SSL_VERIFY_PEER 0x01 #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02 #define SSL_VERIFY_CLIENT_ONCE 0x04 #define OpenSSL_add_ssl_algorithms() SSL_library_init() #define SSLeay_add_ssl_algorithms() SSL_library_init() /* this is for backward compatibility */ #if 0 /* NEW_SSLEAY */ #define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c) #define SSL_set_pref_cipher(c,n) SSL_set_cipher_list(c,n) #define SSL_add_session(a,b) SSL_CTX_add_session((a),(b)) #define SSL_remove_session(a,b) SSL_CTX_remove_session((a),(b)) #define SSL_flush_sessions(a,b) SSL_CTX_flush_sessions((a),(b)) #endif /* More backward compatibility */ #define SSL_get_cipher(s) \ SSL_CIPHER_get_name(SSL_get_current_cipher(s)) #define SSL_get_cipher_bits(s,np) \ SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np) #define SSL_get_cipher_version(s) \ SSL_CIPHER_get_version(SSL_get_current_cipher(s)) #define SSL_get_cipher_name(s) \ SSL_CIPHER_get_name(SSL_get_current_cipher(s)) #define SSL_get_time(a) SSL_SESSION_get_time(a) #define SSL_set_time(a,b) SSL_SESSION_set_time((a),(b)) #define SSL_get_timeout(a) SSL_SESSION_get_timeout(a) #define SSL_set_timeout(a,b) SSL_SESSION_set_timeout((a),(b)) #if 1 /*SSLEAY_MACROS*/ #define d2i_SSL_SESSION_bio(bp,s_id) (SSL_SESSION *)ASN1_d2i_bio( \ (char *(*)())SSL_SESSION_new,(char *(*)())d2i_SSL_SESSION, \ (bp),(unsigned char **)(s_id)) #define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio(i2d_SSL_SESSION, \ bp,(unsigned char *)s_id) #define PEM_read_SSL_SESSION(fp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read( \ (char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,fp,(char **)x,cb,u) #define PEM_read_bio_SSL_SESSION(bp,x,cb,u) (SSL_SESSION *)PEM_ASN1_read_bio( \ (char *(*)())d2i_SSL_SESSION,PEM_STRING_SSL_SESSION,bp,(char **)x,cb,u) #define PEM_write_SSL_SESSION(fp,x) \ PEM_ASN1_write((int (*)())i2d_SSL_SESSION, \ PEM_STRING_SSL_SESSION,fp, (char *)x, NULL,NULL,0,NULL,NULL) #define PEM_write_bio_SSL_SESSION(bp,x) \ PEM_ASN1_write_bio((int (*)())i2d_SSL_SESSION, \ PEM_STRING_SSL_SESSION,bp, (char *)x, NULL,NULL,0,NULL,NULL) #endif #define SSL_AD_REASON_OFFSET 1000 /* These alert types are for SSLv3 and TLSv1 */ #define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY #define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */ #define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC /* fatal */ #define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED #define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW #define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE/* fatal */ #define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE/* fatal */ #define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not for TLS */ #define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE #define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE #define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED #define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED #define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN #define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER /* fatal */ #define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA /* fatal */ #define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED /* fatal */ #define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR /* fatal */ #define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR #define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION/* fatal */ #define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION /* fatal */ #define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY/* fatal */ #define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */ #define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED #define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION #define SSL_ERROR_NONE 0 #define SSL_ERROR_SSL 1 #define SSL_ERROR_WANT_READ 2 #define SSL_ERROR_WANT_WRITE 3 #define SSL_ERROR_WANT_X509_LOOKUP 4 #define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */ #define SSL_ERROR_ZERO_RETURN 6 #define SSL_ERROR_WANT_CONNECT 7 #define SSL_ERROR_WANT_ACCEPT 8 #define SSL_CTRL_NEED_TMP_RSA 1 #define SSL_CTRL_SET_TMP_RSA 2 #define SSL_CTRL_SET_TMP_DH 3 #define SSL_CTRL_SET_TMP_RSA_CB 4 #define SSL_CTRL_SET_TMP_DH_CB 5 #define SSL_CTRL_GET_SESSION_REUSED 6 #define SSL_CTRL_GET_CLIENT_CERT_REQUEST 7 #define SSL_CTRL_GET_NUM_RENEGOTIATIONS 8 #define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 9 #define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 10 #define SSL_CTRL_GET_FLAGS 11 #define SSL_CTRL_EXTRA_CHAIN_CERT 12 #define SSL_CTRL_SET_MSG_CALLBACK 13 #define SSL_CTRL_SET_MSG_CALLBACK_ARG 14 /* Stats */ #define SSL_CTRL_SESS_NUMBER 20 #define SSL_CTRL_SESS_CONNECT 21 #define SSL_CTRL_SESS_CONNECT_GOOD 22 #define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23 #define SSL_CTRL_SESS_ACCEPT 24 #define SSL_CTRL_SESS_ACCEPT_GOOD 25 #define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26 #define SSL_CTRL_SESS_HIT 27 #define SSL_CTRL_SESS_CB_HIT 28 #define SSL_CTRL_SESS_MISSES 29 #define SSL_CTRL_SESS_TIMEOUTS 30 #define SSL_CTRL_SESS_CACHE_FULL 31 #define SSL_CTRL_OPTIONS 32 #define SSL_CTRL_MODE 33 #define SSL_CTRL_GET_READ_AHEAD 40 #define SSL_CTRL_SET_READ_AHEAD 41 #define SSL_CTRL_SET_SESS_CACHE_SIZE 42 #define SSL_CTRL_GET_SESS_CACHE_SIZE 43 #define SSL_CTRL_SET_SESS_CACHE_MODE 44 #define SSL_CTRL_GET_SESS_CACHE_MODE 45 #define SSL_CTRL_GET_MAX_CERT_LIST 50 #define SSL_CTRL_SET_MAX_CERT_LIST 51 #define SSL_session_reused(ssl) \ SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL) #define SSL_num_renegotiations(ssl) \ SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL) #define SSL_clear_num_renegotiations(ssl) \ SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL) #define SSL_total_renegotiations(ssl) \ SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL) #define SSL_CTX_need_tmp_RSA(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL) #define SSL_CTX_set_tmp_rsa(ctx,rsa) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa) #define SSL_CTX_set_tmp_dh(ctx,dh) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh) #define SSL_need_tmp_RSA(ssl) \ SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL) #define SSL_set_tmp_rsa(ssl,rsa) \ SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa) #define SSL_set_tmp_dh(ssl,dh) \ SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh) #define SSL_CTX_add_extra_chain_cert(ctx,x509) \ SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) #ifndef OPENSSL_NO_BIO BIO_METHOD *BIO_f_ssl(void); BIO *BIO_new_ssl(SSL_CTX *ctx,int client); BIO *BIO_new_ssl_connect(SSL_CTX *ctx); BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx); int BIO_ssl_copy_session_id(BIO *to,BIO *from); void BIO_ssl_shutdown(BIO *ssl_bio); #endif int SSL_CTX_set_cipher_list(SSL_CTX *,const char *str); SSL_CTX *SSL_CTX_new(SSL_METHOD *meth); void SSL_CTX_free(SSL_CTX *); long SSL_CTX_set_timeout(SSL_CTX *ctx,long t); long SSL_CTX_get_timeout(SSL_CTX *ctx); X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *); void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *); int SSL_want(SSL *s); int SSL_clear(SSL *s); void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm); SSL_CIPHER *SSL_get_current_cipher(SSL *s); int SSL_CIPHER_get_bits(SSL_CIPHER *c,int *alg_bits); char * SSL_CIPHER_get_version(SSL_CIPHER *c); const char * SSL_CIPHER_get_name(SSL_CIPHER *c); int SSL_get_fd(SSL *s); int SSL_get_rfd(SSL *s); int SSL_get_wfd(SSL *s); const char * SSL_get_cipher_list(SSL *s,int n); char * SSL_get_shared_ciphers(SSL *s, char *buf, int len); int SSL_get_read_ahead(SSL * s); int SSL_pending(SSL *s); #ifndef OPENSSL_NO_SOCK int SSL_set_fd(SSL *s, int fd); int SSL_set_rfd(SSL *s, int fd); int SSL_set_wfd(SSL *s, int fd); #endif #ifndef OPENSSL_NO_BIO void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio); BIO * SSL_get_rbio(SSL *s); BIO * SSL_get_wbio(SSL *s); #endif int SSL_set_cipher_list(SSL *s, const char *str); void SSL_set_read_ahead(SSL *s, int yes); int SSL_get_verify_mode(SSL *s); int SSL_get_verify_depth(SSL *s); int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *); void SSL_set_verify(SSL *s, int mode, int (*callback)(int ok,X509_STORE_CTX *ctx)); void SSL_set_verify_depth(SSL *s, int depth); #ifndef OPENSSL_NO_RSA int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); #endif int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len); int SSL_use_certificate(SSL *ssl, X509 *x); int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len); #ifndef OPENSSL_NO_STDIO int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type); int SSL_use_certificate_file(SSL *ssl, const char *file, int type); int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type); int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type); int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type); int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM type */ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, const char *file); #ifndef OPENSSL_SYS_VMS #ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, const char *dir); #endif #endif #endif void SSL_load_error_strings(void ); const char *SSL_state_string(const SSL *s); const char *SSL_rstate_string(const SSL *s); const char *SSL_state_string_long(const SSL *s); const char *SSL_rstate_string_long(const SSL *s); long SSL_SESSION_get_time(SSL_SESSION *s); long SSL_SESSION_set_time(SSL_SESSION *s, long t); long SSL_SESSION_get_timeout(SSL_SESSION *s); long SSL_SESSION_set_timeout(SSL_SESSION *s, long t); void SSL_copy_session_id(SSL *to,SSL *from); SSL_SESSION *SSL_SESSION_new(void); unsigned long SSL_SESSION_hash(SSL_SESSION *a); int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b); #ifndef OPENSSL_NO_FP_API int SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses); #endif #ifndef OPENSSL_NO_BIO int SSL_SESSION_print(BIO *fp,SSL_SESSION *ses); #endif void SSL_SESSION_free(SSL_SESSION *ses); int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp); int SSL_set_session(SSL *to, SSL_SESSION *session); int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c); int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c); int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB); int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB); int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, unsigned int id_len); SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length); #ifdef HEADER_X509_H X509 * SSL_get_peer_certificate(SSL *s); #endif STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s); int SSL_CTX_get_verify_mode(SSL_CTX *ctx); int SSL_CTX_get_verify_depth(SSL_CTX *ctx); int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *); void SSL_CTX_set_verify(SSL_CTX *ctx,int mode, int (*callback)(int, X509_STORE_CTX *)); void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth); void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg); #ifndef OPENSSL_NO_RSA int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); #endif int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len); int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx, unsigned char *d, long len); int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x); int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d); void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); int SSL_CTX_check_private_key(SSL_CTX *ctx); int SSL_check_private_key(SSL *ctx); int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx, unsigned int sid_ctx_len); SSL * SSL_new(SSL_CTX *ctx); int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx, unsigned int sid_ctx_len); int SSL_CTX_set_purpose(SSL_CTX *s, int purpose); int SSL_set_purpose(SSL *s, int purpose); int SSL_CTX_set_trust(SSL_CTX *s, int trust); int SSL_set_trust(SSL *s, int trust); void SSL_free(SSL *ssl); int SSL_accept(SSL *ssl); int SSL_connect(SSL *ssl); int SSL_read(SSL *ssl,void *buf,int num); int SSL_peek(SSL *ssl,void *buf,int num); int SSL_write(SSL *ssl,const void *buf,int num); long SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg); long SSL_callback_ctrl(SSL *, int, void (*)()); long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg); long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)()); int SSL_get_error(SSL *s,int ret_code); const char *SSL_get_version(SSL *s); /* This sets the 'default' SSL version that SSL_new() will create */ int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth); SSL_METHOD *SSLv2_method(void); /* SSLv2 */ SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */ SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */ SSL_METHOD *SSLv3_method(void); /* SSLv3 */ SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */ SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */ SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */ SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */ SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */ SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */ SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */ SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s); int SSL_do_handshake(SSL *s); int SSL_renegotiate(SSL *s); int SSL_renegotiate_pending(SSL *s); int SSL_shutdown(SSL *s); SSL_METHOD *SSL_get_ssl_method(SSL *s); int SSL_set_ssl_method(SSL *s,SSL_METHOD *method); const char *SSL_alert_type_string_long(int value); const char *SSL_alert_type_string(int value); const char *SSL_alert_desc_string_long(int value); const char *SSL_alert_desc_string(int value); -void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); -void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); +void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list); +void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list); STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s); STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s); int SSL_add_client_CA(SSL *ssl,X509 *x); int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x); void SSL_set_connect_state(SSL *s); void SSL_set_accept_state(SSL *s); long SSL_get_default_timeout(SSL *s); int SSL_library_init(void ); char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size); STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk); SSL *SSL_dup(SSL *ssl); X509 *SSL_get_certificate(SSL *ssl); /* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl); void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode); int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx); void SSL_set_quiet_shutdown(SSL *ssl,int mode); int SSL_get_quiet_shutdown(SSL *ssl); void SSL_set_shutdown(SSL *ssl,int mode); int SSL_get_shutdown(SSL *ssl); int SSL_version(SSL *ssl); int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx); int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath); #define SSL_get0_session SSL_get_session /* just peek at pointer */ SSL_SESSION *SSL_get_session(SSL *ssl); SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */ SSL_CTX *SSL_get_SSL_CTX(SSL *ssl); void SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl,int type,int val)); void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val); int SSL_state(SSL *ssl); void SSL_set_verify_result(SSL *ssl,long v); long SSL_get_verify_result(SSL *ssl); int SSL_set_ex_data(SSL *ssl,int idx,void *data); void *SSL_get_ex_data(SSL *ssl,int idx); int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data); void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx); int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data); void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx); int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int SSL_get_ex_data_X509_STORE_CTX_idx(void ); #define SSL_CTX_sess_set_cache_size(ctx,t) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL) #define SSL_CTX_sess_get_cache_size(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL) #define SSL_CTX_set_session_cache_mode(ctx,m) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL) #define SSL_CTX_get_session_cache_mode(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL) #define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx) #define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m) #define SSL_CTX_get_read_ahead(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL) #define SSL_CTX_set_read_ahead(ctx,m) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL) #define SSL_CTX_get_max_cert_list(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL) #define SSL_CTX_set_max_cert_list(ctx,m) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL) #define SSL_get_max_cert_list(ssl) \ SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL) #define SSL_set_max_cert_list(ssl,m) \ SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL) /* NB: the keylength is only applicable when is_export is true */ #ifndef OPENSSL_NO_RSA void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *ssl,int is_export, int keylength)); void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl,int is_export, int keylength)); #endif #ifndef OPENSSL_NO_DH void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh)(SSL *ssl,int is_export, int keylength)); void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl,int is_export, int keylength)); #endif #ifndef OPENSSL_NO_COMP int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm); #else int SSL_COMP_add_compression_method(int id,char *cm); #endif /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ void ERR_load_SSL_strings(void); /* Error codes for the SSL functions. */ /* Function codes. */ #define SSL_F_CLIENT_CERTIFICATE 100 #define SSL_F_CLIENT_FINISHED 238 #define SSL_F_CLIENT_HELLO 101 #define SSL_F_CLIENT_MASTER_KEY 102 #define SSL_F_D2I_SSL_SESSION 103 #define SSL_F_DO_SSL3_WRITE 104 #define SSL_F_GET_CLIENT_FINISHED 105 #define SSL_F_GET_CLIENT_HELLO 106 #define SSL_F_GET_CLIENT_MASTER_KEY 107 #define SSL_F_GET_SERVER_FINISHED 108 #define SSL_F_GET_SERVER_HELLO 109 #define SSL_F_GET_SERVER_VERIFY 110 #define SSL_F_I2D_SSL_SESSION 111 #define SSL_F_READ_N 112 #define SSL_F_REQUEST_CERTIFICATE 113 #define SSL_F_SERVER_FINISH 239 #define SSL_F_SERVER_HELLO 114 #define SSL_F_SERVER_VERIFY 240 #define SSL_F_SSL23_ACCEPT 115 #define SSL_F_SSL23_CLIENT_HELLO 116 #define SSL_F_SSL23_CONNECT 117 #define SSL_F_SSL23_GET_CLIENT_HELLO 118 #define SSL_F_SSL23_GET_SERVER_HELLO 119 #define SSL_F_SSL23_PEEK 237 #define SSL_F_SSL23_READ 120 #define SSL_F_SSL23_WRITE 121 #define SSL_F_SSL2_ACCEPT 122 #define SSL_F_SSL2_CONNECT 123 #define SSL_F_SSL2_ENC_INIT 124 #define SSL_F_SSL2_GENERATE_KEY_MATERIAL 241 #define SSL_F_SSL2_PEEK 234 #define SSL_F_SSL2_READ 125 #define SSL_F_SSL2_READ_INTERNAL 236 #define SSL_F_SSL2_SET_CERTIFICATE 126 #define SSL_F_SSL2_WRITE 127 #define SSL_F_SSL3_ACCEPT 128 #define SSL_F_SSL3_CALLBACK_CTRL 233 #define SSL_F_SSL3_CHANGE_CIPHER_STATE 129 #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130 #define SSL_F_SSL3_CLIENT_HELLO 131 #define SSL_F_SSL3_CONNECT 132 #define SSL_F_SSL3_CTRL 213 #define SSL_F_SSL3_CTX_CTRL 133 #define SSL_F_SSL3_ENC 134 #define SSL_F_SSL3_GENERATE_KEY_BLOCK 238 #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135 #define SSL_F_SSL3_GET_CERT_VERIFY 136 #define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137 #define SSL_F_SSL3_GET_CLIENT_HELLO 138 #define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139 #define SSL_F_SSL3_GET_FINISHED 140 #define SSL_F_SSL3_GET_KEY_EXCHANGE 141 #define SSL_F_SSL3_GET_MESSAGE 142 #define SSL_F_SSL3_GET_RECORD 143 #define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144 #define SSL_F_SSL3_GET_SERVER_DONE 145 #define SSL_F_SSL3_GET_SERVER_HELLO 146 #define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147 #define SSL_F_SSL3_PEEK 235 #define SSL_F_SSL3_READ_BYTES 148 #define SSL_F_SSL3_READ_N 149 #define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150 #define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151 #define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152 #define SSL_F_SSL3_SEND_CLIENT_VERIFY 153 #define SSL_F_SSL3_SEND_SERVER_CERTIFICATE 154 #define SSL_F_SSL3_SEND_SERVER_HELLO 242 #define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE 155 #define SSL_F_SSL3_SETUP_BUFFERS 156 #define SSL_F_SSL3_SETUP_KEY_BLOCK 157 #define SSL_F_SSL3_WRITE_BYTES 158 #define SSL_F_SSL3_WRITE_PENDING 159 #define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215 #define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216 #define SSL_F_SSL_BAD_METHOD 160 #define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161 #define SSL_F_SSL_CERT_DUP 221 #define SSL_F_SSL_CERT_INST 222 #define SSL_F_SSL_CERT_INSTANTIATE 214 #define SSL_F_SSL_CERT_NEW 162 #define SSL_F_SSL_CHECK_PRIVATE_KEY 163 #define SSL_F_SSL_CIPHER_PROCESS_RULESTR 230 #define SSL_F_SSL_CIPHER_STRENGTH_SORT 231 #define SSL_F_SSL_CLEAR 164 #define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165 #define SSL_F_SSL_CREATE_CIPHER_LIST 166 #define SSL_F_SSL_CTRL 232 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168 #define SSL_F_SSL_CTX_NEW 169 #define SSL_F_SSL_CTX_SET_PURPOSE 226 #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219 #define SSL_F_SSL_CTX_SET_SSL_VERSION 170 #define SSL_F_SSL_CTX_SET_TRUST 229 #define SSL_F_SSL_CTX_USE_CERTIFICATE 171 #define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172 #define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220 #define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173 #define SSL_F_SSL_CTX_USE_PRIVATEKEY 174 #define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175 #define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176 #define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177 #define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178 #define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179 #define SSL_F_SSL_DO_HANDSHAKE 180 #define SSL_F_SSL_GET_NEW_SESSION 181 #define SSL_F_SSL_GET_PREV_SESSION 217 #define SSL_F_SSL_GET_SERVER_SEND_CERT 182 #define SSL_F_SSL_GET_SIGN_PKEY 183 #define SSL_F_SSL_INIT_WBIO_BUFFER 184 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 #define SSL_F_SSL_NEW 186 #define SSL_F_SSL_READ 223 #define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187 #define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188 #define SSL_F_SSL_SESSION_NEW 189 #define SSL_F_SSL_SESSION_PRINT_FP 190 #define SSL_F_SSL_SESS_CERT_NEW 225 #define SSL_F_SSL_SET_CERT 191 #define SSL_F_SSL_SET_FD 192 #define SSL_F_SSL_SET_PKEY 193 #define SSL_F_SSL_SET_PURPOSE 227 #define SSL_F_SSL_SET_RFD 194 #define SSL_F_SSL_SET_SESSION 195 #define SSL_F_SSL_SET_SESSION_ID_CONTEXT 218 #define SSL_F_SSL_SET_TRUST 228 #define SSL_F_SSL_SET_WFD 196 #define SSL_F_SSL_SHUTDOWN 224 #define SSL_F_SSL_UNDEFINED_FUNCTION 197 #define SSL_F_SSL_USE_CERTIFICATE 198 #define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 #define SSL_F_SSL_USE_CERTIFICATE_FILE 200 #define SSL_F_SSL_USE_PRIVATEKEY 201 #define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202 #define SSL_F_SSL_USE_PRIVATEKEY_FILE 203 #define SSL_F_SSL_USE_RSAPRIVATEKEY 204 #define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205 #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206 #define SSL_F_SSL_VERIFY_CERT_CHAIN 207 #define SSL_F_SSL_WRITE 208 #define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 #define SSL_F_TLS1_ENC 210 #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 #define SSL_F_WRITE_PENDING 212 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272 #define SSL_R_BAD_ALERT_RECORD 101 #define SSL_R_BAD_AUTHENTICATION_TYPE 102 #define SSL_R_BAD_CHANGE_CIPHER_SPEC 103 #define SSL_R_BAD_CHECKSUM 104 #define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106 #define SSL_R_BAD_DECOMPRESSION 107 #define SSL_R_BAD_DH_G_LENGTH 108 #define SSL_R_BAD_DH_PUB_KEY_LENGTH 109 #define SSL_R_BAD_DH_P_LENGTH 110 #define SSL_R_BAD_DIGEST_LENGTH 111 #define SSL_R_BAD_DSA_SIGNATURE 112 #define SSL_R_BAD_HELLO_REQUEST 105 #define SSL_R_BAD_LENGTH 271 #define SSL_R_BAD_MAC_DECODE 113 #define SSL_R_BAD_MESSAGE_TYPE 114 #define SSL_R_BAD_PACKET_LENGTH 115 #define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116 #define SSL_R_BAD_RESPONSE_ARGUMENT 117 #define SSL_R_BAD_RSA_DECRYPT 118 #define SSL_R_BAD_RSA_ENCRYPT 119 #define SSL_R_BAD_RSA_E_LENGTH 120 #define SSL_R_BAD_RSA_MODULUS_LENGTH 121 #define SSL_R_BAD_RSA_SIGNATURE 122 #define SSL_R_BAD_SIGNATURE 123 #define SSL_R_BAD_SSL_FILETYPE 124 #define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125 #define SSL_R_BAD_STATE 126 #define SSL_R_BAD_WRITE_RETRY 127 #define SSL_R_BIO_NOT_SET 128 #define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129 #define SSL_R_BN_LIB 130 #define SSL_R_CA_DN_LENGTH_MISMATCH 131 #define SSL_R_CA_DN_TOO_LONG 132 #define SSL_R_CCS_RECEIVED_EARLY 133 #define SSL_R_CERTIFICATE_VERIFY_FAILED 134 #define SSL_R_CERT_LENGTH_MISMATCH 135 #define SSL_R_CHALLENGE_IS_DIFFERENT 136 #define SSL_R_CIPHER_CODE_WRONG_LENGTH 137 #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138 #define SSL_R_CIPHER_TABLE_SRC_ERROR 139 #define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140 #define SSL_R_COMPRESSION_FAILURE 141 #define SSL_R_COMPRESSION_LIBRARY_ERROR 142 #define SSL_R_CONNECTION_ID_IS_DIFFERENT 143 #define SSL_R_CONNECTION_TYPE_NOT_SET 144 #define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145 #define SSL_R_DATA_LENGTH_TOO_LONG 146 #define SSL_R_DECRYPTION_FAILED 147 #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 1109 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148 #define SSL_R_DIGEST_CHECK_FAILED 149 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150 #define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 1092 #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151 #define SSL_R_EXCESSIVE_MESSAGE_SIZE 152 #define SSL_R_EXTRA_DATA_IN_MESSAGE 153 #define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154 #define SSL_R_HTTPS_PROXY_REQUEST 155 #define SSL_R_HTTP_REQUEST 156 #define SSL_R_ILLEGAL_PADDING 1110 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 #define SSL_R_INVALID_COMMAND 280 #define SSL_R_INVALID_PURPOSE 278 #define SSL_R_INVALID_TRUST 279 #define SSL_R_KEY_ARG_TOO_LONG 1112 #define SSL_R_KRB5 1104 #define SSL_R_KRB5_C_CC_PRINC 1094 #define SSL_R_KRB5_C_GET_CRED 1095 #define SSL_R_KRB5_C_INIT 1096 #define SSL_R_KRB5_C_MK_REQ 1097 #define SSL_R_KRB5_S_BAD_TICKET 1098 #define SSL_R_KRB5_S_INIT 1099 #define SSL_R_KRB5_S_RD_REQ 1108 #define SSL_R_KRB5_S_TKT_EXPIRED 1105 #define SSL_R_KRB5_S_TKT_NYV 1106 #define SSL_R_KRB5_S_TKT_SKEW 1107 #define SSL_R_LENGTH_MISMATCH 159 #define SSL_R_LENGTH_TOO_SHORT 160 #define SSL_R_LIBRARY_BUG 274 #define SSL_R_LIBRARY_HAS_NO_CIPHERS 161 #define SSL_R_MASTER_KEY_TOO_LONG 1112 #define SSL_R_MESSAGE_TOO_LONG 1111 #define SSL_R_MISSING_DH_DSA_CERT 162 #define SSL_R_MISSING_DH_KEY 163 #define SSL_R_MISSING_DH_RSA_CERT 164 #define SSL_R_MISSING_DSA_SIGNING_CERT 165 #define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166 #define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167 #define SSL_R_MISSING_RSA_CERTIFICATE 168 #define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169 #define SSL_R_MISSING_RSA_SIGNING_CERT 170 #define SSL_R_MISSING_TMP_DH_KEY 171 #define SSL_R_MISSING_TMP_RSA_KEY 172 #define SSL_R_MISSING_TMP_RSA_PKEY 173 #define SSL_R_MISSING_VERIFY_MESSAGE 174 #define SSL_R_NON_SSLV2_INITIAL_PACKET 175 #define SSL_R_NO_CERTIFICATES_RETURNED 176 #define SSL_R_NO_CERTIFICATE_ASSIGNED 177 #define SSL_R_NO_CERTIFICATE_RETURNED 178 #define SSL_R_NO_CERTIFICATE_SET 179 #define SSL_R_NO_CERTIFICATE_SPECIFIED 180 #define SSL_R_NO_CIPHERS_AVAILABLE 181 #define SSL_R_NO_CIPHERS_PASSED 182 #define SSL_R_NO_CIPHERS_SPECIFIED 183 #define SSL_R_NO_CIPHER_LIST 184 #define SSL_R_NO_CIPHER_MATCH 185 #define SSL_R_NO_CLIENT_CERT_RECEIVED 186 #define SSL_R_NO_COMPRESSION_SPECIFIED 187 #define SSL_R_NO_METHOD_SPECIFIED 188 #define SSL_R_NO_PRIVATEKEY 189 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 #define SSL_R_NO_PROTOCOLS_AVAILABLE 191 #define SSL_R_NO_PUBLICKEY 192 #define SSL_R_NO_SHARED_CIPHER 193 #define SSL_R_NO_VERIFY_CALLBACK 194 #define SSL_R_NULL_SSL_CTX 195 #define SSL_R_NULL_SSL_METHOD_PASSED 196 #define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 #define SSL_R_PACKET_LENGTH_TOO_LONG 198 #define SSL_R_PATH_TOO_LONG 270 #define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199 #define SSL_R_PEER_ERROR 200 #define SSL_R_PEER_ERROR_CERTIFICATE 201 #define SSL_R_PEER_ERROR_NO_CERTIFICATE 202 #define SSL_R_PEER_ERROR_NO_CIPHER 203 #define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204 #define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205 #define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206 #define SSL_R_PROTOCOL_IS_SHUTDOWN 207 #define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208 #define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209 #define SSL_R_PUBLIC_KEY_NOT_RSA 210 #define SSL_R_READ_BIO_NOT_SET 211 #define SSL_R_READ_WRONG_PACKET_TYPE 212 #define SSL_R_RECORD_LENGTH_MISMATCH 213 #define SSL_R_RECORD_TOO_LARGE 214 #define SSL_R_RECORD_TOO_SMALL 1093 #define SSL_R_REQUIRED_CIPHER_MISSING 215 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216 #define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217 #define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 #define SSL_R_SHORT_READ 219 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 #define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 1114 #define SSL_R_SSL3_SESSION_ID_TOO_LONG 1113 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045 #define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044 #define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046 #define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030 #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041 #define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 223 #define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 224 #define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 225 #define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 #define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 227 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 #define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228 #define SSL_R_SSL_HANDSHAKE_FAILURE 229 #define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230 #define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 1102 #define SSL_R_SSL_SESSION_ID_CONFLICT 1103 #define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273 #define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 1101 #define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 #define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 #define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070 #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 #define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090 #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 #define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 #define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 #define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236 #define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237 #define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238 #define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239 #define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240 #define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241 #define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242 #define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 #define SSL_R_UNEXPECTED_MESSAGE 244 #define SSL_R_UNEXPECTED_RECORD 245 #define SSL_R_UNINITIALIZED 276 #define SSL_R_UNKNOWN_ALERT_TYPE 246 #define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247 #define SSL_R_UNKNOWN_CIPHER_RETURNED 248 #define SSL_R_UNKNOWN_CIPHER_TYPE 249 #define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250 #define SSL_R_UNKNOWN_PKEY_TYPE 251 #define SSL_R_UNKNOWN_PROTOCOL 252 #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253 #define SSL_R_UNKNOWN_SSL_VERSION 254 #define SSL_R_UNKNOWN_STATE 255 #define SSL_R_UNSUPPORTED_CIPHER 256 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 #define SSL_R_UNSUPPORTED_OPTION 1091 #define SSL_R_UNSUPPORTED_PROTOCOL 258 #define SSL_R_UNSUPPORTED_SSL_VERSION 259 #define SSL_R_WRITE_BIO_NOT_SET 260 #define SSL_R_WRONG_CIPHER_RETURNED 261 #define SSL_R_WRONG_MESSAGE_TYPE 262 #define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263 #define SSL_R_WRONG_SIGNATURE_LENGTH 264 #define SSL_R_WRONG_SIGNATURE_SIZE 265 #define SSL_R_WRONG_SSL_VERSION 266 #define SSL_R_WRONG_VERSION_NUMBER 267 #define SSL_R_X509_LIB 268 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 #ifdef __cplusplus } #endif #endif diff --git a/crypto/openssl/ssl/ssl_asn1.c b/crypto/openssl/ssl/ssl_asn1.c index 16bc11b559b1..d8ff8fc4a3dc 100644 --- a/crypto/openssl/ssl/ssl_asn1.c +++ b/crypto/openssl/ssl/ssl_asn1.c @@ -1,399 +1,398 @@ /* ssl/ssl_asn1.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include "ssl_locl.h" #include #include #include -#include "cryptlib.h" typedef struct ssl_session_asn1_st { ASN1_INTEGER version; ASN1_INTEGER ssl_version; ASN1_OCTET_STRING cipher; ASN1_OCTET_STRING master_key; ASN1_OCTET_STRING session_id; ASN1_OCTET_STRING session_id_context; ASN1_OCTET_STRING key_arg; #ifndef OPENSSL_NO_KRB5 ASN1_OCTET_STRING krb5_princ; #endif /* OPENSSL_NO_KRB5 */ ASN1_INTEGER time; ASN1_INTEGER timeout; ASN1_INTEGER verify_result; } SSL_SESSION_ASN1; int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) { #define LSIZE2 (sizeof(long)*2) int v1=0,v2=0,v3=0,v4=0,v5=0; unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2]; unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2]; long l; SSL_SESSION_ASN1 a; M_ASN1_I2D_vars(in); if ((in == NULL) || ((in->cipher == NULL) && (in->cipher_id == 0))) return(0); /* Note that I cheat in the following 2 assignments. I know * that if the ASN1_INTEGER passed to ASN1_INTEGER_set * is > sizeof(long)+1, the buffer will not be re-OPENSSL_malloc()ed. * This is a bit evil but makes things simple, no dynamic allocation * to clean up :-) */ a.version.length=LSIZE2; a.version.type=V_ASN1_INTEGER; a.version.data=ibuf1; ASN1_INTEGER_set(&(a.version),SSL_SESSION_ASN1_VERSION); a.ssl_version.length=LSIZE2; a.ssl_version.type=V_ASN1_INTEGER; a.ssl_version.data=ibuf2; ASN1_INTEGER_set(&(a.ssl_version),in->ssl_version); a.cipher.type=V_ASN1_OCTET_STRING; a.cipher.data=buf; if (in->cipher == NULL) l=in->cipher_id; else l=in->cipher->id; if (in->ssl_version == SSL2_VERSION) { a.cipher.length=3; buf[0]=((unsigned char)(l>>16L))&0xff; buf[1]=((unsigned char)(l>> 8L))&0xff; buf[2]=((unsigned char)(l ))&0xff; } else { a.cipher.length=2; buf[0]=((unsigned char)(l>>8L))&0xff; buf[1]=((unsigned char)(l ))&0xff; } a.master_key.length=in->master_key_length; a.master_key.type=V_ASN1_OCTET_STRING; a.master_key.data=in->master_key; a.session_id.length=in->session_id_length; a.session_id.type=V_ASN1_OCTET_STRING; a.session_id.data=in->session_id; a.session_id_context.length=in->sid_ctx_length; a.session_id_context.type=V_ASN1_OCTET_STRING; a.session_id_context.data=in->sid_ctx; a.key_arg.length=in->key_arg_length; a.key_arg.type=V_ASN1_OCTET_STRING; a.key_arg.data=in->key_arg; #ifndef OPENSSL_NO_KRB5 if (in->krb5_client_princ_len) { a.krb5_princ.length=in->krb5_client_princ_len; a.krb5_princ.type=V_ASN1_OCTET_STRING; a.krb5_princ.data=in->krb5_client_princ; } #endif /* OPENSSL_NO_KRB5 */ if (in->time != 0L) { a.time.length=LSIZE2; a.time.type=V_ASN1_INTEGER; a.time.data=ibuf3; ASN1_INTEGER_set(&(a.time),in->time); } if (in->timeout != 0L) { a.timeout.length=LSIZE2; a.timeout.type=V_ASN1_INTEGER; a.timeout.data=ibuf4; ASN1_INTEGER_set(&(a.timeout),in->timeout); } if (in->verify_result != X509_V_OK) { a.verify_result.length=LSIZE2; a.verify_result.type=V_ASN1_INTEGER; a.verify_result.data=ibuf5; ASN1_INTEGER_set(&a.verify_result,in->verify_result); } M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER); M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER); M_ASN1_I2D_len(&(a.cipher), i2d_ASN1_OCTET_STRING); M_ASN1_I2D_len(&(a.session_id), i2d_ASN1_OCTET_STRING); M_ASN1_I2D_len(&(a.master_key), i2d_ASN1_OCTET_STRING); #ifndef OPENSSL_NO_KRB5 if (in->krb5_client_princ_len) M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); #endif /* OPENSSL_NO_KRB5 */ if (in->key_arg_length > 0) M_ASN1_I2D_len_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING); if (in->time != 0L) M_ASN1_I2D_len_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1); if (in->timeout != 0L) M_ASN1_I2D_len_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2); if (in->peer != NULL) M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3); M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4); if (in->verify_result != X509_V_OK) M_ASN1_I2D_len_EXP_opt(&(a.verify_result),i2d_ASN1_INTEGER,5,v5); M_ASN1_I2D_seq_total(); M_ASN1_I2D_put(&(a.version), i2d_ASN1_INTEGER); M_ASN1_I2D_put(&(a.ssl_version), i2d_ASN1_INTEGER); M_ASN1_I2D_put(&(a.cipher), i2d_ASN1_OCTET_STRING); M_ASN1_I2D_put(&(a.session_id), i2d_ASN1_OCTET_STRING); M_ASN1_I2D_put(&(a.master_key), i2d_ASN1_OCTET_STRING); #ifndef OPENSSL_NO_KRB5 if (in->krb5_client_princ_len) M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); #endif /* OPENSSL_NO_KRB5 */ if (in->key_arg_length > 0) M_ASN1_I2D_put_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING,0); if (in->time != 0L) M_ASN1_I2D_put_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1); if (in->timeout != 0L) M_ASN1_I2D_put_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2); if (in->peer != NULL) M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3); M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4, v4); if (in->verify_result != X509_V_OK) M_ASN1_I2D_put_EXP_opt(&a.verify_result,i2d_ASN1_INTEGER,5,v5); M_ASN1_I2D_finish(); } SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, long length) { int version,ssl_version=0,i; long id; ASN1_INTEGER ai,*aip; ASN1_OCTET_STRING os,*osp; M_ASN1_D2I_vars(a,SSL_SESSION *,SSL_SESSION_new); aip= &ai; osp= &os; M_ASN1_D2I_Init(); M_ASN1_D2I_start_sequence(); ai.data=NULL; ai.length=0; M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER); version=(int)ASN1_INTEGER_get(aip); if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; } /* we don't care about the version right now :-) */ M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER); ssl_version=(int)ASN1_INTEGER_get(aip); ret->ssl_version=ssl_version; if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; } os.data=NULL; os.length=0; M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING); if (ssl_version == SSL2_VERSION) { if (os.length != 3) { c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH; goto err; } id=0x02000000L| ((unsigned long)os.data[0]<<16L)| ((unsigned long)os.data[1]<< 8L)| (unsigned long)os.data[2]; } else if ((ssl_version>>8) == 3) { if (os.length != 2) { c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH; goto err; } id=0x03000000L| ((unsigned long)os.data[0]<<8L)| (unsigned long)os.data[1]; } else { SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_UNKNOWN_SSL_VERSION); return(NULL); } ret->cipher=NULL; ret->cipher_id=id; M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING); if ((ssl_version>>8) == SSL3_VERSION) i=SSL3_MAX_SSL_SESSION_ID_LENGTH; else /* if (ssl_version == SSL2_VERSION) */ i=SSL2_MAX_SSL_SESSION_ID_LENGTH; if (os.length > i) os.length = i; if (os.length > sizeof ret->session_id) /* can't happen */ os.length = sizeof ret->session_id; ret->session_id_length=os.length; OPENSSL_assert(os.length <= sizeof ret->session_id); memcpy(ret->session_id,os.data,os.length); M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING); if (ret->master_key_length > SSL_MAX_MASTER_KEY_LENGTH) ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH; else ret->master_key_length=os.length; memcpy(ret->master_key,os.data,ret->master_key_length); os.length=0; #ifndef OPENSSL_NO_KRB5 os.length=0; M_ASN1_D2I_get_opt(osp,d2i_ASN1_OCTET_STRING,V_ASN1_OCTET_STRING); if (os.data) { if (os.length > SSL_MAX_KRB5_PRINCIPAL_LENGTH) ret->krb5_client_princ_len=0; else ret->krb5_client_princ_len=os.length; memcpy(ret->krb5_client_princ,os.data,ret->krb5_client_princ_len); OPENSSL_free(os.data); os.data = NULL; os.length = 0; } else ret->krb5_client_princ_len=0; #endif /* OPENSSL_NO_KRB5 */ M_ASN1_D2I_get_IMP_opt(osp,d2i_ASN1_OCTET_STRING,0,V_ASN1_OCTET_STRING); if (os.length > SSL_MAX_KEY_ARG_LENGTH) ret->key_arg_length=SSL_MAX_KEY_ARG_LENGTH; else ret->key_arg_length=os.length; memcpy(ret->key_arg,os.data,ret->key_arg_length); if (os.data != NULL) OPENSSL_free(os.data); ai.length=0; M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,1); if (ai.data != NULL) { ret->time=ASN1_INTEGER_get(aip); OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; } else ret->time=time(NULL); ai.length=0; M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,2); if (ai.data != NULL) { ret->timeout=ASN1_INTEGER_get(aip); OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; } else ret->timeout=3; if (ret->peer != NULL) { X509_free(ret->peer); ret->peer=NULL; } M_ASN1_D2I_get_EXP_opt(ret->peer,d2i_X509,3); os.length=0; os.data=NULL; M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,4); if(os.data != NULL) { if (os.length > SSL_MAX_SID_CTX_LENGTH) { ret->sid_ctx_length=os.length; SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH); } else { ret->sid_ctx_length=os.length; memcpy(ret->sid_ctx,os.data,os.length); } OPENSSL_free(os.data); os.data=NULL; os.length=0; } else ret->sid_ctx_length=0; ai.length=0; M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,5); if (ai.data != NULL) { ret->verify_result=ASN1_INTEGER_get(aip); OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; } else ret->verify_result=X509_V_OK; M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION); } diff --git a/crypto/openssl/ssl/ssl_cert.c b/crypto/openssl/ssl/ssl_cert.c index da90078a378b..2cfb6158787a 100644 --- a/crypto/openssl/ssl/ssl_cert.c +++ b/crypto/openssl/ssl/ssl_cert.c @@ -1,860 +1,860 @@ /*! \file ssl/ssl_cert.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== */ #include #include "e_os.h" #ifndef NO_SYS_TYPES_H # include #endif #if !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) && !defined(NeXT) && !defined(MAC_OS_pre_X) #include #endif #if defined(WIN32) #include #endif #ifdef NeXT #include #define dirent direct #endif #include #include #include #include #include "ssl_locl.h" int SSL_get_ex_data_X509_STORE_CTX_idx(void) { static volatile int ssl_x509_store_ctx_idx= -1; if (ssl_x509_store_ctx_idx < 0) { /* any write lock will do; usually this branch * will only be taken once anyway */ CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); if (ssl_x509_store_ctx_idx < 0) { ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index( 0,"SSL for verify callback",NULL,NULL,NULL); } CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); } return ssl_x509_store_ctx_idx; } CERT *ssl_cert_new(void) { CERT *ret; ret=(CERT *)OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { SSLerr(SSL_F_SSL_CERT_NEW,ERR_R_MALLOC_FAILURE); return(NULL); } memset(ret,0,sizeof(CERT)); ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]); ret->references=1; return(ret); } CERT *ssl_cert_dup(CERT *cert) { CERT *ret; int i; ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); return(NULL); } memset(ret, 0, sizeof(CERT)); ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]]; /* or ret->key = ret->pkeys + (cert->key - cert->pkeys), * if you find that more readable */ ret->valid = cert->valid; ret->mask = cert->mask; ret->export_mask = cert->export_mask; #ifndef OPENSSL_NO_RSA if (cert->rsa_tmp != NULL) { RSA_up_ref(cert->rsa_tmp); ret->rsa_tmp = cert->rsa_tmp; } ret->rsa_tmp_cb = cert->rsa_tmp_cb; #endif #ifndef OPENSSL_NO_DH if (cert->dh_tmp != NULL) { /* DH parameters don't have a reference count */ ret->dh_tmp = DHparams_dup(cert->dh_tmp); if (ret->dh_tmp == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB); goto err; } if (cert->dh_tmp->priv_key) { BIGNUM *b = BN_dup(cert->dh_tmp->priv_key); if (!b) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); goto err; } ret->dh_tmp->priv_key = b; } if (cert->dh_tmp->pub_key) { BIGNUM *b = BN_dup(cert->dh_tmp->pub_key); if (!b) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB); goto err; } ret->dh_tmp->pub_key = b; } } ret->dh_tmp_cb = cert->dh_tmp_cb; #endif for (i = 0; i < SSL_PKEY_NUM; i++) { if (cert->pkeys[i].x509 != NULL) { ret->pkeys[i].x509 = cert->pkeys[i].x509; CRYPTO_add(&ret->pkeys[i].x509->references, 1, CRYPTO_LOCK_X509); } if (cert->pkeys[i].privatekey != NULL) { ret->pkeys[i].privatekey = cert->pkeys[i].privatekey; CRYPTO_add(&ret->pkeys[i].privatekey->references, 1, CRYPTO_LOCK_EVP_PKEY); switch(i) { /* If there was anything special to do for * certain types of keys, we'd do it here. * (Nothing at the moment, I think.) */ case SSL_PKEY_RSA_ENC: case SSL_PKEY_RSA_SIGN: /* We have an RSA key. */ break; case SSL_PKEY_DSA_SIGN: /* We have a DSA key. */ break; case SSL_PKEY_DH_RSA: case SSL_PKEY_DH_DSA: /* We have a DH key. */ break; default: /* Can't happen. */ SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG); } } } /* ret->extra_certs *should* exist, but currently the own certificate * chain is held inside SSL_CTX */ ret->references=1; return(ret); #ifndef OPENSSL_NO_DH /* avoid 'unreferenced label' warning if OPENSSL_NO_DH is defined */ err: #endif #ifndef OPENSSL_NO_RSA if (ret->rsa_tmp != NULL) RSA_free(ret->rsa_tmp); #endif #ifndef OPENSSL_NO_DH if (ret->dh_tmp != NULL) DH_free(ret->dh_tmp); #endif for (i = 0; i < SSL_PKEY_NUM; i++) { if (ret->pkeys[i].x509 != NULL) X509_free(ret->pkeys[i].x509); if (ret->pkeys[i].privatekey != NULL) EVP_PKEY_free(ret->pkeys[i].privatekey); } return NULL; } void ssl_cert_free(CERT *c) { int i; if(c == NULL) return; i=CRYPTO_add(&c->references,-1,CRYPTO_LOCK_SSL_CERT); #ifdef REF_PRINT REF_PRINT("CERT",c); #endif if (i > 0) return; #ifdef REF_CHECK if (i < 0) { fprintf(stderr,"ssl_cert_free, bad reference count\n"); abort(); /* ok */ } #endif #ifndef OPENSSL_NO_RSA if (c->rsa_tmp) RSA_free(c->rsa_tmp); #endif #ifndef OPENSSL_NO_DH if (c->dh_tmp) DH_free(c->dh_tmp); #endif for (i=0; ipkeys[i].x509 != NULL) X509_free(c->pkeys[i].x509); if (c->pkeys[i].privatekey != NULL) EVP_PKEY_free(c->pkeys[i].privatekey); #if 0 if (c->pkeys[i].publickey != NULL) EVP_PKEY_free(c->pkeys[i].publickey); #endif } OPENSSL_free(c); } int ssl_cert_inst(CERT **o) { /* Create a CERT if there isn't already one * (which cannot really happen, as it is initially created in * SSL_CTX_new; but the earlier code usually allows for that one * being non-existant, so we follow that behaviour, as it might * turn out that there actually is a reason for it -- but I'm * not sure that *all* of the existing code could cope with * s->cert being NULL, otherwise we could do without the * initialization in SSL_CTX_new). */ if (o == NULL) { SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER); return(0); } if (*o == NULL) { if ((*o = ssl_cert_new()) == NULL) { SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE); return(0); } } return(1); } SESS_CERT *ssl_sess_cert_new(void) { SESS_CERT *ret; ret = OPENSSL_malloc(sizeof *ret); if (ret == NULL) { SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE); return NULL; } memset(ret, 0 ,sizeof *ret); ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]); ret->references = 1; return ret; } void ssl_sess_cert_free(SESS_CERT *sc) { int i; if (sc == NULL) return; i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT); #ifdef REF_PRINT REF_PRINT("SESS_CERT", sc); #endif if (i > 0) return; #ifdef REF_CHECK if (i < 0) { fprintf(stderr,"ssl_sess_cert_free, bad reference count\n"); abort(); /* ok */ } #endif /* i == 0 */ if (sc->cert_chain != NULL) sk_X509_pop_free(sc->cert_chain, X509_free); for (i = 0; i < SSL_PKEY_NUM; i++) { if (sc->peer_pkeys[i].x509 != NULL) X509_free(sc->peer_pkeys[i].x509); #if 0 /* We don't have the peer's private key. These lines are just * here as a reminder that we're still using a not-quite-appropriate * data structure. */ if (sc->peer_pkeys[i].privatekey != NULL) EVP_PKEY_free(sc->peer_pkeys[i].privatekey); #endif } #ifndef OPENSSL_NO_RSA if (sc->peer_rsa_tmp != NULL) RSA_free(sc->peer_rsa_tmp); #endif #ifndef OPENSSL_NO_DH if (sc->peer_dh_tmp != NULL) DH_free(sc->peer_dh_tmp); #endif OPENSSL_free(sc); } int ssl_set_peer_cert_type(SESS_CERT *sc,int type) { sc->peer_cert_type = type; return(1); } int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) { X509 *x; int i; X509_STORE_CTX ctx; if ((sk == NULL) || (sk_X509_num(sk) == 0)) return(0); x=sk_X509_value(sk,0); if(!X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk)) { SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB); return(0); } if (SSL_get_verify_depth(s) >= 0) X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s)); X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s); /* We need to set the verify purpose. The purpose can be determined by * the context: if its a server it will verify SSL client certificates * or vice versa. */ if (s->server) i = X509_PURPOSE_SSL_CLIENT; else i = X509_PURPOSE_SSL_SERVER; X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust); if (s->verify_callback) X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); if (s->ctx->app_verify_callback != NULL) #if 1 /* new with OpenSSL 0.9.7 */ i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg); #else i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */ #endif else { #ifndef OPENSSL_NO_X509_VERIFY i=X509_verify_cert(&ctx); #else i=0; ctx.error=X509_V_ERR_APPLICATION_VERIFICATION; SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK); #endif } s->verify_result=ctx.error; X509_STORE_CTX_cleanup(&ctx); return(i); } -static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *list) +static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list) { if (*ca_list != NULL) sk_X509_NAME_pop_free(*ca_list,X509_NAME_free); - *ca_list=list; + *ca_list=name_list; } STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) { int i; STACK_OF(X509_NAME) *ret; X509_NAME *name; ret=sk_X509_NAME_new_null(); for (i=0; iclient_CA),list); + set_client_CA_list(&(s->client_CA),name_list); } -void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *list) +void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list) { - set_client_CA_list(&(ctx->client_CA),list); + set_client_CA_list(&(ctx->client_CA),name_list); } STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx) { return(ctx->client_CA); } STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s) { if (s->type == SSL_ST_CONNECT) { /* we are in the client */ if (((s->version>>8) == SSL3_VERSION_MAJOR) && (s->s3 != NULL)) return(s->s3->tmp.ca_names); else return(NULL); } else { if (s->client_CA != NULL) return(s->client_CA); else return(s->ctx->client_CA); } } static int add_client_CA(STACK_OF(X509_NAME) **sk,X509 *x) { X509_NAME *name; if (x == NULL) return(0); if ((*sk == NULL) && ((*sk=sk_X509_NAME_new_null()) == NULL)) return(0); if ((name=X509_NAME_dup(X509_get_subject_name(x))) == NULL) return(0); if (!sk_X509_NAME_push(*sk,name)) { X509_NAME_free(name); return(0); } return(1); } int SSL_add_client_CA(SSL *ssl,X509 *x) { return(add_client_CA(&(ssl->client_CA),x)); } int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x) { return(add_client_CA(&(ctx->client_CA),x)); } static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b) { return(X509_NAME_cmp(*a,*b)); } #ifndef OPENSSL_NO_STDIO /*! * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed; * it doesn't really have anything to do with clients (except that a common use * for a stack of CAs is to send it to the client). Actually, it doesn't have * much to do with CAs, either, since it will load any old cert. * \param file the file containing one or more certs. * \return a ::STACK containing the certs. */ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) { BIO *in; X509 *x=NULL; X509_NAME *xn=NULL; STACK_OF(X509_NAME) *ret,*sk; ret=sk_X509_NAME_new_null(); sk=sk_X509_NAME_new(xname_cmp); in=BIO_new(BIO_s_file_internal()); if ((ret == NULL) || (sk == NULL) || (in == NULL)) { SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,ERR_R_MALLOC_FAILURE); goto err; } if (!BIO_read_filename(in,file)) goto err; for (;;) { if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL) break; if ((xn=X509_get_subject_name(x)) == NULL) goto err; /* check for duplicates */ xn=X509_NAME_dup(xn); if (xn == NULL) goto err; if (sk_X509_NAME_find(sk,xn) >= 0) X509_NAME_free(xn); else { sk_X509_NAME_push(sk,xn); sk_X509_NAME_push(ret,xn); } } if (0) { err: if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free); ret=NULL; } if (sk != NULL) sk_X509_NAME_free(sk); if (in != NULL) BIO_free(in); if (x != NULL) X509_free(x); return(ret); } #endif /*! * Add a file of certs to a stack. * \param stack the stack to add to. * \param file the file to add from. All certs in this file that are not * already in the stack will be added. * \return 1 for success, 0 for failure. Note that in the case of failure some * certs may have been added to \c stack. */ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *file) { BIO *in; X509 *x=NULL; X509_NAME *xn=NULL; int ret=1; int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b); oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp); in=BIO_new(BIO_s_file_internal()); if (in == NULL) { SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,ERR_R_MALLOC_FAILURE); goto err; } if (!BIO_read_filename(in,file)) goto err; for (;;) { if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL) break; if ((xn=X509_get_subject_name(x)) == NULL) goto err; xn=X509_NAME_dup(xn); if (xn == NULL) goto err; if (sk_X509_NAME_find(stack,xn) >= 0) X509_NAME_free(xn); else sk_X509_NAME_push(stack,xn); } if (0) { err: ret=0; } if(in != NULL) BIO_free(in); if(x != NULL) X509_free(x); sk_X509_NAME_set_cmp_func(stack,oldcmp); return ret; } /*! * Add a directory of certs to a stack. * \param stack the stack to append to. * \param dir the directory to append from. All files in this directory will be * examined as potential certs. Any that are acceptable to * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be * included. * \return 1 for success, 0 for failure. Note that in the case of failure some * certs may have been added to \c stack. */ #ifndef OPENSSL_SYS_WIN32 #ifndef OPENSSL_SYS_VMS /* XXXX This may be fixed in the future */ #ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! */ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *dir) { DIR *d; struct dirent *dstruct; int ret = 0; CRYPTO_w_lock(CRYPTO_LOCK_READDIR); d = opendir(dir); /* Note that a side effect is that the CAs will be sorted by name */ if(!d) { SYSerr(SYS_F_OPENDIR, get_last_sys_error()); ERR_add_error_data(3, "opendir('", dir, "')"); SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB); goto err; } while((dstruct=readdir(d))) { char buf[1024]; int r; if(strlen(dir)+strlen(dstruct->d_name)+2 > sizeof buf) { SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG); goto err; } r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,dstruct->d_name); if (r <= 0 || r >= sizeof buf) goto err; if(!SSL_add_file_cert_subjects_to_stack(stack,buf)) goto err; } ret = 1; err: if (d) closedir(d); CRYPTO_w_unlock(CRYPTO_LOCK_READDIR); return ret; } #endif #endif #else /* OPENSSL_SYS_WIN32 */ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *dir) { WIN32_FIND_DATA FindFileData; HANDLE hFind; int ret = 0; #ifdef OPENSSL_SYS_WINCE WCHAR* wdir = NULL; #endif CRYPTO_w_lock(CRYPTO_LOCK_READDIR); #ifdef OPENSSL_SYS_WINCE /* convert strings to UNICODE */ { BOOL result = FALSE; int i; wdir = malloc((strlen(dir)+1)*2); if (wdir == NULL) goto err_noclose; for (i=0; i<(int)strlen(dir)+1; i++) wdir[i] = (short)dir[i]; } #endif #ifdef OPENSSL_SYS_WINCE hFind = FindFirstFile(wdir, &FindFileData); #else hFind = FindFirstFile(dir, &FindFileData); #endif /* Note that a side effect is that the CAs will be sorted by name */ if(hFind == INVALID_HANDLE_VALUE) { SYSerr(SYS_F_OPENDIR, get_last_sys_error()); ERR_add_error_data(3, "opendir('", dir, "')"); SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB); goto err_noclose; } do { char buf[1024]; int r; #ifdef OPENSSL_SYS_WINCE if(strlen(dir)+_tcslen(FindFileData.cFileName)+2 > sizeof buf) #else if(strlen(dir)+strlen(FindFileData.cFileName)+2 > sizeof buf) #endif { SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG); goto err; } r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,FindFileData.cFileName); if (r <= 0 || r >= sizeof buf) goto err; if(!SSL_add_file_cert_subjects_to_stack(stack,buf)) goto err; } while (FindNextFile(hFind, &FindFileData) != FALSE); ret = 1; err: FindClose(hFind); err_noclose: #ifdef OPENSSL_SYS_WINCE if (wdir != NULL) free(wdir); #endif CRYPTO_w_unlock(CRYPTO_LOCK_READDIR); return ret; } #endif diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c index 888b667fa12c..44c503eb048e 100644 --- a/crypto/openssl/ssl/ssl_ciph.c +++ b/crypto/openssl/ssl/ssl_ciph.c @@ -1,1139 +1,1146 @@ /* ssl/ssl_ciph.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include "ssl_locl.h" #define SSL_ENC_DES_IDX 0 #define SSL_ENC_3DES_IDX 1 #define SSL_ENC_RC4_IDX 2 #define SSL_ENC_RC2_IDX 3 #define SSL_ENC_IDEA_IDX 4 #define SSL_ENC_eFZA_IDX 5 #define SSL_ENC_NULL_IDX 6 #define SSL_ENC_AES128_IDX 7 #define SSL_ENC_AES256_IDX 8 #define SSL_ENC_NUM_IDX 9 static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ NULL,NULL,NULL,NULL,NULL,NULL, }; static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL; #define SSL_MD_MD5_IDX 0 #define SSL_MD_SHA1_IDX 1 #define SSL_MD_NUM_IDX 2 static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={ NULL,NULL, }; #define CIPHER_ADD 1 #define CIPHER_KILL 2 #define CIPHER_DEL 3 #define CIPHER_ORD 4 #define CIPHER_SPECIAL 5 typedef struct cipher_order_st { SSL_CIPHER *cipher; int active; int dead; struct cipher_order_st *next,*prev; } CIPHER_ORDER; static const SSL_CIPHER cipher_aliases[]={ /* Don't include eNULL unless specifically enabled. */ {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */ {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */ {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */ {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_kEDH,0,SSL_kEDH, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_kFZA,0,SSL_kFZA, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0}, {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0}, /* VRS Kerberos5 */ {0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_aDH, 0,SSL_aDH, 0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_DSS, 0,SSL_DSS, 0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_DES, 0,SSL_DES, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_RC2, 0,SSL_RC2, 0,0,0,0,SSL_ENC_MASK,0}, +#ifndef OPENSSL_NO_IDEA {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0}, +#endif {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0}, {0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0}, {0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0}, {0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_KRB5,0,SSL_KRB5, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, {0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, {0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, {0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0}, {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0}, {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,0,0,0,SSL_SSL_MASK,0}, {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,0,0,0,SSL_SSL_MASK,0}, {0,SSL_TXT_EXP ,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK}, {0,SSL_TXT_EXPORT,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK}, {0,SSL_TXT_EXP40, 0, 0, SSL_EXP40, 0,0,0,0,SSL_STRONG_MASK}, {0,SSL_TXT_EXP56, 0, 0, SSL_EXP56, 0,0,0,0,SSL_STRONG_MASK}, {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK}, {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK}, {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK}, }; static int init_ciphers=1; static void load_ciphers(void) { init_ciphers=0; ssl_cipher_methods[SSL_ENC_DES_IDX]= EVP_get_cipherbyname(SN_des_cbc); ssl_cipher_methods[SSL_ENC_3DES_IDX]= EVP_get_cipherbyname(SN_des_ede3_cbc); ssl_cipher_methods[SSL_ENC_RC4_IDX]= EVP_get_cipherbyname(SN_rc4); ssl_cipher_methods[SSL_ENC_RC2_IDX]= EVP_get_cipherbyname(SN_rc2_cbc); +#ifndef OPENSSL_NO_IDEA ssl_cipher_methods[SSL_ENC_IDEA_IDX]= EVP_get_cipherbyname(SN_idea_cbc); +#else + ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL; +#endif ssl_cipher_methods[SSL_ENC_AES128_IDX]= EVP_get_cipherbyname(SN_aes_128_cbc); ssl_cipher_methods[SSL_ENC_AES256_IDX]= EVP_get_cipherbyname(SN_aes_256_cbc); ssl_digest_methods[SSL_MD_MD5_IDX]= EVP_get_digestbyname(SN_md5); ssl_digest_methods[SSL_MD_SHA1_IDX]= EVP_get_digestbyname(SN_sha1); } int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc, const EVP_MD **md, SSL_COMP **comp) { int i; SSL_CIPHER *c; c=s->cipher; if (c == NULL) return(0); if (comp != NULL) { SSL_COMP ctmp; if (s->compress_meth == 0) *comp=NULL; else if (ssl_comp_methods == NULL) { /* bad */ *comp=NULL; } else { ctmp.id=s->compress_meth; i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp); if (i >= 0) *comp=sk_SSL_COMP_value(ssl_comp_methods,i); else *comp=NULL; } } if ((enc == NULL) || (md == NULL)) return(0); switch (c->algorithms & SSL_ENC_MASK) { case SSL_DES: i=SSL_ENC_DES_IDX; break; case SSL_3DES: i=SSL_ENC_3DES_IDX; break; case SSL_RC4: i=SSL_ENC_RC4_IDX; break; case SSL_RC2: i=SSL_ENC_RC2_IDX; break; case SSL_IDEA: i=SSL_ENC_IDEA_IDX; break; case SSL_eNULL: i=SSL_ENC_NULL_IDX; break; case SSL_AES: switch(c->alg_bits) { case 128: i=SSL_ENC_AES128_IDX; break; case 256: i=SSL_ENC_AES256_IDX; break; default: i=-1; break; } break; default: i= -1; break; } if ((i < 0) || (i > SSL_ENC_NUM_IDX)) *enc=NULL; else { if (i == SSL_ENC_NULL_IDX) *enc=EVP_enc_null(); else *enc=ssl_cipher_methods[i]; } switch (c->algorithms & SSL_MAC_MASK) { case SSL_MD5: i=SSL_MD_MD5_IDX; break; case SSL_SHA1: i=SSL_MD_SHA1_IDX; break; default: i= -1; break; } if ((i < 0) || (i > SSL_MD_NUM_IDX)) *md=NULL; else *md=ssl_digest_methods[i]; if ((*enc != NULL) && (*md != NULL)) return(1); else return(0); } #define ITEM_SEP(a) \ (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, CIPHER_ORDER **tail) { if (curr == *tail) return; if (curr == *head) *head=curr->next; if (curr->prev != NULL) curr->prev->next=curr->next; if (curr->next != NULL) /* should always be true */ curr->next->prev=curr->prev; (*tail)->next=curr; curr->prev= *tail; curr->next=NULL; *tail=curr; } static unsigned long ssl_cipher_get_disabled(void) { unsigned long mask; mask = SSL_kFZA; #ifdef OPENSSL_NO_RSA mask |= SSL_aRSA|SSL_kRSA; #endif #ifdef OPENSSL_NO_DSA mask |= SSL_aDSS; #endif #ifdef OPENSSL_NO_DH mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH; #endif #ifdef OPENSSL_NO_KRB5 mask |= SSL_kKRB5|SSL_aKRB5; #endif #ifdef SSL_FORBID_ENULL mask |= SSL_eNULL; #endif mask |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0; mask |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0; mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0; mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0; mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0; mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; return(mask); } static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, - int num_of_ciphers, unsigned long mask, CIPHER_ORDER *list, + int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) { - int i, list_num; + int i, co_list_num; SSL_CIPHER *c; /* * We have num_of_ciphers descriptions compiled in, depending on the * method selected (SSLv2 and/or SSLv3, TLSv1 etc). * These will later be sorted in a linked list with at most num * entries. */ /* Get the initial list of ciphers */ - list_num = 0; /* actual count of ciphers */ + co_list_num = 0; /* actual count of ciphers */ for (i = 0; i < num_of_ciphers; i++) { c = ssl_method->get_cipher(i); /* drop those that use any of that is not available */ if ((c != NULL) && c->valid && !(c->algorithms & mask)) { - list[list_num].cipher = c; - list[list_num].next = NULL; - list[list_num].prev = NULL; - list[list_num].active = 0; - list_num++; + co_list[co_list_num].cipher = c; + co_list[co_list_num].next = NULL; + co_list[co_list_num].prev = NULL; + co_list[co_list_num].active = 0; + co_list_num++; #ifdef KSSL_DEBUG printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms); #endif /* KSSL_DEBUG */ /* if (!sk_push(ca_list,(char *)c)) goto err; */ } } /* * Prepare linked list from list entries */ - for (i = 1; i < list_num - 1; i++) + for (i = 1; i < co_list_num - 1; i++) { - list[i].prev = &(list[i-1]); - list[i].next = &(list[i+1]); + co_list[i].prev = &(co_list[i-1]); + co_list[i].next = &(co_list[i+1]); } - if (list_num > 0) + if (co_list_num > 0) { - (*head_p) = &(list[0]); + (*head_p) = &(co_list[0]); (*head_p)->prev = NULL; - (*head_p)->next = &(list[1]); - (*tail_p) = &(list[list_num - 1]); - (*tail_p)->prev = &(list[list_num - 2]); + (*head_p)->next = &(co_list[1]); + (*tail_p) = &(co_list[co_list_num - 1]); + (*tail_p)->prev = &(co_list[co_list_num - 2]); (*tail_p)->next = NULL; } } static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list, int num_of_group_aliases, unsigned long mask, CIPHER_ORDER *head) { CIPHER_ORDER *ciph_curr; SSL_CIPHER **ca_curr; int i; /* * First, add the real ciphers as already collected */ ciph_curr = head; ca_curr = ca_list; while (ciph_curr != NULL) { *ca_curr = ciph_curr->cipher; ca_curr++; ciph_curr = ciph_curr->next; } /* * Now we add the available ones from the cipher_aliases[] table. * They represent either an algorithm, that must be fully * supported (not match any bit in mask) or represent a cipher * strength value (will be added in any case because algorithms=0). */ for (i = 0; i < num_of_group_aliases; i++) { if ((i == 0) || /* always fetch "ALL" */ !(cipher_aliases[i].algorithms & mask)) { *ca_curr = (SSL_CIPHER *)(cipher_aliases + i); ca_curr++; } } *ca_curr = NULL; /* end of list */ } static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask, unsigned long algo_strength, unsigned long mask_strength, - int rule, int strength_bits, CIPHER_ORDER *list, + int rule, int strength_bits, CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) { CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2; SSL_CIPHER *cp; unsigned long ma, ma_s; #ifdef CIPHER_DEBUG printf("Applying rule %d with %08lx %08lx %08lx %08lx (%d)\n", rule, algorithms, mask, algo_strength, mask_strength, strength_bits); #endif curr = head = *head_p; curr2 = head; tail2 = tail = *tail_p; for (;;) { if ((curr == NULL) || (curr == tail2)) break; curr = curr2; curr2 = curr->next; cp = curr->cipher; /* * Selection criteria is either the number of strength_bits * or the algorithm used. */ if (strength_bits == -1) { ma = mask & cp->algorithms; ma_s = mask_strength & cp->algo_strength; #ifdef CIPHER_DEBUG printf("\nName: %s:\nAlgo = %08lx Algo_strength = %08lx\nMask = %08lx Mask_strength %08lx\n", cp->name, cp->algorithms, cp->algo_strength, mask, mask_strength); printf("ma = %08lx ma_s %08lx, ma&algo=%08lx, ma_s&algos=%08lx\n", ma, ma_s, ma&algorithms, ma_s&algo_strength); #endif /* * Select: if none of the mask bit was met from the * cipher or not all of the bits were met, the * selection does not apply. */ if (((ma == 0) && (ma_s == 0)) || ((ma & algorithms) != ma) || ((ma_s & algo_strength) != ma_s)) continue; /* does not apply */ } else if (strength_bits != cp->strength_bits) continue; /* does not apply */ #ifdef CIPHER_DEBUG printf("Action = %d\n", rule); #endif /* add the cipher if it has not been added yet. */ if (rule == CIPHER_ADD) { if (!curr->active) { ll_append_tail(&head, curr, &tail); curr->active = 1; } } /* Move the added cipher to this location */ else if (rule == CIPHER_ORD) { if (curr->active) { ll_append_tail(&head, curr, &tail); } } else if (rule == CIPHER_DEL) curr->active = 0; else if (rule == CIPHER_KILL) { if (head == curr) head = curr->next; else curr->prev->next = curr->next; if (tail == curr) tail = curr->prev; curr->active = 0; if (curr->next != NULL) curr->next->prev = curr->prev; if (curr->prev != NULL) curr->prev->next = curr->next; curr->next = NULL; curr->prev = NULL; } } *head_p = head; *tail_p = tail; } -static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p, - CIPHER_ORDER **tail_p) +static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list, + CIPHER_ORDER **head_p, + CIPHER_ORDER **tail_p) { int max_strength_bits, i, *number_uses; CIPHER_ORDER *curr; /* * This routine sorts the ciphers with descending strength. The sorting * must keep the pre-sorted sequence, so we apply the normal sorting * routine as '+' movement to the end of the list. */ max_strength_bits = 0; curr = *head_p; while (curr != NULL) { if (curr->active && (curr->cipher->strength_bits > max_strength_bits)) max_strength_bits = curr->cipher->strength_bits; curr = curr->next; } number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int)); if (!number_uses) { SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE); return(0); } memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int)); /* * Now find the strength_bits values actually used */ curr = *head_p; while (curr != NULL) { if (curr->active) number_uses[curr->cipher->strength_bits]++; curr = curr->next; } /* * Go through the list of used strength_bits values in descending * order. */ for (i = max_strength_bits; i >= 0; i--) if (number_uses[i] > 0) ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i, - list, head_p, tail_p); + co_list, head_p, tail_p); OPENSSL_free(number_uses); return(1); } static int ssl_cipher_process_rulestr(const char *rule_str, - CIPHER_ORDER *list, CIPHER_ORDER **head_p, + CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list) { unsigned long algorithms, mask, algo_strength, mask_strength; const char *l, *start, *buf; int j, multi, found, rule, retval, ok, buflen; char ch; retval = 1; l = rule_str; for (;;) { ch = *l; if (ch == '\0') break; /* done */ if (ch == '-') { rule = CIPHER_DEL; l++; } else if (ch == '+') { rule = CIPHER_ORD; l++; } else if (ch == '!') { rule = CIPHER_KILL; l++; } else if (ch == '@') { rule = CIPHER_SPECIAL; l++; } else { rule = CIPHER_ADD; } if (ITEM_SEP(ch)) { l++; continue; } algorithms = mask = algo_strength = mask_strength = 0; start=l; for (;;) { ch = *l; buf = l; buflen = 0; #ifndef CHARSET_EBCDIC while ( ((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) || ((ch >= 'a') && (ch <= 'z')) || (ch == '-')) #else while ( isalnum(ch) || (ch == '-')) #endif { ch = *(++l); buflen++; } if (buflen == 0) { /* * We hit something we cannot deal with, * it is no command or separator nor * alphanumeric, so we call this an error. */ SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND); retval = found = 0; l++; break; } if (rule == CIPHER_SPECIAL) { found = 0; /* unused -- avoid compiler warning */ break; /* special treatment */ } /* check for multi-part specification */ if (ch == '+') { multi=1; l++; } else multi=0; /* * Now search for the cipher alias in the ca_list. Be careful * with the strncmp, because the "buflen" limitation * will make the rule "ADH:SOME" and the cipher * "ADH-MY-CIPHER" look like a match for buflen=3. * So additionally check whether the cipher name found * has the correct length. We can save a strlen() call: * just checking for the '\0' at the right place is * sufficient, we have to strncmp() anyway. (We cannot * use strcmp(), because buf is not '\0' terminated.) */ j = found = 0; while (ca_list[j]) { if (!strncmp(buf, ca_list[j]->name, buflen) && (ca_list[j]->name[buflen] == '\0')) { found = 1; break; } else j++; } if (!found) break; /* ignore this entry */ algorithms |= ca_list[j]->algorithms; mask |= ca_list[j]->mask; algo_strength |= ca_list[j]->algo_strength; mask_strength |= ca_list[j]->mask_strength; if (!multi) break; } /* * Ok, we have the rule, now apply it */ if (rule == CIPHER_SPECIAL) { /* special command */ ok = 0; if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8)) - ok = ssl_cipher_strength_sort(list, + ok = ssl_cipher_strength_sort(co_list, head_p, tail_p); else SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND); if (ok == 0) retval = 0; /* * We do not support any "multi" options * together with "@", so throw away the * rest of the command, if any left, until * end or ':' is found. */ while ((*l != '\0') && ITEM_SEP(*l)) l++; } else if (found) { ssl_cipher_apply_rule(algorithms, mask, algo_strength, mask_strength, rule, -1, - list, head_p, tail_p); + co_list, head_p, tail_p); } else { while ((*l != '\0') && ITEM_SEP(*l)) l++; } if (*l == '\0') break; /* done */ } return(retval); } STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) **cipher_list, STACK_OF(SSL_CIPHER) **cipher_list_by_id, const char *rule_str) { int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; unsigned long disabled_mask; STACK_OF(SSL_CIPHER) *cipherstack; const char *rule_p; - CIPHER_ORDER *list = NULL, *head = NULL, *tail = NULL, *curr; + CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; SSL_CIPHER **ca_list = NULL; /* * Return with error if nothing to do. */ if (rule_str == NULL) return(NULL); if (init_ciphers) { CRYPTO_w_lock(CRYPTO_LOCK_SSL); if (init_ciphers) load_ciphers(); CRYPTO_w_unlock(CRYPTO_LOCK_SSL); } /* * To reduce the work to do we only want to process the compiled * in algorithms, so we first get the mask of disabled ciphers. */ disabled_mask = ssl_cipher_get_disabled(); /* * Now we have to collect the available ciphers from the compiled * in ciphers. We cannot get more than the number compiled in, so * it is used for allocation. */ num_of_ciphers = ssl_method->num_ciphers(); #ifdef KSSL_DEBUG printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); #endif /* KSSL_DEBUG */ - list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); - if (list == NULL) + co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); + if (co_list == NULL) { SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask, - list, &head, &tail); + co_list, &head, &tail); /* * We also need cipher aliases for selecting based on the rule_str. * There might be two types of entries in the rule_str: 1) names * of ciphers themselves 2) aliases for groups of ciphers. * For 1) we need the available ciphers and for 2) the cipher * groups of cipher_aliases added together in one list (otherwise * we would be happy with just the cipher_aliases table). */ num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER); num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = (SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max); if (ca_list == NULL) { - OPENSSL_free(list); + OPENSSL_free(co_list); SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask, head); /* * If the rule_string begins with DEFAULT, apply the default rule * before using the (possibly available) additional rules. */ ok = 1; rule_p = rule_str; if (strncmp(rule_str,"DEFAULT",7) == 0) { ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, - list, &head, &tail, ca_list); + co_list, &head, &tail, ca_list); rule_p += 7; if (*rule_p == ':') rule_p++; } if (ok && (strlen(rule_p) > 0)) - ok = ssl_cipher_process_rulestr(rule_p, list, &head, &tail, + ok = ssl_cipher_process_rulestr(rule_p, co_list, &head, &tail, ca_list); OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ - OPENSSL_free(list); + OPENSSL_free(co_list); return(NULL); } /* * Allocate new "cipherstack" for the result, return with error * if we cannot get one. */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { - OPENSSL_free(list); + OPENSSL_free(co_list); return(NULL); } /* * The cipher selection for the list is done. The ciphers are added * to the resulting precedence to the STACK_OF(SSL_CIPHER). */ for (curr = head; curr != NULL; curr = curr->next) { if (curr->active) { sk_SSL_CIPHER_push(cipherstack, curr->cipher); #ifdef CIPHER_DEBUG printf("<%s>\n",curr->cipher->name); #endif } } - OPENSSL_free(list); /* Not needed any longer */ + OPENSSL_free(co_list); /* Not needed any longer */ /* * The following passage is a little bit odd. If pointer variables * were supplied to hold STACK_OF(SSL_CIPHER) return information, * the old memory pointed to is free()ed. Then, however, the * cipher_list entry will be assigned just a copy of the returned * cipher stack. For cipher_list_by_id a copy of the cipher stack * will be created. See next comment... */ if (cipher_list != NULL) { if (*cipher_list != NULL) sk_SSL_CIPHER_free(*cipher_list); *cipher_list = cipherstack; } if (cipher_list_by_id != NULL) { if (*cipher_list_by_id != NULL) sk_SSL_CIPHER_free(*cipher_list_by_id); *cipher_list_by_id = sk_SSL_CIPHER_dup(cipherstack); } /* * Now it is getting really strange. If something failed during * the previous pointer assignment or if one of the pointers was * not requested, the error condition is met. That might be * discussable. The strange thing is however that in this case * the memory "ret" pointed to is "free()ed" and hence the pointer * cipher_list becomes wild. The memory reserved for * cipher_list_by_id however is not "free()ed" and stays intact. */ if ( (cipher_list_by_id == NULL) || (*cipher_list_by_id == NULL) || (cipher_list == NULL) || (*cipher_list == NULL)) { sk_SSL_CIPHER_free(cipherstack); return(NULL); } sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp); return(cipherstack); } char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) { int is_export,pkl,kl; - char *ver,*exp; + char *ver,*exp_str; char *kx,*au,*enc,*mac; unsigned long alg,alg2,alg_s; #ifdef KSSL_DEBUG static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n"; #else static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n"; #endif /* KSSL_DEBUG */ alg=cipher->algorithms; alg_s=cipher->algo_strength; alg2=cipher->algorithm2; is_export=SSL_C_IS_EXPORT(cipher); pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); kl=SSL_C_EXPORT_KEYLENGTH(cipher); - exp=is_export?" export":""; + exp_str=is_export?" export":""; if (alg & SSL_SSLV2) ver="SSLv2"; else if (alg & SSL_SSLV3) ver="SSLv3"; else ver="unknown"; switch (alg&SSL_MKEY_MASK) { case SSL_kRSA: kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA"; break; case SSL_kDHr: kx="DH/RSA"; break; case SSL_kDHd: kx="DH/DSS"; break; case SSL_kKRB5: /* VRS */ case SSL_KRB5: /* VRS */ kx="KRB5"; break; case SSL_kFZA: kx="Fortezza"; break; case SSL_kEDH: kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH"; break; default: kx="unknown"; } switch (alg&SSL_AUTH_MASK) { case SSL_aRSA: au="RSA"; break; case SSL_aDSS: au="DSS"; break; case SSL_aDH: au="DH"; break; case SSL_aKRB5: /* VRS */ case SSL_KRB5: /* VRS */ au="KRB5"; break; case SSL_aFZA: case SSL_aNULL: au="None"; break; default: au="unknown"; break; } switch (alg&SSL_ENC_MASK) { case SSL_DES: enc=(is_export && kl == 5)?"DES(40)":"DES(56)"; break; case SSL_3DES: enc="3DES(168)"; break; case SSL_RC4: enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)") :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)"); break; case SSL_RC2: enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)"; break; case SSL_IDEA: enc="IDEA(128)"; break; case SSL_eFZA: enc="Fortezza"; break; case SSL_eNULL: enc="None"; break; case SSL_AES: switch(cipher->strength_bits) { case 128: enc="AES(128)"; break; case 192: enc="AES(192)"; break; case 256: enc="AES(256)"; break; default: enc="AES(?""?""?)"; break; } break; default: enc="unknown"; break; } switch (alg&SSL_MAC_MASK) { case SSL_MD5: mac="MD5"; break; case SSL_SHA1: mac="SHA1"; break; default: mac="unknown"; break; } if (buf == NULL) { len=128; buf=OPENSSL_malloc(len); if (buf == NULL) return("OPENSSL_malloc Error"); } else if (len < 128) return("Buffer too small"); #ifdef KSSL_DEBUG - BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp,alg); + BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg); #else - BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp); + BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str); #endif /* KSSL_DEBUG */ return(buf); } char *SSL_CIPHER_get_version(SSL_CIPHER *c) { int i; if (c == NULL) return("(NONE)"); i=(int)(c->id>>24L); if (i == 3) return("TLSv1/SSLv3"); else if (i == 2) return("SSLv2"); else return("unknown"); } /* return the actual cipher being used */ const char *SSL_CIPHER_get_name(SSL_CIPHER *c) { if (c != NULL) return(c->name); return("(NONE)"); } /* number of bits for symmetric cipher */ int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits) { int ret=0; if (c != NULL) { if (alg_bits != NULL) *alg_bits = c->alg_bits; ret = c->strength_bits; } return(ret); } SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) { SSL_COMP *ctmp; int i,nn; if ((n == 0) || (sk == NULL)) return(NULL); nn=sk_SSL_COMP_num(sk); for (i=0; iid == n) return(ctmp); } return(NULL); } static int sk_comp_cmp(const SSL_COMP * const *a, const SSL_COMP * const *b) { return((*a)->id-(*b)->id); } STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { return(ssl_comp_methods); } int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { SSL_COMP *comp; STACK_OF(SSL_COMP) *sk; if (cm == NULL || cm->type == NID_undef) return 1; MemCheck_off(); comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); comp->id=id; comp->method=cm; if (ssl_comp_methods == NULL) sk=ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); else sk=ssl_comp_methods; if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp)) { MemCheck_on(); SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); - return(0); + return(1); } else { MemCheck_on(); - return(1); + return(0); } } diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c index 6d698906884a..ee9a82d5860d 100644 --- a/crypto/openssl/ssl/ssl_lib.c +++ b/crypto/openssl/ssl/ssl_lib.c @@ -1,2320 +1,2319 @@ /*! \file ssl/ssl_lib.c * \brief Version independent SSL functions. */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #ifdef REF_CHECK # include #endif #include #include "ssl_locl.h" #include "kssl_lcl.h" #include #include #include -#include "cryptlib.h" const char *SSL_version_str=OPENSSL_VERSION_TEXT; OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={ /* evil casts, but these functions are only called if there's a library bug */ (int (*)(SSL *,int))ssl_undefined_function, (int (*)(SSL *, unsigned char *, int))ssl_undefined_function, ssl_undefined_function, (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function, (int (*)(SSL*, int))ssl_undefined_function, (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function }; int SSL_clear(SSL *s) { if (s->method == NULL) { SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED); return(0); } if (ssl_clear_bad_session(s)) { SSL_SESSION_free(s->session); s->session=NULL; } s->error=0; s->hit=0; s->shutdown=0; #if 0 /* Disabled since version 1.10 of this file (early return not * needed because SSL_clear is not called when doing renegotiation) */ /* This is set if we are doing dynamic renegotiation so keep * the old cipher. It is sort of a SSL_clear_lite :-) */ if (s->new_session) return(1); #else if (s->new_session) { SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR); return 0; } #endif s->type=0; s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT); s->version=s->method->version; s->client_version=s->version; s->rwstate=SSL_NOTHING; s->rstate=SSL_ST_READ_HEADER; #if 0 s->read_ahead=s->ctx->read_ahead; #endif if (s->init_buf != NULL) { BUF_MEM_free(s->init_buf); s->init_buf=NULL; } ssl_clear_cipher_ctx(s); s->first_packet=0; #if 1 /* Check to see if we were changed into a different method, if * so, revert back if we are not doing session-id reuse. */ if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) { s->method->ssl_free(s); s->method=s->ctx->method; if (!s->method->ssl_new(s)) return(0); } else #endif s->method->ssl_clear(s); return(1); } /** Used to change an SSL_CTXs default SSL method type */ int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth) { STACK_OF(SSL_CIPHER) *sk; ctx->method=meth; sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list), &(ctx->cipher_list_by_id),SSL_DEFAULT_CIPHER_LIST); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return(0); } return(1); } SSL *SSL_new(SSL_CTX *ctx) { SSL *s; if (ctx == NULL) { SSLerr(SSL_F_SSL_NEW,SSL_R_NULL_SSL_CTX); return(NULL); } if (ctx->method == NULL) { SSLerr(SSL_F_SSL_NEW,SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); return(NULL); } s=(SSL *)OPENSSL_malloc(sizeof(SSL)); if (s == NULL) goto err; memset(s,0,sizeof(SSL)); #ifndef OPENSSL_NO_KRB5 s->kssl_ctx = kssl_ctx_new(); #endif /* OPENSSL_NO_KRB5 */ s->options=ctx->options; s->mode=ctx->mode; s->max_cert_list=ctx->max_cert_list; if (ctx->cert != NULL) { /* Earlier library versions used to copy the pointer to * the CERT, not its contents; only when setting new * parameters for the per-SSL copy, ssl_cert_new would be * called (and the direct reference to the per-SSL_CTX * settings would be lost, but those still were indirectly * accessed for various purposes, and for that reason they * used to be known as s->ctx->default_cert). * Now we don't look at the SSL_CTX's CERT after having * duplicated it once. */ s->cert = ssl_cert_dup(ctx->cert); if (s->cert == NULL) goto err; } else s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ s->read_ahead=ctx->read_ahead; s->msg_callback=ctx->msg_callback; s->msg_callback_arg=ctx->msg_callback_arg; s->verify_mode=ctx->verify_mode; s->verify_depth=ctx->verify_depth; s->sid_ctx_length=ctx->sid_ctx_length; OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); s->verify_callback=ctx->default_verify_callback; s->generate_session_id=ctx->generate_session_id; s->purpose = ctx->purpose; s->trust = ctx->trust; s->quiet_shutdown=ctx->quiet_shutdown; CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); s->ctx=ctx; s->verify_result=X509_V_OK; s->method=ctx->method; if (!s->method->ssl_new(s)) goto err; s->references=1; s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; SSL_clear(s); CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); return(s); err: if (s != NULL) { if (s->cert != NULL) ssl_cert_free(s->cert); if (s->ctx != NULL) SSL_CTX_free(s->ctx); /* decrement reference count */ OPENSSL_free(s); } SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE); return(NULL); } int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx, unsigned int sid_ctx_len) { if(sid_ctx_len > sizeof ctx->sid_ctx) { SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); return 0; } ctx->sid_ctx_length=sid_ctx_len; memcpy(ctx->sid_ctx,sid_ctx,sid_ctx_len); return 1; } int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx, unsigned int sid_ctx_len) { if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); return 0; } ssl->sid_ctx_length=sid_ctx_len; memcpy(ssl->sid_ctx,sid_ctx,sid_ctx_len); return 1; } int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) { CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); ctx->generate_session_id = cb; CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); return 1; } int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) { CRYPTO_w_lock(CRYPTO_LOCK_SSL); ssl->generate_session_id = cb; CRYPTO_w_unlock(CRYPTO_LOCK_SSL); return 1; } int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, unsigned int id_len) { /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how * we can "construct" a session to give us the desired check - ie. to * find if there's a session in the hash table that would conflict with * any new session built out of this id/id_len and the ssl_version in * use by this SSL. */ SSL_SESSION r, *p; if(id_len > sizeof r.session_id) return 0; r.ssl_version = ssl->version; r.session_id_length = id_len; memcpy(r.session_id, id, id_len); /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a * callback is calling us to check the uniqueness of a shorter ID, it * must be compared as a padded-out ID because that is what it will be * converted to when the callback has finished choosing it. */ if((r.ssl_version == SSL2_VERSION) && (id_len < SSL2_SSL_SESSION_ID_LENGTH)) { memset(r.session_id + id_len, 0, SSL2_SSL_SESSION_ID_LENGTH - id_len); r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH; } CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r); CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); return (p != NULL); } int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) { return X509_PURPOSE_set(&s->purpose, purpose); } int SSL_set_purpose(SSL *s, int purpose) { return X509_PURPOSE_set(&s->purpose, purpose); } int SSL_CTX_set_trust(SSL_CTX *s, int trust) { return X509_TRUST_set(&s->trust, trust); } int SSL_set_trust(SSL *s, int trust) { return X509_TRUST_set(&s->trust, trust); } void SSL_free(SSL *s) { int i; if(s == NULL) return; i=CRYPTO_add(&s->references,-1,CRYPTO_LOCK_SSL); #ifdef REF_PRINT REF_PRINT("SSL",s); #endif if (i > 0) return; #ifdef REF_CHECK if (i < 0) { fprintf(stderr,"SSL_free, bad reference count\n"); abort(); /* ok */ } #endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); if (s->bbio != NULL) { /* If the buffering BIO is in place, pop it off */ if (s->bbio == s->wbio) { s->wbio=BIO_pop(s->wbio); } BIO_free(s->bbio); s->bbio=NULL; } if (s->rbio != NULL) BIO_free_all(s->rbio); if ((s->wbio != NULL) && (s->wbio != s->rbio)) BIO_free_all(s->wbio); if (s->init_buf != NULL) BUF_MEM_free(s->init_buf); /* add extra stuff */ if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list); if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id); /* Make the next call work :-) */ if (s->session != NULL) { ssl_clear_bad_session(s); SSL_SESSION_free(s->session); } ssl_clear_cipher_ctx(s); if (s->cert != NULL) ssl_cert_free(s->cert); /* Free up if allocated */ if (s->ctx) SSL_CTX_free(s->ctx); if (s->client_CA != NULL) sk_X509_NAME_pop_free(s->client_CA,X509_NAME_free); if (s->method != NULL) s->method->ssl_free(s); #ifndef OPENSSL_NO_KRB5 if (s->kssl_ctx != NULL) kssl_ctx_free(s->kssl_ctx); #endif /* OPENSSL_NO_KRB5 */ OPENSSL_free(s); } void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio) { /* If the output buffering BIO is still in place, remove it */ if (s->bbio != NULL) { if (s->wbio == s->bbio) { s->wbio=s->wbio->next_bio; s->bbio->next_bio=NULL; } } if ((s->rbio != NULL) && (s->rbio != rbio)) BIO_free_all(s->rbio); if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio)) BIO_free_all(s->wbio); s->rbio=rbio; s->wbio=wbio; } BIO *SSL_get_rbio(SSL *s) { return(s->rbio); } BIO *SSL_get_wbio(SSL *s) { return(s->wbio); } int SSL_get_fd(SSL *s) { return(SSL_get_rfd(s)); } int SSL_get_rfd(SSL *s) { int ret= -1; BIO *b,*r; b=SSL_get_rbio(s); r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); if (r != NULL) BIO_get_fd(r,&ret); return(ret); } int SSL_get_wfd(SSL *s) { int ret= -1; BIO *b,*r; b=SSL_get_wbio(s); r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); if (r != NULL) BIO_get_fd(r,&ret); return(ret); } #ifndef OPENSSL_NO_SOCK int SSL_set_fd(SSL *s,int fd) { int ret=0; BIO *bio=NULL; bio=BIO_new(BIO_s_socket()); if (bio == NULL) { SSLerr(SSL_F_SSL_SET_FD,ERR_R_BUF_LIB); goto err; } BIO_set_fd(bio,fd,BIO_NOCLOSE); SSL_set_bio(s,bio,bio); ret=1; err: return(ret); } int SSL_set_wfd(SSL *s,int fd) { int ret=0; BIO *bio=NULL; if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET) || ((int)BIO_get_fd(s->rbio,NULL) != fd)) { bio=BIO_new(BIO_s_socket()); if (bio == NULL) { SSLerr(SSL_F_SSL_SET_WFD,ERR_R_BUF_LIB); goto err; } BIO_set_fd(bio,fd,BIO_NOCLOSE); SSL_set_bio(s,SSL_get_rbio(s),bio); } else SSL_set_bio(s,SSL_get_rbio(s),SSL_get_rbio(s)); ret=1; err: return(ret); } int SSL_set_rfd(SSL *s,int fd) { int ret=0; BIO *bio=NULL; if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET) || ((int)BIO_get_fd(s->wbio,NULL) != fd)) { bio=BIO_new(BIO_s_socket()); if (bio == NULL) { SSLerr(SSL_F_SSL_SET_RFD,ERR_R_BUF_LIB); goto err; } BIO_set_fd(bio,fd,BIO_NOCLOSE); SSL_set_bio(s,bio,SSL_get_wbio(s)); } else SSL_set_bio(s,SSL_get_wbio(s),SSL_get_wbio(s)); ret=1; err: return(ret); } #endif /* return length of latest Finished message we sent, copy to 'buf' */ size_t SSL_get_finished(SSL *s, void *buf, size_t count) { size_t ret = 0; if (s->s3 != NULL) { ret = s->s3->tmp.finish_md_len; if (count > ret) count = ret; memcpy(buf, s->s3->tmp.finish_md, count); } return ret; } /* return length of latest Finished message we expected, copy to 'buf' */ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count) { size_t ret = 0; if (s->s3 != NULL) { ret = s->s3->tmp.peer_finish_md_len; if (count > ret) count = ret; memcpy(buf, s->s3->tmp.peer_finish_md, count); } return ret; } int SSL_get_verify_mode(SSL *s) { return(s->verify_mode); } int SSL_get_verify_depth(SSL *s) { return(s->verify_depth); } int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *) { return(s->verify_callback); } int SSL_CTX_get_verify_mode(SSL_CTX *ctx) { return(ctx->verify_mode); } int SSL_CTX_get_verify_depth(SSL_CTX *ctx) { return(ctx->verify_depth); } int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *) { return(ctx->default_verify_callback); } void SSL_set_verify(SSL *s,int mode, int (*callback)(int ok,X509_STORE_CTX *ctx)) { s->verify_mode=mode; if (callback != NULL) s->verify_callback=callback; } void SSL_set_verify_depth(SSL *s,int depth) { s->verify_depth=depth; } void SSL_set_read_ahead(SSL *s,int yes) { s->read_ahead=yes; } int SSL_get_read_ahead(SSL *s) { return(s->read_ahead); } int SSL_pending(SSL *s) { /* SSL_pending cannot work properly if read-ahead is enabled * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), * and it is impossible to fix since SSL_pending cannot report * errors that may be observed while scanning the new data. * (Note that SSL_pending() is often used as a boolean value, * so we'd better not return -1.) */ return(s->method->ssl_pending(s)); } X509 *SSL_get_peer_certificate(SSL *s) { X509 *r; if ((s == NULL) || (s->session == NULL)) r=NULL; else r=s->session->peer; if (r == NULL) return(r); CRYPTO_add(&r->references,1,CRYPTO_LOCK_X509); return(r); } STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s) { STACK_OF(X509) *r; if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL)) r=NULL; else r=s->session->sess_cert->cert_chain; /* If we are a client, cert_chain includes the peer's own * certificate; if we are a server, it does not. */ return(r); } /* Now in theory, since the calling process own 't' it should be safe to * modify. We need to be able to read f without being hassled */ void SSL_copy_session_id(SSL *t,SSL *f) { CERT *tmp; /* Do we need to to SSL locking? */ SSL_set_session(t,SSL_get_session(f)); /* what if we are setup as SSLv2 but want to talk SSLv3 or * vice-versa */ if (t->method != f->method) { t->method->ssl_free(t); /* cleanup current */ t->method=f->method; /* change method */ t->method->ssl_new(t); /* setup new */ } tmp=t->cert; if (f->cert != NULL) { CRYPTO_add(&f->cert->references,1,CRYPTO_LOCK_SSL_CERT); t->cert=f->cert; } else t->cert=NULL; if (tmp != NULL) ssl_cert_free(tmp); SSL_set_session_id_context(t,f->sid_ctx,f->sid_ctx_length); } /* Fix this so it checks all the valid key/cert options */ int SSL_CTX_check_private_key(SSL_CTX *ctx) { if ( (ctx == NULL) || (ctx->cert == NULL) || (ctx->cert->key->x509 == NULL)) { SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); return(0); } if (ctx->cert->key->privatekey == NULL) { SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); return(0); } return(X509_check_private_key(ctx->cert->key->x509, ctx->cert->key->privatekey)); } /* Fix this function so that it takes an optional type parameter */ int SSL_check_private_key(SSL *ssl) { if (ssl == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,ERR_R_PASSED_NULL_PARAMETER); return(0); } if (ssl->cert == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); return 0; } if (ssl->cert->key->x509 == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED); return(0); } if (ssl->cert->key->privatekey == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_PRIVATE_KEY_ASSIGNED); return(0); } return(X509_check_private_key(ssl->cert->key->x509, ssl->cert->key->privatekey)); } int SSL_accept(SSL *s) { if (s->handshake_func == 0) /* Not properly initialized yet */ SSL_set_accept_state(s); return(s->method->ssl_accept(s)); } int SSL_connect(SSL *s) { if (s->handshake_func == 0) /* Not properly initialized yet */ SSL_set_connect_state(s); return(s->method->ssl_connect(s)); } long SSL_get_default_timeout(SSL *s) { return(s->method->get_timeout()); } int SSL_read(SSL *s,void *buf,int num) { if (s->handshake_func == 0) { SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); return -1; } if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { s->rwstate=SSL_NOTHING; return(0); } return(s->method->ssl_read(s,buf,num)); } int SSL_peek(SSL *s,void *buf,int num) { if (s->handshake_func == 0) { SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); return -1; } if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { return(0); } return(s->method->ssl_peek(s,buf,num)); } int SSL_write(SSL *s,const void *buf,int num) { if (s->handshake_func == 0) { SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); return -1; } if (s->shutdown & SSL_SENT_SHUTDOWN) { s->rwstate=SSL_NOTHING; SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN); return(-1); } return(s->method->ssl_write(s,buf,num)); } int SSL_shutdown(SSL *s) { /* Note that this function behaves differently from what one might * expect. Return values are 0 for no success (yet), * 1 for success; but calling it once is usually not enough, * even if blocking I/O is used (see ssl3_shutdown). */ if (s->handshake_func == 0) { SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); return -1; } if ((s != NULL) && !SSL_in_init(s)) return(s->method->ssl_shutdown(s)); else return(1); } int SSL_renegotiate(SSL *s) { if (s->new_session == 0) { s->new_session=1; } return(s->method->ssl_renegotiate(s)); } int SSL_renegotiate_pending(SSL *s) { /* becomes true when negotiation is requested; * false again once a handshake has finished */ return (s->new_session != 0); } long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) { long l; switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: return(s->read_ahead); case SSL_CTRL_SET_READ_AHEAD: l=s->read_ahead; s->read_ahead=larg; return(l); case SSL_CTRL_SET_MSG_CALLBACK_ARG: s->msg_callback_arg = parg; return 1; case SSL_CTRL_OPTIONS: return(s->options|=larg); case SSL_CTRL_MODE: return(s->mode|=larg); case SSL_CTRL_GET_MAX_CERT_LIST: return(s->max_cert_list); case SSL_CTRL_SET_MAX_CERT_LIST: l=s->max_cert_list; s->max_cert_list=larg; return(l); default: return(s->method->ssl_ctrl(s,cmd,larg,parg)); } } long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)()) { switch(cmd) { case SSL_CTRL_SET_MSG_CALLBACK: s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); return 1; default: return(s->method->ssl_callback_ctrl(s,cmd,fp)); } } struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx) { return ctx->sessions; } long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg) { long l; switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: return(ctx->read_ahead); case SSL_CTRL_SET_READ_AHEAD: l=ctx->read_ahead; ctx->read_ahead=larg; return(l); case SSL_CTRL_SET_MSG_CALLBACK_ARG: ctx->msg_callback_arg = parg; return 1; case SSL_CTRL_GET_MAX_CERT_LIST: return(ctx->max_cert_list); case SSL_CTRL_SET_MAX_CERT_LIST: l=ctx->max_cert_list; ctx->max_cert_list=larg; return(l); case SSL_CTRL_SET_SESS_CACHE_SIZE: l=ctx->session_cache_size; ctx->session_cache_size=larg; return(l); case SSL_CTRL_GET_SESS_CACHE_SIZE: return(ctx->session_cache_size); case SSL_CTRL_SET_SESS_CACHE_MODE: l=ctx->session_cache_mode; ctx->session_cache_mode=larg; return(l); case SSL_CTRL_GET_SESS_CACHE_MODE: return(ctx->session_cache_mode); case SSL_CTRL_SESS_NUMBER: return(ctx->sessions->num_items); case SSL_CTRL_SESS_CONNECT: return(ctx->stats.sess_connect); case SSL_CTRL_SESS_CONNECT_GOOD: return(ctx->stats.sess_connect_good); case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: return(ctx->stats.sess_connect_renegotiate); case SSL_CTRL_SESS_ACCEPT: return(ctx->stats.sess_accept); case SSL_CTRL_SESS_ACCEPT_GOOD: return(ctx->stats.sess_accept_good); case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: return(ctx->stats.sess_accept_renegotiate); case SSL_CTRL_SESS_HIT: return(ctx->stats.sess_hit); case SSL_CTRL_SESS_CB_HIT: return(ctx->stats.sess_cb_hit); case SSL_CTRL_SESS_MISSES: return(ctx->stats.sess_miss); case SSL_CTRL_SESS_TIMEOUTS: return(ctx->stats.sess_timeout); case SSL_CTRL_SESS_CACHE_FULL: return(ctx->stats.sess_cache_full); case SSL_CTRL_OPTIONS: return(ctx->options|=larg); case SSL_CTRL_MODE: return(ctx->mode|=larg); default: return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); } } long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) { switch(cmd) { case SSL_CTRL_SET_MSG_CALLBACK: ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); return 1; default: return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp)); } } int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) { long l; l=a->id-b->id; if (l == 0L) return(0); else return((l > 0)?1:-1); } int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, const SSL_CIPHER * const *bp) { long l; l=(*ap)->id-(*bp)->id; if (l == 0L) return(0); else return((l > 0)?1:-1); } /** return a STACK of the ciphers available for the SSL and in order of * preference */ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s) { if (s != NULL) { if (s->cipher_list != NULL) { return(s->cipher_list); } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) { return(s->ctx->cipher_list); } } return(NULL); } /** return a STACK of the ciphers available for the SSL and in order of * algorithm id */ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) { if (s != NULL) { if (s->cipher_list_by_id != NULL) { return(s->cipher_list_by_id); } else if ((s->ctx != NULL) && (s->ctx->cipher_list_by_id != NULL)) { return(s->ctx->cipher_list_by_id); } } return(NULL); } /** The old interface to get the same thing as SSL_get_ciphers() */ const char *SSL_get_cipher_list(SSL *s,int n) { SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk; if (s == NULL) return(NULL); sk=SSL_get_ciphers(s); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) return(NULL); c=sk_SSL_CIPHER_value(sk,n); if (c == NULL) return(NULL); return(c->name); } /** specify the ciphers to be used by default by the SSL_CTX */ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) { STACK_OF(SSL_CIPHER) *sk; sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list, &ctx->cipher_list_by_id,str); /* XXXX */ return((sk == NULL)?0:1); } /** specify the ciphers to be used by the SSL */ int SSL_set_cipher_list(SSL *s,const char *str) { STACK_OF(SSL_CIPHER) *sk; sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list, &s->cipher_list_by_id,str); /* XXXX */ return((sk == NULL)?0:1); } /* works well for SSLv2, not so good for SSLv3 */ char *SSL_get_shared_ciphers(SSL *s,char *buf,int len) { char *p; const char *cp; STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; int i; if ((s->session == NULL) || (s->session->ciphers == NULL) || (len < 2)) return(NULL); p=buf; sk=s->session->ciphers; for (i=0; iname; *cp; ) { if (len-- == 0) { *p='\0'; return(buf); } else *(p++)= *(cp++); } *(p++)=':'; } p[-1]='\0'; return(buf); } int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p) { int i,j=0; SSL_CIPHER *c; unsigned char *q; #ifndef OPENSSL_NO_KRB5 int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx); #endif /* OPENSSL_NO_KRB5 */ if (sk == NULL) return(0); q=p; for (i=0; ialgorithms & SSL_KRB5) && nokrb5) continue; #endif /* OPENSSL_NO_KRB5 */ j=ssl_put_cipher_by_char(s,c,p); p+=j; } return(p-q); } STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, STACK_OF(SSL_CIPHER) **skp) { SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk; int i,n; n=ssl_put_cipher_by_char(s,NULL,NULL); if ((num%n) != 0) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); return(NULL); } if ((skp == NULL) || (*skp == NULL)) sk=sk_SSL_CIPHER_new_null(); /* change perhaps later */ else { sk= *skp; sk_SSL_CIPHER_zero(sk); } for (i=0; isession_id[0] )| ((unsigned int) a->session_id[1]<< 8L)| ((unsigned long)a->session_id[2]<<16L)| ((unsigned long)a->session_id[3]<<24L); return(l); } /* NB: If this function (or indeed the hash function which uses a sort of * coarser function than this one) is changed, ensure * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being * able to construct an SSL_SESSION that will collide with any existing session * with a matching session ID. */ int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b) { if (a->ssl_version != b->ssl_version) return(1); if (a->session_id_length != b->session_id_length) return(1); return(memcmp(a->session_id,b->session_id,a->session_id_length)); } /* These wrapper functions should remain rather than redeclaring * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each * variable. The reason is that the functions aren't static, they're exposed via * ssl.h. */ static IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *) static IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *) SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) { SSL_CTX *ret=NULL; if (meth == NULL) { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED); return(NULL); } if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; } ret=(SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX)); if (ret == NULL) goto err; memset(ret,0,sizeof(SSL_CTX)); ret->method=meth; ret->cert_store=NULL; ret->session_cache_mode=SSL_SESS_CACHE_SERVER; ret->session_cache_size=SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; ret->session_cache_head=NULL; ret->session_cache_tail=NULL; /* We take the system default */ ret->session_timeout=meth->get_timeout(); ret->new_session_cb=0; ret->remove_session_cb=0; ret->get_session_cb=0; ret->generate_session_id=0; memset((char *)&ret->stats,0,sizeof(ret->stats)); ret->references=1; ret->quiet_shutdown=0; /* ret->cipher=NULL;*/ /* ret->s2->challenge=NULL; ret->master_key=NULL; ret->key_arg=NULL; ret->s2->conn_id=NULL; */ ret->info_callback=NULL; ret->app_verify_callback=0; ret->app_verify_arg=NULL; ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT; ret->read_ahead=0; ret->msg_callback=0; ret->msg_callback_arg=NULL; ret->verify_mode=SSL_VERIFY_NONE; ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */ ret->sid_ctx_length=0; ret->default_verify_callback=NULL; if ((ret->cert=ssl_cert_new()) == NULL) goto err; ret->default_passwd_callback=0; ret->default_passwd_callback_userdata=NULL; ret->client_cert_cb=0; ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash), LHASH_COMP_FN(SSL_SESSION_cmp)); if (ret->sessions == NULL) goto err; ret->cert_store=X509_STORE_new(); if (ret->cert_store == NULL) goto err; ssl_create_cipher_list(ret->method, &ret->cipher_list,&ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST); if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_LIBRARY_HAS_NO_CIPHERS); goto err2; } if ((ret->rsa_md5=EVP_get_digestbyname("ssl2-md5")) == NULL) { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES); goto err2; } if ((ret->md5=EVP_get_digestbyname("ssl3-md5")) == NULL) { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); goto err2; } if ((ret->sha1=EVP_get_digestbyname("ssl3-sha1")) == NULL) { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); goto err2; } if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL) goto err; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); ret->extra_certs=NULL; ret->comp_methods=SSL_COMP_get_compression_methods(); return(ret); err: SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE); err2: if (ret != NULL) SSL_CTX_free(ret); return(NULL); } #if 0 static void SSL_COMP_free(SSL_COMP *comp) { OPENSSL_free(comp); } #endif void SSL_CTX_free(SSL_CTX *a) { int i; if (a == NULL) return; i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_SSL_CTX); #ifdef REF_PRINT REF_PRINT("SSL_CTX",a); #endif if (i > 0) return; #ifdef REF_CHECK if (i < 0) { fprintf(stderr,"SSL_CTX_free, bad reference count\n"); abort(); /* ok */ } #endif /* * Free internal session cache. However: the remove_cb() may reference * the ex_data of SSL_CTX, thus the ex_data store can only be removed * after the sessions were flushed. * As the ex_data handling routines might also touch the session cache, * the most secure solution seems to be: empty (flush) the cache, then * free ex_data, then finally free the cache. * (See ticket [openssl.org #212].) */ if (a->sessions != NULL) SSL_CTX_flush_sessions(a,0); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); if (a->sessions != NULL) lh_free(a->sessions); if (a->cert_store != NULL) X509_STORE_free(a->cert_store); if (a->cipher_list != NULL) sk_SSL_CIPHER_free(a->cipher_list); if (a->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(a->cipher_list_by_id); if (a->cert != NULL) ssl_cert_free(a->cert); if (a->client_CA != NULL) sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free); if (a->extra_certs != NULL) sk_X509_pop_free(a->extra_certs,X509_free); #if 0 /* This should never be done, since it removes a global database */ if (a->comp_methods != NULL) sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free); #else a->comp_methods = NULL; #endif OPENSSL_free(a); } void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) { ctx->default_passwd_callback=cb; } void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u) { ctx->default_passwd_callback_userdata=u; } void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg) { ctx->app_verify_callback=cb; ctx->app_verify_arg=arg; } void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) { ctx->verify_mode=mode; ctx->default_verify_callback=cb; } void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth) { ctx->verify_depth=depth; } void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher) { CERT_PKEY *cpk; int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign; int rsa_enc_export,dh_rsa_export,dh_dsa_export; int rsa_tmp_export,dh_tmp_export,kl; unsigned long mask,emask; if (c == NULL) return; kl=SSL_C_EXPORT_PKEYLENGTH(cipher); #ifndef OPENSSL_NO_RSA rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); rsa_tmp_export=(c->rsa_tmp_cb != NULL || (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); #else rsa_tmp=rsa_tmp_export=0; #endif #ifndef OPENSSL_NO_DH dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); dh_tmp_export=(c->dh_tmp_cb != NULL || (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); #else dh_tmp=dh_tmp_export=0; #endif cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL); rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]); rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]); dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); cpk= &(c->pkeys[SSL_PKEY_DH_RSA]); dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL); dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); cpk= &(c->pkeys[SSL_PKEY_DH_DSA]); /* FIX THIS EAY EAY EAY */ dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL); dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); mask=0; emask=0; #ifdef CIPHER_DEBUG printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", rsa_tmp,rsa_tmp_export,dh_tmp, rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa); #endif if (rsa_enc || (rsa_tmp && rsa_sign)) mask|=SSL_kRSA; if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc))) emask|=SSL_kRSA; #if 0 /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */ if ( (dh_tmp || dh_rsa || dh_dsa) && (rsa_enc || rsa_sign || dsa_sign)) mask|=SSL_kEDH; if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) && (rsa_enc || rsa_sign || dsa_sign)) emask|=SSL_kEDH; #endif if (dh_tmp_export) emask|=SSL_kEDH; if (dh_tmp) mask|=SSL_kEDH; if (dh_rsa) mask|=SSL_kDHr; if (dh_rsa_export) emask|=SSL_kDHr; if (dh_dsa) mask|=SSL_kDHd; if (dh_dsa_export) emask|=SSL_kDHd; if (rsa_enc || rsa_sign) { mask|=SSL_aRSA; emask|=SSL_aRSA; } if (dsa_sign) { mask|=SSL_aDSS; emask|=SSL_aDSS; } mask|=SSL_aNULL; emask|=SSL_aNULL; #ifndef OPENSSL_NO_KRB5 mask|=SSL_kKRB5|SSL_aKRB5; emask|=SSL_kKRB5|SSL_aKRB5; #endif c->mask=mask; c->export_mask=emask; c->valid=1; } /* THIS NEEDS CLEANING UP */ X509 *ssl_get_server_send_cert(SSL *s) { unsigned long alg,mask,kalg; CERT *c; int i,is_export; c=s->cert; ssl_set_cert_masks(c, s->s3->tmp.new_cipher); alg=s->s3->tmp.new_cipher->algorithms; is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); mask=is_export?c->export_mask:c->mask; kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK); if (kalg & SSL_kDHr) i=SSL_PKEY_DH_RSA; else if (kalg & SSL_kDHd) i=SSL_PKEY_DH_DSA; else if (kalg & SSL_aDSS) i=SSL_PKEY_DSA_SIGN; else if (kalg & SSL_aRSA) { if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) i=SSL_PKEY_RSA_SIGN; else i=SSL_PKEY_RSA_ENC; } else if (kalg & SSL_aKRB5) { /* VRS something else here? */ return(NULL); } else /* if (kalg & SSL_aNULL) */ { SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); return(NULL); } if (c->pkeys[i].x509 == NULL) return(NULL); return(c->pkeys[i].x509); } EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher) { unsigned long alg; CERT *c; alg=cipher->algorithms; c=s->cert; if ((alg & SSL_aDSS) && (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey); else if (alg & SSL_aRSA) { if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey); else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey); else return(NULL); } else /* if (alg & SSL_aNULL) */ { SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR); return(NULL); } } void ssl_update_cache(SSL *s,int mode) { int i; /* If the session_id_length is 0, we are not supposed to cache it, * and it would be rather hard to do anyway :-) */ if (s->session->session_id_length == 0) return; i=s->ctx->session_cache_mode; if ((i & mode) && (!s->hit) && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) || SSL_CTX_add_session(s->ctx,s->session)) && (s->ctx->new_session_cb != NULL)) { CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION); if (!s->ctx->new_session_cb(s,s->session)) SSL_SESSION_free(s->session); } /* auto flush every 255 connections */ if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) { if ( (((mode & SSL_SESS_CACHE_CLIENT) ?s->ctx->stats.sess_connect_good :s->ctx->stats.sess_accept_good) & 0xff) == 0xff) { SSL_CTX_flush_sessions(s->ctx,time(NULL)); } } } SSL_METHOD *SSL_get_ssl_method(SSL *s) { return(s->method); } int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth) { int conn= -1; int ret=1; if (s->method != meth) { if (s->handshake_func != NULL) conn=(s->handshake_func == s->method->ssl_connect); if (s->method->version == meth->version) s->method=meth; else { s->method->ssl_free(s); s->method=meth; ret=s->method->ssl_new(s); } if (conn == 1) s->handshake_func=meth->ssl_connect; else if (conn == 0) s->handshake_func=meth->ssl_accept; } return(ret); } int SSL_get_error(SSL *s,int i) { int reason; unsigned long l; BIO *bio; if (i > 0) return(SSL_ERROR_NONE); /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake * etc, where we do encode the error */ if ((l=ERR_peek_error()) != 0) { if (ERR_GET_LIB(l) == ERR_LIB_SYS) return(SSL_ERROR_SYSCALL); else return(SSL_ERROR_SSL); } if ((i < 0) && SSL_want_read(s)) { bio=SSL_get_rbio(s); if (BIO_should_read(bio)) return(SSL_ERROR_WANT_READ); else if (BIO_should_write(bio)) /* This one doesn't make too much sense ... We never try * to write to the rbio, and an application program where * rbio and wbio are separate couldn't even know what it * should wait for. * However if we ever set s->rwstate incorrectly * (so that we have SSL_want_read(s) instead of * SSL_want_write(s)) and rbio and wbio *are* the same, * this test works around that bug; so it might be safer * to keep it. */ return(SSL_ERROR_WANT_WRITE); else if (BIO_should_io_special(bio)) { reason=BIO_get_retry_reason(bio); if (reason == BIO_RR_CONNECT) return(SSL_ERROR_WANT_CONNECT); else if (reason == BIO_RR_ACCEPT) return(SSL_ERROR_WANT_ACCEPT); else return(SSL_ERROR_SYSCALL); /* unknown */ } } if ((i < 0) && SSL_want_write(s)) { bio=SSL_get_wbio(s); if (BIO_should_write(bio)) return(SSL_ERROR_WANT_WRITE); else if (BIO_should_read(bio)) /* See above (SSL_want_read(s) with BIO_should_write(bio)) */ return(SSL_ERROR_WANT_READ); else if (BIO_should_io_special(bio)) { reason=BIO_get_retry_reason(bio); if (reason == BIO_RR_CONNECT) return(SSL_ERROR_WANT_CONNECT); else if (reason == BIO_RR_ACCEPT) return(SSL_ERROR_WANT_ACCEPT); else return(SSL_ERROR_SYSCALL); } } if ((i < 0) && SSL_want_x509_lookup(s)) { return(SSL_ERROR_WANT_X509_LOOKUP); } if (i == 0) { if (s->version == SSL2_VERSION) { /* assume it is the socket being closed */ return(SSL_ERROR_ZERO_RETURN); } else { if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) return(SSL_ERROR_ZERO_RETURN); } } return(SSL_ERROR_SYSCALL); } int SSL_do_handshake(SSL *s) { int ret=1; if (s->handshake_func == NULL) { SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET); return(-1); } s->method->ssl_renegotiate_check(s); if (SSL_in_init(s) || SSL_in_before(s)) { ret=s->handshake_func(s); } return(ret); } /* For the next 2 functions, SSL_clear() sets shutdown and so * one of these calls will reset it */ void SSL_set_accept_state(SSL *s) { s->server=1; s->shutdown=0; s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE; s->handshake_func=s->method->ssl_accept; /* clear the current cipher */ ssl_clear_cipher_ctx(s); } void SSL_set_connect_state(SSL *s) { s->server=0; s->shutdown=0; s->state=SSL_ST_CONNECT|SSL_ST_BEFORE; s->handshake_func=s->method->ssl_connect; /* clear the current cipher */ ssl_clear_cipher_ctx(s); } int ssl_undefined_function(SSL *s) { SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(0); } SSL_METHOD *ssl_bad_method(int ver) { SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return(NULL); } const char *SSL_get_version(SSL *s) { if (s->version == TLS1_VERSION) return("TLSv1"); else if (s->version == SSL3_VERSION) return("SSLv3"); else if (s->version == SSL2_VERSION) return("SSLv2"); else return("unknown"); } SSL *SSL_dup(SSL *s) { STACK_OF(X509_NAME) *sk; X509_NAME *xn; SSL *ret; int i; if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL) return(NULL); ret->version = s->version; ret->type = s->type; ret->method = s->method; if (s->session != NULL) { /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */ SSL_copy_session_id(ret,s); } else { /* No session has been established yet, so we have to expect * that s->cert or ret->cert will be changed later -- * they should not both point to the same object, * and thus we can't use SSL_copy_session_id. */ ret->method->ssl_free(ret); ret->method = s->method; ret->method->ssl_new(ret); if (s->cert != NULL) { if (ret->cert != NULL) { ssl_cert_free(ret->cert); } ret->cert = ssl_cert_dup(s->cert); if (ret->cert == NULL) goto err; } SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length); } ret->options=s->options; ret->mode=s->mode; SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s)); SSL_set_read_ahead(ret,SSL_get_read_ahead(s)); ret->msg_callback = s->msg_callback; ret->msg_callback_arg = s->msg_callback_arg; SSL_set_verify(ret,SSL_get_verify_mode(s), SSL_get_verify_callback(s)); SSL_set_verify_depth(ret,SSL_get_verify_depth(s)); ret->generate_session_id = s->generate_session_id; SSL_set_info_callback(ret,SSL_get_info_callback(s)); ret->debug=s->debug; /* copy app data, a little dangerous perhaps */ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) goto err; /* setup rbio, and wbio */ if (s->rbio != NULL) { if (!BIO_dup_state(s->rbio,(char *)&ret->rbio)) goto err; } if (s->wbio != NULL) { if (s->wbio != s->rbio) { if (!BIO_dup_state(s->wbio,(char *)&ret->wbio)) goto err; } else ret->wbio=ret->rbio; } ret->rwstate = s->rwstate; ret->in_handshake = s->in_handshake; ret->handshake_func = s->handshake_func; ret->server = s->server; ret->new_session = s->new_session; ret->quiet_shutdown = s->quiet_shutdown; ret->shutdown=s->shutdown; ret->state=s->state; /* SSL_dup does not really work at any state, though */ ret->rstate=s->rstate; ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */ ret->hit=s->hit; ret->purpose=s->purpose; ret->trust=s->trust; /* dup the cipher_list and cipher_list_by_id stacks */ if (s->cipher_list != NULL) { if ((ret->cipher_list=sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) goto err; } if (s->cipher_list_by_id != NULL) if ((ret->cipher_list_by_id=sk_SSL_CIPHER_dup(s->cipher_list_by_id)) == NULL) goto err; /* Dup the client_CA list */ if (s->client_CA != NULL) { if ((sk=sk_X509_NAME_dup(s->client_CA)) == NULL) goto err; ret->client_CA=sk; for (i=0; ienc_read_ctx != NULL) { EVP_CIPHER_CTX_cleanup(s->enc_read_ctx); OPENSSL_free(s->enc_read_ctx); s->enc_read_ctx=NULL; } if (s->enc_write_ctx != NULL) { EVP_CIPHER_CTX_cleanup(s->enc_write_ctx); OPENSSL_free(s->enc_write_ctx); s->enc_write_ctx=NULL; } if (s->expand != NULL) { COMP_CTX_free(s->expand); s->expand=NULL; } if (s->compress != NULL) { COMP_CTX_free(s->compress); s->compress=NULL; } } /* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(SSL *s) { if (s->cert != NULL) return(s->cert->key->x509); else return(NULL); } /* Fix this function so that it takes an optional type parameter */ EVP_PKEY *SSL_get_privatekey(SSL *s) { if (s->cert != NULL) return(s->cert->key->privatekey); else return(NULL); } SSL_CIPHER *SSL_get_current_cipher(SSL *s) { if ((s->session != NULL) && (s->session->cipher != NULL)) return(s->session->cipher); return(NULL); } int ssl_init_wbio_buffer(SSL *s,int push) { BIO *bbio; if (s->bbio == NULL) { bbio=BIO_new(BIO_f_buffer()); if (bbio == NULL) return(0); s->bbio=bbio; } else { bbio=s->bbio; if (s->bbio == s->wbio) s->wbio=BIO_pop(s->wbio); } (void)BIO_reset(bbio); /* if (!BIO_set_write_buffer_size(bbio,16*1024)) */ if (!BIO_set_read_buffer_size(bbio,1)) { SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER,ERR_R_BUF_LIB); return(0); } if (push) { if (s->wbio != bbio) s->wbio=BIO_push(bbio,s->wbio); } else { if (s->wbio == bbio) s->wbio=BIO_pop(bbio); } return(1); } void ssl_free_wbio_buffer(SSL *s) { if (s->bbio == NULL) return; if (s->bbio == s->wbio) { /* remove buffering */ s->wbio=BIO_pop(s->wbio); #ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */ assert(s->wbio != NULL); #endif } BIO_free(s->bbio); s->bbio=NULL; } void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode) { ctx->quiet_shutdown=mode; } int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx) { return(ctx->quiet_shutdown); } void SSL_set_quiet_shutdown(SSL *s,int mode) { s->quiet_shutdown=mode; } int SSL_get_quiet_shutdown(SSL *s) { return(s->quiet_shutdown); } void SSL_set_shutdown(SSL *s,int mode) { s->shutdown=mode; } int SSL_get_shutdown(SSL *s) { return(s->shutdown); } int SSL_version(SSL *s) { return(s->version); } SSL_CTX *SSL_get_SSL_CTX(SSL *ssl) { return(ssl->ctx); } #ifndef OPENSSL_NO_STDIO int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) { return(X509_STORE_set_default_paths(ctx->cert_store)); } int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath) { return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath)); } #endif void SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl,int type,int val)) { ssl->info_callback=cb; } void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val) { return ssl->info_callback; } int SSL_state(SSL *ssl) { return(ssl->state); } void SSL_set_verify_result(SSL *ssl,long arg) { ssl->verify_result=arg; } long SSL_get_verify_result(SSL *ssl) { return(ssl->verify_result); } int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) { return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, new_func, dup_func, free_func); } int SSL_set_ex_data(SSL *s,int idx,void *arg) { return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); } void *SSL_get_ex_data(SSL *s,int idx) { return(CRYPTO_get_ex_data(&s->ex_data,idx)); } int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) { return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp, new_func, dup_func, free_func); } int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg) { return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); } void *SSL_CTX_get_ex_data(SSL_CTX *s,int idx) { return(CRYPTO_get_ex_data(&s->ex_data,idx)); } int ssl_ok(SSL *s) { return(1); } X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx) { return(ctx->cert_store); } void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store) { if (ctx->cert_store != NULL) X509_STORE_free(ctx->cert_store); ctx->cert_store=store; } int SSL_want(SSL *s) { return(s->rwstate); } /*! * \brief Set the callback for generating temporary RSA keys. * \param ctx the SSL context. * \param cb the callback */ #ifndef OPENSSL_NO_RSA void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl, int is_export, int keylength)) { SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb); } void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl, int is_export, int keylength)) { SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb); } #endif #ifdef DOXYGEN /*! * \brief The RSA temporary key callback function. * \param ssl the SSL session. * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite. * \param keylength if \c is_export is \c TRUE, then \c keylength is the size * of the required key in bits. * \return the temporary RSA key. * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback */ RSA *cb(SSL *ssl,int is_export,int keylength) {} #endif /*! * \brief Set the callback for generating temporary DH keys. * \param ctx the SSL context. * \param dh the callback */ #ifndef OPENSSL_NO_DH void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export, int keylength)) { SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh); } void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export, int keylength)) { SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh); } #endif void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) { SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb); } void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) { SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb); } #if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16) #include "../crypto/bio/bss_file.c" #endif IMPLEMENT_STACK_OF(SSL_CIPHER) IMPLEMENT_STACK_OF(SSL_COMP) diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c index fabcdefa6ed6..7016c87d3b2d 100644 --- a/crypto/openssl/ssl/ssl_sess.c +++ b/crypto/openssl/ssl/ssl_sess.c @@ -1,755 +1,754 @@ /* ssl/ssl_sess.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include "ssl_locl.h" -#include "cryptlib.h" static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s); static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck); SSL_SESSION *SSL_get_session(SSL *ssl) /* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */ { return(ssl->session); } SSL_SESSION *SSL_get1_session(SSL *ssl) /* variant of SSL_get_session: caller really gets something */ { SSL_SESSION *sess; /* Need to lock this all up rather than just use CRYPTO_add so that * somebody doesn't free ssl->session between when we check it's * non-null and when we up the reference count. */ CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION); sess = ssl->session; if(sess) sess->references++; CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION); return(sess); } int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) { return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp, new_func, dup_func, free_func); } int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg) { return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); } void *SSL_SESSION_get_ex_data(SSL_SESSION *s, int idx) { return(CRYPTO_get_ex_data(&s->ex_data,idx)); } SSL_SESSION *SSL_SESSION_new(void) { SSL_SESSION *ss; ss=(SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION)); if (ss == NULL) { SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE); return(0); } memset(ss,0,sizeof(SSL_SESSION)); ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ ss->references=1; ss->timeout=60*5+4; /* 5 minute timeout by default */ ss->time=time(NULL); ss->prev=NULL; ss->next=NULL; ss->compress_meth=0; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); return(ss); } /* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1 * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly * until we have no conflict is going to complete in one iteration pretty much * "most" of the time (btw: understatement). So, if it takes us 10 iterations * and we still can't avoid a conflict - well that's a reasonable point to call * it quits. Either the RAND code is broken or someone is trying to open roughly * very close to 2^128 (or 2^256) SSL sessions to our server. How you might * store that many sessions is perhaps a more interesting question ... */ #define MAX_SESS_ID_ATTEMPTS 10 static int def_generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len) { unsigned int retry = 0; do RAND_pseudo_bytes(id, *id_len); while(SSL_has_matching_session_id(ssl, id, *id_len) && (++retry < MAX_SESS_ID_ATTEMPTS)); if(retry < MAX_SESS_ID_ATTEMPTS) return 1; /* else - woops a session_id match */ /* XXX We should also check the external cache -- * but the probability of a collision is negligible, and * we could not prevent the concurrent creation of sessions * with identical IDs since we currently don't have means * to atomically check whether a session ID already exists * and make a reservation for it if it does not * (this problem applies to the internal cache as well). */ return 0; } int ssl_get_new_session(SSL *s, int session) { /* This gets used by clients and servers. */ unsigned int tmp; SSL_SESSION *ss=NULL; GEN_SESSION_CB cb = def_generate_session_id; if ((ss=SSL_SESSION_new()) == NULL) return(0); /* If the context has a default timeout, use it */ if (s->ctx->session_timeout == 0) ss->timeout=SSL_get_default_timeout(s); else ss->timeout=s->ctx->session_timeout; if (s->session != NULL) { SSL_SESSION_free(s->session); s->session=NULL; } if (session) { if (s->version == SSL2_VERSION) { ss->ssl_version=SSL2_VERSION; ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH; } else if (s->version == SSL3_VERSION) { ss->ssl_version=SSL3_VERSION; ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH; } else if (s->version == TLS1_VERSION) { ss->ssl_version=TLS1_VERSION; ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH; } else { SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION); SSL_SESSION_free(ss); return(0); } /* Choose which callback will set the session ID */ CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); if(s->generate_session_id) cb = s->generate_session_id; else if(s->ctx->generate_session_id) cb = s->ctx->generate_session_id; CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); /* Choose a session ID */ tmp = ss->session_id_length; if(!cb(s, ss->session_id, &tmp)) { /* The callback failed */ SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_SSL_SESSION_ID_CALLBACK_FAILED); SSL_SESSION_free(ss); return(0); } /* Don't allow the callback to set the session length to zero. * nor set it higher than it was. */ if(!tmp || (tmp > ss->session_id_length)) { /* The callback set an illegal length */ SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH); SSL_SESSION_free(ss); return(0); } /* If the session length was shrunk and we're SSLv2, pad it */ if((tmp < ss->session_id_length) && (s->version == SSL2_VERSION)) memset(ss->session_id + tmp, 0, ss->session_id_length - tmp); else ss->session_id_length = tmp; /* Finally, check for a conflict */ if(SSL_has_matching_session_id(s, ss->session_id, ss->session_id_length)) { SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_SSL_SESSION_ID_CONFLICT); SSL_SESSION_free(ss); return(0); } } else { ss->session_id_length=0; } if (s->sid_ctx_length > sizeof ss->sid_ctx) { SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR); SSL_SESSION_free(ss); return 0; } memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length); ss->sid_ctx_length=s->sid_ctx_length; s->session=ss; ss->ssl_version=s->version; ss->verify_result = X509_V_OK; return(1); } int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len) { /* This is used only by servers. */ SSL_SESSION *ret=NULL,data; int fatal = 0; data.ssl_version=s->version; data.session_id_length=len; if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; memcpy(data.session_id,session_id,len); if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) { CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data); if (ret != NULL) /* don't allow other threads to steal it: */ CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); } if (ret == NULL) { int copy=1; s->ctx->stats.sess_miss++; ret=NULL; if (s->ctx->get_session_cb != NULL && (ret=s->ctx->get_session_cb(s,session_id,len,©)) != NULL) { s->ctx->stats.sess_cb_hit++; /* Increment reference count now if the session callback * asks us to do so (note that if the session structures * returned by the callback are shared between threads, * it must handle the reference count itself [i.e. copy == 0], * or things won't be thread-safe). */ if (copy) CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); /* Add the externally cached session to the internal * cache as well if and only if we are supposed to. */ if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE)) /* The following should not return 1, otherwise, * things are very strange */ SSL_CTX_add_session(s->ctx,ret); } if (ret == NULL) goto err; } /* Now ret is non-NULL, and we own one of its reference counts. */ if((s->verify_mode&SSL_VERIFY_PEER) && (!s->sid_ctx_length || ret->sid_ctx_length != s->sid_ctx_length || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))) { /* We've found the session named by the client, but we don't * want to use it in this context. */ if (s->sid_ctx_length == 0) { /* application should have used SSL[_CTX]_set_session_id_context * -- we could tolerate this and just pretend we never heard * of this session, but then applications could effectively * disable the session cache by accident without anyone noticing */ SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED); fatal = 1; goto err; } else { #if 0 /* The client cannot always know when a session is not appropriate, * so we shouldn't generate an error message. */ SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); #endif goto err; /* treat like cache miss */ } } if (ret->cipher == NULL) { unsigned char buf[5],*p; unsigned long l; p=buf; l=ret->cipher_id; l2n(l,p); if ((ret->ssl_version>>8) == SSL3_VERSION_MAJOR) ret->cipher=ssl_get_cipher_by_char(s,&(buf[2])); else ret->cipher=ssl_get_cipher_by_char(s,&(buf[1])); if (ret->cipher == NULL) goto err; } #if 0 /* This is way too late. */ /* If a thread got the session, then 'swaped', and another got * it and then due to a time-out decided to 'OPENSSL_free' it we could * be in trouble. So I'll increment it now, then double decrement * later - am I speaking rubbish?. */ CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); #endif if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */ { s->ctx->stats.sess_timeout++; /* remove it from the cache */ SSL_CTX_remove_session(s->ctx,ret); goto err; } s->ctx->stats.sess_hit++; /* ret->time=time(NULL); */ /* rezero timeout? */ /* again, just leave the session * if it is the same session, we have just incremented and * then decremented the reference count :-) */ if (s->session != NULL) SSL_SESSION_free(s->session); s->session=ret; s->verify_result = s->session->verify_result; return(1); err: if (ret != NULL) SSL_SESSION_free(ret); if (fatal) return -1; else return 0; } int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) { int ret=0; SSL_SESSION *s; /* add just 1 reference count for the SSL_CTX's session cache * even though it has two ways of access: each session is in a * doubly linked list and an lhash */ CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION); /* if session c is in already in cache, we take back the increment later */ CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); s=(SSL_SESSION *)lh_insert(ctx->sessions,c); /* s != NULL iff we already had a session with the given PID. * In this case, s == c should hold (then we did not really modify * ctx->sessions), or we're in trouble. */ if (s != NULL && s != c) { /* We *are* in trouble ... */ SSL_SESSION_list_remove(ctx,s); SSL_SESSION_free(s); /* ... so pretend the other session did not exist in cache * (we cannot handle two SSL_SESSION structures with identical * session ID in the same cache, which could happen e.g. when * two threads concurrently obtain the same session from an external * cache) */ s = NULL; } /* Put at the head of the queue unless it is already in the cache */ if (s == NULL) SSL_SESSION_list_add(ctx,c); if (s != NULL) { /* existing cache entry -- decrement previously incremented reference * count because it already takes into account the cache */ SSL_SESSION_free(s); /* s == c */ ret=0; } else { /* new cache entry -- remove old ones if cache has become too large */ ret=1; if (SSL_CTX_sess_get_cache_size(ctx) > 0) { while (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) { if (!remove_session_lock(ctx, ctx->session_cache_tail, 0)) break; else ctx->stats.sess_cache_full++; } } } CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); return(ret); } int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c) { return remove_session_lock(ctx, c, 1); } static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) { SSL_SESSION *r; int ret=0; if ((c != NULL) && (c->session_id_length != 0)) { if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); if ((r = (SSL_SESSION *)lh_retrieve(ctx->sessions,c)) == c) { ret=1; r=(SSL_SESSION *)lh_delete(ctx->sessions,c); SSL_SESSION_list_remove(ctx,c); } if(lck) CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); if (ret) { r->not_resumable=1; if (ctx->remove_session_cb != NULL) ctx->remove_session_cb(ctx,r); SSL_SESSION_free(r); } } else ret=0; return(ret); } void SSL_SESSION_free(SSL_SESSION *ss) { int i; if(ss == NULL) return; i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION); #ifdef REF_PRINT REF_PRINT("SSL_SESSION",ss); #endif if (i > 0) return; #ifdef REF_CHECK if (i < 0) { fprintf(stderr,"SSL_SESSION_free, bad reference count\n"); abort(); /* ok */ } #endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg); OPENSSL_cleanse(ss->master_key,sizeof ss->master_key); OPENSSL_cleanse(ss->session_id,sizeof ss->session_id); if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert); if (ss->peer != NULL) X509_free(ss->peer); if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); OPENSSL_cleanse(ss,sizeof(*ss)); OPENSSL_free(ss); } int SSL_set_session(SSL *s, SSL_SESSION *session) { int ret=0; SSL_METHOD *meth; if (session != NULL) { meth=s->ctx->method->get_ssl_method(session->ssl_version); if (meth == NULL) meth=s->method->get_ssl_method(session->ssl_version); if (meth == NULL) { SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_METHOD); return(0); } if (meth != s->method) { if (!SSL_set_ssl_method(s,meth)) return(0); if (s->ctx->session_timeout == 0) session->timeout=SSL_get_default_timeout(s); else session->timeout=s->ctx->session_timeout; } #ifndef OPENSSL_NO_KRB5 if (s->kssl_ctx && !s->kssl_ctx->client_princ && session->krb5_client_princ_len > 0) { s->kssl_ctx->client_princ = (char *)malloc(session->krb5_client_princ_len + 1); memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ, session->krb5_client_princ_len); s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0'; } #endif /* OPENSSL_NO_KRB5 */ /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/ CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION); if (s->session != NULL) SSL_SESSION_free(s->session); s->session=session; s->verify_result = s->session->verify_result; /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/ ret=1; } else { if (s->session != NULL) { SSL_SESSION_free(s->session); s->session=NULL; } meth=s->ctx->method; if (meth != s->method) { if (!SSL_set_ssl_method(s,meth)) return(0); } ret=1; } return(ret); } long SSL_SESSION_set_timeout(SSL_SESSION *s, long t) { if (s == NULL) return(0); s->timeout=t; return(1); } long SSL_SESSION_get_timeout(SSL_SESSION *s) { if (s == NULL) return(0); return(s->timeout); } long SSL_SESSION_get_time(SSL_SESSION *s) { if (s == NULL) return(0); return(s->time); } long SSL_SESSION_set_time(SSL_SESSION *s, long t) { if (s == NULL) return(0); s->time=t; return(t); } long SSL_CTX_set_timeout(SSL_CTX *s, long t) { long l; if (s == NULL) return(0); l=s->session_timeout; s->session_timeout=t; return(l); } long SSL_CTX_get_timeout(SSL_CTX *s) { if (s == NULL) return(0); return(s->session_timeout); } typedef struct timeout_param_st { SSL_CTX *ctx; long time; LHASH *cache; } TIMEOUT_PARAM; static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p) { if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */ { /* The reason we don't call SSL_CTX_remove_session() is to * save on locking overhead */ lh_delete(p->cache,s); SSL_SESSION_list_remove(p->ctx,s); s->not_resumable=1; if (p->ctx->remove_session_cb != NULL) p->ctx->remove_session_cb(p->ctx,s); SSL_SESSION_free(s); } } static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION *, TIMEOUT_PARAM *) void SSL_CTX_flush_sessions(SSL_CTX *s, long t) { unsigned long i; TIMEOUT_PARAM tp; tp.ctx=s; tp.cache=s->sessions; if (tp.cache == NULL) return; tp.time=t; CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); i=tp.cache->down_load; tp.cache->down_load=0; lh_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), &tp); tp.cache->down_load=i; CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); } int ssl_clear_bad_session(SSL *s) { if ( (s->session != NULL) && !(s->shutdown & SSL_SENT_SHUTDOWN) && !(SSL_in_init(s) || SSL_in_before(s))) { SSL_CTX_remove_session(s->ctx,s->session); return(1); } else return(0); } /* locked by SSL_CTX in the calling function */ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s) { if ((s->next == NULL) || (s->prev == NULL)) return; if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) { /* last element in list */ if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { /* only one element in list */ ctx->session_cache_head=NULL; ctx->session_cache_tail=NULL; } else { ctx->session_cache_tail=s->prev; s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail); } } else { if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { /* first element in list */ ctx->session_cache_head=s->next; s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head); } else { /* middle of list */ s->next->prev=s->prev; s->prev->next=s->next; } } s->prev=s->next=NULL; } static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s) { if ((s->next != NULL) && (s->prev != NULL)) SSL_SESSION_list_remove(ctx,s); if (ctx->session_cache_head == NULL) { ctx->session_cache_head=s; ctx->session_cache_tail=s; s->prev=(SSL_SESSION *)&(ctx->session_cache_head); s->next=(SSL_SESSION *)&(ctx->session_cache_tail); } else { s->next=ctx->session_cache_head; s->next->prev=s; s->prev=(SSL_SESSION *)&(ctx->session_cache_head); ctx->session_cache_head=s; } } diff --git a/crypto/openssl/ssl/ssltest.c b/crypto/openssl/ssl/ssltest.c index 42289c255b27..28095148e740 100644 --- a/crypto/openssl/ssl/ssltest.c +++ b/crypto/openssl/ssl/ssltest.c @@ -1,1637 +1,1644 @@ /* ssl/ssltest.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly on Linux and GNU platforms. */ #include #include #include #include #include #include #include #define USE_SOCKETS #include "e_os.h" #include #include #include #include #include #ifndef OPENSSL_NO_ENGINE #include #endif #include #include #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly on Compaq platforms (at least with DEC C). Do not try to put it earlier, or IPv6 includes get screwed... */ #ifdef OPENSSL_SYS_WINDOWS #include #else #include OPENSSL_UNISTD #endif #ifdef OPENSSL_SYS_VMS # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM" # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM" #elif defined(OPENSSL_SYS_WINCE) # define TEST_SERVER_CERT "\\OpenSSL\\server.pem" # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem" #else # define TEST_SERVER_CERT "../apps/server.pem" # define TEST_CLIENT_CERT "../apps/client.pem" #endif /* There is really no standard for this, so let's assign some tentative numbers. In any case, these numbers are only for this test */ #define COMP_RLE 1 #define COMP_ZLIB 2 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); #ifndef OPENSSL_NO_RSA static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength); static void free_tmp_rsa(void); #endif static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg); #define APP_CALLBACK "Test Callback Argument" static char *app_verify_arg = APP_CALLBACK; #ifndef OPENSSL_NO_DH static DH *get_dh512(void); static DH *get_dh1024(void); static DH *get_dh1024dsa(void); #endif static BIO *bio_err=NULL; static BIO *bio_stdout=NULL; static char *cipher=NULL; static int verbose=0; static int debug=0; #if 0 /* Not used yet. */ #ifdef FIONBIO static int s_nbio=0; #endif #endif static const char rnd_seed[] = "string to make the random number generator think it has entropy"; int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time); int doit(SSL *s_ssl,SSL *c_ssl,long bytes); static void sv_usage(void) { fprintf(stderr,"usage: ssltest [args ...]\n"); fprintf(stderr,"\n"); fprintf(stderr," -server_auth - check server certificate\n"); fprintf(stderr," -client_auth - do client authentication\n"); fprintf(stderr," -v - more output\n"); fprintf(stderr," -d - debug output\n"); fprintf(stderr," -reuse - use session-id reuse\n"); fprintf(stderr," -num - number of connections to perform\n"); fprintf(stderr," -bytes - number of bytes to swap between client/server\n"); #ifndef OPENSSL_NO_DH fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n"); fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); fprintf(stderr," -no_dhe - disable DHE\n"); #endif #ifndef OPENSSL_NO_SSL2 fprintf(stderr," -ssl2 - use SSLv2\n"); #endif #ifndef OPENSSL_NO_SSL3 fprintf(stderr," -ssl3 - use SSLv3\n"); #endif #ifndef OPENSSL_NO_TLS1 fprintf(stderr," -tls1 - use TLSv1\n"); #endif fprintf(stderr," -CApath arg - PEM format directory of CA's\n"); fprintf(stderr," -CAfile arg - PEM format file of CA's\n"); fprintf(stderr," -cert arg - Server certificate file\n"); fprintf(stderr," -key arg - Server key file (default: same as -cert)\n"); fprintf(stderr," -c_cert arg - Client certificate file\n"); fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n"); fprintf(stderr," -cipher arg - The cipher list\n"); fprintf(stderr," -bio_pair - Use BIO pairs\n"); fprintf(stderr," -f - Test even cases that can't work\n"); fprintf(stderr," -time - measure processor time used by client and server\n"); fprintf(stderr," -zlib - use zlib compression\n"); fprintf(stderr," -time - use rle compression\n"); } static void print_details(SSL *c_ssl, const char *prefix) { SSL_CIPHER *ciph; X509 *cert; ciph=SSL_get_current_cipher(c_ssl); BIO_printf(bio_stdout,"%s%s, cipher %s %s", prefix, SSL_get_version(c_ssl), SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph)); cert=SSL_get_peer_certificate(c_ssl); if (cert != NULL) { EVP_PKEY *pkey = X509_get_pubkey(cert); if (pkey != NULL) { if (0) ; #ifndef OPENSSL_NO_RSA else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL && pkey->pkey.rsa->n != NULL) { BIO_printf(bio_stdout, ", %d bit RSA", BN_num_bits(pkey->pkey.rsa->n)); } #endif #ifndef OPENSSL_NO_DSA else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL && pkey->pkey.dsa->p != NULL) { BIO_printf(bio_stdout, ", %d bit DSA", BN_num_bits(pkey->pkey.dsa->p)); } #endif EVP_PKEY_free(pkey); } X509_free(cert); } /* The SSL API does not allow us to look at temporary RSA/DH keys, * otherwise we should print their lengths too */ BIO_printf(bio_stdout,"\n"); } static void lock_dbg_cb(int mode, int type, const char *file, int line) { static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */ const char *errstr = NULL; int rw; rw = mode & (CRYPTO_READ|CRYPTO_WRITE); if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) { errstr = "invalid mode"; goto err; } if (type < 0 || type >= CRYPTO_NUM_LOCKS) { errstr = "type out of bounds"; goto err; } if (mode & CRYPTO_LOCK) { if (modes[type]) { errstr = "already locked"; /* must not happen in a single-threaded program * (would deadlock) */ goto err; } modes[type] = rw; } else if (mode & CRYPTO_UNLOCK) { if (!modes[type]) { errstr = "not locked"; goto err; } if (modes[type] != rw) { errstr = (rw == CRYPTO_READ) ? "CRYPTO_r_unlock on write lock" : "CRYPTO_w_unlock on read lock"; } modes[type] = 0; } else { errstr = "invalid mode"; goto err; } err: if (errstr) { /* we cannot use bio_err here */ fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n", errstr, mode, type, file, line); } } int main(int argc, char *argv[]) { char *CApath=NULL,*CAfile=NULL; int badop=0; int bio_pair=0; int force=0; int tls1=0,ssl2=0,ssl3=0,ret=1; int client_auth=0; int server_auth=0,i; int app_verify=0; char *server_cert=TEST_SERVER_CERT; char *server_key=NULL; char *client_cert=TEST_CLIENT_CERT; char *client_key=NULL; SSL_CTX *s_ctx=NULL; SSL_CTX *c_ctx=NULL; SSL_METHOD *meth=NULL; SSL *c_ssl,*s_ssl; int number=1,reuse=0; long bytes=1L; #ifndef OPENSSL_NO_DH DH *dh; int dhe1024 = 0, dhe1024dsa = 0; #endif int no_dhe = 0; int print_time = 0; clock_t s_time = 0, c_time = 0; int comp = 0; COMP_METHOD *cm = NULL; verbose = 0; debug = 0; cipher = 0; bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); CRYPTO_set_locking_callback(lock_dbg_cb); /* enable memory leak checking unless explicitly disabled */ if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); } else { /* OPENSSL_DEBUG_MEMORY=off */ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); RAND_seed(rnd_seed, sizeof rnd_seed); bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE); argc--; argv++; while (argc >= 1) { if (strcmp(*argv,"-server_auth") == 0) server_auth=1; else if (strcmp(*argv,"-client_auth") == 0) client_auth=1; else if (strcmp(*argv,"-v") == 0) verbose=1; else if (strcmp(*argv,"-d") == 0) debug=1; else if (strcmp(*argv,"-reuse") == 0) reuse=1; else if (strcmp(*argv,"-dhe1024") == 0) { #ifndef OPENSSL_NO_DH dhe1024=1; #else fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv,"-dhe1024dsa") == 0) { #ifndef OPENSSL_NO_DH dhe1024dsa=1; #else fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv,"-no_dhe") == 0) no_dhe=1; else if (strcmp(*argv,"-ssl2") == 0) ssl2=1; else if (strcmp(*argv,"-tls1") == 0) tls1=1; else if (strcmp(*argv,"-ssl3") == 0) ssl3=1; else if (strncmp(*argv,"-num",4) == 0) { if (--argc < 1) goto bad; number= atoi(*(++argv)); if (number == 0) number=1; } else if (strcmp(*argv,"-bytes") == 0) { if (--argc < 1) goto bad; bytes= atol(*(++argv)); if (bytes == 0L) bytes=1L; i=strlen(argv[0]); if (argv[0][i-1] == 'k') bytes*=1024L; if (argv[0][i-1] == 'm') bytes*=1024L*1024L; } else if (strcmp(*argv,"-cert") == 0) { if (--argc < 1) goto bad; server_cert= *(++argv); } else if (strcmp(*argv,"-s_cert") == 0) { if (--argc < 1) goto bad; server_cert= *(++argv); } else if (strcmp(*argv,"-key") == 0) { if (--argc < 1) goto bad; server_key= *(++argv); } else if (strcmp(*argv,"-s_key") == 0) { if (--argc < 1) goto bad; server_key= *(++argv); } else if (strcmp(*argv,"-c_cert") == 0) { if (--argc < 1) goto bad; client_cert= *(++argv); } else if (strcmp(*argv,"-c_key") == 0) { if (--argc < 1) goto bad; client_key= *(++argv); } else if (strcmp(*argv,"-cipher") == 0) { if (--argc < 1) goto bad; cipher= *(++argv); } else if (strcmp(*argv,"-CApath") == 0) { if (--argc < 1) goto bad; CApath= *(++argv); } else if (strcmp(*argv,"-CAfile") == 0) { if (--argc < 1) goto bad; CAfile= *(++argv); } else if (strcmp(*argv,"-bio_pair") == 0) { bio_pair = 1; } else if (strcmp(*argv,"-f") == 0) { force = 1; } else if (strcmp(*argv,"-time") == 0) { print_time = 1; } else if (strcmp(*argv,"-zlib") == 0) { comp = COMP_ZLIB; } else if (strcmp(*argv,"-rle") == 0) { comp = COMP_RLE; } else if (strcmp(*argv,"-app_verify") == 0) { app_verify = 1; } else { fprintf(stderr,"unknown option %s\n",*argv); badop=1; break; } argc--; argv++; } if (badop) { bad: sv_usage(); goto end; } if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " "or add one of -ssl2, -ssl3, -tls1, -reuse\n" "to avoid protocol mismatch.\n"); EXIT(1); } if (print_time) { if (!bio_pair) { fprintf(stderr, "Using BIO pair (-bio_pair)\n"); bio_pair = 1; } if (number < 50 && !force) fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); } /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ SSL_library_init(); SSL_load_error_strings(); if (comp == COMP_ZLIB) cm = COMP_zlib(); if (comp == COMP_RLE) cm = COMP_rle(); if (cm != NULL) { if (cm->type != NID_undef) - SSL_COMP_add_compression_method(comp, cm); + { + if (SSL_COMP_add_compression_method(comp, cm) != 0) + { + fprintf(stderr, + "Failed to add compression method\n"); + ERR_print_errors_fp(stderr); + } + } else { fprintf(stderr, "Warning: %s compression not supported\n", (comp == COMP_RLE ? "rle" : (comp == COMP_ZLIB ? "zlib" : "unknown"))); ERR_print_errors_fp(stderr); } } #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) if (ssl2) meth=SSLv2_method(); else if (tls1) meth=TLSv1_method(); else if (ssl3) meth=SSLv3_method(); else meth=SSLv23_method(); #else #ifdef OPENSSL_NO_SSL2 meth=SSLv3_method(); #else meth=SSLv2_method(); #endif #endif c_ctx=SSL_CTX_new(meth); s_ctx=SSL_CTX_new(meth); if ((c_ctx == NULL) || (s_ctx == NULL)) { ERR_print_errors(bio_err); goto end; } if (cipher != NULL) { SSL_CTX_set_cipher_list(c_ctx,cipher); SSL_CTX_set_cipher_list(s_ctx,cipher); } #ifndef OPENSSL_NO_DH if (!no_dhe) { if (dhe1024dsa) { /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */ SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); dh=get_dh1024dsa(); } else if (dhe1024) dh=get_dh1024(); else dh=get_dh512(); SSL_CTX_set_tmp_dh(s_ctx,dh); DH_free(dh); } #else (void)no_dhe; #endif #ifndef OPENSSL_NO_RSA SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb); #endif if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM)) { ERR_print_errors(bio_err); } else if (!SSL_CTX_use_PrivateKey_file(s_ctx, (server_key?server_key:server_cert), SSL_FILETYPE_PEM)) { ERR_print_errors(bio_err); goto end; } if (client_auth) { SSL_CTX_use_certificate_file(c_ctx,client_cert, SSL_FILETYPE_PEM); SSL_CTX_use_PrivateKey_file(c_ctx, (client_key?client_key:client_cert), SSL_FILETYPE_PEM); } if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(s_ctx)) || (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(c_ctx))) { /* fprintf(stderr,"SSL_load_verify_locations\n"); */ ERR_print_errors(bio_err); /* goto end; */ } if (client_auth) { BIO_printf(bio_err,"client authentication\n"); SSL_CTX_set_verify(s_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); if (app_verify) { SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg); } } if (server_auth) { BIO_printf(bio_err,"server authentication\n"); SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER, verify_callback); if (app_verify) { SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg); } } { int session_id_context = 0; SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context); } c_ssl=SSL_new(c_ctx); s_ssl=SSL_new(s_ctx); #ifndef OPENSSL_NO_KRB5 if (c_ssl && c_ssl->kssl_ctx) { char localhost[MAXHOSTNAMELEN+2]; if (gethostname(localhost, sizeof localhost-1) == 0) { localhost[sizeof localhost-1]='\0'; if(strlen(localhost) == sizeof localhost-1) { BIO_printf(bio_err,"localhost name too long\n"); goto end; } kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, localhost); } } #endif /* OPENSSL_NO_KRB5 */ for (i=0; i 1) || (bytes > 1L)) BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes); if (print_time) { #ifdef CLOCKS_PER_SEC /* "To determine the time in seconds, the value returned * by the clock function should be divided by the value * of the macro CLOCKS_PER_SEC." * -- ISO/IEC 9899 */ BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n" "Approximate total client time: %6.2f s\n", (double)s_time/CLOCKS_PER_SEC, (double)c_time/CLOCKS_PER_SEC); #else /* "`CLOCKS_PER_SEC' undeclared (first use this function)" * -- cc on NeXTstep/OpenStep */ BIO_printf(bio_stdout, "Approximate total server time: %6.2f units\n" "Approximate total client time: %6.2f units\n", (double)s_time, (double)c_time); #endif } SSL_free(s_ssl); SSL_free(c_ssl); end: if (s_ctx != NULL) SSL_CTX_free(s_ctx); if (c_ctx != NULL) SSL_CTX_free(c_ctx); if (bio_stdout != NULL) BIO_free(bio_stdout); #ifndef OPENSSL_NO_RSA free_tmp_rsa(); #endif #ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); #endif CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); ERR_remove_state(0); EVP_cleanup(); CRYPTO_mem_leaks(bio_err); if (bio_err != NULL) BIO_free(bio_err); EXIT(ret); } int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, clock_t *s_time, clock_t *c_time) { long cw_num = count, cr_num = count, sw_num = count, sr_num = count; BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL; int ret = 1; size_t bufsiz = 256; /* small buffer for testing */ if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz)) goto err; if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz)) goto err; s_ssl_bio = BIO_new(BIO_f_ssl()); if (!s_ssl_bio) goto err; c_ssl_bio = BIO_new(BIO_f_ssl()); if (!c_ssl_bio) goto err; SSL_set_connect_state(c_ssl); SSL_set_bio(c_ssl, client, client); (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE); SSL_set_accept_state(s_ssl); SSL_set_bio(s_ssl, server, server); (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE); do { /* c_ssl_bio: SSL filter BIO * * client: pseudo-I/O for SSL library * * client_io: client's SSL communication; usually to be * relayed over some I/O facility, but in this * test program, we're the server, too: * * server_io: server's SSL communication * * server: pseudo-I/O for SSL library * * s_ssl_bio: SSL filter BIO * * The client and the server each employ a "BIO pair": * client + client_io, server + server_io. * BIO pairs are symmetric. A BIO pair behaves similar * to a non-blocking socketpair (but both endpoints must * be handled by the same thread). * [Here we could connect client and server to the ends * of a single BIO pair, but then this code would be less * suitable as an example for BIO pairs in general.] * * Useful functions for querying the state of BIO pair endpoints: * * BIO_ctrl_pending(bio) number of bytes we can read now * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil * other side's read attempt * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now * * ..._read_request is never more than ..._write_guarantee; * it depends on the application which one you should use. */ /* We have non-blocking behaviour throughout this test program, but * can be sure that there is *some* progress in each iteration; so * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE * -- we just try everything in each iteration */ { /* CLIENT */ MS_STATIC char cbuf[1024*8]; int i, r; clock_t c_clock = clock(); memset(cbuf, 0, sizeof(cbuf)); if (debug) if (SSL_in_init(c_ssl)) printf("client waiting in SSL_connect - %s\n", SSL_state_string_long(c_ssl)); if (cw_num > 0) { /* Write to server. */ if (cw_num > (long)sizeof cbuf) i = sizeof cbuf; else i = (int)cw_num; r = BIO_write(c_ssl_bio, cbuf, i); if (r < 0) { if (!BIO_should_retry(c_ssl_bio)) { fprintf(stderr,"ERROR in CLIENT\n"); goto err; } /* BIO_should_retry(...) can just be ignored here. * The library expects us to call BIO_write with * the same arguments again, and that's what we will * do in the next iteration. */ } else if (r == 0) { fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); goto err; } else { if (debug) printf("client wrote %d\n", r); cw_num -= r; } } if (cr_num > 0) { /* Read from server. */ r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf)); if (r < 0) { if (!BIO_should_retry(c_ssl_bio)) { fprintf(stderr,"ERROR in CLIENT\n"); goto err; } /* Again, "BIO_should_retry" can be ignored. */ } else if (r == 0) { fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); goto err; } else { if (debug) printf("client read %d\n", r); cr_num -= r; } } /* c_time and s_time increments will typically be very small * (depending on machine speed and clock tick intervals), * but sampling over a large number of connections should * result in fairly accurate figures. We cannot guarantee * a lot, however -- if each connection lasts for exactly * one clock tick, it will be counted only for the client * or only for the server or even not at all. */ *c_time += (clock() - c_clock); } { /* SERVER */ MS_STATIC char sbuf[1024*8]; int i, r; clock_t s_clock = clock(); memset(sbuf, 0, sizeof(sbuf)); if (debug) if (SSL_in_init(s_ssl)) printf("server waiting in SSL_accept - %s\n", SSL_state_string_long(s_ssl)); if (sw_num > 0) { /* Write to client. */ if (sw_num > (long)sizeof sbuf) i = sizeof sbuf; else i = (int)sw_num; r = BIO_write(s_ssl_bio, sbuf, i); if (r < 0) { if (!BIO_should_retry(s_ssl_bio)) { fprintf(stderr,"ERROR in SERVER\n"); goto err; } /* Ignore "BIO_should_retry". */ } else if (r == 0) { fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); goto err; } else { if (debug) printf("server wrote %d\n", r); sw_num -= r; } } if (sr_num > 0) { /* Read from client. */ r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf)); if (r < 0) { if (!BIO_should_retry(s_ssl_bio)) { fprintf(stderr,"ERROR in SERVER\n"); goto err; } /* blah, blah */ } else if (r == 0) { fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); goto err; } else { if (debug) printf("server read %d\n", r); sr_num -= r; } } *s_time += (clock() - s_clock); } { /* "I/O" BETWEEN CLIENT AND SERVER. */ size_t r1, r2; BIO *io1 = server_io, *io2 = client_io; /* we use the non-copying interface for io1 * and the standard BIO_write/BIO_read interface for io2 */ static int prev_progress = 1; int progress = 0; /* io1 to io2 */ do { size_t num; int r; r1 = BIO_ctrl_pending(io1); r2 = BIO_ctrl_get_write_guarantee(io2); num = r1; if (r2 < num) num = r2; if (num) { char *dataptr; if (INT_MAX < num) /* yeah, right */ num = INT_MAX; r = BIO_nread(io1, &dataptr, (int)num); assert(r > 0); assert(r <= (int)num); /* possibly r < num (non-contiguous data) */ num = r; r = BIO_write(io2, dataptr, (int)num); if (r != (int)num) /* can't happen */ { fprintf(stderr, "ERROR: BIO_write could not write " "BIO_ctrl_get_write_guarantee() bytes"); goto err; } progress = 1; if (debug) printf((io1 == client_io) ? "C->S relaying: %d bytes\n" : "S->C relaying: %d bytes\n", (int)num); } } while (r1 && r2); /* io2 to io1 */ { size_t num; int r; r1 = BIO_ctrl_pending(io2); r2 = BIO_ctrl_get_read_request(io1); /* here we could use ..._get_write_guarantee instead of * ..._get_read_request, but by using the latter * we test restartability of the SSL implementation * more thoroughly */ num = r1; if (r2 < num) num = r2; if (num) { char *dataptr; if (INT_MAX < num) num = INT_MAX; if (num > 1) --num; /* test restartability even more thoroughly */ r = BIO_nwrite0(io1, &dataptr); assert(r > 0); if (r < (int)num) num = r; r = BIO_read(io2, dataptr, (int)num); if (r != (int)num) /* can't happen */ { fprintf(stderr, "ERROR: BIO_read could not read " "BIO_ctrl_pending() bytes"); goto err; } progress = 1; r = BIO_nwrite(io1, &dataptr, (int)num); if (r != (int)num) /* can't happen */ { fprintf(stderr, "ERROR: BIO_nwrite() did not accept " "BIO_nwrite0() bytes"); goto err; } if (debug) printf((io2 == client_io) ? "C->S relaying: %d bytes\n" : "S->C relaying: %d bytes\n", (int)num); } } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */ if (!progress && !prev_progress) if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) { fprintf(stderr, "ERROR: got stuck\n"); if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0) { fprintf(stderr, "This can happen for SSL2 because " "CLIENT-FINISHED and SERVER-VERIFY are written \n" "concurrently ..."); if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0) { fprintf(stderr, " ok.\n"); goto end; } } fprintf(stderr, " ERROR.\n"); goto err; } prev_progress = progress; } } while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0); if (verbose) print_details(c_ssl, "DONE via BIO pair: "); end: ret = 0; err: ERR_print_errors(bio_err); if (server) BIO_free(server); if (server_io) BIO_free(server_io); if (client) BIO_free(client); if (client_io) BIO_free(client_io); if (s_ssl_bio) BIO_free(s_ssl_bio); if (c_ssl_bio) BIO_free(c_ssl_bio); return ret; } #define W_READ 1 #define W_WRITE 2 #define C_DONE 1 #define S_DONE 2 int doit(SSL *s_ssl, SSL *c_ssl, long count) { MS_STATIC char cbuf[1024*8],sbuf[1024*8]; long cw_num=count,cr_num=count; long sw_num=count,sr_num=count; int ret=1; BIO *c_to_s=NULL; BIO *s_to_c=NULL; BIO *c_bio=NULL; BIO *s_bio=NULL; int c_r,c_w,s_r,s_w; int c_want,s_want; int i,j; int done=0; int c_write,s_write; int do_server=0,do_client=0; memset(cbuf,0,sizeof(cbuf)); memset(sbuf,0,sizeof(sbuf)); c_to_s=BIO_new(BIO_s_mem()); s_to_c=BIO_new(BIO_s_mem()); if ((s_to_c == NULL) || (c_to_s == NULL)) { ERR_print_errors(bio_err); goto err; } c_bio=BIO_new(BIO_f_ssl()); s_bio=BIO_new(BIO_f_ssl()); if ((c_bio == NULL) || (s_bio == NULL)) { ERR_print_errors(bio_err); goto err; } SSL_set_connect_state(c_ssl); SSL_set_bio(c_ssl,s_to_c,c_to_s); BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE); SSL_set_accept_state(s_ssl); SSL_set_bio(s_ssl,c_to_s,s_to_c); BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE); c_r=0; s_r=1; c_w=1; s_w=0; c_want=W_WRITE; s_want=0; c_write=1,s_write=0; /* We can always do writes */ for (;;) { do_server=0; do_client=0; i=(int)BIO_pending(s_bio); if ((i && s_r) || s_w) do_server=1; i=(int)BIO_pending(c_bio); if ((i && c_r) || c_w) do_client=1; if (do_server && debug) { if (SSL_in_init(s_ssl)) printf("server waiting in SSL_accept - %s\n", SSL_state_string_long(s_ssl)); /* else if (s_write) printf("server:SSL_write()\n"); else printf("server:SSL_read()\n"); */ } if (do_client && debug) { if (SSL_in_init(c_ssl)) printf("client waiting in SSL_connect - %s\n", SSL_state_string_long(c_ssl)); /* else if (c_write) printf("client:SSL_write()\n"); else printf("client:SSL_read()\n"); */ } if (!do_client && !do_server) { fprintf(stdout,"ERROR IN STARTUP\n"); ERR_print_errors(bio_err); break; } if (do_client && !(done & C_DONE)) { if (c_write) { j=(cw_num > (long)sizeof(cbuf)) ?sizeof(cbuf):(int)cw_num; i=BIO_write(c_bio,cbuf,j); if (i < 0) { c_r=0; c_w=0; if (BIO_should_retry(c_bio)) { if (BIO_should_read(c_bio)) c_r=1; if (BIO_should_write(c_bio)) c_w=1; } else { fprintf(stderr,"ERROR in CLIENT\n"); ERR_print_errors(bio_err); goto err; } } else if (i == 0) { fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); goto err; } else { if (debug) printf("client wrote %d\n",i); /* ok */ s_r=1; c_write=0; cw_num-=i; } } else { i=BIO_read(c_bio,cbuf,sizeof(cbuf)); if (i < 0) { c_r=0; c_w=0; if (BIO_should_retry(c_bio)) { if (BIO_should_read(c_bio)) c_r=1; if (BIO_should_write(c_bio)) c_w=1; } else { fprintf(stderr,"ERROR in CLIENT\n"); ERR_print_errors(bio_err); goto err; } } else if (i == 0) { fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); goto err; } else { if (debug) printf("client read %d\n",i); cr_num-=i; if (sw_num > 0) { s_write=1; s_w=1; } if (cr_num <= 0) { s_write=1; s_w=1; done=S_DONE|C_DONE; } } } } if (do_server && !(done & S_DONE)) { if (!s_write) { i=BIO_read(s_bio,sbuf,sizeof(cbuf)); if (i < 0) { s_r=0; s_w=0; if (BIO_should_retry(s_bio)) { if (BIO_should_read(s_bio)) s_r=1; if (BIO_should_write(s_bio)) s_w=1; } else { fprintf(stderr,"ERROR in SERVER\n"); ERR_print_errors(bio_err); goto err; } } else if (i == 0) { ERR_print_errors(bio_err); fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n"); goto err; } else { if (debug) printf("server read %d\n",i); sr_num-=i; if (cw_num > 0) { c_write=1; c_w=1; } if (sr_num <= 0) { s_write=1; s_w=1; c_write=0; } } } else { j=(sw_num > (long)sizeof(sbuf))? sizeof(sbuf):(int)sw_num; i=BIO_write(s_bio,sbuf,j); if (i < 0) { s_r=0; s_w=0; if (BIO_should_retry(s_bio)) { if (BIO_should_read(s_bio)) s_r=1; if (BIO_should_write(s_bio)) s_w=1; } else { fprintf(stderr,"ERROR in SERVER\n"); ERR_print_errors(bio_err); goto err; } } else if (i == 0) { ERR_print_errors(bio_err); fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n"); goto err; } else { if (debug) printf("server wrote %d\n",i); sw_num-=i; s_write=0; c_r=1; if (sw_num <= 0) done|=S_DONE; } } } if ((done & S_DONE) && (done & C_DONE)) break; } if (verbose) print_details(c_ssl, "DONE: "); ret=0; err: /* We have to set the BIO's to NULL otherwise they will be * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and * again when c_ssl is SSL_free()ed. * This is a hack required because s_ssl and c_ssl are sharing the same * BIO structure and SSL_set_bio() and SSL_free() automatically * BIO_free non NULL entries. * You should not normally do this or be required to do this */ if (s_ssl != NULL) { s_ssl->rbio=NULL; s_ssl->wbio=NULL; } if (c_ssl != NULL) { c_ssl->rbio=NULL; c_ssl->wbio=NULL; } if (c_to_s != NULL) BIO_free(c_to_s); if (s_to_c != NULL) BIO_free(s_to_c); if (c_bio != NULL) BIO_free_all(c_bio); if (s_bio != NULL) BIO_free_all(s_bio); return(ret); } static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) { char *s,buf[256]; s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf, sizeof buf); if (s != NULL) { if (ok) fprintf(stderr,"depth=%d %s\n",ctx->error_depth,buf); else fprintf(stderr,"depth=%d error=%d %s\n", ctx->error_depth,ctx->error,buf); } if (ok == 0) { switch (ctx->error) { case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: ok=1; } } return(ok); } static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg) { char *s = NULL,buf[256]; int ok=1; fprintf(stderr, "In app_verify_callback, allowing cert. "); fprintf(stderr, "Arg is: %s\n", (char *)arg); fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n", (unsigned int)ctx, (unsigned int)ctx->cert); if (ctx->cert) s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256); if (s != NULL) { fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf); } return(ok); } #ifndef OPENSSL_NO_RSA static RSA *rsa_tmp=NULL; static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength) { if (rsa_tmp == NULL) { BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); (void)BIO_flush(bio_err); rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL); BIO_printf(bio_err,"\n"); (void)BIO_flush(bio_err); } return(rsa_tmp); } static void free_tmp_rsa(void) { if (rsa_tmp != NULL) { RSA_free(rsa_tmp); rsa_tmp = NULL; } } #endif #ifndef OPENSSL_NO_DH /* These DH parameters have been generated as follows: * $ openssl dhparam -C -noout 512 * $ openssl dhparam -C -noout 1024 * $ openssl dhparam -C -noout -dsaparam 1024 * (The third function has been renamed to avoid name conflicts.) */ static DH *get_dh512() { static unsigned char dh512_p[]={ 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6, 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0, 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F, 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8, 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33, 0x02,0xC5,0xAE,0x23, }; static unsigned char dh512_g[]={ 0x02, }; DH *dh; if ((dh=DH_new()) == NULL) return(NULL); dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); if ((dh->p == NULL) || (dh->g == NULL)) { DH_free(dh); return(NULL); } return(dh); } static DH *get_dh1024() { static unsigned char dh1024_p[]={ 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A, 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2, 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0, 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2, 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C, 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8, 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52, 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1, 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1, 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB, 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53, }; static unsigned char dh1024_g[]={ 0x02, }; DH *dh; if ((dh=DH_new()) == NULL) return(NULL); dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); if ((dh->p == NULL) || (dh->g == NULL)) { DH_free(dh); return(NULL); } return(dh); } static DH *get_dh1024dsa() { static unsigned char dh1024_p[]={ 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00, 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19, 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2, 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55, 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC, 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97, 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D, 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB, 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6, 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E, 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39, }; static unsigned char dh1024_g[]={ 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05, 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3, 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9, 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C, 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65, 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60, 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6, 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7, 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1, 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60, 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2, }; DH *dh; if ((dh=DH_new()) == NULL) return(NULL); dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); if ((dh->p == NULL) || (dh->g == NULL)) { DH_free(dh); return(NULL); } dh->length = 160; return(dh); } #endif diff --git a/crypto/openssl/test/Makefile.ssl b/crypto/openssl/test/Makefile.ssl index a3339ca5d5b1..373f17a92978 100644 --- a/crypto/openssl/test/Makefile.ssl +++ b/crypto/openssl/test/Makefile.ssl @@ -1,796 +1,796 @@ # # test/Makefile.ssl # DIR= test TOP= .. CC= cc INCLUDES= -I$(TOP) -I../include $(KRB5_INCLUDES) CFLAG= -g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP= /usr/local/ssl MAKEFILE= Makefile.ssl MAKE= make -f $(MAKEFILE) MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) PERL= perl # KRB5 stuff KRB5_INCLUDES= LIBKRB5= PEX_LIBS= EX_LIBS= #-lnsl -lsocket CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile.ssl maketests.com \ tests.com testenc.com tx509.com trsa.com tcrl.com tsid.com treq.com \ tpkcs7.com tpkcs7d.com tverify.com testgen.com testss.com testssl.com \ testca.com VMSca-response.1 VMSca-response.2 DLIBCRYPTO= ../libcrypto.a DLIBSSL= ../libssl.a LIBCRYPTO= -L.. -lcrypto LIBSSL= -L.. -lssl BNTEST= bntest ECTEST= ectest EXPTEST= exptest IDEATEST= ideatest SHATEST= shatest SHA1TEST= sha1test MDC2TEST= mdc2test RMDTEST= rmdtest MD2TEST= md2test MD4TEST= md4test MD5TEST= md5test HMACTEST= hmactest RC2TEST= rc2test RC4TEST= rc4test RC5TEST= rc5test BFTEST= bftest CASTTEST= casttest DESTEST= destest RANDTEST= randtest DHTEST= dhtest DSATEST= dsatest METHTEST= methtest SSLTEST= ssltest RSATEST= rsa_test ENGINETEST= enginetest EVPTEST= evp_test TESTS= alltests EXE= $(BNTEST) $(ECTEST) $(IDEATEST) $(MD2TEST) $(MD4TEST) $(MD5TEST) $(HMACTEST) \ $(RC2TEST) $(RC4TEST) $(RC5TEST) \ $(DESTEST) $(SHATEST) $(SHA1TEST) $(MDC2TEST) $(RMDTEST) \ $(RANDTEST) $(DHTEST) $(ENGINETEST) \ $(BFTEST) $(CASTTEST) $(SSLTEST) $(EXPTEST) $(DSATEST) $(RSATEST) \ $(EVPTEST) # $(METHTEST) OBJ= $(BNTEST).o $(ECTEST).o $(IDEATEST).o $(MD2TEST).o $(MD4TEST).o $(MD5TEST).o \ $(HMACTEST).o \ $(RC2TEST).o $(RC4TEST).o $(RC5TEST).o \ $(DESTEST).o $(SHATEST).o $(SHA1TEST).o $(MDC2TEST).o $(RMDTEST).o \ $(RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \ $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \ $(EVPTEST).o SRC= $(BNTEST).c $(ECTEST).c $(IDEATEST).c $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ $(HMACTEST).c \ $(RC2TEST).c $(RC4TEST).c $(RC5TEST).c \ $(DESTEST).c $(SHATEST).c $(SHA1TEST).c $(MDC2TEST).c $(RMDTEST).c \ $(RANDTEST).c $(DHTEST).c $(ENGINETEST).c $(CASTTEST).c \ $(BFTEST).c $(SSLTEST).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c \ $(EVPTEST).c EXHEADER= HEADER= $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ..; $(MAKE) DIRS=$(DIR) TESTS=$(TESTS) all) all: exe exe: $(EXE) dummytest files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @@$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile generate: $(SRC) $(SRC): - @$(TOP)/util/point.sh dummytest.c $@ + @sh $(TOP)/util/point.sh dummytest.c $@ errors: install: tags: ctags $(SRC) tests: exe apps $(TESTS) apps: @(cd ..; $(MAKE) DIRS=apps all) SET_SO_PATHS=OSSL_LIBPATH="`cd ..; pwd`"; \ LD_LIBRARY_PATH="$$OSSL_LIBPATH:$$LD_LIBRARY_PATH"; \ DYLD_LIBRARY_PATH="$$OSSL_LIBPATH:$$DYLD_LIBRARY_PATH"; \ SHLIB_PATH="$$OSSL_LIBPATH:$$SHLIB_PATH"; \ LIBPATH="$$OSSL_LIBPATH:$$LIBPATH"; \ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="$${LIBPATH}:$$PATH"; fi; \ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH alltests: \ test_des test_idea test_sha test_md4 test_md5 test_hmac \ test_md2 test_mdc2 \ test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast test_aes \ test_rand test_bn test_ec test_enc test_x509 test_rsa test_crl test_sid \ test_gen test_req test_pkcs7 test_verify test_dh test_dsa \ test_ss test_ca test_engine test_evp test_ssl test_evp: $(SET_SO_PATHS); ./$(EVPTEST) evptests.txt test_des: $(SET_SO_PATHS); ./$(DESTEST) test_idea: $(SET_SO_PATHS); ./$(IDEATEST) test_sha: $(SET_SO_PATHS); ./$(SHATEST) $(SET_SO_PATHS); ./$(SHA1TEST) test_mdc2: $(SET_SO_PATHS); ./$(MDC2TEST) test_md5: $(SET_SO_PATHS); ./$(MD5TEST) test_md4: $(SET_SO_PATHS); ./$(MD4TEST) test_hmac: $(SET_SO_PATHS); ./$(HMACTEST) test_md2: $(SET_SO_PATHS); ./$(MD2TEST) test_rmd: $(SET_SO_PATHS); ./$(RMDTEST) test_bf: $(SET_SO_PATHS); ./$(BFTEST) test_cast: $(SET_SO_PATHS); ./$(CASTTEST) test_rc2: $(SET_SO_PATHS); ./$(RC2TEST) test_rc4: $(SET_SO_PATHS); ./$(RC4TEST) test_rc5: $(SET_SO_PATHS); ./$(RC5TEST) test_rand: $(SET_SO_PATHS); ./$(RANDTEST) test_enc: @$(SET_SO_PATHS); sh ./testenc test_x509: echo test normal x509v1 certificate $(SET_SO_PATHS); sh ./tx509 2>/dev/null echo test first x509v3 certificate $(SET_SO_PATHS); sh ./tx509 v3-cert1.pem 2>/dev/null echo test second x509v3 certificate $(SET_SO_PATHS); sh ./tx509 v3-cert2.pem 2>/dev/null test_rsa: @$(SET_SO_PATHS); sh ./trsa 2>/dev/null $(SET_SO_PATHS); ./$(RSATEST) test_crl: @$(SET_SO_PATHS); sh ./tcrl 2>/dev/null test_sid: @$(SET_SO_PATHS); sh ./tsid 2>/dev/null test_req: @$(SET_SO_PATHS); sh ./treq 2>/dev/null @$(SET_SO_PATHS); sh ./treq testreq2.pem 2>/dev/null test_pkcs7: @$(SET_SO_PATHS); sh ./tpkcs7 2>/dev/null @$(SET_SO_PATHS); sh ./tpkcs7d 2>/dev/null test_bn: @echo starting big number library test, could take a while... @$(SET_SO_PATHS); ./$(BNTEST) >tmp.bntest @echo quit >>tmp.bntest @echo "running bc" @) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"' @echo 'test a^b%c implementations' $(SET_SO_PATHS); ./$(EXPTEST) test_ec: @echo 'test elliptic curves' $(SET_SO_PATHS); ./$(ECTEST) test_verify: @echo "The following command should have some OK's and some failures" @echo "There are definitly a few expired certificates" -$(SET_SO_PATHS); ../apps/openssl verify -CApath ../certs ../certs/*.pem test_dh: @echo "Generate a set of DH parameters" $(SET_SO_PATHS); ./$(DHTEST) test_dsa: @echo "Generate a set of DSA parameters" $(SET_SO_PATHS); ./$(DSATEST) $(SET_SO_PATHS); ./$(DSATEST) -app2_1 test_gen: @echo "Generate and verify a certificate request" @$(SET_SO_PATHS); sh ./testgen test_ss keyU.ss certU.ss certCA.ss: testss @echo "Generate and certify a test certificate" @$(SET_SO_PATHS); sh ./testss test_engine: @echo "Manipulate the ENGINE structures" $(SET_SO_PATHS); ./$(ENGINETEST) test_ssl: keyU.ss certU.ss certCA.ss @echo "test SSL protocol" @$(SET_SO_PATHS); sh ./testssl keyU.ss certU.ss certCA.ss test_ca: @$(SET_SO_PATHS); if ../apps/openssl no-rsa; then \ echo "skipping CA.sh test -- requires RSA"; \ else \ echo "Generate and certify a test certificate via the 'ca' program"; \ sh ./testca; \ fi test_aes: #$(AESTEST) # @echo "test Rijndael" # $(SET_SO_PATHS); ./$(AESTEST) lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss *.srl log $(DLIBSSL): (cd ..; $(MAKE) DIRS=ssl all) $(DLIBCRYPTO): (cd ..; $(MAKE) DIRS=crypto all) $(RSATEST): $(RSATEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(BNTEST): $(BNTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(ECTEST): $(ECTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(EXPTEST): $(EXPTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(IDEATEST): $(IDEATEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(MD2TEST): $(MD2TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(SHATEST): $(SHATEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(SHA1TEST): $(SHA1TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(RMDTEST): $(RMDTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(MDC2TEST): $(MDC2TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(MD4TEST): $(MD4TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(MD5TEST): $(MD5TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(HMACTEST): $(HMACTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(RC2TEST): $(RC2TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(BFTEST): $(BFTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(CASTTEST): $(CASTTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(RC4TEST): $(RC4TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(RC5TEST): $(RC5TEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(DESTEST): $(DESTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(RANDTEST): $(RANDTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(DHTEST): $(DHTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(DSATEST): $(DSATEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(METHTEST): $(METHTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(ENGINETEST): $(ENGINETEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi $(EVPTEST): $(EVPTEST).o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi #$(AESTEST).o: $(AESTEST).c # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c #$(AESTEST): $(AESTEST).o $(DLIBCRYPTO) # if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ # $(CC) -o $(AESTEST) $(CFLAGS) $(AESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ # else \ # LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ # $(CC) -o $(AESTEST) $(CFLAGS) $(AESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ # fi dummytest: dummytest.o $(DLIBCRYPTO) if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ else \ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ fi # DO NOT DELETE THIS LINE -- make depend depends on it. bftest.o: ../e_os.h ../include/openssl/blowfish.h ../include/openssl/e_os2.h bftest.o: ../include/openssl/opensslconf.h bftest.c bntest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h bntest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h bntest.o: ../include/openssl/bn.h ../include/openssl/buffer.h bntest.o: ../include/openssl/cast.h ../include/openssl/crypto.h bntest.o: ../include/openssl/des.h ../include/openssl/des_old.h bntest.o: ../include/openssl/dh.h ../include/openssl/dsa.h bntest.o: ../include/openssl/e_os2.h ../include/openssl/err.h bntest.o: ../include/openssl/evp.h ../include/openssl/idea.h bntest.o: ../include/openssl/lhash.h ../include/openssl/md2.h bntest.o: ../include/openssl/md4.h ../include/openssl/md5.h bntest.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h bntest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h bntest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h bntest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h bntest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h bntest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h bntest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h bntest.o: ../include/openssl/sha.h ../include/openssl/stack.h bntest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h bntest.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h bntest.o: ../include/openssl/x509_vfy.h bntest.c casttest.o: ../e_os.h ../include/openssl/cast.h ../include/openssl/e_os2.h casttest.o: ../include/openssl/opensslconf.h casttest.c destest.o: ../include/openssl/crypto.h ../include/openssl/des.h destest.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h destest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h destest.o: ../include/openssl/safestack.h ../include/openssl/stack.h destest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h destest.o: ../include/openssl/ui_compat.h destest.c dhtest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h dhtest.o: ../include/openssl/crypto.h ../include/openssl/dh.h dhtest.o: ../include/openssl/e_os2.h ../include/openssl/err.h dhtest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h dhtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h dhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h dhtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h dhtest.c dsatest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h dsatest.o: ../include/openssl/crypto.h ../include/openssl/dh.h dsatest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h dsatest.o: ../include/openssl/err.h ../include/openssl/lhash.h dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h dsatest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h dsatest.o: ../include/openssl/safestack.h ../include/openssl/stack.h dsatest.o: ../include/openssl/symhacks.h dsatest.c ectest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ectest.o: ../include/openssl/bn.h ../include/openssl/crypto.h ectest.o: ../include/openssl/dh.h ../include/openssl/dsa.h ectest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h ectest.o: ../include/openssl/engine.h ../include/openssl/err.h ectest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h ectest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ectest.o: ../include/openssl/rand.h ../include/openssl/rsa.h ectest.o: ../include/openssl/safestack.h ../include/openssl/stack.h ectest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h ectest.c enginetest.o: ../include/openssl/asn1.h ../include/openssl/bio.h enginetest.o: ../include/openssl/bn.h ../include/openssl/buffer.h enginetest.o: ../include/openssl/crypto.h ../include/openssl/dh.h enginetest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h enginetest.o: ../include/openssl/engine.h ../include/openssl/err.h enginetest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h enginetest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h enginetest.o: ../include/openssl/rand.h ../include/openssl/rsa.h enginetest.o: ../include/openssl/safestack.h ../include/openssl/stack.h enginetest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h enginetest.o: enginetest.c evp_test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h evp_test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h evp_test.o: ../include/openssl/bn.h ../include/openssl/cast.h evp_test.o: ../include/openssl/conf.h ../include/openssl/crypto.h evp_test.o: ../include/openssl/des.h ../include/openssl/des_old.h evp_test.o: ../include/openssl/dh.h ../include/openssl/dsa.h evp_test.o: ../include/openssl/e_os2.h ../include/openssl/engine.h evp_test.o: ../include/openssl/err.h ../include/openssl/evp.h evp_test.o: ../include/openssl/idea.h ../include/openssl/lhash.h evp_test.o: ../include/openssl/md2.h ../include/openssl/md4.h evp_test.o: ../include/openssl/md5.h ../include/openssl/mdc2.h evp_test.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h evp_test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h evp_test.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h evp_test.o: ../include/openssl/rc2.h ../include/openssl/rc4.h evp_test.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h evp_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h evp_test.o: ../include/openssl/sha.h ../include/openssl/stack.h evp_test.o: ../include/openssl/symhacks.h ../include/openssl/ui.h evp_test.o: ../include/openssl/ui_compat.h evp_test.c exptest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h exptest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h exptest.o: ../include/openssl/err.h ../include/openssl/lhash.h exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h exptest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h exptest.o: ../include/openssl/symhacks.h exptest.c hmactest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h hmactest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h hmactest.o: ../include/openssl/bn.h ../include/openssl/cast.h hmactest.o: ../include/openssl/crypto.h ../include/openssl/des.h hmactest.o: ../include/openssl/des_old.h ../include/openssl/dh.h hmactest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h hmactest.o: ../include/openssl/evp.h ../include/openssl/hmac.h hmactest.o: ../include/openssl/idea.h ../include/openssl/md2.h hmactest.o: ../include/openssl/md4.h ../include/openssl/md5.h hmactest.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h hmactest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h hmactest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h hmactest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h hmactest.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h hmactest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h hmactest.o: ../include/openssl/sha.h ../include/openssl/stack.h hmactest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h hmactest.o: ../include/openssl/ui_compat.h hmactest.c ideatest.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/idea.h ideatest.o: ../include/openssl/opensslconf.h ideatest.c md2test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h md2test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h md2test.o: ../include/openssl/bn.h ../include/openssl/cast.h md2test.o: ../include/openssl/crypto.h ../include/openssl/des.h md2test.o: ../include/openssl/des_old.h ../include/openssl/dh.h md2test.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h md2test.o: ../include/openssl/evp.h ../include/openssl/idea.h md2test.o: ../include/openssl/md2.h ../include/openssl/md4.h md2test.o: ../include/openssl/md5.h ../include/openssl/mdc2.h md2test.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h md2test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h md2test.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h md2test.o: ../include/openssl/rc4.h ../include/openssl/rc5.h md2test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h md2test.o: ../include/openssl/safestack.h ../include/openssl/sha.h md2test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h md2test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h md2test.c md4test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h md4test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h md4test.o: ../include/openssl/bn.h ../include/openssl/cast.h md4test.o: ../include/openssl/crypto.h ../include/openssl/des.h md4test.o: ../include/openssl/des_old.h ../include/openssl/dh.h md4test.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h md4test.o: ../include/openssl/evp.h ../include/openssl/idea.h md4test.o: ../include/openssl/md2.h ../include/openssl/md4.h md4test.o: ../include/openssl/md5.h ../include/openssl/mdc2.h md4test.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h md4test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h md4test.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h md4test.o: ../include/openssl/rc4.h ../include/openssl/rc5.h md4test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h md4test.o: ../include/openssl/safestack.h ../include/openssl/sha.h md4test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h md4test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h md4test.c md5test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h md5test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h md5test.o: ../include/openssl/bn.h ../include/openssl/cast.h md5test.o: ../include/openssl/crypto.h ../include/openssl/des.h md5test.o: ../include/openssl/des_old.h ../include/openssl/dh.h md5test.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h md5test.o: ../include/openssl/evp.h ../include/openssl/idea.h md5test.o: ../include/openssl/md2.h ../include/openssl/md4.h md5test.o: ../include/openssl/md5.h ../include/openssl/mdc2.h md5test.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h md5test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h md5test.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h md5test.o: ../include/openssl/rc4.h ../include/openssl/rc5.h md5test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h md5test.o: ../include/openssl/safestack.h ../include/openssl/sha.h md5test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h md5test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h md5test.c mdc2test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h mdc2test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h mdc2test.o: ../include/openssl/bn.h ../include/openssl/cast.h mdc2test.o: ../include/openssl/crypto.h ../include/openssl/des.h mdc2test.o: ../include/openssl/des_old.h ../include/openssl/dh.h mdc2test.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h mdc2test.o: ../include/openssl/evp.h ../include/openssl/idea.h mdc2test.o: ../include/openssl/md2.h ../include/openssl/md4.h mdc2test.o: ../include/openssl/md5.h ../include/openssl/mdc2.h mdc2test.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h mdc2test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h mdc2test.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h mdc2test.o: ../include/openssl/rc4.h ../include/openssl/rc5.h mdc2test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h mdc2test.o: ../include/openssl/safestack.h ../include/openssl/sha.h mdc2test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h mdc2test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h mdc2test.c randtest.o: ../e_os.h ../include/openssl/e_os2.h randtest.o: ../include/openssl/opensslconf.h ../include/openssl/ossl_typ.h randtest.o: ../include/openssl/rand.h randtest.c rc2test.o: ../e_os.h ../include/openssl/e_os2.h rc2test.o: ../include/openssl/opensslconf.h ../include/openssl/rc2.h rc2test.c rc4test.o: ../e_os.h ../include/openssl/e_os2.h rc4test.o: ../include/openssl/opensslconf.h ../include/openssl/rc4.h rc4test.c rc5test.o: ../e_os.h ../include/openssl/e_os2.h rc5test.o: ../include/openssl/opensslconf.h ../include/openssl/rc5.h rc5test.c rmdtest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h rmdtest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h rmdtest.o: ../include/openssl/bn.h ../include/openssl/cast.h rmdtest.o: ../include/openssl/crypto.h ../include/openssl/des.h rmdtest.o: ../include/openssl/des_old.h ../include/openssl/dh.h rmdtest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h rmdtest.o: ../include/openssl/evp.h ../include/openssl/idea.h rmdtest.o: ../include/openssl/md2.h ../include/openssl/md4.h rmdtest.o: ../include/openssl/md5.h ../include/openssl/mdc2.h rmdtest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h rmdtest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h rmdtest.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h rmdtest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h rmdtest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h rmdtest.o: ../include/openssl/safestack.h ../include/openssl/sha.h rmdtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h rmdtest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h rmdtest.c rsa_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h rsa_test.o: ../include/openssl/bn.h ../include/openssl/crypto.h rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/err.h rsa_test.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h rsa_test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h rsa_test.o: ../include/openssl/rand.h ../include/openssl/rsa.h rsa_test.o: ../include/openssl/safestack.h ../include/openssl/stack.h rsa_test.o: ../include/openssl/symhacks.h rsa_test.c sha1test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h sha1test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h sha1test.o: ../include/openssl/bn.h ../include/openssl/cast.h sha1test.o: ../include/openssl/crypto.h ../include/openssl/des.h sha1test.o: ../include/openssl/des_old.h ../include/openssl/dh.h sha1test.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h sha1test.o: ../include/openssl/evp.h ../include/openssl/idea.h sha1test.o: ../include/openssl/md2.h ../include/openssl/md4.h sha1test.o: ../include/openssl/md5.h ../include/openssl/mdc2.h sha1test.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h sha1test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h sha1test.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h sha1test.o: ../include/openssl/rc4.h ../include/openssl/rc5.h sha1test.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h sha1test.o: ../include/openssl/safestack.h ../include/openssl/sha.h sha1test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h sha1test.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h sha1test.c shatest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h shatest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h shatest.o: ../include/openssl/bn.h ../include/openssl/cast.h shatest.o: ../include/openssl/crypto.h ../include/openssl/des.h shatest.o: ../include/openssl/des_old.h ../include/openssl/dh.h shatest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h shatest.o: ../include/openssl/evp.h ../include/openssl/idea.h shatest.o: ../include/openssl/md2.h ../include/openssl/md4.h shatest.o: ../include/openssl/md5.h ../include/openssl/mdc2.h shatest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h shatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h shatest.o: ../include/openssl/ossl_typ.h ../include/openssl/rc2.h shatest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h shatest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h shatest.o: ../include/openssl/safestack.h ../include/openssl/sha.h shatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h shatest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h shatest.c ssltest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h ssltest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h ssltest.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssltest.o: ../include/openssl/cast.h ../include/openssl/comp.h ssltest.o: ../include/openssl/crypto.h ../include/openssl/des.h ssltest.o: ../include/openssl/des_old.h ../include/openssl/dh.h ssltest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h ssltest.o: ../include/openssl/engine.h ../include/openssl/err.h ssltest.o: ../include/openssl/evp.h ../include/openssl/idea.h ssltest.o: ../include/openssl/kssl.h ../include/openssl/lhash.h ssltest.o: ../include/openssl/md2.h ../include/openssl/md4.h ssltest.o: ../include/openssl/md5.h ../include/openssl/mdc2.h ssltest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h ssltest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h ssltest.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h ssltest.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h ssltest.o: ../include/openssl/rand.h ../include/openssl/rc2.h ssltest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h ssltest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h ssltest.o: ../include/openssl/safestack.h ../include/openssl/sha.h ssltest.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssltest.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssltest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssltest.o: ../include/openssl/tls1.h ../include/openssl/ui.h ssltest.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h ssltest.o: ../include/openssl/x509_vfy.h ssltest.c diff --git a/crypto/openssl/tools/Makefile.ssl b/crypto/openssl/tools/Makefile.ssl index bf0cd29c7745..cb33d4a41eee 100644 --- a/crypto/openssl/tools/Makefile.ssl +++ b/crypto/openssl/tools/Makefile.ssl @@ -1,64 +1,64 @@ # # SSLeay/tools/Makefile # DIR= tools TOP= .. CC= cc INCLUDES= -I$(TOP) -I../../include CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile.ssl TEST= APPS= c_rehash MISC_APPS= c_hash c_info c_issuer c_name all: install: @for i in $(APPS) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \ done; @for i in $(MISC_APPS) ; \ do \ (cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \ chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \ mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \ done; files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO links: - @$(TOP)/util/point.sh Makefile.ssl Makefile + @sh $(TOP)/util/point.sh Makefile.ssl Makefile lint: tags: errors: depend: dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) clean: rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff errors: # DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/crypto/openssl/tools/c_rehash b/crypto/openssl/tools/c_rehash index e614fb546667..3e9ba1efe490 100644 --- a/crypto/openssl/tools/c_rehash +++ b/crypto/openssl/tools/c_rehash @@ -1,160 +1,160 @@ -#!/usr/bin/perl +#!/usr/local/bin/perl # Perl c_rehash script, scan all files in a directory # and add symbolic links to their hash values. my $openssl; my $dir = "/usr/local/ssl"; if(defined $ENV{OPENSSL}) { $openssl = $ENV{OPENSSL}; } else { $openssl = "openssl"; $ENV{OPENSSL} = $openssl; } $ENV{PATH} .= ":$dir/bin"; if(! -x $openssl) { my $found = 0; foreach (split /:/, $ENV{PATH}) { if(-x "$_/$openssl") { $found = 1; last; } } if($found == 0) { print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n"; exit 0; } } if(@ARGV) { @dirlist = @ARGV; } elsif($ENV{SSL_CERT_DIR}) { @dirlist = split /:/, $ENV{SSL_CERT_DIR}; } else { $dirlist[0] = "$dir/certs"; } foreach (@dirlist) { if(-d $_ and -w $_) { hash_dir($_); } } sub hash_dir { my %hashlist; print "Doing $_[0]\n"; chdir $_[0]; opendir(DIR, "."); my @flist = readdir(DIR); # Delete any existing symbolic links foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { if(-l $_) { unlink $_; } } closedir DIR; FILE: foreach $fname (grep {/\.pem$/} @flist) { # Check to see if certificates and/or CRLs present. my ($cert, $crl) = check_file($fname); if(!$cert && !$crl) { print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; next; } link_hash_cert($fname) if($cert); link_hash_crl($fname) if($crl); } } sub check_file { my ($is_cert, $is_crl) = (0,0); my $fname = $_[0]; open IN, $fname; while() { if(/^-----BEGIN (.*)-----/) { my $hdr = $1; if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { $is_cert = 1; last if($is_crl); } elsif($hdr eq "X509 CRL") { $is_crl = 1; last if($is_cert); } } } close IN; return ($is_cert, $is_crl); } # Link a certificate to its subject name hash value, each hash is of # the form . where n is an integer. If the hash value already exists # then we need to up the value of n, unless its a duplicate in which # case we skip the link. We check for duplicates by comparing the # certificate fingerprints sub link_hash_cert { my $fname = $_[0]; $fname =~ s/'/'\\''/g; my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname'`; chomp $hash; chomp $fprint; $fprint =~ s/^.*=//; $fprint =~ tr/://d; my $suffix = 0; # Search for an unused hash filename while(exists $hashlist{"$hash.$suffix"}) { # Hash matches: if fingerprint matches its a duplicate cert if($hashlist{"$hash.$suffix"} eq $fprint) { print STDERR "WARNING: Skipping duplicate certificate $fname\n"; return; } $suffix++; } $hash .= ".$suffix"; print "$fname => $hash\n"; $symlink_exists=eval {symlink("",""); 1}; if ($symlink_exists) { symlink $fname, $hash; } else { system ("cp", $fname, $hash); } $hashlist{$hash} = $fprint; } # Same as above except for a CRL. CRL links are of the form .r sub link_hash_crl { my $fname = $_[0]; $fname =~ s/'/'\\''/g; my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`; chomp $hash; chomp $fprint; $fprint =~ s/^.*=//; $fprint =~ tr/://d; my $suffix = 0; # Search for an unused hash filename while(exists $hashlist{"$hash.r$suffix"}) { # Hash matches: if fingerprint matches its a duplicate cert if($hashlist{"$hash.r$suffix"} eq $fprint) { print STDERR "WARNING: Skipping duplicate CRL $fname\n"; return; } $suffix++; } $hash .= ".r$suffix"; print "$fname => $hash\n"; $symlink_exists=eval {symlink("",""); 1}; if ($symlink_exists) { symlink $fname, $hash; } else { system ("cp", $fname, $hash); } $hashlist{$hash} = $fprint; } diff --git a/crypto/openssl/util/extract-names.pl b/crypto/openssl/util/extract-names.pl index 9f2ad5ef166c..744a8e2324e6 100644 --- a/crypto/openssl/util/extract-names.pl +++ b/crypto/openssl/util/extract-names.pl @@ -1,22 +1,24 @@ #!/usr/bin/perl $/ = ""; # Eat a paragraph at once. while() { chop; s/\n/ /gm; if (/^=head1 /) { $name = 0; } elsif ($name) { if (/ - /) { s/ - .*//; s/,[ \t]+/,/g; + s/^[ \t]+//g; + s/[ \t]+$//g; push @words, split ','; } } if (/^=head1 *NAME *$/) { $name = 1; } } print join("\n", @words),"\n"; diff --git a/crypto/openssl/util/mk1mf.pl b/crypto/openssl/util/mk1mf.pl index c538f9dffb1d..b4bc0457e54a 100755 --- a/crypto/openssl/util/mk1mf.pl +++ b/crypto/openssl/util/mk1mf.pl @@ -1,934 +1,936 @@ #!/usr/local/bin/perl # A bit of an evil hack but it post processes the file ../MINFO which # is generated by `make files` in the top directory. # This script outputs one mega makefile that has no shell stuff or any # funny stuff # $INSTALLTOP="/usr/local/ssl"; $OPTIONS=""; $ssl_version=""; $banner="\t\@echo Building OpenSSL"; open(IN,") { $ssl_version=$1 if (/^VERSION=(.*)$/); $OPTIONS=$1 if (/^OPTIONS=(.*)$/); $INSTALLTOP=$1 if (/^INSTALLTOP=(.*$)/); } close(IN); die "Makefile.ssl is not the toplevel Makefile!\n" if $ssl_version eq ""; $infile="MINFO"; %ops=( "VC-WIN32", "Microsoft Visual C++ [4-6] - Windows NT or 9X", "VC-CE", "Microsoft eMbedded Visual C++ 3.0 - Windows CE ONLY", "VC-NT", "Microsoft Visual C++ [4-6] - Windows NT ONLY", "VC-W31-16", "Microsoft Visual C++ 1.52 - Windows 3.1 - 286", "VC-WIN16", "Alias for VC-W31-32", "VC-W31-32", "Microsoft Visual C++ 1.52 - Windows 3.1 - 386+", "VC-MSDOS","Microsoft Visual C++ 1.52 - MSDOS", "Mingw32", "GNU C++ - Windows NT or 9x", "Mingw32-files", "Create files with DOS copy ...", "BC-NT", "Borland C++ 4.5 - Windows NT", "BC-W31", "Borland C++ 4.5 - Windows 3.1 - PROBABLY NOT WORKING", "BC-MSDOS","Borland C++ 4.5 - MSDOS", "linux-elf","Linux elf", "ultrix-mips","DEC mips ultrix", "FreeBSD","FreeBSD distribution", "OS2-EMX", "EMX GCC OS/2", "default","cc under unix", ); $platform=""; foreach (@ARGV) { if (!&read_options && !defined($ops{$_})) { print STDERR "unknown option - $_\n"; print STDERR "usage: perl mk1mf.pl [options] [system]\n"; print STDERR "\nwhere [system] can be one of the following\n"; foreach $i (sort keys %ops) { printf STDERR "\t%-10s\t%s\n",$i,$ops{$i}; } print STDERR <<"EOF"; and [options] can be one of no-md2 no-md4 no-md5 no-sha no-mdc2 - Skip this digest no-ripemd no-rc2 no-rc4 no-rc5 no-idea no-des - Skip this symetric cipher no-bf no-cast no-aes no-rsa no-dsa no-dh - Skip this public key cipher no-ssl2 no-ssl3 - Skip this version of SSL just-ssl - remove all non-ssl keys/digest no-asm - No x86 asm no-krb5 - No KRB5 no-ec - No EC no-engine - No engine no-hw - No hw nasm - Use NASM for x86 asm gaswin - Use GNU as with Mingw32 no-socks - No socket code no-err - No error strings dll/shlib - Build shared libraries (MS) debug - Debug build profile - Profiling build gcc - Use Gcc (unix) Values that can be set TMP=tmpdir OUT=outdir SRC=srcdir BIN=binpath INC=header-outdir CC=C-compiler -L -l - extra library flags (unix) - - extra 'cc' flags, added (MS), or replace (unix) EOF exit(1); } $platform=$_; } foreach (grep(!/^$/, split(/ /, $OPTIONS))) { print STDERR "unknown option - $_\n" if !&read_options; } $no_mdc2=1 if ($no_des); $no_ssl3=1 if ($no_md5 || $no_sha); $no_ssl3=1 if ($no_rsa && $no_dh); $no_ssl2=1 if ($no_md5); $no_ssl2=1 if ($no_rsa); $out_def="out"; $inc_def="outinc"; $tmp_def="tmp"; $mkdir="-mkdir"; ($ssl,$crypto)=("ssl","crypto"); $ranlib="echo ranlib"; $cc=(defined($VARS{'CC'}))?$VARS{'CC'}:'cc'; $src_dir=(defined($VARS{'SRC'}))?$VARS{'SRC'}:'.'; $bin_dir=(defined($VARS{'BIN'}))?$VARS{'BIN'}:''; # $bin_dir.=$o causes a core dump on my sparc :-( $NT=0; push(@INC,"util/pl","pl"); if ($platform eq "VC-MSDOS") { $asmbits=16; $msdos=1; require 'VC-16.pl'; } elsif ($platform eq "VC-W31-16") { $asmbits=16; $msdos=1; $win16=1; require 'VC-16.pl'; } elsif (($platform eq "VC-W31-32") || ($platform eq "VC-WIN16")) { $asmbits=32; $msdos=1; $win16=1; require 'VC-16.pl'; } elsif (($platform eq "VC-WIN32") || ($platform eq "VC-NT")) { $NT = 1 if $platform eq "VC-NT"; require 'VC-32.pl'; } elsif ($platform eq "VC-CE") { require 'VC-CE.pl'; } elsif ($platform eq "Mingw32") { require 'Mingw32.pl'; } elsif ($platform eq "Mingw32-files") { require 'Mingw32f.pl'; } elsif ($platform eq "BC-NT") { $bc=1; require 'BC-32.pl'; } elsif ($platform eq "BC-W31") { $bc=1; $msdos=1; $w16=1; require 'BC-16.pl'; } elsif ($platform eq "BC-Q16") { $msdos=1; $w16=1; $shlib=0; $qw=1; require 'BC-16.pl'; } elsif ($platform eq "BC-MSDOS") { $asmbits=16; $msdos=1; require 'BC-16.pl'; } elsif ($platform eq "FreeBSD") { require 'unix.pl'; $cflags='-DTERMIO -D_ANSI_SOURCE -O2 -fomit-frame-pointer'; } elsif ($platform eq "linux-elf") { require "unix.pl"; require "linux.pl"; $unix=1; } elsif ($platform eq "ultrix-mips") { require "unix.pl"; require "ultrix.pl"; $unix=1; } elsif ($platform eq "OS2-EMX") { $wc=1; require 'OS2-EMX.pl'; } else { require "unix.pl"; $unix=1; $cflags.=' -DTERMIO'; } $out_dir=(defined($VARS{'OUT'}))?$VARS{'OUT'}:$out_def.($debug?".dbg":""); $tmp_dir=(defined($VARS{'TMP'}))?$VARS{'TMP'}:$tmp_def.($debug?".dbg":""); $inc_dir=(defined($VARS{'INC'}))?$VARS{'INC'}:$inc_def; $bin_dir=$bin_dir.$o unless ((substr($bin_dir,-1,1) eq $o) || ($bin_dir eq '')); $cflags.=" -DOPENSSL_NO_IDEA" if $no_idea; $cflags.=" -DOPENSSL_NO_AES" if $no_aes; $cflags.=" -DOPENSSL_NO_RC2" if $no_rc2; $cflags.=" -DOPENSSL_NO_RC4" if $no_rc4; $cflags.=" -DOPENSSL_NO_RC5" if $no_rc5; $cflags.=" -DOPENSSL_NO_MD2" if $no_md2; $cflags.=" -DOPENSSL_NO_MD4" if $no_md4; $cflags.=" -DOPENSSL_NO_MD5" if $no_md5; $cflags.=" -DOPENSSL_NO_SHA" if $no_sha; $cflags.=" -DOPENSSL_NO_SHA1" if $no_sha1; $cflags.=" -DOPENSSL_NO_RIPEMD" if $no_ripemd; $cflags.=" -DOPENSSL_NO_MDC2" if $no_mdc2; $cflags.=" -DOPENSSL_NO_BF" if $no_bf; $cflags.=" -DOPENSSL_NO_CAST" if $no_cast; $cflags.=" -DOPENSSL_NO_DES" if $no_des; $cflags.=" -DOPENSSL_NO_RSA" if $no_rsa; $cflags.=" -DOPENSSL_NO_DSA" if $no_dsa; $cflags.=" -DOPENSSL_NO_DH" if $no_dh; $cflags.=" -DOPENSSL_NO_SOCK" if $no_sock; $cflags.=" -DOPENSSL_NO_SSL2" if $no_ssl2; $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3; $cflags.=" -DOPENSSL_NO_ERR" if $no_err; $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5; $cflags.=" -DOPENSSL_NO_EC" if $no_ec; $cflags.=" -DOPENSSL_NO_ENGINE" if $no_engine; $cflags.=" -DOPENSSL_NO_HW" if $no_hw; #$cflags.=" -DRSAref" if $rsaref ne ""; ## if ($unix) ## { $cflags="$c_flags" if ($c_flags ne ""); } ##else { $cflags="$c_flags$cflags" if ($c_flags ne ""); } $ex_libs="$l_flags$ex_libs" if ($l_flags ne ""); %shlib_ex_cflags=("SSL" => " -DOPENSSL_BUILD_SHLIBSSL", "CRYPTO" => " -DOPENSSL_BUILD_SHLIBCRYPTO"); if ($msdos) { $banner ="\t\@echo Make sure you have run 'perl Configure $platform' in the\n"; $banner.="\t\@echo top level directory, if you don't have perl, you will\n"; $banner.="\t\@echo need to probably edit crypto/bn/bn.h, check the\n"; $banner.="\t\@echo documentation for details.\n"; } # have to do this to allow $(CC) under unix $link="$bin_dir$link" if ($link !~ /^\$/); $INSTALLTOP =~ s|/|$o|g; $defs= <<"EOF"; # This makefile has been automatically generated from the OpenSSL distribution. # This single makefile will build the complete OpenSSL distribution and # by default leave the 'intertesting' output files in .${o}out and the stuff # that needs deleting in .${o}tmp. # The file was generated by running 'make makefile.one', which # does a 'make files', which writes all the environment variables from all # the makefiles to the file call MINFO. This file is used by # util${o}mk1mf.pl to generate makefile.one. # The 'makefile per directory' system suites me when developing this # library and also so I can 'distribute' indervidual library sections. # The one monster makefile better suits building in non-unix # environments. EOF +$defs .= $preamble if defined $preamble; + if ($platform eq "VC-CE") { $defs.= <<"EOF"; !INCLUDE <\$(WCECOMPAT)/wcedefs.mak> EOF } $defs.= <<"EOF"; INSTALLTOP=$INSTALLTOP # Set your compiler options PLATFORM=$platform CC=$bin_dir${cc} CFLAG=$cflags APP_CFLAG=$app_cflag LIB_CFLAG=$lib_cflag SHLIB_CFLAG=$shl_cflag APP_EX_OBJ=$app_ex_obj SHLIB_EX_OBJ=$shlib_ex_obj # add extra libraries to this define, for solaris -lsocket -lnsl would # be added EX_LIBS=$ex_libs # The OpenSSL directory SRC_D=$src_dir LINK=$link LFLAGS=$lflags BN_ASM_OBJ=$bn_asm_obj BN_ASM_SRC=$bn_asm_src BNCO_ASM_OBJ=$bnco_asm_obj BNCO_ASM_SRC=$bnco_asm_src DES_ENC_OBJ=$des_enc_obj DES_ENC_SRC=$des_enc_src BF_ENC_OBJ=$bf_enc_obj BF_ENC_SRC=$bf_enc_src CAST_ENC_OBJ=$cast_enc_obj CAST_ENC_SRC=$cast_enc_src RC4_ENC_OBJ=$rc4_enc_obj RC4_ENC_SRC=$rc4_enc_src RC5_ENC_OBJ=$rc5_enc_obj RC5_ENC_SRC=$rc5_enc_src MD5_ASM_OBJ=$md5_asm_obj MD5_ASM_SRC=$md5_asm_src SHA1_ASM_OBJ=$sha1_asm_obj SHA1_ASM_SRC=$sha1_asm_src RMD160_ASM_OBJ=$rmd160_asm_obj RMD160_ASM_SRC=$rmd160_asm_src # The output directory for everything intersting OUT_D=$out_dir # The output directory for all the temporary muck TMP_D=$tmp_dir # The output directory for the header files INC_D=$inc_dir INCO_D=$inc_dir${o}openssl CP=$cp RM=$rm RANLIB=$ranlib MKDIR=$mkdir MKLIB=$bin_dir$mklib MLFLAGS=$mlflags ASM=$bin_dir$asm ###################################################### # You should not need to touch anything below this point ###################################################### E_EXE=openssl SSL=$ssl CRYPTO=$crypto # BIN_D - Binary output directory # TEST_D - Binary test file output directory # LIB_D - library output directory # Note: if you change these point to different directories then uncomment out # the lines around the 'NB' comment below. # BIN_D=\$(OUT_D) TEST_D=\$(OUT_D) LIB_D=\$(OUT_D) # INCL_D - local library directory # OBJ_D - temp object file directory OBJ_D=\$(TMP_D) INCL_D=\$(TMP_D) O_SSL= \$(LIB_D)$o$plib\$(SSL)$shlibp O_CRYPTO= \$(LIB_D)$o$plib\$(CRYPTO)$shlibp SO_SSL= $plib\$(SSL)$so_shlibp SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp L_SSL= \$(LIB_D)$o$plib\$(SSL)$libp L_CRYPTO= \$(LIB_D)$o$plib\$(CRYPTO)$libp L_LIBS= \$(L_SSL) \$(L_CRYPTO) ###################################################### # Don't touch anything below this point ###################################################### INC=-I\$(INC_D) -I\$(INCL_D) APP_CFLAGS=\$(INC) \$(CFLAG) \$(APP_CFLAG) LIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG) SHLIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG) \$(SHLIB_CFLAG) LIBS_DEP=\$(O_CRYPTO) \$(O_SSL) ############################################# EOF $rules=<<"EOF"; all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe banner: $banner \$(TMP_D): \$(MKDIR) \$(TMP_D) # NB: uncomment out these lines if BIN_D, TEST_D and LIB_D are different #\$(BIN_D): # \$(MKDIR) \$(BIN_D) # #\$(TEST_D): # \$(MKDIR) \$(TEST_D) \$(LIB_D): \$(MKDIR) \$(LIB_D) \$(INCO_D): \$(INC_D) \$(MKDIR) \$(INCO_D) \$(INC_D): \$(MKDIR) \$(INC_D) headers: \$(HEADER) \$(EXHEADER) @ lib: \$(LIBS_DEP) exe: \$(T_EXE) \$(BIN_D)$o\$(E_EXE)$exep install: \$(MKDIR) \$(INSTALLTOP) \$(MKDIR) \$(INSTALLTOP)${o}bin \$(MKDIR) \$(INSTALLTOP)${o}include \$(MKDIR) \$(INSTALLTOP)${o}include${o}openssl \$(MKDIR) \$(INSTALLTOP)${o}lib \$(CP) \$(INCO_D)${o}*.\[ch\] \$(INSTALLTOP)${o}include${o}openssl \$(CP) \$(BIN_D)$o\$(E_EXE)$exep \$(INSTALLTOP)${o}bin \$(CP) \$(O_SSL) \$(INSTALLTOP)${o}lib \$(CP) \$(O_CRYPTO) \$(INSTALLTOP)${o}lib clean: \$(RM) \$(TMP_D)$o*.* vclean: \$(RM) \$(TMP_D)$o*.* \$(RM) \$(OUT_D)$o*.* EOF my $platform_cpp_symbol = "MK1MF_PLATFORM_$platform"; $platform_cpp_symbol =~ s/-/_/g; if (open(IN,"crypto/buildinf.h")) { # Remove entry for this platform in existing file buildinf.h. my $old_buildinf_h = ""; while () { if (/^\#ifdef $platform_cpp_symbol$/) { while () { last if (/^\#endif/); } } else { $old_buildinf_h .= $_; } } close(IN); open(OUT,">crypto/buildinf.h") || die "Can't open buildinf.h"; print OUT $old_buildinf_h; close(OUT); } open (OUT,">>crypto/buildinf.h") || die "Can't open buildinf.h"; printf OUT <; for (;;) { chop; ($key,$val)=/^([^=]+)=(.*)/; if ($key eq "RELATIVE_DIRECTORY") { if ($lib ne "") { $uc=$lib; $uc =~ s/^lib(.*)\.a/$1/; $uc =~ tr/a-z/A-Z/; $lib_nam{$uc}=$uc; $lib_obj{$uc}.=$libobj." "; } last if ($val eq "FINISHED"); $lib=""; $libobj=""; $dir=$val; } if ($key eq "TEST") { $test.=&var_add($dir,$val); } if (($key eq "PROGS") || ($key eq "E_OBJ")) { $e_exe.=&var_add($dir,$val); } if ($key eq "LIB") { $lib=$val; $lib =~ s/^.*\/([^\/]+)$/$1/; } if ($key eq "EXHEADER") { $exheader.=&var_add($dir,$val); } if ($key eq "HEADER") { $header.=&var_add($dir,$val); } if ($key eq "LIBOBJ") { $libobj=&var_add($dir,$val); } if (!($_=)) { $_="RELATIVE_DIRECTORY=FINISHED\n"; } } close(IN); # Strip of trailing ' ' foreach (keys %lib_obj) { $lib_obj{$_}=&clean_up_ws($lib_obj{$_}); } $test=&clean_up_ws($test); $e_exe=&clean_up_ws($e_exe); $exheader=&clean_up_ws($exheader); $header=&clean_up_ws($header); # First we strip the exheaders from the headers list foreach (split(/\s+/,$exheader)){ $h{$_}=1; } foreach (split(/\s+/,$header)) { $h.=$_." " unless $h{$_}; } chop($h); $header=$h; $defs.=&do_defs("HEADER",$header,"\$(INCL_D)",".h"); $rules.=&do_copy_rule("\$(INCL_D)",$header,".h"); $defs.=&do_defs("EXHEADER",$exheader,"\$(INCO_D)",".h"); $rules.=&do_copy_rule("\$(INCO_D)",$exheader,".h"); $defs.=&do_defs("T_OBJ",$test,"\$(OBJ_D)",$obj); $rules.=&do_compile_rule("\$(OBJ_D)",$test,"\$(APP_CFLAGS)"); $defs.=&do_defs("E_OBJ",$e_exe,"\$(OBJ_D)",$obj); $rules.=&do_compile_rule("\$(OBJ_D)",$e_exe,'-DMONOLITH $(APP_CFLAGS)'); foreach (values %lib_nam) { $lib_obj=$lib_obj{$_}; local($slib)=$shlib; if (($_ eq "SSL") && $no_ssl2 && $no_ssl3) { $rules.="\$(O_SSL):\n\n"; next; } if (($bn_asm_obj ne "") && ($_ eq "CRYPTO")) { $lib_obj =~ s/\s\S*\/bn_asm\S*/ \$(BN_ASM_OBJ)/; $rules.=&do_asm_rule($bn_asm_obj,$bn_asm_src); } if (($bnco_asm_obj ne "") && ($_ eq "CRYPTO")) { $lib_obj .= "\$(BNCO_ASM_OBJ)"; $rules.=&do_asm_rule($bnco_asm_obj,$bnco_asm_src); } if (($des_enc_obj ne "") && ($_ eq "CRYPTO")) { $lib_obj =~ s/\s\S*des_enc\S*/ \$(DES_ENC_OBJ)/; $lib_obj =~ s/\s\S*\/fcrypt_b\S*\s*/ /; $rules.=&do_asm_rule($des_enc_obj,$des_enc_src); } if (($bf_enc_obj ne "") && ($_ eq "CRYPTO")) { $lib_obj =~ s/\s\S*\/bf_enc\S*/ \$(BF_ENC_OBJ)/; $rules.=&do_asm_rule($bf_enc_obj,$bf_enc_src); } if (($cast_enc_obj ne "") && ($_ eq "CRYPTO")) { $lib_obj =~ s/(\s\S*\/c_enc\S*)/ \$(CAST_ENC_OBJ)/; $rules.=&do_asm_rule($cast_enc_obj,$cast_enc_src); } if (($rc4_enc_obj ne "") && ($_ eq "CRYPTO")) { $lib_obj =~ s/\s\S*\/rc4_enc\S*/ \$(RC4_ENC_OBJ)/; $rules.=&do_asm_rule($rc4_enc_obj,$rc4_enc_src); } if (($rc5_enc_obj ne "") && ($_ eq "CRYPTO")) { $lib_obj =~ s/\s\S*\/rc5_enc\S*/ \$(RC5_ENC_OBJ)/; $rules.=&do_asm_rule($rc5_enc_obj,$rc5_enc_src); } if (($md5_asm_obj ne "") && ($_ eq "CRYPTO")) { $lib_obj =~ s/\s(\S*\/md5_dgst\S*)/ $1 \$(MD5_ASM_OBJ)/; $rules.=&do_asm_rule($md5_asm_obj,$md5_asm_src); } if (($sha1_asm_obj ne "") && ($_ eq "CRYPTO")) { $lib_obj =~ s/\s(\S*\/sha1dgst\S*)/ $1 \$(SHA1_ASM_OBJ)/; $rules.=&do_asm_rule($sha1_asm_obj,$sha1_asm_src); } if (($rmd160_asm_obj ne "") && ($_ eq "CRYPTO")) { $lib_obj =~ s/\s(\S*\/rmd_dgst\S*)/ $1 \$(RMD160_ASM_OBJ)/; $rules.=&do_asm_rule($rmd160_asm_obj,$rmd160_asm_src); } $defs.=&do_defs(${_}."OBJ",$lib_obj,"\$(OBJ_D)",$obj); $lib=($slib)?" \$(SHLIB_CFLAGS)".$shlib_ex_cflags{$_}:" \$(LIB_CFLAGS)"; $rules.=&do_compile_rule("\$(OBJ_D)",$lib_obj{$_},$lib); } $defs.=&do_defs("T_EXE",$test,"\$(TEST_D)",$exep); foreach (split(/\s+/,$test)) { $t=&bname($_); $tt="\$(OBJ_D)${o}$t${obj}"; $rules.=&do_link_rule("\$(TEST_D)$o$t$exep",$tt,"\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)"); } $rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)"); $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)"); $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)"); print $defs; if ($platform eq "linux-elf") { print <<"EOF"; # Generate perlasm output files %.cpp: (cd \$(\@D)/..; PERL=perl make -f Makefile.ssl asm/\$(\@F)) EOF } print "###################################################################\n"; print $rules; ############################################### # strip off any trailing .[och] and append the relative directory # also remembering to do nothing if we are in one of the dropped # directories sub var_add { local($dir,$val)=@_; local(@a,$_,$ret); return("") if $no_engine && $dir =~ /\/engine/; return("") if $no_hw && $dir =~ /\/hw/; return("") if $no_idea && $dir =~ /\/idea/; return("") if $no_aes && $dir =~ /\/aes/; return("") if $no_rc2 && $dir =~ /\/rc2/; return("") if $no_rc4 && $dir =~ /\/rc4/; return("") if $no_rc5 && $dir =~ /\/rc5/; return("") if $no_rsa && $dir =~ /\/rsa/; return("") if $no_rsa && $dir =~ /^rsaref/; return("") if $no_dsa && $dir =~ /\/dsa/; return("") if $no_dh && $dir =~ /\/dh/; return("") if $no_ec && $dir =~ /\/ec/; if ($no_des && $dir =~ /\/des/) { if ($val =~ /read_pwd/) { return("$dir/read_pwd "); } else { return(""); } } return("") if $no_mdc2 && $dir =~ /\/mdc2/; return("") if $no_sock && $dir =~ /\/proxy/; return("") if $no_bf && $dir =~ /\/bf/; return("") if $no_cast && $dir =~ /\/cast/; $val =~ s/^\s*(.*)\s*$/$1/; @a=split(/\s+/,$val); grep(s/\.[och]$//,@a); @a=grep(!/^e_.*_3d$/,@a) if $no_des; @a=grep(!/^e_.*_d$/,@a) if $no_des; @a=grep(!/^e_.*_ae$/,@a) if $no_idea; @a=grep(!/^e_.*_i$/,@a) if $no_aes; @a=grep(!/^e_.*_r2$/,@a) if $no_rc2; @a=grep(!/^e_.*_r5$/,@a) if $no_rc5; @a=grep(!/^e_.*_bf$/,@a) if $no_bf; @a=grep(!/^e_.*_c$/,@a) if $no_cast; @a=grep(!/^e_rc4$/,@a) if $no_rc4; @a=grep(!/(^s2_)|(^s23_)/,@a) if $no_ssl2; @a=grep(!/(^s3_)|(^s23_)/,@a) if $no_ssl3; @a=grep(!/(_sock$)|(_acpt$)|(_conn$)|(^pxy_)/,@a) if $no_sock; @a=grep(!/(^md2)|(_md2$)/,@a) if $no_md2; @a=grep(!/(^md4)|(_md4$)/,@a) if $no_md4; @a=grep(!/(^md5)|(_md5$)/,@a) if $no_md5; @a=grep(!/(rmd)|(ripemd)/,@a) if $no_ripemd; @a=grep(!/(^d2i_r_)|(^i2d_r_)/,@a) if $no_rsa; @a=grep(!/(^p_open$)|(^p_seal$)/,@a) if $no_rsa; @a=grep(!/(^pem_seal$)/,@a) if $no_rsa; @a=grep(!/(m_dss$)|(m_dss1$)/,@a) if $no_dsa; @a=grep(!/(^d2i_s_)|(^i2d_s_)|(_dsap$)/,@a) if $no_dsa; @a=grep(!/^n_pkey$/,@a) if $no_rsa || $no_rc4; @a=grep(!/_dhp$/,@a) if $no_dh; @a=grep(!/(^sha[^1])|(_sha$)|(m_dss$)/,@a) if $no_sha; @a=grep(!/(^sha1)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1; @a=grep(!/_mdc2$/,@a) if $no_mdc2; @a=grep(!/^engine$/,@a) if $no_engine; @a=grep(!/^hw$/,@a) if $no_hw; @a=grep(!/(^rsa$)|(^genrsa$)/,@a) if $no_rsa; @a=grep(!/(^dsa$)|(^gendsa$)|(^dsaparam$)/,@a) if $no_dsa; @a=grep(!/^gendsa$/,@a) if $no_sha1; @a=grep(!/(^dh$)|(^gendh$)/,@a) if $no_dh; @a=grep(!/(^dh)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1; grep($_="$dir/$_",@a); @a=grep(!/(^|\/)s_/,@a) if $no_sock; @a=grep(!/(^|\/)bio_sock/,@a) if $no_sock; $ret=join(' ',@a)." "; return($ret); } # change things so that each 'token' is only separated by one space sub clean_up_ws { local($w)=@_; $w =~ s/^\s*(.*)\s*$/$1/; $w =~ s/\s+/ /g; return($w); } sub do_defs { local($var,$files,$location,$postfix)=@_; local($_,$ret,$pf); local(*OUT,$tmp,$t); $files =~ s/\//$o/g if $o ne '/'; $ret="$var="; $n=1; $Vars{$var}.=""; foreach (split(/ /,$files)) { $orig=$_; $_=&bname($_) unless /^\$/; if ($n++ == 2) { $n=0; $ret.="\\\n\t"; } if (($_ =~ /bss_file/) && ($postfix eq ".h")) { $pf=".c"; } else { $pf=$postfix; } if ($_ =~ /BN_ASM/) { $t="$_ "; } elsif ($_ =~ /BNCO_ASM/){ $t="$_ "; } elsif ($_ =~ /DES_ENC/) { $t="$_ "; } elsif ($_ =~ /BF_ENC/) { $t="$_ "; } elsif ($_ =~ /CAST_ENC/){ $t="$_ "; } elsif ($_ =~ /RC4_ENC/) { $t="$_ "; } elsif ($_ =~ /RC5_ENC/) { $t="$_ "; } elsif ($_ =~ /MD5_ASM/) { $t="$_ "; } elsif ($_ =~ /SHA1_ASM/){ $t="$_ "; } elsif ($_ =~ /RMD160_ASM/){ $t="$_ "; } else { $t="$location${o}$_$pf "; } $Vars{$var}.="$t "; $ret.=$t; } chop($ret); $ret.="\n\n"; return($ret); } # return the name with the leading path removed sub bname { local($ret)=@_; $ret =~ s/^.*[\\\/]([^\\\/]+)$/$1/; return($ret); } ############################################################## # do a rule for each file that says 'compile' to new direcory # compile the files in '$files' into $to sub do_compile_rule { local($to,$files,$ex)=@_; local($ret,$_,$n); $files =~ s/\//$o/g if $o ne '/'; foreach (split(/\s+/,$files)) { $n=&bname($_); $ret.=&cc_compile_target("$to${o}$n$obj","${_}.c",$ex) } return($ret); } ############################################################## # do a rule for each file that says 'compile' to new direcory sub cc_compile_target { local($target,$source,$ex_flags)=@_; local($ret); $ex_flags.=" -DMK1MF_BUILD -D$platform_cpp_symbol" if ($source =~ /cversion/); $target =~ s/\//$o/g if $o ne "/"; $source =~ s/\//$o/g if $o ne "/"; $ret ="$target: \$(SRC_D)$o$source\n\t"; $ret.="\$(CC) ${ofile}$target $ex_flags -c \$(SRC_D)$o$source\n\n"; return($ret); } ############################################################## sub do_asm_rule { local($target,$src)=@_; local($ret,@s,@t,$i); $target =~ s/\//$o/g if $o ne "/"; $src =~ s/\//$o/g if $o ne "/"; @s=split(/\s+/,$src); @t=split(/\s+/,$target); for ($i=0; $i<=$#s; $i++) { $ret.="$t[$i]: $s[$i]\n"; $ret.="\t\$(ASM) $afile$t[$i] \$(SRC_D)$o$s[$i]\n\n"; } return($ret); } sub do_shlib_rule { local($n,$def)=@_; local($ret,$nn); local($t); ($nn=$n) =~ tr/a-z/A-Z/; $ret.="$n.dll: \$(${nn}OBJ)\n"; if ($vc && $w32) { $ret.="\t\$(MKSHLIB) $efile$n.dll $def @<<\n \$(${nn}OBJ_F)\n<<\n"; } $ret.="\n"; return($ret); } # do a rule for each file that says 'copy' to new direcory on change sub do_copy_rule { local($to,$files,$p)=@_; local($ret,$_,$n,$pp); $files =~ s/\//$o/g if $o ne '/'; foreach (split(/\s+/,$files)) { $n=&bname($_); if ($n =~ /bss_file/) { $pp=".c"; } else { $pp=$p; } $ret.="$to${o}$n$pp: \$(SRC_D)$o$_$pp\n\t\$(CP) \$(SRC_D)$o$_$pp $to${o}$n$pp\n\n"; } return($ret); } sub read_options { if (/^no-rc2$/) { $no_rc2=1; } elsif (/^no-rc4$/) { $no_rc4=1; } elsif (/^no-rc5$/) { $no_rc5=1; } elsif (/^no-idea$/) { $no_idea=1; } elsif (/^no-aes$/) { $no_aes=1; } elsif (/^no-des$/) { $no_des=1; } elsif (/^no-bf$/) { $no_bf=1; } elsif (/^no-cast$/) { $no_cast=1; } elsif (/^no-md2$/) { $no_md2=1; } elsif (/^no-md4$/) { $no_md4=1; } elsif (/^no-md5$/) { $no_md5=1; } elsif (/^no-sha$/) { $no_sha=1; } elsif (/^no-sha1$/) { $no_sha1=1; } elsif (/^no-ripemd$/) { $no_ripemd=1; } elsif (/^no-mdc2$/) { $no_mdc2=1; } elsif (/^no-patents$/) { $no_rc2=$no_rc4=$no_rc5=$no_idea=$no_rsa=1; } elsif (/^no-rsa$/) { $no_rsa=1; } elsif (/^no-dsa$/) { $no_dsa=1; } elsif (/^no-dh$/) { $no_dh=1; } elsif (/^no-hmac$/) { $no_hmac=1; } elsif (/^no-aes$/) { $no_aes=1; } elsif (/^no-asm$/) { $no_asm=1; } elsif (/^nasm$/) { $nasm=1; } elsif (/^gaswin$/) { $gaswin=1; } elsif (/^no-ssl2$/) { $no_ssl2=1; } elsif (/^no-ssl3$/) { $no_ssl3=1; } elsif (/^no-err$/) { $no_err=1; } elsif (/^no-sock$/) { $no_sock=1; } elsif (/^no-krb5$/) { $no_krb5=1; } elsif (/^no-ec$/) { $no_ec=1; } elsif (/^no-engine$/) { $no_engine=1; } elsif (/^no-hw$/) { $no_hw=1; } elsif (/^just-ssl$/) { $no_rc2=$no_idea=$no_des=$no_bf=$no_cast=1; $no_md2=$no_sha=$no_mdc2=$no_dsa=$no_dh=1; $no_ssl2=$no_err=$no_ripemd=$no_rc5=1; $no_aes=1; } elsif (/^rsaref$/) { } elsif (/^gcc$/) { $gcc=1; } elsif (/^debug$/) { $debug=1; } elsif (/^profile$/) { $profile=1; } elsif (/^shlib$/) { $shlib=1; } elsif (/^dll$/) { $shlib=1; } elsif (/^shared$/) { } # We just need to ignore it for now... elsif (/^([^=]*)=(.*)$/){ $VARS{$1}=$2; } elsif (/^-[lL].*$/) { $l_flags.="$_ "; } elsif ((!/^-help/) && (!/^-h/) && (!/^-\?/) && /^-.*$/) { $c_flags.="$_ "; } else { return(0); } return(1); } diff --git a/crypto/openssl/util/mkdef.pl b/crypto/openssl/util/mkdef.pl index cdd2164c4e25..01a1bfda197c 100755 --- a/crypto/openssl/util/mkdef.pl +++ b/crypto/openssl/util/mkdef.pl @@ -1,1369 +1,1397 @@ #!/usr/local/bin/perl -w # # generate a .def file # # It does this by parsing the header files and looking for the # prototyped functions: it then prunes the output. # # Intermediary files are created, call libeay.num and ssleay.num,... # Previously, they had the following format: # # routine-name nnnn # # But that isn't enough for a number of reasons, the first on being that # this format is (needlessly) very Win32-centric, and even then... # One of the biggest problems is that there's no information about what # routines should actually be used, which varies with what crypto algorithms # are disabled. Also, some operating systems (for example VMS with VAX C) # need to keep track of the global variables as well as the functions. # # So, a remake of this script is done so as to include information on the # kind of symbol it is (function or variable) and what algorithms they're # part of. This will allow easy translating to .def files or the corresponding # file in other operating systems (a .opt file for VMS, possibly with a .mar # file). # # The format now becomes: # # routine-name nnnn info # # and the "info" part is actually a colon-separated string of fields with # the following meaning: # # existence:platform:kind:algorithms # # - "existence" can be "EXIST" or "NOEXIST" depending on if the symbol is # found somewhere in the source, # - "platforms" is empty if it exists on all platforms, otherwise it contains # comma-separated list of the platform, just as they are if the symbol exists # for those platforms, or prepended with a "!" if not. This helps resolve # symbol name variants for platforms where the names are too long for the # compiler or linker, or if the systems is case insensitive and there is a # clash, or the symbol is implemented differently (see # EXPORT_VAR_AS_FUNCTION). This script assumes renaming of symbols is found # in the file crypto/symhacks.h. # The semantics for the platforms is that every item is checked against the # environment. For the negative items ("!FOO"), if any of them is false # (i.e. "FOO" is true) in the environment, the corresponding symbol can't be # used. For the positive itms, if all of them are false in the environment, # the corresponding symbol can't be used. Any combination of positive and # negative items are possible, and of course leave room for some redundancy. # - "kind" is "FUNCTION" or "VARIABLE". The meaning of that is obvious. # - "algorithms" is a comma-separated list of algorithm names. This helps # exclude symbols that are part of an algorithm that some user wants to # exclude. # my $debug=0; my $crypto_num= "util/libeay.num"; my $ssl_num= "util/ssleay.num"; my $libname; my $do_update = 0; my $do_rewrite = 1; my $do_crypto = 0; my $do_ssl = 0; my $do_ctest = 0; my $do_ctestall = 0; my $do_checkexist = 0; my $VMSVAX=0; my $VMSAlpha=0; my $VMS=0; my $W32=0; my $W16=0; my $NT=0; my $OS2=0; # Set this to make typesafe STACK definitions appear in DEF my $safe_stack_def = 0; my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT", "EXPORT_VAR_AS_FUNCTION" ); my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT", "OS2" ); my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF", "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1", "RIPEMD", "MDC2", "RSA", "DSA", "DH", "EC", "HMAC", "AES", # Envelope "algorithms" "EVP", "X509", "ASN1_TYPEDEFS", # Helper "algorithms" "BIO", "COMP", "BUFFER", "LHASH", "STACK", "ERR", "LOCKING", # External "algorithms" "FP_API", "STDIO", "SOCK", "KRB5", "ENGINE", "HW" ); my $options=""; open(IN,") { $options=$1 if (/^OPTIONS=(.*)$/); } close(IN); # The following ciphers may be excluded (by Configure). This means functions # defined with ifndef(NO_XXX) are not included in the .def file, and everything # in directory xxx is ignored. my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf; my $no_cast; my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2; my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5; my $no_ec; my $no_engine; my $no_hw; my $no_fp_api; foreach (@ARGV, split(/ /, $options)) { $debug=1 if $_ eq "debug"; $W32=1 if $_ eq "32"; $W16=1 if $_ eq "16"; if($_ eq "NT") { $W32 = 1; $NT = 1; } if ($_ eq "VMS-VAX") { $VMS=1; $VMSVAX=1; } if ($_ eq "VMS-Alpha") { $VMS=1; $VMSAlpha=1; } $VMS=1 if $_ eq "VMS"; $OS2=1 if $_ eq "OS2"; $do_ssl=1 if $_ eq "ssleay"; if ($_ eq "ssl") { $do_ssl=1; $libname=$_ } $do_crypto=1 if $_ eq "libeay"; if ($_ eq "crypto") { $do_crypto=1; $libname=$_; } $do_update=1 if $_ eq "update"; $do_rewrite=1 if $_ eq "rewrite"; $do_ctest=1 if $_ eq "ctest"; $do_ctestall=1 if $_ eq "ctestall"; $do_checkexist=1 if $_ eq "exist"; #$safe_stack_def=1 if $_ eq "-DDEBUG_SAFESTACK"; if (/^no-rc2$/) { $no_rc2=1; } elsif (/^no-rc4$/) { $no_rc4=1; } elsif (/^no-rc5$/) { $no_rc5=1; } elsif (/^no-idea$/) { $no_idea=1; } elsif (/^no-des$/) { $no_des=1; $no_mdc2=1; } elsif (/^no-bf$/) { $no_bf=1; } elsif (/^no-cast$/) { $no_cast=1; } elsif (/^no-md2$/) { $no_md2=1; } elsif (/^no-md4$/) { $no_md4=1; } elsif (/^no-md5$/) { $no_md5=1; } elsif (/^no-sha$/) { $no_sha=1; } elsif (/^no-ripemd$/) { $no_ripemd=1; } elsif (/^no-mdc2$/) { $no_mdc2=1; } elsif (/^no-rsa$/) { $no_rsa=1; } elsif (/^no-dsa$/) { $no_dsa=1; } elsif (/^no-dh$/) { $no_dh=1; } elsif (/^no-ec$/) { $no_ec=1; } elsif (/^no-hmac$/) { $no_hmac=1; } elsif (/^no-aes$/) { $no_aes=1; } elsif (/^no-evp$/) { $no_evp=1; } elsif (/^no-lhash$/) { $no_lhash=1; } elsif (/^no-stack$/) { $no_stack=1; } elsif (/^no-err$/) { $no_err=1; } elsif (/^no-buffer$/) { $no_buffer=1; } elsif (/^no-bio$/) { $no_bio=1; } #elsif (/^no-locking$/) { $no_locking=1; } elsif (/^no-comp$/) { $no_comp=1; } elsif (/^no-dso$/) { $no_dso=1; } elsif (/^no-krb5$/) { $no_krb5=1; } elsif (/^no-engine$/) { $no_engine=1; } elsif (/^no-hw$/) { $no_hw=1; } } if (!$libname) { if ($do_ssl) { $libname="SSLEAY"; } if ($do_crypto) { $libname="LIBEAY"; } } # If no platform is given, assume WIN32 if ($W32 + $W16 + $VMS + $OS2 == 0) { $W32 = 1; } # Add extra knowledge if ($W16) { $no_fp_api=1; } if (!$do_ssl && !$do_crypto) { print STDERR "usage: $0 ( ssl | crypto ) [ 16 | 32 | NT | OS2 ]\n"; exit(1); } %ssl_list=&load_numbers($ssl_num); $max_ssl = $max_num; %crypto_list=&load_numbers($crypto_num); $max_crypto = $max_num; my $ssl="ssl/ssl.h"; $ssl.=" ssl/kssl.h"; my $crypto ="crypto/crypto.h"; $crypto.=" crypto/des/des.h crypto/des/des_old.h" ; # unless $no_des; $crypto.=" crypto/idea/idea.h" ; # unless $no_idea; $crypto.=" crypto/rc4/rc4.h" ; # unless $no_rc4; $crypto.=" crypto/rc5/rc5.h" ; # unless $no_rc5; $crypto.=" crypto/rc2/rc2.h" ; # unless $no_rc2; $crypto.=" crypto/bf/blowfish.h" ; # unless $no_bf; $crypto.=" crypto/cast/cast.h" ; # unless $no_cast; $crypto.=" crypto/md2/md2.h" ; # unless $no_md2; $crypto.=" crypto/md4/md4.h" ; # unless $no_md4; $crypto.=" crypto/md5/md5.h" ; # unless $no_md5; $crypto.=" crypto/mdc2/mdc2.h" ; # unless $no_mdc2; $crypto.=" crypto/sha/sha.h" ; # unless $no_sha; $crypto.=" crypto/ripemd/ripemd.h" ; # unless $no_ripemd; $crypto.=" crypto/aes/aes.h" ; # unless $no_aes; $crypto.=" crypto/bn/bn.h"; $crypto.=" crypto/rsa/rsa.h" ; # unless $no_rsa; $crypto.=" crypto/dsa/dsa.h" ; # unless $no_dsa; $crypto.=" crypto/dh/dh.h" ; # unless $no_dh; $crypto.=" crypto/ec/ec.h" ; # unless $no_ec; $crypto.=" crypto/hmac/hmac.h" ; # unless $no_hmac; $crypto.=" crypto/engine/engine.h"; # unless $no_engine; $crypto.=" crypto/stack/stack.h" ; # unless $no_stack; $crypto.=" crypto/buffer/buffer.h" ; # unless $no_buffer; $crypto.=" crypto/bio/bio.h" ; # unless $no_bio; $crypto.=" crypto/dso/dso.h" ; # unless $no_dso; $crypto.=" crypto/lhash/lhash.h" ; # unless $no_lhash; $crypto.=" crypto/conf/conf.h"; $crypto.=" crypto/txt_db/txt_db.h"; $crypto.=" crypto/evp/evp.h" ; # unless $no_evp; $crypto.=" crypto/objects/objects.h"; $crypto.=" crypto/pem/pem.h"; #$crypto.=" crypto/meth/meth.h"; $crypto.=" crypto/asn1/asn1.h"; $crypto.=" crypto/asn1/asn1t.h"; $crypto.=" crypto/asn1/asn1_mac.h"; $crypto.=" crypto/err/err.h" ; # unless $no_err; $crypto.=" crypto/pkcs7/pkcs7.h"; $crypto.=" crypto/pkcs12/pkcs12.h"; $crypto.=" crypto/x509/x509.h"; $crypto.=" crypto/x509/x509_vfy.h"; $crypto.=" crypto/x509v3/x509v3.h"; $crypto.=" crypto/rand/rand.h"; $crypto.=" crypto/comp/comp.h" ; # unless $no_comp; $crypto.=" crypto/ocsp/ocsp.h"; $crypto.=" crypto/ui/ui.h crypto/ui/ui_compat.h"; $crypto.=" crypto/krb5/krb5_asn.h"; $crypto.=" crypto/tmdiff.h"; my $symhacks="crypto/symhacks.h"; my @ssl_symbols = &do_defs("SSLEAY", $ssl, $symhacks); my @crypto_symbols = &do_defs("LIBEAY", $crypto, $symhacks); if ($do_update) { if ($do_ssl == 1) { &maybe_add_info("SSLEAY",*ssl_list,@ssl_symbols); if ($do_rewrite == 1) { open(OUT, ">$ssl_num"); &rewrite_numbers(*OUT,"SSLEAY",*ssl_list,@ssl_symbols); } else { open(OUT, ">>$ssl_num"); } &update_numbers(*OUT,"SSLEAY",*ssl_list,$max_ssl,@ssl_symbols); close OUT; } if($do_crypto == 1) { &maybe_add_info("LIBEAY",*crypto_list,@crypto_symbols); if ($do_rewrite == 1) { open(OUT, ">$crypto_num"); &rewrite_numbers(*OUT,"LIBEAY",*crypto_list,@crypto_symbols); } else { open(OUT, ">>$crypto_num"); } &update_numbers(*OUT,"LIBEAY",*crypto_list,$max_crypto,@crypto_symbols); close OUT; } } elsif ($do_checkexist) { &check_existing(*ssl_list, @ssl_symbols) if $do_ssl == 1; &check_existing(*crypto_list, @crypto_symbols) if $do_crypto == 1; } elsif ($do_ctest || $do_ctestall) { print <<"EOF"; /* Test file to check all DEF file symbols are present by trying * to link to all of them. This is *not* intended to be run! */ int main() { EOF &print_test_file(*STDOUT,"SSLEAY",*ssl_list,$do_ctestall,@ssl_symbols) if $do_ssl == 1; &print_test_file(*STDOUT,"LIBEAY",*crypto_list,$do_ctestall,@crypto_symbols) if $do_crypto == 1; print "}\n"; } else { &print_def_file(*STDOUT,$libname,*ssl_list,@ssl_symbols) if $do_ssl == 1; &print_def_file(*STDOUT,$libname,*crypto_list,@crypto_symbols) if $do_crypto == 1; } sub do_defs { my($name,$files,$symhacksfile)=@_; my $file; my @ret; my %syms; my %platform; # For anything undefined, we assume "" my %kind; # For anything undefined, we assume "FUNCTION" my %algorithm; # For anything undefined, we assume "" my %variant; my %variant_cnt; # To be able to allocate "name{n}" if "name" # is the same name as the original. my $cpp; my %unknown_algorithms = (); foreach $file (split(/\s+/,$symhacksfile." ".$files)) { print STDERR "DEBUG: starting on $file:\n" if $debug; open(IN,"<$file") || die "unable to open $file:$!\n"; my $line = "", my $def= ""; my %tag = ( (map { $_ => 0 } @known_platforms), (map { "OPENSSL_SYS_".$_ => 0 } @known_ossl_platforms), (map { "OPENSSL_NO_".$_ => 0 } @known_algorithms), NOPROTO => 0, PERL5 => 0, _WINDLL => 0, CONST_STRICT => 0, TRUE => 1, ); my $symhacking = $file eq $symhacksfile; my @current_platforms = (); my @current_algorithms = (); # params: symbol, alias, platforms, kind # The reason to put this subroutine in a variable is that # it will otherwise create it's own, unshared, version of # %tag and %variant... my $make_variant = sub { my ($s, $a, $p, $k) = @_; my ($a1, $a2); print STDERR "DEBUG: make_variant: Entered with ",$s,", ",$a,", ",(defined($p)?$p:""),", ",(defined($k)?$k:""),"\n" if $debug; if (defined($p)) { $a1 = join(",",$p, grep(!/^$/, map { $tag{$_} == 1 ? $_ : "" } @known_platforms)); } else { $a1 = join(",", grep(!/^$/, map { $tag{$_} == 1 ? $_ : "" } @known_platforms)); } $a2 = join(",", grep(!/^$/, map { $tag{"OPENSSL_SYS_".$_} == 1 ? $_ : "" } @known_ossl_platforms)); print STDERR "DEBUG: make_variant: a1 = $a1; a2 = $a2\n" if $debug; if ($a1 eq "") { $a1 = $a2; } elsif ($a1 ne "" && $a2 ne "") { $a1 .= ",".$a2; } if ($a eq $s) { if (!defined($variant_cnt{$s})) { $variant_cnt{$s} = 0; } $variant_cnt{$s}++; $a .= "{$variant_cnt{$s}}"; } my $toadd = $a.":".$a1.(defined($k)?":".$k:""); my $togrep = $s.'(\{[0-9]+\})?:'.$a1.(defined($k)?":".$k:""); if (!grep(/^$togrep$/, split(/;/, defined($variant{$s})?$variant{$s}:""))) { if (defined($variant{$s})) { $variant{$s} .= ";"; } $variant{$s} .= $toadd; } print STDERR "DEBUG: make_variant: Exit with variant of ",$s," = ",$variant{$s},"\n" if $debug; }; print STDERR "DEBUG: parsing ----------\n" if $debug; while() { last if (/\/\* Error codes for the \w+ functions\. \*\//); if ($line ne '') { $_ = $line . $_; $line = ''; } if (/\\$/) { chomp; # remove eol chop; # remove ending backslash $line = $_; next; } $cpp = 1 if /^\#.*ifdef.*cplusplus/; if ($cpp) { $cpp = 0 if /^\#.*endif/; next; } s/\/\*.*?\*\///gs; # ignore comments if (/\/\*/) { # if we have part $line = $_; # of a comment, next; # continue reading } s/{[^{}]*}//gs; # ignore {} blocks print STDERR "DEBUG: \$def=\"$def\"\n" if $debug && $def ne ""; print STDERR "DEBUG: \$_=\"$_\"\n" if $debug; if (/^\#\s*ifndef\s+(.*)/) { push(@tag,"-"); push(@tag,$1); $tag{$1}=-1; print STDERR "DEBUG: $file: found tag $1 = -1\n" if $debug; } elsif (/^\#\s*if\s+!defined\(([^\)]+)\)/) { push(@tag,"-"); if (/^\#\s*if\s+(!defined\(([^\)]+)\)(\s+\&\&\s+!defined\(([^\)]+)\))*)$/) { my $tmp_1 = $1; my $tmp_; foreach $tmp_ (split '\&\&',$tmp_1) { $tmp_ =~ /!defined\(([^\)]+)\)/; print STDERR "DEBUG: $file: found tag $1 = -1\n" if $debug; push(@tag,$1); $tag{$1}=-1; } } else { print STDERR "Warning: $file: complicated expression: $_" if $debug; # because it is O... print STDERR "DEBUG: $file: found tag $1 = -1\n" if $debug; push(@tag,$1); $tag{$1}=-1; } } elsif (/^\#\s*ifdef\s+(.*)/) { push(@tag,"-"); push(@tag,$1); $tag{$1}=1; print STDERR "DEBUG: $file: found tag $1 = 1\n" if $debug; } elsif (/^\#\s*if\s+defined\(([^\)]+)\)/) { push(@tag,"-"); if (/^\#\s*if\s+(defined\(([^\)]+)\)(\s+\|\|\s+defined\(([^\)]+)\))*)$/) { my $tmp_1 = $1; my $tmp_; foreach $tmp_ (split '\|\|',$tmp_1) { $tmp_ =~ /defined\(([^\)]+)\)/; print STDERR "DEBUG: $file: found tag $1 = 1\n" if $debug; push(@tag,$1); $tag{$1}=1; } } else { print STDERR "Warning: $file: complicated expression: $_\n" if $debug; # because it is O... print STDERR "DEBUG: $file: found tag $1 = 1\n" if $debug; push(@tag,$1); $tag{$1}=1; } } elsif (/^\#\s*error\s+(\w+) is disabled\./) { my $tag_i = $#tag; while($tag[$tag_i] ne "-") { if ($tag[$tag_i] eq "OPENSSL_NO_".$1) { $tag{$tag[$tag_i]}=2; print STDERR "DEBUG: $file: chaged tag $1 = 2\n" if $debug; } $tag_i--; } } elsif (/^\#\s*endif/) { my $tag_i = $#tag; while($tag[$tag_i] ne "-") { my $t=$tag[$tag_i]; print STDERR "DEBUG: \$t=\"$t\"\n" if $debug; if ($tag{$t}==2) { $tag{$t}=-1; } else { $tag{$t}=0; } print STDERR "DEBUG: $file: changed tag ",$t," = ",$tag{$t},"\n" if $debug; pop(@tag); if ($t =~ /^OPENSSL_NO_([A-Z0-9_]+)$/) { $t=$1; } else { $t=""; } if ($t ne "" && !grep(/^$t$/, @known_algorithms)) { $unknown_algorithms{$t} = 1; #print STDERR "DEBUG: Added as unknown algorithm: $t\n" if $debug; } $tag_i--; } pop(@tag); } elsif (/^\#\s*else/) { my $tag_i = $#tag; while($tag[$tag_i] ne "-") { my $t=$tag[$tag_i]; $tag{$t}= -$tag{$t}; print STDERR "DEBUG: $file: changed tag ",$t," = ",$tag{$t},"\n" if $debug; $tag_i--; } } elsif (/^\#\s*if\s+1/) { push(@tag,"-"); # Dummy tag push(@tag,"TRUE"); $tag{"TRUE"}=1; print STDERR "DEBUG: $file: found 1\n" if $debug; } elsif (/^\#\s*if\s+0/) { push(@tag,"-"); # Dummy tag push(@tag,"TRUE"); $tag{"TRUE"}=-1; print STDERR "DEBUG: $file: found 0\n" if $debug; } elsif (/^\#\s*define\s+(\w+)\s+(\w+)/ && $symhacking && $tag{'TRUE'} != -1) { # This is for aliasing. When we find an alias, # we have to invert &$make_variant($1,$2); print STDERR "DEBUG: $file: defined $1 = $2\n" if $debug; } if (/^\#/) { @current_platforms = grep(!/^$/, map { $tag{$_} == 1 ? $_ : $tag{$_} == -1 ? "!".$_ : "" } @known_platforms); push @current_platforms , grep(!/^$/, map { $tag{"OPENSSL_SYS_".$_} == 1 ? $_ : $tag{"OPENSSL_SYS_".$_} == -1 ? "!".$_ : "" } @known_ossl_platforms); @current_algorithms = grep(!/^$/, map { $tag{"OPENSSL_NO_".$_} == -1 ? $_ : "" } @known_algorithms); $def .= "#INFO:" .join(',',@current_platforms).":" .join(',',@current_algorithms).";"; next; } if ($tag{'TRUE'} != -1) { if (/^\s*DECLARE_STACK_OF\s*\(\s*(\w*)\s*\)/) { next; } elsif (/^\s*DECLARE_ASN1_ENCODE_FUNCTIONS\s*\(\s*(\w*)\s*,\s*(\w*)\s*,\s*(\w*)\s*\)/) { $def .= "int d2i_$3(void);"; $def .= "int i2d_$3(void);"; # Variant for platforms that do not # have to access globale variables # in shared libraries through functions $def .= "#INFO:" .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":" .join(',',@current_algorithms).";"; $def .= "OPENSSL_EXTERN int $2_it;"; $def .= "#INFO:" .join(',',@current_platforms).":" .join(',',@current_algorithms).";"; # Variant for platforms that have to # access globale variables in shared # libraries through functions &$make_variant("$2_it","$2_it", "EXPORT_VAR_AS_FUNCTION", "FUNCTION"); next; } elsif (/^\s*DECLARE_ASN1_FUNCTIONS_fname\s*\(\s*(\w*)\s*,\s*(\w*)\s*,\s*(\w*)\s*\)/) { $def .= "int d2i_$3(void);"; $def .= "int i2d_$3(void);"; $def .= "int $3_free(void);"; $def .= "int $3_new(void);"; # Variant for platforms that do not # have to access globale variables # in shared libraries through functions $def .= "#INFO:" .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":" .join(',',@current_algorithms).";"; $def .= "OPENSSL_EXTERN int $2_it;"; $def .= "#INFO:" .join(',',@current_platforms).":" .join(',',@current_algorithms).";"; # Variant for platforms that have to # access globale variables in shared # libraries through functions &$make_variant("$2_it","$2_it", "EXPORT_VAR_AS_FUNCTION", "FUNCTION"); next; } elsif (/^\s*DECLARE_ASN1_FUNCTIONS\s*\(\s*(\w*)\s*\)/ || /^\s*DECLARE_ASN1_FUNCTIONS_const\s*\(\s*(\w*)\s*\)/) { $def .= "int d2i_$1(void);"; $def .= "int i2d_$1(void);"; $def .= "int $1_free(void);"; $def .= "int $1_new(void);"; # Variant for platforms that do not # have to access globale variables # in shared libraries through functions $def .= "#INFO:" .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":" .join(',',@current_algorithms).";"; $def .= "OPENSSL_EXTERN int $1_it;"; $def .= "#INFO:" .join(',',@current_platforms).":" .join(',',@current_algorithms).";"; # Variant for platforms that have to # access globale variables in shared # libraries through functions &$make_variant("$1_it","$1_it", "EXPORT_VAR_AS_FUNCTION", "FUNCTION"); next; } elsif (/^\s*DECLARE_ASN1_ENCODE_FUNCTIONS_const\s*\(\s*(\w*)\s*,\s*(\w*)\s*\)/) { $def .= "int d2i_$2(void);"; $def .= "int i2d_$2(void);"; # Variant for platforms that do not # have to access globale variables # in shared libraries through functions $def .= "#INFO:" .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":" .join(',',@current_algorithms).";"; $def .= "OPENSSL_EXTERN int $2_it;"; $def .= "#INFO:" .join(',',@current_platforms).":" .join(',',@current_algorithms).";"; # Variant for platforms that have to # access globale variables in shared # libraries through functions &$make_variant("$2_it","$2_it", "EXPORT_VAR_AS_FUNCTION", "FUNCTION"); next; } elsif (/^\s*DECLARE_ASN1_FUNCTIONS_name\s*\(\s*(\w*)\s*,\s*(\w*)\s*\)/) { $def .= "int d2i_$2(void);"; $def .= "int i2d_$2(void);"; $def .= "int $2_free(void);"; $def .= "int $2_new(void);"; # Variant for platforms that do not # have to access globale variables # in shared libraries through functions $def .= "#INFO:" .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":" .join(',',@current_algorithms).";"; $def .= "OPENSSL_EXTERN int $2_it;"; $def .= "#INFO:" .join(',',@current_platforms).":" .join(',',@current_algorithms).";"; # Variant for platforms that have to # access globale variables in shared # libraries through functions &$make_variant("$2_it","$2_it", "EXPORT_VAR_AS_FUNCTION", "FUNCTION"); next; } elsif (/^\s*DECLARE_ASN1_ITEM\s*\(\s*(\w*)\s*\)/) { # Variant for platforms that do not # have to access globale variables # in shared libraries through functions $def .= "#INFO:" .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":" .join(',',@current_algorithms).";"; $def .= "OPENSSL_EXTERN int $1_it;"; $def .= "#INFO:" .join(',',@current_platforms).":" .join(',',@current_algorithms).";"; # Variant for platforms that have to # access globale variables in shared # libraries through functions &$make_variant("$1_it","$1_it", "EXPORT_VAR_AS_FUNCTION", "FUNCTION"); next; } elsif (/^\s*DECLARE_ASN1_SET_OF\s*\(\s*(\w*)\s*\)/) { next; } elsif (/^\s*DECLARE_PKCS12_STACK_OF\s*\(\s*(\w*)\s*\)/) { next; } elsif (/^DECLARE_PEM_rw\s*\(\s*(\w*)\s*,/ || /^DECLARE_PEM_rw_cb\s*\(\s*(\w*)\s*,/ ) { # Things not in Win16 $def .= "#INFO:" .join(',',"!WIN16",@current_platforms).":" .join(',',@current_algorithms).";"; $def .= "int PEM_read_$1(void);"; $def .= "int PEM_write_$1(void);"; $def .= "#INFO:" .join(',',@current_platforms).":" .join(',',@current_algorithms).";"; # Things that are everywhere $def .= "int PEM_read_bio_$1(void);"; $def .= "int PEM_write_bio_$1(void);"; next; } elsif (/^DECLARE_PEM_write\s*\(\s*(\w*)\s*,/ || /^DECLARE_PEM_write_cb\s*\(\s*(\w*)\s*,/ ) { # Things not in Win16 $def .= "#INFO:" .join(',',"!WIN16",@current_platforms).":" .join(',',@current_algorithms).";"; $def .= "int PEM_write_$1(void);"; $def .= "#INFO:" .join(',',@current_platforms).":" .join(',',@current_algorithms).";"; # Things that are everywhere $def .= "int PEM_write_bio_$1(void);"; next; } elsif (/^DECLARE_PEM_read\s*\(\s*(\w*)\s*,/ || /^DECLARE_PEM_read_cb\s*\(\s*(\w*)\s*,/ ) { # Things not in Win16 $def .= "#INFO:" .join(',',"!WIN16",@current_platforms).":" .join(',',@current_algorithms).";"; $def .= "int PEM_read_$1(void);"; $def .= "#INFO:" .join(',',@current_platforms).":" .join(',',@current_algorithms).";"; # Things that are everywhere $def .= "int PEM_read_bio_$1(void);"; next; } elsif (/^OPENSSL_DECLARE_GLOBAL\s*\(\s*(\w*)\s*,\s*(\w*)\s*\)/) { # Variant for platforms that do not # have to access globale variables # in shared libraries through functions $def .= "#INFO:" .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":" .join(',',@current_algorithms).";"; $def .= "OPENSSL_EXTERN int _shadow_$2;"; $def .= "#INFO:" .join(',',@current_platforms).":" .join(',',@current_algorithms).";"; # Variant for platforms that have to # access globale variables in shared # libraries through functions &$make_variant("_shadow_$2","_shadow_$2", "EXPORT_VAR_AS_FUNCTION", "FUNCTION"); } elsif ($tag{'CONST_STRICT'} != 1) { if (/\{|\/\*|\([^\)]*$/) { $line = $_; } else { $def .= $_; } } } } close(IN); my $algs; my $plays; print STDERR "DEBUG: postprocessing ----------\n" if $debug; foreach (split /;/, $def) { my $s; my $k = "FUNCTION"; my $p; my $a; s/^[\n\s]*//g; s/[\n\s]*$//g; next if(/\#undef/); next if(/typedef\W/); next if(/\#define/); print STDERR "DEBUG: \$_ = \"$_\"\n" if $debug; if (/^\#INFO:([^:]*):(.*)$/) { $plats = $1; $algs = $2; print STDERR "DEBUG: found info on platforms ($plats) and algorithms ($algs)\n" if $debug; next; } elsif (/^\s*OPENSSL_EXTERN\s.*?(\w+(\{[0-9]+\})?)(\[[0-9]*\])*\s*$/) { $s = $1; $k = "VARIABLE"; print STDERR "DEBUG: found external variable $s\n" if $debug; } elsif (/\(\*(\w*(\{[0-9]+\})?)\([^\)]+/) { $s = $1; print STDERR "DEBUG: found ANSI C function $s\n" if $debug; } elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s) { # K&R C print STDERR "DEBUG: found K&R C function $s\n" if $debug; next; } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) { while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) { s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s; s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s; } s/\(void\)//; /(\w+(\{[0-9]+\})?)\W*\(\)/s; $s = $1; print STDERR "DEBUG: found function $s\n" if $debug; } elsif (/\(/ and not (/=/)) { print STDERR "File $file: cannot parse: $_;\n"; next; } else { next; } $syms{$s} = 1; $kind{$s} = $k; $p = $plats; $a = $algs; $a .= ",BF" if($s =~ /EVP_bf/); $a .= ",CAST" if($s =~ /EVP_cast/); $a .= ",DES" if($s =~ /EVP_des/); $a .= ",DSA" if($s =~ /EVP_dss/); $a .= ",IDEA" if($s =~ /EVP_idea/); $a .= ",MD2" if($s =~ /EVP_md2/); $a .= ",MD4" if($s =~ /EVP_md4/); $a .= ",MD5" if($s =~ /EVP_md5/); $a .= ",RC2" if($s =~ /EVP_rc2/); $a .= ",RC4" if($s =~ /EVP_rc4/); $a .= ",RC5" if($s =~ /EVP_rc5/); $a .= ",RIPEMD" if($s =~ /EVP_ripemd/); $a .= ",SHA" if($s =~ /EVP_sha/); $a .= ",RSA" if($s =~ /EVP_(Open|Seal)(Final|Init)/); $a .= ",RSA" if($s =~ /PEM_Seal(Final|Init|Update)/); $a .= ",RSA" if($s =~ /RSAPrivateKey/); $a .= ",RSA" if($s =~ /SSLv23?_((client|server)_)?method/); $platform{$s} = &reduce_platforms((defined($platform{$s})?$platform{$s}.',':"").$p); $algorithm{$s} .= ','.$a; if (defined($variant{$s})) { foreach $v (split /;/,$variant{$s}) { (my $r, my $p, my $k) = split(/:/,$v); my $ip = join ',',map({ /^!(.*)$/ ? $1 : "!".$_ } split /,/, $p); $syms{$r} = 1; if (!defined($k)) { $k = $kind{$s}; } $kind{$r} = $k."(".$s.")"; $algorithm{$r} = $algorithm{$s}; $platform{$r} = &reduce_platforms($platform{$s}.",".$p.",".$p); $platform{$s} = &reduce_platforms($platform{$s}.','.$ip.','.$ip); print STDERR "DEBUG: \$variant{\"$s\"} = ",$v,"; \$r = $r; \$p = ",$platform{$r},"; \$a = ",$algorithm{$r},"; \$kind = ",$kind{$r},"\n" if $debug; } } print STDERR "DEBUG: \$s = $s; \$p = ",$platform{$s},"; \$a = ",$algorithm{$s},"; \$kind = ",$kind{$s},"\n" if $debug; } } # Prune the returned symbols delete $syms{"bn_dump1"}; $platform{"BIO_s_log"} .= ",!WIN32,!WIN16,!macintosh"; $platform{"PEM_read_NS_CERT_SEQ"} = "VMS"; $platform{"PEM_write_NS_CERT_SEQ"} = "VMS"; $platform{"PEM_read_P8_PRIV_KEY_INFO"} = "VMS"; $platform{"PEM_write_P8_PRIV_KEY_INFO"} = "VMS"; # Info we know about push @ret, map { $_."\\".&info_string($_,"EXIST", $platform{$_}, $kind{$_}, $algorithm{$_}) } keys %syms; if (keys %unknown_algorithms) { print STDERR "WARNING: mkdef.pl doesn't know the following algorithms:\n"; print STDERR "\t",join("\n\t",keys %unknown_algorithms),"\n"; } return(@ret); } # Param: string of comma-separated platform-specs. sub reduce_platforms { my ($platforms) = @_; my $pl = defined($platforms) ? $platforms : ""; my %p = map { $_ => 0 } split /,/, $pl; my $ret; print STDERR "DEBUG: Entered reduce_platforms with \"$platforms\"\n" if $debug; # We do this, because if there's code like the following, it really # means the function exists in all cases and should therefore be # everywhere. By increasing and decreasing, we may attain 0: # # ifndef WIN16 # int foo(); # else # int _fat foo(); # endif foreach $platform (split /,/, $pl) { if ($platform =~ /^!(.*)$/) { $p{$1}--; } else { $p{$platform}++; } } foreach $platform (keys %p) { if ($p{$platform} == 0) { delete $p{$platform}; } } delete $p{""}; $ret = join(',',sort(map { $p{$_} < 0 ? "!".$_ : $_ } keys %p)); print STDERR "DEBUG: Exiting reduce_platforms with \"$ret\"\n" if $debug; return $ret; } sub info_string { (my $symbol, my $exist, my $platforms, my $kind, my $algorithms) = @_; my %a = defined($algorithms) ? map { $_ => 1 } split /,/, $algorithms : (); my $k = defined($kind) ? $kind : "FUNCTION"; my $ret; my $p = &reduce_platforms($platforms); delete $a{""}; $ret = $exist; $ret .= ":".$p; $ret .= ":".$k; $ret .= ":".join(',',sort keys %a); return $ret; } sub maybe_add_info { (my $name, *nums, my @symbols) = @_; my $sym; my $new_info = 0; my %syms=(); print STDERR "Updating $name info\n"; foreach $sym (@symbols) { (my $s, my $i) = split /\\/, $sym; if (defined($nums{$s})) { $i =~ s/^(.*?:.*?:\w+)(\(\w+\))?/$1/; (my $n, my $dummy) = split /\\/, $nums{$s}; if (!defined($dummy) || $i ne $dummy) { $nums{$s} = $n."\\".$i; $new_info++; print STDERR "DEBUG: maybe_add_info for $s: \"$dummy\" => \"$i\"\n" if $debug; } } $syms{$s} = 1; } my @s=sort { &parse_number($nums{$a},"n") <=> &parse_number($nums{$b},"n") } keys %nums; foreach $sym (@s) { (my $n, my $i) = split /\\/, $nums{$sym}; if (!defined($syms{$sym}) && $i !~ /^NOEXIST:/) { $new_info++; print STDERR "DEBUG: maybe_add_info for $sym: -> undefined\n" if $debug; } } if ($new_info) { print STDERR "$new_info old symbols got an info update\n"; if (!$do_rewrite) { print STDERR "You should do a rewrite to fix this.\n"; } } else { print STDERR "No old symbols needed info update\n"; } } # Param: string of comma-separated keywords, each possibly prefixed with a "!" sub is_valid { my ($keywords_txt,$platforms) = @_; my (@keywords) = split /,/,$keywords_txt; my ($falsesum, $truesum) = (0, !grep(/^[^!]/,@keywords)); # Param: one keyword sub recognise { my ($keyword,$platforms) = @_; if ($platforms) { # platforms if ($keyword eq "VMS" && $VMS) { return 1; } if ($keyword eq "WIN32" && $W32) { return 1; } if ($keyword eq "WIN16" && $W16) { return 1; } if ($keyword eq "WINNT" && $NT) { return 1; } if ($keyword eq "OS2" && $OS2) { return 1; } # Special platforms: # EXPORT_VAR_AS_FUNCTION means that global variables # will be represented as functions. This currently # only happens on VMS-VAX. if ($keyword eq "EXPORT_VAR_AS_FUNCTION" && ($VMSVAX || $W32 || $W16)) { return 1; } return 0; } else { # algorithms if ($keyword eq "RC2" && $no_rc2) { return 0; } if ($keyword eq "RC4" && $no_rc4) { return 0; } if ($keyword eq "RC5" && $no_rc5) { return 0; } if ($keyword eq "IDEA" && $no_idea) { return 0; } if ($keyword eq "DES" && $no_des) { return 0; } if ($keyword eq "BF" && $no_bf) { return 0; } if ($keyword eq "CAST" && $no_cast) { return 0; } if ($keyword eq "MD2" && $no_md2) { return 0; } if ($keyword eq "MD4" && $no_md4) { return 0; } if ($keyword eq "MD5" && $no_md5) { return 0; } if ($keyword eq "SHA" && $no_sha) { return 0; } if ($keyword eq "RIPEMD" && $no_ripemd) { return 0; } if ($keyword eq "MDC2" && $no_mdc2) { return 0; } if ($keyword eq "RSA" && $no_rsa) { return 0; } if ($keyword eq "DSA" && $no_dsa) { return 0; } if ($keyword eq "DH" && $no_dh) { return 0; } if ($keyword eq "EC" && $no_ec) { return 0; } if ($keyword eq "HMAC" && $no_hmac) { return 0; } if ($keyword eq "AES" && $no_aes) { return 0; } if ($keyword eq "EVP" && $no_evp) { return 0; } if ($keyword eq "LHASH" && $no_lhash) { return 0; } if ($keyword eq "STACK" && $no_stack) { return 0; } if ($keyword eq "ERR" && $no_err) { return 0; } if ($keyword eq "BUFFER" && $no_buffer) { return 0; } if ($keyword eq "BIO" && $no_bio) { return 0; } if ($keyword eq "COMP" && $no_comp) { return 0; } if ($keyword eq "DSO" && $no_dso) { return 0; } if ($keyword eq "KRB5" && $no_krb5) { return 0; } if ($keyword eq "ENGINE" && $no_engine) { return 0; } if ($keyword eq "HW" && $no_hw) { return 0; } if ($keyword eq "FP_API" && $no_fp_api) { return 0; } # Nothing recognise as true return 1; } } foreach $k (@keywords) { if ($k =~ /^!(.*)$/) { $falsesum += &recognise($1,$platforms); } else { $truesum += &recognise($k,$platforms); } } print STDERR "DEBUG: [",$#keywords,",",$#keywords < 0,"] is_valid($keywords_txt) => (\!$falsesum) && $truesum = ",(!$falsesum) && $truesum,"\n" if $debug; return (!$falsesum) && $truesum; } sub print_test_file { (*OUT,my $name,*nums,my $testall,my @symbols)=@_; my $n = 1; my @e; my @r; my $sym; my $prev = ""; my $prefSSLeay; (@e)=grep(/^SSLeay(\{[0-9]+\})?\\.*?:.*?:.*/,@symbols); (@r)=grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:.*/ && !/^SSLeay(\{[0-9]+\})?\\.*?:.*?:.*/,@symbols); @symbols=((sort @e),(sort @r)); foreach $sym (@symbols) { (my $s, my $i) = $sym =~ /^(.*?)\\(.*)$/; my $v = 0; $v = 1 if $i=~ /^.*?:.*?:VARIABLE/; my $p = ($i =~ /^[^:]*:([^:]*):/,$1); my $a = ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1); if (!defined($nums{$s})) { print STDERR "Warning: $s does not have a number assigned\n" if(!$do_update); } elsif (is_valid($p,1) && is_valid($a,0)) { my $s2 = ($s =~ /^(.*?)(\{[0-9]+\})?$/, $1); if ($prev eq $s2) { print OUT "\t/* The following has already appeared previously */\n"; print STDERR "Warning: Symbol '",$s2,"' redefined. old=",($nums{$prev} =~ /^(.*?)\\/,$1),", new=",($nums{$s2} =~ /^(.*?)\\/,$1),"\n"; } $prev = $s2; # To warn about duplicates... ($nn,$ni)=($nums{$s2} =~ /^(.*?)\\(.*)$/); if ($v) { print OUT "\textern int $s2; /* type unknown */ /* $nn $ni */\n"; } else { print OUT "\textern int $s2(); /* type unknown */ /* $nn $ni */\n"; } } } } +sub get_version { + local *MF; + my $v = '?'; + open MF, 'Makefile.ssl' or return $v; + while () { + $v = $1, last if /^VERSION=(.*?)\s*$/; + } + close MF; + return $v; +} + sub print_def_file { (*OUT,my $name,*nums,my @symbols)=@_; my $n = 1; my @e; my @r; my @v; my $prev=""; my $liboptions=""; + my $libname = $name; + my $http_vendor = 'www.openssl.org/'; + my $version = get_version(); + my $what = "OpenSSL: implementation of Secure Socket Layer"; + my $description = "$what $version, $name - http://$http_vendor"; if ($W32) - { $name.="32"; } + { $libname.="32"; } elsif ($W16) - { $name.="16"; } + { $libname.="16"; } elsif ($OS2) - { $liboptions = "INITINSTANCE\nDATA NONSHARED"; } + { # DLL names should not clash on the whole system. + # However, they should not have any particular relationship + # to the name of the static library. Chose descriptive names + # (must be at most 8 chars). + my %translate = (ssl => 'open_ssl', crypto => 'cryptssl'); + $libname = $translate{$name} || $name; + $liboptions = <) { chop; s/#.*$//; next if /^\s*$/; @a=split; if (defined $ret{$a[0]}) { # This is actually perfectly OK #print STDERR "Warning: Symbol '",$a[0],"' redefined. old=",$ret{$a[0]},", new=",$a[1],"\n"; } if ($max_num > $a[1]) { print STDERR "Warning: Number decreased from ",$max_num," to ",$a[1],"\n"; } elsif ($max_num == $a[1]) { # This is actually perfectly OK #print STDERR "Warning: Symbol ",$a[0]," has same number as previous ",$prev,": ",$a[1],"\n"; if ($a[0] eq $prev) { $prev_cnt++; $a[0] .= "{$prev_cnt}"; } } else { $prev_cnt = 0; } if ($#a < 2) { # Existence will be proven later, in do_defs $ret{$a[0]}=$a[1]; $num_noinfo++; } else { $ret{$a[0]}=$a[1]."\\".$a[2]; # \\ is a special marker } $max_num = $a[1] if $a[1] > $max_num; $prev=$a[0]; } if ($num_noinfo) { print STDERR "Warning: $num_noinfo symbols were without info."; if ($do_rewrite) { printf STDERR " The rewrite will fix this.\n"; } else { printf STDERR " You should do a rewrite to fix this.\n"; } } close(IN); return(%ret); } sub parse_number { (my $str, my $what) = @_; (my $n, my $i) = split(/\\/,$str); if ($what eq "n") { return $n; } else { return $i; } } sub rewrite_numbers { (*OUT,$name,*nums,@symbols)=@_; my $thing; print STDERR "Rewriting $name\n"; my @r = grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:\w+\(\w+\)/,@symbols); my $r; my %r; my %rsyms; foreach $r (@r) { (my $s, my $i) = split /\\/, $r; my $a = $1 if $i =~ /^.*?:.*?:\w+\((\w+)\)/; $i =~ s/^(.*?:.*?:\w+)\(\w+\)/$1/; $r{$a} = $s."\\".$i; $rsyms{$s} = 1; } my %syms = (); foreach $_ (@symbols) { (my $n, my $i) = split /\\/; $syms{$n} = 1; } my @s=sort { &parse_number($nums{$a},"n") <=> &parse_number($nums{$b},"n") || $a cmp $b } keys %nums; foreach $sym (@s) { (my $n, my $i) = split /\\/, $nums{$sym}; next if defined($i) && $i =~ /^.*?:.*?:\w+\(\w+\)/; next if defined($rsyms{$sym}); print STDERR "DEBUG: rewrite_numbers for sym = ",$sym,": i = ",$i,", n = ",$n,", rsym{sym} = ",$rsyms{$sym},"syms{sym} = ",$syms{$sym},"\n" if $debug; $i="NOEXIST::FUNCTION:" if !defined($i) || $i eq "" || !defined($syms{$sym}); my $s2 = $sym; $s2 =~ s/\{[0-9]+\}$//; printf OUT "%s%-39s %d\t%s\n","",$s2,$n,$i; if (exists $r{$sym}) { (my $s, $i) = split /\\/,$r{$sym}; my $s2 = $s; $s2 =~ s/\{[0-9]+\}$//; printf OUT "%s%-39s %d\t%s\n","",$s2,$n,$i; } } } sub update_numbers { (*OUT,$name,*nums,my $start_num, my @symbols)=@_; my $new_syms = 0; print STDERR "Updating $name numbers\n"; my @r = grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:\w+\(\w+\)/,@symbols); my $r; my %r; my %rsyms; foreach $r (@r) { (my $s, my $i) = split /\\/, $r; my $a = $1 if $i =~ /^.*?:.*?:\w+\((\w+)\)/; $i =~ s/^(.*?:.*?:\w+)\(\w+\)/$1/; $r{$a} = $s."\\".$i; $rsyms{$s} = 1; } foreach $sym (@symbols) { (my $s, my $i) = $sym =~ /^(.*?)\\(.*)$/; next if $i =~ /^.*?:.*?:\w+\(\w+\)/; next if defined($rsyms{$sym}); die "ERROR: Symbol $sym had no info attached to it." if $i eq ""; if (!exists $nums{$s}) { $new_syms++; my $s2 = $s; $s2 =~ s/\{[0-9]+\}$//; printf OUT "%s%-39s %d\t%s\n","",$s2, ++$start_num,$i; if (exists $r{$s}) { ($s, $i) = split /\\/,$r{$s}; $s =~ s/\{[0-9]+\}$//; printf OUT "%s%-39s %d\t%s\n","",$s, $start_num,$i; } } } if($new_syms) { print STDERR "$new_syms New symbols added\n"; } else { print STDERR "No New symbols Added\n"; } } sub check_existing { (*nums, my @symbols)=@_; my %existing; my @remaining; @remaining=(); foreach $sym (@symbols) { (my $s, my $i) = $sym =~ /^(.*?)\\(.*)$/; $existing{$s}=1; } foreach $sym (keys %nums) { if (!exists $existing{$sym}) { push @remaining, $sym; } } if(@remaining) { print STDERR "The following symbols do not seem to exist:\n"; foreach $sym (@remaining) { print STDERR "\t",$sym,"\n"; } } } diff --git a/crypto/openssl/util/pl/OS2-EMX.pl b/crypto/openssl/util/pl/OS2-EMX.pl index d695dda623dc..ddb35242108c 100644 --- a/crypto/openssl/util/pl/OS2-EMX.pl +++ b/crypto/openssl/util/pl/OS2-EMX.pl @@ -1,117 +1,119 @@ #!/usr/local/bin/perl # # OS2-EMX.pl - for EMX GCC on OS/2 # -$o='\\'; -$cp='copy'; +$o='/'; +$cp='cp'; $rm='rm -f'; +$preamble = "SHELL=sh\n"; + # C compiler stuff $cc='gcc'; $cflags="-DL_ENDIAN -O3 -fomit-frame-pointer -m486 -Zmtd -Wall "; $cflags.="-Zomf " if $shlib; $shl_cflag="-Zdll"; if ($debug) { $cflags.="-g "; } $obj=$shlib ? '.obj' : '.o'; $ofile='-o '; # EXE linking stuff $link='${CC}'; $lflags='${CFLAGS} -Zbsd-signals -s'; $efile='-o '; $exep='.exe'; $ex_libs="-lsocket"; # static library stuff $mklib='ar r'; $mlflags=''; $ranlib="ar s"; $plib=''; $libp=$shlib ? ".lib" : ".a"; $shlibp=$shlib ? ".dll" : ".a"; $lfile=''; $asm=$shlib ? 'as -Zomf' : 'as'; $afile='-o '; $bn_asm_obj=""; $bn_asm_src=""; $des_enc_obj=""; $des_enc_src=""; $bf_enc_obj=""; $bf_enc_src=""; if (!$no_asm) { - $bn_asm_obj="crypto\\bn\\asm\\bn-os2$obj crypto\\bn\\asm\\co-os2$obj"; - $bn_asm_src="crypto\\bn\\asm\\bn-os2.asm crypto\\bn\\asm\\co-os2.asm"; - $des_enc_obj="crypto\\des\\asm\\d-os2$obj crypto\\des\\asm\\y-os2$obj"; - $des_enc_src="crypto\\des\\asm\\d-os2.asm crypto\\des\\asm\\y-os2.asm"; - $bf_enc_obj="crypto\\bf\\asm\\b-os2$obj"; - $bf_enc_src="crypto\\bf\\asm\\b-os2.asm"; - $cast_enc_obj="crypto\\cast\\asm\\c-os2$obj"; - $cast_enc_src="crypto\\cast\\asm\\c-os2.asm"; - $rc4_enc_obj="crypto\\rc4\\asm\\r4-os2$obj"; - $rc4_enc_src="crypto\\rc4\\asm\\r4-os2.asm"; - $rc5_enc_obj="crypto\\rc5\\asm\\r5-os2$obj"; - $rc5_enc_src="crypto\\rc5\\asm\\r5-os2.asm"; - $md5_asm_obj="crypto\\md5\\asm\\m5-os2$obj"; - $md5_asm_src="crypto\\md5\\asm\\m5-os2.asm"; - $sha1_asm_obj="crypto\\sha\\asm\\s1-os2$obj"; - $sha1_asm_src="crypto\\sha\\asm\\s1-os2.asm"; - $rmd160_asm_obj="crypto\\ripemd\\asm\\rm-os2$obj"; - $rmd160_asm_src="crypto\\ripemd\\asm\\rm-os2.asm"; + $bn_asm_obj="crypto/bn/asm/bn-os2$obj crypto/bn/asm/co-os2$obj"; + $bn_asm_src="crypto/bn/asm/bn-os2.asm crypto/bn/asm/co-os2.asm"; + $des_enc_obj="crypto/des/asm/d-os2$obj crypto/des/asm/y-os2$obj"; + $des_enc_src="crypto/des/asm/d-os2.asm crypto/des/asm/y-os2.asm"; + $bf_enc_obj="crypto/bf/asm/b-os2$obj"; + $bf_enc_src="crypto/bf/asm/b-os2.asm"; + $cast_enc_obj="crypto/cast/asm/c-os2$obj"; + $cast_enc_src="crypto/cast/asm/c-os2.asm"; + $rc4_enc_obj="crypto/rc4/asm/r4-os2$obj"; + $rc4_enc_src="crypto/rc4/asm/r4-os2.asm"; + $rc5_enc_obj="crypto/rc5/asm/r5-os2$obj"; + $rc5_enc_src="crypto/rc5/asm/r5-os2.asm"; + $md5_asm_obj="crypto/md5/asm/m5-os2$obj"; + $md5_asm_src="crypto/md5/asm/m5-os2.asm"; + $sha1_asm_obj="crypto/sha/asm/s1-os2$obj"; + $sha1_asm_src="crypto/sha/asm/s1-os2.asm"; + $rmd160_asm_obj="crypto/ripemd/asm/rm-os2$obj"; + $rmd160_asm_src="crypto/ripemd/asm/rm-os2.asm"; } if ($shlib) { $mlflags.=" $lflags -Zdll"; $lib_cflag=" -D_DLL"; $out_def="out_dll"; $tmp_def="tmp_dll"; } sub do_lib_rule { local($obj,$target,$name,$shlib)=@_; local($ret,$_,$Name); $target =~ s/\//$o/g if $o ne '/'; $target="$target"; ($Name=$name) =~ tr/a-z/A-Z/; $ret.="$target: \$(${Name}OBJ)\n"; if (!$shlib) { $ret.="\t\$(RM) $target\n"; $ret.="\t\$(MKLIB) $target \$(${Name}OBJ)\n"; $ret.="\t\$(RANLIB) $target\n\n"; } else { local($ex)=($target =~ /O_SSL/)?' $(L_CRYPTO)':''; $ex.=' -lsocket'; $ret.="\t\$(LINK) \$(SHLIB_CFLAGS) \$(MLFLAGS) $efile$target \$(SHLIB_EX_OBJ) \$(${Name}OBJ) $ex os2/${Name}.def\n"; $ret.="\temximp -o $out_def/$name.a os2/${Name}.def\n"; $ret.="\temximp -o $out_def/$name.lib os2/${Name}.def\n\n"; } } sub do_link_rule { local($target,$files,$dep_libs,$libs)=@_; local($ret,$_); $file =~ s/\//$o/g if $o ne '/'; $n=&bname($target); $ret.="$target: $files $dep_libs\n"; $ret.="\t\$(LINK) ${efile}$target \$(CFLAG) \$(LFLAGS) $files $libs\n\n"; return($ret); } 1;