Index: releng/11.4/UPDATING =================================================================== --- releng/11.4/UPDATING (revision 368642) +++ releng/11.4/UPDATING (revision 368643) @@ -1,1964 +1,1968 @@ Updating Information for FreeBSD stable/11 users. This file is maintained and copyrighted by M. Warner Losh . See end of file for further details. For commonly done items, please see the COMMON ITEMS: section later in the file. These instructions assume that you basically know what you are doing. If not, then please consult the FreeBSD handbook: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. NOTE: FreeBSD has switched from gcc to clang. If you have trouble bootstrapping from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20201215: p6 FreeBSD-SA-20:33.openssl + + Fix OpenSSL NULL pointer de-reference. [SA-20:33.openssl] + 20201201: p5 FreeBSD-EN-20:19.audit FreeBSD-EN-20:20.tzdata FreeBSD-EN-20:22.callout FreeBSD-SA-20:31.icmp6 FreeBSD-SA-20:32.rtsold Fix execve/fexecve system call auditing. [EN-20:19.audit] Update timezone database information. [EN-20:20.tzdata] Fix race condition in callout CPU migration. [EN-20:22.callout] Fix ICMPv6 use-after-free in error message handling. [SA-20:31.icmp6] Fix multiple vulnerabilities in rtsold. [SA-20:32.rtsold] 20200915 p4 FreeBSD-SA-20:27.ure FreeBSD-SA-20:28.bhyve_vmcs FreeBSD-SA-20:29.bhyve_svm FreeBSD-SA-20:30.ftpd Fix ure device driver susceptible to packet-in-packet attack. [SA-20:27.ure] Fix bhyve privilege escalation via VMCS access. [SA-20:28.bhyve_vmcs] Fix bhyve SVM guest escape. [SA-20:29.bhyve_svm] Fix ftpd privilege escalation via ftpchroot. [SA-20:30.ftpd] 20200902 p3 FreeBSD-EN-20:17.linuxthread FreeBSD-EN-20:18.getfsstat FreeBSD-SA-20:25.sctp FreeBSD-SA-20:26.dhclient Fix FreeBSD Linux ABI kernel panic. [EN-20:17.linuxthread] Fix getfsstat compatibility system call panic. [EN-20:18.getfsstat] Fix SCTP socket use-after-free. [SA-20:25.sctp] Fix dhclient heap overflow. [SA-20:26.dhclient] 20200805 p2 FreeBSD-SA-20:21.usb_net FreeBSD-SA-20:22.unbound FreeBSD-SA-20:23.ipv6 Fix memory corruption in USB network device drivers. [SA-20:21.usb_net] Fix multiple vulnerabilities in sqlite3. [SA-20:22.sqlite] Fix sendmsg(2) privilege escalation. [SA-20:23.sendmsg] 20200708 p1 FreeBSD-EN-20:15.mps FreeBSD-SA-20:18.posix_spawnp FreeBSD-SA-20:19.unbound FreeBSD-SA-20:20.ipv6 Fix kernel panic in mps(4) driver. [EN-20:15.mps] Fix posix_spawnp(3) buffer overflow. [SA-20:18.posix_spawnp] Fix multiple vulnerabilities in unbound. [SA-20:19.unbound] Fix IPv6 socket option race condition and use after free. [SA-20:20.ipv6] 20200616: 11.4-RELEASE. 20200609: 11.4-RC2-p1 FreeBSD-SA-20:17.usb Fix USB HID descriptor parsing error. [SA-20:17.usb] 20200512: 11.4-BETA1-p1 FreeBSD-SA-20:12.libalias FreeBSD-SA-20:13.libalias Fix insufficient packet length validation in libalias [SA-20:12.libalias] Fix memory disclosure vulnerability in libalias [SA-20:13.libalias] 20200507: Clang, llvm, lld, lldb, compiler-rt, libc++, libunwind and openmp have been upgraded to 10.0.0. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using clang 3.5.0 or higher. 20200430: The root certificates of the Mozilla CA Certificate Store have been imported into the base system and can be managed with the certctl(8) utility. If you have installed the security/ca_root_nss port or package with the ETCSYMLINK option (the default), be advised that there may be differences between those included in the port and those included in base due to differences in nss branch used as well as general update frequency. Note also that certctl(8) cannot manage certs in the format used by the security/ca_root_nss port. 20190913: ntpd no longer by default locks its pages in memory, allowing them to be paged out by the kernel. Use rlimit memlock to restore historic BSD behaviour. For example, add "rlimit memlock 32" to ntp.conf to lock up to 32 MB of ntpd address space in memory. 20190723: Clang, llvm, lld, lldb, compiler-rt, libc++, libunwind and openmp have been upgraded to 8.0.1. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using clang 3.5.0 or higher. 20190426: CARP now sets DSCP value CS7(Network Traffic) in the flowlabel field of packets by default instead of only setting TOS_LOWDELAY in IPv4, which was deprecated in 1998. Original behavior can be restored by setting sysctl net.inet.carp.dscp=4. 20190416: Clang, llvm, lld, lldb, compiler-rt and libc++ have been upgraded to 8.0.0. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using clang 3.5.0 or higher. 20190226: geom_uzip(4) depends on the new module xz. If geom_uzip is statically compiled into your custom kernel, add 'device xz' statement to the kernel config. 20190220: Co-existance for Forth and Lua interpreters in bootloaders has now been merged to ease testing of lualoader. LOADER_DEFAULT_INTERP, documented in build(7), may be used to control which interpreter flavor is used in the default loader to be installed. For systems where Lua and Forth coexist, this switch can also be made on a running system by creating a link from /boot/loader{,.efi} to /boot/loader_${flavor}{,.efi} rather than requiring a rebuild. The default flavor in this branch will remain Forth. As indicated in the 20190216 UPDATING entry, booting is a complex environment; it would be prudent to assume that lualoader may not work for your setup and make provisions for backup boot methods. 20190220: zfsloader's functionality has now been folded into loader. zfsloader is no longer necesasary once you've updated your boot blocks. For a transition period, we will install a hardlink for zfsloader to loader to allow a smooth transition until the boot blocks can be updated (hard link because old zfs boot blocks don't understand symlinks). 20190216: Lualoader has been merged to facilitate testing on this branch. It's purely opt-in for now by building WITH_LOADER_LUA and WITHOUT_FORTH in /etc/src.conf, but co-existance will come shortly. Booting is a complex environment and test coverage for Lua-enabled loaders has been thin, so it would be prudent to assume it might not work and make provisions for backup boot methods. 20190216: Clang, llvm, lld, lldb, compiler-rt and libc++ have been upgraded to 7.0.1. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using clang 3.5.0 or higher. 20181228: r342562 modifies the NFSv4 server so that it obeys vfs.nfsd.nfs_privport in the same as it is applied to NFSv2 and 3. This implies that NFSv4 servers that have vfs.nfsd.nfs_privport set will only allow mounts from clients using a reserved port#. Since both the FreeBSD and Linux NFSv4 clients use reserved port#s by default, this should not affect most NFSv4 mounts. 20181107: The '%I' format in the kern.corefile sysctl limits the number of core files that a process can generate to the number stored in the debug.ncores sysctl. The '%I' format is replaced by the single digit index. Previously, if all indexes were taken the kernel would overwrite only a core file with the highest index in a filename. Currently the system will create a new core file if there is a free index or if all slots are taken it will overwrite the oldest one. 20180818: WITH_OFED option now only enables the build for the OFED libraries and some fundamental client utilities. OpenSM and rest of the debugging tools are enabled by WITH_OFED_EXTRA build switch. WITH_OFED is turned on by default on amd64. 20180714: Clang, llvm, lld, lldb, compiler-rt and libc++ have been upgraded to 6.0.1. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using clang 3.5.0 or higher. 20180601: The releng/11.2 branch has been created from stable/11@r334458. 20180504: The tz database (tzdb) has been updated to 2018e. This version more correctly models time stamps in time zones with negative DST such as Europe/Dublin (from 1971 on), Europe/Prague (1946/7), and Africa/Windhoek (1994/2017). This does not affect the UT offsets, only time zone abbreviations and the tm_isdst flag. 20180409: The use of RSS hash from the network card aka flowid has been disabled by default for lagg(4) as it's currently incompatible with the lacp and loadbalance protocols. This can be re-enabled by setting the following in loader.conf: net.link.lagg.default_use_flowid="1" 20180331: Clang, llvm, lld, lldb, compiler-rt and libc++ have been upgraded to 6.0.0. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using clang 3.5.0 or higher. 20180211: The LOADER_FIREWIRE_SUPPORT build variable as been renamed to WITH/OUT_LOADER_FIREWIRE. LOADER_{NO_,}GELI_SUPPORT has been renamed to WITH/OUT_LOADER_GELI. 20180210: The geli password typed at boot is now hidden. To restore the previous behavior, see geli(8) for configuration options. The SW_WATCHDOG option is no longer necessary to enable the hardclock-based software watchdog if no hardware watchdog is configured. As before, SW_WATCHDOG will cause the software watchdog to be enabled even if a hardware watchdog is configured. 20180108: lint(1) binaries and library are no longer built by default. To enable building them, define WITH_LINT in src.conf. If you are using a FreeBSD 12 or later system to build 11-stable, you may need to install a lint(1) binary to use WITH_LINT. 20171003: When building multiple kernels using KERNCONF, non-existent KERNCONF files will produce an error and buildkernel will fail. Previously missing KERNCONF files silently failed giving no indication as to why, only to subsequently discover during installkernel that the desired kernel was never built in the first place. 20170926: Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 5.0.0. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using clang 3.5.0 or higher. 20170822: Since the switch to GPT disk labels, fsck for UFS/FFS has been unable to automatically find alternate superblocks. As of r322806, the information needed to find alternate superblocks has been moved to the end of the area reserved for the boot block. Filesystems created with a newfs of this vintage or later will create the recovery information. If you have a filesystem created prior to this change and wish to have a recovery block created for your filesystem, you can do so by running fsck in forground mode (i.e., do not use the -p or -y options). As it starts, fsck will ask ``SAVE DATA TO FIND ALTERNATE SUPERBLOCKS'' to which you should answer yes. 20170629: The releng/11.1 branch has been created from stable/11@r320475. 20170518: arm64 builds now use the base system LLD 4.0.0 linker by default, instead of requiring that the aarch64-binutils port or package be installed. To continue using aarch64-binutils, set CROSS_BINUTILS_PREFIX=/usr/local/aarch64-freebsd/bin . 20170529: The ctl.ko module no longer implements the iSCSI target frontend: cfiscsi.ko does instead. If building cfiscsi.ko as a kernel module, the module can be loaded via one of the following methods: - `cfiscsi_load="YES"` in loader.conf(5). - Add `cfiscsi` to `$kld_list` in rc.conf(5). - ctladm(8)/ctld(8), when compiled with iSCSI support (`WITH_ISCSI=yes` in src.conf(5)) Please see cfiscsi(4) for more details. 20170511: The mmcsd.ko module now additionally depends on geom_flashmap.ko. Also, mmc.ko and mmcsd.ko need to be a matching pair built from the same source (previously, the dependency of mmcsd.ko on mmc.ko was missing, but mmcsd.ko now will refuse to load if it is incompatible with mmc.ko). 20170414: Binds and sends to the loopback addresses, IPv6 and IPv4, will now use any explicitly assigned loopback address available in the jail instead of using the first assigned address of the jail. 20170413: As of r316810 for ipfilter, keep frags is no longer assumed when keep state is specified in a rule. r316810 aligns ipfilter with documentation in man pages separating keep frags from keep state. This allows keep state to specified without forcing keep frags and allows keep frags to be specified independently of keep state. To maintain previous behaviour, also specify keep frags with keep state (as documented in ipf.conf.5). 20170402: Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 4.0.0. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using clang 3.5.0 or higher. 20170323: The code that provides support for ZFS .zfs/ directory functionality has been reimplemented. It's not possible now to create a snapshot by mkdir under .zfs/snapshot/. That should be the only user visible change. 20170319: Many changes in the IPsec code have been merged from the FreeBSD-CURRENT branch. The IPSEC_FILTERTUNNEL kernel option is removed in favour of corresponding sysctl. The IPSEC_NAT_T kernel option is also removed, and now NAT-T is supported by default. Security associations now use the single namespace for SPI allocation, so if you use several manually configured security associations with the same SPI, this configuration needs modification. 20161217: Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 3.9.1. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using clang 3.5.0 or higher. 20161124: Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 3.9.0. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using clang 3.5.0 or higher. 20161119: The layout of the pmap structure has changed for powerpc to put the pmap statistics at the front for all CPU variations. libkvm(3) and all tools that link against it need to be recompiled. 20161030: isl(4) and cyapa(4) drivers now require a new driver, chromebook_platform(4), to work properly on Chromebook-class hardware. On other types of hardware the drivers may need to be configured using device hints. Please see the corresponding manual pages for details. 20161210: Relocatable object files with the extension of .So have been renamed to use an extension of .pico instead. The purpose of this change is to avoid a name clash with shared libraries on case-insensitive file systems. On those file systems, foo.So is the same file as foo.so. 20160811: The releng/11.0 branch has been created from stable/11@r303970. 20160708: The stable/11 branch has been created from head@r302406. 20160622: The libc stub for the pipe(2) system call has been replaced with a wrapper that calls the pipe2(2) system call and the pipe(2) system call is now only implemented by the kernels that include "options COMPAT_FREEBSD10" in their config file (this is the default). Users should ensure that this option is enabled in their kernel or upgrade userspace to r302092 before upgrading their kernel. 20160527: CAM will now strip leading spaces from SCSI disks' serial numbers. This will effect users who create UFS filesystems on SCSI disks using those disk's diskid device nodes. For example, if /etc/fstab previously contained a line like "/dev/diskid/DISK-%20%20%20%20%20%20%20ABCDEFG0123456", you should change it to "/dev/diskid/DISK-ABCDEFG0123456". Users of geom transforms like gmirror may also be affected. ZFS users should generally be fine. 20160523: The bitstring(3) API has been updated with new functionality and improved performance. But it is binary-incompatible with the old API. Objects built with the new headers may not be linked against objects built with the old headers. 20160520: The brk and sbrk functions have been removed from libc on arm64. Binutils from ports has been updated to not link to these functions and should be updated to the latest version before installing a new libc. 20160517: The armv6 port now defaults to hard float ABI. Limited support for running both hardfloat and soft float on the same system is available using the libraries installed with -DWITH_LIBSOFT. This has only been tested as an upgrade path for installworld and packages may fail or need manual intervention to run. New packages will be needed. To update an existing self-hosted armv6hf system, you must add TARGET_ARCH=armv6 on the make command line for both the build and the install steps. 20160510: Kernel modules compiled outside of a kernel build now default to installing to /boot/modules instead of /boot/kernel. Many kernel modules built this way (such as those in ports) already overrode KMODDIR explicitly to install into /boot/modules. However, manually building and installing a module from /sys/modules will now install to /boot/modules instead of /boot/kernel. 20160414: The CAM I/O scheduler has been committed to the kernel. There should be no user visible impact. This does enable NCQ Trim on ada SSDs. While the list of known rogues that claim support for this but actually corrupt data is believed to be complete, be on the lookout for data corruption. The known rogue list is believed to be complete: o Crucial MX100, M550 drives with MU01 firmware. o Micron M510 and M550 drives with MU01 firmware. o Micron M500 prior to MU07 firmware o Samsung 830, 840, and 850 all firmwares o FCCT M500 all firmwares Crucial has firmware http://www.crucial.com/usa/en/support-ssd-firmware with working NCQ TRIM. For Micron branded drives, see your sales rep for updated firmware. Black listed drives will work correctly because these drives work correctly so long as no NCQ TRIMs are sent to them. Given this list is the same as found in Linux, it's believed there are no other rogues in the market place. All other models from the above vendors work. To be safe, if you are at all concerned, you can quirk each of your drives to prevent NCQ from being sent by setting: kern.cam.ada.X.quirks="0x2" in loader.conf. If the drive requires the 4k sector quirk, set the quirks entry to 0x3. 20160330: The FAST_DEPEND build option has been removed and its functionality is now the one true way. The old mkdep(1) style of 'make depend' has been removed. See 20160311 for further details. 20160317: Resource range types have grown from unsigned long to uintmax_t. All drivers, and anything using libdevinfo, need to be recompiled. 20160311: WITH_FAST_DEPEND is now enabled by default for in-tree and out-of-tree builds. It no longer runs mkdep(1) during 'make depend', and the 'make depend' stage can safely be skipped now as it is auto ran when building 'make all' and will generate all SRCS and DPSRCS before building anything else. Dependencies are gathered at compile time with -MF flags kept in separate .depend files per object file. Users should run 'make cleandepend' once if using -DNO_CLEAN to clean out older stale .depend files. 20160306: On amd64, clang 3.8.0 can now insert sections of type AMD64_UNWIND into kernel modules. Therefore, if you load any kernel modules at boot time, please install the boot loaders after you install the kernel, but before rebooting, e.g.: make buildworld make kernel KERNCONF=YOUR_KERNEL_HERE make -C sys/boot install Then follow the usual steps, described in the General Notes section, below. 20160305: Clang, llvm, lldb and compiler-rt have been upgraded to 3.8.0. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using clang 3.5.0 or higher. 20160301: The AIO subsystem is now a standard part of the kernel. The VFS_AIO kernel option and aio.ko kernel module have been removed. Due to stability concerns, asynchronous I/O requests are only permitted on sockets and raw disks by default. To enable asynchronous I/O requests on all file types, set the vfs.aio.enable_unsafe sysctl to a non-zero value. 20160226: The ELF object manipulation tool objcopy is now provided by the ELF Tool Chain project rather than by GNU binutils. It should be a drop-in replacement, with the addition of arm64 support. The (temporary) src.conf knob WITHOUT_ELFCOPY_AS_OBJCOPY knob may be set to obtain the GNU version if necessary. 20160129: Building ZFS pools on top of zvols is prohibited by default. That feature has never worked safely; it's always been prone to deadlocks. Using a zvol as the backing store for a VM guest's virtual disk will still work, even if the guest is using ZFS. Legacy behavior can be restored by setting vfs.zfs.vol.recursive=1. 20160119: The NONE and HPN patches has been removed from OpenSSH. They are still available in the security/openssh-portable port. 20160113: With the addition of ypldap(8), a new _ypldap user is now required during installworld. "mergemaster -p" can be used to add the user prior to installworld, as documented in the handbook. 20151216: The tftp loader (pxeboot) now uses the option root-path directive. As a consequence it no longer looks for a pxeboot.4th file on the tftp server. Instead it uses the regular /boot infrastructure as with the other loaders. 20151211: The code to start recording plug and play data into the modules has been committed. While the old tools will properly build a new kernel, a number of warnings about "unknown metadata record 4" will be produced for an older kldxref. To avoid such warnings, make sure to rebuild the kernel toolchain (or world). Make sure that you have r292078 or later when trying to build 292077 or later before rebuilding. 20151207: Debug data files are now built by default with 'make buildworld' and installed with 'make installworld'. This facilitates debugging but requires more disk space both during the build and for the installed world. Debug files may be disabled by setting WITHOUT_DEBUG_FILES=yes in src.conf(5). 20151130: r291527 changed the internal interface between the nfsd.ko and nfscommon.ko modules. As such, they must both be upgraded to-gether. __FreeBSD_version has been bumped because of this. 20151108: Add support for unicode collation strings leads to a change of order of files listed by ls(1) for example. To get back to the old behaviour, set LC_COLLATE environment variable to "C". Databases administrators will need to reindex their databases given collation results will be different. Due to a bug in install(1) it is recommended to remove the ancient locales before running make installworld. rm -rf /usr/share/locale/* 20151030: The OpenSSL has been upgraded to 1.0.2d. Any binaries requiring libcrypto.so.7 or libssl.so.7 must be recompiled. 20151020: Qlogic 24xx/25xx firmware images were updated from 5.5.0 to 7.3.0. Kernel modules isp_2400_multi and isp_2500_multi were removed and should be replaced with isp_2400 and isp_2500 modules respectively. 20151017: The build previously allowed using 'make -n' to not recurse into sub-directories while showing what commands would be executed, and 'make -n -n' to recursively show commands. Now 'make -n' will recurse and 'make -N' will not. 20151012: If you specify SENDMAIL_MC or SENDMAIL_CF in make.conf, mergemaster and etcupdate will now use this file. A custom sendmail.cf is now updated via this mechanism rather than via installworld. If you had excluded sendmail.cf in mergemaster.rc or etcupdate.conf, you may want to remove the exclusion or change it to "always install". /etc/mail/sendmail.cf is now managed the same way regardless of whether SENDMAIL_MC/SENDMAIL_CF is used. If you are not using SENDMAIL_MC/SENDMAIL_CF there should be no change in behavior. 20151011: Compatibility shims for legacy ATA device names have been removed. It includes ATA_STATIC_ID kernel option, kern.cam.ada.legacy_aliases and kern.geom.raid.legacy_aliases loader tunables, kern.devalias.* environment variables, /dev/ad* and /dev/ar* symbolic links. 20151006: Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 3.7.0. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using clang 3.5.0 or higher. 20150924: Kernel debug files have been moved to /usr/lib/debug/boot/kernel/, and renamed from .symbols to .debug. This reduces the size requirements on the boot partition or file system and provides consistency with userland debug files. When using the supported kernel installation method the /usr/lib/debug/boot/kernel directory will be renamed (to kernel.old) as is done with /boot/kernel. Developers wishing to maintain the historical behavior of installing debug files in /boot/kernel/ can set KERN_DEBUGDIR="" in src.conf(5). 20150827: The wireless drivers had undergone changes that remove the 'parent interface' from the ifconfig -l output. The rc.d network scripts used to check presence of a parent interface in the list, so old scripts would fail to start wireless networking. Thus, etcupdate(3) or mergemaster(8) run is required after kernel update, to update your rc.d scripts in /etc. 20150827: pf no longer supports 'scrub fragment crop' or 'scrub fragment drop-ovl' These configurations are now automatically interpreted as 'scrub fragment reassemble'. 20150817: Kernel-loadable modules for the random(4) device are back. To use them, the kernel must have device random options RANDOM_LOADABLE kldload(8) can then be used to load random_fortuna.ko or random_yarrow.ko. Please note that due to the indirect function calls that the loadable modules need to provide, the build-in variants will be slightly more efficient. The random(4) kernel option RANDOM_DUMMY has been retired due to unpopularity. It was not all that useful anyway. 20150813: The WITHOUT_ELFTOOLCHAIN_TOOLS src.conf(5) knob has been retired. Control over building the ELF Tool Chain tools is now provided by the WITHOUT_TOOLCHAIN knob. 20150810: The polarity of Pulse Per Second (PPS) capture events with the uart(4) driver has been corrected. Prior to this change the PPS "assert" event corresponded to the trailing edge of a positive PPS pulse and the "clear" event was the leading edge of the next pulse. As the width of a PPS pulse in a typical GPS receiver is on the order of 1 millisecond, most users will not notice any significant difference with this change. Anyone who has compensated for the historical polarity reversal by configuring a negative offset equal to the pulse width will need to remove that workaround. 20150809: The default group assigned to /dev/dri entries has been changed from 'wheel' to 'video' with the id of '44'. If you want to have access to the dri devices please add yourself to the video group with: # pw groupmod video -m $USER 20150806: The menu.rc and loader.rc files will now be replaced during upgrades. Please migrate local changes to menu.rc.local and loader.rc.local instead. 20150805: GNU Binutils versions of addr2line, c++filt, nm, readelf, size, strings and strip have been removed. The src.conf(5) knob WITHOUT_ELFTOOLCHAIN_TOOLS no longer provides the binutils tools. 20150728: As ZFS requires more kernel stack pages than is the default on some architectures e.g. i386, it now warns if KSTACK_PAGES is less than ZFS_MIN_KSTACK_PAGES (which is 4 at the time of writing). Please consider using 'options KSTACK_PAGES=X' where X is greater than or equal to ZFS_MIN_KSTACK_PAGES i.e. 4 in such configurations. 20150706: sendmail has been updated to 8.15.2. Starting with FreeBSD 11.0 and sendmail 8.15, sendmail uses uncompressed IPv6 addresses by default, i.e., they will not contain "::". For example, instead of ::1, it will be 0:0:0:0:0:0:0:1. This permits a zero subnet to have a more specific match, such as different map entries for IPv6:0:0 vs IPv6:0. This change requires that configuration data (including maps, files, classes, custom ruleset, etc.) must use the same format, so make certain such configuration data is upgrading. As a very simple check search for patterns like 'IPv6:[0-9a-fA-F:]*::' and 'IPv6::'. To return to the old behavior, set the m4 option confUSE_COMPRESSED_IPV6_ADDRESSES or the cf option UseCompressedIPv6Addresses. 20150630: The default kernel entropy-processing algorithm is now Fortuna, replacing Yarrow. Assuming you have 'device random' in your kernel config file, the configurations allow a kernel option to override this default. You may choose *ONE* of: options RANDOM_YARROW # Legacy /dev/random algorithm. options RANDOM_DUMMY # Blocking-only driver. If you have neither, you get Fortuna. For most people, read no further, Fortuna will give a /dev/random that works like it always used to, and the difference will be irrelevant. If you remove 'device random', you get *NO* kernel-processed entropy at all. This may be acceptable to folks building embedded systems, but has complications. Carry on reading, and it is assumed you know what you need. *PLEASE* read random(4) and random(9) if you are in the habit of tweaking kernel configs, and/or if you are a member of the embedded community, wanting specific and not-usual behaviour from your security subsystems. NOTE!! If you use RANDOM_DUMMY and/or have no 'device random', you will NOT have a functioning /dev/random, and many cryptographic features will not work, including SSH. You may also find strange behaviour from the random(3) set of library functions, in particular sranddev(3), srandomdev(3) and arc4random(3). The reason for this is that the KERN_ARND sysctl only returns entropy if it thinks it has some to share, and with RANDOM_DUMMY or no 'device random' this will never happen. 20150623: An additional fix for the issue described in the 20150614 sendmail entry below has been been committed in revision 284717. 20150616: FreeBSD's old make (fmake) has been removed from the system. It is available as the devel/fmake port or via pkg install fmake. 20150615: The fix for the issue described in the 20150614 sendmail entry below has been been committed in revision 284436. The work around described in that entry is no longer needed unless the default setting is overridden by a confDH_PARAMETERS configuration setting of '5' or pointing to a 512 bit DH parameter file. 20150614: ALLOW_DEPRECATED_ATF_TOOLS/ATFFILE support has been removed from atf.test.mk (included from bsd.test.mk). Please upgrade devel/atf and devel/kyua to version 0.20+ and adjust any calling code to work with Kyuafile and kyua. 20150614: The import of openssl to address the FreeBSD-SA-15:10.openssl security advisory includes a change which rejects handshakes with DH parameters below 768 bits. sendmail releases prior to 8.15.2 (not yet released), defaulted to a 512 bit DH parameter setting for client connections. To work around this interoperability, sendmail can be configured to use a 2048 bit DH parameter by: 1. Edit /etc/mail/`hostname`.mc 2. If a setting for confDH_PARAMETERS does not exist or exists and is set to a string beginning with '5', replace it with '2'. 3. If a setting for confDH_PARAMETERS exists and is set to a file path, create a new file with: openssl dhparam -out /path/to/file 2048 4. Rebuild the .cf file: cd /etc/mail/; make; make install 5. Restart sendmail: cd /etc/mail/; make restart A sendmail patch is coming, at which time this file will be updated. 20150604: Generation of legacy formatted entries have been disabled by default in pwd_mkdb(8), as all base system consumers of the legacy formatted entries were converted to use the new format by default when the new, machine independent format have been added and supported since FreeBSD 5.x. Please see the pwd_mkdb(8) manual page for further details. 20150525: Clang and llvm have been upgraded to 3.6.1 release. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using 3.5.0 or higher. 20150521: TI platform code switched to using vendor DTS files and this update may break existing systems running on Beaglebone, Beaglebone Black, and Pandaboard: - dtb files should be regenerated/reinstalled. Filenames are the same but content is different now - GPIO addressing was changed, now each GPIO bank (32 pins per bank) has its own /dev/gpiocX device, e.g. pin 121 on /dev/gpioc0 in old addressing scheme is now pin 25 on /dev/gpioc3. - Pandaboard: /etc/ttys should be updated, serial console device is now /dev/ttyu2, not /dev/ttyu0 20150501: soelim(1) from gnu/usr.bin/groff has been replaced by usr.bin/soelim. If you need the GNU extension from groff soelim(1), install groff from package: pkg install groff, or via ports: textproc/groff. 20150423: chmod, chflags, chown and chgrp now affect symlinks in -R mode as defined in symlink(7); previously symlinks were silently ignored. 20150415: The const qualifier has been removed from iconv(3) to comply with POSIX. The ports tree is aware of this from r384038 onwards. 20150416: Libraries specified by LIBADD in Makefiles must have a corresponding DPADD_ variable to ensure correct dependencies. This is now enforced in src.libnames.mk. 20150324: From legacy ata(4) driver was removed support for SATA controllers supported by more functional drivers ahci(4), siis(4) and mvs(4). Kernel modules ataahci and ataadaptec were removed completely, replaced by ahci and mvs modules respectively. 20150315: Clang, llvm and lldb have been upgraded to 3.6.0 release. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using 3.5.0 or higher. 20150307: The 32-bit PowerPC kernel has been changed to a position-independent executable. This can only be booted with a version of loader(8) newer than January 31, 2015, so make sure to update both world and kernel before rebooting. 20150217: If you are running a -CURRENT kernel since r273872 (Oct 30th, 2014), but before r278950, the RNG was not seeded properly. Immediately upgrade the kernel to r278950 or later and regenerate any keys (e.g. ssh keys or openssl keys) that were generated w/ a kernel from that range. This does not affect programs that directly used /dev/random or /dev/urandom. All userland uses of arc4random(3) are affected. 20150210: The autofs(4) ABI was changed in order to restore binary compatibility with 10.1-RELEASE. The automountd(8) daemon needs to be rebuilt to work with the new kernel. 20150131: The powerpc64 kernel has been changed to a position-independent executable. This can only be booted with a new version of loader(8), so make sure to update both world and kernel before rebooting. 20150118: Clang and llvm have been upgraded to 3.5.1 release. This is a bugfix only release, no new features have been added. Please see the 20141231 entry below for information about prerequisites and upgrading, if you are not already using 3.5.0. 20150107: ELF tools addr2line, elfcopy (strip), nm, size, and strings are now taken from the ELF Tool Chain project rather than GNU binutils. They should be drop-in replacements, with the addition of arm64 support. The WITHOUT_ELFTOOLCHAIN_TOOLS= knob may be used to obtain the binutils tools, if necessary. See 20150805 for updated information. 20150105: The default Unbound configuration now enables remote control using a local socket. Users who have already enabled the local_unbound service should regenerate their configuration by running "service local_unbound setup" as root. 20150102: The GNU texinfo and GNU info pages have been removed. To be able to view GNU info pages please install texinfo from ports. 20141231: Clang, llvm and lldb have been upgraded to 3.5.0 release. As of this release, a prerequisite for building clang, llvm and lldb is a C++11 capable compiler and C++11 standard library. This means that to be able to successfully build the cross-tools stage of buildworld, with clang as the bootstrap compiler, your system compiler or cross compiler should either be clang 3.3 or later, or gcc 4.8 or later, and your system C++ library should be libc++, or libdstdc++ from gcc 4.8 or later. On any standard FreeBSD 10.x or 11.x installation, where clang and libc++ are on by default (that is, on x86 or arm), this should work out of the box. On 9.x installations where clang is enabled by default, e.g. on x86 and powerpc, libc++ will not be enabled by default, so libc++ should be built (with clang) and installed first. If both clang and libc++ are missing, build clang first, then use it to build libc++. On 8.x and earlier installations, upgrade to 9.x first, and then follow the instructions for 9.x above. Sparc64 and mips users are unaffected, as they still use gcc 4.2.1 by default, and do not build clang. Many embedded systems are resource constrained, and will not be able to build clang in a reasonable time, or in some cases at all. In those cases, cross building bootable systems on amd64 is a workaround. This new version of clang introduces a number of new warnings, of which the following are most likely to appear: -Wabsolute-value This warns in two cases, for both C and C++: * When the code is trying to take the absolute value of an unsigned quantity, which is effectively a no-op, and almost never what was intended. The code should be fixed, if at all possible. If you are sure that the unsigned quantity can be safely cast to signed, without loss of information or undefined behavior, you can add an explicit cast, or disable the warning. * When the code is trying to take an absolute value, but the called abs() variant is for the wrong type, which can lead to truncation. If you want to disable the warning instead of fixing the code, please make sure that truncation will not occur, or it might lead to unwanted side-effects. -Wtautological-undefined-compare and -Wundefined-bool-conversion These warn when C++ code is trying to compare 'this' against NULL, while 'this' should never be NULL in well-defined C++ code. However, there is some legacy (pre C++11) code out there, which actively abuses this feature, which was less strictly defined in previous C++ versions. Squid and openjdk do this, for example. The warning can be turned off for C++98 and earlier, but compiling the code in C++11 mode might result in unexpected behavior; for example, the parts of the program that are unreachable could be optimized away. 20141222: The old NFS client and server (kernel options NFSCLIENT, NFSSERVER) kernel sources have been removed. The .h files remain, since some utilities include them. This will need to be fixed later. If "mount -t oldnfs ..." is attempted, it will fail. If the "-o" option on mountd(8), nfsd(8) or nfsstat(1) is used, the utilities will report errors. 20141121: The handling of LOCAL_LIB_DIRS has been altered to skip addition of directories to top level SUBDIR variable when their parent directory is included in LOCAL_DIRS. Users with build systems with such hierarchies and without SUBDIR entries in the parent directory Makefiles should add them or add the directories to LOCAL_DIRS. 20141109: faith(4) and faithd(8) have been removed from the base system. Faith has been obsolete for a very long time. 20141104: vt(4), the new console driver, is enabled by default. It brings support for Unicode and double-width characters, as well as support for UEFI and integration with the KMS kernel video drivers. You may need to update your console settings in /etc/rc.conf, most probably the keymap. During boot, /etc/rc.d/syscons will indicate what you need to do. vt(4) still has issues and lacks some features compared to syscons(4). See the wiki for up-to-date information: https://wiki.freebsd.org/Newcons If you want to keep using syscons(4), you can do so by adding the following line to /boot/loader.conf: kern.vty=sc 20141102: pjdfstest has been integrated into kyua as an opt-in test suite. Please see share/doc/pjdfstest/README for more details on how to execute it. 20141009: gperf has been removed from the base system for architectures that use clang. Ports that require gperf will obtain it from the devel/gperf port. 20140923: pjdfstest has been moved from tools/regression/pjdfstest to contrib/pjdfstest . 20140922: At svn r271982, The default linux compat kernel ABI has been adjusted to 2.6.18 in support of the linux-c6 compat ports infrastructure update. If you wish to continue using the linux-f10 compat ports, add compat.linux.osrelease=2.6.16 to your local sysctl.conf. Users are encouraged to update their linux-compat packages to linux-c6 during their next update cycle. 20140729: The ofwfb driver, used to provide a graphics console on PowerPC when using vt(4), no longer allows mmap() of all physical memory. This will prevent Xorg on PowerPC with some ATI graphics cards from initializing properly unless x11-servers/xorg-server is updated to 1.12.4_8 or newer. 20140723: The xdev targets have been converted to using TARGET and TARGET_ARCH instead of XDEV and XDEV_ARCH. 20140719: The default unbound configuration has been modified to address issues with reverse lookups on networks that use private address ranges. If you use the local_unbound service, run "service local_unbound setup" as root to regenerate your configuration, then "service local_unbound reload" to load the new configuration. 20140709: The GNU texinfo and GNU info pages are not built and installed anymore, WITH_INFO knob has been added to allow to built and install them again. UPDATE: see 20150102 entry on texinfo's removal 20140708: The GNU readline library is now an INTERNALLIB - that is, it is statically linked into consumers (GDB and variants) in the base system, and the shared library is no longer installed. The devel/readline port is available for third party software that requires readline. 20140702: The Itanium architecture (ia64) has been removed from the list of known architectures. This is the first step in the removal of the architecture. 20140701: Commit r268115 has added NFSv4.1 server support, merged from projects/nfsv4.1-server. Since this includes changes to the internal interfaces between the NFS related modules, a full build of the kernel and modules will be necessary. __FreeBSD_version has been bumped. 20140629: The WITHOUT_VT_SUPPORT kernel config knob has been renamed WITHOUT_VT. (The other _SUPPORT knobs have a consistent meaning which differs from the behaviour controlled by this knob.) 20140619: Maximal length of the serial number in CTL was increased from 16 to 64 chars, that breaks ABI. All CTL-related tools, such as ctladm and ctld, need to be rebuilt to work with a new kernel. 20140606: The libatf-c and libatf-c++ major versions were downgraded to 0 and 1 respectively to match the upstream numbers. They were out of sync because, when they were originally added to FreeBSD, the upstream versions were not respected. These libraries are private and not yet built by default, so renumbering them should be a non-issue. However, unclean source trees will yield broken test programs once the operator executes "make delete-old-libs" after a "make installworld". Additionally, the atf-sh binary was made private by moving it into /usr/libexec/. Already-built shell test programs will keep the path to the old binary so they will break after "make delete-old" is run. If you are using WITH_TESTS=yes (not the default), wipe the object tree and rebuild from scratch to prevent spurious test failures. This is only needed once: the misnumbered libraries and misplaced binaries have been added to OptionalObsoleteFiles.inc so they will be removed during a clean upgrade. 20140512: Clang and llvm have been upgraded to 3.4.1 release. 20140508: We bogusly installed src.opts.mk in /usr/share/mk. This file should be removed to avoid issues in the future (and has been added to ObsoleteFiles.inc). 20140505: /etc/src.conf now affects only builds of the FreeBSD src tree. In the past, it affected all builds that used the bsd.*.mk files. The old behavior was a bug, but people may have relied upon it. To get this behavior back, you can .include /etc/src.conf from /etc/make.conf (which is still global and isn't changed). This also changes the behavior of incremental builds inside the tree of individual directories. Set MAKESYSPATH to ".../share/mk" to do that. Although this has survived make universe and some upgrade scenarios, other upgrade scenarios may have broken. At least one form of temporary breakage was fixed with MAKESYSPATH settings for buildworld as well... In cases where MAKESYSPATH isn't working with this setting, you'll need to set it to the full path to your tree. One side effect of all this cleaning up is that bsd.compiler.mk is no longer implicitly included by bsd.own.mk. If you wish to use COMPILER_TYPE, you must now explicitly include bsd.compiler.mk as well. 20140430: The lindev device has been removed since /dev/full has been made a standard device. __FreeBSD_version has been bumped. 20140424: The knob WITHOUT_VI was added to the base system, which controls building ex(1), vi(1), etc. Older releases of FreeBSD required ex(1) in order to reorder files share/termcap and didn't build ex(1) as a build tool, so building/installing with WITH_VI is highly advised for build hosts for older releases. This issue has been fixed in stable/9 and stable/10 in r277022 and r276991, respectively. 20140418: The YES_HESIOD knob has been removed. It has been obsolete for a decade. Please move to using WITH_HESIOD instead or your builds will silently lack HESIOD. 20140405: The uart(4) driver has been changed with respect to its handling of the low-level console. Previously the uart(4) driver prevented any process from changing the baudrate or the CLOCAL and HUPCL control flags. By removing the restrictions, operators can make changes to the serial console port without having to reboot. However, when getty(8) is started on the serial device that is associated with the low-level console, a misconfigured terminal line in /etc/ttys will now have a real impact. Before upgrading the kernel, make sure that /etc/ttys has the serial console device configured as 3wire without baudrate to preserve the previous behaviour. E.g: ttyu0 "/usr/libexec/getty 3wire" vt100 on secure 20140306: Support for libwrap (TCP wrappers) in rpcbind was disabled by default to improve performance. To re-enable it, if needed, run rpcbind with command line option -W. 20140226: Switched back to the GPL dtc compiler due to updates in the upstream dts files not being supported by the BSDL dtc compiler. You will need to rebuild your kernel toolchain to pick up the new compiler. Core dumps may result while building dtb files during a kernel build if you fail to do so. Set WITHOUT_GPL_DTC if you require the BSDL compiler. 20140216: Clang and llvm have been upgraded to 3.4 release. 20140216: The nve(4) driver has been removed. Please use the nfe(4) driver for NVIDIA nForce MCP Ethernet adapters instead. 20140212: An ABI incompatibility crept into the libc++ 3.4 import in r261283. This could cause certain C++ applications using shared libraries built against the previous version of libc++ to crash. The incompatibility has now been fixed, but any C++ applications or shared libraries built between r261283 and r261801 should be recompiled. 20140204: OpenSSH will now ignore errors caused by kernel lacking of Capsicum capability mode support. Please note that enabling the feature in kernel is still highly recommended. 20140131: OpenSSH is now built with sandbox support, and will use sandbox as the default privilege separation method. This requires Capsicum capability mode support in kernel. 20140128: The libelf and libdwarf libraries have been updated to newer versions from upstream. Shared library version numbers for these two libraries were bumped. Any ports or binaries requiring these two libraries should be recompiled. __FreeBSD_version is bumped to 1100006. 20140110: If a Makefile in a tests/ directory was auto-generating a Kyuafile instead of providing an explicit one, this would prevent such Makefile from providing its own Kyuafile in the future during NO_CLEAN builds. This has been fixed in the Makefiles but manual intervention is needed to clean an objdir if you use NO_CLEAN: # find /usr/obj -name Kyuafile | xargs rm -f 20131213: The behavior of gss_pseudo_random() for the krb5 mechanism has changed, for applications requesting a longer random string than produced by the underlying enctype's pseudo-random() function. In particular, the random string produced from a session key of enctype aes256-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96 will be different at the 17th octet and later, after this change. The counter used in the PRF+ construction is now encoded as a big-endian integer in accordance with RFC 4402. __FreeBSD_version is bumped to 1100004. 20131108: The WITHOUT_ATF build knob has been removed and its functionality has been subsumed into the more generic WITHOUT_TESTS. If you were using the former to disable the build of the ATF libraries, you should change your settings to use the latter. 20131025: The default version of mtree is nmtree which is obtained from NetBSD. The output is generally the same, but may vary slightly. If you found you need identical output adding "-F freebsd9" to the command line should do the trick. For the time being, the old mtree is available as fmtree. 20131014: libbsdyml has been renamed to libyaml and moved to /usr/lib/private. This will break ports-mgmt/pkg. Rebuild the port, or upgrade to pkg 1.1.4_8 and verify bsdyml not linked in, before running "make delete-old-libs": # make -C /usr/ports/ports-mgmt/pkg build deinstall install clean or # pkg install pkg; ldd /usr/local/sbin/pkg | grep bsdyml 20131010: The stable/10 branch has been created in subversion from head revision r256279. 20131010: The rc.d/jail script has been updated to support jail(8) configuration file. The "jail__*" rc.conf(5) variables for per-jail configuration are automatically converted to /var/run/jail..conf before the jail(8) utility is invoked. This is transparently backward compatible. See below about some incompatibilities and rc.conf(5) manual page for more details. These variables are now deprecated in favor of jail(8) configuration file. One can use "rc.d/jail config " command to generate a jail(8) configuration file in /var/run/jail..conf without running the jail(8) utility. The default pathname of the configuration file is /etc/jail.conf and can be specified by using $jail_conf or $jail__conf variables. Please note that jail_devfs_ruleset accepts an integer at this moment. Please consider to rewrite the ruleset name with an integer. 20130930: BIND has been removed from the base system. If all you need is a local resolver, simply enable and start the local_unbound service instead. Otherwise, several versions of BIND are available in the ports tree. The dns/bind99 port is one example. With this change, nslookup(1) and dig(1) are no longer in the base system. Users should instead use host(1) and drill(1) which are in the base system. Alternatively, nslookup and dig can be obtained by installing the dns/bind-tools port. 20130916: With the addition of unbound(8), a new unbound user is now required during installworld. "mergemaster -p" can be used to add the user prior to installworld, as documented in the handbook. 20130911: OpenSSH is now built with DNSSEC support, and will by default silently trust signed SSHFP records. This can be controlled with the VerifyHostKeyDNS client configuration setting. DNSSEC support can be disabled entirely with the WITHOUT_LDNS option in src.conf. 20130906: The GNU Compiler Collection and C++ standard library (libstdc++) are no longer built by default on platforms where clang is the system compiler. You can enable them with the WITH_GCC and WITH_GNUCXX options in src.conf. 20130905: The PROCDESC kernel option is now part of the GENERIC kernel configuration and is required for the rwhod(8) to work. If you are using custom kernel configuration, you should include 'options PROCDESC'. 20130905: The API and ABI related to the Capsicum framework was modified in backward incompatible way. The userland libraries and programs have to be recompiled to work with the new kernel. This includes the following libraries and programs, but the whole buildworld is advised: libc, libprocstat, dhclient, tcpdump, hastd, hastctl, kdump, procstat, rwho, rwhod, uniq. 20130903: AES-NI intrinsic support has been added to gcc. The AES-NI module has been updated to use this support. A new gcc is required to build the aesni module on both i386 and amd64. 20130821: The PADLOCK_RNG and RDRAND_RNG kernel options are now devices. Thus "device padlock_rng" and "device rdrand_rng" should be used instead of "options PADLOCK_RNG" & "options RDRAND_RNG". 20130813: WITH_ICONV has been split into two feature sets. WITH_ICONV now enables just the iconv* functionality and is now on by default. WITH_LIBICONV_COMPAT enables the libiconv api and link time compatibility. Set WITHOUT_ICONV to build the old way. If you have been using WITH_ICONV before, you will very likely need to turn on WITH_LIBICONV_COMPAT. 20130806: INVARIANTS option now enables DEBUG for code with OpenSolaris and Illumos origin, including ZFS. If you have INVARIANTS in your kernel configuration, then there is no need to set DEBUG or ZFS_DEBUG explicitly. DEBUG used to enable witness(9) tracking of OpenSolaris (mostly ZFS) locks if WITNESS option was set. Because that generated a lot of witness(9) reports and all of them were believed to be false positives, this is no longer done. New option OPENSOLARIS_WITNESS can be used to achieve the previous behavior. 20130806: Timer values in IPv6 data structures now use time_uptime instead of time_second. Although this is not a user-visible functional change, userland utilities which directly use them---ndp(8), rtadvd(8), and rtsold(8) in the base system---need to be updated to r253970 or later. 20130802: find -delete can now delete the pathnames given as arguments, instead of only files found below them or if the pathname did not contain any slashes. Formerly, the following error message would result: find: -delete: : relative path potentially not safe Deleting the pathnames given as arguments can be prevented without error messages using -mindepth 1 or by changing directory and passing "." as argument to find. This works in the old as well as the new version of find. 20130726: Behavior of devfs rules path matching has been changed. Pattern is now always matched against fully qualified devfs path and slash characters must be explicitly matched by slashes in pattern (FNM_PATHNAME). Rulesets involving devfs subdirectories must be reviewed. 20130716: The default ARM ABI has changed to the ARM EABI. The old ABI is incompatible with the ARM EABI and all programs and modules will need to be rebuilt to work with a new kernel. To keep using the old ABI ensure the WITHOUT_ARM_EABI knob is set. NOTE: Support for the old ABI will be removed in the future and users are advised to upgrade. 20130709: pkg_install has been disconnected from the build if you really need it you should add WITH_PKGTOOLS in your src.conf(5). 20130709: Most of network statistics structures were changed to be able keep 64-bits counters. Thus all tools, that work with networking statistics, must be rebuilt (netstat(1), bsnmpd(1), etc.) 20130618: Fix a bug that allowed a tracing process (e.g. gdb) to write to a memory-mapped file in the traced process's address space even if neither the traced process nor the tracing process had write access to that file. 20130615: CVS has been removed from the base system. An exact copy of the code is available from the devel/cvs port. 20130613: Some people report the following error after the switch to bmake: make: illegal option -- J usage: make [-BPSXeiknpqrstv] [-C directory] [-D variable] ... *** [buildworld] Error code 2 this likely due to an old instance of make in ${MAKEPATH} (${MAKEOBJDIRPREFIX}${.CURDIR}/make.${MACHINE}) which src/Makefile will use that blindly, if it exists, so if you see the above error: rm -rf `make -V MAKEPATH` should resolve it. 20130516: Use bmake by default. Whereas before one could choose to build with bmake via -DWITH_BMAKE one must now use -DWITHOUT_BMAKE to use the old make. The goal is to remove these knobs for 10-RELEASE. It is worth noting that bmake (like gmake) treats the command line as the unit of failure, rather than statements within the command line. Thus '(cd some/where && dosomething)' is safer than 'cd some/where; dosomething'. The '()' allows consistent behavior in parallel build. 20130429: Fix a bug that allows NFS clients to issue READDIR on files. 20130426: The WITHOUT_IDEA option has been removed because the IDEA patent expired. 20130426: The sysctl which controls TRIM support under ZFS has been renamed from vfs.zfs.trim_disable -> vfs.zfs.trim.enabled and has been enabled by default. 20130425: The mergemaster command now uses the default MAKEOBJDIRPREFIX rather than creating it's own in the temporary directory in order allow access to bootstrapped versions of tools such as install and mtree. When upgrading from version of FreeBSD where the install command does not support -l, you will need to install a new mergemaster command if mergemaster -p is required. This can be accomplished with the command (cd src/usr.sbin/mergemaster && make install). 20130404: Legacy ATA stack, disabled and replaced by new CAM-based one since FreeBSD 9.0, completely removed from the sources. Kernel modules atadisk and atapi*, user-level tools atacontrol and burncd are removed. Kernel option `options ATA_CAM` is now permanently enabled and removed. 20130319: SOCK_CLOEXEC and SOCK_NONBLOCK flags have been added to socket(2) and socketpair(2). Software, in particular Kerberos, may automatically detect and use these during building. The resulting binaries will not work on older kernels. 20130308: CTL_DISABLE has also been added to the sparc64 GENERIC (for further information, see the respective 20130304 entry). 20130304: Recent commits to callout(9) changed the size of struct callout, so the KBI is probably heavily disturbed. Also, some functions in callout(9)/sleep(9)/sleepqueue(9)/condvar(9) KPIs were replaced by macros. Every kernel module using it won't load, so rebuild is requested. The ctl device has been re-enabled in GENERIC for i386 and amd64, but does not initialize by default (because of the new CTL_DISABLE option) to save memory. To re-enable it, remove the CTL_DISABLE option from the kernel config file or set kern.cam.ctl.disable=0 in /boot/loader.conf. 20130301: The ctl device has been disabled in GENERIC for i386 and amd64. This was done due to the extra memory being allocated at system initialisation time by the ctl driver which was only used if a CAM target device was created. This makes a FreeBSD system unusable on 128MB or less of RAM. 20130208: A new compression method (lz4) has been merged to -HEAD. Please refer to zpool-features(7) for more information. Please refer to the "ZFS notes" section of this file for information on upgrading boot ZFS pools. 20130129: A BSD-licensed patch(1) variant has been added and is installed as bsdpatch, being the GNU version the default patch. To inverse the logic and use the BSD-licensed one as default, while having the GNU version installed as gnupatch, rebuild and install world with the WITH_BSD_PATCH knob set. 20130121: Due to the use of the new -l option to install(1) during build and install, you must take care not to directly set the INSTALL make variable in your /etc/make.conf, /etc/src.conf, or on the command line. If you wish to use the -C flag for all installs you may be able to add INSTALL+=-C to /etc/make.conf or /etc/src.conf. 20130118: The install(1) option -M has changed meaning and now takes an argument that is a file or path to append logs to. In the unlikely event that -M was the last option on the command line and the command line contained at least two files and a target directory the first file will have logs appended to it. The -M option served little practical purpose in the last decade so its use is expected to be extremely rare. 20121223: After switching to Clang as the default compiler some users of ZFS on i386 systems started to experience stack overflow kernel panics. Please consider using 'options KSTACK_PAGES=4' in such configurations. 20121222: GEOM_LABEL now mangles label names read from file system metadata. Mangling affect labels containing spaces, non-printable characters, '%' or '"'. Device names in /etc/fstab and other places may need to be updated. 20121217: By default, only the 10 most recent kernel dumps will be saved. To restore the previous behaviour (no limit on the number of kernel dumps stored in the dump directory) add the following line to /etc/rc.conf: savecore_flags="" 20121201: With the addition of auditdistd(8), a new auditdistd user is now required during installworld. "mergemaster -p" can be used to add the user prior to installworld, as documented in the handbook. 20121117: The sin6_scope_id member variable in struct sockaddr_in6 is now filled by the kernel before passing the structure to the userland via sysctl or routing socket. This means the KAME-specific embedded scope id in sin6_addr.s6_addr[2] is always cleared in userland application. This behavior can be controlled by net.inet6.ip6.deembed_scopeid. __FreeBSD_version is bumped to 1000025. 20121105: On i386 and amd64 systems WITH_CLANG_IS_CC is now the default. This means that the world and kernel will be compiled with clang and that clang will be installed as /usr/bin/cc, /usr/bin/c++, and /usr/bin/cpp. To disable this behavior and revert to building with gcc, compile with WITHOUT_CLANG_IS_CC. Really old versions of current may need to bootstrap WITHOUT_CLANG first if the clang build fails (its compatibility window doesn't extend to the 9 stable branch point). 20121102: The IPFIREWALL_FORWARD kernel option has been removed. Its functionality now turned on by default. 20121023: The ZERO_COPY_SOCKET kernel option has been removed and split into SOCKET_SEND_COW and SOCKET_RECV_PFLIP. NB: SOCKET_SEND_COW uses the VM page based copy-on-write mechanism which is not safe and may result in kernel crashes. NB: The SOCKET_RECV_PFLIP mechanism is useless as no current driver supports disposeable external page sized mbuf storage. Proper replacements for both zero-copy mechanisms are under consideration and will eventually lead to complete removal of the two kernel options. 20121023: The IPv4 network stack has been converted to network byte order. The following modules need to be recompiled together with kernel: carp(4), divert(4), gif(4), siftr(4), gre(4), pf(4), ipfw(4), ng_ipfw(4), stf(4). 20121022: Support for non-MPSAFE filesystems was removed from VFS. The VFS_VERSION was bumped, all filesystem modules shall be recompiled. 20121018: All the non-MPSAFE filesystems have been disconnected from the build. The full list includes: codafs, hpfs, ntfs, nwfs, portalfs, smbfs, xfs. 20121016: The interface cloning API and ABI has changed. The following modules need to be recompiled together with kernel: ipfw(4), pfsync(4), pflog(4), usb(4), wlan(4), stf(4), vlan(4), disc(4), edsc(4), if_bridge(4), gif(4), tap(4), faith(4), epair(4), enc(4), tun(4), if_lagg(4), gre(4). 20121015: The sdhci driver was split in two parts: sdhci (generic SD Host Controller logic) and sdhci_pci (actual hardware driver). No kernel config modifications are required, but if you load sdhc as a module you must switch to sdhci_pci instead. 20121014: Import the FUSE kernel and userland support into base system. 20121013: The GNU sort(1) program has been removed since the BSD-licensed sort(1) has been the default for quite some time and no serious problems have been reported. The corresponding WITH_GNU_SORT knob has also gone. 20121006: The pfil(9) API/ABI for AF_INET family has been changed. Packet filtering modules: pf(4), ipfw(4), ipfilter(4) need to be recompiled with new kernel. 20121001: The net80211(4) ABI has been changed to allow for improved driver PS-POLL and power-save support. All wireless drivers need to be recompiled to work with the new kernel. 20120913: The random(4) support for the VIA hardware random number generator (`PADLOCK') is no longer enabled unconditionally. Add the padlock_rng device in the custom kernel config if needed. The GENERIC kernels on i386 and amd64 do include the device, so the change only affects the custom kernel configurations. 20120908: The pf(4) packet filter ABI has been changed. pfctl(8) and snmp_pf module need to be recompiled to work with new kernel. 20120828: A new ZFS feature flag "com.delphix:empty_bpobj" has been merged to -HEAD. Pools that have empty_bpobj in active state can not be imported read-write with ZFS implementations that do not support this feature. For more information read the zpool-features(5) manual page. 20120727: The sparc64 ZFS loader has been changed to no longer try to auto- detect ZFS providers based on diskN aliases but now requires these to be explicitly listed in the OFW boot-device environment variable. 20120712: The OpenSSL has been upgraded to 1.0.1c. Any binaries requiring libcrypto.so.6 or libssl.so.6 must be recompiled. Also, there are configuration changes. Make sure to merge /etc/ssl/openssl.cnf. 20120712: The following sysctls and tunables have been renamed for consistency with other variables: kern.cam.da.da_send_ordered -> kern.cam.da.send_ordered kern.cam.ada.ada_send_ordered -> kern.cam.ada.send_ordered 20120628: The sort utility has been replaced with BSD sort. For now, GNU sort is also available as "gnusort" or the default can be set back to GNU sort by setting WITH_GNU_SORT. In this case, BSD sort will be installed as "bsdsort". 20120611: A new version of ZFS (pool version 5000) has been merged to -HEAD. Starting with this version the old system of ZFS pool versioning is superseded by "feature flags". This concept enables forward compatibility against certain future changes in functionality of ZFS pools. The first read-only compatible "feature flag" for ZFS pools is named "com.delphix:async_destroy". For more information read the new zpool-features(5) manual page. Please refer to the "ZFS notes" section of this file for information on upgrading boot ZFS pools. 20120417: The malloc(3) implementation embedded in libc now uses sources imported as contrib/jemalloc. The most disruptive API change is to /etc/malloc.conf. If your system has an old-style /etc/malloc.conf, delete it prior to installworld, and optionally re-create it using the new format after rebooting. See malloc.conf(5) for details (specifically the TUNING section and the "opt.*" entries in the MALLCTL NAMESPACE section). 20120328: Big-endian MIPS TARGET_ARCH values no longer end in "eb". mips64eb is now spelled mips64. mipsn32eb is now spelled mipsn32. mipseb is now spelled mips. This is to aid compatibility with third-party software that expects this naming scheme in uname(3). Little-endian settings are unchanged. If you are updating a big-endian mips64 machine from before this change, you may need to set MACHINE_ARCH=mips64 in your environment before the new build system will recognize your machine. 20120306: Disable by default the option VFS_ALLOW_NONMPSAFE for all supported platforms. 20120229: Now unix domain sockets behave "as expected" on nullfs(5). Previously nullfs(5) did not pass through all behaviours to the underlying layer, as a result if we bound to a socket on the lower layer we could connect only to the lower path; if we bound to the upper layer we could connect only to the upper path. The new behavior is one can connect to both the lower and the upper paths regardless what layer path one binds to. 20120211: The getifaddrs upgrade path broken with 20111215 has been restored. If you have upgraded in between 20111215 and 20120209 you need to recompile libc again with your kernel. You still need to recompile world to be able to configure CARP but this restriction already comes from 20111215. 20120114: The set_rcvar() function has been removed from /etc/rc.subr. All base and ports rc.d scripts have been updated, so if you have a port installed with a script in /usr/local/etc/rc.d you can either hand-edit the rcvar= line, or reinstall the port. An easy way to handle the mass-update of /etc/rc.d: rm /etc/rc.d/* && mergemaster -i 20120109: panic(9) now stops other CPUs in the SMP systems, disables interrupts on the current CPU and prevents other threads from running. This behavior can be reverted using the kern.stop_scheduler_on_panic tunable/sysctl. The new behavior can be incompatible with kern.sync_on_panic. 20111215: The carp(4) facility has been changed significantly. Configuration of the CARP protocol via ifconfig(8) has changed, as well as format of CARP events submitted to devd(8) has changed. See manual pages for more information. The arpbalance feature of carp(4) is currently not supported anymore. Size of struct in_aliasreq, struct in6_aliasreq has changed. User utilities using SIOCAIFADDR, SIOCAIFADDR_IN6, e.g. ifconfig(8), need to be recompiled. 20111122: The acpi_wmi(4) status device /dev/wmistat has been renamed to /dev/wmistat0. 20111108: The option VFS_ALLOW_NONMPSAFE option has been added in order to explicitely support non-MPSAFE filesystems. It is on by default for all supported platform at this present time. 20111101: The broken amd(4) driver has been replaced with esp(4) in the amd64, i386 and pc98 GENERIC kernel configuration files. 20110930: sysinstall has been removed 20110923: The stable/9 branch created in subversion. This corresponds to the RELENG_9 branch in CVS. COMMON ITEMS: General Notes ------------- Avoid using make -j when upgrading. While generally safe, there are sometimes problems using -j to upgrade. If your upgrade fails with -j, please try again without -j. From time to time in the past there have been problems using -j with buildworld and/or installworld. This is especially true when upgrading between "distant" versions (eg one that cross a major release boundary or several minor releases, or when several months have passed on the -current branch). Sometimes, obscure build problems are the result of environment poisoning. This can happen because the make utility reads its environment when searching for values for global variables. To run your build attempts in an "environmental clean room", prefix all make commands with 'env -i '. See the env(1) manual page for more details. When upgrading from one major version to another it is generally best to upgrade to the latest code in the currently installed branch first, then do an upgrade to the new branch. This is the best-tested upgrade path, and has the highest probability of being successful. Please try this approach before reporting problems with a major version upgrade. When upgrading a live system, having a root shell around before installing anything can help undo problems. Not having a root shell around can lead to problems if pam has changed too much from your starting point to allow continued authentication after the upgrade. This file should be read as a log of events. When a later event changes information of a prior event, the prior event should not be deleted. Instead, a pointer to the entry with the new information should be placed in the old entry. Readers of this file should also sanity check older entries before relying on them blindly. Authors of new entries should write them with this in mind. ZFS notes --------- When upgrading the boot ZFS pool to a new version, always follow these two steps: 1.) recompile and reinstall the ZFS boot loader and boot block (this is part of "make buildworld" and "make installworld") 2.) update the ZFS boot block on your boot drive The following example updates the ZFS boot block on the first partition (freebsd-boot) of a GPT partitioned drive ada0: "gpart bootcode -p /boot/gptzfsboot -i 1 ada0" Non-boot pools do not need these updates. To build a kernel ----------------- If you are updating from a prior version of FreeBSD (even one just a few days old), you should follow this procedure. It is the most failsafe as it uses a /usr/obj tree with a fresh mini-buildworld, make kernel-toolchain make -DALWAYS_CHECK_MAKE buildkernel KERNCONF=YOUR_KERNEL_HERE make -DALWAYS_CHECK_MAKE installkernel KERNCONF=YOUR_KERNEL_HERE To test a kernel once --------------------- If you just want to boot a kernel once (because you are not sure if it works, or if you want to boot a known bad kernel to provide debugging information) run make installkernel KERNCONF=YOUR_KERNEL_HERE KODIR=/boot/testkernel nextboot -k testkernel To just build a kernel when you know that it won't mess you up -------------------------------------------------------------- This assumes you are already running a CURRENT system. Replace ${arch} with the architecture of your machine (e.g. "i386", "arm", "amd64", "ia64", "pc98", "sparc64", "powerpc", "mips", etc). cd src/sys/${arch}/conf config KERNEL_NAME_HERE cd ../compile/KERNEL_NAME_HERE make depend make make install If this fails, go to the "To build a kernel" section. To rebuild everything and install it on the current system. ----------------------------------------------------------- # Note: sometimes if you are running current you gotta do more than # is listed here if you are upgrading from a really old current. make buildworld make kernel KERNCONF=YOUR_KERNEL_HERE [1] [3] mergemaster -Fp [5] make installworld mergemaster -Fi [4] make delete-old [6] To cross-install current onto a separate partition -------------------------------------------------- # In this approach we use a separate partition to hold # current's root, 'usr', and 'var' directories. A partition # holding "/", "/usr" and "/var" should be about 2GB in # size. make buildworld make buildkernel KERNCONF=YOUR_KERNEL_HERE make installworld DESTDIR=${CURRENT_ROOT} -DDB_FROM_SRC make distribution DESTDIR=${CURRENT_ROOT} # if newfs'd make installkernel KERNCONF=YOUR_KERNEL_HERE DESTDIR=${CURRENT_ROOT} cp /etc/fstab ${CURRENT_ROOT}/etc/fstab # if newfs'd To upgrade in-place from stable to current ---------------------------------------------- make buildworld [9] make kernel KERNCONF=YOUR_KERNEL_HERE [8] [1] [3] mergemaster -Fp [5] make installworld mergemaster -Fi [4] make delete-old [6] Make sure that you've read the UPDATING file to understand the tweaks to various things you need. At this point in the life cycle of current, things change often and you are on your own to cope. The defaults can also change, so please read ALL of the UPDATING entries. Also, if you are tracking -current, you must be subscribed to freebsd-current@freebsd.org. Make sure that before you update your sources that you have read and understood all the recent messages there. If in doubt, please track -stable which has much fewer pitfalls. [1] If you have third party modules, such as vmware, you should disable them at this point so they don't crash your system on reboot. [3] From the bootblocks, boot -s, and then do fsck -p mount -u / mount -a cd src adjkerntz -i # if CMOS is wall time Also, when doing a major release upgrade, it is required that you boot into single user mode to do the installworld. [4] Note: This step is non-optional. Failure to do this step can result in a significant reduction in the functionality of the system. Attempting to do it by hand is not recommended and those that pursue this avenue should read this file carefully, as well as the archives of freebsd-current and freebsd-hackers mailing lists for potential gotchas. The -U option is also useful to consider. See mergemaster(8) for more information. [5] Usually this step is a noop. However, from time to time you may need to do this if you get unknown user in the following step. It never hurts to do it all the time. You may need to install a new mergemaster (cd src/usr.sbin/mergemaster && make install) after the buildworld before this step if you last updated from current before 20130425 or from -stable before 20130430. [6] This only deletes old files and directories. Old libraries can be deleted by "make delete-old-libs", but you have to make sure that no program is using those libraries anymore. [8] The new kernel must be able to run existing binaries used by an installworld. When upgrading across major versions, the new kernel's configuration must include the correct COMPAT_FREEBSD option for existing binaries (e.g. COMPAT_FREEBSD11 to run 11.x binaries). Failure to do so may leave you with a system that is hard to boot to recover. A GENERIC kernel will include suitable compatibility options to run binaries from older branches. Make sure that you merge any new devices from GENERIC since the last time you updated your kernel config file. [9] When checking out sources, you must include the -P flag to have cvs prune empty directories. If CPUTYPE is defined in your /etc/make.conf, make sure to use the "?=" instead of the "=" assignment operator, so that buildworld can override the CPUTYPE if it needs to. MAKEOBJDIRPREFIX must be defined in an environment variable, and not on the command line, or in /etc/make.conf. buildworld will warn if it is improperly defined. FORMAT: This file contains a list, in reverse chronological order, of major breakages in tracking -current. It is not guaranteed to be a complete list of such breakages, and only contains entries since September 23, 2011. If you need to see UPDATING entries from before that date, you will need to fetch an UPDATING file from an older FreeBSD release. Copyright information: Copyright 1998-2009 M. Warner Losh. All Rights Reserved. Redistribution, publication, translation and use, with or without modification, in full or in part, in any form or format of this document are permitted without further permission from the author. THIS DOCUMENT IS PROVIDED BY WARNER LOSH ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WARNER LOSH BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Contact Warner Losh if you have any questions about your use of this document. $FreeBSD$ Index: releng/11.4/crypto/openssl/crypto/asn1/asn1.h =================================================================== --- releng/11.4/crypto/openssl/crypto/asn1/asn1.h (revision 368642) +++ releng/11.4/crypto/openssl/crypto/asn1/asn1.h (revision 368643) @@ -1,1424 +1,1426 @@ /* crypto/asn1/asn1.h */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #ifndef HEADER_ASN1_H # define HEADER_ASN1_H # include # include # ifndef OPENSSL_NO_BIO # include # endif # include # include # include # include # ifndef OPENSSL_NO_DEPRECATED # include # endif # ifdef OPENSSL_BUILD_SHLIBCRYPTO # undef OPENSSL_EXTERN # define OPENSSL_EXTERN OPENSSL_EXPORT # endif #ifdef __cplusplus extern "C" { #endif # define V_ASN1_UNIVERSAL 0x00 # define V_ASN1_APPLICATION 0x40 # define V_ASN1_CONTEXT_SPECIFIC 0x80 # define V_ASN1_PRIVATE 0xc0 # define V_ASN1_CONSTRUCTED 0x20 # define V_ASN1_PRIMITIVE_TAG 0x1f # define V_ASN1_PRIMATIVE_TAG 0x1f # define V_ASN1_APP_CHOOSE -2/* let the recipient choose */ # define V_ASN1_OTHER -3/* used in ASN1_TYPE */ # define V_ASN1_ANY -4/* used in ASN1 template code */ # define V_ASN1_NEG 0x100/* negative flag */ # define V_ASN1_UNDEF -1 # define V_ASN1_EOC 0 # define V_ASN1_BOOLEAN 1 /**/ # define V_ASN1_INTEGER 2 # define V_ASN1_NEG_INTEGER (2 | V_ASN1_NEG) # define V_ASN1_BIT_STRING 3 # define V_ASN1_OCTET_STRING 4 # define V_ASN1_NULL 5 # define V_ASN1_OBJECT 6 # define V_ASN1_OBJECT_DESCRIPTOR 7 # define V_ASN1_EXTERNAL 8 # define V_ASN1_REAL 9 # define V_ASN1_ENUMERATED 10 # define V_ASN1_NEG_ENUMERATED (10 | V_ASN1_NEG) # define V_ASN1_UTF8STRING 12 # define V_ASN1_SEQUENCE 16 # define V_ASN1_SET 17 # define V_ASN1_NUMERICSTRING 18 /**/ # define V_ASN1_PRINTABLESTRING 19 # define V_ASN1_T61STRING 20 # define V_ASN1_TELETEXSTRING 20/* alias */ # define V_ASN1_VIDEOTEXSTRING 21 /**/ # define V_ASN1_IA5STRING 22 # define V_ASN1_UTCTIME 23 # define V_ASN1_GENERALIZEDTIME 24 /**/ # define V_ASN1_GRAPHICSTRING 25 /**/ # define V_ASN1_ISO64STRING 26 /**/ # define V_ASN1_VISIBLESTRING 26/* alias */ # define V_ASN1_GENERALSTRING 27 /**/ # define V_ASN1_UNIVERSALSTRING 28 /**/ # define V_ASN1_BMPSTRING 30 /* For use with d2i_ASN1_type_bytes() */ # define B_ASN1_NUMERICSTRING 0x0001 # define B_ASN1_PRINTABLESTRING 0x0002 # define B_ASN1_T61STRING 0x0004 # define B_ASN1_TELETEXSTRING 0x0004 # define B_ASN1_VIDEOTEXSTRING 0x0008 # define B_ASN1_IA5STRING 0x0010 # define B_ASN1_GRAPHICSTRING 0x0020 # define B_ASN1_ISO64STRING 0x0040 # define B_ASN1_VISIBLESTRING 0x0040 # define B_ASN1_GENERALSTRING 0x0080 # define B_ASN1_UNIVERSALSTRING 0x0100 # define B_ASN1_OCTET_STRING 0x0200 # define B_ASN1_BIT_STRING 0x0400 # define B_ASN1_BMPSTRING 0x0800 # define B_ASN1_UNKNOWN 0x1000 # define B_ASN1_UTF8STRING 0x2000 # define B_ASN1_UTCTIME 0x4000 # define B_ASN1_GENERALIZEDTIME 0x8000 # define B_ASN1_SEQUENCE 0x10000 /* For use with ASN1_mbstring_copy() */ # define MBSTRING_FLAG 0x1000 # define MBSTRING_UTF8 (MBSTRING_FLAG) # define MBSTRING_ASC (MBSTRING_FLAG|1) # define MBSTRING_BMP (MBSTRING_FLAG|2) # define MBSTRING_UNIV (MBSTRING_FLAG|4) # define SMIME_OLDMIME 0x400 # define SMIME_CRLFEOL 0x800 # define SMIME_STREAM 0x1000 struct X509_algor_st; DECLARE_STACK_OF(X509_ALGOR) # define DECLARE_ASN1_SET_OF(type)/* filled in by mkstack.pl */ # define IMPLEMENT_ASN1_SET_OF(type)/* nothing, no longer needed */ /* * We MUST make sure that, except for constness, asn1_ctx_st and * asn1_const_ctx are exactly the same. Fortunately, as soon as the old ASN1 * parsing macros are gone, we can throw this away as well... */ typedef struct asn1_ctx_st { unsigned char *p; /* work char pointer */ int eos; /* end of sequence read for indefinite * encoding */ int error; /* error code to use when returning an error */ int inf; /* constructed if 0x20, indefinite is 0x21 */ int tag; /* tag from last 'get object' */ int xclass; /* class from last 'get object' */ long slen; /* length of last 'get object' */ unsigned char *max; /* largest value of p allowed */ unsigned char *q; /* temporary variable */ unsigned char **pp; /* variable */ int line; /* used in error processing */ } ASN1_CTX; typedef struct asn1_const_ctx_st { const unsigned char *p; /* work char pointer */ int eos; /* end of sequence read for indefinite * encoding */ int error; /* error code to use when returning an error */ int inf; /* constructed if 0x20, indefinite is 0x21 */ int tag; /* tag from last 'get object' */ int xclass; /* class from last 'get object' */ long slen; /* length of last 'get object' */ const unsigned char *max; /* largest value of p allowed */ const unsigned char *q; /* temporary variable */ const unsigned char **pp; /* variable */ int line; /* used in error processing */ } ASN1_const_CTX; /* * These are used internally in the ASN1_OBJECT to keep track of whether the * names and data need to be free()ed */ # define ASN1_OBJECT_FLAG_DYNAMIC 0x01/* internal use */ # define ASN1_OBJECT_FLAG_CRITICAL 0x02/* critical x509v3 object id */ # define ASN1_OBJECT_FLAG_DYNAMIC_STRINGS 0x04/* internal use */ # define ASN1_OBJECT_FLAG_DYNAMIC_DATA 0x08/* internal use */ struct asn1_object_st { const char *sn, *ln; int nid; int length; const unsigned char *data; /* data remains const after init */ int flags; /* Should we free this one */ }; # define ASN1_STRING_FLAG_BITS_LEFT 0x08/* Set if 0x07 has bits left value */ /* * This indicates that the ASN1_STRING is not a real value but just a place * holder for the location where indefinite length constructed data should be * inserted in the memory buffer */ # define ASN1_STRING_FLAG_NDEF 0x010 /* * This flag is used by the CMS code to indicate that a string is not * complete and is a place holder for content when it had all been accessed. * The flag will be reset when content has been written to it. */ # define ASN1_STRING_FLAG_CONT 0x020 /* * This flag is used by ASN1 code to indicate an ASN1_STRING is an MSTRING * type. */ # define ASN1_STRING_FLAG_MSTRING 0x040 /* This is the base type that holds just about everything :-) */ struct asn1_string_st { int length; int type; unsigned char *data; /* * The value of the following field depends on the type being held. It * is mostly being used for BIT_STRING so if the input data has a * non-zero 'unused bits' value, it will be handled correctly */ long flags; }; /* * ASN1_ENCODING structure: this is used to save the received encoding of an * ASN1 type. This is useful to get round problems with invalid encodings * which can break signatures. */ typedef struct ASN1_ENCODING_st { unsigned char *enc; /* DER encoding */ long len; /* Length of encoding */ int modified; /* set to 1 if 'enc' is invalid */ } ASN1_ENCODING; /* Used with ASN1 LONG type: if a long is set to this it is omitted */ # define ASN1_LONG_UNDEF 0x7fffffffL # define STABLE_FLAGS_MALLOC 0x01 # define STABLE_NO_MASK 0x02 # define DIRSTRING_TYPE \ (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_BMPSTRING|B_ASN1_UTF8STRING) # define PKCS9STRING_TYPE (DIRSTRING_TYPE|B_ASN1_IA5STRING) typedef struct asn1_string_table_st { int nid; long minsize; long maxsize; unsigned long mask; unsigned long flags; } ASN1_STRING_TABLE; DECLARE_STACK_OF(ASN1_STRING_TABLE) /* size limits: this stuff is taken straight from RFC2459 */ # define ub_name 32768 # define ub_common_name 64 # define ub_locality_name 128 # define ub_state_name 128 # define ub_organization_name 64 # define ub_organization_unit_name 64 # define ub_title 64 # define ub_email_address 128 /* * Declarations for template structures: for full definitions see asn1t.h */ typedef struct ASN1_TEMPLATE_st ASN1_TEMPLATE; typedef struct ASN1_TLC_st ASN1_TLC; /* This is just an opaque pointer */ typedef struct ASN1_VALUE_st ASN1_VALUE; /* Declare ASN1 functions: the implement macro in in asn1t.h */ # define DECLARE_ASN1_FUNCTIONS(type) DECLARE_ASN1_FUNCTIONS_name(type, type) # define DECLARE_ASN1_ALLOC_FUNCTIONS(type) \ DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, type) # define DECLARE_ASN1_FUNCTIONS_name(type, name) \ DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \ DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name) # define DECLARE_ASN1_FUNCTIONS_fname(type, itname, name) \ DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \ DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) # define DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) \ type *d2i_##name(type **a, const unsigned char **in, long len); \ int i2d_##name(type *a, unsigned char **out); \ DECLARE_ASN1_ITEM(itname) # define DECLARE_ASN1_ENCODE_FUNCTIONS_const(type, name) \ type *d2i_##name(type **a, const unsigned char **in, long len); \ int i2d_##name(const type *a, unsigned char **out); \ DECLARE_ASN1_ITEM(name) # define DECLARE_ASN1_NDEF_FUNCTION(name) \ int i2d_##name##_NDEF(name *a, unsigned char **out); # define DECLARE_ASN1_FUNCTIONS_const(name) \ DECLARE_ASN1_ALLOC_FUNCTIONS(name) \ DECLARE_ASN1_ENCODE_FUNCTIONS_const(name, name) # define DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \ type *name##_new(void); \ void name##_free(type *a); # define DECLARE_ASN1_PRINT_FUNCTION(stname) \ DECLARE_ASN1_PRINT_FUNCTION_fname(stname, stname) # define DECLARE_ASN1_PRINT_FUNCTION_fname(stname, fname) \ int fname##_print_ctx(BIO *out, stname *x, int indent, \ const ASN1_PCTX *pctx); # define D2I_OF(type) type *(*)(type **,const unsigned char **,long) # define I2D_OF(type) int (*)(type *,unsigned char **) # define I2D_OF_const(type) int (*)(const type *,unsigned char **) # define CHECKED_D2I_OF(type, d2i) \ ((d2i_of_void*) (1 ? d2i : ((D2I_OF(type))0))) # define CHECKED_I2D_OF(type, i2d) \ ((i2d_of_void*) (1 ? i2d : ((I2D_OF(type))0))) # define CHECKED_NEW_OF(type, xnew) \ ((void *(*)(void)) (1 ? xnew : ((type *(*)(void))0))) # define CHECKED_PTR_OF(type, p) \ ((void*) (1 ? p : (type*)0)) # define CHECKED_PPTR_OF(type, p) \ ((void**) (1 ? p : (type**)0)) # define TYPEDEF_D2I_OF(type) typedef type *d2i_of_##type(type **,const unsigned char **,long) # define TYPEDEF_I2D_OF(type) typedef int i2d_of_##type(type *,unsigned char **) # define TYPEDEF_D2I2D_OF(type) TYPEDEF_D2I_OF(type); TYPEDEF_I2D_OF(type) TYPEDEF_D2I2D_OF(void); /*- * The following macros and typedefs allow an ASN1_ITEM * to be embedded in a structure and referenced. Since * the ASN1_ITEM pointers need to be globally accessible * (possibly from shared libraries) they may exist in * different forms. On platforms that support it the * ASN1_ITEM structure itself will be globally exported. * Other platforms will export a function that returns * an ASN1_ITEM pointer. * * To handle both cases transparently the macros below * should be used instead of hard coding an ASN1_ITEM * pointer in a structure. * * The structure will look like this: * * typedef struct SOMETHING_st { * ... * ASN1_ITEM_EXP *iptr; * ... * } SOMETHING; * * It would be initialised as e.g.: * * SOMETHING somevar = {...,ASN1_ITEM_ref(X509),...}; * * and the actual pointer extracted with: * * const ASN1_ITEM *it = ASN1_ITEM_ptr(somevar.iptr); * * Finally an ASN1_ITEM pointer can be extracted from an * appropriate reference with: ASN1_ITEM_rptr(X509). This * would be used when a function takes an ASN1_ITEM * argument. * */ # ifndef OPENSSL_EXPORT_VAR_AS_FUNCTION /* ASN1_ITEM pointer exported type */ typedef const ASN1_ITEM ASN1_ITEM_EXP; /* Macro to obtain ASN1_ITEM pointer from exported type */ # define ASN1_ITEM_ptr(iptr) (iptr) /* Macro to include ASN1_ITEM pointer from base type */ # define ASN1_ITEM_ref(iptr) (&(iptr##_it)) # define ASN1_ITEM_rptr(ref) (&(ref##_it)) # define DECLARE_ASN1_ITEM(name) \ OPENSSL_EXTERN const ASN1_ITEM name##_it; # else /* * Platforms that can't easily handle shared global variables are declared as * functions returning ASN1_ITEM pointers. */ /* ASN1_ITEM pointer exported type */ typedef const ASN1_ITEM *ASN1_ITEM_EXP (void); /* Macro to obtain ASN1_ITEM pointer from exported type */ # define ASN1_ITEM_ptr(iptr) (iptr()) /* Macro to include ASN1_ITEM pointer from base type */ # define ASN1_ITEM_ref(iptr) (iptr##_it) # define ASN1_ITEM_rptr(ref) (ref##_it()) # define DECLARE_ASN1_ITEM(name) \ const ASN1_ITEM * name##_it(void); # endif /* Parameters used by ASN1_STRING_print_ex() */ /* * These determine which characters to escape: RFC2253 special characters, * control characters and MSB set characters */ # define ASN1_STRFLGS_ESC_2253 1 # define ASN1_STRFLGS_ESC_CTRL 2 # define ASN1_STRFLGS_ESC_MSB 4 /* * This flag determines how we do escaping: normally RC2253 backslash only, * set this to use backslash and quote. */ # define ASN1_STRFLGS_ESC_QUOTE 8 /* These three flags are internal use only. */ /* Character is a valid PrintableString character */ # define CHARTYPE_PRINTABLESTRING 0x10 /* Character needs escaping if it is the first character */ # define CHARTYPE_FIRST_ESC_2253 0x20 /* Character needs escaping if it is the last character */ # define CHARTYPE_LAST_ESC_2253 0x40 /* * NB the internal flags are safely reused below by flags handled at the top * level. */ /* * If this is set we convert all character strings to UTF8 first */ # define ASN1_STRFLGS_UTF8_CONVERT 0x10 /* * If this is set we don't attempt to interpret content: just assume all * strings are 1 byte per character. This will produce some pretty odd * looking output! */ # define ASN1_STRFLGS_IGNORE_TYPE 0x20 /* If this is set we include the string type in the output */ # define ASN1_STRFLGS_SHOW_TYPE 0x40 /* * This determines which strings to display and which to 'dump' (hex dump of * content octets or DER encoding). We can only dump non character strings or * everything. If we don't dump 'unknown' they are interpreted as character * strings with 1 octet per character and are subject to the usual escaping * options. */ # define ASN1_STRFLGS_DUMP_ALL 0x80 # define ASN1_STRFLGS_DUMP_UNKNOWN 0x100 /* * These determine what 'dumping' does, we can dump the content octets or the * DER encoding: both use the RFC2253 #XXXXX notation. */ # define ASN1_STRFLGS_DUMP_DER 0x200 /* * All the string flags consistent with RFC2253, escaping control characters * isn't essential in RFC2253 but it is advisable anyway. */ # define ASN1_STRFLGS_RFC2253 (ASN1_STRFLGS_ESC_2253 | \ ASN1_STRFLGS_ESC_CTRL | \ ASN1_STRFLGS_ESC_MSB | \ ASN1_STRFLGS_UTF8_CONVERT | \ ASN1_STRFLGS_DUMP_UNKNOWN | \ ASN1_STRFLGS_DUMP_DER) DECLARE_STACK_OF(ASN1_INTEGER) DECLARE_ASN1_SET_OF(ASN1_INTEGER) DECLARE_STACK_OF(ASN1_GENERALSTRING) typedef struct asn1_type_st { int type; union { char *ptr; ASN1_BOOLEAN boolean; ASN1_STRING *asn1_string; ASN1_OBJECT *object; ASN1_INTEGER *integer; ASN1_ENUMERATED *enumerated; ASN1_BIT_STRING *bit_string; ASN1_OCTET_STRING *octet_string; ASN1_PRINTABLESTRING *printablestring; ASN1_T61STRING *t61string; ASN1_IA5STRING *ia5string; ASN1_GENERALSTRING *generalstring; ASN1_BMPSTRING *bmpstring; ASN1_UNIVERSALSTRING *universalstring; ASN1_UTCTIME *utctime; ASN1_GENERALIZEDTIME *generalizedtime; ASN1_VISIBLESTRING *visiblestring; ASN1_UTF8STRING *utf8string; /* * set and sequence are left complete and still contain the set or * sequence bytes */ ASN1_STRING *set; ASN1_STRING *sequence; ASN1_VALUE *asn1_value; } value; } ASN1_TYPE; DECLARE_STACK_OF(ASN1_TYPE) DECLARE_ASN1_SET_OF(ASN1_TYPE) typedef STACK_OF(ASN1_TYPE) ASN1_SEQUENCE_ANY; DECLARE_ASN1_ENCODE_FUNCTIONS_const(ASN1_SEQUENCE_ANY, ASN1_SEQUENCE_ANY) DECLARE_ASN1_ENCODE_FUNCTIONS_const(ASN1_SEQUENCE_ANY, ASN1_SET_ANY) typedef struct NETSCAPE_X509_st { ASN1_OCTET_STRING *header; X509 *cert; } NETSCAPE_X509; /* This is used to contain a list of bit names */ typedef struct BIT_STRING_BITNAME_st { int bitnum; const char *lname; const char *sname; } BIT_STRING_BITNAME; # define M_ASN1_STRING_length(x) ((x)->length) # define M_ASN1_STRING_length_set(x, n) ((x)->length = (n)) # define M_ASN1_STRING_type(x) ((x)->type) # define M_ASN1_STRING_data(x) ((x)->data) /* Macros for string operations */ # define M_ASN1_BIT_STRING_new() (ASN1_BIT_STRING *)\ ASN1_STRING_type_new(V_ASN1_BIT_STRING) # define M_ASN1_BIT_STRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_ASN1_BIT_STRING_dup(a) (ASN1_BIT_STRING *)\ ASN1_STRING_dup((const ASN1_STRING *)a) # define M_ASN1_BIT_STRING_cmp(a,b) ASN1_STRING_cmp(\ (const ASN1_STRING *)a,(const ASN1_STRING *)b) # define M_ASN1_BIT_STRING_set(a,b,c) ASN1_STRING_set((ASN1_STRING *)a,b,c) # define M_ASN1_INTEGER_new() (ASN1_INTEGER *)\ ASN1_STRING_type_new(V_ASN1_INTEGER) # define M_ASN1_INTEGER_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_ASN1_INTEGER_dup(a) (ASN1_INTEGER *)\ ASN1_STRING_dup((const ASN1_STRING *)a) # define M_ASN1_INTEGER_cmp(a,b) ASN1_STRING_cmp(\ (const ASN1_STRING *)a,(const ASN1_STRING *)b) # define M_ASN1_ENUMERATED_new() (ASN1_ENUMERATED *)\ ASN1_STRING_type_new(V_ASN1_ENUMERATED) # define M_ASN1_ENUMERATED_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_ASN1_ENUMERATED_dup(a) (ASN1_ENUMERATED *)\ ASN1_STRING_dup((const ASN1_STRING *)a) # define M_ASN1_ENUMERATED_cmp(a,b) ASN1_STRING_cmp(\ (const ASN1_STRING *)a,(const ASN1_STRING *)b) # define M_ASN1_OCTET_STRING_new() (ASN1_OCTET_STRING *)\ ASN1_STRING_type_new(V_ASN1_OCTET_STRING) # define M_ASN1_OCTET_STRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_ASN1_OCTET_STRING_dup(a) (ASN1_OCTET_STRING *)\ ASN1_STRING_dup((const ASN1_STRING *)a) # define M_ASN1_OCTET_STRING_cmp(a,b) ASN1_STRING_cmp(\ (const ASN1_STRING *)a,(const ASN1_STRING *)b) # define M_ASN1_OCTET_STRING_set(a,b,c) ASN1_STRING_set((ASN1_STRING *)a,b,c) # define M_ASN1_OCTET_STRING_print(a,b) ASN1_STRING_print(a,(ASN1_STRING *)b) # define M_i2d_ASN1_OCTET_STRING(a,pp) \ i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_OCTET_STRING,\ V_ASN1_UNIVERSAL) # define B_ASN1_TIME \ B_ASN1_UTCTIME | \ B_ASN1_GENERALIZEDTIME # define B_ASN1_PRINTABLE \ B_ASN1_NUMERICSTRING| \ B_ASN1_PRINTABLESTRING| \ B_ASN1_T61STRING| \ B_ASN1_IA5STRING| \ B_ASN1_BIT_STRING| \ B_ASN1_UNIVERSALSTRING|\ B_ASN1_BMPSTRING|\ B_ASN1_UTF8STRING|\ B_ASN1_SEQUENCE|\ B_ASN1_UNKNOWN # define B_ASN1_DIRECTORYSTRING \ B_ASN1_PRINTABLESTRING| \ B_ASN1_TELETEXSTRING|\ B_ASN1_BMPSTRING|\ B_ASN1_UNIVERSALSTRING|\ B_ASN1_UTF8STRING # define B_ASN1_DISPLAYTEXT \ B_ASN1_IA5STRING| \ B_ASN1_VISIBLESTRING| \ B_ASN1_BMPSTRING|\ B_ASN1_UTF8STRING # define M_ASN1_PRINTABLE_new() ASN1_STRING_type_new(V_ASN1_T61STRING) # define M_ASN1_PRINTABLE_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_i2d_ASN1_PRINTABLE(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\ pp,a->type,V_ASN1_UNIVERSAL) # define M_d2i_ASN1_PRINTABLE(a,pp,l) \ d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l, \ B_ASN1_PRINTABLE) # define M_DIRECTORYSTRING_new() ASN1_STRING_type_new(V_ASN1_PRINTABLESTRING) # define M_DIRECTORYSTRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_i2d_DIRECTORYSTRING(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\ pp,a->type,V_ASN1_UNIVERSAL) # define M_d2i_DIRECTORYSTRING(a,pp,l) \ d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l, \ B_ASN1_DIRECTORYSTRING) # define M_DISPLAYTEXT_new() ASN1_STRING_type_new(V_ASN1_VISIBLESTRING) # define M_DISPLAYTEXT_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_i2d_DISPLAYTEXT(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\ pp,a->type,V_ASN1_UNIVERSAL) # define M_d2i_DISPLAYTEXT(a,pp,l) \ d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l, \ B_ASN1_DISPLAYTEXT) # define M_ASN1_PRINTABLESTRING_new() (ASN1_PRINTABLESTRING *)\ ASN1_STRING_type_new(V_ASN1_PRINTABLESTRING) # define M_ASN1_PRINTABLESTRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_i2d_ASN1_PRINTABLESTRING(a,pp) \ i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_PRINTABLESTRING,\ V_ASN1_UNIVERSAL) # define M_d2i_ASN1_PRINTABLESTRING(a,pp,l) \ (ASN1_PRINTABLESTRING *)d2i_ASN1_type_bytes\ ((ASN1_STRING **)a,pp,l,B_ASN1_PRINTABLESTRING) # define M_ASN1_T61STRING_new() (ASN1_T61STRING *)\ ASN1_STRING_type_new(V_ASN1_T61STRING) # define M_ASN1_T61STRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_i2d_ASN1_T61STRING(a,pp) \ i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_T61STRING,\ V_ASN1_UNIVERSAL) # define M_d2i_ASN1_T61STRING(a,pp,l) \ (ASN1_T61STRING *)d2i_ASN1_type_bytes\ ((ASN1_STRING **)a,pp,l,B_ASN1_T61STRING) # define M_ASN1_IA5STRING_new() (ASN1_IA5STRING *)\ ASN1_STRING_type_new(V_ASN1_IA5STRING) # define M_ASN1_IA5STRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_ASN1_IA5STRING_dup(a) \ (ASN1_IA5STRING *)ASN1_STRING_dup((const ASN1_STRING *)a) # define M_i2d_ASN1_IA5STRING(a,pp) \ i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_IA5STRING,\ V_ASN1_UNIVERSAL) # define M_d2i_ASN1_IA5STRING(a,pp,l) \ (ASN1_IA5STRING *)d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l,\ B_ASN1_IA5STRING) # define M_ASN1_UTCTIME_new() (ASN1_UTCTIME *)\ ASN1_STRING_type_new(V_ASN1_UTCTIME) # define M_ASN1_UTCTIME_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_ASN1_UTCTIME_dup(a) (ASN1_UTCTIME *)\ ASN1_STRING_dup((const ASN1_STRING *)a) # define M_ASN1_GENERALIZEDTIME_new() (ASN1_GENERALIZEDTIME *)\ ASN1_STRING_type_new(V_ASN1_GENERALIZEDTIME) # define M_ASN1_GENERALIZEDTIME_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_ASN1_GENERALIZEDTIME_dup(a) (ASN1_GENERALIZEDTIME *)ASN1_STRING_dup(\ (const ASN1_STRING *)a) # define M_ASN1_TIME_new() (ASN1_TIME *)\ ASN1_STRING_type_new(V_ASN1_UTCTIME) # define M_ASN1_TIME_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_ASN1_TIME_dup(a) (ASN1_TIME *)\ ASN1_STRING_dup((const ASN1_STRING *)a) # define M_ASN1_GENERALSTRING_new() (ASN1_GENERALSTRING *)\ ASN1_STRING_type_new(V_ASN1_GENERALSTRING) # define M_ASN1_GENERALSTRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_i2d_ASN1_GENERALSTRING(a,pp) \ i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_GENERALSTRING,\ V_ASN1_UNIVERSAL) # define M_d2i_ASN1_GENERALSTRING(a,pp,l) \ (ASN1_GENERALSTRING *)d2i_ASN1_type_bytes\ ((ASN1_STRING **)a,pp,l,B_ASN1_GENERALSTRING) # define M_ASN1_UNIVERSALSTRING_new() (ASN1_UNIVERSALSTRING *)\ ASN1_STRING_type_new(V_ASN1_UNIVERSALSTRING) # define M_ASN1_UNIVERSALSTRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_i2d_ASN1_UNIVERSALSTRING(a,pp) \ i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_UNIVERSALSTRING,\ V_ASN1_UNIVERSAL) # define M_d2i_ASN1_UNIVERSALSTRING(a,pp,l) \ (ASN1_UNIVERSALSTRING *)d2i_ASN1_type_bytes\ ((ASN1_STRING **)a,pp,l,B_ASN1_UNIVERSALSTRING) # define M_ASN1_BMPSTRING_new() (ASN1_BMPSTRING *)\ ASN1_STRING_type_new(V_ASN1_BMPSTRING) # define M_ASN1_BMPSTRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_i2d_ASN1_BMPSTRING(a,pp) \ i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_BMPSTRING,\ V_ASN1_UNIVERSAL) # define M_d2i_ASN1_BMPSTRING(a,pp,l) \ (ASN1_BMPSTRING *)d2i_ASN1_type_bytes\ ((ASN1_STRING **)a,pp,l,B_ASN1_BMPSTRING) # define M_ASN1_VISIBLESTRING_new() (ASN1_VISIBLESTRING *)\ ASN1_STRING_type_new(V_ASN1_VISIBLESTRING) # define M_ASN1_VISIBLESTRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_i2d_ASN1_VISIBLESTRING(a,pp) \ i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_VISIBLESTRING,\ V_ASN1_UNIVERSAL) # define M_d2i_ASN1_VISIBLESTRING(a,pp,l) \ (ASN1_VISIBLESTRING *)d2i_ASN1_type_bytes\ ((ASN1_STRING **)a,pp,l,B_ASN1_VISIBLESTRING) # define M_ASN1_UTF8STRING_new() (ASN1_UTF8STRING *)\ ASN1_STRING_type_new(V_ASN1_UTF8STRING) # define M_ASN1_UTF8STRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) # define M_i2d_ASN1_UTF8STRING(a,pp) \ i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_UTF8STRING,\ V_ASN1_UNIVERSAL) # define M_d2i_ASN1_UTF8STRING(a,pp,l) \ (ASN1_UTF8STRING *)d2i_ASN1_type_bytes\ ((ASN1_STRING **)a,pp,l,B_ASN1_UTF8STRING) /* for the is_set parameter to i2d_ASN1_SET */ # define IS_SEQUENCE 0 # define IS_SET 1 DECLARE_ASN1_FUNCTIONS_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE) int ASN1_TYPE_get(ASN1_TYPE *a); void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value); int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value); int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b); ASN1_OBJECT *ASN1_OBJECT_new(void); void ASN1_OBJECT_free(ASN1_OBJECT *a); int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp); ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long length); ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long length); DECLARE_ASN1_ITEM(ASN1_OBJECT) DECLARE_STACK_OF(ASN1_OBJECT) DECLARE_ASN1_SET_OF(ASN1_OBJECT) ASN1_STRING *ASN1_STRING_new(void); void ASN1_STRING_free(ASN1_STRING *a); void ASN1_STRING_clear_free(ASN1_STRING *a); int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str); ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *a); ASN1_STRING *ASN1_STRING_type_new(int type); int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b); /* * Since this is used to store all sorts of things, via macros, for now, * make its data void * */ int ASN1_STRING_set(ASN1_STRING *str, const void *data, int len); void ASN1_STRING_set0(ASN1_STRING *str, void *data, int len); int ASN1_STRING_length(const ASN1_STRING *x); void ASN1_STRING_length_set(ASN1_STRING *x, int n); int ASN1_STRING_type(ASN1_STRING *x); unsigned char *ASN1_STRING_data(ASN1_STRING *x); DECLARE_ASN1_FUNCTIONS(ASN1_BIT_STRING) int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp); ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, const unsigned char **pp, long length); int ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d, int length); int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value); int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n); int ASN1_BIT_STRING_check(ASN1_BIT_STRING *a, unsigned char *flags, int flags_len); # ifndef OPENSSL_NO_BIO int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs, BIT_STRING_BITNAME *tbl, int indent); # endif int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl); int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value, BIT_STRING_BITNAME *tbl); int i2d_ASN1_BOOLEAN(int a, unsigned char **pp); int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length); DECLARE_ASN1_FUNCTIONS(ASN1_INTEGER) int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp); ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, long length); ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, long length); ASN1_INTEGER *ASN1_INTEGER_dup(const ASN1_INTEGER *x); int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y); DECLARE_ASN1_FUNCTIONS(ASN1_ENUMERATED) int ASN1_UTCTIME_check(const ASN1_UTCTIME *a); ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t); ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t, int offset_day, long offset_sec); int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str); int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t); # if 0 time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s); # endif int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *a); ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s, time_t t); ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s, time_t t, int offset_day, long offset_sec); int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str); int ASN1_TIME_diff(int *pday, int *psec, const ASN1_TIME *from, const ASN1_TIME *to); DECLARE_ASN1_FUNCTIONS(ASN1_OCTET_STRING) ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(const ASN1_OCTET_STRING *a); int ASN1_OCTET_STRING_cmp(const ASN1_OCTET_STRING *a, const ASN1_OCTET_STRING *b); int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, const unsigned char *data, int len); DECLARE_ASN1_FUNCTIONS(ASN1_VISIBLESTRING) DECLARE_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING) DECLARE_ASN1_FUNCTIONS(ASN1_UTF8STRING) DECLARE_ASN1_FUNCTIONS(ASN1_NULL) DECLARE_ASN1_FUNCTIONS(ASN1_BMPSTRING) int UTF8_getc(const unsigned char *str, int len, unsigned long *val); int UTF8_putc(unsigned char *str, int len, unsigned long value); DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, ASN1_PRINTABLE) DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, DIRECTORYSTRING) DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, DISPLAYTEXT) DECLARE_ASN1_FUNCTIONS(ASN1_PRINTABLESTRING) DECLARE_ASN1_FUNCTIONS(ASN1_T61STRING) DECLARE_ASN1_FUNCTIONS(ASN1_IA5STRING) DECLARE_ASN1_FUNCTIONS(ASN1_GENERALSTRING) DECLARE_ASN1_FUNCTIONS(ASN1_UTCTIME) DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME) DECLARE_ASN1_FUNCTIONS(ASN1_TIME) DECLARE_ASN1_ITEM(ASN1_OCTET_STRING_NDEF) ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t); ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t, int offset_day, long offset_sec); int ASN1_TIME_check(ASN1_TIME *t); ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out); int ASN1_TIME_set_string(ASN1_TIME *s, const char *str); int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp, i2d_of_void *i2d, int ex_tag, int ex_class, int is_set); STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a, const unsigned char **pp, long length, d2i_of_void *d2i, void (*free_func) (OPENSSL_BLOCK), int ex_tag, int ex_class); # ifndef OPENSSL_NO_BIO int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a); int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size); int i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a); int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size); int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a); int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size); int i2a_ASN1_STRING(BIO *bp, ASN1_STRING *a, int type); # endif int i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a); int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num); ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data, int len, const char *sn, const char *ln); int ASN1_INTEGER_set(ASN1_INTEGER *a, long v); long ASN1_INTEGER_get(const ASN1_INTEGER *a); ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai); BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn); int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v); long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a); ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai); BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn); /* General */ /* given a string, return the correct type, max is the maximum length */ int ASN1_PRINTABLE_type(const unsigned char *s, int max); int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass); ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp, long length, int Ptag, int Pclass); unsigned long ASN1_tag2bit(int tag); /* type is one or more of the B_ASN1_ values. */ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, const unsigned char **pp, long length, int type); /* PARSING */ int asn1_Finish(ASN1_CTX *c); int asn1_const_Finish(ASN1_const_CTX *c); /* SPECIALS */ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, int *pclass, long omax); int ASN1_check_infinite_end(unsigned char **p, long len); int ASN1_const_check_infinite_end(const unsigned char **p, long len); void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag, int xclass); int ASN1_put_eoc(unsigned char **pp); int ASN1_object_size(int constructed, int length, int tag); /* Used to implement other functions */ void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, void *x); # define ASN1_dup_of(type,i2d,d2i,x) \ ((type*)ASN1_dup(CHECKED_I2D_OF(type, i2d), \ CHECKED_D2I_OF(type, d2i), \ CHECKED_PTR_OF(type, x))) # define ASN1_dup_of_const(type,i2d,d2i,x) \ ((type*)ASN1_dup(CHECKED_I2D_OF(const type, i2d), \ CHECKED_D2I_OF(type, d2i), \ CHECKED_PTR_OF(const type, x))) void *ASN1_item_dup(const ASN1_ITEM *it, void *x); /* ASN1 alloc/free macros for when a type is only used internally */ # define M_ASN1_new_of(type) (type *)ASN1_item_new(ASN1_ITEM_rptr(type)) # define M_ASN1_free_of(x, type) \ ASN1_item_free(CHECKED_PTR_OF(type, x), ASN1_ITEM_rptr(type)) # ifndef OPENSSL_NO_FP_API void *ASN1_d2i_fp(void *(*xnew) (void), d2i_of_void *d2i, FILE *in, void **x); # define ASN1_d2i_fp_of(type,xnew,d2i,in,x) \ ((type*)ASN1_d2i_fp(CHECKED_NEW_OF(type, xnew), \ CHECKED_D2I_OF(type, d2i), \ in, \ CHECKED_PPTR_OF(type, x))) void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x); int ASN1_i2d_fp(i2d_of_void *i2d, FILE *out, void *x); # define ASN1_i2d_fp_of(type,i2d,out,x) \ (ASN1_i2d_fp(CHECKED_I2D_OF(type, i2d), \ out, \ CHECKED_PTR_OF(type, x))) # define ASN1_i2d_fp_of_const(type,i2d,out,x) \ (ASN1_i2d_fp(CHECKED_I2D_OF(const type, i2d), \ out, \ CHECKED_PTR_OF(const type, x))) int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x); int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags); # endif int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in); # ifndef OPENSSL_NO_BIO void *ASN1_d2i_bio(void *(*xnew) (void), d2i_of_void *d2i, BIO *in, void **x); # define ASN1_d2i_bio_of(type,xnew,d2i,in,x) \ ((type*)ASN1_d2i_bio( CHECKED_NEW_OF(type, xnew), \ CHECKED_D2I_OF(type, d2i), \ in, \ CHECKED_PPTR_OF(type, x))) void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x); int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, unsigned char *x); # define ASN1_i2d_bio_of(type,i2d,out,x) \ (ASN1_i2d_bio(CHECKED_I2D_OF(type, i2d), \ out, \ CHECKED_PTR_OF(type, x))) # define ASN1_i2d_bio_of_const(type,i2d,out,x) \ (ASN1_i2d_bio(CHECKED_I2D_OF(const type, i2d), \ out, \ CHECKED_PTR_OF(const type, x))) int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x); int ASN1_UTCTIME_print(BIO *fp, const ASN1_UTCTIME *a); int ASN1_GENERALIZEDTIME_print(BIO *fp, const ASN1_GENERALIZEDTIME *a); int ASN1_TIME_print(BIO *fp, const ASN1_TIME *a); int ASN1_STRING_print(BIO *bp, const ASN1_STRING *v); int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags); int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num, unsigned char *buf, int off); int ASN1_parse(BIO *bp, const unsigned char *pp, long len, int indent); int ASN1_parse_dump(BIO *bp, const unsigned char *pp, long len, int indent, int dump); # endif const char *ASN1_tag2str(int tag); /* Used to load and write netscape format cert */ DECLARE_ASN1_FUNCTIONS(NETSCAPE_X509) int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s); int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len); int ASN1_TYPE_get_octetstring(ASN1_TYPE *a, unsigned char *data, int max_len); int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data, int len); int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a, long *num, unsigned char *data, int max_len); STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len, d2i_of_void *d2i, void (*free_func) (OPENSSL_BLOCK)); unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d, unsigned char **buf, int *len); void *ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i); void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it); ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d, ASN1_OCTET_STRING **oct); # define ASN1_pack_string_of(type,obj,i2d,oct) \ (ASN1_pack_string(CHECKED_PTR_OF(type, obj), \ CHECKED_I2D_OF(type, i2d), \ oct)) ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_OCTET_STRING **oct); void ASN1_STRING_set_default_mask(unsigned long mask); int ASN1_STRING_set_default_mask_asc(const char *p); unsigned long ASN1_STRING_get_default_mask(void); int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len, int inform, unsigned long mask); int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, int inform, unsigned long mask, long minsize, long maxsize); ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in, int inlen, int inform, int nid); ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid); int ASN1_STRING_TABLE_add(int, long, long, unsigned long, unsigned long); void ASN1_STRING_TABLE_cleanup(void); /* ASN1 template functions */ /* Old API compatible functions */ ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it); void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it); ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_ITEM *it); int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it); int ASN1_item_ndef_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it); void ASN1_add_oid_module(void); ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf); ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf); /* ASN1 Print flags */ /* Indicate missing OPTIONAL fields */ # define ASN1_PCTX_FLAGS_SHOW_ABSENT 0x001 /* Mark start and end of SEQUENCE */ # define ASN1_PCTX_FLAGS_SHOW_SEQUENCE 0x002 /* Mark start and end of SEQUENCE/SET OF */ # define ASN1_PCTX_FLAGS_SHOW_SSOF 0x004 /* Show the ASN1 type of primitives */ # define ASN1_PCTX_FLAGS_SHOW_TYPE 0x008 /* Don't show ASN1 type of ANY */ # define ASN1_PCTX_FLAGS_NO_ANY_TYPE 0x010 /* Don't show ASN1 type of MSTRINGs */ # define ASN1_PCTX_FLAGS_NO_MSTRING_TYPE 0x020 /* Don't show field names in SEQUENCE */ # define ASN1_PCTX_FLAGS_NO_FIELD_NAME 0x040 /* Show structure names of each SEQUENCE field */ # define ASN1_PCTX_FLAGS_SHOW_FIELD_STRUCT_NAME 0x080 /* Don't show structure name even at top level */ # define ASN1_PCTX_FLAGS_NO_STRUCT_NAME 0x100 int ASN1_item_print(BIO *out, ASN1_VALUE *ifld, int indent, const ASN1_ITEM *it, const ASN1_PCTX *pctx); ASN1_PCTX *ASN1_PCTX_new(void); void ASN1_PCTX_free(ASN1_PCTX *p); unsigned long ASN1_PCTX_get_flags(ASN1_PCTX *p); void ASN1_PCTX_set_flags(ASN1_PCTX *p, unsigned long flags); unsigned long ASN1_PCTX_get_nm_flags(ASN1_PCTX *p); void ASN1_PCTX_set_nm_flags(ASN1_PCTX *p, unsigned long flags); unsigned long ASN1_PCTX_get_cert_flags(ASN1_PCTX *p); void ASN1_PCTX_set_cert_flags(ASN1_PCTX *p, unsigned long flags); unsigned long ASN1_PCTX_get_oid_flags(ASN1_PCTX *p); void ASN1_PCTX_set_oid_flags(ASN1_PCTX *p, unsigned long flags); unsigned long ASN1_PCTX_get_str_flags(ASN1_PCTX *p); void ASN1_PCTX_set_str_flags(ASN1_PCTX *p, unsigned long flags); BIO_METHOD *BIO_f_asn1(void); BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it); int i2d_ASN1_bio_stream(BIO *out, ASN1_VALUE *val, BIO *in, int flags, const ASN1_ITEM *it); int PEM_write_bio_ASN1_stream(BIO *out, ASN1_VALUE *val, BIO *in, int flags, const char *hdr, const ASN1_ITEM *it); int SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags, int ctype_nid, int econt_nid, STACK_OF(X509_ALGOR) *mdalgs, const ASN1_ITEM *it); ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it); int SMIME_crlf_copy(BIO *in, BIO *out, int flags); int SMIME_text(BIO *in, BIO *out); /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ void ERR_load_ASN1_strings(void); /* Error codes for the ASN1 functions. */ /* Function codes. */ # define ASN1_F_A2D_ASN1_OBJECT 100 # define ASN1_F_A2I_ASN1_ENUMERATED 101 # define ASN1_F_A2I_ASN1_INTEGER 102 # define ASN1_F_A2I_ASN1_STRING 103 # define ASN1_F_APPEND_EXP 176 # define ASN1_F_ASN1_BIT_STRING_SET_BIT 183 # define ASN1_F_ASN1_CB 177 # define ASN1_F_ASN1_CHECK_TLEN 104 # define ASN1_F_ASN1_COLLATE_PRIMITIVE 105 # define ASN1_F_ASN1_COLLECT 106 # define ASN1_F_ASN1_D2I_EX_PRIMITIVE 108 # define ASN1_F_ASN1_D2I_FP 109 # define ASN1_F_ASN1_D2I_READ_BIO 107 # define ASN1_F_ASN1_DIGEST 184 # define ASN1_F_ASN1_DO_ADB 110 # define ASN1_F_ASN1_DUP 111 # define ASN1_F_ASN1_ENUMERATED_SET 112 # define ASN1_F_ASN1_ENUMERATED_TO_BN 113 # define ASN1_F_ASN1_EX_C2I 204 # define ASN1_F_ASN1_FIND_END 190 # define ASN1_F_ASN1_GENERALIZEDTIME_ADJ 216 # define ASN1_F_ASN1_GENERALIZEDTIME_SET 185 # define ASN1_F_ASN1_GENERATE_V3 178 # define ASN1_F_ASN1_GET_OBJECT 114 # define ASN1_F_ASN1_HEADER_NEW 115 # define ASN1_F_ASN1_I2D_BIO 116 # define ASN1_F_ASN1_I2D_FP 117 # define ASN1_F_ASN1_INTEGER_SET 118 # define ASN1_F_ASN1_INTEGER_TO_BN 119 # define ASN1_F_ASN1_ITEM_D2I_FP 206 # define ASN1_F_ASN1_ITEM_DUP 191 # define ASN1_F_ASN1_ITEM_EX_COMBINE_NEW 121 # define ASN1_F_ASN1_ITEM_EX_D2I 120 +# define ASN1_F_ASN1_ITEM_EX_I2D 224 # define ASN1_F_ASN1_ITEM_I2D_BIO 192 # define ASN1_F_ASN1_ITEM_I2D_FP 193 # define ASN1_F_ASN1_ITEM_PACK 198 # define ASN1_F_ASN1_ITEM_SIGN 195 # define ASN1_F_ASN1_ITEM_SIGN_CTX 220 # define ASN1_F_ASN1_ITEM_UNPACK 199 # define ASN1_F_ASN1_ITEM_VERIFY 197 # define ASN1_F_ASN1_MBSTRING_NCOPY 122 # define ASN1_F_ASN1_OBJECT_NEW 123 # define ASN1_F_ASN1_OUTPUT_DATA 214 # define ASN1_F_ASN1_PACK_STRING 124 # define ASN1_F_ASN1_PCTX_NEW 205 # define ASN1_F_ASN1_PKCS5_PBE_SET 125 # define ASN1_F_ASN1_SEQ_PACK 126 # define ASN1_F_ASN1_SEQ_UNPACK 127 # define ASN1_F_ASN1_SIGN 128 # define ASN1_F_ASN1_STR2TYPE 179 # define ASN1_F_ASN1_STRING_SET 186 # define ASN1_F_ASN1_STRING_TABLE_ADD 129 # define ASN1_F_ASN1_STRING_TYPE_NEW 130 # define ASN1_F_ASN1_TEMPLATE_EX_D2I 132 # define ASN1_F_ASN1_TEMPLATE_NEW 133 # define ASN1_F_ASN1_TEMPLATE_NOEXP_D2I 131 # define ASN1_F_ASN1_TIME_ADJ 217 # define ASN1_F_ASN1_TIME_SET 175 # define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING 134 # define ASN1_F_ASN1_TYPE_GET_OCTETSTRING 135 # define ASN1_F_ASN1_UNPACK_STRING 136 # define ASN1_F_ASN1_UTCTIME_ADJ 218 # define ASN1_F_ASN1_UTCTIME_SET 187 # define ASN1_F_ASN1_VERIFY 137 # define ASN1_F_B64_READ_ASN1 209 # define ASN1_F_B64_WRITE_ASN1 210 # define ASN1_F_BIO_NEW_NDEF 208 # define ASN1_F_BITSTR_CB 180 # define ASN1_F_BN_TO_ASN1_ENUMERATED 138 # define ASN1_F_BN_TO_ASN1_INTEGER 139 # define ASN1_F_C2I_ASN1_BIT_STRING 189 # define ASN1_F_C2I_ASN1_INTEGER 194 # define ASN1_F_C2I_ASN1_OBJECT 196 # define ASN1_F_COLLECT_DATA 140 # define ASN1_F_D2I_ASN1_BIT_STRING 141 # define ASN1_F_D2I_ASN1_BOOLEAN 142 # define ASN1_F_D2I_ASN1_BYTES 143 # define ASN1_F_D2I_ASN1_GENERALIZEDTIME 144 # define ASN1_F_D2I_ASN1_HEADER 145 # define ASN1_F_D2I_ASN1_INTEGER 146 # define ASN1_F_D2I_ASN1_OBJECT 147 # define ASN1_F_D2I_ASN1_SET 148 # define ASN1_F_D2I_ASN1_TYPE_BYTES 149 # define ASN1_F_D2I_ASN1_UINTEGER 150 # define ASN1_F_D2I_ASN1_UTCTIME 151 # define ASN1_F_D2I_AUTOPRIVATEKEY 207 # define ASN1_F_D2I_NETSCAPE_RSA 152 # define ASN1_F_D2I_NETSCAPE_RSA_2 153 # define ASN1_F_D2I_PRIVATEKEY 154 # define ASN1_F_D2I_PUBLICKEY 155 # define ASN1_F_D2I_RSA_NET 200 # define ASN1_F_D2I_RSA_NET_2 201 # define ASN1_F_D2I_X509 156 # define ASN1_F_D2I_X509_CINF 157 # define ASN1_F_D2I_X509_PKEY 159 # define ASN1_F_DO_BUF 221 # define ASN1_F_I2D_ASN1_BIO_STREAM 211 # define ASN1_F_I2D_ASN1_BOOLEAN 223 # define ASN1_F_I2D_ASN1_OBJECT 222 # define ASN1_F_I2D_ASN1_SET 188 # define ASN1_F_I2D_ASN1_TIME 160 # define ASN1_F_I2D_DSA_PUBKEY 161 # define ASN1_F_I2D_EC_PUBKEY 181 # define ASN1_F_I2D_PRIVATEKEY 163 # define ASN1_F_I2D_PUBLICKEY 164 # define ASN1_F_I2D_RSA_NET 162 # define ASN1_F_I2D_RSA_PUBKEY 165 # define ASN1_F_LONG_C2I 166 # define ASN1_F_OID_MODULE_INIT 174 # define ASN1_F_PARSE_TAGGING 182 # define ASN1_F_PKCS5_PBE2_SET_IV 167 # define ASN1_F_PKCS5_PBE_SET 202 # define ASN1_F_PKCS5_PBE_SET0_ALGOR 215 # define ASN1_F_PKCS5_PBKDF2_SET 219 # define ASN1_F_SMIME_READ_ASN1 212 # define ASN1_F_SMIME_TEXT 213 # define ASN1_F_X509_CINF_NEW 168 # define ASN1_F_X509_CRL_ADD0_REVOKED 169 # define ASN1_F_X509_INFO_NEW 170 # define ASN1_F_X509_NAME_ENCODE 203 # define ASN1_F_X509_NAME_EX_D2I 158 # define ASN1_F_X509_NAME_EX_NEW 171 # define ASN1_F_X509_NEW 172 # define ASN1_F_X509_PKEY_NEW 173 /* Reason codes. */ # define ASN1_R_ADDING_OBJECT 171 # define ASN1_R_ASN1_PARSE_ERROR 203 # define ASN1_R_ASN1_SIG_PARSE_ERROR 204 # define ASN1_R_AUX_ERROR 100 # define ASN1_R_BAD_CLASS 101 # define ASN1_R_BAD_OBJECT_HEADER 102 # define ASN1_R_BAD_PASSWORD_READ 103 # define ASN1_R_BAD_TAG 104 +# define ASN1_R_BAD_TEMPLATE 221 # define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214 # define ASN1_R_BN_LIB 105 # define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 # define ASN1_R_BUFFER_TOO_SMALL 107 # define ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER 108 # define ASN1_R_CONTEXT_NOT_INITIALISED 217 # define ASN1_R_DATA_IS_WRONG 109 # define ASN1_R_DECODE_ERROR 110 # define ASN1_R_DECODING_ERROR 111 # define ASN1_R_DEPTH_EXCEEDED 174 # define ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED 198 # define ASN1_R_ENCODE_ERROR 112 # define ASN1_R_ERROR_GETTING_TIME 173 # define ASN1_R_ERROR_LOADING_SECTION 172 # define ASN1_R_ERROR_PARSING_SET_ELEMENT 113 # define ASN1_R_ERROR_SETTING_CIPHER_PARAMS 114 # define ASN1_R_EXPECTING_AN_INTEGER 115 # define ASN1_R_EXPECTING_AN_OBJECT 116 # define ASN1_R_EXPECTING_A_BOOLEAN 117 # define ASN1_R_EXPECTING_A_TIME 118 # define ASN1_R_EXPLICIT_LENGTH_MISMATCH 119 # define ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED 120 # define ASN1_R_FIELD_MISSING 121 # define ASN1_R_FIRST_NUM_TOO_LARGE 122 # define ASN1_R_HEADER_TOO_LONG 123 # define ASN1_R_ILLEGAL_BITSTRING_FORMAT 175 # define ASN1_R_ILLEGAL_BOOLEAN 176 # define ASN1_R_ILLEGAL_CHARACTERS 124 # define ASN1_R_ILLEGAL_FORMAT 177 # define ASN1_R_ILLEGAL_HEX 178 # define ASN1_R_ILLEGAL_IMPLICIT_TAG 179 # define ASN1_R_ILLEGAL_INTEGER 180 # define ASN1_R_ILLEGAL_NESTED_TAGGING 181 # define ASN1_R_ILLEGAL_NULL 125 # define ASN1_R_ILLEGAL_NULL_VALUE 182 # define ASN1_R_ILLEGAL_OBJECT 183 # define ASN1_R_ILLEGAL_OPTIONAL_ANY 126 # define ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE 170 # define ASN1_R_ILLEGAL_TAGGED_ANY 127 # define ASN1_R_ILLEGAL_TIME_VALUE 184 # define ASN1_R_INTEGER_NOT_ASCII_FORMAT 185 # define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 128 # define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 220 # define ASN1_R_INVALID_BMPSTRING_LENGTH 129 # define ASN1_R_INVALID_DIGIT 130 # define ASN1_R_INVALID_MIME_TYPE 205 # define ASN1_R_INVALID_MODIFIER 186 # define ASN1_R_INVALID_NUMBER 187 # define ASN1_R_INVALID_OBJECT_ENCODING 216 # define ASN1_R_INVALID_SEPARATOR 131 # define ASN1_R_INVALID_TIME_FORMAT 132 # define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH 133 # define ASN1_R_INVALID_UTF8STRING 134 # define ASN1_R_IV_TOO_LARGE 135 # define ASN1_R_LENGTH_ERROR 136 # define ASN1_R_LIST_ERROR 188 # define ASN1_R_MIME_NO_CONTENT_TYPE 206 # define ASN1_R_MIME_PARSE_ERROR 207 # define ASN1_R_MIME_SIG_PARSE_ERROR 208 # define ASN1_R_MISSING_EOC 137 # define ASN1_R_MISSING_SECOND_NUMBER 138 # define ASN1_R_MISSING_VALUE 189 # define ASN1_R_MSTRING_NOT_UNIVERSAL 139 # define ASN1_R_MSTRING_WRONG_TAG 140 # define ASN1_R_NESTED_ASN1_STRING 197 # define ASN1_R_NESTED_TOO_DEEP 219 # define ASN1_R_NON_HEX_CHARACTERS 141 # define ASN1_R_NOT_ASCII_FORMAT 190 # define ASN1_R_NOT_ENOUGH_DATA 142 # define ASN1_R_NO_CONTENT_TYPE 209 # define ASN1_R_NO_DEFAULT_DIGEST 201 # define ASN1_R_NO_MATCHING_CHOICE_TYPE 143 # define ASN1_R_NO_MULTIPART_BODY_FAILURE 210 # define ASN1_R_NO_MULTIPART_BOUNDARY 211 # define ASN1_R_NO_SIG_CONTENT_TYPE 212 # define ASN1_R_NULL_IS_WRONG_LENGTH 144 # define ASN1_R_OBJECT_NOT_ASCII_FORMAT 191 # define ASN1_R_ODD_NUMBER_OF_CHARS 145 # define ASN1_R_PRIVATE_KEY_HEADER_MISSING 146 # define ASN1_R_SECOND_NUMBER_TOO_LARGE 147 # define ASN1_R_SEQUENCE_LENGTH_MISMATCH 148 # define ASN1_R_SEQUENCE_NOT_CONSTRUCTED 149 # define ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG 192 # define ASN1_R_SHORT_LINE 150 # define ASN1_R_SIG_INVALID_MIME_TYPE 213 # define ASN1_R_STREAMING_NOT_SUPPORTED 202 # define ASN1_R_STRING_TOO_LONG 151 # define ASN1_R_STRING_TOO_SHORT 152 # define ASN1_R_TAG_VALUE_TOO_HIGH 153 # define ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 154 # define ASN1_R_TIME_NOT_ASCII_FORMAT 193 # define ASN1_R_TOO_LONG 155 # define ASN1_R_TYPE_NOT_CONSTRUCTED 156 # define ASN1_R_TYPE_NOT_PRIMITIVE 218 # define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 # define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 # define ASN1_R_UNEXPECTED_EOC 159 # define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 215 # define ASN1_R_UNKNOWN_FORMAT 160 # define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 # define ASN1_R_UNKNOWN_OBJECT_TYPE 162 # define ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE 163 # define ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM 199 # define ASN1_R_UNKNOWN_TAG 194 # define ASN1_R_UNKOWN_FORMAT 195 # define ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE 164 # define ASN1_R_UNSUPPORTED_CIPHER 165 # define ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM 166 # define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE 167 # define ASN1_R_UNSUPPORTED_TYPE 196 # define ASN1_R_WRONG_PUBLIC_KEY_TYPE 200 # define ASN1_R_WRONG_TAG 168 # define ASN1_R_WRONG_TYPE 169 # ifdef __cplusplus } # endif #endif Index: releng/11.4/crypto/openssl/crypto/asn1/asn1_err.c =================================================================== --- releng/11.4/crypto/openssl/crypto/asn1/asn1_err.c (revision 368642) +++ releng/11.4/crypto/openssl/crypto/asn1/asn1_err.c (revision 368643) @@ -1,358 +1,360 @@ /* crypto/asn1/asn1_err.c */ /* ==================================================================== - * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2020 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ /* * NOTE: this file was auto generated by the mkerr.pl script: any changes * made to it will be overwritten when the script next updates this file, * only reason strings will be preserved. */ #include #include #include /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR # define ERR_FUNC(func) ERR_PACK(ERR_LIB_ASN1,func,0) # define ERR_REASON(reason) ERR_PACK(ERR_LIB_ASN1,0,reason) static ERR_STRING_DATA ASN1_str_functs[] = { {ERR_FUNC(ASN1_F_A2D_ASN1_OBJECT), "a2d_ASN1_OBJECT"}, {ERR_FUNC(ASN1_F_A2I_ASN1_ENUMERATED), "a2i_ASN1_ENUMERATED"}, {ERR_FUNC(ASN1_F_A2I_ASN1_INTEGER), "a2i_ASN1_INTEGER"}, {ERR_FUNC(ASN1_F_A2I_ASN1_STRING), "a2i_ASN1_STRING"}, {ERR_FUNC(ASN1_F_APPEND_EXP), "APPEND_EXP"}, {ERR_FUNC(ASN1_F_ASN1_BIT_STRING_SET_BIT), "ASN1_BIT_STRING_set_bit"}, {ERR_FUNC(ASN1_F_ASN1_CB), "ASN1_CB"}, {ERR_FUNC(ASN1_F_ASN1_CHECK_TLEN), "ASN1_CHECK_TLEN"}, {ERR_FUNC(ASN1_F_ASN1_COLLATE_PRIMITIVE), "ASN1_COLLATE_PRIMITIVE"}, {ERR_FUNC(ASN1_F_ASN1_COLLECT), "ASN1_COLLECT"}, {ERR_FUNC(ASN1_F_ASN1_D2I_EX_PRIMITIVE), "ASN1_D2I_EX_PRIMITIVE"}, {ERR_FUNC(ASN1_F_ASN1_D2I_FP), "ASN1_d2i_fp"}, {ERR_FUNC(ASN1_F_ASN1_D2I_READ_BIO), "ASN1_D2I_READ_BIO"}, {ERR_FUNC(ASN1_F_ASN1_DIGEST), "ASN1_digest"}, {ERR_FUNC(ASN1_F_ASN1_DO_ADB), "ASN1_DO_ADB"}, {ERR_FUNC(ASN1_F_ASN1_DUP), "ASN1_dup"}, {ERR_FUNC(ASN1_F_ASN1_ENUMERATED_SET), "ASN1_ENUMERATED_set"}, {ERR_FUNC(ASN1_F_ASN1_ENUMERATED_TO_BN), "ASN1_ENUMERATED_to_BN"}, {ERR_FUNC(ASN1_F_ASN1_EX_C2I), "ASN1_EX_C2I"}, {ERR_FUNC(ASN1_F_ASN1_FIND_END), "ASN1_FIND_END"}, {ERR_FUNC(ASN1_F_ASN1_GENERALIZEDTIME_ADJ), "ASN1_GENERALIZEDTIME_adj"}, {ERR_FUNC(ASN1_F_ASN1_GENERALIZEDTIME_SET), "ASN1_GENERALIZEDTIME_set"}, {ERR_FUNC(ASN1_F_ASN1_GENERATE_V3), "ASN1_generate_v3"}, {ERR_FUNC(ASN1_F_ASN1_GET_OBJECT), "ASN1_get_object"}, {ERR_FUNC(ASN1_F_ASN1_HEADER_NEW), "ASN1_HEADER_NEW"}, {ERR_FUNC(ASN1_F_ASN1_I2D_BIO), "ASN1_i2d_bio"}, {ERR_FUNC(ASN1_F_ASN1_I2D_FP), "ASN1_i2d_fp"}, {ERR_FUNC(ASN1_F_ASN1_INTEGER_SET), "ASN1_INTEGER_set"}, {ERR_FUNC(ASN1_F_ASN1_INTEGER_TO_BN), "ASN1_INTEGER_to_BN"}, {ERR_FUNC(ASN1_F_ASN1_ITEM_D2I_FP), "ASN1_item_d2i_fp"}, {ERR_FUNC(ASN1_F_ASN1_ITEM_DUP), "ASN1_item_dup"}, {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW), "ASN1_ITEM_EX_COMBINE_NEW"}, {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I), "ASN1_ITEM_EX_D2I"}, + {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_I2D), "ASN1_item_ex_i2d"}, {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_BIO), "ASN1_item_i2d_bio"}, {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_FP), "ASN1_item_i2d_fp"}, {ERR_FUNC(ASN1_F_ASN1_ITEM_PACK), "ASN1_item_pack"}, {ERR_FUNC(ASN1_F_ASN1_ITEM_SIGN), "ASN1_item_sign"}, {ERR_FUNC(ASN1_F_ASN1_ITEM_SIGN_CTX), "ASN1_item_sign_ctx"}, {ERR_FUNC(ASN1_F_ASN1_ITEM_UNPACK), "ASN1_item_unpack"}, {ERR_FUNC(ASN1_F_ASN1_ITEM_VERIFY), "ASN1_item_verify"}, {ERR_FUNC(ASN1_F_ASN1_MBSTRING_NCOPY), "ASN1_mbstring_ncopy"}, {ERR_FUNC(ASN1_F_ASN1_OBJECT_NEW), "ASN1_OBJECT_new"}, {ERR_FUNC(ASN1_F_ASN1_OUTPUT_DATA), "ASN1_OUTPUT_DATA"}, {ERR_FUNC(ASN1_F_ASN1_PACK_STRING), "ASN1_pack_string"}, {ERR_FUNC(ASN1_F_ASN1_PCTX_NEW), "ASN1_PCTX_new"}, {ERR_FUNC(ASN1_F_ASN1_PKCS5_PBE_SET), "ASN1_PKCS5_PBE_SET"}, {ERR_FUNC(ASN1_F_ASN1_SEQ_PACK), "ASN1_seq_pack"}, {ERR_FUNC(ASN1_F_ASN1_SEQ_UNPACK), "ASN1_seq_unpack"}, {ERR_FUNC(ASN1_F_ASN1_SIGN), "ASN1_sign"}, {ERR_FUNC(ASN1_F_ASN1_STR2TYPE), "ASN1_STR2TYPE"}, {ERR_FUNC(ASN1_F_ASN1_STRING_SET), "ASN1_STRING_set"}, {ERR_FUNC(ASN1_F_ASN1_STRING_TABLE_ADD), "ASN1_STRING_TABLE_add"}, {ERR_FUNC(ASN1_F_ASN1_STRING_TYPE_NEW), "ASN1_STRING_type_new"}, {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_EX_D2I), "ASN1_TEMPLATE_EX_D2I"}, {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NEW), "ASN1_TEMPLATE_NEW"}, {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I), "ASN1_TEMPLATE_NOEXP_D2I"}, {ERR_FUNC(ASN1_F_ASN1_TIME_ADJ), "ASN1_TIME_adj"}, {ERR_FUNC(ASN1_F_ASN1_TIME_SET), "ASN1_TIME_set"}, {ERR_FUNC(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING), "ASN1_TYPE_get_int_octetstring"}, {ERR_FUNC(ASN1_F_ASN1_TYPE_GET_OCTETSTRING), "ASN1_TYPE_get_octetstring"}, {ERR_FUNC(ASN1_F_ASN1_UNPACK_STRING), "ASN1_unpack_string"}, {ERR_FUNC(ASN1_F_ASN1_UTCTIME_ADJ), "ASN1_UTCTIME_adj"}, {ERR_FUNC(ASN1_F_ASN1_UTCTIME_SET), "ASN1_UTCTIME_set"}, {ERR_FUNC(ASN1_F_ASN1_VERIFY), "ASN1_verify"}, {ERR_FUNC(ASN1_F_B64_READ_ASN1), "B64_READ_ASN1"}, {ERR_FUNC(ASN1_F_B64_WRITE_ASN1), "B64_WRITE_ASN1"}, {ERR_FUNC(ASN1_F_BIO_NEW_NDEF), "BIO_new_NDEF"}, {ERR_FUNC(ASN1_F_BITSTR_CB), "BITSTR_CB"}, {ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED), "BN_to_ASN1_ENUMERATED"}, {ERR_FUNC(ASN1_F_BN_TO_ASN1_INTEGER), "BN_to_ASN1_INTEGER"}, {ERR_FUNC(ASN1_F_C2I_ASN1_BIT_STRING), "c2i_ASN1_BIT_STRING"}, {ERR_FUNC(ASN1_F_C2I_ASN1_INTEGER), "c2i_ASN1_INTEGER"}, {ERR_FUNC(ASN1_F_C2I_ASN1_OBJECT), "c2i_ASN1_OBJECT"}, {ERR_FUNC(ASN1_F_COLLECT_DATA), "COLLECT_DATA"}, {ERR_FUNC(ASN1_F_D2I_ASN1_BIT_STRING), "D2I_ASN1_BIT_STRING"}, {ERR_FUNC(ASN1_F_D2I_ASN1_BOOLEAN), "d2i_ASN1_BOOLEAN"}, {ERR_FUNC(ASN1_F_D2I_ASN1_BYTES), "d2i_ASN1_bytes"}, {ERR_FUNC(ASN1_F_D2I_ASN1_GENERALIZEDTIME), "D2I_ASN1_GENERALIZEDTIME"}, {ERR_FUNC(ASN1_F_D2I_ASN1_HEADER), "D2I_ASN1_HEADER"}, {ERR_FUNC(ASN1_F_D2I_ASN1_INTEGER), "D2I_ASN1_INTEGER"}, {ERR_FUNC(ASN1_F_D2I_ASN1_OBJECT), "d2i_ASN1_OBJECT"}, {ERR_FUNC(ASN1_F_D2I_ASN1_SET), "d2i_ASN1_SET"}, {ERR_FUNC(ASN1_F_D2I_ASN1_TYPE_BYTES), "d2i_ASN1_type_bytes"}, {ERR_FUNC(ASN1_F_D2I_ASN1_UINTEGER), "d2i_ASN1_UINTEGER"}, {ERR_FUNC(ASN1_F_D2I_ASN1_UTCTIME), "D2I_ASN1_UTCTIME"}, {ERR_FUNC(ASN1_F_D2I_AUTOPRIVATEKEY), "d2i_AutoPrivateKey"}, {ERR_FUNC(ASN1_F_D2I_NETSCAPE_RSA), "d2i_Netscape_RSA"}, {ERR_FUNC(ASN1_F_D2I_NETSCAPE_RSA_2), "D2I_NETSCAPE_RSA_2"}, {ERR_FUNC(ASN1_F_D2I_PRIVATEKEY), "d2i_PrivateKey"}, {ERR_FUNC(ASN1_F_D2I_PUBLICKEY), "d2i_PublicKey"}, {ERR_FUNC(ASN1_F_D2I_RSA_NET), "d2i_RSA_NET"}, {ERR_FUNC(ASN1_F_D2I_RSA_NET_2), "D2I_RSA_NET_2"}, {ERR_FUNC(ASN1_F_D2I_X509), "D2I_X509"}, {ERR_FUNC(ASN1_F_D2I_X509_CINF), "D2I_X509_CINF"}, {ERR_FUNC(ASN1_F_D2I_X509_PKEY), "d2i_X509_PKEY"}, {ERR_FUNC(ASN1_F_DO_BUF), "DO_BUF"}, {ERR_FUNC(ASN1_F_I2D_ASN1_BIO_STREAM), "i2d_ASN1_bio_stream"}, {ERR_FUNC(ASN1_F_I2D_ASN1_BOOLEAN), "i2d_ASN1_BOOLEAN"}, {ERR_FUNC(ASN1_F_I2D_ASN1_OBJECT), "i2d_ASN1_OBJECT"}, {ERR_FUNC(ASN1_F_I2D_ASN1_SET), "i2d_ASN1_SET"}, {ERR_FUNC(ASN1_F_I2D_ASN1_TIME), "I2D_ASN1_TIME"}, {ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY), "i2d_DSA_PUBKEY"}, {ERR_FUNC(ASN1_F_I2D_EC_PUBKEY), "i2d_EC_PUBKEY"}, {ERR_FUNC(ASN1_F_I2D_PRIVATEKEY), "i2d_PrivateKey"}, {ERR_FUNC(ASN1_F_I2D_PUBLICKEY), "i2d_PublicKey"}, {ERR_FUNC(ASN1_F_I2D_RSA_NET), "i2d_RSA_NET"}, {ERR_FUNC(ASN1_F_I2D_RSA_PUBKEY), "i2d_RSA_PUBKEY"}, {ERR_FUNC(ASN1_F_LONG_C2I), "LONG_C2I"}, {ERR_FUNC(ASN1_F_OID_MODULE_INIT), "OID_MODULE_INIT"}, {ERR_FUNC(ASN1_F_PARSE_TAGGING), "PARSE_TAGGING"}, {ERR_FUNC(ASN1_F_PKCS5_PBE2_SET_IV), "PKCS5_pbe2_set_iv"}, {ERR_FUNC(ASN1_F_PKCS5_PBE_SET), "PKCS5_pbe_set"}, {ERR_FUNC(ASN1_F_PKCS5_PBE_SET0_ALGOR), "PKCS5_pbe_set0_algor"}, {ERR_FUNC(ASN1_F_PKCS5_PBKDF2_SET), "PKCS5_pbkdf2_set"}, {ERR_FUNC(ASN1_F_SMIME_READ_ASN1), "SMIME_read_ASN1"}, {ERR_FUNC(ASN1_F_SMIME_TEXT), "SMIME_text"}, {ERR_FUNC(ASN1_F_X509_CINF_NEW), "X509_CINF_NEW"}, {ERR_FUNC(ASN1_F_X509_CRL_ADD0_REVOKED), "X509_CRL_add0_revoked"}, {ERR_FUNC(ASN1_F_X509_INFO_NEW), "X509_INFO_new"}, {ERR_FUNC(ASN1_F_X509_NAME_ENCODE), "X509_NAME_ENCODE"}, {ERR_FUNC(ASN1_F_X509_NAME_EX_D2I), "X509_NAME_EX_D2I"}, {ERR_FUNC(ASN1_F_X509_NAME_EX_NEW), "X509_NAME_EX_NEW"}, {ERR_FUNC(ASN1_F_X509_NEW), "X509_NEW"}, {ERR_FUNC(ASN1_F_X509_PKEY_NEW), "X509_PKEY_new"}, {0, NULL} }; static ERR_STRING_DATA ASN1_str_reasons[] = { {ERR_REASON(ASN1_R_ADDING_OBJECT), "adding object"}, {ERR_REASON(ASN1_R_ASN1_PARSE_ERROR), "asn1 parse error"}, {ERR_REASON(ASN1_R_ASN1_SIG_PARSE_ERROR), "asn1 sig parse error"}, {ERR_REASON(ASN1_R_AUX_ERROR), "aux error"}, {ERR_REASON(ASN1_R_BAD_CLASS), "bad class"}, {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER), "bad object header"}, {ERR_REASON(ASN1_R_BAD_PASSWORD_READ), "bad password read"}, {ERR_REASON(ASN1_R_BAD_TAG), "bad tag"}, + {ERR_REASON(ASN1_R_BAD_TEMPLATE), "bad template"}, {ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH), "bmpstring is wrong length"}, {ERR_REASON(ASN1_R_BN_LIB), "bn lib"}, {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH), "boolean is wrong length"}, {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL), "buffer too small"}, {ERR_REASON(ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER), "cipher has no object identifier"}, {ERR_REASON(ASN1_R_CONTEXT_NOT_INITIALISED), "context not initialised"}, {ERR_REASON(ASN1_R_DATA_IS_WRONG), "data is wrong"}, {ERR_REASON(ASN1_R_DECODE_ERROR), "decode error"}, {ERR_REASON(ASN1_R_DECODING_ERROR), "decoding error"}, {ERR_REASON(ASN1_R_DEPTH_EXCEEDED), "depth exceeded"}, {ERR_REASON(ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED), "digest and key type not supported"}, {ERR_REASON(ASN1_R_ENCODE_ERROR), "encode error"}, {ERR_REASON(ASN1_R_ERROR_GETTING_TIME), "error getting time"}, {ERR_REASON(ASN1_R_ERROR_LOADING_SECTION), "error loading section"}, {ERR_REASON(ASN1_R_ERROR_PARSING_SET_ELEMENT), "error parsing set element"}, {ERR_REASON(ASN1_R_ERROR_SETTING_CIPHER_PARAMS), "error setting cipher params"}, {ERR_REASON(ASN1_R_EXPECTING_AN_INTEGER), "expecting an integer"}, {ERR_REASON(ASN1_R_EXPECTING_AN_OBJECT), "expecting an object"}, {ERR_REASON(ASN1_R_EXPECTING_A_BOOLEAN), "expecting a boolean"}, {ERR_REASON(ASN1_R_EXPECTING_A_TIME), "expecting a time"}, {ERR_REASON(ASN1_R_EXPLICIT_LENGTH_MISMATCH), "explicit length mismatch"}, {ERR_REASON(ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED), "explicit tag not constructed"}, {ERR_REASON(ASN1_R_FIELD_MISSING), "field missing"}, {ERR_REASON(ASN1_R_FIRST_NUM_TOO_LARGE), "first num too large"}, {ERR_REASON(ASN1_R_HEADER_TOO_LONG), "header too long"}, {ERR_REASON(ASN1_R_ILLEGAL_BITSTRING_FORMAT), "illegal bitstring format"}, {ERR_REASON(ASN1_R_ILLEGAL_BOOLEAN), "illegal boolean"}, {ERR_REASON(ASN1_R_ILLEGAL_CHARACTERS), "illegal characters"}, {ERR_REASON(ASN1_R_ILLEGAL_FORMAT), "illegal format"}, {ERR_REASON(ASN1_R_ILLEGAL_HEX), "illegal hex"}, {ERR_REASON(ASN1_R_ILLEGAL_IMPLICIT_TAG), "illegal implicit tag"}, {ERR_REASON(ASN1_R_ILLEGAL_INTEGER), "illegal integer"}, {ERR_REASON(ASN1_R_ILLEGAL_NESTED_TAGGING), "illegal nested tagging"}, {ERR_REASON(ASN1_R_ILLEGAL_NULL), "illegal null"}, {ERR_REASON(ASN1_R_ILLEGAL_NULL_VALUE), "illegal null value"}, {ERR_REASON(ASN1_R_ILLEGAL_OBJECT), "illegal object"}, {ERR_REASON(ASN1_R_ILLEGAL_OPTIONAL_ANY), "illegal optional any"}, {ERR_REASON(ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE), "illegal options on item template"}, {ERR_REASON(ASN1_R_ILLEGAL_TAGGED_ANY), "illegal tagged any"}, {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE), "illegal time value"}, {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT), "integer not ascii format"}, {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG), "integer too large for long"}, {ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT), "invalid bit string bits left"}, {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH), "invalid bmpstring length"}, {ERR_REASON(ASN1_R_INVALID_DIGIT), "invalid digit"}, {ERR_REASON(ASN1_R_INVALID_MIME_TYPE), "invalid mime type"}, {ERR_REASON(ASN1_R_INVALID_MODIFIER), "invalid modifier"}, {ERR_REASON(ASN1_R_INVALID_NUMBER), "invalid number"}, {ERR_REASON(ASN1_R_INVALID_OBJECT_ENCODING), "invalid object encoding"}, {ERR_REASON(ASN1_R_INVALID_SEPARATOR), "invalid separator"}, {ERR_REASON(ASN1_R_INVALID_TIME_FORMAT), "invalid time format"}, {ERR_REASON(ASN1_R_INVALID_UNIVERSALSTRING_LENGTH), "invalid universalstring length"}, {ERR_REASON(ASN1_R_INVALID_UTF8STRING), "invalid utf8string"}, {ERR_REASON(ASN1_R_IV_TOO_LARGE), "iv too large"}, {ERR_REASON(ASN1_R_LENGTH_ERROR), "length error"}, {ERR_REASON(ASN1_R_LIST_ERROR), "list error"}, {ERR_REASON(ASN1_R_MIME_NO_CONTENT_TYPE), "mime no content type"}, {ERR_REASON(ASN1_R_MIME_PARSE_ERROR), "mime parse error"}, {ERR_REASON(ASN1_R_MIME_SIG_PARSE_ERROR), "mime sig parse error"}, {ERR_REASON(ASN1_R_MISSING_EOC), "missing eoc"}, {ERR_REASON(ASN1_R_MISSING_SECOND_NUMBER), "missing second number"}, {ERR_REASON(ASN1_R_MISSING_VALUE), "missing value"}, {ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL), "mstring not universal"}, {ERR_REASON(ASN1_R_MSTRING_WRONG_TAG), "mstring wrong tag"}, {ERR_REASON(ASN1_R_NESTED_ASN1_STRING), "nested asn1 string"}, {ERR_REASON(ASN1_R_NESTED_TOO_DEEP), "nested too deep"}, {ERR_REASON(ASN1_R_NON_HEX_CHARACTERS), "non hex characters"}, {ERR_REASON(ASN1_R_NOT_ASCII_FORMAT), "not ascii format"}, {ERR_REASON(ASN1_R_NOT_ENOUGH_DATA), "not enough data"}, {ERR_REASON(ASN1_R_NO_CONTENT_TYPE), "no content type"}, {ERR_REASON(ASN1_R_NO_DEFAULT_DIGEST), "no default digest"}, {ERR_REASON(ASN1_R_NO_MATCHING_CHOICE_TYPE), "no matching choice type"}, {ERR_REASON(ASN1_R_NO_MULTIPART_BODY_FAILURE), "no multipart body failure"}, {ERR_REASON(ASN1_R_NO_MULTIPART_BOUNDARY), "no multipart boundary"}, {ERR_REASON(ASN1_R_NO_SIG_CONTENT_TYPE), "no sig content type"}, {ERR_REASON(ASN1_R_NULL_IS_WRONG_LENGTH), "null is wrong length"}, {ERR_REASON(ASN1_R_OBJECT_NOT_ASCII_FORMAT), "object not ascii format"}, {ERR_REASON(ASN1_R_ODD_NUMBER_OF_CHARS), "odd number of chars"}, {ERR_REASON(ASN1_R_PRIVATE_KEY_HEADER_MISSING), "private key header missing"}, {ERR_REASON(ASN1_R_SECOND_NUMBER_TOO_LARGE), "second number too large"}, {ERR_REASON(ASN1_R_SEQUENCE_LENGTH_MISMATCH), "sequence length mismatch"}, {ERR_REASON(ASN1_R_SEQUENCE_NOT_CONSTRUCTED), "sequence not constructed"}, {ERR_REASON(ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG), "sequence or set needs config"}, {ERR_REASON(ASN1_R_SHORT_LINE), "short line"}, {ERR_REASON(ASN1_R_SIG_INVALID_MIME_TYPE), "sig invalid mime type"}, {ERR_REASON(ASN1_R_STREAMING_NOT_SUPPORTED), "streaming not supported"}, {ERR_REASON(ASN1_R_STRING_TOO_LONG), "string too long"}, {ERR_REASON(ASN1_R_STRING_TOO_SHORT), "string too short"}, {ERR_REASON(ASN1_R_TAG_VALUE_TOO_HIGH), "tag value too high"}, {ERR_REASON(ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD), "the asn1 object identifier is not known for this md"}, {ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT), "time not ascii format"}, {ERR_REASON(ASN1_R_TOO_LONG), "too long"}, {ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED), "type not constructed"}, {ERR_REASON(ASN1_R_TYPE_NOT_PRIMITIVE), "type not primitive"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY), "unable to decode rsa key"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY), "unable to decode rsa private key"}, {ERR_REASON(ASN1_R_UNEXPECTED_EOC), "unexpected eoc"}, {ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH), "universalstring is wrong length"}, {ERR_REASON(ASN1_R_UNKNOWN_FORMAT), "unknown format"}, {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM), "unknown message digest algorithm"}, {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE), "unknown object type"}, {ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE), "unknown public key type"}, {ERR_REASON(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM), "unknown signature algorithm"}, {ERR_REASON(ASN1_R_UNKNOWN_TAG), "unknown tag"}, {ERR_REASON(ASN1_R_UNKOWN_FORMAT), "unknown format"}, {ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE), "unsupported any defined by type"}, {ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER), "unsupported cipher"}, {ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM), "unsupported encryption algorithm"}, {ERR_REASON(ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE), "unsupported public key type"}, {ERR_REASON(ASN1_R_UNSUPPORTED_TYPE), "unsupported type"}, {ERR_REASON(ASN1_R_WRONG_PUBLIC_KEY_TYPE), "wrong public key type"}, {ERR_REASON(ASN1_R_WRONG_TAG), "wrong tag"}, {ERR_REASON(ASN1_R_WRONG_TYPE), "wrong type"}, {0, NULL} }; #endif void ERR_load_ASN1_strings(void) { #ifndef OPENSSL_NO_ERR if (ERR_func_error_string(ASN1_str_functs[0].error) == NULL) { ERR_load_strings(0, ASN1_str_functs); ERR_load_strings(0, ASN1_str_reasons); } #endif } Index: releng/11.4/crypto/openssl/crypto/asn1/tasn_dec.c =================================================================== --- releng/11.4/crypto/openssl/crypto/asn1/tasn_dec.c (revision 368642) +++ releng/11.4/crypto/openssl/crypto/asn1/tasn_dec.c (revision 368643) @@ -1,1250 +1,1269 @@ /* tasn_dec.c */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project * 2000. */ /* ==================================================================== * Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include #include #include #include #include /* * Constructed types with a recursive definition (such as can be found in PKCS7) * could eventually exceed the stack given malicious input with excessive * recursion. Therefore we limit the stack depth. This is the maximum number of * recursive invocations of asn1_item_embed_d2i(). */ #define ASN1_MAX_CONSTRUCTED_NEST 30 static int asn1_check_eoc(const unsigned char **in, long len); static int asn1_find_end(const unsigned char **in, long len, char inf); static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, char inf, int tag, int aclass, int depth); static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst, const unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx); static int asn1_template_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx, int depth); static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx, int depth); static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx); /* Table to convert tags to bit values, used for MSTRING type */ static const unsigned long tag2bit[32] = { /* tags 0 - 3 */ 0, 0, 0, B_ASN1_BIT_STRING, /* tags 4- 7 */ B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN, /* tags 8-11 */ B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, /* tags 12-15 */ B_ASN1_UTF8STRING, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, /* tags 16-19 */ B_ASN1_SEQUENCE, 0, B_ASN1_NUMERICSTRING, B_ASN1_PRINTABLESTRING, /* tags 20-22 */ B_ASN1_T61STRING, B_ASN1_VIDEOTEXSTRING, B_ASN1_IA5STRING, /* tags 23-24 */ B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME, /* tags 25-27 */ B_ASN1_GRAPHICSTRING, B_ASN1_ISO64STRING, B_ASN1_GENERALSTRING, /* tags 28-31 */ B_ASN1_UNIVERSALSTRING, B_ASN1_UNKNOWN, B_ASN1_BMPSTRING, B_ASN1_UNKNOWN, }; unsigned long ASN1_tag2bit(int tag) { if ((tag < 0) || (tag > 30)) return 0; return tag2bit[tag]; } /* Macro to initialize and invalidate the cache */ #define asn1_tlc_clear(c) if (c) (c)->valid = 0 /* Version to avoid compiler warning about 'c' always non-NULL */ #define asn1_tlc_clear_nc(c) (c)->valid = 0 /* * Decode an ASN1 item, this currently behaves just like a standard 'd2i' * function. 'in' points to a buffer to read the data from, in future we * will have more advanced versions that can input data a piece at a time and * this will simply be a special case. */ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it) { ASN1_TLC c; ASN1_VALUE *ptmpval = NULL; if (!pval) pval = &ptmpval; asn1_tlc_clear_nc(&c); if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) return *pval; return NULL; } int ASN1_template_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_TEMPLATE *tt) { ASN1_TLC c; asn1_tlc_clear_nc(&c); return asn1_template_ex_d2i(pval, in, len, tt, 0, &c, 0); } /* * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and * tag mismatch return -1 to handle OPTIONAL */ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx, int depth) { const ASN1_TEMPLATE *tt, *errtt = NULL; const ASN1_COMPAT_FUNCS *cf; const ASN1_EXTERN_FUNCS *ef; const ASN1_AUX *aux = it->funcs; ASN1_aux_cb *asn1_cb; const unsigned char *p = NULL, *q; unsigned char *wp = NULL; /* BIG FAT WARNING! BREAKS CONST WHERE USED */ unsigned char imphack = 0, oclass; char seq_eoc, seq_nolen, cst, isopt; long tmplen; int i; int otag; int ret = 0; ASN1_VALUE **pchptr, *ptmpval; int combine = aclass & ASN1_TFLG_COMBINE; aclass &= ~ASN1_TFLG_COMBINE; if (!pval) return 0; if (aux && aux->asn1_cb) asn1_cb = aux->asn1_cb; else asn1_cb = 0; if (++depth > ASN1_MAX_CONSTRUCTED_NEST) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NESTED_TOO_DEEP); goto err; } switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: if (it->templates) { /* * tagging or OPTIONAL is currently illegal on an item template * because the flags can't get passed down. In practice this * isn't a problem: we include the relevant flags from the item * template in the template itself. */ if ((tag != -1) || opt) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); goto err; } return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx, depth); } return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx); break; case ASN1_ITYPE_MSTRING: + /* + * It never makes sense for multi-strings to have implicit tagging, so + * if tag != -1, then this looks like an error in the template. + */ + if (tag != -1) { + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE); + goto err; + } + p = *in; /* Just read in tag and class */ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, &p, len, -1, 0, 1, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* Must be UNIVERSAL class */ if (oclass != V_ASN1_UNIVERSAL) { /* If OPTIONAL, assume this is OK */ if (opt) return -1; ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL); goto err; } + /* Check tag matches bit map */ if (!(ASN1_tag2bit(otag) & it->utype)) { /* If OPTIONAL, assume this is OK */ if (opt) return -1; ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_WRONG_TAG); goto err; } return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx); case ASN1_ITYPE_EXTERN: /* Use new style d2i */ ef = it->funcs; return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx); case ASN1_ITYPE_COMPAT: /* we must resort to old style evil hackery */ cf = it->funcs; /* If OPTIONAL see if it is there */ if (opt) { int exptag; p = *in; if (tag == -1) exptag = it->utype; else exptag = tag; /* * Don't care about anything other than presence of expected tag */ ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL, &p, len, exptag, aclass, 1, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } if (ret == -1) return -1; } /* * This is the old style evil hack IMPLICIT handling: since the * underlying code is expecting a tag and class other than the one * present we change the buffer temporarily then change it back * afterwards. This doesn't and never did work for tags > 30. Yes * this is *horrible* but it is only needed for old style d2i which * will hopefully not be around for much longer. FIXME: should copy * the buffer then modify it so the input buffer can be const: we * should *always* copy because the old style d2i might modify the * buffer. */ if (tag != -1) { wp = *(unsigned char **)in; imphack = *wp; if (p == NULL) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } *wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED) | it->utype); } ptmpval = cf->asn1_d2i(pval, in, len); if (tag != -1) *wp = imphack; if (ptmpval) return 1; ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; case ASN1_ITYPE_CHOICE: + /* + * It never makes sense for CHOICE types to have implicit tagging, so + * if tag != -1, then this looks like an error in the template. + */ + if (tag != -1) { + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_BAD_TEMPLATE); + goto err; + } + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; if (*pval) { /* Free up and zero CHOICE value if initialised */ i = asn1_get_choice_selector(pval, it); if ((i >= 0) && (i < it->tcount)) { tt = it->templates + i; pchptr = asn1_get_field_ptr(pval, tt); ASN1_template_free(pchptr, tt); asn1_set_choice_selector(pval, -1, it); } } else if (!ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* CHOICE type, try each possibility in turn */ p = *in; for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { pchptr = asn1_get_field_ptr(pval, tt); /* * We mark field as OPTIONAL so its absence can be recognised. */ ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth); /* If field not present, try the next one */ if (ret == -1) continue; /* If positive return, read OK, break loop */ if (ret > 0) break; /* Otherwise must be an ASN1 parsing error */ errtt = tt; ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } /* Did we fall off the end without reading anything? */ if (i == it->tcount) { /* If OPTIONAL, this is OK */ if (opt) { /* Free and zero it */ ASN1_item_ex_free(pval, it); return -1; } ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NO_MATCHING_CHOICE_TYPE); goto err; } asn1_set_choice_selector(pval, i, it); if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) goto auxerr; *in = p; return 1; case ASN1_ITYPE_NDEF_SEQUENCE: case ASN1_ITYPE_SEQUENCE: p = *in; tmplen = len; /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ if (tag == -1) { tag = V_ASN1_SEQUENCE; aclass = V_ASN1_UNIVERSAL; } /* Get SEQUENCE length and update len, p */ ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, &p, len, tag, aclass, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } else if (ret == -1) return -1; if (aux && (aux->flags & ASN1_AFLG_BROKEN)) { len = tmplen - (p - *in); seq_nolen = 1; } /* If indefinite we don't do a length check */ else seq_nolen = seq_eoc; if (!cst) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_NOT_CONSTRUCTED); goto err; } if (!*pval && !ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; /* Free up and zero any ADB found */ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { if (tt->flags & ASN1_TFLG_ADB_MASK) { const ASN1_TEMPLATE *seqtt; ASN1_VALUE **pseqval; seqtt = asn1_do_adb(pval, tt, 0); if (seqtt == NULL) continue; pseqval = asn1_get_field_ptr(pval, seqtt); ASN1_template_free(pseqval, seqtt); } } /* Get each field entry */ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { const ASN1_TEMPLATE *seqtt; ASN1_VALUE **pseqval; seqtt = asn1_do_adb(pval, tt, 1); if (seqtt == NULL) goto err; pseqval = asn1_get_field_ptr(pval, seqtt); /* Have we ran out of data? */ if (!len) break; q = p; if (asn1_check_eoc(&p, len)) { if (!seq_eoc) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_UNEXPECTED_EOC); goto err; } len -= p - q; seq_eoc = 0; q = p; break; } /* * This determines the OPTIONAL flag value. The field cannot be * omitted if it is the last of a SEQUENCE and there is still * data to be read. This isn't strictly necessary but it * increases efficiency in some cases. */ if (i == (it->tcount - 1)) isopt = 0; else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); /* * attempt to read in field, allowing each to be OPTIONAL */ ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx, depth); if (!ret) { errtt = seqtt; goto err; } else if (ret == -1) { /* * OPTIONAL component absent. Free and zero the field. */ ASN1_template_free(pseqval, seqtt); continue; } /* Update length */ len -= p - q; } /* Check for EOC if expecting one */ if (seq_eoc && !asn1_check_eoc(&p, len)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MISSING_EOC); goto err; } /* Check all data read */ if (!seq_nolen && len) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_LENGTH_MISMATCH); goto err; } /* * If we get here we've got no more data in the SEQUENCE, however we * may not have read all fields so check all remaining are OPTIONAL * and clear any that are. */ for (; i < it->tcount; tt++, i++) { const ASN1_TEMPLATE *seqtt; seqtt = asn1_do_adb(pval, tt, 1); if (seqtt == NULL) goto err; if (seqtt->flags & ASN1_TFLG_OPTIONAL) { ASN1_VALUE **pseqval; pseqval = asn1_get_field_ptr(pval, seqtt); ASN1_template_free(pseqval, seqtt); } else { errtt = seqtt; ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_FIELD_MISSING); goto err; } } /* Save encoding */ if (!asn1_enc_save(pval, *in, p - *in, it)) goto auxerr; if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) goto auxerr; *in = p; return 1; default: return 0; } auxerr: ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); err: if (combine == 0) ASN1_item_ex_free(pval, it); if (errtt) ERR_add_error_data(4, "Field=", errtt->field_name, ", Type=", it->sname); else ERR_add_error_data(2, "Type=", it->sname); return 0; } int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) { return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0); } /* * Templates are handled with two separate functions. One handles any * EXPLICIT tag and the other handles the rest. */ static int asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long inlen, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx, int depth) { int flags, aclass; int ret; long len; const unsigned char *p, *q; char exp_eoc; if (!val) return 0; flags = tt->flags; aclass = flags & ASN1_TFLG_TAG_CLASS; p = *in; /* Check if EXPLICIT tag expected */ if (flags & ASN1_TFLG_EXPTAG) { char cst; /* * Need to work out amount of data available to the inner content and * where it starts: so read in EXPLICIT header to get the info. */ ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, &p, inlen, tt->tag, aclass, opt, ctx); q = p; if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR); return 0; } else if (ret == -1) return -1; if (!cst) { ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED); return 0; } /* We've found the field so it can't be OPTIONAL now */ ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR); return 0; } /* We read the field in OK so update length */ len -= p - q; if (exp_eoc) { /* If NDEF we must have an EOC here */ if (!asn1_check_eoc(&p, len)) { ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ASN1_R_MISSING_EOC); goto err; } } else { /* * Otherwise we must hit the EXPLICIT tag end or its an error */ if (len) { ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ASN1_R_EXPLICIT_LENGTH_MISMATCH); goto err; } } } else return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth); *in = p; return 1; err: ASN1_template_free(val, tt); return 0; } static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx, int depth) { int flags, aclass; int ret; const unsigned char *p, *q; if (!val) return 0; flags = tt->flags; aclass = flags & ASN1_TFLG_TAG_CLASS; p = *in; q = p; if (flags & ASN1_TFLG_SK_MASK) { /* SET OF, SEQUENCE OF */ int sktag, skaclass; char sk_eoc; /* First work out expected inner tag value */ if (flags & ASN1_TFLG_IMPTAG) { sktag = tt->tag; skaclass = aclass; } else { skaclass = V_ASN1_UNIVERSAL; if (flags & ASN1_TFLG_SET_OF) sktag = V_ASN1_SET; else sktag = V_ASN1_SEQUENCE; } /* Get the tag */ ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, &p, len, sktag, skaclass, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); return 0; } else if (ret == -1) return -1; if (!*val) *val = (ASN1_VALUE *)sk_new_null(); else { /* * We've got a valid STACK: free up any items present */ STACK_OF(ASN1_VALUE) *sktmp = (STACK_OF(ASN1_VALUE) *)*val; ASN1_VALUE *vtmp; while (sk_ASN1_VALUE_num(sktmp) > 0) { vtmp = sk_ASN1_VALUE_pop(sktmp); ASN1_item_ex_free(&vtmp, ASN1_ITEM_ptr(tt->item)); } } if (!*val) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_MALLOC_FAILURE); goto err; } /* Read as many items as we can */ while (len > 0) { ASN1_VALUE *skfield; q = p; /* See if EOC found */ if (asn1_check_eoc(&p, len)) { if (!sk_eoc) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_UNEXPECTED_EOC); goto err; } len -= p - q; sk_eoc = 0; break; } skfield = NULL; if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx, depth)) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } len -= p - q; if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) { ASN1_item_ex_free(&skfield, ASN1_ITEM_ptr(tt->item)); ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_MALLOC_FAILURE); goto err; } } if (sk_eoc) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_MISSING_EOC); goto err; } } else if (flags & ASN1_TFLG_IMPTAG) { /* IMPLICIT tagging */ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx, depth); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } else if (ret == -1) return -1; } else { /* Nothing special */ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx, depth); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; } else if (ret == -1) return -1; } *in = p; return 1; err: ASN1_template_free(val, tt); return 0; } static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, long inlen, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) { int ret = 0, utype; long plen; char cst, inf, free_cont = 0; const unsigned char *p; BUF_MEM buf = { 0, NULL, 0 }; const unsigned char *cont = NULL; long len; if (!pval) { ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL); return 0; /* Should never happen */ } if (it->itype == ASN1_ITYPE_MSTRING) { utype = tag; tag = -1; } else utype = it->utype; if (utype == V_ASN1_ANY) { /* If type is ANY need to figure out type from tag */ unsigned char oclass; if (tag >= 0) { ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_TAGGED_ANY); return 0; } if (opt) { ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_OPTIONAL_ANY); return 0; } p = *in; ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL, &p, inlen, -1, 0, 0, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR); return 0; } if (oclass != V_ASN1_UNIVERSAL) utype = V_ASN1_OTHER; } if (tag == -1) { tag = utype; aclass = V_ASN1_UNIVERSAL; } p = *in; /* Check header */ ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, &p, inlen, tag, aclass, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR); return 0; } else if (ret == -1) return -1; ret = 0; /* SEQUENCE, SET and "OTHER" are left in encoded form */ if ((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) { /* * Clear context cache for type OTHER because the auto clear when we * have a exact match wont work */ if (utype == V_ASN1_OTHER) { asn1_tlc_clear(ctx); } /* SEQUENCE and SET must be constructed */ else if (!cst) { ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_TYPE_NOT_CONSTRUCTED); return 0; } cont = *in; /* If indefinite length constructed find the real end */ if (inf) { if (!asn1_find_end(&p, plen, inf)) goto err; len = p - cont; } else { len = p - cont + plen; p += plen; } } else if (cst) { if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN || utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER || utype == V_ASN1_ENUMERATED) { ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_TYPE_NOT_PRIMITIVE); return 0; } /* Free any returned 'buf' content */ free_cont = 1; /* * Should really check the internal tags are correct but some things * may get this wrong. The relevant specs say that constructed string * types should be OCTET STRINGs internally irrespective of the type. * So instead just check for UNIVERSAL class and ignore the tag. */ if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) { goto err; } len = buf.length; /* Append a final null to string */ if (!BUF_MEM_grow_clean(&buf, len + 1)) { ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE); goto err; } buf.data[len] = 0; cont = (const unsigned char *)buf.data; } else { cont = p; len = plen; p += plen; } /* We now have content length and type: translate into a structure */ /* asn1_ex_c2i may reuse allocated buffer, and so sets free_cont to 0 */ if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it)) goto err; *in = p; ret = 1; err: if (free_cont && buf.data) OPENSSL_free(buf.data); return ret; } /* Translate ASN1 content octets into a structure */ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) { ASN1_VALUE **opval = NULL; ASN1_STRING *stmp; ASN1_TYPE *typ = NULL; int ret = 0; const ASN1_PRIMITIVE_FUNCS *pf; ASN1_INTEGER **tint; pf = it->funcs; if (pf && pf->prim_c2i) return pf->prim_c2i(pval, cont, len, utype, free_cont, it); /* If ANY type clear type and set pointer to internal value */ if (it->utype == V_ASN1_ANY) { if (!*pval) { typ = ASN1_TYPE_new(); if (typ == NULL) goto err; *pval = (ASN1_VALUE *)typ; } else typ = (ASN1_TYPE *)*pval; if (utype != typ->type) ASN1_TYPE_set(typ, utype, NULL); opval = pval; pval = &typ->value.asn1_value; } switch (utype) { case V_ASN1_OBJECT: if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) goto err; break; case V_ASN1_NULL: if (len) { ASN1err(ASN1_F_ASN1_EX_C2I, ASN1_R_NULL_IS_WRONG_LENGTH); goto err; } *pval = (ASN1_VALUE *)1; break; case V_ASN1_BOOLEAN: if (len != 1) { ASN1err(ASN1_F_ASN1_EX_C2I, ASN1_R_BOOLEAN_IS_WRONG_LENGTH); goto err; } else { ASN1_BOOLEAN *tbool; tbool = (ASN1_BOOLEAN *)pval; *tbool = *cont; } break; case V_ASN1_BIT_STRING: if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len)) goto err; break; case V_ASN1_INTEGER: case V_ASN1_ENUMERATED: tint = (ASN1_INTEGER **)pval; if (!c2i_ASN1_INTEGER(tint, &cont, len)) goto err; /* Fixup type to match the expected form */ (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG); break; case V_ASN1_OCTET_STRING: case V_ASN1_NUMERICSTRING: case V_ASN1_PRINTABLESTRING: case V_ASN1_T61STRING: case V_ASN1_VIDEOTEXSTRING: case V_ASN1_IA5STRING: case V_ASN1_UTCTIME: case V_ASN1_GENERALIZEDTIME: case V_ASN1_GRAPHICSTRING: case V_ASN1_VISIBLESTRING: case V_ASN1_GENERALSTRING: case V_ASN1_UNIVERSALSTRING: case V_ASN1_BMPSTRING: case V_ASN1_UTF8STRING: case V_ASN1_OTHER: case V_ASN1_SET: case V_ASN1_SEQUENCE: default: if (utype == V_ASN1_BMPSTRING && (len & 1)) { ASN1err(ASN1_F_ASN1_EX_C2I, ASN1_R_BMPSTRING_IS_WRONG_LENGTH); goto err; } if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) { ASN1err(ASN1_F_ASN1_EX_C2I, ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); goto err; } /* All based on ASN1_STRING and handled the same */ if (!*pval) { stmp = ASN1_STRING_type_new(utype); if (!stmp) { ASN1err(ASN1_F_ASN1_EX_C2I, ERR_R_MALLOC_FAILURE); goto err; } *pval = (ASN1_VALUE *)stmp; } else { stmp = (ASN1_STRING *)*pval; stmp->type = utype; } /* If we've already allocated a buffer use it */ if (*free_cont) { if (stmp->data) OPENSSL_free(stmp->data); stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ stmp->length = len; *free_cont = 0; } else { if (!ASN1_STRING_set(stmp, cont, len)) { ASN1err(ASN1_F_ASN1_EX_C2I, ERR_R_MALLOC_FAILURE); ASN1_STRING_free(stmp); *pval = NULL; goto err; } } break; } /* If ASN1_ANY and NULL type fix up value */ if (typ && (utype == V_ASN1_NULL)) typ->value.ptr = NULL; ret = 1; err: if (!ret) { ASN1_TYPE_free(typ); if (opval) *opval = NULL; } return ret; } /* * This function finds the end of an ASN1 structure when passed its maximum * length, whether it is indefinite length and a pointer to the content. This * is more efficient than calling asn1_collect because it does not recurse on * each indefinite length header. */ static int asn1_find_end(const unsigned char **in, long len, char inf) { int expected_eoc; long plen; const unsigned char *p = *in, *q; /* If not indefinite length constructed just add length */ if (inf == 0) { *in += len; return 1; } expected_eoc = 1; /* * Indefinite length constructed form. Find the end when enough EOCs are * found. If more indefinite length constructed headers are encountered * increment the expected eoc count otherwise just skip to the end of the * data. */ while (len > 0) { if (asn1_check_eoc(&p, len)) { expected_eoc--; if (expected_eoc == 0) break; len -= 2; continue; } q = p; /* Just read in a header: only care about the length */ if (!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len, -1, 0, 0, NULL)) { ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR); return 0; } if (inf) expected_eoc++; else p += plen; len -= p - q; } if (expected_eoc) { ASN1err(ASN1_F_ASN1_FIND_END, ASN1_R_MISSING_EOC); return 0; } *in = p; return 1; } /* * This function collects the asn1 data from a constructred string type into * a buffer. The values of 'in' and 'len' should refer to the contents of the * constructed type and 'inf' should be set if it is indefinite length. */ #ifndef ASN1_MAX_STRING_NEST /* * This determines how many levels of recursion are permitted in ASN1 string * types. If it is not limited stack overflows can occur. If set to zero no * recursion is allowed at all. Although zero should be adequate examples * exist that require a value of 1. So 5 should be more than enough. */ # define ASN1_MAX_STRING_NEST 5 #endif static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, char inf, int tag, int aclass, int depth) { const unsigned char *p, *q; long plen; char cst, ininf; p = *in; inf &= 1; /* * If no buffer and not indefinite length constructed just pass over the * encoded data */ if (!buf && !inf) { *in += len; return 1; } while (len > 0) { q = p; /* Check for EOC */ if (asn1_check_eoc(&p, len)) { /* * EOC is illegal outside indefinite length constructed form */ if (!inf) { ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_UNEXPECTED_EOC); return 0; } inf = 0; break; } if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, len, tag, aclass, 0, NULL)) { ASN1err(ASN1_F_ASN1_COLLECT, ERR_R_NESTED_ASN1_ERROR); return 0; } /* If indefinite length constructed update max length */ if (cst) { if (depth >= ASN1_MAX_STRING_NEST) { ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING); return 0; } if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, depth + 1)) return 0; } else if (plen && !collect_data(buf, &p, plen)) return 0; len -= p - q; } if (inf) { ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_MISSING_EOC); return 0; } *in = p; return 1; } static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen) { int len; if (buf) { len = buf->length; if (!BUF_MEM_grow_clean(buf, len + plen)) { ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE); return 0; } memcpy(buf->data + len, *p, plen); } *p += plen; return 1; } /* Check for ASN1 EOC and swallow it if found */ static int asn1_check_eoc(const unsigned char **in, long len) { const unsigned char *p; if (len < 2) return 0; p = *in; if (!p[0] && !p[1]) { *in += 2; return 1; } return 0; } /* * Check an ASN1 tag and length: a bit like ASN1_get_object but it sets the * length for indefinite length constructed form, we don't know the exact * length but we can set an upper bound to the amount of data available minus * the header length just read. */ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst, const unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx) { int i; int ptag, pclass; long plen; const unsigned char *p, *q; p = *in; q = p; if (ctx && ctx->valid) { i = ctx->ret; plen = ctx->plen; pclass = ctx->pclass; ptag = ctx->ptag; p += ctx->hdrlen; } else { i = ASN1_get_object(&p, &plen, &ptag, &pclass, len); if (ctx) { ctx->ret = i; ctx->plen = plen; ctx->pclass = pclass; ctx->ptag = ptag; ctx->hdrlen = p - q; ctx->valid = 1; /* * If definite length, and no error, length + header can't exceed * total amount of data available. */ if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) { ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_TOO_LONG); asn1_tlc_clear(ctx); return 0; } } } if (i & 0x80) { ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_BAD_OBJECT_HEADER); asn1_tlc_clear(ctx); return 0; } if (exptag >= 0) { if ((exptag != ptag) || (expclass != pclass)) { /* * If type is OPTIONAL, not an error: indicate missing type. */ if (opt) return -1; asn1_tlc_clear(ctx); ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG); return 0; } /* * We have a tag and class match: assume we are going to do something * with it */ asn1_tlc_clear(ctx); } if (i & 1) plen = len - (p - q); if (inf) *inf = i & 1; if (cst) *cst = i & V_ASN1_CONSTRUCTED; if (olen) *olen = plen; if (oclass) *oclass = pclass; if (otag) *otag = ptag; *in = p; return 1; } Index: releng/11.4/crypto/openssl/crypto/asn1/tasn_enc.c =================================================================== --- releng/11.4/crypto/openssl/crypto/asn1/tasn_enc.c (revision 368642) +++ releng/11.4/crypto/openssl/crypto/asn1/tasn_enc.c (revision 368643) @@ -1,669 +1,685 @@ /* tasn_enc.c */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project * 2000. */ /* ==================================================================== * Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include #include #include "cryptlib.h" #include #include #include static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass); static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, int skcontlen, const ASN1_ITEM *item, int do_sort, int iclass); static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt, int tag, int aclass); static int asn1_item_flags_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it, int flags); /* * Top level i2d equivalents: the 'ndef' variant instructs the encoder to use * indefinite length constructed encoding, where appropriate */ int ASN1_item_ndef_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it) { return asn1_item_flags_i2d(val, out, it, ASN1_TFLG_NDEF); } int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it) { return asn1_item_flags_i2d(val, out, it, 0); } /* * Encode an ASN1 item, this is use by the standard 'i2d' function. 'out' * points to a buffer to output the data to. The new i2d has one additional * feature. If the output buffer is NULL (i.e. *out == NULL) then a buffer is * allocated and populated with the encoding. */ static int asn1_item_flags_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it, int flags) { if (out && !*out) { unsigned char *p, *buf; int len; len = ASN1_item_ex_i2d(&val, NULL, it, -1, flags); if (len <= 0) return len; buf = OPENSSL_malloc(len); if (!buf) return -1; p = buf; ASN1_item_ex_i2d(&val, &p, it, -1, flags); *out = buf; return len; } return ASN1_item_ex_i2d(&val, out, it, -1, flags); } /* * Encode an item, taking care of IMPLICIT tagging (if any). This function * performs the normal item handling: it can be used in external types. */ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass) { const ASN1_TEMPLATE *tt = NULL; unsigned char *p = NULL; int i, seqcontlen, seqlen, ndef = 1; const ASN1_COMPAT_FUNCS *cf; const ASN1_EXTERN_FUNCS *ef; const ASN1_AUX *aux = it->funcs; ASN1_aux_cb *asn1_cb = 0; if ((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) return 0; if (aux && aux->asn1_cb) asn1_cb = aux->asn1_cb; switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: if (it->templates) return asn1_template_ex_i2d(pval, out, it->templates, tag, aclass); return asn1_i2d_ex_primitive(pval, out, it, tag, aclass); break; case ASN1_ITYPE_MSTRING: + /* + * It never makes sense for multi-strings to have implicit tagging, so + * if tag != -1, then this looks like an error in the template. + */ + if (tag != -1) { + ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE); + return -1; + } return asn1_i2d_ex_primitive(pval, out, it, -1, aclass); case ASN1_ITYPE_CHOICE: + /* + * It never makes sense for CHOICE types to have implicit tagging, so + * if tag != -1, then this looks like an error in the template. + */ + if (tag != -1) { + ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE); + return -1; + } if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL)) return 0; i = asn1_get_choice_selector(pval, it); if ((i >= 0) && (i < it->tcount)) { ASN1_VALUE **pchval; const ASN1_TEMPLATE *chtt; chtt = it->templates + i; pchval = asn1_get_field_ptr(pval, chtt); return asn1_template_ex_i2d(pchval, out, chtt, -1, aclass); } /* Fixme: error condition if selector out of range */ if (asn1_cb && !asn1_cb(ASN1_OP_I2D_POST, pval, it, NULL)) return 0; break; case ASN1_ITYPE_EXTERN: /* If new style i2d it does all the work */ ef = it->funcs; return ef->asn1_ex_i2d(pval, out, it, tag, aclass); case ASN1_ITYPE_COMPAT: /* old style hackery... */ cf = it->funcs; if (out) p = *out; i = cf->asn1_i2d(*pval, out); /* * Fixup for IMPLICIT tag: note this messes up for tags > 30, but so * did the old code. Tags > 30 are very rare anyway. */ if (out && (tag != -1)) *p = aclass | tag | (*p & V_ASN1_CONSTRUCTED); return i; case ASN1_ITYPE_NDEF_SEQUENCE: /* Use indefinite length constructed if requested */ if (aclass & ASN1_TFLG_NDEF) ndef = 2; /* fall through */ case ASN1_ITYPE_SEQUENCE: i = asn1_enc_restore(&seqcontlen, out, pval, it); /* An error occurred */ if (i < 0) return 0; /* We have a valid cached encoding... */ if (i > 0) return seqcontlen; /* Otherwise carry on */ seqcontlen = 0; /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ if (tag == -1) { tag = V_ASN1_SEQUENCE; /* Retain any other flags in aclass */ aclass = (aclass & ~ASN1_TFLG_TAG_CLASS) | V_ASN1_UNIVERSAL; } if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL)) return 0; /* First work out sequence content length */ for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) { const ASN1_TEMPLATE *seqtt; ASN1_VALUE **pseqval; int tmplen; seqtt = asn1_do_adb(pval, tt, 1); if (!seqtt) return 0; pseqval = asn1_get_field_ptr(pval, seqtt); tmplen = asn1_template_ex_i2d(pseqval, NULL, seqtt, -1, aclass); if (tmplen == -1 || (tmplen > INT_MAX - seqcontlen)) return -1; seqcontlen += tmplen; } seqlen = ASN1_object_size(ndef, seqcontlen, tag); if (!out || seqlen == -1) return seqlen; /* Output SEQUENCE header */ ASN1_put_object(out, ndef, seqcontlen, tag, aclass); for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) { const ASN1_TEMPLATE *seqtt; ASN1_VALUE **pseqval; seqtt = asn1_do_adb(pval, tt, 1); if (!seqtt) return 0; pseqval = asn1_get_field_ptr(pval, seqtt); /* FIXME: check for errors in enhanced version */ asn1_template_ex_i2d(pseqval, out, seqtt, -1, aclass); } if (ndef == 2) ASN1_put_eoc(out); if (asn1_cb && !asn1_cb(ASN1_OP_I2D_POST, pval, it, NULL)) return 0; return seqlen; default: return 0; } return 0; } int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt) { return asn1_template_ex_i2d(pval, out, tt, -1, 0); } static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt, int tag, int iclass) { int i, ret, flags, ttag, tclass, ndef; flags = tt->flags; /* * Work out tag and class to use: tagging may come either from the * template or the arguments, not both because this would create * ambiguity. Additionally the iclass argument may contain some * additional flags which should be noted and passed down to other * levels. */ if (flags & ASN1_TFLG_TAG_MASK) { /* Error if argument and template tagging */ if (tag != -1) /* FIXME: error code here */ return -1; /* Get tagging from template */ ttag = tt->tag; tclass = flags & ASN1_TFLG_TAG_CLASS; } else if (tag != -1) { /* No template tagging, get from arguments */ ttag = tag; tclass = iclass & ASN1_TFLG_TAG_CLASS; } else { ttag = -1; tclass = 0; } /* * Remove any class mask from iflag. */ iclass &= ~ASN1_TFLG_TAG_CLASS; /* * At this point 'ttag' contains the outer tag to use, 'tclass' is the * class and iclass is any flags passed to this function. */ /* if template and arguments require ndef, use it */ if ((flags & ASN1_TFLG_NDEF) && (iclass & ASN1_TFLG_NDEF)) ndef = 2; else ndef = 1; if (flags & ASN1_TFLG_SK_MASK) { /* SET OF, SEQUENCE OF */ STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval; int isset, sktag, skaclass; int skcontlen, sklen; ASN1_VALUE *skitem; if (!*pval) return 0; if (flags & ASN1_TFLG_SET_OF) { isset = 1; /* 2 means we reorder */ if (flags & ASN1_TFLG_SEQUENCE_OF) isset = 2; } else isset = 0; /* * Work out inner tag value: if EXPLICIT or no tagging use underlying * type. */ if ((ttag != -1) && !(flags & ASN1_TFLG_EXPTAG)) { sktag = ttag; skaclass = tclass; } else { skaclass = V_ASN1_UNIVERSAL; if (isset) sktag = V_ASN1_SET; else sktag = V_ASN1_SEQUENCE; } /* Determine total length of items */ skcontlen = 0; for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) { int tmplen; skitem = sk_ASN1_VALUE_value(sk, i); tmplen = ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), -1, iclass); if (tmplen == -1 || (skcontlen > INT_MAX - tmplen)) return -1; skcontlen += tmplen; } sklen = ASN1_object_size(ndef, skcontlen, sktag); if (sklen == -1) return -1; /* If EXPLICIT need length of surrounding tag */ if (flags & ASN1_TFLG_EXPTAG) ret = ASN1_object_size(ndef, sklen, ttag); else ret = sklen; if (!out || ret == -1) return ret; /* Now encode this lot... */ /* EXPLICIT tag */ if (flags & ASN1_TFLG_EXPTAG) ASN1_put_object(out, ndef, sklen, ttag, tclass); /* SET or SEQUENCE and IMPLICIT tag */ ASN1_put_object(out, ndef, skcontlen, sktag, skaclass); /* And the stuff itself */ asn1_set_seq_out(sk, out, skcontlen, ASN1_ITEM_ptr(tt->item), isset, iclass); if (ndef == 2) { ASN1_put_eoc(out); if (flags & ASN1_TFLG_EXPTAG) ASN1_put_eoc(out); } return ret; } if (flags & ASN1_TFLG_EXPTAG) { /* EXPLICIT tagging */ /* Find length of tagged item */ i = ASN1_item_ex_i2d(pval, NULL, ASN1_ITEM_ptr(tt->item), -1, iclass); if (!i) return 0; /* Find length of EXPLICIT tag */ ret = ASN1_object_size(ndef, i, ttag); if (out && ret != -1) { /* Output tag and item */ ASN1_put_object(out, ndef, i, ttag, tclass); ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, iclass); if (ndef == 2) ASN1_put_eoc(out); } return ret; } /* Either normal or IMPLICIT tagging: combine class and flags */ return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), ttag, tclass | iclass); } /* Temporary structure used to hold DER encoding of items for SET OF */ typedef struct { unsigned char *data; int length; ASN1_VALUE *field; } DER_ENC; static int der_cmp(const void *a, const void *b) { const DER_ENC *d1 = a, *d2 = b; int cmplen, i; cmplen = (d1->length < d2->length) ? d1->length : d2->length; i = memcmp(d1->data, d2->data, cmplen); if (i) return i; return d1->length - d2->length; } /* Output the content octets of SET OF or SEQUENCE OF */ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, int skcontlen, const ASN1_ITEM *item, int do_sort, int iclass) { int i; ASN1_VALUE *skitem; unsigned char *tmpdat = NULL, *p = NULL; DER_ENC *derlst = NULL, *tder; if (do_sort) { /* Don't need to sort less than 2 items */ if (sk_ASN1_VALUE_num(sk) < 2) do_sort = 0; else { derlst = OPENSSL_malloc(sk_ASN1_VALUE_num(sk) * sizeof(*derlst)); if (!derlst) return 0; tmpdat = OPENSSL_malloc(skcontlen); if (!tmpdat) { OPENSSL_free(derlst); return 0; } } } /* If not sorting just output each item */ if (!do_sort) { for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) { skitem = sk_ASN1_VALUE_value(sk, i); ASN1_item_ex_i2d(&skitem, out, item, -1, iclass); } return 1; } p = tmpdat; /* Doing sort: build up a list of each member's DER encoding */ for (i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) { skitem = sk_ASN1_VALUE_value(sk, i); tder->data = p; tder->length = ASN1_item_ex_i2d(&skitem, &p, item, -1, iclass); tder->field = skitem; } /* Now sort them */ qsort(derlst, sk_ASN1_VALUE_num(sk), sizeof(*derlst), der_cmp); /* Output sorted DER encoding */ p = *out; for (i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) { memcpy(p, tder->data, tder->length); p += tder->length; } *out = p; /* If do_sort is 2 then reorder the STACK */ if (do_sort == 2) { for (i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) (void)sk_ASN1_VALUE_set(sk, i, tder->field); } OPENSSL_free(derlst); OPENSSL_free(tmpdat); return 1; } static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass) { int len; int utype; int usetag; int ndef = 0; utype = it->utype; /* * Get length of content octets and maybe find out the underlying type. */ len = asn1_ex_i2c(pval, NULL, &utype, it); /* * If SEQUENCE, SET or OTHER then header is included in pseudo content * octets so don't include tag+length. We need to check here because the * call to asn1_ex_i2c() could change utype. */ if ((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) usetag = 0; else usetag = 1; /* -1 means omit type */ if (len == -1) return 0; /* -2 return is special meaning use ndef */ if (len == -2) { ndef = 2; len = 0; } /* If not implicitly tagged get tag from underlying type */ if (tag == -1) tag = utype; /* Output tag+length followed by content octets */ if (out) { if (usetag) ASN1_put_object(out, ndef, len, tag, aclass); asn1_ex_i2c(pval, *out, &utype, it); if (ndef) ASN1_put_eoc(out); else *out += len; } if (usetag) return ASN1_object_size(ndef, len, tag); return len; } /* Produce content octets from a structure */ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_ITEM *it) { ASN1_BOOLEAN *tbool = NULL; ASN1_STRING *strtmp; ASN1_OBJECT *otmp; int utype; const unsigned char *cont; unsigned char c; int len; const ASN1_PRIMITIVE_FUNCS *pf; pf = it->funcs; if (pf && pf->prim_i2c) return pf->prim_i2c(pval, cout, putype, it); /* Should type be omitted? */ if ((it->itype != ASN1_ITYPE_PRIMITIVE) || (it->utype != V_ASN1_BOOLEAN)) { if (!*pval) return -1; } if (it->itype == ASN1_ITYPE_MSTRING) { /* If MSTRING type set the underlying type */ strtmp = (ASN1_STRING *)*pval; utype = strtmp->type; *putype = utype; } else if (it->utype == V_ASN1_ANY) { /* If ANY set type and pointer to value */ ASN1_TYPE *typ; typ = (ASN1_TYPE *)*pval; utype = typ->type; *putype = utype; pval = &typ->value.asn1_value; } else utype = *putype; switch (utype) { case V_ASN1_OBJECT: otmp = (ASN1_OBJECT *)*pval; cont = otmp->data; len = otmp->length; if (cont == NULL || len == 0) return -1; break; case V_ASN1_NULL: cont = NULL; len = 0; break; case V_ASN1_BOOLEAN: tbool = (ASN1_BOOLEAN *)pval; if (*tbool == -1) return -1; if (it->utype != V_ASN1_ANY) { /* * Default handling if value == size field then omit */ if (*tbool && (it->size > 0)) return -1; if (!*tbool && !it->size) return -1; } c = (unsigned char)*tbool; cont = &c; len = 1; break; case V_ASN1_BIT_STRING: return i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval, cout ? &cout : NULL); break; case V_ASN1_INTEGER: case V_ASN1_ENUMERATED: /* * These are all have the same content format as ASN1_INTEGER */ return i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL); break; case V_ASN1_OCTET_STRING: case V_ASN1_NUMERICSTRING: case V_ASN1_PRINTABLESTRING: case V_ASN1_T61STRING: case V_ASN1_VIDEOTEXSTRING: case V_ASN1_IA5STRING: case V_ASN1_UTCTIME: case V_ASN1_GENERALIZEDTIME: case V_ASN1_GRAPHICSTRING: case V_ASN1_VISIBLESTRING: case V_ASN1_GENERALSTRING: case V_ASN1_UNIVERSALSTRING: case V_ASN1_BMPSTRING: case V_ASN1_UTF8STRING: case V_ASN1_SEQUENCE: case V_ASN1_SET: default: /* All based on ASN1_STRING and handled the same */ strtmp = (ASN1_STRING *)*pval; /* Special handling for NDEF */ if ((it->size == ASN1_TFLG_NDEF) && (strtmp->flags & ASN1_STRING_FLAG_NDEF)) { if (cout) { strtmp->data = cout; strtmp->length = 0; } /* Special return code */ return -2; } cont = strtmp->data; len = strtmp->length; break; } if (cout && len) memcpy(cout, cont, len); return len; } Index: releng/11.4/crypto/openssl/crypto/x509v3/v3_genn.c =================================================================== --- releng/11.4/crypto/openssl/crypto/x509v3/v3_genn.c (revision 368642) +++ releng/11.4/crypto/openssl/crypto/x509v3/v3_genn.c (revision 368643) @@ -1,251 +1,291 @@ /* v3_genn.c */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project * 1999. */ /* ==================================================================== * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include #include "cryptlib.h" #include #include #include ASN1_SEQUENCE(OTHERNAME) = { ASN1_SIMPLE(OTHERNAME, type_id, ASN1_OBJECT), /* Maybe have a true ANY DEFINED BY later */ ASN1_EXP(OTHERNAME, value, ASN1_ANY, 0) } ASN1_SEQUENCE_END(OTHERNAME) IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME) ASN1_SEQUENCE(EDIPARTYNAME) = { - ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0), - ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1) + /* DirectoryString is a CHOICE type so use explicit tagging */ + ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0), + ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1) } ASN1_SEQUENCE_END(EDIPARTYNAME) IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME) ASN1_CHOICE(GENERAL_NAME) = { ASN1_IMP(GENERAL_NAME, d.otherName, OTHERNAME, GEN_OTHERNAME), ASN1_IMP(GENERAL_NAME, d.rfc822Name, ASN1_IA5STRING, GEN_EMAIL), ASN1_IMP(GENERAL_NAME, d.dNSName, ASN1_IA5STRING, GEN_DNS), /* Don't decode this */ ASN1_IMP(GENERAL_NAME, d.x400Address, ASN1_SEQUENCE, GEN_X400), /* X509_NAME is a CHOICE type so use EXPLICIT */ ASN1_EXP(GENERAL_NAME, d.directoryName, X509_NAME, GEN_DIRNAME), ASN1_IMP(GENERAL_NAME, d.ediPartyName, EDIPARTYNAME, GEN_EDIPARTY), ASN1_IMP(GENERAL_NAME, d.uniformResourceIdentifier, ASN1_IA5STRING, GEN_URI), ASN1_IMP(GENERAL_NAME, d.iPAddress, ASN1_OCTET_STRING, GEN_IPADD), ASN1_IMP(GENERAL_NAME, d.registeredID, ASN1_OBJECT, GEN_RID) } ASN1_CHOICE_END(GENERAL_NAME) IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAME) ASN1_ITEM_TEMPLATE(GENERAL_NAMES) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, GENERAL_NAME) ASN1_ITEM_TEMPLATE_END(GENERAL_NAMES) IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAMES) GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a) { return (GENERAL_NAME *)ASN1_dup((i2d_of_void *)i2d_GENERAL_NAME, (d2i_of_void *)d2i_GENERAL_NAME, (char *)a); } +static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) +{ + int res; + + if (a == NULL || b == NULL) { + /* + * Shouldn't be possible in a valid GENERAL_NAME, but we handle it + * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here + */ + return -1; + } + if (a->nameAssigner == NULL && b->nameAssigner != NULL) + return -1; + if (a->nameAssigner != NULL && b->nameAssigner == NULL) + return 1; + /* If we get here then both have nameAssigner set, or both unset */ + if (a->nameAssigner != NULL) { + res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner); + if (res != 0) + return res; + } + /* + * partyName is required, so these should never be NULL. We treat it in + * the same way as the a == NULL || b == NULL case above + */ + if (a->partyName == NULL || b->partyName == NULL) + return -1; + + return ASN1_STRING_cmp(a->partyName, b->partyName); +} + /* Returns 0 if they are equal, != 0 otherwise. */ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) { int result = -1; if (!a || !b || a->type != b->type) return -1; switch (a->type) { case GEN_X400: + result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); + break; + case GEN_EDIPARTY: - result = ASN1_TYPE_cmp(a->d.other, b->d.other); + result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName); break; case GEN_OTHERNAME: result = OTHERNAME_cmp(a->d.otherName, b->d.otherName); break; case GEN_EMAIL: case GEN_DNS: case GEN_URI: result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5); break; case GEN_DIRNAME: result = X509_NAME_cmp(a->d.dirn, b->d.dirn); break; case GEN_IPADD: result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip); break; case GEN_RID: result = OBJ_cmp(a->d.rid, b->d.rid); break; } return result; } /* Returns 0 if they are equal, != 0 otherwise. */ int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b) { int result = -1; if (!a || !b) return -1; /* Check their type first. */ if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0) return result; /* Check the value. */ result = ASN1_TYPE_cmp(a->value, b->value); return result; } void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) { switch (type) { case GEN_X400: + a->d.x400Address = value; + break; + case GEN_EDIPARTY: - a->d.other = value; + a->d.ediPartyName = value; break; case GEN_OTHERNAME: a->d.otherName = value; break; case GEN_EMAIL: case GEN_DNS: case GEN_URI: a->d.ia5 = value; break; case GEN_DIRNAME: a->d.dirn = value; break; case GEN_IPADD: a->d.ip = value; break; case GEN_RID: a->d.rid = value; break; } a->type = type; } void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype) { if (ptype) *ptype = a->type; switch (a->type) { case GEN_X400: + return a->d.x400Address; + case GEN_EDIPARTY: - return a->d.other; + return a->d.ediPartyName; case GEN_OTHERNAME: return a->d.otherName; case GEN_EMAIL: case GEN_DNS: case GEN_URI: return a->d.ia5; case GEN_DIRNAME: return a->d.dirn; case GEN_IPADD: return a->d.ip; case GEN_RID: return a->d.rid; default: return NULL; } } int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid, ASN1_TYPE *value) { OTHERNAME *oth; oth = OTHERNAME_new(); if (!oth) return 0; ASN1_TYPE_free(oth->value); oth->type_id = oid; oth->value = value; GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth); return 1; } int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, ASN1_OBJECT **poid, ASN1_TYPE **pvalue) { if (gen->type != GEN_OTHERNAME) return 0; if (poid) *poid = gen->d.otherName->type_id; if (pvalue) *pvalue = gen->d.otherName->value; return 1; } Index: releng/11.4/sys/conf/newvers.sh =================================================================== --- releng/11.4/sys/conf/newvers.sh (revision 368642) +++ releng/11.4/sys/conf/newvers.sh (revision 368643) @@ -1,315 +1,315 @@ #!/bin/sh - # # Copyright (c) 1984, 1986, 1990, 1993 # The Regents of the University of California. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # 3. Neither the name of the University nor the names of its contributors # may be used to endorse or promote products derived from this software # without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # @(#)newvers.sh 8.1 (Berkeley) 4/20/94 # $FreeBSD$ # Command line options: # # -r Reproducible build. Do not embed directory names, user # names, time stamps or other dynamic information into # the output file. This is intended to allow two builds # done at different times and even by different people on # different hosts to produce identical output. # # -R Reproducible build if the tree represents an unmodified # checkout from a version control system. Metadata is # included if the tree is modified. TYPE="FreeBSD" REVISION="11.4" -BRANCH="RELEASE-p5" +BRANCH="RELEASE-p6" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi RELEASE="${REVISION}-${BRANCH}" VERSION="${TYPE} ${RELEASE}" # # findvcs dir # Looks up directory dir at world root and up the filesystem # findvcs() { local savedir savedir=$(pwd) cd ${SYSDIR}/.. while [ $(pwd) != "/" ]; do if [ -e "./$1" ]; then VCSDIR=$(pwd)"/$1" cd ${savedir} return 0 fi cd .. done cd ${savedir} return 1 } if [ -z "${SYSDIR}" ]; then SYSDIR=$(dirname $0)/.. fi if [ -n "${PARAMFILE}" ]; then RELDATE=$(awk '/__FreeBSD_version.*propagated to newvers/ {print $3}' \ ${PARAMFILE}) else RELDATE=$(awk '/__FreeBSD_version.*propagated to newvers/ {print $3}' \ ${SYSDIR}/sys/param.h) fi b=share/examples/etc/bsd-style-copyright if [ -r "${SYSDIR}/../COPYRIGHT" ]; then year=$(sed -Ee '/^Copyright .* The FreeBSD Project/!d;s/^.*1992-([0-9]*) .*$/\1/g' ${SYSDIR}/../COPYRIGHT) else year=$(date +%Y) fi # look for copyright template for bsd_copyright in ../$b ../../$b ../../../$b /usr/src/$b /usr/$b do if [ -r "$bsd_copyright" ]; then COPYRIGHT=`sed \ -e "s/\[year\]/1992-$year/" \ -e 's/\[your name here\]\.* /The FreeBSD Project./' \ -e 's/\[your name\]\.*/The FreeBSD Project./' \ -e '/\[id for your version control system, if any\]/d' \ $bsd_copyright` break fi done # no copyright found, use a dummy if [ -z "$COPYRIGHT" ]; then COPYRIGHT="/*- * Copyright (c) 1992-$year The FreeBSD Project. * All rights reserved. * */" fi # add newline COPYRIGHT="$COPYRIGHT " # VARS_ONLY means no files should be generated, this is just being # included. if [ -n "$VARS_ONLY" ]; then return 0 fi LC_ALL=C; export LC_ALL if [ ! -r version ] then echo 0 > version fi touch version v=`cat version` u=${USER:-root} d=`pwd` h=${HOSTNAME:-`hostname`} if [ -n "$SOURCE_DATE_EPOCH" ]; then if ! t=`date -r $SOURCE_DATE_EPOCH 2>/dev/null`; then echo "Invalid SOURCE_DATE_EPOCH" >&2 exit 1 fi else t=`date` fi i=`${MAKE:-make} -V KERN_IDENT` compiler_v=$($(${MAKE:-make} -V CC) -v 2>&1 | grep -w 'version') for dir in /usr/bin /usr/local/bin; do if [ ! -z "${svnversion}" ] ; then break fi if [ -x "${dir}/svnversion" ] && [ -z ${svnversion} ] ; then # Run svnversion from ${dir} on this script; if return code # is not zero, the checkout might not be compatible with the # svnversion being used. ${dir}/svnversion $(realpath ${0}) >/dev/null 2>&1 if [ $? -eq 0 ]; then svnversion=${dir}/svnversion break fi fi done if [ -z "${svnversion}" ] && [ -x /usr/bin/svnliteversion ] ; then /usr/bin/svnliteversion $(realpath ${0}) >/dev/null 2>&1 if [ $? -eq 0 ]; then svnversion=/usr/bin/svnliteversion else svnversion= fi fi for dir in /usr/bin /usr/local/bin; do if [ -x "${dir}/p4" ] && [ -z ${p4_cmd} ] ; then p4_cmd=${dir}/p4 fi done if findvcs .git; then for dir in /usr/bin /usr/local/bin; do if [ -x "${dir}/git" ] ; then git_cmd="${dir}/git --git-dir=${VCSDIR}" break fi done fi if findvcs .hg; then for dir in /usr/bin /usr/local/bin; do if [ -x "${dir}/hg" ] ; then hg_cmd="${dir}/hg -R ${VCSDIR}" break fi done fi if [ -n "$svnversion" ] ; then svn=`cd ${SYSDIR} && $svnversion 2>/dev/null` case "$svn" in [0-9]*[MSP]|*:*) svn=" r${svn}" modified=true ;; [0-9]*) svn=" r${svn}" ;; *) unset svn ;; esac fi if [ -n "$git_cmd" ] ; then git=`$git_cmd rev-parse --verify --short HEAD 2>/dev/null` svn=`$git_cmd svn find-rev $git 2>/dev/null` if [ -n "$svn" ] ; then svn=" r${svn}" git="=${git}" else svn=`$git_cmd log --grep '^git-svn-id:' | \ grep '^ git-svn-id:' | head -1 | \ sed -n 's/^.*@\([0-9][0-9]*\).*$/\1/p'` if [ -z "$svn" ] ; then svn=`$git_cmd log --format='format:%N' | \ grep '^svn ' | head -1 | \ sed -n 's/^.*revision=\([0-9][0-9]*\).*$/\1/p'` fi if [ -n "$svn" ] ; then svn=" r${svn}" git="+${git}" else git=" ${git}" fi fi git_b=`$git_cmd rev-parse --abbrev-ref HEAD` if [ -n "$git_b" ] ; then git="${git}(${git_b})" fi if $git_cmd --work-tree=${VCSDIR}/.. diff-index \ --name-only HEAD | read dummy; then git="${git}-dirty" modified=true fi fi if [ -n "$p4_cmd" ] ; then p4version=`cd ${SYSDIR} && $p4_cmd changes -m1 "./...#have" 2>&1 | \ awk '{ print $2 }'` case "$p4version" in [0-9]*) p4version=" ${p4version}" p4opened=`cd ${SYSDIR} && $p4_cmd opened ./... 2>&1` case "$p4opened" in File*) ;; //*) p4version="${p4version}+edit" modified=true ;; esac ;; *) unset p4version ;; esac fi if [ -n "$hg_cmd" ] ; then hg=`$hg_cmd id 2>/dev/null` svn=`$hg_cmd svn info 2>/dev/null | \ awk -F': ' '/Revision/ { print $2 }'` if [ -n "$svn" ] ; then svn=" r${svn}" fi if [ -n "$hg" ] ; then hg=" ${hg}" fi fi include_metadata=true while getopts rR opt; do case "$opt" in r) include_metadata= ;; R) if [ -z "${modified}" ]; then include_metadata= fi esac done shift $((OPTIND - 1)) if [ -z "${include_metadata}" ]; then VERINFO="${VERSION} ${svn}${git}${hg}${p4version}" VERSTR="${VERINFO}\\n" else VERINFO="${VERSION} #${v}${svn}${git}${hg}${p4version}: ${t}" VERSTR="${VERINFO}\\n ${u}@${h}:${d}\\n" fi cat << EOF > vers.c $COPYRIGHT #define SCCSSTR "@(#)${VERINFO}" #define VERSTR "${VERSTR}" #define RELSTR "${RELEASE}" char sccs[sizeof(SCCSSTR) > 128 ? sizeof(SCCSSTR) : 128] = SCCSSTR; char version[sizeof(VERSTR) > 256 ? sizeof(VERSTR) : 256] = VERSTR; char compiler_version[] = "${compiler_v}"; char ostype[] = "${TYPE}"; char osrelease[sizeof(RELSTR) > 32 ? sizeof(RELSTR) : 32] = RELSTR; int osreldate = ${RELDATE}; char kern_ident[] = "${i}"; EOF echo $((v + 1)) > version