Diffstat (limited to 'lib/libssl/src')
-rw-r--r--lib/libssl/src/CHANGES120
-rw-r--r--lib/libssl/src/Configure126
-rw-r--r--lib/libssl/src/FAQ47
-rw-r--r--lib/libssl/src/INSTALL4
-rw-r--r--lib/libssl/src/INSTALL.W3213
-rw-r--r--lib/libssl/src/Makefile.org158
-rw-r--r--lib/libssl/src/NEWS24
-rw-r--r--lib/libssl/src/README20
-rw-r--r--lib/libssl/src/apps/CA.pl.in25
-rw-r--r--lib/libssl/src/apps/CA.sh10
-rw-r--r--lib/libssl/src/apps/apps.c203
-rw-r--r--lib/libssl/src/apps/apps.h12
-rw-r--r--lib/libssl/src/apps/asn1pars.c10
-rw-r--r--lib/libssl/src/apps/ca.c66
-rw-r--r--lib/libssl/src/apps/crl.c6
-rw-r--r--lib/libssl/src/apps/dgst.c88
-rw-r--r--lib/libssl/src/apps/enc.c71
-rw-r--r--lib/libssl/src/apps/makeapps.com10
-rw-r--r--lib/libssl/src/apps/openssl-vms.cnf95
-rw-r--r--lib/libssl/src/apps/openssl.c25
-rw-r--r--lib/libssl/src/apps/openssl.cnf57
-rw-r--r--lib/libssl/src/apps/pkcs12.c28
-rw-r--r--lib/libssl/src/apps/pkcs8.c289
-rw-r--r--lib/libssl/src/apps/progs.h2
-rw-r--r--lib/libssl/src/apps/req.c24
-rw-r--r--lib/libssl/src/apps/s_client.c9
-rw-r--r--lib/libssl/src/apps/s_socket.c1
-rw-r--r--lib/libssl/src/apps/speed.c1
-rw-r--r--lib/libssl/src/apps/verify.c1
-rw-r--r--lib/libssl/src/apps/x509.c57
-rw-r--r--lib/libssl/src/config140
-rw-r--r--lib/libssl/src/crypto/aes/aes.h15
-rw-r--r--lib/libssl/src/crypto/aes/aes_cbc.c44
-rw-r--r--lib/libssl/src/crypto/aes/aes_cfb.c68
-rw-r--r--lib/libssl/src/crypto/aes/aes_core.c4
-rw-r--r--lib/libssl/src/crypto/aes/aes_ctr.c35
-rw-r--r--lib/libssl/src/crypto/aes/aes_locl.h2
-rw-r--r--lib/libssl/src/crypto/asn1/a_bitstr.c8
-rw-r--r--lib/libssl/src/crypto/asn1/a_digest.c7
-rw-r--r--lib/libssl/src/crypto/asn1/a_enum.c2
-rw-r--r--lib/libssl/src/crypto/asn1/a_gentm.c12
-rw-r--r--lib/libssl/src/crypto/asn1/a_int.c21
-rw-r--r--lib/libssl/src/crypto/asn1/a_print.c2
-rw-r--r--lib/libssl/src/crypto/asn1/a_set.c23
-rw-r--r--lib/libssl/src/crypto/asn1/a_strex.c9
-rw-r--r--lib/libssl/src/crypto/asn1/a_type.c5
-rw-r--r--lib/libssl/src/crypto/asn1/a_utctm.c11
-rw-r--r--lib/libssl/src/crypto/asn1/a_verify.c8
-rw-r--r--lib/libssl/src/crypto/asn1/asn1.h8
-rw-r--r--lib/libssl/src/crypto/asn1/asn1_err.c8
-rw-r--r--lib/libssl/src/crypto/asn1/asn1_lib.c1
-rw-r--r--lib/libssl/src/crypto/asn1/evp_asn1.c6
-rw-r--r--lib/libssl/src/crypto/asn1/p5_pbe.c26
-rw-r--r--lib/libssl/src/crypto/asn1/p5_pbev2.c6
-rw-r--r--lib/libssl/src/crypto/asn1/x_crl.c40
-rw-r--r--lib/libssl/src/crypto/asn1/x_name.c19
-rw-r--r--lib/libssl/src/crypto/asn1/x_pubkey.c50
-rw-r--r--lib/libssl/src/crypto/bf/bf_skey.c3
-rw-r--r--lib/libssl/src/crypto/bf/blowfish.h5
-rw-r--r--lib/libssl/src/crypto/bio/b_print.c2
-rw-r--r--lib/libssl/src/crypto/bio/bio.h1
-rw-r--r--lib/libssl/src/crypto/bio/bss_file.c16
-rw-r--r--lib/libssl/src/crypto/bn/asm/ia64.S217
-rw-r--r--lib/libssl/src/crypto/bn/bn_mont.c2
-rw-r--r--lib/libssl/src/crypto/bn/bntest.c2
-rw-r--r--lib/libssl/src/crypto/cast/c_skey.c4
-rw-r--r--lib/libssl/src/crypto/cast/cast.h5
-rw-r--r--lib/libssl/src/crypto/comp/c_zlib.c13
-rw-r--r--lib/libssl/src/crypto/conf/conf_def.c5
-rw-r--r--lib/libssl/src/crypto/cryptlib.c130
-rw-r--r--lib/libssl/src/crypto/crypto-lib.com8
-rw-r--r--lib/libssl/src/crypto/crypto.h61
-rw-r--r--lib/libssl/src/crypto/des/cfb64ede.c112
-rw-r--r--lib/libssl/src/crypto/des/des.h6
-rw-r--r--lib/libssl/src/crypto/des/des_enc.c8
-rw-r--r--lib/libssl/src/crypto/des/destest.c4
-rw-r--r--lib/libssl/src/crypto/des/ecb3_enc.c4
-rw-r--r--lib/libssl/src/crypto/des/set_key.c4
-rw-r--r--lib/libssl/src/crypto/dh/dh_check.c4
-rw-r--r--lib/libssl/src/crypto/dh/dh_err.c2
-rw-r--r--lib/libssl/src/crypto/dh/dh_gen.c6
-rw-r--r--lib/libssl/src/crypto/dh/dh_key.c4
-rw-r--r--lib/libssl/src/crypto/dsa/dsa.h4
-rw-r--r--lib/libssl/src/crypto/dsa/dsa_gen.c45
-rw-r--r--lib/libssl/src/crypto/dsa/dsa_key.c2
-rw-r--r--lib/libssl/src/crypto/dsa/dsa_ossl.c2
-rw-r--r--lib/libssl/src/crypto/dsa/dsa_sign.c12
-rw-r--r--lib/libssl/src/crypto/dsa/dsa_vrf.c8
-rw-r--r--lib/libssl/src/crypto/dso/dso_win32.c2
-rw-r--r--lib/libssl/src/crypto/engine/hw_cryptodev.c8
-rw-r--r--lib/libssl/src/crypto/err/err.c2
-rw-r--r--lib/libssl/src/crypto/err/err.h3
-rw-r--r--lib/libssl/src/crypto/err/err_all.c4
-rw-r--r--lib/libssl/src/crypto/err/openssl.ec1
-rw-r--r--lib/libssl/src/crypto/evp/bio_md.c19
-rw-r--r--lib/libssl/src/crypto/evp/c_allc.c8
-rw-r--r--lib/libssl/src/crypto/evp/c_alld.c2
-rw-r--r--lib/libssl/src/crypto/evp/digest.c45
-rw-r--r--lib/libssl/src/crypto/evp/e_aes.c32
-rw-r--r--lib/libssl/src/crypto/evp/e_des.c43
-rw-r--r--lib/libssl/src/crypto/evp/e_des3.c51
-rw-r--r--lib/libssl/src/crypto/evp/e_null.c2
-rw-r--r--lib/libssl/src/crypto/evp/e_rc4.c1
-rw-r--r--lib/libssl/src/crypto/evp/evp.h70
-rw-r--r--lib/libssl/src/crypto/evp/evp_enc.c61
-rw-r--r--lib/libssl/src/crypto/evp/evp_err.c9
-rw-r--r--lib/libssl/src/crypto/evp/evp_lib.c28
-rw-r--r--lib/libssl/src/crypto/evp/evp_locl.h29
-rw-r--r--lib/libssl/src/crypto/evp/evp_pkey.c124
-rw-r--r--lib/libssl/src/crypto/evp/evp_test.c34
-rw-r--r--lib/libssl/src/crypto/evp/evptests.txt107
-rw-r--r--lib/libssl/src/crypto/evp/m_dss.c2
-rw-r--r--lib/libssl/src/crypto/evp/m_md2.c1
-rw-r--r--lib/libssl/src/crypto/evp/m_md4.c1
-rw-r--r--lib/libssl/src/crypto/evp/m_md5.c1
-rw-r--r--lib/libssl/src/crypto/evp/m_mdc2.c1
-rw-r--r--lib/libssl/src/crypto/evp/m_sha.c3
-rw-r--r--lib/libssl/src/crypto/evp/m_sha1.c2
-rw-r--r--lib/libssl/src/crypto/evp/names.c3
-rw-r--r--lib/libssl/src/crypto/hmac/hmac.c16
-rw-r--r--lib/libssl/src/crypto/hmac/hmac.h1
-rw-r--r--lib/libssl/src/crypto/idea/idea.h4
-rw-r--r--lib/libssl/src/crypto/md2/md2.h3
-rw-r--r--lib/libssl/src/crypto/md2/md2_dgst.c4
-rw-r--r--lib/libssl/src/crypto/md32_common.h14
-rw-r--r--lib/libssl/src/crypto/md4/md4.h3
-rw-r--r--lib/libssl/src/crypto/md4/md4_dgst.c2
-rw-r--r--lib/libssl/src/crypto/md5/md5.h3
-rw-r--r--lib/libssl/src/crypto/md5/md5_dgst.c2
-rw-r--r--lib/libssl/src/crypto/mdc2/mdc2.h4
-rw-r--r--lib/libssl/src/crypto/o_time.c21
-rw-r--r--lib/libssl/src/crypto/objects/o_names.c7
-rw-r--r--lib/libssl/src/crypto/objects/obj_dat.c12
-rw-r--r--lib/libssl/src/crypto/objects/obj_err.c4
-rw-r--r--lib/libssl/src/crypto/objects/obj_mac.num18
-rw-r--r--lib/libssl/src/crypto/objects/objects.h2
-rw-r--r--lib/libssl/src/crypto/objects/objects.txt22
-rw-r--r--lib/libssl/src/crypto/opensslv.h8
-rw-r--r--lib/libssl/src/crypto/pem/pem_all.c119
-rw-r--r--lib/libssl/src/crypto/pem/pem_lib.c15
-rw-r--r--lib/libssl/src/crypto/pem/pem_pkey.c1
-rw-r--r--lib/libssl/src/crypto/perlasm/x86asm.pl2
-rw-r--r--lib/libssl/src/crypto/perlasm/x86ms.pl1
-rw-r--r--lib/libssl/src/crypto/perlasm/x86nasm.pl8
-rw-r--r--lib/libssl/src/crypto/perlasm/x86unix.pl7
-rw-r--r--lib/libssl/src/crypto/pkcs12/p12_crpt.c6
-rw-r--r--lib/libssl/src/crypto/pkcs12/p12_init.c12
-rw-r--r--lib/libssl/src/crypto/pkcs12/p12_kiss.c18
-rw-r--r--lib/libssl/src/crypto/pkcs12/p12_mutl.c5
-rw-r--r--lib/libssl/src/crypto/pkcs7/pk7_attr.c9
-rw-r--r--lib/libssl/src/crypto/pkcs7/pk7_doit.c42
-rw-r--r--lib/libssl/src/crypto/pkcs7/pk7_lib.c44
-rw-r--r--lib/libssl/src/crypto/pkcs7/pk7_smime.c46
-rw-r--r--lib/libssl/src/crypto/rand/md_rand.c9
-rw-r--r--lib/libssl/src/crypto/rand/rand.h10
-rw-r--r--lib/libssl/src/crypto/rand/rand_egd.c10
-rw-r--r--lib/libssl/src/crypto/rand/rand_err.c8
-rw-r--r--lib/libssl/src/crypto/rand/rand_lib.c12
-rw-r--r--lib/libssl/src/crypto/rand/rand_unix.c35
-rw-r--r--lib/libssl/src/crypto/rand/rand_win.c104
-rw-r--r--lib/libssl/src/crypto/rand/randfile.c2
-rw-r--r--lib/libssl/src/crypto/rc2/rc2.h5
-rw-r--r--lib/libssl/src/crypto/rc2/rc2_skey.c13
-rw-r--r--lib/libssl/src/crypto/rc4/asm/rc4-586.pl114
-rw-r--r--lib/libssl/src/crypto/rc4/rc4.h7
-rw-r--r--lib/libssl/src/crypto/rc4/rc4_enc.c4
-rw-r--r--lib/libssl/src/crypto/rc4/rc4_skey.c8
-rw-r--r--lib/libssl/src/crypto/rc5/rc5.h5
-rw-r--r--lib/libssl/src/crypto/ripemd/ripemd.h3
-rw-r--r--lib/libssl/src/crypto/ripemd/rmd_dgst.c3
-rw-r--r--lib/libssl/src/crypto/rsa/rsa.h4
-rw-r--r--lib/libssl/src/crypto/rsa/rsa_eay.c2
-rw-r--r--lib/libssl/src/crypto/rsa/rsa_gen.c3
-rw-r--r--lib/libssl/src/crypto/rsa/rsa_saos.c7
-rw-r--r--lib/libssl/src/crypto/rsa/rsa_sign.c9
-rw-r--r--lib/libssl/src/crypto/sha/asm/sha1-586.pl2
-rw-r--r--lib/libssl/src/crypto/sha/sha.h7
-rw-r--r--lib/libssl/src/crypto/sha/sha1dgst.c8
-rw-r--r--lib/libssl/src/crypto/sha/sha_locl.h9
-rw-r--r--lib/libssl/src/crypto/sha/shatest.c4
-rw-r--r--lib/libssl/src/crypto/stack/safestack.h59
-rw-r--r--lib/libssl/src/crypto/stack/stack.c14
-rw-r--r--lib/libssl/src/crypto/stack/stack.h1
-rw-r--r--lib/libssl/src/crypto/x509/by_file.c4
-rw-r--r--lib/libssl/src/crypto/x509/x509.h11
-rw-r--r--lib/libssl/src/crypto/x509/x509_cmp.c48
-rw-r--r--lib/libssl/src/crypto/x509/x509_r2x.c6
-rw-r--r--lib/libssl/src/crypto/x509/x509_req.c35
-rw-r--r--lib/libssl/src/crypto/x509/x509_txt.c13
-rw-r--r--lib/libssl/src/crypto/x509/x509_vfy.c131
-rw-r--r--lib/libssl/src/crypto/x509/x509_vfy.h8
-rw-r--r--lib/libssl/src/crypto/x509/x509name.c10
-rw-r--r--lib/libssl/src/crypto/x509/x_all.c1
-rw-r--r--lib/libssl/src/crypto/x509v3/ext_dat.h11
-rw-r--r--lib/libssl/src/crypto/x509v3/v3_bitst.c7
-rw-r--r--lib/libssl/src/crypto/x509v3/v3_ia5.c5
-rw-r--r--lib/libssl/src/crypto/x509v3/v3_int.c19
-rw-r--r--lib/libssl/src/crypto/x509v3/v3_purp.c75
-rw-r--r--lib/libssl/src/crypto/x509v3/v3err.c14
-rw-r--r--lib/libssl/src/crypto/x509v3/x509v3.h31
-rw-r--r--lib/libssl/src/doc/apps/dgst.pod6
-rw-r--r--lib/libssl/src/doc/apps/enc.pod2
-rw-r--r--lib/libssl/src/doc/crypto/ERR_error_string.pod2
-rw-r--r--lib/libssl/src/doc/crypto/EVP_EncryptInit.pod2
-rw-r--r--lib/libssl/src/doc/crypto/EVP_SealInit.pod5
-rw-r--r--lib/libssl/src/doc/crypto/EVP_SignInit.pod9
-rw-r--r--lib/libssl/src/doc/crypto/RSA_public_encrypt.pod7
-rw-r--r--lib/libssl/src/doc/crypto/blowfish.pod2
-rw-r--r--lib/libssl/src/doc/crypto/pem.pod2
-rw-r--r--lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod6
-rw-r--r--lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod2
-rw-r--r--lib/libssl/src/doc/ssl/SSL_CTX_set_cert_store.pod2
-rw-r--r--lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod2
-rw-r--r--lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod4
-rw-r--r--lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod2
-rw-r--r--lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod8
-rw-r--r--lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod4
-rw-r--r--lib/libssl/src/doc/ssl/SSL_get_error.pod2
-rw-r--r--lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod2
-rw-r--r--lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod2
-rw-r--r--lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod2
-rw-r--r--lib/libssl/src/doc/ssl/SSL_get_session.pod4
-rw-r--r--lib/libssl/src/doc/ssl/SSL_get_verify_result.pod2
-rw-r--r--lib/libssl/src/doc/ssl/SSL_pending.pod2
-rw-r--r--lib/libssl/src/doc/ssl/SSL_set_shutdown.pod2
-rw-r--r--lib/libssl/src/doc/ssl/SSL_shutdown.pod2
-rw-r--r--lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod2
-rw-r--r--lib/libssl/src/doc/ssl/ssl.pod110
-rw-r--r--lib/libssl/src/doc/standards.txt4
-rw-r--r--lib/libssl/src/e_os.h22
-rw-r--r--lib/libssl/src/e_os2.h14
-rw-r--r--lib/libssl/src/install.com12
-rw-r--r--lib/libssl/src/makevms.com45
-rw-r--r--lib/libssl/src/ms/do_masm.bat22
-rw-r--r--lib/libssl/src/ms/do_ms.bat22
-rw-r--r--lib/libssl/src/ms/do_nasm.bat23
-rw-r--r--lib/libssl/src/ms/test.bat40
-rw-r--r--lib/libssl/src/ms/testss.bat2
-rw-r--r--lib/libssl/src/openssl.spec2
-rw-r--r--lib/libssl/src/shlib/hpux10-cc.sh6
-rw-r--r--lib/libssl/src/ssl/kssl.c18
-rw-r--r--lib/libssl/src/ssl/kssl.h6
-rw-r--r--lib/libssl/src/ssl/s23_clnt.c23
-rw-r--r--lib/libssl/src/ssl/s23_lib.c2
-rw-r--r--lib/libssl/src/ssl/s23_srvr.c9
-rw-r--r--lib/libssl/src/ssl/s2_clnt.c7
-rw-r--r--lib/libssl/src/ssl/s2_lib.c2
-rw-r--r--lib/libssl/src/ssl/s2_srvr.c9
-rw-r--r--lib/libssl/src/ssl/s3_clnt.c7
-rw-r--r--lib/libssl/src/ssl/s3_enc.c4
-rw-r--r--lib/libssl/src/ssl/s3_lib.c74
-rw-r--r--lib/libssl/src/ssl/s3_pkt.c12
-rw-r--r--lib/libssl/src/ssl/s3_srvr.c17
-rw-r--r--lib/libssl/src/ssl/ssl.h118
-rw-r--r--lib/libssl/src/ssl/ssl_asn1.c8
-rw-r--r--lib/libssl/src/ssl/ssl_cert.c104
-rw-r--r--lib/libssl/src/ssl/ssl_ciph.c21
-rw-r--r--lib/libssl/src/ssl/ssl_err.c4
-rw-r--r--lib/libssl/src/ssl/ssl_lib.c103
-rw-r--r--lib/libssl/src/ssl/ssl_locl.h12
-rw-r--r--lib/libssl/src/ssl/ssl_rsa.c2
-rw-r--r--lib/libssl/src/ssl/ssl_sess.c13
-rw-r--r--lib/libssl/src/ssl/ssl_txt.c4
-rw-r--r--lib/libssl/src/ssl/ssltest.c538
-rw-r--r--lib/libssl/src/ssl/t1_enc.c4
-rw-r--r--lib/libssl/src/test/maketests.com6
-rw-r--r--lib/libssl/src/test/tcrl2
-rw-r--r--lib/libssl/src/test/testca3
-rw-r--r--lib/libssl/src/test/testenc20
-rw-r--r--lib/libssl/src/test/testenc.com2
-rw-r--r--lib/libssl/src/test/testgen6
-rw-r--r--lib/libssl/src/test/testss86
-rw-r--r--lib/libssl/src/test/testssl14
-rw-r--r--lib/libssl/src/test/tpkcs72
-rw-r--r--lib/libssl/src/test/tpkcs7d2
-rw-r--r--lib/libssl/src/test/treq2
-rw-r--r--lib/libssl/src/test/trsa4
-rw-r--r--lib/libssl/src/test/tsid2
-rw-r--r--lib/libssl/src/test/tx5092
-rw-r--r--lib/libssl/src/tools/c_issuer2
-rw-r--r--lib/libssl/src/util/cygwin.sh14
-rw-r--r--lib/libssl/src/util/domd10
-rw-r--r--lib/libssl/src/util/libeay.num86
-rw-r--r--lib/libssl/src/util/mk1mf.pl20
-rw-r--r--lib/libssl/src/util/mkdef.pl17
-rw-r--r--lib/libssl/src/util/mkerr.pl7
-rw-r--r--lib/libssl/src/util/mkfiles.pl10
-rw-r--r--lib/libssl/src/util/mklink.pl1
-rw-r--r--lib/libssl/src/util/mkstack.pl1
-rw-r--r--lib/libssl/src/util/pl/BC-16.pl15
-rw-r--r--lib/libssl/src/util/pl/BC-32.pl13
-rw-r--r--lib/libssl/src/util/pl/Mingw32.pl11
-rw-r--r--lib/libssl/src/util/pl/OS2-EMX.pl11
-rw-r--r--lib/libssl/src/util/pl/VC-16.pl13
-rw-r--r--lib/libssl/src/util/pl/VC-32.pl11
-rw-r--r--lib/libssl/src/util/pl/linux.pl9
-rw-r--r--lib/libssl/src/util/pl/unix.pl9
-rw-r--r--lib/libssl/src/util/selftest.pl4
298 files changed, 5261 insertions, 1667 deletions
diff --git a/lib/libssl/src/CHANGES b/lib/libssl/src/CHANGES
index 4a0363a1c2d..cccc4f812fa 100644
--- a/lib/libssl/src/CHANGES
+++ b/lib/libssl/src/CHANGES
@@ -2,6 +2,112 @@
OpenSSL CHANGES
_______________
+ Changes between 0.9.7f and 0.9.7g [11 Apr 2005]
+
+ *) Fixes for newer kerberos headers. NB: the casts are needed because
+ the 'length' field is signed on one version and unsigned on another
+ with no (?) obvious way to tell the difference, without these VC++
+ complains. Also the "definition" of FAR (blank) is no longer included
+ nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
+ some needed definitions.
+ [Steve Henson]
+
+ *) Undo Cygwin change.
+ [Ulf Möller]
+
+ *) Added support for proxy certificates according to RFC 3820.
+ Because they may be a security thread to unaware applications,
+ they must be explicitely allowed in run-time. See
+ docs/HOWTO/proxy_certificates.txt for further information.
+ [Richard Levitte]
+
+ Changes between 0.9.7e and 0.9.7f [22 Mar 2005]
+
+ *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
+ server and client random values. Previously
+ (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
+ less random data when sizeof(time_t) > 4 (some 64 bit platforms).
+
+ This change has negligible security impact because:
+
+ 1. Server and client random values still have 24 bytes of pseudo random
+ data.
+
+ 2. Server and client random values are sent in the clear in the initial
+ handshake.
+
+ 3. The master secret is derived using the premaster secret (48 bytes in
+ size for static RSA ciphersuites) as well as client server and random
+ values.
+
+ The OpenSSL team would like to thank the UK NISCC for bringing this issue
+ to our attention.
+
+ [Stephen Henson, reported by UK NISCC]
+
+ *) Use Windows randomness collection on Cygwin.
+ [Ulf Möller]
+
+ *) Fix hang in EGD/PRNGD query when communication socket is closed
+ prematurely by EGD/PRNGD.
+ [Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014]
+
+ *) Prompt for pass phrases when appropriate for PKCS12 input format.
+ [Steve Henson]
+
+ *) Back-port of selected performance improvements from development
+ branch, as well as improved support for PowerPC platforms.
+ [Andy Polyakov]
+
+ *) Add lots of checks for memory allocation failure, error codes to indicate
+ failure and freeing up memory if a failure occurs.
+ [Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson]
+
+ *) Add new -passin argument to dgst.
+ [Steve Henson]
+
+ *) Perform some character comparisons of different types in X509_NAME_cmp:
+ this is needed for some certificates that reencode DNs into UTF8Strings
+ (in violation of RFC3280) and can't or wont issue name rollover
+ certificates.
+ [Steve Henson]
+
+ *) Make an explicit check during certificate validation to see that
+ the CA setting in each certificate on the chain is correct. As a
+ side effect always do the following basic checks on extensions,
+ not just when there's an associated purpose to the check:
+
+ - if there is an unhandled critical extension (unless the user
+ has chosen to ignore this fault)
+ - if the path length has been exceeded (if one is set at all)
+ - that certain extensions fit the associated purpose (if one has
+ been given)
+ [Richard Levitte]
+
+ Changes between 0.9.7d and 0.9.7e [25 Oct 2004]
+
+ *) Avoid a race condition when CRLs are checked in a multi threaded
+ environment. This would happen due to the reordering of the revoked
+ entries during signature checking and serial number lookup. Now the
+ encoding is cached and the serial number sort performed under a lock.
+ Add new STACK function sk_is_sorted().
+ [Steve Henson]
+
+ *) Add Delta CRL to the extension code.
+ [Steve Henson]
+
+ *) Various fixes to s3_pkt.c so alerts are sent properly.
+ [David Holmes <d.holmes@f5.com>]
+
+ *) Reduce the chances of duplicate issuer name and serial numbers (in
+ violation of RFC3280) using the OpenSSL certificate creation utilities.
+ This is done by creating a random 64 bit value for the initial serial
+ number when a serial number file is created or when a self signed
+ certificate is created using 'openssl req -x509'. The initial serial
+ number file is created using 'openssl x509 -next_serial' in CA.pl
+ rather than being initialized to 1.
+ [Steve Henson]
+
Changes between 0.9.7c and 0.9.7d [17 Mar 2004]
*) Fix null-pointer assignment in do_change_cipher_spec() revealed
@@ -2037,6 +2143,20 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Clean old EAY MD5 hack from e_os.h.
[Richard Levitte]
+ Changes between 0.9.6l and 0.9.6m [17 Mar 2004]
+
+ *) Fix null-pointer assignment in do_change_cipher_spec() revealed
+ by using the Codenomicon TLS Test Tool (CAN-2004-0079)
+ [Joe Orton, Steve Henson]
+
+ Changes between 0.9.6k and 0.9.6l [04 Nov 2003]
+
+ *) Fix additional bug revealed by the NISCC test suite:
+
+ Stop bug triggering large recursion when presented with
+ certain ASN.1 tags (CAN-2003-0851)
+ [Steve Henson]
+
Changes between 0.9.6j and 0.9.6k [30 Sep 2003]
*) Fix various bugs revealed by running the NISCC test suite:
diff --git a/lib/libssl/src/Configure b/lib/libssl/src/Configure
index 4e7883c17ab..e0e732c445c 100644
--- a/lib/libssl/src/Configure
+++ b/lib/libssl/src/Configure
@@ -10,7 +10,7 @@ use strict;
# see INSTALL for instructions.
-my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [[no-]fips] [debug] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
# Options:
#
@@ -135,15 +135,16 @@ my %table=(
# Our development configs
"purify", "purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::",
"debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
-"debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
+"debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
"debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
"debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
-"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::",
+"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::::",
"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
+"debug-ben-fips-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_FIPS -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
"debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
"debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn",
"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
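Review bot: `-pedantic` is removed from `debug-ben` and `debug-ben-debug`, but the newly added `debug-ben-fips-debug` entry still carries it, as do the untouched `debug-ben-openbsd` variants. If the flag was dropped because the tree no longer builds cleanly with `-pedantic -Werror`, the new FIPS debug target would fail for the same reason. Either drop it there too or add a one-line comment above the entry saying why it is kept, e.g. `# -pedantic kept deliberately for the FIPS debug build`. Separately, `debug-steve` loses `-rdynamic` and gains `BN_LLONG` in the same line edit, and a short comment on that would help the next reader.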
@@ -155,6 +156,12 @@ my %table=(
"gcc", "gcc:-O3::(unknown):::BN_LLONG:::",
"cc", "cc:-O::(unknown)::::::",
+####VOS Configurations
+"vos-gcc","gcc:-b hppa1.1-stratus-vos -O3 -Wall -Wuninitialized -D_POSIX_C_SOURCE=200112L -D_BSD::(unknown):VOS:-Wl,-map:BN_LLONG:::::::::::::.so:",
+"debug-vos-gcc","gcc:-b hppa1.1-stratus-vos -O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:::::::::::::.so:",
+"vos-vcc","vcc:-b i386-stratus-vos -O3 -D_POSIX_C_SOURCE=200112L -D_BSD::(unknown):VOS:-Wl,-map::::::::::::::.so:",
+"debug-vos-vcc","vcc:-b i386-stratus-vos -O0 -g -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map::::::::::::::.so:",
+
#### Solaris x86 with GNU C setups
# -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it
# here because whenever GNU C instantiates an assembler template it
@@ -162,9 +169,19 @@ my %table=(
# 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic"
# error message.
"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# -shared -static-libgcc might appear controversial, but modules taken
+# from static libgcc do not have relocations and linking them into our
+# shared objects doesn't have any negative side-effects. On the contrary,
+# doing so makes it possible to use gcc shared build with Sun C. Given
+# that gcc generates faster code [thanks to inline assembler], I would
+# actually recommend to consider using gcc shared build even with vendor
+# compiler:-)
+# <appro@fy.chalmers.se>
+"solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o::::::asm/rc4-amd64.o:::dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### Solaris x86 with Sun C setups
"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL::::::::::dlfcn:solaris-shared:-KPIC:-xarch=amd64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### SPARC Solaris with GNU C setups
"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
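Review bot: The new `solaris64-x86_64-gcc` entry sits under the "Solaris x86 with GNU C setups" header, whose comment says `-DOPENSSL_NO_INLINE_ASM` is required because `/usr/ccs/bin/as` rejects gcc's assembler templates. The 64-bit entry omits that define, and the added comment credits inline assembler for gcc's speed. A reader cannot tell from the hunk whether the assembler limitation is known not to apply to the 64-bit toolchain or was overlooked. A line such as `# solaris64-x86_64-gcc: inline asm left enabled; the "Illegal mnemonic" problem above is specific to the 32-bit assembler` (if that is the case) would settle it. The `-static-libgcc` comment should also name the target it justifies, since it currently floats between two entries.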
@@ -263,10 +280,10 @@ my %table=(
"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# IA-64 targets
-"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux-shared:+Z::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# Frank Geurts <frank.geurts@nl.abnamro.com> has patiently assisted with
# with debugging of the following config.
-"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux64-shared:+Z::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# More attempts at unified 10.X and 11.X targets for HP C compiler.
#
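Review bot: Both `hpux-ia64-cc` and `hpux64-ia64-cc` change the shared-library suffix field from `.sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)` to `.so.…` in the same edit that adds `asm/sha1-ia64.o` and `asm/rc4-ia64.o` and drops `RC4_CHAR`. The suffix change alters the installed file names, so anything that links or loads the libraries by the old `.sl` name would stop resolving them, and nothing in the hunk marks it as intentional. A comment under "# IA-64 targets" would record it, e.g. `# IA-64 HP-UX uses .so for shared libraries, unlike the PA-RISC targets above (.sl)`.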
@@ -382,17 +399,20 @@ my %table=(
"debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
"debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
"linux-mipsel", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-mips", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/linux_ppc32.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# -bpowerpc64-linux is transient option, -m64 should be the one to use...
+"linux-ppc64", "gcc:-bpowerpc64-linux -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/linux_ppc64.o:::::::::dlfcn:linux-shared:-fPIC:-bpowerpc64-linux:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::",
"linux-s390", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64-ecc", "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/ia64.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64-ecc", "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/ia64.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o::::::asm/rc4-amd64.o:::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-em64t", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
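Review bot: `linux-em64t` is added as what looks like a copy of the previous `linux-x86_64` line, with `RC4_CHAR` kept and no `asm/rc4-amd64.o`, while `linux-x86_64` itself switches to the assembler RC4. There is no comment explaining why the two 64-bit x86 targets now differ. Without one, a later maintainer is likely to "fix" the apparent omission or pick the wrong target. A line above the entry would do, e.g. `# linux-em64t: as linux-x86_64 but keeps the C RC4 path (RC4_CHAR, no rc4-amd64.o) because <reason>`. The `linux-ppc64` comment calls `-bpowerpc64-linux` "transient", and it would help to say there what condition allows the switch to `-m64`.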
@@ -415,7 +435,9 @@ my %table=(
"qnx6", "cc:-DL_ENDIAN -DTERMIOS::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:",
# Linux on ARM
-"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# ARM comes in both little- and big-endian flavors. The following line is
+# endian neutral, but ./config is free to throw in -D[BL]_ENDIAN...
+"linux-elf-arm","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# SCO/Caldera targets.
#
@@ -442,11 +464,10 @@ my %table=(
# IBM's AIX.
-"aix-cc", "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
-"aix-gcc", "gcc:-O3 -DB_ENDIAN::(unknown):AIX::BN_LLONG RC4_CHAR:::",
-"aix43-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:aix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::",
-"aix43-gcc", "gcc:-O1 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
-"aix64-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
+"aix3-cc", "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
+"aix-gcc", "gcc:-O3 -DB_ENDIAN::-D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:asm/aix_ppc32.o:::::::::dlfcn:",
+"aix-cc", "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384::-qthreaded:AIX::BN_LLONG RC4_CHAR:asm/aix_ppc32.o:::::::::dlfcn:aix-shared::-q32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
+"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384::-qthreaded:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:asm/aix_ppc64.o:::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
#
# Cray T90 and similar (SDSC)
@@ -509,17 +530,17 @@ my %table=(
"BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",
# MinGW
-"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-mno-cygwin -lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32::::.dll",
+"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:-D_WINDLL:-mno-cygwin:.dll",
# UWIN
"UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
# Cygwin
"Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll",
+"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:cygwin-shared:-D_WINDLL::.dll",
# DJGPP
-"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
+"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall -DDEVRANDOM=\"/dev/urandom\\x24\":::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
# Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
"ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::",
@@ -542,7 +563,7 @@ my %table=(
##### MacOS X (a.k.a. Rhapsody or Darwin) setup
"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
-"darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/osx_ppc32.o::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
##### A/UX
@@ -609,7 +630,7 @@ my $threads=0;
my $no_asm=0;
my $no_dso=0;
my @skip=();
-my $Makefile="Makefile.ssl";
+my $Makefile="Makefile";
my $des_locl="crypto/des/des_locl.h";
my $des ="crypto/des/des.h";
my $bn ="crypto/bn/bn.h";
@@ -621,6 +642,7 @@ my $rc2 ="crypto/rc2/rc2.h";
my $bf ="crypto/bf/bf_locl.h";
my $bn_asm ="bn_asm.o";
my $des_enc="des_enc.o fcrypt_b.o";
+my $fips_des_enc="fips_des_enc.o";
my $bf_enc ="bf_enc.o";
my $cast_enc="c_enc.o";
my $rc4_enc="rc4_enc.o";
@@ -631,6 +653,8 @@ my $rmd160_obj="";
my $processor="";
my $default_ranlib;
my $perl;
+my $fips=0;
+my $debug=0;
my $no_ssl2=0;
my $no_ssl3=0;
@@ -640,10 +664,6 @@ my $no_sha=0;
my $no_rsa=0;
my $no_dh=0;
-$default_ranlib= &which("ranlib") or $default_ranlib="true";
-$perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
- or $perl="perl";
-
&usage if ($#ARGV < 0);
my $flags;
@@ -739,6 +759,8 @@ PROCESS_ARGS:
{ $no_ssl3 = 1; }
elsif (/^no-tls1?$/)
{ $no_tls1 = 1; }
+ elsif (/^no-fips$/)
+ { $fips = 0; }
elsif (/^no-(.+)$/)
{
my $algo=$1;
@@ -804,6 +826,14 @@ PROCESS_ARGS:
}
elsif (/^386$/)
{ $processor=386; }
+ elsif (/^fips$/)
+ {
+ $fips=1;
+ }
+ elsif (/^debug$/)
+ {
+ $debug=1;
+ }
elsif (/^rsaref$/)
{
# No RSAref support any more since it's not needed.
@@ -920,11 +950,15 @@ print "Configuring for $target\n";
my $IsWindows=scalar grep /^$target$/,@WinTargets;
-$exe_ext=".exe" if ($target eq "Cygwin");
-$exe_ext=".exe" if ($target eq "DJGPP");
+$exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target eq "mingw");
+$exe_ext=".pm" if ($target eq "vos-gcc" or $target eq "debug-vos-gcc" or $target eq "vos-vcc" or $target eq "debug-vos-vcc");
$openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
$prefix=$openssldir if $prefix eq "";
+$default_ranlib= &which("ranlib") or $default_ranlib="true";
+$perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
+ or $perl="perl";
+
chop $openssldir if $openssldir =~ /\/$/;
chop $prefix if $prefix =~ /\/$/;
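Review bot: The `$default_ranlib` / `$perl` lookups were moved below the `$exe_ext` assignments without a comment, and that ordering is now load-bearing. The `which` hunk later in this file appends `$exe_ext` to every candidate path, so the lookups only find anything once the target's extension is known. I would add `# which() appends $exe_ext, so these lookups must run after it is set` above the moved lines. On the vos targets the new `.pm` extension also applies to the `ranlib` lookup, which is worth confirming.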
@@ -1139,12 +1173,26 @@ if ($ranlib eq "")
$bn_obj = $bn_asm unless $bn_obj ne "";
+my $fips_des_obj;
+my $fips_sha1_obj;
+if ($fips)
+ {
+ if ($des_obj =~ /\-elf\.o$/ && $no_shared) # FIPS DES module is not PIC
+ {
+ $fips_des_obj='asm/fips-dx86-elf.o';
+ $openssl_other_defines.="#define OPENSSL_FIPS_DES_ASM\n";
+ }
+ else { $fips_des_obj=$fips_des_enc; }
+ $fips_sha1_obj='asm/sx86-elf.o' if ($sha1_obj =~ /\-elf\.o$/);
+ $des_obj=$sha1_obj="";
+ $openssl_other_defines.="#define OPENSSL_FIPS\n";
+ }
$des_obj=$des_enc unless ($des_obj =~ /\.o$/);
$bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/);
$cast_obj=$cast_enc unless ($cast_obj =~ /\.o$/);
$rc4_obj=$rc4_enc unless ($rc4_obj =~ /\.o$/);
$rc5_obj=$rc5_enc unless ($rc5_obj =~ /\.o$/);
-if ($sha1_obj =~ /\.o$/)
+if ($sha1_obj =~ /\.o$/ || $fips_sha1_obj =~ /\.o$/)
{
# $sha1_obj=$sha1_enc;
$cflags.=" -DSHA1_ASM";
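Review bot: `$fips_des_obj` and `$fips_sha1_obj` are declared without a value and assigned only inside `if ($fips)`, yet both are used unconditionally. They appear in `$fips_sha1_obj =~ /\.o$/` in the changed SHA1 test at the end of this hunk, and in the `FIPS_DES_ENC=` / `FIPS_SHA1_ASM_OBJ=` substitutions in the Makefile-rewriting hunk further down. In a non-FIPS configuration they are undef, which matches nothing and interpolates as an empty string, but raises "uninitialized value" warnings if warnings are enabled. Even with `fips`, `$fips_sha1_obj` stays undef unless `$sha1_obj` ends in `-elf.o`. Declaring them as `my $fips_des_obj="";` and `my $fips_sha1_obj="";` keeps the behaviour and makes the empty default explicit.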
@@ -1160,6 +1208,12 @@ if ($rmd160_obj =~ /\.o$/)
$cflags.=" -DRMD160_ASM";
}
+if ($debug)
+ {
+ $cflags.=" -g";
+ $cflags=~s/-fomit-frame-pointer//;
+ }
+
# "Stringify" the C flags string. This permits it to be made part of a string
# and works as well on command lines.
$cflags =~ s/([\\\"])/\\\1/g;
@@ -1232,12 +1286,14 @@ while (<IN>)
s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/;
s/^BN_ASM=.*$/BN_ASM= $bn_obj/;
s/^DES_ENC=.*$/DES_ENC= $des_obj/;
+ s/^FIPS_DES_ENC=.*$/FIPS_DES_ENC= $fips_des_obj/;
s/^BF_ENC=.*$/BF_ENC= $bf_obj/;
s/^CAST_ENC=.*$/CAST_ENC= $cast_obj/;
s/^RC4_ENC=.*$/RC4_ENC= $rc4_obj/;
s/^RC5_ENC=.*$/RC5_ENC= $rc5_obj/;
s/^MD5_ASM_OBJ=.*$/MD5_ASM_OBJ= $md5_obj/;
s/^SHA1_ASM_OBJ=.*$/SHA1_ASM_OBJ= $sha1_obj/;
+ s/^FIPS_SHA1_ASM_OBJ=.*$/FIPS_SHA1_ASM_OBJ= $fips_sha1_obj/;
s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/;
s/^PROCESSOR=.*/PROCESSOR= $processor/;
s/^RANLIB=.*/RANLIB= $ranlib/;
@@ -1470,7 +1526,7 @@ if($IsWindows) {
printf OUT <<EOF;
#ifndef MK1MF_BUILD
/* auto-generated by Configure for crypto/cversion.c:
- * for Unix builds, crypto/Makefile.ssl generates functional definitions;
+ * for Unix builds, crypto/Makefile generates functional definitions;
* Windows builds (and other mk1mf builds) compile cversion.c with
* -DMK1MF_BUILD and use definitions added to this file by util/mk1mf.pl. */
#error "Windows builds (PLATFORM=$target) use mk1mf.pl-created Makefiles"
@@ -1478,7 +1534,7 @@ if($IsWindows) {
EOF
close(OUT);
} else {
- my $make_command = "make -f Makefile.ssl PERL=\'$perl\'";
+ my $make_command = "make PERL=\'$perl\'";
my $make_targets = "";
$make_targets .= " links" if $symlink;
$make_targets .= " depend" if $depflags ne "" && $make_depend;
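Review bot: `$make_command` places `$perl` between single quotes in a string that, judging by the surrounding lines, is later handed to the shell (the call itself is outside this hunk). `$perl` comes from `$ENV{'PERL'}` or from a directory in `PATH`, so a value containing a single quote ends the quoting and the remainder is parsed as shell text. Escaping it first, e.g. `(my $perl_q=$perl) =~ s/'/'\\''/g;` followed by `my $make_command = "make PERL='$perl_q'";`, keeps the whole value as one argument.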
@@ -1487,12 +1543,10 @@ EOF
if $make_targets ne "";
if ( $perl =~ m@^/@) {
&dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
- &dofile("apps/der_chop",$perl,'^#!/', '#!%s');
&dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
} else {
# No path for Perl known ...
&dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
- &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s');
&dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
}
if ($depflags ne "" && !$make_depend) {
@@ -1569,10 +1623,10 @@ sub which
my $path;
foreach $path (split /:/, $ENV{PATH})
{
- if (-f "$path/$name" and -x _)
+ if (-f "$path/$name$exe_ext" and -x _)
{
- return "$path/$name" unless ($name eq "perl" and
- system("$path/$name -e " . '\'exit($]<5.0);\''));
+ return "$path/$name$exe_ext" unless ($name eq "perl" and
+ system("$path/$name$exe_ext -e " . '\'exit($]<5.0);\''));
}
}
}
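Review bot: The perl version probe in `which` builds a shell command by concatenation, `system("$path/$name$exe_ext -e " . ...)`, so a `PATH` entry containing a space or a shell metacharacter is re-parsed by the shell instead of being treated as one file name. The `-f`/`-x` test just above checks the exact path, but the command that actually runs can then be a different one. The list form avoids the shell entirely: `system("$path/$name$exe_ext", "-e", 'exit($]<5.0);')`. The start of `which` is outside the hunk.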
diff --git a/lib/libssl/src/FAQ b/lib/libssl/src/FAQ
index 0b40039ef81..943fc9d4a3b 100644
--- a/lib/libssl/src/FAQ
+++ b/lib/libssl/src/FAQ
@@ -52,6 +52,7 @@ OpenSSL - Frequently Asked Questions
* Is OpenSSL thread-safe?
* I've compiled a program under Windows and it crashes: why?
* How do I read or write a DER encoded buffer using the ASN1 functions?
+* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
* I've called <some function> and it fails, why?
* I just get a load of numbers for the error output, what do they mean?
@@ -60,6 +61,7 @@ OpenSSL - Frequently Asked Questions
* Can I use OpenSSL's SSL library with non-blocking I/O?
* Why doesn't my server application receive a client certificate?
* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
+* I think I've detected a memory leak, is this a bug?
===============================================================================
@@ -68,7 +70,7 @@ OpenSSL - Frequently Asked Questions
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7d was released on March 17, 2004.
+OpenSSL 0.9.7g was released on April 11, 2005.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
@@ -460,7 +462,7 @@ get the best result from OpenSSL. A bit more complicated solution is the
following:
----- snip:start -----
- make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
+ make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile | \
sed -e 's/ -O[0-9] / -O0 /'`"
rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
make
@@ -470,6 +472,10 @@ This will only compile sha_dgst.c with -O0, the rest with the optimization
level chosen by the configuration process. When the above is done, do the
test and installation and you're set.
+3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It
+should not be used and is not used in SSL/TLS nor any other recognized
+protocol in either case.
+
* Why does the OpenSSL compilation fail with "ar: command not found"?
@@ -683,6 +689,20 @@ and attempts to free the buffer will have unpredictable results
because it no longer points to the same address.
+* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
+
+The short answer is yes, because DER is a special case of BER and OpenSSL
+ASN1 decoders can process BER.
+
+The longer answer is that ASN1 structures can be encoded in a number of
+different ways. One set of ways is the Basic Encoding Rules (BER) with various
+permissible encodings. A restriction of BER is the Distinguished Encoding
+Rules (DER): these uniquely specify how a given structure is encoded.
+
+Therefore, because DER is a special case of BER, DER is an acceptable encoding
+for BER.
+
+
* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
This usually happens when you try compiling something using the PKCS#12
@@ -765,5 +785,28 @@ The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
Change your code to use the new name when compiling against OpenSSL 0.9.7.
+* I think I've detected a memory leak, is this a bug?
+
+In most cases the cause of an apparent memory leak is an OpenSSL internal table
+that is allocated when an application starts up. Since such tables do not grow
+in size over time they are harmless.
+
+These internal tables can be freed up when an application closes using various
+functions. Currently these include following:
+
+Thread-local cleanup functions:
+
+ ERR_remove_state()
+
+Application-global cleanup functions that are aware of usage (and therefore
+thread-safe):
+
+ ENGINE_cleanup() and CONF_modules_unload()
+
+"Brutal" (thread-unsafe) Application-global cleanup functions:
+
+ ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
+
+
===============================================================================
diff --git a/lib/libssl/src/INSTALL b/lib/libssl/src/INSTALL
index 1c3f3c3fe92..503474f2e4c 100644
--- a/lib/libssl/src/INSTALL
+++ b/lib/libssl/src/INSTALL
@@ -123,7 +123,7 @@
generic configurations "cc" or "gcc" should usually work on 32 bit
systems.
- Configure creates the file Makefile.ssl from Makefile.org and
+ Configure creates the file Makefile from Makefile.org and
defines various macros in crypto/opensslconf.h (generated from
crypto/opensslconf.h.in).
@@ -159,7 +159,7 @@
the failure that isn't a problem in OpenSSL itself (like a missing
or malfunctioning bc). If it is a problem with OpenSSL itself,
try removing any compiler optimization flags from the CFLAG line
- in Makefile.ssl and run "make clean; make". Please send a bug
+ in Makefile and run "make clean; make". Please send a bug
report to <openssl-bugs@openssl.org>, including the output of
"make report" in order to be added to the request tracker at
http://www.openssl.org/support/rt2.html.
diff --git a/lib/libssl/src/INSTALL.W32 b/lib/libssl/src/INSTALL.W32
index 0f6c302f0d7..c277efa18b4 100644
--- a/lib/libssl/src/INSTALL.W32
+++ b/lib/libssl/src/INSTALL.W32
@@ -46,12 +46,13 @@
http://www.kernel.org/pub/software/devel/nasm/binaries/win32/
The NASM binary nasmw.exe needs to be installed anywhere on your PATH.
- Firstly you should run Configure:
+ Firstly you should run Configure (to build a FIPS-certified variant of
+ OpenSSL, add the option "fips"):
> perl Configure VC-WIN32
Next you need to build the Makefiles and optionally the assembly language
- files:
+ files (to build a FIPS-certified variant of OpenSSL, add the argument "fips"):
- If you are using MASM then run:
@@ -100,10 +101,12 @@
Borland C++ builder 5
---------------------
- * Configure for building with Borland Builder:
+ * Configure for building with Borland Builder (to build a FIPS-certified
+ variant of OpenSSL, add the option "fips"):
> perl Configure BC-32
- * Create the appropriate makefile
+ * Create the appropriate makefile (to build a FIPS-certified variant of
+ OpenSSL, add the argument "fips")
> ms\do_nasm
* Build
@@ -194,6 +197,8 @@
occur, try
> ms\mingw32 no-asm
instead.
+ If you want to build a FIPS-certified variant of OpenSSL, add the argument
+ "fips"
libcrypto.a and libssl.a are the static libraries. To use the DLLs,
link with libeay32.a and libssl32.a instead.
diff --git a/lib/libssl/src/Makefile.org b/lib/libssl/src/Makefile.org
index a987a0298b2..cc4000b1488 100644
--- a/lib/libssl/src/Makefile.org
+++ b/lib/libssl/src/Makefile.org
@@ -101,6 +101,7 @@ PROCESSOR=
# Set DES_ENC to des_enc.o if you want to use the C version
#There are 4 x86 assember options.
+FIPS_DES_ENC= des_enc.o fcrypt_b.o
DES_ENC= asm/dx86-out.o asm/yx86-out.o
#DES_ENC= des_enc.o fcrypt_b.o # C
#DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf
@@ -153,6 +154,7 @@ MD5_ASM_OBJ= asm/mx86-out.o
# Also need SHA1_ASM defined
SHA1_ASM_OBJ= asm/sx86-out.o
+FIPS_SHA1_ASM_OBJ= asm/sx86-out.o
#SHA1_ASM_OBJ= asm/sx86-elf.o # elf
#SHA1_ASM_OBJ= asm/sx86-sol.o # solaris
#SHA1_ASM_OBJ= asm/sx86-out.o # a.out, FreeBSD
@@ -173,23 +175,24 @@ LIBKRB5=
# we might set SHLIB_MARK to '$(SHARED_LIBS)'.
SHLIB_MARK=
-DIRS= crypto ssl $(SHLIB_MARK) apps test tools
+DIRS= crypto fips ssl $(SHLIB_MARK) sigs apps test tools
SHLIBDIRS= crypto ssl
# dirs in crypto to build
-SDIRS= \
+SDIRS= objects \
md2 md4 md5 sha mdc2 hmac ripemd \
des rc2 rc4 rc5 idea bf cast \
bn ec rsa dsa dh dso engine aes \
- buffer bio stack lhash rand err objects \
+ buffer bio stack lhash rand err \
evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
+FDIRS= sha1 rand des aes dsa rsa dh
+
# tests to perform. "alltests" is a special word indicating that all tests
# should be performed.
TESTS = alltests
-MAKEFILE= Makefile.ssl
-MAKE= make -f Makefile.ssl
+MAKEFILE= Makefile
MANDIR=$(OPENSSLDIR)/man
MAN1=1
@@ -202,6 +205,7 @@ ONEDIRS=out tmp
EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS
WDIRS= windows
LIBS= libcrypto.a libssl.a
+SIGS= libcrypto.a.sha1
SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
SHARED_SSL=libssl$(SHLIB_EXT)
SHARED_LIBS=
@@ -219,14 +223,32 @@ HEADER= e_os.h
# When we're prepared to use shared libraries in the programs we link here
# we might remove 'clean-shared' from the targets to perform at this stage
-all: Makefile.ssl sub_all openssl.pc
+all: Makefile sub_all openssl.pc
+
+sigs: $(SIGS)
+libcrypto.a.sha1: libcrypto.a
+ @if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+ $(RANLIB) libcrypto.a; \
+ fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.a.sha1; \
+ fi
sub_all:
@for i in $(DIRS); \
do \
if [ -d "$$i" ]; then \
(cd $$i && echo "making all in $$i..." && \
- $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+ else \
+ $(MAKE) $$i; \
+ fi; \
+ done;
+
+sub_target:
+ @for i in $(DIRS); \
+ do \
+ if [ -d "$$i" ]; then \
+ (cd $$i && echo "making $(TARGET) in $$i..." && \
+ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TARGET='$(TARGET)' sub_target ) || exit 1; \
else \
$(MAKE) $$i; \
fi; \
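Review bot: The `libcrypto.a.sha1` recipe writes the fingerprint with a plain redirect and separates its commands with `;`. A failing `$(RANLIB)` is therefore ignored, and a failing `fips_standalone_sha1` leaves an empty or partial `libcrypto.a.sha1` that is newer than `libcrypto.a`. A later `make` then treats that file as up to date, and the `SIGS` loop in the install recipe copies it next to the library. Chaining with `&&` and writing through a temporary name closes both gaps: `$(RANLIB) libcrypto.a && fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.a.sha1.tmp && mv libcrypto.a.sha1.tmp libcrypto.a.sha1; \`.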
@@ -312,11 +334,18 @@ do_cygwin-shared:
if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
libs="$(LIBKRB5) $$libs"; \
fi; \
- ( set -x; ${CC} -shared -o cyg$$i-$(SHLIB_VERSION_NUMBER).dll \
+ shlib=cyg$${i}-$(SHLIB_VERSION_NUMBER).dll; \
+ [ "$(PLATFORM)" = "mingw" ] && shlib=$${i}eay32.dll; \
+ [ -f apps/$$shlib ] && rm apps/$$shlib; \
+ [ -f test/$$shlib ] && rm test/$$shlib; \
+ base=; [ $$i = "crypto" ] && base=-Wl,--image-base,0xFE00000; \
+ ( set -x; ${CC} ${SHARED_LDFLAGS} \
+ -shared $$base -o $$shlib \
-Wl,-Bsymbolic \
-Wl,--whole-archive lib$$i.a \
-Wl,--out-implib,lib$$i.dll.a \
- -Wl,--no-whole-archive $$libs ) || exit 1; \
+ -Wl,--no-whole-archive $$libs ${EX_LIBS} ) || exit 1; \
+ cp -p $$shlib apps/; cp -p $$shlib test/; \
libs="-l$$i $$libs"; \
done
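Review bot: `base=-Wl,--image-base,0xFE00000` pins the crypto DLL to a fixed preferred load address, and nothing in the rule says why. A fixed base makes the library's position in memory predictable and can collide with another module's range, so the reason belongs in a comment above `do_cygwin-shared`, e.g. `# libcrypto is linked at a fixed image base because <reason>; revisit if the range clashes`. The new `cp -p $$shlib apps/; cp -p $$shlib test/;` also ignores copy failures, which would leave `apps/` and `test/` without the DLL that was just removed from them. Joining the copies with `&&` and ending in `|| exit 1` would match the link step above. The start of the rule is outside the hunk.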
@@ -392,6 +421,7 @@ do_solaris-shared:
set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \
-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ -Wl,-Bsymbolic \
$${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \
$$libs ${EX_LIBS} -lc ) || exit 1; \
libs="-l$$i $$libs"; \
@@ -456,8 +486,8 @@ do_irix-shared:
if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
libs="$(LIBKRB5) $$libs"; \
fi; \
- ( WHOLELIB="-all lib$$i.a -notall"; \
- (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-notall"; \
+ ( WHOLELIB="-all lib$$i.a -none"; \
+ (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-none"; \
set -x; ${CC} ${SHARED_LDFLAGS} \
-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
@@ -482,13 +512,18 @@ do_hpux-shared:
if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
libs="$(LIBKRB5) $$libs"; \
fi; \
+ if expr $(PLATFORM) : '.*ia64' > /dev/null; then \
+ shlib=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+ else \
+ shlib=lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+ fi; \
+ [ -f $$shlib ] && rm -f $$shlib; \
( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
- +vnocompatwarnings \
+ +vnocompatwarnings \
-b -z +s \
- -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
- +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ -o $$shlib +h $$shlib \
-Fl lib$$i.a -ldld -lc ) || exit 1; \
- chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+ chmod a=rx $$shlib; \
done
# This assumes that GNU utilities are *not* used
@@ -505,12 +540,17 @@ do_hpux64-shared:
if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
libs="$(LIBKRB5) $$libs"; \
fi; \
+ if expr $(PLATFORM) : '.*ia64' > /dev/null; then \
+ shlib=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+ else \
+ shlib=lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+ fi; \
+ [ -f $$shlib ] && rm -f $$shlib; \
( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
- -b -z \
- -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
- +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ -b -z \
+ -o $$shlib +h $$shlib \
+forceload lib$$i.a -ldl -lc ) || exit 1; \
- chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+ chmod a=rx $$shlib; \
done
# The following method is said to work on all platforms. Tests will
@@ -551,6 +591,8 @@ do_aix-shared:
libs="$(LIBKRB5) $$libs"; \
fi; \
( set -x; \
+ OBJECT_MODE=`expr x${SHARED_LDFLAGS} : 'x\-[a-z]\([0-9]*\)'`; \
+ OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
ld -r -o lib$$i.o $(ALLSYMSFLAG) lib$$i.a && \
( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \
$(SHAREDCMD) $(SHAREDFLAGS) \
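Review bot: `expr x${SHARED_LDFLAGS} : ...` expands the make variable unquoted, so if `SHARED_LDFLAGS` ever holds more than one word, `expr` receives extra operands and fails, and the next line silently falls back to `OBJECT_MODE=32`. For a 64-bit target that could run `ld`, `nm` and the shared-library command in the wrong object mode without any error. Quoting the operand, `expr "x${SHARED_LDFLAGS}" : 'x\-[a-z]\([0-9]*\)'`, keeps the match on the leading flag whatever follows it. The rest of the recipe is outside the hunk.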
@@ -577,7 +619,7 @@ do_reliantunix-shared:
libs="-l$$i $$libs"; \
done
-openssl.pc: Makefile.ssl
+openssl.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \
echo 'exec_prefix=$${prefix}'; \
echo 'libdir=$${exec_prefix}/lib'; \
@@ -590,8 +632,8 @@ openssl.pc: Makefile.ssl
echo 'Libs: -L$${libdir} -lssl -lcrypto $(LIBKRB5) $(EX_LIBS)'; \
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
-Makefile.ssl: Makefile.org
- @echo "Makefile.ssl is older than Makefile.org."
+Makefile: Makefile.org
+ @echo "Makefile is older than Makefile.org."
@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
@false
@@ -604,7 +646,7 @@ clean: libclean
do \
if [ -d "$$i" ]; then \
(cd $$i && echo "making clean in $$i..." && \
- $(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \
+ $(MAKE) EXE_EXT='${EXE_EXT}' SDIRS='${SDIRS}' clean ) || exit 1; \
rm -f $(LIBS); \
fi; \
done;
@@ -621,7 +663,7 @@ makefile.one: files
sh util/do_ms.sh
files:
- $(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO
+ $(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
@for i in $(DIRS) ;\
do \
if [ -d "$$i" ]; then \
@@ -631,19 +673,18 @@ files:
done;
links:
- @$(TOP)/util/point.sh Makefile.ssl Makefile
@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
@for i in $(DIRS); do \
if [ -d "$$i" ]; then \
(cd $$i && echo "making links in $$i..." && \
- $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \
+ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \
fi; \
done;
gentests:
@(cd test && echo "generating dummy tests (if needed)..." && \
- $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
+ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
dclean:
rm -f *.bak
@@ -657,29 +698,18 @@ dclean:
rehash: rehash.time
rehash.time: certs
- @(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \
- export OPENSSL OPENSSL_DEBUG_MEMORY; \
- LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
- DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
- SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
- LIBPATH="`pwd`:$$LIBPATH"; \
- if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
- export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
- $(PERL) tools/c_rehash certs)
+ @(OPENSSL="`pwd`/util/opensslwrap.sh"; \
+ OPENSSL_DEBUG_MEMORY=on; \
+ export OPENSSL OPENSSL_DEBUG_MEMORY; \
+ $(PERL) tools/c_rehash certs)
touch rehash.time
test: tests
tests: rehash
@(cd test && echo "testing..." && \
- $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
- @LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
- DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
- SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
- LIBPATH="`pwd`:$$LIBPATH"; \
- if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
- export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
- apps/openssl version -a
+ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
+ util/shlib_wrap.sh apps/openssl version -a
report:
@$(PERL) util/selftest.pl
@@ -703,13 +733,8 @@ lint:
done;
tags:
- @for i in $(DIRS) ;\
- do \
- if [ -d "$$i" ]; then \
- (cd $$i && echo "making tags $$i..." && \
- $(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \
- fi; \
- done;
+ rm -f TAGS
+ find . -name '[^.]*.[ch]' | xargs etags -a
errors:
$(PERL) util/mkerr.pl -recurse -write
@@ -729,11 +754,14 @@ crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h
crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num
$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
+apps/openssl-vms.cnf: apps/openssl.cnf
+ $(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
+
TABLE: Configure
(echo 'Output of `Configure TABLE'"':"; \
$(PERL) Configure TABLE) > TABLE
-update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
+update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h apps/openssl-vms.cnf TABLE
# Build distribution tar-file. As the list of files returned by "find" is
# pretty long, on several platforms a "too many arguments" error or similar
@@ -770,16 +798,17 @@ dist:
dist_pem_h:
(cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean)
-install: all install_docs
+install: all install_docs install_sw
+
+install_sw:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
$(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
- $(INSTALL_PREFIX)$(OPENSSLDIR)/private \
- $(INSTALL_PREFIX)$(OPENSSLDIR)/lib
- @for i in $(EXHEADER) ;\
+ $(INSTALL_PREFIX)$(OPENSSLDIR)/private
+ @headerlist="$(EXHEADER)"; for i in $$headerlist ;\
do \
(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
@@ -796,7 +825,11 @@ install: all install_docs
if [ -f "$$i" ]; then \
( echo installing $$i; \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
- $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+ : ; \
+ else \
+ $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ fi; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
fi; \
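Review bot: The reason `$(RANLIB)` is skipped when opensslconf.h defines OPENSSL_FIPS is not stated anywhere in this hunk, so a later maintainer could easily "simplify" the branch away. A comment above the loop would record it, for example `# FIPS build: leave the installed archive untouched` (presumably so the archive still matches a recorded fingerprint; confirm the intent). The pattern `'define OPENSSL_FIPS'` is also unanchored and would match a commented-out line or a longer macro name that starts with the same text, so something like `egrep '^#[ ]*define[ ]+OPENSSL_FIPS([ ]|$$)'` is safer. The enclosing install loop starts outside the hunk.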
@@ -833,6 +866,15 @@ install: all install_docs
sed -e '1,/^$$/d' doc/openssl-shared.txt; \
fi; \
fi
+ @for i in $(SIGS) ;\
+ do \
+ if [ -f "$$i" ]; then \
+ ( echo installing $$i; \
+ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+ fi; \
+ done;
cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc
@@ -845,7 +887,7 @@ install_docs:
@pod2man="`cd util; ./pod2mantest $(PERL)`"; \
here="`pwd`"; \
filecase=; \
- if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" ]; then \
+ if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \
filecase=-i; \
fi; \
for i in doc/apps/*.pod; do \
diff --git a/lib/libssl/src/NEWS b/lib/libssl/src/NEWS
index 4c1ba0a241f..8e1ce65a5f7 100644
--- a/lib/libssl/src/NEWS
+++ b/lib/libssl/src/NEWS
@@ -5,12 +5,34 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g:
+
+ o More compilation issues fixed.
+ o Adaptation to more modern Kerberos API.
+ o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin.
+ o Enhanced x86_64 assembler BIGNUM module.
+ o More constification.
+ o Added processing of proxy certificates (RFC 3820).
+
+ Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f:
+
+ o Several compilation issues fixed.
+ o Many memory allocation failure checks added.
+ o Improved comparison of X509 Name type.
+ o Mandatory basic checks on certificates.
+ o Performance improvements.
+
+ Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e:
+
+ o Fix race condition in CRL checking code.
+ o Fixes to PKCS#7 (S/MIME) code.
+
Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d:
o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
o Security: Fix null-pointer assignment in do_change_cipher_spec()
o Allow multiple active certificates with same subject in CA index
- o Multiple X590 verification fixes
+ o Multiple X509 verification fixes
o Speed up HMAC and other operations
Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
diff --git a/lib/libssl/src/README b/lib/libssl/src/README
index f72a21036f9..c52c2d94bd8 100644
--- a/lib/libssl/src/README
+++ b/lib/libssl/src/README
@@ -1,7 +1,7 @@
- OpenSSL 0.9.7d 17 Mar 2004
+ OpenSSL 0.9.7g 11 April 2005
- Copyright (c) 1998-2004 The OpenSSL Project
+ Copyright (c) 1998-2005 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
@@ -173,11 +173,17 @@
textual explanation of what your patch does.
Note: For legal reasons, contributions from the US can be accepted only
- if a TSA notification and a copy of the patch is sent to crypt@bis.doc.gov;
- see http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
- and http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e)).
-
- The preferred format for changes is "diff -u" output. You might
+ if a TSU notification and a copy of the patch are sent to crypt@bis.doc.gov
+ (formerly BXA) with a copy to the ENC Encryption Request Coordinator;
+ please take some time to look at
+ http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
+ and
+ http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e))
+ for the details. If "your encryption source code is too large to serve as
+ an email attachment", they are glad to receive it by fax instead; hope you
+ have a cheap long-distance plan.
+
+ Our preferred format for changes is "diff -u" output. You might
generate it like this:
# cd openssl-work
diff --git a/lib/libssl/src/apps/CA.pl.in b/lib/libssl/src/apps/CA.pl.in
index 8b2ce7ea424..39f267d313a 100644
--- a/lib/libssl/src/apps/CA.pl.in
+++ b/lib/libssl/src/apps/CA.pl.in
@@ -36,13 +36,21 @@
# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
+my $openssl;
+if(defined $ENV{OPENSSL}) {
+ $openssl = $ENV{OPENSSL};
+} else {
+ $openssl = "openssl";
+ $ENV{OPENSSL} = $openssl;
+}
+
$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
$DAYS="-days 365";
-$REQ="openssl req $SSLEAY_CONFIG";
-$CA="openssl ca $SSLEAY_CONFIG";
-$VERIFY="openssl verify";
-$X509="openssl x509";
-$PKCS12="openssl pkcs12";
+$REQ="$openssl req $SSLEAY_CONFIG";
+$CA="$openssl ca $SSLEAY_CONFIG";
+$VERIFY="$openssl verify";
+$X509="$openssl x509";
+$PKCS12="$openssl pkcs12";
$CATOP="./demoCA";
$CAKEY="cakey.pem";
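Review bot: `defined $ENV{OPENSSL}` is also true for an empty value, in which case `$openssl` becomes the empty string and every command built below starts with a bare sub-command. CA.sh in the same patch tests `-z "$OPENSSL"` and falls back to `openssl`; `if (defined $ENV{OPENSSL} && length $ENV{OPENSSL}) {` would make the two scripts agree. The value is also interpolated into strings that are later passed to single-argument `system()`, so the shell parses it. A comment such as `# OPENSSL must be a plain command name or a path without shell metacharacters` would document that expectation.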
@@ -82,9 +90,6 @@ foreach (@ARGV) {
mkdir "${CATOP}/crl", $DIRMODE ;
mkdir "${CATOP}/newcerts", $DIRMODE;
mkdir "${CATOP}/private", $DIRMODE;
- open OUT, ">${CATOP}/serial";
- print OUT "01\n";
- close OUT;
open OUT, ">${CATOP}/index.txt";
close OUT;
}
@@ -106,6 +111,10 @@ foreach (@ARGV) {
$RET=$?;
}
}
+ if (! -f "${CATOP}/serial" ) {
+ system ("$X509 -in ${CATOP}/$CACERT -noout "
+ . "-next_serial -out ${CATOP}/serial");
+ }
} elsif (/^-pkcs12$/) {
my $cname = $ARGV[1];
$cname = "My Certificate" unless defined $cname;
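Review bot: The added `system(...)` call that writes `${CATOP}/serial` discards its exit status, while the step just above it records `$RET=$?`. If the `-next_serial` run fails, the script carries on without a serial file and the problem only surfaces at the next signing operation. Adding `$RET=$?;` directly after the call (or testing `system(...) == 0`) would report the failure where it happens. The enclosing branch starts outside the hunk.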
diff --git a/lib/libssl/src/apps/CA.sh b/lib/libssl/src/apps/CA.sh
index d9f3069fb2a..030a11fc25b 100644
--- a/lib/libssl/src/apps/CA.sh
+++ b/lib/libssl/src/apps/CA.sh
@@ -30,11 +30,13 @@
# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
+if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
+
DAYS="-days 365"
-REQ="openssl req $SSLEAY_CONFIG"
-CA="openssl ca $SSLEAY_CONFIG"
-VERIFY="openssl verify"
-X509="openssl x509"
+REQ="$OPENSSL req $SSLEAY_CONFIG"
+CA="$OPENSSL ca $SSLEAY_CONFIG"
+VERIFY="$OPENSSL verify"
+X509="$OPENSSL x509"
CATOP=./demoCA
CAKEY=./cakey.pem
diff --git a/lib/libssl/src/apps/apps.c b/lib/libssl/src/apps/apps.c
index 1d37c4defb8..9157cdfcdca 100644
--- a/lib/libssl/src/apps/apps.c
+++ b/lib/libssl/src/apps/apps.c
@@ -126,16 +126,6 @@
#include <openssl/engine.h>
#endif
-#ifdef OPENSSL_SYS_WINDOWS
-#define strcasecmp _stricmp
-#else
-# ifdef NO_STRINGS_H
- int strcasecmp();
-# else
-# include <strings.h>
-# endif /* NO_STRINGS_H */
-#endif
-
#define NON_MAIN
#include "apps.h"
#undef NON_MAIN
@@ -340,60 +330,6 @@ void program_name(char *in, char *out, int size)
#endif
#endif
-#ifdef OPENSSL_SYS_WIN32
-int WIN32_rename(char *from, char *to)
- {
-#ifndef OPENSSL_SYS_WINCE
- /* Windows rename gives an error if 'to' exists, so delete it
- * first and ignore file not found errror
- */
- if((remove(to) != 0) && (errno != ENOENT))
- return -1;
-#undef rename
- return rename(from, to);
-#else
- /* convert strings to UNICODE */
- {
- BOOL result = FALSE;
- WCHAR* wfrom;
- WCHAR* wto;
- int i;
- wfrom = malloc((strlen(from)+1)*2);
- wto = malloc((strlen(to)+1)*2);
- if (wfrom != NULL && wto != NULL)
- {
- for (i=0; i<(int)strlen(from)+1; i++)
- wfrom[i] = (short)from[i];
- for (i=0; i<(int)strlen(to)+1; i++)
- wto[i] = (short)to[i];
- result = MoveFile(wfrom, wto);
- }
- if (wfrom != NULL)
- free(wfrom);
- if (wto != NULL)
- free(wto);
- return result;
- }
-#endif
- }
-#endif
-
-#ifdef OPENSSL_SYS_VMS
-int VMS_strcasecmp(const char *str1, const char *str2)
- {
- while (*str1 && *str2)
- {
- int res = toupper(*str1) - toupper(*str2);
- if (res) return res < 0 ? -1 : 1;
- }
- if (*str1)
- return 1;
- if (*str2)
- return -1;
- return 0;
- }
-#endif
-
int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
{
int num,len,i;
@@ -590,7 +526,7 @@ int password_callback(char *buf, int bufsiz, int verify,
char *prompt = NULL;
prompt = UI_construct_prompt(ui, "pass phrase",
- cb_data->prompt_info);
+ prompt_info);
ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
@@ -739,6 +675,51 @@ int add_oid_section(BIO *err, CONF *conf)
return 1;
}
+static int load_pkcs12(BIO *err, BIO *in, const char *desc,
+ pem_password_cb *pem_cb, void *cb_data,
+ EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
+ {
+ const char *pass;
+ char tpass[PEM_BUFSIZE];
+ int len, ret = 0;
+ PKCS12 *p12;
+ p12 = d2i_PKCS12_bio(in, NULL);
+ if (p12 == NULL)
+ {
+ BIO_printf(err, "Error loading PKCS12 file for %s\n", desc);
+ goto die;
+ }
+ /* See if an empty password will do */
+ if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0))
+ pass = "";
+ else
+ {
+ if (!pem_cb)
+ pem_cb = (pem_password_cb *)password_callback;
+ len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
+ if (len < 0)
+ {
+ BIO_printf(err, "Passpharse callback error for %s\n",
+ desc);
+ goto die;
+ }
+ if (len < PEM_BUFSIZE)
+ tpass[len] = 0;
+ if (!PKCS12_verify_mac(p12, tpass, len))
+ {
+ BIO_printf(err,
+ "Mac verify error (wrong password?) in PKCS12 file for %s\n", desc);
+ goto die;
+ }
+ pass = tpass;
+ }
+ ret = PKCS12_parse(p12, pass, pkey, cert, ca);
+ die:
+ if (p12)
+ PKCS12_free(p12);
+ return ret;
+ }
+
X509 *load_cert(BIO *err, const char *file, int format,
const char *pass, ENGINE *e, const char *cert_descrip)
{
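Review bot: The pass phrase read into `tpass` is left on the stack when load_pkcs12 returns, on the success path and on every `goto die`; adding `OPENSSL_cleanse(tpass, sizeof(tpass));` just before `return ret;` would clear it. When the callback returns exactly PEM_BUFSIZE the buffer is not NUL-terminated, yet `pass` is then handed to PKCS12_parse, which takes a C string with no length. Capping the length with `if (len >= PEM_BUFSIZE) len = PEM_BUFSIZE - 1;` before `tpass[len] = 0;` closes that edge. The error text also misspells "Passphrase" as "Passpharse".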
@@ -819,11 +800,9 @@ X509 *load_cert(BIO *err, const char *file, int format,
(pem_password_cb *)password_callback, NULL);
else if (format == FORMAT_PKCS12)
{
- PKCS12 *p12 = d2i_PKCS12_bio(cert, NULL);
-
- PKCS12_parse(p12, NULL, NULL, &x, NULL);
- PKCS12_free(p12);
- p12 = NULL;
+ if (!load_pkcs12(err, cert,cert_descrip, NULL, NULL,
+ NULL, &x, NULL))
+ goto end;
}
else {
BIO_printf(err,"bad input format specified for %s\n",
@@ -902,11 +881,10 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
#endif
else if (format == FORMAT_PKCS12)
{
- PKCS12 *p12 = d2i_PKCS12_bio(key, NULL);
-
- PKCS12_parse(p12, pass, &pkey, NULL, NULL);
- PKCS12_free(p12);
- p12 = NULL;
+ if (!load_pkcs12(err, key, key_descrip,
+ (pem_password_cb *)password_callback, &cb_data,
+ &pkey, NULL, NULL))
+ goto end;
}
else
{
@@ -1486,12 +1464,9 @@ BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai)
}
else
{
- ASN1_INTEGER_set(ai,1);
ret=BN_new();
- if (ret == NULL)
+ if (ret == NULL || !rand_serial(ret, ai))
BIO_printf(bio_err, "Out of memory\n");
- else
- BN_one(ret);
}
}
else
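Review bot: When `rand_serial(ret, ai)` fails, `ret` is still a valid non-NULL BIGNUM, so unless code outside this hunk resets it the caller can receive a serial that was never randomised. Bracing the branch and adding `BN_free(ret); ret = NULL;` after the message would make the failure visible to callers that test for NULL. The text "Out of memory" is also printed when the random generator fails, which points the operator at the wrong cause. load_serial's body begins and ends outside the hunk.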
@@ -1653,6 +1628,33 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
return 0;
}
+int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
+ {
+ BIGNUM *btmp;
+ int ret = 0;
+ if (b)
+ btmp = b;
+ else
+ btmp = BN_new();
+
+ if (!btmp)
+ return 0;
+
+ if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
+ goto error;
+ if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
+ goto error;
+
+ ret = 1;
+
+ error:
+
+ if (!b)
+ BN_free(btmp);
+
+ return ret;
+ }
+
CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
{
CA_DB *retdb = NULL;
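Review bot: rand_serial() draws the serial with `BN_pseudo_rand`, whose contract does not promise unpredictable output. If the purpose of random serials is that a requester cannot guess the next value a CA will issue, `BN_rand(btmp, SERIAL_RAND_BITS, 0, 0)` is the call that provides that property and fails when the generator is not seeded. The function also has no header comment; one line such as `/* Fill b (or a temporary) with SERIAL_RAND_BITS random bits and, if ai is non-NULL, copy it there; returns 1 on success, 0 on failure. */` would document the NULL-tolerant arguments.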
@@ -1970,9 +1972,48 @@ int rotate_index(char *dbfile, char *new_suffix, char *old_suffix)
void free_index(CA_DB *db)
{
- if (db != NULL)
+ if (db)
{
- TXT_DB_free(db->db);
+ if (db->db) TXT_DB_free(db->db);
OPENSSL_free(db);
}
}
+
+/* This code MUST COME AFTER anything that uses rename() */
+#ifdef OPENSSL_SYS_WIN32
+int WIN32_rename(char *from, char *to)
+ {
+#ifndef OPENSSL_SYS_WINCE
+ /* Windows rename gives an error if 'to' exists, so delete it
+ * first and ignore file not found errror
+ */
+ if((remove(to) != 0) && (errno != ENOENT))
+ return -1;
+#undef rename
+ return rename(from, to);
+#else
+ /* convert strings to UNICODE */
+ {
+ BOOL result = FALSE;
+ WCHAR* wfrom;
+ WCHAR* wto;
+ int i;
+ wfrom = malloc((strlen(from)+1)*2);
+ wto = malloc((strlen(to)+1)*2);
+ if (wfrom != NULL && wto != NULL)
+ {
+ for (i=0; i<(int)strlen(from)+1; i++)
+ wfrom[i] = (short)from[i];
+ for (i=0; i<(int)strlen(to)+1; i++)
+ wto[i] = (short)to[i];
+ result = MoveFile(wfrom, wto);
+ }
+ if (wfrom != NULL)
+ free(wfrom);
+ if (wto != NULL)
+ free(wto);
+ return result;
+ }
+#endif
+ }
+#endif
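Review bot: The two branches of WIN32_rename use opposite return conventions. The non-WinCE path returns what `rename()` returns (0 on success), while the WinCE path returns `result`, the BOOL from MoveFile, which is non-zero on success and FALSE when either allocation fails. A caller that treats 0 as success, as is usual for rename(), would read a successful WinCE move as a failure and an allocation failure as success; `return result ? 0 : -1;` aligns the two. The code is moved here rather than newly written, so this likely predates the commit, but the move is a good moment to fix it.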
diff --git a/lib/libssl/src/apps/apps.h b/lib/libssl/src/apps/apps.h
index 8a9c4ab0a05..4320410dad3 100644
--- a/lib/libssl/src/apps/apps.h
+++ b/lib/libssl/src/apps/apps.h
@@ -141,12 +141,6 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,
int WIN32_rename(char *oldname,char *newname);
#endif
-/* VMS below version 7.0 doesn't have strcasecmp() */
-#ifdef OPENSSL_SYS_VMS
-#define strcasecmp(str1,str2) VMS_strcasecmp((str1),(str2))
-int VMS_strcasecmp(const char *str1, const char *str2);
-#endif
-
#ifndef MONOLITH
#define MAIN(a,v) main(a,v)
@@ -154,9 +148,11 @@ int VMS_strcasecmp(const char *str1, const char *str2);
#ifndef NON_MAIN
CONF *config=NULL;
BIO *bio_err=NULL;
+int in_FIPS_mode=0;
#else
extern CONF *config;
extern BIO *bio_err;
+extern int in_FIPS_mode;
#endif
#else
@@ -165,6 +161,7 @@ extern BIO *bio_err;
extern CONF *config;
extern char *default_config_file;
extern BIO *bio_err;
+extern int in_FIPS_mode;
#endif
@@ -313,6 +310,7 @@ typedef struct ca_db_st
BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai);
int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai);
int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix);
+int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
CA_DB *load_index(char *dbfile, DB_ATTR *dbattr);
int index_index(CA_DB *db);
int save_index(char *dbfile, char *suffix, CA_DB *db);
@@ -341,4 +339,6 @@ X509_NAME *do_subject(char *str, long chtype);
#define APP_PASS_LEN 1024
+#define SERIAL_RAND_BITS 64
+
#endif
diff --git a/lib/libssl/src/apps/asn1pars.c b/lib/libssl/src/apps/asn1pars.c
index 7db40adf043..c89b358b238 100644
--- a/lib/libssl/src/apps/asn1pars.c
+++ b/lib/libssl/src/apps/asn1pars.c
@@ -278,6 +278,7 @@ bad:
tmplen=num;
for (i=0; i<sk_num(osk); i++)
{
+ int typ;
ASN1_TYPE *atmp;
j=atoi(sk_value(osk,i));
if (j == 0)
@@ -296,6 +297,15 @@ bad:
ERR_print_errors(bio_err);
goto end;
}
+ typ = ASN1_TYPE_get(at);
+ if ((typ == V_ASN1_OBJECT)
+ || (typ == V_ASN1_NULL))
+ {
+ BIO_printf(bio_err, "Can't parse %s type\n",
+ typ == V_ASN1_NULL ? "NULL" : "OBJECT");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
/* hmm... this is a little evil but it works */
tmpbuf=at->value.asn1_string->data;
tmplen=at->value.asn1_string->length;
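Review bot: The new guard rejects only OBJECT and NULL before `at->value.asn1_string` is dereferenced, but those are not the only ASN1_TYPE variants without an ASN1_STRING. A BOOLEAN is stored in the integer `boolean` member of the same union, so on such an element the next lines would still treat a non-pointer as a pointer. Extending the test with `|| (typ == V_ASN1_BOOLEAN)` and naming the type in the message covers it; an allowlist of string-backed types would be sturdier still. `ERR_print_errors(bio_err)` adds nothing in this branch because no library error has been raised.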
diff --git a/lib/libssl/src/apps/ca.c b/lib/libssl/src/apps/ca.c
index 33362389ccb..b934b52cc58 100644
--- a/lib/libssl/src/apps/ca.c
+++ b/lib/libssl/src/apps/ca.c
@@ -76,16 +76,6 @@
#include <openssl/ocsp.h>
#include <openssl/pem.h>
-#ifdef OPENSSL_SYS_WINDOWS
-#define strcasecmp _stricmp
-#else
-# ifdef NO_STRINGS_H
- int strcasecmp();
-# else
-# include <strings.h>
-# endif /* NO_STRINGS_H */
-#endif
-
#ifndef W_OK
# ifdef OPENSSL_SYS_VMS
# if defined(__DECC)
@@ -248,6 +238,7 @@ int MAIN(int argc, char **argv)
{
ENGINE *e = NULL;
char *key=NULL,*passargin=NULL;
+ int create_ser = 0;
int free_key = 0;
int total=0;
int total_done=0;
@@ -547,10 +538,6 @@ bad:
ERR_load_crypto_strings();
-#ifndef OPENSSL_NO_ENGINE
- e = setup_engine(bio_err, engine, 0);
-#endif
-
/*****************************************************************/
tofree=NULL;
if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
@@ -595,6 +582,10 @@ bad:
if (!load_config(bio_err, conf))
goto err;
+#ifndef OPENSSL_NO_ENGINE
+ e = setup_engine(bio_err, engine, 0);
+#endif
+
/* Lets get the config section we are using */
if (section == NULL)
{
@@ -666,8 +657,10 @@ bad:
break;
}
}
-#ifdef RL_DEBUG
else
+ ERR_clear_error();
+#ifdef RL_DEBUG
+ if (!p)
BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
#endif
#ifdef RL_DEBUG
@@ -1001,25 +994,27 @@ bad:
}
}
+ if ((md == NULL) && ((md=NCONF_get_string(conf,
+ section,ENV_DEFAULT_MD)) == NULL))
+ {
+ lookup_fail(section,ENV_DEFAULT_MD);
+ goto err;
+ }
+
+ if ((dgst=EVP_get_digestbyname(md)) == NULL)
+ {
+ BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
+ goto err;
+ }
+
if (req)
{
- if ((md == NULL) && ((md=NCONF_get_string(conf,
- section,ENV_DEFAULT_MD)) == NULL))
- {
- lookup_fail(section,ENV_DEFAULT_MD);
- goto err;
- }
if ((email_dn == 1) && ((tmp_email_dn=NCONF_get_string(conf,
section,ENV_DEFAULT_EMAIL_DN)) != NULL ))
{
if(strcmp(tmp_email_dn,"no") == 0)
email_dn=0;
}
- if ((dgst=EVP_get_digestbyname(md)) == NULL)
- {
- BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
- goto err;
- }
if (verbose)
BIO_printf(bio_err,"message digest is %s\n",
OBJ_nid2ln(dgst->type));
@@ -1106,7 +1101,7 @@ bad:
goto err;
}
- if ((serial=load_serial(serialfile, 0, NULL)) == NULL)
+ if ((serial=load_serial(serialfile, create_ser, NULL)) == NULL)
{
BIO_printf(bio_err,"error while loading serial number\n");
goto err;
@@ -1402,23 +1397,10 @@ bad:
/* we now have a CRL */
if (verbose) BIO_printf(bio_err,"signing CRL\n");
- if (md != NULL)
- {
- if ((dgst=EVP_get_digestbyname(md)) == NULL)
- {
- BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
- goto err;
- }
- }
- else
- {
#ifndef OPENSSL_NO_DSA
- if (pkey->type == EVP_PKEY_DSA)
- dgst=EVP_dss1();
- else
+ if (pkey->type == EVP_PKEY_DSA)
+ dgst=EVP_dss1();
#endif
- dgst=EVP_md5();
- }
/* Add any extensions asked for */
diff --git a/lib/libssl/src/apps/crl.c b/lib/libssl/src/apps/crl.c
index 81d66587c14..878f65468ee 100644
--- a/lib/libssl/src/apps/crl.c
+++ b/lib/libssl/src/apps/crl.c
@@ -355,7 +355,11 @@ bad:
if (text) X509_CRL_print(out, x);
- if (noout) goto end;
+ if (noout)
+ {
+ ret = 0;
+ goto end;
+ }
if (outformat == FORMAT_ASN1)
i=(int)i2d_X509_CRL_bio(out,x);
diff --git a/lib/libssl/src/apps/dgst.c b/lib/libssl/src/apps/dgst.c
index be25dafef70..17fb87b77cb 100644
--- a/lib/libssl/src/apps/dgst.c
+++ b/lib/libssl/src/apps/dgst.c
@@ -66,6 +66,7 @@
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
+#include <openssl/hmac.h>
#undef BUFSIZE
#define BUFSIZE 1024*8
@@ -73,9 +74,11 @@
#undef PROG
#define PROG dgst_main
+static HMAC_CTX hmac_ctx;
+
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
- const char *file);
+ const char *file,BIO *bmd,const char *hmac_key, int non_fips_allow);
int MAIN(int, char **);
@@ -100,9 +103,12 @@ int MAIN(int argc, char **argv)
EVP_PKEY *sigkey = NULL;
unsigned char *sigbuf = NULL;
int siglen = 0;
+ char *passargin = NULL, *passin = NULL;
#ifndef OPENSSL_NO_ENGINE
char *engine=NULL;
#endif
+ char *hmac_key=NULL;
+ int non_fips_allow = 0;
apps_startup();
@@ -145,6 +151,12 @@ int MAIN(int argc, char **argv)
if (--argc < 1) break;
keyfile=*(++argv);
}
+ else if (!strcmp(*argv,"-passin"))
+ {
+ if (--argc < 1)
+ break;
+ passargin=*++argv;
+ }
else if (strcmp(*argv,"-verify") == 0)
{
if (--argc < 1) break;
@@ -181,6 +193,14 @@ int MAIN(int argc, char **argv)
out_bin = 1;
else if (strcmp(*argv,"-d") == 0)
debug=1;
+ else if (strcmp(*argv,"-non-fips-allow") == 0)
+ non_fips_allow=1;
+ else if (!strcmp(*argv,"-hmac"))
+ {
+ if (--argc < 1)
+ break;
+ hmac_key=*++argv;
+ }
else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
md=m;
else
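Review bot: `-hmac` takes the key itself from argv, so it is visible in the process listing and in shell history for as long as the command runs, whereas the key-file pass phrase in this same patch goes through `-passin` and app_passwd. Accepting the HMAC key through the same source syntax, or at least saying so in the usage text, would let operators keep it off the command line. The key is later measured with `strlen(hmac_key)`, so a key containing a zero byte cannot be supplied this way; worth a comment such as `/* key is a NUL-terminated string taken verbatim from argv */`. MAIN's body continues outside the hunk.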
@@ -235,7 +255,7 @@ int MAIN(int argc, char **argv)
}
#ifndef OPENSSL_NO_ENGINE
- e = setup_engine(bio_err, engine, 0);
+ e = setup_engine(bio_err, engine, 0);
#endif
in=BIO_new(BIO_s_file());
@@ -247,6 +267,12 @@ int MAIN(int argc, char **argv)
BIO_set_callback_arg(in,bio_err);
}
+ if(!app_passwd(bio_err, passargin, NULL, &passin, NULL))
+ {
+ BIO_printf(bio_err, "Error getting password\n");
+ goto end;
+ }
+
if ((in == NULL) || (bmd == NULL))
{
ERR_print_errors(bio_err);
@@ -288,7 +314,7 @@ int MAIN(int argc, char **argv)
sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
e, "key file");
else
- sigkey = load_key(bio_err, keyfile, keyform, 0, NULL,
+ sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
e, "key file");
if (!sigkey)
{
@@ -318,18 +344,30 @@ int MAIN(int argc, char **argv)
goto end;
}
}
-
+ if (non_fips_allow)
+ {
+ EVP_MD_CTX *md_ctx;
+ BIO_get_md_ctx(bmd,&md_ctx);
+ EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ }
/* we use md as a filter, reading from 'in' */
- BIO_set_md(bmd,md);
+ if (!BIO_set_md(bmd,md))
+ {
+ BIO_printf(bio_err, "Error setting digest %s\n",
+ EVP_MD_name(md));
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
inp=BIO_push(bmd,in);
if (argc == 0)
{
BIO_set_fp(in,stdin,BIO_NOCLOSE);
err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
- siglen,"","(stdin)");
+ siglen,"","(stdin)",bmd,hmac_key, non_fips_allow);
}
else
{
@@ -347,14 +385,15 @@ int MAIN(int argc, char **argv)
}
if(!out_bin)
{
- size_t len = strlen(name)+strlen(argv[i])+5;
+ size_t len = strlen(name)+strlen(argv[i])+(hmac_key ? 5 : 0)+5;
tmp=tofree=OPENSSL_malloc(len);
- BIO_snprintf(tmp,len,"%s(%s)= ",name,argv[i]);
+ BIO_snprintf(tmp,len,"%s%s(%s)= ",
+ hmac_key ? "HMAC-" : "",name,argv[i]);
}
else
tmp="";
r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf,
- siglen,tmp,argv[i]);
+ siglen,tmp,argv[i],bmd,hmac_key,non_fips_allow);
if(r)
err=r;
if(tofree)
@@ -369,6 +408,8 @@ end:
OPENSSL_free(buf);
}
if (in != NULL) BIO_free(in);
+ if (passin)
+ OPENSSL_free(passin);
BIO_free_all(out);
EVP_PKEY_free(sigkey);
if(sigbuf) OPENSSL_free(sigbuf);
@@ -379,11 +420,25 @@ end:
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
- const char *file)
+ const char *file,BIO *bmd,const char *hmac_key, int non_fips_allow)
{
- int len;
+ unsigned int len;
int i;
+ EVP_MD_CTX *md_ctx;
+ if (hmac_key)
+ {
+ EVP_MD *md;
+
+ BIO_get_md(bmd,&md);
+ HMAC_CTX_init(&hmac_ctx);
+ if (non_fips_allow)
+ HMAC_CTX_set_flags(&hmac_ctx,
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ HMAC_Init_ex(&hmac_ctx,hmac_key,strlen(hmac_key),md, NULL);
+ BIO_get_md_ctx(bmd,&md_ctx);
+ BIO_set_md_ctx(bmd,&hmac_ctx.md_ctx);
+ }
for (;;)
{
i=BIO_read(bp,(char *)buf,BUFSIZE);
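Review bot: Once `BIO_set_md_ctx(bmd,&hmac_ctx.md_ctx)` has run, the early `return 1` exits that appear in the surrounding context seem to leave without calling HMAC_CTX_cleanup or restoring the saved `md_ctx`. In that case key-derived state stays in the static `hmac_ctx` and `bmd` still points into it when the next file is processed. Placing `HMAC_CTX_cleanup(&hmac_ctx); BIO_set_md_ctx(bmd,md_ctx);` under `if (hmac_key)` before each of those returns, or routing them through one exit label, would fix both. The result of `BIO_get_md(bmd,&md)` is also unchecked, so `md` could reach HMAC_Init_ex uninitialised. do_fp's body continues outside the hunk.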
@@ -426,6 +481,11 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
return 1;
}
}
+ else if(hmac_key)
+ {
+ HMAC_Final(&hmac_ctx,buf,&len);
+ HMAC_CTX_cleanup(&hmac_ctx);
+ }
else
len=BIO_gets(bp,(char *)buf,BUFSIZE);
@@ -433,7 +493,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
else
{
BIO_write(out,title,strlen(title));
- for (i=0; i<len; i++)
+ for (i=0; (unsigned int)i<len; i++)
{
if (sep && (i != 0))
BIO_printf(out, ":");
@@ -441,6 +501,10 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
}
BIO_printf(out, "\n");
}
+ if (hmac_key)
+ {
+ BIO_set_md_ctx(bmd,md_ctx);
+ }
return 0;
}
diff --git a/lib/libssl/src/apps/enc.c b/lib/libssl/src/apps/enc.c
index 30378a9542e..6f3161395ec 100644
--- a/lib/libssl/src/apps/enc.c
+++ b/lib/libssl/src/apps/enc.c
@@ -114,9 +114,11 @@ int MAIN(int argc, char **argv)
unsigned char salt[PKCS5_SALT_LEN];
char *str=NULL, *passarg = NULL, *pass = NULL;
char *hkey=NULL,*hiv=NULL,*hsalt = NULL;
+ char *md=NULL;
int enc=1,printkey=0,i,base64=0;
int debug=0,olb64=0,nosalt=0;
const EVP_CIPHER *cipher=NULL,*c;
+ EVP_CIPHER_CTX *ctx = NULL;
char *inf=NULL,*outf=NULL;
BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
#define PROG_NAME_SIZE 39
@@ -124,6 +126,8 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_ENGINE
char *engine = NULL;
#endif
+ const EVP_MD *dgst=NULL;
+ int non_fips_allow = 0;
apps_startup();
@@ -253,6 +257,13 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad;
hiv= *(++argv);
}
+ else if (strcmp(*argv,"-md") == 0)
+ {
+ if (--argc < 1) goto bad;
+ md= *(++argv);
+ }
+ else if (strcmp(*argv,"-non-fips-allow") == 0)
+ non_fips_allow = 1;
else if ((argv[0][0] == '-') &&
((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
{
@@ -271,8 +282,10 @@ bad:
BIO_printf(bio_err,"%-14s encrypt\n","-e");
BIO_printf(bio_err,"%-14s decrypt\n","-d");
BIO_printf(bio_err,"%-14s base64 encode/decode, depending on encryption flag\n","-a/-base64");
- BIO_printf(bio_err,"%-14s key is the next argument\n","-k");
- BIO_printf(bio_err,"%-14s key is the first line of the file argument\n","-kfile");
+ BIO_printf(bio_err,"%-14s passphrase is the next argument\n","-k");
+ BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile");
+ BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md");
+ BIO_printf(bio_err,"%-14s from a passphrase. One of md2, md5, sha or sha1\n","");
BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
@@ -296,6 +309,20 @@ bad:
e = setup_engine(bio_err, engine, 0);
#endif
+ if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
+ {
+ BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
+ goto end;
+ }
+
+ if (dgst == NULL)
+ {
+ if (in_FIPS_mode)
+ dgst = EVP_sha1();
+ else
+ dgst = EVP_md5();
+ }
+
if (bufsize != NULL)
{
unsigned long n;
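Review bot: The default key-derivation digest now depends on `in_FIPS_mode` (SHA-1 there, MD5 otherwise), and nothing in the visible code records the chosen digest in the output. A file encrypted without `-md` in one mode will therefore fail to decrypt in the other unless the user knows to pass the matching `-md`, and the failure will look like a wrong pass phrase. A comment here, `/* default differs in FIPS mode; decryption must use the same -md as encryption */`, and a matching sentence in the `-md` usage line would make that explicit.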
@@ -483,7 +510,7 @@ bad:
sptr = salt;
}
- EVP_BytesToKey(cipher,EVP_md5(),sptr,
+ EVP_BytesToKey(cipher,dgst,sptr,
(unsigned char *)str,
strlen(str),1,key,iv);
/* zero the complete buffer or the string
@@ -516,13 +543,43 @@ bad:
if ((benc=BIO_new(BIO_f_cipher())) == NULL)
goto end;
- BIO_set_cipher(benc,cipher,key,iv,enc);
- if (nopad)
+
+ /* Since we may be changing parameters work on the encryption
+ * context rather than calling BIO_set_cipher().
+ */
+
+ BIO_get_cipher_ctx(benc, &ctx);
+ if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
{
- EVP_CIPHER_CTX *ctx;
- BIO_get_cipher_ctx(benc, &ctx);
+ BIO_printf(bio_err, "Error setting cipher %s\n",
+ EVP_CIPHER_name(cipher));
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (non_fips_allow)
+ EVP_CIPHER_CTX_set_flags(ctx,
+ EVP_CIPH_FLAG_NON_FIPS_ALLOW);
+
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc))
+ {
+ BIO_printf(bio_err, "Error setting cipher %s\n",
+ EVP_CIPHER_name(cipher));
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (nopad)
EVP_CIPHER_CTX_set_padding(ctx, 0);
+
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc))
+ {
+ BIO_printf(bio_err, "Error setting cipher %s\n",
+ EVP_CIPHER_name(cipher));
+ ERR_print_errors(bio_err);
+ goto end;
}
+
if (debug)
{
BIO_set_callback(benc,BIO_debug_callback);
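Review bot: The third `EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc)` after the `nopad` test repeats the second call verbatim, so the key and IV are loaded twice and all three failure branches print the same "Error setting cipher" text. If the repeat is unintentional, dropping the third block leaves cipher selection, flag setting, key/IV load and then `EVP_CIPHER_CTX_set_padding(ctx, 0)`. If it is intentional, a comment should say why padding needs a re-init. Giving each message its own wording (for example "Error setting cipher" and "Error setting key/IV") would let a user tell which step failed.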
diff --git a/lib/libssl/src/apps/makeapps.com b/lib/libssl/src/apps/makeapps.com
index 0197c8a171d..2f1af9ec940 100644
--- a/lib/libssl/src/apps/makeapps.com
+++ b/lib/libssl/src/apps/makeapps.com
@@ -142,13 +142,13 @@ $ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;DHPARAM;ENC;PASSWD;GENDH;ERRSTR;"+-
"RSA;RSAUTL;DSA;DSAPARAM;"+-
"X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+-
"S_TIME;APPS;S_CB;S_SOCKET;APP_RAND;VERSION;SESS_ID;"+-
- "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND;ENGINE;OCSP"
+ "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND;ENGINE;OCSP;PRIME"
$ APP_FILES := OPENSSL,'OBJ_DIR'VERIFY.OBJ,ASN1PARS.OBJ,REQ.OBJ,DGST.OBJ,DH.OBJ,DHPARAM.OBJ,ENC.OBJ,PASSWD.OBJ,GENDH.OBJ,ERRSTR.OBJ,-
CA.OBJ,PKCS7.OBJ,CRL2P7.OBJ,CRL.OBJ,-
RSA.OBJ,RSAUTL.OBJ,DSA.OBJ,DSAPARAM.OBJ,-
X509.OBJ,GENRSA.OBJ,GENDSA.OBJ,S_SERVER.OBJ,S_CLIENT.OBJ,SPEED.OBJ,-
S_TIME.OBJ,APPS.OBJ,S_CB.OBJ,S_SOCKET.OBJ,APP_RAND.OBJ,VERSION.OBJ,SESS_ID.OBJ,-
- CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ,SPKAC.OBJ,SMIME.OBJ,RAND.OBJ,ENGINE.OBJ,OCSP.OBJ
+ CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ,SPKAC.OBJ,SMIME.OBJ,RAND.OBJ,ENGINE.OBJ,OCSP.OBJ,PRIME.OBJ
$ TCPIP_PROGRAMS = ",,"
$ IF COMPILER .EQS. "VAXC" THEN -
TCPIP_PROGRAMS = ",OPENSSL,"
@@ -679,7 +679,7 @@ $ IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
THEN CC = "CC/DECC"
$ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
"/NOLIST/PREFIX=ALL" + -
- "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+ "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
$!
$! Define The Linker Options File Name.
$!
@@ -711,7 +711,7 @@ $ EXIT
$ ENDIF
$ IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
$ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
- "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+ "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
$ CCDEFS = CCDEFS + ",""VAXC"""
$!
$! Define <sys> As SYS$COMMON:[SYSLIB]
@@ -743,7 +743,7 @@ $! Use GNU C...
$!
$ IF F$TYPE(GCC) .EQS. "" THEN GCC := GCC
$ CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
- "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+ "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
$!
$! Define The Linker Options File Name.
$!
diff --git a/lib/libssl/src/apps/openssl-vms.cnf b/lib/libssl/src/apps/openssl-vms.cnf
index d4498713fa7..878467ce982 100644
--- a/lib/libssl/src/apps/openssl-vms.cnf
+++ b/lib/libssl/src/apps/openssl-vms.cnf
@@ -3,8 +3,13 @@
# This is mostly being used for generation of certificate requests.
#
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
RANDFILE = $ENV::HOME/.rnd
-oid_file = $ENV::HOME/.oid
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
@@ -29,22 +34,35 @@ default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
-dir = sys\$disk:[.demoCA # Where everything is kept
+dir = sys\$disk:[.demoCA # Where everything is kept
certs = $dir.certs] # Where the issued certs are kept
crl_dir = $dir.crl] # Where the issued crl are kept
database = $dir]index.txt # database index file.
-new_certs_dir = $dir.newcerts] # default place for new certs.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = $dir.newcerts] # default place for new certs.
certificate = $dir]cacert.pem # The CA certificate
-serial = $dir]serial. # The current serial number
+serial = $dir]serial. # The current serial number
+#crlnumber = $dir]crlnumber. # the current crl number must be
+ # commented out to leave a V1 CRL
crl = $dir]crl.pem # The current CRL
private_key = $dir.private]cakey.pem# The private key
RANDFILE = $dir.private].rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
@@ -86,16 +104,19 @@ distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
-# This sets the permitted types in a DirectoryString. There are several
-# options.
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
-# nobmp : PrintableString, T61String (no BMPStrings).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
-dirstring_type = nobmp
+string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
@@ -124,7 +145,7 @@ commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
-emailAddress_max = 40
+emailAddress_max = 64
# SET-ex3 = SET extension number 3
@@ -172,6 +193,9 @@ authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
@@ -234,3 +258,56 @@ basicConstraints = CA:true
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
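Review bot: The new `[ proxy_cert_ext ]` section ends with an active placeholder, `policy:foo`, next to `pathlen:3`, so anyone who uses the section unchanged issues proxy certificates with a meaningless policy that allow three further levels of delegation. The line should carry a comment such as `# Example values only: replace policy:foo with your real policy text and set pathlen to the smallest delegation depth you need.` The same section is added to apps/openssl.cnf later in this diff and needs the same comment.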
diff --git a/lib/libssl/src/apps/openssl.c b/lib/libssl/src/apps/openssl.c
index e0d89d4ab41..65a9ee8a66b 100644
--- a/lib/libssl/src/apps/openssl.c
+++ b/lib/libssl/src/apps/openssl.c
@@ -129,6 +129,7 @@
#include "progs.h"
#include "s_apps.h"
#include <openssl/err.h>
+#include <openssl/fips.h>
/* The LHASH callbacks ("hash" & "cmp") have been replaced by functions with the
* base prototypes (we cast each variable inside the function to the required
@@ -147,6 +148,7 @@ char *default_config_file=NULL;
#ifdef MONOLITH
CONF *config=NULL;
BIO *bio_err=NULL;
+int in_FIPS_mode=0;
#endif
@@ -227,10 +229,31 @@ int main(int Argc, char *Argv[])
char **argv,*p;
LHASH *prog=NULL;
long errline;
-
+
arg.data=NULL;
arg.count=0;
+ in_FIPS_mode = 0;
+
+#ifdef OPENSSL_FIPS
+ if(getenv("OPENSSL_FIPS")) {
+#if defined(_WIN32)
+ char filename[MAX_PATH] = "";
+ GetModuleFileNameA( NULL, filename, MAX_PATH) ;
+ p = filename;
+#else
+ p = Argv[0];
+#endif
+ if (!FIPS_mode_set(1,p)) {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+ in_FIPS_mode = 1;
+ if (getenv("OPENSSL_FIPS_MD5"))
+ FIPS_allow_md5(1);
+ }
+#endif
if (bio_err == NULL)
if ((bio_err=BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
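Review bot: The path handed to `FIPS_mode_set(1,p)` is not validated on either platform. On Windows the return value of `GetModuleFileNameA` is ignored, so a failed or truncated lookup passes an empty or cut-off name; check it, e.g. `if (!GetModuleFileNameA(NULL, filename, MAX_PATH)) EXIT(1);`. Elsewhere `p = Argv[0]` is whatever the invoking process supplied and need not name the running binary, so if FIPS_mode_set uses the path for its integrity check (presumably, given the argument) that assumption should be stated in a comment. The `OPENSSL_FIPS_MD5` switch also lets the environment relax FIPS mode silently and deserves a one-line comment saying why that is acceptable. main's body continues outside the hunk.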
diff --git a/lib/libssl/src/apps/openssl.cnf b/lib/libssl/src/apps/openssl.cnf
index 854d1f164eb..4c1d595b0a0 100644
--- a/lib/libssl/src/apps/openssl.cnf
+++ b/lib/libssl/src/apps/openssl.cnf
@@ -44,8 +44,8 @@ new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
-#crlnumber = $dir/crlnumber # the current crl number
- # must be commented out to leave a V1 CRL
+#crlnumber = $dir/crlnumber # the current crl number must be
+ # commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
@@ -258,3 +258,56 @@ basicConstraints = CA:true
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/lib/libssl/src/apps/pkcs12.c b/lib/libssl/src/apps/pkcs12.c
index 71192bdf749..c961e6b57ba 100644
--- a/lib/libssl/src/apps/pkcs12.c
+++ b/lib/libssl/src/apps/pkcs12.c
@@ -109,7 +109,7 @@ int MAIN(int argc, char **argv)
int maciter = PKCS12_DEFAULT_ITER;
int twopass = 0;
int keytype = 0;
- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+ int cert_pbe;
int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
int ret = 1;
int macver = 1;
@@ -126,6 +126,13 @@ int MAIN(int argc, char **argv)
apps_startup();
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+ else
+#endif
+ cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+
enc = EVP_des_ede3_cbc();
if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
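Review bot: The `else` that straddles `#endif` makes the default assignment depend on the preprocessor block above it, so a statement inserted between `#endif` and `cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;` silently changes which branch it belongs to. Assigning the default first and overriding it is easier to read: `cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;` followed, inside `#ifdef OPENSSL_FIPS`, by `if (FIPS_mode()) cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;`. The same construct is added for `digest` in apps/req.c and apps/x509.c later in this diff. Note that outside FIPS mode the defaults stay at 40-bit RC2 here and MD5 in those two files.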
@@ -666,7 +673,7 @@ int MAIN(int argc, char **argv)
CRYPTO_push_info("verify MAC");
#endif
/* If we enter empty password try no password first */
- if(!macpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
+ if(!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
/* If mac and crypto pass the same set it to NULL too */
if(!twopass) cpass = NULL;
} else if (!PKCS12_verify_mac(p12, mpass, -1)) {
@@ -710,9 +717,10 @@ int MAIN(int argc, char **argv)
int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
int passlen, int options, char *pempass)
{
- STACK_OF(PKCS7) *asafes;
+ STACK_OF(PKCS7) *asafes = NULL;
STACK_OF(PKCS12_SAFEBAG) *bags;
int i, bagnid;
+ int ret = 0;
PKCS7 *p7;
if (!( asafes = PKCS12_unpack_authsafes(p12))) return 0;
@@ -730,16 +738,22 @@ int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
}
bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
} else continue;
- if (!bags) return 0;
+ if (!bags) goto err;
if (!dump_certs_pkeys_bags (out, bags, pass, passlen,
options, pempass)) {
sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
- return 0;
+ goto err;
}
sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
+ bags = NULL;
}
- sk_PKCS7_pop_free (asafes, PKCS7_free);
- return 1;
+ ret = 1;
+
+ err:
+
+ if (asafes)
+ sk_PKCS7_pop_free (asafes, PKCS7_free);
+ return ret;
}
int dump_certs_pkeys_bags (BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
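Review bot: The added `bags = NULL;` has no reader, because the `err:` label releases only `asafes` and the failure branch above still frees `bags` inline. Either drop the assignment or make `err:` the single cleanup point with `if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);`, which also requires initialising `bags` to NULL at its declaration. The `if (asafes)` guard is always true at `err:`, since a NULL result from `PKCS12_unpack_authsafes` returns earlier in the function.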
diff --git a/lib/libssl/src/apps/pkcs8.c b/lib/libssl/src/apps/pkcs8.c
index ee8cf028138..d5085444e27 100644
--- a/lib/libssl/src/apps/pkcs8.c
+++ b/lib/libssl/src/apps/pkcs8.c
@@ -1,6 +1,6 @@
/* pkcs8.c */
/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project 1999-2004.
*/
/* ====================================================================
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
@@ -68,7 +68,7 @@
int MAIN(int, char **);
int MAIN(int argc, char **argv)
-{
+ {
ENGINE *e = NULL;
char **args, *infile = NULL, *outfile = NULL;
char *passargin = NULL, *passargout = NULL;
@@ -100,43 +100,70 @@ int MAIN(int argc, char **argv)
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
args = argv + 1;
- while (!badarg && *args && *args[0] == '-') {
- if (!strcmp(*args,"-v2")) {
- if (args[1]) {
+ while (!badarg && *args && *args[0] == '-')
+ {
+ if (!strcmp(*args,"-v2"))
+ {
+ if (args[1])
+ {
args++;
cipher=EVP_get_cipherbyname(*args);
- if(!cipher) {
+ if (!cipher)
+ {
BIO_printf(bio_err,
"Unknown cipher %s\n", *args);
badarg = 1;
+ }
}
- } else badarg = 1;
- } else if (!strcmp(*args,"-v1")) {
- if (args[1]) {
+ else
+ badarg = 1;
+ }
+ else if (!strcmp(*args,"-v1"))
+ {
+ if (args[1])
+ {
args++;
pbe_nid=OBJ_txt2nid(*args);
- if(pbe_nid == NID_undef) {
+ if (pbe_nid == NID_undef)
+ {
BIO_printf(bio_err,
"Unknown PBE algorithm %s\n", *args);
badarg = 1;
+ }
}
- } else badarg = 1;
- } else if (!strcmp(*args,"-inform")) {
- if (args[1]) {
+ else
+ badarg = 1;
+ }
+ else if (!strcmp(*args,"-inform"))
+ {
+ if (args[1])
+ {
args++;
informat=str2fmt(*args);
- } else badarg = 1;
- } else if (!strcmp(*args,"-outform")) {
- if (args[1]) {
+ }
+ else badarg = 1;
+ }
+ else if (!strcmp(*args,"-outform"))
+ {
+ if (args[1])
+ {
args++;
outformat=str2fmt(*args);
- } else badarg = 1;
- } else if (!strcmp (*args, "-topk8")) topk8 = 1;
- else if (!strcmp (*args, "-noiter")) iter = 1;
- else if (!strcmp (*args, "-nocrypt")) nocrypt = 1;
- else if (!strcmp (*args, "-nooct")) p8_broken = PKCS8_NO_OCTET;
- else if (!strcmp (*args, "-nsdb")) p8_broken = PKCS8_NS_DB;
- else if (!strcmp (*args, "-embed")) p8_broken = PKCS8_EMBEDDED_PARAM;
+ }
+ else badarg = 1;
+ }
+ else if (!strcmp (*args, "-topk8"))
+ topk8 = 1;
+ else if (!strcmp (*args, "-noiter"))
+ iter = 1;
+ else if (!strcmp (*args, "-nocrypt"))
+ nocrypt = 1;
+ else if (!strcmp (*args, "-nooct"))
+ p8_broken = PKCS8_NO_OCTET;
+ else if (!strcmp (*args, "-nsdb"))
+ p8_broken = PKCS8_NS_DB;
+ else if (!strcmp (*args, "-embed"))
+ p8_broken = PKCS8_EMBEDDED_PARAM;
else if (!strcmp(*args,"-passin"))
{
if (!args[1]) goto bad;
@@ -154,21 +181,30 @@ int MAIN(int argc, char **argv)
engine= *(++args);
}
#endif
- else if (!strcmp (*args, "-in")) {
- if (args[1]) {
+ else if (!strcmp (*args, "-in"))
+ {
+ if (args[1])
+ {
args++;
infile = *args;
- } else badarg = 1;
- } else if (!strcmp (*args, "-out")) {
- if (args[1]) {
+ }
+ else badarg = 1;
+ }
+ else if (!strcmp (*args, "-out"))
+ {
+ if (args[1])
+ {
args++;
outfile = *args;
- } else badarg = 1;
- } else badarg = 1;
+ }
+ else badarg = 1;
+ }
+ else badarg = 1;
args++;
- }
+ }
- if (badarg) {
+ if (badarg)
+ {
bad:
BIO_printf(bio_err, "Usage pkcs8 [options]\n");
BIO_printf(bio_err, "where options are\n");
@@ -189,147 +225,199 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n");
#endif
- return (1);
- }
+ return 1;
+ }
#ifndef OPENSSL_NO_ENGINE
e = setup_engine(bio_err, engine, 0);
#endif
- if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+ if (!app_passwd(bio_err, passargin, passargout, &passin, &passout))
+ {
BIO_printf(bio_err, "Error getting passwords\n");
- return (1);
- }
+ return 1;
+ }
- if ((pbe_nid == -1) && !cipher) pbe_nid = NID_pbeWithMD5AndDES_CBC;
+ if ((pbe_nid == -1) && !cipher)
+ pbe_nid = NID_pbeWithMD5AndDES_CBC;
- if (infile) {
- if (!(in = BIO_new_file(infile, "rb"))) {
+ if (infile)
+ {
+ if (!(in = BIO_new_file(infile, "rb")))
+ {
BIO_printf(bio_err,
"Can't open input file %s\n", infile);
return (1);
+ }
}
- } else in = BIO_new_fp (stdin, BIO_NOCLOSE);
+ else
+ in = BIO_new_fp (stdin, BIO_NOCLOSE);
- if (outfile) {
- if (!(out = BIO_new_file (outfile, "wb"))) {
+ if (outfile)
+ {
+ if (!(out = BIO_new_file (outfile, "wb")))
+ {
BIO_printf(bio_err,
"Can't open output file %s\n", outfile);
return (1);
+ }
}
- } else {
+ else
+ {
out = BIO_new_fp (stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
- {
+ {
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
- }
+ }
#endif
- }
+ }
if (topk8)
{
BIO_free(in); /* Not needed in this section */
pkey = load_key(bio_err, infile, informat, 1,
passin, e, "key");
- if (!pkey) {
- return (1);
- }
- if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) {
+ if (!pkey)
+ {
+ BIO_free_all(out);
+ return 1;
+ }
+ if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken)))
+ {
BIO_printf(bio_err, "Error converting key\n");
ERR_print_errors(bio_err);
- return (1);
- }
- if(nocrypt) {
- if(outformat == FORMAT_PEM)
+ EVP_PKEY_free(pkey);
+ BIO_free_all(out);
+ return 1;
+ }
+ if (nocrypt)
+ {
+ if (outformat == FORMAT_PEM)
PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
- else if(outformat == FORMAT_ASN1)
+ else if (outformat == FORMAT_ASN1)
i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
- else {
+ else
+ {
BIO_printf(bio_err, "Bad format specified for key\n");
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ EVP_PKEY_free(pkey);
+ BIO_free_all(out);
return (1);
+ }
}
- } else {
- if(passout) p8pass = passout;
- else {
+ else
+ {
+ if (passout)
+ p8pass = passout;
+ else
+ {
p8pass = pass;
if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1))
+ {
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ EVP_PKEY_free(pkey);
+ BIO_free_all(out);
return (1);
- }
+ }
+ }
app_RAND_load_file(NULL, bio_err, 0);
if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
p8pass, strlen(p8pass),
- NULL, 0, iter, p8inf))) {
+ NULL, 0, iter, p8inf)))
+ {
BIO_printf(bio_err, "Error encrypting key\n");
ERR_print_errors(bio_err);
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ EVP_PKEY_free(pkey);
+ BIO_free_all(out);
return (1);
- }
+ }
app_RAND_write_file(NULL, bio_err);
- if(outformat == FORMAT_PEM)
+ if (outformat == FORMAT_PEM)
PEM_write_bio_PKCS8(out, p8);
- else if(outformat == FORMAT_ASN1)
+ else if (outformat == FORMAT_ASN1)
i2d_PKCS8_bio(out, p8);
- else {
+ else
+ {
BIO_printf(bio_err, "Bad format specified for key\n");
+ PKCS8_PRIV_KEY_INFO_free(p8inf);
+ EVP_PKEY_free(pkey);
+ BIO_free_all(out);
return (1);
- }
+ }
X509_SIG_free(p8);
- }
+ }
+
PKCS8_PRIV_KEY_INFO_free (p8inf);
EVP_PKEY_free(pkey);
BIO_free_all(out);
- if(passin) OPENSSL_free(passin);
- if(passout) OPENSSL_free(passout);
+ if (passin)
+ OPENSSL_free(passin);
+ if (passout)
+ OPENSSL_free(passout);
return (0);
- }
+ }
- if(nocrypt) {
- if(informat == FORMAT_PEM)
+ if (nocrypt)
+ {
+ if (informat == FORMAT_PEM)
p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in,NULL,NULL, NULL);
- else if(informat == FORMAT_ASN1)
+ else if (informat == FORMAT_ASN1)
p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
- else {
+ else
+ {
BIO_printf(bio_err, "Bad format specified for key\n");
return (1);
+ }
}
- } else {
- if(informat == FORMAT_PEM)
+ else
+ {
+ if (informat == FORMAT_PEM)
p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
- else if(informat == FORMAT_ASN1)
+ else if (informat == FORMAT_ASN1)
p8 = d2i_PKCS8_bio(in, NULL);
- else {
+ else
+ {
BIO_printf(bio_err, "Bad format specified for key\n");
return (1);
- }
+ }
- if (!p8) {
+ if (!p8)
+ {
BIO_printf (bio_err, "Error reading key\n");
ERR_print_errors(bio_err);
return (1);
- }
- if(passin) p8pass = passin;
- else {
+ }
+ if (passin)
+ p8pass = passin;
+ else
+ {
p8pass = pass;
EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
- }
+ }
p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
X509_SIG_free(p8);
- }
+ }
- if (!p8inf) {
+ if (!p8inf)
+ {
BIO_printf(bio_err, "Error decrypting key\n");
ERR_print_errors(bio_err);
return (1);
- }
+ }
- if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
+ if (!(pkey = EVP_PKCS82PKEY(p8inf)))
+ {
BIO_printf(bio_err, "Error converting key\n");
ERR_print_errors(bio_err);
return (1);
- }
+ }
- if (p8inf->broken) {
+ if (p8inf->broken)
+ {
BIO_printf(bio_err, "Warning: broken key encoding: ");
- switch (p8inf->broken) {
+ switch (p8inf->broken)
+ {
case PKCS8_NO_OCTET:
BIO_printf(bio_err, "No Octet String in PrivateKey\n");
break;
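Review bot: In the decrypt branch the return value of `EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0)` is still ignored, so when the prompt fails `strlen(p8pass)` and `PKCS8_decrypt` run on whatever `pass` holds (its declaration is outside the hunk, so its initial contents cannot be seen here). Check it as the encryption prompt does, e.g. `if (EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0)) { X509_SIG_free(p8); return 1; }`. The cleanup this commit adds covers only the `topk8` error returns: the `return (1)` paths after it still leave `in`, `out` and, once loaded, `p8inf` unreleased, and no error path frees `passin` or `passout`. MAIN starts and ends outside this hunk.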
@@ -349,21 +437,24 @@ int MAIN(int argc, char **argv)
}
PKCS8_PRIV_KEY_INFO_free(p8inf);
- if(outformat == FORMAT_PEM)
+ if (outformat == FORMAT_PEM)
PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
- else if(outformat == FORMAT_ASN1)
+ else if (outformat == FORMAT_ASN1)
i2d_PrivateKey_bio(out, pkey);
- else {
+ else
+ {
BIO_printf(bio_err, "Bad format specified for key\n");
return (1);
- }
+ }
end:
EVP_PKEY_free(pkey);
BIO_free_all(out);
BIO_free(in);
- if(passin) OPENSSL_free(passin);
- if(passout) OPENSSL_free(passout);
+ if (passin)
+ OPENSSL_free(passin);
+ if (passout)
+ OPENSSL_free(passout);
return (0);
-}
+ }
diff --git a/lib/libssl/src/apps/progs.h b/lib/libssl/src/apps/progs.h
index 70e4dbac073..0493257bde1 100644
--- a/lib/libssl/src/apps/progs.h
+++ b/lib/libssl/src/apps/progs.h
@@ -35,6 +35,7 @@ extern int pkcs8_main(int argc,char *argv[]);
extern int spkac_main(int argc,char *argv[]);
extern int smime_main(int argc,char *argv[]);
extern int rand_main(int argc,char *argv[]);
+extern int prime_main(int argc,char *argv[]);
#ifndef OPENSSL_NO_ENGINE
extern int engine_main(int argc,char *argv[]);
#endif
@@ -115,6 +116,7 @@ FUNCTION functions[] = {
{FUNC_TYPE_GENERAL,"spkac",spkac_main},
{FUNC_TYPE_GENERAL,"smime",smime_main},
{FUNC_TYPE_GENERAL,"rand",rand_main},
+ {FUNC_TYPE_GENERAL,"prime",prime_main},
#ifndef OPENSSL_NO_ENGINE
{FUNC_TYPE_GENERAL,"engine",engine_main},
#endif
diff --git a/lib/libssl/src/apps/req.c b/lib/libssl/src/apps/req.c
index 1a3d1d0dfab..eebe71b15e8 100644
--- a/lib/libssl/src/apps/req.c
+++ b/lib/libssl/src/apps/req.c
@@ -175,7 +175,7 @@ int MAIN(int argc, char **argv)
char *passin = NULL, *passout = NULL;
char *p;
char *subj = NULL;
- const EVP_MD *md_alg=NULL,*digest=EVP_md5();
+ const EVP_MD *md_alg=NULL,*digest;
unsigned long chtype = MBSTRING_ASC;
#ifndef MONOLITH
char *to_free;
@@ -197,6 +197,13 @@ int MAIN(int argc, char **argv)
informat=FORMAT_PEM;
outformat=FORMAT_PEM;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ digest = EVP_sha1();
+ else
+#endif
+ digest = EVP_md5();
+
prog=argv[0];
argc--;
argv++;
@@ -499,13 +506,16 @@ bad:
else
{
req_conf=config;
- if( verbose )
- BIO_printf(bio_err,"Using configuration from %s\n",
- default_config_file);
+
if (req_conf == NULL)
{
- BIO_printf(bio_err,"Unable to load config info\n");
+ BIO_printf(bio_err,"Unable to load config info from %s\n", default_config_file);
+ if (newreq)
+ goto end;
}
+ else if( verbose )
+ BIO_printf(bio_err,"Using configuration from %s\n",
+ default_config_file);
}
if (req_conf != NULL)
@@ -831,7 +841,9 @@ loop:
}
else
{
- if (!ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L)) goto end;
+ if (!rand_serial(NULL,
+ X509_get_serialNumber(x509ss)))
+ goto end;
}
if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
diff --git a/lib/libssl/src/apps/s_client.c b/lib/libssl/src/apps/s_client.c
index ae7c9f9ede7..a70735b9dca 100644
--- a/lib/libssl/src/apps/s_client.c
+++ b/lib/libssl/src/apps/s_client.c
@@ -201,6 +201,9 @@ static void sc_usage(void)
BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
BIO_printf(bio_err," -debug - extra output\n");
+#ifdef WATT32
+ BIO_printf(bio_err," -wdebug - WATT-32 tcp debugging\n");
+#endif
BIO_printf(bio_err," -msg - Show protocol messages\n");
BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
BIO_printf(bio_err," -state - print the 'ssl' states\n");
@@ -352,6 +355,10 @@ int MAIN(int argc, char **argv)
c_Pause=1;
else if (strcmp(*argv,"-debug") == 0)
c_debug=1;
+#ifdef WATT32
+ else if (strcmp(*argv,"-wdebug") == 0)
+ dbug_init();
+#endif
else if (strcmp(*argv,"-msg") == 0)
c_msg=1;
else if (strcmp(*argv,"-showcerts") == 0)
@@ -594,6 +601,8 @@ re_start:
if (starttls_proto == 1)
{
BIO_read(sbio,mbuf,BUFSIZZ);
+ BIO_printf(sbio,"EHLO some.host.name\r\n");
+ BIO_read(sbio,mbuf,BUFSIZZ);
BIO_printf(sbio,"STARTTLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
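Review bot: The added EHLO exchange ignores the return value of both `BIO_read` calls and never inspects the reply in `mbuf`, so `STARTTLS` is sent even if the server rejected EHLO or does not offer STARTTLS. An EHLO reply is normally multi-line and one `BIO_read(sbio,mbuf,BUFSIZZ)` is not guaranteed to consume it, in which case the read after `STARTTLS` may pick up leftover EHLO lines rather than the server's answer. Until the replies are parsed, a comment such as `/* replies are not checked; assumes each server reply arrives in a single read */` should record the limitation. The enclosing function continues outside the hunk.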
diff --git a/lib/libssl/src/apps/s_socket.c b/lib/libssl/src/apps/s_socket.c
index 9f92bcb3aeb..2cb5fce1926 100644
--- a/lib/libssl/src/apps/s_socket.c
+++ b/lib/libssl/src/apps/s_socket.c
@@ -151,7 +151,6 @@ static int ssl_sock_init(void)
#ifdef WATT32
extern int _watt_do_exit;
_watt_do_exit = 0;
- dbug_init();
if (sock_init())
return (0);
#elif defined(OPENSSL_SYS_WINDOWS)
diff --git a/lib/libssl/src/apps/speed.c b/lib/libssl/src/apps/speed.c
index 24122000092..5ed510ced69 100644
--- a/lib/libssl/src/apps/speed.c
+++ b/lib/libssl/src/apps/speed.c
@@ -1395,6 +1395,7 @@ int MAIN(int argc, char **argv)
EVP_DecryptInit_ex(&ctx,evp_cipher,NULL,key16,iv);
else
EVP_EncryptInit_ex(&ctx,evp_cipher,NULL,key16,iv);
+ EVP_CIPHER_CTX_set_padding(&ctx, 0);
Time_F(START);
if(decrypt)
diff --git a/lib/libssl/src/apps/verify.c b/lib/libssl/src/apps/verify.c
index 6a93c018b8c..d73280cdd06 100644
--- a/lib/libssl/src/apps/verify.c
+++ b/lib/libssl/src/apps/verify.c
@@ -354,6 +354,7 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
/* Continue after extension errors too */
if (ctx->error == X509_V_ERR_INVALID_CA) ok=1;
+ if (ctx->error == X509_V_ERR_INVALID_NON_CA) ok=1;
if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1;
if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1;
if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
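Review bot: The added line makes the callback clear one more chain error, `X509_V_ERR_INVALID_NON_CA`, by forcing `ok=1`, and nothing here says that this is only so the tool can keep reporting later errors. A comment above the block, for example `/* diagnostic tool only: continue past these errors so that all problems are listed; never reuse this callback for a real trust decision */`, would keep the list from being copied into application code. Whether the final exit status still reflects the overridden errors is decided outside the hunk and is worth confirming. The visible context also tests `X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT` twice.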
diff --git a/lib/libssl/src/apps/x509.c b/lib/libssl/src/apps/x509.c
index 9b95f7bd3fe..e7115cac670 100644
--- a/lib/libssl/src/apps/x509.c
+++ b/lib/libssl/src/apps/x509.c
@@ -168,7 +168,7 @@ int MAIN(int argc, char **argv)
char *CAkeyfile=NULL,*CAserial=NULL;
char *alias=NULL;
int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
- int ocspid=0;
+ int next_serial=0,ocspid=0;
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
int C=0;
@@ -179,7 +179,7 @@ int MAIN(int argc, char **argv)
X509_REQ *rq=NULL;
int fingerprint=0;
char buf[256];
- const EVP_MD *md_alg,*digest=EVP_md5();
+ const EVP_MD *md_alg,*digest;
CONF *extconf = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
int need_rand = 0;
@@ -216,6 +216,13 @@ int MAIN(int argc, char **argv)
if (ctx == NULL) goto end;
X509_STORE_set_verify_cb_func(ctx,callb);
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ digest = EVP_sha1();
+ else
+#endif
+ digest = EVP_md5();
+
argc--;
argv++;
num=0;
@@ -371,6 +378,8 @@ int MAIN(int argc, char **argv)
email= ++num;
else if (strcmp(*argv,"-serial") == 0)
serial= ++num;
+ else if (strcmp(*argv,"-next_serial") == 0)
+ next_serial= ++num;
else if (strcmp(*argv,"-modulus") == 0)
modulus= ++num;
else if (strcmp(*argv,"-pubkey") == 0)
@@ -591,12 +600,19 @@ bad:
if ((x=X509_new()) == NULL) goto end;
ci=x->cert_info;
- if (sno)
+ if (sno == NULL)
{
- if (!X509_set_serialNumber(x, sno))
+ sno = ASN1_INTEGER_new();
+ if (!sno || !rand_serial(NULL, sno))
+ goto end;
+ if (!X509_set_serialNumber(x, sno))
goto end;
+ ASN1_INTEGER_free(sno);
+ sno = NULL;
}
- else if (!ASN1_INTEGER_set(X509_get_serialNumber(x),0)) goto end;
+ else if (!X509_set_serialNumber(x, sno))
+ goto end;
+
if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
@@ -617,7 +633,7 @@ bad:
if (xca == NULL) goto end;
}
- if (!noout || text)
+ if (!noout || text || next_serial)
{
OBJ_create("2.99999.3",
"SET.ex3","SET x509v3 extension 3");
@@ -691,6 +707,24 @@ bad:
i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber);
BIO_printf(STDout,"\n");
}
+ else if (next_serial == i)
+ {
+ BIGNUM *bnser;
+ ASN1_INTEGER *ser;
+ ser = X509_get_serialNumber(x);
+ bnser = ASN1_INTEGER_to_BN(ser, NULL);
+ if (!bnser)
+ goto end;
+ if (!BN_add_word(bnser, 1))
+ goto end;
+ ser = BN_to_ASN1_INTEGER(bnser, NULL);
+ if (!ser)
+ goto end;
+ BN_free(bnser);
+ i2a_ASN1_INTEGER(out, ser);
+ ASN1_INTEGER_free(ser);
+ BIO_puts(out, "\n");
+ }
else if (email == i)
{
int j;
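Review bot: `bnser` leaks on the two failure exits after it is allocated: `if (!BN_add_word(bnser, 1)) goto end;` and `if (!ser) goto end;` both skip `BN_free(bnser)`, and the variable is local to this block so `end:` cannot release it. Free it before jumping, e.g. `if (!BN_add_word(bnser, 1)) { BN_free(bnser); goto end; }`, and do the same for the `BN_to_ASN1_INTEGER` failure. The result is also written to `out` while the neighbouring serial branch prints to `STDout`; if that difference is intended, a short comment would help.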
@@ -947,9 +981,9 @@ bad:
if (checkend)
{
- time_t tnow=time(NULL);
+ time_t tcheck=time(NULL) + checkoffset;
- if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), tnow+checkoffset) == -1)
+ if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0)
{
BIO_printf(out,"Certificate will expire\n");
ret=1;
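Review bot: `X509_cmp_time` returns 0 when it cannot parse the time, and the new test `< 0` does not take that case, so a certificate with a malformed notAfter presumably falls through to the "will not expire" side of the check. Treat the error as a failure, e.g. `if (X509_cmp_time(X509_get_notAfter(x), &tcheck) <= 0)`, or test for 0 separately and report it. `time(NULL) + checkoffset` is also computed without a range check; the type of `checkoffset` is declared outside the hunk, so whether it can overflow `time_t` should be confirmed.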
@@ -1047,13 +1081,6 @@ static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create
}
else
BUF_strlcpy(buf,serialfile,len);
- serial=BN_new();
- bs=ASN1_INTEGER_new();
- if ((serial == NULL) || (bs == NULL))
- {
- ERR_print_errors(bio_err);
- goto end;
- }
serial = load_serial(buf, create, NULL);
if (serial == NULL) goto end;
diff --git a/lib/libssl/src/config b/lib/libssl/src/config
index 25a3703c1fe..0715d378d9f 100644
--- a/lib/libssl/src/config
+++ b/lib/libssl/src/config
@@ -23,6 +23,7 @@
PREFIX=""
SUFFIX=""
TEST="false"
+EXE=""
# pick up any command line args to config
for i
@@ -110,16 +111,16 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
echo "m68k-apple-aux3"; exit 0
;;
- AIX:[3456789]:4:*)
- echo "${MACHINE}-ibm-aix43"; exit 0
+ AIX:[3-9]:4:*)
+ echo "${MACHINE}-ibm-aix"; exit 0
;;
- AIX:*:[56789]:*)
- echo "${MACHINE}-ibm-aix43"; exit 0
+ AIX:*:[5-9]:*)
+ echo "${MACHINE}-ibm-aix"; exit 0
;;
AIX:*)
- echo "${MACHINE}-ibm-aix"; exit 0
+ echo "${MACHINE}-ibm-aix3"; exit 0
;;
dgux:*)
@@ -288,6 +289,14 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
echo "${MACHINE}-whatever-sysv4"; exit 0
;;
+ VOS:*:*:i786)
+ echo "i386-stratus-vos"; exit 0
+ ;;
+
+ VOS:*:*:*)
+ echo "hppa1.1-stratus-vos"; exit 0
+ ;;
+
*:4*:R4*:m88k)
echo "${MACHINE}-whatever-sysv4"; exit 0
;;
@@ -328,6 +337,9 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
echo "mips-sony-newsos4"; exit 0;
;;
+ MINGW*)
+ echo "${MACHINE}-whatever-mingw"; echo 0;
+ ;;
CYGWIN*)
case "$RELEASE" in
[bB]*|1.0|1.[12].*)
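Review bot: The new MINGW branch ends with `echo 0;` where every other branch in this `case` uses `exit 0`, so it prints a stray `0` after the triplet and then continues past the `case` instead of stopping. The line should read `echo "${MACHINE}-whatever-mingw"; exit 0`. As written, whatever consumes this output would presumably receive two lines rather than one system name.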
@@ -433,7 +445,7 @@ if [ "$SYSTEM" = "SunOS" ]; then
egrep -e '^cc: .* C [0-9]\.[0-9]' | \
sed 's/.* C \([0-9]\)\.\([0-9]\).*/\1\2/'`
CCVER=${CCVER:-0}
- if [ $CCVER -gt 40 ]; then
+ if [ $MACHINE != i86pc -a $CCVER -gt 40 ]; then
CC=cc # overrides gcc!!!
if [ $CCVER -eq 50 ]; then
echo "WARNING! Detected WorkShop C 5.0. Do make sure you have"
@@ -482,29 +494,29 @@ case "$GUESSOS" in
OUT="irix-$CC"
;;
mips3-sgi-irix)
- CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
- CPU=${CPU:-0}
- if [ $CPU -ge 5000 ]; then
- options="$options -mips4"
- else
- options="$options -mips3"
- fi
+ #CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+ #CPU=${CPU:-0}
+ #if [ $CPU -ge 5000 ]; then
+ # options="$options -mips4"
+ #else
+ # options="$options -mips3"
+ #fi
OUT="irix-mips3-$CC"
;;
mips4-sgi-irix64)
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke './Configure irix64-mips4-$CC' *manually*."
- if [ "$TEST" = "false" ]; then
+ if [ "$TEST" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
- (stty -icanon min 0 time 50; read waste) < /dev/tty
+ (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
- CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
- CPU=${CPU:-0}
- if [ $CPU -ge 5000 ]; then
- options="$options -mips4"
- else
- options="$options -mips3"
- fi
+ #CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+ #CPU=${CPU:-0}
+ #if [ $CPU -ge 5000 ]; then
+ # options="$options -mips4"
+ #else
+ # options="$options -mips3"
+ #fi
OUT="irix-mips3-$CC"
;;
alpha-*-linux2)
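Review bot: The CPU probe in both IRIX branches is disabled by commenting it out rather than removing it, and no reason is given, so `-mips3`/`-mips4` is no longer appended to `options` and a reader cannot tell whether that is deliberate. Either delete the seven lines or head them with a comment of the form `# CPU probe disabled because <reason>`. The pause block (`if [ "$TEST" = "false" -a -t 1 ]` plus the `trap`/`stty` line) is now pasted into eight places in this diff and would be easier to keep consistent as one shell function called from each branch.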
@@ -538,9 +550,14 @@ EOF
rm dummy dummy.c
;;
ppc64-*-linux2)
- #Use the standard target for PPC architecture until we create a
- #special one for the 64bit architecture.
- OUT="linux-ppc" ;;
+ echo "WARNING! If you wish to build 64-bit library, then you have to"
+ echo " invoke './Configure linux-ppc64' *manually*."
+ if [ "$TEST" = "false" -a -t 1 ]; then
+ echo " You have about 5 seconds to press Ctrl-C to abort."
+ (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+ fi
+ OUT="linux-ppc"
+ ;;
ppc-*-linux2) OUT="linux-ppc" ;;
m68k-*-linux*) OUT="linux-m68k" ;;
ia64-*-linux?) OUT="linux-ia64" ;;
@@ -551,9 +568,9 @@ EOF
echo "WARNING! If you *know* that your GNU C supports 64-bit/V9 ABI"
echo " and wish to build 64-bit library, then you have to"
echo " invoke './Configure linux64-sparcv9' *manually*."
- if [ "$TEST" = "false" ]; then
+ if [ "$TEST" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
- (stty -icanon min 0 time 50; read waste) < /dev/tty
+ (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
OUT="linux-sparcv9" ;;
sparc-*-linux2)
@@ -584,7 +601,9 @@ EOF
options="$options -mschedule=$CPUSCHEDULE -march=$CPUARCH"
OUT="linux-parisc" ;;
- arm*-*-linux2) OUT="linux-elf-arm" ;;
+ arm*b-*-linux2) OUT="linux-elf-arm"; options="$options -DB_ENDIAN" ;;
+ arm*l-*-linux2) OUT="linux-elf-arm"; options="$options -DL_ENDIAN" ;;
+ arm*-*-linux2) OUT="linux-elf-arm" ;;
s390-*-linux2) OUT="linux-s390" ;;
s390x-*-linux?) OUT="linux-s390x" ;;
x86_64-*-linux?) OUT="linux-x86_64" ;;
@@ -608,9 +627,9 @@ EOF
if [ "$CC" = "cc" -a $CCVER -ge 50 ]; then
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke './Configure solaris64-sparcv9-cc' *manually*."
- if [ "$TEST" = "false" ]; then
+ if [ "$TEST" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
- (stty -icanon min 0 time 50; read waste) < /dev/tty
+ (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
elif [ "$CC" = "gcc" -a "$GCC_ARCH" = "-m64" ]; then
# $GCC_ARCH denotes default ABI chosen by compiler driver
@@ -620,17 +639,17 @@ EOF
OUT="solaris64-sparcv9-gcc"
echo "WARNING! If you wish to build 32-bit library, then you have to"
echo " invoke './Configure solaris-sparcv9-gcc' *manually*."
- if [ "$TEST" = "false" ]; then
+ if [ "$TEST" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
- (stty -icanon min 0 time 50; read waste) < /dev/tty
+ (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
elif [ "$GCC_ARCH" = "-m32" ]; then
echo "NOTICE! If you *know* that your GNU C supports 64-bit/V9 ABI"
echo " and wish to build 64-bit library, then you have to"
echo " invoke './Configure solaris64-sparcv9-gcc' *manually*."
- if [ "$TEST" = "false" ]; then
+ if [ "$TEST" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
- (stty -icanon min 0 time 50; read waste) < /dev/tty
+ (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
fi
fi
@@ -638,7 +657,14 @@ EOF
sun4m-*-solaris2) OUT="solaris-sparcv8-$CC" ;;
sun4d-*-solaris2) OUT="solaris-sparcv8-$CC" ;;
sun4*-*-solaris2) OUT="solaris-sparcv7-$CC" ;;
- *86*-*-solaris2) OUT="solaris-x86-$CC" ;;
+ *86*-*-solaris2)
+ ISA64=`(isalist) 2>/dev/null | grep amd64`
+ if [ "$ISA64" != "" ]; then
+ OUT="solaris64-x86_64-$CC"
+ else
+ OUT="solaris-x86-$CC"
+ fi
+ ;;
*-*-sunos4) OUT="sunos-$CC" ;;
alpha*-*-freebsd*) OUT="FreeBSD-alpha" ;;
sparc64-*-freebsd*) OUT="FreeBSD-sparc64" ;;
@@ -679,6 +705,10 @@ EOF
*-*-UnixWare21*) OUT="unixware-2.1" ;;
*-*-Unixware20*) OUT="unixware-2.0" ;;
*-*-Unixware21*) OUT="unixware-2.1" ;;
+ *-*-vos)
+ options="$options no-threads no-shared no-asm no-dso"
+ EXE=".pm"
+ OUT="vos-$CC" ;;
BS2000-siemens-sysv4) OUT="BS2000-OSD" ;;
RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
*-siemens-sysv4) OUT="SINIX" ;;
@@ -702,9 +732,9 @@ EOF
echo "WARNING! 64-bit ABI is the default configured ABI on HP-UXi."
echo " If you wish to build 32-bit library, the you have to"
echo " invoke './Configure hpux-ia64-cc' *manually*."
- if [ "$TEST" = "false" ]; then
+ if [ "$TEST" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
- (stty -icanon min 0 time 50; read waste) < /dev/tty
+ (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
OUT="hpux64-ia64-cc"
elif [ $CPU_VERSION -ge 532 ]; then # PA-RISC 2.x CPU
@@ -714,9 +744,9 @@ EOF
if [ $KERNEL_BITS -eq 64 -a "$CC" = "cc" ]; then
echo "WARNING! If you wish to build 64-bit library then you have to"
echo " invoke './Configure hpux64-parisc2-cc' *manually*."
- if [ "$TEST" = "false" ]; then
+ if [ "$TEST" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
- (stty -icanon min 0 time 50; read waste) < /dev/tty
+ (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
fi
elif [ $CPU_VERSION -ge 528 ]; then # PA-RISC 1.1+ CPU
@@ -728,8 +758,28 @@ EOF
fi
options="$options -D_REENTRANT" ;;
*-hpux) OUT="hpux-parisc-$CC" ;;
+ *-aix)
+ KERNEL_BITS=`(getconf KERNEL_BITMODE) 2>/dev/null`
+ KERNEL_BITS=${KERNEL_BITS:-32}
+ OBJECT_MODE=${OBJECT_MODE:-32}
+ if [ "$CC" = "gcc" ]; then
+ OUT="aix-gcc"
+ elif [ $OBJECT_MODE -eq 64 ]; then
+ echo 'Your $OBJECT_MODE was found to be set to 64'
+ OUT="aix64-cc"
+ else
+ OUT="aix-cc"
+ if [ $KERNEL_BITS -eq 64 ]; then
+ echo "WARNING! If you wish to build 64-bit kit, then you have to"
+ echo " invoke './Configure aix64-cc' *manually*."
+ if [ "$TEST" = "false" -a -t 1 ]; then
+ echo " You have ~5 seconds to press Ctrl-C to abort."
+ (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+ fi
+ fi
+ fi
+ ;;
# these are all covered by the catchall below
- # *-aix) OUT="aix-$CC" ;;
# *-dgux) OUT="dgux" ;;
mips-sony-newsos4) OUT="newsos4-gcc" ;;
*-*-cygwin_pre1.3) OUT="Cygwin-pre1.3" ;;
@@ -806,8 +856,8 @@ fi
if [ ".$PERL" = . ] ; then
for i in . `echo $PATH | sed 's/:/ /g'`; do
- if [ -f "$i/perl5" ] ; then
- PERL="$i/perl5"
+ if [ -f "$i/perl5$EXE" ] ; then
+ PERL="$i/perl5$EXE"
break;
fi;
done
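Review bot: Both perl probes still begin their search list with `.`, so a file named `perl5$EXE` or `perl$EXE` in the directory where config is run is picked ahead of anything on `$PATH`. The second loop (next hunk) then executes it via `"$i/perl$EXE" -e 'exit($]<5.0)'`. Since these lines are being touched to add `$EXE`, I would drop the leading `.` from the `for i in . ...` word list in both loops, or add a comment saying which platform needs the current directory searched first. The unquoted `$PATH` expansion also splits any directory name that contains a space.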
@@ -815,9 +865,9 @@ fi
if [ ".$PERL" = . ] ; then
for i in . `echo $PATH | sed 's/:/ /g'`; do
- if [ -f "$i/perl" ] ; then
- if "$i/perl" -e 'exit($]<5.0)'; then
- PERL="$i/perl"
+ if [ -f "$i/perl$EXE" ] ; then
+ if "$i/perl$EXE" -e 'exit($]<5.0)'; then
+ PERL="$i/perl$EXE"
break;
fi;
fi;
diff --git a/lib/libssl/src/crypto/aes/aes.h b/lib/libssl/src/crypto/aes/aes.h
index da067f4a8fa..8a3ea0b8836 100644
--- a/lib/libssl/src/crypto/aes/aes.h
+++ b/lib/libssl/src/crypto/aes/aes.h
@@ -52,6 +52,8 @@
#ifndef HEADER_AES_H
#define HEADER_AES_H
+#include <openssl/e_os2.h>
+
#ifdef OPENSSL_NO_AES
#error AES is disabled.
#endif
@@ -64,6 +66,10 @@
#define AES_MAXNR 14
#define AES_BLOCK_SIZE 16
+#if defined(OPENSSL_FIPS)
+#define FIPS_AES_SIZE_T int
+#endif
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -95,6 +101,15 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
const unsigned long length, const AES_KEY *key,
unsigned char *ivec, int *num, const int enc);
+void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
+ const unsigned long length, const AES_KEY *key,
+ unsigned char *ivec, int *num, const int enc);
+void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
+ const unsigned long length, const AES_KEY *key,
+ unsigned char *ivec, int *num, const int enc);
+void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out,
+ const int nbits,const AES_KEY *key,
+ unsigned char *ivec,const int enc);
void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
const unsigned long length, const AES_KEY *key,
unsigned char *ivec, int *num);
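Review bot: The three new prototypes carry no comment, and `length` does not mean the same thing in each of them. In aes_cfb.c in this same commit, AES_cfb1_encrypt loops `n < length` over individual bits and clears `(length+7)/8` bytes of `out`, while AES_cfb8_encrypt treats `length` as a byte count. A caller passing a byte count to the 1-bit variant would process only an eighth of the data. I would add above them `/* AES_cfb1_encrypt: length is in BITS, input packed MS bit first; AES_cfb8_encrypt: length is in bytes; both require *num == 0 */`.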
diff --git a/lib/libssl/src/crypto/aes/aes_cbc.c b/lib/libssl/src/crypto/aes/aes_cbc.c
index 1222a21002c..d2ba6bcdb46 100644
--- a/lib/libssl/src/crypto/aes/aes_cbc.c
+++ b/lib/libssl/src/crypto/aes/aes_cbc.c
@@ -66,6 +66,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
unsigned long n;
unsigned long len = length;
unsigned char tmp[AES_BLOCK_SIZE];
+ const unsigned char *iv = ivec;
assert(in && out && key && ivec);
assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
@@ -73,22 +74,39 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
if (AES_ENCRYPT == enc) {
while (len >= AES_BLOCK_SIZE) {
for(n=0; n < AES_BLOCK_SIZE; ++n)
- tmp[n] = in[n] ^ ivec[n];
- AES_encrypt(tmp, out, key);
- memcpy(ivec, out, AES_BLOCK_SIZE);
+ out[n] = in[n] ^ iv[n];
+ AES_encrypt(out, out, key);
+ iv = out;
len -= AES_BLOCK_SIZE;
in += AES_BLOCK_SIZE;
out += AES_BLOCK_SIZE;
}
if (len) {
for(n=0; n < len; ++n)
- tmp[n] = in[n] ^ ivec[n];
+ out[n] = in[n] ^ iv[n];
for(n=len; n < AES_BLOCK_SIZE; ++n)
- tmp[n] = ivec[n];
- AES_encrypt(tmp, tmp, key);
- memcpy(out, tmp, AES_BLOCK_SIZE);
- memcpy(ivec, tmp, AES_BLOCK_SIZE);
- }
+ out[n] = iv[n];
+ AES_encrypt(out, out, key);
+ iv = out;
+ }
+ memcpy(ivec,iv,AES_BLOCK_SIZE);
+ } else if (in != out) {
+ while (len >= AES_BLOCK_SIZE) {
+ AES_decrypt(in, out, key);
+ for(n=0; n < AES_BLOCK_SIZE; ++n)
+ out[n] ^= iv[n];
+ iv = in;
+ len -= AES_BLOCK_SIZE;
+ in += AES_BLOCK_SIZE;
+ out += AES_BLOCK_SIZE;
+ }
+ if (len) {
+ AES_decrypt(in,tmp,key);
+ for(n=0; n < len; ++n)
+ out[n] = tmp[n] ^ iv[n];
+ iv = in;
+ }
+ memcpy(ivec,iv,AES_BLOCK_SIZE);
} else {
while (len >= AES_BLOCK_SIZE) {
memcpy(tmp, in, AES_BLOCK_SIZE);
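Review bot: The new `else if (in != out)` decrypt path keeps `iv` as a pointer into `in` instead of copying the previous ciphertext block, which is only correct when the two buffers are identical or completely disjoint. With a partial overlap, an earlier write to `out` can change the block `iv` points at before it is used. The tail cases also touch a whole block for a short final chunk: `AES_decrypt(in,tmp,key)` and `memcpy(ivec,iv,AES_BLOCK_SIZE)` read AES_BLOCK_SIZE bytes from `in`, and the encrypt tail writes AES_BLOCK_SIZE bytes to `out`. Neither requirement is stated, so a comment above the function such as `/* in and out must be the same buffer or not overlap at all; both must be sized to a multiple of AES_BLOCK_SIZE even when length is not */` would make the contract explicit. The function starts and ends outside this hunk.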
@@ -102,10 +120,12 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
}
if (len) {
memcpy(tmp, in, AES_BLOCK_SIZE);
- AES_decrypt(tmp, tmp, key);
+ AES_decrypt(tmp, out, key);
for(n=0; n < len; ++n)
- out[n] = tmp[n] ^ ivec[n];
+ out[n] ^= ivec[n];
+ for(n=len; n < AES_BLOCK_SIZE; ++n)
+ out[n] = tmp[n];
memcpy(ivec, tmp, AES_BLOCK_SIZE);
- }
+ }
}
}
diff --git a/lib/libssl/src/crypto/aes/aes_cfb.c b/lib/libssl/src/crypto/aes/aes_cfb.c
index 9b569dda903..49f0411010c 100644
--- a/lib/libssl/src/crypto/aes/aes_cfb.c
+++ b/lib/libssl/src/crypto/aes/aes_cfb.c
@@ -114,6 +114,7 @@
#include <openssl/aes.h>
#include "aes_locl.h"
+#include "e_os.h"
/* The input and output encrypted as though 128bit cfb mode is being
* used. The extra state information to record how much of the
@@ -155,3 +156,70 @@ void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
*num=n;
}
+/* This expects a single block of size nbits for both in and out. Note that
+ it corrupts any extra bits in the last byte of out */
+void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out,
+ const int nbits,const AES_KEY *key,
+ unsigned char *ivec,const int enc)
+ {
+ int n,rem,num;
+ unsigned char ovec[AES_BLOCK_SIZE*2];
+
+ if (nbits<=0 || nbits>128) return;
+
+ /* fill in the first half of the new IV with the current IV */
+ memcpy(ovec,ivec,AES_BLOCK_SIZE);
+ /* construct the new IV */
+ AES_encrypt(ivec,ivec,key);
+ num = (nbits+7)/8;
+ if (enc) /* encrypt the input */
+ for(n=0 ; n < num ; ++n)
+ out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n] ^ ivec[n]);
+ else /* decrypt the input */
+ for(n=0 ; n < num ; ++n)
+ out[n] = (ovec[AES_BLOCK_SIZE+n] = in[n]) ^ ivec[n];
+ /* shift ovec left... */
+ rem = nbits%8;
+ num = nbits/8;
+ if(rem==0)
+ memcpy(ivec,ovec+num,AES_BLOCK_SIZE);
+ else
+ for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
+ ivec[n] = ovec[n+num]<<rem | ovec[n+num+1]>>(8-rem);
+
+ /* it is not necessary to cleanse ovec, since the IV is not secret */
+ }
+
+/* N.B. This expects the input to be packed, MS bit first */
+void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
+ const unsigned long length, const AES_KEY *key,
+ unsigned char *ivec, int *num, const int enc)
+ {
+ unsigned int n;
+ unsigned char c[1],d[1];
+
+ assert(in && out && key && ivec && num);
+ assert(*num == 0);
+
+ memset(out,0,(length+7)/8);
+ for(n=0 ; n < length ; ++n)
+ {
+ c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
+ AES_cfbr_encrypt_block(c,d,1,key,ivec,enc);
+ out[n/8]=(out[n/8]&~(1 << (7-n%8)))|((d[0]&0x80) >> (n%8));
+ }
+ }
+
+void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
+ const unsigned long length, const AES_KEY *key,
+ unsigned char *ivec, int *num, const int enc)
+ {
+ unsigned int n;
+
+ assert(in && out && key && ivec && num);
+ assert(*num == 0);
+
+ for(n=0 ; n < length ; ++n)
+ AES_cfbr_encrypt_block(&in[n],&out[n],8,key,ivec,enc);
+ }
+
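Review bot: AES_cfb1_encrypt zeroes the output with `memset(out,0,(length+7)/8)` before reading any input, so a call with `in == out` processes all-zero data. Nothing visible here forbids in-place use, and AES_cbc_encrypt in this commit handles it explicitly. The memset is not needed for the bits being produced, because `out[n/8]&~(1 << (7-n%8))` already clears each bit before it is set, so it could be dropped or limited to the padding bits of the last byte after the loop. Separately, `n` is `unsigned int` while `length` is `unsigned long` in both AES_cfb1_encrypt and AES_cfb8_encrypt; where long is wider than int the loop cannot terminate for lengths above UINT_MAX, so `unsigned long n;` would be safer. The argument checks are `assert`s only and disappear in NDEBUG builds.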
diff --git a/lib/libssl/src/crypto/aes/aes_core.c b/lib/libssl/src/crypto/aes/aes_core.c
index 2f41a825f8d..ed566a81233 100644
--- a/lib/libssl/src/crypto/aes/aes_core.c
+++ b/lib/libssl/src/crypto/aes/aes_core.c
@@ -37,8 +37,11 @@
#include <stdlib.h>
#include <openssl/aes.h>
+#include <openssl/fips.h>
#include "aes_locl.h"
+#ifndef OPENSSL_FIPS
+
/*
Te0[x] = S [x].[02, 01, 01, 03];
Te1[x] = S [x].[03, 02, 01, 01];
@@ -1255,3 +1258,4 @@ void AES_decrypt(const unsigned char *in, unsigned char *out,
PUTU32(out + 12, s3);
}
+#endif /* ndef OPENSSL_FIPS */
diff --git a/lib/libssl/src/crypto/aes/aes_ctr.c b/lib/libssl/src/crypto/aes/aes_ctr.c
index 79e1c18f193..f36982be1e2 100644
--- a/lib/libssl/src/crypto/aes/aes_ctr.c
+++ b/lib/libssl/src/crypto/aes/aes_ctr.c
@@ -59,7 +59,7 @@
#include <openssl/aes.h>
#include "aes_locl.h"
-/* NOTE: CTR mode is big-endian. The rest of the AES code
+/* NOTE: the IV/counter CTR mode is big-endian. The rest of the AES code
* is endian-neutral. */
/* increment counter (128-bit int) by 1 */
@@ -67,61 +67,36 @@ static void AES_ctr128_inc(unsigned char *counter) {
unsigned long c;
/* Grab bottom dword of counter and increment */
-#ifdef L_ENDIAN
- c = GETU32(counter + 0);
- c++;
- PUTU32(counter + 0, c);
-#else
c = GETU32(counter + 12);
- c++;
+ c++; c &= 0xFFFFFFFF;
PUTU32(counter + 12, c);
-#endif
/* if no overflow, we're done */
if (c)
return;
/* Grab 1st dword of counter and increment */
-#ifdef L_ENDIAN
- c = GETU32(counter + 4);
- c++;
- PUTU32(counter + 4, c);
-#else
c = GETU32(counter + 8);
- c++;
+ c++; c &= 0xFFFFFFFF;
PUTU32(counter + 8, c);
-#endif
/* if no overflow, we're done */
if (c)
return;
/* Grab 2nd dword of counter and increment */
-#ifdef L_ENDIAN
- c = GETU32(counter + 8);
- c++;
- PUTU32(counter + 8, c);
-#else
c = GETU32(counter + 4);
- c++;
+ c++; c &= 0xFFFFFFFF;
PUTU32(counter + 4, c);
-#endif
/* if no overflow, we're done */
if (c)
return;
/* Grab top dword of counter and increment */
-#ifdef L_ENDIAN
- c = GETU32(counter + 12);
- c++;
- PUTU32(counter + 12, c);
-#else
c = GETU32(counter + 0);
- c++;
+ c++; c &= 0xFFFFFFFF;
PUTU32(counter + 0, c);
-#endif
-
}
/* The input encrypted as though 128bit counter mode is being
diff --git a/lib/libssl/src/crypto/aes/aes_locl.h b/lib/libssl/src/crypto/aes/aes_locl.h
index f290946058e..4184729e344 100644
--- a/lib/libssl/src/crypto/aes/aes_locl.h
+++ b/lib/libssl/src/crypto/aes/aes_locl.h
@@ -62,7 +62,7 @@
#include <stdlib.h>
#include <string.h>
-#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
+#if defined(_MSC_VER) && !defined(_M_IA64) && !defined(OPENSSL_SYS_WINCE)
# define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
# define GETU32(p) SWAP(*((u32 *)(p)))
# define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
diff --git a/lib/libssl/src/crypto/asn1/a_bitstr.c b/lib/libssl/src/crypto/asn1/a_bitstr.c
index f4ea96cd54e..b81bf4fc81a 100644
--- a/lib/libssl/src/crypto/asn1/a_bitstr.c
+++ b/lib/libssl/src/crypto/asn1/a_bitstr.c
@@ -194,8 +194,12 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
c=(unsigned char *)OPENSSL_realloc_clean(a->data,
a->length,
w+1);
- if (c == NULL) return(0);
- if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
+ if (c == NULL)
+ {
+ ASN1err(ASN1_F_ASN1_BIT_STRING_SET_BIT,ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
a->data=c;
a->length=w+1;
}
diff --git a/lib/libssl/src/crypto/asn1/a_digest.c b/lib/libssl/src/crypto/asn1/a_digest.c
index 4931e222a05..7182e9fa5d5 100644
--- a/lib/libssl/src/crypto/asn1/a_digest.c
+++ b/lib/libssl/src/crypto/asn1/a_digest.c
@@ -65,6 +65,7 @@
# include <sys/types.h>
#endif
+#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/buffer.h>
#include <openssl/x509.h>
@@ -78,7 +79,11 @@ int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
unsigned char *str,*p;
i=i2d(data,NULL);
- if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL) return(0);
+ if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL)
+ {
+ ASN1err(ASN1_F_ASN1_DIGEST,ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
p=str;
i2d(data,&p);
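Review bot: The result of the sizing call `i=i2d(data,NULL)` goes straight into `OPENSSL_malloc(i)` without being checked. If the encoder reports failure with a zero or negative length, the best case is that the allocation fails and the newly added `ASN1err(ASN1_F_ASN1_DIGEST,ERR_R_MALLOC_FAILURE)` blames memory for what was an encoding error. A guard before the allocation, `if (i <= 0) return(0);`, ideally with its own ASN1err reason, would keep the two cases apart. ASN1_digest continues past the end of this hunk.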
diff --git a/lib/libssl/src/crypto/asn1/a_enum.c b/lib/libssl/src/crypto/asn1/a_enum.c
index ad8f0ffd1ab..03ede68d1cc 100644
--- a/lib/libssl/src/crypto/asn1/a_enum.c
+++ b/lib/libssl/src/crypto/asn1/a_enum.c
@@ -156,7 +156,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
if (!new_data)
{
- ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
+ ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED,ERR_R_MALLOC_FAILURE);
goto err;
}
ret->data=new_data;
diff --git a/lib/libssl/src/crypto/asn1/a_gentm.c b/lib/libssl/src/crypto/asn1/a_gentm.c
index 85810078681..0dfd5762110 100644
--- a/lib/libssl/src/crypto/asn1/a_gentm.c
+++ b/lib/libssl/src/crypto/asn1/a_gentm.c
@@ -192,8 +192,9 @@ int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str)
{
if (s != NULL)
{
- ASN1_STRING_set((ASN1_STRING *)s,
- (unsigned char *)str,t.length);
+ if (!ASN1_STRING_set((ASN1_STRING *)s,
+ (unsigned char *)str,t.length))
+ return 0;
s->type=V_ASN1_GENERALIZEDTIME;
}
return(1);
@@ -223,7 +224,12 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
if ((p == NULL) || ((size_t)s->length < len))
{
p=OPENSSL_malloc(len);
- if (p == NULL) return(NULL);
+ if (p == NULL)
+ {
+ ASN1err(ASN1_F_ASN1_GENERALIZEDTIME_SET,
+ ERR_R_MALLOC_FAILURE);
+ return(NULL);
+ }
if (s->data != NULL)
OPENSSL_free(s->data);
s->data=(unsigned char *)p;
diff --git a/lib/libssl/src/crypto/asn1/a_int.c b/lib/libssl/src/crypto/asn1/a_int.c
index edb243c0217..21cc64bb234 100644
--- a/lib/libssl/src/crypto/asn1/a_int.c
+++ b/lib/libssl/src/crypto/asn1/a_int.c
@@ -64,7 +64,26 @@ ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *x)
{ return M_ASN1_INTEGER_dup(x);}
int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y)
-{ return M_ASN1_INTEGER_cmp(x,y);}
+ {
+ int neg, ret;
+ /* Compare signs */
+ neg = x->type & V_ASN1_NEG;
+ if (neg != (y->type & V_ASN1_NEG))
+ {
+ if (neg)
+ return -1;
+ else
+ return 1;
+ }
+
+ ret = ASN1_STRING_cmp(x, y);
+
+ if (neg)
+ return -ret;
+ else
+ return ret;
+ }
+
/*
* This converts an ASN1 INTEGER into its content encoding.
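Review bot: ASN1_INTEGER_cmp now has real logic but no comment, and two of its assumptions deserve one. It dereferences `x->type` and `y->type` with no NULL check. For equal signs it defers to ASN1_STRING_cmp, whose ordering (as far as I know, length first, then bytes) matches numeric order only when both values are minimally encoded, with no leading zero octets. Suggested header: `/* Returns <0, 0, >0 like memcmp. x and y must be non-NULL; magnitudes are compared via ASN1_STRING_cmp, so both must be in minimal form. */`.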
diff --git a/lib/libssl/src/crypto/asn1/a_print.c b/lib/libssl/src/crypto/asn1/a_print.c
index 8035513f047..d18e7723204 100644
--- a/lib/libssl/src/crypto/asn1/a_print.c
+++ b/lib/libssl/src/crypto/asn1/a_print.c
@@ -60,7 +60,7 @@
#include "cryptlib.h"
#include <openssl/asn1.h>
-int ASN1_PRINTABLE_type(unsigned char *s, int len)
+int ASN1_PRINTABLE_type(const unsigned char *s, int len)
{
int c;
int ia5=0;
diff --git a/lib/libssl/src/crypto/asn1/a_set.c b/lib/libssl/src/crypto/asn1/a_set.c
index 0f839822ff2..e24061c5459 100644
--- a/lib/libssl/src/crypto/asn1/a_set.c
+++ b/lib/libssl/src/crypto/asn1/a_set.c
@@ -118,8 +118,13 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
}
pStart = p; /* Catch the beg of Setblobs*/
- if (!(rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)))) return 0; /* In this array
-we will store the SET blobs */
+ /* In this array we will store the SET blobs */
+ rgSetBlob = (MYBLOB *)OPENSSL_malloc(sk_num(a) * sizeof(MYBLOB));
+ if (rgSetBlob == NULL)
+ {
+ ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
for (i=0; i<sk_num(a); i++)
{
@@ -135,7 +140,11 @@ SetBlob
/* Now we have to sort the blobs. I am using a simple algo.
*Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
- if (!(pTempMem = OPENSSL_malloc(totSize))) return 0;
+ if (!(pTempMem = OPENSSL_malloc(totSize)))
+ {
+ ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
/* Copy to temp mem */
p = pTempMem;
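Review bot: The new failure branch for `pTempMem` returns without releasing `rgSetBlob`, which was allocated a few lines earlier in the same function (previous hunk), so a failed allocation here leaks the blob array. Add `OPENSSL_free(rgSetBlob);` before the `return(0);`. i2d_ASN1_SET starts and ends outside this hunk, so any other early exit between the two allocations is worth checking for the same omission.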
@@ -160,7 +169,13 @@ STACK *d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
STACK *ret=NULL;
if ((a == NULL) || ((*a) == NULL))
- { if ((ret=sk_new_null()) == NULL) goto err; }
+ {
+ if ((ret=sk_new_null()) == NULL)
+ {
+ ASN1err(ASN1_F_D2I_ASN1_SET,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
else
ret=(*a);
diff --git a/lib/libssl/src/crypto/asn1/a_strex.c b/lib/libssl/src/crypto/asn1/a_strex.c
index bde666a6ff1..a07122ba479 100644
--- a/lib/libssl/src/crypto/asn1/a_strex.c
+++ b/lib/libssl/src/crypto/asn1/a_strex.c
@@ -3,7 +3,7 @@
* project 2000.
*/
/* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -553,7 +553,12 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
if((type < 0) || (type > 30)) return -1;
mbflag = tag2nbyte[type];
if(mbflag == -1) return -1;
- mbflag |= MBSTRING_FLAG;
+ if (mbflag == 0)
+ mbflag = MBSTRING_UTF8;
+ else if (mbflag == 4)
+ mbflag = MBSTRING_UNIV;
+ else
+ mbflag |= MBSTRING_FLAG;
stmp.data = NULL;
ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
if(ret < 0) return ret;
diff --git a/lib/libssl/src/crypto/asn1/a_type.c b/lib/libssl/src/crypto/asn1/a_type.c
index fe3fcd40b0b..2292d49b93f 100644
--- a/lib/libssl/src/crypto/asn1/a_type.c
+++ b/lib/libssl/src/crypto/asn1/a_type.c
@@ -71,7 +71,10 @@ int ASN1_TYPE_get(ASN1_TYPE *a)
void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value)
{
if (a->value.ptr != NULL)
- ASN1_primitive_free((ASN1_VALUE **)&a, NULL);
+ {
+ ASN1_TYPE **tmp_a = &a;
+ ASN1_primitive_free((ASN1_VALUE **)tmp_a, NULL);
+ }
a->type=type;
a->value.ptr=value;
}
diff --git a/lib/libssl/src/crypto/asn1/a_utctm.c b/lib/libssl/src/crypto/asn1/a_utctm.c
index 999852dae52..7b25fed331c 100644
--- a/lib/libssl/src/crypto/asn1/a_utctm.c
+++ b/lib/libssl/src/crypto/asn1/a_utctm.c
@@ -173,8 +173,9 @@ int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str)
{
if (s != NULL)
{
- ASN1_STRING_set((ASN1_STRING *)s,
- (unsigned char *)str,t.length);
+ if (!ASN1_STRING_set((ASN1_STRING *)s,
+ (unsigned char *)str,t.length))
+ return 0;
s->type = V_ASN1_UTCTIME;
}
return(1);
@@ -203,7 +204,11 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
if ((p == NULL) || ((size_t)s->length < len))
{
p=OPENSSL_malloc(len);
- if (p == NULL) return(NULL);
+ if (p == NULL)
+ {
+ ASN1err(ASN1_F_ASN1_UTCTIME_SET,ERR_R_MALLOC_FAILURE);
+ return(NULL);
+ }
if (s->data != NULL)
OPENSSL_free(s->data);
s->data=(unsigned char *)p;
diff --git a/lib/libssl/src/crypto/asn1/a_verify.c b/lib/libssl/src/crypto/asn1/a_verify.c
index da2a0a6d695..18ef0acf002 100644
--- a/lib/libssl/src/crypto/asn1/a_verify.c
+++ b/lib/libssl/src/crypto/asn1/a_verify.c
@@ -142,6 +142,13 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
goto err;
}
+ if (!EVP_VerifyInit_ex(&ctx,type, NULL))
+ {
+ ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+ ret=0;
+ goto err;
+ }
+
inl = ASN1_item_i2d(asn, &buf_in, it);
if (buf_in == NULL)
@@ -150,7 +157,6 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
goto err;
}
- EVP_VerifyInit_ex(&ctx,type, NULL);
EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
OPENSSL_cleanse(buf_in,(unsigned int)inl);
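Review bot: The commit starts checking EVP_VerifyInit_ex (previous hunk), but the return value of `EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl)` is still discarded. A digest that fails while hashing would carry on to the final verification step with an incomplete hash state. Since `buf_in` has to be cleansed and freed either way, I would capture the result in a local, keep the existing cleanse, and then bail out with `if (!ok) { ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB); ret=0; goto err; }`. The remainder of ASN1_item_verify is outside this hunk, so I have not confirmed what the `err` label cleans up.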
diff --git a/lib/libssl/src/crypto/asn1/asn1.h b/lib/libssl/src/crypto/asn1/asn1.h
index 3414509f1b7..ceaeb4cbe39 100644
--- a/lib/libssl/src/crypto/asn1/asn1.h
+++ b/lib/libssl/src/crypto/asn1/asn1.h
@@ -829,7 +829,7 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai,BIGNUM *bn);
/* General */
/* given a string, return the correct type, max is the maximum length */
-int ASN1_PRINTABLE_type(unsigned char *s, int max);
+int ASN1_PRINTABLE_type(const unsigned char *s, int max);
int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass);
ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp,
@@ -950,16 +950,19 @@ void ERR_load_ASN1_strings(void);
#define ASN1_F_A2I_ASN1_ENUMERATED 101
#define ASN1_F_A2I_ASN1_INTEGER 102
#define ASN1_F_A2I_ASN1_STRING 103
+#define ASN1_F_ASN1_BIT_STRING_SET_BIT 176
#define ASN1_F_ASN1_CHECK_TLEN 104
#define ASN1_F_ASN1_COLLATE_PRIMITIVE 105
#define ASN1_F_ASN1_COLLECT 106
#define ASN1_F_ASN1_D2I_BIO 107
#define ASN1_F_ASN1_D2I_EX_PRIMITIVE 108
#define ASN1_F_ASN1_D2I_FP 109
+#define ASN1_F_ASN1_DIGEST 177
#define ASN1_F_ASN1_DO_ADB 110
#define ASN1_F_ASN1_DUP 111
#define ASN1_F_ASN1_ENUMERATED_SET 112
#define ASN1_F_ASN1_ENUMERATED_TO_BN 113
+#define ASN1_F_ASN1_GENERALIZEDTIME_SET 178
#define ASN1_F_ASN1_GET_OBJECT 114
#define ASN1_F_ASN1_HEADER_NEW 115
#define ASN1_F_ASN1_I2D_BIO 116
@@ -975,6 +978,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_F_ASN1_SEQ_PACK 126
#define ASN1_F_ASN1_SEQ_UNPACK 127
#define ASN1_F_ASN1_SIGN 128
+#define ASN1_F_ASN1_STRING_SET 179
#define ASN1_F_ASN1_STRING_TABLE_ADD 129
#define ASN1_F_ASN1_STRING_TYPE_NEW 130
#define ASN1_F_ASN1_TEMPLATE_D2I 131
@@ -984,6 +988,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING 134
#define ASN1_F_ASN1_TYPE_GET_OCTETSTRING 135
#define ASN1_F_ASN1_UNPACK_STRING 136
+#define ASN1_F_ASN1_UTCTIME_SET 180
#define ASN1_F_ASN1_VERIFY 137
#define ASN1_F_BN_TO_ASN1_ENUMERATED 138
#define ASN1_F_BN_TO_ASN1_INTEGER 139
@@ -1007,6 +1012,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_F_D2I_X509_CINF 157
#define ASN1_F_D2I_X509_NAME 158
#define ASN1_F_D2I_X509_PKEY 159
+#define ASN1_F_I2D_ASN1_SET 181
#define ASN1_F_I2D_ASN1_TIME 160
#define ASN1_F_I2D_DSA_PUBKEY 161
#define ASN1_F_I2D_NETSCAPE_RSA 162
diff --git a/lib/libssl/src/crypto/asn1/asn1_err.c b/lib/libssl/src/crypto/asn1/asn1_err.c
index 094ec06fda0..3b57c8fbae9 100644
--- a/lib/libssl/src/crypto/asn1/asn1_err.c
+++ b/lib/libssl/src/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
/* crypto/asn1/asn1_err.c */
/* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -70,16 +70,19 @@ static ERR_STRING_DATA ASN1_str_functs[]=
{ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0), "a2i_ASN1_ENUMERATED"},
{ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0), "a2i_ASN1_INTEGER"},
{ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0), "a2i_ASN1_STRING"},
+{ERR_PACK(0,ASN1_F_ASN1_BIT_STRING_SET_BIT,0), "ASN1_BIT_STRING_set_bit"},
{ERR_PACK(0,ASN1_F_ASN1_CHECK_TLEN,0), "ASN1_CHECK_TLEN"},
{ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0), "ASN1_COLLATE_PRIMITIVE"},
{ERR_PACK(0,ASN1_F_ASN1_COLLECT,0), "ASN1_COLLECT"},
{ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0), "ASN1_d2i_bio"},
{ERR_PACK(0,ASN1_F_ASN1_D2I_EX_PRIMITIVE,0), "ASN1_D2I_EX_PRIMITIVE"},
{ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0), "ASN1_d2i_fp"},
+{ERR_PACK(0,ASN1_F_ASN1_DIGEST,0), "ASN1_digest"},
{ERR_PACK(0,ASN1_F_ASN1_DO_ADB,0), "ASN1_DO_ADB"},
{ERR_PACK(0,ASN1_F_ASN1_DUP,0), "ASN1_dup"},
{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0), "ASN1_ENUMERATED_set"},
{ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0), "ASN1_ENUMERATED_to_BN"},
+{ERR_PACK(0,ASN1_F_ASN1_GENERALIZEDTIME_SET,0), "ASN1_GENERALIZEDTIME_set"},
{ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0), "ASN1_get_object"},
{ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0), "ASN1_HEADER_new"},
{ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0), "ASN1_i2d_bio"},
@@ -95,6 +98,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
{ERR_PACK(0,ASN1_F_ASN1_SEQ_PACK,0), "ASN1_seq_pack"},
{ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0), "ASN1_seq_unpack"},
{ERR_PACK(0,ASN1_F_ASN1_SIGN,0), "ASN1_sign"},
+{ERR_PACK(0,ASN1_F_ASN1_STRING_SET,0), "ASN1_STRING_set"},
{ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0), "ASN1_STRING_TABLE_add"},
{ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0), "ASN1_STRING_type_new"},
{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0), "ASN1_TEMPLATE_D2I"},
@@ -104,6 +108,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0), "ASN1_TYPE_get_int_octetstring"},
{ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0), "ASN1_TYPE_get_octetstring"},
{ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0), "ASN1_unpack_string"},
+{ERR_PACK(0,ASN1_F_ASN1_UTCTIME_SET,0), "ASN1_UTCTIME_set"},
{ERR_PACK(0,ASN1_F_ASN1_VERIFY,0), "ASN1_verify"},
{ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0), "BN_to_ASN1_ENUMERATED"},
{ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0), "BN_to_ASN1_INTEGER"},
@@ -127,6 +132,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
{ERR_PACK(0,ASN1_F_D2I_X509_CINF,0), "D2I_X509_CINF"},
{ERR_PACK(0,ASN1_F_D2I_X509_NAME,0), "D2I_X509_NAME"},
{ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0), "d2i_X509_PKEY"},
+{ERR_PACK(0,ASN1_F_I2D_ASN1_SET,0), "i2d_ASN1_SET"},
{ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0), "I2D_ASN1_TIME"},
{ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0), "i2d_DSA_PUBKEY"},
{ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0), "i2d_Netscape_RSA"},
diff --git a/lib/libssl/src/crypto/asn1/asn1_lib.c b/lib/libssl/src/crypto/asn1/asn1_lib.c
index a74f1368d34..97b9b35f4bd 100644
--- a/lib/libssl/src/crypto/asn1/asn1_lib.c
+++ b/lib/libssl/src/crypto/asn1/asn1_lib.c
@@ -349,6 +349,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
if (str->data == NULL)
{
+ ASN1err(ASN1_F_ASN1_STRING_SET,ERR_R_MALLOC_FAILURE);
str->data=c;
return(0);
}
diff --git a/lib/libssl/src/crypto/asn1/evp_asn1.c b/lib/libssl/src/crypto/asn1/evp_asn1.c
index 3506005a714..f92ce6cb5d4 100644
--- a/lib/libssl/src/crypto/asn1/evp_asn1.c
+++ b/lib/libssl/src/crypto/asn1/evp_asn1.c
@@ -115,7 +115,11 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
if ((osp=ASN1_STRING_new()) == NULL) return(0);
/* Grow the 'string' */
- ASN1_STRING_set(osp,NULL,size);
+ if (!ASN1_STRING_set(osp,NULL,size))
+ {
+ ASN1_STRING_free(osp);
+ return(0);
+ }
M_ASN1_STRING_length_set(osp, size);
p=M_ASN1_STRING_data(osp);
diff --git a/lib/libssl/src/crypto/asn1/p5_pbe.c b/lib/libssl/src/crypto/asn1/p5_pbe.c
index 891150638e9..ec788267e01 100644
--- a/lib/libssl/src/crypto/asn1/p5_pbe.c
+++ b/lib/libssl/src/crypto/asn1/p5_pbe.c
@@ -76,47 +76,55 @@ IMPLEMENT_ASN1_FUNCTIONS(PBEPARAM)
X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
int saltlen)
{
- PBEPARAM *pbe;
+ PBEPARAM *pbe=NULL;
ASN1_OBJECT *al;
X509_ALGOR *algor;
- ASN1_TYPE *astype;
+ ASN1_TYPE *astype=NULL;
if (!(pbe = PBEPARAM_new ())) {
ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
- return NULL;
+ goto err;
}
if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
- ASN1_INTEGER_set (pbe->iter, iter);
+ if (!ASN1_INTEGER_set(pbe->iter, iter)) {
+ ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
if (!saltlen) saltlen = PKCS5_SALT_LEN;
if (!(pbe->salt->data = OPENSSL_malloc (saltlen))) {
ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
- return NULL;
+ goto err;
}
pbe->salt->length = saltlen;
if (salt) memcpy (pbe->salt->data, salt, saltlen);
else if (RAND_pseudo_bytes (pbe->salt->data, saltlen) < 0)
- return NULL;
+ goto err;
if (!(astype = ASN1_TYPE_new())) {
ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
- return NULL;
+ goto err;
}
astype->type = V_ASN1_SEQUENCE;
if(!ASN1_pack_string(pbe, i2d_PBEPARAM, &astype->value.sequence)) {
ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
- return NULL;
+ goto err;
}
PBEPARAM_free (pbe);
+ pbe = NULL;
al = OBJ_nid2obj(alg); /* never need to free al */
if (!(algor = X509_ALGOR_new())) {
ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
- return NULL;
+ goto err;
}
ASN1_OBJECT_free(algor->algorithm);
algor->algorithm = al;
algor->parameter = astype;
return (algor);
+err:
+ if (pbe != NULL) PBEPARAM_free(pbe);
+ if (astype != NULL) ASN1_TYPE_free(astype);
+ return NULL;
}
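Review bot: `saltlen` is a signed `int` and only the zero case is handled (`if (!saltlen) saltlen = PKCS5_SALT_LEN;`). A negative value therefore reaches `OPENSSL_malloc (saltlen)` and, if that succeeds, `memcpy (pbe->salt->data, salt, saltlen)` with a length that converts to a huge unsigned size. Whether the allocator rejects negative sizes is not visible here, so I would not rely on it: `if (saltlen < 0) goto err;` ahead of the default fits the new `err:` cleanup path. The `RAND_pseudo_bytes` failure branch is also the only `goto err` that records no ASN1err, which makes that failure hard to diagnose.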
diff --git a/lib/libssl/src/crypto/asn1/p5_pbev2.c b/lib/libssl/src/crypto/asn1/p5_pbev2.c
index 91e1c8987d3..e0dc0ec4ee3 100644
--- a/lib/libssl/src/crypto/asn1/p5_pbev2.c
+++ b/lib/libssl/src/crypto/asn1/p5_pbev2.c
@@ -1,6 +1,6 @@
/* p5_pbev2.c */
/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project 1999-2004.
*/
/* ====================================================================
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
@@ -113,7 +113,8 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
if(!(scheme->parameter = ASN1_TYPE_new())) goto merr;
/* Create random IV */
- if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
+ if (EVP_CIPHER_iv_length(cipher) &&
+ RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
goto err;
EVP_CIPHER_CTX_init(&ctx);
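Review bot: The IV is still drawn with `RAND_pseudo_bytes` and only a negative return is treated as failure, so a return of 0, which that function uses to say the bytes are not cryptographically strong, is accepted. The cipher is chosen by the caller and may be a CBC-mode cipher, where a predictable IV weakens the encryption. I would use `RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0` as the failure test. This path also jumps to `err` without recording an ASN1err. PKCS5_pbe2_set starts and ends outside this hunk.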
@@ -123,6 +124,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
ASN1err(ASN1_F_PKCS5_PBE2_SET,
ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
+ EVP_CIPHER_CTX_cleanup(&ctx);
goto err;
}
EVP_CIPHER_CTX_cleanup(&ctx);
diff --git a/lib/libssl/src/crypto/asn1/x_crl.c b/lib/libssl/src/crypto/asn1/x_crl.c
index 11fce968257..b99f8fc522c 100644
--- a/lib/libssl/src/crypto/asn1/x_crl.c
+++ b/lib/libssl/src/crypto/asn1/x_crl.c
@@ -63,8 +63,6 @@
static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
const X509_REVOKED * const *b);
-static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
- const X509_REVOKED * const *b);
ASN1_SEQUENCE(X509_REVOKED) = {
ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER),
@@ -72,43 +70,28 @@ ASN1_SEQUENCE(X509_REVOKED) = {
ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
} ASN1_SEQUENCE_END(X509_REVOKED)
-/* The X509_CRL_INFO structure needs a bit of customisation. This is actually
- * mirroring the old behaviour: its purpose is to allow the use of
- * sk_X509_REVOKED_find to lookup revoked certificates. Unfortunately
- * this will zap the original order and the signature so we keep a copy
- * of the original positions and reorder appropriately before encoding.
- *
- * Might want to see if there's a better way of doing this later...
+/* The X509_CRL_INFO structure needs a bit of customisation.
+ * Since we cache the original encoding the signature wont be affected by
+ * reordering of the revoked field.
*/
static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
{
X509_CRL_INFO *a = (X509_CRL_INFO *)*pval;
- int i;
- int (*old_cmp)(const X509_REVOKED * const *,
- const X509_REVOKED * const *);
if(!a || !a->revoked) return 1;
switch(operation) {
-
- /* Save original order */
+ /* Just set cmp function here. We don't sort because that
+ * would affect the output of X509_CRL_print().
+ */
case ASN1_OP_D2I_POST:
- for (i=0; i<sk_X509_REVOKED_num(a->revoked); i++)
- sk_X509_REVOKED_value(a->revoked,i)->sequence=i;
sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_cmp);
break;
-
- /* Restore original order */
- case ASN1_OP_I2D_PRE:
- old_cmp=sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_seq_cmp);
- sk_X509_REVOKED_sort(a->revoked);
- sk_X509_REVOKED_set_cmp_func(a->revoked,old_cmp);
- break;
}
return 1;
}
-ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = {
+ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = {
ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER),
ASN1_SIMPLE(X509_CRL_INFO, sig_alg, X509_ALGOR),
ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME),
@@ -116,7 +99,7 @@ ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = {
ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME),
ASN1_SEQUENCE_OF_OPT(X509_CRL_INFO, revoked, X509_REVOKED),
ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0)
-} ASN1_SEQUENCE_END_cb(X509_CRL_INFO, X509_CRL_INFO)
+} ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO)
ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = {
ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO),
@@ -137,12 +120,6 @@ static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
(ASN1_STRING *)(*b)->serialNumber));
}
-static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
- const X509_REVOKED * const *b)
- {
- return((*a)->sequence-(*b)->sequence);
- }
-
int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
{
X509_CRL_INFO *inf;
@@ -153,6 +130,7 @@ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
ASN1err(ASN1_F_X509_CRL_ADD0_REVOKED, ERR_R_MALLOC_FAILURE);
return 0;
}
+ inf->enc.modified = 1;
return 1;
}
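Review bot: Within this diff `enc.modified` is set only in X509_CRL_add0_revoked(), although X509_CRL_INFO is now declared through ASN1_SEQUENCE_enc and re-encoding reuses the cached bytes until that flag is set. Any other code that changes the version, issuer, update times, extensions or the revoked stack must set it as well, otherwise the stale encoding would be emitted and signed. Those setters are not part of this diff, so this needs checking. A comment beside the assignment would record the rule: `/* cached encoding is stale once the structure changes; every mutator must set this */`. The function begins above this hunk.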
diff --git a/lib/libssl/src/crypto/asn1/x_name.c b/lib/libssl/src/crypto/asn1/x_name.c
index caece0f1585..31f3377b642 100644
--- a/lib/libssl/src/crypto/asn1/x_name.c
+++ b/lib/libssl/src/crypto/asn1/x_name.c
@@ -160,21 +160,22 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, cons
int tag, int aclass, char opt, ASN1_TLC *ctx)
{
unsigned char *p = *in, *q;
- STACK *intname = NULL;
+ STACK *intname = NULL, **intname_pp = &intname;
int i, j, ret;
- X509_NAME *nm = NULL;
+ X509_NAME *nm = NULL, **nm_pp = &nm;
STACK_OF(X509_NAME_ENTRY) *entries;
X509_NAME_ENTRY *entry;
q = p;
/* Get internal representation of Name */
- ret = ASN1_item_ex_d2i((ASN1_VALUE **)&intname, &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
- tag, aclass, opt, ctx);
+ ret = ASN1_item_ex_d2i((ASN1_VALUE **)intname_pp,
+ &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
+ tag, aclass, opt, ctx);
if(ret <= 0) return ret;
if(*val) x509_name_ex_free(val, NULL);
- if(!x509_name_ex_new((ASN1_VALUE **)&nm, NULL)) goto err;
+ if(!x509_name_ex_new((ASN1_VALUE **)nm_pp, NULL)) goto err;
/* We've decoded it: now cache encoding */
if(!BUF_MEM_grow(nm->bytes, p - q)) goto err;
memcpy(nm->bytes->data, q, p - q);
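Review bot: The new `intname_pp` and `nm_pp` locals carry no explanation, and they are still cast to `ASN1_VALUE **`, so a reader cannot tell why `&intname` and `&nm` are no longer passed directly. Presumably this works around a compiler type-punning warning; a one-line comment on the declarations would say so, e.g. `/* go through a separate pointer so the (ASN1_VALUE **) cast is not applied to &intname directly */`. The same declaration is added to x509_name_encode() in the next hunk. x509_name_ex_d2i continues outside this hunk.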
@@ -218,7 +219,7 @@ static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_IT
static int x509_name_encode(X509_NAME *a)
{
- STACK *intname = NULL;
+ STACK *intname = NULL, **intname_pp = &intname;
int len;
unsigned char *p;
STACK_OF(X509_NAME_ENTRY) *entries = NULL;
@@ -236,10 +237,12 @@ static int x509_name_encode(X509_NAME *a)
}
if(!sk_X509_NAME_ENTRY_push(entries, entry)) goto memerr;
}
- len = ASN1_item_ex_i2d((ASN1_VALUE **)&intname, NULL, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
+ len = ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp, NULL,
+ ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
if (!BUF_MEM_grow(a->bytes,len)) goto memerr;
p=(unsigned char *)a->bytes->data;
- ASN1_item_ex_i2d((ASN1_VALUE **)&intname, &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
+ ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp,
+ &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
sk_pop_free(intname, sk_internal_free);
a->modified = 0;
return len;
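Review bot: The length returned by the first `ASN1_item_ex_i2d()` call goes straight into `BUF_MEM_grow()`, and the result of the second call is discarded, so an encoding failure is not told apart from success. A guard such as `if (len <= 0) goto memerr;` before the grow would keep a non-positive length out of the buffer sizing. Whether `memerr` reports the right error code for that case is not visible here. The function starts above this hunk.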
diff --git a/lib/libssl/src/crypto/asn1/x_pubkey.c b/lib/libssl/src/crypto/asn1/x_pubkey.c
index d9585401206..7d6d71af88d 100644
--- a/lib/libssl/src/crypto/asn1/x_pubkey.c
+++ b/lib/libssl/src/crypto/asn1/x_pubkey.c
@@ -80,8 +80,7 @@ IMPLEMENT_ASN1_FUNCTIONS(X509_PUBKEY)
int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
{
- int ok=0;
- X509_PUBKEY *pk;
+ X509_PUBKEY *pk=NULL;
X509_ALGOR *a;
ASN1_OBJECT *o;
unsigned char *s,*p = NULL;
@@ -104,7 +103,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
(a->parameter->type != V_ASN1_NULL))
{
ASN1_TYPE_free(a->parameter);
- a->parameter=ASN1_TYPE_new();
+ if (!(a->parameter=ASN1_TYPE_new()))
+ {
+ X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
a->parameter->type=V_ASN1_NULL;
}
}
@@ -118,14 +121,34 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
dsa=pkey->pkey.dsa;
dsa->write_params=0;
ASN1_TYPE_free(a->parameter);
- i=i2d_DSAparams(dsa,NULL);
- if ((p=(unsigned char *)OPENSSL_malloc(i)) == NULL) goto err;
+ if ((i=i2d_DSAparams(dsa,NULL)) <= 0)
+ goto err;
+ if (!(p=(unsigned char *)OPENSSL_malloc(i)))
+ {
+ X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
pp=p;
i2d_DSAparams(dsa,&pp);
- a->parameter=ASN1_TYPE_new();
+ if (!(a->parameter=ASN1_TYPE_new()))
+ {
+ OPENSSL_free(p);
+ X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
a->parameter->type=V_ASN1_SEQUENCE;
- a->parameter->value.sequence=ASN1_STRING_new();
- ASN1_STRING_set(a->parameter->value.sequence,p,i);
+ if (!(a->parameter->value.sequence=ASN1_STRING_new()))
+ {
+ OPENSSL_free(p);
+ X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if (!ASN1_STRING_set(a->parameter->value.sequence,p,i))
+ {
+ OPENSSL_free(p);
+ X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
OPENSSL_free(p);
}
else
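Review bot: In the DSA branch `a->parameter` is freed, and both new `goto err` exits (failed `i2d_DSAparams()` and failed `OPENSSL_malloc()`) are taken before it is reassigned, so the pointer is left dangling. If `a` is `pk->algor` (its assignment is outside the hunk), `X509_PUBKEY_free(pk)` at `err:` would free it a second time. Adding `a->parameter=NULL;` right after `ASN1_TYPE_free(a->parameter);` closes this. The return value of the second `i2d_DSAparams(dsa,&pp)` is also still ignored.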
@@ -143,7 +166,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
}
p=s;
i2d_PublicKey(pkey,&p);
- if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err;
+ if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i))
+ {
+ X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
/* Set number of unused bits to zero */
pk->public_key->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
pk->public_key->flags|=ASN1_STRING_FLAG_BITS_LEFT;
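Review bot: On the new error exit after `M_ASN1_BIT_STRING_set()` fails, the buffer `s` does not appear to be released: the `err:` label shown in the last hunk of this file frees only `pk`. If `s` is freed only on the success path, which is not visible here, add `OPENSSL_free(s);` before the `goto err;`. X509_PUBKEY_set continues outside this hunk.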
@@ -159,12 +186,11 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
X509_PUBKEY_free(*x);
*x=pk;
- pk=NULL;
- ok=1;
+ return 1;
err:
if (pk != NULL) X509_PUBKEY_free(pk);
- return(ok);
+ return 0;
}
EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
diff --git a/lib/libssl/src/crypto/bf/bf_skey.c b/lib/libssl/src/crypto/bf/bf_skey.c
index 3673cdee6e2..fc5bebefce4 100644
--- a/lib/libssl/src/crypto/bf/bf_skey.c
+++ b/lib/libssl/src/crypto/bf/bf_skey.c
@@ -58,11 +58,12 @@
#include <stdio.h>
#include <string.h>
+#include <openssl/crypto.h>
#include <openssl/blowfish.h>
#include "bf_locl.h"
#include "bf_pi.h"
-void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(BF)
{
int i;
BF_LONG *p,ri,in[2];
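Review bot: Replacing the definition line with `FIPS_NON_FIPS_VCIPHER_Init(BF)` hides the signature: the body below uses `key`, `len` and `data`, which now exist only inside the macro expansion, and a search for `BF_set_key` no longer lands here. A comment above the macro call would fix that, e.g. `/* expands to: void BF_set_key(BF_KEY *key, int len, const unsigned char *data); the body becomes private_BF_set_key under OPENSSL_FIPS */`. The same applies to `FIPS_NON_FIPS_VCIPHER_Init(CAST)` in crypto/cast/c_skey.c. The function body continues past the hunk.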
diff --git a/lib/libssl/src/crypto/bf/blowfish.h b/lib/libssl/src/crypto/bf/blowfish.h
index cd49e85ab29..b4d87749619 100644
--- a/lib/libssl/src/crypto/bf/blowfish.h
+++ b/lib/libssl/src/crypto/bf/blowfish.h
@@ -104,7 +104,10 @@ typedef struct bf_key_st
BF_LONG S[4*256];
} BF_KEY;
-
+
+#ifdef OPENSSL_FIPS
+void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+#endif
void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
void BF_encrypt(BF_LONG *data,const BF_KEY *key);
diff --git a/lib/libssl/src/crypto/bio/b_print.c b/lib/libssl/src/crypto/bio/b_print.c
index 880dc693035..8b753e7ca01 100644
--- a/lib/libssl/src/crypto/bio/b_print.c
+++ b/lib/libssl/src/crypto/bio/b_print.c
@@ -641,7 +641,7 @@ fmtfp(
multiplying by a factor of 10 */
fracpart = roundv((pow10(max)) * (ufvalue - intpart));
- if (fracpart >= pow10(max)) {
+ if (fracpart >= (long)pow10(max)) {
intpart++;
fracpart -= (long)pow10(max);
}
diff --git a/lib/libssl/src/crypto/bio/bio.h b/lib/libssl/src/crypto/bio/bio.h
index fbbc16d00c5..2eb703830f4 100644
--- a/lib/libssl/src/crypto/bio/bio.h
+++ b/lib/libssl/src/crypto/bio/bio.h
@@ -347,6 +347,7 @@ typedef struct bio_f_buffer_ctx_struct
#define BIO_C_NWRITE0 145
#define BIO_C_NWRITE 146
#define BIO_C_RESET_READ_REQUEST 147
+#define BIO_C_SET_MD_CTX 148
#define BIO_set_app_data(s,arg) BIO_set_ex_data(s,0,arg)
diff --git a/lib/libssl/src/crypto/bio/bss_file.c b/lib/libssl/src/crypto/bio/bss_file.c
index 9cdf159f82f..8034ac93f97 100644
--- a/lib/libssl/src/crypto/bio/bss_file.c
+++ b/lib/libssl/src/crypto/bio/bss_file.c
@@ -213,13 +213,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
b->shutdown=(int)num&BIO_CLOSE;
b->ptr=(char *)ptr;
b->init=1;
+ {
#if defined(OPENSSL_SYS_WINDOWS)
+ int fd = fileno((FILE*)ptr);
if (num & BIO_FP_TEXT)
- _setmode(fileno((FILE *)ptr),_O_TEXT);
+ _setmode(fd,_O_TEXT);
else
- _setmode(fileno((FILE *)ptr),_O_BINARY);
+ _setmode(fd,_O_BINARY);
#elif defined(OPENSSL_SYS_MSDOS)
- {
int fd = fileno((FILE*)ptr);
/* Set correct text/binary mode */
if (num & BIO_FP_TEXT)
@@ -235,13 +236,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
else
_setmode(fd,_O_BINARY);
}
- }
#elif defined(OPENSSL_SYS_OS2)
+ int fd = fileno((FILE*)ptr);
if (num & BIO_FP_TEXT)
- setmode(fileno((FILE *)ptr), O_TEXT);
+ setmode(fd, O_TEXT);
else
- setmode(fileno((FILE *)ptr), O_BINARY);
+ setmode(fd, O_BINARY);
#endif
+ }
break;
case BIO_C_SET_FILENAME:
file_free(b);
@@ -264,7 +266,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
ret=0;
break;
}
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2)
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN)
if (!(num & BIO_FP_TEXT))
strcat(p,"b");
else
diff --git a/lib/libssl/src/crypto/bn/asm/ia64.S b/lib/libssl/src/crypto/bn/asm/ia64.S
index 7dfda855660..7b82b820e62 100644
--- a/lib/libssl/src/crypto/bn/asm/ia64.S
+++ b/lib/libssl/src/crypto/bn/asm/ia64.S
@@ -1,6 +1,6 @@
.explicit
.text
-.ident "ia64.S, Version 2.0"
+.ident "ia64.S, Version 2.1"
.ident "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
//
@@ -35,7 +35,7 @@
// What does it mean? You might ratiocinate that the original code
// should run just faster... Because sum of latencies is smaller...
// Wrong! Note that getf latency increased. This means that if a loop is
-// scheduled for lower latency (and they are), then it will suffer from
+// scheduled for lower latency (as they were), then it will suffer from
// stall condition and the code will therefore turn anti-scalable, e.g.
// original bn_mul_words spun at 5*n or 2.5 times slower than expected
// on Itanium2! What to do? Reschedule loops for Itanium2? But then
@@ -145,6 +145,12 @@
// -Drum=nop.m in command line.
//
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
+#define ADDP addp4
+#else
+#define ADDP add
+#endif
+
#if 1
//
// bn_[add|sub]_words routines.
@@ -178,27 +184,12 @@ bn_add_words:
brp.loop.imp .L_bn_add_words_ctop,.L_bn_add_words_cend-16
}
.body
-{ .mib;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
- addp4 r14=0,r32 // rp
-#else
- mov r14=r32 // rp
-#endif
+{ .mib; ADDP r14=0,r32 // rp
mov r9=pr };;
-{ .mii;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
- addp4 r15=0,r33 // ap
-#else
- mov r15=r33 // ap
-#endif
+{ .mii; ADDP r15=0,r33 // ap
mov ar.lc=r10
mov ar.ec=6 }
-{ .mib;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
- addp4 r16=0,r34 // bp
-#else
- mov r16=r34 // bp
-#endif
+{ .mib; ADDP r16=0,r34 // bp
mov pr.rot=1<<16 };;
.L_bn_add_words_ctop:
@@ -246,27 +237,12 @@ bn_sub_words:
brp.loop.imp .L_bn_sub_words_ctop,.L_bn_sub_words_cend-16
}
.body
-{ .mib;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
- addp4 r14=0,r32 // rp
-#else
- mov r14=r32 // rp
-#endif
+{ .mib; ADDP r14=0,r32 // rp
mov r9=pr };;
-{ .mii;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
- addp4 r15=0,r33 // ap
-#else
- mov r15=r33 // ap
-#endif
+{ .mii; ADDP r15=0,r33 // ap
mov ar.lc=r10
mov ar.ec=6 }
-{ .mib;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
- addp4 r16=0,r34 // bp
-#else
- mov r16=r34 // bp
-#endif
+{ .mib; ADDP r16=0,r34 // bp
mov pr.rot=1<<16 };;
.L_bn_sub_words_ctop:
@@ -332,16 +308,10 @@ bn_mul_words:
#ifndef XMA_TEMPTATION
-{ .mii;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
- addp4 r14=0,r32 // rp
- addp4 r15=0,r33 // ap
-#else
- mov r14=r32 // rp
- mov r15=r33 // ap
-#endif
+{ .mmi; ADDP r14=0,r32 // rp
+ ADDP r15=0,r33 // ap
mov ar.lc=r10 }
-{ .mii; mov r40=0 // serves as r35 at first (p27)
+{ .mmi; mov r40=0 // serves as r35 at first (p27)
mov ar.ec=13 };;
// This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium
@@ -424,89 +394,64 @@ bn_mul_words:
.global bn_mul_add_words#
.proc bn_mul_add_words#
.align 64
-//.skip 0 // makes the loop split at 64-byte boundary
+.skip 48 // makes the loop body aligned at 64-byte boundary
bn_mul_add_words:
.prologue
.fframe 0
.save ar.pfs,r2
-{ .mii; alloc r2=ar.pfs,4,12,0,16
- cmp4.le p6,p0=r34,r0 };;
-{ .mfb; mov r8=r0 // return value
-(p6) br.ret.spnt.many b0 };;
-
.save ar.lc,r3
-{ .mii; sub r10=r34,r0,1
- mov r3=ar.lc
- mov r9=pr };;
+ .save pr,r9
+{ .mmi; alloc r2=ar.pfs,4,4,0,8
+ cmp4.le p6,p0=r34,r0
+ mov r3=ar.lc };;
+{ .mib; mov r8=r0 // return value
+ sub r10=r34,r0,1
+(p6) br.ret.spnt.many b0 };;
.body
-{ .mib; setf.sig f8=r35 // w
- mov pr.rot=0x800001<<16
- // ------^----- serves as (p50) at first (p27)
+{ .mib; setf.sig f8=r35 // w
+ mov r9=pr
brp.loop.imp .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16
}
-{ .mii;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
- addp4 r14=0,r32 // rp
- addp4 r15=0,r33 // ap
-#else
- mov r14=r32 // rp
- mov r15=r33 // ap
-#endif
+{ .mmi; ADDP r14=0,r32 // rp
+ ADDP r15=0,r33 // ap
mov ar.lc=r10 }
-{ .mii; mov r40=0 // serves as r35 at first (p27)
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
- addp4 r18=0,r32 // rp copy
-#else
- mov r18=r32 // rp copy
-#endif
- mov ar.ec=15 };;
-
-// This loop spins in 3*(n+14) ticks on Itanium and should spin in
-// 2*(n+14) on "wider" IA-64 implementations (to be verified with new
-// µ-architecture manuals as they become available). As usual it's
-// possible to compress the epilogue, down to 10 in this case, at the
-// cost of scalability. Compressed (and therefore non-scalable) loop
-// running at 3*(n+11) would buy you ~10% on Itanium but take ~35%
-// from "wider" IA-64 so let it be scalable! Special attention was
-// paid for having the loop body split at 64-byte boundary. ld8 is
-// scheduled for L1 cache as the data is more than likely there.
-// Indeed, bn_mul_words has put it there a moment ago:-)
+{ .mii; ADDP r16=0,r32 // rp copy
+ mov pr.rot=0x2001<<16
+ // ------^----- serves as (p40) at first (p27)
+ mov ar.ec=11 };;
+
+// This loop spins in 3*(n+10) ticks on Itanium and in 2*(n+10) on
+// Itanium 2. Yes, unlike previous versions it scales:-) Previous
+// version was peforming *all* additions in IALU and was starving
+// for those even on Itanium 2. In this version one addition is
+// moved to FPU and is folded with multiplication. This is at cost
+// of propogating the result from previous call to this subroutine
+// to L2 cache... In other words negligible even for shorter keys.
+// *Overall* performance improvement [over previous version] varies
+// from 11 to 22 percent depending on key length.
.L_bn_mul_add_words_ctop:
-{ .mfi; (p25) getf.sig r36=f52 // low
- (p21) xmpy.lu f48=f37,f8
- (p28) cmp.ltu p54,p50=r41,r39 }
-{ .mfi; (p16) ldf8 f32=[r15],8
- (p21) xmpy.hu f40=f37,f8
- (p28) add r45=r45,r41 };;
-{ .mii; (p25) getf.sig r32=f44 // high
- .pred.rel "mutex",p50,p54
- (p50) add r40=r38,r35 // (p27)
- (p54) add r40=r38,r35,1 } // (p27)
-{ .mfb; (p28) cmp.ltu.unc p60,p0=r45,r41
- (p0) nop.f 0x0
- (p0) nop.b 0x0 }
-{ .mii; (p27) ld8 r44=[r18],8
- (p62) cmp.eq.or p61,p0=-1,r46
- (p62) add r46=1,r46 }
-{ .mfb; (p30) st8 [r14]=r47,8
- (p0) nop.f 0x0
+.pred.rel "mutex",p40,p42
+{ .mfi; (p23) getf.sig r36=f45 // low
+ (p20) xma.lu f42=f36,f8,f50 // low
+ (p40) add r39=r39,r35 } // (p27)
+{ .mfi; (p16) ldf8 f32=[r15],8 // *(ap++)
+ (p20) xma.hu f36=f36,f8,f50 // high
+ (p42) add r39=r39,r35,1 };; // (p27)
+{ .mmi; (p24) getf.sig r32=f40 // high
+ (p16) ldf8 f46=[r16],8 // *(rp1++)
+ (p40) cmp.ltu p41,p39=r39,r35 } // (p27)
+{ .mib; (p26) st8 [r14]=r39,8 // *(rp2++)
+ (p42) cmp.leu p41,p39=r39,r35 // (p27)
br.ctop.sptk .L_bn_mul_add_words_ctop};;
.L_bn_mul_add_words_cend:
-{ .mii; nop.m 0x0
-.pred.rel "mutex",p53,p57
-(p53) add r8=r38,r0
-(p57) add r8=r38,r0,1 }
-{ .mfb; nop.m 0x0
- nop.f 0x0
- nop.b 0x0 };;
-{ .mii;
-(p63) add r8=1,r8
- mov pr=r9,0x1ffff
- mov ar.lc=r3 }
-{ .mfb; rum 1<<5 // clear um.mfh
- nop.f 0x0
+{ .mmi; .pred.rel "mutex",p40,p42
+(p40) add r8=r35,r0
+(p42) add r8=r35,r0,1
+ mov pr=r9,0x1ffff }
+{ .mib; rum 1<<5 // clear um.mfh
+ mov ar.lc=r3
br.ret.sptk.many b0 };;
.endp bn_mul_add_words#
#endif
@@ -527,7 +472,8 @@ bn_sqr_words:
sxt4 r34=r34 };;
{ .mii; cmp.le p6,p0=r34,r0
mov r8=r0 } // return value
-{ .mfb; nop.f 0x0
+{ .mfb; ADDP r32=0,r32
+ nop.f 0x0
(p6) br.ret.spnt.many b0 };;
.save ar.lc,r3
@@ -536,11 +482,7 @@ bn_sqr_words:
mov r9=pr };;
.body
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-{ .mii; addp4 r32=0,r32
- addp4 r33=0,r33 };;
-#endif
-{ .mib;
+{ .mib; ADDP r33=0,r33
mov pr.rot=1<<16
brp.loop.imp .L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16
}
@@ -605,7 +547,7 @@ bn_sqr_comba8:
.prologue
.fframe 0
.save ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
{ .mii; alloc r2=ar.pfs,2,1,0,0
addp4 r33=0,r33
addp4 r32=0,r32 };;
@@ -631,6 +573,10 @@ bn_sqr_comba8:
// clause in Itanium µ-architecture manual? Comments are welcomed and
// highly appreciated.
//
+// On Itanium 2 it takes ~190 ticks. This is because of stalls on
+// result from getf.sig. I do nothing about it at this point for
+// reasons depicted below.
+//
// However! It should be noted that even 160 ticks is darn good result
// as it's over 10 (yes, ten, spelled as t-e-n) times faster than the
// C version (compiled with gcc with inline assembler). I really
@@ -673,7 +619,7 @@ bn_mul_comba8:
.prologue
.fframe 0
.save ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
{ .mii; alloc r2=ar.pfs,3,0,0,0
addp4 r33=0,r33
addp4 r34=0,r34 };;
@@ -1231,7 +1177,7 @@ bn_sqr_comba4:
.prologue
.fframe 0
.save ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
{ .mii; alloc r2=ar.pfs,2,1,0,0
addp4 r32=0,r32
addp4 r33=0,r33 };;
@@ -1264,7 +1210,7 @@ bn_mul_comba4:
.prologue
.fframe 0
.save ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
{ .mii; alloc r2=ar.pfs,3,0,0,0
addp4 r33=0,r33
addp4 r34=0,r34 };;
@@ -1448,8 +1394,8 @@ bn_mul_comba4:
#define I r21
#if 0
-// Some preprocessors (most notably HP-UX) apper to be allergic to
-// macros enclosed to parenthesis as these three will be.
+// Some preprocessors (most notably HP-UX) appear to be allergic to
+// macros enclosed to parenthesis [as these three were].
#define cont p16
#define break p0 // p20
#define equ p24
@@ -1581,9 +1527,18 @@ bn_div_words:
// output: f8 = (int)(a/b)
// clobbered: f8,f9,f10,f11,pred
pred=p15
-// This procedure is essentially Intel code and therefore is
-// copyrighted to Intel Corporation (I suppose...). It's sligtly
-// modified for specific needs.
+// One can argue that this snippet is copyrighted to Intel
+// Corporation, as it's essentially identical to one of those
+// found in "Divide, Square Root and Remainder" section at
+// http://www.intel.com/software/products/opensource/libraries/num.htm.
+// Yes, I admit that the referred code was used as template,
+// but after I realized that there hardly is any other instruction
+// sequence which would perform this operation. I mean I figure that
+// any independent attempt to implement high-performance division
+// will result in code virtually identical to the Intel code. It
+// should be noted though that below division kernel is 1 cycle
+// faster than Intel one (note commented splits:-), not to mention
+// original prologue (rather lack of one) and epilogue.
.align 32
.skip 16
.L_udiv64_32_b6:
diff --git a/lib/libssl/src/crypto/bn/bn_mont.c b/lib/libssl/src/crypto/bn/bn_mont.c
index c9ebdbaabeb..b79b1b60da0 100644
--- a/lib/libssl/src/crypto/bn/bn_mont.c
+++ b/lib/libssl/src/crypto/bn/bn_mont.c
@@ -273,7 +273,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
BN_init(&Ri);
R= &(mont->RR); /* grab RR as a temp */
- BN_copy(&(mont->N),mod); /* Set N */
+ if (!BN_copy(&(mont->N),mod)) goto err; /* Set N */
mont->N.neg = 0;
#ifdef MONT_WORD
diff --git a/lib/libssl/src/crypto/bn/bntest.c b/lib/libssl/src/crypto/bn/bntest.c
index 8ef733013d6..79d813d85e1 100644
--- a/lib/libssl/src/crypto/bn/bntest.c
+++ b/lib/libssl/src/crypto/bn/bntest.c
@@ -232,7 +232,7 @@ int main(int argc, char *argv[])
EXIT(0);
err:
BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices
- * the failure, see test_bn in test/Makefile.ssl*/
+ * the failure, see test_bn in test/Makefile */
BIO_flush(out);
ERR_load_crypto_strings();
ERR_print_errors_fp(stderr);
diff --git a/lib/libssl/src/crypto/cast/c_skey.c b/lib/libssl/src/crypto/cast/c_skey.c
index 76e40005c99..dc4791a8cff 100644
--- a/lib/libssl/src/crypto/cast/c_skey.c
+++ b/lib/libssl/src/crypto/cast/c_skey.c
@@ -56,7 +56,9 @@
* [including the GNU Public Licence.]
*/
+#include <openssl/crypto.h>
#include <openssl/cast.h>
+
#include "cast_lcl.h"
#include "cast_s.h"
@@ -72,7 +74,7 @@
#define S6 CAST_S_table6
#define S7 CAST_S_table7
-void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(CAST)
{
CAST_LONG x[16];
CAST_LONG z[16];
diff --git a/lib/libssl/src/crypto/cast/cast.h b/lib/libssl/src/crypto/cast/cast.h
index b28e4e4f3b3..9e300178d90 100644
--- a/lib/libssl/src/crypto/cast/cast.h
+++ b/lib/libssl/src/crypto/cast/cast.h
@@ -81,7 +81,10 @@ typedef struct cast_key_st
int short_key; /* Use reduced rounds for short key */
} CAST_KEY;
-
+
+#ifdef OPENSSL_FIPS
+void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
+#endif
void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key,
int enc);
diff --git a/lib/libssl/src/crypto/comp/c_zlib.c b/lib/libssl/src/crypto/comp/c_zlib.c
index 8c0876151ac..1bd2850d15b 100644
--- a/lib/libssl/src/crypto/comp/c_zlib.c
+++ b/lib/libssl/src/crypto/comp/c_zlib.c
@@ -3,6 +3,7 @@
#include <string.h>
#include <openssl/objects.h>
#include <openssl/comp.h>
+#include <openssl/err.h>
COMP_METHOD *COMP_zlib(void );
@@ -189,7 +190,17 @@ COMP_METHOD *COMP_zlib(void)
if (!zlib_loaded)
{
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
- zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
+ zlib_dso = DSO_load(NULL, "ZLIB1", NULL, 0);
+ if (!zlib_dso)
+ {
+ zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
+ if (zlib_dso)
+ {
+ /* Clear the errors from the first failed
+ DSO_load() */
+ ERR_clear_error();
+ }
+ }
#else
zlib_dso = DSO_load(NULL, "z", NULL, 0);
#endif
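Review bot: Both `DSO_load()` calls pass a bare library name, so which ZLIB1 or ZLIB file gets mapped is decided by the platform loader's search order rather than by a path this code controls. The fallback adds a second name that can be satisfied from any directory on that search path. A comment stating that the zlib DLL is expected in a trusted application or system directory would make the assumption explicit. Separately, `ERR_clear_error()` empties the whole thread error queue, so errors queued before COMP_zlib() was called are dropped along with the one from the failed first load.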
diff --git a/lib/libssl/src/crypto/conf/conf_def.c b/lib/libssl/src/crypto/conf/conf_def.c
index 2e9f52f1fd5..b5a876ae68a 100644
--- a/lib/libssl/src/crypto/conf/conf_def.c
+++ b/lib/libssl/src/crypto/conf/conf_def.c
@@ -632,6 +632,11 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from)));
while (*p)
buf->data[to++]= *(p++);
+
+ /* Since we change the pointer 'from', we also have
+ to change the perceived length of the string it
+ points at. /RL */
+ len -= e-from;
from=e;
}
else
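Review bot: The return value of `BUF_MEM_grow_clean()` is not checked before the copy loop writes through `buf->data[to++]`, so a failed allocation leads to writes into a buffer that was never enlarged. The call should bail out through the function's error path on failure, e.g. `if (!BUF_MEM_grow_clean(buf,(strlen(p)+len-(e-from)))) goto err;` (the label name is assumed, as it is outside the hunk). Since `len` now shrinks on every substitution, it is also worth confirming that the requested size still covers the `to` bytes already written. str_copy starts and ends outside this hunk.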
diff --git a/lib/libssl/src/crypto/cryptlib.c b/lib/libssl/src/crypto/cryptlib.c
index 2924def2bb0..fef0afb29fc 100644
--- a/lib/libssl/src/crypto/cryptlib.c
+++ b/lib/libssl/src/crypto/cryptlib.c
@@ -105,7 +105,9 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
"engine",
"ui",
"hwcrhk", /* This is a HACK which will disappear in 0.9.8 */
-#if CRYPTO_NUM_LOCKS != 33
+ "fips",
+ "fips2",
+#if CRYPTO_NUM_LOCKS != 35
# error "Inconsistency between crypto.h and cryptlib.c"
#endif
};
@@ -478,13 +480,12 @@ const char *CRYPTO_get_lock_name(int type)
return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
}
-#ifdef _DLL
-#ifdef OPENSSL_SYS_WIN32
+#if defined(_WIN32) && defined(_WINDLL)
/* All we really need to do is remove the 'error' state when a thread
* detaches */
-BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
LPVOID lpvReserved)
{
switch(fdwReason)
@@ -503,8 +504,6 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
}
#endif
-#endif
-
void OpenSSLDie(const char *file,int line,const char *assertion)
{
fprintf(stderr,
@@ -512,3 +511,122 @@ void OpenSSLDie(const char *file,int line,const char *assertion)
file,line,assertion);
abort();
}
+
+#ifdef OPENSSL_FIPS
+static int fips_started = 0;
+static int fips_mode = 0;
+static void *fips_rand_check = 0;
+static unsigned long fips_thread = 0;
+
+void fips_set_started(void)
+ {
+ fips_started = 1;
+ }
+
+int fips_is_started(void)
+ {
+ return fips_started;
+ }
+
+int fips_is_owning_thread(void)
+ {
+ int ret = 0;
+
+ if (fips_is_started())
+ {
+ CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
+ if (fips_thread != 0 && fips_thread == CRYPTO_thread_id())
+ ret = 1;
+ CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
+ }
+ return ret;
+ }
+
+int fips_set_owning_thread(void)
+ {
+ int ret = 0;
+
+ if (fips_is_started())
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
+ if (fips_thread == 0)
+ {
+ fips_thread = CRYPTO_thread_id();
+ ret = 1;
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
+ }
+ return ret;
+ }
+
+int fips_clear_owning_thread(void)
+ {
+ int ret = 0;
+
+ if (fips_is_started())
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
+ if (fips_thread == CRYPTO_thread_id())
+ {
+ fips_thread = 0;
+ ret = 1;
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
+ }
+ return ret;
+ }
+
+void fips_set_mode(int onoff)
+ {
+ int owning_thread = fips_is_owning_thread();
+
+ if (fips_is_started())
+ {
+ if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
+ fips_mode = onoff;
+ if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
+ }
+ }
+
+void fips_set_rand_check(void *rand_check)
+ {
+ int owning_thread = fips_is_owning_thread();
+
+ if (fips_is_started())
+ {
+ if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
+ fips_rand_check = rand_check;
+ if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
+ }
+ }
+
+int FIPS_mode(void)
+ {
+ int ret = 0;
+ int owning_thread = fips_is_owning_thread();
+
+ if (fips_is_started())
+ {
+ if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
+ ret = fips_mode;
+ if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
+ }
+ return ret;
+ }
+
+void *FIPS_rand_check(void)
+ {
+ void *ret = 0;
+ int owning_thread = fips_is_owning_thread();
+
+ if (fips_is_started())
+ {
+ if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
+ ret = fips_rand_check;
+ if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
+ }
+ return ret;
+ }
+
+#endif /* OPENSSL_FIPS */
+
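Review bot: fips_set_mode(), fips_set_rand_check(), FIPS_mode() and FIPS_rand_check() skip CRYPTO_LOCK_FIPS whenever the caller is the owning thread, which is safe only if that thread already holds the lock at that point. Nothing in this hunk shows that it does, and no comment states the rule. `fips_started` is also read without any lock, and the setters silently do nothing when it is 0, which a `void` return cannot report. I would add a block comment above fips_is_owning_thread() documenting the protocol: `CRYPTO_LOCK_FIPS2` guards `fips_thread`, `CRYPTO_LOCK_FIPS` guards `fips_mode` and `fips_rand_check`, and the owning thread must hold `CRYPTO_LOCK_FIPS` while it owns (if that is the intent).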
diff --git a/lib/libssl/src/crypto/crypto-lib.com b/lib/libssl/src/crypto/crypto-lib.com
index 39e78c69e50..c044ce0099d 100644
--- a/lib/libssl/src/crypto/crypto-lib.com
+++ b/lib/libssl/src/crypto/crypto-lib.com
@@ -158,7 +158,7 @@ $!
$ APPS_DES = "DES/DES,CBC3_ENC"
$ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE"
$
-$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time"
+$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time,o_str"
$ LIB_MD2 = "md2_dgst,md2_one"
$ LIB_MD4 = "md4_dgst,md4_one"
$ LIB_MD5 = "md5_dgst,md5_one"
@@ -247,7 +247,7 @@ $ LIB_X509 = "x509_def,x509_d2,x509_r2x,x509_cmp,"+ -
$ LIB_X509V3 = "v3_bcons,v3_bitst,v3_conf,v3_extku,v3_ia5,v3_lib,"+ -
"v3_prn,v3_utl,v3err,v3_genn,v3_alt,v3_skey,v3_akey,v3_pku,"+ -
"v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld,v3_purp,v3_info,"+ -
- "v3_ocsp,v3_akeya"
+ "v3_ocsp,v3_akeya,v3_pcia,v3_pci"
$ LIB_CONF = "conf_err,conf_lib,conf_api,conf_def,conf_mod,conf_mall,conf_sap"
$ LIB_TXT_DB = "txt_db"
$ LIB_PKCS7 = "pk7_asn1,pk7_lib,pkcs7err,pk7_doit,pk7_smime,pk7_attr,"+ -
@@ -752,8 +752,8 @@ $ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "The Option ",P1," Is Invalid. The Valid Options Are:"
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT " ALL : Just Build Everything."
-$ WRITE SYS$OUTPUT " LIBRARY : To Compile Just The [.xxx.EXE.SSL]LIBCRYPTO.OLB Library."
-$ WRITE SYS$OUTPUT " APPS : To Compile Just The [.xxx.EXE.SSL]*.EXE Programs."
+$ WRITE SYS$OUTPUT " LIBRARY : To Compile Just The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library."
+$ WRITE SYS$OUTPUT " APPS : To Compile Just The [.xxx.EXE.CRYPTO]*.EXE Programs."
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT " Where 'xxx' Stands For:"
$ WRITE SYS$OUTPUT ""
diff --git a/lib/libssl/src/crypto/crypto.h b/lib/libssl/src/crypto/crypto.h
index 273bc5e3f87..4d1dfac7f1e 100644
--- a/lib/libssl/src/crypto/crypto.h
+++ b/lib/libssl/src/crypto/crypto.h
@@ -128,7 +128,9 @@ extern "C" {
#define CRYPTO_LOCK_ENGINE 30
#define CRYPTO_LOCK_UI 31
#define CRYPTO_LOCK_HWCRHK 32 /* This is a HACK which will disappear in 0.9.8 */
-#define CRYPTO_NUM_LOCKS 33
+#define CRYPTO_LOCK_FIPS 33
+#define CRYPTO_LOCK_FIPS2 34
+#define CRYPTO_NUM_LOCKS 35
#define CRYPTO_LOCK 1
#define CRYPTO_UNLOCK 2
@@ -434,6 +436,63 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
void OpenSSLDie(const char *file,int line,const char *assertion);
#define OPENSSL_assert(e) ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+#ifdef OPENSSL_FIPS
+int FIPS_mode(void);
+void *FIPS_rand_check(void);
+
+#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
+ alg " previous FIPS forbidden algorithm error ignored");
+
+#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \
+ #alg " Algorithm forbidden in FIPS mode");
+
+#ifdef OPENSSL_FIPS_STRICT
+#define FIPS_BAD_ALGORITHM(alg) FIPS_BAD_ABORT(alg)
+#else
+#define FIPS_BAD_ALGORITHM(alg) \
+ { \
+ FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); \
+ ERR_add_error_data(2, "Algorithm=", #alg); \
+ return 0; \
+ }
+#endif
+
+/* Low level digest API blocking macro */
+
+#define FIPS_NON_FIPS_MD_Init(alg) \
+ int alg##_Init(alg##_CTX *c) \
+ { \
+ if (FIPS_mode()) \
+ FIPS_BAD_ALGORITHM(alg) \
+ return private_##alg##_Init(c); \
+ } \
+ int private_##alg##_Init(alg##_CTX *c)
+
+/* For ciphers the API often varies from cipher to cipher and each needs to
+ * be treated as a special case. Variable key length ciphers (Blowfish, RC4,
+ * CAST) however are very similar and can use a blocking macro.
+ */
+
+#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
+ void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data) \
+ { \
+ if (FIPS_mode()) \
+ FIPS_BAD_ABORT(alg) \
+ private_##alg##_set_key(key, len, data); \
+ } \
+ void private_##alg##_set_key(alg##_KEY *key, int len, \
+ const unsigned char *data)
+
+#else
+
+#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
+ void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data)
+
+#define FIPS_NON_FIPS_MD_Init(alg) \
+ int alg##_Init(alg##_CTX *c)
+
+#endif /* def OPENSSL_FIPS */
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
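Review bot: In the non-strict build FIPS_NON_FIPS_MD_Init blocks a forbidden digest only by making `alg##_Init` return 0, so a caller that ignores that return continues into Update/Final with a context that was never initialised. Whether those entry points re-check is not visible in this hunk. FIPS_BAD_ALGORITHM also hard-codes `FIPS_F_HASH_FINAL` as the function code although it is expanded inside an Init function. Both wrapper macros put the abort or return under an unbraced `if` and rely on the `;` embedded in FIPS_BAD_ABORT; writing `if (FIPS_mode()) { FIPS_BAD_ABORT(alg) }` in the macro bodies would make that robust.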
diff --git a/lib/libssl/src/crypto/des/cfb64ede.c b/lib/libssl/src/crypto/des/cfb64ede.c
index 60c1aa08db4..f3c60185288 100644
--- a/lib/libssl/src/crypto/des/cfb64ede.c
+++ b/lib/libssl/src/crypto/des/cfb64ede.c
@@ -57,6 +57,7 @@
*/
#include "des_locl.h"
+#include "e_os.h"
/* The input and output encrypted as though 64bit cfb mode is being
* used. The extra state information to record how much of the
@@ -140,3 +141,114 @@ void DES_ede2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
DES_ede3_cfb64_encrypt(in,out,length,ks1,ks2,ks1,ivec,num,enc);
}
#endif
+
+/* This is compatible with the single key CFB-r for DES, even thought that's
+ * not what EVP needs.
+ */
+
+void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
+ int numbits,long length,DES_key_schedule *ks1,
+ DES_key_schedule *ks2,DES_key_schedule *ks3,
+ DES_cblock *ivec,int enc)
+ {
+ register DES_LONG d0,d1,v0,v1;
+ register long l=length;
+ register int num=numbits,n=(numbits+7)/8,i;
+ DES_LONG ti[2];
+ unsigned char *iv;
+ unsigned char ovec[16];
+
+ if (num > 64) return;
+ iv = &(*ivec)[0];
+ c2l(iv,v0);
+ c2l(iv,v1);
+ if (enc)
+ {
+ while (l >= n)
+ {
+ l-=n;
+ ti[0]=v0;
+ ti[1]=v1;
+ DES_encrypt3(ti,ks1,ks2,ks3);
+ c2ln(in,d0,d1,n);
+ in+=n;
+ d0^=ti[0];
+ d1^=ti[1];
+ l2cn(d0,d1,out,n);
+ out+=n;
+ /* 30-08-94 - eay - changed because l>>32 and
+ * l<<32 are bad under gcc :-( */
+ if (num == 32)
+ { v0=v1; v1=d0; }
+ else if (num == 64)
+ { v0=d0; v1=d1; }
+ else
+ {
+ iv=&ovec[0];
+ l2c(v0,iv);
+ l2c(v1,iv);
+ l2c(d0,iv);
+ l2c(d1,iv);
+ /* shift ovec left most of the bits... */
+ memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+ /* now the remaining bits */
+ if(num%8 != 0)
+ for(i=0 ; i < 8 ; ++i)
+ {
+ ovec[i]<<=num%8;
+ ovec[i]|=ovec[i+1]>>(8-num%8);
+ }
+ iv=&ovec[0];
+ c2l(iv,v0);
+ c2l(iv,v1);
+ }
+ }
+ }
+ else
+ {
+ while (l >= n)
+ {
+ l-=n;
+ ti[0]=v0;
+ ti[1]=v1;
+ DES_encrypt3(ti,ks1,ks2,ks3);
+ c2ln(in,d0,d1,n);
+ in+=n;
+ /* 30-08-94 - eay - changed because l>>32 and
+ * l<<32 are bad under gcc :-( */
+ if (num == 32)
+ { v0=v1; v1=d0; }
+ else if (num == 64)
+ { v0=d0; v1=d1; }
+ else
+ {
+ iv=&ovec[0];
+ l2c(v0,iv);
+ l2c(v1,iv);
+ l2c(d0,iv);
+ l2c(d1,iv);
+ /* shift ovec left most of the bits... */
+ memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+ /* now the remaining bits */
+ if(num%8 != 0)
+ for(i=0 ; i < 8 ; ++i)
+ {
+ ovec[i]<<=num%8;
+ ovec[i]|=ovec[i+1]>>(8-num%8);
+ }
+ iv=&ovec[0];
+ c2l(iv,v0);
+ c2l(iv,v1);
+ }
+ d0^=ti[0];
+ d1^=ti[1];
+ l2cn(d0,d1,out,n);
+ out+=n;
+ }
+ }
+ iv = &(*ivec)[0];
+ l2c(v0,iv);
+ l2c(v1,iv);
+ v0=v1=d0=d1=ti[0]=ti[1]=0;
+ }
+
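Review bot: `DES_ede3_cfb_encrypt` rejects only `numbits > 64`, so a zero or negative `numbits` gets through: with `numbits == 0` the byte count `n` is 0 and `while (l >= n)` never makes progress for any non-negative `length`. The guard should bound both ends, `if (num <= 0 || num > 64) return;`. Because the function returns void, a rejected call leaves `out` unwritten with no signal to the caller, which deserves a line in the comment above the function. The closing `v0=v1=d0=d1=ti[0]=ti[1]=0;` does not clear `ovec`; that buffer holds only shift-register and ciphertext bytes, so this is a tidiness point.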
diff --git a/lib/libssl/src/crypto/des/des.h b/lib/libssl/src/crypto/des/des.h
index dfe5ff64e44..81bd874edd7 100644
--- a/lib/libssl/src/crypto/des/des.h
+++ b/lib/libssl/src/crypto/des/des.h
@@ -130,7 +130,7 @@ OPENSSL_DECLARE_GLOBAL(int,DES_rw_mode); /* defaults to DES_PCBC_MODE */
#define DES_rw_mode OPENSSL_GLOBAL_REF(DES_rw_mode)
const char *DES_options(void);
-void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
+void DES_ecb3_encrypt(const unsigned char *input, unsigned char *output,
DES_key_schedule *ks1,DES_key_schedule *ks2,
DES_key_schedule *ks3, int enc);
DES_LONG DES_cbc_cksum(const unsigned char *input,DES_cblock *output,
@@ -189,6 +189,10 @@ void DES_ede3_cfb64_encrypt(const unsigned char *in,unsigned char *out,
long length,DES_key_schedule *ks1,
DES_key_schedule *ks2,DES_key_schedule *ks3,
DES_cblock *ivec,int *num,int enc);
+void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
+ int numbits,long length,DES_key_schedule *ks1,
+ DES_key_schedule *ks2,DES_key_schedule *ks3,
+ DES_cblock *ivec,int enc);
void DES_ede3_ofb64_encrypt(const unsigned char *in,unsigned char *out,
long length,DES_key_schedule *ks1,
DES_key_schedule *ks2,DES_key_schedule *ks3,
diff --git a/lib/libssl/src/crypto/des/des_enc.c b/lib/libssl/src/crypto/des/des_enc.c
index 4f09804c44f..6a49ec4a550 100644
--- a/lib/libssl/src/crypto/des/des_enc.c
+++ b/lib/libssl/src/crypto/des/des_enc.c
@@ -58,7 +58,9 @@
#include "des_locl.h"
+#ifndef OPENSSL_FIPS
#ifndef OPENBSD_DES_ASM
+
void DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
{
register DES_LONG l,r,t,u;
@@ -289,8 +291,12 @@ void DES_decrypt3(DES_LONG *data, DES_key_schedule *ks1,
data[1]=r;
}
+#endif /* ndef OPENSSL_FIPS */
+
#ifndef DES_DEFAULT_OPTIONS
+#if !defined(OPENSSL_FIPS_DES_ASM)
+
#undef CBC_ENC_C__DONT_UPDATE_IV
#include "ncbc_enc.c" /* DES_ncbc_encrypt */
@@ -406,4 +412,6 @@ void DES_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
tin[0]=tin[1]=0;
}
+#endif /* !defined(OPENSSL_FIPS_DES_ASM) */
+
#endif /* DES_DEFAULT_OPTIONS */
diff --git a/lib/libssl/src/crypto/des/destest.c b/lib/libssl/src/crypto/des/destest.c
index 3983ac8e5f1..e3e9d77f144 100644
--- a/lib/libssl/src/crypto/des/destest.c
+++ b/lib/libssl/src/crypto/des/destest.c
@@ -439,8 +439,8 @@ int main(int argc, char *argv[])
memcpy(in,plain_data[i],8);
memset(out,0,8);
memset(outin,0,8);
- des_ecb2_encrypt(&in,&out,ks,ks2,DES_ENCRYPT);
- des_ecb2_encrypt(&out,&outin,ks,ks2,DES_DECRYPT);
+ des_ecb2_encrypt(in,out,ks,ks2,DES_ENCRYPT);
+ des_ecb2_encrypt(out,outin,ks,ks2,DES_DECRYPT);
if (memcmp(out,cipher_ecb2[i],8) != 0)
{
diff --git a/lib/libssl/src/crypto/des/ecb3_enc.c b/lib/libssl/src/crypto/des/ecb3_enc.c
index c3437bc6062..fa0c9c4d4fc 100644
--- a/lib/libssl/src/crypto/des/ecb3_enc.c
+++ b/lib/libssl/src/crypto/des/ecb3_enc.c
@@ -58,15 +58,13 @@
#include "des_locl.h"
-void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
+void DES_ecb3_encrypt(const unsigned char *in, unsigned char *out,
DES_key_schedule *ks1, DES_key_schedule *ks2,
DES_key_schedule *ks3,
int enc)
{
register DES_LONG l0,l1;
DES_LONG ll[2];
- const unsigned char *in = &(*input)[0];
- unsigned char *out = &(*output)[0];
c2l(in,l0);
c2l(in,l1);
diff --git a/lib/libssl/src/crypto/des/set_key.c b/lib/libssl/src/crypto/des/set_key.c
index 143008ed9c5..8881d46a7ad 100644
--- a/lib/libssl/src/crypto/des/set_key.c
+++ b/lib/libssl/src/crypto/des/set_key.c
@@ -65,6 +65,8 @@
*/
#include "des_locl.h"
+#ifndef OPENSSL_FIPS
+
OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key); /* defaults to false */
static const unsigned char odd_parity[256]={
@@ -405,3 +407,5 @@ void des_fixup_key_parity(des_cblock *key)
des_set_odd_parity(key);
}
*/
+
+#endif /* ndef OPENSSL_FIPS */
diff --git a/lib/libssl/src/crypto/dh/dh_check.c b/lib/libssl/src/crypto/dh/dh_check.c
index f0373f7d687..a7e9920efb0 100644
--- a/lib/libssl/src/crypto/dh/dh_check.c
+++ b/lib/libssl/src/crypto/dh/dh_check.c
@@ -70,6 +70,8 @@
* should hold.
*/
+#ifndef OPENSSL_FIPS
+
int DH_check(const DH *dh, int *ret)
{
int ok=0;
@@ -118,3 +120,5 @@ err:
if (q != NULL) BN_free(q);
return(ok);
}
+
+#endif
diff --git a/lib/libssl/src/crypto/dh/dh_err.c b/lib/libssl/src/crypto/dh/dh_err.c
index d837950aecb..c2715044c91 100644
--- a/lib/libssl/src/crypto/dh/dh_err.c
+++ b/lib/libssl/src/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
/* crypto/dh/dh_err.c */
/* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/lib/libssl/src/crypto/dh/dh_gen.c b/lib/libssl/src/crypto/dh/dh_gen.c
index 06f78b35ab7..23777f5a16c 100644
--- a/lib/libssl/src/crypto/dh/dh_gen.c
+++ b/lib/libssl/src/crypto/dh/dh_gen.c
@@ -86,6 +86,9 @@
* It's just as OK (and in some sense better) to use a generator of the
* order-q subgroup.
*/
+
+#ifndef OPENSSL_FIPS
+
DH *DH_generate_parameters(int prime_len, int generator,
void (*callback)(int,int,void *), void *cb_arg)
{
@@ -146,6 +149,7 @@ DH *DH_generate_parameters(int prime_len, int generator,
if (callback != NULL) callback(3,0,cb_arg);
ret->p=p;
ret->g=BN_new();
+ if (ret->g == NULL) goto err;
if (!BN_set_word(ret->g,g)) goto err;
ok=1;
err:
@@ -167,3 +171,5 @@ err:
}
return(ret);
}
+
+#endif
diff --git a/lib/libssl/src/crypto/dh/dh_key.c b/lib/libssl/src/crypto/dh/dh_key.c
index 77f2f50b516..ff125c2296f 100644
--- a/lib/libssl/src/crypto/dh/dh_key.c
+++ b/lib/libssl/src/crypto/dh/dh_key.c
@@ -62,6 +62,8 @@
#include <openssl/rand.h>
#include <openssl/dh.h>
+#ifndef OPENSSL_FIPS
+
static int generate_key(DH *dh);
static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
@@ -220,3 +222,5 @@ static int dh_finish(DH *dh)
BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
return(1);
}
+
+#endif
diff --git a/lib/libssl/src/crypto/dsa/dsa.h b/lib/libssl/src/crypto/dsa/dsa.h
index 9b3baadf2c4..225ff391f9b 100644
--- a/lib/libssl/src/crypto/dsa/dsa.h
+++ b/lib/libssl/src/crypto/dsa/dsa.h
@@ -81,6 +81,10 @@
#define DSA_FLAG_CACHE_MONT_P 0x01
+#if defined(OPENSSL_FIPS)
+#define FIPS_DSA_SIZE_T int
+#endif
+
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/lib/libssl/src/crypto/dsa/dsa_gen.c b/lib/libssl/src/crypto/dsa/dsa_gen.c
index dc9c2493103..e40afeea516 100644
--- a/lib/libssl/src/crypto/dsa/dsa_gen.c
+++ b/lib/libssl/src/crypto/dsa/dsa_gen.c
@@ -80,6 +80,7 @@
#include <openssl/rand.h>
#include <openssl/sha.h>
+#ifndef OPENSSL_FIPS
DSA *DSA_generate_parameters(int bits,
unsigned char *seed_in, int seed_len,
int *counter_ret, unsigned long *h_ret,
@@ -127,8 +128,9 @@ DSA *DSA_generate_parameters(int bits,
c = BN_CTX_get(ctx2);
p = BN_CTX_get(ctx2);
test = BN_CTX_get(ctx2);
+ if (test == NULL) goto err;
- BN_lshift(test,BN_value_one(),bits-1);
+ if (!BN_lshift(test,BN_value_one(),bits-1)) goto err;
for (;;)
{
@@ -196,7 +198,7 @@ DSA *DSA_generate_parameters(int bits,
callback(0,counter,cb_arg);
/* step 7 */
- BN_zero(W);
+ if (!BN_zero(W)) goto err;
/* now 'buf' contains "SEED + offset - 1" */
for (k=0; k<=n; k++)
{
@@ -212,20 +214,20 @@ DSA *DSA_generate_parameters(int bits,
/* step 8 */
if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
goto err;
- BN_lshift(r0,r0,160*k);
- BN_add(W,W,r0);
+ if (!BN_lshift(r0,r0,160*k)) goto err;
+ if (!BN_add(W,W,r0)) goto err;
}
/* more of step 8 */
- BN_mask_bits(W,bits-1);
- BN_copy(X,W); /* this should be ok */
- BN_add(X,X,test); /* this should be ok */
+ if (!BN_mask_bits(W,bits-1)) goto err;
+ if (!BN_copy(X,W)) goto err;
+ if (!BN_add(X,X,test)) goto err;
/* step 9 */
- BN_lshift1(r0,q);
- BN_mod(c,X,r0,ctx);
- BN_sub(r0,c,BN_value_one());
- BN_sub(p,X,r0);
+ if (!BN_lshift1(r0,q)) goto err;
+ if (!BN_mod(c,X,r0,ctx)) goto err;
+ if (!BN_sub(r0,c,BN_value_one())) goto err;
+ if (!BN_sub(p,X,r0)) goto err;
/* step 10 */
if (BN_cmp(p,test) >= 0)
@@ -251,18 +253,18 @@ end:
/* We now need to generate g */
/* Set r0=(p-1)/q */
- BN_sub(test,p,BN_value_one());
- BN_div(r0,NULL,test,q,ctx);
+ if (!BN_sub(test,p,BN_value_one())) goto err;
+ if (!BN_div(r0,NULL,test,q,ctx)) goto err;
- BN_set_word(test,h);
- BN_MONT_CTX_set(mont,p,ctx);
+ if (!BN_set_word(test,h)) goto err;
+ if (!BN_MONT_CTX_set(mont,p,ctx)) goto err;
for (;;)
{
/* g=test^r0%p */
- BN_mod_exp_mont(g,test,r0,p,ctx,mont);
+ if (!BN_mod_exp_mont(g,test,r0,p,ctx,mont)) goto err;
if (!BN_is_one(g)) break;
- BN_add(test,test,BN_value_one());
+ if (!BN_add(test,test,BN_value_one())) goto err;
h++;
}
@@ -279,6 +281,11 @@ err:
ret->p=BN_dup(p);
ret->q=BN_dup(q);
ret->g=BN_dup(g);
+ if (ret->p == NULL || ret->q == NULL || ret->g == NULL)
+ {
+ ok=0;
+ goto err;
+ }
if ((m > 1) && (seed_in != NULL)) memcpy(seed_in,seed,20);
if (counter_ret != NULL) *counter_ret=counter;
if (h_ret != NULL) *h_ret=h;
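Review bot: The added `goto err;` jumps backwards, since the hunk header places the `err:` label above these lines, so the failure path re-enters the cleanup block it is already inside and relies on `ok=0` to take the other branch. That is only safe while the code at `err:` tests `ok` before touching `ret`, which is not visible in this hunk. A comment at the jump would make the intent explicit, for example `/* re-run the err: block with ok=0 so the partially filled ret is released */`.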
@@ -293,4 +300,6 @@ err:
if (mont != NULL) BN_MONT_CTX_free(mont);
return(ok?ret:NULL);
}
-#endif
+#endif /* ndef OPENSSL_FIPS */
+#endif /* ndef OPENSSL_NO_SHA */
+
diff --git a/lib/libssl/src/crypto/dsa/dsa_key.c b/lib/libssl/src/crypto/dsa/dsa_key.c
index ef87c3e6372..30607ca579f 100644
--- a/lib/libssl/src/crypto/dsa/dsa_key.c
+++ b/lib/libssl/src/crypto/dsa/dsa_key.c
@@ -64,6 +64,7 @@
#include <openssl/dsa.h>
#include <openssl/rand.h>
+#ifndef OPENSSL_FIPS
int DSA_generate_key(DSA *dsa)
{
int ok=0;
@@ -103,3 +104,4 @@ err:
return(ok);
}
#endif
+#endif
diff --git a/lib/libssl/src/crypto/dsa/dsa_ossl.c b/lib/libssl/src/crypto/dsa/dsa_ossl.c
index b9e7f3ea5c6..f1a85afcde8 100644
--- a/lib/libssl/src/crypto/dsa/dsa_ossl.c
+++ b/lib/libssl/src/crypto/dsa/dsa_ossl.c
@@ -65,6 +65,7 @@
#include <openssl/rand.h>
#include <openssl/asn1.h>
+#ifndef OPENSSL_FIPS
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
@@ -346,3 +347,4 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
{
return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
}
+#endif
diff --git a/lib/libssl/src/crypto/dsa/dsa_sign.c b/lib/libssl/src/crypto/dsa/dsa_sign.c
index 89205026f01..3c9753bac39 100644
--- a/lib/libssl/src/crypto/dsa/dsa_sign.c
+++ b/lib/libssl/src/crypto/dsa/dsa_sign.c
@@ -64,9 +64,17 @@
#include <openssl/dsa.h>
#include <openssl/rand.h>
#include <openssl/asn1.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#include <openssl/fips.h>
DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
{
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode() && !FIPS_dsa_check(dsa))
+ return NULL;
+#endif
return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
}
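Review bot: `<openssl/fips.h>` is included unconditionally here, while the evp.h part of this same change wraps the include in `#ifdef OPENSSL_FIPS`; dsa_vrf.c and err_all.c have the same unguarded include. If the header is not installed for non-FIPS builds these files stop compiling, so I would guard it the same way in all three: `#ifdef OPENSSL_FIPS`, `#include <openssl/fips.h>`, `#endif`. The added `<openssl/engine.h>` include is not used by anything visible in either hunk of this file.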
@@ -87,6 +95,10 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
{
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode() && !FIPS_dsa_check(dsa))
+ return 0;
+#endif
return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
}
diff --git a/lib/libssl/src/crypto/dsa/dsa_vrf.c b/lib/libssl/src/crypto/dsa/dsa_vrf.c
index c4aeddd0560..8ef0c450252 100644
--- a/lib/libssl/src/crypto/dsa/dsa_vrf.c
+++ b/lib/libssl/src/crypto/dsa/dsa_vrf.c
@@ -65,10 +65,18 @@
#include <openssl/rand.h>
#include <openssl/asn1.h>
#include <openssl/asn1_mac.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#include <openssl/fips.h>
int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
DSA *dsa)
{
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode() && !FIPS_dsa_check(dsa))
+ return -1;
+#endif
return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
}
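Review bot: The FIPS rejection in `DSA_do_verify` returns -1, which is non-zero, so a caller that tests the result as a boolean (`if (DSA_do_verify(...))`) would treat a refused key as a valid signature. The value matches the function's error convention, but nothing in the hunk states it; I would add above the function `/* returns 1 = signature valid, 0 = invalid, -1 = error (including key refused in FIPS mode); callers must compare against 1 */`. Whether `FIPS_dsa_check` queues an error for the caller to inspect is not visible here.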
diff --git a/lib/libssl/src/crypto/dso/dso_win32.c b/lib/libssl/src/crypto/dso/dso_win32.c
index 6c30deb250b..3fa90eb27cf 100644
--- a/lib/libssl/src/crypto/dso/dso_win32.c
+++ b/lib/libssl/src/crypto/dso/dso_win32.c
@@ -61,7 +61,7 @@
#include "cryptlib.h"
#include <openssl/dso.h>
-#if !defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
+#if !defined(DSO_WIN32)
DSO_METHOD *DSO_METHOD_win32(void)
{
return NULL;
diff --git a/lib/libssl/src/crypto/engine/hw_cryptodev.c b/lib/libssl/src/crypto/engine/hw_cryptodev.c
index 0ca442af8a5..41184b67867 100644
--- a/lib/libssl/src/crypto/engine/hw_cryptodev.c
+++ b/lib/libssl/src/crypto/engine/hw_cryptodev.c
@@ -93,7 +93,7 @@ static int open_dev_crypto(void);
static int get_dev_crypto(void);
static struct dev_crypto_cipher *cipher_nid_to_cryptodev(int nid);
static int get_cryptodev_ciphers(const int **cnids);
-static int get_cryptodev_digests(const int **cnids);
+/*static int get_cryptodev_digests(const int **cnids);*/
static int cryptodev_usable_ciphers(const int **nids);
static int cryptodev_usable_digests(const int **nids);
static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -150,6 +150,7 @@ static struct dev_crypto_cipher ciphers[] = {
{ 0, NID_undef, 0, 0, },
};
+#if 0 /* UNUSED */
static struct {
int id;
int nid;
@@ -162,6 +163,7 @@ static struct {
{ CRYPTO_SHA1, NID_undef, },
{ 0, NID_undef, },
};
+#endif
/*
* Return a fd if /dev/crypto seems usable, -1 otherwise.
@@ -297,6 +299,7 @@ get_cryptodev_ciphers(const int **cnids)
* returning them here is harmless, as long as we return NULL
* when asked for a handler in the cryptodev_engine_digests routine
*/
+#if 0 /* UNUSED */
static int
get_cryptodev_digests(const int **cnids)
{
@@ -326,6 +329,7 @@ get_cryptodev_digests(const int **cnids)
*cnids = NULL;
return (count);
}
+#endif
/*
* Find the useable ciphers|digests from dev/crypto - this is the first
@@ -832,7 +836,7 @@ static int
bn2crparam(const BIGNUM *a, struct crparam *crp)
{
int i, j, k;
- ssize_t words, bytes, bits;
+ ssize_t bytes, bits;
u_char *b;
crp->crp_p = NULL;
diff --git a/lib/libssl/src/crypto/err/err.c b/lib/libssl/src/crypto/err/err.c
index 792f3296009..c78790a54cc 100644
--- a/lib/libssl/src/crypto/err/err.c
+++ b/lib/libssl/src/crypto/err/err.c
@@ -149,6 +149,7 @@ static ERR_STRING_DATA ERR_str_libraries[]=
{ERR_PACK(ERR_LIB_DSO,0,0) ,"DSO support routines"},
{ERR_PACK(ERR_LIB_ENGINE,0,0) ,"engine routines"},
{ERR_PACK(ERR_LIB_OCSP,0,0) ,"OCSP routines"},
+{ERR_PACK(ERR_LIB_FIPS,0,0) ,"FIPS routines"},
{0,NULL},
};
@@ -167,6 +168,7 @@ static ERR_STRING_DATA ERR_str_functs[]=
#endif
{ERR_PACK(0,SYS_F_OPENDIR,0), "opendir"},
{ERR_PACK(0,SYS_F_FREAD,0), "fread"},
+ {ERR_PACK(0,SYS_F_GETADDRINFO,0), "getaddrinfo"},
{0,NULL},
};
diff --git a/lib/libssl/src/crypto/err/err.h b/lib/libssl/src/crypto/err/err.h
index 8faa3a7b4f5..2efa18866ad 100644
--- a/lib/libssl/src/crypto/err/err.h
+++ b/lib/libssl/src/crypto/err/err.h
@@ -131,6 +131,7 @@ typedef struct err_state_st
#define ERR_LIB_OCSP 39
#define ERR_LIB_UI 40
#define ERR_LIB_COMP 41
+#define ERR_LIB_FIPS 42
#define ERR_LIB_USER 128
@@ -159,6 +160,7 @@ typedef struct err_state_st
#define OCSPerr(f,r) ERR_PUT_error(ERR_LIB_OCSP,(f),(r),__FILE__,__LINE__)
#define UIerr(f,r) ERR_PUT_error(ERR_LIB_UI,(f),(r),__FILE__,__LINE__)
#define COMPerr(f,r) ERR_PUT_error(ERR_LIB_COMP,(f),(r),__FILE__,__LINE__)
+#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__)
/* Borland C seems too stupid to be able to shift and do longs in
* the pre-processor :-( */
@@ -183,6 +185,7 @@ typedef struct err_state_st
#define SYS_F_WSASTARTUP 9 /* Winsock stuff */
#define SYS_F_OPENDIR 10
#define SYS_F_FREAD 11
+#define SYS_F_GETADDRINFO 12
/* reasons */
diff --git a/lib/libssl/src/crypto/err/err_all.c b/lib/libssl/src/crypto/err/err_all.c
index dc505d9d9d4..4dc93008929 100644
--- a/lib/libssl/src/crypto/err/err_all.c
+++ b/lib/libssl/src/crypto/err/err_all.c
@@ -87,6 +87,7 @@
#endif
#include <openssl/ocsp.h>
#include <openssl/err.h>
+#include <openssl/fips.h>
void ERR_load_crypto_strings(void)
{
@@ -130,4 +131,7 @@ void ERR_load_crypto_strings(void)
ERR_load_OCSP_strings();
ERR_load_UI_strings();
#endif
+#ifdef OPENSSL_FIPS
+ ERR_load_FIPS_strings();
+#endif
}
diff --git a/lib/libssl/src/crypto/err/openssl.ec b/lib/libssl/src/crypto/err/openssl.ec
index 29a69dfdd43..447a7f87ed8 100644
--- a/lib/libssl/src/crypto/err/openssl.ec
+++ b/lib/libssl/src/crypto/err/openssl.ec
@@ -27,6 +27,7 @@ L DSO crypto/dso/dso.h crypto/dso/dso_err.c
L ENGINE crypto/engine/engine.h crypto/engine/eng_err.c
L OCSP crypto/ocsp/ocsp.h crypto/ocsp/ocsp_err.c
L UI crypto/ui/ui.h crypto/ui/ui_err.c
+L FIPS fips/fips.h fips/fips_err.h
# additional header files to be scanned for function names
L NONE crypto/x509/x509_vfy.h NONE
diff --git a/lib/libssl/src/crypto/evp/bio_md.c b/lib/libssl/src/crypto/evp/bio_md.c
index c632dfb2022..f4aa41ac4b4 100644
--- a/lib/libssl/src/crypto/evp/bio_md.c
+++ b/lib/libssl/src/crypto/evp/bio_md.c
@@ -176,10 +176,11 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
{
case BIO_CTRL_RESET:
if (b->init)
- EVP_DigestInit_ex(ctx,ctx->digest, NULL);
+ ret = EVP_DigestInit_ex(ctx,ctx->digest, NULL);
else
ret=0;
- ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+ if (ret > 0)
+ ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
break;
case BIO_C_GET_MD:
if (b->init)
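Review bot: With the new `if (ret > 0)` guard, a `BIO_CTRL_RESET` on a digest BIO that has no digest set (`b->init` false, so `ret=0`) is no longer passed on to `b->next_bio`, whereas the old code always forwarded it. That leaves the rest of the chain un-reset in a case that previously worked. If only a failed `EVP_DigestInit_ex` is meant to stop the reset, the condition could be `if (!b->init || EVP_DigestInit_ex(ctx,ctx->digest,NULL) > 0) ret=BIO_ctrl(b->next_bio,cmd,num,ptr); else ret=0;`. The enclosing `md_ctrl` switch starts and ends outside this hunk.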
@@ -191,11 +192,12 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
ret=0;
break;
case BIO_C_GET_MD_CTX:
+ pctx=ptr;
+ *pctx=ctx;
+ break;
+ case BIO_C_SET_MD_CTX:
if (b->init)
- {
- pctx=ptr;
- *pctx=ctx;
- }
+ b->ptr=ptr;
else
ret=0;
break;
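Review bot: `BIO_C_SET_MD_CTX` overwrites `b->ptr` with the caller's pointer without releasing the context that was there and without checking `ptr` for NULL. Allocation and release of `b->ptr` are outside this hunk, but if the BIO's free routine destroys `b->ptr`, the original context leaks and the caller's context is later freed by the BIO, which becomes a double free when the caller destroys it too. I would reject NULL, `if (b->init && ptr != NULL) b->ptr=ptr; else ret=0;`, and add a comment stating who owns the supplied `EVP_MD_CTX` and what happens to the previous one. The same hunk also drops the `b->init` test from `BIO_C_GET_MD_CTX`, so callers can now receive a context that has no digest set.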
@@ -207,8 +209,9 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
case BIO_C_SET_MD:
md=ptr;
- EVP_DigestInit_ex(ctx,md, NULL);
- b->init=1;
+ ret = EVP_DigestInit_ex(ctx,md, NULL);
+ if (ret > 0)
+ b->init=1;
break;
case BIO_CTRL_DUP:
dbio=ptr;
diff --git a/lib/libssl/src/crypto/evp/c_allc.c b/lib/libssl/src/crypto/evp/c_allc.c
index 341a958fd47..fc968123657 100644
--- a/lib/libssl/src/crypto/evp/c_allc.c
+++ b/lib/libssl/src/crypto/evp/c_allc.c
@@ -67,6 +67,8 @@ void OpenSSL_add_all_ciphers(void)
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cfb());
+ EVP_add_cipher(EVP_des_cfb1());
+ EVP_add_cipher(EVP_des_cfb8());
EVP_add_cipher(EVP_des_ede_cfb());
EVP_add_cipher(EVP_des_ede3_cfb());
@@ -150,6 +152,8 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_128_ecb());
EVP_add_cipher(EVP_aes_128_cbc());
EVP_add_cipher(EVP_aes_128_cfb());
+ EVP_add_cipher(EVP_aes_128_cfb1());
+ EVP_add_cipher(EVP_aes_128_cfb8());
EVP_add_cipher(EVP_aes_128_ofb());
#if 0
EVP_add_cipher(EVP_aes_128_ctr());
@@ -159,6 +163,8 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_192_ecb());
EVP_add_cipher(EVP_aes_192_cbc());
EVP_add_cipher(EVP_aes_192_cfb());
+ EVP_add_cipher(EVP_aes_192_cfb1());
+ EVP_add_cipher(EVP_aes_192_cfb8());
EVP_add_cipher(EVP_aes_192_ofb());
#if 0
EVP_add_cipher(EVP_aes_192_ctr());
@@ -168,6 +174,8 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_256_ecb());
EVP_add_cipher(EVP_aes_256_cbc());
EVP_add_cipher(EVP_aes_256_cfb());
+ EVP_add_cipher(EVP_aes_256_cfb1());
+ EVP_add_cipher(EVP_aes_256_cfb8());
EVP_add_cipher(EVP_aes_256_ofb());
#if 0
EVP_add_cipher(EVP_aes_256_ctr());
diff --git a/lib/libssl/src/crypto/evp/c_alld.c b/lib/libssl/src/crypto/evp/c_alld.c
index be91cdb0373..aae7bf7482a 100644
--- a/lib/libssl/src/crypto/evp/c_alld.c
+++ b/lib/libssl/src/crypto/evp/c_alld.c
@@ -75,7 +75,7 @@ void OpenSSL_add_all_digests(void)
EVP_add_digest_alias(SN_md5,"ssl2-md5");
EVP_add_digest_alias(SN_md5,"ssl3-md5");
#endif
-#ifndef OPENSSL_NO_SHA
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
EVP_add_digest(EVP_sha());
#ifndef OPENSSL_NO_DSA
EVP_add_digest(EVP_dss());
diff --git a/lib/libssl/src/crypto/evp/digest.c b/lib/libssl/src/crypto/evp/digest.c
index 0623ddf1f05..f21c63842ca 100644
--- a/lib/libssl/src/crypto/evp/digest.c
+++ b/lib/libssl/src/crypto/evp/digest.c
@@ -137,6 +137,39 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
return EVP_DigestInit_ex(ctx, type, NULL);
}
+#ifdef OPENSSL_FIPS
+
+/* The purpose of these is to trap programs that attempt to use non FIPS
+ * algorithms in FIPS mode and ignore the errors.
+ */
+
+static int bad_init(EVP_MD_CTX *ctx)
+ { FIPS_ERROR_IGNORED("Digest init"); return 0;}
+
+static int bad_update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+ { FIPS_ERROR_IGNORED("Digest update"); return 0;}
+
+static int bad_final(EVP_MD_CTX *ctx,unsigned char *md)
+ { FIPS_ERROR_IGNORED("Digest Final"); return 0;}
+
+static const EVP_MD bad_md =
+ {
+ 0,
+ 0,
+ 0,
+ 0,
+ bad_init,
+ bad_update,
+ bad_final,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ {0,0,0,0},
+ };
+
+#endif
+
int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
{
EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
@@ -195,6 +228,18 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
#endif
if (ctx->digest != type)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ {
+ if (!(type->flags & EVP_MD_FLAG_FIPS)
+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
+ {
+ EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_DISABLED_FOR_FIPS);
+ ctx->digest = &bad_md;
+ return 0;
+ }
+ }
+#endif
if (ctx->digest && ctx->digest->ctx_size)
OPENSSL_free(ctx->md_data);
ctx->digest=type;
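Review bot: The rejection branch assigns `ctx->digest = &bad_md` without first releasing `ctx->md_data` belonging to the digest that was installed before. `bad_md` is zero beyond its three callbacks, so its `ctx_size` appears to be 0 and the `if (ctx->digest && ctx->digest->ctx_size)` line just below will skip the old buffer on the next init, leaving earlier hash state allocated. Freeing before the swap closes that: `if (ctx->digest && ctx->digest->ctx_size) { OPENSSL_free(ctx->md_data); ctx->md_data=NULL; }`. Separately, the FIPS check sits inside `if (ctx->digest != type)`, so re-initialising a context that already holds the same non-FIPS digest is not re-checked. `EVP_DigestInit_ex` starts and continues outside this hunk.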
diff --git a/lib/libssl/src/crypto/evp/e_aes.c b/lib/libssl/src/crypto/evp/e_aes.c
index fe8bcda631f..f35036c9d76 100644
--- a/lib/libssl/src/crypto/evp/e_aes.c
+++ b/lib/libssl/src/crypto/evp/e_aes.c
@@ -67,34 +67,52 @@ typedef struct
IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
NID_aes_128, 16, 16, 16, 128,
- 0, aes_init_key, NULL,
+ EVP_CIPH_FLAG_FIPS, aes_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
NID_aes_192, 16, 24, 16, 128,
- 0, aes_init_key, NULL,
+ EVP_CIPH_FLAG_FIPS, aes_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
NID_aes_256, 16, 32, 16, 128,
- 0, aes_init_key, NULL,
+ EVP_CIPH_FLAG_FIPS, aes_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
+#define IMPLEMENT_AES_CFBR(ksize,cbits,flags) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags)
+
+IMPLEMENT_AES_CFBR(128,1,0)
+IMPLEMENT_AES_CFBR(192,1,0)
+IMPLEMENT_AES_CFBR(256,1,0)
+
+IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(256,8,EVP_CIPH_FLAG_FIPS)
+
static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc) {
+ const unsigned char *iv, int enc)
+ {
+ int ret;
if ((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CFB_MODE
|| (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_OFB_MODE
|| enc)
- AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+ ret=AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
else
- AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+ ret=AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+
+ if(ret < 0)
+ {
+ EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
+ return 0;
+ }
return 1;
-}
+ }
#endif
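Review bot: The three `IMPLEMENT_AES_CFBR(...,1,0)` lines leave AES CFB1 without `EVP_CIPH_FLAG_FIPS`, while AES CFB8 here and the DES and 3DES CFB1 definitions in e_des.c and e_des3.c all carry the flag, and nothing in the hunk says whether the difference is deliberate. If it is, a comment would keep a later cleanup from silently changing which modes are permitted in FIPS mode, for example `/* CFB1 is intentionally not marked EVP_CIPH_FLAG_FIPS: <reason> */`. If it is not, the flags argument should match the CFB8 lines.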
diff --git a/lib/libssl/src/crypto/evp/e_des.c b/lib/libssl/src/crypto/evp/e_des.c
index 105266a4b36..46e2899825f 100644
--- a/lib/libssl/src/crypto/evp/e_des.c
+++ b/lib/libssl/src/crypto/evp/e_des.c
@@ -56,9 +56,9 @@
* [including the GNU Public Licence.]
*/
-#ifndef OPENSSL_NO_DES
#include <stdio.h>
#include "cryptlib.h"
+#ifndef OPENSSL_NO_DES
#include <openssl/evp.h>
#include <openssl/objects.h>
#include "evp_locl.h"
@@ -92,20 +92,55 @@ static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
return 1;
}
-static int des_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- const unsigned char *in, unsigned int inl)
+static int des_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, unsigned int inl)
{
DES_cfb64_encrypt(in, out, (long)inl, ctx->cipher_data,
(DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
return 1;
}
+/* Although we have a CFB-r implementation for DES, it doesn't pack the right
+ way, so wrap it here */
+static int des_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, unsigned int inl)
+ {
+ unsigned int n;
+ unsigned char c[1],d[1];
+
+ for(n=0 ; n < inl ; ++n)
+ {
+ c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
+ DES_cfb_encrypt(c,d,1,1,ctx->cipher_data,(DES_cblock *)ctx->iv,
+ ctx->encrypt);
+ out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8));
+ }
+ return 1;
+ }
+
+static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, unsigned int inl)
+ {
+ DES_cfb_encrypt(in,out,8,inl,ctx->cipher_data,(DES_cblock *)ctx->iv,
+ ctx->encrypt);
+ return 1;
+ }
+
BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64,
- 0, des_init_key, NULL,
+ EVP_CIPH_FLAG_FIPS, des_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
+BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,
+ EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
+ EVP_CIPHER_set_asn1_iv,
+ EVP_CIPHER_get_asn1_iv,NULL)
+
+BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,
+ EVP_CIPH_FLAG_FIPS,des_init_key,NULL,
+ EVP_CIPHER_set_asn1_iv,
+ EVP_CIPHER_get_asn1_iv,NULL)
static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
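Review bot: `des_cfb1_cipher` treats `inl` as a number of bits (`n < inl`, indexing `in[n/8]`), while `des_cfb8_cipher` and `des_cfb64_cipher` in the same hunk pass `inl` on as a byte count. A caller that gives all three the same byte length would have only the first `inl/8` bytes processed by CFB1, with the function still returning 1 and the remainder of `out` left untouched. If the bit unit is intended it needs to be stated, for example `/* inl is a length in BITS for CFB1, not bytes */`. `des_ede3_cfb1_cipher` in e_des3.c has the same loop and needs the same comment.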
diff --git a/lib/libssl/src/crypto/evp/e_des3.c b/lib/libssl/src/crypto/evp/e_des3.c
index 077860e7b61..677322bf021 100644
--- a/lib/libssl/src/crypto/evp/e_des3.c
+++ b/lib/libssl/src/crypto/evp/e_des3.c
@@ -56,9 +56,9 @@
* [including the GNU Public Licence.]
*/
-#ifndef OPENSSL_NO_DES
#include <stdio.h>
#include "cryptlib.h"
+#ifndef OPENSSL_NO_DES
#include <openssl/evp.h>
#include <openssl/objects.h>
#include "evp_locl.h"
@@ -85,7 +85,7 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int inl)
{
BLOCK_CIPHER_ecb_loop()
- DES_ecb3_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i),
+ DES_ecb3_encrypt(in + i,out + i,
&data(ctx)->ks1, &data(ctx)->ks2,
&data(ctx)->ks3,
ctx->encrypt);
@@ -121,7 +121,7 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
return 1;
}
-static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int inl)
{
DES_ede3_cfb64_encrypt(in, out, (long)inl,
@@ -130,23 +130,62 @@ static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
return 1;
}
+/* Although we have a CFB-r implementation for 3-DES, it doesn't pack the right
+ way, so wrap it here */
+static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, unsigned int inl)
+ {
+ unsigned int n;
+ unsigned char c[1],d[1];
+
+ for(n=0 ; n < inl ; ++n)
+ {
+ c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
+ DES_ede3_cfb_encrypt(c,d,1,1,
+ &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3,
+ (DES_cblock *)ctx->iv,ctx->encrypt);
+ out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8));
+ }
+
+ return 1;
+ }
+
+static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, unsigned int inl)
+ {
+ DES_ede3_cfb_encrypt(in,out,8,inl,
+ &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3,
+ (DES_cblock *)ctx->iv,ctx->encrypt);
+ return 1;
+ }
+
BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
- 0, des_ede_init_key, NULL,
+ EVP_CIPH_FLAG_FIPS, des_ede_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
-#define des_ede3_cfb_cipher des_ede_cfb_cipher
+#define des_ede3_cfb64_cipher des_ede_cfb64_cipher
#define des_ede3_ofb_cipher des_ede_ofb_cipher
#define des_ede3_cbc_cipher des_ede_cbc_cipher
#define des_ede3_ecb_cipher des_ede_ecb_cipher
BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
- 0, des_ede3_init_key, NULL,
+ EVP_CIPH_FLAG_FIPS, des_ede3_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
+ EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
+ EVP_CIPHER_set_asn1_iv,
+ EVP_CIPHER_get_asn1_iv,NULL)
+
+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
+ EVP_CIPH_FLAG_FIPS, des_ede3_init_key,NULL,
+ EVP_CIPHER_set_asn1_iv,
+ EVP_CIPHER_get_asn1_iv,NULL)
+
static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
diff --git a/lib/libssl/src/crypto/evp/e_null.c b/lib/libssl/src/crypto/evp/e_null.c
index 2420d7e5af8..a84b0f14b1a 100644
--- a/lib/libssl/src/crypto/evp/e_null.c
+++ b/lib/libssl/src/crypto/evp/e_null.c
@@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher=
{
NID_undef,
1,0,0,
- 0,
+ EVP_CIPH_FLAG_FIPS,
null_init_key,
null_cipher,
NULL,
diff --git a/lib/libssl/src/crypto/evp/e_rc4.c b/lib/libssl/src/crypto/evp/e_rc4.c
index d58f507837b..8aa70585b9a 100644
--- a/lib/libssl/src/crypto/evp/e_rc4.c
+++ b/lib/libssl/src/crypto/evp/e_rc4.c
@@ -62,6 +62,7 @@
#include "cryptlib.h"
#include <openssl/evp.h>
#include <openssl/objects.h>
+#include "evp_locl.h"
#include <openssl/rc4.h>
/* FIXME: surely this is available elsewhere? */
diff --git a/lib/libssl/src/crypto/evp/evp.h b/lib/libssl/src/crypto/evp/evp.h
index f9b48792ce4..62d95354efd 100644
--- a/lib/libssl/src/crypto/evp/evp.h
+++ b/lib/libssl/src/crypto/evp/evp.h
@@ -75,6 +75,10 @@
#include <openssl/bio.h>
#endif
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
/*
#define EVP_RC2_KEY_SIZE 16
#define EVP_RC4_KEY_SIZE 16
@@ -236,6 +240,7 @@ struct env_md_st
#define EVP_MD_FLAG_ONESHOT 0x0001 /* digest can only handle a single
* block */
+#define EVP_MD_FLAG_FIPS 0x0400 /* Note if suitable for use in FIPS mode */
#define EVP_PKEY_NULL_method NULL,NULL,{0,0,0,0}
@@ -278,6 +283,9 @@ struct env_md_ctx_st
#define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data
* in EVP_MD_CTX_cleanup */
+#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008 /* Allow use of non FIPS digest
+ * in FIPS mode */
+
struct evp_cipher_st
{
int nid;
@@ -319,6 +327,10 @@ struct evp_cipher_st
#define EVP_CIPH_CUSTOM_KEY_LENGTH 0x80
/* Don't use standard block padding */
#define EVP_CIPH_NO_PADDING 0x100
+/* Note if suitable for use in FIPS mode */
+#define EVP_CIPH_FLAG_FIPS 0x400
+/* Allow non FIPS cipher in FIPS mode */
+#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x800
/* ctrl() values */
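Review bot: `EVP_CIPH_FLAG_NON_FIPS_ALLOW` is defined in the list of `EVP_CIPHER` flag bits, but the check added to `EVP_CipherInit_ex` in evp_enc.c tests it on `ctx->flags`, not on `ctx->cipher->flags`, so the comment should say it is a per-context flag. The macros added in the next hunk make this easy to get wrong: `EVP_CIPHER_CTX_flags(e)` reads `(e)->cipher->flags`, while `EVP_CIPHER_CTX_set_flags`, `EVP_CIPHER_CTX_clear_flags` and `EVP_CIPHER_CTX_test_flags` act on `(ctx)->flags`. I would reword the comment to `/* Context flag (set with EVP_CIPHER_CTX_set_flags): allow a non FIPS cipher in FIPS mode */` and add a one-line note above the three new macros that they operate on the context's own flags.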
@@ -425,6 +437,9 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
#define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d))
#define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
#define EVP_CIPHER_CTX_flags(e) ((e)->cipher->flags)
+#define EVP_CIPHER_CTX_set_flags(ctx,flgs) ((ctx)->flags|=(flgs))
+#define EVP_CIPHER_CTX_clear_flags(ctx,flgs) ((ctx)->flags&=~(flgs))
+#define EVP_CIPHER_CTX_test_flags(ctx,flgs) ((ctx)->flags&(flgs))
#define EVP_CIPHER_CTX_mode(e) ((e)->cipher->flags & EVP_CIPH_MODE)
#define EVP_ENCODE_LENGTH(l) (((l+2)/3*4)+(l/48+1)*2+80)
@@ -446,6 +461,7 @@ void BIO_set_md(BIO *,const EVP_MD *md);
#endif
#define BIO_get_md(b,mdp) BIO_ctrl(b,BIO_C_GET_MD,0,(char *)mdp)
#define BIO_get_md_ctx(b,mdcp) BIO_ctrl(b,BIO_C_GET_MD_CTX,0,(char *)mdcp)
+#define BIO_set_md_ctx(b,mdcp) BIO_ctrl(b,BIO_C_SET_MD_CTX,0,(char *)mdcp)
#define BIO_get_cipher_status(b) BIO_ctrl(b,BIO_C_GET_CIPHER_STATUS,0,NULL)
#define BIO_get_cipher_ctx(b,c_pp) BIO_ctrl(b,BIO_C_GET_CIPHER_CTX,0,(char *)c_pp)
@@ -587,9 +603,20 @@ const EVP_CIPHER *EVP_des_ede(void);
const EVP_CIPHER *EVP_des_ede3(void);
const EVP_CIPHER *EVP_des_ede_ecb(void);
const EVP_CIPHER *EVP_des_ede3_ecb(void);
-const EVP_CIPHER *EVP_des_cfb(void);
-const EVP_CIPHER *EVP_des_ede_cfb(void);
-const EVP_CIPHER *EVP_des_ede3_cfb(void);
+const EVP_CIPHER *EVP_des_cfb64(void);
+# define EVP_des_cfb EVP_des_cfb64
+const EVP_CIPHER *EVP_des_cfb1(void);
+const EVP_CIPHER *EVP_des_cfb8(void);
+const EVP_CIPHER *EVP_des_ede_cfb64(void);
+# define EVP_des_ede_cfb EVP_des_ede_cfb64
+#if 0
+const EVP_CIPHER *EVP_des_ede_cfb1(void);
+const EVP_CIPHER *EVP_des_ede_cfb8(void);
+#endif
+const EVP_CIPHER *EVP_des_ede3_cfb64(void);
+# define EVP_des_ede3_cfb EVP_des_ede3_cfb64
+const EVP_CIPHER *EVP_des_ede3_cfb1(void);
+const EVP_CIPHER *EVP_des_ede3_cfb8(void);
const EVP_CIPHER *EVP_des_ofb(void);
const EVP_CIPHER *EVP_des_ede_ofb(void);
const EVP_CIPHER *EVP_des_ede3_ofb(void);
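Review bot: Renaming `EVP_des_cfb`, `EVP_des_ede_cfb` and `EVP_des_ede3_cfb` to the `*_cfb64` names and keeping the old names only as macros preserves source compatibility but drops the old function symbols from the header, so a binary linked against the previous library may no longer resolve them unless the shared-library version is bumped elsewhere in this commit (not visible here). The same applies to the `idea`, `rc2`, `bf`, `cast5`, `rc5` and `aes` renames in the following hunks. The `#if 0` block around `EVP_des_ede_cfb1` and `EVP_des_ede_cfb8` also needs a short comment saying why those two are declared but disabled.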
@@ -613,7 +640,8 @@ const EVP_CIPHER *EVP_rc4_40(void);
#endif
#ifndef OPENSSL_NO_IDEA
const EVP_CIPHER *EVP_idea_ecb(void);
-const EVP_CIPHER *EVP_idea_cfb(void);
+const EVP_CIPHER *EVP_idea_cfb64(void);
+# define EVP_idea_cfb EVP_idea_cfb64
const EVP_CIPHER *EVP_idea_ofb(void);
const EVP_CIPHER *EVP_idea_cbc(void);
#endif
@@ -622,45 +650,58 @@ const EVP_CIPHER *EVP_rc2_ecb(void);
const EVP_CIPHER *EVP_rc2_cbc(void);
const EVP_CIPHER *EVP_rc2_40_cbc(void);
const EVP_CIPHER *EVP_rc2_64_cbc(void);
-const EVP_CIPHER *EVP_rc2_cfb(void);
+const EVP_CIPHER *EVP_rc2_cfb64(void);
+# define EVP_rc2_cfb EVP_rc2_cfb64
const EVP_CIPHER *EVP_rc2_ofb(void);
#endif
#ifndef OPENSSL_NO_BF
const EVP_CIPHER *EVP_bf_ecb(void);
const EVP_CIPHER *EVP_bf_cbc(void);
-const EVP_CIPHER *EVP_bf_cfb(void);
+const EVP_CIPHER *EVP_bf_cfb64(void);
+# define EVP_bf_cfb EVP_bf_cfb64
const EVP_CIPHER *EVP_bf_ofb(void);
#endif
#ifndef OPENSSL_NO_CAST
const EVP_CIPHER *EVP_cast5_ecb(void);
const EVP_CIPHER *EVP_cast5_cbc(void);
-const EVP_CIPHER *EVP_cast5_cfb(void);
+const EVP_CIPHER *EVP_cast5_cfb64(void);
+# define EVP_cast5_cfb EVP_cast5_cfb64
const EVP_CIPHER *EVP_cast5_ofb(void);
#endif
#ifndef OPENSSL_NO_RC5
const EVP_CIPHER *EVP_rc5_32_12_16_cbc(void);
const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void);
-const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void);
+const EVP_CIPHER *EVP_rc5_32_12_16_cfb64(void);
+# define EVP_rc5_32_12_16_cfb EVP_rc5_32_12_16_cfb64
const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void);
#endif
#ifndef OPENSSL_NO_AES
const EVP_CIPHER *EVP_aes_128_ecb(void);
const EVP_CIPHER *EVP_aes_128_cbc(void);
-const EVP_CIPHER *EVP_aes_128_cfb(void);
+const EVP_CIPHER *EVP_aes_128_cfb1(void);
+const EVP_CIPHER *EVP_aes_128_cfb8(void);
+const EVP_CIPHER *EVP_aes_128_cfb128(void);
+# define EVP_aes_128_cfb EVP_aes_128_cfb128
const EVP_CIPHER *EVP_aes_128_ofb(void);
#if 0
const EVP_CIPHER *EVP_aes_128_ctr(void);
#endif
const EVP_CIPHER *EVP_aes_192_ecb(void);
const EVP_CIPHER *EVP_aes_192_cbc(void);
-const EVP_CIPHER *EVP_aes_192_cfb(void);
+const EVP_CIPHER *EVP_aes_192_cfb1(void);
+const EVP_CIPHER *EVP_aes_192_cfb8(void);
+const EVP_CIPHER *EVP_aes_192_cfb128(void);
+# define EVP_aes_192_cfb EVP_aes_192_cfb128
const EVP_CIPHER *EVP_aes_192_ofb(void);
#if 0
const EVP_CIPHER *EVP_aes_192_ctr(void);
#endif
const EVP_CIPHER *EVP_aes_256_ecb(void);
const EVP_CIPHER *EVP_aes_256_cbc(void);
-const EVP_CIPHER *EVP_aes_256_cfb(void);
+const EVP_CIPHER *EVP_aes_256_cfb1(void);
+const EVP_CIPHER *EVP_aes_256_cfb8(void);
+const EVP_CIPHER *EVP_aes_256_cfb128(void);
+# define EVP_aes_256_cfb EVP_aes_256_cfb128
const EVP_CIPHER *EVP_aes_256_ofb(void);
#if 0
const EVP_CIPHER *EVP_aes_256_ctr(void);
@@ -775,13 +816,18 @@ void ERR_load_EVP_strings(void);
/* Error codes for the EVP functions. */
/* Function codes. */
+#define EVP_F_AES_INIT_KEY 129
#define EVP_F_D2I_PKEY 100
+#define EVP_F_EVP_ADD_CIPHER 130
+#define EVP_F_EVP_ADD_DIGEST 131
#define EVP_F_EVP_CIPHERINIT 123
#define EVP_F_EVP_CIPHER_CTX_CTRL 124
#define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122
#define EVP_F_EVP_DECRYPTFINAL 101
#define EVP_F_EVP_DIGESTINIT 128
#define EVP_F_EVP_ENCRYPTFINAL 127
+#define EVP_F_EVP_GET_CIPHERBYNAME 132
+#define EVP_F_EVP_GET_DIGESTBYNAME 133
#define EVP_F_EVP_MD_CTX_COPY 110
#define EVP_F_EVP_OPENINIT 102
#define EVP_F_EVP_PBE_ALG_ADD 115
@@ -805,6 +851,7 @@ void ERR_load_EVP_strings(void);
#define EVP_F_RC5_CTRL 125
/* Reason codes. */
+#define EVP_R_AES_KEY_SETUP_FAILED 140
#define EVP_R_BAD_BLOCK_LENGTH 136
#define EVP_R_BAD_DECRYPT 100
#define EVP_R_BAD_KEY_LENGTH 137
@@ -816,6 +863,7 @@ void ERR_load_EVP_strings(void);
#define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138
#define EVP_R_DECODE_ERROR 114
#define EVP_R_DIFFERENT_KEY_TYPES 101
+#define EVP_R_DISABLED_FOR_FIPS 141
#define EVP_R_ENCODE_ERROR 115
#define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119
#define EVP_R_EXPECTING_AN_RSA_KEY 127
diff --git a/lib/libssl/src/crypto/evp/evp_enc.c b/lib/libssl/src/crypto/evp/evp_enc.c
index 8ea5aa935dd..f549eeb4377 100644
--- a/lib/libssl/src/crypto/evp/evp_enc.c
+++ b/lib/libssl/src/crypto/evp/evp_enc.c
@@ -82,6 +82,48 @@ int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
return EVP_CipherInit_ex(ctx,cipher,NULL,key,iv,enc);
}
+#ifdef OPENSSL_FIPS
+
+/* The purpose of these is to trap programs that attempt to use non FIPS
+ * algorithms in FIPS mode and ignore the errors.
+ */
+
+int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+ const unsigned char *iv, int enc)
+ { FIPS_ERROR_IGNORED("Cipher init"); return 0;}
+
+int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, unsigned int inl)
+ { FIPS_ERROR_IGNORED("Cipher update"); return 0;}
+
+/* NB: no cleanup because it is allowed after failed init */
+
+int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
+ { FIPS_ERROR_IGNORED("Cipher set_asn1"); return 0;}
+int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
+ { FIPS_ERROR_IGNORED("Cipher get_asn1"); return 0;}
+int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
+ { FIPS_ERROR_IGNORED("Cipher ctrl"); return 0;}
+
+static const EVP_CIPHER bad_cipher =
+ {
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ bad_init,
+ bad_do_cipher,
+ NULL,
+ 0,
+ bad_set_asn1,
+ bad_get_asn1,
+ bad_ctrl,
+ NULL
+ };
+
+#endif
+
int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl,
const unsigned char *key, const unsigned char *iv, int enc)
{
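Review bot: `bad_init`, `bad_do_cipher`, `bad_set_asn1`, `bad_get_asn1` and `bad_ctrl` are defined without `static`, so five generically named functions get external linkage although only the file-local `bad_cipher` table refers to them. Declaring each one `static`, e.g. `static int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,`, keeps them out of the library's exported namespace and avoids clashes with application symbols. The `bad_cipher` initialiser would also read better with a short comment per positional field, since most of its entries are bare `0` or `NULL`.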
@@ -146,7 +188,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
else
ctx->engine = NULL;
#endif
-
ctx->cipher=cipher;
if (ctx->cipher->ctx_size)
{
@@ -210,6 +251,24 @@ skip_to_init:
}
}
+#ifdef OPENSSL_FIPS
+ /* After 'key' is set no further parameters changes are permissible.
+ * So only check for non FIPS enabling at this point.
+ */
+ if (key && FIPS_mode())
+ {
+ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
+ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
+ {
+ EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_DISABLED_FOR_FIPS);
+ ERR_add_error_data(2, "cipher=",
+ EVP_CIPHER_name(ctx->cipher));
+ ctx->cipher = &bad_cipher;
+ return 0;
+ }
+ }
+#endif
+
if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
}
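Review bot: The FIPS gate joins its two conditions with bitwise `&`; it gives the right answer only because each `!` yields 0 or 1, and it reads like a typo in a security check. Use the logical operator: `if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))`. The gate is also skipped when `key` is NULL, so the `EVP_CIPH_ALWAYS_CALL_INIT` branch just below still calls a non-FIPS cipher's `init` in that case; the comment should state whether that is acceptable. `EVP_CipherInit_ex` starts and ends outside the hunk.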
diff --git a/lib/libssl/src/crypto/evp/evp_err.c b/lib/libssl/src/crypto/evp/evp_err.c
index 3a23d21c217..40135d07292 100644
--- a/lib/libssl/src/crypto/evp/evp_err.c
+++ b/lib/libssl/src/crypto/evp/evp_err.c
@@ -1,6 +1,6 @@
/* crypto/evp/evp_err.c */
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -66,13 +66,18 @@
#ifndef OPENSSL_NO_ERR
static ERR_STRING_DATA EVP_str_functs[]=
{
+{ERR_PACK(0,EVP_F_AES_INIT_KEY,0), "AES_INIT_KEY"},
{ERR_PACK(0,EVP_F_D2I_PKEY,0), "D2I_PKEY"},
+{ERR_PACK(0,EVP_F_EVP_ADD_CIPHER,0), "EVP_add_cipher"},
+{ERR_PACK(0,EVP_F_EVP_ADD_DIGEST,0), "EVP_add_digest"},
{ERR_PACK(0,EVP_F_EVP_CIPHERINIT,0), "EVP_CipherInit"},
{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0), "EVP_CIPHER_CTX_ctrl"},
{ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,0), "EVP_CIPHER_CTX_set_key_length"},
{ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0), "EVP_DecryptFinal"},
{ERR_PACK(0,EVP_F_EVP_DIGESTINIT,0), "EVP_DigestInit"},
{ERR_PACK(0,EVP_F_EVP_ENCRYPTFINAL,0), "EVP_EncryptFinal"},
+{ERR_PACK(0,EVP_F_EVP_GET_CIPHERBYNAME,0), "EVP_get_cipherbyname"},
+{ERR_PACK(0,EVP_F_EVP_GET_DIGESTBYNAME,0), "EVP_get_digestbyname"},
{ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0), "EVP_MD_CTX_copy"},
{ERR_PACK(0,EVP_F_EVP_OPENINIT,0), "EVP_OpenInit"},
{ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0), "EVP_PBE_alg_add"},
@@ -99,6 +104,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
static ERR_STRING_DATA EVP_str_reasons[]=
{
+{EVP_R_AES_KEY_SETUP_FAILED ,"aes key setup failed"},
{EVP_R_BAD_BLOCK_LENGTH ,"bad block length"},
{EVP_R_BAD_DECRYPT ,"bad decrypt"},
{EVP_R_BAD_KEY_LENGTH ,"bad key length"},
@@ -110,6 +116,7 @@ static ERR_STRING_DATA EVP_str_reasons[]=
{EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH ,"data not multiple of block length"},
{EVP_R_DECODE_ERROR ,"decode error"},
{EVP_R_DIFFERENT_KEY_TYPES ,"different key types"},
+{EVP_R_DISABLED_FOR_FIPS ,"disabled for fips"},
{EVP_R_ENCODE_ERROR ,"encode error"},
{EVP_R_EVP_PBE_CIPHERINIT_ERROR ,"evp pbe cipherinit error"},
{EVP_R_EXPECTING_AN_RSA_KEY ,"expecting an rsa key"},
diff --git a/lib/libssl/src/crypto/evp/evp_lib.c b/lib/libssl/src/crypto/evp/evp_lib.c
index 52a3b287bee..a63ba19317c 100644
--- a/lib/libssl/src/crypto/evp/evp_lib.c
+++ b/lib/libssl/src/crypto/evp/evp_lib.c
@@ -68,7 +68,7 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
if (c->cipher->set_asn1_parameters != NULL)
ret=c->cipher->set_asn1_parameters(c,type);
else
- ret=1;
+ return -1;
return(ret);
}
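Review bot: `EVP_CIPHER_param_to_asn1` now returns -1 instead of 1 when the cipher has no `set_asn1_parameters` handler, and a caller that tests the result with `!` or `== 0` would still treat -1 as success; the callers are not visible here and should be checked against the new value. `EVP_CIPHER_asn1_to_param` in the next hunk has the same change. A comment on each function stating the convention would help, e.g. `/* returns -1 if the cipher has no ASN.1 parameter handler, otherwise the handler's result */`, and writing `ret=-1;` would keep the single `return(ret);` exit both functions already use.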
@@ -79,7 +79,7 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
if (c->cipher->get_asn1_parameters != NULL)
ret=c->cipher->get_asn1_parameters(c,type);
else
- ret=1;
+ return -1;
return(ret);
}
@@ -133,6 +133,30 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx)
return NID_rc4;
+ case NID_aes_128_cfb128:
+ case NID_aes_128_cfb8:
+ case NID_aes_128_cfb1:
+
+ return NID_aes_128_cfb128;
+
+ case NID_aes_192_cfb128:
+ case NID_aes_192_cfb8:
+ case NID_aes_192_cfb1:
+
+ return NID_aes_192_cfb128;
+
+ case NID_aes_256_cfb128:
+ case NID_aes_256_cfb8:
+ case NID_aes_256_cfb1:
+
+ return NID_aes_256_cfb128;
+
+ case NID_des_cfb64:
+ case NID_des_cfb8:
+ case NID_des_cfb1:
+
+ return NID_des_cfb64;
+
default:
/* Check it has an OID and it is valid */
otmp = OBJ_nid2obj(nid);
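Review bot: The new cases make `EVP_CIPHER_type` report the full-block CFB NID for the CFB1 and CFB8 variants of AES and DES, which drops the feedback size from the reported type, and no comment says why. A line such as `/* CFB1 and CFB8 variants report the full-block CFB type */` above the first group would document the intent. The `des_ede3` CFB1 and CFB8 ciphers added in e_des3.c by this commit have no case here and presumably reach the `default:` branch; confirm that is intended. The function starts and ends outside the hunk.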
diff --git a/lib/libssl/src/crypto/evp/evp_locl.h b/lib/libssl/src/crypto/evp/evp_locl.h
index 4d81a3bf4c5..f8c53436208 100644
--- a/lib/libssl/src/crypto/evp/evp_locl.h
+++ b/lib/libssl/src/crypto/evp/evp_locl.h
@@ -90,7 +90,7 @@ static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const uns
}
#define BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \
-static int cname##_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
+static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
{\
cprefix##_cfb##cbits##_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\
return 1;\
@@ -127,7 +127,7 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
iv_len, cbits, flags, init_key, cleanup, \
set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, cfb##cbits, cfb, CFB, kstruct, nid, 1, \
+BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
key_len, iv_len, flags, init_key, cleanup, set_asn1, \
get_asn1, ctrl)
@@ -225,3 +225,28 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
get_asn1, ctrl)
#define EVP_C_DATA(kstruct, ctx) ((kstruct *)(ctx)->cipher_data)
+
+#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,flags) \
+ BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
+ BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
+ NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
+ flags, cipher##_init_key, NULL, \
+ EVP_CIPHER_set_asn1_iv, \
+ EVP_CIPHER_get_asn1_iv, \
+ NULL)
+
+#ifdef OPENSSL_FIPS
+#define RC2_set_key private_RC2_set_key
+#define RC4_set_key private_RC4_set_key
+#define CAST_set_key private_CAST_set_key
+#define RC5_32_set_key private_RC5_32_set_key
+#define BF_set_key private_BF_set_key
+#define idea_set_encrypt_key private_idea_set_encrypt_key
+
+#define MD5_Init private_MD5_Init
+#define MD4_Init private_MD4_Init
+#define MD2_Init private_MD2_Init
+#define MDC2_Init private_MDC2_Init
+#define SHA_Init private_SHA_Init
+
+#endif
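Review bot: The `#define RC2_set_key private_RC2_set_key` block renames every later use of these identifiers in any file that includes evp_locl.h, including prototypes in headers included after it, and there is no comment explaining the purpose or the include-order dependency. In the e_rc4.c hunk of this commit `evp_locl.h` is included before `<openssl/rc4.h>`, so the effect depends on what that header declares under `OPENSSL_FIPS` (not visible here). If the intent is to route the EVP wrappers to the `private_*` entry points in FIPS builds, say so above the block, e.g. `/* FIPS builds: EVP wrappers call the private_* key setup and init functions; keep the include order relative to the algorithm headers consistent */`.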
diff --git a/lib/libssl/src/crypto/evp/evp_pkey.c b/lib/libssl/src/crypto/evp/evp_pkey.c
index eb481ec661d..47a69932a52 100644
--- a/lib/libssl/src/crypto/evp/evp_pkey.c
+++ b/lib/libssl/src/crypto/evp/evp_pkey.c
@@ -235,7 +235,11 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken)
return NULL;
}
p8->broken = broken;
- ASN1_INTEGER_set (p8->version, 0);
+ if (!ASN1_INTEGER_set(p8->version, 0)) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ PKCS8_PRIV_KEY_INFO_free (p8);
+ return NULL;
+ }
if (!(p8->pkeyalg->parameter = ASN1_TYPE_new ())) {
EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
PKCS8_PRIV_KEY_INFO_free (p8);
@@ -303,29 +307,35 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken)
#ifndef OPENSSL_NO_DSA
static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
{
- ASN1_STRING *params;
- ASN1_INTEGER *prkey;
- ASN1_TYPE *ttmp;
- STACK_OF(ASN1_TYPE) *ndsa;
- unsigned char *p, *q;
+ ASN1_STRING *params = NULL;
+ ASN1_INTEGER *prkey = NULL;
+ ASN1_TYPE *ttmp = NULL;
+ STACK_OF(ASN1_TYPE) *ndsa = NULL;
+ unsigned char *p = NULL, *q;
int len;
p8->pkeyalg->algorithm = OBJ_nid2obj(NID_dsa);
len = i2d_DSAparams (pkey->pkey.dsa, NULL);
if (!(p = OPENSSL_malloc(len))) {
EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
- PKCS8_PRIV_KEY_INFO_free (p8);
- return 0;
+ goto err;
}
q = p;
i2d_DSAparams (pkey->pkey.dsa, &q);
- params = ASN1_STRING_new();
- ASN1_STRING_set(params, p, len);
+ if (!(params = ASN1_STRING_new())) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if (!ASN1_STRING_set(params, p, len)) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
OPENSSL_free(p);
+ p = NULL;
/* Get private key into integer */
if (!(prkey = BN_to_ASN1_INTEGER (pkey->pkey.dsa->priv_key, NULL))) {
EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
- return 0;
+ goto err;
}
switch(p8->broken) {
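Review bot: `dsa_pkey2pkcs8` no longer frees `p8` on any error path (the old code freed it on some and not on others), so ownership of `p8` on failure now rests entirely with the caller, which is outside this hunk. Confirm the caller frees it when 0 is returned, and record the contract above the function, e.g. `/* returns 0 on error; p8 is left for the caller to free */`. Separately, `len = i2d_DSAparams (pkey->pkey.dsa, NULL);` is still passed to `OPENSSL_malloc` unchecked, so an encoding failure is at best reported as a malloc failure; `if (len <= 0) { EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR); goto err; }` before the allocation would make that explicit. The function continues in the following hunks.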
@@ -336,12 +346,13 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
if (!ASN1_pack_string((char *)prkey, i2d_ASN1_INTEGER,
&p8->pkey->value.octet_string)) {
EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
- M_ASN1_INTEGER_free (prkey);
- return 0;
+ goto err;
}
M_ASN1_INTEGER_free (prkey);
+ prkey = NULL;
p8->pkeyalg->parameter->value.sequence = params;
+ params = NULL;
p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
break;
@@ -349,32 +360,51 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
case PKCS8_NS_DB:
p8->pkeyalg->parameter->value.sequence = params;
+ params = NULL;
p8->pkeyalg->parameter->type = V_ASN1_SEQUENCE;
- ndsa = sk_ASN1_TYPE_new_null();
- ttmp = ASN1_TYPE_new();
- if (!(ttmp->value.integer = BN_to_ASN1_INTEGER (pkey->pkey.dsa->pub_key, NULL))) {
+ if (!(ndsa = sk_ASN1_TYPE_new_null())) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if (!(ttmp = ASN1_TYPE_new())) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if (!(ttmp->value.integer =
+ BN_to_ASN1_INTEGER(pkey->pkey.dsa->pub_key, NULL))) {
EVPerr(EVP_F_EVP_PKEY2PKCS8,EVP_R_ENCODE_ERROR);
- PKCS8_PRIV_KEY_INFO_free(p8);
- return 0;
+ goto err;
}
ttmp->type = V_ASN1_INTEGER;
- sk_ASN1_TYPE_push(ndsa, ttmp);
+ if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
- ttmp = ASN1_TYPE_new();
+ if (!(ttmp = ASN1_TYPE_new())) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
ttmp->value.integer = prkey;
+ prkey = NULL;
ttmp->type = V_ASN1_INTEGER;
- sk_ASN1_TYPE_push(ndsa, ttmp);
+ if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ ttmp = NULL;
- p8->pkey->value.octet_string = ASN1_OCTET_STRING_new();
+ if (!(p8->pkey->value.octet_string = ASN1_OCTET_STRING_new())) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE,
&p8->pkey->value.octet_string->data,
&p8->pkey->value.octet_string->length)) {
EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
- sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
- M_ASN1_INTEGER_free(prkey);
- return 0;
+ goto err;
}
sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
break;
@@ -382,31 +412,57 @@ static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
case PKCS8_EMBEDDED_PARAM:
p8->pkeyalg->parameter->type = V_ASN1_NULL;
- ndsa = sk_ASN1_TYPE_new_null();
- ttmp = ASN1_TYPE_new();
+ if (!(ndsa = sk_ASN1_TYPE_new_null())) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if (!(ttmp = ASN1_TYPE_new())) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
ttmp->value.sequence = params;
+ params = NULL;
ttmp->type = V_ASN1_SEQUENCE;
- sk_ASN1_TYPE_push(ndsa, ttmp);
+ if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
- ttmp = ASN1_TYPE_new();
+ if (!(ttmp = ASN1_TYPE_new())) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
ttmp->value.integer = prkey;
+ prkey = NULL;
ttmp->type = V_ASN1_INTEGER;
- sk_ASN1_TYPE_push(ndsa, ttmp);
+ if (!sk_ASN1_TYPE_push(ndsa, ttmp)) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ ttmp = NULL;
- p8->pkey->value.octet_string = ASN1_OCTET_STRING_new();
+ if (!(p8->pkey->value.octet_string = ASN1_OCTET_STRING_new())) {
+ EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
if (!ASN1_seq_pack_ASN1_TYPE(ndsa, i2d_ASN1_TYPE,
&p8->pkey->value.octet_string->data,
&p8->pkey->value.octet_string->length)) {
EVPerr(EVP_F_EVP_PKEY2PKCS8,ERR_R_MALLOC_FAILURE);
- sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
- M_ASN1_INTEGER_free (prkey);
- return 0;
+ goto err;
}
sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
break;
}
return 1;
+err:
+ if (p != NULL) OPENSSL_free(p);
+ if (params != NULL) ASN1_STRING_free(params);
+ if (prkey != NULL) M_ASN1_INTEGER_free(prkey);
+ if (ttmp != NULL) ASN1_TYPE_free(ttmp);
+ if (ndsa != NULL) sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+ return 0;
}
#endif
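Review bot: On the `err:` path `prkey` may still hold the DSA private key as an `ASN1_INTEGER`, and it is released with `M_ASN1_INTEGER_free` alone; if that macro does not zero the buffer (its definition is not visible here), the key bytes remain in freed heap memory. Consider clearing it first, e.g. `if (prkey != NULL) { OPENSSL_cleanse(prkey->data, prkey->length); M_ASN1_INTEGER_free(prkey); }`, and doing the same at the success-path free in the first `switch` case. The function starts outside this hunk.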
diff --git a/lib/libssl/src/crypto/evp/evp_test.c b/lib/libssl/src/crypto/evp/evp_test.c
index 28460173f7e..a624cfd248a 100644
--- a/lib/libssl/src/crypto/evp/evp_test.c
+++ b/lib/libssl/src/crypto/evp/evp_test.c
@@ -136,7 +136,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
const unsigned char *iv,int in,
const unsigned char *plaintext,int pn,
const unsigned char *ciphertext,int cn,
- int encdec)
+ int encdec,int multiplier)
{
EVP_CIPHER_CTX ctx;
unsigned char out[4096];
@@ -162,22 +162,25 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv))
{
fprintf(stderr,"EncryptInit failed\n");
+ ERR_print_errors_fp(stderr);
test1_exit(10);
}
EVP_CIPHER_CTX_set_padding(&ctx,0);
- if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn))
+ if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn*multiplier))
{
fprintf(stderr,"Encrypt failed\n");
+ ERR_print_errors_fp(stderr);
test1_exit(6);
}
if(!EVP_EncryptFinal_ex(&ctx,out+outl,&outl2))
{
fprintf(stderr,"EncryptFinal failed\n");
+ ERR_print_errors_fp(stderr);
test1_exit(7);
}
- if(outl+outl2 != cn)
+ if(outl+outl2 != cn*multiplier)
{
fprintf(stderr,"Ciphertext length mismatch got %d expected %d\n",
outl+outl2,cn);
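Review bot: The length check now compares against `cn*multiplier`, but the message below it still prints `cn` as the expected value, so a failure in a `*8` test vector reports a misleading number. Change the argument line to `outl+outl2,cn*multiplier);`. The plaintext-length check in the decrypt hunk that follows has the same mismatch. `test1` starts and ends outside the hunk.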
@@ -198,22 +201,25 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv))
{
fprintf(stderr,"DecryptInit failed\n");
+ ERR_print_errors_fp(stderr);
test1_exit(11);
}
EVP_CIPHER_CTX_set_padding(&ctx,0);
- if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn))
+ if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn*multiplier))
{
fprintf(stderr,"Decrypt failed\n");
+ ERR_print_errors_fp(stderr);
test1_exit(6);
}
if(!EVP_DecryptFinal_ex(&ctx,out+outl,&outl2))
{
fprintf(stderr,"DecryptFinal failed\n");
+ ERR_print_errors_fp(stderr);
test1_exit(7);
}
- if(outl+outl2 != cn)
+ if(outl+outl2 != cn*multiplier)
{
fprintf(stderr,"Plaintext length mismatch got %d expected %d\n",
outl+outl2,cn);
@@ -238,7 +244,7 @@ static int test_cipher(const char *cipher,const unsigned char *key,int kn,
const unsigned char *iv,int in,
const unsigned char *plaintext,int pn,
const unsigned char *ciphertext,int cn,
- int encdec)
+ int encdec,int multiplier)
{
const EVP_CIPHER *c;
@@ -246,7 +252,7 @@ static int test_cipher(const char *cipher,const unsigned char *key,int kn,
if(!c)
return 0;
- test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec);
+ test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec,multiplier);
return 1;
}
@@ -272,16 +278,19 @@ static int test_digest(const char *digest,
if(!EVP_DigestInit_ex(&ctx,d, NULL))
{
fprintf(stderr,"DigestInit failed\n");
+ ERR_print_errors_fp(stderr);
EXIT(100);
}
if(!EVP_DigestUpdate(&ctx,plaintext,pn))
{
fprintf(stderr,"DigestUpdate failed\n");
+ ERR_print_errors_fp(stderr);
EXIT(101);
}
if(!EVP_DigestFinal_ex(&ctx,md,&mdn))
{
fprintf(stderr,"DigestFinal failed\n");
+ ERR_print_errors_fp(stderr);
EXIT(101);
}
EVP_MD_CTX_cleanup(&ctx);
@@ -359,6 +368,7 @@ int main(int argc,char **argv)
unsigned char *iv,*key,*plaintext,*ciphertext;
int encdec;
int kn,in,pn,cn;
+ int multiplier=1;
if(!fgets((char *)line,sizeof line,f))
break;
@@ -383,7 +393,15 @@ int main(int argc,char **argv)
pn=convert(plaintext);
cn=convert(ciphertext);
- if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec)
+ if(strchr(cipher,'*'))
+ {
+ p=cipher;
+ sstrsep(&p,"*");
+ multiplier=atoi(sstrsep(&p,"*"));
+ }
+
+ if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec,
+ multiplier)
&& !test_digest(cipher,plaintext,pn,ciphertext,cn))
{
fprintf(stderr,"Can't find %s\n",cipher);
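Review bot: `multiplier=atoi(sstrsep(&p,"*"));` accepts whatever follows the `*` in the test file, so a missing or non-numeric suffix yields 0 and a malformed one can yield a negative or very large value, which `test1` then multiplies into the lengths passed to `EVP_EncryptUpdate` and `EVP_DecryptUpdate` while writing into its fixed `out[4096]` buffer. Reject bad values before calling `test_cipher`, e.g. `if(multiplier <= 0) { fprintf(stderr,"Bad multiplier for %s\n",cipher); EXIT(3); }` (the exit code here is a placeholder), and consider an upper bound as well. `main` starts and ends outside the hunk.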
diff --git a/lib/libssl/src/crypto/evp/evptests.txt b/lib/libssl/src/crypto/evp/evptests.txt
index 80bd9c7765c..dfe91a5bc0e 100644
--- a/lib/libssl/src/crypto/evp/evptests.txt
+++ b/lib/libssl/src/crypto/evp/evptests.txt
@@ -92,7 +92,102 @@ AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000
AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:F58C4C04D6E5F1BA779EABFB5F7BFBD6:AE2D8A571E03AC9C9EB76FAC45AF8E51:9CFC4E967EDB808D679F777BC6702C7D
AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:9CFC4E967EDB808D679F777BC6702C7D:30C81C46A35CE411E5FBC1191A0A52EF:39F23369A9D9BACFA530E26304231461
AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39F23369A9D9BACFA530E26304231461:F69F2445DF4F9B17AD2B417BE66C3710:B2EB05E2C39BE9FCDA6C19078C6A9D1B
-# We don't support CFB{1,8}-AESxxx.{En,De}crypt
+
+# CFB1-AES128.Encrypt
+
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00020406080a0c0e10121416181a1c1e:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0004080c1014181c2024282c3034383d:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0008101820283038404850586068707b:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00102030405060708090a0b0c0d0e0f6:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0020406080a0c0e10121416181a1c1ed:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:004080c1014181c2024282c3034383da:80:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:008101820283038404850586068707b4:80:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f68:80:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:020406080a0c0e10121416181a1c1ed1:80:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:04080c1014181c2024282c3034383da2:00:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:08101820283038404850586068707b45:00:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:102030405060708090a0b0c0d0e0f68b:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:20406080a0c0e10121416181a1c1ed16:00:00:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:4080c1014181c2024282c3034383da2c:00:80:1
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:8101820283038404850586068707b459:80:80:1
+# all of the above packed into one...
+# in: 0110 1011 1100 0001 = 6bc1
+# out: 0110 1000 1011 0011 = 68b3
+AES-128-CFB1*8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1:68b3:1
+
+# CFB1-AES128.Decrypt
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00020406080a0c0e10121416181a1c1e:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0004080c1014181c2024282c3034383d:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0008101820283038404850586068707b:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:00102030405060708090a0b0c0d0e0f6:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0020406080a0c0e10121416181a1c1ed:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:004080c1014181c2024282c3034383da:80:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:008101820283038404850586068707b4:80:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f68:80:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:020406080a0c0e10121416181a1c1ed1:80:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:04080c1014181c2024282c3034383da2:00:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:08101820283038404850586068707b45:00:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:102030405060708090a0b0c0d0e0f68b:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:20406080a0c0e10121416181a1c1ed16:00:00:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:4080c1014181c2024282c3034383da2c:00:80:0
+AES-128-CFB1:2b7e151628aed2a6abf7158809cf4f3c:8101820283038404850586068707b459:80:80:0
+# all of the above packed into one...
+# in: 0110 1000 1011 0011 = 68b3
+# out: 0110 1011 1100 0001 = 6bc1
+AES-128-CFB1*8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1:68b3:0
+
+# TODO: CFB1-AES192 and 256
+
+# CFB8-AES128.Encrypt
+
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6b:3b:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f3b:c1:79:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:02030405060708090a0b0c0d0e0f3b79:be:42:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:030405060708090a0b0c0d0e0f3b7942:e2:4c:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0405060708090a0b0c0d0e0f3b79424c:2e:9c:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:05060708090a0b0c0d0e0f3b79424c9c:40:0d:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:060708090a0b0c0d0e0f3b79424c9c0d:9f:d4:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0708090a0b0c0d0e0f3b79424c9c0dd4:96:36:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:08090a0b0c0d0e0f3b79424c9c0dd436:e9:ba:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:090a0b0c0d0e0f3b79424c9c0dd436ba:3d:ce:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0a0b0c0d0e0f3b79424c9c0dd436bace:7e:9e:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0b0c0d0e0f3b79424c9c0dd436bace9e:11:0e:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0c0d0e0f3b79424c9c0dd436bace9e0e:73:d4:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0d0e0f3b79424c9c0dd436bace9e0ed4:93:58:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0e0f3b79424c9c0dd436bace9e0ed458:17:6a:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0f3b79424c9c0dd436bace9e0ed4586a:2a:4f:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:3b79424c9c0dd436bace9e0ed4586a4f:ae:32:1
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:79424c9c0dd436bace9e0ed4586a4f32:2d:b9:1
+# all of the above packed into one
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1bee22e409f96e93d7e117393172aae2d:3b79424c9c0dd436bace9e0ed4586a4f32b9:1
+
+# CFB8-AES128.Decrypt
+
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6b:3b:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0102030405060708090a0b0c0d0e0f3b:c1:79:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:02030405060708090a0b0c0d0e0f3b79:be:42:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:030405060708090a0b0c0d0e0f3b7942:e2:4c:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0405060708090a0b0c0d0e0f3b79424c:2e:9c:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:05060708090a0b0c0d0e0f3b79424c9c:40:0d:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:060708090a0b0c0d0e0f3b79424c9c0d:9f:d4:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0708090a0b0c0d0e0f3b79424c9c0dd4:96:36:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:08090a0b0c0d0e0f3b79424c9c0dd436:e9:ba:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:090a0b0c0d0e0f3b79424c9c0dd436ba:3d:ce:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0a0b0c0d0e0f3b79424c9c0dd436bace:7e:9e:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0b0c0d0e0f3b79424c9c0dd436bace9e:11:0e:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0c0d0e0f3b79424c9c0dd436bace9e0e:73:d4:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0d0e0f3b79424c9c0dd436bace9e0ed4:93:58:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0e0f3b79424c9c0dd436bace9e0ed458:17:6a:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:0f3b79424c9c0dd436bace9e0ed4586a:2a:4f:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:3b79424c9c0dd436bace9e0ed4586a4f:ae:32:0
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:79424c9c0dd436bace9e0ed4586a4f32:2d:b9:0
+# all of the above packed into one
+AES-128-CFB8:2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1bee22e409f96e93d7e117393172aae2d:3b79424c9c0dd436bace9e0ed4586a4f32b9:0
+
+# TODO: 192 and 256 bit keys
+
# For all CFB128 encrypts and decrypts, the transformed sequence is
# AES-bits-CFB:key:IV/ciphertext':plaintext:ciphertext:encdec
# CFB128-AES128.Encrypt
@@ -174,6 +269,16 @@ DESX-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363
# DES EDE3 CBC tests (from destest)
DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
+# DES CFB1 from FIPS 81
+# plaintext: 0100 1110 0110 1111 0111 0111 = 4e6f77
+# ciphertext: 1100 1101 0001 1110 1100 1001 = cd1ec9
+
+DES-CFB1*8:0123456789abcdef:1234567890abcdef:4e6f77:cd1ec9
+
+# DES CFB8 from FIPS 81
+
+DES-CFB8:0123456789abcdef:1234567890abcdef:4e6f7720697320746865:f31fda07011462ee187f
+
# RC4 tests (from rc4test)
RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596
RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879
diff --git a/lib/libssl/src/crypto/evp/m_dss.c b/lib/libssl/src/crypto/evp/m_dss.c
index beb8d7fc5c9..d393eb34009 100644
--- a/lib/libssl/src/crypto/evp/m_dss.c
+++ b/lib/libssl/src/crypto/evp/m_dss.c
@@ -77,7 +77,7 @@ static const EVP_MD dsa_md=
NID_dsaWithSHA,
NID_dsaWithSHA,
SHA_DIGEST_LENGTH,
- 0,
+ EVP_MD_FLAG_FIPS,
init,
update,
final,
diff --git a/lib/libssl/src/crypto/evp/m_md2.c b/lib/libssl/src/crypto/evp/m_md2.c
index 50914c83b3a..0df48e5199e 100644
--- a/lib/libssl/src/crypto/evp/m_md2.c
+++ b/lib/libssl/src/crypto/evp/m_md2.c
@@ -60,6 +60,7 @@
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/evp.h>
+#include "evp_locl.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/md2.h>
diff --git a/lib/libssl/src/crypto/evp/m_md4.c b/lib/libssl/src/crypto/evp/m_md4.c
index e19b6637546..0605e4b707c 100644
--- a/lib/libssl/src/crypto/evp/m_md4.c
+++ b/lib/libssl/src/crypto/evp/m_md4.c
@@ -60,6 +60,7 @@
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/evp.h>
+#include "evp_locl.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/md4.h>
diff --git a/lib/libssl/src/crypto/evp/m_md5.c b/lib/libssl/src/crypto/evp/m_md5.c
index b00a03e048b..752615d473a 100644
--- a/lib/libssl/src/crypto/evp/m_md5.c
+++ b/lib/libssl/src/crypto/evp/m_md5.c
@@ -60,6 +60,7 @@
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/evp.h>
+#include "evp_locl.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/md5.h>
diff --git a/lib/libssl/src/crypto/evp/m_mdc2.c b/lib/libssl/src/crypto/evp/m_mdc2.c
index 9f6467c9314..62de1336b85 100644
--- a/lib/libssl/src/crypto/evp/m_mdc2.c
+++ b/lib/libssl/src/crypto/evp/m_mdc2.c
@@ -60,6 +60,7 @@
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/evp.h>
+#include "evp_locl.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/mdc2.h>
diff --git a/lib/libssl/src/crypto/evp/m_sha.c b/lib/libssl/src/crypto/evp/m_sha.c
index 10697c7ed38..d1785e5f745 100644
--- a/lib/libssl/src/crypto/evp/m_sha.c
+++ b/lib/libssl/src/crypto/evp/m_sha.c
@@ -56,10 +56,11 @@
* [including the GNU Public Licence.]
*/
-#ifndef OPENSSL_NO_SHA
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/evp.h>
+#include "evp_locl.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
diff --git a/lib/libssl/src/crypto/evp/m_sha1.c b/lib/libssl/src/crypto/evp/m_sha1.c
index d6be3502f0a..fe4402389ae 100644
--- a/lib/libssl/src/crypto/evp/m_sha1.c
+++ b/lib/libssl/src/crypto/evp/m_sha1.c
@@ -77,7 +77,7 @@ static const EVP_MD sha1_md=
NID_sha1,
NID_sha1WithRSAEncryption,
SHA_DIGEST_LENGTH,
- 0,
+ EVP_MD_FLAG_FIPS,
init,
update,
final,
diff --git a/lib/libssl/src/crypto/evp/names.c b/lib/libssl/src/crypto/evp/names.c
index eb9f4329cd4..77124530461 100644
--- a/lib/libssl/src/crypto/evp/names.c
+++ b/lib/libssl/src/crypto/evp/names.c
@@ -61,6 +61,9 @@
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
int EVP_add_cipher(const EVP_CIPHER *c)
{
diff --git a/lib/libssl/src/crypto/hmac/hmac.c b/lib/libssl/src/crypto/hmac/hmac.c
index 4c91f919d56..06ee80761ff 100644
--- a/lib/libssl/src/crypto/hmac/hmac.c
+++ b/lib/libssl/src/crypto/hmac/hmac.c
@@ -77,6 +77,15 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
if (key != NULL)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(md->flags & EVP_MD_FLAG_FIPS)
+ && (!(ctx->md_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+ || !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+ || !(ctx->o_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
+ OpenSSLDie(__FILE__,__LINE__,
+ "HMAC: digest not allowed in FIPS mode");
+#endif
+
reset=1;
j=EVP_MD_block_size(md);
OPENSSL_assert(j <= sizeof ctx->key);
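Review bot: The FIPS gate added at the top of the `if (key != NULL)` branch ends the process through `OpenSSLDie()` instead of reporting an error, and it is not reached when `HMAC_Init_ex` is called with `key == NULL` and a new `md`. Where the digest is selected from configuration or from data supplied by a peer, that abort is an availability concern, so callers should validate the digest before calling. Whether the key-less path is caught by the digest layer cannot be seen from this hunk. A comment above the check would record the contract, e.g. `/* FIPS mode: refuse non-approved digests unless all three contexts carry EVP_MD_CTX_FLAG_NON_FIPS_ALLOW; aborts because this function returns void */`. The body of `HMAC_Init_ex` continues outside the hunk.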
@@ -171,3 +180,10 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
return(md);
}
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
+ {
+ EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
+ EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
+ EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
+ }
+
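Review bot: `HMAC_CTX_set_flags` is added without a comment, and its link to the FIPS check in `HMAC_Init_ex` is not obvious from the function alone. That check tests `md_ctx`, `i_ctx` and `o_ctx` separately, which is why the flags are applied to all three here. I would add `/* Apply flags to all three digest contexts; HMAC_Init_ex tests each of them for EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */` above the definition.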
diff --git a/lib/libssl/src/crypto/hmac/hmac.h b/lib/libssl/src/crypto/hmac/hmac.h
index 0364a1fcbd9..294ab3b36a0 100644
--- a/lib/libssl/src/crypto/hmac/hmac.h
+++ b/lib/libssl/src/crypto/hmac/hmac.h
@@ -98,6 +98,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
const unsigned char *d, int n, unsigned char *md,
unsigned int *md_len);
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags);
#ifdef __cplusplus
}
diff --git a/lib/libssl/src/crypto/idea/idea.h b/lib/libssl/src/crypto/idea/idea.h
index 67132414ee7..bf41844fd76 100644
--- a/lib/libssl/src/crypto/idea/idea.h
+++ b/lib/libssl/src/crypto/idea/idea.h
@@ -82,6 +82,10 @@ typedef struct idea_key_st
const char *idea_options(void);
void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
IDEA_KEY_SCHEDULE *ks);
+#ifdef OPENSSL_FIPS
+void private_idea_set_encrypt_key(const unsigned char *key,
+ IDEA_KEY_SCHEDULE *ks);
+#endif
void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,
diff --git a/lib/libssl/src/crypto/md2/md2.h b/lib/libssl/src/crypto/md2/md2.h
index ad9241455ca..d0ef9da08e7 100644
--- a/lib/libssl/src/crypto/md2/md2.h
+++ b/lib/libssl/src/crypto/md2/md2.h
@@ -80,6 +80,9 @@ typedef struct MD2state_st
} MD2_CTX;
const char *MD2_options(void);
+#ifdef OPENSSL_FIPS
+int private_MD2_Init(MD2_CTX *c);
+#endif
int MD2_Init(MD2_CTX *c);
int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len);
int MD2_Final(unsigned char *md, MD2_CTX *c);
diff --git a/lib/libssl/src/crypto/md2/md2_dgst.c b/lib/libssl/src/crypto/md2/md2_dgst.c
index ecb64f0ec40..8124acd6877 100644
--- a/lib/libssl/src/crypto/md2/md2_dgst.c
+++ b/lib/libssl/src/crypto/md2/md2_dgst.c
@@ -62,6 +62,8 @@
#include <openssl/md2.h>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT;
@@ -116,7 +118,7 @@ const char *MD2_options(void)
return("md2(int)");
}
-int MD2_Init(MD2_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD2)
{
c->num=0;
memset(c->state,0,sizeof c->state);
diff --git a/lib/libssl/src/crypto/md32_common.h b/lib/libssl/src/crypto/md32_common.h
index 573850b1228..733da6acafe 100644
--- a/lib/libssl/src/crypto/md32_common.h
+++ b/lib/libssl/src/crypto/md32_common.h
@@ -128,6 +128,10 @@
* <appro@fy.chalmers.se>
*/
+#include <openssl/crypto.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
+
#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
#error "DATA_ORDER must be defined!"
#endif
@@ -207,7 +211,7 @@
: "cc"); \
ret; \
})
-# elif defined(__powerpc) || defined(__ppc)
+# elif defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__)
# define ROTATE(a,n) ({ register unsigned int ret; \
asm ( \
"rlwinm %0,%1,%2,0,31" \
@@ -555,6 +559,14 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
static const unsigned char end[4]={0x80,0x00,0x00,0x00};
const unsigned char *cp=end;
+#if 0
+ if(FIPS_mode() && !FIPS_md5_allowed())
+ {
+ FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
+ return 0;
+ }
+#endif
+
/* c->num should definitly have room for at least one more byte. */
p=c->data;
i=c->num>>2;
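Review bot: The block added to `HASH_FINAL` is compiled out with `#if 0`, so the patch ships a FIPS check that never runs and gives no reason for disabling it. This header is a template shared by the md32-based digests, yet the dead check names `FIPS_md5_allowed()`; enabled as written, it would apply that MD5 policy to whichever hash includes the header. Either drop the block or state the intent next to it, e.g. `/* disabled: FIPS gating is done in the *_Init wrappers, not here */` (that rationale is inferred and should be confirmed). `HASH_FINAL` continues outside the hunk.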
diff --git a/lib/libssl/src/crypto/md4/md4.h b/lib/libssl/src/crypto/md4/md4.h
index 7a7b23682f8..7e761efb621 100644
--- a/lib/libssl/src/crypto/md4/md4.h
+++ b/lib/libssl/src/crypto/md4/md4.h
@@ -104,6 +104,9 @@ typedef struct MD4state_st
int num;
} MD4_CTX;
+#ifdef OPENSSL_FIPS
+int private_MD4_Init(MD4_CTX *c);
+#endif
int MD4_Init(MD4_CTX *c);
int MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
int MD4_Final(unsigned char *md, MD4_CTX *c);
diff --git a/lib/libssl/src/crypto/md4/md4_dgst.c b/lib/libssl/src/crypto/md4/md4_dgst.c
index 7afb7185b68..ee7cc72262a 100644
--- a/lib/libssl/src/crypto/md4/md4_dgst.c
+++ b/lib/libssl/src/crypto/md4/md4_dgst.c
@@ -70,7 +70,7 @@ const char *MD4_version="MD4" OPENSSL_VERSION_PTEXT;
#define INIT_DATA_C (unsigned long)0x98badcfeL
#define INIT_DATA_D (unsigned long)0x10325476L
-int MD4_Init(MD4_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD4)
{
c->A=INIT_DATA_A;
c->B=INIT_DATA_B;
diff --git a/lib/libssl/src/crypto/md5/md5.h b/lib/libssl/src/crypto/md5/md5.h
index a252e021154..c663dd18160 100644
--- a/lib/libssl/src/crypto/md5/md5.h
+++ b/lib/libssl/src/crypto/md5/md5.h
@@ -104,6 +104,9 @@ typedef struct MD5state_st
int num;
} MD5_CTX;
+#ifdef OPENSSL_FIPS
+int private_MD5_Init(MD5_CTX *c);
+#endif
int MD5_Init(MD5_CTX *c);
int MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
int MD5_Final(unsigned char *md, MD5_CTX *c);
diff --git a/lib/libssl/src/crypto/md5/md5_dgst.c b/lib/libssl/src/crypto/md5/md5_dgst.c
index 9c7abc36972..54b33c6509a 100644
--- a/lib/libssl/src/crypto/md5/md5_dgst.c
+++ b/lib/libssl/src/crypto/md5/md5_dgst.c
@@ -70,7 +70,7 @@ const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT;
#define INIT_DATA_C (unsigned long)0x98badcfeL
#define INIT_DATA_D (unsigned long)0x10325476L
-int MD5_Init(MD5_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD5)
{
c->A=INIT_DATA_A;
c->B=INIT_DATA_B;
diff --git a/lib/libssl/src/crypto/mdc2/mdc2.h b/lib/libssl/src/crypto/mdc2/mdc2.h
index 793a8a0f13f..4cba101f378 100644
--- a/lib/libssl/src/crypto/mdc2/mdc2.h
+++ b/lib/libssl/src/crypto/mdc2/mdc2.h
@@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st
int pad_type; /* either 1 or 2, default 1 */
} MDC2_CTX;
-
+#ifdef OPENSSL_FIPS
+int private_MDC2_Init(MDC2_CTX *c);
+#endif
int MDC2_Init(MDC2_CTX *c);
int MDC2_Update(MDC2_CTX *c, const unsigned char *data, unsigned long len);
int MDC2_Final(unsigned char *md, MDC2_CTX *c);
diff --git a/lib/libssl/src/crypto/o_time.c b/lib/libssl/src/crypto/o_time.c
index 785468131e1..e29091d6504 100644
--- a/lib/libssl/src/crypto/o_time.c
+++ b/lib/libssl/src/crypto/o_time.c
@@ -114,16 +114,28 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
return NULL;
logvalue[reslen] = '\0';
+ t = *timer;
+
+/* The following is extracted from the DEC C header time.h */
+/*
+** Beginning in OpenVMS Version 7.0 mktime, time, ctime, strftime
+** have two implementations. One implementation is provided
+** for compatibility and deals with time in terms of local time,
+** the other __utc_* deals with time in terms of UTC.
+*/
+/* We use the same conditions as in said time.h to check if we should
+ assume that t contains local time (and should therefore be adjusted)
+ or UTC (and should therefore be left untouched). */
+#if __CRTL_VER < 70000000 || defined _VMS_V6_SOURCE
/* Get the numerical value of the equivalence string */
status = atoi(logvalue);
/* and use it to move time to GMT */
- t = *timer - status;
+ t -= status;
+#endif
/* then convert the result to the time structure */
-#ifndef OPENSSL_THREADS
- ts=(struct tm *)localtime(&t);
-#else
+
/* Since there was no gmtime_r() to do this stuff for us,
we have to do it the hard way. */
{
@@ -198,7 +210,6 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
result->tm_isdst = 0; /* There's no way to know... */
ts = result;
-#endif
}
}
#endif
diff --git a/lib/libssl/src/crypto/objects/o_names.c b/lib/libssl/src/crypto/objects/o_names.c
index b4453b4a987..28c9370ca3c 100644
--- a/lib/libssl/src/crypto/objects/o_names.c
+++ b/lib/libssl/src/crypto/objects/o_names.c
@@ -2,6 +2,7 @@
#include <stdlib.h>
#include <string.h>
+#include <openssl/err.h>
#include <openssl/lhash.h>
#include <openssl/objects.h>
#include <openssl/safestack.h>
@@ -80,7 +81,11 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),
MemCheck_off();
name_funcs = OPENSSL_malloc(sizeof(NAME_FUNCS));
MemCheck_on();
- if (!name_funcs) return(0);
+ if (!name_funcs)
+ {
+ OBJerr(OBJ_F_OBJ_NAME_NEW_INDEX,ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
name_funcs->hash_func = lh_strhash;
name_funcs->cmp_func = OPENSSL_strcmp;
name_funcs->free_func = 0; /* NULL is often declared to
diff --git a/lib/libssl/src/crypto/objects/obj_dat.c b/lib/libssl/src/crypto/objects/obj_dat.c
index 4534dc09856..f549d078ef6 100644
--- a/lib/libssl/src/crypto/objects/obj_dat.c
+++ b/lib/libssl/src/crypto/objects/obj_dat.c
@@ -236,13 +236,13 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
if (added == NULL)
if (!init_added()) return(0);
if ((o=OBJ_dup(obj)) == NULL) goto err;
- if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err;
+ if (!(ao[ADDED_NID]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
if ((o->length != 0) && (obj->data != NULL))
- ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ));
+ if (!(ao[ADDED_DATA]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
if (o->sn != NULL)
- ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ));
+ if (!(ao[ADDED_SNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
if (o->ln != NULL)
- ao[ADDED_LNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ));
+ if (!(ao[ADDED_LNAME]=(ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2;
for (i=ADDED_DATA; i<=ADDED_NID; i++)
{
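Review bot: The three new allocation checks are written as an unbraced `if` nested inside an unbraced `if`, for example `if (o->sn != NULL)` followed by `if (!(ao[ADDED_SNAME]=...)) goto err2;`, which is easy to break with a later `else` or an added statement. Bracing the outer condition, `if (o->sn != NULL) { if (!(ao[ADDED_SNAME]=...)) goto err2; }`, keeps the pairing explicit. The `err:` cleanup in the next hunk frees every non-NULL `ao[i]`, so these early exits depend on `ao[]` being NULL-initialised at its declaration, which is outside this hunk and worth confirming.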
@@ -260,6 +260,8 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
ASN1_OBJECT_FLAG_DYNAMIC_DATA);
return(o->nid);
+err2:
+ OBJerr(OBJ_F_OBJ_ADD_OBJECT,ERR_R_MALLOC_FAILURE);
err:
for (i=ADDED_DATA; i<=ADDED_NID; i++)
if (ao[i] != NULL) OPENSSL_free(ao[i]);
@@ -648,7 +650,7 @@ int OBJ_create(const char *oid, const char *sn, const char *ln)
if ((buf=(unsigned char *)OPENSSL_malloc(i)) == NULL)
{
- OBJerr(OBJ_F_OBJ_CREATE,OBJ_R_MALLOC_FAILURE);
+ OBJerr(OBJ_F_OBJ_CREATE,ERR_R_MALLOC_FAILURE);
return(0);
}
i=a2d_ASN1_OBJECT(buf,i,oid,-1);
diff --git a/lib/libssl/src/crypto/objects/obj_err.c b/lib/libssl/src/crypto/objects/obj_err.c
index 80ab6855af3..2b5f43e3ccd 100644
--- a/lib/libssl/src/crypto/objects/obj_err.c
+++ b/lib/libssl/src/crypto/objects/obj_err.c
@@ -1,6 +1,6 @@
/* crypto/objects/obj_err.c */
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -66,8 +66,10 @@
#ifndef OPENSSL_NO_ERR
static ERR_STRING_DATA OBJ_str_functs[]=
{
+{ERR_PACK(0,OBJ_F_OBJ_ADD_OBJECT,0), "OBJ_add_object"},
{ERR_PACK(0,OBJ_F_OBJ_CREATE,0), "OBJ_create"},
{ERR_PACK(0,OBJ_F_OBJ_DUP,0), "OBJ_dup"},
+{ERR_PACK(0,OBJ_F_OBJ_NAME_NEW_INDEX,0), "OBJ_NAME_new_index"},
{ERR_PACK(0,OBJ_F_OBJ_NID2LN,0), "OBJ_nid2ln"},
{ERR_PACK(0,OBJ_F_OBJ_NID2OBJ,0), "OBJ_nid2obj"},
{ERR_PACK(0,OBJ_F_OBJ_NID2SN,0), "OBJ_nid2sn"},
diff --git a/lib/libssl/src/crypto/objects/obj_mac.num b/lib/libssl/src/crypto/objects/obj_mac.num
index 9838072b65c..0e64a929bab 100644
--- a/lib/libssl/src/crypto/objects/obj_mac.num
+++ b/lib/libssl/src/crypto/objects/obj_mac.num
@@ -647,3 +647,21 @@ joint_iso_itu_t 646
international_organizations 647
ms_smartcard_login 648
ms_upn 649
+aes_128_cfb1 650
+aes_192_cfb1 651
+aes_256_cfb1 652
+aes_128_cfb8 653
+aes_192_cfb8 654
+aes_256_cfb8 655
+des_cfb1 656
+des_cfb8 657
+des_ede3_cfb1 658
+des_ede3_cfb8 659
+streetAddress 660
+postalCode 661
+id_ppl 662
+proxyCertInfo 663
+id_ppl_anyLanguage 664
+id_ppl_inheritAll 665
+id_ppl_independent 666
+Independent 667
diff --git a/lib/libssl/src/crypto/objects/objects.h b/lib/libssl/src/crypto/objects/objects.h
index de105328136..f859d859b85 100644
--- a/lib/libssl/src/crypto/objects/objects.h
+++ b/lib/libssl/src/crypto/objects/objects.h
@@ -1026,8 +1026,10 @@ void ERR_load_OBJ_strings(void);
/* Error codes for the OBJ functions. */
/* Function codes. */
+#define OBJ_F_OBJ_ADD_OBJECT 105
#define OBJ_F_OBJ_CREATE 100
#define OBJ_F_OBJ_DUP 101
+#define OBJ_F_OBJ_NAME_NEW_INDEX 106
#define OBJ_F_OBJ_NID2LN 102
#define OBJ_F_OBJ_NID2OBJ 103
#define OBJ_F_OBJ_NID2SN 104
diff --git a/lib/libssl/src/crypto/objects/objects.txt b/lib/libssl/src/crypto/objects/objects.txt
index 3ba11f65ccf..50e9031e61e 100644
--- a/lib/libssl/src/crypto/objects/objects.txt
+++ b/lib/libssl/src/crypto/objects/objects.txt
@@ -312,6 +312,7 @@ id-pkix 9 : id-pda
id-pkix 10 : id-aca
id-pkix 11 : id-qcs
id-pkix 12 : id-cct
+id-pkix 21 : id-ppl
id-pkix 48 : id-ad
# PKIX Modules
@@ -346,6 +347,7 @@ id-pe 9 : sbqp-routerIdentifier
id-pe 10 : ac-proxying
!Cname sinfo-access
id-pe 11 : subjectInfoAccess : Subject Information Access
+id-pe 14 : proxyCertInfo : Proxy Certificate Information
# PKIX policyQualifiers for Internet policy qualifiers
id-qt 1 : id-qt-cps : Policy Qualifier CPS
@@ -461,6 +463,11 @@ id-cct 1 : id-cct-crs
id-cct 2 : id-cct-PKIData
id-cct 3 : id-cct-PKIResponse
+# Predefined Proxy Certificate policy languages
+id-ppl 0 : id-ppl-anyLanguage : Any language
+id-ppl 1 : id-ppl-inheritAll : Inherit all
+id-ppl 2 : id-ppl-independent : Independent
+
# access descriptors for authority info access extension
!Cname ad-OCSP
id-ad 1 : OCSP : OCSP
@@ -536,10 +543,12 @@ X509 5 : : serialNumber
X509 6 : C : countryName
X509 7 : L : localityName
X509 8 : ST : stateOrProvinceName
+X509 9 : : streetAddress
X509 10 : O : organizationName
X509 11 : OU : organizationalUnitName
X509 12 : : title
X509 13 : : description
+X509 17 : : postalCode
X509 41 : name : name
X509 42 : GN : givenName
X509 43 : : initials
@@ -681,6 +690,19 @@ aes 43 : AES-256-OFB : aes-256-ofb
!Cname aes-256-cfb128
aes 44 : AES-256-CFB : aes-256-cfb
+# There are no OIDs for these modes...
+
+ : AES-128-CFB1 : aes-128-cfb1
+ : AES-192-CFB1 : aes-192-cfb1
+ : AES-256-CFB1 : aes-256-cfb1
+ : AES-128-CFB8 : aes-128-cfb8
+ : AES-192-CFB8 : aes-192-cfb8
+ : AES-256-CFB8 : aes-256-cfb8
+ : DES-CFB1 : des-cfb1
+ : DES-CFB8 : des-cfb8
+ : DES-EDE3-CFB1 : des-ede3-cfb1
+ : DES-EDE3-CFB8 : des-ede3-cfb8
+
# Hold instruction CRL entry extension
!Cname hold-instruction-code
id-ce 23 : holdInstructionCode : Hold Instruction Code
diff --git a/lib/libssl/src/crypto/opensslv.h b/lib/libssl/src/crypto/opensslv.h
index 02f1710fb3f..5d5f688edd7 100644
--- a/lib/libssl/src/crypto/opensslv.h
+++ b/lib/libssl/src/crypto/opensslv.h
@@ -25,8 +25,12 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x0090704fL
-#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d 17 Mar 2004"
+#define OPENSSL_VERSION_NUMBER 0x0090707fL
+#ifdef OPENSSL_FIPS
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7g-fips 11 Apr 2005"
+#else
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7g 11 Apr 2005"
+#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/lib/libssl/src/crypto/pem/pem_all.c b/lib/libssl/src/crypto/pem/pem_all.c
index e72b7134cec..07963314c95 100644
--- a/lib/libssl/src/crypto/pem/pem_all.c
+++ b/lib/libssl/src/crypto/pem/pem_all.c
@@ -64,6 +64,7 @@
#include <openssl/x509.h>
#include <openssl/pkcs7.h>
#include <openssl/pem.h>
+#include <openssl/fips.h>
#ifndef OPENSSL_NO_RSA
static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa);
@@ -128,7 +129,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
#endif
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_RSA(k, x);
+
+ ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+
+ EVP_PKEY_set1_RSA(k, x);
+
+ ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+#endif
+
+#else
+
IMPLEMENT_PEM_write_cb(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
+
+#endif
+
IMPLEMENT_PEM_rw(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
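Review bot: The result of `EVP_PKEY_set1_RSA(k, x)` is ignored in both `PEM_write_bio_RSAPrivateKey` and `PEM_write_RSAPrivateKey`, so a failed assignment (for instance a NULL `x`) hands an `EVP_PKEY` with no key to the writer. I would check it and release the wrapper: `if (!EVP_PKEY_set1_RSA(k, x)) { EVP_PKEY_free(k); return 0; }`. The DSA hunk that follows has the same pattern with `EVP_PKEY_set1_DSA` in its two functions. These wrappers serialise private keys, so failing at the point of the error is preferable to relying on the downstream writer to reject an empty key.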
@@ -158,7 +201,48 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
return pkey_get_dsa(pktmp, dsa);
}
+
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_DSA(k, x);
+
+ ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_DSA(k, x);
+ ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+#endif
+
+#else
+
IMPLEMENT_PEM_write_cb(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+
+#endif
+
IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
#ifndef OPENSSL_NO_FP_API
@@ -190,7 +274,42 @@ IMPLEMENT_PEM_rw(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
* (When reading, parameter PEM_STRING_EVP_PKEY is a wildcard for anything
* appropriate.)
*/
+
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+ {
+ if (FIPS_mode())
+ return PEM_write_bio_PKCS8PrivateKey(bp, x, enc,
+ (char *)kstr, klen, cb, u);
+ else
+ return PEM_ASN1_write_bio((int (*)())i2d_PrivateKey,
+ (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
+ bp,(char *)x,enc,kstr,klen,cb,u);
+ }
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+ {
+ if (FIPS_mode())
+ return PEM_write_PKCS8PrivateKey(fp, x, enc,
+ (char *)kstr, klen, cb, u);
+ else
+ return PEM_ASN1_write((int (*)())i2d_PrivateKey,
+ (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
+ fp,(char *)x,enc,kstr,klen,cb,u);
+ }
+#endif
+
+#else
+
IMPLEMENT_PEM_write_cb(PrivateKey, EVP_PKEY, ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA), PrivateKey)
+#endif
+
IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY)
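Review bot: Under `OPENSSL_FIPS` the output format of `PEM_write_bio_PrivateKey` and `PEM_write_PrivateKey` now depends on `FIPS_mode()` at run time, and nothing in the code says so. A consumer that matches on the PEM header or expects the traditional RSA/DSA form will see PKCS#8 output once FIPS mode is on. A comment above the first function would cover it: `/* In FIPS mode private keys are written as PKCS#8; otherwise the traditional RSA/DSA PEM form is used */`. `enc` is passed through unchanged in both branches, so a NULL `enc` presumably still yields an unencrypted key in either mode, which is worth stating in the same comment.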
diff --git a/lib/libssl/src/crypto/pem/pem_lib.c b/lib/libssl/src/crypto/pem/pem_lib.c
index 7785039b993..82815067b39 100644
--- a/lib/libssl/src/crypto/pem/pem_lib.c
+++ b/lib/libssl/src/crypto/pem/pem_lib.c
@@ -73,7 +73,7 @@ const char *PEM_version="PEM" OPENSSL_VERSION_PTEXT;
#define MIN_LENGTH 4
-static int load_iv(unsigned char **fromp,unsigned char *to, int num);
+static int load_iv(char **fromp,unsigned char *to, int num);
static int check_pem(const char *nm, const char *name);
int PEM_def_callback(char *buf, int num, int w, void *key)
@@ -301,7 +301,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
if ((dsize=i2d(x,NULL)) < 0)
{
- PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_MALLOC_FAILURE);
+ PEMerr(PEM_F_PEM_ASN1_WRITE_BIO,ERR_R_ASN1_LIB);
dsize=0;
goto err;
}
@@ -432,6 +432,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
int o;
const EVP_CIPHER *enc=NULL;
char *p,c;
+ char **header_pp = &header;
cipher->cipher=NULL;
if ((header == NULL) || (*header == '\0') || (*header == '\n'))
@@ -478,15 +479,16 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_UNSUPPORTED_ENCRYPTION);
return(0);
}
- if (!load_iv((unsigned char **)&header,&(cipher->iv[0]),enc->iv_len)) return(0);
+ if (!load_iv(header_pp,&(cipher->iv[0]),enc->iv_len))
+ return(0);
return(1);
}
-static int load_iv(unsigned char **fromp, unsigned char *to, int num)
+static int load_iv(char **fromp, unsigned char *to, int num)
{
int v,i;
- unsigned char *from;
+ char *from;
from= *fromp;
for (i=0; i<num; i++) to[i]=0;
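Review bot: With `load_iv` now taking `char **`, the call can pass `&header` directly; the `header_pp` local added in the previous hunk of this file appears to exist only to carry that address. `if (!load_iv(&header,&(cipher->iv[0]),enc->iv_len))` keeps the intent visible at the call site and removes a variable that is initialised long before its single use. Since `header` is text taken from the PEM input, a short comment on `load_iv` stating how many characters it consumes from `*fromp` would help a reader check the bounds; its parsing loop is outside the hunk.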
@@ -623,6 +625,9 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
dataB=BUF_MEM_new();
if ((nameB == NULL) || (headerB == NULL) || (dataB == NULL))
{
+ BUF_MEM_free(nameB);
+ BUF_MEM_free(headerB);
+ BUF_MEM_free(dataB);
PEMerr(PEM_F_PEM_READ_BIO,ERR_R_MALLOC_FAILURE);
return(0);
}
diff --git a/lib/libssl/src/crypto/pem/pem_pkey.c b/lib/libssl/src/crypto/pem/pem_pkey.c
index f77c949e87b..9ecdbd5419e 100644
--- a/lib/libssl/src/crypto/pem/pem_pkey.c
+++ b/lib/libssl/src/crypto/pem/pem_pkey.c
@@ -104,6 +104,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo
if (klen <= 0) {
PEMerr(PEM_F_PEM_ASN1_READ_BIO,
PEM_R_BAD_PASSWORD_READ);
+ X509_SIG_free(p8);
goto err;
}
p8inf = PKCS8_decrypt(p8, psbuf, klen);
diff --git a/lib/libssl/src/crypto/perlasm/x86asm.pl b/lib/libssl/src/crypto/perlasm/x86asm.pl
index 7c675e3ced3..60233f80e85 100644
--- a/lib/libssl/src/crypto/perlasm/x86asm.pl
+++ b/lib/libssl/src/crypto/perlasm/x86asm.pl
@@ -130,4 +130,6 @@ BSDI - a.out with a very primative version of as.
EOF
}
+sub main'align() {} # swallow align statements in 0.9.7 context
+
1;
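Review bot: `sub main'align() {}` declares an empty prototype, i.e. a sub that takes no arguments, while its comment says it exists to swallow align statements, which presumably carry an alignment value. Calls written as `&align(...)` ignore prototypes, so that style keeps working, but a call without the `&` compiled after this definition would be rejected for passing too many arguments. `sub main'align {} # swallow align statements in 0.9.7 context` avoids the mismatch.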
diff --git a/lib/libssl/src/crypto/perlasm/x86ms.pl b/lib/libssl/src/crypto/perlasm/x86ms.pl
index fbb4afb9bda..b6bd744057e 100644
--- a/lib/libssl/src/crypto/perlasm/x86ms.pl
+++ b/lib/libssl/src/crypto/perlasm/x86ms.pl
@@ -160,6 +160,7 @@ sub main'not { &out1("not",@_); }
sub main'call { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
sub main'ret { &out0("ret"); }
sub main'nop { &out0("nop"); }
+sub main'movz { &out2("movzx",@_); }
sub out2
{
diff --git a/lib/libssl/src/crypto/perlasm/x86nasm.pl b/lib/libssl/src/crypto/perlasm/x86nasm.pl
index 30346af4eac..5009acb4b31 100644
--- a/lib/libssl/src/crypto/perlasm/x86nasm.pl
+++ b/lib/libssl/src/crypto/perlasm/x86nasm.pl
@@ -86,7 +86,7 @@ sub get_mem
{
my($size,$addr,$reg1,$reg2,$idx)=@_;
my($t,$post);
- my($ret)="[";
+ my($ret)="$size [";
$addr =~ s/^\s+//;
if ($addr =~ /^(.+)\+(.+)$/)
{
@@ -169,6 +169,7 @@ sub main'not { &out1("not",@_); }
sub main'call { &out1("call",($_[0]=~/^\$L/?'':'_').$_[0]); }
sub main'ret { &out0("ret"); }
sub main'nop { &out0("nop"); }
+sub main'movz { &out2("movzx",@_); }
sub out2
{
@@ -176,6 +177,11 @@ sub out2
my($l,$t);
push(@out,"\t$name\t");
+ if ($name eq "lea")
+ {
+ $p1 =~ s/^[^\[]*\[/\[/;
+ $p2 =~ s/^[^\[]*\[/\[/;
+ }
$t=&conv($p1).",";
$l=length($t);
push(@out,$t);
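Review bot: The new `lea` special case in `out2` has no comment, and it only makes sense together with the `get_mem` change earlier in this file that prefixes every memory operand with `$size`. I would add `# lea takes an address, not a sized memory reference: strip the size prefix get_mem added` above the `if`. The substitution removes everything before the first `[`, so it relies on no `lea` operand carrying meaningful text ahead of the bracket. `out2` continues outside the hunk.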
diff --git a/lib/libssl/src/crypto/perlasm/x86unix.pl b/lib/libssl/src/crypto/perlasm/x86unix.pl
index 53ad5f49279..9717d185579 100644
--- a/lib/libssl/src/crypto/perlasm/x86unix.pl
+++ b/lib/libssl/src/crypto/perlasm/x86unix.pl
@@ -143,12 +143,12 @@ sub main'shl { &out2("sall",@_); }
sub main'shr { &out2("shrl",@_); }
sub main'xor { &out2("xorl",@_); }
sub main'xorb { &out2("xorb",@_); }
-sub main'add { &out2("addl",@_); }
+sub main'add { &out2($_[0]=~/%[a-d][lh]/?"addb":"addl",@_); }
sub main'adc { &out2("adcl",@_); }
sub main'sub { &out2("subl",@_); }
sub main'rotl { &out2("roll",@_); }
sub main'rotr { &out2("rorl",@_); }
-sub main'exch { &out2("xchg",@_); }
+sub main'exch { &out2($_[0]=~/%[a-d][lh]/?"xchgb":"xchgl",@_); }
sub main'cmp { &out2("cmpl",@_); }
sub main'lea { &out2("leal",@_); }
sub main'mul { &out1("mull",@_); }
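Review bot: The byte-versus-long choice in `main'add` and `main'exch` (and in `main'inc` in the next hunk) looks only at `$_[0]` with an unanchored `/%[a-d][lh]/`, so the mnemonic suffix is decided by the first operand alone. A call whose byte register is the second operand would still get `addl` or `xchgl`; if the generators never do that, a comment should say so, e.g. `# operand size is taken from the first argument; byte registers must be passed there`. The character class is also spelled `[lh]` twice and `[hl]` once, and a shared helper such as `sub suffix { $_[0]=~/%[a-d][lh]/ ? "b" : "l" }` would keep the three in step.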
@@ -170,7 +170,7 @@ sub main'jc { &out1("jc",@_); }
sub main'jnc { &out1("jnc",@_); }
sub main'jno { &out1("jno",@_); }
sub main'dec { &out1("decl",@_); }
-sub main'inc { &out1("incl",@_); }
+sub main'inc { &out1($_[0]=~/%[a-d][hl]/?"incb":"incl",@_); }
sub main'push { &out1("pushl",@_); $stack+=4; }
sub main'pop { &out1("popl",@_); $stack-=4; }
sub main'pushf { &out0("pushf"); $stack+=4; }
@@ -179,6 +179,7 @@ sub main'not { &out1("notl",@_); }
sub main'call { &out1("call",($_[0]=~/^\.L/?'':$under).$_[0]); }
sub main'ret { &out0("ret"); }
sub main'nop { &out0("nop"); }
+sub main'movz { &out2("movzbl",@_); }
# The bswapl instruction is new for the 486. Emulate if i386.
sub main'bswap
diff --git a/lib/libssl/src/crypto/pkcs12/p12_crpt.c b/lib/libssl/src/crypto/pkcs12/p12_crpt.c
index 5e8958612b4..003ec7a33e6 100644
--- a/lib/libssl/src/crypto/pkcs12/p12_crpt.c
+++ b/lib/libssl/src/crypto/pkcs12/p12_crpt.c
@@ -88,7 +88,7 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
{
PBEPARAM *pbe;
- int saltlen, iter;
+ int saltlen, iter, ret;
unsigned char *salt, *pbuf;
unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
@@ -117,8 +117,8 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
return 0;
}
PBEPARAM_free(pbe);
- EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
+ ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
- return 1;
+ return ret;
}
diff --git a/lib/libssl/src/crypto/pkcs12/p12_init.c b/lib/libssl/src/crypto/pkcs12/p12_init.c
index eb837a78cf7..5276b126698 100644
--- a/lib/libssl/src/crypto/pkcs12/p12_init.c
+++ b/lib/libssl/src/crypto/pkcs12/p12_init.c
@@ -76,15 +76,17 @@ PKCS12 *PKCS12_init (int mode)
if (!(pkcs12->authsafes->d.data =
M_ASN1_OCTET_STRING_new())) {
PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
- return NULL;
+ goto err;
}
break;
default:
- PKCS12err(PKCS12_F_PKCS12_INIT,PKCS12_R_UNSUPPORTED_PKCS12_MODE);
- PKCS12_free(pkcs12);
- return NULL;
- break;
+ PKCS12err(PKCS12_F_PKCS12_INIT,
+ PKCS12_R_UNSUPPORTED_PKCS12_MODE);
+ goto err;
}
return pkcs12;
+err:
+ if (pkcs12 != NULL) PKCS12_free(pkcs12);
+ return NULL;
}
diff --git a/lib/libssl/src/crypto/pkcs12/p12_kiss.c b/lib/libssl/src/crypto/pkcs12/p12_kiss.c
index 885087ad00f..2b31999e112 100644
--- a/lib/libssl/src/crypto/pkcs12/p12_kiss.c
+++ b/lib/libssl/src/crypto/pkcs12/p12_kiss.c
@@ -249,14 +249,26 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
return 1;
if (!(x509 = PKCS12_certbag2x509(bag))) return 0;
- if(ckid) X509_keyid_set1(x509, ckid->data, ckid->length);
+ if(ckid)
+ {
+ if (!X509_keyid_set1(x509, ckid->data, ckid->length))
+ {
+ X509_free(x509);
+ return 0;
+ }
+ }
if(fname) {
- int len;
+ int len, r;
unsigned char *data;
len = ASN1_STRING_to_UTF8(&data, fname);
if(len > 0) {
- X509_alias_set1(x509, data, len);
+ r = X509_alias_set1(x509, data, len);
OPENSSL_free(data);
+ if (!r)
+ {
+ X509_free(x509);
+ return 0;
+ }
}
}
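Review bot: The alias path now fails the bag when `X509_alias_set1` fails, but a negative `len` from `ASN1_STRING_to_UTF8` is still skipped silently by `if(len > 0)`, so a friendly name that cannot be converted leaves the certificate without an alias and raises no error. If that best-effort behaviour is intended, say so with `/* conversion failure is not fatal: the certificate is kept without an alias */`. Otherwise treat it like the other failures with `if (len < 0) { X509_free(x509); return 0; }`. `parse_bag` continues outside the hunk.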
diff --git a/lib/libssl/src/crypto/pkcs12/p12_mutl.c b/lib/libssl/src/crypto/pkcs12/p12_mutl.c
index 0fb67f74b8b..4886b9b2899 100644
--- a/lib/libssl/src/crypto/pkcs12/p12_mutl.c
+++ b/lib/libssl/src/crypto/pkcs12/p12_mutl.c
@@ -148,7 +148,10 @@ int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
return 0;
}
- ASN1_INTEGER_set(p12->mac->iter, iter);
+ if (!ASN1_INTEGER_set(p12->mac->iter, iter)) {
+ PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
}
if (!saltlen) saltlen = PKCS12_SALT_LEN;
p12->mac->salt->length = saltlen;
diff --git a/lib/libssl/src/crypto/pkcs7/pk7_attr.c b/lib/libssl/src/crypto/pkcs7/pk7_attr.c
index 5ff5a88b5cf..039141027a6 100644
--- a/lib/libssl/src/crypto/pkcs7/pk7_attr.c
+++ b/lib/libssl/src/crypto/pkcs7/pk7_attr.c
@@ -3,7 +3,7 @@
* project 2001.
*/
/* ====================================================================
- * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2001-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -94,17 +94,18 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap)
}
STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
-{
+ {
ASN1_TYPE *cap;
unsigned char *p;
cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
- if (!cap) return NULL;
+ if (!cap || (cap->type != V_ASN1_SEQUENCE))
+ return NULL;
p = cap->value.sequence->data;
return d2i_ASN1_SET_OF_X509_ALGOR(NULL, &p,
cap->value.sequence->length,
d2i_X509_ALGOR, X509_ALGOR_free,
V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-}
+ }
/* Basic smime-capabilities OID and optional integer arg */
int PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg)
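Review bot: The new `cap->type != V_ASN1_SEQUENCE` test in PKCS7_get_smimecap has no comment explaining why it is needed. The attribute is taken from the signer info, and `cap->value.sequence` is only meaningful when the ASN1_TYPE really holds a SEQUENCE, so without the test a differently typed attribute would be dereferenced as one. I would add `/* value.sequence is only valid for a SEQUENCE; reject any other attribute type */` above the check so it is not later removed as redundant.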
diff --git a/lib/libssl/src/crypto/pkcs7/pk7_doit.c b/lib/libssl/src/crypto/pkcs7/pk7_doit.c
index b78e22819cd..4ac29ae14d6 100644
--- a/lib/libssl/src/crypto/pkcs7/pk7_doit.c
+++ b/lib/libssl/src/crypto/pkcs7/pk7_doit.c
@@ -239,7 +239,13 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
OPENSSL_free(tmp);
goto err;
}
- M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
+ if (!M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj))
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT,
+ ERR_R_MALLOC_FAILURE);
+ OPENSSL_free(tmp);
+ goto err;
+ }
}
OPENSSL_free(tmp);
OPENSSL_cleanse(key, keylen);
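Review bot: The new `goto err` after a failed `M_ASN1_OCTET_STRING_set` leaves the loop before `OPENSSL_cleanse(key, keylen)` runs, so the key buffer is not wiped on this path unless the `err:` label does it. That label is outside the hunk, so this cannot be confirmed here. Placing `OPENSSL_cleanse(key, keylen);` before the jump, or once at the label, keeps the wipe unconditional. The pre-existing `goto err` a few lines above has the same gap.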
@@ -520,12 +526,20 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
case NID_pkcs7_signedAndEnveloped:
/* XXXXXXXXXXXXXXXX */
si_sk=p7->d.signed_and_enveloped->signer_info;
- os=M_ASN1_OCTET_STRING_new();
+ if (!(os=M_ASN1_OCTET_STRING_new()))
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
p7->d.signed_and_enveloped->enc_data->enc_data=os;
break;
case NID_pkcs7_enveloped:
/* XXXXXXXXXXXXXXXX */
- os=M_ASN1_OCTET_STRING_new();
+ if (!(os=M_ASN1_OCTET_STRING_new()))
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
p7->d.enveloped->enc_data->enc_data=os;
break;
case NID_pkcs7_signed:
@@ -599,7 +613,12 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
if (!PKCS7_get_signed_attribute(si,
NID_pkcs9_signingTime))
{
- sign_time=X509_gmtime_adj(NULL,0);
+ if (!(sign_time=X509_gmtime_adj(NULL,0)))
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATASIGN,
+ ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
PKCS7_add_signed_attribute(si,
NID_pkcs9_signingTime,
V_ASN1_UTCTIME,sign_time);
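Review bot: The return value of `PKCS7_add_signed_attribute` is still ignored here, even though `sign_time` is now checked for allocation failure. If the add fails, `sign_time` is presumably leaked and the signature is computed without a signingTime attribute. The same applies to the `NID_pkcs9_messageDigest` call in the next hunk. A guard along the lines of `if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME, sign_time)) { M_ASN1_UTCTIME_free(sign_time); goto err; }` would close it.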
@@ -608,8 +627,19 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
/* Add digest */
md_tmp=EVP_MD_CTX_md(&ctx_tmp);
EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len);
- digest=M_ASN1_OCTET_STRING_new();
- M_ASN1_OCTET_STRING_set(digest,md_data,md_len);
+ if (!(digest=M_ASN1_OCTET_STRING_new()))
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATASIGN,
+ ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ if (!M_ASN1_OCTET_STRING_set(digest,md_data,
+ md_len))
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATASIGN,
+ ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
PKCS7_add_signed_attribute(si,
NID_pkcs9_messageDigest,
V_ASN1_OCTET_STRING,digest);
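Review bot: When `M_ASN1_OCTET_STRING_set(digest,md_data,md_len)` fails, the new code jumps to `err` with `digest` already allocated and not yet attached to `si`. Unless the `err:` label, which is outside the hunk, frees it, the octet string is leaked. Adding `M_ASN1_OCTET_STRING_free(digest);` before that `goto err` fixes it. The `EVP_DigestFinal_ex` call two lines above the new block is also unchecked, so `md_len` and `md_data` are used even if finalisation failed.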
diff --git a/lib/libssl/src/crypto/pkcs7/pk7_lib.c b/lib/libssl/src/crypto/pkcs7/pk7_lib.c
index 985b07245cc..ee1817c7af9 100644
--- a/lib/libssl/src/crypto/pkcs7/pk7_lib.c
+++ b/lib/libssl/src/crypto/pkcs7/pk7_lib.c
@@ -164,7 +164,12 @@ int PKCS7_set_type(PKCS7 *p7, int type)
p7->type=obj;
if ((p7->d.sign=PKCS7_SIGNED_new()) == NULL)
goto err;
- ASN1_INTEGER_set(p7->d.sign->version,1);
+ if (!ASN1_INTEGER_set(p7->d.sign->version,1))
+ {
+ PKCS7_SIGNED_free(p7->d.sign);
+ p7->d.sign=NULL;
+ goto err;
+ }
break;
case NID_pkcs7_data:
p7->type=obj;
@@ -176,6 +181,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
if ((p7->d.signed_and_enveloped=PKCS7_SIGN_ENVELOPE_new())
== NULL) goto err;
ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1);
+ if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1))
+ goto err;
p7->d.signed_and_enveloped->enc_data->content_type
= OBJ_nid2obj(NID_pkcs7_data);
break;
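Review bot: In the `NID_pkcs7_signedAndEnveloped` case the original unchecked `ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1);` is left in place as a context line, so the version is now set twice. The other cases in this file replace the call; this one only adds the checked copy beneath it. The first call should be deleted so that only `if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1)) goto err;` remains.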
@@ -183,7 +190,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
p7->type=obj;
if ((p7->d.enveloped=PKCS7_ENVELOPE_new())
== NULL) goto err;
- ASN1_INTEGER_set(p7->d.enveloped->version,0);
+ if (!ASN1_INTEGER_set(p7->d.enveloped->version,0))
+ goto err;
p7->d.enveloped->enc_data->content_type
= OBJ_nid2obj(NID_pkcs7_data);
break;
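Review bot: The failure handling here is inconsistent with the `NID_pkcs7_signed` case earlier in PKCS7_set_type, which frees the new structure and resets `p7->d.sign` to NULL before `goto err`. The enveloped case, like the signedAndEnveloped and encrypted cases in the neighbouring hunks, jumps straight to `err` and leaves the half-initialised object attached to `p7`. The `err:` label is outside the hunk, so it may already deal with this. If it does not, use the same pattern, e.g. `PKCS7_ENVELOPE_free(p7->d.enveloped); p7->d.enveloped=NULL;` before the jump.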
@@ -191,7 +199,8 @@ int PKCS7_set_type(PKCS7 *p7, int type)
p7->type=obj;
if ((p7->d.encrypted=PKCS7_ENCRYPT_new())
== NULL) goto err;
- ASN1_INTEGER_set(p7->d.encrypted->version,0);
+ if (!ASN1_INTEGER_set(p7->d.encrypted->version,0))
+ goto err;
p7->d.encrypted->enc_data->content_type
= OBJ_nid2obj(NID_pkcs7_data);
break;
@@ -318,15 +327,18 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
if (pkey->type == EVP_PKEY_DSA) is_dsa = 1;
else is_dsa = 0;
/* We now need to add another PKCS7_SIGNER_INFO entry */
- ASN1_INTEGER_set(p7i->version,1);
- X509_NAME_set(&p7i->issuer_and_serial->issuer,
- X509_get_issuer_name(x509));
+ if (!ASN1_INTEGER_set(p7i->version,1))
+ goto err;
+ if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
+ X509_get_issuer_name(x509)))
+ goto err;
/* because ASN1_INTEGER_set is used to set a 'long' we will do
* things the ugly way. */
M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
- p7i->issuer_and_serial->serial=
- M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+ if (!(p7i->issuer_and_serial->serial=
+ M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
+ goto err;
/* lets keep the pkey around for a while */
CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
@@ -423,16 +435,20 @@ int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
{
- ASN1_INTEGER_set(p7i->version,0);
- X509_NAME_set(&p7i->issuer_and_serial->issuer,
- X509_get_issuer_name(x509));
+ if (!ASN1_INTEGER_set(p7i->version,0))
+ return 0;
+ if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
+ X509_get_issuer_name(x509)))
+ return 0;
M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
- p7i->issuer_and_serial->serial=
- M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
+ if (!(p7i->issuer_and_serial->serial=
+ M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
+ return 0;
X509_ALGOR_free(p7i->key_enc_algor);
- p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor);
+ if (!(p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor)))
+ return 0;
CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
p7i->cert=x509;
diff --git a/lib/libssl/src/crypto/pkcs7/pk7_smime.c b/lib/libssl/src/crypto/pkcs7/pk7_smime.c
index 6e5735de118..a852b492358 100644
--- a/lib/libssl/src/crypto/pkcs7/pk7_smime.c
+++ b/lib/libssl/src/crypto/pkcs7/pk7_smime.c
@@ -155,7 +155,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
char buf[4096];
int i, j=0, k, ret = 0;
BIO *p7bio;
- BIO *tmpout;
+ BIO *tmpin, *tmpout;
if(!p7) {
PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_INVALID_NULL_POINTER);
@@ -228,7 +228,30 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
/* Check for revocation status here */
}
- p7bio=PKCS7_dataInit(p7,indata);
+ /* Performance optimization: if the content is a memory BIO then
+ * store its contents in a temporary read only memory BIO. This
+ * avoids potentially large numbers of slow copies of data which will
+ * occur when reading from a read write memory BIO when signatures
+ * are calculated.
+ */
+
+ if (indata && (BIO_method_type(indata) == BIO_TYPE_MEM))
+ {
+ char *ptr;
+ long len;
+ len = BIO_get_mem_data(indata, &ptr);
+ tmpin = BIO_new_mem_buf(ptr, len);
+ if (tmpin == NULL)
+ {
+ PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ }
+ else
+ tmpin = indata;
+
+
+ p7bio=PKCS7_dataInit(p7,tmpin);
if(flags & PKCS7_TEXT) {
if(!(tmpout = BIO_new(BIO_s_mem()))) {
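Review bot: The `return 0` taken when `BIO_new_mem_buf` fails bypasses the `err:` label, which a later hunk shows calling `sk_X509_free(signers)`. If `signers` has been populated by this point, as the surrounding verification code suggests, it is leaked on this path. `goto err` is not a safe substitute because `p7bio` is still unset, so use `sk_X509_free(signers); return 0;`. Separately, `len` is a `long` from `BIO_get_mem_data` but is passed to `BIO_new_mem_buf`, whose length parameter is an `int`; a range check before the call would avoid silent truncation.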
@@ -270,9 +293,15 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
ret = 1;
err:
+
+ if (tmpin == indata)
+ {
+ if(indata) BIO_pop(p7bio);
+ BIO_free_all(p7bio);
+ }
+ else
+ BIO_free_all(tmpin);
- if(indata) BIO_pop(p7bio);
- BIO_free_all(p7bio);
sk_X509_free(signers);
return ret;
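Review bot: The `else` branch of the new cleanup frees only `tmpin`, so the BIOs that `PKCS7_dataInit` stacked in front of it are never released. The other branch's `BIO_pop(p7bio)` implies `p7bio` heads a chain that ends in the input BIO, and `BIO_free_all(tmpin)` starts at the tail of that chain. Freeing from the head in both cases avoids the leak: `if (tmpin == indata) { if (indata) BIO_pop(p7bio); }` followed by an unconditional `BIO_free_all(p7bio);`. This also relies on `tmpin` being assigned on every path that reaches `err`, which cannot be checked from this hunk.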
@@ -296,10 +325,6 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_WRONG_CONTENT_TYPE);
return NULL;
}
- if(!(signers = sk_X509_new_null())) {
- PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
- return NULL;
- }
/* Collect all the signers together */
@@ -310,6 +335,11 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
return 0;
}
+ if(!(signers = sk_X509_new_null())) {
+ PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
{
si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
diff --git a/lib/libssl/src/crypto/rand/md_rand.c b/lib/libssl/src/crypto/rand/md_rand.c
index eeffc0df4cb..c84968df88f 100644
--- a/lib/libssl/src/crypto/rand/md_rand.c
+++ b/lib/libssl/src/crypto/rand/md_rand.c
@@ -126,6 +126,7 @@
#include <openssl/crypto.h>
#include <openssl/err.h>
+#include <openssl/fips.h>
#ifdef BN_DEBUG
# define PREDICT
@@ -332,6 +333,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
#endif
int do_stir_pool = 0;
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode())
+ {
+ FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD);
+ return 0;
+ }
+#endif
+
#ifdef PREDICT
if (rand_predictable)
{
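Review bot: The FIPS-mode rejection in ssleay_rand_bytes is reported with `FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD)`, although this commit adds `RAND_R_NON_FIPS_METHOD` to rand.h and rand_lib.c reports the same condition with `RANDerr`. Unless the FIPS error library is meant to own this one, `RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_NON_FIPS_METHOD);` keeps both RAND entry points in one error namespace. The previous hunk includes `<openssl/fips.h>` unconditionally while every use is under `#ifdef OPENSSL_FIPS`. Guarding the include the same way avoids a hard dependency on that header in non-FIPS builds.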
diff --git a/lib/libssl/src/crypto/rand/rand.h b/lib/libssl/src/crypto/rand/rand.h
index 606382dd211..604df9be6c3 100644
--- a/lib/libssl/src/crypto/rand/rand.h
+++ b/lib/libssl/src/crypto/rand/rand.h
@@ -71,6 +71,10 @@
extern "C" {
#endif
+#if defined(OPENSSL_FIPS)
+#define FIPS_RAND_SIZE_T int
+#endif
+
typedef struct rand_meth_st
{
void (*seed)(const void *buf, int num);
@@ -121,11 +125,17 @@ void ERR_load_RAND_strings(void);
/* Error codes for the RAND functions. */
/* Function codes. */
+#define RAND_F_FIPS_RAND_BYTES 102
#define RAND_F_RAND_GET_RAND_METHOD 101
#define RAND_F_SSLEAY_RAND_BYTES 100
/* Reason codes. */
+#define RAND_R_NON_FIPS_METHOD 101
+#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH 105
+#define RAND_R_PRNG_NOT_REKEYED 103
+#define RAND_R_PRNG_NOT_RESEEDED 104
#define RAND_R_PRNG_NOT_SEEDED 100
+#define RAND_R_PRNG_STUCK 102
#ifdef __cplusplus
}
diff --git a/lib/libssl/src/crypto/rand/rand_egd.c b/lib/libssl/src/crypto/rand/rand_egd.c
index 6f742900a0a..cd666abfcb6 100644
--- a/lib/libssl/src/crypto/rand/rand_egd.c
+++ b/lib/libssl/src/crypto/rand/rand_egd.c
@@ -95,7 +95,7 @@
* RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
*/
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS)
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_VOS)
int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
{
return(-1);
@@ -216,7 +216,9 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
while (numbytes != 1)
{
num = read(fd, egdbuf, 1);
- if (num >= 0)
+ if (num == 0)
+ goto err; /* descriptor closed */
+ else if (num > 0)
numbytes += num;
else
{
@@ -246,7 +248,9 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
while (numbytes != egdbuf[0])
{
num = read(fd, retrievebuf + numbytes, egdbuf[0] - numbytes);
- if (num >= 0)
+ if (num == 0)
+ goto err; /* descriptor closed */
+ else if (num > 0)
numbytes += num;
else
{
diff --git a/lib/libssl/src/crypto/rand/rand_err.c b/lib/libssl/src/crypto/rand/rand_err.c
index b77267e213b..95574659ace 100644
--- a/lib/libssl/src/crypto/rand/rand_err.c
+++ b/lib/libssl/src/crypto/rand/rand_err.c
@@ -1,6 +1,6 @@
/* crypto/rand/rand_err.c */
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -66,6 +66,7 @@
#ifndef OPENSSL_NO_ERR
static ERR_STRING_DATA RAND_str_functs[]=
{
+{ERR_PACK(0,RAND_F_FIPS_RAND_BYTES,0), "FIPS_RAND_BYTES"},
{ERR_PACK(0,RAND_F_RAND_GET_RAND_METHOD,0), "RAND_get_rand_method"},
{ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0), "SSLEAY_RAND_BYTES"},
{0,NULL}
@@ -73,7 +74,12 @@ static ERR_STRING_DATA RAND_str_functs[]=
static ERR_STRING_DATA RAND_str_reasons[]=
{
+{RAND_R_NON_FIPS_METHOD ,"non fips method"},
+{RAND_R_PRNG_ASKING_FOR_TOO_MUCH ,"prng asking for too much"},
+{RAND_R_PRNG_NOT_REKEYED ,"prng not rekeyed"},
+{RAND_R_PRNG_NOT_RESEEDED ,"prng not reseeded"},
{RAND_R_PRNG_NOT_SEEDED ,"PRNG not seeded"},
+{RAND_R_PRNG_STUCK ,"prng stuck"},
{0,NULL}
};
diff --git a/lib/libssl/src/crypto/rand/rand_lib.c b/lib/libssl/src/crypto/rand/rand_lib.c
index 513e3389859..88f1b56d91e 100644
--- a/lib/libssl/src/crypto/rand/rand_lib.c
+++ b/lib/libssl/src/crypto/rand/rand_lib.c
@@ -63,6 +63,8 @@
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
#ifndef OPENSSL_NO_ENGINE
/* non-NULL if default_RAND_meth is ENGINE-provided */
@@ -85,6 +87,16 @@ int RAND_set_rand_method(const RAND_METHOD *meth)
const RAND_METHOD *RAND_get_rand_method(void)
{
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode()
+ && default_RAND_meth != FIPS_rand_check())
+ {
+ RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
+ return 0;
+ }
+#endif
+
+
if (!default_RAND_meth)
{
#ifndef OPENSSL_NO_ENGINE
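Review bot: The FIPS check in RAND_get_rand_method runs before the lazy initialisation that starts at `if (!default_RAND_meth)`. In FIPS mode with no method installed yet, it therefore compares NULL against `FIPS_rand_check()` and fails, rather than letting the default be chosen first. If that is the intended contract, where the caller must install the FIPS method beforehand, a comment should say so. The failure path also returns `0` from a function returning `const RAND_METHOD *`; `return NULL;` reads more clearly. Every caller that dereferences the result now needs a NULL check. The function body continues past this hunk.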
diff --git a/lib/libssl/src/crypto/rand/rand_unix.c b/lib/libssl/src/crypto/rand/rand_unix.c
index 0599719dd1d..9376554fae7 100644
--- a/lib/libssl/src/crypto/rand/rand_unix.c
+++ b/lib/libssl/src/crypto/rand/rand_unix.c
@@ -120,6 +120,7 @@
#include <sys/types.h>
#include <sys/time.h>
#include <sys/times.h>
+#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <time.h>
@@ -151,9 +152,9 @@ int RAND_poll(void)
int n = 0;
#endif
#ifdef DEVRANDOM
- static const char *randomfiles[] = { DEVRANDOM, NULL };
- const char **randomfile = NULL;
- int fd;
+ static const char *randomfiles[] = { DEVRANDOM };
+ struct stat randomstats[sizeof(randomfiles)/sizeof(randomfiles[0])];
+ int fd,i;
#endif
#ifdef DEVRANDOM_EGD
static const char *egdsockets[] = { DEVRANDOM_EGD, NULL };
@@ -161,26 +162,42 @@ int RAND_poll(void)
#endif
#ifdef DEVRANDOM
+ memset(randomstats,0,sizeof(randomstats));
/* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
* have this. Use /dev/urandom if you can as /dev/random may block
* if it runs out of random entries. */
- for (randomfile = randomfiles; *randomfile && n < ENTROPY_NEEDED; randomfile++)
+ for (i=0; i<sizeof(randomfiles)/sizeof(randomfiles[0]) && n < ENTROPY_NEEDED; i++)
{
- if ((fd = open(*randomfile, O_RDONLY|O_NONBLOCK
+ if ((fd = open(randomfiles[i], O_RDONLY
+#ifdef O_NONBLOCK
+ |O_NONBLOCK
+#endif
+#ifdef O_BINARY
+ |O_BINARY
+#endif
#ifdef O_NOCTTY /* If it happens to be a TTY (god forbid), do not make it
our controlling tty */
|O_NOCTTY
#endif
-#ifdef O_NOFOLLOW /* Fail if the file is a symbolic link */
- |O_NOFOLLOW
-#endif
)) >= 0)
{
struct timeval t = { 0, 10*1000 }; /* Spend 10ms on
each file. */
- int r;
+ int r,j;
fd_set fset;
+ struct stat *st=&randomstats[i];
+
+ /* Avoid using same input... Used to be O_NOFOLLOW
+ * above, but it's not universally appropriate... */
+ if (fstat(fd,st) != 0) { close(fd); continue; }
+ for (j=0;j<i;j++)
+ {
+ if (randomstats[j].st_ino==st->st_ino &&
+ randomstats[j].st_dev==st->st_dev)
+ break;
+ }
+ if (j<i) { close(fd); continue; }
do
{
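Review bot: The `fstat()` result is used only to skip inodes already read, so with `O_NOFOLLOW` removed nothing confirms that the opened path is a device node rather than a regular file reached through a link. If every `DEVRANDOM` entry is expected to be a character device, extend the existing test to `if (fstat(fd,st) != 0 || !S_ISCHR(st->st_mode)) { close(fd); continue; }`. The loop condition also compares the signed `i` with a `sizeof` expression; an unsigned index or a cast would avoid the signed/unsigned comparison warning. RAND_poll continues beyond this hunk.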
diff --git a/lib/libssl/src/crypto/rand/rand_win.c b/lib/libssl/src/crypto/rand/rand_win.c
index 3584842224c..30c69161ef8 100644
--- a/lib/libssl/src/crypto/rand/rand_win.c
+++ b/lib/libssl/src/crypto/rand/rand_win.c
@@ -125,7 +125,7 @@
* http://developer.intel.com/design/security/rng/redist_license.htm
*/
#define PROV_INTEL_SEC 22
-#define INTEL_DEF_PROV TEXT("Intel Hardware Cryptographic Service Provider")
+#define INTEL_DEF_PROV L"Intel Hardware Cryptographic Service Provider"
static void readtimer(void);
static void readscreen(void);
@@ -152,7 +152,7 @@ typedef struct tagCURSORINFO
#define CURSOR_SHOWING 0x00000001
#endif /* CURSOR_SHOWING */
-typedef BOOL (WINAPI *CRYPTACQUIRECONTEXT)(HCRYPTPROV *, LPCTSTR, LPCTSTR,
+typedef BOOL (WINAPI *CRYPTACQUIRECONTEXTW)(HCRYPTPROV *, LPCWSTR, LPCWSTR,
DWORD, DWORD);
typedef BOOL (WINAPI *CRYPTGENRANDOM)(HCRYPTPROV, DWORD, BYTE *);
typedef BOOL (WINAPI *CRYPTRELEASECONTEXT)(HCRYPTPROV, DWORD);
@@ -194,7 +194,7 @@ int RAND_poll(void)
HWND h;
HMODULE advapi, kernel, user, netapi;
- CRYPTACQUIRECONTEXT acquire = 0;
+ CRYPTACQUIRECONTEXTW acquire = 0;
CRYPTGENRANDOM gen = 0;
CRYPTRELEASECONTEXT release = 0;
#if 1 /* There was previously a problem with NETSTATGET. Currently, this
@@ -213,6 +213,9 @@ int RAND_poll(void)
GetVersionEx( &osverinfo ) ;
#if defined(OPENSSL_SYS_WINCE) && WCEPLATFORM!=MS_HPC_PRO
+#ifndef CryptAcquireContext
+#define CryptAcquireContext CryptAcquireContextW
+#endif
/* poll the CryptoAPI PRNG */
/* The CryptoAPI returns sizeof(buf) bytes of randomness */
if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
@@ -223,21 +226,35 @@ int RAND_poll(void)
}
#endif
+#ifndef OPENSSL_SYS_WINCE
+ /*
+ * None of below libraries are present on Windows CE, which is
+ * why we #ifndef the whole section. This also excuses us from
+ * handling the GetProcAddress issue. The trouble is that in
+ * real Win32 API GetProcAddress is available in ANSI flavor
+ * only. In WinCE on the other hand GetProcAddress is a macro
+ * most commonly defined as GetProcAddressW, which accepts
+ * Unicode argument. If we were to call GetProcAddress under
+ * WinCE, I'd recommend to either redefine GetProcAddress as
+ * GetProcAddressA (there seem to be one in common CE spec) or
+ * implement own shim routine, which would accept ANSI argument
+ * and expand it to Unicode.
+ */
+
/* load functions dynamically - not available on all systems */
advapi = LoadLibrary(TEXT("ADVAPI32.DLL"));
kernel = LoadLibrary(TEXT("KERNEL32.DLL"));
user = LoadLibrary(TEXT("USER32.DLL"));
netapi = LoadLibrary(TEXT("NETAPI32.DLL"));
-#ifndef OPENSSL_SYS_WINCE
#if 1 /* There was previously a problem with NETSTATGET. Currently, this
* section is still experimental, but if all goes well, this conditional
* will be removed
*/
if (netapi)
{
- netstatget = (NETSTATGET) GetProcAddress(netapi,TEXT("NetStatisticsGet"));
- netfree = (NETFREE) GetProcAddress(netapi,TEXT("NetApiBufferFree"));
+ netstatget = (NETSTATGET) GetProcAddress(netapi,"NetStatisticsGet");
+ netfree = (NETFREE) GetProcAddress(netapi,"NetApiBufferFree");
}
if (netstatget && netfree)
@@ -264,9 +281,7 @@ int RAND_poll(void)
if (netapi)
FreeLibrary(netapi);
#endif /* 1 */
-#endif /* !OPENSSL_SYS_WINCE */
-
-#ifndef OPENSSL_SYS_WINCE
+
/* It appears like this can cause an exception deep within ADVAPI32.DLL
* at random times on Windows 2000. Reported by Jeffrey Altman.
* Only use it on NT.
@@ -321,16 +336,20 @@ int RAND_poll(void)
free(buf);
}
#endif
-#endif /* !OPENSSL_SYS_WINCE */
if (advapi)
{
- acquire = (CRYPTACQUIRECONTEXT) GetProcAddress(advapi,
- TEXT("CryptAcquireContextA"));
+ /*
+ * If it's available, then it's available in both ANSI
+ * and UNICODE flavors even in Win9x, documentation says.
+ * We favor Unicode...
+ */
+ acquire = (CRYPTACQUIRECONTEXTW) GetProcAddress(advapi,
+ "CryptAcquireContextW");
gen = (CRYPTGENRANDOM) GetProcAddress(advapi,
- TEXT("CryptGenRandom"));
+ "CryptGenRandom");
release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi,
- TEXT("CryptReleaseContext"));
+ "CryptReleaseContext");
}
if (acquire && gen && release)
@@ -367,26 +386,15 @@ int RAND_poll(void)
if (advapi)
FreeLibrary(advapi);
- /* timer data */
- readtimer();
-
- /* memory usage statistics */
- GlobalMemoryStatus(&m);
- RAND_add(&m, sizeof(m), 1);
-
- /* process ID */
- w = GetCurrentProcessId();
- RAND_add(&w, sizeof(w), 1);
-
if (user)
{
GETCURSORINFO cursor;
GETFOREGROUNDWINDOW win;
GETQUEUESTATUS queue;
- win = (GETFOREGROUNDWINDOW) GetProcAddress(user, TEXT("GetForegroundWindow"));
- cursor = (GETCURSORINFO) GetProcAddress(user, TEXT("GetCursorInfo"));
- queue = (GETQUEUESTATUS) GetProcAddress(user, TEXT("GetQueueStatus"));
+ win = (GETFOREGROUNDWINDOW) GetProcAddress(user, "GetForegroundWindow");
+ cursor = (GETCURSORINFO) GetProcAddress(user, "GetCursorInfo");
+ queue = (GETQUEUESTATUS) GetProcAddress(user, "GetQueueStatus");
if (win)
{
@@ -458,19 +466,19 @@ int RAND_poll(void)
MODULEENTRY32 m;
snap = (CREATETOOLHELP32SNAPSHOT)
- GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot"));
+ GetProcAddress(kernel, "CreateToolhelp32Snapshot");
close_snap = (CLOSETOOLHELP32SNAPSHOT)
- GetProcAddress(kernel, TEXT("CloseToolhelp32Snapshot"));
- heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First"));
- heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next"));
- heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst"));
- heaplist_next = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListNext"));
- process_first = (PROCESS32) GetProcAddress(kernel, TEXT("Process32First"));
- process_next = (PROCESS32) GetProcAddress(kernel, TEXT("Process32Next"));
- thread_first = (THREAD32) GetProcAddress(kernel, TEXT("Thread32First"));
- thread_next = (THREAD32) GetProcAddress(kernel, TEXT("Thread32Next"));
- module_first = (MODULE32) GetProcAddress(kernel, TEXT("Module32First"));
- module_next = (MODULE32) GetProcAddress(kernel, TEXT("Module32Next"));
+ GetProcAddress(kernel, "CloseToolhelp32Snapshot");
+ heap_first = (HEAP32FIRST) GetProcAddress(kernel, "Heap32First");
+ heap_next = (HEAP32NEXT) GetProcAddress(kernel, "Heap32Next");
+ heaplist_first = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListFirst");
+ heaplist_next = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListNext");
+ process_first = (PROCESS32) GetProcAddress(kernel, "Process32First");
+ process_next = (PROCESS32) GetProcAddress(kernel, "Process32Next");
+ thread_first = (THREAD32) GetProcAddress(kernel, "Thread32First");
+ thread_next = (THREAD32) GetProcAddress(kernel, "Thread32Next");
+ module_first = (MODULE32) GetProcAddress(kernel, "Module32First");
+ module_next = (MODULE32) GetProcAddress(kernel, "Module32Next");
if (snap && heap_first && heap_next && heaplist_first &&
heaplist_next && process_first && process_next &&
@@ -546,6 +554,18 @@ int RAND_poll(void)
FreeLibrary(kernel);
}
+#endif /* !OPENSSL_SYS_WINCE */
+
+ /* timer data */
+ readtimer();
+
+ /* memory usage statistics */
+ GlobalMemoryStatus(&m);
+ RAND_add(&m, sizeof(m), 1);
+
+ /* process ID */
+ w = GetCurrentProcessId();
+ RAND_add(&w, sizeof(w), 1);
#if 0
printf("Exiting RAND_poll\n");
@@ -607,7 +627,7 @@ static void readtimer(void)
DWORD w;
LARGE_INTEGER l;
static int have_perfc = 1;
-#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
+#if defined(_MSC_VER) && defined(_M_X86)
static int have_tsc = 1;
DWORD cyclecount;
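Review bot: The new guard `defined(_MSC_VER) && defined(_M_X86)` in readtimer tests a macro that MSVC does not predefine; the x86 target macro is `_M_IX86`. As written, the `have_tsc` / `cyclecount` block is compiled out on every MSVC build and the function always falls through to the later timer sources. If the intent is to limit the inline TSC read to 32-bit x86, the line should be `#if defined(_MSC_VER) && defined(_M_IX86)`.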
@@ -660,7 +680,7 @@ static void readtimer(void)
static void readscreen(void)
{
-#ifndef OPENSSL_SYS_WINCE
+#if !defined(OPENSSL_SYS_WINCE) && !defined(OPENSSL_SYS_WIN32_CYGWIN)
HDC hScrDC; /* screen DC */
HDC hMemDC; /* memory DC */
HBITMAP hBitmap; /* handle for our bitmap */
diff --git a/lib/libssl/src/crypto/rand/randfile.c b/lib/libssl/src/crypto/rand/randfile.c
index d88ee0d780b..9bd89ba495d 100644
--- a/lib/libssl/src/crypto/rand/randfile.c
+++ b/lib/libssl/src/crypto/rand/randfile.c
@@ -166,6 +166,7 @@ int RAND_write_file(const char *file)
}
#if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32)
+ {
/* For some reason Win32 can't write to files created this way */
/* chmod(..., 0600) is too late to protect the file,
@@ -173,6 +174,7 @@ int RAND_write_file(const char *file)
int fd = open(file, O_CREAT, 0600);
if (fd != -1)
out = fdopen(fd, "wb");
+ }
#endif
if (out == NULL)
out = fopen(file,"wb");
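Review bot: The block now wrapped in braces in RAND_write_file opens the seed file with `open(file, O_CREAT, 0600)`, i.e. with no write access mode, and then hands the descriptor to `fdopen(fd, "wb")`. On systems where `fdopen` rejects that mismatch, `out` stays NULL and `fd` is never closed. The code then falls back to `fopen(file,"wb")`. Using `open(file, O_WRONLY|O_CREAT, 0600)` and closing `fd` when `fdopen` fails would make the restrictive-permission path the one actually used.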
diff --git a/lib/libssl/src/crypto/rc2/rc2.h b/lib/libssl/src/crypto/rc2/rc2.h
index 7816b454dcd..71788158d84 100644
--- a/lib/libssl/src/crypto/rc2/rc2.h
+++ b/lib/libssl/src/crypto/rc2/rc2.h
@@ -79,7 +79,10 @@ typedef struct rc2_key_st
RC2_INT data[64];
} RC2_KEY;
-
+#ifdef OPENSSL_FIPS
+void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
+ int bits);
+#endif
void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
int enc);
diff --git a/lib/libssl/src/crypto/rc2/rc2_skey.c b/lib/libssl/src/crypto/rc2/rc2_skey.c
index cab3080c73d..22f372f85cc 100644
--- a/lib/libssl/src/crypto/rc2/rc2_skey.c
+++ b/lib/libssl/src/crypto/rc2/rc2_skey.c
@@ -57,6 +57,7 @@
*/
#include <openssl/rc2.h>
+#include <openssl/crypto.h>
#include "rc2_locl.h"
static unsigned char key_table[256]={
@@ -90,7 +91,19 @@ static unsigned char key_table[256]={
* BSAFE uses the 'retarded' version. What I previously shipped is
* the same as specifying 1024 for the 'bits' parameter. Bsafe uses
* a version where the bits parameter is the same as len*8 */
+
+#ifdef OPENSSL_FIPS
+void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
+ {
+ if (FIPS_mode())
+ FIPS_BAD_ABORT(RC2)
+ private_RC2_set_key(key, len, data, bits);
+ }
+void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
+ int bits)
+#else
void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
+#endif
{
int i,j;
unsigned char *k;
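Review bot: In the FIPS wrapper, `if (FIPS_mode())` is followed by `FIPS_BAD_ABORT(RC2)` with no braces and no semicolon, so the meaning of the next line depends entirely on how that macro expands. The macro is not defined on this page. If it ever expands to nothing or to more than one statement, `private_RC2_set_key(key, len, data, bits);` becomes the body of the `if`, or only part of the abort is conditional. Writing it as `if (FIPS_mode()) { FIPS_BAD_ABORT(RC2) }` removes that dependency. A one-line comment above the `#ifdef` stating that both branches share the function body that follows would also help readers.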
diff --git a/lib/libssl/src/crypto/rc4/asm/rc4-586.pl b/lib/libssl/src/crypto/rc4/asm/rc4-586.pl
index 7ef889e5a13..d6e98f08117 100644
--- a/lib/libssl/src/crypto/rc4/asm/rc4-586.pl
+++ b/lib/libssl/src/crypto/rc4/asm/rc4-586.pl
@@ -1,16 +1,37 @@
#!/usr/local/bin/perl
-# define for pentium pro friendly version
+# At some point it became apparent that the original SSLeay RC4
+# assembler implementation performs suboptimaly on latest IA-32
+# microarchitectures. After re-tuning performance has changed as
+# following:
+#
+# Pentium +0%
+# Pentium III +17%
+# AMD +52%(*)
+# P4 +180%(**)
+#
+# (*) This number is actually a trade-off:-) It's possible to
+# achieve +72%, but at the cost of -48% off PIII performance.
+# In other words code performing further 13% faster on AMD
+# would perform almost 2 times slower on Intel PIII...
+# For reference! This code delivers ~80% of rc4-amd64.pl
+# performance on the same Opteron machine.
+# (**) This number requires compressed key schedule set up by
+# RC4_set_key and therefore doesn't apply to 0.9.7 [option for
+# compressed key schedule is implemented in 0.9.8 and later,
+# see commentary section in rc4_skey.c for further details].
+#
+# <appro@fy.chalmers.se>
push(@INC,"perlasm","../../perlasm");
require "x86asm.pl";
&asm_init($ARGV[0],"rc4-586.pl");
-$tx="eax";
-$ty="ebx";
-$x="ecx";
-$y="edx";
+$x="eax";
+$y="ebx";
+$tx="ecx";
+$ty="edx";
$in="esi";
$out="edi";
$d="ebp";
@@ -31,7 +52,7 @@ sub RC4_loop
{
&mov($ty, &swtmp(2));
&cmp($ty, $in);
- &jle(&label("finished"));
+ &jbe(&label("finished"));
&inc($in);
}
else
@@ -39,27 +60,23 @@ sub RC4_loop
&add($ty, 8);
&inc($in);
&cmp($ty, $in);
- &jl(&label("finished"));
+ &jb(&label("finished"));
&mov(&swtmp(2), $ty);
}
}
# Moved out
# &mov( $tx, &DWP(0,$d,$x,4)) if $p < 0;
- &add( $y, $tx);
- &and( $y, 0xff);
- &inc( $x); # NEXT ROUND
+ &add( &LB($y), &LB($tx));
&mov( $ty, &DWP(0,$d,$y,4));
# XXX
- &mov( &DWP(-4,$d,$x,4),$ty); # AGI
+ &mov( &DWP(0,$d,$x,4),$ty);
&add( $ty, $tx);
- &and( $x, 0xff); # NEXT ROUND
- &and( $ty, 0xff);
&mov( &DWP(0,$d,$y,4),$tx);
- &nop();
- &mov( $ty, &DWP(0,$d,$ty,4));
- &mov( $tx, &DWP(0,$d,$x,4)) if $p < 1; # NEXT ROUND
- # XXX
+ &and( $ty, 0xff);
+ &inc( &LB($x)); # NEXT ROUND
+ &mov( $tx, &DWP(0,$d,$x,4)) if $p < 1; # NEXT ROUND
+ &mov( $ty, &DWP(0,$d,$ty,4));
if (!$char)
{
@@ -88,35 +105,47 @@ sub RC4
&function_begin_B($name,"");
+ &mov($ty,&wparam(1)); # len
+ &cmp($ty,0);
+ &jne(&label("proceed"));
+ &ret();
+ &set_label("proceed");
+
&comment("");
&push("ebp");
&push("ebx");
- &mov( $d, &wparam(0)); # key
- &mov( $ty, &wparam(1)); # num
&push("esi");
- &push("edi");
+ &xor( $x, $x); # avoid partial register stalls
+ &push("edi");
+ &xor( $y, $y); # avoid partial register stalls
+ &mov( $d, &wparam(0)); # key
+ &mov( $in, &wparam(2));
- &mov( $x, &DWP(0,$d,"",1));
- &mov( $y, &DWP(4,$d,"",1));
+ &movb( &LB($x), &BP(0,$d,"",1));
+ &movb( &LB($y), &BP(4,$d,"",1));
- &mov( $in, &wparam(2));
- &inc( $x);
+ &mov( $out, &wparam(3));
+ &inc( &LB($x));
&stack_push(3); # 3 temp variables
&add( $d, 8);
- &and( $x, 0xff);
+
+ # detect compressed schedule, see commentary section in rc4_skey.c...
+ # in 0.9.7 context ~50 bytes below RC4_CHAR label remain redundant,
+ # as compressed key schedule is set up in 0.9.8 and later.
+ &cmp(&DWP(256,$d),-1);
+ &je(&label("RC4_CHAR"));
&lea( $ty, &DWP(-8,$ty,$in));
# check for 0 length input
- &mov( $out, &wparam(3));
&mov( &swtmp(2), $ty); # this is now address to exit at
&mov( $tx, &DWP(0,$d,$x,4));
&cmp( $ty, $in);
- &jl( &label("end")); # less than 8 bytes
+ &jb( &label("end")); # less than 8 bytes
&set_label("start");
@@ -148,7 +177,7 @@ sub RC4
&mov( &DWP(-4,$out,"",0), $tx);
&mov( $tx, &DWP(0,$d,$x,4));
&cmp($in, $ty);
- &jle(&label("start"));
+ &jbe(&label("start"));
&set_label("end");
@@ -162,10 +191,37 @@ sub RC4
&RC4_loop(5,0,1);
&RC4_loop(6,1,1);
+ &jmp(&label("finished"));
+
+ &align(16);
+ # this is essentially Intel P4 specific codepath, see rc4_skey.c,
+ # and is engaged in 0.9.8 and later context...
+ &set_label("RC4_CHAR");
+
+ &lea ($ty,&DWP(0,$in,$ty));
+ &mov (&swtmp(2),$ty);
+
+ # strangely enough unrolled loop performs over 20% slower...
+ &set_label("RC4_CHAR_loop");
+ &movz ($tx,&BP(0,$d,$x));
+ &add (&LB($y),&LB($tx));
+ &movz ($ty,&BP(0,$d,$y));
+ &movb (&BP(0,$d,$y),&LB($tx));
+ &movb (&BP(0,$d,$x),&LB($ty));
+ &add (&LB($ty),&LB($tx));
+ &movz ($ty,&BP(0,$d,$ty));
+ &xorb (&LB($ty),&BP(0,$in));
+ &movb (&BP(0,$out),&LB($ty));
+ &inc (&LB($x));
+ &inc ($in);
+ &inc ($out);
+ &cmp ($in,&swtmp(2));
+ &jb (&label("RC4_CHAR_loop"));
+
&set_label("finished");
&dec( $x);
&stack_pop(3);
- &mov( &DWP(-4,$d,"",0),$y);
+ &movb( &BP(-4,$d,"",0),&LB($y));
&movb( &BP(-8,$d,"",0),&LB($x));
&function_end($name);
diff --git a/lib/libssl/src/crypto/rc4/rc4.h b/lib/libssl/src/crypto/rc4/rc4.h
index 8722091f2ec..dd90d9fde09 100644
--- a/lib/libssl/src/crypto/rc4/rc4.h
+++ b/lib/libssl/src/crypto/rc4/rc4.h
@@ -73,10 +73,17 @@ typedef struct rc4_key_st
{
RC4_INT x,y;
RC4_INT data[256];
+#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
+ /* see crypto/rc4/asm/rc4-ia64.S for further details... */
+ RC4_INT pad[512-256-2];
+#endif
} RC4_KEY;
const char *RC4_options(void);
+#ifdef OPENSSL_FIPS
+void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
+#endif
void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
unsigned char *outdata);
diff --git a/lib/libssl/src/crypto/rc4/rc4_enc.c b/lib/libssl/src/crypto/rc4/rc4_enc.c
index d5f18a3a707..81a97ea3b7c 100644
--- a/lib/libssl/src/crypto/rc4/rc4_enc.c
+++ b/lib/libssl/src/crypto/rc4/rc4_enc.c
@@ -77,6 +77,10 @@ void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
x=key->x;
y=key->y;
d=key->data;
+#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
+ /* see crypto/rc4/asm/rc4-ia64.S for further details... */
+ d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));
+#endif
#if defined(RC4_CHUNK)
/*
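Review bot: The alignment expression `d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));` is written out here and again in the rc4_skey.c hunk of this commit, and the two copies must stay identical for key setup and the cipher to agree on where the table lives. A single macro in a shared header (rc4_locl.h is already included by rc4_skey.c) used at both sites would remove that risk. The expression also relies on `sizeof(key->data)` being a power of two and on the padding declared in rc4.h, which a short comment beside it could state instead of only pointing at rc4-ia64.S. RC4's body starts and ends outside the hunk.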
diff --git a/lib/libssl/src/crypto/rc4/rc4_skey.c b/lib/libssl/src/crypto/rc4/rc4_skey.c
index bb10c1ebe28..07234f061af 100644
--- a/lib/libssl/src/crypto/rc4/rc4_skey.c
+++ b/lib/libssl/src/crypto/rc4/rc4_skey.c
@@ -57,6 +57,7 @@
*/
#include <openssl/rc4.h>
+#include <openssl/crypto.h>
#include "rc4_locl.h"
#include <openssl/opensslv.h>
@@ -85,7 +86,7 @@ const char *RC4_options(void)
* Date: Wed, 14 Sep 1994 06:35:31 GMT
*/
-void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(RC4)
{
register RC4_INT tmp;
register int id1,id2;
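Review bot: Replacing the definition line with `FIPS_NON_FIPS_VCIPHER_Init(RC4)` hides the function's name, return type and parameters from anyone reading or searching this file, while the body still refers to `key`, which now comes from the macro. The macro's definition is not in this hunk, so a comment above the invocation such as `/* expands to the definition of RC4_set_key(key, len, data); see the macro for the OPENSSL_FIPS variant */` would keep the file readable on its own, after checking it against the macro. The same applies to `FIPS_NON_FIPS_MD_Init(RIPEMD160)` in rmd_dgst.c and `FIPS_NON_FIPS_MD_Init(SHA)` in sha_locl.h. The function body continues outside the hunk.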
@@ -93,6 +94,11 @@ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
unsigned int i;
d= &(key->data[0]);
+#if defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
+ /* see crypto/rc4/asm/rc4-ia64.S for further details... */
+ d=(RC4_INT *)(((size_t)(d+255))&~(sizeof(key->data)-1));
+#endif
+
for (i=0; i<256; i++)
d[i]=i;
key->x = 0;
diff --git a/lib/libssl/src/crypto/rc5/rc5.h b/lib/libssl/src/crypto/rc5/rc5.h
index 4adfd2db5ab..aa3f26920bf 100644
--- a/lib/libssl/src/crypto/rc5/rc5.h
+++ b/lib/libssl/src/crypto/rc5/rc5.h
@@ -92,7 +92,10 @@ typedef struct rc5_key_st
RC5_32_INT data[2*(RC5_16_ROUNDS+1)];
} RC5_32_KEY;
-
+#ifdef OPENSSL_FIPS
+void private_RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
+ int rounds);
+#endif
void RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
int rounds);
void RC5_32_ecb_encrypt(const unsigned char *in,unsigned char *out,RC5_32_KEY *key,
diff --git a/lib/libssl/src/crypto/ripemd/ripemd.h b/lib/libssl/src/crypto/ripemd/ripemd.h
index 78d5f365605..7d0d9981894 100644
--- a/lib/libssl/src/crypto/ripemd/ripemd.h
+++ b/lib/libssl/src/crypto/ripemd/ripemd.h
@@ -90,6 +90,9 @@ typedef struct RIPEMD160state_st
int num;
} RIPEMD160_CTX;
+#ifdef OPENSSL_FIPS
+int private_RIPEMD160_Init(RIPEMD160_CTX *c);
+#endif
int RIPEMD160_Init(RIPEMD160_CTX *c);
int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
diff --git a/lib/libssl/src/crypto/ripemd/rmd_dgst.c b/lib/libssl/src/crypto/ripemd/rmd_dgst.c
index 28896512e7c..58ff010d110 100644
--- a/lib/libssl/src/crypto/ripemd/rmd_dgst.c
+++ b/lib/libssl/src/crypto/ripemd/rmd_dgst.c
@@ -58,6 +58,7 @@
#include <stdio.h>
#include "rmd_locl.h"
+#include <openssl/fips.h>
#include <openssl/opensslv.h>
const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
@@ -69,7 +70,7 @@ const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,int num);
# endif
-int RIPEMD160_Init(RIPEMD160_CTX *c)
+FIPS_NON_FIPS_MD_Init(RIPEMD160)
{
c->A=RIPEMD160_A;
c->B=RIPEMD160_B;
diff --git a/lib/libssl/src/crypto/rsa/rsa.h b/lib/libssl/src/crypto/rsa/rsa.h
index 62fa745f79e..fc3bb5f86de 100644
--- a/lib/libssl/src/crypto/rsa/rsa.h
+++ b/lib/libssl/src/crypto/rsa/rsa.h
@@ -72,6 +72,10 @@
#error RSA is disabled.
#endif
+#if defined(OPENSSL_FIPS)
+#define FIPS_RSA_SIZE_T int
+#endif
+
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/lib/libssl/src/crypto/rsa/rsa_eay.c b/lib/libssl/src/crypto/rsa/rsa_eay.c
index e0d286266e0..d4caab3f953 100644
--- a/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -62,7 +62,7 @@
#include <openssl/rsa.h>
#include <openssl/rand.h>
-#ifndef RSA_NULL
+#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS)
static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa,int padding);
diff --git a/lib/libssl/src/crypto/rsa/rsa_gen.c b/lib/libssl/src/crypto/rsa/rsa_gen.c
index 00c25adbc58..adb5e34da56 100644
--- a/lib/libssl/src/crypto/rsa/rsa_gen.c
+++ b/lib/libssl/src/crypto/rsa/rsa_gen.c
@@ -62,6 +62,8 @@
#include <openssl/bn.h>
#include <openssl/rsa.h>
+#ifndef OPENSSL_FIPS
+
RSA *RSA_generate_key(int bits, unsigned long e_value,
void (*callback)(int,int,void *), void *cb_arg)
{
@@ -195,3 +197,4 @@ err:
return(rsa);
}
+#endif
diff --git a/lib/libssl/src/crypto/rsa/rsa_saos.c b/lib/libssl/src/crypto/rsa/rsa_saos.c
index f462716a57f..24fc94835e2 100644
--- a/lib/libssl/src/crypto/rsa/rsa_saos.c
+++ b/lib/libssl/src/crypto/rsa/rsa_saos.c
@@ -139,8 +139,11 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
ret=1;
err:
if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
- OPENSSL_cleanse(s,(unsigned int)siglen);
- OPENSSL_free(s);
+ if (s != NULL)
+ {
+ OPENSSL_cleanse(s,(unsigned int)siglen);
+ OPENSSL_free(s);
+ }
return(ret);
}
diff --git a/lib/libssl/src/crypto/rsa/rsa_sign.c b/lib/libssl/src/crypto/rsa/rsa_sign.c
index 8a1e642183c..cee09eccb1f 100644
--- a/lib/libssl/src/crypto/rsa/rsa_sign.c
+++ b/lib/libssl/src/crypto/rsa/rsa_sign.c
@@ -169,7 +169,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
}
if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
- return(0);
+ goto err;
}
i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
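Review bot: With `goto err` the invalid-length path now returns `ret` instead of a literal 0, so the rejection depends on `ret` still being 0 at this point. Its initialisation is outside the hunk and should be confirmed, since a non-zero value here would report the signature as verified. If `s` is allocated just above, as the change suggests, moving the `m_len != SSL_SIG_LENGTH` test ahead of that allocation would let the early `return(0);` stay and remove the dependency on the cleanup path. RSA_verify begins and ends outside the hunk.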
@@ -222,8 +222,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
}
err:
if (sig != NULL) X509_SIG_free(sig);
- OPENSSL_cleanse(s,(unsigned int)siglen);
- OPENSSL_free(s);
+ if (s != NULL)
+ {
+ OPENSSL_cleanse(s,(unsigned int)siglen);
+ OPENSSL_free(s);
+ }
return(ret);
}
diff --git a/lib/libssl/src/crypto/sha/asm/sha1-586.pl b/lib/libssl/src/crypto/sha/asm/sha1-586.pl
index e00f7095538..041acc03486 100644
--- a/lib/libssl/src/crypto/sha/asm/sha1-586.pl
+++ b/lib/libssl/src/crypto/sha/asm/sha1-586.pl
@@ -405,7 +405,7 @@ sub sha1_block_data
&mov(&DWP(16,$tmp1,"",0),$E);
&cmp("esi","eax");
&mov(&DWP( 4,$tmp1,"",0),$B);
- &jl(&label("start"));
+ &jb(&label("start"));
&stack_pop(18+9);
&pop("edi");
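Review bot: The branch after `&cmp("esi","eax")` has no comment saying why it must be unsigned. If these registers hold the input pointer and its end address, as the loop shape suggests, a signed jump mis-orders them once a buffer lies at or across the 2 GB mark. A line such as `# addresses: compare unsigned` above `&jb(&label("start"))` would stop a later edit from reverting to a signed condition, and the same comment fits the `jbe` in rc4-586.pl. sha1_block_data starts and ends outside the hunk.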
diff --git a/lib/libssl/src/crypto/sha/sha.h b/lib/libssl/src/crypto/sha/sha.h
index 3fd54a10cc7..79c07b0fd1f 100644
--- a/lib/libssl/src/crypto/sha/sha.h
+++ b/lib/libssl/src/crypto/sha/sha.h
@@ -69,6 +69,10 @@ extern "C" {
#error SHA is disabled.
#endif
+#if defined(OPENSSL_FIPS)
+#define FIPS_SHA_SIZE_T unsigned long
+#endif
+
/*
* !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
* ! SHA_LONG has to be at least 32 bits wide. If it's wider, then !
@@ -101,6 +105,9 @@ typedef struct SHAstate_st
} SHA_CTX;
#ifndef OPENSSL_NO_SHA0
+#ifdef OPENSSL_FIPS
+int private_SHA_Init(SHA_CTX *c);
+#endif
int SHA_Init(SHA_CTX *c);
int SHA_Update(SHA_CTX *c, const void *data, unsigned long len);
int SHA_Final(unsigned char *md, SHA_CTX *c);
diff --git a/lib/libssl/src/crypto/sha/sha1dgst.c b/lib/libssl/src/crypto/sha/sha1dgst.c
index 182f65982ab..1e2009b7608 100644
--- a/lib/libssl/src/crypto/sha/sha1dgst.c
+++ b/lib/libssl/src/crypto/sha/sha1dgst.c
@@ -62,12 +62,20 @@
#define SHA_1
#include <openssl/opensslv.h>
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_FIPS
const char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT;
/* The implementation is in ../md32_common.h */
#include "sha_locl.h"
+#else /* ndef OPENSSL_FIPS */
+
+static void *dummy=&dummy;
+
+#endif /* ndef OPENSSL_FIPS */
+
#endif
diff --git a/lib/libssl/src/crypto/sha/sha_locl.h b/lib/libssl/src/crypto/sha/sha_locl.h
index 2dd63a62a64..a3623f72da1 100644
--- a/lib/libssl/src/crypto/sha/sha_locl.h
+++ b/lib/libssl/src/crypto/sha/sha_locl.h
@@ -121,6 +121,11 @@
# define sha1_block_data_order sha1_block_asm_data_order
# define DONT_IMPLEMENT_BLOCK_DATA_ORDER
# define HASH_BLOCK_DATA_ORDER_ALIGNED sha1_block_asm_data_order
+# elif defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
+# define sha1_block_host_order sha1_block_asm_host_order
+# define DONT_IMPLEMENT_BLOCK_HOST_ORDER
+# define sha1_block_data_order sha1_block_asm_data_order
+# define DONT_IMPLEMENT_BLOCK_DATA_ORDER
# endif
# endif
void sha1_block_host_order (SHA_CTX *c, const void *p,int num);
@@ -138,7 +143,11 @@
#define INIT_DATA_h3 0x10325476UL
#define INIT_DATA_h4 0xc3d2e1f0UL
+#if defined(SHA_0) && defined(OPENSSL_FIPS)
+FIPS_NON_FIPS_MD_Init(SHA)
+#else
int HASH_INIT (SHA_CTX *c)
+#endif
{
c->h0=INIT_DATA_h0;
c->h1=INIT_DATA_h1;
diff --git a/lib/libssl/src/crypto/sha/shatest.c b/lib/libssl/src/crypto/sha/shatest.c
index 5d2b1d3b1ae..ff702aa53e4 100644
--- a/lib/libssl/src/crypto/sha/shatest.c
+++ b/lib/libssl/src/crypto/sha/shatest.c
@@ -62,10 +62,10 @@
#include "../e_os.h"
-#ifdef OPENSSL_NO_SHA
+#if defined(OPENSSL_NO_SHA) || defined(OPENSSL_NO_SHA0)
int main(int argc, char *argv[])
{
- printf("No SHA support\n");
+ printf("No SHA0 support\n");
return(0);
}
#else
diff --git a/lib/libssl/src/crypto/stack/safestack.h b/lib/libssl/src/crypto/stack/safestack.h
index ed9ed2c23a0..bd1121c279e 100644
--- a/lib/libssl/src/crypto/stack/safestack.h
+++ b/lib/libssl/src/crypto/stack/safestack.h
@@ -113,6 +113,8 @@ STACK_OF(type) \
((type * (*)(STACK_OF(type) *))sk_pop)(st)
#define SKM_sk_sort(type, st) \
((void (*)(STACK_OF(type) *))sk_sort)(st)
+#define SKM_sk_is_sorted(type, st) \
+ ((int (*)(const STACK_OF(type) *))sk_is_sorted)(st)
#define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
((STACK_OF(type) * (*) (STACK_OF(type) **,unsigned char **, long , \
@@ -187,6 +189,8 @@ STACK_OF(type) \
((type *)sk_pop(st))
#define SKM_sk_sort(type, st) \
sk_sort(st)
+#define SKM_sk_is_sorted(type, st) \
+ sk_is_sorted(st)
#define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
d2i_ASN1_SET(st,pp,length, (char *(*)())d2i_func, (void (*)(void *))free_func, ex_tag,ex_class)
@@ -223,6 +227,7 @@ STACK_OF(type) \
#define sk_ACCESS_DESCRIPTION_shift(st) SKM_sk_shift(ACCESS_DESCRIPTION, (st))
#define sk_ACCESS_DESCRIPTION_pop(st) SKM_sk_pop(ACCESS_DESCRIPTION, (st))
#define sk_ACCESS_DESCRIPTION_sort(st) SKM_sk_sort(ACCESS_DESCRIPTION, (st))
+#define sk_ACCESS_DESCRIPTION_is_sorted(st) SKM_sk_is_sorted(ACCESS_DESCRIPTION, (st))
#define sk_ASN1_GENERALSTRING_new(st) SKM_sk_new(ASN1_GENERALSTRING, (st))
#define sk_ASN1_GENERALSTRING_new_null() SKM_sk_new_null(ASN1_GENERALSTRING)
@@ -243,6 +248,7 @@ STACK_OF(type) \
#define sk_ASN1_GENERALSTRING_shift(st) SKM_sk_shift(ASN1_GENERALSTRING, (st))
#define sk_ASN1_GENERALSTRING_pop(st) SKM_sk_pop(ASN1_GENERALSTRING, (st))
#define sk_ASN1_GENERALSTRING_sort(st) SKM_sk_sort(ASN1_GENERALSTRING, (st))
+#define sk_ASN1_GENERALSTRING_is_sorted(st) SKM_sk_is_sorted(ASN1_GENERALSTRING, (st))
#define sk_ASN1_INTEGER_new(st) SKM_sk_new(ASN1_INTEGER, (st))
#define sk_ASN1_INTEGER_new_null() SKM_sk_new_null(ASN1_INTEGER)
@@ -263,6 +269,7 @@ STACK_OF(type) \
#define sk_ASN1_INTEGER_shift(st) SKM_sk_shift(ASN1_INTEGER, (st))
#define sk_ASN1_INTEGER_pop(st) SKM_sk_pop(ASN1_INTEGER, (st))
#define sk_ASN1_INTEGER_sort(st) SKM_sk_sort(ASN1_INTEGER, (st))
+#define sk_ASN1_INTEGER_is_sorted(st) SKM_sk_is_sorted(ASN1_INTEGER, (st))
#define sk_ASN1_OBJECT_new(st) SKM_sk_new(ASN1_OBJECT, (st))
#define sk_ASN1_OBJECT_new_null() SKM_sk_new_null(ASN1_OBJECT)
@@ -283,6 +290,7 @@ STACK_OF(type) \
#define sk_ASN1_OBJECT_shift(st) SKM_sk_shift(ASN1_OBJECT, (st))
#define sk_ASN1_OBJECT_pop(st) SKM_sk_pop(ASN1_OBJECT, (st))
#define sk_ASN1_OBJECT_sort(st) SKM_sk_sort(ASN1_OBJECT, (st))
+#define sk_ASN1_OBJECT_is_sorted(st) SKM_sk_is_sorted(ASN1_OBJECT, (st))
#define sk_ASN1_STRING_TABLE_new(st) SKM_sk_new(ASN1_STRING_TABLE, (st))
#define sk_ASN1_STRING_TABLE_new_null() SKM_sk_new_null(ASN1_STRING_TABLE)
@@ -303,6 +311,7 @@ STACK_OF(type) \
#define sk_ASN1_STRING_TABLE_shift(st) SKM_sk_shift(ASN1_STRING_TABLE, (st))
#define sk_ASN1_STRING_TABLE_pop(st) SKM_sk_pop(ASN1_STRING_TABLE, (st))
#define sk_ASN1_STRING_TABLE_sort(st) SKM_sk_sort(ASN1_STRING_TABLE, (st))
+#define sk_ASN1_STRING_TABLE_is_sorted(st) SKM_sk_is_sorted(ASN1_STRING_TABLE, (st))
#define sk_ASN1_TYPE_new(st) SKM_sk_new(ASN1_TYPE, (st))
#define sk_ASN1_TYPE_new_null() SKM_sk_new_null(ASN1_TYPE)
@@ -323,6 +332,7 @@ STACK_OF(type) \
#define sk_ASN1_TYPE_shift(st) SKM_sk_shift(ASN1_TYPE, (st))
#define sk_ASN1_TYPE_pop(st) SKM_sk_pop(ASN1_TYPE, (st))
#define sk_ASN1_TYPE_sort(st) SKM_sk_sort(ASN1_TYPE, (st))
+#define sk_ASN1_TYPE_is_sorted(st) SKM_sk_is_sorted(ASN1_TYPE, (st))
#define sk_ASN1_VALUE_new(st) SKM_sk_new(ASN1_VALUE, (st))
#define sk_ASN1_VALUE_new_null() SKM_sk_new_null(ASN1_VALUE)
@@ -343,6 +353,7 @@ STACK_OF(type) \
#define sk_ASN1_VALUE_shift(st) SKM_sk_shift(ASN1_VALUE, (st))
#define sk_ASN1_VALUE_pop(st) SKM_sk_pop(ASN1_VALUE, (st))
#define sk_ASN1_VALUE_sort(st) SKM_sk_sort(ASN1_VALUE, (st))
+#define sk_ASN1_VALUE_is_sorted(st) SKM_sk_is_sorted(ASN1_VALUE, (st))
#define sk_BIO_new(st) SKM_sk_new(BIO, (st))
#define sk_BIO_new_null() SKM_sk_new_null(BIO)
@@ -363,6 +374,7 @@ STACK_OF(type) \
#define sk_BIO_shift(st) SKM_sk_shift(BIO, (st))
#define sk_BIO_pop(st) SKM_sk_pop(BIO, (st))
#define sk_BIO_sort(st) SKM_sk_sort(BIO, (st))
+#define sk_BIO_is_sorted(st) SKM_sk_is_sorted(BIO, (st))
#define sk_CONF_IMODULE_new(st) SKM_sk_new(CONF_IMODULE, (st))
#define sk_CONF_IMODULE_new_null() SKM_sk_new_null(CONF_IMODULE)
@@ -383,6 +395,7 @@ STACK_OF(type) \
#define sk_CONF_IMODULE_shift(st) SKM_sk_shift(CONF_IMODULE, (st))
#define sk_CONF_IMODULE_pop(st) SKM_sk_pop(CONF_IMODULE, (st))
#define sk_CONF_IMODULE_sort(st) SKM_sk_sort(CONF_IMODULE, (st))
+#define sk_CONF_IMODULE_is_sorted(st) SKM_sk_is_sorted(CONF_IMODULE, (st))
#define sk_CONF_MODULE_new(st) SKM_sk_new(CONF_MODULE, (st))
#define sk_CONF_MODULE_new_null() SKM_sk_new_null(CONF_MODULE)
@@ -403,6 +416,7 @@ STACK_OF(type) \
#define sk_CONF_MODULE_shift(st) SKM_sk_shift(CONF_MODULE, (st))
#define sk_CONF_MODULE_pop(st) SKM_sk_pop(CONF_MODULE, (st))
#define sk_CONF_MODULE_sort(st) SKM_sk_sort(CONF_MODULE, (st))
+#define sk_CONF_MODULE_is_sorted(st) SKM_sk_is_sorted(CONF_MODULE, (st))
#define sk_CONF_VALUE_new(st) SKM_sk_new(CONF_VALUE, (st))
#define sk_CONF_VALUE_new_null() SKM_sk_new_null(CONF_VALUE)
@@ -423,6 +437,7 @@ STACK_OF(type) \
#define sk_CONF_VALUE_shift(st) SKM_sk_shift(CONF_VALUE, (st))
#define sk_CONF_VALUE_pop(st) SKM_sk_pop(CONF_VALUE, (st))
#define sk_CONF_VALUE_sort(st) SKM_sk_sort(CONF_VALUE, (st))
+#define sk_CONF_VALUE_is_sorted(st) SKM_sk_is_sorted(CONF_VALUE, (st))
#define sk_CRYPTO_EX_DATA_FUNCS_new(st) SKM_sk_new(CRYPTO_EX_DATA_FUNCS, (st))
#define sk_CRYPTO_EX_DATA_FUNCS_new_null() SKM_sk_new_null(CRYPTO_EX_DATA_FUNCS)
@@ -443,6 +458,7 @@ STACK_OF(type) \
#define sk_CRYPTO_EX_DATA_FUNCS_shift(st) SKM_sk_shift(CRYPTO_EX_DATA_FUNCS, (st))
#define sk_CRYPTO_EX_DATA_FUNCS_pop(st) SKM_sk_pop(CRYPTO_EX_DATA_FUNCS, (st))
#define sk_CRYPTO_EX_DATA_FUNCS_sort(st) SKM_sk_sort(CRYPTO_EX_DATA_FUNCS, (st))
+#define sk_CRYPTO_EX_DATA_FUNCS_is_sorted(st) SKM_sk_is_sorted(CRYPTO_EX_DATA_FUNCS, (st))
#define sk_CRYPTO_dynlock_new(st) SKM_sk_new(CRYPTO_dynlock, (st))
#define sk_CRYPTO_dynlock_new_null() SKM_sk_new_null(CRYPTO_dynlock)
@@ -463,6 +479,7 @@ STACK_OF(type) \
#define sk_CRYPTO_dynlock_shift(st) SKM_sk_shift(CRYPTO_dynlock, (st))
#define sk_CRYPTO_dynlock_pop(st) SKM_sk_pop(CRYPTO_dynlock, (st))
#define sk_CRYPTO_dynlock_sort(st) SKM_sk_sort(CRYPTO_dynlock, (st))
+#define sk_CRYPTO_dynlock_is_sorted(st) SKM_sk_is_sorted(CRYPTO_dynlock, (st))
#define sk_DIST_POINT_new(st) SKM_sk_new(DIST_POINT, (st))
#define sk_DIST_POINT_new_null() SKM_sk_new_null(DIST_POINT)
@@ -483,6 +500,7 @@ STACK_OF(type) \
#define sk_DIST_POINT_shift(st) SKM_sk_shift(DIST_POINT, (st))
#define sk_DIST_POINT_pop(st) SKM_sk_pop(DIST_POINT, (st))
#define sk_DIST_POINT_sort(st) SKM_sk_sort(DIST_POINT, (st))
+#define sk_DIST_POINT_is_sorted(st) SKM_sk_is_sorted(DIST_POINT, (st))
#define sk_ENGINE_new(st) SKM_sk_new(ENGINE, (st))
#define sk_ENGINE_new_null() SKM_sk_new_null(ENGINE)
@@ -503,6 +521,7 @@ STACK_OF(type) \
#define sk_ENGINE_shift(st) SKM_sk_shift(ENGINE, (st))
#define sk_ENGINE_pop(st) SKM_sk_pop(ENGINE, (st))
#define sk_ENGINE_sort(st) SKM_sk_sort(ENGINE, (st))
+#define sk_ENGINE_is_sorted(st) SKM_sk_is_sorted(ENGINE, (st))
#define sk_ENGINE_CLEANUP_ITEM_new(st) SKM_sk_new(ENGINE_CLEANUP_ITEM, (st))
#define sk_ENGINE_CLEANUP_ITEM_new_null() SKM_sk_new_null(ENGINE_CLEANUP_ITEM)
@@ -523,6 +542,7 @@ STACK_OF(type) \
#define sk_ENGINE_CLEANUP_ITEM_shift(st) SKM_sk_shift(ENGINE_CLEANUP_ITEM, (st))
#define sk_ENGINE_CLEANUP_ITEM_pop(st) SKM_sk_pop(ENGINE_CLEANUP_ITEM, (st))
#define sk_ENGINE_CLEANUP_ITEM_sort(st) SKM_sk_sort(ENGINE_CLEANUP_ITEM, (st))
+#define sk_ENGINE_CLEANUP_ITEM_is_sorted(st) SKM_sk_is_sorted(ENGINE_CLEANUP_ITEM, (st))
#define sk_GENERAL_NAME_new(st) SKM_sk_new(GENERAL_NAME, (st))
#define sk_GENERAL_NAME_new_null() SKM_sk_new_null(GENERAL_NAME)
@@ -543,6 +563,7 @@ STACK_OF(type) \
#define sk_GENERAL_NAME_shift(st) SKM_sk_shift(GENERAL_NAME, (st))
#define sk_GENERAL_NAME_pop(st) SKM_sk_pop(GENERAL_NAME, (st))
#define sk_GENERAL_NAME_sort(st) SKM_sk_sort(GENERAL_NAME, (st))
+#define sk_GENERAL_NAME_is_sorted(st) SKM_sk_is_sorted(GENERAL_NAME, (st))
#define sk_KRB5_APREQBODY_new(st) SKM_sk_new(KRB5_APREQBODY, (st))
#define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY)
@@ -563,6 +584,7 @@ STACK_OF(type) \
#define sk_KRB5_APREQBODY_shift(st) SKM_sk_shift(KRB5_APREQBODY, (st))
#define sk_KRB5_APREQBODY_pop(st) SKM_sk_pop(KRB5_APREQBODY, (st))
#define sk_KRB5_APREQBODY_sort(st) SKM_sk_sort(KRB5_APREQBODY, (st))
+#define sk_KRB5_APREQBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_APREQBODY, (st))
#define sk_KRB5_AUTHDATA_new(st) SKM_sk_new(KRB5_AUTHDATA, (st))
#define sk_KRB5_AUTHDATA_new_null() SKM_sk_new_null(KRB5_AUTHDATA)
@@ -583,6 +605,7 @@ STACK_OF(type) \
#define sk_KRB5_AUTHDATA_shift(st) SKM_sk_shift(KRB5_AUTHDATA, (st))
#define sk_KRB5_AUTHDATA_pop(st) SKM_sk_pop(KRB5_AUTHDATA, (st))
#define sk_KRB5_AUTHDATA_sort(st) SKM_sk_sort(KRB5_AUTHDATA, (st))
+#define sk_KRB5_AUTHDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHDATA, (st))
#define sk_KRB5_AUTHENTBODY_new(st) SKM_sk_new(KRB5_AUTHENTBODY, (st))
#define sk_KRB5_AUTHENTBODY_new_null() SKM_sk_new_null(KRB5_AUTHENTBODY)
@@ -603,6 +626,7 @@ STACK_OF(type) \
#define sk_KRB5_AUTHENTBODY_shift(st) SKM_sk_shift(KRB5_AUTHENTBODY, (st))
#define sk_KRB5_AUTHENTBODY_pop(st) SKM_sk_pop(KRB5_AUTHENTBODY, (st))
#define sk_KRB5_AUTHENTBODY_sort(st) SKM_sk_sort(KRB5_AUTHENTBODY, (st))
+#define sk_KRB5_AUTHENTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHENTBODY, (st))
#define sk_KRB5_CHECKSUM_new(st) SKM_sk_new(KRB5_CHECKSUM, (st))
#define sk_KRB5_CHECKSUM_new_null() SKM_sk_new_null(KRB5_CHECKSUM)
@@ -623,6 +647,7 @@ STACK_OF(type) \
#define sk_KRB5_CHECKSUM_shift(st) SKM_sk_shift(KRB5_CHECKSUM, (st))
#define sk_KRB5_CHECKSUM_pop(st) SKM_sk_pop(KRB5_CHECKSUM, (st))
#define sk_KRB5_CHECKSUM_sort(st) SKM_sk_sort(KRB5_CHECKSUM, (st))
+#define sk_KRB5_CHECKSUM_is_sorted(st) SKM_sk_is_sorted(KRB5_CHECKSUM, (st))
#define sk_KRB5_ENCDATA_new(st) SKM_sk_new(KRB5_ENCDATA, (st))
#define sk_KRB5_ENCDATA_new_null() SKM_sk_new_null(KRB5_ENCDATA)
@@ -643,6 +668,7 @@ STACK_OF(type) \
#define sk_KRB5_ENCDATA_shift(st) SKM_sk_shift(KRB5_ENCDATA, (st))
#define sk_KRB5_ENCDATA_pop(st) SKM_sk_pop(KRB5_ENCDATA, (st))
#define sk_KRB5_ENCDATA_sort(st) SKM_sk_sort(KRB5_ENCDATA, (st))
+#define sk_KRB5_ENCDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCDATA, (st))
#define sk_KRB5_ENCKEY_new(st) SKM_sk_new(KRB5_ENCKEY, (st))
#define sk_KRB5_ENCKEY_new_null() SKM_sk_new_null(KRB5_ENCKEY)
@@ -663,6 +689,7 @@ STACK_OF(type) \
#define sk_KRB5_ENCKEY_shift(st) SKM_sk_shift(KRB5_ENCKEY, (st))
#define sk_KRB5_ENCKEY_pop(st) SKM_sk_pop(KRB5_ENCKEY, (st))
#define sk_KRB5_ENCKEY_sort(st) SKM_sk_sort(KRB5_ENCKEY, (st))
+#define sk_KRB5_ENCKEY_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCKEY, (st))
#define sk_KRB5_PRINCNAME_new(st) SKM_sk_new(KRB5_PRINCNAME, (st))
#define sk_KRB5_PRINCNAME_new_null() SKM_sk_new_null(KRB5_PRINCNAME)
@@ -683,6 +710,7 @@ STACK_OF(type) \
#define sk_KRB5_PRINCNAME_shift(st) SKM_sk_shift(KRB5_PRINCNAME, (st))
#define sk_KRB5_PRINCNAME_pop(st) SKM_sk_pop(KRB5_PRINCNAME, (st))
#define sk_KRB5_PRINCNAME_sort(st) SKM_sk_sort(KRB5_PRINCNAME, (st))
+#define sk_KRB5_PRINCNAME_is_sorted(st) SKM_sk_is_sorted(KRB5_PRINCNAME, (st))
#define sk_KRB5_TKTBODY_new(st) SKM_sk_new(KRB5_TKTBODY, (st))
#define sk_KRB5_TKTBODY_new_null() SKM_sk_new_null(KRB5_TKTBODY)
@@ -703,6 +731,7 @@ STACK_OF(type) \
#define sk_KRB5_TKTBODY_shift(st) SKM_sk_shift(KRB5_TKTBODY, (st))
#define sk_KRB5_TKTBODY_pop(st) SKM_sk_pop(KRB5_TKTBODY, (st))
#define sk_KRB5_TKTBODY_sort(st) SKM_sk_sort(KRB5_TKTBODY, (st))
+#define sk_KRB5_TKTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_TKTBODY, (st))
#define sk_MIME_HEADER_new(st) SKM_sk_new(MIME_HEADER, (st))
#define sk_MIME_HEADER_new_null() SKM_sk_new_null(MIME_HEADER)
@@ -723,6 +752,7 @@ STACK_OF(type) \
#define sk_MIME_HEADER_shift(st) SKM_sk_shift(MIME_HEADER, (st))
#define sk_MIME_HEADER_pop(st) SKM_sk_pop(MIME_HEADER, (st))
#define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
+#define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
#define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
#define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
@@ -743,6 +773,7 @@ STACK_OF(type) \
#define sk_MIME_PARAM_shift(st) SKM_sk_shift(MIME_PARAM, (st))
#define sk_MIME_PARAM_pop(st) SKM_sk_pop(MIME_PARAM, (st))
#define sk_MIME_PARAM_sort(st) SKM_sk_sort(MIME_PARAM, (st))
+#define sk_MIME_PARAM_is_sorted(st) SKM_sk_is_sorted(MIME_PARAM, (st))
#define sk_NAME_FUNCS_new(st) SKM_sk_new(NAME_FUNCS, (st))
#define sk_NAME_FUNCS_new_null() SKM_sk_new_null(NAME_FUNCS)
@@ -763,6 +794,7 @@ STACK_OF(type) \
#define sk_NAME_FUNCS_shift(st) SKM_sk_shift(NAME_FUNCS, (st))
#define sk_NAME_FUNCS_pop(st) SKM_sk_pop(NAME_FUNCS, (st))
#define sk_NAME_FUNCS_sort(st) SKM_sk_sort(NAME_FUNCS, (st))
+#define sk_NAME_FUNCS_is_sorted(st) SKM_sk_is_sorted(NAME_FUNCS, (st))
#define sk_OCSP_CERTID_new(st) SKM_sk_new(OCSP_CERTID, (st))
#define sk_OCSP_CERTID_new_null() SKM_sk_new_null(OCSP_CERTID)
@@ -783,6 +815,7 @@ STACK_OF(type) \
#define sk_OCSP_CERTID_shift(st) SKM_sk_shift(OCSP_CERTID, (st))
#define sk_OCSP_CERTID_pop(st) SKM_sk_pop(OCSP_CERTID, (st))
#define sk_OCSP_CERTID_sort(st) SKM_sk_sort(OCSP_CERTID, (st))
+#define sk_OCSP_CERTID_is_sorted(st) SKM_sk_is_sorted(OCSP_CERTID, (st))
#define sk_OCSP_ONEREQ_new(st) SKM_sk_new(OCSP_ONEREQ, (st))
#define sk_OCSP_ONEREQ_new_null() SKM_sk_new_null(OCSP_ONEREQ)
@@ -803,6 +836,7 @@ STACK_OF(type) \
#define sk_OCSP_ONEREQ_shift(st) SKM_sk_shift(OCSP_ONEREQ, (st))
#define sk_OCSP_ONEREQ_pop(st) SKM_sk_pop(OCSP_ONEREQ, (st))
#define sk_OCSP_ONEREQ_sort(st) SKM_sk_sort(OCSP_ONEREQ, (st))
+#define sk_OCSP_ONEREQ_is_sorted(st) SKM_sk_is_sorted(OCSP_ONEREQ, (st))
#define sk_OCSP_SINGLERESP_new(st) SKM_sk_new(OCSP_SINGLERESP, (st))
#define sk_OCSP_SINGLERESP_new_null() SKM_sk_new_null(OCSP_SINGLERESP)
@@ -823,6 +857,7 @@ STACK_OF(type) \
#define sk_OCSP_SINGLERESP_shift(st) SKM_sk_shift(OCSP_SINGLERESP, (st))
#define sk_OCSP_SINGLERESP_pop(st) SKM_sk_pop(OCSP_SINGLERESP, (st))
#define sk_OCSP_SINGLERESP_sort(st) SKM_sk_sort(OCSP_SINGLERESP, (st))
+#define sk_OCSP_SINGLERESP_is_sorted(st) SKM_sk_is_sorted(OCSP_SINGLERESP, (st))
#define sk_PKCS12_SAFEBAG_new(st) SKM_sk_new(PKCS12_SAFEBAG, (st))
#define sk_PKCS12_SAFEBAG_new_null() SKM_sk_new_null(PKCS12_SAFEBAG)
@@ -843,6 +878,7 @@ STACK_OF(type) \
#define sk_PKCS12_SAFEBAG_shift(st) SKM_sk_shift(PKCS12_SAFEBAG, (st))
#define sk_PKCS12_SAFEBAG_pop(st) SKM_sk_pop(PKCS12_SAFEBAG, (st))
#define sk_PKCS12_SAFEBAG_sort(st) SKM_sk_sort(PKCS12_SAFEBAG, (st))
+#define sk_PKCS12_SAFEBAG_is_sorted(st) SKM_sk_is_sorted(PKCS12_SAFEBAG, (st))
#define sk_PKCS7_new(st) SKM_sk_new(PKCS7, (st))
#define sk_PKCS7_new_null() SKM_sk_new_null(PKCS7)
@@ -863,6 +899,7 @@ STACK_OF(type) \
#define sk_PKCS7_shift(st) SKM_sk_shift(PKCS7, (st))
#define sk_PKCS7_pop(st) SKM_sk_pop(PKCS7, (st))
#define sk_PKCS7_sort(st) SKM_sk_sort(PKCS7, (st))
+#define sk_PKCS7_is_sorted(st) SKM_sk_is_sorted(PKCS7, (st))
#define sk_PKCS7_RECIP_INFO_new(st) SKM_sk_new(PKCS7_RECIP_INFO, (st))
#define sk_PKCS7_RECIP_INFO_new_null() SKM_sk_new_null(PKCS7_RECIP_INFO)
@@ -883,6 +920,7 @@ STACK_OF(type) \
#define sk_PKCS7_RECIP_INFO_shift(st) SKM_sk_shift(PKCS7_RECIP_INFO, (st))
#define sk_PKCS7_RECIP_INFO_pop(st) SKM_sk_pop(PKCS7_RECIP_INFO, (st))
#define sk_PKCS7_RECIP_INFO_sort(st) SKM_sk_sort(PKCS7_RECIP_INFO, (st))
+#define sk_PKCS7_RECIP_INFO_is_sorted(st) SKM_sk_is_sorted(PKCS7_RECIP_INFO, (st))
#define sk_PKCS7_SIGNER_INFO_new(st) SKM_sk_new(PKCS7_SIGNER_INFO, (st))
#define sk_PKCS7_SIGNER_INFO_new_null() SKM_sk_new_null(PKCS7_SIGNER_INFO)
@@ -903,6 +941,7 @@ STACK_OF(type) \
#define sk_PKCS7_SIGNER_INFO_shift(st) SKM_sk_shift(PKCS7_SIGNER_INFO, (st))
#define sk_PKCS7_SIGNER_INFO_pop(st) SKM_sk_pop(PKCS7_SIGNER_INFO, (st))
#define sk_PKCS7_SIGNER_INFO_sort(st) SKM_sk_sort(PKCS7_SIGNER_INFO, (st))
+#define sk_PKCS7_SIGNER_INFO_is_sorted(st) SKM_sk_is_sorted(PKCS7_SIGNER_INFO, (st))
#define sk_POLICYINFO_new(st) SKM_sk_new(POLICYINFO, (st))
#define sk_POLICYINFO_new_null() SKM_sk_new_null(POLICYINFO)
@@ -923,6 +962,7 @@ STACK_OF(type) \
#define sk_POLICYINFO_shift(st) SKM_sk_shift(POLICYINFO, (st))
#define sk_POLICYINFO_pop(st) SKM_sk_pop(POLICYINFO, (st))
#define sk_POLICYINFO_sort(st) SKM_sk_sort(POLICYINFO, (st))
+#define sk_POLICYINFO_is_sorted(st) SKM_sk_is_sorted(POLICYINFO, (st))
#define sk_POLICYQUALINFO_new(st) SKM_sk_new(POLICYQUALINFO, (st))
#define sk_POLICYQUALINFO_new_null() SKM_sk_new_null(POLICYQUALINFO)
@@ -943,6 +983,7 @@ STACK_OF(type) \
#define sk_POLICYQUALINFO_shift(st) SKM_sk_shift(POLICYQUALINFO, (st))
#define sk_POLICYQUALINFO_pop(st) SKM_sk_pop(POLICYQUALINFO, (st))
#define sk_POLICYQUALINFO_sort(st) SKM_sk_sort(POLICYQUALINFO, (st))
+#define sk_POLICYQUALINFO_is_sorted(st) SKM_sk_is_sorted(POLICYQUALINFO, (st))
#define sk_SSL_CIPHER_new(st) SKM_sk_new(SSL_CIPHER, (st))
#define sk_SSL_CIPHER_new_null() SKM_sk_new_null(SSL_CIPHER)
@@ -963,6 +1004,7 @@ STACK_OF(type) \
#define sk_SSL_CIPHER_shift(st) SKM_sk_shift(SSL_CIPHER, (st))
#define sk_SSL_CIPHER_pop(st) SKM_sk_pop(SSL_CIPHER, (st))
#define sk_SSL_CIPHER_sort(st) SKM_sk_sort(SSL_CIPHER, (st))
+#define sk_SSL_CIPHER_is_sorted(st) SKM_sk_is_sorted(SSL_CIPHER, (st))
#define sk_SSL_COMP_new(st) SKM_sk_new(SSL_COMP, (st))
#define sk_SSL_COMP_new_null() SKM_sk_new_null(SSL_COMP)
@@ -983,6 +1025,7 @@ STACK_OF(type) \
#define sk_SSL_COMP_shift(st) SKM_sk_shift(SSL_COMP, (st))
#define sk_SSL_COMP_pop(st) SKM_sk_pop(SSL_COMP, (st))
#define sk_SSL_COMP_sort(st) SKM_sk_sort(SSL_COMP, (st))
+#define sk_SSL_COMP_is_sorted(st) SKM_sk_is_sorted(SSL_COMP, (st))
#define sk_SXNETID_new(st) SKM_sk_new(SXNETID, (st))
#define sk_SXNETID_new_null() SKM_sk_new_null(SXNETID)
@@ -1003,6 +1046,7 @@ STACK_OF(type) \
#define sk_SXNETID_shift(st) SKM_sk_shift(SXNETID, (st))
#define sk_SXNETID_pop(st) SKM_sk_pop(SXNETID, (st))
#define sk_SXNETID_sort(st) SKM_sk_sort(SXNETID, (st))
+#define sk_SXNETID_is_sorted(st) SKM_sk_is_sorted(SXNETID, (st))
#define sk_UI_STRING_new(st) SKM_sk_new(UI_STRING, (st))
#define sk_UI_STRING_new_null() SKM_sk_new_null(UI_STRING)
@@ -1023,6 +1067,7 @@ STACK_OF(type) \
#define sk_UI_STRING_shift(st) SKM_sk_shift(UI_STRING, (st))
#define sk_UI_STRING_pop(st) SKM_sk_pop(UI_STRING, (st))
#define sk_UI_STRING_sort(st) SKM_sk_sort(UI_STRING, (st))
+#define sk_UI_STRING_is_sorted(st) SKM_sk_is_sorted(UI_STRING, (st))
#define sk_X509_new(st) SKM_sk_new(X509, (st))
#define sk_X509_new_null() SKM_sk_new_null(X509)
@@ -1043,6 +1088,7 @@ STACK_OF(type) \
#define sk_X509_shift(st) SKM_sk_shift(X509, (st))
#define sk_X509_pop(st) SKM_sk_pop(X509, (st))
#define sk_X509_sort(st) SKM_sk_sort(X509, (st))
+#define sk_X509_is_sorted(st) SKM_sk_is_sorted(X509, (st))
#define sk_X509V3_EXT_METHOD_new(st) SKM_sk_new(X509V3_EXT_METHOD, (st))
#define sk_X509V3_EXT_METHOD_new_null() SKM_sk_new_null(X509V3_EXT_METHOD)
@@ -1063,6 +1109,7 @@ STACK_OF(type) \
#define sk_X509V3_EXT_METHOD_shift(st) SKM_sk_shift(X509V3_EXT_METHOD, (st))
#define sk_X509V3_EXT_METHOD_pop(st) SKM_sk_pop(X509V3_EXT_METHOD, (st))
#define sk_X509V3_EXT_METHOD_sort(st) SKM_sk_sort(X509V3_EXT_METHOD, (st))
+#define sk_X509V3_EXT_METHOD_is_sorted(st) SKM_sk_is_sorted(X509V3_EXT_METHOD, (st))
#define sk_X509_ALGOR_new(st) SKM_sk_new(X509_ALGOR, (st))
#define sk_X509_ALGOR_new_null() SKM_sk_new_null(X509_ALGOR)
@@ -1083,6 +1130,7 @@ STACK_OF(type) \
#define sk_X509_ALGOR_shift(st) SKM_sk_shift(X509_ALGOR, (st))
#define sk_X509_ALGOR_pop(st) SKM_sk_pop(X509_ALGOR, (st))
#define sk_X509_ALGOR_sort(st) SKM_sk_sort(X509_ALGOR, (st))
+#define sk_X509_ALGOR_is_sorted(st) SKM_sk_is_sorted(X509_ALGOR, (st))
#define sk_X509_ATTRIBUTE_new(st) SKM_sk_new(X509_ATTRIBUTE, (st))
#define sk_X509_ATTRIBUTE_new_null() SKM_sk_new_null(X509_ATTRIBUTE)
@@ -1103,6 +1151,7 @@ STACK_OF(type) \
#define sk_X509_ATTRIBUTE_shift(st) SKM_sk_shift(X509_ATTRIBUTE, (st))
#define sk_X509_ATTRIBUTE_pop(st) SKM_sk_pop(X509_ATTRIBUTE, (st))
#define sk_X509_ATTRIBUTE_sort(st) SKM_sk_sort(X509_ATTRIBUTE, (st))
+#define sk_X509_ATTRIBUTE_is_sorted(st) SKM_sk_is_sorted(X509_ATTRIBUTE, (st))
#define sk_X509_CRL_new(st) SKM_sk_new(X509_CRL, (st))
#define sk_X509_CRL_new_null() SKM_sk_new_null(X509_CRL)
@@ -1123,6 +1172,7 @@ STACK_OF(type) \
#define sk_X509_CRL_shift(st) SKM_sk_shift(X509_CRL, (st))
#define sk_X509_CRL_pop(st) SKM_sk_pop(X509_CRL, (st))
#define sk_X509_CRL_sort(st) SKM_sk_sort(X509_CRL, (st))
+#define sk_X509_CRL_is_sorted(st) SKM_sk_is_sorted(X509_CRL, (st))
#define sk_X509_EXTENSION_new(st) SKM_sk_new(X509_EXTENSION, (st))
#define sk_X509_EXTENSION_new_null() SKM_sk_new_null(X509_EXTENSION)
@@ -1143,6 +1193,7 @@ STACK_OF(type) \
#define sk_X509_EXTENSION_shift(st) SKM_sk_shift(X509_EXTENSION, (st))
#define sk_X509_EXTENSION_pop(st) SKM_sk_pop(X509_EXTENSION, (st))
#define sk_X509_EXTENSION_sort(st) SKM_sk_sort(X509_EXTENSION, (st))
+#define sk_X509_EXTENSION_is_sorted(st) SKM_sk_is_sorted(X509_EXTENSION, (st))
#define sk_X509_INFO_new(st) SKM_sk_new(X509_INFO, (st))
#define sk_X509_INFO_new_null() SKM_sk_new_null(X509_INFO)
@@ -1163,6 +1214,7 @@ STACK_OF(type) \
#define sk_X509_INFO_shift(st) SKM_sk_shift(X509_INFO, (st))
#define sk_X509_INFO_pop(st) SKM_sk_pop(X509_INFO, (st))
#define sk_X509_INFO_sort(st) SKM_sk_sort(X509_INFO, (st))
+#define sk_X509_INFO_is_sorted(st) SKM_sk_is_sorted(X509_INFO, (st))
#define sk_X509_LOOKUP_new(st) SKM_sk_new(X509_LOOKUP, (st))
#define sk_X509_LOOKUP_new_null() SKM_sk_new_null(X509_LOOKUP)
@@ -1183,6 +1235,7 @@ STACK_OF(type) \
#define sk_X509_LOOKUP_shift(st) SKM_sk_shift(X509_LOOKUP, (st))
#define sk_X509_LOOKUP_pop(st) SKM_sk_pop(X509_LOOKUP, (st))
#define sk_X509_LOOKUP_sort(st) SKM_sk_sort(X509_LOOKUP, (st))
+#define sk_X509_LOOKUP_is_sorted(st) SKM_sk_is_sorted(X509_LOOKUP, (st))
#define sk_X509_NAME_new(st) SKM_sk_new(X509_NAME, (st))
#define sk_X509_NAME_new_null() SKM_sk_new_null(X509_NAME)
@@ -1203,6 +1256,7 @@ STACK_OF(type) \
#define sk_X509_NAME_shift(st) SKM_sk_shift(X509_NAME, (st))
#define sk_X509_NAME_pop(st) SKM_sk_pop(X509_NAME, (st))
#define sk_X509_NAME_sort(st) SKM_sk_sort(X509_NAME, (st))
+#define sk_X509_NAME_is_sorted(st) SKM_sk_is_sorted(X509_NAME, (st))
#define sk_X509_NAME_ENTRY_new(st) SKM_sk_new(X509_NAME_ENTRY, (st))
#define sk_X509_NAME_ENTRY_new_null() SKM_sk_new_null(X509_NAME_ENTRY)
@@ -1223,6 +1277,7 @@ STACK_OF(type) \
#define sk_X509_NAME_ENTRY_shift(st) SKM_sk_shift(X509_NAME_ENTRY, (st))
#define sk_X509_NAME_ENTRY_pop(st) SKM_sk_pop(X509_NAME_ENTRY, (st))
#define sk_X509_NAME_ENTRY_sort(st) SKM_sk_sort(X509_NAME_ENTRY, (st))
+#define sk_X509_NAME_ENTRY_is_sorted(st) SKM_sk_is_sorted(X509_NAME_ENTRY, (st))
#define sk_X509_OBJECT_new(st) SKM_sk_new(X509_OBJECT, (st))
#define sk_X509_OBJECT_new_null() SKM_sk_new_null(X509_OBJECT)
@@ -1243,6 +1298,7 @@ STACK_OF(type) \
#define sk_X509_OBJECT_shift(st) SKM_sk_shift(X509_OBJECT, (st))
#define sk_X509_OBJECT_pop(st) SKM_sk_pop(X509_OBJECT, (st))
#define sk_X509_OBJECT_sort(st) SKM_sk_sort(X509_OBJECT, (st))
+#define sk_X509_OBJECT_is_sorted(st) SKM_sk_is_sorted(X509_OBJECT, (st))
#define sk_X509_PURPOSE_new(st) SKM_sk_new(X509_PURPOSE, (st))
#define sk_X509_PURPOSE_new_null() SKM_sk_new_null(X509_PURPOSE)
@@ -1263,6 +1319,7 @@ STACK_OF(type) \
#define sk_X509_PURPOSE_shift(st) SKM_sk_shift(X509_PURPOSE, (st))
#define sk_X509_PURPOSE_pop(st) SKM_sk_pop(X509_PURPOSE, (st))
#define sk_X509_PURPOSE_sort(st) SKM_sk_sort(X509_PURPOSE, (st))
+#define sk_X509_PURPOSE_is_sorted(st) SKM_sk_is_sorted(X509_PURPOSE, (st))
#define sk_X509_REVOKED_new(st) SKM_sk_new(X509_REVOKED, (st))
#define sk_X509_REVOKED_new_null() SKM_sk_new_null(X509_REVOKED)
@@ -1283,6 +1340,7 @@ STACK_OF(type) \
#define sk_X509_REVOKED_shift(st) SKM_sk_shift(X509_REVOKED, (st))
#define sk_X509_REVOKED_pop(st) SKM_sk_pop(X509_REVOKED, (st))
#define sk_X509_REVOKED_sort(st) SKM_sk_sort(X509_REVOKED, (st))
+#define sk_X509_REVOKED_is_sorted(st) SKM_sk_is_sorted(X509_REVOKED, (st))
#define sk_X509_TRUST_new(st) SKM_sk_new(X509_TRUST, (st))
#define sk_X509_TRUST_new_null() SKM_sk_new_null(X509_TRUST)
@@ -1303,6 +1361,7 @@ STACK_OF(type) \
#define sk_X509_TRUST_shift(st) SKM_sk_shift(X509_TRUST, (st))
#define sk_X509_TRUST_pop(st) SKM_sk_pop(X509_TRUST, (st))
#define sk_X509_TRUST_sort(st) SKM_sk_sort(X509_TRUST, (st))
+#define sk_X509_TRUST_is_sorted(st) SKM_sk_is_sorted(X509_TRUST, (st))
#define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class))
diff --git a/lib/libssl/src/crypto/stack/stack.c b/lib/libssl/src/crypto/stack/stack.c
index 2496f28a8c0..c7173eb6ab2 100644
--- a/lib/libssl/src/crypto/stack/stack.c
+++ b/lib/libssl/src/crypto/stack/stack.c
@@ -191,8 +191,7 @@ char *sk_delete(STACK *st, int loc)
char *ret;
int i,j;
- if ((st == NULL) || (st->num == 0) || (loc < 0)
- || (loc >= st->num)) return(NULL);
+ if(!st || (loc < 0) || (loc >= st->num)) return NULL;
ret=st->data[loc];
if (loc != st->num-1)
@@ -306,13 +305,13 @@ int sk_num(const STACK *st)
char *sk_value(const STACK *st, int i)
{
- if(st == NULL) return NULL;
+ if(!st || (i < 0) || (i >= st->num)) return NULL;
return st->data[i];
}
char *sk_set(STACK *st, int i, char *value)
{
- if(st == NULL) return NULL;
+ if(!st || (i < 0) || (i >= st->num)) return NULL;
return (st->data[i] = value);
}
@@ -332,3 +331,10 @@ void sk_sort(STACK *st)
st->sorted=1;
}
}
+
+int sk_is_sorted(const STACK *st)
+ {
+ if (!st)
+ return 1;
+ return st->sorted;
+ }
diff --git a/lib/libssl/src/crypto/stack/stack.h b/lib/libssl/src/crypto/stack/stack.h
index 8b436ca4b98..7570b85fe85 100644
--- a/lib/libssl/src/crypto/stack/stack.h
+++ b/lib/libssl/src/crypto/stack/stack.h
@@ -99,6 +99,7 @@ int (*sk_set_cmp_func(STACK *sk, int (*c)(const char * const *,
(const char * const *, const char * const *);
STACK *sk_dup(STACK *st);
void sk_sort(STACK *st);
+int sk_is_sorted(const STACK *st);
#ifdef __cplusplus
}
diff --git a/lib/libssl/src/crypto/x509/by_file.c b/lib/libssl/src/crypto/x509/by_file.c
index b4b04183d07..a5e0d4aefa1 100644
--- a/lib/libssl/src/crypto/x509/by_file.c
+++ b/lib/libssl/src/crypto/x509/by_file.c
@@ -150,7 +150,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL);
if (x == NULL)
{
- if ((ERR_GET_REASON(ERR_peek_error()) ==
+ if ((ERR_GET_REASON(ERR_peek_last_error()) ==
PEM_R_NO_START_LINE) && (count > 0))
{
ERR_clear_error();
@@ -217,7 +217,7 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
if (x == NULL)
{
- if ((ERR_GET_REASON(ERR_peek_error()) ==
+ if ((ERR_GET_REASON(ERR_peek_last_error()) ==
PEM_R_NO_START_LINE) && (count > 0))
{
ERR_clear_error();
diff --git a/lib/libssl/src/crypto/x509/x509.h b/lib/libssl/src/crypto/x509/x509.h
index 8d0c7e2e179..e8c1a59cf2f 100644
--- a/lib/libssl/src/crypto/x509/x509.h
+++ b/lib/libssl/src/crypto/x509/x509.h
@@ -410,6 +410,7 @@ typedef struct X509_crl_info_st
ASN1_TIME *nextUpdate;
STACK_OF(X509_REVOKED) *revoked;
STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
+ ASN1_ENCODING enc;
} X509_CRL_INFO;
struct X509_crl_st
@@ -1037,18 +1038,18 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
unsigned char *bytes, int len, int loc, int set);
X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
- char *field, int type, unsigned char *bytes, int len);
+ const char *field, int type, const unsigned char *bytes, int len);
X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
int type,unsigned char *bytes, int len);
-int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
- unsigned char *bytes, int len, int loc, int set);
+int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
+ const unsigned char *bytes, int len, int loc, int set);
X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
- ASN1_OBJECT *obj, int type,unsigned char *bytes,
+ ASN1_OBJECT *obj, int type,const unsigned char *bytes,
int len);
int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
ASN1_OBJECT *obj);
int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
- unsigned char *bytes, int len);
+ const unsigned char *bytes, int len);
ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
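Review bot: The const-qualification in this hunk is applied unevenly: `X509_NAME_add_entry_by_NID` and `X509_NAME_ENTRY_create_by_NID` in the context lines still take `unsigned char *bytes`. The `_by_txt`, `_by_OBJ` and `X509_NAME_ENTRY_set_data` variants now take `const unsigned char *bytes`. Callers holding a const buffer therefore still have to cast for the NID variants. Change those two prototypes to `const unsigned char *bytes` as well, together with their definitions in x509name.c, so the family has parallel signatures.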
diff --git a/lib/libssl/src/crypto/x509/x509_cmp.c b/lib/libssl/src/crypto/x509/x509_cmp.c
index f460102f497..030d0966fc0 100644
--- a/lib/libssl/src/crypto/x509/x509_cmp.c
+++ b/lib/libssl/src/crypto/x509/x509_cmp.c
@@ -254,33 +254,49 @@ static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
return 0;
}
+static int asn1_string_memcmp(ASN1_STRING *a, ASN1_STRING *b)
+ {
+ int j;
+ j = a->length - b->length;
+ if (j)
+ return j;
+ return memcmp(a->data, b->data, a->length);
+ }
+
+#define STR_TYPE_CMP (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_UTF8STRING)
+
int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
{
int i,j;
X509_NAME_ENTRY *na,*nb;
- if (sk_X509_NAME_ENTRY_num(a->entries)
- != sk_X509_NAME_ENTRY_num(b->entries))
- return sk_X509_NAME_ENTRY_num(a->entries)
- -sk_X509_NAME_ENTRY_num(b->entries);
+ unsigned long nabit, nbbit;
+
+ j = sk_X509_NAME_ENTRY_num(a->entries)
+ - sk_X509_NAME_ENTRY_num(b->entries);
+ if (j)
+ return j;
for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
{
na=sk_X509_NAME_ENTRY_value(a->entries,i);
nb=sk_X509_NAME_ENTRY_value(b->entries,i);
j=na->value->type-nb->value->type;
- if (j) return(j);
- if (na->value->type == V_ASN1_PRINTABLESTRING)
+ if (j)
+ {
+ nabit = ASN1_tag2bit(na->value->type);
+ nbbit = ASN1_tag2bit(nb->value->type);
+ if (!(nabit & STR_TYPE_CMP) ||
+ !(nbbit & STR_TYPE_CMP))
+ return j;
+ j = asn1_string_memcmp(na->value, nb->value);
+ }
+ else if (na->value->type == V_ASN1_PRINTABLESTRING)
j=nocase_spacenorm_cmp(na->value, nb->value);
else if (na->value->type == V_ASN1_IA5STRING
&& OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
j=nocase_cmp(na->value, nb->value);
else
- {
- j=na->value->length-nb->value->length;
- if (j) return(j);
- j=memcmp(na->value->data,nb->value->data,
- na->value->length);
- }
+ j = asn1_string_memcmp(na->value, nb->value);
if (j) return(j);
j=na->set-nb->set;
if (j) return(j);
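Review bot: The new cross-type branch in `X509_NAME_cmp` compares values of different string types with `asn1_string_memcmp`, while two PrintableStrings still go through `nocase_spacenorm_cmp`, so equality is no longer transitive. Judging by the helper's name, a PrintableString and a UTF8String with identical bytes compare equal while the same text in a different case does not. A raw byte compare between a T61String and a UTF8String also treats two different encodings as the same text whenever the bytes match. If this function is used as a sort or lookup comparator for names (not visible here), it is worth a comment above `STR_TYPE_CMP` such as `/* types in this mask are compared byte-wise across types; no case folding or charset conversion is applied */`, and ideally both values would be normalised before comparison. The loop body continues past the end of the hunk.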
@@ -306,10 +322,16 @@ unsigned long X509_NAME_hash(X509_NAME *x)
{
unsigned long ret=0;
unsigned char md[16];
+ EVP_MD_CTX md_ctx;
/* Make sure X509_NAME structure contains valid cached encoding */
i2d_X509_NAME(x,NULL);
- EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
+ EVP_MD_CTX_init(&md_ctx);
+ EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
+ EVP_DigestFinal_ex(&md_ctx,md,NULL);
+ EVP_MD_CTX_cleanup(&md_ctx);
ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
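Review bot: None of the return values of `EVP_DigestInit_ex`, `EVP_DigestUpdate` and `EVP_DigestFinal_ex` are checked, so if any of them fails the hash is folded from the uninitialised stack buffer `md`. The `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` flag suggests MD5 can be refused in some builds, which makes a failing init a realistic case rather than a theoretical one. Returning 0 on failure keeps the result deterministic; the function's end is outside the hunk.
```c
	EVP_MD_CTX_init(&md_ctx);
	EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
	/* md[] is only defined when all three digest calls succeed */
	if (!EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL)
	    || !EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length)
	    || !EVP_DigestFinal_ex(&md_ctx,md,NULL))
		{
		EVP_MD_CTX_cleanup(&md_ctx);
		return 0;
		}
	EVP_MD_CTX_cleanup(&md_ctx);
	/* … unchanged: folding md[0..3] into ret … */
```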
diff --git a/lib/libssl/src/crypto/x509/x509_r2x.c b/lib/libssl/src/crypto/x509/x509_r2x.c
index db051033d9b..fb8a78dabeb 100644
--- a/lib/libssl/src/crypto/x509/x509_r2x.c
+++ b/lib/libssl/src/crypto/x509/x509_r2x.c
@@ -92,8 +92,10 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
X509_set_subject_name(ret,X509_NAME_dup(xn));
X509_set_issuer_name(ret,X509_NAME_dup(xn));
- X509_gmtime_adj(xi->validity->notBefore,0);
- X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days);
+ if (X509_gmtime_adj(xi->validity->notBefore,0) == NULL)
+ goto err;
+ if (X509_gmtime_adj(xi->validity->notAfter,(long)60*60*24*days) == NULL)
+ goto err;
X509_set_pubkey(ret,X509_REQ_get_pubkey(r));
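Review bot: The two `X509_gmtime_adj` calls are now checked, but the neighbouring setters in the context lines still discard their results: `X509_set_subject_name`, `X509_set_issuer_name` and `X509_set_pubkey`. A failed `X509_NAME_dup(xn)` or `X509_REQ_get_pubkey(r)` is passed straight in as NULL, so the function can return a certificate with a missing name or key. Give them the same treatment, e.g. `if (!X509_set_pubkey(ret,X509_REQ_get_pubkey(r))) goto err;`. It is also worth confirming whether the duplicated name and the fetched key are owned by the setter or need freeing here, since the helpers are not visible. The function starts and ends outside the hunk.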
diff --git a/lib/libssl/src/crypto/x509/x509_req.c b/lib/libssl/src/crypto/x509/x509_req.c
index 0affa3bf306..59fc6ca5484 100644
--- a/lib/libssl/src/crypto/x509/x509_req.c
+++ b/lib/libssl/src/crypto/x509/x509_req.c
@@ -118,7 +118,7 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
* used and there may be more: so the list is configurable.
*/
-static int ext_nid_list[] = { NID_ms_ext_req, NID_ext_req, NID_undef};
+static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef};
static int *ext_nids = ext_nid_list;
@@ -143,32 +143,33 @@ void X509_REQ_set_extension_nids(int *nids)
}
STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
-{
+ {
X509_ATTRIBUTE *attr;
- STACK_OF(X509_ATTRIBUTE) *sk;
ASN1_TYPE *ext = NULL;
- int i;
+ int idx, *pnid;
unsigned char *p;
- if ((req == NULL) || (req->req_info == NULL))
+
+ if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
return(NULL);
- sk=req->req_info->attributes;
- if (!sk) return NULL;
- for(i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
- attr = sk_X509_ATTRIBUTE_value(sk, i);
- if(X509_REQ_extension_nid(OBJ_obj2nid(attr->object))) {
- if(attr->single) ext = attr->value.single;
- else if(sk_ASN1_TYPE_num(attr->value.set))
- ext = sk_ASN1_TYPE_value(attr->value.set, 0);
- break;
+ for (pnid = ext_nids; *pnid != NID_undef; pnid++)
+ {
+ idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
+ if (idx == -1)
+ continue;
+ attr = X509_REQ_get_attr(req, idx);
+ if(attr->single) ext = attr->value.single;
+ else if(sk_ASN1_TYPE_num(attr->value.set))
+ ext = sk_ASN1_TYPE_value(attr->value.set, 0);
+ break;
}
- }
- if(!ext || (ext->type != V_ASN1_SEQUENCE)) return NULL;
+ if(!ext || (ext->type != V_ASN1_SEQUENCE))
+ return NULL;
p = ext->value.sequence->data;
return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p,
ext->value.sequence->length,
d2i_X509_EXTENSION, X509_EXTENSION_free,
V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-}
+ }
/* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
* in case we want to create a non standard one.
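Review bot: The `break` in the new loop of `X509_REQ_get_extensions` is unconditional, so the search stops at the first NID in `ext_nids` that has an attribute even when that attribute yields no value (neither `single` nor a non-empty set). A request carrying an empty `NID_ext_req` attribute plus a populated `NID_ms_ext_req` one therefore returns NULL. If that is intended, say so in a comment such as `/* only the first matching attribute, in ext_nids order, is consulted */`; otherwise use `if (ext) break;`. The hunk above changes the list order, which now decides which attribute wins.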
diff --git a/lib/libssl/src/crypto/x509/x509_txt.c b/lib/libssl/src/crypto/x509/x509_txt.c
index e31ebc6741a..f19e66a238a 100644
--- a/lib/libssl/src/crypto/x509/x509_txt.c
+++ b/lib/libssl/src/crypto/x509/x509_txt.c
@@ -122,8 +122,14 @@ const char *X509_verify_cert_error_string(long n)
return("certificate revoked");
case X509_V_ERR_INVALID_CA:
return ("invalid CA certificate");
+ case X509_V_ERR_INVALID_NON_CA:
+ return ("invalid non-CA certificate (has CA markings)");
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
return ("path length constraint exceeded");
+ case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
+ return("proxy path length constraint exceeded");
+ case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
+ return("proxy cerificates not allowed, please set the appropriate flag");
case X509_V_ERR_INVALID_PURPOSE:
return ("unsupported certificate purpose");
case X509_V_ERR_CERT_UNTRUSTED:
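Review bot: The new message for `X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED` misspells "certificates": `return("proxy cerificates not allowed, please set the appropriate flag");`. This string reaches users and logs, and people grep for it, so it should read `return("proxy certificates not allowed, please set the appropriate flag");`. The added cases also mix `return(` and `return (` within the same switch.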
@@ -140,19 +146,16 @@ const char *X509_verify_cert_error_string(long n)
return("authority and issuer serial number mismatch");
case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
return("key usage does not include certificate signing");
-
case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
return("unable to get CRL issuer certificate");
-
case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
return("unhandled critical extension");
-
case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
return("key usage does not include CRL signing");
-
+ case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
+ return("key usage does not include digital signature");
case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
return("unhandled critical CRL extension");
-
default:
BIO_snprintf(buf,sizeof buf,"error number %ld",n);
return(buf);
diff --git a/lib/libssl/src/crypto/x509/x509_vfy.c b/lib/libssl/src/crypto/x509/x509_vfy.c
index 2e4d0b823ab..e43c861ee77 100644
--- a/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -73,7 +73,7 @@
static int null_callback(int ok,X509_STORE_CTX *e);
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
-static int check_chain_purpose(X509_STORE_CTX *ctx);
+static int check_chain_extensions(X509_STORE_CTX *ctx);
static int check_trust(X509_STORE_CTX *ctx);
static int check_revocation(X509_STORE_CTX *ctx);
static int check_cert(X509_STORE_CTX *ctx);
@@ -281,7 +281,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
}
/* We have the chain complete: now we need to check its purpose */
- if (ctx->purpose > 0) ok = check_chain_purpose(ctx);
+ ok = check_chain_extensions(ctx);
if (!ok) goto end;
@@ -365,21 +365,39 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
else
return 0;
}
-
+
/* Check a certificate chains extensions for consistency
* with the supplied purpose
*/
-static int check_chain_purpose(X509_STORE_CTX *ctx)
+static int check_chain_extensions(X509_STORE_CTX *ctx)
{
#ifdef OPENSSL_NO_CHAIN_VERIFY
return 1;
#else
- int i, ok=0;
+ int i, ok=0, must_be_ca;
X509 *x;
int (*cb)();
+ int proxy_path_length = 0;
+ int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
cb=ctx->verify_cb;
+
+ /* must_be_ca can have 1 of 3 values:
+ -1: we accept both CA and non-CA certificates, to allow direct
+ use of self-signed certificates (which are marked as CA).
+ 0: we only accept non-CA certificates. This is currently not
+ used, but the possibility is present for future extensions.
+ 1: we only accept CA certificates. This is currently used for
+ all certificates in the chain except the leaf certificate.
+ */
+ must_be_ca = -1;
+
+ /* A hack to keep people who don't want to modify their software
+ happy */
+ if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+ allow_proxy_certs = 1;
+
/* Check all untrusted certificates */
for (i = 0; i < ctx->last_untrusted; i++)
{
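Review bot: The `getenv("OPENSSL_ALLOW_PROXY_CERTS")` test in `check_chain_extensions` lets the process environment loosen certificate verification, overriding an application that deliberately left `X509_V_FLAG_ALLOW_PROXY_CERTS` unset. The environment is not always controlled by the party that owns the verification policy (set-id programs, CGI, wrappers). The override should at least be ignored for privileged processes, e.g. `if (!issetugid() && getenv("OPENSSL_ALLOW_PROXY_CERTS"))`, and the comment should state that it weakens verification rather than call it a hack. The header comment above the function still says "with the supplied purpose", although the function now runs when no purpose is set. The function body continues outside the hunk.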
@@ -394,23 +412,73 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
ok=cb(0,ctx);
if (!ok) goto end;
}
- ret = X509_check_purpose(x, ctx->purpose, i);
- if ((ret == 0)
- || ((ctx->flags & X509_V_FLAG_X509_STRICT)
- && (ret != 1)))
+ if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
{
- if (i)
+ ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
+ ctx->error_depth = i;
+ ctx->current_cert = x;
+ ok=cb(0,ctx);
+ if (!ok) goto end;
+ }
+ ret = X509_check_ca(x);
+ switch(must_be_ca)
+ {
+ case -1:
+ if ((ctx->flags & X509_V_FLAG_X509_STRICT)
+ && (ret != 1) && (ret != 0))
+ {
+ ret = 0;
ctx->error = X509_V_ERR_INVALID_CA;
+ }
else
- ctx->error = X509_V_ERR_INVALID_PURPOSE;
+ ret = 1;
+ break;
+ case 0:
+ if (ret != 0)
+ {
+ ret = 0;
+ ctx->error = X509_V_ERR_INVALID_NON_CA;
+ }
+ else
+ ret = 1;
+ break;
+ default:
+ if ((ret == 0)
+ || ((ctx->flags & X509_V_FLAG_X509_STRICT)
+ && (ret != 1)))
+ {
+ ret = 0;
+ ctx->error = X509_V_ERR_INVALID_CA;
+ }
+ else
+ ret = 1;
+ break;
+ }
+ if (ret == 0)
+ {
ctx->error_depth = i;
ctx->current_cert = x;
ok=cb(0,ctx);
if (!ok) goto end;
}
+ if (ctx->purpose > 0)
+ {
+ ret = X509_check_purpose(x, ctx->purpose,
+ must_be_ca > 0);
+ if ((ret == 0)
+ || ((ctx->flags & X509_V_FLAG_X509_STRICT)
+ && (ret != 1)))
+ {
+ ctx->error = X509_V_ERR_INVALID_PURPOSE;
+ ctx->error_depth = i;
+ ctx->current_cert = x;
+ ok=cb(0,ctx);
+ if (!ok) goto end;
+ }
+ }
/* Check pathlen */
if ((i > 1) && (x->ex_pathlen != -1)
- && (i > (x->ex_pathlen + 1)))
+ && (i > (x->ex_pathlen + proxy_path_length + 1)))
{
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
@@ -418,6 +486,32 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
ok=cb(0,ctx);
if (!ok) goto end;
}
+ /* If this certificate is a proxy certificate, the next
+ certificate must be another proxy certificate or a EE
+ certificate. If not, the next certificate must be a
+ CA certificate. */
+ if (x->ex_flags & EXFLAG_PROXY)
+ {
+ PROXY_CERT_INFO_EXTENSION *pci =
+ X509_get_ext_d2i(x, NID_proxyCertInfo,
+ NULL, NULL);
+ if (pci->pcPathLengthConstraint &&
+ ASN1_INTEGER_get(pci->pcPathLengthConstraint)
+ < i)
+ {
+ PROXY_CERT_INFO_EXTENSION_free(pci);
+ ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+ ctx->error_depth = i;
+ ctx->current_cert = x;
+ ok=cb(0,ctx);
+ if (!ok) goto end;
+ }
+ PROXY_CERT_INFO_EXTENSION_free(pci);
+ proxy_path_length++;
+ must_be_ca = 0;
+ }
+ else
+ must_be_ca = 1;
}
ok = 1;
end:
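Review bot: `pci` is freed twice in the proxy branch when the path-length check fails and the verify callback returns non-zero: once inside the `if` and again by the unconditional `PROXY_CERT_INFO_EXTENSION_free(pci)` after it. The result of `X509_get_ext_d2i` is also dereferenced without a NULL check, and a second decode can fail even though `EXFLAG_PROXY` was cached earlier. Evaluating the constraint into a local and freeing once before the callback fixes both; the error code used for a failed decode below is a suggestion. The enclosing loop starts outside the hunk.
```c
		if (x->ex_flags & EXFLAG_PROXY)
			{
			int too_long;
			PROXY_CERT_INFO_EXTENSION *pci =
				X509_get_ext_d2i(x, NID_proxyCertInfo,
					NULL, NULL);
			if (pci == NULL)
				{
				ctx->error = X509_V_ERR_OUT_OF_MEM;
				ok = 0;
				goto end;
				}
			too_long = pci->pcPathLengthConstraint &&
				ASN1_INTEGER_get(pci->pcPathLengthConstraint) < i;
			/* single free, done before the callback can return either way */
			PROXY_CERT_INFO_EXTENSION_free(pci);
			if (too_long)
				{
				/* … unchanged: set X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, call cb … */
				}
			/* … unchanged: proxy_path_length++, must_be_ca = 0 … */
			}
```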
@@ -627,6 +721,15 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
X509_EXTENSION *ext;
/* Look for serial number of certificate in CRL */
rtmp.serialNumber = X509_get_serialNumber(x);
+ /* Sort revoked into serial number order if not already sorted.
+ * Do this under a lock to avoid race condition.
+ */
+ if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked))
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
+ sk_X509_REVOKED_sort(crl->crl->revoked);
+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL);
+ }
idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
/* If found assume revoked: want something cleverer than
* this to handle entry extensions in V2 CRLs.
@@ -772,6 +875,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
}
/* The last error (if any) is still in the error value */
+ ctx->current_issuer=xi;
ctx->current_cert=xs;
ok=(*cb)(1,ctx);
if (!ok) goto end;
@@ -851,7 +955,8 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
atm.length=sizeof(buff2);
atm.data=(unsigned char *)buff2;
- X509_time_adj(&atm,-offset*60, cmp_time);
+ if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
+ return 0;
if (ctm->type == V_ASN1_UTCTIME)
{
diff --git a/lib/libssl/src/crypto/x509/x509_vfy.h b/lib/libssl/src/crypto/x509/x509_vfy.h
index 198495884cf..7fd1f0bc4de 100644
--- a/lib/libssl/src/crypto/x509/x509_vfy.h
+++ b/lib/libssl/src/crypto/x509/x509_vfy.h
@@ -276,7 +276,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
-#define X509_V_ERR_CERT_NOT_YET_VALID 9
+#define X509_V_ERR_CERT_NOT_YET_VALID 9
#define X509_V_ERR_CERT_HAS_EXPIRED 10
#define X509_V_ERR_CRL_NOT_YET_VALID 11
#define X509_V_ERR_CRL_HAS_EXPIRED 12
@@ -306,6 +306,10 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
+#define X509_V_ERR_INVALID_NON_CA 37
+#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
+#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
+#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
/* The application is not happy */
#define X509_V_ERR_APPLICATION_VERIFICATION 50
@@ -324,6 +328,8 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
#define X509_V_FLAG_IGNORE_CRITICAL 0x10
/* Disable workarounds for broken certificates */
#define X509_V_FLAG_X509_STRICT 0x20
+/* Enable proxy certificate validation */
+#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
X509_NAME *name);
diff --git a/lib/libssl/src/crypto/x509/x509name.c b/lib/libssl/src/crypto/x509/x509name.c
index 4c20e03eced..068abfe5f04 100644
--- a/lib/libssl/src/crypto/x509/x509name.c
+++ b/lib/libssl/src/crypto/x509/x509name.c
@@ -195,8 +195,8 @@ int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
return ret;
}
-int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
- unsigned char *bytes, int len, int loc, int set)
+int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
+ const unsigned char *bytes, int len, int loc, int set)
{
X509_NAME_ENTRY *ne;
int ret;
@@ -273,7 +273,7 @@ err:
}
X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
- char *field, int type, unsigned char *bytes, int len)
+ const char *field, int type, const unsigned char *bytes, int len)
{
ASN1_OBJECT *obj;
X509_NAME_ENTRY *nentry;
@@ -309,7 +309,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
}
X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
- ASN1_OBJECT *obj, int type, unsigned char *bytes, int len)
+ ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len)
{
X509_NAME_ENTRY *ret;
@@ -347,7 +347,7 @@ int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
}
int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
- unsigned char *bytes, int len)
+ const unsigned char *bytes, int len)
{
int i;
diff --git a/lib/libssl/src/crypto/x509/x_all.c b/lib/libssl/src/crypto/x509/x_all.c
index fb5015cd4de..ac6dea493a8 100644
--- a/lib/libssl/src/crypto/x509/x_all.c
+++ b/lib/libssl/src/crypto/x509/x_all.c
@@ -103,6 +103,7 @@ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
{
+ x->crl->enc.modified = 1;
return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg,
x->sig_alg, x->signature, x->crl,pkey,md));
}
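Review bot: The added `x->crl->enc.modified = 1;` in `X509_CRL_sign` has no comment, and its purpose is not obvious from this file. It presumably pairs with the `ASN1_ENCODING enc` member added to `X509_CRL_INFO` in x509.h, so that a cached encoding is discarded and the signature covers the current contents. A one-line comment would record that: `/* invalidate cached encoding so the signature is computed over the current CRL_INFO */`. It also dereferences `x->crl` before any check, which the previous body only did inside `ASN1_item_sign`'s arguments.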
diff --git a/lib/libssl/src/crypto/x509v3/ext_dat.h b/lib/libssl/src/crypto/x509v3/ext_dat.h
index 5442480595b..d8328ac468c 100644
--- a/lib/libssl/src/crypto/x509v3/ext_dat.h
+++ b/lib/libssl/src/crypto/x509v3/ext_dat.h
@@ -3,7 +3,7 @@
* project 1999.
*/
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -60,10 +60,11 @@
extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3_crld;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
+extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern X509V3_EXT_METHOD v3_crl_hold;
+extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
/* This table will be searched using OBJ_bsearch so it *must* kept in
* order of the ext_nid values.
@@ -89,6 +90,7 @@ static X509V3_EXT_METHOD *standard_exts[] = {
&v3_akey_id,
&v3_crld,
&v3_ext_ku,
+&v3_delta_crl,
&v3_crl_reason,
#ifndef OPENSSL_NO_OCSP
&v3_crl_invdate,
@@ -105,8 +107,9 @@ static X509V3_EXT_METHOD *standard_exts[] = {
#endif
&v3_sinfo,
#ifndef OPENSSL_NO_OCSP
-&v3_crl_hold
+&v3_crl_hold,
#endif
+&v3_pci,
};
/* Number of standard extensions */
diff --git a/lib/libssl/src/crypto/x509v3/v3_bitst.c b/lib/libssl/src/crypto/x509v3/v3_bitst.c
index 16cf1255621..274965306d4 100644
--- a/lib/libssl/src/crypto/x509v3/v3_bitst.c
+++ b/lib/libssl/src/crypto/x509v3/v3_bitst.c
@@ -124,7 +124,12 @@ static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
for(bnam = method->usr_data; bnam->lname; bnam++) {
if(!strcmp(bnam->sname, val->name) ||
!strcmp(bnam->lname, val->name) ) {
- ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1);
+ if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {
+ X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
+ ERR_R_MALLOC_FAILURE);
+ M_ASN1_BIT_STRING_free(bs);
+ return NULL;
+ }
break;
}
}
diff --git a/lib/libssl/src/crypto/x509v3/v3_ia5.c b/lib/libssl/src/crypto/x509v3/v3_ia5.c
index f9414456de2..9683afa47c4 100644
--- a/lib/libssl/src/crypto/x509v3/v3_ia5.c
+++ b/lib/libssl/src/crypto/x509v3/v3_ia5.c
@@ -82,7 +82,10 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
{
char *tmp;
if(!ia5 || !ia5->length) return NULL;
- if (!(tmp = OPENSSL_malloc(ia5->length + 1))) return NULL;
+ if(!(tmp = OPENSSL_malloc(ia5->length + 1))) {
+ X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
memcpy(tmp, ia5->data, ia5->length);
tmp[ia5->length] = 0;
return tmp;
diff --git a/lib/libssl/src/crypto/x509v3/v3_int.c b/lib/libssl/src/crypto/x509v3/v3_int.c
index f34cbfb7315..7a43b4717bc 100644
--- a/lib/libssl/src/crypto/x509v3/v3_int.c
+++ b/lib/libssl/src/crypto/x509v3/v3_int.c
@@ -3,7 +3,7 @@
* project 1999.
*/
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -61,9 +61,16 @@
#include <openssl/x509v3.h>
X509V3_EXT_METHOD v3_crl_num = {
-NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
-0,0,0,0,
-(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
-0,
-0,0,0,0, NULL};
+ NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
+ 0,0,0,0,
+ (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+ 0,
+ 0,0,0,0, NULL};
+
+X509V3_EXT_METHOD v3_delta_crl = {
+ NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER),
+ 0,0,0,0,
+ (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+ 0,
+ 0,0,0,0, NULL};
diff --git a/lib/libssl/src/crypto/x509v3/v3_purp.c b/lib/libssl/src/crypto/x509v3/v3_purp.c
index b3d1ae5d1cc..bbdf6da4937 100644
--- a/lib/libssl/src/crypto/x509v3/v3_purp.c
+++ b/lib/libssl/src/crypto/x509v3/v3_purp.c
@@ -63,7 +63,6 @@
static void x509v3_cache_extensions(X509 *x);
-static int ca_check(const X509 *x);
static int check_ssl_ca(const X509 *x);
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
@@ -286,7 +285,8 @@ int X509_supported_extension(X509_EXTENSION *ex)
NID_key_usage, /* 83 */
NID_subject_alt_name, /* 85 */
NID_basic_constraints, /* 87 */
- NID_ext_key_usage /* 126 */
+ NID_ext_key_usage, /* 126 */
+ NID_proxyCertInfo /* 661 */
};
int ex_nid;
@@ -307,6 +307,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
static void x509v3_cache_extensions(X509 *x)
{
BASIC_CONSTRAINTS *bs;
+ PROXY_CERT_INFO_EXTENSION *pci;
ASN1_BIT_STRING *usage;
ASN1_BIT_STRING *ns;
EXTENDED_KEY_USAGE *extusage;
@@ -335,6 +336,16 @@ static void x509v3_cache_extensions(X509 *x)
BASIC_CONSTRAINTS_free(bs);
x->ex_flags |= EXFLAG_BCONS;
}
+ /* Handle proxy certificates */
+ if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
+ if (x->ex_flags & EXFLAG_CA
+ || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
+ || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
+ x->ex_flags |= EXFLAG_INVALID;
+ }
+ PROXY_CERT_INFO_EXTENSION_free(pci);
+ x->ex_flags |= EXFLAG_PROXY;
+ }
/* Handle key usage */
if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
if(usage->length > 0) {
@@ -426,7 +437,7 @@ static void x509v3_cache_extensions(X509 *x)
#define ns_reject(x, usage) \
(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-static int ca_check(const X509 *x)
+static int check_ca(const X509 *x)
{
/* keyUsage if present should allow cert signing */
if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
@@ -435,25 +446,37 @@ static int ca_check(const X509 *x)
/* If basicConstraints says not a CA then say so */
else return 0;
} else {
+ /* we support V1 roots for... uh, I don't really know why. */
if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
/* If key usage present it must have certSign so tolerate it */
else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
- else return 2;
+ /* Older certificates could have Netscape-specific CA types */
+ else if (x->ex_flags & EXFLAG_NSCERT
+ && x->ex_nscert & NS_ANY_CA) return 5;
+ /* can this still be regarded a CA certificate? I doubt it */
+ return 0;
}
}
+int X509_check_ca(X509 *x)
+{
+ if(!(x->ex_flags & EXFLAG_SET)) {
+ CRYPTO_w_lock(CRYPTO_LOCK_X509);
+ x509v3_cache_extensions(x);
+ CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+ }
+
+ return check_ca(x);
+}
+
/* Check SSL CA: common checks for SSL client and server */
static int check_ssl_ca(const X509 *x)
{
int ca_ret;
- ca_ret = ca_check(x);
+ ca_ret = check_ca(x);
if(!ca_ret) return 0;
/* check nsCertType if present */
- if(x->ex_flags & EXFLAG_NSCERT) {
- if(x->ex_nscert & NS_SSL_CA) return ca_ret;
- return 0;
- }
- if(ca_ret != 2) return ca_ret;
+ if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
else return 0;
}
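Review bot: `X509_check_ca` becomes a public entry point here but its return codes are undocumented, and other hunks still test for a value `check_ca` no longer appears to return. The visible branches return 0, 3 (V1 root), 4 (keyUsage without basicConstraints) and 5 (Netscape CA type), and the former `return 2` is removed. That makes the `!= 2` test in `check_purpose_crl_sign` always true, and leaves the new `ocsp_helper` comment about the "I don't know" value (2) stale. Add a comment above `X509_check_ca` listing each code, and replace the `!= 2` test with `return check_ca(x);`, stating the intent. Callers in x509_vfy.c compare the result with 1 under `X509_V_FLAG_X509_STRICT`, so the meaning of 3, 4 and 5 matters to them. The top of `check_ca` is outside this hunk.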
@@ -498,14 +521,10 @@ static int purpose_smime(const X509 *x, int ca)
if(xku_reject(x,XKU_SMIME)) return 0;
if(ca) {
int ca_ret;
- ca_ret = ca_check(x);
+ ca_ret = check_ca(x);
if(!ca_ret) return 0;
/* check nsCertType if present */
- if(x->ex_flags & EXFLAG_NSCERT) {
- if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
- return 0;
- }
- if(ca_ret != 2) return ca_ret;
+ if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
else return 0;
}
if(x->ex_flags & EXFLAG_NSCERT) {
@@ -539,7 +558,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
{
if(ca) {
int ca_ret;
- if((ca_ret = ca_check(x)) != 2) return ca_ret;
+ if((ca_ret = check_ca(x)) != 2) return ca_ret;
else return 0;
}
if(ku_reject(x, KU_CRL_SIGN)) return 0;
@@ -552,17 +571,9 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
{
- /* Must be a valid CA */
- if(ca) {
- int ca_ret;
- ca_ret = ca_check(x);
- if(ca_ret != 2) return ca_ret;
- if(x->ex_flags & EXFLAG_NSCERT) {
- if(x->ex_nscert & NS_ANY_CA) return ca_ret;
- return 0;
- }
- return 0;
- }
+ /* Must be a valid CA. Should we really support the "I don't know"
+ value (2)? */
+ if(ca) return check_ca(x);
/* leaf certificate is checked in OCSP_verify() */
return 1;
}
@@ -624,7 +635,13 @@ int X509_check_issued(X509 *issuer, X509 *subject)
return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
}
}
- if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+ if(subject->ex_flags & EXFLAG_PROXY)
+ {
+ if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
+ return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
+ }
+ else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
+ return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
return X509_V_OK;
}
diff --git a/lib/libssl/src/crypto/x509v3/v3err.c b/lib/libssl/src/crypto/x509v3/v3err.c
index 6458e95bb91..2df0c3ef01d 100644
--- a/lib/libssl/src/crypto/x509v3/v3err.c
+++ b/lib/libssl/src/crypto/x509v3/v3err.c
@@ -1,6 +1,6 @@
/* crypto/x509v3/v3err.c */
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -72,12 +72,14 @@ static ERR_STRING_DATA X509V3_str_functs[]=
{ERR_PACK(0,X509V3_F_DO_EXT_I2D,0), "DO_EXT_I2D"},
{ERR_PACK(0,X509V3_F_HEX_TO_STRING,0), "hex_to_string"},
{ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0), "i2s_ASN1_ENUMERATED"},
+{ERR_PACK(0,X509V3_F_I2S_ASN1_IA5STRING,0), "I2S_ASN1_IA5STRING"},
{ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0), "i2s_ASN1_INTEGER"},
{ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0), "I2V_AUTHORITY_INFO_ACCESS"},
{ERR_PACK(0,X509V3_F_NOTICE_SECTION,0), "NOTICE_SECTION"},
{ERR_PACK(0,X509V3_F_NREF_NOS,0), "NREF_NOS"},
{ERR_PACK(0,X509V3_F_POLICY_SECTION,0), "POLICY_SECTION"},
{ERR_PACK(0,X509V3_F_R2I_CERTPOL,0), "R2I_CERTPOL"},
+{ERR_PACK(0,X509V3_F_R2I_PCI,0), "R2I_PCI"},
{ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0), "S2I_ASN1_IA5STRING"},
{ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0), "s2i_ASN1_INTEGER"},
{ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0), "s2i_ASN1_OCTET_STRING"},
@@ -128,6 +130,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
{X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
{X509V3_R_EXTENSION_VALUE_ERROR ,"extension value error"},
{X509V3_R_ILLEGAL_HEX_DIGIT ,"illegal hex digit"},
+{X509V3_R_INCORRECT_POLICY_SYNTAX_TAG ,"incorrect policy syntax tag"},
{X509V3_R_INVALID_BOOLEAN_STRING ,"invalid boolean string"},
{X509V3_R_INVALID_EXTENSION_STRING ,"invalid extension string"},
{X509V3_R_INVALID_NAME ,"invalid name"},
@@ -139,6 +142,8 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
{X509V3_R_INVALID_OBJECT_IDENTIFIER ,"invalid object identifier"},
{X509V3_R_INVALID_OPTION ,"invalid option"},
{X509V3_R_INVALID_POLICY_IDENTIFIER ,"invalid policy identifier"},
+{X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER,"invalid proxy policy identifier"},
+{X509V3_R_INVALID_PROXY_POLICY_SETTING ,"invalid proxy policy setting"},
{X509V3_R_INVALID_PURPOSE ,"invalid purpose"},
{X509V3_R_INVALID_SECTION ,"invalid section"},
{X509V3_R_INVALID_SYNTAX ,"invalid syntax"},
@@ -149,9 +154,16 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
{X509V3_R_NO_ISSUER_CERTIFICATE ,"no issuer certificate"},
{X509V3_R_NO_ISSUER_DETAILS ,"no issuer details"},
{X509V3_R_NO_POLICY_IDENTIFIER ,"no policy identifier"},
+{X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"},
{X509V3_R_NO_PUBLIC_KEY ,"no public key"},
{X509V3_R_NO_SUBJECT_DETAILS ,"no subject details"},
{X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"},
+{X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"},
+{X509V3_R_POLICY_PATH_LENGTH ,"policy path length"},
+{X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"},
+{X509V3_R_POLICY_SYNTAX_NOT ,"policy syntax not"},
+{X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"},
+{X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY,"policy when proxy language requires no policy"},
{X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"},
{X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"},
{X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"},
diff --git a/lib/libssl/src/crypto/x509v3/x509v3.h b/lib/libssl/src/crypto/x509v3/x509v3.h
index fb07a19016f..e6d91251c2a 100644
--- a/lib/libssl/src/crypto/x509v3/x509v3.h
+++ b/lib/libssl/src/crypto/x509v3/x509v3.h
@@ -287,6 +287,23 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
DECLARE_STACK_OF(POLICYINFO)
DECLARE_ASN1_SET_OF(POLICYINFO)
+/* Proxy certificate structures, see RFC 3820 */
+typedef struct PROXY_POLICY_st
+ {
+ ASN1_OBJECT *policyLanguage;
+ ASN1_OCTET_STRING *policy;
+ } PROXY_POLICY;
+
+typedef struct PROXY_CERT_INFO_EXTENSION_st
+ {
+ ASN1_INTEGER *pcPathLengthConstraint;
+ PROXY_POLICY *proxyPolicy;
+ } PROXY_CERT_INFO_EXTENSION;
+
+DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
+DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
+
+
#define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
",name:", val->name, ",value:", val->value);
@@ -325,6 +342,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
#define EXFLAG_INVALID 0x80
#define EXFLAG_SET 0x100
#define EXFLAG_CRITICAL 0x200
+#define EXFLAG_PROXY 0x400
#define KU_DIGITAL_SIGNATURE 0x0080
#define KU_NON_REPUDIATION 0x0040
@@ -527,6 +545,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
+int X509_check_ca(X509 *x);
int X509_check_purpose(X509 *x, int id, int ca);
int X509_supported_extension(X509_EXTENSION *ex);
int X509_PURPOSE_set(int *p, int purpose);
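Review bot: The new public prototype `int X509_check_ca(X509 *x);` has no comment describing its return values. The purpose checks in this same diff compare the static check_ca() result against 2 and 5, so if X509_check_ca exposes the same multi-valued result, a caller writing `if (X509_check_ca(x))` would treat weaker answers the same as a definite basicConstraints CA. A comment above the prototype should say so, for example `/* returns 0 if not a CA, 1 if basicConstraints says CA, >1 for weaker indications; callers needing a strict answer must test == 1 */`, with the exact values taken from the implementation, which is not visible here.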
@@ -564,12 +583,14 @@ void ERR_load_X509V3_strings(void);
#define X509V3_F_DO_EXT_I2D 135
#define X509V3_F_HEX_TO_STRING 111
#define X509V3_F_I2S_ASN1_ENUMERATED 121
+#define X509V3_F_I2S_ASN1_IA5STRING 142
#define X509V3_F_I2S_ASN1_INTEGER 120
#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS 138
#define X509V3_F_NOTICE_SECTION 132
#define X509V3_F_NREF_NOS 133
#define X509V3_F_POLICY_SECTION 131
#define X509V3_F_R2I_CERTPOL 130
+#define X509V3_F_R2I_PCI 142
#define X509V3_F_S2I_ASN1_IA5STRING 100
#define X509V3_F_S2I_ASN1_INTEGER 108
#define X509V3_F_S2I_ASN1_OCTET_STRING 112
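Review bot: `X509V3_F_I2S_ASN1_IA5STRING` and `X509V3_F_R2I_PCI` are both defined as 142 in this hunk. Both names are also added to X509V3_str_functs in v3err.c, where `ERR_PACK(0,...,0)` gives them the same code, so an error raised in either function can be reported under the other's name. That misleads anyone triaging a certificate-extension failure from the error queue. One of the two needs a value that no other X509V3_F_ define uses, e.g. `#define X509V3_F_R2I_PCI <unused function code>`.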
@@ -617,6 +638,7 @@ void ERR_load_X509V3_strings(void);
#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103
#define X509V3_R_EXTENSION_VALUE_ERROR 116
#define X509V3_R_ILLEGAL_HEX_DIGIT 113
+#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 153
#define X509V3_R_INVALID_BOOLEAN_STRING 104
#define X509V3_R_INVALID_EXTENSION_STRING 105
#define X509V3_R_INVALID_NAME 106
@@ -628,6 +650,8 @@ void ERR_load_X509V3_strings(void);
#define X509V3_R_INVALID_OBJECT_IDENTIFIER 110
#define X509V3_R_INVALID_OPTION 138
#define X509V3_R_INVALID_POLICY_IDENTIFIER 134
+#define X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER 147
+#define X509V3_R_INVALID_PROXY_POLICY_SETTING 151
#define X509V3_R_INVALID_PURPOSE 146
#define X509V3_R_INVALID_SECTION 135
#define X509V3_R_INVALID_SYNTAX 143
@@ -638,9 +662,16 @@ void ERR_load_X509V3_strings(void);
#define X509V3_R_NO_ISSUER_CERTIFICATE 121
#define X509V3_R_NO_ISSUER_DETAILS 127
#define X509V3_R_NO_POLICY_IDENTIFIER 139
+#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 148
#define X509V3_R_NO_PUBLIC_KEY 114
#define X509V3_R_NO_SUBJECT_DETAILS 125
#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
+#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED 149
+#define X509V3_R_POLICY_PATH_LENGTH 152
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED 150
+#define X509V3_R_POLICY_SYNTAX_NOT 154
+#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 155
+#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 156
#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122
#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123
#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111
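Review bot: Several of the reason codes added here look unfinished. `X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED` and `X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED` misspell "already", and `X509V3_R_POLICY_SYNTAX_NOT` and `X509V3_R_POLICY_PATH_LENGTH` read like truncated forms of neighbouring names. These live in a public header, so the spellings become fixed for every caller once released, and the matching strings in the v3err.c reasons hunk ("policy language alreadty defined", "policy syntax not") are what users will see. I would rename the two to `..._ALREADY_DEFINED` and drop the two fragments if nothing raises them; whether any code does is not visible in this diff section.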
diff --git a/lib/libssl/src/doc/apps/dgst.pod b/lib/libssl/src/doc/apps/dgst.pod
index 1648742bcfe..b0d198724c6 100644
--- a/lib/libssl/src/doc/apps/dgst.pod
+++ b/lib/libssl/src/doc/apps/dgst.pod
@@ -14,6 +14,7 @@ B<openssl> B<dgst>
[B<-binary>]
[B<-out filename>]
[B<-sign filename>]
+[B<-passin arg>]
[B<-verify filename>]
[B<-prverify filename>]
[B<-signature filename>]
@@ -59,6 +60,11 @@ filename to output to, or standard output by default.
digitally sign the digest using the private key in "filename".
+=item B<-passin arg>
+
+the private key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
=item B<-verify filename>
verify the signature using the the public key in "filename".
diff --git a/lib/libssl/src/doc/apps/enc.pod b/lib/libssl/src/doc/apps/enc.pod
index ddf081617f5..18fe7c81c72 100644
--- a/lib/libssl/src/doc/apps/enc.pod
+++ b/lib/libssl/src/doc/apps/enc.pod
@@ -86,7 +86,7 @@ versions of OpenSSL. Superseded by the B<-pass> argument.
=item B<-kfile filename>
read the password to derive the key from the first line of B<filename>.
-This is for computability with previous versions of OpenSSL. Superseded by
+This is for compatibility with previous versions of OpenSSL. Superseded by
the B<-pass> argument.
=item B<-S salt>
diff --git a/lib/libssl/src/doc/crypto/ERR_error_string.pod b/lib/libssl/src/doc/crypto/ERR_error_string.pod
index e01beb817a3..cdfa7fe1fe7 100644
--- a/lib/libssl/src/doc/crypto/ERR_error_string.pod
+++ b/lib/libssl/src/doc/crypto/ERR_error_string.pod
@@ -11,7 +11,7 @@ error message
#include <openssl/err.h>
char *ERR_error_string(unsigned long e, char *buf);
- char *ERR_error_string_n(unsigned long e, char *buf, size_t len);
+ void ERR_error_string_n(unsigned long e, char *buf, size_t len);
const char *ERR_lib_error_string(unsigned long e);
const char *ERR_func_error_string(unsigned long e);
diff --git a/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod b/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
index daf57e5895f..40e525dd56e 100644
--- a/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
+++ b/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
@@ -479,6 +479,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen))
{
/* Error */
+ EVP_CIPHER_CTX_cleanup(&ctx);
return 0;
}
fwrite(outbuf, 1, outlen, out);
@@ -486,6 +487,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen))
{
/* Error */
+ EVP_CIPHER_CTX_cleanup(&ctx);
return 0;
}
fwrite(outbuf, 1, outlen, out);
diff --git a/lib/libssl/src/doc/crypto/EVP_SealInit.pod b/lib/libssl/src/doc/crypto/EVP_SealInit.pod
index b5e477e2942..48a0e299542 100644
--- a/lib/libssl/src/doc/crypto/EVP_SealInit.pod
+++ b/lib/libssl/src/doc/crypto/EVP_SealInit.pod
@@ -8,8 +8,9 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
#include <openssl/evp.h>
- int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
- int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
+ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+ unsigned char **ek, int *ekl, unsigned char *iv,
+ EVP_PKEY **pubk, int npubk);
int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
int *outl, unsigned char *in, int inl);
int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
diff --git a/lib/libssl/src/doc/crypto/EVP_SignInit.pod b/lib/libssl/src/doc/crypto/EVP_SignInit.pod
index e65e54ce522..0bace249389 100644
--- a/lib/libssl/src/doc/crypto/EVP_SignInit.pod
+++ b/lib/libssl/src/doc/crypto/EVP_SignInit.pod
@@ -29,11 +29,10 @@ EVP_SignUpdate() hashes B<cnt> bytes of data at B<d> into the
signature context B<ctx>. This function can be called several times on the
same B<ctx> to include additional data.
-EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey>
-and places the signature in B<sig>. If the B<s> parameter is not NULL
-then the number of bytes of data written (i.e. the length of the signature)
-will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
-will be written.
+EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> and
+places the signature in B<sig>. The number of bytes of data written (i.e. the
+length of the signature) will be written to the integer at B<s>, at most
+EVP_PKEY_size(pkey) bytes will be written.
EVP_SignInit() initializes a signing context B<ctx> to use the default
implementation of digest B<type>.
diff --git a/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod b/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod
index d53e19d2b74..ab0fe3b2cd1 100644
--- a/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod
+++ b/lib/libssl/src/doc/crypto/RSA_public_encrypt.pod
@@ -47,9 +47,10 @@ Encrypting user data directly with RSA is insecure.
=back
B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
-based padding modes, and less than RSA_size(B<rsa>) - 41 for
-RSA_PKCS1_OAEP_PADDING. The random number generator must be seeded
-prior to calling RSA_public_encrypt().
+based padding modes, less than RSA_size(B<rsa>) - 41 for
+RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
+The random number generator must be seeded prior to calling
+RSA_public_encrypt().
RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the
private key B<rsa> and stores the plaintext in B<to>. B<to> must point
diff --git a/lib/libssl/src/doc/crypto/blowfish.pod b/lib/libssl/src/doc/crypto/blowfish.pod
index ed71334f561..5b2d274c15f 100644
--- a/lib/libssl/src/doc/crypto/blowfish.pod
+++ b/lib/libssl/src/doc/crypto/blowfish.pod
@@ -32,7 +32,7 @@ by Counterpane (see http://www.counterpane.com/blowfish.html ).
Blowfish is a block cipher that operates on 64 bit (8 byte) blocks of data.
It uses a variable size key, but typically, 128 bit (16 byte) keys are
-a considered good for strong encryption. Blowfish can be used in the same
+considered good for strong encryption. Blowfish can be used in the same
modes as DES (see L<des_modes(7)|des_modes(7)>). Blowfish is currently one
of the faster block ciphers. It is quite a bit faster than DES, and much
faster than IDEA or RC2.
diff --git a/lib/libssl/src/doc/crypto/pem.pod b/lib/libssl/src/doc/crypto/pem.pod
index 8613114452e..4f9a27df0cc 100644
--- a/lib/libssl/src/doc/crypto/pem.pod
+++ b/lib/libssl/src/doc/crypto/pem.pod
@@ -471,6 +471,6 @@ is guaranteed to work.
=head1 RETURN CODES
The read routines return either a pointer to the structure read or NULL
-is an error occurred.
+if an error occurred.
The write routines return 1 for success or 0 for failure.
diff --git a/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod b/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
index 914eb7c9e3e..f62a869a9bb 100644
--- a/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
+++ b/lib/libssl/src/doc/ssl/SSL_CIPHER_get_name.pod
@@ -8,9 +8,9 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_des
#include <openssl/ssl.h>
- const char *SSL_CIPHER_get_name(SSL_CIPHER *cipher);
- int SSL_CIPHER_get_bits(SSL_CIPHER *cipher, int *alg_bits);
- char *SSL_CIPHER_get_version(SSL_CIPHER *cipher);
+ const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
+ int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits);
+ char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size);
=head1 DESCRIPTION
diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod b/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod
index 5686faf2998..0c40a91f2fb 100644
--- a/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod
+++ b/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod
@@ -15,7 +15,7 @@ SSL_CTX_get_ex_new_index, SSL_CTX_set_ex_data, SSL_CTX_get_ex_data - internal ap
int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg);
- void *SSL_CTX_get_ex_data(SSL_CTX *ctx, int idx);
+ void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx);
typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
int idx, long argl, void *argp);
diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_store.pod b/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_store.pod
index 3a240c4d374..6acf0d9f9b1 100644
--- a/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_store.pod
+++ b/lib/libssl/src/doc/ssl/SSL_CTX_set_cert_store.pod
@@ -9,7 +9,7 @@ SSL_CTX_set_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate ver
#include <openssl/ssl.h>
void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
- X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx);
+ X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
=head1 DESCRIPTION
diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
index 766f0c92007..5ab1b32f932 100644
--- a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
+++ b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
@@ -163,7 +163,7 @@ When choosing a cipher, use the server's preferences instead of the client
preferences. When not set, the SSL server will always follow the clients
preferences. When set, the SSLv3/TLSv1 server will choose following its
own preferences. Because of the different protocol, for SSLv2 the server
-will send his list of preferences to the client and the client chooses.
+will send its list of preferences to the client and the client chooses.
=item SSL_OP_PKCS1_CHECK_1
diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod b/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod
index ea2faba3ecc..48c888c3379 100644
--- a/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod
+++ b/lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod
@@ -31,8 +31,8 @@ SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_f
int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
- int SSL_CTX_check_private_key(SSL_CTX *ctx);
- int SSL_check_private_key(SSL *ssl);
+ int SSL_CTX_check_private_key(const SSL_CTX *ctx);
+ int SSL_check_private_key(const SSL *ssl);
=head1 DESCRIPTION
diff --git a/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod b/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod
index da0bcf1590c..657cda931ff 100644
--- a/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod
+++ b/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod
@@ -15,7 +15,7 @@ SSL_SESSION_get_ex_new_index, SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data -
int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg);
- void *SSL_SESSION_get_ex_data(SSL_SESSION *session, int idx);
+ void *SSL_SESSION_get_ex_data(const SSL_SESSION *session, int idx);
typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
int idx, long argl, void *argp);
diff --git a/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod b/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod
index ea3c2bcfe60..00883ed2a05 100644
--- a/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod
+++ b/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod
@@ -8,14 +8,14 @@ SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION
#include <openssl/ssl.h>
- long SSL_SESSION_get_time(SSL_SESSION *s);
+ long SSL_SESSION_get_time(const SSL_SESSION *s);
long SSL_SESSION_set_time(SSL_SESSION *s, long tm);
- long SSL_SESSION_get_timeout(SSL_SESSION *s);
+ long SSL_SESSION_get_timeout(const SSL_SESSION *s);
long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm);
- long SSL_get_time(SSL_SESSION *s);
+ long SSL_get_time(const SSL_SESSION *s);
long SSL_set_time(SSL_SESSION *s, long tm);
- long SSL_get_timeout(SSL_SESSION *s);
+ long SSL_get_timeout(const SSL_SESSION *s);
long SSL_set_timeout(SSL_SESSION *s, long tm);
=head1 DESCRIPTION
diff --git a/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod b/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod
index 5693fdebb2f..68181b2407b 100644
--- a/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod
+++ b/lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod
@@ -8,8 +8,8 @@ SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs
#include <openssl/ssl.h>
- STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
- STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx);
+ STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
+ STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
=head1 DESCRIPTION
diff --git a/lib/libssl/src/doc/ssl/SSL_get_error.pod b/lib/libssl/src/doc/ssl/SSL_get_error.pod
index fe28dd942ae..48c6b15db78 100644
--- a/lib/libssl/src/doc/ssl/SSL_get_error.pod
+++ b/lib/libssl/src/doc/ssl/SSL_get_error.pod
@@ -8,7 +8,7 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation
#include <openssl/ssl.h>
- int SSL_get_error(SSL *ssl, int ret);
+ int SSL_get_error(const SSL *ssl, int ret);
=head1 DESCRIPTION
diff --git a/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod b/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod
index 6644ef8fbc1..228d23d8c0b 100644
--- a/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod
+++ b/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod
@@ -15,7 +15,7 @@ SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data - internal application sp
int SSL_set_ex_data(SSL *ssl, int idx, void *arg);
- void *SSL_get_ex_data(SSL *ssl, int idx);
+ void *SSL_get_ex_data(const SSL *ssl, int idx);
typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
int idx, long argl, void *argp);
diff --git a/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod b/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod
index 390ce0b41b5..49fb88f86fa 100644
--- a/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod
+++ b/lib/libssl/src/doc/ssl/SSL_get_peer_cert_chain.pod
@@ -8,7 +8,7 @@ SSL_get_peer_cert_chain - get the X509 certificate chain of the peer
#include <openssl/ssl.h>
- STACKOF(X509) *SSL_get_peer_cert_chain(SSL *ssl);
+ STACKOF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
=head1 DESCRIPTION
diff --git a/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod b/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod
index 60635a96600..ef7c8be1807 100644
--- a/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod
+++ b/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod
@@ -8,7 +8,7 @@ SSL_get_peer_certificate - get the X509 certificate of the peer
#include <openssl/ssl.h>
- X509 *SSL_get_peer_certificate(SSL *ssl);
+ X509 *SSL_get_peer_certificate(const SSL *ssl);
=head1 DESCRIPTION
diff --git a/lib/libssl/src/doc/ssl/SSL_get_session.pod b/lib/libssl/src/doc/ssl/SSL_get_session.pod
index dd9aba40b6a..0c41caa922a 100644
--- a/lib/libssl/src/doc/ssl/SSL_get_session.pod
+++ b/lib/libssl/src/doc/ssl/SSL_get_session.pod
@@ -8,8 +8,8 @@ SSL_get_session - retrieve TLS/SSL session data
#include <openssl/ssl.h>
- SSL_SESSION *SSL_get_session(SSL *ssl);
- SSL_SESSION *SSL_get0_session(SSL *ssl);
+ SSL_SESSION *SSL_get_session(const SSL *ssl);
+ SSL_SESSION *SSL_get0_session(const SSL *ssl);
SSL_SESSION *SSL_get1_session(SSL *ssl);
=head1 DESCRIPTION
diff --git a/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod b/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod
index e6bac9c35a8..55b56a53f92 100644
--- a/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod
+++ b/lib/libssl/src/doc/ssl/SSL_get_verify_result.pod
@@ -8,7 +8,7 @@ SSL_get_verify_result - get result of peer certificate verification
#include <openssl/ssl.h>
- long SSL_get_verify_result(SSL *ssl);
+ long SSL_get_verify_result(const SSL *ssl);
=head1 DESCRIPTION
diff --git a/lib/libssl/src/doc/ssl/SSL_pending.pod b/lib/libssl/src/doc/ssl/SSL_pending.pod
index b4c48598b25..43f2874e8b6 100644
--- a/lib/libssl/src/doc/ssl/SSL_pending.pod
+++ b/lib/libssl/src/doc/ssl/SSL_pending.pod
@@ -8,7 +8,7 @@ SSL_pending - obtain number of readable bytes buffered in an SSL object
#include <openssl/ssl.h>
- int SSL_pending(SSL *ssl);
+ int SSL_pending(const SSL *ssl);
=head1 DESCRIPTION
diff --git a/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod b/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod
index 6289e635d96..011a022a12c 100644
--- a/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod
+++ b/lib/libssl/src/doc/ssl/SSL_set_shutdown.pod
@@ -10,7 +10,7 @@ SSL_set_shutdown, SSL_get_shutdown - manipulate shutdown state of an SSL connect
void SSL_set_shutdown(SSL *ssl, int mode);
- int SSL_get_shutdown(SSL *ssl);
+ int SSL_get_shutdown(const SSL *ssl);
=head1 DESCRIPTION
diff --git a/lib/libssl/src/doc/ssl/SSL_shutdown.pod b/lib/libssl/src/doc/ssl/SSL_shutdown.pod
index 6b5012be7a8..89911acbcac 100644
--- a/lib/libssl/src/doc/ssl/SSL_shutdown.pod
+++ b/lib/libssl/src/doc/ssl/SSL_shutdown.pod
@@ -38,7 +38,7 @@ behaviour.
=over 4
=item When the application is the first party to send the "close notify"
-alert, SSL_shutdown() will only send the alert and the set the
+alert, SSL_shutdown() will only send the alert and then set the
SSL_SENT_SHUTDOWN flag (so that the session is considered good and will
be kept in cache). SSL_shutdown() will then return with 0. If a unidirectional
shutdown is enough (the underlying connection shall be closed anyway), this
diff --git a/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod b/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod
index 0321a5a36f2..81d276477f9 100644
--- a/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod
+++ b/lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod
@@ -8,7 +8,7 @@ d2i_SSL_SESSION, i2d_SSL_SESSION - convert SSL_SESSION object from/to ASN1 repre
#include <openssl/ssl.h>
- SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, long length);
+ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length);
int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
=head1 DESCRIPTION
diff --git a/lib/libssl/src/doc/ssl/ssl.pod b/lib/libssl/src/doc/ssl/ssl.pod
index 4d7a6b7e2b6..b41f3e3645b 100644
--- a/lib/libssl/src/doc/ssl/ssl.pod
+++ b/lib/libssl/src/doc/ssl/ssl.pod
@@ -213,7 +213,7 @@ protocol context defined in the B<SSL_CTX> structure.
=item int B<SSL_CTX_add_session>(SSL_CTX *ctx, SSL_SESSION *c);
-=item int B<SSL_CTX_check_private_key>(SSL_CTX *ctx);
+=item int B<SSL_CTX_check_private_key>(const SSL_CTX *ctx);
=item long B<SSL_CTX_ctrl>(SSL_CTX *ctx, int cmd, long larg, char *parg);
@@ -225,23 +225,23 @@ protocol context defined in the B<SSL_CTX> structure.
=item X509_STORE *B<SSL_CTX_get_cert_store>(SSL_CTX *ctx);
-=item STACK *B<SSL_CTX_get_client_CA_list>(SSL_CTX *ctx);
+=item STACK *B<SSL_CTX_get_client_CA_list>(const SSL_CTX *ctx);
=item int (*B<SSL_CTX_get_client_cert_cb>(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
-=item char *B<SSL_CTX_get_ex_data>(SSL_CTX *s, int idx);
+=item char *B<SSL_CTX_get_ex_data>(const SSL_CTX *s, int idx);
=item int B<SSL_CTX_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
=item void (*B<SSL_CTX_get_info_callback>(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);
-=item int B<SSL_CTX_get_quiet_shutdown>(SSL_CTX *ctx);
+=item int B<SSL_CTX_get_quiet_shutdown>(const SSL_CTX *ctx);
=item int B<SSL_CTX_get_session_cache_mode>(SSL_CTX *ctx);
-=item long B<SSL_CTX_get_timeout>(SSL_CTX *ctx);
+=item long B<SSL_CTX_get_timeout>(const SSL_CTX *ctx);
-=item int (*B<SSL_CTX_get_verify_callback>(SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
+=item int (*B<SSL_CTX_get_verify_callback>(const SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
=item int B<SSL_CTX_get_verify_mode>(SSL_CTX *ctx);
@@ -383,27 +383,27 @@ sessions defined in the B<SSL_SESSION> structures.
=over 4
-=item int B<SSL_SESSION_cmp>(SSL_SESSION *a, SSL_SESSION *b);
+=item int B<SSL_SESSION_cmp>(const SSL_SESSION *a, const SSL_SESSION *b);
=item void B<SSL_SESSION_free>(SSL_SESSION *ss);
=item char *B<SSL_SESSION_get_app_data>(SSL_SESSION *s);
-=item char *B<SSL_SESSION_get_ex_data>(SSL_SESSION *s, int idx);
+=item char *B<SSL_SESSION_get_ex_data>(const SSL_SESSION *s, int idx);
=item int B<SSL_SESSION_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
-=item long B<SSL_SESSION_get_time>(SSL_SESSION *s);
+=item long B<SSL_SESSION_get_time>(const SSL_SESSION *s);
-=item long B<SSL_SESSION_get_timeout>(SSL_SESSION *s);
+=item long B<SSL_SESSION_get_timeout>(const SSL_SESSION *s);
-=item unsigned long B<SSL_SESSION_hash>(SSL_SESSION *a);
+=item unsigned long B<SSL_SESSION_hash>(const SSL_SESSION *a);
=item SSL_SESSION *B<SSL_SESSION_new>(void);
-=item int B<SSL_SESSION_print>(BIO *bp, SSL_SESSION *x);
+=item int B<SSL_SESSION_print>(BIO *bp, const SSL_SESSION *x);
-=item int B<SSL_SESSION_print_fp>(FILE *fp, SSL_SESSION *x);
+=item int B<SSL_SESSION_print_fp>(FILE *fp, const SSL_SESSION *x);
=item void B<SSL_SESSION_set_app_data>(SSL_SESSION *s, char *a);
@@ -438,7 +438,7 @@ connection defined in the B<SSL> structure.
=item char *B<SSL_alert_type_string_long>(int value);
-=item int B<SSL_check_private_key>(SSL *ssl);
+=item int B<SSL_check_private_key>(const SSL *ssl);
=item void B<SSL_clear>(SSL *ssl);
@@ -446,7 +446,7 @@ connection defined in the B<SSL> structure.
=item int B<SSL_connect>(SSL *ssl);
-=item void B<SSL_copy_session_id>(SSL *t, SSL *f);
+=item void B<SSL_copy_session_id>(SSL *t, const SSL *f);
=item long B<SSL_ctrl>(SSL *ssl, int cmd, long larg, char *parg);
@@ -458,77 +458,77 @@ connection defined in the B<SSL> structure.
=item void B<SSL_free>(SSL *ssl);
-=item SSL_CTX *B<SSL_get_SSL_CTX>(SSL *ssl);
+=item SSL_CTX *B<SSL_get_SSL_CTX>(const SSL *ssl);
=item char *B<SSL_get_app_data>(SSL *ssl);
-=item X509 *B<SSL_get_certificate>(SSL *ssl);
+=item X509 *B<SSL_get_certificate>(const SSL *ssl);
-=item const char *B<SSL_get_cipher>(SSL *ssl);
+=item const char *B<SSL_get_cipher>(const SSL *ssl);
-=item int B<SSL_get_cipher_bits>(SSL *ssl, int *alg_bits);
+=item int B<SSL_get_cipher_bits>(const SSL *ssl, int *alg_bits);
-=item char *B<SSL_get_cipher_list>(SSL *ssl, int n);
+=item char *B<SSL_get_cipher_list>(const SSL *ssl, int n);
-=item char *B<SSL_get_cipher_name>(SSL *ssl);
+=item char *B<SSL_get_cipher_name>(const SSL *ssl);
-=item char *B<SSL_get_cipher_version>(SSL *ssl);
+=item char *B<SSL_get_cipher_version>(const SSL *ssl);
-=item STACK *B<SSL_get_ciphers>(SSL *ssl);
+=item STACK *B<SSL_get_ciphers>(const SSL *ssl);
-=item STACK *B<SSL_get_client_CA_list>(SSL *ssl);
+=item STACK *B<SSL_get_client_CA_list>(const SSL *ssl);
=item SSL_CIPHER *B<SSL_get_current_cipher>(SSL *ssl);
-=item long B<SSL_get_default_timeout>(SSL *ssl);
+=item long B<SSL_get_default_timeout>(const SSL *ssl);
-=item int B<SSL_get_error>(SSL *ssl, int i);
+=item int B<SSL_get_error>(const SSL *ssl, int i);
-=item char *B<SSL_get_ex_data>(SSL *ssl, int idx);
+=item char *B<SSL_get_ex_data>(const SSL *ssl, int idx);
=item int B<SSL_get_ex_data_X509_STORE_CTX_idx>(void);
=item int B<SSL_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
-=item int B<SSL_get_fd>(SSL *ssl);
+=item int B<SSL_get_fd>(const SSL *ssl);
-=item void (*B<SSL_get_info_callback>(SSL *ssl);)(void)
+=item void (*B<SSL_get_info_callback>(const SSL *ssl);)()
-=item STACK *B<SSL_get_peer_cert_chain>(SSL *ssl);
+=item STACK *B<SSL_get_peer_cert_chain>(const SSL *ssl);
-=item X509 *B<SSL_get_peer_certificate>(SSL *ssl);
+=item X509 *B<SSL_get_peer_certificate>(const SSL *ssl);
=item EVP_PKEY *B<SSL_get_privatekey>(SSL *ssl);
-=item int B<SSL_get_quiet_shutdown>(SSL *ssl);
+=item int B<SSL_get_quiet_shutdown>(const SSL *ssl);
-=item BIO *B<SSL_get_rbio>(SSL *ssl);
+=item BIO *B<SSL_get_rbio>(const SSL *ssl);
-=item int B<SSL_get_read_ahead>(SSL *ssl);
+=item int B<SSL_get_read_ahead>(const SSL *ssl);
-=item SSL_SESSION *B<SSL_get_session>(SSL *ssl);
+=item SSL_SESSION *B<SSL_get_session>(const SSL *ssl);
-=item char *B<SSL_get_shared_ciphers>(SSL *ssl, char *buf, int len);
+=item char *B<SSL_get_shared_ciphers>(const SSL *ssl, char *buf, int len);
-=item int B<SSL_get_shutdown>(SSL *ssl);
+=item int B<SSL_get_shutdown>(const SSL *ssl);
=item SSL_METHOD *B<SSL_get_ssl_method>(SSL *ssl);
-=item int B<SSL_get_state>(SSL *ssl);
+=item int B<SSL_get_state>(const SSL *ssl);
-=item long B<SSL_get_time>(SSL *ssl);
+=item long B<SSL_get_time>(const SSL *ssl);
-=item long B<SSL_get_timeout>(SSL *ssl);
+=item long B<SSL_get_timeout>(const SSL *ssl);
-=item int (*B<SSL_get_verify_callback>(SSL *ssl);)(void)
+=item int (*B<SSL_get_verify_callback>(const SSL *ssl))(int,X509_STORE_CTX *)
-=item int B<SSL_get_verify_mode>(SSL *ssl);
+=item int B<SSL_get_verify_mode>(const SSL *ssl);
-=item long B<SSL_get_verify_result>(SSL *ssl);
+=item long B<SSL_get_verify_result>(const SSL *ssl);
-=item char *B<SSL_get_version>(SSL *ssl);
+=item char *B<SSL_get_version>(const SSL *ssl);
-=item BIO *B<SSL_get_wbio>(SSL *ssl);
+=item BIO *B<SSL_get_wbio>(const SSL *ssl);
=item int B<SSL_in_accept_init>(SSL *ssl);
@@ -550,7 +550,7 @@ connection defined in the B<SSL> structure.
=item int B<SSL_peek>(SSL *ssl, void *buf, int num);
-=item int B<SSL_pending>(SSL *ssl);
+=item int B<SSL_pending>(const SSL *ssl);
=item int B<SSL_read>(SSL *ssl, void *buf, int num);
@@ -610,11 +610,11 @@ connection defined in the B<SSL> structure.
=item int B<SSL_shutdown>(SSL *ssl);
-=item int B<SSL_state>(SSL *ssl);
+=item int B<SSL_state>(const SSL *ssl);
-=item char *B<SSL_state_string>(SSL *ssl);
+=item char *B<SSL_state_string>(const SSL *ssl);
-=item char *B<SSL_state_string_long>(SSL *ssl);
+=item char *B<SSL_state_string_long>(const SSL *ssl);
=item long B<SSL_total_renegotiations>(SSL *ssl);
@@ -636,17 +636,17 @@ connection defined in the B<SSL> structure.
=item int B<SSL_use_certificate_file>(SSL *ssl, char *file, int type);
-=item int B<SSL_version>(SSL *ssl);
+=item int B<SSL_version>(const SSL *ssl);
-=item int B<SSL_want>(SSL *ssl);
+=item int B<SSL_want>(const SSL *ssl);
-=item int B<SSL_want_nothing>(SSL *ssl);
+=item int B<SSL_want_nothing>(const SSL *ssl);
-=item int B<SSL_want_read>(SSL *ssl);
+=item int B<SSL_want_read>(const SSL *ssl);
-=item int B<SSL_want_write>(SSL *ssl);
+=item int B<SSL_want_write>(const SSL *ssl);
-=item int B<SSL_want_x509_lookup>(s);
+=item int B<SSL_want_x509_lookup>(const SSL *ssl);
=item int B<SSL_write>(SSL *ssl, const void *buf, int num);
diff --git a/lib/libssl/src/doc/standards.txt b/lib/libssl/src/doc/standards.txt
index edbe2f3a57d..f6675b574b6 100644
--- a/lib/libssl/src/doc/standards.txt
+++ b/lib/libssl/src/doc/standards.txt
@@ -88,6 +88,10 @@ PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
(Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status:
INFORMATIONAL)
+3820 Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate
+ Profile. S. Tuecke, V. Welch, D. Engert, L. Pearlman, M. Thompson.
+ June 2004. (Format: TXT=86374 bytes) (Status: PROPOSED STANDARD)
+
Related:
--------
diff --git a/lib/libssl/src/e_os.h b/lib/libssl/src/e_os.h
index 096eabe09a5..5a328b7fa8f 100644
--- a/lib/libssl/src/e_os.h
+++ b/lib/libssl/src/e_os.h
@@ -510,11 +510,31 @@ extern char *sys_errlist[]; extern int sys_nerr;
#define IRIX_CC_BUG /* CDS++ up to V2.0Bsomething suffered from the same bug.*/
#endif
+#if defined(OPENSSL_SYS_WINDOWS)
+# define strcasecmp _stricmp
+# define strncasecmp _strnicmp
+#elif defined(OPENSSL_SYS_VMS)
+/* VMS below version 7.0 doesn't have strcasecmp() */
+# include "o_str.h"
+# define strcasecmp OPENSSL_strcasecmp
+# define strncasecmp OPENSSL_strncasecmp
+# define OPENSSL_IMPLEMENTS_strncasecmp
+#elif defined(OPENSSL_SYS_OS2) && defined(__EMX__)
+# define strcasecmp stricmp
+# define strncasecmp strnicmp
+#else
+# ifdef NO_STRINGS_H
+ int strcasecmp();
+ int strncasecmp();
+# else
+# include <strings.h>
+# endif /* NO_STRINGS_H */
+#endif
+
#if defined(OPENSSL_SYS_OS2) && defined(__EMX__)
# include <io.h>
# include <fcntl.h>
# define NO_SYSLOG
-# define strcasecmp stricmp
#endif
/* vxworks */
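Review bot: The `NO_STRINGS_H` fallback declares `int strcasecmp();` and `int strncasecmp();` with empty parameter lists, so the compiler cannot check argument count or types at any call site. Prototyped declarations would keep that checking: `int strcasecmp(const char *, const char *);` and `int strncasecmp(const char *, const char *, size_t);`. This assumes `size_t` is already declared at this point in e_os.h, which the hunk does not show.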
diff --git a/lib/libssl/src/e_os2.h b/lib/libssl/src/e_os2.h
index 81be3025f60..4ca79a4d65d 100644
--- a/lib/libssl/src/e_os2.h
+++ b/lib/libssl/src/e_os2.h
@@ -189,6 +189,11 @@ extern "C" {
# endif
#endif
+/* --------------------------------- VOS ----------------------------------- */
+#ifdef OPENSSL_SYSNAME_VOS
+# define OPENSSL_SYS_VOS
+#endif
+
/* ------------------------------- VxWorks --------------------------------- */
#ifdef OPENSSL_SYSNAME_VXWORKS
# define OPENSSL_SYS_VXWORKS
@@ -243,7 +248,7 @@ extern "C" {
#define OPENSSL_EXTERN OPENSSL_IMPORT
/* Macros to allow global variables to be reached through function calls when
- required (if a shared library version requvres it, for example.
+ required (if a shared library version requires it, for example.
The way it's done allows definitions like this:
// in foobar.c
@@ -253,9 +258,10 @@ extern "C" {
#define foobar OPENSSL_GLOBAL_REF(foobar)
*/
#ifdef OPENSSL_EXPORT_VAR_AS_FUNCTION
-# define OPENSSL_IMPLEMENT_GLOBAL(type,name) static type _hide_##name; \
- type *_shadow_##name(void) { return &_hide_##name; } \
- static type _hide_##name
+# define OPENSSL_IMPLEMENT_GLOBAL(type,name) \
+ extern type _hide_##name; \
+ type *_shadow_##name(void) { return &_hide_##name; } \
+ static type _hide_##name
# define OPENSSL_DECLARE_GLOBAL(type,name) type *_shadow_##name(void)
# define OPENSSL_GLOBAL_REF(name) (*(_shadow_##name()))
#else
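Review bot: `OPENSSL_IMPLEMENT_GLOBAL` now declares `_hide_##name` as `extern` and then defines it `static` in the same expansion, giving one identifier both external and internal linkage within a translation unit. C leaves that undefined, and stricter compilers reject it as a static declaration following a non-static one. If the change works around a compiler that mishandled the earlier tentative `static` declaration, a comment naming that compiler would help. Otherwise the forward declaration should stay `static type _hide_##name;` so that both declarations agree.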
diff --git a/lib/libssl/src/install.com b/lib/libssl/src/install.com
index 4e4fe80dfe6..8de3a7f9772 100644
--- a/lib/libssl/src/install.com
+++ b/lib/libssl/src/install.com
@@ -52,23 +52,23 @@ $ IF F$PARSE("WRK_SSLPRIVATE:") .EQS. "" THEN -
$ IF F$PARSE("WRK_SSLROOT:[VMS]") .EQS. "" THEN -
CREATE/DIR/LOG WRK_SSLROOT:[VMS]
$
-$ SDIRS := CRYPTO,SSL,APPS,VMS!,RSAREF,TEST,TOOLS
+$ DIRS := CRYPTO,FIPS,SSL,APPS,VMS!,RSAREF,TEST,TOOLS
$ EXHEADER := e_os2.h
$
$ COPY 'EXHEADER' WRK_SSLINCLUDE: /LOG
$ SET FILE/PROT=WORLD:RE WRK_SSLINCLUDE:'EXHEADER'
$
$ I = 0
-$ LOOP_SDIRS:
-$ D = F$ELEMENT(I, ",", SDIRS)
+$ LOOP_DIRS:
+$ D = F$ELEMENT(I, ",", DIRS)
$ I = I + 1
-$ IF D .EQS. "," THEN GOTO LOOP_SDIRS_END
+$ IF D .EQS. "," THEN GOTO LOOP_DIRS_END
$ WRITE SYS$OUTPUT "Installing ",D," files."
$ SET DEFAULT [.'D']
$ @INSTALL 'ROOT']
$ SET DEFAULT [-]
-$ GOTO LOOP_SDIRS
-$ LOOP_SDIRS_END:
+$ GOTO LOOP_DIRS
+$ LOOP_DIRS_END:
$
$ DEASSIGN WRK_SSLROOT
$ DEASSIGN WRK_SSLVLIB
diff --git a/lib/libssl/src/makevms.com b/lib/libssl/src/makevms.com
index 443f3c15c5a..d892fe9f0d3 100644
--- a/lib/libssl/src/makevms.com
+++ b/lib/libssl/src/makevms.com
@@ -178,7 +178,7 @@ $ WRITE H_FILE "# define OPENSSL_SYS_VMS"
$ WRITE H_FILE "#endif"
$ CONFIG_LOGICALS := NO_ASM,NO_RSA,NO_DSA,NO_DH,NO_MD2,NO_MD5,NO_RIPEMD,-
NO_SHA,NO_SHA0,NO_SHA1,NO_DES/NO_MDC2;NO_MDC2,NO_RC2,NO_RC4,NO_RC5,-
- NO_IDEA,NO_BF,NO_CAST,NO_HMAC,NO_SSL2
+ NO_IDEA,NO_BF,NO_CAST,NO_HMAC,NO_SSL2,FIPS
$ CONFIG_LOG_I = 0
$ CONFIG_LOG_LOOP:
$ CONFIG_LOG_E1 = F$ELEMENT(CONFIG_LOG_I,",",CONFIG_LOGICALS)
@@ -357,7 +357,7 @@ $! Copy a lot of files around.
$!
$ SOFTLINKS:
$!
-$! Tell The User We Are Partly Rebuilding The [.TEST] Directory.
+$! Tell The User We Are Partly Rebuilding The [.APPS] Directory.
$!
$ WRITE SYS$OUTPUT "Rebuilding The '[.APPS]MD4.C', '[.APPS]MD5.C' And '[.APPS]RMD160.C' Files."
$!
@@ -480,6 +480,33 @@ $!
$ EXHEADER := ssl.h,ssl2.h,ssl3.h,ssl23.h,tls1.h,kssl.h
$ COPY SYS$DISK:[.SSL]'EXHEADER' SYS$DISK:[.INCLUDE.OPENSSL]
$!
+$! Copy All The ".H" Files From The [.FIPS] Directories.
+$!
+$ FDIRS := ,SHA1,RAND,DES,AES,DSA,RSA
+$ EXHEADER_ := fips.h
+$ EXHEADER_SHA1 :=
+$ EXHEADER_RAND := fips_rand.h
+$ EXHEADER_DES :=
+$ EXHEADER_AES :=
+$ EXHEADER_DSA :=
+$ EXHEADER_RSA :=
+$
+$ I = 0
+$ LOOP_FDIRS:
+$ D = F$EDIT(F$ELEMENT(I, ",", FDIRS),"TRIM")
+$ I = I + 1
+$ IF D .EQS. "," THEN GOTO LOOP_FDIRS_END
+$ tmp = EXHEADER_'D'
+$ IF tmp .EQS. "" THEN GOTO LOOP_FDIRS
+$ IF D .EQS. ""
+$ THEN
+$ COPY [.FIPS]'tmp' SYS$DISK:[.INCLUDE.OPENSSL] !/LOG
+$ ELSE
+$ COPY [.FIPS.'D']'tmp' SYS$DISK:[.INCLUDE.OPENSSL] !/LOG
+$ ENDIF
+$ GOTO LOOP_FDIRS
+$ LOOP_FDIRS_END:
+$!
$! Purge all doubles
$!
$ PURGE SYS$DISK:[.INCLUDE.OPENSSL]*.H
@@ -505,9 +532,21 @@ $! Build The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library.
$!
$ @CRYPTO-LIB LIBRARY 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" "''ISSEVEN'" "''BUILDPART'"
$!
+$! Go Back To The Main Directory.
+$!
+$ SET DEFAULT [-]
+$!
+$! Go To The [.FIPS] Directory.
+$!
+$ SET DEFAULT SYS$DISK:[.FIPS]
+$!
+$! Build The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library.
+$!
+$ @FIPS-LIB LIBRARY 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" "''ISSEVEN'" "''BUILDPART'"
+$!
$! Build The [.xxx.EXE.CRYPTO]*.EXE Test Applications.
$!
-$ @CRYPTO-LIB APPS 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
+$ @FIPS-LIB APPS 'DEBUGGER' "''COMPILER'" "''TCPIP_TYPE'" 'ISSEVEN'
$!
$! Go Back To The Main Directory.
$!
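Review bot: The `APPS` step was changed from `@CRYPTO-LIB` to `@FIPS-LIB` instead of being added next to it, and by then the default directory is `[.FIPS]`. From this hunk it looks as though the [.CRYPTO] test applications are no longer built. If that is unintended, keep the original `@CRYPTO-LIB APPS ...` line before the first added `SET DEFAULT [-]`. The comments above both `@FIPS-LIB` calls still name `[.xxx.EXE.CRYPTO]` and `LIBCRYPTO.OLB`; they should describe the FIPS library and FIPS test applications instead.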
diff --git a/lib/libssl/src/ms/do_masm.bat b/lib/libssl/src/ms/do_masm.bat
index f4c958c5617..61c52562f7f 100644
--- a/lib/libssl/src/ms/do_masm.bat
+++ b/lib/libssl/src/ms/do_masm.bat
@@ -1,3 +1,5 @@
+rem use "fips" as the first argument to make a proper FIPS build.
+
@echo off
echo Generating x86 for MASM assember
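Review bot: The new `rem` line sits above `@echo off`, so the command interpreter echoes it to the console on every run. Writing it as `@rem use "fips" as the first argument to make a proper FIPS build.` or moving it below `@echo off` avoids that; the same applies to the line added at the top of do_nasm.bat. Since `%1` is forwarded unchanged to every `mk1mf.pl` and `mkdef.pl` call in the following hunk, the comment could also say that any other first argument is passed through as-is.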
@@ -56,13 +58,13 @@ cd ..\..\..
echo on
perl util\mkfiles.pl >MINFO
-rem perl util\mk1mf.pl VC-MSDOS no-sock >ms\msdos.mak
-rem perl util\mk1mf.pl VC-W31-32 >ms\w31.mak
-perl util\mk1mf.pl dll VC-W31-32 >ms\w31dll.mak
-perl util\mk1mf.pl VC-WIN32 >ms\nt.mak
-perl util\mk1mf.pl dll VC-WIN32 >ms\ntdll.mak
-
-perl util\mkdef.pl 16 libeay > ms\libeay16.def
-perl util\mkdef.pl 32 libeay > ms\libeay32.def
-perl util\mkdef.pl 16 ssleay > ms\ssleay16.def
-perl util\mkdef.pl 32 ssleay > ms\ssleay32.def
+rem perl util\mk1mf.pl no-sock %1 VC-MSDOS >ms\msdos.mak
+rem perl util\mk1mf.pl %1 VC-W31-32 >ms\w31.mak
+perl util\mk1mf.pl dll %1 VC-W31-32 >ms\w31dll.mak
+perl util\mk1mf.pl %1 VC-WIN32 >ms\nt.mak
+perl util\mk1mf.pl dll %1 VC-WIN32 >ms\ntdll.mak
+
+perl util\mkdef.pl 16 libeay %1 > ms\libeay16.def
+perl util\mkdef.pl 32 libeay %1 > ms\libeay32.def
+perl util\mkdef.pl 16 ssleay %1 > ms\ssleay16.def
+perl util\mkdef.pl 32 ssleay %1 > ms\ssleay32.def
diff --git a/lib/libssl/src/ms/do_ms.bat b/lib/libssl/src/ms/do_ms.bat
index a8cf515bac2..72179708bf1 100644
--- a/lib/libssl/src/ms/do_ms.bat
+++ b/lib/libssl/src/ms/do_ms.bat
@@ -1,14 +1,14 @@
perl util\mkfiles.pl >MINFO
-rem perl util\mk1mf.pl VC-MSDOS no-sock >ms\msdos.mak
-rem perl util\mk1mf.pl VC-W31-32 >ms\w31.mak
-perl util\mk1mf.pl dll VC-W31-32 >ms\w31dll.mak
-perl util\mk1mf.pl no-asm VC-WIN32 >ms\nt.mak
-perl util\mk1mf.pl dll no-asm VC-WIN32 >ms\ntdll.mak
-perl util\mk1mf.pl no-asm VC-CE >ms\ce.mak
-perl util\mk1mf.pl dll no-asm VC-CE >ms\cedll.mak
+rem perl util\mk1mf.pl no-sock %1 VC-MSDOS >ms\msdos.mak
+rem perl util\mk1mf.pl %1 VC-W31-32 >ms\w31.mak
+perl util\mk1mf.pl dll %1 VC-W31-32 >ms\w31dll.mak
+perl util\mk1mf.pl no-asm %1 VC-WIN32 >ms\nt.mak
+perl util\mk1mf.pl dll no-asm %1 VC-WIN32 >ms\ntdll.mak
+perl util\mk1mf.pl no-asm %1 VC-CE >ms\ce.mak
+perl util\mk1mf.pl dll no-asm %1 VC-CE >ms\cedll.mak
-perl util\mkdef.pl 16 libeay > ms\libeay16.def
-perl util\mkdef.pl 32 libeay > ms\libeay32.def
-perl util\mkdef.pl 16 ssleay > ms\ssleay16.def
-perl util\mkdef.pl 32 ssleay > ms\ssleay32.def
+perl util\mkdef.pl 16 libeay %1 > ms\libeay16.def
+perl util\mkdef.pl 32 libeay %1 > ms\libeay32.def
+perl util\mkdef.pl 16 ssleay %1 > ms\ssleay16.def
+perl util\mkdef.pl 32 ssleay %1 > ms\ssleay32.def
diff --git a/lib/libssl/src/ms/do_nasm.bat b/lib/libssl/src/ms/do_nasm.bat
index 557f8a66d7e..270dab00588 100644
--- a/lib/libssl/src/ms/do_nasm.bat
+++ b/lib/libssl/src/ms/do_nasm.bat
@@ -1,3 +1,4 @@
+rem use "fips" as the first argument to make a proper FIPS build.
@echo off
echo Generating x86 for NASM assember
@@ -57,14 +58,14 @@ cd ..\..\..
echo on
perl util\mkfiles.pl >MINFO
-rem perl util\mk1mf.pl VC-MSDOS no-sock >ms\msdos.mak
-rem perl util\mk1mf.pl VC-W31-32 >ms\w31.mak
-perl util\mk1mf.pl dll VC-W31-32 >ms\w31dll.mak
-perl util\mk1mf.pl nasm VC-WIN32 >ms\nt.mak
-perl util\mk1mf.pl dll nasm VC-WIN32 >ms\ntdll.mak
-perl util\mk1mf.pl nasm BC-NT >ms\bcb.mak
-
-perl util\mkdef.pl 16 libeay > ms\libeay16.def
-perl util\mkdef.pl 32 libeay > ms\libeay32.def
-perl util\mkdef.pl 16 ssleay > ms\ssleay16.def
-perl util\mkdef.pl 32 ssleay > ms\ssleay32.def
+rem perl util\mk1mf.pl no-sock %1 VC-MSDOS >ms\msdos.mak
+rem perl util\mk1mf.pl %1 VC-W31-32 >ms\w31.mak
+perl util\mk1mf.pl dll %1 VC-W31-32 >ms\w31dll.mak
+perl util\mk1mf.pl nasm %1 VC-WIN32 >ms\nt.mak
+perl util\mk1mf.pl dll nasm %1 VC-WIN32 >ms\ntdll.mak
+perl util\mk1mf.pl nasm %1 BC-NT >ms\bcb.mak
+
+perl util\mkdef.pl 16 libeay %1 > ms\libeay16.def
+perl util\mkdef.pl 32 libeay %1 > ms\libeay32.def
+perl util\mkdef.pl 16 ssleay %1 > ms\ssleay16.def
+perl util\mkdef.pl 32 ssleay %1 > ms\ssleay32.def
diff --git a/lib/libssl/src/ms/test.bat b/lib/libssl/src/ms/test.bat
index c3a1b0c28d9..7fb04421473 100644
--- a/lib/libssl/src/ms/test.bat
+++ b/lib/libssl/src/ms/test.bat
@@ -87,20 +87,22 @@ echo testss
call %test%\testss openssl
if errorlevel 1 goto done
+set SSL_TEST=ssltest -key keyU.ss -cert certU.ss -c_key keyU.ss -c_cert certU.ss -CAfile certCA.ss
+
echo test sslv2
ssltest -ssl2
if errorlevel 1 goto done
echo test sslv2 with server authentication
-ssltest -ssl2 -server_auth -CAfile cert.tmp
+%SSL_TEST% -ssl2 -server_auth
if errorlevel 1 goto done
echo test sslv2 with client authentication
-ssltest -ssl2 -client_auth -CAfile cert.tmp
+%SSL_TEST% -ssl2 -client_auth
if errorlevel 1 goto done
echo test sslv2 with both client and server authentication
-ssltest -ssl2 -server_auth -client_auth -CAfile cert.tmp
+%SSL_TEST% -ssl2 -server_auth -client_auth
if errorlevel 1 goto done
echo test sslv3
@@ -108,15 +110,15 @@ ssltest -ssl3
if errorlevel 1 goto done
echo test sslv3 with server authentication
-ssltest -ssl3 -server_auth -CAfile cert.tmp
+%SSL_TEST% -ssl3 -server_auth
if errorlevel 1 goto done
echo test sslv3 with client authentication
-ssltest -ssl3 -client_auth -CAfile cert.tmp
+%SSL_TEST% -ssl3 -client_auth
if errorlevel 1 goto done
echo test sslv3 with both client and server authentication
-ssltest -ssl3 -server_auth -client_auth -CAfile cert.tmp
+%SSL_TEST% -ssl3 -server_auth -client_auth
if errorlevel 1 goto done
echo test sslv2/sslv3
@@ -124,15 +126,15 @@ ssltest
if errorlevel 1 goto done
echo test sslv2/sslv3 with server authentication
-ssltest -server_auth -CAfile cert.tmp
+%SSL_TEST% -server_auth
if errorlevel 1 goto done
echo test sslv2/sslv3 with client authentication
-ssltest -client_auth -CAfile cert.tmp
+%SSL_TEST% -client_auth
if errorlevel 1 goto done
echo test sslv2/sslv3 with both client and server authentication
-ssltest -server_auth -client_auth -CAfile cert.tmp
+%SSL_TEST% -server_auth -client_auth
if errorlevel 1 goto done
echo test sslv2 via BIO pair
@@ -144,15 +146,15 @@ ssltest -bio_pair -dhe1024dsa -v
if errorlevel 1 goto done
echo test sslv2 with server authentication via BIO pair
-ssltest -bio_pair -ssl2 -server_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -ssl2 -server_auth
if errorlevel 1 goto done
echo test sslv2 with client authentication via BIO pair
-ssltest -bio_pair -ssl2 -client_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -ssl2 -client_auth
if errorlevel 1 goto done
echo test sslv2 with both client and server authentication via BIO pair
-ssltest -bio_pair -ssl2 -server_auth -client_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -ssl2 -server_auth -client_auth
if errorlevel 1 goto done
echo test sslv3 via BIO pair
@@ -160,31 +162,31 @@ ssltest -bio_pair -ssl3
if errorlevel 1 goto done
echo test sslv3 with server authentication via BIO pair
-ssltest -bio_pair -ssl3 -server_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -ssl3 -server_auth
if errorlevel 1 goto done
echo test sslv3 with client authentication via BIO pair
-ssltest -bio_pair -ssl3 -client_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -ssl3 -client_auth
if errorlevel 1 goto done
echo test sslv3 with both client and server authentication via BIO pair
-ssltest -bio_pair -ssl3 -server_auth -client_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -ssl3 -server_auth -client_auth
if errorlevel 1 goto done
echo test sslv2/sslv3 via BIO pair
-ssltest
+ssltest -bio_pair
if errorlevel 1 goto done
echo test sslv2/sslv3 with server authentication
-ssltest -bio_pair -server_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -server_auth
if errorlevel 1 goto done
echo test sslv2/sslv3 with client authentication via BIO pair
-ssltest -bio_pair -client_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -client_auth
if errorlevel 1 goto done
echo test sslv2/sslv3 with both client and server authentication via BIO pair
-ssltest -bio_pair -server_auth -client_auth -CAfile cert.tmp
+%SSL_TEST% -bio_pair -server_auth -client_auth
if errorlevel 1 goto done
del cert.tmp
diff --git a/lib/libssl/src/ms/testss.bat b/lib/libssl/src/ms/testss.bat
index f7e58e2756a..b4aaf3c601d 100644
--- a/lib/libssl/src/ms/testss.bat
+++ b/lib/libssl/src/ms/testss.bat
@@ -4,7 +4,7 @@ rem set ssleay=..\out\ssleay
set ssleay=%1
set reqcmd=%ssleay% req
-set x509cmd=%ssleay% x509
+set x509cmd=%ssleay% x509 -sha1
set verifycmd=%ssleay% verify
set CAkey=keyCA.ss
diff --git a/lib/libssl/src/openssl.spec b/lib/libssl/src/openssl.spec
index 6a272f69698..98ef153e3bd 100644
--- a/lib/libssl/src/openssl.spec
+++ b/lib/libssl/src/openssl.spec
@@ -1,7 +1,7 @@
%define libmaj 0
%define libmin 9
%define librel 7
-%define librev d
+%define librev g
Release: 1
%define openssldir /var/ssl
diff --git a/lib/libssl/src/shlib/hpux10-cc.sh b/lib/libssl/src/shlib/hpux10-cc.sh
index 81eb9d4caba..fcadda827d7 100644
--- a/lib/libssl/src/shlib/hpux10-cc.sh
+++ b/lib/libssl/src/shlib/hpux10-cc.sh
@@ -74,9 +74,9 @@ make clean
# Hack the Makefiles to pick up the dynamic libraries during linking
#
-sed 's/^PEX_LIBS=.*$/PEX_LIBS=-L\/usr\/local\/ssl\/lib/' Makefile.ssl >xxx; mv xxx Makefile.ssl
-sed 's/-L\.\.//' apps/Makefile.ssl >xxx; mv xxx apps/Makefile.ssl
-sed 's/-L\.\.//' test/Makefile.ssl >xxx; mv xxx test/Makefile.ssl
+sed 's/^PEX_LIBS=.*$/PEX_LIBS=-L\/usr\/local\/ssl\/lib/' Makefile >xxx; mv xxx Makefile.ssl
+sed 's/-L\.\.//' apps/Makefile >xxx; mv xxx apps/Makefile
+sed 's/-L\.\.//' test/Makefile >xxx; mv xxx test/Makefile
# Build the static libs and the executables in one make.
make
# Install everything
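Review bot: The first rewritten `sed` line reads `Makefile` but still moves the result to `Makefile.ssl`, so the `PEX_LIBS` edit never reaches the file that `make` reads on the next line. The two lines below it were converted consistently (`apps/Makefile` to `apps/Makefile`), which suggests the first should end `>xxx; mv xxx Makefile`. As written, the top-level build would keep its original `PEX_LIBS` and leave a stray `Makefile.ssl` behind.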
diff --git a/lib/libssl/src/ssl/kssl.c b/lib/libssl/src/ssl/kssl.c
index 51378897f6e..3afa95f3fad 100644
--- a/lib/libssl/src/ssl/kssl.c
+++ b/lib/libssl/src/ssl/kssl.c
@@ -73,6 +73,8 @@
#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */
#include <string.h>
+#define KRB5_PRIVATE 1
+
#include <openssl/ssl.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
@@ -80,6 +82,10 @@
#ifndef OPENSSL_NO_KRB5
+#ifndef ENOMEM
+#define ENOMEM KRB5KRB_ERR_GENERIC
+#endif
+
/*
* When OpenSSL is built on Windows, we do not want to require that
* the Kerberos DLLs be available in order for the OpenSSL DLLs to
@@ -932,7 +938,7 @@ print_krb5_data(char *label, krb5_data *kdata)
int i;
printf("%s[%d] ", label, kdata->length);
- for (i=0; i < kdata->length; i++)
+ for (i=0; i < (int)kdata->length; i++)
{
if (0 && isprint((int) kdata->data[i]))
printf( "%c ", kdata->data[i]);
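Review bot: The `(int)` cast on `kdata->length` quiets the signed/unsigned comparison by narrowing the length, which is presumably unsigned. A value above INT_MAX would turn negative and the loop would silently print nothing. Changing the `int i;` at the top of this hunk to the length's own type, for example `unsigned int i;`, keeps the comparison exact without a cast. The same cast is added in print_krb5_keyblock and print_krb5_princ. In print_krb5_princ the counters `ui` and `uj` look as if they are already unsigned (their declarations are outside the hunk), in which case the cast reintroduces the mixed-sign comparison it was meant to remove.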
@@ -984,14 +990,14 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
#ifdef KRB5_HEIMDAL
printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
keyblk->keyvalue->length);
- for (i=0; i < keyblk->keyvalue->length; i++)
+ for (i=0; i < (int)keyblk->keyvalue->length; i++)
{
printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
}
printf("\n");
#else
printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
- for (i=0; i < keyblk->length; i++)
+ for (i=0; i < (int)keyblk->length; i++)
{
printf("%02x",keyblk->contents[i]);
}
@@ -1010,12 +1016,12 @@ print_krb5_princ(char *label, krb5_principal_data *princ)
printf("%s principal Realm: ", label);
if (princ == NULL) return;
- for (ui=0; ui < princ->realm.length; ui++) putchar(princ->realm.data[ui]);
+ for (ui=0; ui < (int)princ->realm.length; ui++) putchar(princ->realm.data[ui]);
printf(" (nametype %d) has %d strings:\n", princ->type,princ->length);
- for (i=0; i < princ->length; i++)
+ for (i=0; i < (int)princ->length; i++)
{
printf("\t%d [%d]: ", i, princ->data[i].length);
- for (uj=0; uj < princ->data[i].length; uj++) {
+ for (uj=0; uj < (int)princ->data[i].length; uj++) {
putchar(princ->data[i].data[uj]);
}
printf("\n");
diff --git a/lib/libssl/src/ssl/kssl.h b/lib/libssl/src/ssl/kssl.h
index 19a689b089b..a3d20e1ccbd 100644
--- a/lib/libssl/src/ssl/kssl.h
+++ b/lib/libssl/src/ssl/kssl.h
@@ -82,6 +82,12 @@ extern "C" {
#ifdef KRB5_HEIMDAL
typedef unsigned char krb5_octet;
#define FAR
+#else
+
+#ifndef FAR
+#define FAR
+#endif
+
#endif
/* Uncomment this to debug kssl problems or
diff --git a/lib/libssl/src/ssl/s23_clnt.c b/lib/libssl/src/ssl/s23_clnt.c
index 64ee4269ec1..779e94a35c4 100644
--- a/lib/libssl/src/ssl/s23_clnt.c
+++ b/lib/libssl/src/ssl/s23_clnt.c
@@ -235,7 +235,8 @@ static int ssl23_client_hello(SSL *s)
#endif
p=s->s3->client_random;
- RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE);
+ if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0)
+ return -1;
/* Do the message type and length last */
d= &(buf[2]);
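Review bot: The new failure path after `RAND_pseudo_bytes()` returns -1 without queuing an error, so the caller sees a failed handshake with nothing on the error stack to say the random source was the cause. Adding `SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);` before the `return -1;` would make the failure diagnosable. The same silent return appears in the later `RAND_pseudo_bytes` hunk of this function and in the checks added to s2_clnt.c, s2_srvr.c and s3_clnt.c. The body of ssl23_client_hello continues outside the hunk.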
@@ -248,6 +249,14 @@ static int ssl23_client_hello(SSL *s)
*(d++)=TLS1_VERSION_MINOR;
s->client_version=TLS1_VERSION;
}
+#ifdef OPENSSL_FIPS
+ else if(FIPS_mode())
+ {
+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+#endif
else if (!(s->options & SSL_OP_NO_SSLv3))
{
*(d++)=SSL3_VERSION_MAJOR;
@@ -296,7 +305,9 @@ static int ssl23_client_hello(SSL *s)
i=ch_len;
s2n(i,d);
memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
- RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
+ if(RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i) <= 0)
+ return -1;
+
memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
p+=i;
@@ -426,6 +437,14 @@ static int ssl23_get_server_hello(SSL *s)
if ((p[2] == SSL3_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_SSLv3))
{
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode())
+ {
+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ goto err;
+ }
+#endif
s->version=SSL3_VERSION;
s->method=SSLv3_client_method();
}
diff --git a/lib/libssl/src/ssl/s23_lib.c b/lib/libssl/src/ssl/s23_lib.c
index b70002a6476..8d7dbcf569c 100644
--- a/lib/libssl/src/ssl/s23_lib.c
+++ b/lib/libssl/src/ssl/s23_lib.c
@@ -87,7 +87,7 @@ static SSL_METHOD SSLv23_data= {
ssl3_ctx_ctrl,
ssl23_get_cipher_by_char,
ssl23_put_cipher_by_char,
- ssl_undefined_function,
+ ssl_undefined_const_function,
ssl23_num_ciphers,
ssl23_get_cipher,
ssl_bad_method,
diff --git a/lib/libssl/src/ssl/s23_srvr.c b/lib/libssl/src/ssl/s23_srvr.c
index c5404ca0bcd..92f3391f601 100644
--- a/lib/libssl/src/ssl/s23_srvr.c
+++ b/lib/libssl/src/ssl/s23_srvr.c
@@ -407,6 +407,15 @@ int ssl23_get_client_hello(SSL *s)
}
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && (s->version < TLS1_VERSION))
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ goto err;
+ }
+#endif
+
if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
{
/* we have SSLv3/TLSv1 in an SSLv2 header
diff --git a/lib/libssl/src/ssl/s2_clnt.c b/lib/libssl/src/ssl/s2_clnt.c
index 43b32eb4159..c67829f4957 100644
--- a/lib/libssl/src/ssl/s2_clnt.c
+++ b/lib/libssl/src/ssl/s2_clnt.c
@@ -612,7 +612,8 @@ static int client_hello(SSL *s)
s->s2->challenge_length=SSL2_CHALLENGE_LENGTH;
s2n(SSL2_CHALLENGE_LENGTH,p); /* challenge length */
/*challenge id data*/
- RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH);
+ if(RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH) <= 0)
+ return -1;
memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH);
d+=SSL2_CHALLENGE_LENGTH;
@@ -660,7 +661,9 @@ static int client_master_key(SSL *s)
SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
}
- if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
+ if (i > 0)
+ if(RAND_pseudo_bytes(sess->key_arg,i) <= 0)
+ return -1;
/* make a master key */
i=EVP_CIPHER_key_length(c);
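Review bot: The added check nests one unbraced `if` inside another, which invites a dangling-`else` mistake the next time this code is edited. A single condition reads more clearly and behaves the same: `if (i > 0 && RAND_pseudo_bytes(sess->key_arg,i) <= 0) return -1;`. The body of client_master_key continues outside the hunk.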
diff --git a/lib/libssl/src/ssl/s2_lib.c b/lib/libssl/src/ssl/s2_lib.c
index edcef4dda29..26ce8c8d98e 100644
--- a/lib/libssl/src/ssl/s2_lib.c
+++ b/lib/libssl/src/ssl/s2_lib.c
@@ -263,7 +263,7 @@ SSL_CIPHER *ssl2_get_cipher(unsigned int u)
return(NULL);
}
-int ssl2_pending(SSL *s)
+int ssl2_pending(const SSL *s)
{
return SSL_in_init(s) ? 0 : s->s2->ract_data_length;
}
diff --git a/lib/libssl/src/ssl/s2_srvr.c b/lib/libssl/src/ssl/s2_srvr.c
index 5da2a54af37..853871f28c4 100644
--- a/lib/libssl/src/ssl/s2_srvr.c
+++ b/lib/libssl/src/ssl/s2_srvr.c
@@ -498,7 +498,8 @@ static int get_client_master_key(SSL *s)
i=ek;
else
i=EVP_CIPHER_key_length(c);
- RAND_pseudo_bytes(p,i);
+ if(RAND_pseudo_bytes(p,i) <= 0)
+ return 0;
}
#else
if (i < 0)
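Review bot: This check returns 0 on a `RAND_pseudo_bytes()` failure, whereas every other check added by this commit returns -1 or jumps to `err`. The callers of get_client_master_key are outside the hunk, so it is worth confirming that 0 is treated as a hard failure there and not as "no progress, call again". If it is not, `return -1;` would match the rest of the change.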
@@ -804,7 +805,8 @@ static int server_hello(SSL *s)
/* make and send conn_id */
s2n(SSL2_CONNECTION_ID_LENGTH,p); /* add conn_id length */
s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH;
- RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length);
+ if(RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length) <= 0)
+ return -1;
memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH);
d+=SSL2_CONNECTION_ID_LENGTH;
@@ -949,7 +951,8 @@ static int request_certificate(SSL *s)
p=(unsigned char *)s->init_buf->data;
*(p++)=SSL2_MT_REQUEST_CERTIFICATE;
*(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
- RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
+ if(RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
+ return -1;
memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B;
diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c
index 36f4a8b4c3b..ebf83b03226 100644
--- a/lib/libssl/src/ssl/s3_clnt.c
+++ b/lib/libssl/src/ssl/s3_clnt.c
@@ -117,6 +117,7 @@
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
+#include <openssl/fips.h>
static SSL_METHOD *ssl3_get_client_method(int ver);
static int ssl3_client_hello(SSL *s);
@@ -534,7 +535,8 @@ static int ssl3_client_hello(SSL *s)
p=s->s3->client_random;
Time=time(NULL); /* Time */
l2n(Time,p);
- RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+ if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+ goto err;
/* Do the message type and length last */
d=p= &(buf[4]);
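Review bot: The literal `4` in `SSL3_RANDOM_SIZE-4` is unexplained and will read as a magic number later. It is the number of bytes `l2n(Time,p)` has just written, and it replaces `sizeof(Time)`, which would under-fill the random field wherever `Time` is wider than four bytes. A comment above the call would record that, e.g. `/* l2n() stored 4 bytes of time; fill the rest regardless of sizeof(Time) */`. The `err` label this path jumps to is outside the hunk.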
@@ -1160,11 +1162,14 @@ static int ssl3_get_key_exchange(SSL *s)
q=md_buf;
for (num=2; num > 0; num--)
{
+ EVP_MD_CTX_set_flags(&md_ctx,
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(&md_ctx,(num == 2)
?s->ctx->md5:s->ctx->sha1, NULL);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,param,param_len);
+
EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
q+=i;
j+=i;
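Review bot: `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` is set here with no comment explaining why a non-approved digest is acceptable at this point. It is also set on every pass of the loop, including the pass that uses `s->ctx->sha1`. A short comment would help, for example `/* MD5 is used only as half of the MD5+SHA1 signature input here */`, and the flag could be set once before the loop. The same unexplained exemption is added in s3_enc.c, in ssl3_generate_key_block, ssl3_init_finished_mac and ssl3_generate_master_secret. The `EVP_DigestInit_ex` results in this loop are not checked, so if a FIPS build refuses the digest the code would carry on with whatever is in `md_buf`; the hunk does not show how `md_ctx` is initialised.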
diff --git a/lib/libssl/src/ssl/s3_enc.c b/lib/libssl/src/ssl/s3_enc.c
index 92efb9597d3..a012d3f2b5e 100644
--- a/lib/libssl/src/ssl/s3_enc.c
+++ b/lib/libssl/src/ssl/s3_enc.c
@@ -146,6 +146,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
#endif
k=0;
EVP_MD_CTX_init(&m5);
+ EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_MD_CTX_init(&s1);
for (i=0; i<num; i+=MD5_DIGEST_LENGTH)
{
@@ -501,6 +502,8 @@ int ssl3_enc(SSL *s, int send)
void ssl3_init_finished_mac(SSL *s)
{
+ EVP_MD_CTX_set_flags(&(s->s3->finish_dgst1),
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL);
EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL);
}
@@ -641,6 +644,7 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
unsigned int n;
EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
for (i=0; i<3; i++)
{
EVP_DigestInit_ex(&ctx,s->ctx->sha1, NULL);
diff --git a/lib/libssl/src/ssl/s3_lib.c b/lib/libssl/src/ssl/s3_lib.c
index d04096016ce..9bf1dbec066 100644
--- a/lib/libssl/src/ssl/s3_lib.c
+++ b/lib/libssl/src/ssl/s3_lib.c
@@ -142,7 +142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_RSA_NULL_SHA,
SSL3_CK_RSA_NULL_SHA,
SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP|SSL_STRONG_NONE,
+ SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
0,
0,
0,
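Review bot: `SSL_FIPS` is added here to `SSL3_TXT_RSA_NULL_SHA`, an `SSL_eNULL` suite with no encryption. Later hunks in this file add it to the anonymous `SSL_aNULL` ADH suites and to the `SSL_EXP40` and `SSL_EXP56` export DES suites. How the flag is consumed is not shown on this page, but if it decides which suites may be negotiated in FIPS mode, these entries would admit unencrypted, unauthenticated or export-strength connections there. I would either drop `|SSL_FIPS` from the eNULL, aNULL and `SSL_EXPORT` entries, or add a comment above the table stating that the flag only means "uses FIPS-approved algorithms" and that strength and authentication are filtered elsewhere.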
@@ -183,7 +183,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_ADH_DES_40_CBC_SHA,
SSL3_CK_ADH_DES_40_CBC_SHA,
SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
+ SSL_EXPORT|SSL_EXP40|SSL_FIPS,
0,
40,
128,
@@ -196,7 +196,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_ADH_DES_64_CBC_SHA,
SSL3_CK_ADH_DES_64_CBC_SHA,
SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
+ SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
0,
56,
56,
@@ -209,7 +209,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_ADH_DES_192_CBC_SHA,
SSL3_CK_ADH_DES_192_CBC_SHA,
SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
0,
168,
168,
@@ -291,7 +291,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_RSA_DES_40_CBC_SHA,
SSL3_CK_RSA_DES_40_CBC_SHA,
SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
+ SSL_EXPORT|SSL_EXP40|SSL_FIPS,
0,
40,
56,
@@ -304,7 +304,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_RSA_DES_64_CBC_SHA,
SSL3_CK_RSA_DES_64_CBC_SHA,
SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
+ SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
0,
56,
56,
@@ -317,7 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_RSA_DES_192_CBC3_SHA,
SSL3_CK_RSA_DES_192_CBC3_SHA,
SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
0,
168,
168,
@@ -332,7 +332,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
SSL3_CK_DH_DSS_DES_40_CBC_SHA,
SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
+ SSL_EXPORT|SSL_EXP40|SSL_FIPS,
0,
40,
56,
@@ -345,7 +345,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
SSL3_CK_DH_DSS_DES_64_CBC_SHA,
SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
+ SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
0,
56,
56,
@@ -358,7 +358,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
0,
168,
168,
@@ -371,7 +371,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
SSL3_CK_DH_RSA_DES_40_CBC_SHA,
SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
+ SSL_EXPORT|SSL_EXP40|SSL_FIPS,
0,
40,
56,
@@ -384,7 +384,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
SSL3_CK_DH_RSA_DES_64_CBC_SHA,
SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
+ SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
0,
56,
56,
@@ -397,7 +397,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
0,
168,
168,
@@ -412,7 +412,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
+ SSL_EXPORT|SSL_EXP40|SSL_FIPS,
0,
40,
56,
@@ -425,7 +425,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
+ SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
0,
56,
56,
@@ -438,7 +438,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
0,
168,
168,
@@ -451,7 +451,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
+ SSL_EXPORT|SSL_EXP40|SSL_FIPS,
0,
40,
56,
@@ -464,7 +464,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
+ SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
0,
56,
56,
@@ -477,7 +477,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
0,
168,
168,
@@ -541,7 +541,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_KRB5_DES_64_CBC_SHA,
SSL3_CK_KRB5_DES_64_CBC_SHA,
SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
- SSL_NOT_EXP|SSL_LOW,
+ SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
0,
56,
56,
@@ -555,7 +555,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_KRB5_DES_192_CBC3_SHA,
SSL3_CK_KRB5_DES_192_CBC3_SHA,
SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
0,
112,
168,
@@ -653,7 +653,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL3_TXT_KRB5_DES_40_CBC_SHA,
SSL3_CK_KRB5_DES_40_CBC_SHA,
SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
- SSL_EXPORT|SSL_EXP40,
+ SSL_EXPORT|SSL_EXP40|SSL_FIPS,
0,
40,
56,
@@ -767,7 +767,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
- SSL_EXPORT|SSL_EXP56,
+ SSL_EXPORT|SSL_EXP56|SSL_FIPS,
0,
56,
56,
@@ -780,7 +780,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
- SSL_EXPORT|SSL_EXP56,
+ SSL_EXPORT|SSL_EXP56|SSL_FIPS,
0,
56,
56,
@@ -835,7 +835,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_RSA_WITH_AES_128_SHA,
TLS1_CK_RSA_WITH_AES_128_SHA,
SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
0,
128,
128,
@@ -848,7 +848,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
TLS1_CK_DH_DSS_WITH_AES_128_SHA,
SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
0,
128,
128,
@@ -861,7 +861,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
TLS1_CK_DH_RSA_WITH_AES_128_SHA,
SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
0,
128,
128,
@@ -874,7 +874,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
0,
128,
128,
@@ -887,7 +887,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
0,
128,
128,
@@ -900,7 +900,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_ADH_WITH_AES_128_SHA,
TLS1_CK_ADH_WITH_AES_128_SHA,
SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
- SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
0,
128,
128,
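Review bot: Tagging this anonymous-DH suite (`SSL_aNULL`) with `SSL_FIPS` means the new `FIPS` cipher-string alias selects a suite with no peer authentication; the TLS1_TXT_ADH_WITH_AES_256_SHA hunk does the same. The flag may be meant to describe the algorithms only, but that is not stated anywhere in the diff. Add a comment on the entry such as `/* SSL_FIPS covers the algorithms only; this suite is unauthenticated */`, and note in the cipher documentation that `FIPS` should be combined with `!aNULL`.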
@@ -914,7 +914,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_RSA_WITH_AES_256_SHA,
TLS1_CK_RSA_WITH_AES_256_SHA,
SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
0,
256,
256,
@@ -927,7 +927,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
TLS1_CK_DH_DSS_WITH_AES_256_SHA,
SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
0,
256,
256,
@@ -940,7 +940,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
TLS1_CK_DH_RSA_WITH_AES_256_SHA,
SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
0,
256,
256,
@@ -953,7 +953,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
0,
256,
256,
@@ -966,7 +966,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
0,
256,
256,
@@ -979,7 +979,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_ADH_WITH_AES_256_SHA,
TLS1_CK_ADH_WITH_AES_256_SHA,
SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
0,
256,
256,
@@ -1057,7 +1057,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u)
return(NULL);
}
-int ssl3_pending(SSL *s)
+int ssl3_pending(const SSL *s)
{
if (s->rstate == SSL_ST_READ_BODY)
return 0;
diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c
index 9f3e5139ad9..cb0b12b4006 100644
--- a/lib/libssl/src/ssl/s3_pkt.c
+++ b/lib/libssl/src/ssl/s3_pkt.c
@@ -862,7 +862,7 @@ start:
{
al=SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
- goto err;
+ goto f_err;
}
/* If the other end has shut down, throw anything we read away
@@ -969,7 +969,7 @@ start:
{
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
- goto err;
+ goto f_err;
}
if (s->msg_callback)
@@ -1080,17 +1080,17 @@ start:
if ( (rr->length != 1) || (rr->off != 0) ||
(rr->data[0] != SSL3_MT_CCS))
{
- i=SSL_AD_ILLEGAL_PARAMETER;
+ al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
- goto err;
+ goto f_err;
}
/* Check we have a cipher to change to */
if (s->s3->tmp.new_cipher == NULL)
{
- i=SSL_AD_UNEXPECTED_MESSAGE;
+ al=SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
- goto err;
+ goto f_err;
}
rr->length=0;
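Review bot: The second `SSLerr` in this hunk still reports `SSL_F_SSL3_GET_CERT_VERIFY`, while every other error in these s3_pkt.c hunks uses `SSL_F_SSL3_READ_BYTES`, so an early ChangeCipherSpec is logged against the wrong function. Its neighbours are already being corrected here (`i=` to `al=`, `goto err` to `goto f_err`), so it should become `SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);`. The enclosing function starts and ends outside the hunk; its name is inferred from the sibling calls.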
diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c
index deb3cffabeb..c4a1a715238 100644
--- a/lib/libssl/src/ssl/s3_srvr.c
+++ b/lib/libssl/src/ssl/s3_srvr.c
@@ -125,6 +125,7 @@
#include <openssl/krb5_asn.h>
#endif
#include <openssl/md5.h>
+#include <openssl/fips.h>
static SSL_METHOD *ssl3_get_server_method(int ver);
static int ssl3_get_client_hello(SSL *s);
@@ -955,7 +956,8 @@ static int ssl3_send_server_hello(SSL *s)
p=s->s3->server_random;
Time=time(NULL); /* Time */
l2n(Time,p);
- RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+ if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+ return -1;
/* Do the message type and length last */
d=p= &(buf[4]);
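Review bot: The new failure path `return -1;` leaves nothing on the error queue, so a caller cannot tell an RNG failure from any other handshake error; an `SSLerr` with this function's code and `ERR_R_INTERNAL_ERROR` before the return would fix that. The literal `4` replaces `sizeof(Time)` and is right only because `l2n` stores four bytes, which deserves a comment such as `/* l2n() wrote 4 bytes of time above */`. The body of ssl3_send_server_hello continues outside the hunk.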
@@ -1211,6 +1213,8 @@ static int ssl3_send_server_key_exchange(SSL *s)
j=0;
for (num=2; num > 0; num--)
{
+ EVP_MD_CTX_set_flags(&md_ctx,
+ EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(&md_ctx,(num == 2)
?s->ctx->md5:s->ctx->sha1, NULL);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
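Review bot: `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` is set again on every pass of the loop, including the SHA1 pass, with no explanation of why a non-approved digest is acceptable at this point. A comment such as `/* MD5 is used here only together with SHA1 in the signature hash */` would record the reasoning; this should be confirmed against the rest of the function, which is outside the hunk. The return value of `EVP_DigestInit_ex` is also ignored, so a digest refused in FIPS mode would go unnoticed.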
@@ -1491,7 +1495,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
i = SSL_MAX_MASTER_KEY_LENGTH;
p[0] = s->client_version >> 8;
p[1] = s->client_version & 0xff;
- RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
+ if(RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
+ goto err;
}
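Review bot: The comment `should be RAND_bytes, but we cannot work around a failure` no longer holds, because the new code does handle failure with `goto err`. With that in place the stronger generator can be used for what appears to be the substitute pre-master secret: `if (RAND_bytes(p+2, i-2) <= 0) goto err;`, with the stale comment dropped. The enclosing branch begins outside the hunk.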
s->session->master_key_length=
@@ -1589,7 +1594,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
n2s(p,i);
enc_ticket.length = i;
- if (n < enc_ticket.length + 6)
+ if (n < (long)enc_ticket.length + 6)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1602,7 +1607,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
n2s(p,i);
authenticator.length = i;
- if (n < enc_ticket.length + authenticator.length + 6)
+ if (n < (long)(enc_ticket.length + authenticator.length + 6))
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_R_DATA_LENGTH_TOO_LONG);
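Review bot: The cast in `(long)(enc_ticket.length + authenticator.length + 6)` is applied to the finished sum, so the addition still happens in the type of the `length` fields, whereas the previous hunk casts the operand first (`(long)enc_ticket.length + 6`). For consistency, and so the arithmetic is done in `long`, write `if (n < (long)enc_ticket.length + (long)authenticator.length + 6)`. The `n != …` comparison in the next hunk has the same form. Both lengths come from `n2s`, so as far as the hunk shows this is a consistency point rather than a reachable overflow.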
@@ -1627,8 +1632,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
goto err;
}
- if (n != enc_ticket.length + authenticator.length +
- enc_pms.length + 6)
+ if (n != (long)(enc_ticket.length + authenticator.length +
+ enc_pms.length + 6))
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_R_DATA_LENGTH_TOO_LONG);
diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h
index 913bd40eea4..3161f532cf6 100644
--- a/lib/libssl/src/ssl/ssl.h
+++ b/lib/libssl/src/ssl/ssl.h
@@ -239,6 +239,7 @@ extern "C" {
#define SSL_TXT_LOW "LOW"
#define SSL_TXT_MEDIUM "MEDIUM"
#define SSL_TXT_HIGH "HIGH"
+#define SSL_TXT_FIPS "FIPS"
#define SSL_TXT_kFZA "kFZA"
#define SSL_TXT_aFZA "aFZA"
#define SSL_TXT_eFZA "eFZA"
@@ -372,7 +373,7 @@ typedef struct ssl_method_st
long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
- int (*ssl_pending)(SSL *s);
+ int (*ssl_pending)(const SSL *s);
int (*num_ciphers)(void);
SSL_CIPHER *(*get_cipher)(unsigned ncipher);
struct ssl_method_st *(*get_ssl_method)(int version);
@@ -998,8 +999,8 @@ extern "C" {
* -- that we sent (SSL_get_finished)
* -- that we expected from peer (SSL_get_peer_finished).
* Returns length (0 == no Finished so far), copies up to 'count' bytes. */
-size_t SSL_get_finished(SSL *s, void *buf, size_t count);
-size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
+size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
+size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
* are 'ored' with SSL_VERIFY_PEER if they are desired */
@@ -1171,26 +1172,26 @@ int SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
void SSL_CTX_free(SSL_CTX *);
long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
-long SSL_CTX_get_timeout(SSL_CTX *ctx);
-X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *);
+long SSL_CTX_get_timeout(const SSL_CTX *ctx);
+X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
-int SSL_want(SSL *s);
+int SSL_want(const SSL *s);
int SSL_clear(SSL *s);
void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
-SSL_CIPHER *SSL_get_current_cipher(SSL *s);
-int SSL_CIPHER_get_bits(SSL_CIPHER *c,int *alg_bits);
-char * SSL_CIPHER_get_version(SSL_CIPHER *c);
-const char * SSL_CIPHER_get_name(SSL_CIPHER *c);
-
-int SSL_get_fd(SSL *s);
-int SSL_get_rfd(SSL *s);
-int SSL_get_wfd(SSL *s);
-const char * SSL_get_cipher_list(SSL *s,int n);
-char * SSL_get_shared_ciphers(SSL *s, char *buf, int len);
-int SSL_get_read_ahead(SSL * s);
-int SSL_pending(SSL *s);
+SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
+int SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
+char * SSL_CIPHER_get_version(const SSL_CIPHER *c);
+const char * SSL_CIPHER_get_name(const SSL_CIPHER *c);
+
+int SSL_get_fd(const SSL *s);
+int SSL_get_rfd(const SSL *s);
+int SSL_get_wfd(const SSL *s);
+const char * SSL_get_cipher_list(const SSL *s,int n);
+char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
+int SSL_get_read_ahead(const SSL * s);
+int SSL_pending(const SSL *s);
#ifndef OPENSSL_NO_SOCK
int SSL_set_fd(SSL *s, int fd);
int SSL_set_rfd(SSL *s, int fd);
@@ -1198,14 +1199,14 @@ int SSL_set_wfd(SSL *s, int fd);
#endif
#ifndef OPENSSL_NO_BIO
void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
-BIO * SSL_get_rbio(SSL *s);
-BIO * SSL_get_wbio(SSL *s);
+BIO * SSL_get_rbio(const SSL *s);
+BIO * SSL_get_wbio(const SSL *s);
#endif
int SSL_set_cipher_list(SSL *s, const char *str);
void SSL_set_read_ahead(SSL *s, int yes);
-int SSL_get_verify_mode(SSL *s);
-int SSL_get_verify_depth(SSL *s);
-int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *);
+int SSL_get_verify_mode(const SSL *s);
+int SSL_get_verify_depth(const SSL *s);
+int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *);
void SSL_set_verify(SSL *s, int mode,
int (*callback)(int ok,X509_STORE_CTX *ctx));
void SSL_set_verify_depth(SSL *s, int depth);
@@ -1243,20 +1244,20 @@ const char *SSL_state_string(const SSL *s);
const char *SSL_rstate_string(const SSL *s);
const char *SSL_state_string_long(const SSL *s);
const char *SSL_rstate_string_long(const SSL *s);
-long SSL_SESSION_get_time(SSL_SESSION *s);
+long SSL_SESSION_get_time(const SSL_SESSION *s);
long SSL_SESSION_set_time(SSL_SESSION *s, long t);
-long SSL_SESSION_get_timeout(SSL_SESSION *s);
+long SSL_SESSION_get_timeout(const SSL_SESSION *s);
long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
-void SSL_copy_session_id(SSL *to,SSL *from);
+void SSL_copy_session_id(SSL *to,const SSL *from);
SSL_SESSION *SSL_SESSION_new(void);
-unsigned long SSL_SESSION_hash(SSL_SESSION *a);
-int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b);
+unsigned long SSL_SESSION_hash(const SSL_SESSION *a);
+int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b);
#ifndef OPENSSL_NO_FP_API
-int SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses);
+int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
#endif
#ifndef OPENSSL_NO_BIO
-int SSL_SESSION_print(BIO *fp,SSL_SESSION *ses);
+int SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
#endif
void SSL_SESSION_free(SSL_SESSION *ses);
int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
@@ -1267,17 +1268,18 @@ int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
unsigned int id_len);
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length);
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char * const *pp,
+ long length);
#ifdef HEADER_X509_H
-X509 * SSL_get_peer_certificate(SSL *s);
+X509 * SSL_get_peer_certificate(const SSL *s);
#endif
-STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s);
+STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
-int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
-int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
-int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *);
+int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
+int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
+int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *);
void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
int (*callback)(int, X509_STORE_CTX *));
void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
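Review bot: The new prototype `d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char * const *pp, long length)` makes `*pp` itself const, which conflicts with the usual d2i convention of advancing `*pp` past the bytes consumed. C callers that pass an `unsigned char **` will also need a cast, since C does not convert that implicitly to `const unsigned char * const *`. If the parser still advances the pointer (most of the body in ssl_asn1.c is outside the visible hunks), `const unsigned char **pp` would describe the contract more honestly. Otherwise add a comment on the declaration stating that `*pp` is not updated.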
@@ -1295,8 +1297,8 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
-int SSL_CTX_check_private_key(SSL_CTX *ctx);
-int SSL_check_private_key(SSL *ctx);
+int SSL_CTX_check_private_key(const SSL_CTX *ctx);
+int SSL_check_private_key(const SSL *ctx);
int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
unsigned int sid_ctx_len);
@@ -1321,8 +1323,8 @@ long SSL_callback_ctrl(SSL *, int, void (*)());
long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)());
-int SSL_get_error(SSL *s,int ret_code);
-const char *SSL_get_version(SSL *s);
+int SSL_get_error(const SSL *s,int ret_code);
+const char *SSL_get_version(const SSL *s);
/* This sets the 'default' SSL version that SSL_new() will create */
int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
@@ -1343,7 +1345,7 @@ SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */
-STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s);
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
int SSL_do_handshake(SSL *s);
int SSL_renegotiate(SSL *s);
@@ -1359,15 +1361,15 @@ const char *SSL_alert_desc_string(int value);
void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s);
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
int SSL_add_client_CA(SSL *ssl,X509 *x);
int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
void SSL_set_connect_state(SSL *s);
void SSL_set_accept_state(SSL *s);
-long SSL_get_default_timeout(SSL *s);
+long SSL_get_default_timeout(const SSL *s);
int SSL_library_init(void );
@@ -1376,43 +1378,43 @@ STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
SSL *SSL_dup(SSL *ssl);
-X509 *SSL_get_certificate(SSL *ssl);
+X509 *SSL_get_certificate(const SSL *ssl);
/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
-int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx);
+int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
void SSL_set_quiet_shutdown(SSL *ssl,int mode);
-int SSL_get_quiet_shutdown(SSL *ssl);
+int SSL_get_quiet_shutdown(const SSL *ssl);
void SSL_set_shutdown(SSL *ssl,int mode);
-int SSL_get_shutdown(SSL *ssl);
-int SSL_version(SSL *ssl);
+int SSL_get_shutdown(const SSL *ssl);
+int SSL_version(const SSL *ssl);
int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath);
#define SSL_get0_session SSL_get_session /* just peek at pointer */
-SSL_SESSION *SSL_get_session(SSL *ssl);
+SSL_SESSION *SSL_get_session(const SSL *ssl);
SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
-SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
+SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
void SSL_set_info_callback(SSL *ssl,
void (*cb)(const SSL *ssl,int type,int val));
-void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val);
-int SSL_state(SSL *ssl);
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
+int SSL_state(const SSL *ssl);
void SSL_set_verify_result(SSL *ssl,long v);
-long SSL_get_verify_result(SSL *ssl);
+long SSL_get_verify_result(const SSL *ssl);
int SSL_set_ex_data(SSL *ssl,int idx,void *data);
-void *SSL_get_ex_data(SSL *ssl,int idx);
+void *SSL_get_ex_data(const SSL *ssl,int idx);
int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
-void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx);
+void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss,int idx);
int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
-void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx);
+void *SSL_CTX_get_ex_data(const SSL_CTX *ssl,int idx);
int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
@@ -1603,6 +1605,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL_SET_TRUST 228
#define SSL_F_SSL_SET_WFD 196
#define SSL_F_SSL_SHUTDOWN 224
+#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243
#define SSL_F_SSL_UNDEFINED_FUNCTION 197
#define SSL_F_SSL_USE_CERTIFICATE 198
#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
@@ -1741,6 +1744,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_NULL_SSL_CTX 195
#define SSL_R_NULL_SSL_METHOD_PASSED 196
#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
+#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 1115
#define SSL_R_PACKET_LENGTH_TOO_LONG 198
#define SSL_R_PATH_TOO_LONG 270
#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
diff --git a/lib/libssl/src/ssl/ssl_asn1.c b/lib/libssl/src/ssl/ssl_asn1.c
index d8ff8fc4a3d..4d5900ad2f2 100644
--- a/lib/libssl/src/ssl/ssl_asn1.c
+++ b/lib/libssl/src/ssl/ssl_asn1.c
@@ -226,7 +226,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
M_ASN1_I2D_finish();
}
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char * const *pp,
long length)
{
int version,ssl_version=0,i;
@@ -266,7 +266,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
((unsigned long)os.data[1]<< 8L)|
(unsigned long)os.data[2];
}
- else if ((ssl_version>>8) == 3)
+ else if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
{
if (os.length != 2)
{
@@ -287,9 +287,9 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
ret->cipher_id=id;
M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
- if ((ssl_version>>8) == SSL3_VERSION)
+ if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
- else /* if (ssl_version == SSL2_VERSION) */
+ else /* if (ssl_version == SSL2_VERSION_MAJOR) */
i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
if (os.length > i)
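Review bot: The updated comment `/* if (ssl_version == SSL2_VERSION_MAJOR) */` drops the shift that the real test uses, and the `else` in fact takes every version whose major byte is not `SSL3_VERSION_MAJOR`. Write it as `/* (ssl_version>>8) == SSL2_VERSION_MAJOR */`, or make the branch an explicit `else if` with an error for anything else. The statement controlled by `if (os.length > i)` lies outside the hunk.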
diff --git a/lib/libssl/src/ssl/ssl_cert.c b/lib/libssl/src/ssl/ssl_cert.c
index 2cfb6158787..b8b9bc23900 100644
--- a/lib/libssl/src/ssl/ssl_cert.c
+++ b/lib/libssl/src/ssl/ssl_cert.c
@@ -117,6 +117,7 @@
#if defined(WIN32)
#include <windows.h>
+#include <tchar.h>
#endif
#ifdef NeXT
@@ -129,6 +130,7 @@
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include "ssl_locl.h"
+#include <openssl/fips.h>
int SSL_get_ex_data_X509_STORE_CTX_idx(void)
{
@@ -542,12 +544,12 @@ void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
set_client_CA_list(&(ctx->client_CA),name_list);
}
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx)
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
{
return(ctx->client_CA);
}
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s)
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
{
if (s->type == SSL_ST_CONNECT)
{ /* we are in the client */
@@ -783,36 +785,54 @@ err:
#else /* OPENSSL_SYS_WIN32 */
+#if defined(_WIN32_WCE)
+# ifndef UNICODE
+# error "WinCE comes in UNICODE flavor only..."
+# endif
+# if _WIN32_WCE<101 && !defined(OPENSSL_NO_MULTIBYTE)
+# define OPENSSL_NO_MULTIBYTE
+# endif
+# ifndef FindFirstFile
+# define FindFirstFile FindFirstFileW
+# endif
+# ifndef FindNextFile
+# define FindNextFile FindNextFileW
+# endif
+#endif
+
int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *dir)
{
WIN32_FIND_DATA FindFileData;
HANDLE hFind;
- int ret = 0;
-#ifdef OPENSSL_SYS_WINCE
- WCHAR* wdir = NULL;
-#endif
+ int ret = 0;
+ TCHAR *wdir = NULL;
+ size_t i,len_0 = strlen(dir)+1; /* len_0 accounts for trailing 0 */
+ char buf[1024],*slash;
+
+ if (len_0 > (sizeof(buf)-14)) /* 14 is just some value... */
+ {
+ SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
+ return ret;
+ }
CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
-
-#ifdef OPENSSL_SYS_WINCE
- /* convert strings to UNICODE */
- {
- BOOL result = FALSE;
- int i;
- wdir = malloc((strlen(dir)+1)*2);
+
+ if (sizeof(TCHAR) != sizeof(char))
+ {
+ wdir = (TCHAR *)malloc(len_0*sizeof(TCHAR));
if (wdir == NULL)
goto err_noclose;
- for (i=0; i<(int)strlen(dir)+1; i++)
- wdir[i] = (short)dir[i];
- }
+#ifndef OPENSSL_NO_MULTIBYTE
+ if (!MultiByteToWideChar(CP_ACP,0,dir,len_0,
+ (WCHAR *)wdir,len_0))
#endif
+ for (i=0;i<len_0;i++) wdir[i]=(TCHAR)dir[i];
+
+ hFind = FindFirstFile(wdir, &FindFileData);
+ }
+ else hFind = FindFirstFile((const TCHAR *)dir, &FindFileData);
-#ifdef OPENSSL_SYS_WINCE
- hFind = FindFirstFile(wdir, &FindFileData);
-#else
- hFind = FindFirstFile(dir, &FindFileData);
-#endif
/* Note that a side effect is that the CAs will be sorted by name */
if(hFind == INVALID_HANDLE_VALUE)
{
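Review bot: When `MultiByteToWideChar` fails, control falls into the unbraced `for` loop after `#endif`, which widens each byte of `dir` on its own; for a non-ASCII path that produces a different directory name than the caller asked for, and CA certificates would then be read from wherever that name resolves. The same fallback is used for the file name in the next hunk (`slash[i]=(char)fnam[i]`), where it narrows wide characters. I would report the failure instead and keep the loop only for builds with `OPENSSL_NO_MULTIBYTE`, as sketched below. The `malloc` failure just above also jumps to `err_noclose` without queuing an error.

```c
		if (wdir == NULL)
			goto err_noclose;
#ifndef OPENSSL_NO_MULTIBYTE
		if (!MultiByteToWideChar(CP_ACP,0,dir,len_0,
				(WCHAR *)wdir,len_0))
			{
			/* do not guess at a conversion for a trusted-CA path */
			SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,ERR_R_SYS_LIB);
			goto err_noclose;
			}
#else
		for (i=0;i<len_0;i++) wdir[i]=(TCHAR)dir[i];
#endif
		/* ... unchanged: hFind = FindFirstFile(wdir, &FindFileData) ... */
```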
@@ -821,25 +841,34 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
goto err_noclose;
}
-
- do
- {
- char buf[1024];
- int r;
-
-#ifdef OPENSSL_SYS_WINCE
- if(strlen(dir)+_tcslen(FindFileData.cFileName)+2 > sizeof buf)
-#else
- if(strlen(dir)+strlen(FindFileData.cFileName)+2 > sizeof buf)
-#endif
+
+ strncpy(buf,dir,sizeof(buf)); /* strcpy is safe too... */
+ buf[len_0-1]='/'; /* no trailing zero! */
+ slash=buf+len_0;
+
+ do {
+ const TCHAR *fnam=FindFileData.cFileName;
+ size_t flen_0=_tcslen(fnam)+1;
+
+ if (flen_0 > (sizeof(buf)-len_0))
{
SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
goto err;
}
-
- r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,FindFileData.cFileName);
- if (r <= 0 || r >= sizeof buf)
- goto err;
+ /* else strcpy would be safe too... */
+
+ if (sizeof(TCHAR) != sizeof(char))
+ {
+#ifndef OPENSSL_NO_MULTIBYTE
+ if (!WideCharToMultiByte(CP_ACP,0,
+ (WCHAR *)fnam,flen_0,
+ slash,sizeof(buf)-len_0,
+ NULL,0))
+#endif
+ for (i=0;i<flen_0;i++) slash[i]=(char)fnam[i];
+ }
+ else strncpy(slash,(const char *)fnam,sizeof(buf)-len_0);
+
if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
goto err;
}
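Review bot: The bound `flen_0 > (sizeof(buf)-len_0)` counts TCHARs but is used to size a byte buffer; under `CP_ACP` one wide character can need more than one byte, so a name can pass this check and still make `WideCharToMultiByte` fail for lack of space. That failure is then hidden by the truncating loop after `#endif`. Treat a zero return as an error, e.g. `{ SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG); goto err; }`, and keep the loop for the `OPENSSL_NO_MULTIBYTE` build only. The `do` loop's closing condition is outside the hunk.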
@@ -849,10 +878,9 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
err:
FindClose(hFind);
err_noclose:
-#ifdef OPENSSL_SYS_WINCE
if (wdir != NULL)
free(wdir);
-#endif
+
CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
return ret;
}
diff --git a/lib/libssl/src/ssl/ssl_ciph.c b/lib/libssl/src/ssl/ssl_ciph.c
index 2d6eab20c38..a7ccefa30cf 100644
--- a/lib/libssl/src/ssl/ssl_ciph.c
+++ b/lib/libssl/src/ssl/ssl_ciph.c
@@ -59,6 +59,7 @@
#include <stdio.h>
#include <openssl/objects.h>
#include <openssl/comp.h>
+#include <openssl/fips.h>
#include "ssl_locl.h"
#define SSL_ENC_DES_IDX 0
@@ -153,13 +154,13 @@ static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
{0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
{0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
+ {0,SSL_TXT_FIPS, 0, 0, SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
};
static int init_ciphers=1;
static void load_ciphers(void)
{
- init_ciphers=0;
ssl_cipher_methods[SSL_ENC_DES_IDX]=
EVP_get_cipherbyname(SN_des_cbc);
ssl_cipher_methods[SSL_ENC_3DES_IDX]=
@@ -183,9 +184,10 @@ static void load_ciphers(void)
EVP_get_digestbyname(SN_md5);
ssl_digest_methods[SSL_MD_SHA1_IDX]=
EVP_get_digestbyname(SN_sha1);
+ init_ciphers=0;
}
-int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc,
+int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
const EVP_MD **md, SSL_COMP **comp)
{
int i;
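Review bot: Moving `init_ciphers=0;` to the end of `load_ciphers` narrows the window in which another thread sees the flag cleared while the tables are half filled, but it does not close it: the flag is a plain `static int` and nothing in these hunks takes a lock. Unless the callers, which are outside the hunk, serialise the first call, two threads can still run `load_ciphers` at once or observe the store out of order. Document the assumption above the function, e.g. `/* not thread-safe on its own: callers must serialise the first call */`, or guard the call with the library's locking macros.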
@@ -359,7 +361,12 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
{
c = ssl_method->get_cipher(i);
/* drop those that use any of that is not available */
+#ifdef OPENSSL_FIPS
+ if ((c != NULL) && c->valid && !(c->algorithms & mask)
+ && (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
+#else
if ((c != NULL) && c->valid && !(c->algorithms & mask))
+#endif
{
co_list[co_list_num].cipher = c;
co_list[co_list_num].next = NULL;
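Review bot: The FIPS test runs when the cipher list is built, so a list collected before FIPS mode was switched on would keep suites without `SSL_FIPS`; nothing in this hunk or in the ssl_create_cipher_list hunk re-checks at use time. Please document the required ordering, e.g. `/* FIPS mode must be enabled before any cipher list is built */`, or confirm that the handshake code rejects such suites. The condition is also duplicated under `#ifdef` in both places, where a small macro would do, and the second copy leaves `curr->cipher->algo_strength & SSL_FIPS` unparenthesised, unlike this one.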
@@ -854,7 +861,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
*/
for (curr = head; curr != NULL; curr = curr->next)
{
+#ifdef OPENSSL_FIPS
+ if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
+#else
if (curr->active)
+#endif
{
sk_SSL_CIPHER_push(cipherstack, curr->cipher);
#ifdef CIPHER_DEBUG
@@ -1054,7 +1065,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
return(buf);
}
-char *SSL_CIPHER_get_version(SSL_CIPHER *c)
+char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
{
int i;
@@ -1069,7 +1080,7 @@ char *SSL_CIPHER_get_version(SSL_CIPHER *c)
}
/* return the actual cipher being used */
-const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
+const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
{
if (c != NULL)
return(c->name);
@@ -1077,7 +1088,7 @@ const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
}
/* number of bits for symmetric cipher */
-int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits)
+int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
{
int ret=0;
diff --git a/lib/libssl/src/ssl/ssl_err.c b/lib/libssl/src/ssl/ssl_err.c
index d2cb1815032..29b8ff47889 100644
--- a/lib/libssl/src/ssl/ssl_err.c
+++ b/lib/libssl/src/ssl/ssl_err.c
@@ -1,6 +1,6 @@
/* ssl/ssl_err.c */
/* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -193,6 +193,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL_SET_TRUST,0), "SSL_set_trust"},
{ERR_PACK(0,SSL_F_SSL_SET_WFD,0), "SSL_set_wfd"},
{ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0), "SSL_shutdown"},
+{ERR_PACK(0,SSL_F_SSL_UNDEFINED_CONST_FUNCTION,0), "SSL_UNDEFINED_CONST_FUNCTION"},
{ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0), "SSL_UNDEFINED_FUNCTION"},
{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0), "SSL_use_certificate"},
{ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0), "SSL_use_certificate_ASN1"},
@@ -334,6 +335,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_NULL_SSL_CTX ,"null ssl ctx"},
{SSL_R_NULL_SSL_METHOD_PASSED ,"null ssl method passed"},
{SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED ,"old session cipher not returned"},
+{SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE ,"only tls allowed in fips mode"},
{SSL_R_PACKET_LENGTH_TOO_LONG ,"packet length too long"},
{SSL_R_PATH_TOO_LONG ,"path too long"},
{SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"},
diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c
index ee9a82d5860..631229558f9 100644
--- a/lib/libssl/src/ssl/ssl_lib.c
+++ b/lib/libssl/src/ssl/ssl_lib.c
@@ -121,6 +121,7 @@
#include <openssl/objects.h>
#include <openssl/lhash.h>
#include <openssl/x509v3.h>
+#include <openssl/fips.h>
const char *SSL_version_str=OPENSSL_VERSION_TEXT;
@@ -500,18 +501,18 @@ void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
s->wbio=wbio;
}
-BIO *SSL_get_rbio(SSL *s)
+BIO *SSL_get_rbio(const SSL *s)
{ return(s->rbio); }
-BIO *SSL_get_wbio(SSL *s)
+BIO *SSL_get_wbio(const SSL *s)
{ return(s->wbio); }
-int SSL_get_fd(SSL *s)
+int SSL_get_fd(const SSL *s)
{
return(SSL_get_rfd(s));
}
-int SSL_get_rfd(SSL *s)
+int SSL_get_rfd(const SSL *s)
{
int ret= -1;
BIO *b,*r;
@@ -523,7 +524,7 @@ int SSL_get_rfd(SSL *s)
return(ret);
}
-int SSL_get_wfd(SSL *s)
+int SSL_get_wfd(const SSL *s)
{
int ret= -1;
BIO *b,*r;
@@ -605,7 +606,7 @@ err:
/* return length of latest Finished message we sent, copy to 'buf' */
-size_t SSL_get_finished(SSL *s, void *buf, size_t count)
+size_t SSL_get_finished(const SSL *s, void *buf, size_t count)
{
size_t ret = 0;
@@ -620,7 +621,7 @@ size_t SSL_get_finished(SSL *s, void *buf, size_t count)
}
/* return length of latest Finished message we expected, copy to 'buf' */
-size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
+size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
{
size_t ret = 0;
@@ -635,32 +636,32 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
}
-int SSL_get_verify_mode(SSL *s)
+int SSL_get_verify_mode(const SSL *s)
{
return(s->verify_mode);
}
-int SSL_get_verify_depth(SSL *s)
+int SSL_get_verify_depth(const SSL *s)
{
return(s->verify_depth);
}
-int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *)
+int (*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *)
{
return(s->verify_callback);
}
-int SSL_CTX_get_verify_mode(SSL_CTX *ctx)
+int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
{
return(ctx->verify_mode);
}
-int SSL_CTX_get_verify_depth(SSL_CTX *ctx)
+int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
{
return(ctx->verify_depth);
}
-int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *)
+int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *)
{
return(ctx->default_verify_callback);
}
@@ -683,12 +684,12 @@ void SSL_set_read_ahead(SSL *s,int yes)
s->read_ahead=yes;
}
-int SSL_get_read_ahead(SSL *s)
+int SSL_get_read_ahead(const SSL *s)
{
return(s->read_ahead);
}
-int SSL_pending(SSL *s)
+int SSL_pending(const SSL *s)
{
/* SSL_pending cannot work properly if read-ahead is enabled
* (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
@@ -700,7 +701,7 @@ int SSL_pending(SSL *s)
return(s->method->ssl_pending(s));
}
-X509 *SSL_get_peer_certificate(SSL *s)
+X509 *SSL_get_peer_certificate(const SSL *s)
{
X509 *r;
@@ -716,7 +717,7 @@ X509 *SSL_get_peer_certificate(SSL *s)
return(r);
}
-STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
+STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
{
STACK_OF(X509) *r;
@@ -733,7 +734,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
/* Now in theory, since the calling process own 't' it should be safe to
* modify. We need to be able to read f without being hassled */
-void SSL_copy_session_id(SSL *t,SSL *f)
+void SSL_copy_session_id(SSL *t,const SSL *f)
{
CERT *tmp;
@@ -762,7 +763,7 @@ void SSL_copy_session_id(SSL *t,SSL *f)
}
/* Fix this so it checks all the valid key/cert options */
-int SSL_CTX_check_private_key(SSL_CTX *ctx)
+int SSL_CTX_check_private_key(const SSL_CTX *ctx)
{
if ( (ctx == NULL) ||
(ctx->cert == NULL) ||
@@ -780,7 +781,7 @@ int SSL_CTX_check_private_key(SSL_CTX *ctx)
}
/* Fix this function so that it takes an optional type parameter */
-int SSL_check_private_key(SSL *ssl)
+int SSL_check_private_key(const SSL *ssl)
{
if (ssl == NULL)
{
@@ -824,7 +825,7 @@ int SSL_connect(SSL *s)
return(s->method->ssl_connect(s));
}
-long SSL_get_default_timeout(SSL *s)
+long SSL_get_default_timeout(const SSL *s)
{
return(s->method->get_timeout());
}
@@ -1071,7 +1072,7 @@ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
/** return a STACK of the ciphers available for the SSL and in order of
* preference */
-STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s)
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
{
if (s != NULL)
{
@@ -1108,7 +1109,7 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
}
/** The old interface to get the same thing as SSL_get_ciphers() */
-const char *SSL_get_cipher_list(SSL *s,int n)
+const char *SSL_get_cipher_list(const SSL *s,int n)
{
SSL_CIPHER *c;
STACK_OF(SSL_CIPHER) *sk;
@@ -1145,7 +1146,7 @@ int SSL_set_cipher_list(SSL *s,const char *str)
}
/* works well for SSLv2, not so good for SSLv3 */
-char *SSL_get_shared_ciphers(SSL *s,char *buf,int len)
+char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
{
char *p;
const char *cp;
@@ -1249,7 +1250,7 @@ err:
return(NULL);
}
-unsigned long SSL_SESSION_hash(SSL_SESSION *a)
+unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
{
unsigned long l;
@@ -1266,7 +1267,7 @@ unsigned long SSL_SESSION_hash(SSL_SESSION *a)
* SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
* able to construct an SSL_SESSION that will collide with any existing session
* with a matching session ID. */
-int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b)
+int SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
{
if (a->ssl_version != b->ssl_version)
return(1);
@@ -1292,6 +1293,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
return(NULL);
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && (meth->version < TLS1_VERSION))
+ {
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ return NULL;
+ }
+#endif
+
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
{
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
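Review bot: The FIPS protocol gate added here runs only when a context is created, and nothing visible in this diff repeats it where the method can be replaced afterwards. `SSL_set_ssl_method` (named in the next hunk header) and `SSL_CTX_set_ssl_version` both install a new `SSL_METHOD`, so a context created with a TLSv1 method could presumably be switched to an SSLv2/SSLv3 method while `FIPS_mode()` is on. If those setters are not guarded elsewhere, the same test `if (FIPS_mode() && (meth->version < TLS1_VERSION))` belongs in them too. At minimum, a comment on this block should say that it is the only enforcement point. The body of SSL_CTX_new starts and ends outside the hunk.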
@@ -1722,7 +1731,7 @@ int SSL_set_ssl_method(SSL *s,SSL_METHOD *meth)
return(ret);
}
-int SSL_get_error(SSL *s,int i)
+int SSL_get_error(const SSL *s,int i)
{
int reason;
unsigned long l;
@@ -1856,13 +1865,19 @@ int ssl_undefined_function(SSL *s)
return(0);
}
+int ssl_undefined_const_function(const SSL *s)
+ {
+ SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return(0);
+ }
+
SSL_METHOD *ssl_bad_method(int ver)
{
SSLerr(SSL_F_SSL_BAD_METHOD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return(NULL);
}
-const char *SSL_get_version(SSL *s)
+const char *SSL_get_version(const SSL *s)
{
if (s->version == TLS1_VERSION)
return("TLSv1");
@@ -2031,7 +2046,7 @@ void ssl_clear_cipher_ctx(SSL *s)
}
/* Fix this function so that it takes an optional type parameter */
-X509 *SSL_get_certificate(SSL *s)
+X509 *SSL_get_certificate(const SSL *s)
{
if (s->cert != NULL)
return(s->cert->key->x509);
@@ -2048,7 +2063,7 @@ EVP_PKEY *SSL_get_privatekey(SSL *s)
return(NULL);
}
-SSL_CIPHER *SSL_get_current_cipher(SSL *s)
+SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
{
if ((s->session != NULL) && (s->session->cipher != NULL))
return(s->session->cipher);
@@ -2112,7 +2127,7 @@ void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode)
ctx->quiet_shutdown=mode;
}
-int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx)
+int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
{
return(ctx->quiet_shutdown);
}
@@ -2122,7 +2137,7 @@ void SSL_set_quiet_shutdown(SSL *s,int mode)
s->quiet_shutdown=mode;
}
-int SSL_get_quiet_shutdown(SSL *s)
+int SSL_get_quiet_shutdown(const SSL *s)
{
return(s->quiet_shutdown);
}
@@ -2132,17 +2147,17 @@ void SSL_set_shutdown(SSL *s,int mode)
s->shutdown=mode;
}
-int SSL_get_shutdown(SSL *s)
+int SSL_get_shutdown(const SSL *s)
{
return(s->shutdown);
}
-int SSL_version(SSL *s)
+int SSL_version(const SSL *s)
{
return(s->version);
}
-SSL_CTX *SSL_get_SSL_CTX(SSL *ssl)
+SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
{
return(ssl->ctx);
}
@@ -2156,7 +2171,9 @@ int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath)
{
- return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
+ int r;
+ r=X509_STORE_load_locations(ctx->cert_store,CAfile,CApath);
+ return r;
}
#endif
@@ -2166,12 +2183,12 @@ void SSL_set_info_callback(SSL *ssl,
ssl->info_callback=cb;
}
-void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val)
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val)
{
return ssl->info_callback;
}
-int SSL_state(SSL *ssl)
+int SSL_state(const SSL *ssl)
{
return(ssl->state);
}
@@ -2181,7 +2198,7 @@ void SSL_set_verify_result(SSL *ssl,long arg)
ssl->verify_result=arg;
}
-long SSL_get_verify_result(SSL *ssl)
+long SSL_get_verify_result(const SSL *ssl)
{
return(ssl->verify_result);
}
@@ -2198,7 +2215,7 @@ int SSL_set_ex_data(SSL *s,int idx,void *arg)
return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
}
-void *SSL_get_ex_data(SSL *s,int idx)
+void *SSL_get_ex_data(const SSL *s,int idx)
{
return(CRYPTO_get_ex_data(&s->ex_data,idx));
}
@@ -2215,7 +2232,7 @@ int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
}
-void *SSL_CTX_get_ex_data(SSL_CTX *s,int idx)
+void *SSL_CTX_get_ex_data(const SSL_CTX *s,int idx)
{
return(CRYPTO_get_ex_data(&s->ex_data,idx));
}
@@ -2225,7 +2242,7 @@ int ssl_ok(SSL *s)
return(1);
}
-X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
+X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx)
{
return(ctx->cert_store);
}
@@ -2237,7 +2254,7 @@ void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
ctx->cert_store=store;
}
-int SSL_want(SSL *s)
+int SSL_want(const SSL *s)
{
return(s->rwstate);
}
diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h
index dd6c7a7323f..25a144a0d0d 100644
--- a/lib/libssl/src/ssl/ssl_locl.h
+++ b/lib/libssl/src/ssl/ssl_locl.h
@@ -302,8 +302,9 @@
#define SSL_LOW 0x00000020L
#define SSL_MEDIUM 0x00000040L
#define SSL_HIGH 0x00000080L
+#define SSL_FIPS 0x00000100L
-/* we have used 000000ff - 24 bits left to go */
+/* we have used 000001ff - 23 bits left to go */
/*
* Macros to check the export status and cipher strength for export ciphers.
@@ -498,10 +499,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
STACK_OF(SSL_CIPHER) **sorted,
const char *rule_str);
void ssl_update_cache(SSL *s, int mode);
-int ssl_cipher_get_evp(SSL_SESSION *s,const EVP_CIPHER **enc,const EVP_MD **md,
- SSL_COMP **comp);
+int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
+ const EVP_MD **md,SSL_COMP **comp);
int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
int ssl_undefined_function(SSL *s);
+int ssl_undefined_const_function(const SSL *s);
X509 *ssl_get_server_send_cert(SSL *);
EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
@@ -535,7 +537,7 @@ long ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)());
long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
-int ssl2_pending(SSL *s);
+int ssl2_pending(const SSL *s);
SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
@@ -583,7 +585,7 @@ long ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
long ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)());
long ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
-int ssl3_pending(SSL *s);
+int ssl3_pending(const SSL *s);
int ssl23_accept(SSL *s);
int ssl23_connect(SSL *s);
diff --git a/lib/libssl/src/ssl/ssl_rsa.c b/lib/libssl/src/ssl/ssl_rsa.c
index 330390519bb..fb0bd4d0452 100644
--- a/lib/libssl/src/ssl/ssl_rsa.c
+++ b/lib/libssl/src/ssl/ssl_rsa.c
@@ -804,7 +804,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
/* When the while loop ends, it's usually just EOF. */
err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
- (void)ERR_get_error();
+ ERR_clear_error();
else
ret = 0; /* some real error */
}
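Review bot: `ERR_clear_error()` empties the whole error queue, not just the `PEM_R_NO_START_LINE` entry that the preceding `ERR_peek_last_error()` test identified. Any errors that were already queued when `SSL_CTX_use_certificate_chain_file` was called are discarded as well. That is probably intended, since the removed `ERR_get_error()` popped the oldest entry rather than the one that was checked, but it is worth stating. A comment such as `/* EOF on the chain file: discard the expected PEM_R_NO_START_LINE; note this clears the entire queue */` would do. The enclosing function starts outside the hunk, so whether callers depend on earlier entries cannot be judged from here.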
diff --git a/lib/libssl/src/ssl/ssl_sess.c b/lib/libssl/src/ssl/ssl_sess.c
index 7016c87d3b2..5f12aa361c1 100644
--- a/lib/libssl/src/ssl/ssl_sess.c
+++ b/lib/libssl/src/ssl/ssl_sess.c
@@ -65,7 +65,7 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
-SSL_SESSION *SSL_get_session(SSL *ssl)
+SSL_SESSION *SSL_get_session(const SSL *ssl)
/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
{
return(ssl->session);
@@ -98,7 +98,7 @@ int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
}
-void *SSL_SESSION_get_ex_data(SSL_SESSION *s, int idx)
+void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
{
return(CRYPTO_get_ex_data(&s->ex_data,idx));
}
@@ -141,7 +141,8 @@ static int def_generate_session_id(const SSL *ssl, unsigned char *id,
{
unsigned int retry = 0;
do
- RAND_pseudo_bytes(id, *id_len);
+ if(RAND_pseudo_bytes(id, *id_len) <= 0)
+ return 0;
while(SSL_has_matching_session_id(ssl, id, *id_len) &&
(++retry < MAX_SESS_ID_ATTEMPTS));
if(retry < MAX_SESS_ID_ATTEMPTS)
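Review bot: The new `if` is the unbraced body of the `do … while` loop, so the following `while(...)` line reads at first glance like a separate loop. Bracing the body makes the control flow unambiguous: `do { if (RAND_pseudo_bytes(id, *id_len) <= 0) return 0; } while (...)`. A one-line comment would also help, because `RAND_pseudo_bytes` returns 0 when it produced bytes that are not cryptographically strong. The `<= 0` test therefore refuses predictable session IDs as well as outright failure. The rest of def_generate_session_id lies outside the hunk.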
@@ -609,13 +610,13 @@ long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
return(1);
}
-long SSL_SESSION_get_timeout(SSL_SESSION *s)
+long SSL_SESSION_get_timeout(const SSL_SESSION *s)
{
if (s == NULL) return(0);
return(s->timeout);
}
-long SSL_SESSION_get_time(SSL_SESSION *s)
+long SSL_SESSION_get_time(const SSL_SESSION *s)
{
if (s == NULL) return(0);
return(s->time);
@@ -637,7 +638,7 @@ long SSL_CTX_set_timeout(SSL_CTX *s, long t)
return(l);
}
-long SSL_CTX_get_timeout(SSL_CTX *s)
+long SSL_CTX_get_timeout(const SSL_CTX *s)
{
if (s == NULL) return(0);
return(s->session_timeout);
diff --git a/lib/libssl/src/ssl/ssl_txt.c b/lib/libssl/src/ssl/ssl_txt.c
index 40b76b1b269..8655a313332 100644
--- a/lib/libssl/src/ssl/ssl_txt.c
+++ b/lib/libssl/src/ssl/ssl_txt.c
@@ -61,7 +61,7 @@
#include "ssl_locl.h"
#ifndef OPENSSL_NO_FP_API
-int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x)
+int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
{
BIO *b;
int ret;
@@ -78,7 +78,7 @@ int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x)
}
#endif
-int SSL_SESSION_print(BIO *bp, SSL_SESSION *x)
+int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
{
unsigned int i;
char *s;
diff --git a/lib/libssl/src/ssl/ssltest.c b/lib/libssl/src/ssl/ssltest.c
index 033f309ffe5..3a0db0cb514 100644
--- a/lib/libssl/src/ssl/ssltest.c
+++ b/lib/libssl/src/ssl/ssltest.c
@@ -120,6 +120,7 @@
#include <string.h>
#include <time.h>
#include <inttypes.h>
+#include <ctype.h>
#define USE_SOCKETS
#include "e_os.h"
@@ -128,12 +129,14 @@
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
+#include <openssl/x509v3.h>
#include <openssl/ssl.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
#include <openssl/err.h>
#include <openssl/rand.h>
+#include <openssl/fips.h>
#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
on Compaq platforms (at least with DEC C).
@@ -169,8 +172,15 @@ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
static void free_tmp_rsa(void);
#endif
static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
-#define APP_CALLBACK "Test Callback Argument"
-static char *app_verify_arg = APP_CALLBACK;
+#define APP_CALLBACK_STRING "Test Callback Argument"
+struct app_verify_arg
+ {
+ char *string;
+ int app_verify;
+ int allow_proxy_certs;
+ char *proxy_auth;
+ char *proxy_cond;
+ };
#ifndef OPENSSL_NO_DH
static DH *get_dh512(void);
@@ -199,8 +209,14 @@ static void sv_usage(void)
{
fprintf(stderr,"usage: ssltest [args ...]\n");
fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+ fprintf(stderr,"-F - run test in FIPS mode\n");
+#endif
fprintf(stderr," -server_auth - check server certificate\n");
fprintf(stderr," -client_auth - do client authentication\n");
+ fprintf(stderr," -proxy - allow proxy certificates\n");
+ fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
+ fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
fprintf(stderr," -v - more output\n");
fprintf(stderr," -d - debug output\n");
fprintf(stderr," -reuse - use session-id reuse\n");
@@ -350,7 +366,8 @@ int main(int argc, char *argv[])
int tls1=0,ssl2=0,ssl3=0,ret=1;
int client_auth=0;
int server_auth=0,i;
- int app_verify=0;
+ struct app_verify_arg app_verify_arg =
+ { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
char *server_cert=TEST_SERVER_CERT;
char *server_key=NULL;
char *client_cert=TEST_CLIENT_CERT;
@@ -370,6 +387,10 @@ int main(int argc, char *argv[])
clock_t s_time = 0, c_time = 0;
int comp = 0;
COMP_METHOD *cm = NULL;
+#ifdef OPENSSL_FIPS
+ int fips_mode=0;
+ const char *path=argv[0];
+#endif
verbose = 0;
debug = 0;
@@ -401,10 +422,29 @@ int main(int argc, char *argv[])
while (argc >= 1)
{
- if (strcmp(*argv,"-server_auth") == 0)
+ if(!strcmp(*argv,"-F"))
+ {
+#ifdef OPENSSL_FIPS
+ fips_mode=1;
+#else
+ fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+ EXIT(0);
+#endif
+ }
+ else if (strcmp(*argv,"-server_auth") == 0)
server_auth=1;
else if (strcmp(*argv,"-client_auth") == 0)
client_auth=1;
+ else if (strcmp(*argv,"-proxy_auth") == 0)
+ {
+ if (--argc < 1) goto bad;
+ app_verify_arg.proxy_auth= *(++argv);
+ }
+ else if (strcmp(*argv,"-proxy_cond") == 0)
+ {
+ if (--argc < 1) goto bad;
+ app_verify_arg.proxy_cond= *(++argv);
+ }
else if (strcmp(*argv,"-v") == 0)
verbose=1;
else if (strcmp(*argv,"-d") == 0)
@@ -517,7 +557,11 @@ int main(int argc, char *argv[])
}
else if (strcmp(*argv,"-app_verify") == 0)
{
- app_verify = 1;
+ app_verify_arg.app_verify = 1;
+ }
+ else if (strcmp(*argv,"-proxy") == 0)
+ {
+ app_verify_arg.allow_proxy_certs = 1;
}
else
{
@@ -535,6 +579,7 @@ bad:
goto end;
}
+
if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
{
fprintf(stderr, "This case cannot work. Use -f to perform "
@@ -544,6 +589,20 @@ bad:
EXIT(1);
}
+#ifdef OPENSSL_FIPS
+ if(fips_mode)
+ {
+ if(!FIPS_mode_set(1,path))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+ else
+ fprintf(stderr,"*** IN FIPS MODE ***\n");
+ }
+#endif
+
if (print_time)
{
if (!bio_pair)
@@ -677,20 +736,14 @@ bad:
SSL_CTX_set_verify(s_ctx,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
- if (app_verify)
- {
- SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
- }
+ SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
}
if (server_auth)
{
BIO_printf(bio_err,"server authentication\n");
SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
verify_callback);
- if (app_verify)
- {
- SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
- }
+ SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
}
{
@@ -1472,6 +1525,22 @@ err:
return(ret);
}
+static int get_proxy_auth_ex_data_idx(void)
+ {
+ static volatile int idx = -1;
+ if (idx < 0)
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+ if (idx < 0)
+ {
+ idx = X509_STORE_CTX_get_ex_new_index(0,
+ "SSLtest for verify callback", NULL,NULL,NULL);
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+ }
+ return idx;
+ }
+
static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
{
char *s,buf[256];
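Review bot: `get_proxy_auth_ex_data_idx` never checks the result of `X509_STORE_CTX_get_ex_new_index`, so a failed registration leaves `idx` at -1 and that value is returned to callers as if it were valid. The callers added later in this diff pass it straight to `X509_STORE_CTX_set_ex_data` and `X509_STORE_CTX_get_ex_data`. If the lookup then returns NULL, `verify_callback` skips its rights narrowing, and the `-proxy_cond` test would presumably be evaluated against the unreduced `-proxy_auth` rights, so the check fails open. Failing loudly before the return is safer, e.g. `if (idx < 0) { fprintf(stderr, "cannot allocate ex_data index\n"); EXIT(1); }`. A short comment should also note that the first `idx < 0` read happens outside the lock and relies on `volatile`.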
@@ -1481,42 +1550,467 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
if (s != NULL)
{
if (ok)
- fprintf(stderr,"depth=%d %s\n",ctx->error_depth,buf);
+ fprintf(stderr,"depth=%d %s\n",
+ ctx->error_depth,buf);
else
+ {
fprintf(stderr,"depth=%d error=%d %s\n",
ctx->error_depth,ctx->error,buf);
+ }
}
if (ok == 0)
{
+ fprintf(stderr,"Error string: %s\n",
+ X509_verify_cert_error_string(ctx->error));
switch (ctx->error)
{
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ fprintf(stderr," ... ignored.\n");
ok=1;
}
}
+ if (ok == 1)
+ {
+ X509 *xs = ctx->current_cert;
+#if 0
+ X509 *xi = ctx->current_issuer;
+#endif
+
+ if (xs->ex_flags & EXFLAG_PROXY)
+ {
+ unsigned int *letters =
+ X509_STORE_CTX_get_ex_data(ctx,
+ get_proxy_auth_ex_data_idx());
+
+ if (letters)
+ {
+ int found_any = 0;
+ int i;
+ PROXY_CERT_INFO_EXTENSION *pci =
+ X509_get_ext_d2i(xs, NID_proxyCertInfo,
+ NULL, NULL);
+
+ switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
+ {
+ case NID_Independent:
+ /* Completely meaningless in this
+ program, as there's no way to
+ grant explicit rights to a
+ specific PrC. Basically, using
+ id-ppl-Independent is the perfect
+ way to grant no rights at all. */
+ fprintf(stderr, " Independent proxy certificate");
+ for (i = 0; i < 26; i++)
+ letters[i] = 0;
+ break;
+ case NID_id_ppl_inheritAll:
+ /* This is basically a NOP, we
+ simply let the current rights
+ stand as they are. */
+ fprintf(stderr, " Proxy certificate inherits all");
+ break;
+ default:
+ s = (char *)
+ pci->proxyPolicy->policy->data;
+ i = pci->proxyPolicy->policy->length;
+
+ /* The algorithm works as follows:
+ it is assumed that previous
+ iterations or the initial granted
+ rights has already set some elements
+ of `letters'. What we need to do is
+ to clear those that weren't granted
+ by the current PrC as well. The
+ easiest way to do this is to add 1
+ to all the elements whose letters
+ are given with the current policy.
+ That way, all elements that are set
+ by the current policy and were
+ already set by earlier policies and
+ through the original grant of rights
+ will get the value 2 or higher.
+ The last thing to do is to sweep
+ through `letters' and keep the
+ elements having the value 2 as set,
+ and clear all the others. */
+
+ fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
+ while(i-- > 0)
+ {
+ char c = *s++;
+ if (isascii(c) && isalpha(c))
+ {
+ if (islower(c))
+ c = toupper(c);
+ letters[c - 'A']++;
+ }
+ }
+ for (i = 0; i < 26; i++)
+ if (letters[i] < 2)
+ letters[i] = 0;
+ else
+ letters[i] = 1;
+ }
+
+ found_any = 0;
+ fprintf(stderr,
+ ", resulting proxy rights = ");
+ for(i = 0; i < 26; i++)
+ if (letters[i])
+ {
+ fprintf(stderr, "%c", i + 'A');
+ found_any = 1;
+ }
+ if (!found_any)
+ fprintf(stderr, "none");
+ fprintf(stderr, "\n");
+
+ PROXY_CERT_INFO_EXTENSION_free(pci);
+ }
+ }
+ }
+
return(ok);
}
+static void process_proxy_debug(int indent, const char *format, ...)
+ {
+ static const char indentation[] =
+ ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
+ ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
+ char my_format[256];
+ va_list args;
+
+ BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
+ indent, indent, indentation, format);
+
+ va_start(args, format);
+ vfprintf(stderr, my_format, args);
+ va_end(args);
+ }
+/* Priority levels:
+ 0 [!]var, ()
+ 1 & ^
+ 2 |
+*/
+static int process_proxy_cond_adders(unsigned int letters[26],
+ const char *cond, const char **cond_end, int *pos, int indent);
+static int process_proxy_cond_val(unsigned int letters[26],
+ const char *cond, const char **cond_end, int *pos, int indent)
+ {
+ char c;
+ int ok = 1;
+ int negate = 0;
+
+ while(isspace(*cond))
+ {
+ cond++; (*pos)++;
+ }
+ c = *cond;
+
+ if (debug)
+ process_proxy_debug(indent,
+ "Start process_proxy_cond_val at position %d: %s\n",
+ *pos, cond);
+
+ while(c == '!')
+ {
+ negate = !negate;
+ cond++; (*pos)++;
+ while(isspace(*cond))
+ {
+ cond++; (*pos)++;
+ }
+ c = *cond;
+ }
+
+ if (c == '(')
+ {
+ cond++; (*pos)++;
+ ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
+ indent + 1);
+ cond = *cond_end;
+ if (ok < 0)
+ goto end;
+ while(isspace(*cond))
+ {
+ cond++; (*pos)++;
+ }
+ c = *cond;
+ if (c != ')')
+ {
+ fprintf(stderr,
+ "Weird condition character in position %d: "
+ "%c\n", *pos, c);
+ ok = -1;
+ goto end;
+ }
+ cond++; (*pos)++;
+ }
+ else if (isascii(c) && isalpha(c))
+ {
+ if (islower(c))
+ c = toupper(c);
+ ok = letters[c - 'A'];
+ cond++; (*pos)++;
+ }
+ else
+ {
+ fprintf(stderr,
+ "Weird condition character in position %d: "
+ "%c\n", *pos, c);
+ ok = -1;
+ goto end;
+ }
+ end:
+ *cond_end = cond;
+ if (ok >= 0 && negate)
+ ok = !ok;
+
+ if (debug)
+ process_proxy_debug(indent,
+ "End process_proxy_cond_val at position %d: %s, returning %d\n",
+ *pos, cond, ok);
+
+ return ok;
+ }
+static int process_proxy_cond_multipliers(unsigned int letters[26],
+ const char *cond, const char **cond_end, int *pos, int indent)
+ {
+ int ok;
+ char c;
+
+ if (debug)
+ process_proxy_debug(indent,
+ "Start process_proxy_cond_multipliers at position %d: %s\n",
+ *pos, cond);
+
+ ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
+ cond = *cond_end;
+ if (ok < 0)
+ goto end;
+
+ while(ok >= 0)
+ {
+ while(isspace(*cond))
+ {
+ cond++; (*pos)++;
+ }
+ c = *cond;
+
+ switch(c)
+ {
+ case '&':
+ case '^':
+ {
+ int save_ok = ok;
+
+ cond++; (*pos)++;
+ ok = process_proxy_cond_val(letters,
+ cond, cond_end, pos, indent + 1);
+ cond = *cond_end;
+ if (ok < 0)
+ break;
+
+ switch(c)
+ {
+ case '&':
+ ok &= save_ok;
+ break;
+ case '^':
+ ok ^= save_ok;
+ break;
+ default:
+ fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
+ " STOPPING\n");
+ EXIT(1);
+ }
+ }
+ break;
+ default:
+ goto end;
+ }
+ }
+ end:
+ if (debug)
+ process_proxy_debug(indent,
+ "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
+ *pos, cond, ok);
+
+ *cond_end = cond;
+ return ok;
+ }
+static int process_proxy_cond_adders(unsigned int letters[26],
+ const char *cond, const char **cond_end, int *pos, int indent)
+ {
+ int ok;
+ char c;
+
+ if (debug)
+ process_proxy_debug(indent,
+ "Start process_proxy_cond_adders at position %d: %s\n",
+ *pos, cond);
+
+ ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
+ indent + 1);
+ cond = *cond_end;
+ if (ok < 0)
+ goto end;
+
+ while(ok >= 0)
+ {
+ while(isspace(*cond))
+ {
+ cond++; (*pos)++;
+ }
+ c = *cond;
+
+ switch(c)
+ {
+ case '|':
+ {
+ int save_ok = ok;
+
+ cond++; (*pos)++;
+ ok = process_proxy_cond_multipliers(letters,
+ cond, cond_end, pos, indent + 1);
+ cond = *cond_end;
+ if (ok < 0)
+ break;
+
+ switch(c)
+ {
+ case '|':
+ ok |= save_ok;
+ break;
+ default:
+ fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
+ " STOPPING\n");
+ EXIT(1);
+ }
+ }
+ break;
+ default:
+ goto end;
+ }
+ }
+ end:
+ if (debug)
+ process_proxy_debug(indent,
+ "End process_proxy_cond_adders at position %d: %s, returning %d\n",
+ *pos, cond, ok);
+
+ *cond_end = cond;
+ return ok;
+ }
+
+static int process_proxy_cond(unsigned int letters[26],
+ const char *cond, const char **cond_end)
+ {
+ int pos = 1;
+ return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
+ }
+
static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
{
- char *s = NULL,buf[256];
int ok=1;
+ struct app_verify_arg *cb_arg = arg;
+ unsigned int letters[26]; /* only used with proxy_auth */
- fprintf(stderr, "In app_verify_callback, allowing cert. ");
- fprintf(stderr, "Arg is: %s\n", (char *)arg);
- fprintf(stderr, "Finished printing do we have a context? 0x%lx a cert? 0x%lx\n",
- (uintptr_t)ctx, (uintptr_t)ctx->cert);
- if (ctx->cert)
- s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
- if (s != NULL)
+ if (cb_arg->app_verify)
{
+ char *s = NULL,buf[256];
+
+ fprintf(stderr, "In app_verify_callback, allowing cert. ");
+ fprintf(stderr, "Arg is: %s\n", cb_arg->string);
+ fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
+ (unsigned int)ctx, (unsigned int)ctx->cert);
+ if (ctx->cert)
+ s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
+ if (s != NULL)
+ {
fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
+ }
+ return(1);
}
+ if (cb_arg->proxy_auth)
+ {
+ int found_any = 0, i;
+ char *sp;
+
+ for(i = 0; i < 26; i++)
+ letters[i] = 0;
+ for(sp = cb_arg->proxy_auth; *sp; sp++)
+ {
+ char c = *sp;
+ if (isascii(c) && isalpha(c))
+ {
+ if (islower(c))
+ c = toupper(c);
+ letters[c - 'A'] = 1;
+ }
+ }
+ fprintf(stderr,
+ " Initial proxy rights = ");
+ for(i = 0; i < 26; i++)
+ if (letters[i])
+ {
+ fprintf(stderr, "%c", i + 'A');
+ found_any = 1;
+ }
+ if (!found_any)
+ fprintf(stderr, "none");
+ fprintf(stderr, "\n");
+
+ X509_STORE_CTX_set_ex_data(ctx,
+ get_proxy_auth_ex_data_idx(),letters);
+ }
+ if (cb_arg->allow_proxy_certs)
+ {
+ X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+ }
+
+#ifndef OPENSSL_NO_X509_VERIFY
+# ifdef OPENSSL_FIPS
+ if(s->version == TLS1_VERSION)
+ FIPS_allow_md5(1);
+# endif
+ ok = X509_verify_cert(ctx);
+# ifdef OPENSSL_FIPS
+ if(s->version == TLS1_VERSION)
+ FIPS_allow_md5(0);
+# endif
+#endif
+
+ if (cb_arg->proxy_auth)
+ {
+ if (ok)
+ {
+ const char *cond_end = NULL;
+
+ ok = process_proxy_cond(letters,
+ cb_arg->proxy_cond, &cond_end);
+
+ if (ok < 0)
+ EXIT(3);
+ if (*cond_end)
+ {
+ fprintf(stderr, "Stopped processing condition before it's end.\n");
+ ok = 0;
+ }
+ if (!ok)
+ fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
+ cb_arg->proxy_cond);
+ else
+ fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
+ cb_arg->proxy_cond);
+ }
+ }
return(ok);
}
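Review bot: `app_verify_callback` passes `cb_arg->proxy_cond` to `process_proxy_cond` whenever `proxy_auth` is set, but `-proxy_auth` and `-proxy_cond` are parsed independently and `proxy_cond` is initialised to NULL, so running with `-proxy_auth` alone reaches `isspace(*cond)` on a null pointer. Guard it before the evaluation, e.g. `if (cb_arg->proxy_cond == NULL) { fprintf(stderr, "-proxy_auth requires -proxy_cond\n"); EXIT(3); }`, or reject the combination during option parsing. In the same function the `OPENSSL_FIPS` branches test `s->version`, yet the only `s` visible is the `char *` declared inside the `app_verify` block, so that path does not look like it can compile as written. The debug line now casts `ctx` and `ctx->cert` to `unsigned int` for `0x%x`, which truncates pointers on 64-bit targets; `%p` with a `(void *)` cast avoids that. In `verify_callback`, the result of `X509_get_ext_d2i` is dereferenced as `pci->proxyPolicy` without a NULL check on data taken from the peer's certificate.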
diff --git a/lib/libssl/src/ssl/t1_enc.c b/lib/libssl/src/ssl/t1_enc.c
index 271e247eea7..2c6246abf54 100644
--- a/lib/libssl/src/ssl/t1_enc.c
+++ b/lib/libssl/src/ssl/t1_enc.c
@@ -115,6 +115,7 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/md5.h>
+#include <openssl/fips.h>
static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
int sec_len, unsigned char *seed, int seed_len,
@@ -131,6 +132,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
HMAC_CTX_init(&ctx);
HMAC_CTX_init(&ctx_tmp);
+ HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
HMAC_Update(&ctx,seed,seed_len);
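Review bot: The two `HMAC_CTX_set_flags(..., EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)` calls carry no comment and apply to every digest passed in as `md`, not only to the one that needs the exemption. The context lines of the next hunk show `tls1_PRF` calling this helper with both `md5` and `sha1`, so the flag is presumably there for the MD5 half of the TLS 1.0 PRF. A comment should say so, e.g. `/* TLS 1.0 PRF combines HMAC-MD5 and HMAC-SHA1; allow the MD5 half when in FIPS mode */`. Without one, a later reader cannot tell a deliberate protocol exemption from a blanket bypass of the FIPS digest restriction. The body of tls1_P_hash begins and continues outside the hunk.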
@@ -177,7 +180,6 @@ static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
S2= &(sec[len]);
len+=(slen&1); /* add for odd, make longer */
-
tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
diff --git a/lib/libssl/src/test/maketests.com b/lib/libssl/src/test/maketests.com
index 7c44e4545a9..dfbfef7b1bb 100644
--- a/lib/libssl/src/test/maketests.com
+++ b/lib/libssl/src/test/maketests.com
@@ -615,7 +615,7 @@ $ IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
THEN CC = "CC/DECC"
$ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
"/NOLIST/PREFIX=ALL" + -
- "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+ "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
$!
$! Define The Linker Options File Name.
$!
@@ -648,7 +648,7 @@ $ EXIT
$ ENDIF
$ IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
$ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
- "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+ "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
$ CCDEFS = CCDEFS + ",""VAXC"""
$!
$! Define <sys> As SYS$COMMON:[SYSLIB]
@@ -679,7 +679,7 @@ $!
$! Use GNU C...
$!
$ CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
- "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+ "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
$!
$! Define The Linker Options File Name.
$!
diff --git a/lib/libssl/src/test/tcrl b/lib/libssl/src/test/tcrl
index f71ef7a8630..3ffed12a036 100644
--- a/lib/libssl/src/test/tcrl
+++ b/lib/libssl/src/test/tcrl
@@ -7,7 +7,7 @@ else
fi
export PATH
-cmd='../apps/openssl crl'
+cmd='../util/shlib_wrap.sh ../apps/openssl crl'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/lib/libssl/src/test/testca b/lib/libssl/src/test/testca
index 8215ebb5d1d..5b2faa78f15 100644
--- a/lib/libssl/src/test/testca
+++ b/lib/libssl/src/test/testca
@@ -11,6 +11,9 @@ export SH PATH
SSLEAY_CONFIG="-config CAss.cnf"
export SSLEAY_CONFIG
+OPENSSL="`pwd`/../util/shlib_wrap.sh openssl"
+export OPENSSL
+
/bin/rm -fr demoCA
$SH ../apps/CA.sh -newca <<EOF
EOF
diff --git a/lib/libssl/src/test/testenc b/lib/libssl/src/test/testenc
index 0656c7f5254..4571ea28754 100644
--- a/lib/libssl/src/test/testenc
+++ b/lib/libssl/src/test/testenc
@@ -1,14 +1,14 @@
#!/bin/sh
-testsrc=Makefile.ssl
+testsrc=Makefile
test=./p
-cmd=../apps/openssl
+cmd="../util/shlib_wrap.sh ../apps/openssl"
cat $testsrc >$test;
echo cat
-$cmd enc < $test > $test.cipher
-$cmd enc < $test.cipher >$test.clear
+$cmd enc -non-fips-allow < $test > $test.cipher
+$cmd enc -non-fips-allow < $test.cipher >$test.clear
cmp $test $test.clear
if [ $? != 0 ]
then
@@ -17,8 +17,8 @@ else
/bin/rm $test.cipher $test.clear
fi
echo base64
-$cmd enc -a -e < $test > $test.cipher
-$cmd enc -a -d < $test.cipher >$test.clear
+$cmd enc -non-fips-allow -a -e < $test > $test.cipher
+$cmd enc -non-fips-allow -a -d < $test.cipher >$test.clear
cmp $test $test.clear
if [ $? != 0 ]
then
@@ -30,8 +30,8 @@ fi
for i in `$cmd list-cipher-commands`
do
echo $i
- $cmd $i -bufsize 113 -e -k test < $test > $test.$i.cipher
- $cmd $i -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
+ $cmd $i -non-fips-allow -bufsize 113 -e -k test < $test > $test.$i.cipher
+ $cmd $i -non-fips-allow -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
cmp $test $test.$i.clear
if [ $? != 0 ]
then
@@ -41,8 +41,8 @@ do
fi
echo $i base64
- $cmd $i -bufsize 113 -a -e -k test < $test > $test.$i.cipher
- $cmd $i -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
+ $cmd $i -non-fips-allow -bufsize 113 -a -e -k test < $test > $test.$i.cipher
+ $cmd $i -non-fips-allow -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
cmp $test $test.$i.clear
if [ $? != 0 ]
then
diff --git a/lib/libssl/src/test/testenc.com b/lib/libssl/src/test/testenc.com
index c24fa388c06..5e6f521f9de 100644
--- a/lib/libssl/src/test/testenc.com
+++ b/lib/libssl/src/test/testenc.com
@@ -4,7 +4,7 @@ $ __arch := VAX
$ if f$getsyi("cpu") .ge. 128 then __arch := AXP
$ exe_dir := sys$disk:[-.'__arch'.exe.apps]
$
-$ testsrc := makefile.ssl
+$ testsrc := makefile.
$ test := p.txt
$ cmd := mcr 'exe_dir'openssl
$
diff --git a/lib/libssl/src/test/testgen b/lib/libssl/src/test/testgen
index 3798543e047..524c0d134c8 100644
--- a/lib/libssl/src/test/testgen
+++ b/lib/libssl/src/test/testgen
@@ -17,7 +17,7 @@ echo "generating certificate request"
echo "string to make the random number generator think it has entropy" >> ./.rnd
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
req_new='-newkey dsa:../apps/dsa512.pem'
else
req_new='-new'
@@ -29,13 +29,13 @@ echo "This could take some time."
rm -f testkey.pem testreq.pem
-../apps/openssl req -config test.cnf $req_new -out testreq.pem
+../util/shlib_wrap.sh ../apps/openssl req -config test.cnf $req_new -out testreq.pem
if [ $? != 0 ]; then
echo problems creating request
exit 1
fi
-../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
+../util/shlib_wrap.sh ../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
if [ $? != 0 ]; then
echo signature on req is wrong
exit 1
diff --git a/lib/libssl/src/test/testss b/lib/libssl/src/test/testss
index 8d3557f356d..1a426857d31 100644
--- a/lib/libssl/src/test/testss
+++ b/lib/libssl/src/test/testss
@@ -1,9 +1,9 @@
#!/bin/sh
-digest='-md5'
-reqcmd="../apps/openssl req"
-x509cmd="../apps/openssl x509 $digest"
-verifycmd="../apps/openssl verify"
+digest='-sha1'
+reqcmd="../util/shlib_wrap.sh ../apps/openssl req"
+x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest"
+verifycmd="../util/shlib_wrap.sh ../apps/openssl verify"
dummycnf="../apps/openssl.cnf"
CAkey="keyCA.ss"
@@ -17,12 +17,24 @@ Ukey="keyU.ss"
Ureq="reqU.ss"
Ucert="certU.ss"
+P1conf="P1ss.cnf"
+P1key="keyP1.ss"
+P1req="reqP1.ss"
+P1cert="certP1.ss"
+P1intermediate="tmp_intP1.ss"
+
+P2conf="P2ss.cnf"
+P2key="keyP2.ss"
+P2req="reqP2.ss"
+P2cert="certP2.ss"
+P2intermediate="tmp_intP2.ss"
+
echo
echo "make a certificate request using 'req'"
echo "string to make the random number generator think it has entropy" >> ./.rnd
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
req_new='-newkey dsa:../apps/dsa512.pem'
else
req_new='-new'
@@ -35,7 +47,7 @@ if [ $? != 0 ]; then
fi
echo
echo "convert the certificate request into a self signed certificate using 'x509'"
-$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey >err.ss
+$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss
if [ $? != 0 ]; then
echo "error using 'x509' to self sign a certificate request"
exit 1
@@ -68,18 +80,18 @@ if [ $? != 0 ]; then
fi
echo
-echo "make another certificate request using 'req'"
+echo "make a user certificate request using 'req'"
$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss
if [ $? != 0 ]; then
- echo "error using 'req' to generate a certificate request"
+ echo "error using 'req' to generate a user certificate request"
exit 1
fi
echo
-echo "sign certificate request with the just created CA via 'x509'"
-$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey >err.ss
+echo "sign user certificate request with the just created CA via 'x509'"
+$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss
if [ $? != 0 ]; then
- echo "error using 'x509' to sign a certificate request"
+ echo "error using 'x509' to sign a user certificate request"
exit 1
fi
@@ -89,11 +101,63 @@ echo "Certificate details"
$x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
echo
+echo "make a proxy certificate request using 'req'"
+$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss
+if [ $? != 0 ]; then
+ echo "error using 'req' to generate a proxy certificate request"
+ exit 1
+fi
+
+echo
+echo "sign proxy certificate request with the just created user certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+ echo "error using 'x509' to sign a proxy certificate request"
+ exit 1
+fi
+
+cat $Ucert > $P1intermediate
+$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert
+
+echo
+echo "make another proxy certificate request using 'req'"
+$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss
+if [ $? != 0 ]; then
+ echo "error using 'req' to generate another proxy certificate request"
+ exit 1
+fi
+
+echo
+echo "sign second proxy certificate request with the first proxy certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+ echo "error using 'x509' to sign a second proxy certificate request"
+ exit 1
+fi
+
+cat $Ucert $P1cert > $P2intermediate
+$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert
+
+echo
echo The generated CA certificate is $CAcert
echo The generated CA private key is $CAkey
echo The generated user certificate is $Ucert
echo The generated user private key is $Ukey
+echo The first generated proxy certificate is $P1cert
+echo The first generated proxy private key is $P1key
+
+echo The second generated proxy certificate is $P2cert
+echo The second generated proxy private key is $P2key
+
/bin/rm err.ss
+#/bin/rm $P1intermediate
+#/bin/rm $P2intermediate
exit 0
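Review bot: The two added `$verifycmd -CAfile $CAcert -untrusted ...` calls for `$P1cert` and `$P2cert` are the only new steps in this hunk whose exit status is not tested, so a proxy chain that fails to verify would still reach `exit 0`. Every added `req` and `x509` step is followed by `if [ $? != 0 ]; then ... exit 1; fi`; the verify calls should get the same guard, for example `$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert || exit 1`. Whether `verify` in this version returns non-zero on a failed chain is not visible here, so the guard may also need to inspect its output. The commented-out `/bin/rm` lines leave `tmp_intP1.ss` and `tmp_intP2.ss` behind; a short comment saying why they are kept would help.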
diff --git a/lib/libssl/src/test/testssl b/lib/libssl/src/test/testssl
index ca8e718022a..8ac90ae5eec 100644
--- a/lib/libssl/src/test/testssl
+++ b/lib/libssl/src/test/testssl
@@ -10,9 +10,9 @@ if [ "$2" = "" ]; then
else
cert="$2"
fi
-ssltest="./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
+ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
-if ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
+if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
dsa_cert=YES
else
dsa_cert=NO
@@ -121,24 +121,24 @@ $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
#############################################################################
-if ../apps/openssl no-dh; then
+if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
echo skipping anonymous DH tests
else
echo test tls1 with 1024bit anonymous DH, multiple handshakes
$ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
fi
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
echo skipping RSA tests
else
echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
- ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
+ ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
- if ../apps/openssl no-dh; then
+ if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
echo skipping RSA+DHE tests
else
echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
- ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+ ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
fi
fi
diff --git a/lib/libssl/src/test/tpkcs7 b/lib/libssl/src/test/tpkcs7
index cf3bd9fadbe..79bb6e0edff 100644
--- a/lib/libssl/src/test/tpkcs7
+++ b/lib/libssl/src/test/tpkcs7
@@ -7,7 +7,7 @@ else
fi
export PATH
-cmd='../apps/openssl pkcs7'
+cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/lib/libssl/src/test/tpkcs7d b/lib/libssl/src/test/tpkcs7d
index 18f9311b068..20394b34c4f 100644
--- a/lib/libssl/src/test/tpkcs7d
+++ b/lib/libssl/src/test/tpkcs7d
@@ -7,7 +7,7 @@ else
fi
export PATH
-cmd='../apps/openssl pkcs7'
+cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/lib/libssl/src/test/treq b/lib/libssl/src/test/treq
index 47a8273cde6..7e020210a54 100644
--- a/lib/libssl/src/test/treq
+++ b/lib/libssl/src/test/treq
@@ -7,7 +7,7 @@ else
fi
export PATH
-cmd='../apps/openssl req -config ../apps/openssl.cnf'
+cmd='../util/shlib_wrap.sh ../apps/openssl req -config ../apps/openssl.cnf'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/lib/libssl/src/test/trsa b/lib/libssl/src/test/trsa
index 413e2ec0a0c..67b4a988410 100644
--- a/lib/libssl/src/test/trsa
+++ b/lib/libssl/src/test/trsa
@@ -7,12 +7,12 @@ else
fi
export PATH
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
echo skipping rsa conversion test
exit 0
fi
-cmd='../apps/openssl rsa'
+cmd='../util/shlib_wrap.sh ../apps/openssl rsa'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/lib/libssl/src/test/tsid b/lib/libssl/src/test/tsid
index 40a1dfa97ce..fb4a7213b91 100644
--- a/lib/libssl/src/test/tsid
+++ b/lib/libssl/src/test/tsid
@@ -7,7 +7,7 @@ else
fi
export PATH
-cmd='../apps/openssl sess_id'
+cmd='../util/shlib_wrap.sh ../apps/openssl sess_id'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/lib/libssl/src/test/tx509 b/lib/libssl/src/test/tx509
index d380963abce..1b9c8661f3c 100644
--- a/lib/libssl/src/test/tx509
+++ b/lib/libssl/src/test/tx509
@@ -7,7 +7,7 @@ else
fi
export PATH
-cmd='../apps/openssl x509'
+cmd='../util/shlib_wrap.sh ../apps/openssl x509'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/lib/libssl/src/tools/c_issuer b/lib/libssl/src/tools/c_issuer
index 4c691201bb4..55821ab740d 100644
--- a/lib/libssl/src/tools/c_issuer
+++ b/lib/libssl/src/tools/c_issuer
@@ -6,5 +6,5 @@
for i in $*
do
n=`openssl x509 -issuer -noout -in $i`
- echo "$i\t$n"
+ echo "$i $n"
done
diff --git a/lib/libssl/src/util/cygwin.sh b/lib/libssl/src/util/cygwin.sh
index 930f766b4ff..7f791d47f4b 100644
--- a/lib/libssl/src/util/cygwin.sh
+++ b/lib/libssl/src/util/cygwin.sh
@@ -21,11 +21,11 @@ function cleanup()
function get_openssl_version()
{
- eval `grep '^VERSION=' Makefile.ssl`
+ eval `grep '^VERSION=' Makefile`
if [ -z "${VERSION}" ]
then
- echo "Error: Couldn't retrieve OpenSSL version from Makefile.ssl."
- echo " Check value of variable VERSION in Makefile.ssl."
+ echo "Error: Couldn't retrieve OpenSSL version from Makefile."
+ echo " Check value of variable VERSION in Makefile."
exit 1
fi
}
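Review bot: The `eval` of the `grep '^VERSION=' Makefile` output in get_openssl_version runs whatever follows `VERSION=` in the Makefile as shell code, and runs every matching line if there is more than one. Extracting the value without `eval` avoids executing file content: `VERSION=$(sed -n 's/^VERSION=//p' Makefile | head -n 1)`. The existing `-z "${VERSION}"` check still reports a missing value.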
@@ -39,7 +39,7 @@ function base_install()
function doc_install()
{
- DOC_DIR=${INSTALL_PREFIX}/usr/doc/openssl
+ DOC_DIR=${INSTALL_PREFIX}/usr/share/doc/openssl
mkdir -p ${DOC_DIR}
cp CHANGES CHANGES.SSLeay INSTALL LICENSE NEWS README ${DOC_DIR}
@@ -49,7 +49,7 @@ function doc_install()
function create_cygwin_readme()
{
- README_DIR=${INSTALL_PREFIX}/usr/doc/Cygwin
+ README_DIR=${INSTALL_PREFIX}/usr/share/doc/Cygwin
README_FILE=${README_DIR}/openssl-${VERSION}.README
mkdir -p ${README_DIR}
@@ -112,8 +112,8 @@ cd ${INSTALL_PREFIX}
strip usr/bin/*.exe usr/bin/*.dll
# Runtime package
-find etc usr/bin usr/doc usr/ssl/certs usr/ssl/man/man[157] usr/ssl/misc \
- usr/ssl/openssl.cnf usr/ssl/private -empty -o \! -type d |
+find etc usr/bin usr/share/doc usr/ssl/certs usr/ssl/man/man[157] \
+ usr/ssl/misc usr/ssl/openssl.cnf usr/ssl/private -empty -o \! -type d |
tar cjfT openssl-${VERSION}-${SUBVERSION}.tar.bz2 -
# Development package
find usr/include usr/lib usr/ssl/man/man3 -empty -o \! -type d |
diff --git a/lib/libssl/src/util/domd b/lib/libssl/src/util/domd
index 49310bbdd1a..5610521f0b8 100644
--- a/lib/libssl/src/util/domd
+++ b/lib/libssl/src/util/domd
@@ -11,7 +11,7 @@ if [ "$1" = "-MD" ]; then
fi
if [ "$MAKEDEPEND" = "" ]; then MAKEDEPEND=makedepend; fi
-cp Makefile.ssl Makefile.save
+cp Makefile Makefile.save
# fake the presence of Kerberos
touch $TOP/krb5.h
if [ "$MAKEDEPEND" = "gcc" ]; then
@@ -20,15 +20,15 @@ if [ "$MAKEDEPEND" = "gcc" ]; then
if [ "$1" != "--" ]; then args="$args $1"; fi
shift
done
- sed -e '/^# DO NOT DELETE.*/,$d' < Makefile.ssl > Makefile.tmp
+ sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp
echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp
gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp
${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
rm -f Makefile.tmp
else
- ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND -f Makefile.ssl $@
- ${PERL} $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new
+ ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND -f Makefile $@
+ ${PERL} $TOP/util/clean-depend.pl < Makefile > Makefile.new
fi
-mv Makefile.new Makefile.ssl
+mv Makefile.new Makefile
# unfake the presence of Kerberos
rm $TOP/krb5.h
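Review bot: `mv Makefile.new Makefile` runs whether or not the preceding `gcc -M`, `${MAKEDEPEND}` or `clean-depend.pl` step succeeded, so a failed dependency run can replace the Makefile with an empty or truncated file. Guarding the move, `[ -s Makefile.new ] && mv Makefile.new Makefile`, keeps the working Makefile in place; today the only fallback is the `Makefile.save` copy made in the previous hunk. The `rm $TOP/krb5.h` cleanup should still run on the failure path.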
diff --git a/lib/libssl/src/util/libeay.num b/lib/libssl/src/util/libeay.num
index 203c7713e72..56fb7446e04 100644
--- a/lib/libssl/src/util/libeay.num
+++ b/lib/libssl/src/util/libeay.num
@@ -284,20 +284,20 @@ EVP_add_alias 291 NOEXIST::FUNCTION:
EVP_add_cipher 292 EXIST::FUNCTION:
EVP_add_digest 293 EXIST::FUNCTION:
EVP_bf_cbc 294 EXIST::FUNCTION:BF
-EVP_bf_cfb 295 EXIST::FUNCTION:BF
+EVP_bf_cfb64 295 EXIST::FUNCTION:BF
EVP_bf_ecb 296 EXIST::FUNCTION:BF
EVP_bf_ofb 297 EXIST::FUNCTION:BF
EVP_cleanup 298 EXIST::FUNCTION:
EVP_des_cbc 299 EXIST::FUNCTION:DES
-EVP_des_cfb 300 EXIST::FUNCTION:DES
+EVP_des_cfb64 300 EXIST::FUNCTION:DES
EVP_des_ecb 301 EXIST::FUNCTION:DES
EVP_des_ede 302 EXIST::FUNCTION:DES
EVP_des_ede3 303 EXIST::FUNCTION:DES
EVP_des_ede3_cbc 304 EXIST::FUNCTION:DES
-EVP_des_ede3_cfb 305 EXIST::FUNCTION:DES
+EVP_des_ede3_cfb64 305 EXIST::FUNCTION:DES
EVP_des_ede3_ofb 306 EXIST::FUNCTION:DES
EVP_des_ede_cbc 307 EXIST::FUNCTION:DES
-EVP_des_ede_cfb 308 EXIST::FUNCTION:DES
+EVP_des_ede_cfb64 308 EXIST::FUNCTION:DES
EVP_des_ede_ofb 309 EXIST::FUNCTION:DES
EVP_des_ofb 310 EXIST::FUNCTION:DES
EVP_desx_cbc 311 EXIST::FUNCTION:DES
@@ -308,14 +308,14 @@ EVP_get_cipherbyname 315 EXIST::FUNCTION:
EVP_get_digestbyname 316 EXIST::FUNCTION:
EVP_get_pw_prompt 317 EXIST::FUNCTION:
EVP_idea_cbc 318 EXIST::FUNCTION:IDEA
-EVP_idea_cfb 319 EXIST::FUNCTION:IDEA
+EVP_idea_cfb64 319 EXIST::FUNCTION:IDEA
EVP_idea_ecb 320 EXIST::FUNCTION:IDEA
EVP_idea_ofb 321 EXIST::FUNCTION:IDEA
EVP_md2 322 EXIST::FUNCTION:MD2
EVP_md5 323 EXIST::FUNCTION:MD5
EVP_md_null 324 EXIST::FUNCTION:
EVP_rc2_cbc 325 EXIST::FUNCTION:RC2
-EVP_rc2_cfb 326 EXIST::FUNCTION:RC2
+EVP_rc2_cfb64 326 EXIST::FUNCTION:RC2
EVP_rc2_ecb 327 EXIST::FUNCTION:RC2
EVP_rc2_ofb 328 EXIST::FUNCTION:RC2
EVP_rc4 329 EXIST::FUNCTION:RC4
@@ -962,7 +962,7 @@ i2t_ASN1_OBJECT 979 EXIST::FUNCTION:
BN_BLINDING_new 980 EXIST::FUNCTION:
BN_BLINDING_free 981 EXIST::FUNCTION:
EVP_cast5_cbc 983 EXIST::FUNCTION:CAST
-EVP_cast5_cfb 984 EXIST::FUNCTION:CAST
+EVP_cast5_cfb64 984 EXIST::FUNCTION:CAST
EVP_cast5_ecb 985 EXIST::FUNCTION:CAST
EVP_cast5_ofb 986 EXIST::FUNCTION:CAST
BF_decrypt 987 EXIST::FUNCTION:BF
@@ -1057,7 +1057,7 @@ EVP_CIPHER_param_to_asn1 1084 EXIST::FUNCTION:
EVP_CIPHER_get_asn1_iv 1085 EXIST::FUNCTION:
EVP_CIPHER_set_asn1_iv 1086 EXIST::FUNCTION:
EVP_rc5_32_12_16_cbc 1087 EXIST::FUNCTION:RC5
-EVP_rc5_32_12_16_cfb 1088 EXIST::FUNCTION:RC5
+EVP_rc5_32_12_16_cfb64 1088 EXIST::FUNCTION:RC5
EVP_rc5_32_12_16_ecb 1089 EXIST::FUNCTION:RC5
EVP_rc5_32_12_16_ofb 1090 EXIST::FUNCTION:RC5
asn1_add_error 1091 EXIST::FUNCTION:
@@ -2776,10 +2776,10 @@ ENGINE_load_4758cca 3218 EXIST::FUNCTION:ENGINE
_ossl_096_des_random_seed 3219 EXIST::FUNCTION:DES
EVP_aes_256_ofb 3220 EXIST::FUNCTION:AES
EVP_aes_192_ofb 3221 EXIST::FUNCTION:AES
-EVP_aes_128_cfb 3222 EXIST::FUNCTION:AES
-EVP_aes_256_cfb 3223 EXIST::FUNCTION:AES
+EVP_aes_128_cfb128 3222 EXIST::FUNCTION:AES
+EVP_aes_256_cfb128 3223 EXIST::FUNCTION:AES
EVP_aes_128_ofb 3224 EXIST::FUNCTION:AES
-EVP_aes_192_cfb 3225 EXIST::FUNCTION:AES
+EVP_aes_192_cfb128 3225 EXIST::FUNCTION:AES
CONF_modules_free 3226 EXIST::FUNCTION:
NCONF_default 3227 EXIST::FUNCTION:
OPENSSL_no_config 3228 EXIST::FUNCTION:
@@ -2803,3 +2803,67 @@ OpenSSLDie 3244 EXIST::FUNCTION:
OPENSSL_cleanse 3245 EXIST::FUNCTION:
ENGINE_setup_bsd_cryptodev 3246 EXIST:__FreeBSD__:FUNCTION:ENGINE
ERR_release_err_state_table 3247 EXIST::FUNCTION:LHASH
+EVP_aes_128_cfb8 3248 EXIST::FUNCTION:AES
+FIPS_corrupt_rsa 3249 EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_des 3250 EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_aes_128_cfb1 3251 EXIST::FUNCTION:AES
+EVP_aes_192_cfb8 3252 EXIST::FUNCTION:AES
+FIPS_mode_set 3253 EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_dsa 3254 EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_aes_256_cfb8 3255 EXIST::FUNCTION:AES
+FIPS_allow_md5 3256 EXIST:OPENSSL_FIPS:FUNCTION:
+DES_ede3_cfb_encrypt 3257 EXIST::FUNCTION:DES
+EVP_des_ede3_cfb8 3258 EXIST::FUNCTION:DES
+FIPS_rand_seeded 3259 EXIST:OPENSSL_FIPS:FUNCTION:
+AES_cfbr_encrypt_block 3260 EXIST::FUNCTION:AES
+AES_cfb8_encrypt 3261 EXIST::FUNCTION:AES
+FIPS_rand_seed 3262 EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_des 3263 EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_aes_192_cfb1 3264 EXIST::FUNCTION:AES
+FIPS_selftest_aes 3265 EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_set_prng_key 3266 EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_des_cfb8 3267 EXIST::FUNCTION:DES
+FIPS_corrupt_dsa 3268 EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_test_mode 3269 EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_rand_method 3270 EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_aes_256_cfb1 3271 EXIST::FUNCTION:AES
+ERR_load_FIPS_strings 3272 EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_aes 3273 EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_sha1 3274 EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_rsa 3275 EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_sha1 3276 EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_des_cfb1 3277 EXIST::FUNCTION:DES
+FIPS_dsa_check 3278 EXIST:OPENSSL_FIPS:FUNCTION:
+AES_cfb1_encrypt 3279 EXIST::FUNCTION:AES
+EVP_des_ede3_cfb1 3280 EXIST::FUNCTION:DES
+FIPS_rand_check 3281 EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_md5_allowed 3282 EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_mode 3283 EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_failed 3284 EXIST:OPENSSL_FIPS:FUNCTION:
+sk_is_sorted 3285 EXIST::FUNCTION:
+X509_check_ca 3286 EXIST::FUNCTION:
+private_idea_set_encrypt_key 3287 EXIST:OPENSSL_FIPS:FUNCTION:IDEA
+HMAC_CTX_set_flags 3288 EXIST::FUNCTION:HMAC
+private_SHA_Init 3289 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA0
+private_CAST_set_key 3290 EXIST:OPENSSL_FIPS:FUNCTION:CAST
+private_RIPEMD160_Init 3291 EXIST:OPENSSL_FIPS:FUNCTION:RIPEMD
+private_RC5_32_set_key 3292 EXIST:OPENSSL_FIPS:FUNCTION:RC5
+private_MD5_Init 3293 EXIST:OPENSSL_FIPS:FUNCTION:MD5
+private_RC4_set_key 3294 EXIST:OPENSSL_FIPS:FUNCTION:RC4
+private_MDC2_Init 3295 EXIST:OPENSSL_FIPS:FUNCTION:MDC2
+private_RC2_set_key 3296 EXIST:OPENSSL_FIPS:FUNCTION:RC2
+private_MD4_Init 3297 EXIST:OPENSSL_FIPS:FUNCTION:MD4
+private_BF_set_key 3298 EXIST:OPENSSL_FIPS:FUNCTION:BF
+private_MD2_Init 3299 EXIST:OPENSSL_FIPS:FUNCTION:MD2
+d2i_PROXY_CERT_INFO_EXTENSION 3300 EXIST::FUNCTION:
+PROXY_POLICY_it 3301 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PROXY_POLICY_it 3301 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+i2d_PROXY_POLICY 3302 EXIST::FUNCTION:
+i2d_PROXY_CERT_INFO_EXTENSION 3303 EXIST::FUNCTION:
+d2i_PROXY_POLICY 3304 EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_new 3305 EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_free 3306 EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_it 3307 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PROXY_CERT_INFO_EXTENSION_it 3307 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+PROXY_POLICY_free 3308 EXIST::FUNCTION:
+PROXY_POLICY_new 3309 EXIST::FUNCTION:
diff --git a/lib/libssl/src/util/mk1mf.pl b/lib/libssl/src/util/mk1mf.pl
index b4bc0457e54..957264c6b54 100644
--- a/lib/libssl/src/util/mk1mf.pl
+++ b/lib/libssl/src/util/mk1mf.pl
@@ -10,7 +10,7 @@ $OPTIONS="";
$ssl_version="";
$banner="\t\@echo Building OpenSSL";
-open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n";
+open(IN,"<Makefile") || die "unable to open Makefile!\n";
while(<IN>) {
$ssl_version=$1 if (/^VERSION=(.*)$/);
$OPTIONS=$1 if (/^OPTIONS=(.*)$/);
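Review bot: The changed `open(IN,"<Makefile")` line keeps the two-argument form with a bareword handle, and its `die` message omits `$!`, so a missing file and a permissions problem produce the same text. `open(my $in, '<', 'Makefile') || die "unable to open Makefile: $!\n";` with `while (<$in>)` gives a lexical handle and the reason for the failure; the matching `close(IN)` in the next hunk would change with it. The same two-argument form is on the changed `open` lines in util/mkdef.pl (including `open MF, 'Makefile'` in get_version) and util/selftest.pl. The `while` loop continues outside this hunk.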
@@ -18,7 +18,7 @@ while(<IN>) {
}
close(IN);
-die "Makefile.ssl is not the toplevel Makefile!\n" if $ssl_version eq "";
+die "Makefile is not the toplevel Makefile!\n" if $ssl_version eq "";
$infile="MINFO";
@@ -222,7 +222,7 @@ $cflags.=" -DOPENSSL_NO_SHA" if $no_sha;
$cflags.=" -DOPENSSL_NO_SHA1" if $no_sha1;
$cflags.=" -DOPENSSL_NO_RIPEMD" if $no_ripemd;
$cflags.=" -DOPENSSL_NO_MDC2" if $no_mdc2;
-$cflags.=" -DOPENSSL_NO_BF" if $no_bf;
+$cflags.=" -DOPENSSL_NO_BF" if $no_bf;
$cflags.=" -DOPENSSL_NO_CAST" if $no_cast;
$cflags.=" -DOPENSSL_NO_DES" if $no_des;
$cflags.=" -DOPENSSL_NO_RSA" if $no_rsa;
@@ -236,6 +236,7 @@ $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
$cflags.=" -DOPENSSL_NO_EC" if $no_ec;
$cflags.=" -DOPENSSL_NO_ENGINE" if $no_engine;
$cflags.=" -DOPENSSL_NO_HW" if $no_hw;
+$cflags.=" -DOPENSSL_FIPS" if $fips;
#$cflags.=" -DRSAref" if $rsaref ne "";
## if ($unix)
@@ -631,15 +632,21 @@ foreach (split(/\s+/,$test))
$rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
$rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)");
-$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
-
+if ($fips)
+ {
+ $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)","\$(BIN_D)$o.sha1","\$(BIN_D)$o\$(E_EXE)$exep");
+ }
+else
+ {
+ $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+ }
print $defs;
if ($platform eq "linux-elf") {
print <<"EOF";
# Generate perlasm output files
%.cpp:
- (cd \$(\@D)/..; PERL=perl make -f Makefile.ssl asm/\$(\@F))
+ (cd \$(\@D)/..; PERL=perl make -f Makefile asm/\$(\@F))
EOF
}
print "###################################################################\n";
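Review bot: The fingerprint path passed in the `$fips` branch, `"\$(BIN_D)$o.sha1"`, interpolates to the directory separator followed by `.sha1`, that is, a file named only `.sha1` inside `$(BIN_D)`. If a per-executable name was intended, the executable name would have to precede the suffix; this is worth confirming. The two branches also repeat the first four arguments, so building the argument list once and appending the two FIPS arguments when `$fips` is set would keep them from drifting apart. A comment that the sixth argument is the freshly linked binary, which the generated rule then runs to hash itself, would help readers, since that step presumably cannot run on a cross build.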
@@ -921,6 +928,7 @@ sub read_options
$no_aes=1; }
elsif (/^rsaref$/) { }
+ elsif (/^fips$/) { $fips=1; }
elsif (/^gcc$/) { $gcc=1; }
elsif (/^debug$/) { $debug=1; }
elsif (/^profile$/) { $profile=1; }
diff --git a/lib/libssl/src/util/mkdef.pl b/lib/libssl/src/util/mkdef.pl
index 01a1bfda197..9918c3d549c 100644
--- a/lib/libssl/src/util/mkdef.pl
+++ b/lib/libssl/src/util/mkdef.pl
@@ -79,7 +79,7 @@ my $OS2=0;
my $safe_stack_def = 0;
my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT",
- "EXPORT_VAR_AS_FUNCTION" );
+ "EXPORT_VAR_AS_FUNCTION", "OPENSSL_FIPS" );
my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT", "OS2" );
my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
"CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1",
@@ -94,7 +94,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
"FP_API", "STDIO", "SOCK", "KRB5", "ENGINE", "HW" );
my $options="";
-open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n";
+open(IN,"<Makefile") || die "unable to open Makefile!\n";
while(<IN>) {
$options=$1 if (/^OPTIONS=(.*)$/);
}
@@ -109,6 +109,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
my $no_ec; my $no_engine; my $no_hw;
my $no_fp_api;
+my $fips;
foreach (@ARGV, split(/ /, $options))
{
@@ -129,6 +130,7 @@ foreach (@ARGV, split(/ /, $options))
}
$VMS=1 if $_ eq "VMS";
$OS2=1 if $_ eq "OS2";
+ $fips=1 if $_ eq "fips";
$do_ssl=1 if $_ eq "ssleay";
if ($_ eq "ssl") {
@@ -265,6 +267,7 @@ $crypto.=" crypto/ocsp/ocsp.h";
$crypto.=" crypto/ui/ui.h crypto/ui/ui_compat.h";
$crypto.=" crypto/krb5/krb5_asn.h";
$crypto.=" crypto/tmdiff.h";
+$crypto.=" fips/fips.h fips/rand/fips_rand.h";
my $symhacks="crypto/symhacks.h";
@@ -469,7 +472,7 @@ sub do_defs
push(@tag,$1);
$tag{$1}=-1;
}
- } elsif (/^\#\s*ifdef\s+(.*)/) {
+ } elsif (/^\#\s*ifdef\s+(\S*)/) {
push(@tag,"-");
push(@tag,$1);
$tag{$1}=1;
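Review bot: The new pattern `/^\#\s*ifdef\s+(\S*)/` in do_defs accepts an empty capture, so an `#ifdef` followed only by whitespace would push an empty string onto `@tag` and set `$tag{""}`. Using `(\S+)`, as in `} elsif (/^\#\s*ifdef\s+(\S+)/) {`, still drops trailing text after the macro name while requiring that a name is present. do_defs starts and ends outside this hunk.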
@@ -794,7 +797,7 @@ sub do_defs
}
close(IN);
- my $algs;
+ my $algs = '';
my $plays;
print STDERR "DEBUG: postprocessing ----------\n" if $debug;
@@ -864,6 +867,7 @@ sub do_defs
$platform{$s} =
&reduce_platforms((defined($platform{$s})?$platform{$s}.',':"").$p);
+ $algorithm{$s} = '' if !defined $algorithm{$s};
$algorithm{$s} .= ','.$a;
if (defined($variant{$s})) {
@@ -1028,6 +1032,9 @@ sub is_valid
if ($keyword eq "EXPORT_VAR_AS_FUNCTION" && ($VMSVAX || $W32 || $W16)) {
return 1;
}
+ if ($keyword eq "OPENSSL_FIPS" && $fips) {
+ return 1;
+ }
return 0;
} else {
# algorithms
@@ -1119,7 +1126,7 @@ sub print_test_file
sub get_version {
local *MF;
my $v = '?';
- open MF, 'Makefile.ssl' or return $v;
+ open MF, 'Makefile' or return $v;
while (<MF>) {
$v = $1, last if /^VERSION=(.*?)\s*$/;
}
diff --git a/lib/libssl/src/util/mkerr.pl b/lib/libssl/src/util/mkerr.pl
index 1b2915c7677..60e534807eb 100644
--- a/lib/libssl/src/util/mkerr.pl
+++ b/lib/libssl/src/util/mkerr.pl
@@ -41,7 +41,8 @@ while (@ARGV) {
}
if($recurse) {
- @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>);
+ @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>, <fips/*.c>,
+ <fips/*/*.c>);
} else {
@source = @ARGV;
}
@@ -262,7 +263,7 @@ foreach $lib (keys %csrc)
} else {
push @out,
"/* ====================================================================\n",
-" * Copyright (c) 2001-2003 The OpenSSL Project. All rights reserved.\n",
+" * Copyright (c) 2001-2005 The OpenSSL Project. All rights reserved.\n",
" *\n",
" * Redistribution and use in source and binary forms, with or without\n",
" * modification, are permitted provided that the following conditions\n",
@@ -404,7 +405,7 @@ EOF
print OUT <<"EOF";
/* $cfile */
/* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/lib/libssl/src/util/mkfiles.pl b/lib/libssl/src/util/mkfiles.pl
index 29e1404c695..928a274303d 100644
--- a/lib/libssl/src/util/mkfiles.pl
+++ b/lib/libssl/src/util/mkfiles.pl
@@ -51,6 +51,14 @@ my @dirs = (
"crypto/ocsp",
"crypto/ui",
"crypto/krb5",
+"fips",
+"fips/aes",
+"fips/des",
+"fips/dsa",
+"fips/dh",
+"fips/rand",
+"fips/rsa",
+"fips/sha1",
"ssl",
"apps",
"test",
@@ -58,7 +66,7 @@ my @dirs = (
);
foreach (@dirs) {
- &files_dir ($_, "Makefile.ssl");
+ &files_dir ($_, "Makefile");
}
exit(0);
diff --git a/lib/libssl/src/util/mklink.pl b/lib/libssl/src/util/mklink.pl
index 9386da7aa4c..c8653cecc37 100644
--- a/lib/libssl/src/util/mklink.pl
+++ b/lib/libssl/src/util/mklink.pl
@@ -52,6 +52,7 @@ $symlink_exists=eval {symlink("",""); 1};
foreach $file (@files) {
my $err = "";
if ($symlink_exists) {
+ unlink "$from/$file";
symlink("$to/$file", "$from/$file") or $err = " [$!]";
} else {
unlink "$from/$file";
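Review bot: The added `unlink "$from/$file";` makes both branches of `if ($symlink_exists)` begin with the same statement, and its result is ignored in both. Hoisting a single `unlink "$from/$file";` above the `if` states the intent once. A comment such as `# remove a stale link or copy so symlink() does not fail on an existing name` would document why it is there. The else branch continues outside this hunk.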
diff --git a/lib/libssl/src/util/mkstack.pl b/lib/libssl/src/util/mkstack.pl
index 085c50f790f..0ca9eb6a766 100644
--- a/lib/libssl/src/util/mkstack.pl
+++ b/lib/libssl/src/util/mkstack.pl
@@ -84,6 +84,7 @@ while(<IN>) {
#define sk_${type_thing}_shift(st) SKM_sk_shift($type_thing, (st))
#define sk_${type_thing}_pop(st) SKM_sk_pop($type_thing, (st))
#define sk_${type_thing}_sort(st) SKM_sk_sort($type_thing, (st))
+#define sk_${type_thing}_is_sorted(st) SKM_sk_is_sorted($type_thing, (st))
EOF
}
foreach $type_thing (sort @asn1setlst) {
diff --git a/lib/libssl/src/util/pl/BC-16.pl b/lib/libssl/src/util/pl/BC-16.pl
index 2033f524ca5..8030653daad 100644
--- a/lib/libssl/src/util/pl/BC-16.pl
+++ b/lib/libssl/src/util/pl/BC-16.pl
@@ -64,7 +64,7 @@ $lfile='';
$asm='bcc -c -B -Tml';
$afile='/o';
-if ($no_asm)
+if ($no_asm || $fips)
{
$bn_asm_obj='';
$bn_asm_src='';
@@ -119,11 +119,11 @@ sub do_lib_rule
sub do_link_rule
{
- local($target,$files,$dep_libs,$libs)=@_;
+ local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
local($ret,$f,$_,@f);
-
+
$file =~ s/\//$o/g if $o ne '/';
- $n=&bname($targer);
+ $n=&bname($target);
$ret.="$target: $files $dep_libs\n";
$ret.=" \$(LINK) @&&|";
@@ -139,7 +139,12 @@ sub do_link_rule
}
else
{ $ret.="\n $r \$(APP_EX_OBJ) $files\n"; }
- $ret.=" $target\n\n $libs\n\n|\n\n";
+ $ret.=" $target\n\n $libs\n\n|\n";
+ if (defined $sha1file)
+ {
+ $ret.=" $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+ }
+ $ret.="\n";
return($ret);
}
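Review bot: The HMAC key `etaonrishdlcupfm` is written as a literal in the new `sha1 -hmac` line here and again in the do_link_rule of BC-32.pl, Mingw32.pl, OS2-EMX.pl, VC-16.pl, VC-32.pl, linux.pl and unix.pl, with no comment on what it has to match. Defining it once in mk1mf.pl, in a variable of the project's choosing, and interpolating it in each rule would keep the eight copies from diverging. A comment should also say that, because the key is a fixed value in the source tree, the fingerprint detects accidental corruption of the binary but is not evidence against deliberate modification. do_link_rule starts outside this hunk.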
diff --git a/lib/libssl/src/util/pl/BC-32.pl b/lib/libssl/src/util/pl/BC-32.pl
index e83b3361908..897ae9d8249 100644
--- a/lib/libssl/src/util/pl/BC-32.pl
+++ b/lib/libssl/src/util/pl/BC-32.pl
@@ -62,7 +62,7 @@ $des_enc_src='';
$bf_enc_obj='';
$bf_enc_src='';
-if (!$no_asm)
+if (!$no_asm && !$fips)
{
$bn_mulw_obj='crypto\bn\asm\bn_win32.obj';
$bn_mulw_src='crypto\bn\asm\bn_win32.asm';
@@ -122,13 +122,18 @@ sub do_lib_rule
sub do_link_rule
{
- local($target,$files,$dep_libs,$libs)=@_;
+ local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
local($ret,$_);
-
+
$file =~ s/\//$o/g if $o ne '/';
$n=&bname($targer);
$ret.="$target: $files $dep_libs\n";
- $ret.="\t\$(LINK) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, $libs\n\n";
+ $ret.="\t\$(LINK) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, $libs\n";
+ if (defined $sha1file)
+ {
+ $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+ }
+ $ret.="\n";
return($ret);
}
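Review bot: `$n=&bname($targer);` on the context line of this do_link_rule still uses the misspelled `$targer`, the typo this commit corrects in util/pl/BC-16.pl; the same line is left unchanged in util/pl/VC-32.pl. Both should read `$n=&bname($target);`. No `use strict` is visible in these hunks, so the misspelling would presumably go unreported and `$n` would be computed from an undefined value.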
diff --git a/lib/libssl/src/util/pl/Mingw32.pl b/lib/libssl/src/util/pl/Mingw32.pl
index 4bee638c4a6..b9bb24d21d7 100644
--- a/lib/libssl/src/util/pl/Mingw32.pl
+++ b/lib/libssl/src/util/pl/Mingw32.pl
@@ -21,7 +21,7 @@ if ($debug)
else
{ $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -mcpu=i486 -Wall"; }
-if ($gaswin and !$no_asm)
+if ($gaswin and !$no_asm and !$fips)
{
$bn_asm_obj='$(OBJ_D)\bn-win32.o';
$bn_asm_src='crypto/bn/asm/bn-win32.s';
@@ -92,13 +92,18 @@ sub do_lib_rule
sub do_link_rule
{
- local($target,$files,$dep_libs,$libs)=@_;
+ local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
local($ret,$_);
$file =~ s/\//$o/g if $o ne '/';
$n=&bname($target);
$ret.="$target: $files $dep_libs\n";
- $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+ $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
+ if (defined $sha1file)
+ {
+ $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+ }
+ $ret.="\n";
return($ret);
}
1;
diff --git a/lib/libssl/src/util/pl/OS2-EMX.pl b/lib/libssl/src/util/pl/OS2-EMX.pl
index ddb35242108..75d72ebbcbd 100644
--- a/lib/libssl/src/util/pl/OS2-EMX.pl
+++ b/lib/libssl/src/util/pl/OS2-EMX.pl
@@ -48,7 +48,7 @@ $des_enc_src="";
$bf_enc_obj="";
$bf_enc_src="";
-if (!$no_asm)
+if (!$no_asm && !$fips)
{
$bn_asm_obj="crypto/bn/asm/bn-os2$obj crypto/bn/asm/co-os2$obj";
$bn_asm_src="crypto/bn/asm/bn-os2.asm crypto/bn/asm/co-os2.asm";
@@ -106,13 +106,18 @@ sub do_lib_rule
sub do_link_rule
{
- local($target,$files,$dep_libs,$libs)=@_;
+ local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
local($ret,$_);
$file =~ s/\//$o/g if $o ne '/';
$n=&bname($target);
$ret.="$target: $files $dep_libs\n";
- $ret.="\t\$(LINK) ${efile}$target \$(CFLAG) \$(LFLAGS) $files $libs\n\n";
+ $ret.="\t\$(LINK) ${efile}$target \$(CFLAG) \$(LFLAGS) $files $libs\n";
+ if (defined $sha1file)
+ {
+ $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+ }
+ $ret.="\n";
return($ret);
}
diff --git a/lib/libssl/src/util/pl/VC-16.pl b/lib/libssl/src/util/pl/VC-16.pl
index 7cda5e67a94..564ba3fd08b 100644
--- a/lib/libssl/src/util/pl/VC-16.pl
+++ b/lib/libssl/src/util/pl/VC-16.pl
@@ -61,7 +61,7 @@ if ($shlib)
else
{ $mlflags=''; }
-$app_ex_obj="setargv.obj";
+$app_ex_obj="";
$obj='.obj';
$ofile="/Fo";
@@ -90,7 +90,7 @@ $des_enc_src='';
$bf_enc_obj='';
$bf_enc_src='';
-if (!$no_asm)
+if (!$no_asm && !$fips)
{
if ($asmbits == 32)
{
@@ -147,7 +147,7 @@ sub do_lib_rule
sub do_link_rule
{
- local($target,$files,$dep_libs,$libs)=@_;
+ local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
local($ret,$f,$_,@f);
$file =~ s/\//$o/g if $o ne '/';
@@ -165,7 +165,12 @@ sub do_link_rule
}
else
{ $ret.=" \$(APP_EX_OBJ) $files"; }
- $ret.="\n $target\n\n $libs\n\n<<\n\n";
+ $ret.="\n $target\n\n $libs\n\n<<\n";
+ if (defined $sha1file)
+ {
+ $ret.=" $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+ }
+ $ret.="\n";
return($ret);
}
diff --git a/lib/libssl/src/util/pl/VC-32.pl b/lib/libssl/src/util/pl/VC-32.pl
index 285990c5896..cf689b9feb4 100644
--- a/lib/libssl/src/util/pl/VC-32.pl
+++ b/lib/libssl/src/util/pl/VC-32.pl
@@ -64,7 +64,7 @@ $des_enc_src='';
$bf_enc_obj='';
$bf_enc_src='';
-if (!$no_asm)
+if (!$no_asm && !$fips)
{
$bn_asm_obj='crypto\bn\asm\bn_win32.obj';
$bn_asm_src='crypto\bn\asm\bn_win32.asm';
@@ -126,14 +126,19 @@ sub do_lib_rule
sub do_link_rule
{
- local($target,$files,$dep_libs,$libs)=@_;
+ local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
local($ret,$_);
$file =~ s/\//$o/g if $o ne '/';
$n=&bname($targer);
$ret.="$target: $files $dep_libs\n";
$ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n";
- $ret.=" \$(APP_EX_OBJ) $files $libs\n<<\n\n";
+ $ret.=" \$(APP_EX_OBJ) $files $libs\n<<\n";
+ if (defined $sha1file)
+ {
+ $ret.=" $openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+ }
+ $ret.="\n";
return($ret);
}
diff --git a/lib/libssl/src/util/pl/linux.pl b/lib/libssl/src/util/pl/linux.pl
index 8924ed54808..df05c40526e 100644
--- a/lib/libssl/src/util/pl/linux.pl
+++ b/lib/libssl/src/util/pl/linux.pl
@@ -72,13 +72,18 @@ sub do_shlib_rule
sub do_link_rule
{
- local($target,$files,$dep_libs,$libs)=@_;
+ local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
local($ret,$_);
$file =~ s/\//$o/g if $o ne '/';
$n=&bname($target);
$ret.="$target: $files $dep_libs\n";
- $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+ $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
+ if (defined $sha1file)
+ {
+ $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+ }
+ $ret.="\n";
return($ret);
}
diff --git a/lib/libssl/src/util/pl/unix.pl b/lib/libssl/src/util/pl/unix.pl
index 146611ad995..bbd1798a2e5 100644
--- a/lib/libssl/src/util/pl/unix.pl
+++ b/lib/libssl/src/util/pl/unix.pl
@@ -70,13 +70,18 @@ sub do_lib_rule
sub do_link_rule
{
- local($target,$files,$dep_libs,$libs)=@_;
+ local($target,$files,$dep_libs,$libs,$sha1file,$openssl)=@_;
local($ret,$_);
$file =~ s/\//$o/g if $o ne '/';
$n=&bname($target);
$ret.="$target: $files $dep_libs\n";
- $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+ $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n";
+ if (defined $sha1file)
+ {
+ $ret.="\t$openssl sha1 -hmac etaonrishdlcupfm -binary $target > $sha1file";
+ }
+ $ret.="\n";
return($ret);
}
diff --git a/lib/libssl/src/util/selftest.pl b/lib/libssl/src/util/selftest.pl
index 276b81183d2..e9d5aa8938e 100644
--- a/lib/libssl/src/util/selftest.pl
+++ b/lib/libssl/src/util/selftest.pl
@@ -34,9 +34,9 @@ foreach $_ (split("\n",$c)) {
$platform0=$1 if (/Configuring for (.*)$/);
}
-system "sh config" if (! -f "Makefile.ssl");
+system "sh config" if (! -f "Makefile");
-if (open(IN,"<Makefile.ssl")) {
+if (open(IN,"<Makefile")) {
while (<IN>) {
$version=$1 if (/^VERSION=(.*)$/);
$platform=$1 if (/^PLATFORM=(.*)$/);