diff options
301 files changed, 6040 insertions, 2624 deletions
@@ -2,7 +2,112 @@ OpenSSL CHANGES _______________ - Changes between 0.9.7 and 0.9.8 [xx XXX xxxx] + Changes between 0.9.7a and 0.9.8 [xx XXX xxxx] + + *) Make it possible to create self-signed certificates with 'openssl ca' + in such a way that the self-signed certificate becomes part of the + CA database and uses the same mechanisms for serial number generation + as all other certificate signing. The new flag '-selfsign' enables + this functionality. Adapt CA.sh and CA.pl.in. + [Richard Levitte] + + *) Add functionality to check the public key of a certificate request + against a given private. This is useful to check that a certificate + request can be signed by that key (self-signing). + [Richard Levitte] + + *) Make it possible to have multiple active certificates with the same + subject in the CA index file. This is done only if the keyword + 'unique_subject' is set to 'no' in the main CA section (default + if 'CA_default') of the configuration file. The value is saved + with the database itself in a separate index attribute file, + named like the index file with '.attr' appended to the name. + [Richard Levitte] + + *) Generate muti valued AVAs using '+' notation in config files for + req and dirName. + [Steve Henson] + + *) Support for nameConstraints certificate extension. + [Steve Henson] + + *) Support for policyConstraints certificate extension. + [Steve Henson] + + *) Support for policyMappings certificate extension. + [Steve Henson] + + *) Fixed a typo bug that would cause ENGINE_set_default() to set an + ENGINE as defaults for all supported algorithms irrespective of + the 'flags' parameter. 'flags' is now honoured, so applications + should make sure they are passing it correctly. + [Geoff Thorpe] + + *) Make sure the default DSA_METHOD implementation only uses its + dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL, + and change its own handlers to be NULL so as to remove unnecessary + indirection. This lets alternative implementations fallback to the + default implementation more easily. + [Geoff Thorpe] + + *) Support for directoryName in GeneralName related extensions + in config files. + [Steve Henson] + + *) Make it possible to link applications using Makefile.shared. + Make that possible even when linking against static libraries! + [Richard Levitte] + + *) Various fixes to base64 BIO and non blocking I/O. On write + flushes were not handled properly if the BIO retried. On read + data was not being buffered properly and had various logic bugs. + [Steve Henson] + + *) Support for single pass processing for S/MIME signing. This now + means that S/MIME signing can be done from a pipe, in addition + cleartext signing (multipart/signed type) is effectively streaming + and the signed data does not need to be all held in memory. + + This is done with a new flag PKCS7_STREAM. When this flag is set + PKCS7_sign() only initializes the PKCS7 structure and the actual signing + is done after the data is output (and digests calculated) in + SMIME_write_PKCS7(). + [Steve Henson] + + *) Add full support for -rpath/-R, both in shared libraries and + applications, at least on the platforms where it's known how + to do it. + [Richard Levitte] + + *) In crypto/ec/ec_mult.c, implement fast point multiplication with + precomputation, based on wNAF splitting: EC_GROUP_precompute_mult() + will now compute a table of multiples of the generator that + makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul() + faster (notably in the case of a single point multiplication, + scalar * generator). + [Nils Larsch, Bodo Moeller] + + *) IPv6 support for certificate extensions. The various extensions + which use the IP:a.b.c.d can now take IPv6 addresses using the + formats of RFC1884 2.2 . IPv6 addresses are now also displayed + correctly. + [Steve Henson] + + *) Added an ENGINE that implements RSA by performing private key + exponentiations with the GMP library. The conversions to and from + GMP's mpz_t format aren't optimised nor are any montgomery forms + cached, and on x86 it appears OpenSSL's own performance has caught up. + However there are likely to be other architectures where GMP could + provide a boost. This ENGINE is not built in by default, but it can be + specified at Configure time and should be accompanied by the necessary + linker additions, eg; + ./config -DOPENSSL_USE_GMP -lgmp + [Geoff Thorpe] + + *) "openssl engine" will not display ENGINE/DSO load failure errors when + testing availability of engines with "-t" - the old behaviour is + produced by increasing the feature's verbosity with "-tt". + [Geoff Thorpe] *) ECDSA routines: under certain error conditions uninitialized BN objects could be freed. Solution: make sure initialization is performed early @@ -149,8 +254,6 @@ [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)] *) Add ECDH in new directory crypto/ecdh/. -TODO: more general interface (return x coordinate, not its hash) -TODO: bug: pad x with leading zeros if necessary [Douglas Stebila (Sun Microsystems Laboratories)] *) Let BN_rand_range() abort with an error after 100 iterations @@ -379,7 +482,103 @@ TODO: bug: pad x with leading zeros if necessary EC_GROUP_get_nid() [Nils Larsch <nla@trustcenter.de, Bodo Moeller] - Changes between 0.9.7 and 0.9.7a [XX xxx 2003] + *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there + was actually never needed) and in BN_mul(). The removal in BN_mul() + required a small change in bn_mul_part_recursive() and the addition + of the functions bn_cmp_part_words(), bn_sub_part_words() and + bn_add_part_words(), which do the same thing as bn_cmp_words(), + bn_sub_words() and bn_add_words() except they take arrays with + differing sizes. + [Richard Levitte] + + Changes between 0.9.7a and 0.9.7b [xx XXX 2003] + + *) Countermeasure against the Klima-Pokorny-Rosa extension of + Bleichbacher's attack on PKCS #1 v1.5 padding: treat + a protocol version number mismatch like a decryption error + in ssl3_get_client_key_exchange (ssl/s3_srvr.c). + [Bodo Moeller] + + *) Turn on RSA blinding by default in the default implementation + to avoid a timing attack. Applications that don't want it can call + RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. + They would be ill-advised to do so in most cases. + [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] + + *) Change RSA blinding code so that it works when the PRNG is not + seeded (in this case, the secret RSA exponent is abused as + an unpredictable seed -- if it is not unpredictable, there + is no point in blinding anyway). Make RSA blinding thread-safe + by remembering the creator's thread ID in rsa->blinding and + having all other threads use local one-time blinding factors + (this requires more computation than sharing rsa->blinding, but + avoids excessive locking; and if an RSA object is not shared + between threads, blinding will still be very fast). + [Bodo Moeller] + +yet to be integrated into this CVS branch: +- Geoff's ENGINE_set_default() fix + + *) Target "mingw" now allows native Windows code to be generated in + the Cygwin environment as well as with the MinGW compiler. + [Ulf Moeller] + + Changes between 0.9.7 and 0.9.7a [19 Feb 2003] + + *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked + via timing by performing a MAC computation even if incorrrect + block cipher padding has been found. This is a countermeasure + against active attacks where the attacker has to distinguish + between bad padding and a MAC verification error. (CAN-2003-0078) + + [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), + Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and + Martin Vuagnoux (EPFL, Ilion)] + + *) Make the no-err option work as intended. The intention with no-err + is not to have the whole error stack handling routines removed from + libcrypto, it's only intended to remove all the function name and + reason texts, thereby removing some of the footprint that may not + be interesting if those errors aren't displayed anyway. + + NOTE: it's still possible for any application or module to have it's + own set of error texts inserted. The routines are there, just not + used by default when no-err is given. + [Richard Levitte] + + *) Add support for FreeBSD on IA64. + [dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454] + + *) Adjust DES_cbc_cksum() so it returns the same value as the MIT + Kerberos function mit_des_cbc_cksum(). Before this change, + the value returned by DES_cbc_cksum() was like the one from + mit_des_cbc_cksum(), except the bytes were swapped. + [Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte] + + *) Allow an application to disable the automatic SSL chain building. + Before this a rather primitive chain build was always performed in + ssl3_output_cert_chain(): an application had no way to send the + correct chain if the automatic operation produced an incorrect result. + + Now the chain builder is disabled if either: + + 1. Extra certificates are added via SSL_CTX_add_extra_chain_cert(). + + 2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set. + + The reasoning behind this is that an application would not want the + auto chain building to take place if extra chain certificates are + present and it might also want a means of sending no additional + certificates (for example the chain has two certificates and the + root is omitted). + [Steve Henson] + + *) Add the possibility to build without the ENGINE framework. + [Steven Reddie <smr@essemer.com.au> via Richard Levitte] + + *) Under Win32 gmtime() can return NULL: check return value in + OPENSSL_gmtime(). Add error code for case where gmtime() fails. + [Steve Henson] *) DSA routines: under certain error conditions uninitialized BN objects could be freed. Solution: make sure initialization is performed early @@ -2080,6 +2279,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k be reduced modulo m. [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller] +#if 0 + The following entry accidentily appeared in the CHANGES file + distributed with OpenSSL 0.9.7. The modifications described in + it do *not* apply to OpenSSL 0.9.7. + *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there was actually never needed) and in BN_mul(). The removal in BN_mul() required a small change in bn_mul_part_recursive() and the addition @@ -2088,6 +2292,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k bn_sub_words() and bn_add_words() except they take arrays with differing sizes. [Richard Levitte] +#endif *) In 'openssl passwd', verify passwords read from the terminal unless the '-salt' option is used (which usually means that @@ -2219,6 +2424,18 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Clean old EAY MD5 hack from e_os.h. [Richard Levitte] + Changes between 0.9.6h and 0.9.6i [19 Feb 2003] + + *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked + via timing by performing a MAC computation even if incorrrect + block cipher padding has been found. This is a countermeasure + against active attacks where the attacker has to distinguish + between bad padding and a MAC verification error. (CAN-2003-0078) + + [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), + Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and + Martin Vuagnoux (EPFL, Ilion)] + Changes between 0.9.6g and 0.9.6h [5 Dec 2002] *) New function OPENSSL_cleanse(), which is used to cleanse a section of @@ -10,7 +10,7 @@ use strict; # see INSTALL for instructions. -my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n"; +my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n"; # Options: # @@ -38,6 +38,7 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [- # --test-sanity Make a number of sanity checks on the data in this file. # This is a debugging tool for OpenSSL developers. # +# no-engine do not compile in any engine code. # no-hw-xxx do not compile support for specific crypto hardware. # Generic OpenSSL-style methods relating to this support # are always compiled but return NULL if the hardware @@ -142,8 +143,8 @@ my %table=( "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", -"debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn", +"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared", +"debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn:linux-shared", "debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -269,12 +270,12 @@ my %table=( # # Chris Ruemmler <ruemmler@cup.hp.com> # Kevin Steves <ks@hp.se> -"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # Isn't the line below meaningless? HP-UX cc optimizes for host by default. # hpux-parisc1_0-cc with +DAportable flag would make more sense. <appro> -"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # HPUX 9.X config. # Don't use the bundled cc. It is broken. Use HP ANSI C if possible, or @@ -382,19 +383,21 @@ my %table=( "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", -"linux-mipsel", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::", -"linux-mips", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::", +"linux-mipsel", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-mips", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::", "linux-s390", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-ia64-ecc", "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "FreeBSD-sparc64","gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"FreeBSD-ia64","gcc:-DL_ENDIAN -DTERMIOS -O -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64-cpp.o:::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", "bsdi-gcc", "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown):::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}", "bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -433,16 +436,16 @@ my %table=( "OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "sco3-gcc", "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown)::-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... # SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the SCO cc. -"sco5-cc", "cc:-belf::(unknown)::-lsocket -lresolv -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic", -"sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lresolv -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC", +"sco5-cc", "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # IBM's AIX. "aix-cc", "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::", "aix-gcc", "gcc:-O3 -DB_ENDIAN::(unknown):AIX::BN_LLONG RC4_CHAR:::", -"aix43-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:", +"aix43-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:aix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::", "aix43-gcc", "gcc:-O1 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:", -"aix64-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn::::::-X 64", +"aix64-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64", # # Cray T90 and similar (SDSC) @@ -504,10 +507,8 @@ my %table=( "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN::::::::::win32", "BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::", -# Mingw32 -# (Note: the real CFLAGS for Windows builds are defined by util/mk1mf.pl -# and its library files in util/pl/*) -"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", +# MinGW +"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-mno-cygwin -lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32::::.dll", # UWIN "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", @@ -649,6 +650,7 @@ my $openssl_thread_defines; my $openssl_sys_defines=""; my $openssl_other_defines; my $libs; +my $libkrb5=""; my $target; my $options; my $symlink; @@ -686,19 +688,24 @@ PROCESS_ARGS: elsif (/^no-asm$/) { $no_asm=1; - $flags .= "-DOPENSSL_NO_ASM "; + #$flags .= "-DOPENSSL_NO_ASM "; $openssl_other_defines .= "#define OPENSSL_NO_ASM\n"; } + elsif (/^no-err$/) + { + $flags .= "-DOPENSSL_NO_ERR "; + $openssl_other_defines .= "#define OPENSSL_NO_ERR\n"; + } elsif (/^no-hw-(.+)$/) { my $hw=$1; $hw =~ tr/[a-z]/[A-Z]/; - $flags .= "-DOPENSSL_NO_HW_$hw "; + #$flags .= "-DOPENSSL_NO_HW_$hw "; $openssl_other_defines .= "#define OPENSSL_NO_HW_$hw\n"; } elsif (/^no-hw$/) { - $flags .= "-DOPENSSL_NO_HW "; + #$flags .= "-DOPENSSL_NO_HW "; $openssl_other_defines .= "#define OPENSSL_NO_HW\n"; } elsif (/^no-dso$/) @@ -734,22 +741,22 @@ PROCESS_ARGS: my $algo=$1; push @skip,$algo; $algo =~ tr/[a-z]/[A-Z]/; - $flags .= "-DOPENSSL_NO_$algo "; - $depflags .= "-DOPENSSL_NO_$algo "; + #$flags .= "-DOPENSSL_NO_$algo "; + #$depflags .= "-DOPENSSL_NO_$algo "; $openssl_algorithm_defines .= "#define OPENSSL_NO_$algo\n"; if ($algo eq "RIJNDAEL") { push @skip, "aes"; - $flags .= "-DOPENSSL_NO_AES "; - $depflags .= "-DOPENSSL_NO_AES "; + #$flags .= "-DOPENSSL_NO_AES "; + #$depflags .= "-DOPENSSL_NO_AES "; $openssl_algorithm_defines .= "#define OPENSSL_NO_AES\n"; } if ($algo eq "DES") { push @skip, "mdc2"; $options .= " no-mdc2"; - $flags .= "-DOPENSSL_NO_MDC2 "; - $depflags .= "-DOPENSSL_NO_MDC2 "; + #$flags .= "-DOPENSSL_NO_MDC2 "; + #$depflags .= "-DOPENSSL_NO_MDC2 "; $openssl_algorithm_defines .= "#define OPENSSL_NO_MDC2\n"; } if ($algo eq "EC") @@ -885,24 +892,24 @@ $no_tls1=1 if ($no_dh); if ($no_ssl2) { push @skip,"SSL2"; - $flags .= "-DOPENSSL_NO_SSL2 "; - $depflags .= "-DOPENSSL_NO_SSL2 "; + #$flags .= "-DOPENSSL_NO_SSL2 "; + #$depflags .= "-DOPENSSL_NO_SSL2 "; $openssl_algorithm_defines .= "#define OPENSSL_NO_SSL2\n"; } if ($no_ssl3) { push @skip,"SSL3"; - $flags .= "-DOPENSSL_NO_SSL3 "; - $depflags .= "-DOPENSSL_NO_SSL3 "; + #$flags .= "-DOPENSSL_NO_SSL3 "; + #$depflags .= "-DOPENSSL_NO_SSL3 "; $openssl_algorithm_defines .= "#define OPENSSL_NO_SSL3\n"; } if ($no_tls1) { push @skip,"TLS1"; - $flags .= "-DOPENSSL_NO_TLS1 "; - $depflags .= "-DOPENSSL_NO_TLS1 "; + #$flags .= "-DOPENSSL_NO_TLS1 "; + #$depflags .= "-DOPENSSL_NO_TLS1 "; $openssl_algorithm_defines .= "#define OPENSSL_NO_TLS1\n"; } @@ -980,7 +987,7 @@ if ($no_krb5 || !defined($withargs{"krb5-flavor"}) || $withargs{"krb5-flavor"} eq "") { - $cflags="-DOPENSSL_NO_KRB5 $cflags"; + #$cflags="-DOPENSSL_NO_KRB5 $cflags"; $options.=" no-krb5" unless $no_krb5; $openssl_algorithm_defines .= "#define OPENSSL_NO_KRB5\n"; } @@ -1036,8 +1043,6 @@ else $withargs{"krb5-include"} = "-I".$withargs{"krb5-dir"}."/include" if $withargs{"krb5-include"} eq "" && $withargs{"krb5-dir"} ne ""; - - $libs.=$withargs{"krb5-lib"}." " if $withargs{"krb5-lib"} ne ""; } # The DSO code currently always implements all functions so that no @@ -1108,7 +1113,7 @@ if (!$no_shared) if ($threads) { - $cflags=$thread_cflags; + #$cflags=$thread_cflags; $openssl_thread_defines .= $thread_defines; } @@ -1136,18 +1141,18 @@ if (!$no_shared) if ($no_shared) { - $cflags="-DOPENSSL_NO_DYNAMIC_ENGINE $cflags"; + #$cflags="-DOPENSSL_NO_DYNAMIC_ENGINE $cflags"; $openssl_other_defines.="#define OPENSSL_NO_DYNAMIC_ENGINE\n"; } else { - $cflags="-DOPENSSL_NO_STATIC_ENGINE $cflags"; + #$cflags="-DOPENSSL_NO_STATIC_ENGINE $cflags"; $openssl_other_defines.="#define OPENSSL_NO_STATIC_ENGINE\n"; } if ($sys_id ne "") { - $cflags="-DOPENSSL_SYSNAME_$sys_id $cflags"; + #$cflags="-DOPENSSL_SYSNAME_$sys_id $cflags"; $openssl_sys_defines="#define OPENSSL_SYSNAME_$sys_id\n"; } @@ -1272,6 +1277,7 @@ while (<IN>) s/^ARFLAGS=.*/ARFLAGS= $arflags/; s/^PERL=.*/PERL= $perl/; s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/; + s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/; s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); @@ -68,7 +68,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 0.9.7 was released on December 31, 2002. +OpenSSL 0.9.7a was released on February 19, 2003. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: @@ -189,18 +189,30 @@ for permission to use their software with OpenSSL. Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide a "randomness -device" that serves this purpose. On other systems, applications have -to call the RAND_add() or RAND_seed() function with appropriate data -before generating keys or performing public key encryption. -(These functions initialize the pseudo-random number generator, PRNG.) - -Some broken applications do not do this. As of version 0.9.5, the -OpenSSL functions that need randomness report an error if the random -number generator has not been seeded with at least 128 bits of -randomness. If this error occurs, please contact the author of the -application you are using. It is likely that it never worked -correctly. OpenSSL 0.9.5 and later make the error visible by refusing -to perform potentially insecure encryption. +device" (/dev/urandom or /dev/random) that serves this purpose. +All OpenSSL versions try to use /dev/urandom by default; starting with +version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not +available. + +On other systems, applications have to call the RAND_add() or +RAND_seed() function with appropriate data before generating keys or +performing public key encryption. (These functions initialize the +pseudo-random number generator, PRNG.) Some broken applications do +not do this. As of version 0.9.5, the OpenSSL functions that need +randomness report an error if the random number generator has not been +seeded with at least 128 bits of randomness. If this error occurs and +is not discussed in the documentation of the application you are +using, please contact the author of that application; it is likely +that it never worked correctly. OpenSSL 0.9.5 and later make the +error visible by refusing to perform potentially insecure encryption. + +If you are using Solaris 8, you can add /dev/urandom and /dev/random +devices by installing patch 112438 (Sparc) or 112439 (x86), which are +available via the Patchfinder at <URL: http://sunsolve.sun.com> +(Solaris 9 includes these devices by default). For /dev/random support +for earlier Solaris versions, see Sun's statement at +<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski> +(the SUNWski package is available in patch 105710). On systems without /dev/urandom and /dev/random, it is a good idea to use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for @@ -233,18 +245,6 @@ OpenSSL command line tools. Applications using the OpenSSL library provide their own configuration options to specify the entropy source, please check out the documentation coming the with application. -For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested -installing the SUNski package from Sun patch 105710-01 (Sparc) which -adds a /dev/random device and make sure it gets used, usually through -$RANDFILE. There are probably similar patches for the other Solaris -versions. An official statement from Sun with respect to /dev/random -support can be found at - http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski -However, be warned that /dev/random is usually a blocking device, which -may have some effects on OpenSSL. -A third party /dev/random solution for Solaris is available at - http://www.cosy.sbg.ac.at/~andi/ - * Why do I get an "unable to write 'random state'" error message? @@ -490,10 +490,13 @@ and then redo the compilation. What you should really do is make sure Sometimes, you may get reports from VC++ command line (cl) that it can't find standard include files like stdio.h and other weirdnesses. One possible cause is that the environment isn't correctly set up. -To solve that problem, one should run VCVARS32.BAT which is found in -the 'bin' subdirectory of the VC++ installation directory (somewhere -under 'Program Files'). This needs to be done prior to running NMAKE, -and the changes are only valid for the current DOS session. +To solve that problem for VC++ versions up to 6, one should run +VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++ +installation directory (somewhere under 'Program Files'). For VC++ +version 7 (and up?), which is also called VS.NET, the file is called +VSVARS32.BAT instead. +This needs to be done prior to running NMAKE, and the changes are only +valid for the current DOS session. * What is special about OpenSSL on Redhat? @@ -729,6 +732,7 @@ The general answer is to check the config.log file generated when running the OpenSSH configure script. It should contain the detailed information on why the OpenSSL library was not detected or considered incompatible. + * Can I use OpenSSL's SSL library with non-blocking I/O? Yes; make sure to read the SSL_get_error(3) manual page! diff --git a/INSTALL.W32 b/INSTALL.W32 index 8a875cf0be..d4996560dd 100644 --- a/INSTALL.W32 +++ b/INSTALL.W32 @@ -1,277 +1,288 @@ - - INSTALLATION ON THE WIN32 PLATFORM - ---------------------------------- - - [Instructions for building for Windows CE can be found in INSTALL.WCE] - - Heres a few comments about building OpenSSL in Windows environments. Most - of this is tested on Win32 but it may also work in Win 3.1 with some - modification. - - You need Perl for Win32. Unless you will build on Cygwin, you will need - ActiveState Perl, available from http://www.activestate.com/ActivePerl. - For Cygwin users, there's more info in the Cygwin section. - - and one of the following C compilers: - - * Visual C++ - * Borland C - * GNU C (Mingw32 or Cygwin) - - If you want to compile in the assembly language routines with Visual C++ then - you will need an assembler. This is worth doing because it will result in - faster code: for example it will typically result in a 2 times speedup in the - RSA routines. Currently the following assemblers are supported: - - * Microsoft MASM (aka "ml") - * Free Netwide Assembler NASM. - - MASM was at one point distributed with VC++. It is now distributed with some - Microsoft DDKs, for example the Windows NT 4.0 DDK and the Windows 98 DDK. If - you do not have either of these DDKs then you can just download the binaries - for the Windows 98 DDK and extract and rename the two files XXXXXml.exe and - XXXXXml.err, to ml.exe and ml.err and install somewhere on your PATH. Both - DDKs can be downloaded from the Microsoft developers site www.msdn.com. - - NASM is freely available. Version 0.98 was used during testing: other versions - may also work. It is available from many places, see for example: - http://www.kernel.org/pub/software/devel/nasm/binaries/win32/ - The NASM binary nasmw.exe needs to be installed anywhere on your PATH. - - If you are compiling from a tarball or a CVS snapshot then the Win32 files - may well be not up to date. This may mean that some "tweaking" is required to - get it all to work. See the trouble shooting section later on for if (when?) - it goes wrong. - - Visual C++ - ---------- - - Firstly you should run Configure: - - > perl Configure VC-WIN32 - - Next you need to build the Makefiles and optionally the assembly language - files: - - - If you are using MASM then run: - - > ms\do_masm - - - If you are using NASM then run: - - > ms\do_nasm - - - If you don't want to use the assembly language files at all then run: - - > ms\do_ms - - If you get errors about things not having numbers assigned then check the - troubleshooting section: you probably won't be able to compile it as it - stands. - - Then from the VC++ environment at a prompt do: - - > nmake -f ms\ntdll.mak - - If all is well it should compile and you will have some DLLs and executables - in out32dll. If you want to try the tests then do: - - > cd out32dll - > ..\ms\test - - Tweaks: - - There are various changes you can make to the Win32 compile environment. By - default the library is not compiled with debugging symbols. If you add 'debug' - to the mk1mf.pl lines in the do_* batch file then debugging symbols will be - compiled in. Note that mk1mf.pl expects the platform to be the last argument - on the command line, so 'debug' must appear before that, as all other options. - - The default Win32 environment is to leave out any Windows NT specific - features. - - If you want to enable the NT specific features of OpenSSL (currently only the - logging BIO) follow the instructions above but call the batch file do_nt.bat - instead of do_ms.bat. - - You can also build a static version of the library using the Makefile - ms\nt.mak - - Borland C++ builder 5 - --------------------- - - * Configure for building with Borland Builder: - > perl Configure BC-32 - - * Create the appropriate makefile - > ms\do_nasm - - * Build - > make -f ms\bcb.mak - - Borland C++ builder 3 and 4 - --------------------------- - - * Setup PATH. First must be GNU make then bcb4/bin - - * Run ms\bcb4.bat - - * Run make: - > make -f bcb.mak - - GNU C (Mingw32) - --------------- - - To build OpenSSL, you need the Mingw32 package and GNU make. - - * Compiler installation: - - Mingw32 is available from <ftp://ftp.xraylith.wisc.edu/pub/khan/ - gnu-win32/mingw32/gcc-2.95.2/gcc-2.95.2-msvcrt.exe>. Extract it - to a directory such as C:\gcc-2.95.2 and add c:\gcc-2.95.2\bin to - the PATH environment variable in "System Properties"; or edit and - run C:\gcc-2.95.2\mingw32.bat to set the PATH. - - * Compile OpenSSL: - - > ms\mingw32 - - This will create the library and binaries in out. In case any problems - occur, try - > ms\mingw32 no-asm - instead. - - libcrypto.a and libssl.a are the static libraries. To use the DLLs, - link with libeay32.a and libssl32.a instead. - - See troubleshooting if you get error messages about functions not having - a number assigned. - - * You can now try the tests: - - > cd out - > ..\ms\test - - GNU C (Cygwin) - -------------- - - Cygwin provides a bash shell and GNU tools environment running - on NT 4.0, Windows 9x, Windows ME, Windows 2000, and Windows XP. - Consequently, a make of OpenSSL with Cygwin is closer to a GNU - bash environment such as Linux than to other W32 makes which are - based on a single makefile approach. Cygwin implements Posix/Unix - calls through cygwin1.dll, and is contrasted to Mingw32 which links - dynamically to msvcrt.dll or crtdll.dll. - - To build OpenSSL using Cygwin: - - * Install Cygwin (see http://cygwin.com/) - - * Install Perl and ensure it is in the path (recent Cygwin perl - (version 5.6.1-2 of the latter has been reported to work) or - ActivePerl) - - * Run the Cygwin bash shell - - * $ tar zxvf openssl-x.x.x.tar.gz - $ cd openssl-x.x.x - $ ./config - [...] - $ make - [...] - $ make test - $ make install - - This will create a default install in /usr/local/ssl. - - Cygwin Notes: - - "make test" and normal file operations may fail in directories - mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin - stripping of carriage returns. To avoid this ensure that a binary - mount is used, e.g. mount -b c:\somewhere /home. - - "bc" is not provided in older Cygwin distribution. This causes a - non-fatal error in "make test" but is otherwise harmless. If - desired and needed, GNU bc can be built with Cygwin without change. - - - Installation - ------------ - - If you used the Cygwin procedure above, you have already installed and - can skip this section. For all other procedures, there's currently no real - installation procedure for Win32. There are, however, some suggestions: - - - do nothing. The include files are found in the inc32/ subdirectory, - all binaries are found in out32dll/ or out32/ depending if you built - dynamic or static libraries. - - - do as is written in INSTALL.Win32 that comes with modssl: - - $ md c:\openssl - $ md c:\openssl\bin - $ md c:\openssl\lib - $ md c:\openssl\include - $ md c:\openssl\include\openssl - $ copy /b inc32\* c:\openssl\include\openssl - $ copy /b out32dll\ssleay32.lib c:\openssl\lib - $ copy /b out32dll\libeay32.lib c:\openssl\lib - $ copy /b out32dll\ssleay32.dll c:\openssl\bin - $ copy /b out32dll\libeay32.dll c:\openssl\bin - $ copy /b out32dll\openssl.exe c:\openssl\bin - - Of course, you can choose another device than c:. C: is used here - because that's usually the first (and often only) harddisk device. - Note: in the modssl INSTALL.Win32, p: is used rather than c:. - - - Troubleshooting - --------------- - - Since the Win32 build is only occasionally tested it may not always compile - cleanly. If you get an error about functions not having numbers assigned - when you run ms\do_ms then this means the Win32 ordinal files are not up to - date. You can do: - - > perl util\mkdef.pl crypto ssl update - - then ms\do_XXX should not give a warning any more. However the numbers that - get assigned by this technique may not match those that eventually get - assigned in the CVS tree: so anything linked against this version of the - library may need to be recompiled. - - If you get errors about unresolved symbols there are several possible - causes. - - If this happens when the DLL is being linked and you have disabled some - ciphers then it is possible the DEF file generator hasn't removed all - the disabled symbols: the easiest solution is to edit the DEF files manually - to delete them. The DEF files are ms\libeay32.def ms\ssleay32.def. - - Another cause is if you missed or ignored the errors about missing numbers - mentioned above. - - If you get warnings in the code then the compilation will halt. - - The default Makefile for Win32 halts whenever any warnings occur. Since VC++ - has its own ideas about warnings which don't always match up to other - environments this can happen. The best fix is to edit the file with the - warning in and fix it. Alternatively you can turn off the halt on warnings by - editing the CFLAG line in the Makefile and deleting the /WX option. - - You might get compilation errors. Again you will have to fix these or report - them. - - One final comment about compiling applications linked to the OpenSSL library. - If you don't use the multithreaded DLL runtime library (/MD option) your - program will almost certainly crash because malloc gets confused -- the - OpenSSL DLLs are statically linked to one version, the application must - not use a different one. You might be able to work around such problems - by adding CRYPTO_malloc_init() to your program before any calls to the - OpenSSL libraries: This tells the OpenSSL libraries to use the same - malloc(), free() and realloc() as the application. However there are many - standard library functions used by OpenSSL that call malloc() internally - (e.g. fopen()), and OpenSSL cannot change these; so in general you cannot - rely on CRYPTO_malloc_init() solving your problem, and you should - consistently use the multithreaded library. +
+ INSTALLATION ON THE WIN32 PLATFORM
+ ----------------------------------
+
+ [Instructions for building for Windows CE can be found in INSTALL.WCE]
+
+ Heres a few comments about building OpenSSL in Windows environments. Most
+ of this is tested on Win32 but it may also work in Win 3.1 with some
+ modification.
+
+ You need Perl for Win32. Unless you will build on Cygwin, you will need
+ ActiveState Perl, available from http://www.activestate.com/ActivePerl.
+
+ and one of the following C compilers:
+
+ * Visual C++
+ * Borland C
+ * GNU C (Cygwin or MinGW)
+
+ If you are compiling from a tarball or a CVS snapshot then the Win32 files
+ may well be not up to date. This may mean that some "tweaking" is required to
+ get it all to work. See the trouble shooting section later on for if (when?)
+ it goes wrong.
+
+ Visual C++
+ ----------
+
+ If you want to compile in the assembly language routines with Visual C++ then
+ you will need an assembler. This is worth doing because it will result in
+ faster code: for example it will typically result in a 2 times speedup in the
+ RSA routines. Currently the following assemblers are supported:
+
+ * Microsoft MASM (aka "ml")
+ * Free Netwide Assembler NASM.
+
+ MASM is distributed with most versions of VC++. For the versions where it is
+ not included in VC++, it is also distributed with some Microsoft DDKs, for
+ example the Windows NT 4.0 DDK and the Windows 98 DDK. If you do not have
+ either of these DDKs then you can just download the binaries for the Windows
+ 98 DDK and extract and rename the two files XXXXXml.exe and XXXXXml.err, to
+ ml.exe and ml.err and install somewhere on your PATH. Both DDKs can be
+ downloaded from the Microsoft developers site www.msdn.com.
+
+ NASM is freely available. Version 0.98 was used during testing: other versions
+ may also work. It is available from many places, see for example:
+ http://www.kernel.org/pub/software/devel/nasm/binaries/win32/
+ The NASM binary nasmw.exe needs to be installed anywhere on your PATH.
+
+ Firstly you should run Configure:
+
+ > perl Configure VC-WIN32
+
+ Next you need to build the Makefiles and optionally the assembly language
+ files:
+
+ - If you are using MASM then run:
+
+ > ms\do_masm
+
+ - If you are using NASM then run:
+
+ > ms\do_nasm
+
+ - If you don't want to use the assembly language files at all then run:
+
+ > ms\do_ms
+
+ If you get errors about things not having numbers assigned then check the
+ troubleshooting section: you probably won't be able to compile it as it
+ stands.
+
+ Then from the VC++ environment at a prompt do:
+
+ > nmake -f ms\ntdll.mak
+
+ If all is well it should compile and you will have some DLLs and executables
+ in out32dll. If you want to try the tests then do:
+
+ > cd out32dll
+ > ..\ms\test
+
+ Tweaks:
+
+ There are various changes you can make to the Win32 compile environment. By
+ default the library is not compiled with debugging symbols. If you add 'debug'
+ to the mk1mf.pl lines in the do_* batch file then debugging symbols will be
+ compiled in. Note that mk1mf.pl expects the platform to be the last argument
+ on the command line, so 'debug' must appear before that, as all other options.
+
+ The default Win32 environment is to leave out any Windows NT specific
+ features.
+
+ If you want to enable the NT specific features of OpenSSL (currently only the
+ logging BIO) follow the instructions above but call the batch file do_nt.bat
+ instead of do_ms.bat.
+
+ You can also build a static version of the library using the Makefile
+ ms\nt.mak
+
+ Borland C++ builder 5
+ ---------------------
+
+ * Configure for building with Borland Builder:
+ > perl Configure BC-32
+
+ * Create the appropriate makefile
+ > ms\do_nasm
+
+ * Build
+ > make -f ms\bcb.mak
+
+ Borland C++ builder 3 and 4
+ ---------------------------
+
+ * Setup PATH. First must be GNU make then bcb4/bin
+
+ * Run ms\bcb4.bat
+
+ * Run make:
+ > make -f bcb.mak
+
+ GNU C (Cygwin)
+ --------------
+
+ Cygwin provides a bash shell and GNU tools environment running
+ on NT 4.0, Windows 9x, Windows ME, Windows 2000, and Windows XP.
+ Consequently, a make of OpenSSL with Cygwin is closer to a GNU
+ bash environment such as Linux than to other the other Win32
+ makes.
+
+ Cygwin implements a Posix/Unix runtime system (cygwin1.dll).
+ It is also possible to create Win32 binaries that only use the
+ Microsoft C runtime system (msvcrt.dll or crtdll.dll) using
+ MinGW. MinGW can be used in the Cygwin development environment
+ or in a standalone setup as described in the following section.
+
+ To build OpenSSL using Cygwin:
+
+ * Install Cygwin (see http://cygwin.com/)
+
+ * Install Perl and ensure it is in the path. Both Cygwin perl
+ (5.6.1-2 or newer) and ActivePerl work.
+
+ * Run the Cygwin bash shell
+
+ * $ tar zxvf openssl-x.x.x.tar.gz
+ $ cd openssl-x.x.x
+
+ To build the Cygwin version of OpenSSL:
+
+ $ ./config
+ [...]
+ $ make
+ [...]
+ $ make test
+ $ make install
+
+ This will create a default install in /usr/local/ssl.
+
+ To build the MinGW version (native Windows) in Cygwin:
+
+ $ ./Configure mingw
+ [...]
+ $ make
+ [...]
+ $ make test
+ $ make install
+
+ Cygwin Notes:
+
+ "make test" and normal file operations may fail in directories
+ mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin
+ stripping of carriage returns. To avoid this ensure that a binary
+ mount is used, e.g. mount -b c:\somewhere /home.
+
+ "bc" is not provided in older Cygwin distribution. This causes a
+ non-fatal error in "make test" but is otherwise harmless. If
+ desired and needed, GNU bc can be built with Cygwin without change.
+
+ GNU C (MinGW)
+ -------------
+
+ * Compiler installation:
+
+ MinGW is available from http://www.mingw.org. Run the installer and
+ set the MinGW bin directory to the PATH in "System Properties" or
+ autoexec.bat.
+
+ * Compile OpenSSL:
+
+ > ms\mingw32
+
+ This will create the library and binaries in out. In case any problems
+ occur, try
+ > ms\mingw32 no-asm
+ instead.
+
+ libcrypto.a and libssl.a are the static libraries. To use the DLLs,
+ link with libeay32.a and libssl32.a instead.
+
+ See troubleshooting if you get error messages about functions not having
+ a number assigned.
+
+ * You can now try the tests:
+
+ > cd out
+ > ..\ms\test
+
+
+ Installation
+ ------------
+
+ If you used the Cygwin procedure above, you have already installed and
+ can skip this section. For all other procedures, there's currently no real
+ installation procedure for Win32. There are, however, some suggestions:
+
+ - do nothing. The include files are found in the inc32/ subdirectory,
+ all binaries are found in out32dll/ or out32/ depending if you built
+ dynamic or static libraries.
+
+ - do as is written in INSTALL.Win32 that comes with modssl:
+
+ $ md c:\openssl
+ $ md c:\openssl\bin
+ $ md c:\openssl\lib
+ $ md c:\openssl\include
+ $ md c:\openssl\include\openssl
+ $ copy /b inc32\* c:\openssl\include\openssl
+ $ copy /b out32dll\ssleay32.lib c:\openssl\lib
+ $ copy /b out32dll\libeay32.lib c:\openssl\lib
+ $ copy /b out32dll\ssleay32.dll c:\openssl\bin
+ $ copy /b out32dll\libeay32.dll c:\openssl\bin
+ $ copy /b out32dll\openssl.exe c:\openssl\bin
+
+ Of course, you can choose another device than c:. C: is used here
+ because that's usually the first (and often only) harddisk device.
+ Note: in the modssl INSTALL.Win32, p: is used rather than c:.
+
+
+ Troubleshooting
+ ---------------
+
+ Since the Win32 build is only occasionally tested it may not always compile
+ cleanly. If you get an error about functions not having numbers assigned
+ when you run ms\do_ms then this means the Win32 ordinal files are not up to
+ date. You can do:
+
+ > perl util\mkdef.pl crypto ssl update
+
+ then ms\do_XXX should not give a warning any more. However the numbers that
+ get assigned by this technique may not match those that eventually get
+ assigned in the CVS tree: so anything linked against this version of the
+ library may need to be recompiled.
+
+ If you get errors about unresolved symbols there are several possible
+ causes.
+
+ If this happens when the DLL is being linked and you have disabled some
+ ciphers then it is possible the DEF file generator hasn't removed all
+ the disabled symbols: the easiest solution is to edit the DEF files manually
+ to delete them. The DEF files are ms\libeay32.def ms\ssleay32.def.
+
+ Another cause is if you missed or ignored the errors about missing numbers
+ mentioned above.
+
+ If you get warnings in the code then the compilation will halt.
+
+ The default Makefile for Win32 halts whenever any warnings occur. Since VC++
+ has its own ideas about warnings which don't always match up to other
+ environments this can happen. The best fix is to edit the file with the
+ warning in and fix it. Alternatively you can turn off the halt on warnings by
+ editing the CFLAG line in the Makefile and deleting the /WX option.
+
+ You might get compilation errors. Again you will have to fix these or report
+ them.
+
+ One final comment about compiling applications linked to the OpenSSL library.
+ If you don't use the multithreaded DLL runtime library (/MD option) your
+ program will almost certainly crash because malloc gets confused -- the
+ OpenSSL DLLs are statically linked to one version, the application must
+ not use a different one. You might be able to work around such problems
+ by adding CRYPTO_malloc_init() to your program before any calls to the
+ OpenSSL libraries: This tells the OpenSSL libraries to use the same
+ malloc(), free() and realloc() as the application. However there are many
+ standard library functions used by OpenSSL that call malloc() internally
+ (e.g. fopen()), and OpenSSL cannot change these; so in general you cannot
+ rely on CRYPTO_malloc_init() solving your problem, and you should
+ consistently use the multithreaded library.
@@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/Makefile.org b/Makefile.org index 3568efc314..58c0807fbf 100644 --- a/Makefile.org +++ b/Makefile.org @@ -167,6 +167,7 @@ RMD160_ASM_OBJ= asm/rm86-out.o # KRB5 stuff KRB5_INCLUDES= +LIBKRB5= DIRS= crypto ssl engines apps test tools SHLIBDIRS= crypto ssl @@ -280,14 +281,18 @@ build-shared: do_$(SHLIB_TARGET) link-shared do_$(SHLIB_TARGET): @ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ $(NEWMAKE) -f Makefile.shared \ CC="$(CC)" LDFLAGS="$(LDFLAGS)" \ SHARED_LDFLAGS="$(SHARED_LDFLAGS)" \ LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \ LIBDEPS="$$libs $(EX_LIBS)" \ + LIBRPATH="$(INSTALLTOP)/lib" \ link_a.$(SHLIB_TARGET); \ - libs="$$libs -l$$i"; \ + libs="-l$$i $$libs"; \ done openssl.pc: Makefile.ssl @@ -309,10 +314,10 @@ Makefile.ssl: Makefile.org @false libclean: - rm -f *.so *.so.* engines/*.so *.a */lib */*/lib + rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib -clean: - rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c +clean: libclean + rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c @for i in $(DIRS) ;\ do \ if [ -d "$$i" ]; then \ @@ -322,7 +327,7 @@ clean: fi; \ done; rm -f openssl.pc - rm -f *.a *.o speed.* *.map *.so .pure core + rm -f speed.* .pure rm -f $(TARFILE) @for i in $(ONEDIRS) ;\ do \ @@ -372,7 +377,10 @@ rehash: rehash.time rehash.time: certs @(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \ export OPENSSL OPENSSL_DEBUG_MEMORY; \ - LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \ + LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ + DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ + SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ + LIBPATH="`pwd`:$$LIBPATH"; \ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ $(PERL) tools/c_rehash certs) @@ -383,10 +391,13 @@ test: tests tests: rehash @(cd test && echo "testing..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests ); - @LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \ - if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ - export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ - apps/openssl version -a + @LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ + DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ + SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ + LIBPATH="`pwd`:$$LIBPATH"; \ + if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ + export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ + apps/openssl version -a report: @$(PERL) util/selftest.pl diff --git a/Makefile.shared b/Makefile.shared index a3acc9877a..3584158b9c 100644 --- a/Makefile.shared +++ b/Makefile.shared @@ -7,19 +7,32 @@ # CC contains the current compiler. This one MUST be defined CC=cc -# LDFLAGS contains flags to be used when the temporary object file is -# created. SHARED_LDFLAGS contains flags to be used when the shared -# library is created. +# LDFLAGS contains flags to be used when temporary object files (when building +# shared libraries) are created, or when an application is linked. +# SHARED_LDFLAGS contains flags to be used when the shared library is created. LDFLAGS= SHARED_LDFLAGS= -# LIBNAME contains just the name of thhe library, without prefix ("lib" +# LIBNAME contains just the name of the library, without prefix ("lib" # on Unix, "cyg" for certain forms under Cygwin...) or suffix (.a, .so, -# .dll, ...). This one MUST have a value when using this makefile. +# .dll, ...). This one MUST have a value when using this makefile to +# build shared libraries. # For example, to build libfoo.so, you need to do the following: #LIBNAME=foo LIBNAME= +# APPNAME contains just the name of the application, without suffix ("" +# on Unix, ".exe" on Windows, ...). This one MUST have a value when using +# this makefile to build applications. +# For example, to build foo, you need to do the following: +#APPNAME=foo +APPNAME= + +# OBJECTS contains all the object files to link together into the application. +# This must contain at least one object file. +#OBJECTS=foo.o +OBJECTS= + # LIBEXTRAS contains extra modules to link together with the library. # For example, if a second library, say libbar.a needs to be linked into # libfoo.so, you need to do the following: @@ -73,8 +86,12 @@ CALC_VERSIONS= \ done; \ fi +LINK_APP= \ + ( $(DEBUG); \ + $$LDCMD $(LDFLAGS) $$LDFLAGS -o $$APPNAME $(OBJECTS) $$LIBDEPS ) + LINK_SO= \ - ( $(DEBUG); \ + ( $(DEBUG); \ nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' > lib$(LIBNAME).exp; \ $$SHAREDCMD $(SHARED_LDFLAGS) $$SHAREDFLAGS -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \ $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS ) && \ @@ -111,19 +128,37 @@ LINK_SO_A_UNPACKED= \ DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null -DO_GNU=$(CALC_VERSIONS); \ +DO_GNU_SO=$(CALC_VERSIONS); \ SHLIB=lib$(LIBNAME).so; \ SHLIB_SUFFIX=; \ LIBDEPS="$(LIBDEPS) -lc"; \ ALLSYMSFLAGS='-Wl,--whole-archive'; \ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ - SHAREDFLAGS="-shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \ + SHAREDFLAGS="-shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-rpath,$(LIBRPATH)"; \ SHAREDCMD='$(CC)' +DO_GNU_APP=LDCMD=$(CC);\ + LDFLAGS="-Wl,-rpath,$(LIBRPATH)"; \ + LIBDEPS="$(LIBDEPS) -lc"; \ + APPNAME=$(APPNAME) + +#This is rather special. It's a special target with which one can link +#applications without bothering with any features that have anything to +#do with shared libraries, for example when linking against static +#libraries. It's mostly here to avoid a lot of conditionals everywhere +#else... +link_app.: + LDCMD=$(CC); \ + LDFLAGS=""; \ + LIBDEPS="$(LIBDEPS)"; \ + APPNAME="$(APPNAME)"; \ + $(LINK_APP) link_o.gnu: - @ $(DO_GNU); $(LINK_SO_O) + @ $(DO_GNU_SO); $(LINK_SO_O) link_a.gnu: - @ $(DO_GNU); $(LINK_SO_A) + @ $(DO_GNU_SO); $(LINK_SO_A) +link_app.gnu: + @ $(DO_GNU_APP); $(LINK_APP) # For Darwin AKA Mac OS/X (dyld) link_o.darwin: @@ -158,6 +193,12 @@ link_a.darwin: SHAREDFLAGS="$$SHAREDFLAGS -compatibility_version $$SHLIB_SOVER_NODOT"; \ fi; \ $(LINK_SO_A) +link_app.darwin: + LDCMD=$(CC);\ + LDFLAGS=""; \ + LIBDEPS="$(LIBDEPS) -lc"; \ + APPNAME="$(APPNAME)"; \ + $(LINK_APP) link_o.cygwin: @ $(CALC_VERSIONS); \ @@ -183,10 +224,16 @@ link_a.cygwin: SHAREDFLAGS="-shared -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a"; \ SHAREDCMD='${CC}'; \ $(LINK_SO_A) +link_app.cygwin: + LDCMD=$(CC);\ + LDFLAGS=""; \ + LIBDEPS="$(LIBDEPS) -lc"; \ + APPNAME="$(APPNAME).exe" + $(LINK_APP) link_o.alpha-osf1: @ if ${DETECT_GNU_LD}; then \ - $(DO_GNU); \ + $(DO_GNU_SO); \ else \ SHLIB=lib$(LIBNAME).so; \ SHLIB_SUFFIX=; \ @@ -209,7 +256,7 @@ link_o.alpha-osf1: $(LINK_SO_O) link_a.alpha-osf1: @ if ${DETECT_GNU_LD}; then \ - $(DO_GNU); \ + $(DO_GNU_SO); \ else \ SHLIB=lib$(LIBNAME).so; \ SHLIB_SUFFIX=; \ @@ -230,12 +277,22 @@ link_a.alpha-osf1: fi; \ fi; \ $(LINK_SO_A) +link_app.alpha-osf1: + @ if ${DETECT_GNU_LD}; then \ + $(DO_GNU_APP); \ + else \ + LDCMD=$(CC);\ + LDFLAGS=""; \ + LIBDEPS="$(LIBDEPS) -lc"; \ + APPNAME="$(APPNAME)" + fi; \ + $(LINK_APP) # The difference between alpha-osf1-shared and tru64-shared is the `-msym' # option passed to the linker. link_o.tru64: @ if ${DETECT_GNU_LD}; then \ - $(DO_GNU); \ + $(DO_GNU_SO); \ else \ SHLIB=lib$(LIBNAME).so; \ SHLIB_SUFFIX=; \ @@ -249,7 +306,7 @@ link_o.tru64: SHLIB_SOVER=; \ ALLSYMSFLAGS='-all'; \ NOALLSYMSFLAGS='-none'; \ - SHAREDFLAGS="-shared -msym"; \ + SHAREDFLAGS="-shared -msym -rpath $(LIBRPATH)"; \ SHAREDCMD='$(CC)'; \ if [ -n "$$SHLIB_HIST" ]; then \ SHAREDFLAGS="$$SHAREDFLAGS -set_version \"$$SHLIB_HIST\""; \ @@ -258,7 +315,7 @@ link_o.tru64: $(LINK_SO_O) link_a.tru64: @ if ${DETECT_GNU_LD}; then \ - $(DO_GNU); \ + $(DO_GNU_SO); \ else \ SHLIB=lib$(LIBNAME).so; \ SHLIB_SUFFIX=; \ @@ -272,19 +329,29 @@ link_a.tru64: SHLIB_SOVER=; \ ALLSYMSFLAGS='-all'; \ NOALLSYMSFLAGS='-none'; \ - SHAREDFLAGS="-shared -msym"; \ + SHAREDFLAGS="-shared -msym -rpath $(LIBRPATH)"; \ SHAREDCMD='$(CC)'; \ if [ -n "$$SHLIB_HIST" ]; then \ SHAREDFLAGS="$$SHAREDFLAGS -set_version \"$$SHLIB_HIST\""; \ fi; \ fi; \ $(LINK_SO_A) +link_app.tru64: + @ if ${DETECT_GNU_LD}; then \ + $(DO_GNU_APP); \ + else \ + LDCMD=$(CC);\ + LDFLAGS="-rpath $(LIBRPATH)"; \ + LIBDEPS="$(LIBDEPS) -lc"; \ + APPNAME="$(APPNAME)"; \ + fi; \ + $(LINK_APP) # The difference between tru64-shared and tru64-shared-rpath is the # -rpath ${LIBRPATH} passed to the linker. link_o.tru64-rpath: @ if ${DETECT_GNU_LD}; then \ - $(DO_GNU); \ + $(DO_GNU_SO); \ else \ SHLIB=lib$(LIBNAME).so; \ SHLIB_SUFFIX=; \ @@ -307,7 +374,7 @@ link_o.tru64-rpath: $(LINK_SO_O) link_a.tru64-rpath: @ if ${DETECT_GNU_LD}; then \ - $(DO_GNU); \ + $(DO_GNU_SO); \ else \ SHLIB=lib$(LIBNAME).so; \ SHLIB_SUFFIX=; \ @@ -328,10 +395,20 @@ link_a.tru64-rpath: fi; \ fi; \ $(LINK_SO_A) +link_app.tru64-rpath: + @ if ${DETECT_GNU_LD}; then \ + $(DO_GNU_APP); \ + else \ + LDCMD=$(CC);\ + LDFLAGS="-rpath $(LIBRPATH)"; \ + LIBDEPS="$(LIBDEPS) -lc"; \ + APPNAME="$(APPNAME)"; \ + fi; \ + $(LINK_APP) link_o.solaris: @ if ${DETECT_GNU_LD}; then \ - $(DO_GNU); \ + $(DO_GNU_SO); \ else \ $(CALC_VERSIONS); \ MINUSZ='-z '; \ @@ -341,13 +418,13 @@ link_o.solaris: LIBDEPS="$(LIBDEPS) -lc"; \ ALLSYMSFLAGS="$${MINUSZ}allextract"; \ NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \ - SHAREDFLAGS="-G -dy -z text -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \ + SHAREDFLAGS="-G -dy -z text -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -R $(LIBRPATH)"; \ SHAREDCMD='$(CC)'; \ fi; \ $(LINK_SO_O) link_a.solaris: @ if ${DETECT_GNU_LD}; then \ - $(DO_GNU); \ + $(DO_GNU_SO); \ else \ $(CALC_VERSIONS); \ MINUSZ='-z '; \ @@ -357,45 +434,69 @@ link_a.solaris: LIBDEPS="$(LIBDEPS) -lc"; \ ALLSYMSFLAGS="$${MINUSZ}allextract"; \ NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \ - SHAREDFLAGS="-G -dy -z text -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \ + SHAREDFLAGS="-G -dy -z text -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -R $(LIBRPATH)"; \ SHAREDCMD='$(CC)'; \ fi; \ $(LINK_SO_A) +link_app.solaris: + @ if ${DETECT_GNU_LD}; then \ + $(DO_GNU_APP); \ + else \ + LDCMD=$(CC);\ + LDFLAGS="-R $(LIBRPATH)"; \ + LIBDEPS="$(LIBDEPS) -lc"; \ + APPNAME="$(APPNAME)"; \ + fi; \ + $(LINK_APP) # OpenServer 5 native compilers used # UnixWare 7 and OpenUNIX 8 native compilers used link_o.svr3: @ if ${DETECT_GNU_LD}; then \ - $(DO_GNU); \ + $(DO_GNU_SO); \ else \ $(CALC_VERSIONS); \ + SHARE_FLAG='-G'; \ + (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAGS='-shared'; \ SHLIB=lib$(LIBNAME).so; \ SHLIB_SUFFIX=; \ LIBDEPS="$(LIBDEPS) -lc"; \ ALLSYMSFLAGS='-z allextract'; \ NOALLSYMSFLAGS=''; \ - SHAREDFLAGS="-G -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \ + SHAREDFLAGS="$${SHARE_FLAG} -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \ SHAREDCMD='$(CC)'; \ fi; \ $(LINK_SO_O) link_a.svr3: @ if ${DETECT_GNU_LD}; then \ - $(DO_GNU); \ + $(DO_GNU_SO); \ else \ $(CALC_VERSIONS); \ + SHARE_FLAG='-G'; \ + (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAGS='-shared'; \ SHLIB=lib$(LIBNAME).so; \ SHLIB_SUFFIX=; \ LIBDEPS="$(LIBDEPS) -lc"; \ ALLSYMSFLAGS='-z allextract'; \ NOALLSYMSFLAGS=''; \ - SHAREDFLAGS="-G -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \ + SHAREDFLAGS="$${SHARE_FLAG} -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \ SHAREDCMD='$(CC)'; \ fi; \ $(LINK_SO_A_UNPACKED) +link_app.svr3: + @ if ${DETECT_GNU_LD}; then \ + $(DO_GNU_APP); \ + else \ + LDCMD=$(CC);\ + LDFLAGS=""; \ + LIBDEPS="$(LIBDEPS) -lc"; \ + APPNAME="$(APPNAME)"; \ + fi; \ + $(LINK_APP) link_o.irix: @ if ${DETECT_GNU_LD}; then \ - $(DO_GNU); \ + $(DO_GNU_SO); \ else \ $(CALC_VERSIONS); \ SHLIB=lib$(LIBNAME).so; \ @@ -403,13 +504,13 @@ link_o.irix: LIBDEPS="$(LIBDEPS) -lc"; \ ALLSYMSFLAGS='-all'; \ NOALLSYMSFLAGS=''; \ - SHAREDFLAGS="-shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \ + SHAREDFLAGS="-shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-rpath,$(LIBRPATH)"; \ SHAREDCMD='$(CC)'; \ fi; \ $(LINK_SO_O) link_a.irix: @ if ${DETECT_GNU_LD}; then \ - $(DO_GNU); \ + $(DO_GNU_SO); \ else \ $(CALC_VERSIONS); \ SHLIB=lib$(LIBNAME).so; \ @@ -417,10 +518,20 @@ link_a.irix: LIBDEPS="$(LIBDEPS) -lc"; \ ALLSYMSFLAGS='-all'; \ NOALLSYMSFLAGS=''; \ - SHAREDFLAGS="-shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \ + SHAREDFLAGS="-shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-rpath,$(LIBRPATH)"; \ SHAREDCMD='$(CC)'; \ fi; \ $(LINK_SO_A) +link_app.irix: + @ if ${DETECT_GNU_LD}; then \ + $(DO_GNU_APP); \ + else \ + LDCMD=$(CC);\ + LDFLAGS="-Wl,-rpath,$(LIBRPATH)"; \ + LIBDEPS="$(LIBDEPS) -lc"; \ + APPNAME="$(APPNAME)"; \ + fi; \ + $(LINK_APP) # HP-UX includes the full pathname of libs we depend on, so we would get # ./libcrypto (with ./ as path information) compiled into libssl, hence @@ -439,7 +550,7 @@ link_o.hpux32: LIBDEPS="$(LIBDEPS) -lc"; \ ALLSYMSFLAGS='-Fl'; \ NOALLSYMSFLAGS=''; \ - SHAREDFLAGS="+vnocompatwarnings -b -z +s +h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \ + SHAREDFLAGS="+vnocompatwarnings -b -z +s +h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX +b $(LIBRPATH)"; \ SHAREDCMD='/usr/ccs/bin/ld'; \ $(LINK_SO_O) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX link_a.hpux32: @@ -449,9 +560,15 @@ link_a.hpux32: LIBDEPS="$(LIBDEPS) -lc"; \ ALLSYMSFLAGS='-Fl'; \ NOALLSYMSFLAGS=''; \ - SHAREDFLAGS="+vnocompatwarnings -b -z +s +h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \ + SHAREDFLAGS="+vnocompatwarnings -b -z +s +h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX +b $(LIBRPATH)"; \ SHAREDCMD='/usr/ccs/bin/ld'; \ $(LINK_SO_A) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX +link_app.hpux32: + LDCMD=$(CC);\ + LDFLAGS="-Wl,+b,$(LIBRPATH)"; \ + LIBDEPS="$(LIBDEPS) -lc"; \ + APPNAME="$(APPNAME)" + $(LINK_APP) # HP-UX includes the full pathname of libs we depend on, so we would get # ./libcrypto (with ./ as path information) compiled into libssl, hence @@ -468,7 +585,7 @@ link_o.hpux64: LIBDEPS="$(LIBDEPS) -lc"; \ ALLSYMSFLAGS='+forceload'; \ NOALLSYMSFLAGS=''; \ - SHAREDFLAGS="-b -z +h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \ + SHAREDFLAGS="-b -z +h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX +b $(LIBRPATH)"; \ SHAREDCMD='/usr/ccs/bin/ld'; \ $(LINK_SO_O) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX link_a.hpux64: @@ -478,9 +595,15 @@ link_a.hpux64: LIBDEPS="$(LIBDEPS) -lc"; \ ALLSYMSFLAGS='+forceload'; \ NOALLSYMSFLAGS=''; \ - SHAREDFLAGS="-b -z +h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \ + SHAREDFLAGS="-b -z +h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX +b $(LIBRPATH)"; \ SHAREDCMD='/usr/ccs/bin/ld'; \ $(LINK_SO_A) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX +link_app.hpux64: + LDCMD=$(CC);\ + LDFLAGS="-Wl,+b,$(LIBRPATH)"; \ + LIBDEPS="$(LIBDEPS) -lc"; \ + APPNAME="$(APPNAME)" + $(LINK_APP) link_o.aix: @ $(CALC_VERSIONS); \ @@ -489,7 +612,7 @@ link_o.aix: LIBDEPS="$(LIBDEPS) -lc"; \ ALLSYMSFLAGS='-bnogc'; \ NOALLSYMSFLAGS=''; \ - SHAREDFLAGS='-G -bE:lib$(LIBNAME).exp -bM:SRE'; \ + SHAREDFLAGS='-G -bE:lib$(LIBNAME).exp -bM:SRE -blibpath:$(LIBRPATH)'; \ SHAREDCMD='$(CC)'; \ $(LINK_SO_O) link_a.aix: @@ -499,9 +622,15 @@ link_a.aix: LIBDEPS="$(LIBDEPS) -lc"; \ ALLSYMSFLAGS='-bnogc'; \ NOALLSYMSFLAGS=''; \ - SHAREDFLAGS='-G -bE:lib$(LIBNAME).exp -bM:SRE'; \ + SHAREDFLAGS='-G -bE:lib$(LIBNAME).exp -bM:SRE -blibpath:$(LIBRPATH)'; \ SHAREDCMD='$(CC)'; \ $(LINK_SO_A_VIA_O) +link_app.aix: + LDCMD=$(CC);\ + LDFLAGS="-blibpath:$(LIBRPATH)"; \ + LIBDEPS="$(LIBDEPS) -lc"; \ + APPNAME="$(APPNAME)" + $(LINK_APP) link_o.reliantunix: @ $(CALC_VERSIONS); \ @@ -523,6 +652,12 @@ link_a.reliantunix: SHAREDFLAGS='-G'; \ SHAREDCMD='$(CC)'; \ $(LINK_SO_A_UNPACKED) +link_app.reliantunix: + LDCMD=$(CC);\ + LDFLAGS=""; \ + LIBDEPS="$(LIBDEPS) -lc"; \ + APPNAME="$(APPNAME)" + $(LINK_APP) # Targets to build symbolic links when needed symlink.gnu symlink.solaris symlink.svr3 symlink.irix \ @@ -545,43 +680,57 @@ symlink.cygwin symlib.alpha-osf1 symlink.tru64 symlink.tru64-rpath: # Compatibility targets link_o.bsd-gcc-shared link_o.linux-shared link_o.gnu-shared: link_o.gnu link_a.bsd-gcc-shared link_a.linux-shared link_a.gnu-shared: link_a.gnu +link_app.bsd-gcc-shared link_app.linux-shared link_app.gnu-shared: link_app.gnu symlink.bsd-gcc-shared symlink.linux-shared symlink.gnu-shared: symlink.gnu link_o.darwin-shared: link_o.darwin link_a.darwin-shared: link_a.darwin +link_app.darwin-shared: link_app.darwin symlink.darwin-shared: symlink.darwin link_o.cygwin-shared: link_o.cygwin link_a.cygwin-shared: link_a.cygwin +link_app.cygwin-shared: link_app.cygwin symlink.cygwin-shared: symlink.cygwin link_o.alpha-osf1-shared: link_o.alpha-osf1 link_a.alpha-osf1-shared: link_a.alpha-osf1 +link_app.alpha-osf1-shared: link_app.alpha-osf1 symlink.alpha-osf1-shared: symlink.alpha-osf1 link_o.tru64-shared: link_o.tru64 link_a.tru64-shared: link_a.tru64 +link_app.tru64-shared: link_app.tru64 symlink.tru64-shared: symlink.tru64 link_o.tru64-shared-rpath: link_o.tru64-rpath link_a.tru64-shared-rpath: link_a.tru64-rpath +link_app.tru64-shared-rpath: link_app.tru64-rpath symlink.tru64-shared-rpath: symlink.tru64-rpath link_o.solaris-shared: link_o.solaris link_a.solaris-shared: link_a.solaris +link_app.solaris-shared: link_app.solaris symlink.solaris-shared: symlink.solaris link_o.svr3-shared: link_o.svr3 link_a.svr3-shared: link_a.svr3 +link_app.svr3-shared: link_app.svr3 symlink.svr3-shared: symlink.svr3 link_o.svr5-shared: link_o.svr3 link_a.svr5-shared: link_a.svr3 +link_app.svr5-shared: link_app.svr3 symlink.svr5-shared: symlink.svr3 link_o.irix-shared: link_o.irix link_a.irix-shared: link_a.irix +link_app.irix-shared: link_app.irix symlink.irix-shared: symlink.irix link_o.hpux-shared: link_o.hpux32 link_a.hpux-shared: link_a.hpux32 +link_app.hpux-shared: link_app.hpux32 symlink.hpux-shared: symlink.hpux32 link_o.hpux64-shared: link_o.hpux64 link_a.hpux64-shared: link_a.hpux64 +link_app.hpux64-shared: link_app.hpux64 symlink.hpux64-shared: symlink.hpux64 link_o.aix-shared: link_o.aix link_a.aix-shared: link_a.aix +link_app.aix-shared: link_app.aix symlink.aix-shared: symlink.aix link_o.reliantunix-shared: link_o.reliantunix link_a.reliantunix-shared: link_a.reliantunix +link_app.reliantunix-shared: link_app.reliantunix symlink.reliantunix-shared: symlink.reliantunix @@ -5,6 +5,17 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a: + + o Security: Important security related bugfixes. + o Enhanced compatibility with MIT Kerberos. + o Can be built without the ENGINE framework. + o IA32 assembler enhancements. + o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64. + o Configuration: the no-err option now works properly. + o SSL/TLS: now handles manual certificate chain building. + o SSL/TLS: certain session ID malfunctions corrected. + Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7: o New library section OCSP. @@ -48,6 +59,10 @@ o SSL/TLS: add callback to retrieve SSL/TLS messages. o SSL/TLS: support AES cipher suites (RFC3268). + Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i: + + o Important security related bugfixes. + Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h: o New configuration targets for Tandem OSS and A/UX. @@ -89,3 +89,12 @@ failures in other parts of the code. (See Ticket #426.) Workaround: modify the target to +O2 when building with no-asm. + +* Poor support for AIX shared builds. + +do_aix-shared rule is not flexible enough to parameterize through a +config-line. './Configure aix43-cc shared' is working, but not +'./Configure aix64-gcc shared'. In latter case make fails to create shared +libraries. It's possible to build 64-bit shared libraries by running +'env OBJECT_MODE=64 make', but we need more elegant solution. Preferably one +supporting even gcc shared builds. See RT#463 for background information. @@ -1,11 +1,13 @@ OpenSSL STATUS Last modified at - ______________ $Date: 2003/01/02 01:41:11 $ + ______________ $Date: 2003/04/04 15:17:19 $ DEVELOPMENT STATE o OpenSSL 0.9.8: Under development... + o OpenSSL 0.9.7a: Released on February 19th, 2003 o OpenSSL 0.9.7: Released on December 31st, 2002 + o OpenSSL 0.9.6i: Released on February 19th, 2003 o OpenSSL 0.9.6h: Released on December 5th, 2002 o OpenSSL 0.9.6g: Released on August 9th, 2002 o OpenSSL 0.9.6f: Released on August 8th, 2002 @@ -27,17 +29,7 @@ RELEASE SHOWSTOPPERS - o [2002-11-21] - PR 343 mentions that scrubbing memory with 'memset(ptr, 0, n)' may - be optimized away in modern compilers. This is definitely not good - and needs to be fixed immediately. The formula to use is presented - in: - - http://online.securityfocus.com/archive/82/297918/2002-10-27/2002-11-02/0 - - The problem report that mentions this is: - - https://www.aet.TU-Cottbus.DE/rt2/Ticket/Display.html?id=343 + o AVAILABLE PATCHES @@ -225,15 +225,15 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = -*** FreeBSD-sparc64 +*** FreeBSD-ia64 $cc = gcc -$cflags = -DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer +$cflags = -DL_ENDIAN -DTERMIOS -O -fomit-frame-pointer $unistd = -$thread_cflag = -pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE +$thread_cflag = (unknown) $sys_id = $lflags = -$bn_ops = SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR -$bn_obj = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR +$bn_obj = asm/ia64-cpp.o $des_obj = $bf_obj = $md5_obj = @@ -250,14 +250,14 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = -*** MPE/iX-gcc +*** FreeBSD-sparc64 $cc = gcc -$cflags = -D_ENDIAN -DBN_DIV2W -O3 -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB +$cflags = -DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer $unistd = -$thread_cflag = (unknown) -$sys_id = MPE -$lflags = -L/SYSLOG/PUB -lsyslog -lsocket -lcurses -$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$thread_cflag = -pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE +$sys_id = +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR $bn_obj = $des_obj = $bf_obj = @@ -267,22 +267,22 @@ $cast_obj = $rc4_obj = $rmd160_obj = $rc5_obj = -$dso_scheme = -$shared_target= -$shared_cflag = +$dso_scheme = dlfcn +$shared_target= bsd-gcc-shared +$shared_cflag = -fPIC $shared_ldflag = -$shared_extension = +$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = -*** Mingw32 +*** MPE/iX-gcc $cc = gcc -$cflags = -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$cflags = -D_ENDIAN -DBN_DIV2W -O3 -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB $unistd = -$thread_cflag = -$sys_id = -$lflags = -$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$thread_cflag = (unknown) +$sys_id = MPE +$lflags = -L/SYSLOG/PUB -lsyslog -lsocket -lcurses +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 $bn_obj = $des_obj = $bf_obj = @@ -292,7 +292,7 @@ $cast_obj = $rc4_obj = $rmd160_obj = $rc5_obj = -$dso_scheme = win32 +$dso_scheme = $shared_target= $shared_cflag = $shared_ldflag = @@ -1093,10 +1093,10 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn -$shared_target= +$shared_target= aix-shared $shared_cflag = $shared_ldflag = -$shared_extension = +$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = @@ -1143,10 +1143,10 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn -$shared_target= +$shared_target= aix-shared $shared_cflag = -$shared_ldflag = -$shared_extension = +$shared_ldflag = -q64 +$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = -X 64 @@ -1993,7 +1993,7 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o $dso_scheme = dlfcn -$shared_target= +$shared_target= linux-shared $shared_cflag = $shared_ldflag = $shared_extension = @@ -2010,7 +2010,7 @@ $lflags = -rdynamic -ldl $bn_ops = SIXTY_FOUR_BIT $bn_obj = $des_obj = dlfcn -$bf_obj = +$bf_obj = linux-shared $md5_obj = $sha1_obj = $cast_obj = @@ -2327,7 +2327,7 @@ $arflags = *** hpux-parisc-cc $cc = cc -$cflags = +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY +$cflags = +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -2402,7 +2402,7 @@ $arflags = *** hpux-parisc1_1-cc $cc = cc -$cflags = +DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY +$cflags = +DA1.1 +DS1.1 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -2427,7 +2427,7 @@ $arflags = *** hpux-parisc2-cc $cc = cc -$cflags = +DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY +$cflags = +DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -2627,7 +2627,7 @@ $arflags = *** hpux64-parisc2-cc $cc = cc -$cflags = +DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY +$cflags = +DD64 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -3050,6 +3050,31 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = +*** linux-ia64-ecc +$cc = ecc +$cflags = -DL_ENDIAN -DTERMIO -O2 -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$sys_id = +$lflags = -ldl +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR +$bn_obj = asm/ia64.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= linux-shared +$shared_cflag = -fPIC +$shared_ldflag = +$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) +$ranlib = +$arflags = + *** linux-k6 $cc = gcc $cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=k6 -Wall @@ -3104,10 +3129,10 @@ $arflags = $cc = gcc $cflags = -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall $unistd = -$thread_cflag = (unknown) +$thread_cflag = -D_REENTRANT $sys_id = -$lflags = -$bn_ops = BN_LLONG +$lflags = -ldl +$bn_ops = BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2 $bn_obj = $des_obj = $bf_obj = @@ -3117,11 +3142,11 @@ $cast_obj = $rc4_obj = $rmd160_obj = $rc5_obj = -$dso_scheme = -$shared_target= -$shared_cflag = +$dso_scheme = dlfcn +$shared_target= linux-shared +$shared_cflag = -fPIC $shared_ldflag = -$shared_extension = +$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = @@ -3129,10 +3154,10 @@ $arflags = $cc = gcc $cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall $unistd = -$thread_cflag = (unknown) +$thread_cflag = -D_REENTRANT $sys_id = -$lflags = -$bn_ops = BN_LLONG +$lflags = -ldl +$bn_ops = BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2 $bn_obj = $des_obj = $bf_obj = @@ -3142,11 +3167,11 @@ $cast_obj = $rc4_obj = $rmd160_obj = $rc5_obj = -$dso_scheme = -$shared_target= -$shared_cflag = +$dso_scheme = dlfcn +$shared_target= linux-shared +$shared_cflag = -fPIC $shared_ldflag = -$shared_extension = +$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = @@ -3425,13 +3450,38 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = +*** mingw +$cc = gcc +$cflags = -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall +$unistd = +$thread_cflag = +$sys_id = MINGW32 +$lflags = -mno-cygwin -lwsock32 -lgdi32 +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-out.o asm/co86-out.o +$des_obj = asm/dx86-out.o asm/yx86-out.o +$bf_obj = asm/bx86-out.o +$md5_obj = asm/mx86-out.o +$sha1_obj = asm/sx86-out.o +$cast_obj = asm/cx86-out.o +$rc4_obj = asm/rx86-out.o +$rmd160_obj = asm/rm86-out.o +$rc5_obj = asm/r586-out.o +$dso_scheme = win32 +$shared_target= +$shared_cflag = +$shared_ldflag = +$shared_extension = .dll +$ranlib = +$arflags = + *** ncr-scde $cc = cc $cflags = -O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw $unistd = $thread_cflag = (unknown) $sys_id = -$lflags = -lsocket -lnsl +$lflags = -lsocket -lnsl -lc89 $bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT $bn_obj = $des_obj = @@ -3656,7 +3706,7 @@ $cflags = -belf $unistd = $thread_cflag = (unknown) $sys_id = -$lflags = -lsocket -lresolv -lnsl +$lflags = -lsocket -lnsl $bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT $bn_obj = asm/bn86-elf.o asm/co86-elf.o $des_obj = asm/dx86-elf.o asm/yx86-elf.o @@ -3671,7 +3721,7 @@ $dso_scheme = dlfcn $shared_target= svr3-shared $shared_cflag = -Kpic $shared_ldflag = -$shared_extension = +$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = @@ -3681,7 +3731,7 @@ $cflags = -O3 -fomit-frame-pointer $unistd = $thread_cflag = (unknown) $sys_id = -$lflags = -lsocket -lresolv -lnsl +$lflags = -lsocket -lnsl $bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT $bn_obj = asm/bn86-elf.o asm/co86-elf.o $des_obj = asm/dx86-elf.o asm/yx86-elf.o @@ -3696,7 +3746,7 @@ $dso_scheme = dlfcn $shared_target= svr3-shared $shared_cflag = -fPIC $shared_ldflag = -$shared_extension = +$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = diff --git a/apps/CA.pl.in b/apps/CA.pl.in index 8b2ce7ea42..2242f7e03b 100644 --- a/apps/CA.pl.in +++ b/apps/CA.pl.in @@ -37,7 +37,8 @@ # demoCA ... where everything is stored $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; -$DAYS="-days 365"; +$DAYS="-days 365"; # 1 year +$CADAYS="-days 1095"; # 3 years $REQ="openssl req $SSLEAY_CONFIG"; $CA="openssl ca $SSLEAY_CONFIG"; $VERIFY="openssl verify"; @@ -46,6 +47,7 @@ $PKCS12="openssl pkcs12"; $CATOP="./demoCA"; $CAKEY="cakey.pem"; +$CAREQ="careq.pem"; $CACERT="cacert.pem"; $DIRMODE = 0777; @@ -101,8 +103,11 @@ foreach (@ARGV) { $RET=$?; } else { print "Making CA certificate ...\n"; - system ("$REQ -new -x509 -keyout " . - "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS"); + system ("$REQ -new -keyout " . + "${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ"); + system ("$CA -out ${CATOP}/$CACERT $CADAYS -batch " . + "-keyfile ${CATOP}/private/$CAKEY -selfsign " . + "-infiles ${CATOP}/$CAREQ "); $RET=$?; } } diff --git a/apps/CA.sh b/apps/CA.sh index d9f3069fb2..e63a2267ee 100644 --- a/apps/CA.sh +++ b/apps/CA.sh @@ -30,7 +30,8 @@ # default openssl.cnf file has setup as per the following # demoCA ... where everything is stored -DAYS="-days 365" +DAYS="-days 365" # 1 year +CADAYS="-days 1095" # 3 years REQ="openssl req $SSLEAY_CONFIG" CA="openssl ca $SSLEAY_CONFIG" VERIFY="openssl verify" @@ -38,6 +39,7 @@ X509="openssl x509" CATOP=./demoCA CAKEY=./cakey.pem +CAREQ=./careq.pem CACERT=./cacert.pem for i @@ -70,7 +72,7 @@ case $i in mkdir ${CATOP}/crl mkdir ${CATOP}/newcerts mkdir ${CATOP}/private - echo "01" > ${CATOP}/serial + echo "00" > ${CATOP}/serial touch ${CATOP}/index.txt fi if [ ! -f ${CATOP}/private/$CAKEY ]; then @@ -83,8 +85,11 @@ case $i in RET=$? else echo "Making CA certificate ..." - $REQ -new -x509 -keyout ${CATOP}/private/$CAKEY \ - -out ${CATOP}/$CACERT $DAYS + $REQ -new -keyout ${CATOP}/private/$CAKEY \ + -out ${CATOP}/$CAREQ + $CA -out ${CATOP}/$CACERT $CADAYS -batch \ + -keyfile ${CATOP}/private/$CAKEY -selfsign \ + -infiles ${CATOP}/$CAREQ RET=$? fi fi diff --git a/apps/Makefile.ssl b/apps/Makefile.ssl index ab266f19b3..168fb06233 100644 --- a/apps/Makefile.ssl +++ b/apps/Makefile.ssl @@ -10,7 +10,8 @@ CFLAG= -g -static INSTALL_PREFIX= INSTALLTOP= /usr/local/ssl OPENSSLDIR= /usr/local/ssl -MAKE= make -f Makefile.ssl +NEWMAKE= make +MAKE= $(NEWMAKE) -f Makefile.ssl MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl @@ -18,6 +19,7 @@ PERL= perl RM= rm -f # KRB5 stuff KRB5_INCLUDES= +LIBKRB5= PEX_LIBS= EX_LIBS= @@ -86,7 +88,15 @@ all: exe exe: $(PROGRAM) req: sreq.o $(A_OBJ) $(DLIBCRYPTO) - $(CC) -o req $(CFLAG) sreq.o $(A_OBJ) $(RAND_OBJ) $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=req LDFLAGS="$(CFLAG)" \ + OBJECTS="sreq.o $(A_OBJ) $(RAND_OBJ)" \ + LIBDEPS="$(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} sreq.o: req.c $(CC) -c $(INCLUDES) $(CFLAG) -o sreq.o req.c @@ -143,13 +153,25 @@ $(DLIBCRYPTO): $(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) $(RM) $(PROGRAM) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO)" ; \ else \ - $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(PROGRAM) LDFLAGS="$(CFLAG)" \ + OBJECTS="$(PROGRAM).o $(E_OBJ)" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} -(cd ..; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; \ - LIBPATH="`pwd`"; LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; \ + LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \ + DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \ + SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \ + LIBPATH="`pwd`:$$LIBPATH"; \ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \ $(PERL) tools/c_rehash certs) diff --git a/apps/apps.c b/apps/apps.c index 4a8c9263a7..0cdc1ad69b 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -122,7 +122,9 @@ #include <openssl/pkcs12.h> #include <openssl/ui.h> #include <openssl/safestack.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif #ifdef OPENSSL_SYS_WINDOWS #define strcasecmp _stricmp @@ -138,10 +140,6 @@ #include "apps.h" #undef NON_MAIN -#ifdef OPENSSL_SYS_WINDOWS -# include "bss_file.c" -#endif - typedef struct { char *name; unsigned long flag; @@ -859,6 +857,7 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, BIO_printf(err,"no keyfile specified\n"); goto end; } +#ifndef OPENSSL_NO_ENGINE if (format == FORMAT_ENGINE) { if (!e) @@ -868,6 +867,7 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, ui_method, &cb_data); goto end; } +#endif key=BIO_new(BIO_s_file()); if (key == NULL) { @@ -935,6 +935,7 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, BIO_printf(err,"no keyfile specified\n"); goto end; } +#ifndef OPENSSL_NO_ENGINE if (format == FORMAT_ENGINE) { if (!e) @@ -944,6 +945,7 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, ui_method, &cb_data); goto end; } +#endif key=BIO_new(BIO_s_file()); if (key == NULL) { @@ -1329,6 +1331,7 @@ X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath) return NULL; } +#ifndef OPENSSL_NO_ENGINE /* Try to load an engine in a shareable library */ static ENGINE *try_load_engine(BIO *err, const char *engine, int debug) { @@ -1385,6 +1388,7 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug) } return e; } +#endif int load_config(BIO *err, CONF *cnf) { @@ -1418,3 +1422,462 @@ char *make_config_name() return p; } + +static unsigned long index_serial_hash(const char **a) + { + const char *n; + + n=a[DB_serial]; + while (*n == '0') n++; + return(lh_strhash(n)); + } + +static int index_serial_cmp(const char **a, const char **b) + { + const char *aa,*bb; + + for (aa=a[DB_serial]; *aa == '0'; aa++); + for (bb=b[DB_serial]; *bb == '0'; bb++); + return(strcmp(aa,bb)); + } + +static int index_name_qual(char **a) + { return(a[0][0] == 'V'); } + +static unsigned long index_name_hash(const char **a) + { return(lh_strhash(a[DB_name])); } + +int index_name_cmp(const char **a, const char **b) + { return(strcmp(a[DB_name], + b[DB_name])); } + +static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **) +static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **) +static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **) +static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **) + +#undef BSIZE +#define BSIZE 256 + +BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai) + { + BIO *in=NULL; + BIGNUM *ret=NULL; + MS_STATIC char buf[1024]; + ASN1_INTEGER *ai=NULL; + + ai=ASN1_INTEGER_new(); + if (ai == NULL) goto err; + + if ((in=BIO_new(BIO_s_file())) == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + + if (BIO_read_filename(in,serialfile) <= 0) + { + if (!create) + { + perror(serialfile); + goto err; + } + else + { + ASN1_INTEGER_set(ai,1); + ret=BN_new(); + if (ret == NULL) + BIO_printf(bio_err, "Out of memory\n"); + else + BN_one(ret); + } + } + else + { + if (!a2i_ASN1_INTEGER(in,ai,buf,1024)) + { + BIO_printf(bio_err,"unable to load number from %s\n", + serialfile); + goto err; + } + ret=ASN1_INTEGER_to_BN(ai,NULL); + if (ret == NULL) + { + BIO_printf(bio_err,"error converting number from bin to BIGNUM\n"); + goto err; + } + } + + if (ret && retai) + { + *retai = ai; + ai = NULL; + } + err: + if (in != NULL) BIO_free(in); + if (ai != NULL) ASN1_INTEGER_free(ai); + return(ret); + } + +int save_serial(char *serialfile, BIGNUM *serial, ASN1_INTEGER **retai) + { + BIO *out; + int ret=0; + ASN1_INTEGER *ai=NULL; + + out=BIO_new(BIO_s_file()); + if (out == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + if (BIO_write_filename(out,serialfile) <= 0) + { + perror(serialfile); + goto err; + } + + if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL) + { + BIO_printf(bio_err,"error converting serial to ASN.1 format\n"); + goto err; + } + i2a_ASN1_INTEGER(out,ai); + BIO_puts(out,"\n"); + ret=1; + if (retai) + { + *retai = ai; + ai = NULL; + } +err: + if (out != NULL) BIO_free_all(out); + if (ai != NULL) ASN1_INTEGER_free(ai); + return(ret); + } + +CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) + { + CA_DB *retdb = NULL; + TXT_DB *tmpdb = NULL; + BIO *in = BIO_new(BIO_s_file()); + CONF *dbattr_conf = NULL; + char buf[1][BSIZE]; + long errorline= -1; + + if (in == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + if (BIO_read_filename(in,dbfile) <= 0) + { + perror(dbfile); + BIO_printf(bio_err,"unable to open '%s'\n",dbfile); + goto err; + } + if ((tmpdb = TXT_DB_read(in,DB_NUMBER)) == NULL) + { + if (tmpdb != NULL) TXT_DB_free(tmpdb); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile); +#else + BIO_snprintf(buf[0], sizeof buf[0], "%s-attr", dbfile); +#endif + dbattr_conf = NCONF_new(NULL); + if (NCONF_load(dbattr_conf,buf[0],&errorline) <= 0) + { + if (errorline > 0) + { + BIO_printf(bio_err, + "error on line %ld of db attribute file '%s'\n" + ,errorline,buf[0]); + goto err; + } + else + { + NCONF_free(dbattr_conf); + dbattr_conf = NULL; + } + } + + if ((retdb = OPENSSL_malloc(sizeof(CA_DB))) == NULL) + { + fprintf(stderr, "Out of memory\n"); + goto err; + } + + retdb->db = tmpdb; + tmpdb = NULL; + if (db_attr) + retdb->attributes = *db_attr; + else + { + retdb->attributes.unique_subject = 1; + } + + if (dbattr_conf) + { + char *p = NCONF_get_string(dbattr_conf,NULL,"unique_subject"); + if (p) + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG[load_index]: unique_subject = \"%s\"\n", p); +#endif + switch(*p) + { + case 'f': /* false */ + case 'F': /* FALSE */ + case 'n': /* no */ + case 'N': /* NO */ + retdb->attributes.unique_subject = 0; + break; + case 't': /* true */ + case 'T': /* TRUE */ + case 'y': /* yes */ + case 'Y': /* YES */ + default: + retdb->attributes.unique_subject = 1; + break; + } + } + } + + err: + if (dbattr_conf) NCONF_free(dbattr_conf); + if (tmpdb) TXT_DB_free(tmpdb); + if (in) BIO_free_all(in); + return retdb; + } + +int index_index(CA_DB *db) + { + if (!TXT_DB_create_index(db->db, DB_serial, NULL, + LHASH_HASH_FN(index_serial_hash), + LHASH_COMP_FN(index_serial_cmp))) + { + BIO_printf(bio_err, + "error creating serial number index:(%ld,%ld,%ld)\n", + db->db->error,db->db->arg1,db->db->arg2); + return 0; + } + + if (db->attributes.unique_subject + && !TXT_DB_create_index(db->db, DB_name, index_name_qual, + LHASH_HASH_FN(index_name_hash), + LHASH_COMP_FN(index_name_cmp))) + { + BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n", + db->db->error,db->db->arg1,db->db->arg2); + return 0; + } + return 1; + } + +int save_index(char *dbfile, char *suffix, CA_DB *db) + { + char buf[3][BSIZE]; + BIO *out = BIO_new(BIO_s_file()); + int j; + + if (out == NULL) + { + ERR_print_errors(bio_err); + goto err; + } + + j = strlen(dbfile) + strlen(suffix); + if (j + 6 >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile); +#else + j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix); +#else + j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix); +#endif +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]); +#endif + if (BIO_write_filename(out,buf[0]) <= 0) + { + perror(dbfile); + BIO_printf(bio_err,"unable to open '%s'\n", dbfile); + goto err; + } + j=TXT_DB_write(out,db->db); + if (j <= 0) goto err; + + BIO_free(out); + + out = BIO_new(BIO_s_file()); +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]); +#endif + if (BIO_write_filename(out,buf[1]) <= 0) + { + perror(buf[2]); + BIO_printf(bio_err,"unable to open '%s'\n", buf[2]); + goto err; + } + BIO_printf(out,"unique_subject = %s\n", + db->attributes.unique_subject ? "yes" : "no"); + BIO_free(out); + + return 1; + err: + return 0; + } + +int rotate_index(char *dbfile, char *new_suffix, char *old_suffix) + { + char buf[5][BSIZE]; + int i,j; + struct stat sb; + + i = strlen(dbfile) + strlen(old_suffix); + j = strlen(dbfile) + strlen(new_suffix); + if (i > j) j = i; + if (j + 6 >= BSIZE) + { + BIO_printf(bio_err,"file name too long\n"); + goto err; + } + +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile); +#else + j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", + dbfile, new_suffix); +#else + j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", + dbfile, new_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", + dbfile, new_suffix); +#else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", + dbfile, new_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", + dbfile, old_suffix); +#else + j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", + dbfile, old_suffix); +#endif +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", + dbfile, old_suffix); +#else + j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", + dbfile, old_suffix); +#endif + if (stat(dbfile,&sb) < 0) + { + if (errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR) +#endif + goto err; + } + else + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + dbfile, buf[1]); +#endif + if (rename(dbfile,buf[1]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + dbfile, buf[1]); + perror("reason"); + goto err; + } + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[0],dbfile); +#endif + if (rename(buf[0],dbfile) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[0],dbfile); + perror("reason"); + rename(buf[1],dbfile); + goto err; + } + if (stat(buf[4],&sb) < 0) + { + if (errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR) +#endif + goto err; + } + else + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[4],buf[3]); +#endif + if (rename(buf[4],buf[3]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[4], buf[3]); + perror("reason"); + rename(dbfile,buf[0]); + rename(buf[1],dbfile); + goto err; + } + } +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", + buf[2],buf[4]); +#endif + if (rename(buf[2],buf[4]) < 0) + { + BIO_printf(bio_err, + "unable to rename %s to %s\n", + buf[2],buf[4]); + perror("reason"); + rename(buf[3],buf[4]); + rename(dbfile,buf[0]); + rename(buf[1],dbfile); + goto err; + } + return 1; + err: + return 0; + } + +void free_index(CA_DB *db) + { + if (db) + { + if (db->db) TXT_DB_free(db->db); + OPENSSL_free(db); + } + } diff --git a/apps/apps.h b/apps/apps.h index 7b1f8ded78..974eb4f1c9 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -121,7 +121,9 @@ #include <openssl/lhash.h> #include <openssl/conf.h> #include <openssl/txt_db.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif #include <openssl/ossl_typ.h> int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn); @@ -179,30 +181,57 @@ extern BIO *bio_err; do_pipe_sig() # define apps_shutdown() #else -# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ - defined(OPENSSL_SYS_WIN32) -# ifdef _O_BINARY -# define apps_startup() \ - do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ - ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ - ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) +# ifndef OPENSSL_NO_ENGINE +# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ + defined(OPENSSL_SYS_WIN32) +# ifdef _O_BINARY +# define apps_startup() \ + do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ + ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ + ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) +# else +# define apps_startup() \ + do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ + ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ + ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) +# endif # else # define apps_startup() \ - do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ - ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ - ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) + do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ + ERR_load_crypto_strings(); ENGINE_load_builtin_engines(); \ + setup_ui_method(); } while(0) # endif +# define apps_shutdown() \ + do { CONF_modules_unload(1); destroy_ui_method(); \ + EVP_cleanup(); ENGINE_cleanup(); \ + CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ + ERR_free_strings(); } while(0) # else -# define apps_startup() \ - do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ - ERR_load_crypto_strings(); ENGINE_load_builtin_engines(); \ - setup_ui_method(); } while(0) +# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \ + defined(OPENSSL_SYS_WIN32) +# ifdef _O_BINARY +# define apps_startup() \ + do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ + ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ + setup_ui_method(); } while(0) +# else +# define apps_startup() \ + do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \ + ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ + setup_ui_method(); } while(0) +# endif +# else +# define apps_startup() \ + do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \ + ERR_load_crypto_strings(); \ + setup_ui_method(); } while(0) +# endif +# define apps_shutdown() \ + do { CONF_modules_unload(1); destroy_ui_method(); \ + EVP_cleanup(); \ + CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ + ERR_free_strings(); } while(0) # endif -# define apps_shutdown() \ - do { CONF_modules_unload(1); destroy_ui_method(); \ - EVP_cleanup(); ENGINE_cleanup(); \ - CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \ - ERR_free_strings(); } while(0) #endif typedef struct args_st @@ -248,7 +277,9 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, STACK_OF(X509) *load_certs(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip); X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath); +#ifndef OPENSSL_NO_ENGINE ENGINE *setup_engine(BIO *err, const char *engine, int debug); +#endif int load_config(BIO *err, CONF *cnf); char *make_config_name(void); @@ -256,7 +287,37 @@ char *make_config_name(void); /* Functions defined in ca.c and also used in ocsp.c */ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str); -int make_serial_index(TXT_DB *db); + +#define DB_type 0 +#define DB_exp_date 1 +#define DB_rev_date 2 +#define DB_serial 3 /* index - unique */ +#define DB_file 4 +#define DB_name 5 /* index - unique when active and not disabled */ +#define DB_NUMBER 6 + +#define DB_TYPE_REV 'R' +#define DB_TYPE_EXP 'E' +#define DB_TYPE_VAL 'V' + +typedef struct db_attr_st + { + int unique_subject; + } DB_ATTR; +typedef struct ca_db_st + { + DB_ATTR attributes; + TXT_DB *db; + } CA_DB; + +BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai); +int save_serial(char *serialfile, BIGNUM *serial, ASN1_INTEGER **retai); +CA_DB *load_index(char *dbfile, DB_ATTR *dbattr); +int index_index(CA_DB *db); +int save_index(char *dbfile, char *suffix, CA_DB *db); +int rotate_index(char *dbfile, char *new_suffix, char *old_suffix); +void free_index(CA_DB *db); +int index_name_cmp(const char **a, const char **b); X509_NAME *do_subject(char *str, long chtype); @@ -143,18 +143,6 @@ #define ENV_DATABASE "database" -#define DB_type 0 -#define DB_exp_date 1 -#define DB_rev_date 2 -#define DB_serial 3 /* index - unique */ -#define DB_file 4 -#define DB_name 5 /* index - unique for active */ -#define DB_NUMBER 6 - -#define DB_TYPE_REV 'R' -#define DB_TYPE_EXP 'E' -#define DB_TYPE_VAL 'V' - /* Additional revocation information types */ #define REV_NONE 0 /* No addditional information */ @@ -196,7 +184,9 @@ static char *ca_usage[]={ " -extensions .. - Extension section (override value in config file)\n", " -extfile file - Configuration file with X509v3 extentions to add\n", " -crlexts .. - CRL extension section (override value in config file)\n", +#ifndef OPENSSL_NO_ENGINE " -engine e - use engine e, possibly a hardware device.\n", +#endif " -status serial - Shows certificate status given the serial number\n", " -updatedb - Updates db for expired certificates\n", NULL @@ -209,43 +199,36 @@ extern int EF_ALIGNMENT; #endif static void lookup_fail(char *name,char *tag); -static unsigned long index_serial_hash(const char **a); -static int index_serial_cmp(const char **a, const char **b); -static unsigned long index_name_hash(const char **a); -static int index_name_qual(char **a); -static int index_name_cmp(const char **a,const char **b); -static BIGNUM *load_serial(char *serialfile); -static int save_serial(char *serialfile, BIGNUM *serial); static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, - const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db, + const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, - int default_op, int ext_copy); + int default_op, int ext_copy, int selfsign); static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial, char *subj, int email_dn, + CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *conf,int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, ENGINE *e); static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial,char *subj, int email_dn, + CA_DB *db, BIGNUM *serial,char *subj, int email_dn, char *startdate, char *enddate, long days, char *ext_sect, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); static int fix_data(int nid, int *type); static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, - STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, int verbose, X509_REQ *req, char *ext_sect, CONF *conf, unsigned long certopt, unsigned long nameopt, int default_op, - int ext_copy); -static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval); -static int get_certificate_status(const char *ser_status, TXT_DB *db); -static int do_updatedb(TXT_DB *db); + int ext_copy, int selfsign); +static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval); +static int get_certificate_status(const char *ser_status, CA_DB *db); +static int do_updatedb(CA_DB *db); static int check_time_format(char *str); char *make_revocation_str(int rev_type, char *rev_arg); int make_revoked(X509_REVOKED *rev, char *str); @@ -257,11 +240,6 @@ static char *section=NULL; static int preserve=0; static int msie_hack=0; -static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **) -static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **) - int MAIN(int, char **); @@ -314,18 +292,18 @@ int MAIN(int argc, char **argv) unsigned long nameopt = 0, certopt = 0; int default_op = 1; int ext_copy = EXT_COPY_NONE; - X509 *x509=NULL; + int selfsign = 0; + X509 *x509=NULL, *x509p = NULL; X509 *x=NULL; BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL; char *dbfile=NULL; - TXT_DB *db=NULL; + CA_DB *db=NULL; X509_CRL *crl=NULL; X509_REVOKED *r=NULL; ASN1_TIME *tmptm; ASN1_INTEGER *tmpser; char **pp,*p,*f; int i,j; - long l; const EVP_MD *dgst=NULL; STACK_OF(CONF_VALUE) *attribs=NULL; STACK_OF(X509) *cert_sk=NULL; @@ -333,8 +311,11 @@ int MAIN(int argc, char **argv) #define BSIZE 256 MS_STATIC char buf[3][BSIZE]; char *randfile=NULL; +#ifndef OPENSSL_NO_ENGINE char *engine = NULL; +#endif char *tofree=NULL; + DB_ATTR db_attr; #ifdef EFENCE EF_PROTECT_FREE=1; @@ -426,6 +407,8 @@ EF_ALIGNMENT=0; if (--argc < 1) goto bad; certfile= *(++argv); } + else if (strcmp(*argv,"-selfsign") == 0) + selfsign=1; else if (strcmp(*argv,"-in") == 0) { if (--argc < 1) goto bad; @@ -537,11 +520,13 @@ EF_ALIGNMENT=0; rev_arg = *(++argv); rev_type = REV_CA_COMPROMISE; } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else { bad: @@ -562,7 +547,9 @@ bad: ERR_load_crypto_strings(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif /*****************************************************************/ tofree=NULL; @@ -651,6 +638,39 @@ bad: if (randfile == NULL) ERR_clear_error(); app_RAND_load_file(randfile, bio_err, 0); + + db_attr.unique_subject = 1; + p = NCONF_get_string(conf, section, "unique_subject"); + if (p) + { +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p); +#endif + switch(*p) + { + case 'f': /* false */ + case 'F': /* FALSE */ + case 'n': /* no */ + case 'N': /* NO */ + db_attr.unique_subject = 0; + break; + case 't': /* true */ + case 'T': /* TRUE */ + case 'y': /* yes */ + case 'Y': /* YES */ + default: + db_attr.unique_subject = 1; + break; + } + } +#ifdef RL_DEBUG + else + BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p); +#endif +#ifdef RL_DEBUG + BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n", + db_attr.unique_subject); +#endif in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); @@ -671,17 +691,10 @@ bad: lookup_fail(section,ENV_DATABASE); goto err; } - if (BIO_read_filename(in,dbfile) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - db=TXT_DB_read(in,DB_NUMBER); + db = load_index(dbfile,&db_attr); if (db == NULL) goto err; - if (!make_serial_index(db)) - goto err; + if (!index_index(db)) goto err; if (get_certificate_status(ser_status,db) != 1) BIO_printf(bio_err,"Error verifying serial %s!\n", @@ -690,7 +703,7 @@ bad: } /*****************************************************************/ - /* we definitely need a public key, so let's get it */ + /* we definitely need a private key, so let's get it */ if ((keyfile == NULL) && ((keyfile=NCONF_get_string(conf, section,ENV_PRIVATE_KEY)) == NULL)) @@ -718,22 +731,27 @@ bad: /*****************************************************************/ /* we need a certificate */ - if ((certfile == NULL) && ((certfile=NCONF_get_string(conf, - section,ENV_CERTIFICATE)) == NULL)) + if (!selfsign || spkac_file || ss_cert_file || gencrl) { - lookup_fail(section,ENV_CERTIFICATE); - goto err; - } - x509=load_cert(bio_err, certfile, FORMAT_PEM, NULL, e, - "CA certificate"); - if (x509 == NULL) - goto err; + if ((certfile == NULL) + && ((certfile=NCONF_get_string(conf, + section,ENV_CERTIFICATE)) == NULL)) + { + lookup_fail(section,ENV_CERTIFICATE); + goto err; + } + x509=load_cert(bio_err, certfile, FORMAT_PEM, NULL, e, + "CA certificate"); + if (x509 == NULL) + goto err; - if (!X509_check_private_key(x509,pkey)) - { - BIO_printf(bio_err,"CA certificate and CA private key do not match\n"); - goto err; + if (!X509_check_private_key(x509,pkey)) + { + BIO_printf(bio_err,"CA certificate and CA private key do not match\n"); + goto err; + } } + if (!selfsign) x509p = x509; f=NCONF_get_string(conf,BASE_SECTION,ENV_PRESERVE); if (f == NULL) @@ -841,19 +859,13 @@ bad: lookup_fail(section,ENV_DATABASE); goto err; } - if (BIO_read_filename(in,dbfile) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - db=TXT_DB_read(in,DB_NUMBER); + db = load_index(dbfile, &db_attr); if (db == NULL) goto err; /* Lets check some fields */ - for (i=0; i<sk_num(db->data); i++) + for (i=0; i<sk_num(db->db->data); i++) { - pp=(char **)sk_value(db->data,i); + pp=(char **)sk_value(db->db->data,i); if ((pp[DB_type][0] != DB_TYPE_REV) && (pp[DB_rev_date][0] != '\0')) { @@ -904,23 +916,13 @@ bad: out = BIO_push(tmpbio, out); } #endif - TXT_DB_write(out,db); + TXT_DB_write(out,db->db); BIO_printf(bio_err,"%d entries loaded from the database\n", - db->data->num); + db->db->data->num); BIO_printf(bio_err,"generating index\n"); } - if (!make_serial_index(db)) - goto err; - - if (!TXT_DB_create_index(db, DB_name, index_name_qual, - LHASH_HASH_FN(index_name_hash), - LHASH_COMP_FN(index_name_cmp))) - { - BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n", - db->error,db->arg1,db->arg2); - goto err; - } + if (!index_index(db)) goto err; /*****************************************************************/ /* Update the db file for expired certificates */ @@ -943,62 +945,9 @@ bad: } else { - out = BIO_new(BIO_s_file()); - if (out == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - -#ifndef OPENSSL_SYS_VMS - j = BIO_snprintf(buf[0], sizeof buf[0], "%s.new", dbfile); -#else - j = BIO_snprintf(buf[0], sizeof buf[0], "%s-new", dbfile); -#endif - if (j < 0 || j >= sizeof buf[0]) - { - BIO_printf(bio_err, "file name too long\n"); - goto err; - } - if (BIO_write_filename(out,buf[0]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n", - dbfile); - goto err; - } - j=TXT_DB_write(out,db); - if (j <= 0) goto err; - - BIO_free(out); - out = NULL; -#ifndef OPENSSL_SYS_VMS - j = BIO_snprintf(buf[1], sizeof buf[1], "%s.old", dbfile); -#else - j = BIO_snprintf(buf[1], sizeof buf[1], "%s-old", dbfile); -#endif - if (j < 0 || j >= sizeof buf[1]) - { - BIO_printf(bio_err, "file name too long\n"); - goto err; - } - if (rename(dbfile,buf[1]) < 0) - { - BIO_printf(bio_err, - "unable to rename %s to %s\n", - dbfile, buf[1]); - perror("reason"); - goto err; - } - if (rename(buf[0],dbfile) < 0) - { - BIO_printf(bio_err, - "unable to rename %s to %s\n", - buf[0],dbfile); - perror("reason"); - rename(buf[1],dbfile); - goto err; - } + if (!save_index(dbfile,"new",db)) goto err; + + if (!rotate_index(dbfile,"new","old")) goto err; if (verbose) BIO_printf(bio_err, "Done. %d entries marked as expired\n",i); @@ -1159,7 +1108,7 @@ bad: goto err; } - if ((serial=load_serial(serialfile)) == NULL) + if ((serial=load_serial(serialfile, 0, NULL)) == NULL) { BIO_printf(bio_err,"error while loading serial number\n"); goto err; @@ -1234,10 +1183,10 @@ bad: if (infile != NULL) { total++; - j=certify(&x,infile,pkey,x509,dgst,attribs,db, + j=certify(&x,infile,pkey,x509p,dgst,attribs,db, serial,subj,email_dn,startdate,enddate,days,batch, extensions,conf,verbose, certopt, nameopt, - default_op, ext_copy); + default_op, ext_copy, selfsign); if (j < 0) goto err; if (j > 0) { @@ -1254,10 +1203,10 @@ bad: for (i=0; i<argc; i++) { total++; - j=certify(&x,argv[i],pkey,x509,dgst,attribs,db, + j=certify(&x,argv[i],pkey,x509p,dgst,attribs,db, serial,subj,email_dn,startdate,enddate,days,batch, extensions,conf,verbose, certopt, nameopt, - default_op, ext_copy); + default_op, ext_copy, selfsign); if (j < 0) goto err; if (j > 0) { @@ -1307,24 +1256,9 @@ bad: strcat(buf[0],".new"); #endif - if (!save_serial(buf[0],serial)) goto err; - - strcpy(buf[1],dbfile); - -#ifdef OPENSSL_SYS_VMS - strcat(buf[1],"-new"); -#else - strcat(buf[1],".new"); -#endif + if (!save_serial(buf[0],serial,NULL)) goto err; - if (BIO_write_filename(out,buf[1]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - l=TXT_DB_write(out,db); - if (l <= 0) goto err; + if (!save_index(dbfile, "new", db)) goto err; } if (verbose) @@ -1411,30 +1345,8 @@ bad: goto err; } - strncpy(buf[2],dbfile,BSIZE-4); - buf[2][BSIZE-4]='\0'; + if (!rotate_index(dbfile,"new","old")) goto err; -#ifdef OPENSSL_SYS_VMS - strcat(buf[2],"-old"); -#else - strcat(buf[2],".old"); -#endif - - if (rename(dbfile,buf[2]) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - dbfile,buf[2]); - perror("reason"); - goto err; - } - if (rename(buf[1],dbfile) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", - buf[1],dbfile); - perror("reason"); - rename(buf[2],dbfile); - goto err; - } BIO_printf(bio_err,"Data Base Updated\n"); } } @@ -1493,9 +1405,9 @@ bad: ASN1_TIME_free(tmptm); - for (i=0; i<sk_num(db->data); i++) + for (i=0; i<sk_num(db->db->data); i++) { - pp=(char **)sk_value(db->data,i); + pp=(char **)sk_value(db->db->data,i); if (pp[DB_type][0] == DB_TYPE_REV) { if ((r=X509_REVOKED_new()) == NULL) goto err; @@ -1584,50 +1496,10 @@ bad: if (j <= 0) goto err; X509_free(revcert); - if(strlen(dbfile) > BSIZE-5) - { - BIO_printf(bio_err,"filename too long\n"); - goto err; - } + if (!save_index(dbfile, "new", db)) goto err; + + if (!rotate_index(dbfile, "new", "old")) goto err; - strcpy(buf[0],dbfile); -#ifndef OPENSSL_SYS_VMS - strcat(buf[0],".new"); -#else - strcat(buf[0],"-new"); -#endif - if (BIO_write_filename(out,buf[0]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - j=TXT_DB_write(out,db); - if (j <= 0) goto err; - strncpy(buf[1],dbfile,BSIZE-4); - buf[1][BSIZE-4]='\0'; -#ifndef OPENSSL_SYS_VMS - strcat(buf[1],".old"); -#else - strcat(buf[1],"-old"); -#endif - BIO_free(in); - in = NULL; - BIO_free(out); - out = NULL; - if (rename(dbfile,buf[1]) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]); - perror("reason"); - goto err; - } - if (rename(buf[0],dbfile) < 0) - { - BIO_printf(bio_err,"unable to rename %s to %s\n", buf[0],dbfile); - perror("reason"); - rename(buf[1],dbfile); - goto err; - } BIO_printf(bio_err,"Data Base Updated\n"); } } @@ -1641,16 +1513,17 @@ err: BIO_free_all(out); BIO_free_all(in); - sk_X509_pop_free(cert_sk,X509_free); + if (cert_sk) + sk_X509_pop_free(cert_sk,X509_free); if (ret) ERR_print_errors(bio_err); app_RAND_write_file(randfile, bio_err); if (free_key && key) OPENSSL_free(key); BN_free(serial); - TXT_DB_free(db); + free_index(db); EVP_PKEY_free(pkey); - X509_free(x509); + if (x509) X509_free(x509); X509_CRL_free(crl); NCONF_free(conf); OBJ_cleanup(); @@ -1663,110 +1536,12 @@ static void lookup_fail(char *name, char *tag) BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag); } -static unsigned long index_serial_hash(const char **a) - { - const char *n; - - n=a[DB_serial]; - while (*n == '0') n++; - return(lh_strhash(n)); - } - -static int index_serial_cmp(const char **a, const char **b) - { - const char *aa,*bb; - - for (aa=a[DB_serial]; *aa == '0'; aa++); - for (bb=b[DB_serial]; *bb == '0'; bb++); - return(strcmp(aa,bb)); - } - -static unsigned long index_name_hash(const char **a) - { return(lh_strhash(a[DB_name])); } - -static int index_name_qual(char **a) - { return(a[0][0] == 'V'); } - -static int index_name_cmp(const char **a, const char **b) - { return(strcmp(a[DB_name], - b[DB_name])); } - -static BIGNUM *load_serial(char *serialfile) - { - BIO *in=NULL; - BIGNUM *ret=NULL; - MS_STATIC char buf[1024]; - ASN1_INTEGER *ai=NULL; - - if ((in=BIO_new(BIO_s_file())) == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - - if (BIO_read_filename(in,serialfile) <= 0) - { - perror(serialfile); - goto err; - } - ai=ASN1_INTEGER_new(); - if (ai == NULL) goto err; - if (!a2i_ASN1_INTEGER(in,ai,buf,1024)) - { - BIO_printf(bio_err,"unable to load number from %s\n", - serialfile); - goto err; - } - ret=ASN1_INTEGER_to_BN(ai,NULL); - if (ret == NULL) - { - BIO_printf(bio_err,"error converting number from bin to BIGNUM\n"); - goto err; - } -err: - if (in != NULL) BIO_free(in); - if (ai != NULL) ASN1_INTEGER_free(ai); - return(ret); - } - -static int save_serial(char *serialfile, BIGNUM *serial) - { - BIO *out; - int ret=0; - ASN1_INTEGER *ai=NULL; - - out=BIO_new(BIO_s_file()); - if (out == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - if (BIO_write_filename(out,serialfile) <= 0) - { - perror(serialfile); - goto err; - } - - if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL) - { - BIO_printf(bio_err,"error converting serial to ASN.1 format\n"); - goto err; - } - i2a_ASN1_INTEGER(out,ai); - BIO_puts(out,"\n"); - ret=1; -err: - if (out != NULL) BIO_free_all(out); - if (ai != NULL) ASN1_INTEGER_free(ai); - return(ret); - } - static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, + const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, - int ext_copy) + int ext_copy, int selfsign) { X509_REQ *req=NULL; BIO *in=NULL; @@ -1791,6 +1566,12 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, BIO_printf(bio_err,"Check that the request matches the signature\n"); + if (selfsign && !X509_REQ_check_private_key(req,pkey)) + { + BIO_printf(bio_err,"Certificate request and CA private key do not match\n"); + ok=0; + goto err; + } if ((pktmp=X509_REQ_get_pubkey(req)) == NULL) { BIO_printf(bio_err,"error unpacking public key\n"); @@ -1815,7 +1596,7 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj, email_dn, startdate,enddate,days,batch,verbose,req,ext_sect,lconf, - certopt, nameopt, default_op, ext_copy); + certopt, nameopt, default_op, ext_copy, selfsign); err: if (req != NULL) X509_REQ_free(req); @@ -1824,7 +1605,7 @@ err: } static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, + const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, @@ -1869,7 +1650,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate, days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op, - ext_copy); + ext_copy, 0); err: if (rreq != NULL) X509_REQ_free(rreq); @@ -1878,11 +1659,11 @@ err: } static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, - STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, int batch, int verbose, X509_REQ *req, char *ext_sect, CONF *lconf, unsigned long certopt, unsigned long nameopt, int default_op, - int ext_copy) + int ext_copy, int selfsign) { X509_NAME *name=NULL,*CAname=NULL,*subject=NULL, *dn_subject=NULL; ASN1_UTCTIME *tm,*tmptm; @@ -1896,7 +1677,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, int ok= -1,i,j,last,nid; char *p; CONF_VALUE *cv; - char *row[DB_NUMBER],**rrow,**irow=NULL; + char *row[DB_NUMBER],**rrow=NULL,**irow=NULL; char buf[25]; tmptm=ASN1_UTCTIME_new(); @@ -1986,7 +1767,10 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, } /* take a copy of the issuer name before we mess with it. */ - CAname=X509_NAME_dup(x509->cert_info->subject); + if (selfsign) + CAname=X509_NAME_dup(name); + else + CAname=X509_NAME_dup(x509->cert_info->subject); if (CAname == NULL) goto err; str=str2=NULL; @@ -2133,15 +1917,19 @@ again2: goto err; } - rrow=TXT_DB_get_by_index(db,DB_name,row); - if (rrow != NULL) + if (db->attributes.unique_subject) { - BIO_printf(bio_err,"ERROR:There is already a certificate for %s\n", - row[DB_name]); + rrow=TXT_DB_get_by_index(db->db,DB_name,row); + if (rrow != NULL) + { + BIO_printf(bio_err, + "ERROR:There is already a certificate for %s\n", + row[DB_name]); + } } - else + if (rrow == NULL) { - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); if (rrow != NULL) { BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n", @@ -2189,13 +1977,21 @@ again2: #ifdef X509_V3 /* Make it an X509 v3 certificate. */ - if (!X509_set_version(x509,2)) goto err; + if (!X509_set_version(ret,2)) goto err; #endif if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL) goto err; - if (!X509_set_issuer_name(ret,X509_get_subject_name(x509))) - goto err; + if (selfsign) + { + if (!X509_set_issuer_name(ret,subject)) + goto err; + } + else + { + if (!X509_set_issuer_name(ret,X509_get_subject_name(x509))) + goto err; + } if (strcmp(startdate,"today") == 0) X509_gmtime_adj(X509_get_notBefore(ret),0); @@ -2230,7 +2026,10 @@ again2: ci->extensions = NULL; /* Initialize the context structure */ - X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0); + if (selfsign) + X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0); + else + X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0); if (extconf) { @@ -2297,7 +2096,7 @@ again2: BIO_printf(bio_err,"Certificate is to be certified until "); ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret)); - if (days) BIO_printf(bio_err," (%d days)",days); + if (days) BIO_printf(bio_err," (%ld days)",days); BIO_printf(bio_err, "\n"); if (!batch) @@ -2375,10 +2174,10 @@ again2: } irow[DB_NUMBER]=NULL; - if (!TXT_DB_insert(db,irow)) + if (!TXT_DB_insert(db->db,irow)) { BIO_printf(bio_err,"failed to update database\n"); - BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error); + BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error); goto err; } ok=1; @@ -2429,7 +2228,7 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) } static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, + const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy) @@ -2573,7 +2372,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, EVP_PKEY_free(pktmp); ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate, days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op, - ext_copy); + ext_copy, 0); err: if (req != NULL) X509_REQ_free(req); if (parms != NULL) CONF_free(parms); @@ -2608,7 +2407,7 @@ static int check_time_format(char *str) return(ASN1_UTCTIME_check(&tm)); } -static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) +static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) { ASN1_UTCTIME *tm=NULL; char *row[DB_NUMBER],**rrow,**irow; @@ -2633,10 +2432,10 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) /* We have to lookup by serial number because name lookup * skips revoked certs */ - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); if (rrow == NULL) { - BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]); + BIO_printf(bio_err,"Adding Entry with serial number %s to DB for %s\n", row[DB_serial], row[DB_name]); /* We now just add it to the database */ row[DB_type]=(char *)OPENSSL_malloc(2); @@ -2676,10 +2475,10 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) } irow[DB_NUMBER]=NULL; - if (!TXT_DB_insert(db,irow)) + if (!TXT_DB_insert(db->db,irow)) { BIO_printf(bio_err,"failed to update database\n"); - BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error); + BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error); goto err; } @@ -2724,7 +2523,7 @@ err: return(ok); } -static int get_certificate_status(const char *serial, TXT_DB *db) +static int get_certificate_status(const char *serial, CA_DB *db) { char *row[DB_NUMBER],**rrow; int ok=-1,i; @@ -2765,7 +2564,7 @@ static int get_certificate_status(const char *serial, TXT_DB *db) ok=1; /* Search for the certificate */ - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); if (rrow == NULL) { BIO_printf(bio_err,"Serial %s not present in db.\n", @@ -2812,7 +2611,7 @@ err: return(ok); } -static int do_updatedb (TXT_DB *db) +static int do_updatedb (CA_DB *db) { ASN1_UTCTIME *a_tm = NULL; int i, cnt = 0; @@ -2838,9 +2637,9 @@ static int do_updatedb (TXT_DB *db) else a_y2k = 0; - for (i = 0; i < sk_num(db->data); i++) + for (i = 0; i < sk_num(db->db->data); i++) { - rrow = (char **) sk_value(db->data, i); + rrow = (char **) sk_value(db->db->data, i); if (rrow[DB_type][0] == 'V') { @@ -3328,16 +3127,3 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_G return ret; } -int make_serial_index(TXT_DB *db) - { - if (!TXT_DB_create_index(db, DB_serial, NULL, - LHASH_HASH_FN(index_serial_hash), - LHASH_COMP_FN(index_serial_cmp))) - { - BIO_printf(bio_err, - "error creating serial number index:(%ld,%ld,%ld)\n", - db->error,db->arg1,db->arg2); - return 0; - } - return 1; - } diff --git a/apps/crl.c b/apps/crl.c index c6089ace52..81d66587c1 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -81,6 +81,7 @@ static char *crl_usage[]={ " -in arg - input file - default stdin\n", " -out arg - output file - default stdout\n", " -hash - print hash value\n", +" -fingerprint - print the crl fingerprint\n", " -issuer - print issuer DN\n", " -lastupdate - lastUpdate field\n", " -nextupdate - nextUpdate field\n", diff --git a/apps/dgst.c b/apps/dgst.c index 280f79b4a2..47d1309b14 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -100,7 +100,9 @@ int MAIN(int argc, char **argv) EVP_PKEY *sigkey = NULL; unsigned char *sigbuf = NULL; int siglen = 0; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif apps_startup(); @@ -166,11 +168,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) break; keyform=str2fmt(*(++argv)); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) break; engine= *(++argv); } +#endif else if (strcmp(*argv,"-hex") == 0) out_bin = 0; else if (strcmp(*argv,"-binary") == 0) @@ -208,7 +212,9 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err,"-keyform arg key file format (PEM or ENGINE)\n"); BIO_printf(bio_err,"-signature file signature to verify\n"); BIO_printf(bio_err,"-binary output in binary form\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err,"-%3s to use the %s message digest algorithm (default)\n", LN_md5,LN_md5); @@ -228,7 +234,9 @@ int MAIN(int argc, char **argv) goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif in=BIO_new(BIO_s_file()); bmd=BIO_new(BIO_f_md()); @@ -87,12 +87,17 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif DH *dh=NULL; int i,badops=0,text=0; BIO *in=NULL,*out=NULL; int informat,outformat,check=0,noout=0,C=0,ret=1; - char *infile,*outfile,*prog,*engine; + char *infile,*outfile,*prog; +#ifndef OPENSSL_NO_ENGINE + char *engine; +#endif apps_startup(); @@ -103,7 +108,9 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; +#ifndef OPENSSL_NO_ENGINE engine=NULL; +#endif infile=NULL; outfile=NULL; informat=FORMAT_PEM; @@ -134,11 +141,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; outfile= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-check") == 0) check=1; else if (strcmp(*argv,"-text") == 0) @@ -170,13 +179,17 @@ bad: BIO_printf(bio_err," -text print a text form of the DH parameters\n"); BIO_printf(bio_err," -C Output C code\n"); BIO_printf(bio_err," -noout no output\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif goto end; } ERR_load_crypto_strings(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); diff --git a/apps/dhparam.c b/apps/dhparam.c index cbc65bcc5f..dc00355b95 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -148,7 +148,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif DH *dh=NULL; int i,badops=0,text=0; #ifndef OPENSSL_NO_DSA @@ -157,7 +159,10 @@ int MAIN(int argc, char **argv) BIO *in=NULL,*out=NULL; int informat,outformat,check=0,noout=0,C=0,ret=1; char *infile,*outfile,*prog; - char *inrand=NULL,*engine=NULL; + char *inrand=NULL; +#ifndef OPENSSL_NO_ENGINE + char *engine=NULL; +#endif int num = 0, g = 0; apps_startup(); @@ -199,11 +204,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; outfile= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-check") == 0) check=1; else if (strcmp(*argv,"-text") == 0) @@ -249,7 +256,9 @@ bad: BIO_printf(bio_err," -2 generate parameters using 2 as the generator value\n"); BIO_printf(bio_err," -5 generate parameters using 5 as the generator value\n"); BIO_printf(bio_err," numbits number of bits in to generate (default 512)\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err," - load the file (or the files in the directory) into\n"); BIO_printf(bio_err," the random number generator\n"); @@ -259,7 +268,9 @@ bad: ERR_load_crypto_strings(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if (g && !num) num = DEFBITS; diff --git a/apps/dsa.c b/apps/dsa.c index 65988717bb..e9de3a3bdf 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -90,7 +90,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif int ret=1; DSA *dsa=NULL; int i,badops=0; @@ -98,7 +100,10 @@ int MAIN(int argc, char **argv) BIO *in=NULL,*out=NULL; int informat,outformat,text=0,noout=0; int pubin = 0, pubout = 0; - char *infile,*outfile,*prog,*engine; + char *infile,*outfile,*prog; +#ifndef OPENSSL_NO_ENGINE + char *engine; +#endif char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; int modulus=0; @@ -112,7 +117,9 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; +#ifndef OPENSSL_NO_ENGINE engine=NULL; +#endif infile=NULL; outfile=NULL; informat=FORMAT_PEM; @@ -153,11 +160,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; passargout= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-noout") == 0) noout=1; else if (strcmp(*argv,"-text") == 0) @@ -189,7 +198,9 @@ bad: BIO_printf(bio_err," -passin arg input file pass phrase source\n"); BIO_printf(bio_err," -out arg output file\n"); BIO_printf(bio_err," -passout arg output file pass phrase source\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err," -des encrypt PEM output with cbc des\n"); BIO_printf(bio_err," -des3 encrypt PEM output with ede cbc des using 168 bit key\n"); #ifndef OPENSSL_NO_IDEA @@ -207,7 +218,9 @@ bad: ERR_load_crypto_strings(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); diff --git a/apps/dsaparam.c b/apps/dsaparam.c index b6abe785ab..14e79f9a21 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -110,7 +110,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif DSA *dsa=NULL; int i,badops=0,text=0; BIO *in=NULL,*out=NULL; @@ -118,7 +120,9 @@ int MAIN(int argc, char **argv) char *infile,*outfile,*prog,*inrand=NULL; int numbits= -1,num,genkey=0; int need_rand=0; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif #ifdef GENCB_TEST int timebomb=0; #endif @@ -162,11 +166,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; outfile= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if(strcmp(*argv, "-engine") == 0) { if (--argc < 1) goto bad; engine = *(++argv); } +#endif #ifdef GENCB_TEST else if(strcmp(*argv, "-timebomb") == 0) { @@ -221,7 +227,9 @@ bad: BIO_printf(bio_err," -noout no output\n"); BIO_printf(bio_err," -genkey generate a DSA key\n"); BIO_printf(bio_err," -rand files to use for random number input\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif #ifdef GENCB_TEST BIO_printf(bio_err," -timebomb n interrupt keygen after <n> seconds\n"); #endif @@ -268,7 +276,9 @@ bad: } } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if (need_rand) { diff --git a/apps/enc.c b/apps/enc.c index 308d5be825..7117a9c4ec 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -100,7 +100,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif static const char magic[]="Salted__"; char mbuf[sizeof magic-1]; char *strbuf=NULL; @@ -119,7 +121,9 @@ int MAIN(int argc, char **argv) BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL; #define PROG_NAME_SIZE 39 char pname[PROG_NAME_SIZE+1]; +#ifndef OPENSSL_NO_ENGINE char *engine = NULL; +#endif apps_startup(); @@ -163,11 +167,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; passarg= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-d") == 0) enc=0; else if (strcmp(*argv,"-p") == 0) @@ -270,7 +276,9 @@ bad: BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv"); BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]"); BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"%-14s use engine e, possibly a hardware device.\n","-engine e"); +#endif BIO_printf(bio_err,"Cipher Types\n"); OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, @@ -284,7 +292,9 @@ bad: argv++; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if (bufsize != NULL) { diff --git a/apps/engine.c b/apps/engine.c index b718ae124c..feee965325 100644 --- a/apps/engine.c +++ b/apps/engine.c @@ -56,6 +56,8 @@ * */ +#ifndef OPENSSL_NO_ENGINE + #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -77,7 +79,8 @@ static char *engine_usage[]={ " -vvv will also add the input flags for each command\n", " -vvvv will also show internal input flags\n", " -c - for each engine, also list the capabilities\n", -" -t - for each engine, check that they are really available\n", +" -t[t] - for each engine, check that they are really available\n", +" -tt will display error trace for unavailable engines\n", " -pre <cmd> - runs command 'cmd' against the ENGINE before any attempts\n", " to load it (if -t is used)\n", " -post <cmd> - runs command 'cmd' against the ENGINE after loading it\n", @@ -342,7 +345,7 @@ int MAIN(int argc, char **argv) { int ret=1,i; char **pp; - int verbose=0, list_cap=0, test_avail=0; + int verbose=0, list_cap=0, test_avail=0, test_avail_noise = 0; ENGINE *e; STACK *engines = sk_new_null(); STACK *pre_cmds = sk_new_null(); @@ -380,8 +383,14 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-c") == 0) list_cap=1; - else if (strcmp(*argv,"-t") == 0) + else if (strncmp(*argv,"-t",2) == 0) + { test_avail=1; + if(strspn(*argv + 1, "t") < strlen(*argv + 1)) + goto skip_arg_loop; + if((test_avail_noise = strlen(*argv + 1) - 1) > 1) + goto skip_arg_loop; + } else if (strcmp(*argv,"-pre") == 0) { argc--; argv++; @@ -496,7 +505,8 @@ skip_digests: else { BIO_printf(bio_out, "[ unavailable ]\n"); - ERR_print_errors_fp(stdout); + if(test_avail_noise) + ERR_print_errors_fp(stdout); ERR_clear_error(); } } @@ -510,6 +520,7 @@ skip_digests: ret=0; end: + ERR_print_errors(bio_err); sk_pop_free(engines, identity); sk_pop_free(pre_cmds, identity); @@ -518,3 +529,10 @@ end: apps_shutdown(); OPENSSL_EXIT(ret); } +#else + +# if PEDANTIC +static void *dummy=&dummy; +# endif + +#endif diff --git a/apps/gendh.c b/apps/gendh.c index 574a13a57a..b90087493a 100644 --- a/apps/gendh.c +++ b/apps/gendh.c @@ -87,13 +87,17 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif DH *dh=NULL; int ret=1,num=DEFBITS; int g=2; char *outfile=NULL; char *inrand=NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif BIO *out=NULL; apps_startup(); @@ -121,11 +125,13 @@ int MAIN(int argc, char **argv) g=3; */ else if (strcmp(*argv,"-5") == 0) g=5; +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) goto bad; @@ -144,14 +150,18 @@ bad: BIO_printf(bio_err," -2 - use 2 as the generator value\n"); /* BIO_printf(bio_err," -3 - use 3 as the generator value\n"); */ BIO_printf(bio_err," -5 - use 5 as the generator value\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err," - load the file (or the files in the directory) into\n"); BIO_printf(bio_err," the random number generator\n"); goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif out=BIO_new(BIO_s_file()); if (out == NULL) diff --git a/apps/gendsa.c b/apps/gendsa.c index 4600711c36..6d2ed06c81 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -77,7 +77,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif DSA *dsa=NULL; int ret=1; char *outfile=NULL; @@ -85,7 +87,9 @@ int MAIN(int argc, char **argv) char *passargout = NULL, *passout = NULL; BIO *out=NULL,*in=NULL; const EVP_CIPHER *enc=NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif apps_startup(); @@ -111,11 +115,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; passargout= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) goto bad; @@ -167,7 +173,9 @@ bad: BIO_printf(bio_err," -aes128, -aes192, -aes256\n"); BIO_printf(bio_err," encrypt PEM output with cbc aes\n"); #endif +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err," - load the file (or the files in the directory) into\n"); BIO_printf(bio_err," the random number generator\n"); @@ -176,7 +184,9 @@ bad: goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) { BIO_printf(bio_err, "Error getting password\n"); diff --git a/apps/genrsa.c b/apps/genrsa.c index 6079688ce9..0ce23946ef 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -87,7 +87,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif int ret=1; RSA *rsa=NULL; int i,num=DEFBITS; @@ -96,7 +98,9 @@ int MAIN(int argc, char **argv) unsigned long f4=RSA_F4; char *outfile=NULL; char *passargout = NULL, *passout = NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif char *inrand=NULL; BIO *out=NULL; @@ -128,11 +132,13 @@ int MAIN(int argc, char **argv) f4=3; else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0) f4=RSA_F4; +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) goto bad; @@ -183,7 +189,9 @@ bad: BIO_printf(bio_err," -passout arg output file pass phrase source\n"); BIO_printf(bio_err," -f4 use F4 (0x10001) for the E value\n"); BIO_printf(bio_err," -3 use 3 for the E value\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err," load the file (or the files in the directory) into\n"); BIO_printf(bio_err," the random number generator\n"); @@ -197,7 +205,9 @@ bad: goto err; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if (outfile == NULL) { diff --git a/apps/ocsp.c b/apps/ocsp.c index 92922bc8ad..0cf4aad3f8 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -55,6 +55,7 @@ * Hudson (tjh@cryptsoft.com). * */ +#ifndef OPENSSL_NO_OCSP #include <stdio.h> #include <string.h> @@ -67,19 +68,6 @@ /* Maximum leeway in validity period: default 5 minutes */ #define MAX_VALIDITY_PERIOD (5 * 60) -/* CA index.txt definitions */ -#define DB_type 0 -#define DB_exp_date 1 -#define DB_rev_date 2 -#define DB_serial 3 /* index - unique */ -#define DB_file 4 -#define DB_name 5 /* index - unique for active */ -#define DB_NUMBER 6 - -#define DB_TYPE_REV 'R' -#define DB_TYPE_EXP 'E' -#define DB_TYPE_VAL 'V' - static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, @@ -88,12 +76,12 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, STACK *names, STACK_OF(OCSP_CERTID) *ids, long nsec, long maxage); -static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db, +static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother, unsigned long flags, int nmin, int ndays); -static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser); +static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); static BIO *init_responder(char *port); static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); @@ -141,7 +129,7 @@ int MAIN(int argc, char **argv) X509 *rca_cert = NULL; char *ridx_filename = NULL; char *rca_filename = NULL; - TXT_DB *rdb = NULL; + CA_DB *rdb = NULL; int nmin = 0, ndays = -1; if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); @@ -523,7 +511,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-serial n serial number to check\n"); BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n"); BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n"); - BIO_printf (bio_err, "-sign_certs file additional certificates to include in signed request\n"); + BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n"); BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n"); BIO_printf (bio_err, "-req_text print text form of request\n"); BIO_printf (bio_err, "-resp_text print text form of response\n"); @@ -543,10 +531,10 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); BIO_printf (bio_err, "-noverify don't verify response at all\n"); - BIO_printf (bio_err, "-verify_certs file additional certificates to search for signer\n"); + BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n"); BIO_printf (bio_err, "-trust_other don't verify additional certificates\n"); BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n"); - BIO_printf (bio_err, "-no_sig_verify don't check signature on response\n"); + BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n"); BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n"); BIO_printf (bio_err, "-no_chain don't chain verify response\n"); BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n"); @@ -696,22 +684,9 @@ int MAIN(int argc, char **argv) if (ridx_filename && !rdb) { - BIO *db_bio = NULL; - db_bio = BIO_new_file(ridx_filename, "r"); - if (!db_bio) - { - BIO_printf(bio_err, "Error opening index file %s\n", ridx_filename); - goto end; - } - rdb = TXT_DB_read(db_bio, DB_NUMBER); - BIO_free(db_bio); - if (!rdb) - { - BIO_printf(bio_err, "Error reading index file %s\n", ridx_filename); - goto end; - } - if (!make_serial_index(rdb)) - goto end; + rdb = load_index(ridx_filename, NULL); + if (!rdb) goto end; + if (!index_index(rdb)) goto end; } if (rdb) @@ -722,7 +697,12 @@ int MAIN(int argc, char **argv) } else if (host) { +#ifndef OPENSSL_NO_SOCK cbio = BIO_new_connect(host); +#else + BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n"); + goto end; +#endif if (!cbio) { BIO_printf(bio_err, "Error creating connect BIO\n"); @@ -732,7 +712,16 @@ int MAIN(int argc, char **argv) if (use_ssl == 1) { BIO *sbio; +#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) ctx = SSL_CTX_new(SSLv23_client_method()); +#elif !defined(OPENSSL_NO_SSL3) + ctx = SSL_CTX_new(SSLv3_client_method()); +#elif !defined(OPENSSL_NO_SSL2) + ctx = SSL_CTX_new(SSLv2_client_method()); +#else + BIO_printf(bio_err, "SSL is disabled\n"); + goto end; +#endif SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); sbio = BIO_new_ssl(ctx, 1); cbio = BIO_push(sbio, cbio); @@ -792,7 +781,7 @@ int MAIN(int argc, char **argv) if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) { - BIO_printf(out, "Responder Error: %s (%ld)\n", + BIO_printf(out, "Responder Error: %s (%d)\n", OCSP_response_status_str(i), i); ret = 0; goto end; @@ -856,7 +845,7 @@ int MAIN(int argc, char **argv) if(i <= 0) { - BIO_printf(bio_err, "Response Verify Failure\n", i); + BIO_printf(bio_err, "Response Verify Failure\n"); ERR_print_errors(bio_err); } else @@ -879,7 +868,7 @@ end: X509_free(cert); X509_free(rsigner); X509_free(rca_cert); - TXT_DB_free(rdb); + free_index(rdb); BIO_free_all(cbio); BIO_free_all(acbio); BIO_free(out); @@ -1021,7 +1010,7 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, } -static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db, +static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother, unsigned long flags, int nmin, int ndays) @@ -1113,7 +1102,7 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *d } -static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser) +static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser) { int i; BIGNUM *bn = NULL; @@ -1126,7 +1115,7 @@ static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser) itmp = BN_bn2hex(bn); row[DB_serial] = itmp; BN_free(bn); - rrow=TXT_DB_get_by_index(db,DB_serial,row); + rrow=TXT_DB_get_by_index(db->db,DB_serial,row); OPENSSL_free(itmp); return rrow; } @@ -1139,7 +1128,11 @@ static BIO *init_responder(char *port) bufbio = BIO_new(BIO_f_buffer()); if (!bufbio) goto err; +#ifndef OPENSSL_NO_SOCK acbio = BIO_new_accept(port); +#else + BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n"); +#endif if (!acbio) goto err; BIO_set_accept_bios(acbio, bufbio); @@ -1226,3 +1219,4 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) return 1; } +#endif diff --git a/apps/openssl.c b/apps/openssl.c index e3875c484a..86d9fc51bc 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -122,7 +122,9 @@ #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/ssl.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif #define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */ #include "progs.h" #include "s_apps.h" diff --git a/apps/openssl.cnf b/apps/openssl.cnf index eca51c3322..2696044cf1 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -38,6 +38,8 @@ dir = ./demoCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate diff --git a/apps/pkcs12.c b/apps/pkcs12.c index e445c24b9b..385011b457 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -120,7 +120,9 @@ int MAIN(int argc, char **argv) char *passin = NULL, *passout = NULL; char *inrand = NULL; char *CApath = NULL, *CAfile = NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif apps_startup(); @@ -259,11 +261,13 @@ int MAIN(int argc, char **argv) args++; CAfile = *args; } else badarg = 1; +#ifndef OPENSSL_NO_ENGINE } else if (!strcmp(*args,"-engine")) { if (args[1]) { args++; engine = *args; } else badarg = 1; +#endif } else badarg = 1; } else badarg = 1; @@ -311,14 +315,18 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-password p set import/export password source\n"); BIO_printf (bio_err, "-passin p input file pass phrase source\n"); BIO_printf (bio_err, "-passout p output file pass phrase source\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err, " load the file (or the files in the directory) into\n"); BIO_printf(bio_err, " the random number generator\n"); goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(passarg) { if(export_cert) passargout = passarg; @@ -550,7 +558,7 @@ int MAIN(int argc, char **argv) CRYPTO_push_info("creating PKCS#12 structure"); #endif - p12 = PKCS12_create(pass, name, key, ucert, certs, + p12 = PKCS12_create(cpass, name, key, ucert, certs, key_pbe, cert_pbe, iter, -1, keytype); if (!p12) @@ -806,8 +814,9 @@ int alg_print (BIO *x, X509_ALGOR *alg) unsigned char *p; p = alg->parameter->value.sequence->data; pbe = d2i_PBEPARAM (NULL, &p, alg->parameter->value.sequence->length); - BIO_printf (bio_err, "%s, Iteration %d\n", - OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)), ASN1_INTEGER_get(pbe->iter)); + BIO_printf (bio_err, "%s, Iteration %ld\n", + OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)), + ASN1_INTEGER_get(pbe->iter)); PBEPARAM_free (pbe); return 0; } diff --git a/apps/pkcs7.c b/apps/pkcs7.c index 738dd853ce..6c58c67eb2 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c @@ -82,7 +82,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif PKCS7 *p7=NULL; int i,badops=0; BIO *in=NULL,*out=NULL; @@ -90,7 +92,9 @@ int MAIN(int argc, char **argv) char *infile,*outfile,*prog; int print_certs=0,text=0,noout=0; int ret=1; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif apps_startup(); @@ -134,11 +138,13 @@ int MAIN(int argc, char **argv) text=1; else if (strcmp(*argv,"-print_certs") == 0) print_certs=1; +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -161,14 +167,18 @@ bad: BIO_printf(bio_err," -print_certs print any certs or crl in the input\n"); BIO_printf(bio_err," -text print full details of certificates\n"); BIO_printf(bio_err," -noout don't output encoded data\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif ret = 1; goto end; } ERR_load_crypto_strings(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); diff --git a/apps/pkcs8.c b/apps/pkcs8.c index 1debccb17e..ee8cf02813 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -85,7 +85,9 @@ int MAIN(int argc, char **argv) EVP_PKEY *pkey=NULL; char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL; int badarg = 0; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); @@ -145,11 +147,13 @@ int MAIN(int argc, char **argv) if (!args[1]) goto bad; passargout= *(++args); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*args,"-engine") == 0) { if (!args[1]) goto bad; engine= *(++args); } +#endif else if (!strcmp (*args, "-in")) { if (args[1]) { args++; @@ -182,11 +186,15 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-nocrypt use or expect unencrypted private key\n"); BIO_printf(bio_err, "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n"); BIO_printf(bio_err, "-v1 obj use PKCS#5 v1.5 and cipher \"alg\"\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif return (1); } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); @@ -227,7 +235,7 @@ int MAIN(int argc, char **argv) return (1); } if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) { - BIO_printf(bio_err, "Error converting key\n", outfile); + BIO_printf(bio_err, "Error converting key\n"); ERR_print_errors(bio_err); return (1); } @@ -251,8 +259,7 @@ int MAIN(int argc, char **argv) if (!(p8 = PKCS8_encrypt(pbe_nid, cipher, p8pass, strlen(p8pass), NULL, 0, iter, p8inf))) { - BIO_printf(bio_err, "Error encrypting key\n", - outfile); + BIO_printf(bio_err, "Error encrypting key\n"); ERR_print_errors(bio_err); return (1); } @@ -295,7 +302,7 @@ int MAIN(int argc, char **argv) } if (!p8) { - BIO_printf (bio_err, "Error reading key\n", outfile); + BIO_printf (bio_err, "Error reading key\n"); ERR_print_errors(bio_err); return (1); } @@ -309,13 +316,13 @@ int MAIN(int argc, char **argv) } if (!p8inf) { - BIO_printf(bio_err, "Error decrypting key\n", outfile); + BIO_printf(bio_err, "Error decrypting key\n"); ERR_print_errors(bio_err); return (1); } if (!(pkey = EVP_PKCS82PKEY(p8inf))) { - BIO_printf(bio_err, "Error converting key\n", outfile); + BIO_printf(bio_err, "Error converting key\n"); ERR_print_errors(bio_err); return (1); } diff --git a/apps/progs.h b/apps/progs.h index 999de31bdd..131a721a39 100644 --- a/apps/progs.h +++ b/apps/progs.h @@ -37,7 +37,9 @@ extern int pkcs8_main(int argc,char *argv[]); extern int spkac_main(int argc,char *argv[]); extern int smime_main(int argc,char *argv[]); extern int rand_main(int argc,char *argv[]); +#ifndef OPENSSL_NO_ENGINE extern int engine_main(int argc,char *argv[]); +#endif extern int ocsp_main(int argc,char *argv[]); #define FUNC_TYPE_GENERAL 1 @@ -100,7 +102,9 @@ FUNCTION functions[] = { #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3)) {FUNC_TYPE_GENERAL,"s_client",s_client_main}, #endif +#ifndef OPENSSL_NO_SPEED {FUNC_TYPE_GENERAL,"speed",speed_main}, +#endif #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3)) {FUNC_TYPE_GENERAL,"s_time",s_time_main}, #endif @@ -119,7 +123,9 @@ FUNCTION functions[] = { {FUNC_TYPE_GENERAL,"spkac",spkac_main}, {FUNC_TYPE_GENERAL,"smime",smime_main}, {FUNC_TYPE_GENERAL,"rand",rand_main}, +#ifndef OPENSSL_NO_ENGINE {FUNC_TYPE_GENERAL,"engine",engine_main}, +#endif {FUNC_TYPE_GENERAL,"ocsp",ocsp_main}, #ifndef OPENSSL_NO_MD2 {FUNC_TYPE_MD,"md2",dgst_main}, diff --git a/apps/rand.c b/apps/rand.c index eaaa6e35a6..63724bc730 100644 --- a/apps/rand.c +++ b/apps/rand.c @@ -76,7 +76,9 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif int i, r, ret = 1; int badopt; char *outfile = NULL; @@ -84,7 +86,9 @@ int MAIN(int argc, char **argv) int base64 = 0; BIO *out = NULL; int num = -1; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif apps_startup(); @@ -106,6 +110,7 @@ int MAIN(int argc, char **argv) else badopt = 1; } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(argv[i], "-engine") == 0) { if ((argv[i+1] != NULL) && (engine == NULL)) @@ -113,6 +118,7 @@ int MAIN(int argc, char **argv) else badopt = 1; } +#endif else if (strcmp(argv[i], "-rand") == 0) { if ((argv[i+1] != NULL) && (inrand == NULL)) @@ -150,13 +156,17 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "Usage: rand [options] num\n"); BIO_printf(bio_err, "where options are\n"); BIO_printf(bio_err, "-out file - write to file\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, "-engine e - use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err, "-base64 - encode output\n"); goto err; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif app_RAND_load_file(NULL, bio_err, (inrand != NULL)); if (inrand != NULL) diff --git a/apps/req.c b/apps/req.c index 4fa5ae6fe8..80b623c506 100644 --- a/apps/req.c +++ b/apps/req.c @@ -133,7 +133,7 @@ static int add_attribute_object(X509_REQ *req, char *text, char *def, char *value, int nid, int n_min, int n_max, unsigned long chtype); static int add_DN_object(X509_NAME *n, char *text, char *def, char *value, - int nid,int n_min,int n_max, unsigned long chtype); + int nid,int n_min,int n_max, unsigned long chtype, int mval); #ifndef OPENSSL_NO_RSA static void MS_CALLBACK req_cb(int p,int n,void *arg); #endif @@ -172,7 +172,9 @@ int MAIN(int argc, char **argv) int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM; int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0; char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif char *extensions = NULL; char *req_exts = NULL; const EVP_CIPHER *cipher=NULL; @@ -220,11 +222,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; outformat=str2fmt(*(++argv)); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-key") == 0) { if (--argc < 1) goto bad; @@ -488,7 +492,9 @@ bad: BIO_printf(bio_err," -verify verify signature on REQ\n"); BIO_printf(bio_err," -modulus RSA modulus\n"); BIO_printf(bio_err," -nodes don't encrypt the output key\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device\n"); +#endif BIO_printf(bio_err," -subject output the request's subject\n"); BIO_printf(bio_err," -passin private key password source\n"); BIO_printf(bio_err," -key file use the private key contained in file\n"); @@ -516,7 +522,7 @@ bad: BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n"); BIO_printf(bio_err," -reqexts .. specify request extension section (override value in config file)\n"); BIO_printf(bio_err," -utf8 input characters are UTF8 (default ASCII)\n"); - BIO_printf(bio_err," -nameopt arg - various certificate name options\n"); + BIO_printf(bio_err," -nameopt arg - various certificate name options\n"); BIO_printf(bio_err," -reqopt arg - various request text options\n\n"); goto end; } @@ -680,7 +686,9 @@ bad: if ((in == NULL) || (out == NULL)) goto end; +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if (keyfile != NULL) { @@ -720,10 +728,10 @@ bad: if (newkey < MIN_KEY_LENGTH && (pkey_type == TYPE_RSA || pkey_type == TYPE_DSA)) { BIO_printf(bio_err,"private key length is too short,\n"); - BIO_printf(bio_err,"it needs to be at least %d bits, not %d\n",MIN_KEY_LENGTH,newkey); + BIO_printf(bio_err,"it needs to be at least %d bits, not %ld\n",MIN_KEY_LENGTH,newkey); goto end; } - BIO_printf(bio_err,"Generating a %d bit %s private key\n", + BIO_printf(bio_err,"Generating a %ld bit %s private key\n", newkey,(pkey_type == TYPE_RSA)?"RSA": (pkey_type == TYPE_DSA)?"DSA":"EC"); @@ -1251,7 +1259,7 @@ static int prompt_info(X509_REQ *req, int i; char *p,*q; char buf[100]; - int nid; + int nid, mval; long n_min,n_max; char *type,*def,*value; CONF_VALUE *v; @@ -1294,6 +1302,13 @@ start: for (;;) if(*p) type = p; break; } + if (*type == '+') + { + mval = -1; + type++; + } + else + mval = 0; /* If OBJ not recognised ignore it */ if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start; @@ -1318,14 +1333,20 @@ start: for (;;) sprintf(buf,"%s_min",v->name); if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min)) + { + ERR_clear_error(); n_min = -1; + } sprintf(buf,"%s_max",v->name); if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max)) + { + ERR_clear_error(); n_max = -1; + } if (!add_DN_object(subj,v->value,def,value,nid, - n_min,n_max, chtype)) + n_min,n_max, chtype, mval)) return 0; } if (X509_NAME_entry_count(subj) == 0) @@ -1415,6 +1436,7 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) { + int mval; v=sk_CONF_VALUE_value(dn_sk,i); p=q=NULL; type=v->name; @@ -1431,8 +1453,19 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, if(*p) type = p; break; } +#ifndef CHARSET_EBCDIC + if (*p == '+') +#else + if (*p == os_toascii['+']) +#endif + { + p++; + mval = -1; + } + else + mval = 0; if (!X509_NAME_add_entry_by_txt(subj,type, chtype, - (unsigned char *) v->value,-1,-1,0)) return 0; + (unsigned char *) v->value,-1,-1,mval)) return 0; } @@ -1455,7 +1488,7 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, static int add_DN_object(X509_NAME *n, char *text, char *def, char *value, - int nid, int n_min, int n_max, unsigned long chtype) + int nid, int n_min, int n_max, unsigned long chtype, int mval) { int i,ret=0; MS_STATIC char buf[1024]; @@ -1505,7 +1538,7 @@ start: #endif if(!req_check_len(i, n_min, n_max)) goto start; if (!X509_NAME_add_entry_by_NID(n,nid, chtype, - (unsigned char *) buf, -1,-1,0)) goto err; + (unsigned char *) buf, -1,-1,mval)) goto err; ret=1; err: return(ret); diff --git a/apps/rsa.c b/apps/rsa.c index aebec744a2..0acdb08b24 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -104,7 +104,9 @@ int MAIN(int argc, char **argv) char *infile,*outfile,*prog; char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif int modulus=0; apps_startup(); @@ -156,11 +158,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; passargout= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-sgckey") == 0) sgckey=1; else if (strcmp(*argv,"-pubin") == 0) @@ -212,13 +216,17 @@ bad: BIO_printf(bio_err," -check verify key consistency\n"); BIO_printf(bio_err," -pubin expect a public key in input file\n"); BIO_printf(bio_err," -pubout output a public key\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif goto end; } ERR_load_crypto_strings(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); diff --git a/apps/rsautl.c b/apps/rsautl.c index 36957e5b84..5a6fd115f4 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -85,7 +85,9 @@ int MAIN(int argc, char **argv) ENGINE *e = NULL; BIO *in = NULL, *out = NULL; char *infile = NULL, *outfile = NULL; +#ifndef OPENSSL_NO_ENGINE char *engine = NULL; +#endif char *keyfile = NULL; char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY; int keyform = FORMAT_PEM; @@ -125,9 +127,11 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) badarg = 1; keyform=str2fmt(*(++argv)); +#ifndef OPENSSL_NO_ENGINE } else if(!strcmp(*argv, "-engine")) { if (--argc < 1) badarg = 1; engine = *(++argv); +#endif } else if(!strcmp(*argv, "-pubin")) { key_type = KEY_PUBKEY; } else if(!strcmp(*argv, "-certin")) { @@ -162,7 +166,9 @@ int MAIN(int argc, char **argv) goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif /* FIXME: seed PRNG only if needed */ app_RAND_load_file(NULL, bio_err, 0); @@ -305,7 +311,9 @@ static void usage() BIO_printf(bio_err, "-encrypt encrypt with public key\n"); BIO_printf(bio_err, "-decrypt decrypt with private key\n"); BIO_printf(bio_err, "-hexdump hex dump output\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n"); +#endif } diff --git a/apps/s_cb.c b/apps/s_cb.c index 675527df1f..1410178d65 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -239,14 +239,14 @@ long MS_CALLBACK bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi, if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) { - BIO_printf(out,"read from %08X [%08lX] (%d bytes => %ld (0x%X))\n", + BIO_printf(out,"read from %p [%p] (%d bytes => %ld (0x%lX))\n", bio,argp,argi,ret,ret); BIO_dump(out,argp,(int)ret); return(ret); } else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) { - BIO_printf(out,"write to %08X [%08lX] (%d bytes => %ld (0x%X))\n", + BIO_printf(out,"write to %p [%p] (%d bytes => %ld (0x%lX))\n", bio,argp,argi,ret,ret); BIO_dump(out,argp,(int)ret); } diff --git a/apps/s_client.c b/apps/s_client.c index ce6cca2676..7fea212e15 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -226,7 +226,9 @@ static void sc_usage(void) BIO_printf(bio_err," for those protocols that support it, where\n"); BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n"); BIO_printf(bio_err," only \"smtp\" is supported.\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); +#endif BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); } @@ -258,8 +260,10 @@ int MAIN(int argc, char **argv) SSL_METHOD *meth=NULL; BIO *sbio; char *inrand=NULL; +#ifndef OPENSSL_NO_ENGINE char *engine_id=NULL; ENGINE *e=NULL; +#endif #ifdef OPENSSL_SYS_WINDOWS struct timeval tv; #endif @@ -424,11 +428,13 @@ int MAIN(int argc, char **argv) else goto bad; } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine_id = *(++argv); } +#endif else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) goto bad; @@ -453,7 +459,9 @@ bad: OpenSSL_add_ssl_algorithms(); SSL_load_error_strings(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine_id, 1); +#endif if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL && !RAND_status()) diff --git a/apps/s_server.c b/apps/s_server.c index 437dda42ee..c857e47b97 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -259,7 +259,9 @@ static int s_msg=0; static int s_quiet=0; static int hack=0; +#ifndef OPENSSL_NO_ENGINE static char *engine_id=NULL; +#endif static const char *session_id_prefix=NULL; #ifdef MONOLITH @@ -284,7 +286,9 @@ static void s_server_init(void) s_msg=0; s_quiet=0; hack=0; +#ifndef OPENSSL_NO_ENGINE engine_id=NULL; +#endif } #endif @@ -341,7 +345,9 @@ static void sv_usage(void) BIO_printf(bio_err," -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); BIO_printf(bio_err," -HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); BIO_printf(bio_err," with the assumption it contains a complete HTTP response.\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); +#endif BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n"); BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); } @@ -516,7 +522,9 @@ int MAIN(int argc, char *argv[]) int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0; int state=0; SSL_METHOD *meth=NULL; +#ifndef OPENSSL_NO_ENGINE ENGINE *e=NULL; +#endif char *inrand=NULL; #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) @@ -700,11 +708,13 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; session_id_prefix = *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine_id= *(++argv); } +#endif else if (strcmp(*argv,"-rand") == 0) { if (--argc < 1) goto bad; @@ -729,7 +739,9 @@ bad: SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine_id, 1); +#endif if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL && !RAND_status()) @@ -963,23 +975,23 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx) { BIO_printf(bio,"%4ld items in the session cache\n", SSL_CTX_sess_number(ssl_ctx)); - BIO_printf(bio,"%4d client connects (SSL_connect())\n", + BIO_printf(bio,"%4ld client connects (SSL_connect())\n", SSL_CTX_sess_connect(ssl_ctx)); - BIO_printf(bio,"%4d client renegotiates (SSL_connect())\n", + BIO_printf(bio,"%4ld client renegotiates (SSL_connect())\n", SSL_CTX_sess_connect_renegotiate(ssl_ctx)); - BIO_printf(bio,"%4d client connects that finished\n", + BIO_printf(bio,"%4ld client connects that finished\n", SSL_CTX_sess_connect_good(ssl_ctx)); - BIO_printf(bio,"%4d server accepts (SSL_accept())\n", + BIO_printf(bio,"%4ld server accepts (SSL_accept())\n", SSL_CTX_sess_accept(ssl_ctx)); - BIO_printf(bio,"%4d server renegotiates (SSL_accept())\n", + BIO_printf(bio,"%4ld server renegotiates (SSL_accept())\n", SSL_CTX_sess_accept_renegotiate(ssl_ctx)); - BIO_printf(bio,"%4d server accepts that finished\n", + BIO_printf(bio,"%4ld server accepts that finished\n", SSL_CTX_sess_accept_good(ssl_ctx)); - BIO_printf(bio,"%4d session cache hits\n",SSL_CTX_sess_hits(ssl_ctx)); - BIO_printf(bio,"%4d session cache misses\n",SSL_CTX_sess_misses(ssl_ctx)); - BIO_printf(bio,"%4d session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx)); - BIO_printf(bio,"%4d callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx)); - BIO_printf(bio,"%4d cache full overflows (%d allowed)\n", + BIO_printf(bio,"%4ld session cache hits\n",SSL_CTX_sess_hits(ssl_ctx)); + BIO_printf(bio,"%4ld session cache misses\n",SSL_CTX_sess_misses(ssl_ctx)); + BIO_printf(bio,"%4ld session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx)); + BIO_printf(bio,"%4ld callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx)); + BIO_printf(bio,"%4ld cache full overflows (%ld allowed)\n", SSL_CTX_sess_cache_full(ssl_ctx), SSL_CTX_sess_get_cache_size(ssl_ctx)); } diff --git a/apps/smime.c b/apps/smime.c index ef0e477464..1d7d828e01 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -1,9 +1,9 @@ /* smime.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL - * project 1999. + * project. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -104,7 +104,9 @@ int MAIN(int argc, char **argv) int need_rand = 0; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; int keyform = FORMAT_PEM; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif args = argv + 1; ret = 1; @@ -176,11 +178,13 @@ int MAIN(int argc, char **argv) inrand = *args; } else badarg = 1; need_rand = 1; +#ifndef OPENSSL_NO_ENGINE } else if (!strcmp(*args,"-engine")) { if (args[1]) { args++; engine = *args; } else badarg = 1; +#endif } else if (!strcmp(*args,"-passin")) { if (args[1]) { args++; @@ -330,7 +334,9 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf (bio_err, "-passin arg input file pass phrase source\n"); BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err, " load the file (or the files in the directory) into\n"); @@ -339,7 +345,9 @@ int MAIN(int argc, char **argv) goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); @@ -470,8 +478,14 @@ int MAIN(int argc, char **argv) if(operation == SMIME_ENCRYPT) { p7 = PKCS7_encrypt(encerts, in, cipher, flags); } else if(operation == SMIME_SIGN) { + /* If detached data and SMIME output enable partial + * signing. + */ + if ((flags & PKCS7_DETACHED) && (outformat == FORMAT_SMIME)) + flags |= PKCS7_STREAM; p7 = PKCS7_sign(signer, key, other, in, flags); - if (BIO_reset(in) != 0 && (flags & PKCS7_DETACHED)) { + /* Don't need to rewind for partial signing */ + if (!(flags & PKCS7_STREAM) && (BIO_reset(in) != 0)) { BIO_printf(bio_err, "Can't rewind input file\n"); goto end; } diff --git a/apps/speed.c b/apps/speed.c index ad455e5073..a634b11729 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -71,6 +71,8 @@ /* most of this code has been pilfered from my libdes speed.c program */ +#ifndef OPENSSL_NO_SPEED + #undef SECONDS #define SECONDS 3 #define RSA_SECONDS 10 @@ -394,11 +396,27 @@ static double Time_F(int s) #endif } + +static const int KDF1_SHA1_len = 20; +static void *KDF1_SHA1(void *in, size_t inlen, void *out, size_t outlen) + { +#ifndef OPENSSL_NO_SHA + if (outlen != SHA_DIGEST_LENGTH) + return NULL; + return SHA1(in, inlen, out); +#else + return NULL; +#endif + } + + int MAIN(int, char **); int MAIN(int argc, char **argv) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; +#endif unsigned char *buf=NULL,*buf2=NULL; int mret=1; long count=0,save_count=0; @@ -731,6 +749,7 @@ int MAIN(int argc, char **argv) j--; /* Otherwise, -elapsed gets confused with an algorithm. */ } +#ifndef OPENSSL_NO_ENGINE else if ((argc > 0) && (strcmp(*argv,"-engine") == 0)) { argc--; @@ -747,6 +766,7 @@ int MAIN(int argc, char **argv) means all of them should be run) */ j--; } +#endif #ifdef HAVE_FORK else if ((argc > 0) && (strcmp(*argv,"-multi") == 0)) { @@ -1064,7 +1084,9 @@ int MAIN(int argc, char **argv) #if defined(TIMES) || defined(USE_TOD) BIO_printf(bio_err,"-elapsed measure time in real time instead of CPU user time.\n"); #endif +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n"); +#endif BIO_printf(bio_err,"-evp e use EVP e.\n"); BIO_printf(bio_err,"-decrypt time decryption instead of encryption (only EVP).\n"); BIO_printf(bio_err,"-mr produce machine readable output.\n"); @@ -1927,6 +1949,9 @@ int MAIN(int argc, char **argv) } else { +#if 1 + EC_GROUP_precompute_mult(ecdsa[j]->group, NULL); +#endif /* Perform ECDSA signature test */ EC_KEY_generate_key(ecdsa[j]); ret = ECDSA_sign(0, buf, 20, ecdsasig, @@ -2042,7 +2067,7 @@ int MAIN(int argc, char **argv) } else { - ecdh_b[j]->group = ecdh_a[j]->group; + ecdh_b[j]->group = EC_GROUP_dup(ecdh_a[j]->group); /* generate two ECDH key pairs */ if (!EC_KEY_generate_key(ecdh_a[j]) || @@ -2054,12 +2079,12 @@ int MAIN(int argc, char **argv) } else { - secret_size_a = ECDH_compute_key(secret_a, + secret_size_a = ECDH_compute_key(secret_a, KDF1_SHA1_len, ecdh_b[j]->pub_key, - ecdh_a[j]); - secret_size_b = ECDH_compute_key(secret_b, + ecdh_a[j], KDF1_SHA1); + secret_size_b = ECDH_compute_key(secret_b, KDF1_SHA1_len, ecdh_a[j]->pub_key, - ecdh_b[j]); + ecdh_b[j], KDF1_SHA1); if (secret_size_a != secret_size_b) ecdh_checks = 0; else @@ -2088,9 +2113,9 @@ int MAIN(int argc, char **argv) Time_F(START); for (count=0,run=1; COND(ecdh_c[j][0]); count++) { - ECDH_compute_key(secret_a, + ECDH_compute_key(secret_a, KDF1_SHA1_len, ecdh_b[j]->pub_key, - ecdh_a[j]); + ecdh_a[j], KDF1_SHA1); } d=Time_F(STOP); BIO_printf(bio_err, mr ? "+R7:%ld:%d:%.2f\n" :"%ld %d-bit ECDH ops in %.2fs\n", @@ -2357,8 +2382,8 @@ static void pkey_print_message(char *str, char *str2, long num, int bits, static void print_result(int alg,int run_no,int count,double time_used) { - BIO_printf(bio_err,mr ? "+R:%ld:%s:%f\n" - : "%ld %s's in %.2fs\n",count,names[alg],time_used); + BIO_printf(bio_err,mr ? "+R:%d:%s:%f\n" + : "%d %s's in %.2fs\n",count,names[alg],time_used); results[alg][run_no]=((double)count)/time_used*lengths[run_no]; } @@ -2570,3 +2595,4 @@ static int do_multi(int multi) return 1; } #endif +#endif diff --git a/apps/spkac.c b/apps/spkac.c index ed370c5ca9..47ee53f1ee 100644 --- a/apps/spkac.c +++ b/apps/spkac.c @@ -92,7 +92,9 @@ int MAIN(int argc, char **argv) CONF *conf = NULL; NETSCAPE_SPKI *spki = NULL; EVP_PKEY *pkey = NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif apps_startup(); @@ -141,11 +143,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; spksect= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-noout") == 0) noout=1; else if (strcmp(*argv,"-pubkey") == 0) @@ -171,7 +175,9 @@ bad: BIO_printf(bio_err," -noout don't print SPKAC\n"); BIO_printf(bio_err," -pubkey output public key\n"); BIO_printf(bio_err," -verify verify SPKAC signature\n"); +#ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); +#endif goto end; } @@ -181,7 +187,9 @@ bad: goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if(keyfile) { pkey = load_key(bio_err, diff --git a/apps/verify.c b/apps/verify.c index 9a18213ece..6a93c018b8 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -86,7 +86,9 @@ int MAIN(int argc, char **argv) STACK_OF(X509) *untrusted = NULL, *trusted = NULL; X509_STORE *cert_ctx=NULL; X509_LOOKUP *lookup=NULL; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif cert_ctx=X509_STORE_new(); if (cert_ctx == NULL) goto end; @@ -142,11 +144,13 @@ int MAIN(int argc, char **argv) if (argc-- < 1) goto end; trustfile= *(++argv); } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto end; engine= *(++argv); } +#endif else if (strcmp(*argv,"-help") == 0) goto end; else if (strcmp(*argv,"-ignore_critical") == 0) @@ -170,7 +174,9 @@ int MAIN(int argc, char **argv) break; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file()); if (lookup == NULL) abort(); @@ -219,7 +225,11 @@ int MAIN(int argc, char **argv) ret=0; end: if (ret == 1) { - BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...\n"); + BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); +#ifndef OPENSSL_NO_ENGINE + BIO_printf(bio_err," [-engine e]"); +#endif + BIO_printf(bio_err," cert1 cert2 ...\n"); BIO_printf(bio_err,"recognized usages:\n"); for(i = 0; i < X509_PURPOSE_get_count(); i++) { X509_PURPOSE *ptmp; diff --git a/apps/x509.c b/apps/x509.c index 9709628df3..efb7b0d8b2 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -131,7 +131,9 @@ static char *x509_usage[]={ " -extensions - section from config file with X509V3 extensions to add\n", " -clrext - delete extensions before signing and input certificate\n", " -nameopt arg - various certificate name options\n", +#ifndef OPENSSL_NO_ENGINE " -engine e - use engine e, possibly a hardware device.\n", +#endif " -certopt arg - various certificate text options\n", NULL }; @@ -183,7 +185,9 @@ int MAIN(int argc, char **argv) int need_rand = 0; int checkend=0,checkoffset=0; unsigned long nmflag = 0, certflag = 0; +#ifndef OPENSSL_NO_ENGINE char *engine=NULL; +#endif reqfile=0; @@ -354,17 +358,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; if (!set_name_ex(&nmflag, *(++argv))) goto bad; } - else if (strcmp(*argv,"-setalias") == 0) - { - if (--argc < 1) goto bad; - alias= *(++argv); - trustout = 1; - } +#ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } +#endif else if (strcmp(*argv,"-C") == 0) C= ++num; else if (strcmp(*argv,"-email") == 0) @@ -450,7 +450,9 @@ bad: goto end; } +#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); +#endif if (need_rand) app_RAND_load_file(NULL, bio_err, 0); @@ -1032,12 +1034,10 @@ end: OPENSSL_EXIT(ret); } -static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create) +static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create) { char *buf = NULL, *p; - MS_STATIC char buf2[1024]; - ASN1_INTEGER *bs = NULL, *bs2 = NULL; - BIO *io = NULL; + ASN1_INTEGER *bs = NULL; BIGNUM *serial = NULL; buf=OPENSSL_malloc( ((serialfile == NULL) @@ -1057,80 +1057,19 @@ static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create) } else strcpy(buf,serialfile); - serial=BN_new(); - bs=ASN1_INTEGER_new(); - if ((serial == NULL) || (bs == NULL)) - { - ERR_print_errors(bio_err); - goto end; - } - io=BIO_new(BIO_s_file()); - if (io == NULL) - { - ERR_print_errors(bio_err); - goto end; - } - - if (BIO_read_filename(io,buf) <= 0) - { - if (!create) - { - perror(buf); - goto end; - } - else - { - ASN1_INTEGER_set(bs,1); - BN_one(serial); - } - } - else - { - if (!a2i_ASN1_INTEGER(io,bs,buf2,sizeof buf2)) - { - BIO_printf(bio_err,"unable to load serial number from %s\n",buf); - ERR_print_errors(bio_err); - goto end; - } - else - { - serial=BN_bin2bn(bs->data,bs->length,serial); - if (serial == NULL) - { - BIO_printf(bio_err,"error converting bin 2 bn"); - goto end; - } - } - } + serial = load_serial(buf, create, NULL); + if (serial == NULL) goto end; if (!BN_add_word(serial,1)) { BIO_printf(bio_err,"add_word failure\n"); goto end; } - if (!(bs2 = BN_to_ASN1_INTEGER(serial, NULL))) - { BIO_printf(bio_err,"error converting bn 2 asn1_integer\n"); goto end; } - if (BIO_write_filename(io,buf) <= 0) - { - BIO_printf(bio_err,"error attempting to write serial number file\n"); - perror(buf); - goto end; - } - i2a_ASN1_INTEGER(io,bs2); - BIO_puts(io,"\n"); - BIO_free(io); - if (buf) OPENSSL_free(buf); - ASN1_INTEGER_free(bs2); - BN_free(serial); - io=NULL; - return bs; + if (!save_serial(buf, serial, &bs)) goto end; - end: + end: if (buf) OPENSSL_free(buf); - BIO_free(io); - ASN1_INTEGER_free(bs); BN_free(serial); - return NULL; - + return bs; } static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, @@ -1152,7 +1091,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, goto end; } if (sno) bs = sno; - else if (!(bs = load_serial(CAfile, serialfile, create))) + else if (!(bs = x509_load_serial(CAfile, serialfile, create))) goto end; if (!X509_STORE_add_cert(ctx,x)) goto end; @@ -74,34 +74,27 @@ if [ "x$XREL" != "x" ]; then echo "whatever-whatever-sco5"; exit 0 ;; 4.2MP) - if [ "x$VERSION" = "x2.01" ]; then - echo "${MACHINE}-whatever-unixware201"; exit 0 - elif [ "x$VERSION" = "x2.02" ]; then - echo "${MACHINE}-whatever-unixware202"; exit 0 - elif [ "x$VERSION" = "x2.03" ]; then - echo "${MACHINE}-whatever-unixware203"; exit 0 - elif [ "x$VERSION" = "x2.1.1" ]; then - echo "${MACHINE}-whatever-unixware211"; exit 0 - elif [ "x$VERSION" = "x2.1.2" ]; then - echo "${MACHINE}-whatever-unixware212"; exit 0 - elif [ "x$VERSION" = "x2.1.3" ]; then - echo "${MACHINE}-whatever-unixware213"; exit 0 - else - echo "${MACHINE}-whatever-unixware2"; exit 0 - fi + case "x${VERSION}" in + x2.0*) echo "whatever-whatever-unixware20"; exit 0 ;; + x2.1*) echo "whatever-whatever-unixware21"; exit 0 ;; + x2*) echo "whatever-whatever-unixware2"; exit 0 ;; + esac ;; 4.2) echo "whatever-whatever-unixware1"; exit 0 ;; - OpenUNIX) - if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x8" ]; then - echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0 - fi - ;; 5) - if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x7" ]; then - echo "${MACHINE}-sco-unixware7"; exit 0 - fi + case "x${VERSION}" in + # We hardcode i586 in place of ${MACHINE} for the + # following reason. The catch is that even though Pentium + # is minimum requirement for platforms in question, + # ${MACHINE} gets always assigned to i386. Now, problem + # with i386 is that it makes ./config pass 386 to + # ./Configure, which in turn makes make generate + # inefficient SHA-1 (for this moment) code. + x7*) echo "i586-sco-unixware7"; exit 0 ;; + x8*) echo "i586-unkn-OpenUNIX${VERSION}"; exit 0 ;; + esac ;; esac fi @@ -464,6 +457,10 @@ if [ "${SYSTEM}-${MACHINE}" = "Linux-alpha" ]; then fi fi +if [ "${SYSTEM}" = "AIX" ]; then # favor vendor cc over gcc + (cc) 2>&1 | grep -iv "not found" > /dev/null && CC=cc +fi + CCVER=${CCVER:-0} # read the output of the embedded GuessOS @@ -476,7 +473,7 @@ echo Operating system: $GUESSOS # more time that I want to waste at the moment case "$GUESSOS" in mips2-sgi-irix) - CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` + CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 4000 ]; then options="$options -mips2" @@ -484,7 +481,7 @@ case "$GUESSOS" in OUT="irix-$CC" ;; mips3-sgi-irix) - CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` + CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 5000 ]; then options="$options -mips4" @@ -500,7 +497,7 @@ case "$GUESSOS" in echo " You have about 5 seconds to press Ctrl-C to abort." (stty -icanon min 0 time 50; read waste) < /dev/tty fi - CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` + CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 5000 ]; then options="$options -mips4" @@ -644,6 +641,7 @@ EOF *-*-sunos4) OUT="sunos-$CC" ;; alpha*-*-freebsd*) OUT="FreeBSD-alpha" ;; sparc64-*-freebsd*) OUT="FreeBSD-sparc64" ;; + ia64-*-freebsd*) OUT="FreeBSD-ia64" ;; *-freebsd[3-9]*) OUT="FreeBSD-elf" ;; *-freebsd[1-2]*) OUT="FreeBSD" ;; *86*-*-netbsd) OUT="NetBSD-x86" ;; diff --git a/crypto/aes/aes.h b/crypto/aes/aes.h index 8294a41a3a..7f4b0e8066 100644 --- a/crypto/aes/aes.h +++ b/crypto/aes/aes.h @@ -52,6 +52,8 @@ #ifndef HEADER_AES_H #define HEADER_AES_H +#include <openssl/opensslconf.h> + #ifdef OPENSSL_NO_AES #error AES is disabled. #endif diff --git a/crypto/aes/aes_core.c b/crypto/aes/aes_core.c index ea884f6f9e..2f41a825f8 100644 --- a/crypto/aes/aes_core.c +++ b/crypto/aes/aes_core.c @@ -750,7 +750,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits, rk[2] = GETU32(userKey + 8); rk[3] = GETU32(userKey + 12); if (bits == 128) { - for (;;) { + while (1) { temp = rk[3]; rk[4] = rk[0] ^ (Te4[(temp >> 16) & 0xff] & 0xff000000) ^ @@ -770,7 +770,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits, rk[4] = GETU32(userKey + 16); rk[5] = GETU32(userKey + 20); if (bits == 192) { - for (;;) { + while (1) { temp = rk[ 5]; rk[ 6] = rk[ 0] ^ (Te4[(temp >> 16) & 0xff] & 0xff000000) ^ @@ -792,7 +792,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits, rk[6] = GETU32(userKey + 24); rk[7] = GETU32(userKey + 28); if (bits == 256) { - for (;;) { + while (1) { temp = rk[ 7]; rk[ 8] = rk[ 0] ^ (Te4[(temp >> 16) & 0xff] & 0xff000000) ^ diff --git a/crypto/asn1/a_sign.c b/crypto/asn1/a_sign.c index 52ce7e3974..37e1e84a11 100644 --- a/crypto/asn1/a_sign.c +++ b/crypto/asn1/a_sign.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -229,10 +229,11 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, else a=algor2; if (a == NULL) continue; - if (type->pkey_type == NID_dsaWithSHA1) + if (type->pkey_type == NID_dsaWithSHA1 || + type->pkey_type == NID_ecdsa_with_SHA1) { - /* special case: RFC 2459 tells us to omit 'parameters' - * with id-dsa-with-sha1 */ + /* special case: RFC 3279 tells us to omit 'parameters' + * with id-dsa-with-sha1 and ecdsa-with-SHA1 */ ASN1_TYPE_free(a->parameter); a->parameter = NULL; } diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c index 04789d1c63..aa49e9d7d0 100644 --- a/crypto/asn1/a_strnid.c +++ b/crypto/asn1/a_strnid.c @@ -173,6 +173,7 @@ static ASN1_STRING_TABLE tbl_standard[] = { {NID_friendlyName, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK}, {NID_name, 1, ub_name, DIRSTRING_TYPE, 0}, {NID_dnQualifier, -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK}, +{NID_domainComponent, 1, -1, B_ASN1_IA5STRING, STABLE_NO_MASK}, {NID_ms_csp_name, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK} }; @@ -249,4 +250,38 @@ static void st_free(ASN1_STRING_TABLE *tbl) if(tbl->flags & STABLE_FLAGS_MALLOC) OPENSSL_free(tbl); } + IMPLEMENT_STACK_OF(ASN1_STRING_TABLE) + +#ifdef STRING_TABLE_TEST + +main() +{ + ASN1_STRING_TABLE *tmp; + int i, last_nid = -1; + + for (tmp = tbl_standard, i = 0; + i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++) + { + if (tmp->nid < last_nid) + { + last_nid = 0; + break; + } + last_nid = tmp->nid; + } + + if (last_nid != 0) + { + printf("Table order OK\n"); + exit(0); + } + + for (tmp = tbl_standard, i = 0; + i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++) + printf("Index %d, NID %d, Name=%s\n", i, tmp->nid, + OBJ_nid2ln(tmp->nid)); + +} + +#endif diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c index 3a03c9e4e4..7348da9457 100644 --- a/crypto/asn1/a_time.c +++ b/crypto/asn1/a_time.c @@ -105,7 +105,10 @@ ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t) ts=OPENSSL_gmtime(&t,&data); if (ts == NULL) + { + ASN1err(ASN1_F_ASN1_TIME_SET, ASN1_R_ERROR_GETTING_TIME); return NULL; + } if((ts->tm_year >= 50) && (ts->tm_year < 150)) return ASN1_UTCTIME_set(s, t); return ASN1_GENERALIZEDTIME_set(s,t); diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index 460e0eb6e7..790e7b967b 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h @@ -60,10 +60,10 @@ #define HEADER_ASN1_H #include <time.h> +#include <openssl/e_os2.h> #ifndef OPENSSL_NO_BIO #include <openssl/bio.h> #endif -#include <openssl/e_os2.h> #include <openssl/bn.h> #include <openssl/stack.h> #include <openssl/safestack.h> @@ -264,14 +264,15 @@ typedef struct ASN1_VALUE_st ASN1_VALUE; #define DECLARE_ASN1_FUNCTIONS(type) DECLARE_ASN1_FUNCTIONS_name(type, type) +#define DECLARE_ASN1_ALLOC_FUNCTIONS(type) \ + DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, type) + #define DECLARE_ASN1_FUNCTIONS_name(type, name) \ - type *name##_new(void); \ - void name##_free(type *a); \ + DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \ DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name) #define DECLARE_ASN1_FUNCTIONS_fname(type, itname, name) \ - type *name##_new(void); \ - void name##_free(type *a); \ + DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \ DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) #define DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) \ @@ -291,6 +292,9 @@ typedef struct ASN1_VALUE_st ASN1_VALUE; name *name##_new(void); \ void name##_free(name *a); +#define DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \ + type *name##_new(void); \ + void name##_free(type *a); /* The following macros and typedefs allow an ASN1_ITEM * to be embedded in a structure and referenced. Since @@ -965,8 +969,8 @@ void ERR_load_ASN1_strings(void); #define ASN1_F_A2I_ASN1_ENUMERATED 101 #define ASN1_F_A2I_ASN1_INTEGER 102 #define ASN1_F_A2I_ASN1_STRING 103 -#define ASN1_F_APPEND_TAG 177 -#define ASN1_F_ASN1_CB 178 +#define ASN1_F_APPEND_TAG 176 +#define ASN1_F_ASN1_CB 177 #define ASN1_F_ASN1_CHECK_TLEN 104 #define ASN1_F_ASN1_COLLATE_PRIMITIVE 105 #define ASN1_F_ASN1_COLLECT 106 @@ -977,7 +981,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_F_ASN1_DUP 111 #define ASN1_F_ASN1_ENUMERATED_SET 112 #define ASN1_F_ASN1_ENUMERATED_TO_BN 113 -#define ASN1_F_ASN1_GENERATE_V3 182 +#define ASN1_F_ASN1_GENERATE_V3 178 #define ASN1_F_ASN1_GET_OBJECT 114 #define ASN1_F_ASN1_HEADER_NEW 115 #define ASN1_F_ASN1_I2D_BIO 116 @@ -999,6 +1003,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_F_ASN1_TEMPLATE_D2I 131 #define ASN1_F_ASN1_TEMPLATE_EX_D2I 132 #define ASN1_F_ASN1_TEMPLATE_NEW 133 +#define ASN1_F_ASN1_TIME_SET 175 #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING 134 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING 135 #define ASN1_F_ASN1_UNPACK_STRING 136 @@ -1028,15 +1033,14 @@ void ERR_load_ASN1_strings(void); #define ASN1_F_D2I_X509_PKEY 159 #define ASN1_F_I2D_ASN1_TIME 160 #define ASN1_F_I2D_DSA_PUBKEY 161 -#define ASN1_F_I2D_ECDSA_PUBKEY 174 -#define ASN1_F_I2D_EC_PUBKEY 176 +#define ASN1_F_I2D_EC_PUBKEY 181 #define ASN1_F_I2D_NETSCAPE_RSA 162 #define ASN1_F_I2D_PRIVATEKEY 163 #define ASN1_F_I2D_PUBLICKEY 164 #define ASN1_F_I2D_RSA_PUBKEY 165 #define ASN1_F_LONG_C2I 166 -#define ASN1_F_OID_MODULE_INIT 175 -#define ASN1_F_PARSE_TAGGING 181 +#define ASN1_F_OID_MODULE_INIT 174 +#define ASN1_F_PARSE_TAGGING 182 #define ASN1_F_PKCS5_PBE2_SET 167 #define ASN1_F_X509_CINF_NEW 168 #define ASN1_F_X509_CRL_ADD0_REVOKED 169 @@ -1059,8 +1063,9 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_DATA_IS_WRONG 109 #define ASN1_R_DECODE_ERROR 110 #define ASN1_R_DECODING_ERROR 111 -#define ASN1_R_DEPTH_EXCEEDED 173 +#define ASN1_R_DEPTH_EXCEEDED 174 #define ASN1_R_ENCODE_ERROR 112 +#define ASN1_R_ERROR_GETTING_TIME 173 #define ASN1_R_ERROR_LOADING_SECTION 172 #define ASN1_R_ERROR_PARSING_SET_ELEMENT 113 #define ASN1_R_ERROR_SETTING_CIPHER_PARAMS 114 @@ -1073,57 +1078,57 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_FIELD_MISSING 121 #define ASN1_R_FIRST_NUM_TOO_LARGE 122 #define ASN1_R_HEADER_TOO_LONG 123 -#define ASN1_R_ILLEGAL_BITSTRING_FORMAT 174 -#define ASN1_R_ILLEGAL_BOOLEAN 175 +#define ASN1_R_ILLEGAL_BITSTRING_FORMAT 175 +#define ASN1_R_ILLEGAL_BOOLEAN 176 #define ASN1_R_ILLEGAL_CHARACTERS 124 -#define ASN1_R_ILLEGAL_FORMAT 176 -#define ASN1_R_ILLEGAL_HEX 177 -#define ASN1_R_ILLEGAL_IMPLICIT_TAG 178 -#define ASN1_R_ILLEGAL_INTEGER 179 -#define ASN1_R_ILLEGAL_NESTED_TAGGING 180 +#define ASN1_R_ILLEGAL_FORMAT 177 +#define ASN1_R_ILLEGAL_HEX 178 +#define ASN1_R_ILLEGAL_IMPLICIT_TAG 179 +#define ASN1_R_ILLEGAL_INTEGER 180 +#define ASN1_R_ILLEGAL_NESTED_TAGGING 181 #define ASN1_R_ILLEGAL_NULL 125 -#define ASN1_R_ILLEGAL_NULL_VALUE 181 -#define ASN1_R_ILLEGAL_OBJECT 182 +#define ASN1_R_ILLEGAL_NULL_VALUE 182 +#define ASN1_R_ILLEGAL_OBJECT 183 #define ASN1_R_ILLEGAL_OPTIONAL_ANY 126 #define ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE 170 #define ASN1_R_ILLEGAL_TAGGED_ANY 127 -#define ASN1_R_ILLEGAL_TIME_VALUE 183 -#define ASN1_R_INTEGER_NOT_ASCII_FORMAT 184 +#define ASN1_R_ILLEGAL_TIME_VALUE 184 +#define ASN1_R_INTEGER_NOT_ASCII_FORMAT 185 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 128 #define ASN1_R_INVALID_BMPSTRING_LENGTH 129 #define ASN1_R_INVALID_DIGIT 130 -#define ASN1_R_INVALID_MODIFIER 185 -#define ASN1_R_INVALID_NUMBER 186 +#define ASN1_R_INVALID_MODIFIER 186 +#define ASN1_R_INVALID_NUMBER 187 #define ASN1_R_INVALID_SEPARATOR 131 #define ASN1_R_INVALID_TIME_FORMAT 132 #define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH 133 #define ASN1_R_INVALID_UTF8STRING 134 #define ASN1_R_IV_TOO_LARGE 135 #define ASN1_R_LENGTH_ERROR 136 -#define ASN1_R_LIST_ERROR 187 +#define ASN1_R_LIST_ERROR 188 #define ASN1_R_MISSING_EOC 137 #define ASN1_R_MISSING_SECOND_NUMBER 138 -#define ASN1_R_MISSING_VALUE 188 +#define ASN1_R_MISSING_VALUE 189 #define ASN1_R_MSTRING_NOT_UNIVERSAL 139 #define ASN1_R_MSTRING_WRONG_TAG 140 #define ASN1_R_NON_HEX_CHARACTERS 141 -#define ASN1_R_NOT_ASCII_FORMAT 189 +#define ASN1_R_NOT_ASCII_FORMAT 190 #define ASN1_R_NOT_ENOUGH_DATA 142 #define ASN1_R_NO_MATCHING_CHOICE_TYPE 143 #define ASN1_R_NULL_IS_WRONG_LENGTH 144 -#define ASN1_R_OBJECT_NOT_ASCII_FORMAT 190 +#define ASN1_R_OBJECT_NOT_ASCII_FORMAT 191 #define ASN1_R_ODD_NUMBER_OF_CHARS 145 #define ASN1_R_PRIVATE_KEY_HEADER_MISSING 146 #define ASN1_R_SECOND_NUMBER_TOO_LARGE 147 #define ASN1_R_SEQUENCE_LENGTH_MISMATCH 148 #define ASN1_R_SEQUENCE_NOT_CONSTRUCTED 149 -#define ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG 195 +#define ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG 192 #define ASN1_R_SHORT_LINE 150 #define ASN1_R_STRING_TOO_LONG 151 #define ASN1_R_STRING_TOO_SHORT 152 #define ASN1_R_TAG_VALUE_TOO_HIGH 153 #define ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 154 -#define ASN1_R_TIME_NOT_ASCII_FORMAT 191 +#define ASN1_R_TIME_NOT_ASCII_FORMAT 193 #define ASN1_R_TOO_LONG 155 #define ASN1_R_TYPE_NOT_CONSTRUCTED 156 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 @@ -1133,13 +1138,13 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 #define ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE 163 -#define ASN1_R_UNKNOWN_TAG 192 -#define ASN1_R_UNKOWN_FORMAT 193 +#define ASN1_R_UNKNOWN_TAG 194 +#define ASN1_R_UNKOWN_FORMAT 195 #define ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE 164 #define ASN1_R_UNSUPPORTED_CIPHER 165 #define ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM 166 #define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE 167 -#define ASN1_R_UNSUPPORTED_TYPE 194 +#define ASN1_R_UNSUPPORTED_TYPE 196 #define ASN1_R_WRONG_TAG 168 #define ASN1_R_WRONG_TYPE 169 diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 55aef5e790..d83ed65cdb 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -104,6 +104,7 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0), "ASN1_TEMPLATE_D2I"}, {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_EX_D2I,0), "ASN1_TEMPLATE_EX_D2I"}, {ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_NEW,0), "ASN1_TEMPLATE_NEW"}, +{ERR_PACK(0,ASN1_F_ASN1_TIME_SET,0), "ASN1_TIME_set"}, {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0), "ASN1_TYPE_get_int_octetstring"}, {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0), "ASN1_TYPE_get_octetstring"}, {ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0), "ASN1_unpack_string"}, @@ -133,7 +134,6 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0), "d2i_X509_PKEY"}, {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0), "I2D_ASN1_TIME"}, {ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0), "i2d_DSA_PUBKEY"}, -{ERR_PACK(0,ASN1_F_I2D_ECDSA_PUBKEY,0), "I2D_ECDSA_PUBKEY"}, {ERR_PACK(0,ASN1_F_I2D_EC_PUBKEY,0), "i2d_EC_PUBKEY"}, {ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0), "i2d_Netscape_RSA"}, {ERR_PACK(0,ASN1_F_I2D_PRIVATEKEY,0), "i2d_PrivateKey"}, @@ -169,6 +169,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ASN1_R_DECODING_ERROR ,"decoding error"}, {ASN1_R_DEPTH_EXCEEDED ,"depth exceeded"}, {ASN1_R_ENCODE_ERROR ,"encode error"}, +{ASN1_R_ERROR_GETTING_TIME ,"error getting time"}, {ASN1_R_ERROR_LOADING_SECTION ,"error loading section"}, {ASN1_R_ERROR_PARSING_SET_ELEMENT ,"error parsing set element"}, {ASN1_R_ERROR_SETTING_CIPHER_PARAMS ,"error setting cipher params"}, diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index 097b4b8ecf..c035cc0f5d 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c @@ -578,6 +578,8 @@ static int asn1_str2tag(const char *tagstr, int len) ASN1_GEN_STR("T61", V_ASN1_T61STRING), ASN1_GEN_STR("T61STRING", V_ASN1_T61STRING), ASN1_GEN_STR("TELETEXSTRING", V_ASN1_T61STRING), + ASN1_GEN_STR("GeneralString", V_ASN1_GENERALSTRING), + ASN1_GEN_STR("GENSTR", V_ASN1_GENERALSTRING), /* Special cases */ ASN1_GEN_STR("SEQUENCE", V_ASN1_SEQUENCE), @@ -595,7 +597,7 @@ static int asn1_str2tag(const char *tagstr, int len) /* SEQUENCE wrapper */ ASN1_GEN_STR("SEQWRAP", ASN1_GEN_FLAG_SEQWRAP), /* SET wrapper */ - ASN1_GEN_STR("SETWRAP", ASN1_GEN_FLAG_SEQWRAP), + ASN1_GEN_STR("SETWRAP", ASN1_GEN_FLAG_SETWRAP), /* BIT STRING wrapper */ ASN1_GEN_STR("BITWRAP", ASN1_GEN_FLAG_BITWRAP), ASN1_GEN_STR("FORM", ASN1_GEN_FLAG_FORMAT), @@ -720,6 +722,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype) case V_ASN1_UTF8STRING: case V_ASN1_VISIBLESTRING: case V_ASN1_UNIVERSALSTRING: + case V_ASN1_GENERALSTRING: if (format == ASN1_GEN_FORMAT_ASCII) format = MBSTRING_ASC; diff --git a/crypto/asn1/asn1t.h b/crypto/asn1/asn1t.h index 479225bea0..c1a4bea8f1 100644 --- a/crypto/asn1/asn1t.h +++ b/crypto/asn1/asn1t.h @@ -775,6 +775,9 @@ typedef struct ASN1_AUX_st { #define IMPLEMENT_ASN1_FUNCTIONS_ENCODE_name(stname, itname) \ IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname) +#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS(stname) \ + IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, stname, stname) + #define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) \ stname *fname##_new(void) \ { \ diff --git a/crypto/asn1/d2i_pu.c b/crypto/asn1/d2i_pu.c index cf97b83eac..4c2bd4e5c8 100644 --- a/crypto/asn1/d2i_pu.c +++ b/crypto/asn1/d2i_pu.c @@ -113,9 +113,8 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp, #endif #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: - if ((ret->pkey.eckey = ECPublicKey_set_octet_string( - &(ret->pkey.eckey), (const unsigned char **)pp, - length)) == NULL) + if ((ret->pkey.eckey = o2i_ECPublicKey(&(ret->pkey.eckey), + (const unsigned char **)pp, length)) == NULL) { ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB); goto err; diff --git a/crypto/asn1/i2d_pu.c b/crypto/asn1/i2d_pu.c index 85220b44d6..44f186442e 100644 --- a/crypto/asn1/i2d_pu.c +++ b/crypto/asn1/i2d_pu.c @@ -85,7 +85,7 @@ int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp) #endif #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: - return(ECPublicKey_get_octet_string(a->pkey.eckey, pp)); + return(i2o_ECPublicKey(a->pkey.eckey, pp)); #endif default: ASN1err(ASN1_F_I2D_PUBLICKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE); diff --git a/crypto/asn1/n_pkey.c b/crypto/asn1/n_pkey.c index 766b51c538..a5a02e843c 100644 --- a/crypto/asn1/n_pkey.c +++ b/crypto/asn1/n_pkey.c @@ -56,9 +56,9 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_RSA #include <stdio.h> #include "cryptlib.h" +#ifndef OPENSSL_NO_RSA #include <openssl/rsa.h> #include <openssl/objects.h> #include <openssl/asn1t.h> diff --git a/crypto/asn1/t_crl.c b/crypto/asn1/t_crl.c index 757c148df8..f183a11b65 100644 --- a/crypto/asn1/t_crl.c +++ b/crypto/asn1/t_crl.c @@ -121,7 +121,7 @@ int X509_CRL_print(BIO *out, X509_CRL *x) r = sk_X509_REVOKED_value(rev, i); BIO_printf(out," Serial Number: "); i2a_ASN1_INTEGER(out,r->serialNumber); - BIO_printf(out,"\n Revocation Date: ",""); + BIO_printf(out,"\n Revocation Date: "); ASN1_TIME_print(out,r->revocationDate); BIO_printf(out,"\n"); X509V3_extensions_print(out, "CRL entry extensions", diff --git a/crypto/asn1/t_req.c b/crypto/asn1/t_req.c index b70bda71db..7088486a91 100644 --- a/crypto/asn1/t_req.c +++ b/crypto/asn1/t_req.c @@ -254,7 +254,7 @@ get_next: obj=X509_EXTENSION_get_object(ex); i2a_ASN1_OBJECT(bp,obj); j=X509_EXTENSION_get_critical(ex); - if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0) + if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0) goto err; if(!X509V3_EXT_print(bp, ex, 0, 16)) { diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c index 5ce38e1920..2e80655074 100644 --- a/crypto/asn1/tasn_enc.c +++ b/crypto/asn1/tasn_enc.c @@ -494,7 +494,10 @@ static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const A if(out) { if(usetag) ASN1_put_object(out, ndef, len, tag, aclass); asn1_ex_i2c(pval, *out, &utype, it); - *out += len; + if (ndef) + ASN1_put_eoc(out); + else + *out += len; } if(usetag) return ASN1_object_size(ndef, len, tag); @@ -598,7 +601,6 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_ { strtmp->data = cout; strtmp->length = 0; - ASN1_put_eoc(&cout); } /* Special return code */ return -2; diff --git a/crypto/bf/asm/.cvsignore b/crypto/bf/asm/.cvsignore index 9505a25ec6..3e14af16d0 100644 --- a/crypto/bf/asm/.cvsignore +++ b/crypto/bf/asm/.cvsignore @@ -1 +1,2 @@ bx86unix.cpp +bx86-elf.s diff --git a/crypto/bf/bftest.c b/crypto/bf/bftest.c index 24d526b14b..14bc4d7c8b 100644 --- a/crypto/bf/bftest.c +++ b/crypto/bf/bftest.c @@ -62,6 +62,7 @@ #include <stdio.h> #include <string.h> #include <stdlib.h> +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_BF is defined */ #include "../e_os.h" diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index 3f5d6a74bf..a9e552f245 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c @@ -378,7 +378,7 @@ _dopr( case 'p': value = (long)va_arg(args, void *); fmtint(sbuffer, buffer, &currlen, maxlen, - value, 16, min, max, flags); + value, 16, min, max, flags|DP_F_NUM); break; case 'n': /* XXX */ if (cflags == DP_C_SHORT) { @@ -482,8 +482,9 @@ fmtint( int flags) { int signvalue = 0; + char *prefix = ""; unsigned LLONG uvalue; - char convert[DECIMAL_SIZE(value)+1]; + char convert[DECIMAL_SIZE(value)+3]; int place = 0; int spadlen = 0; int zpadlen = 0; @@ -501,6 +502,10 @@ fmtint( else if (flags & DP_F_SPACE) signvalue = ' '; } + if (flags & DP_F_NUM) { + if (base == 8) prefix = "0"; + if (base == 16) prefix = "0x"; + } if (flags & DP_F_UP) caps = 1; do { @@ -514,7 +519,7 @@ fmtint( convert[place] = 0; zpadlen = max - place; - spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0); + spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0) - strlen(prefix); if (zpadlen < 0) zpadlen = 0; if (spadlen < 0) @@ -536,6 +541,12 @@ fmtint( if (signvalue) doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); + /* prefix */ + while (*prefix) { + doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix); + prefix++; + } + /* zeros */ if (zpadlen > 0) { while (zpadlen > 0) { @@ -692,7 +703,7 @@ fmtfp( * Decimal point. This should probably use locale to find the correct * char to print out. */ - if (max > 0) { + if (max > 0 || (flags & DP_F_NUM)) { doapr_outch(sbuffer, buffer, currlen, maxlen, '.'); while (fplace > 0) diff --git a/crypto/bio/b_sock.c b/crypto/bio/b_sock.c index cc6fb82ce2..73508d1691 100644 --- a/crypto/bio/b_sock.c +++ b/crypto/bio/b_sock.c @@ -56,8 +56,6 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_SOCK - #include <stdio.h> #include <stdlib.h> #include <errno.h> @@ -65,6 +63,8 @@ #include "cryptlib.h" #include <openssl/bio.h> +#ifndef OPENSSL_NO_SOCK + #ifdef OPENSSL_SYS_WIN16 #define SOCKET_PROTOCOL 0 /* more microsoft stupidity */ #else @@ -523,7 +523,7 @@ void BIO_sock_cleanup(void) #ifdef OPENSSL_SYS_VMS int BIO_socket_ioctl(int fd, long type, UINT_L32p arg) /* changed for 64-bit API */ #else -int BIO_socket_ioctl(int fd, long type, unsigned long *arg) +int BIO_socket_ioctl(int fd, long type, void *arg) #endif { int i; @@ -774,7 +774,7 @@ int BIO_set_tcp_ndelay(int s, int on) int BIO_socket_nbio(int s, int mode) { int ret= -1; - unsigned long l; + int l; l=mode; #ifdef FIONBIO diff --git a/crypto/bio/bf_nbio.c b/crypto/bio/bf_nbio.c index 1ce2bfacc0..c72a23c2e1 100644 --- a/crypto/bio/bf_nbio.c +++ b/crypto/bio/bf_nbio.c @@ -127,7 +127,7 @@ static int nbiof_read(BIO *b, char *out, int outl) { NBIO_TEST *nt; int ret=0; -#if 0 +#if 1 int num; unsigned char n; #endif @@ -137,7 +137,7 @@ static int nbiof_read(BIO *b, char *out, int outl) nt=(NBIO_TEST *)b->ptr; BIO_clear_retry_flags(b); -#if 0 +#if 1 RAND_pseudo_bytes(&n,1); num=(n&0x07); diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h index c6d4e1c790..d350e12ac2 100644 --- a/crypto/bio/bio.h +++ b/crypto/bio/bio.h @@ -59,13 +59,14 @@ #ifndef HEADER_BIO_H #define HEADER_BIO_H +#include <openssl/e_os2.h> + #ifndef OPENSSL_NO_FP_API # include <stdio.h> #endif #include <stdarg.h> #include <openssl/crypto.h> -#include <openssl/e_os2.h> #ifdef __cplusplus extern "C" { @@ -244,7 +245,7 @@ typedef struct bio_method_st long (_far *ctrl)(); int (_far *create)(); int (_far *destroy)(); - long (_fat *callback_ctrl)(); + long (_far *callback_ctrl)(); } BIO_METHOD; #endif @@ -603,7 +604,7 @@ int BIO_sock_error(int sock); #ifdef OPENSSL_SYS_VMS int BIO_socket_ioctl(int fd, long type, UINT_L32p arg); #else -int BIO_socket_ioctl(int fd, long type, unsigned long *arg); +int BIO_socket_ioctl(int fd, long type, void *arg); #endif int BIO_socket_nbio(int fd,int mode); int BIO_get_port(const char *str, unsigned short *port_ptr); @@ -630,10 +631,17 @@ void BIO_copy_next_retry(BIO *b); /*long BIO_ghbn_ctrl(int cmd,int iarg,char *parg);*/ -int BIO_printf(BIO *bio, const char *format, ...); -int BIO_vprintf(BIO *bio, const char *format, va_list args); -int BIO_snprintf(char *buf, size_t n, const char *format, ...); -int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args); +#ifndef __GNUC__ +#define __attribute__(x) +#endif +int BIO_printf(BIO *bio, const char *format, ...) + __attribute__((__format__(__printf__,2,3))); +int BIO_vprintf(BIO *bio, const char *format, va_list args) + __attribute__((__format__(__printf__,2,0))); +int BIO_snprintf(char *buf, size_t n, const char *format, ...) + __attribute__((__format__(__printf__,3,4))); +int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) + __attribute__((__format__(__printf__,3,0))); /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/crypto/bio/bio_err.c b/crypto/bio/bio_err.c index 68a119d895..5df17ff892 100644 --- a/crypto/bio/bio_err.c +++ b/crypto/bio/bio_err.c @@ -61,6 +61,7 @@ #include <stdio.h> #include <openssl/err.h> #include <openssl/bio.h> +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_ERR is defined */ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index 98ce395519..692c8fb5c6 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -395,6 +395,8 @@ BIO *BIO_pop(BIO *b) if (b == NULL) return(NULL); ret=b->next_bio; + BIO_ctrl(b,BIO_CTRL_POP,0,NULL); + if (b->prev_bio != NULL) b->prev_bio->next_bio=b->next_bio; if (b->next_bio != NULL) @@ -402,7 +404,6 @@ BIO *BIO_pop(BIO *b) b->next_bio=NULL; b->prev_bio=NULL; - BIO_ctrl(b,BIO_CTRL_POP,0,NULL); return(ret); } diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c index 8ea1db158b..d090b7272f 100644 --- a/crypto/bio/bss_acpt.c +++ b/crypto/bio/bss_acpt.c @@ -56,14 +56,14 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_SOCK - #include <stdio.h> #include <errno.h> #define USE_SOCKETS #include "cryptlib.h" #include <openssl/bio.h> +#ifndef OPENSSL_NO_SOCK + #ifdef OPENSSL_SYS_WIN16 #define SOCKET_PROTOCOL 0 /* more microsoft stupidity */ #else diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index 72a4ea1f8d..d5c3f40da0 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -56,14 +56,14 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_SOCK - #include <stdio.h> #include <errno.h> #define USE_SOCKETS #include "cryptlib.h" #include <openssl/bio.h> +#ifndef OPENSSL_NO_SOCK + #ifdef OPENSSL_SYS_WIN16 #define SOCKET_PROTOCOL 0 /* more microsoft stupidity */ #else diff --git a/crypto/bio/bss_sock.c b/crypto/bio/bss_sock.c index d2a8857adc..946a7be8e0 100644 --- a/crypto/bio/bss_sock.c +++ b/crypto/bio/bss_sock.c @@ -56,8 +56,6 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_SOCK - #include <stdio.h> #include <stdlib.h> #include <errno.h> @@ -354,7 +352,7 @@ int BIO_sock_non_fatal_error(int err) #endif #ifdef EAGAIN -#if EWOULDBLOCK != EAGAIN +# if EWOULDBLOCK != EAGAIN case EAGAIN: # endif #endif @@ -377,4 +375,3 @@ int BIO_sock_non_fatal_error(int err) } return(0); } -#endif diff --git a/crypto/bn/asm/.cvsignore b/crypto/bn/asm/.cvsignore index bb16ec91c3..671eb02019 100644 --- a/crypto/bn/asm/.cvsignore +++ b/crypto/bn/asm/.cvsignore @@ -1,2 +1,4 @@ bn86unix.cpp co86unix.cpp +bn86-elf.s +co86-elf.s diff --git a/crypto/bn/asm/ia64.S b/crypto/bn/asm/ia64.S index 04e0cc5409..7dfda85566 100644 --- a/crypto/bn/asm/ia64.S +++ b/crypto/bn/asm/ia64.S @@ -1,6 +1,6 @@ .explicit .text -.ident "ia64.S, Version 1.2" +.ident "ia64.S, Version 2.0" .ident "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>" // @@ -13,6 +13,35 @@ // disclaimed. // ==================================================================== // +// Version 2.x is Itanium2 re-tune. Few words about how Itanum2 is +// different from Itanium to this module viewpoint. Most notably, is it +// "wider" than Itanium? Can you experience loop scalability as +// discussed in commentary sections? Not really:-( Itanium2 has 6 +// integer ALU ports, i.e. it's 2 ports wider, but it's not enough to +// spin twice as fast, as I need 8 IALU ports. Amount of floating point +// ports is the same, i.e. 2, while I need 4. In other words, to this +// module Itanium2 remains effectively as "wide" as Itanium. Yet it's +// essentially different in respect to this module, and a re-tune was +// required. Well, because some intruction latencies has changed. Most +// noticeably those intensively used: +// +// Itanium Itanium2 +// ldf8 9 6 L2 hit +// ld8 2 1 L1 hit +// getf 2 5 +// xma[->getf] 7[+1] 4[+0] +// add[->st8] 1[+1] 1[+0] +// +// What does it mean? You might ratiocinate that the original code +// should run just faster... Because sum of latencies is smaller... +// Wrong! Note that getf latency increased. This means that if a loop is +// scheduled for lower latency (and they are), then it will suffer from +// stall condition and the code will therefore turn anti-scalable, e.g. +// original bn_mul_words spun at 5*n or 2.5 times slower than expected +// on Itanium2! What to do? Reschedule loops for Itanium2? But then +// Itanium would exhibit anti-scalability. So I've chosen to reschedule +// for worst latency for every instruction aiming for best *all-round* +// performance. // Q. How much faster does it get? // A. Here is the output from 'openssl speed rsa dsa' for vanilla @@ -283,7 +312,7 @@ bn_mul_words: #ifdef XMA_TEMPTATION { .mfi; alloc r2=ar.pfs,4,0,0,0 };; #else -{ .mfi; alloc r2=ar.pfs,4,4,0,8 };; +{ .mfi; alloc r2=ar.pfs,4,12,0,16 };; #endif { .mib; mov r8=r0 // return value cmp4.le p6,p0=r34,r0 @@ -296,8 +325,8 @@ bn_mul_words: .body { .mib; setf.sig f8=r35 // w - mov pr.rot=0x400001<<16 - // ------^----- serves as (p48) at first (p26) + mov pr.rot=0x800001<<16 + // ------^----- serves as (p50) at first (p27) brp.loop.imp .L_bn_mul_words_ctop,.L_bn_mul_words_cend-16 } @@ -312,14 +341,14 @@ bn_mul_words: mov r15=r33 // ap #endif mov ar.lc=r10 } -{ .mii; mov r39=0 // serves as r33 at first (p26) - mov ar.ec=12 };; +{ .mii; mov r40=0 // serves as r35 at first (p27) + mov ar.ec=13 };; -// This loop spins in 2*(n+11) ticks. It's scheduled for data in L2 -// cache (i.e. 9 ticks away) as floating point load/store instructions +// This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium +// L2 cache (i.e. 9 ticks away) as floating point load/store instructions // bypass L1 cache and L2 latency is actually best-case scenario for -// ldf8. The loop is not scalable and shall run in 2*(n+11) even on -// "wider" IA-64 implementations. It's a trade-off here. n+22 loop +// ldf8. The loop is not scalable and shall run in 2*(n+12) even on +// "wider" IA-64 implementations. It's a trade-off here. n+24 loop // would give us ~5% in *overall* performance improvement on "wider" // IA-64, but would hurt Itanium for about same because of longer // epilogue. As it's a matter of few percents in either case I've @@ -327,25 +356,25 @@ bn_mul_words: // this very instruction sequence in bn_mul_add_words loop which in // turn is scalable). .L_bn_mul_words_ctop: -{ .mfi; (p25) getf.sig r36=f49 // low - (p21) xmpy.lu f45=f37,f8 - (p27) cmp.ltu p52,p48=r39,r38 } +{ .mfi; (p25) getf.sig r36=f52 // low + (p21) xmpy.lu f48=f37,f8 + (p28) cmp.ltu p54,p50=r41,r39 } { .mfi; (p16) ldf8 f32=[r15],8 - (p21) xmpy.hu f38=f37,f8 + (p21) xmpy.hu f40=f37,f8 (p0) nop.i 0x0 };; -{ .mii; (p26) getf.sig r32=f43 // high - .pred.rel "mutex",p48,p52 - (p48) add r38=r37,r33 // (p26) - (p52) add r38=r37,r33,1 } // (p26) -{ .mfb; (p27) st8 [r14]=r39,8 +{ .mii; (p25) getf.sig r32=f44 // high + .pred.rel "mutex",p50,p54 + (p50) add r40=r38,r35 // (p27) + (p54) add r40=r38,r35,1 } // (p27) +{ .mfb; (p28) st8 [r14]=r41,8 (p0) nop.f 0x0 br.ctop.sptk .L_bn_mul_words_ctop };; .L_bn_mul_words_cend: { .mii; nop.m 0x0 -.pred.rel "mutex",p49,p53 -(p49) add r8=r34,r0 -(p53) add r8=r34,r0,1 } +.pred.rel "mutex",p51,p55 +(p51) add r8=r36,r0 +(p55) add r8=r36,r0,1 } { .mfb; nop.m 0x0 nop.f 0x0 nop.b 0x0 } @@ -412,8 +441,8 @@ bn_mul_add_words: .body { .mib; setf.sig f8=r35 // w - mov pr.rot=0x400001<<16 - // ------^----- serves as (p48) at first (p26) + mov pr.rot=0x800001<<16 + // ------^----- serves as (p50) at first (p27) brp.loop.imp .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16 } { .mii; @@ -425,55 +454,55 @@ bn_mul_add_words: mov r15=r33 // ap #endif mov ar.lc=r10 } -{ .mii; mov r39=0 // serves as r33 at first (p26) +{ .mii; mov r40=0 // serves as r35 at first (p27) #if defined(_HPUX_SOURCE) && defined(_ILP32) addp4 r18=0,r32 // rp copy #else mov r18=r32 // rp copy #endif - mov ar.ec=14 };; + mov ar.ec=15 };; -// This loop spins in 3*(n+13) ticks on Itanium and should spin in -// 2*(n+13) on "wider" IA-64 implementations (to be verified with new +// This loop spins in 3*(n+14) ticks on Itanium and should spin in +// 2*(n+14) on "wider" IA-64 implementations (to be verified with new // µ-architecture manuals as they become available). As usual it's // possible to compress the epilogue, down to 10 in this case, at the // cost of scalability. Compressed (and therefore non-scalable) loop -// running at 3*(n+10) would buy you ~10% on Itanium but take ~35% +// running at 3*(n+11) would buy you ~10% on Itanium but take ~35% // from "wider" IA-64 so let it be scalable! Special attention was // paid for having the loop body split at 64-byte boundary. ld8 is // scheduled for L1 cache as the data is more than likely there. // Indeed, bn_mul_words has put it there a moment ago:-) .L_bn_mul_add_words_ctop: -{ .mfi; (p25) getf.sig r36=f49 // low - (p21) xmpy.lu f45=f37,f8 - (p27) cmp.ltu p52,p48=r39,r38 } +{ .mfi; (p25) getf.sig r36=f52 // low + (p21) xmpy.lu f48=f37,f8 + (p28) cmp.ltu p54,p50=r41,r39 } { .mfi; (p16) ldf8 f32=[r15],8 - (p21) xmpy.hu f38=f37,f8 - (p27) add r43=r43,r39 };; -{ .mii; (p26) getf.sig r32=f43 // high - .pred.rel "mutex",p48,p52 - (p48) add r38=r37,r33 // (p26) - (p52) add r38=r37,r33,1 } // (p26) -{ .mfb; (p27) cmp.ltu.unc p56,p0=r43,r39 + (p21) xmpy.hu f40=f37,f8 + (p28) add r45=r45,r41 };; +{ .mii; (p25) getf.sig r32=f44 // high + .pred.rel "mutex",p50,p54 + (p50) add r40=r38,r35 // (p27) + (p54) add r40=r38,r35,1 } // (p27) +{ .mfb; (p28) cmp.ltu.unc p60,p0=r45,r41 (p0) nop.f 0x0 (p0) nop.b 0x0 } -{ .mii; (p26) ld8 r42=[r18],8 - (p58) cmp.eq.or p57,p0=-1,r44 - (p58) add r44=1,r44 } -{ .mfb; (p29) st8 [r14]=r45,8 +{ .mii; (p27) ld8 r44=[r18],8 + (p62) cmp.eq.or p61,p0=-1,r46 + (p62) add r46=1,r46 } +{ .mfb; (p30) st8 [r14]=r47,8 (p0) nop.f 0x0 br.ctop.sptk .L_bn_mul_add_words_ctop};; .L_bn_mul_add_words_cend: { .mii; nop.m 0x0 -.pred.rel "mutex",p51,p55 -(p51) add r8=r36,r0 -(p55) add r8=r36,r0,1 } +.pred.rel "mutex",p53,p57 +(p53) add r8=r38,r0 +(p57) add r8=r38,r0,1 } { .mfb; nop.m 0x0 nop.f 0x0 nop.b 0x0 };; { .mii; -(p59) add r8=1,r8 +(p63) add r8=1,r8 mov pr=r9,0x1ffff mov ar.lc=r3 } { .mfb; rum 1<<5 // clear um.mfh diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h index 58263baf9a..d7a5fce6ea 100644 --- a/crypto/bn/bn.h +++ b/crypto/bn/bn.h @@ -261,6 +261,8 @@ typedef struct bn_blinding_st BIGNUM *A; BIGNUM *Ai; BIGNUM *mod; /* just a reference */ + unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b; + * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */ } BN_BLINDING; /* Used for montgomery multiplication */ diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c index bcc7ff97af..747591f9cb 100644 --- a/crypto/bn/bn_err.c +++ b/crypto/bn/bn_err.c @@ -61,6 +61,7 @@ #include <stdio.h> #include <openssl/err.h> #include <openssl/bn.h> +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_ERR is defined */ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index 6c16029957..fd863933e5 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -142,6 +142,8 @@ int BN_GENCB_call(BN_GENCB *cb, int a, int b) { case 1: /* Deprecated-style callbacks */ + if(!cb->cb.cb_1) + return 1; cb->cb.cb_1(a, b, cb->arg); return 1; case 2: diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c index 0149e8c3c4..fe057dc22f 100644 --- a/crypto/bn/bntest.c +++ b/crypto/bn/bntest.c @@ -87,10 +87,6 @@ #include <openssl/x509.h> #include <openssl/err.h> -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif - const int num0 = 100; /* number of tests */ const int num1 = 50; /* additional tests for some functions */ const int num2 = 5; /* number of tests for slow functions */ @@ -124,11 +120,6 @@ int test_sqrt(BIO *bp,BN_CTX *ctx); int rand_neg(void); static int results=0; -#ifdef OPENSSL_NO_STDIO -#define APPS_WIN16 -#include "bss_file.c" -#endif - static unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9" "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0"; diff --git a/crypto/bn/exptest.c b/crypto/bn/exptest.c index 621e6a9eee..b09cf88705 100644 --- a/crypto/bn/exptest.c +++ b/crypto/bn/exptest.c @@ -66,9 +66,6 @@ #include <openssl/bn.h> #include <openssl/rand.h> #include <openssl/err.h> -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif #define NUM_BITS (BN_BITS*2) diff --git a/crypto/buffer/buf_err.c b/crypto/buffer/buf_err.c index 5eee653e14..6559060784 100644 --- a/crypto/buffer/buf_err.c +++ b/crypto/buffer/buf_err.c @@ -61,6 +61,7 @@ #include <stdio.h> #include <openssl/err.h> #include <openssl/buffer.h> +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_ERR is defined */ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR diff --git a/crypto/cast/cast.h b/crypto/cast/cast.h index b28e4e4f3b..90b45b950a 100644 --- a/crypto/cast/cast.h +++ b/crypto/cast/cast.h @@ -63,6 +63,8 @@ extern "C" { #endif +#include <openssl/opensslconf.h> + #ifdef OPENSSL_NO_CAST #error CAST is disabled. #endif diff --git a/crypto/cast/casttest.c b/crypto/cast/casttest.c index 83e5a16c73..0d020d6975 100644 --- a/crypto/cast/casttest.c +++ b/crypto/cast/casttest.c @@ -59,6 +59,7 @@ #include <stdio.h> #include <string.h> #include <stdlib.h> +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_CAST is defined */ #include "../e_os.h" diff --git a/crypto/comp/comp.h b/crypto/comp/comp.h index ab48b78ae9..5d59354a57 100644 --- a/crypto/comp/comp.h +++ b/crypto/comp/comp.h @@ -8,19 +8,26 @@ extern "C" { #endif +typedef struct comp_ctx_st COMP_CTX; + typedef struct comp_method_st { int type; /* NID for compression library */ const char *name; /* A text string to identify the library */ - int (*init)(); - void (*finish)(); - int (*compress)(); - int (*expand)(); - long (*ctrl)(); - long (*callback_ctrl)(); + int (*init)(COMP_CTX *ctx); + void (*finish)(COMP_CTX *ctx); + int (*compress)(COMP_CTX *ctx, + unsigned char *out, unsigned int olen, + unsigned char *in, unsigned int ilen); + int (*expand)(COMP_CTX *ctx, + unsigned char *out, unsigned int olen, + unsigned char *in, unsigned int ilen); + /* The following two do NOTHING, but are kept for backward compatibility */ + long (*ctrl)(void); + long (*callback_ctrl)(void); } COMP_METHOD; -typedef struct comp_ctx_st +struct comp_ctx_st { COMP_METHOD *meth; unsigned long compress_in; @@ -29,7 +36,7 @@ typedef struct comp_ctx_st unsigned long expand_out; CRYPTO_EX_DATA ex_data; - } COMP_CTX; + }; COMP_CTX *COMP_CTX_new(COMP_METHOD *meth); diff --git a/crypto/comp/comp_err.c b/crypto/comp/comp_err.c index 1652b8c2c4..54edbb0e9a 100644 --- a/crypto/comp/comp_err.c +++ b/crypto/comp/comp_err.c @@ -61,6 +61,7 @@ #include <stdio.h> #include <openssl/err.h> #include <openssl/comp.h> +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_ERR is defined */ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR diff --git a/crypto/conf/conf_err.c b/crypto/conf/conf_err.c index ee07bfe9d9..bc16eeaa57 100644 --- a/crypto/conf/conf_err.c +++ b/crypto/conf/conf_err.c @@ -61,6 +61,7 @@ #include <stdio.h> #include <openssl/err.h> #include <openssl/conf.h> +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_ERR is defined */ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR diff --git a/crypto/conf/conf_mall.c b/crypto/conf/conf_mall.c index d702af689b..4ba40cf44c 100644 --- a/crypto/conf/conf_mall.c +++ b/crypto/conf/conf_mall.c @@ -63,7 +63,9 @@ #include <openssl/dso.h> #include <openssl/x509.h> #include <openssl/asn1.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif /* Load all OpenSSL builtin modules */ @@ -71,6 +73,8 @@ void OPENSSL_load_builtin_modules(void) { /* Add builtin modules here */ ASN1_add_oid_module(); +#ifndef OPENSSL_NO_ENGINE ENGINE_add_conf_module(); +#endif } diff --git a/crypto/conf/conf_sap.c b/crypto/conf/conf_sap.c index 97fb174303..e15c2e5546 100644 --- a/crypto/conf/conf_sap.c +++ b/crypto/conf/conf_sap.c @@ -63,7 +63,9 @@ #include <openssl/dso.h> #include <openssl/x509.h> #include <openssl/asn1.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif /* This is the automatic configuration loader: it is called automatically by * OpenSSL when any of a number of standard initialisation functions are called, @@ -78,8 +80,10 @@ void OPENSSL_config(const char *config_name) return; OPENSSL_load_builtin_modules(); +#ifndef OPENSSL_NO_ENGINE /* Need to load ENGINEs */ ENGINE_load_builtin_engines(); +#endif /* Add others here? */ diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index fb3e93fe27..bc023e3f44 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c @@ -1,6 +1,6 @@ /* crypto/cryptlib.c */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -166,7 +166,8 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] = "ec", "ecdh", "bn", -#if CRYPTO_NUM_LOCKS != 36 + "ec_pre_comp", +#if CRYPTO_NUM_LOCKS != 37 # error "Inconsistency between crypto.h and cryptlib.c" #endif }; diff --git a/crypto/crypto-lib.com b/crypto/crypto-lib.com index ea28c9b0e9..dd5c62decd 100644 --- a/crypto/crypto-lib.com +++ b/crypto/crypto-lib.com @@ -274,7 +274,7 @@ $ LIB_X509 = "x509_def,x509_d2,x509_r2x,x509_cmp,"+ - $ LIB_X509V3 = "v3_bcons,v3_bitst,v3_conf,v3_extku,v3_ia5,v3_lib,"+ - "v3_prn,v3_utl,v3err,v3_genn,v3_alt,v3_skey,v3_akey,v3_pku,"+ - "v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld,v3_purp,v3_info,"+ - - "v3_ocsp,v3_akeya" + "v3_ocsp,v3_akeya,v3_pmaps,v3_pcons,v3_ncons" $ LIB_CONF = "conf_err,conf_lib,conf_api,conf_def,conf_mod,conf_mall,conf_sap" $ LIB_TXT_DB = "txt_db" $ LIB_PKCS7 = "pk7_asn1,pk7_lib,pkcs7err,pk7_doit,pk7_smime,pk7_attr,"+ - diff --git a/crypto/crypto.h b/crypto/crypto.h index a7491fde13..0f15a56544 100644 --- a/crypto/crypto.h +++ b/crypto/crypto.h @@ -1,6 +1,6 @@ /* crypto/crypto.h */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -119,6 +119,8 @@ #include <stdlib.h> +#include <openssl/e_os2.h> + #ifndef OPENSSL_NO_FP_API #include <stdio.h> #endif @@ -189,7 +191,8 @@ extern "C" { #define CRYPTO_LOCK_EC 33 #define CRYPTO_LOCK_ECDH 34 #define CRYPTO_LOCK_BN 35 -#define CRYPTO_NUM_LOCKS 36 +#define CRYPTO_LOCK_EC_PRE_COMP 36 +#define CRYPTO_NUM_LOCKS 37 #define CRYPTO_LOCK 1 #define CRYPTO_UNLOCK 2 diff --git a/crypto/des/asm/.cvsignore b/crypto/des/asm/.cvsignore index f300536224..c8436379e4 100644 --- a/crypto/des/asm/.cvsignore +++ b/crypto/des/asm/.cvsignore @@ -1,2 +1,5 @@ dx86unix.cpp yx86unix.cpp +des_enc-sparc.S +dx86-elf.s +yx86-elf.s diff --git a/crypto/des/cbc_cksm.c b/crypto/des/cbc_cksm.c index 6c5305b99d..09a7ba56aa 100644 --- a/crypto/des/cbc_cksm.c +++ b/crypto/des/cbc_cksm.c @@ -93,5 +93,14 @@ DES_LONG DES_cbc_cksum(const unsigned char *in, DES_cblock *output, l2c(tout1,out); } tout0=tin0=tin1=tin[0]=tin[1]=0; + /* + Transform the data in tout1 so that it will + match the return value that the MIT Kerberos + mit_des_cbc_cksum API returns. + */ + tout1 = ((tout1 >> 24L) & 0x000000FF) + | ((tout1 >> 8L) & 0x0000FF00) + | ((tout1 << 8L) & 0x00FF0000) + | ((tout1 << 24L) & 0xFF000000); return(tout1); } diff --git a/crypto/des/des.h b/crypto/des/des.h index daaf239dbe..4475143db5 100644 --- a/crypto/des/des.h +++ b/crypto/des/des.h @@ -59,13 +59,13 @@ #ifndef HEADER_NEW_DES_H #define HEADER_NEW_DES_H +#include <openssl/e_os2.h> /* OPENSSL_EXTERN, OPENSSL_NO_DES, + DES_LONG (via openssl/opensslconf.h */ + #ifdef OPENSSL_NO_DES #error DES is disabled. #endif -#include <openssl/opensslconf.h> /* DES_LONG */ -#include <openssl/e_os2.h> /* OPENSSL_EXTERN */ - #ifdef OPENSSL_BUILD_SHLIBCRYPTO # undef OPENSSL_EXTERN # define OPENSSL_EXTERN OPENSSL_EXPORT diff --git a/crypto/des/des_old.h b/crypto/des/des_old.h index 1d840b474a..8a238d1ce1 100644 --- a/crypto/des/des_old.h +++ b/crypto/des/des_old.h @@ -91,6 +91,8 @@ #ifndef HEADER_DES_H #define HEADER_DES_H +#include <openssl/e_os2.h> /* OPENSSL_EXTERN, OPENSSL_NO_DES, DES_LONG */ + #ifdef OPENSSL_NO_DES #error DES is disabled. #endif @@ -103,8 +105,6 @@ #error <openssl/des_old.h> replaces <kerberos/des.h>. #endif -#include <openssl/opensslconf.h> /* DES_LONG */ -#include <openssl/e_os2.h> /* OPENSSL_EXTERN */ #include <openssl/symhacks.h> #ifdef OPENSSL_BUILD_SHLIBCRYPTO diff --git a/crypto/des/destest.c b/crypto/des/destest.c index 7799e6e4bf..687c00c792 100644 --- a/crypto/des/destest.c +++ b/crypto/des/destest.c @@ -320,7 +320,11 @@ static unsigned char ofb_cipher[24]= 0x3d,0x6d,0x5b,0xe3,0x25,0x5a,0xf8,0xc3 }; +#if 0 static DES_LONG cbc_cksum_ret=0xB462FEF7L; +#else +static DES_LONG cbc_cksum_ret=0xF7FE62B4L; +#endif static unsigned char cbc_cksum_data[8]={0x1D,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4}; static char *pt(unsigned char *p); diff --git a/crypto/des/ede_cbcm_enc.c b/crypto/des/ede_cbcm_enc.c index fa45aa272b..adfcb75cf3 100644 --- a/crypto/des/ede_cbcm_enc.c +++ b/crypto/des/ede_cbcm_enc.c @@ -68,6 +68,8 @@ http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1998/CS/CS0928.ps.gz */ +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_DESCBCM is defined */ + #ifndef OPENSSL_NO_DESCBCM #include "des_locl.h" diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h index 62dba4055c..db4e11090d 100644 --- a/crypto/dh/dh.h +++ b/crypto/dh/dh.h @@ -59,6 +59,8 @@ #ifndef HEADER_DH_H #define HEADER_DH_H +#include <openssl/e_os2.h> + #ifdef OPENSSL_NO_DH #error DH is disabled. #endif diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c index d837950aec..443a741da6 100644 --- a/crypto/dh/dh_err.c +++ b/crypto/dh/dh_err.c @@ -61,6 +61,7 @@ #include <stdio.h> #include <openssl/err.h> #include <openssl/dh.h> +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_ERR is defined */ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index 5e58e0032f..28c20750bd 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -61,7 +61,9 @@ #include <openssl/bn.h> #include <openssl/rand.h> #include <openssl/dh.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif static int generate_key(DH *dh); static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index ba5fd41057..09965ee2ea 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -60,7 +60,9 @@ #include "cryptlib.h" #include <openssl/bn.h> #include <openssl/dh.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT; @@ -85,11 +87,13 @@ int DH_set_method(DH *dh, const DH_METHOD *meth) const DH_METHOD *mtmp; mtmp = dh->meth; if (mtmp->finish) mtmp->finish(dh); +#ifndef OPENSSL_NO_ENGINE if (dh->engine) { ENGINE_finish(dh->engine); dh->engine = NULL; } +#endif dh->meth = meth; if (meth->init) meth->init(dh); return 1; @@ -112,6 +116,7 @@ DH *DH_new_method(ENGINE *engine) } ret->meth = DH_get_default_method(); +#ifndef OPENSSL_NO_ENGINE if (engine) { if (!ENGINE_init(engine)) @@ -135,6 +140,7 @@ DH *DH_new_method(ENGINE *engine) return NULL; } } +#endif ret->pad=0; ret->version=0; @@ -154,8 +160,10 @@ DH *DH_new_method(ENGINE *engine) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data); if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { +#ifndef OPENSSL_NO_ENGINE if (ret->engine) ENGINE_finish(ret->engine); +#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data); OPENSSL_free(ret); ret=NULL; @@ -182,8 +190,10 @@ void DH_free(DH *r) if (r->meth->finish) r->meth->finish(r); +#ifndef OPENSSL_NO_ENGINE if (r->engine) ENGINE_finish(r->engine); +#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, r, &r->ex_data); diff --git a/crypto/dh/dhtest.c b/crypto/dh/dhtest.c index 33a49f2d7d..dc25283f7c 100644 --- a/crypto/dh/dhtest.c +++ b/crypto/dh/dhtest.c @@ -68,9 +68,6 @@ #include "../e_os.h" -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif #include <openssl/crypto.h> #include <openssl/bio.h> #include <openssl/bn.h> @@ -93,10 +90,6 @@ int main(int argc, char *argv[]) #endif static void MS_CALLBACK cb(int p, int n, void *arg); -#ifdef OPENSSL_NO_STDIO -#define APPS_WIN16 -#include "bss_file.c" -#endif static const char rnd_seed[] = "string to make the random number generator think it has entropy"; diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h index 6ba79b01df..651add43ae 100644 --- a/crypto/dsa/dsa.h +++ b/crypto/dsa/dsa.h @@ -65,6 +65,8 @@ #ifndef HEADER_DSA_H #define HEADER_DSA_H +#include <openssl/e_os2.h> + #ifdef OPENSSL_NO_DSA #error DSA is disabled. #endif diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c index 79aa4ff526..b1064f07eb 100644 --- a/crypto/dsa/dsa_err.c +++ b/crypto/dsa/dsa_err.c @@ -61,6 +61,7 @@ #include <stdio.h> #include <openssl/err.h> #include <openssl/dsa.h> +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_ERR is defined */ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index 4b9aff3689..dffd588ff1 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -69,6 +69,8 @@ #define HASH EVP_sha1() #endif +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_SHA is defined */ + #ifndef OPENSSL_NO_SHA #include <stdio.h> diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index 48ff1f423c..8427b77970 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -56,10 +56,10 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_SHA #include <stdio.h> #include <time.h> #include "cryptlib.h" +#ifndef OPENSSL_NO_SHA #include <openssl/bn.h> #include <openssl/dsa.h> #include <openssl/rand.h> diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index 579f73f869..4171af24c6 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -63,7 +63,9 @@ #include <openssl/bn.h> #include <openssl/dsa.h> #include <openssl/asn1.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT; @@ -93,11 +95,13 @@ int DSA_set_method(DSA *dsa, const DSA_METHOD *meth) const DSA_METHOD *mtmp; mtmp = dsa->meth; if (mtmp->finish) mtmp->finish(dsa); +#ifndef OPENSSL_NO_ENGINE if (dsa->engine) { ENGINE_finish(dsa->engine); dsa->engine = NULL; } +#endif dsa->meth = meth; if (meth->init) meth->init(dsa); return 1; @@ -114,6 +118,7 @@ DSA *DSA_new_method(ENGINE *engine) return(NULL); } ret->meth = DSA_get_default_method(); +#ifndef OPENSSL_NO_ENGINE if (engine) { if (!ENGINE_init(engine)) @@ -138,6 +143,7 @@ DSA *DSA_new_method(ENGINE *engine) return NULL; } } +#endif ret->pad=0; ret->version=0; @@ -158,8 +164,10 @@ DSA *DSA_new_method(ENGINE *engine) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data); if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { +#ifndef OPENSSL_NO_ENGINE if (ret->engine) ENGINE_finish(ret->engine); +#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data); OPENSSL_free(ret); ret=NULL; @@ -189,8 +197,10 @@ void DSA_free(DSA *r) if(r->meth->finish) r->meth->finish(r); +#ifndef OPENSSL_NO_ENGINE if(r->engine) ENGINE_finish(r->engine); +#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, r, &r->ex_data); diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 70d60d9e29..b6e08584a6 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -64,7 +64,9 @@ #include <openssl/dsa.h> #include <openssl/rand.h> #include <openssl/asn1.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); @@ -72,20 +74,14 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa); static int dsa_init(DSA *dsa); static int dsa_finish(DSA *dsa); -static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, - BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *in_mont); -static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *m_ctx); static DSA_METHOD openssl_dsa_meth = { "OpenSSL DSA method", dsa_do_sign, dsa_sign_setup, dsa_do_verify, -dsa_mod_exp, -dsa_bn_mod_exp, +NULL, /* dsa_mod_exp, */ +NULL, /* dsa_bn_mod_exp, */ dsa_init, dsa_finish, 0, @@ -94,6 +90,41 @@ NULL, NULL }; +/* These macro wrappers replace attempts to use the dsa_mod_exp() and + * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of + * having a the macro work as an expression by bundling an "err_instr". So; + * + * if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx, + * dsa->method_mont_p)) goto err; + * + * can be replaced by; + * + * DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx, + * dsa->method_mont_p); + */ + +#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \ + do { \ + int _tmp_res53; \ + if((dsa)->meth->dsa_mod_exp) \ + _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \ + (a2), (p2), (m), (ctx), (in_mont)); \ + else \ + _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \ + (m), (ctx), (in_mont)); \ + if(!_tmp_res53) err_instr; \ + } while(0) +#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \ + do { \ + int _tmp_res53; \ + if((dsa)->meth->bn_mod_exp) \ + _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \ + (m), (ctx), (m_ctx)); \ + else \ + _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \ + if(!_tmp_res53) err_instr; \ + } while(0) + const DSA_METHOD *DSA_OpenSSL(void) { return &openssl_dsa_meth; @@ -208,8 +239,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) } /* Compute r = (g^k mod p) mod q */ - if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx, - (BN_MONT_CTX *)dsa->method_mont_p)) goto err; + DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx, + (BN_MONT_CTX *)dsa->method_mont_p); if (!BN_mod(r,r,dsa->q,ctx)) goto err; /* Compute part of 's = inv(k) (m + xr) mod q' */ @@ -287,31 +318,12 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, } mont=(BN_MONT_CTX *)dsa->method_mont_p; -#if 0 - { - BIGNUM t2; - - BN_init(&t2); - /* v = ( g^u1 * y^u2 mod p ) mod q */ - /* let t1 = g ^ u1 mod p */ - if (!BN_mod_exp_mont(&t1,dsa->g,&u1,dsa->p,ctx,mont)) goto err; - /* let t2 = y ^ u2 mod p */ - if (!BN_mod_exp_mont(&t2,dsa->pub_key,&u2,dsa->p,ctx,mont)) goto err; - /* let u1 = t1 * t2 mod p */ - if (!BN_mod_mul(&u1,&t1,&t2,dsa->p,ctx)) goto err_bn; - BN_free(&t2); - } - /* let u1 = u1 mod q */ - if (!BN_mod(&u1,&u1,dsa->q,ctx)) goto err; -#else - { - if (!dsa->meth->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2, - dsa->p,ctx,mont)) goto err; + + DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont); /* BN_copy(&u1,&t1); */ /* let u1 = u1 mod q */ if (!BN_mod(&u1,&t1,dsa->q,ctx)) goto err; - } -#endif + /* V is now in u1. If the signature is correct, it will be * equal to R. */ ret=(BN_ucmp(&u1, sig->r) == 0); @@ -338,16 +350,3 @@ static int dsa_finish(DSA *dsa) return(1); } -static int dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, - BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *in_mont) -{ - return BN_mod_exp2_mont(rr, a1, p1, a2, p2, m, ctx, in_mont); -} - -static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *m_ctx) -{ - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); -} diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c index e9469ca62f..5cdc8ed851 100644 --- a/crypto/dsa/dsa_sign.c +++ b/crypto/dsa/dsa_sign.c @@ -64,7 +64,9 @@ #include <openssl/dsa.h> #include <openssl/rand.h> #include <openssl/asn1.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { diff --git a/crypto/dsa/dsa_vrf.c b/crypto/dsa/dsa_vrf.c index 066c6b5b28..fffb129f8f 100644 --- a/crypto/dsa/dsa_vrf.c +++ b/crypto/dsa/dsa_vrf.c @@ -65,7 +65,9 @@ #include <openssl/rand.h> #include <openssl/asn1.h> #include <openssl/asn1_mac.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) diff --git a/crypto/dsa/dsatest.c b/crypto/dsa/dsatest.c index c341c1b49c..53c73c5cc2 100644 --- a/crypto/dsa/dsatest.c +++ b/crypto/dsa/dsatest.c @@ -74,9 +74,9 @@ #include <openssl/rand.h> #include <openssl/bio.h> #include <openssl/err.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" +#include <openssl/e_os2.h> #endif #ifdef OPENSSL_NO_DSA @@ -166,7 +166,7 @@ int main(int argc, char **argv) BIO_printf(bio_err,"%02X%02X%02X%02X ", seed[i],seed[i+1],seed[i+2],seed[i+3]); } - BIO_printf(bio_err,"\ncounter=%d h=%d\n",counter,h); + BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h); if (dsa == NULL) goto end; DSA_print(bio_err,dsa,0); diff --git a/crypto/dso/dso_err.c b/crypto/dso/dso_err.c index ac783e2796..8ec7ba9f9e 100644 --- a/crypto/dso/dso_err.c +++ b/crypto/dso/dso_err.c @@ -61,6 +61,7 @@ #include <stdio.h> #include <openssl/err.h> #include <openssl/dso.h> +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_ERR is defined */ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h index 53fb8cfc57..431a28b38f 100644 --- a/crypto/ec/ec.h +++ b/crypto/ec/ec.h @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -72,6 +72,8 @@ #ifndef HEADER_EC_H #define HEADER_EC_H +#include <openssl/opensslconf.h> + #ifdef OPENSSL_NO_EC #error EC is disabled. #endif @@ -101,7 +103,7 @@ typedef struct ec_group_st -- field definition -- curve coefficients -- optional generator with associated information (order, cofactor) - -- optional extra data (TODO: precomputed table for fast computation of multiples of generator) + -- optional extra data (precomputed table for fast computation of multiples of generator) -- ASN1 stuff */ EC_GROUP; @@ -241,7 +243,11 @@ int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *); int EC_POINTs_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, size_t num, const EC_POINT *[], const BIGNUM *[], BN_CTX *); int EC_POINT_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, const EC_POINT *, const BIGNUM *, BN_CTX *); + +/* EC_GROUP_precompute_mult() stores multiples of generator for faster point multiplication */ int EC_GROUP_precompute_mult(EC_GROUP *, BN_CTX *); +/* EC_GROUP_have_precompute_mult() reports whether such precomputation has been done */ +int EC_GROUP_have_precompute_mult(const EC_GROUP *); @@ -315,16 +321,16 @@ int EC_KEY_generate_key(EC_KEY *); /* EC_KEY_check_key() */ int EC_KEY_check_key(const EC_KEY *); -/* de- and encode functions for the SEC1 ECPrivateKey */ +/* de- and encoding functions for SEC1 ECPrivateKey */ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len); int i2d_ECPrivateKey(EC_KEY *a, unsigned char **out); -/* de- and encode functions for the elliptic curve parameters */ +/* de- and encoding functions for EC parameters */ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len); int i2d_ECParameters(EC_KEY *a, unsigned char **out); - -EC_KEY *ECPublicKey_set_octet_string(EC_KEY **a, const unsigned char **in, - long len); -int ECPublicKey_get_octet_string(EC_KEY *a, unsigned char **out); +/* de- and encoding functions for EC public key + * (octet string, not DER -- hence 'o2i' and 'i2o') */ +EC_KEY *o2i_ECPublicKey(EC_KEY **a, const unsigned char **in, long len); +int i2o_ECPublicKey(EC_KEY *a, unsigned char **out); #ifndef OPENSSL_NO_BIO int ECParameters_print(BIO *bp, const EC_KEY *x); @@ -355,8 +361,6 @@ void ERR_load_EC_strings(void); #define EC_F_ECPARAMETERS_PRINT_FP 148 #define EC_F_ECPKPARAMETERS_PRINT 149 #define EC_F_ECPKPARAMETERS_PRINT_FP 150 -#define EC_F_ECPUBLICKEY_GET_OCTET 151 -#define EC_F_ECPUBLICKEY_SET_OCTET 152 #define EC_F_ECP_NIST_MOD_192 203 #define EC_F_ECP_NIST_MOD_224 204 #define EC_F_ECP_NIST_MOD_256 205 @@ -403,7 +407,6 @@ void ERR_load_EC_strings(void); #define EC_F_EC_GROUP_GET_CURVE_GF2M 172 #define EC_F_EC_GROUP_GET_CURVE_GFP 130 #define EC_F_EC_GROUP_GET_DEGREE 173 -#define EC_F_EC_GROUP_GET_EXTRA_DATA 107 #define EC_F_EC_GROUP_GET_ORDER 141 #define EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS 193 #define EC_F_EC_GROUP_GET_TRINOMIAL_BASIS 194 @@ -444,6 +447,7 @@ void ERR_load_EC_strings(void); #define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP 125 #define EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP 126 #define EC_F_EC_POINT_SET_TO_INFINITY 127 +#define EC_F_EC_PRE_COMP_DUP 207 #define EC_F_EC_WNAF_MUL 187 #define EC_F_EC_WNAF_PRECOMPUTE_MULT 188 #define EC_F_GFP_MONT_GROUP_SET_CURVE 189 @@ -451,6 +455,8 @@ void ERR_load_EC_strings(void); #define EC_F_I2D_ECPARAMETERS 190 #define EC_F_I2D_ECPKPARAMETERS 191 #define EC_F_I2D_ECPRIVATEKEY 192 +#define EC_F_I2O_ECPUBLICKEY 151 +#define EC_F_O2I_ECPUBLICKEY 152 /* Reason codes. */ #define EC_R_ASN1_ERROR 115 @@ -462,7 +468,6 @@ void ERR_load_EC_strings(void); #define EC_R_GROUP2PKPARAMETERS_FAILURE 120 #define EC_R_I2D_ECPKPARAMETERS_FAILURE 121 #define EC_R_INCOMPATIBLE_OBJECTS 101 -#define EC_R_INTERNAL_ERROR 132 #define EC_R_INVALID_ARGUMENT 112 #define EC_R_INVALID_COMPRESSED_POINT 110 #define EC_R_INVALID_COMPRESSION_BIT 109 @@ -473,12 +478,11 @@ void ERR_load_EC_strings(void); #define EC_R_INVALID_PRIVATE_KEY 123 #define EC_R_MISSING_PARAMETERS 124 #define EC_R_MISSING_PRIVATE_KEY 125 -#define EC_R_NOT_A_NIST_PRIME 135 -#define EC_R_NOT_A_SUPPORTED_NIST_PRIME 136 +#define EC_R_NOT_A_NIST_PRIME 135 +#define EC_R_NOT_A_SUPPORTED_NIST_PRIME 136 #define EC_R_NOT_IMPLEMENTED 126 #define EC_R_NOT_INITIALIZED 111 #define EC_R_NO_FIELD_MOD 133 -#define EC_R_NO_SUCH_EXTRA_DATA 105 #define EC_R_PASSED_NULL_PARAMETER 134 #define EC_R_PKPARAMETERS2GROUP_FAILURE 127 #define EC_R_POINT_AT_INFINITY 106 diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c index eefb41a157..a0effa95ad 100644 --- a/crypto/ec/ec2_mult.c +++ b/crypto/ec/ec2_mult.c @@ -14,7 +14,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -326,9 +326,10 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, } /* This implementation is more efficient than the wNAF implementation for 2 - * or fewer points. Use the ec_wNAF_mul implementation for 3 or more points. + * or fewer points. Use the ec_wNAF_mul implementation for 3 or more points, + * or if we can perform a fast multiplication based on precomputation. */ - if ((scalar && (num > 1)) || (num > 2)) + if ((scalar && (num > 1)) || (num > 2) || (num == 0 && EC_GROUP_have_precompute_mult(group))) { ret = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); goto err; @@ -364,12 +365,15 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, } -/* Precomputation for point multiplication. */ +/* Precomputation for point multiplication: fall back to wNAF methods + * because ec_GF2m_simple_mul() uses ec_wNAF_mul() if appropriate */ + int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx) { - /* There is no precomputation to do for Montgomery scalar multiplication but - * since this implementation falls back to the wNAF multiplication for more than - * two points, call the wNAF implementation's precompute. - */ return ec_wNAF_precompute_mult(group, ctx); - } + } + +int ec_GF2m_have_precompute_mult(const EC_GROUP *group) + { + return ec_wNAF_have_precompute_mult(group); + } diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c index 1bc440eed1..89e8152015 100644 --- a/crypto/ec/ec2_smpl.c +++ b/crypto/ec/ec2_smpl.c @@ -14,7 +14,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -99,13 +99,17 @@ const EC_METHOD *EC_GF2m_simple_method(void) ec_GF2m_simple_add, ec_GF2m_simple_dbl, ec_GF2m_simple_invert, - ec_GF2m_simple_mul, - ec_GF2m_precompute_mult, ec_GF2m_simple_is_at_infinity, ec_GF2m_simple_is_on_curve, ec_GF2m_simple_cmp, ec_GF2m_simple_make_affine, ec_GF2m_simple_points_make_affine, + + /* the following three method functions are defined in ec2_mult.c */ + ec_GF2m_simple_mul, + ec_GF2m_precompute_mult, + ec_GF2m_have_precompute_mult, + ec_GF2m_simple_field_mul, ec_GF2m_simple_field_sqr, ec_GF2m_simple_field_div, @@ -170,8 +174,8 @@ int ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src) dest->poly[2] = src->poly[2]; dest->poly[3] = src->poly[3]; dest->poly[4] = src->poly[4]; - bn_wexpand(&dest->a, (dest->poly[0] + BN_BITS2 - 1) / BN_BITS2); - bn_wexpand(&dest->b, (dest->poly[0] + BN_BITS2 - 1) / BN_BITS2); + bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2); + bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2); for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0; for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0; return 1; @@ -195,12 +199,12 @@ int ec_GF2m_simple_group_set_curve(EC_GROUP *group, /* group->a */ if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) goto err; - bn_wexpand(&group->a, (group->poly[0] + BN_BITS2 - 1) / BN_BITS2); + bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2); for (i = group->a.top; i < group->a.dmax; i++) group->a.d[i] = 0; /* group->b */ if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) goto err; - bn_wexpand(&group->b, (group->poly[0] + BN_BITS2 - 1) / BN_BITS2); + bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2); for (i = group->b.top; i < group->b.dmax; i++) group->b.d[i] = 0; ret = 1; diff --git a/crypto/ec/ec2_smpt.c b/crypto/ec/ec2_smpt.c index 1b014e5d96..f7e3d38150 100644 --- a/crypto/ec/ec2_smpt.c +++ b/crypto/ec/ec2_smpt.c @@ -61,7 +61,8 @@ * compressed coordinates. Uses algorithm 2.3.4 of SEC 1. * Note that the simple implementation only uses affine coordinates. * - * This algorithm is patented by Certicom Corp. under US Patent 6,141,420. + * This algorithm is patented by Certicom Corp. under US Patent 6,141,420 + * (for licensing information, contact licensing@certicom.com). * This function is disabled by default and can be enabled by defining the * preprocessor macro OPENSSL_EC_BIN_PT_COMP at Configure-time. */ diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 63d33a5f56..f31ac45d99 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -3,7 +3,7 @@ * Written by Nils Larsch for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -224,7 +224,7 @@ ASN1_SEQUENCE(ECPARAMETERS) = { ASN1_SIMPLE(ECPARAMETERS, curve, X9_62_CURVE), ASN1_SIMPLE(ECPARAMETERS, base, ASN1_OCTET_STRING), ASN1_SIMPLE(ECPARAMETERS, order, ASN1_INTEGER), - ASN1_SIMPLE(ECPARAMETERS, cofactor, ASN1_INTEGER) + ASN1_OPT(ECPARAMETERS, cofactor, ASN1_INTEGER) } ASN1_SEQUENCE_END(ECPARAMETERS) DECLARE_ASN1_FUNCTIONS_const(ECPARAMETERS) @@ -715,17 +715,15 @@ static ECPARAMETERS *ec_asn1_group2parameters(const EC_GROUP *group, goto err; } - /* set the cofactor */ - if (!EC_GROUP_get_cofactor(group, tmp, NULL)) + /* set the cofactor (optional) */ + if (EC_GROUP_get_cofactor(group, tmp, NULL)) { - ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_EC_LIB); - goto err; - } - ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor); - if (ret->cofactor == NULL) - { - ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB); - goto err; + ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor); + if (ret->cofactor == NULL) + { + ECerr(EC_F_EC_ASN1_GROUP2PARAMETERS, ERR_R_ASN1_LIB); + goto err; + } } ok = 1; @@ -978,9 +976,7 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params) ret->seed_len = params->curve->seed->length; } - /* extract the order, cofactor and generator */ - if (!params->order || !params->cofactor || !params->base || - !params->base->data) + if (!params->order || !params->base || !params->base->data) { ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR); goto err; @@ -988,14 +984,11 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params) if ((point = EC_POINT_new(ret)) == NULL) goto err; - a = ASN1_INTEGER_to_BN(params->order, a); - b = ASN1_INTEGER_to_BN(params->cofactor, b); - if (!a || !b) - { - ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB); - goto err; - } + /* set the point conversion form */ + EC_GROUP_set_point_conversion_form(ret, (point_conversion_form_t) + (params->base->data[0] & ~0x01)); + /* extract the ec point */ if (!EC_POINT_oct2point(ret, point, params->base->data, params->base->length, NULL)) { @@ -1003,10 +996,29 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params) goto err; } - /* set the point conversion form */ - EC_GROUP_set_point_conversion_form(ret, (point_conversion_form_t) - (params->base->data[0] & ~0x01)); - + /* extract the order */ + if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB); + goto err; + } + + /* extract the cofactor (optional) */ + if (params->cofactor == NULL) + { + if (b) + { + BN_free(b); + b = NULL; + } + } + else + if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB); + goto err; + } + /* set the generator, order and cofactor (if present) */ if (!EC_GROUP_set_generator(ret, point, a, b)) { ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_EC_LIB); @@ -1394,8 +1406,7 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len) return ret; } -EC_KEY *ECPublicKey_set_octet_string(EC_KEY **a, const unsigned char **in, - long len) +EC_KEY *o2i_ECPublicKey(EC_KEY **a, const unsigned char **in, long len) { EC_KEY *ret=NULL; @@ -1403,33 +1414,35 @@ EC_KEY *ECPublicKey_set_octet_string(EC_KEY **a, const unsigned char **in, { /* sorry, but a EC_GROUP-structur is necessary * to set the public key */ - ECerr(EC_F_ECPUBLICKEY_SET_OCTET, ERR_R_PASSED_NULL_PARAMETER); + ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_PASSED_NULL_PARAMETER); return 0; } ret = *a; if (ret->pub_key == NULL && (ret->pub_key = EC_POINT_new(ret->group)) == NULL) { - ECerr(EC_F_ECPUBLICKEY_SET_OCTET, ERR_R_MALLOC_FAILURE); + ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_MALLOC_FAILURE); return 0; } if (!EC_POINT_oct2point(ret->group, ret->pub_key, *in, len, NULL)) { - ECerr(EC_F_ECPUBLICKEY_SET_OCTET, ERR_R_EC_LIB); + ECerr(EC_F_O2I_ECPUBLICKEY, ERR_R_EC_LIB); return 0; } /* save the point conversion form */ ret->conv_form = (point_conversion_form_t)(*in[0] & ~0x01); + *in += len; return ret; } -int ECPublicKey_get_octet_string(EC_KEY *a, unsigned char **out) +int i2o_ECPublicKey(EC_KEY *a, unsigned char **out) { - size_t buf_len=0; + size_t buf_len=0; + int new_buffer = 0; if (a == NULL) { - ECerr(EC_F_ECPUBLICKEY_GET_OCTET, ERR_R_PASSED_NULL_PARAMETER); + ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_PASSED_NULL_PARAMETER); return 0; } @@ -1441,19 +1454,23 @@ int ECPublicKey_get_octet_string(EC_KEY *a, unsigned char **out) return buf_len; if (*out == NULL) + { if ((*out = OPENSSL_malloc(buf_len)) == NULL) { - ECerr(EC_F_ECPUBLICKEY_GET_OCTET, - ERR_R_MALLOC_FAILURE); + ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_MALLOC_FAILURE); return 0; } + new_buffer = 1; + } if (!EC_POINT_point2oct(a->group, a->pub_key, a->conv_form, *out, buf_len, NULL)) { - ECerr(EC_F_ECPUBLICKEY_GET_OCTET, ERR_R_EC_LIB); + ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_EC_LIB); OPENSSL_free(*out); *out = NULL; return 0; } + if (!new_buffer) + *out += buf_len; return buf_len; } diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c index 58ae9d682d..d74ddace58 100644 --- a/crypto/ec/ec_err.c +++ b/crypto/ec/ec_err.c @@ -1,6 +1,6 @@ /* crypto/ec/ec_err.c */ /* ==================================================================== - * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -74,8 +74,6 @@ static ERR_STRING_DATA EC_str_functs[]= {ERR_PACK(0,EC_F_ECPARAMETERS_PRINT_FP,0), "ECParameters_print_fp"}, {ERR_PACK(0,EC_F_ECPKPARAMETERS_PRINT,0), "ECPKParameters_print"}, {ERR_PACK(0,EC_F_ECPKPARAMETERS_PRINT_FP,0), "ECPKParameters_print_fp"}, -{ERR_PACK(0,EC_F_ECPUBLICKEY_GET_OCTET,0), "ECPUBLICKEY_GET_OCTET"}, -{ERR_PACK(0,EC_F_ECPUBLICKEY_SET_OCTET,0), "ECPUBLICKEY_SET_OCTET"}, {ERR_PACK(0,EC_F_ECP_NIST_MOD_192,0), "ECP_NIST_MOD_192"}, {ERR_PACK(0,EC_F_ECP_NIST_MOD_224,0), "ECP_NIST_MOD_224"}, {ERR_PACK(0,EC_F_ECP_NIST_MOD_256,0), "ECP_NIST_MOD_256"}, @@ -122,7 +120,6 @@ static ERR_STRING_DATA EC_str_functs[]= {ERR_PACK(0,EC_F_EC_GROUP_GET_CURVE_GF2M,0), "EC_GROUP_get_curve_GF2m"}, {ERR_PACK(0,EC_F_EC_GROUP_GET_CURVE_GFP,0), "EC_GROUP_get_curve_GFp"}, {ERR_PACK(0,EC_F_EC_GROUP_GET_DEGREE,0), "EC_GROUP_get_degree"}, -{ERR_PACK(0,EC_F_EC_GROUP_GET_EXTRA_DATA,0), "EC_GROUP_get_extra_data"}, {ERR_PACK(0,EC_F_EC_GROUP_GET_ORDER,0), "EC_GROUP_get_order"}, {ERR_PACK(0,EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS,0), "EC_GROUP_get_pentanomial_basis"}, {ERR_PACK(0,EC_F_EC_GROUP_GET_TRINOMIAL_BASIS,0), "EC_GROUP_get_trinomial_basis"}, @@ -163,6 +160,7 @@ static ERR_STRING_DATA EC_str_functs[]= {ERR_PACK(0,EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP,0), "EC_POINT_set_compressed_coordinates_GFp"}, {ERR_PACK(0,EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP,0), "EC_POINT_set_Jprojective_coordinates_GFp"}, {ERR_PACK(0,EC_F_EC_POINT_SET_TO_INFINITY,0), "EC_POINT_set_to_infinity"}, +{ERR_PACK(0,EC_F_EC_PRE_COMP_DUP,0), "EC_PRE_COMP_DUP"}, {ERR_PACK(0,EC_F_EC_WNAF_MUL,0), "ec_wNAF_mul"}, {ERR_PACK(0,EC_F_EC_WNAF_PRECOMPUTE_MULT,0), "ec_wNAF_precompute_mult"}, {ERR_PACK(0,EC_F_GFP_MONT_GROUP_SET_CURVE,0), "GFP_MONT_GROUP_SET_CURVE"}, @@ -170,6 +168,8 @@ static ERR_STRING_DATA EC_str_functs[]= {ERR_PACK(0,EC_F_I2D_ECPARAMETERS,0), "i2d_ECParameters"}, {ERR_PACK(0,EC_F_I2D_ECPKPARAMETERS,0), "i2d_ECPKParameters"}, {ERR_PACK(0,EC_F_I2D_ECPRIVATEKEY,0), "i2d_ECPrivateKey"}, +{ERR_PACK(0,EC_F_I2O_ECPUBLICKEY,0), "i2o_ECPublicKey"}, +{ERR_PACK(0,EC_F_O2I_ECPUBLICKEY,0), "o2i_ECPublicKey"}, {0,NULL} }; @@ -184,7 +184,6 @@ static ERR_STRING_DATA EC_str_reasons[]= {EC_R_GROUP2PKPARAMETERS_FAILURE ,"group2pkparameters failure"}, {EC_R_I2D_ECPKPARAMETERS_FAILURE ,"i2d ecpkparameters failure"}, {EC_R_INCOMPATIBLE_OBJECTS ,"incompatible objects"}, -{EC_R_INTERNAL_ERROR ,"internal error"}, {EC_R_INVALID_ARGUMENT ,"invalid argument"}, {EC_R_INVALID_COMPRESSED_POINT ,"invalid compressed point"}, {EC_R_INVALID_COMPRESSION_BIT ,"invalid compression bit"}, @@ -200,7 +199,6 @@ static ERR_STRING_DATA EC_str_reasons[]= {EC_R_NOT_IMPLEMENTED ,"not implemented"}, {EC_R_NOT_INITIALIZED ,"not initialized"}, {EC_R_NO_FIELD_MOD ,"no field mod"}, -{EC_R_NO_SUCH_EXTRA_DATA ,"no such extra data"}, {EC_R_PASSED_NULL_PARAMETER ,"passed null parameter"}, {EC_R_PKPARAMETERS2GROUP_FAILURE ,"pkparameters2group failure"}, {EC_R_POINT_AT_INFINITY ,"point at infinity"}, diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index d7758c91d3..aef3934c17 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -199,7 +199,7 @@ EC_KEY *EC_KEY_dup(const EC_KEY *eckey) /* copy the private key */ if (eckey->priv_key) { - ret->priv_key = BN_dup(ret->priv_key); + ret->priv_key = BN_dup(eckey->priv_key); if (ret->priv_key == NULL) ok = 0; } diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h index a96d0df1a4..f59fe0e448 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_lcl.h @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -136,11 +136,6 @@ struct ec_method_st { int (*dbl)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *); int (*invert)(const EC_GROUP *, EC_POINT *, BN_CTX *); - /* used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult: */ - int (*mul)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, - size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *); - int (*precompute_mult)(EC_GROUP *group, BN_CTX *); - /* used by EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp: */ int (*is_at_infinity)(const EC_GROUP *, const EC_POINT *); int (*is_on_curve)(const EC_GROUP *, const EC_POINT *, BN_CTX *); @@ -150,6 +145,13 @@ struct ec_method_st { int (*make_affine)(const EC_GROUP *, EC_POINT *, BN_CTX *); int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *); + /* used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, EC_POINT_have_precompute_mult + * (default implementations are used if the 'mul' pointer is 0): */ + int (*mul)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, + size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *); + int (*precompute_mult)(EC_GROUP *group, BN_CTX *); + int (*have_precompute_mult)(const EC_GROUP *group); + /* internal functions */ @@ -165,6 +167,13 @@ struct ec_method_st { int (*field_set_to_one)(const EC_GROUP *, BIGNUM *r, BN_CTX *); } /* EC_METHOD */; +typedef struct ec_extra_data_st { + struct ec_extra_data_st *next; + void *data; + void *(*dup_func)(void *); + void (*free_func)(void *); + void (*clear_free_func)(void *); +} EC_EXTRA_DATA; /* used in EC_GROUP */ struct ec_group_st { const EC_METHOD *meth; @@ -179,10 +188,7 @@ struct ec_group_st { unsigned char *seed; /* optional seed for parameters (appears in ASN1) */ size_t seed_len; - void *extra_data; - void *(*extra_data_dup_func)(void *); - void (*extra_data_free_func)(void *); - void (*extra_data_clear_free_func)(void *); + EC_EXTRA_DATA *extra_data; /* linked list */ /* The following members are handled by the method functions, * even if they appear generic */ @@ -222,14 +228,17 @@ struct ec_group_st { * (with visibility limited to 'package' level for now). * We use the function pointers as index for retrieval; this obviates * global ex_data-style index tables. - * (Currently, we have one slot only, but is is possible to extend this - * if necessary.) */ -int EC_GROUP_set_extra_data(EC_GROUP *, void *extra_data, void *(*extra_data_dup_func)(void *), - void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *)); -void *EC_GROUP_get_extra_data(const EC_GROUP *, void *(*extra_data_dup_func)(void *), - void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *)); -void EC_GROUP_free_extra_data(EC_GROUP *); -void EC_GROUP_clear_free_extra_data(EC_GROUP *); + */ +int EC_GROUP_set_extra_data(EC_GROUP *, void *data, + void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); +void *EC_GROUP_get_extra_data(const EC_GROUP *, + void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); +void EC_GROUP_free_extra_data(EC_GROUP*, + void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); +void EC_GROUP_clear_free_extra_data(EC_GROUP*, + void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); +void EC_GROUP_free_all_extra_data(EC_GROUP *); +void EC_GROUP_clear_free_all_extra_data(EC_GROUP *); @@ -248,10 +257,13 @@ struct ec_point_st { -/* method functions in ec_mult.c */ +/* method functions in ec_mult.c + * (ec_lib.c uses these as defaults if group->method->mul is 0) */ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *); int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *); +int ec_wNAF_have_precompute_mult(const EC_GROUP *group); + /* method functions in ecp_smpl.c */ int ec_GFp_simple_group_init(EC_GROUP *); @@ -317,6 +329,7 @@ int ec_GFp_recp_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX * /* method functions in ecp_nist.c */ +int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src); int ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *); int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); @@ -363,3 +376,4 @@ int ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *); int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx); +int ec_GF2m_have_precompute_mult(const EC_GROUP *group); diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 2cc0dc0ec1..c00875cd73 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -98,9 +98,6 @@ EC_GROUP *EC_GROUP_new(const EC_METHOD *meth) ret->meth = meth; ret->extra_data = NULL; - ret->extra_data_dup_func = 0; - ret->extra_data_free_func = 0; - ret->extra_data_clear_free_func = 0; ret->generator = NULL; BN_init(&ret->order); @@ -130,7 +127,7 @@ void EC_GROUP_free(EC_GROUP *group) if (group->meth->group_finish != 0) group->meth->group_finish(group); - EC_GROUP_free_extra_data(group); + EC_GROUP_free_all_extra_data(group); if (group->generator != NULL) EC_POINT_free(group->generator); @@ -153,7 +150,7 @@ void EC_GROUP_clear_free(EC_GROUP *group) else if (group->meth != NULL && group->meth->group_finish != 0) group->meth->group_finish(group); - EC_GROUP_clear_free_extra_data(group); + EC_GROUP_clear_free_all_extra_data(group); if (group->generator != NULL) EC_POINT_clear_free(group->generator); @@ -173,6 +170,8 @@ void EC_GROUP_clear_free(EC_GROUP *group) int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) { + EC_EXTRA_DATA *d; + if (dest->meth->group_copy == 0) { ECerr(EC_F_EC_GROUP_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); @@ -186,19 +185,16 @@ int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) if (dest == src) return 1; - EC_GROUP_clear_free_extra_data(dest); - if (src->extra_data_dup_func) - { - if (src->extra_data != NULL) - { - dest->extra_data = src->extra_data_dup_func(src->extra_data); - if (dest->extra_data == NULL) - return 0; - } + EC_GROUP_free_all_extra_data(dest); - dest->extra_data_dup_func = src->extra_data_dup_func; - dest->extra_data_free_func = src->extra_data_free_func; - dest->extra_data_clear_free_func = src->extra_data_clear_free_func; + for (d = src->extra_data; d != NULL; d = d->next) + { + void *t = d->dup_func(d->data); + + if (t == NULL) + return 0; + if (!EC_GROUP_set_extra_data(dest, t, d->dup_func, d->free_func, d->clear_free_func)) + return 0; } if (src->generator != NULL) @@ -475,65 +471,148 @@ int EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx) /* this has 'package' visibility */ -int EC_GROUP_set_extra_data(EC_GROUP *group, void *extra_data, void *(*extra_data_dup_func)(void *), - void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *)) +int EC_GROUP_set_extra_data(EC_GROUP *group, void *data, + void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) { - if ((group->extra_data != NULL) - || (group->extra_data_dup_func != 0) - || (group->extra_data_free_func != 0) - || (group->extra_data_clear_free_func != 0)) - { - ECerr(EC_F_EC_GROUP_SET_EXTRA_DATA, EC_R_SLOT_FULL); + EC_EXTRA_DATA *d; + + if (group == NULL) return 0; + + for (d = group->extra_data; d != NULL; d = d->next) + { + if (d->dup_func == dup_func && d->free_func == free_func && d->clear_free_func == clear_free_func) + { + ECerr(EC_F_EC_GROUP_SET_EXTRA_DATA, EC_R_SLOT_FULL); + return 0; + } } - group->extra_data = extra_data; - group->extra_data_dup_func = extra_data_dup_func; - group->extra_data_free_func = extra_data_free_func; - group->extra_data_clear_free_func = extra_data_clear_free_func; + if (data == NULL) + /* no explicit entry needed */ + return 1; + + d = OPENSSL_malloc(sizeof *d); + if (d == NULL) + return 0; + + d->data = data; + d->dup_func = dup_func; + d->free_func = free_func; + d->clear_free_func = clear_free_func; + + d->next = group->extra_data; + group->extra_data = d; + return 1; } - /* this has 'package' visibility */ -void *EC_GROUP_get_extra_data(const EC_GROUP *group, void *(*extra_data_dup_func)(void *), - void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *)) +void *EC_GROUP_get_extra_data(const EC_GROUP *group, + void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) { - if ((group->extra_data_dup_func != extra_data_dup_func) - || (group->extra_data_free_func != extra_data_free_func) - || (group->extra_data_clear_free_func != extra_data_clear_free_func)) - { - ECerr(EC_F_EC_GROUP_GET_EXTRA_DATA, EC_R_NO_SUCH_EXTRA_DATA); + EC_EXTRA_DATA *d; + + if (group == NULL) return NULL; + + for (d = group->extra_data; d != NULL; d = d->next) + { + if (d->dup_func == dup_func && d->free_func == free_func && d->clear_free_func == clear_free_func) + return d->data; } + + return NULL; + } - return group->extra_data; +/* this has 'package' visibility */ +void EC_GROUP_free_extra_data(EC_GROUP *group, + void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) + { + EC_EXTRA_DATA **p; + + if (group == NULL) + return; + + for (p = &group->extra_data; *p != NULL; p = &((*p)->next)) + { + if ((*p)->dup_func == dup_func && (*p)->free_func == free_func && (*p)->clear_free_func == clear_free_func) + { + EC_EXTRA_DATA *next = (*p)->next; + + (*p)->free_func((*p)->data); + OPENSSL_free(*p); + + *p = next; + return; + } + } } +/* this has 'package' visibility */ +void EC_GROUP_clear_free_extra_data(EC_GROUP *group, + void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) + { + EC_EXTRA_DATA **p; + + if (group == NULL) + return; + + for (p = &group->extra_data; *p != NULL; p = &((*p)->next)) + { + if ((*p)->dup_func == dup_func && (*p)->free_func == free_func && (*p)->clear_free_func == clear_free_func) + { + EC_EXTRA_DATA *next = (*p)->next; + + (*p)->clear_free_func((*p)->data); + OPENSSL_free(*p); + + *p = next; + return; + } + } + } /* this has 'package' visibility */ -void EC_GROUP_free_extra_data(EC_GROUP *group) +void EC_GROUP_free_all_extra_data(EC_GROUP *group) { - if (group->extra_data_free_func) - group->extra_data_free_func(group->extra_data); + EC_EXTRA_DATA *d; + + if (group == NULL) + return; + + d = group->extra_data; + while (d) + { + EC_EXTRA_DATA *next = d->next; + + d->free_func(d->data); + OPENSSL_free(d); + + d = next; + } group->extra_data = NULL; - group->extra_data_dup_func = 0; - group->extra_data_free_func = 0; - group->extra_data_clear_free_func = 0; } - /* this has 'package' visibility */ -void EC_GROUP_clear_free_extra_data(EC_GROUP *group) +void EC_GROUP_clear_free_all_extra_data(EC_GROUP *group) { - if (group->extra_data_clear_free_func) - group->extra_data_clear_free_func(group->extra_data); - else if (group->extra_data_free_func) - group->extra_data_free_func(group->extra_data); + EC_EXTRA_DATA *d; + + if (group == NULL) + return; + + d = group->extra_data; + while (d) + { + EC_EXTRA_DATA *next = d->next; + + d->clear_free_func(d->data); + OPENSSL_free(d); + + d = next; + } group->extra_data = NULL; - group->extra_data_dup_func = 0; - group->extra_data_free_func = 0; - group->extra_data_clear_free_func = 0; } @@ -956,3 +1035,58 @@ int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], } return group->meth->points_make_affine(group, num, points, ctx); } + + +/* Functions for point multiplication. + * + * If group->meth->mul is 0, we use the wNAF-based implementations in ec_mult.c; + * otherwise we dispatch through methods. + */ + +int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, + size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) + { + if (group->meth->mul == 0) + /* use default */ + return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); + + return group->meth->mul(group, r, scalar, num, points, scalars, ctx); + } + +int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, + const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx) + { + /* just a convenient interface to EC_POINTs_mul() */ + + const EC_POINT *points[1]; + const BIGNUM *scalars[1]; + + points[0] = point; + scalars[0] = p_scalar; + + return EC_POINTs_mul(group, r, g_scalar, (point != NULL && p_scalar != NULL), points, scalars, ctx); + } + +int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx) + { + if (group->meth->mul == 0) + /* use default */ + return ec_wNAF_precompute_mult(group, ctx); + + if (group->meth->precompute_mult != 0) + return group->meth->precompute_mult(group, ctx); + else + return 1; /* nothing to do, so report success */ + } + +int EC_GROUP_have_precompute_mult(const EC_GROUP *group) + { + if (group->meth->mul == 0) + /* use default */ + return ec_wNAF_have_precompute_mult(group); + + if (group->meth->have_precompute_mult != 0) + return group->meth->have_precompute_mult(group); + else + return 0; /* cannot tell whether precomputation has been performed */ + } diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index f5312aa23a..c71a69ac0d 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -1,9 +1,9 @@ /* crypto/ec/ec_mult.c */ /* - * Originally written by Bodo Moeller for the OpenSSL project. + * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -61,19 +61,120 @@ * and contributed to the OpenSSL project. */ +#include <string.h> + #include <openssl/err.h> #include "ec_lcl.h" -/* TODO: optional precomputation of multiples of the generator */ +/* + * This file implements the wNAF-based interleaving multi-exponentation method + * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp>); + * for multiplication with precomputation, we use wNAF splitting + * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#fastexp>). + */ -/* - * wNAF-based interleaving multi-exponentation method - * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp>) - */ + +/* structure for precomputed multiples of the generator */ +typedef struct ec_pre_comp_st { + const EC_GROUP *group; /* parent EC_GROUP object */ + size_t blocksize; /* block size for wNAF splitting */ + size_t numblocks; /* max. number of blocks for which we have precomputation */ + size_t w; /* window size */ + EC_POINT **points; /* array with pre-calculated multiples of generator: + * 'num' pointers to EC_POINT objects followed by a NULL */ + size_t num; /* numblocks * 2^(w-1) */ + int references; +} EC_PRE_COMP; + +/* functions to manage EC_PRE_COMP within the EC_GROUP extra_data framework */ +static void *ec_pre_comp_dup(void *); +static void ec_pre_comp_free(void *); +static void ec_pre_comp_clear_free(void *); + +static EC_PRE_COMP *ec_pre_comp_new(const EC_GROUP *group) + { + EC_PRE_COMP *ret = NULL; + + if (!group) + return NULL; + + ret = (EC_PRE_COMP *)OPENSSL_malloc(sizeof(EC_PRE_COMP)); + if (!ret) + return ret; + ret->group = group; + ret->blocksize = 8; /* default */ + ret->numblocks = 0; + ret->w = 4; /* default */ + ret->points = NULL; + ret->num = 0; + ret->references = 1; + return ret; + } + +static void *ec_pre_comp_dup(void *src_) + { + EC_PRE_COMP *src = src_; + + /* no need to actually copy, these objects never change! */ + + CRYPTO_add(&src->references, 1, CRYPTO_LOCK_EC_PRE_COMP); + + return src_; + } + +static void ec_pre_comp_free(void *pre_) + { + int i; + EC_PRE_COMP *pre = pre_; + + if (!pre) + return; + + i = CRYPTO_add(&pre->references, -1, CRYPTO_LOCK_EC_PRE_COMP); + if (i > 0) + return; + + if (pre->points) + { + EC_POINT **p; + + for (p = pre->points; *p != NULL; p++) + EC_POINT_free(*p); + OPENSSL_free(pre->points); + } + OPENSSL_free(pre); + } + +static void ec_pre_comp_clear_free(void *pre_) + { + int i; + EC_PRE_COMP *pre = pre_; + + if (!pre) + return; + + i = CRYPTO_add(&pre->references, -1, CRYPTO_LOCK_EC_PRE_COMP); + if (i > 0) + return; + + if (pre->points) + { + EC_POINT **p; + + for (p = pre->points; *p != NULL; p++) + EC_POINT_clear_free(*p); + OPENSSL_cleanse(pre->points, sizeof pre->points); + OPENSSL_free(pre->points); + } + OPENSSL_cleanse(pre, sizeof pre); + OPENSSL_free(pre); + } + + /* Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'. @@ -108,7 +209,9 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len) } len = BN_num_bits(scalar); - r = OPENSSL_malloc(len + 1); /* modified wNAF may be one digit longer than binary representation */ + r = OPENSSL_malloc(len + 1); /* modified wNAF may be one digit longer than binary representation + * (*ret_len will be set to the actual length, i.e. at most + * BN_num_bits(scalar) + 1) */ if (r == NULL) goto err; if (scalar->d == NULL || scalar->top == 0) @@ -224,6 +327,8 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, EC_POINT *generator = NULL; EC_POINT *tmp = NULL; size_t totalnum; + size_t blocksize = 0, numblocks = 0; /* for wNAF splitting */ + size_t pre_points_per_block = 0; size_t i, j; int k; int r_is_inverted = 0; @@ -235,19 +340,23 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num_val; EC_POINT **val = NULL; /* precomputation */ EC_POINT **v; - EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' */ + EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' or 'pre_comp->points' */ + const EC_PRE_COMP *pre_comp = NULL; + int num_scalar = 0; /* flag: will be set to 1 if 'scalar' must be treated like other scalars, + * i.e. precomputation is not available */ int ret = 0; - if (scalar != NULL) + if (group->meth != r->meth) { - generator = EC_GROUP_get0_generator(group); - if (generator == NULL) - { - ECerr(EC_F_EC_WNAF_MUL, EC_R_UNDEFINED_GENERATOR); - return 0; - } + ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS); + return 0; } - + + if ((scalar == NULL) && (num == 0)) + { + return EC_POINT_set_to_infinity(group, r); + } + for (i = 0; i < num; i++) { if (group->meth != points[i]->meth) @@ -257,40 +366,209 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, } } - totalnum = num + (scalar != NULL); + if (ctx == NULL) + { + ctx = new_ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + } - wsize = OPENSSL_malloc(totalnum * sizeof wsize[0]); - wNAF_len = OPENSSL_malloc(totalnum * sizeof wNAF_len[0]); - wNAF = OPENSSL_malloc((totalnum + 1) * sizeof wNAF[0]); - if (wNAF != NULL) + if (scalar != NULL) { - wNAF[0] = NULL; /* preliminary pivot */ + generator = EC_GROUP_get0_generator(group); + if (generator == NULL) + { + ECerr(EC_F_EC_WNAF_MUL, EC_R_UNDEFINED_GENERATOR); + goto err; + } + + /* look if we can use precomputed multiples of generator */ + + pre_comp = EC_GROUP_get_extra_data(group, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free); + + if (pre_comp && pre_comp->numblocks && (EC_POINT_cmp(group, generator, pre_comp->points[0], ctx) == 0)) + { + blocksize = pre_comp->blocksize; + + /* determine maximum number of blocks that wNAF splitting may yield + * (NB: maximum wNAF length is bit length plus one) */ + numblocks = (BN_num_bits(scalar) / blocksize) + 1; + + /* we cannot use more blocks than we have precomputation for */ + if (numblocks > pre_comp->numblocks) + numblocks = pre_comp->numblocks; + + pre_points_per_block = 1u << (pre_comp->w - 1); + + /* check that pre_comp looks sane */ + if (pre_comp->num != (pre_comp->numblocks * pre_points_per_block)) + { + ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); + goto err; + } + } + else + { + /* can't use precomputation */ + pre_comp = NULL; + numblocks = 1; + num_scalar = 1; /* treat 'scalar' like 'num'-th element of 'scalars' */ + } } - if (wsize == NULL || wNAF_len == NULL || wNAF == NULL) goto err; + + totalnum = num + numblocks; + + wsize = OPENSSL_malloc(totalnum * sizeof wsize[0]); + wNAF_len = OPENSSL_malloc(totalnum * sizeof wNAF_len[0]); + wNAF = OPENSSL_malloc((totalnum + 1) * sizeof wNAF[0]); /* includes space for pivot */ + val_sub = OPENSSL_malloc(totalnum * sizeof val_sub[0]); + + if (!wsize || !wNAF_len || !wNAF || !val_sub) + goto err; - /* num_val := total number of points to precompute */ + wNAF[0] = NULL; /* preliminary pivot */ + + /* num_val will be the total number of temporarily precomputed points */ num_val = 0; - for (i = 0; i < totalnum; i++) + + for (i = 0; i < num + num_scalar; i++) { size_t bits; bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar); wsize[i] = EC_window_bits_for_scalar_size(bits); num_val += 1u << (wsize[i] - 1); + wNAF[i + 1] = NULL; /* make sure we always have a pivot */ + wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]); + if (wNAF[i] == NULL) + goto err; + if (wNAF_len[i] > max_len) + max_len = wNAF_len[i]; + } + + if (numblocks) + { + /* we go here iff scalar != NULL */ + + if (pre_comp == NULL) + { + if (num_scalar != 1) + { + ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); + goto err; + } + /* we have already generated a wNAF for 'scalar' */ + } + else + { + signed char *tmp_wNAF = NULL; + size_t tmp_len = 0; + + if (num_scalar != 0) + { + ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); + goto err; + } + + /* use the window size for which we have precomputation */ + wsize[num] = pre_comp->w; + tmp_wNAF = compute_wNAF(scalar, wsize[num], &tmp_len); + if (!tmp_wNAF) + goto err; + + if (tmp_len <= max_len) + { + /* One of the other wNAFs is at least as long + * as the wNAF belonging to the generator, + * so wNAF splitting will not buy us anything. */ + + numblocks = 1; + totalnum = num + 1; /* don't use wNAF splitting */ + wNAF[num] = tmp_wNAF; + wNAF[num + 1] = NULL; + wNAF_len[num] = tmp_len; + if (tmp_len > max_len) + max_len = tmp_len; + /* pre_comp->points starts with the points that we need here: */ + val_sub[num] = pre_comp->points; + } + else + { + /* don't include tmp_wNAF directly into wNAF array + * - use wNAF splitting and include the blocks */ + + signed char *pp; + EC_POINT **tmp_points; + + if (tmp_len < numblocks * blocksize) + { + /* possibly we can do with fewer blocks than estimated */ + numblocks = (tmp_len + blocksize - 1) / blocksize; + if (numblocks > pre_comp->numblocks) + { + ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); + goto err; + } + totalnum = num + numblocks; + } + + /* split wNAF in 'numblocks' parts */ + pp = tmp_wNAF; + tmp_points = pre_comp->points; + + for (i = num; i < totalnum; i++) + { + if (i < totalnum - 1) + { + wNAF_len[i] = blocksize; + if (tmp_len < blocksize) + { + ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); + goto err; + } + tmp_len -= blocksize; + } + else + /* last block gets whatever is left + * (this could be more or less than 'blocksize'!) */ + wNAF_len[i] = tmp_len; + + wNAF[i + 1] = NULL; + wNAF[i] = OPENSSL_malloc(wNAF_len[i]); + if (wNAF[i] == NULL) + { + OPENSSL_free(tmp_wNAF); + goto err; + } + memcpy(wNAF[i], pp, wNAF_len[i]); + if (wNAF_len[i] > max_len) + max_len = wNAF_len[i]; + + if (*tmp_points == NULL) + { + ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); + OPENSSL_free(tmp_wNAF); + goto err; + } + val_sub[i] = tmp_points; + tmp_points += pre_points_per_block; + pp += blocksize; + } + OPENSSL_free(tmp_wNAF); + } + } } - /* all precomputed points go into a single array 'val', - * 'val_sub[i]' is a pointer to the subarray for the i-th point */ + /* All points we precompute now go into a single array 'val'. + * 'val_sub[i]' is a pointer to the subarray for the i-th point, + * or to a subarray of 'pre_comp->points' if we already have precomputation. */ val = OPENSSL_malloc((num_val + 1) * sizeof val[0]); if (val == NULL) goto err; val[num_val] = NULL; /* pivot element */ - val_sub = OPENSSL_malloc(totalnum * sizeof val_sub[0]); - if (val_sub == NULL) goto err; - /* allocate points for precomputation */ v = val; - for (i = 0; i < totalnum; i++) + for (i = 0; i < num + num_scalar; i++) { val_sub[i] = v; for (j = 0; j < (1u << (wsize[i] - 1)); j++) @@ -306,15 +584,8 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, goto err; } - if (ctx == NULL) - { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; - } - - tmp = EC_POINT_new(group); - if (tmp == NULL) goto err; + if (!(tmp = EC_POINT_new(group))) + goto err; /* prepare precomputed values: * val_sub[i][0] := points[i] @@ -322,7 +593,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, * val_sub[i][2] := 5 * points[i] * ... */ - for (i = 0; i < totalnum; i++) + for (i = 0; i < num + num_scalar; i++) { if (i < num) { @@ -341,16 +612,11 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) goto err; } } - - wNAF[i + 1] = NULL; /* make sure we always have a pivot */ - wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]); - if (wNAF[i] == NULL) goto err; - if (wNAF_len[i] > max_len) - max_len = wNAF_len[i]; } #if 1 /* optional; EC_window_bits_for_scalar_size assumes we do this step */ - if (!EC_POINTs_make_affine(group, num_val, val, ctx)) goto err; + if (!EC_POINTs_make_affine(group, num_val, val, ctx)) + goto err; #endif r_is_at_infinity = 1; @@ -446,86 +712,197 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, } -/* Generic multiplication method. - * If group->meth does not provide a multiplication method, default to ec_wNAF_mul; - * otherwise use the group->meth's multiplication. +/* ec_wNAF_precompute_mult() + * creates an EC_PRE_COMP object with preprecomputed multiples of the generator + * for use with wNAF splitting as implemented in ec_wNAF_mul(). + * + * 'pre_comp->points' is an array of multiples of the generator + * of the following form: + * points[0] = generator; + * points[1] = 3 * generator; + * ... + * points[2^(w-1)-1] = (2^(w-1)-1) * generator; + * points[2^(w-1)] = 2^blocksize * generator; + * points[2^(w-1)+1] = 3 * 2^blocksize * generator; + * ... + * points[2^(w-1)*(numblocks-1)-1] = (2^(w-1)) * 2^(blocksize*(numblocks-2)) * generator + * points[2^(w-1)*(numblocks-1)] = 2^(blocksize*(numblocks-1)) * generator + * ... + * points[2^(w-1)*numblocks-1] = (2^(w-1)) * 2^(blocksize*(numblocks-1)) * generator + * points[2^(w-1)*numblocks] = NULL */ -int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, - size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) - { - if (group->meth->mul == 0) - return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); - else - return group->meth->mul(group, r, scalar, num, points, scalars, ctx); - } - - -int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx) - { - const EC_POINT *points[1]; - const BIGNUM *scalars[1]; - - points[0] = point; - scalars[0] = p_scalar; - - return EC_POINTs_mul(group, r, g_scalar, (point != NULL && p_scalar != NULL), points, scalars, ctx); - } - - int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) { const EC_POINT *generator; + EC_POINT *tmp_point = NULL, *base = NULL, **var; BN_CTX *new_ctx = NULL; BIGNUM *order; + size_t i, bits, w, pre_points_per_block, blocksize, numblocks, num; + EC_POINT **points = NULL; + EC_PRE_COMP *pre_comp; int ret = 0; + /* if there is an old EC_PRE_COMP object, throw it away */ + EC_GROUP_free_extra_data(group, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free); + + if ((pre_comp = ec_pre_comp_new(group)) == NULL) + return 0; + generator = EC_GROUP_get0_generator(group); if (generator == NULL) { ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNDEFINED_GENERATOR); - return 0; + goto err; } if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) - return 0; + goto err; } BN_CTX_start(ctx); order = BN_CTX_get(ctx); if (order == NULL) goto err; - if (!EC_GROUP_get_order(group, order, ctx)) return 0; + if (!EC_GROUP_get_order(group, order, ctx)) goto err; if (BN_is_zero(order)) { ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, EC_R_UNKNOWN_ORDER); goto err; } - /* TODO */ + bits = BN_num_bits(order); + /* The following parameters mean we precompute (approximately) + * one point per bit. + * + * TBD: The combination 8, 4 is perfect for 160 bits; for other + * bit lengths, other parameter combinations might provide better + * efficiency. + */ + blocksize = 8; + w = 4; + if (EC_window_bits_for_scalar_size(bits) > w) + { + /* let's not make the window too small ... */ + w = EC_window_bits_for_scalar_size(bits); + } - ret = 1; + numblocks = (bits + blocksize - 1) / blocksize; /* max. number of blocks to use for wNAF splitting */ + + pre_points_per_block = 1u << (w - 1); + num = pre_points_per_block * numblocks; /* number of points to compute and store */ + + points = OPENSSL_malloc(sizeof (EC_POINT*)*(num + 1)); + if (!points) + { + ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE); + goto err; + } + + var = points; + var[num] = NULL; /* pivot */ + for (i = 0; i < num; i++) + { + if ((var[i] = EC_POINT_new(group)) == NULL) + { + ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE); + goto err; + } + } + + if (!(tmp_point = EC_POINT_new(group)) || !(base = EC_POINT_new(group))) + { + ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_MALLOC_FAILURE); + goto err; + } + if (!EC_POINT_copy(base, generator)) + goto err; + + /* do the precomputation */ + for (i = 0; i < numblocks; i++) + { + size_t j; + + if (!EC_POINT_dbl(group, tmp_point, base, ctx)) + goto err; + + if (!EC_POINT_copy(*var++, base)) + goto err; + + for (j = 1; j < pre_points_per_block; j++, var++) + { + /* calculate odd multiples of the current base point */ + if (!EC_POINT_add(group, *var, tmp_point, *(var - 1), ctx)) + goto err; + } + + if (i < numblocks - 1) + { + /* get the next base (multiply current one by 2^blocksize) */ + size_t k; + + if (blocksize <= 2) + { + ECerr(EC_F_EC_WNAF_PRECOMPUTE_MULT, ERR_R_INTERNAL_ERROR); + goto err; + } + + if (!EC_POINT_dbl(group, base, tmp_point, ctx)) + goto err; + for (k = 2; k < blocksize; k++) + { + if (!EC_POINT_dbl(group,base,base,ctx)) + goto err; + } + } + } + + if (!EC_POINTs_make_affine(group, num, points, ctx)) + goto err; + + pre_comp->group = group; + pre_comp->blocksize = blocksize; + pre_comp->numblocks = numblocks; + pre_comp->w = w; + pre_comp->points = points; + points = NULL; + pre_comp->num = num; + + if (!EC_GROUP_set_extra_data(group, pre_comp, + ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free)) + goto err; + pre_comp = NULL; + + ret = 1; err: BN_CTX_end(ctx); if (new_ctx != NULL) BN_CTX_free(new_ctx); + if (pre_comp) + ec_pre_comp_free(pre_comp); + if (points) + { + EC_POINT **p; + + for (p = points; *p != NULL; p++) + EC_POINT_free(*p); + OPENSSL_free(points); + } + if (tmp_point) + EC_POINT_free(tmp_point); + if (base) + EC_POINT_free(base); return ret; } -/* Generic multiplicaiton precomputation method. - * If group->meth does not provide a multiplication method, default to ec_wNAF_mul and do its - * precomputation; otherwise use the group->meth's precomputation if it exists. - */ -int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx) +int ec_wNAF_have_precompute_mult(const EC_GROUP *group) { - if (group->meth->mul == 0) - return ec_wNAF_precompute_mult(group, ctx); - else if (group->meth->precompute_mult != 0) - return group->meth->precompute_mult(group, ctx); - else + if (EC_GROUP_get_extra_data(group, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free) != NULL) return 1; + else + return 0; } diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c index 36f8236864..b64fa68b56 100644 --- a/crypto/ec/ecp_mont.c +++ b/crypto/ec/ecp_mont.c @@ -93,13 +93,14 @@ const EC_METHOD *EC_GFp_mont_method(void) ec_GFp_simple_add, ec_GFp_simple_dbl, ec_GFp_simple_invert, - 0 /* mul */, - 0 /* precompute_mult */, ec_GFp_simple_is_at_infinity, ec_GFp_simple_is_on_curve, ec_GFp_simple_cmp, ec_GFp_simple_make_affine, ec_GFp_simple_points_make_affine, + 0 /* mul */, + 0 /* precompute_mult */, + 0 /* have_precompute_mult */, ec_GFp_mont_field_mul, ec_GFp_mont_field_sqr, 0 /* field_div */, diff --git a/crypto/ec/ecp_nist.c b/crypto/ec/ecp_nist.c index 559cb5c418..d2dbfe6743 100644 --- a/crypto/ec/ecp_nist.c +++ b/crypto/ec/ecp_nist.c @@ -3,7 +3,7 @@ * Written by Nils Larsch for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -72,7 +72,7 @@ const EC_METHOD *EC_GFp_nist_method(void) ec_GFp_simple_group_init, ec_GFp_simple_group_finish, ec_GFp_simple_group_clear_finish, - ec_GFp_simple_group_copy, + ec_GFp_nist_group_copy, ec_GFp_nist_group_set_curve, ec_GFp_simple_group_get_curve, ec_GFp_simple_group_get_degree, @@ -92,13 +92,14 @@ const EC_METHOD *EC_GFp_nist_method(void) ec_GFp_simple_add, ec_GFp_simple_dbl, ec_GFp_simple_invert, - 0 /* mul */, - 0 /* precompute_mult */, ec_GFp_simple_is_at_infinity, ec_GFp_simple_is_on_curve, ec_GFp_simple_cmp, ec_GFp_simple_make_affine, ec_GFp_simple_points_make_affine, + 0 /* mul */, + 0 /* precompute_mult */, + 0 /* have_precompute_mult */, ec_GFp_nist_field_mul, ec_GFp_nist_field_sqr, 0 /* field_div */, @@ -113,6 +114,12 @@ const EC_METHOD *EC_GFp_nist_method(void) #define NO_32_BIT_TYPE #endif +int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src) + { + dest->field_mod_func = src->field_mod_func; + + return ec_GFp_simple_group_copy(dest, src); + } int ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) @@ -165,21 +172,7 @@ int ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p, goto err; } - /* group->field */ - if (!BN_copy(&group->field, p)) goto err; - BN_set_sign(&group->field, 0); - - /* group->a */ - if (!group->field_mod_func(&group->a, a, p, ctx)) goto err; - - /* group->b */ - if (!group->field_mod_func(&group->b, b, p, ctx)) goto err; - - /* group->a_is_minus3 */ - if (!BN_add_word(tmp_bn, 3)) goto err; - group->a_is_minus3 = (0 == BN_cmp(tmp_bn, &group->field)); - - ret = 1; + ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); err: BN_CTX_end(ctx); diff --git a/crypto/ec/ecp_recp.c b/crypto/ec/ecp_recp.c index bf456dbc47..e0b28c1cfa 100644 --- a/crypto/ec/ecp_recp.c +++ b/crypto/ec/ecp_recp.c @@ -91,13 +91,14 @@ const EC_METHOD *EC_GFp_recp_method(void) ec_GFp_simple_add, ec_GFp_simple_dbl, ec_GFp_simple_invert, - 0 /* mul */, - 0 /* precompute_mult */, ec_GFp_simple_is_at_infinity, ec_GFp_simple_is_on_curve, ec_GFp_simple_cmp, ec_GFp_simple_make_affine, ec_GFp_simple_points_make_affine, + 0 /* mul */, + 0 /* precompute_mult */, + 0 /* have_precompute_mult */, ec_GFp_recp_field_mul, ec_GFp_recp_field_sqr, 0 /* field_div */, diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index 267134af4b..1abe831a37 100644 --- a/crypto/ec/ecp_smpl.c +++ b/crypto/ec/ecp_smpl.c @@ -94,13 +94,14 @@ const EC_METHOD *EC_GFp_simple_method(void) ec_GFp_simple_add, ec_GFp_simple_dbl, ec_GFp_simple_invert, - 0 /* mul */, - 0 /* precompute_mult */, ec_GFp_simple_is_at_infinity, ec_GFp_simple_is_on_curve, ec_GFp_simple_cmp, ec_GFp_simple_make_affine, ec_GFp_simple_points_make_affine, + 0 /* mul */, + 0 /* precompute_mult */, + 0 /* have_precompute_mult */, ec_GFp_simple_field_mul, ec_GFp_simple_field_sqr, 0 /* field_div */, diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c index e292da3384..e91c8fffb3 100644 --- a/crypto/ec/ectest.c +++ b/crypto/ec/ectest.c @@ -86,7 +86,9 @@ int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); retur #include <openssl/ec.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif #include <openssl/err.h> #include <openssl/obj_mac.h> #include <openssl/objects.h> @@ -1227,7 +1229,9 @@ int main(int argc, char *argv[]) /* test the internal curves */ internal_curve_test(); +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); ERR_remove_state(0); diff --git a/crypto/ecdh/Makefile.ssl b/crypto/ecdh/Makefile.ssl index eb2e7605e8..8a0e43852a 100644 --- a/crypto/ecdh/Makefile.ssl +++ b/crypto/ecdh/Makefile.ssl @@ -112,12 +112,14 @@ ech_lib.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h ech_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h ech_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h ecdh.h ech_lib.o: ech_lib.c -ech_ossl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -ech_ossl.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h +ech_ossl.o: ../../e_os.h ../../include/openssl/asn1.h +ech_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +ech_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h ech_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -ech_ossl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h -ech_ossl.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h +ech_ossl.o: ../../include/openssl/ecdh.h ../../include/openssl/err.h +ech_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +ech_ossl.o: ../../include/openssl/opensslconf.h ech_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ech_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ech_ossl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -ech_ossl.o: ecdh.h ech_ossl.c +ech_ossl.o: ../cryptlib.h ech_ossl.c diff --git a/crypto/ecdh/ecdh.h b/crypto/ecdh/ecdh.h index 1ab131cde9..db6fd48701 100644 --- a/crypto/ecdh/ecdh.h +++ b/crypto/ecdh/ecdh.h @@ -69,6 +69,8 @@ #ifndef HEADER_ECDH_H #define HEADER_ECDH_H +#include <openssl/opensslconf.h> + #ifdef OPENSSL_NO_ECDH #error ECDH is disabled. #endif @@ -84,7 +86,8 @@ extern "C" { typedef struct ecdh_method { const char *name; - int (*compute_key)(unsigned char *key,const EC_POINT *pub_key, EC_KEY *ecdh); + int (*compute_key)(void *key, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh, + void *(*KDF)(void *in, size_t inlen, void *out, size_t outlen)); #if 0 int (*init)(EC_KEY *eckey); int (*finish)(EC_KEY *eckey); @@ -118,9 +121,8 @@ void ECDH_set_default_method(const ECDH_METHOD *); const ECDH_METHOD *ECDH_get_default_method(void); int ECDH_set_method(EC_KEY *, const ECDH_METHOD *); -int ECDH_size(const EC_KEY *); -int ECDH_compute_key(unsigned char *key,const EC_POINT *pub_key, EC_KEY *ecdh); - +int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh, + void *(*KDF)(void *in, size_t inlen, void *out, size_t outlen)); int ECDH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); @@ -141,9 +143,9 @@ void ERR_load_ECDH_strings(void); #define ECDH_F_ECDH_DATA_NEW 101 /* Reason codes. */ +#define ECDH_R_KDF_FAILED 102 #define ECDH_R_NO_PRIVATE_VALUE 100 #define ECDH_R_POINT_ARITHMETIC_FAILURE 101 -#define ECDH_R_SHA1_DIGEST_FAILED 102 #ifdef __cplusplus } diff --git a/crypto/ecdh/ecdhtest.c b/crypto/ecdh/ecdhtest.c index 8af35322bb..f9162b7e8b 100644 --- a/crypto/ecdh/ecdhtest.c +++ b/crypto/ecdh/ecdhtest.c @@ -14,7 +14,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -73,15 +73,13 @@ #include "../e_os.h" -#ifdef OPENSSL_SYS_WINDOWS -#include "../bio/bss_file.c" -#endif #include <openssl/crypto.h> #include <openssl/bio.h> #include <openssl/bn.h> #include <openssl/ec.h> #include <openssl/objects.h> #include <openssl/rand.h> +#include <openssl/sha.h> #include <openssl/err.h> #ifdef OPENSSL_NO_ECDH @@ -103,12 +101,21 @@ int main(int argc, char *argv[]) static void MS_CALLBACK cb(int p, int n, void *arg); #endif -#ifdef OPENSSL_NO_STDIO -#define APPS_WIN16 -#include "bss_file.c" +static const char rnd_seed[] = "string to make the random number generator think it has entropy"; + + +static const int KDF1_SHA1_len = 20; +static void *KDF1_SHA1(void *in, size_t inlen, void *out, size_t outlen) + { +#ifndef OPENSSL_NO_SHA + if (outlen != SHA_DIGEST_LENGTH) + return NULL; + return SHA1(in, inlen, out); +#else + return NULL; #endif + } -static const char rnd_seed[] = "string to make the random number generator think it has entropy"; int test_ecdh_curve(int , char *, BN_CTX *, BIO *); @@ -188,9 +195,9 @@ int test_ecdh_curve(int nid, char *text, BN_CTX *ctx, BIO *out) BIO_flush(out); #endif - alen=ECDH_size(a); + alen=KDF1_SHA1_len; abuf=(unsigned char *)OPENSSL_malloc(alen); - aout=ECDH_compute_key(abuf,b->pub_key,a); + aout=ECDH_compute_key(abuf,alen,b->pub_key,a,KDF1_SHA1); #ifdef NOISY BIO_puts(out," key1 ="); @@ -205,9 +212,9 @@ int test_ecdh_curve(int nid, char *text, BN_CTX *ctx, BIO *out) BIO_flush(out); #endif - blen=ECDH_size(b); + blen=KDF1_SHA1_len; bbuf=(unsigned char *)OPENSSL_malloc(blen); - bout=ECDH_compute_key(bbuf,a->pub_key,b); + bout=ECDH_compute_key(bbuf,blen,a->pub_key,b,KDF1_SHA1); #ifdef NOISY BIO_puts(out," key2 ="); diff --git a/crypto/ecdh/ech_err.c b/crypto/ecdh/ech_err.c index 819b8abf4d..76fbe38387 100644 --- a/crypto/ecdh/ech_err.c +++ b/crypto/ecdh/ech_err.c @@ -73,9 +73,9 @@ static ERR_STRING_DATA ECDH_str_functs[]= static ERR_STRING_DATA ECDH_str_reasons[]= { +{ECDH_R_KDF_FAILED ,"KDF failed"}, {ECDH_R_NO_PRIVATE_VALUE ,"no private value"}, {ECDH_R_POINT_ARITHMETIC_FAILURE ,"point arithmetic failure"}, -{ECDH_R_SHA1_DIGEST_FAILED ,"sha1 digest failed"}, {0,NULL} }; diff --git a/crypto/ecdh/ech_key.c b/crypto/ecdh/ech_key.c index f000b8c8ad..923a7e9dd9 100644 --- a/crypto/ecdh/ech_key.c +++ b/crypto/ecdh/ech_key.c @@ -14,7 +14,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -70,10 +70,11 @@ #include "ecdh.h" #include <openssl/engine.h> -int ECDH_compute_key(unsigned char *key, const EC_POINT *pub_key, EC_KEY *eckey) +int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *eckey, + void *(*KDF)(void *in, size_t inlen, void *out, size_t outlen)) { ECDH_DATA *ecdh = ecdh_check(eckey); if (ecdh == NULL) return 0; - return ecdh->meth->compute_key(key, pub_key, eckey); + return ecdh->meth->compute_key(out, outlen, pub_key, eckey, KDF); } diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c index 59526f33bd..8b3e5f1ddc 100644 --- a/crypto/ecdh/ech_lib.c +++ b/crypto/ecdh/ech_lib.c @@ -14,7 +14,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -203,12 +203,6 @@ static void ecdh_finish(EC_KEY *key) } -int ECDH_size(const EC_KEY *ecdh) - { - return 20; - } - - int ECDH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) { diff --git a/crypto/ecdh/ech_ossl.c b/crypto/ecdh/ech_ossl.c index 182e825b74..b3cff5ad90 100644 --- a/crypto/ecdh/ech_ossl.c +++ b/crypto/ecdh/ech_ossl.c @@ -14,7 +14,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -68,12 +68,18 @@ */ -#include "ecdh.h" +#include <string.h> +#include <limits.h> + +#include "cryptlib.h" + +#include <openssl/ecdh.h> #include <openssl/err.h> #include <openssl/sha.h> #include <openssl/obj_mac.h> -static int ecdh_compute_key(unsigned char *key, const EC_POINT *pub_key, EC_KEY *ecdh); +static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key, EC_KEY *ecdh, + void *(*KDF)(void *in, size_t inlen, void *out, size_t outlen)); static ECDH_METHOD openssl_ecdh_meth = { "OpenSSL ECDH method", @@ -95,16 +101,23 @@ const ECDH_METHOD *ECDH_OpenSSL(void) /* This implementation is based on the following primitives in the IEEE 1363 standard: * - ECKAS-DH1 * - ECSVDP-DH - * - KDF1 with SHA-1 + * Finally an optional KDF is applied. */ -static int ecdh_compute_key(unsigned char *key, const EC_POINT *pub_key, EC_KEY *ecdh) +static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh, + void *(*KDF)(void *in, size_t inlen, void *out, size_t outlen)) { BN_CTX *ctx; EC_POINT *tmp=NULL; BIGNUM *x=NULL, *y=NULL; - int ret= -1, len; + int ret= -1, buflen, len; unsigned char *buf=NULL; + if (outlen > INT_MAX) + { + ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE); /* sort of, anyway */ + return -1; + } + if ((ctx = BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); x = BN_CTX_get(ctx); @@ -145,26 +158,44 @@ static int ecdh_compute_key(unsigned char *key, const EC_POINT *pub_key, EC_KEY } } - if ((buf = (unsigned char *)OPENSSL_malloc(sizeof(unsigned char) * BN_num_bytes(x))) == NULL) + buflen = (EC_GROUP_get_degree(ecdh->group) + 7)/8; + len = BN_num_bytes(x); + if (len > buflen) + { + ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_INTERNAL_ERROR); + goto err; + } + if ((buf = OPENSSL_malloc(buflen)) == NULL) { ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE); goto err; } - if ((len = BN_bn2bin(x,buf)) <= 0) + memset(buf, 0, buflen - len); + if (len != BN_bn2bin(x, buf + buflen - len)) { ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_BN_LIB); goto err; } - if ((SHA1(buf, len, key) == NULL)) + if (KDF != 0) { - ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_SHA1_DIGEST_FAILED); - goto err; + if (KDF(buf, buflen, out, outlen) == NULL) + { + ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ECDH_R_KDF_FAILED); + goto err; + } + ret = outlen; + } + else + { + /* no KDF, just copy as much as we can */ + if (outlen > buflen) + outlen = buflen; + memcpy(out, buf, outlen); + ret = outlen; } - ret = 20; - err: if (tmp) EC_POINT_free(tmp); if (ctx) BN_CTX_end(ctx); diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h index d72d0b1363..e82762d35d 100644 --- a/crypto/ecdsa/ecdsa.h +++ b/crypto/ecdsa/ecdsa.h @@ -55,6 +55,8 @@ #ifndef HEADER_ECDSA_H #define HEADER_ECDSA_H +#include <openssl/opensslconf.h> + #ifdef OPENSSL_NO_ECDSA #error ECDSA is disabled. #endif diff --git a/crypto/ecdsa/ecdsatest.c b/crypto/ecdsa/ecdsatest.c index 402e988f46..7beae6f739 100644 --- a/crypto/ecdsa/ecdsatest.c +++ b/crypto/ecdsa/ecdsatest.c @@ -79,6 +79,8 @@ #include <stdlib.h> #include <string.h> +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_ECDSA is defined */ + #ifdef OPENSSL_NO_ECDSA int main(int argc, char * argv[]) { diff --git a/crypto/ecdsa/ecs_err.c b/crypto/ecdsa/ecs_err.c index 75c789448c..c9bed9dd8e 100644 --- a/crypto/ecdsa/ecs_err.c +++ b/crypto/ecdsa/ecs_err.c @@ -61,6 +61,7 @@ #include <stdio.h> #include <openssl/err.h> #include <openssl/ecdsa.h> +#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_ERR is defined */ /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c index 7cc05bfe0b..64ec2db901 100644 --- a/crypto/engine/eng_all.c +++ b/crypto/engine/eng_all.c @@ -72,34 +72,37 @@ void ENGINE_load_builtin_engines(void) ENGINE_load_dynamic(); #ifndef OPENSSL_NO_STATIC_ENGINE #ifndef OPENSSL_NO_HW +#ifndef OPENSSL_NO_HW_4758_CCA + ENGINE_load_4758cca(); +#endif +#ifndef OPENSSL_NO_HW_AEP + ENGINE_load_aep(); +#endif +#ifndef OPENSSL_NO_HW_ATALLA + ENGINE_load_atalla(); +#endif #ifndef OPENSSL_NO_HW_CSWIFT ENGINE_load_cswift(); #endif #ifndef OPENSSL_NO_HW_NCIPHER ENGINE_load_chil(); #endif -#ifndef OPENSSL_NO_HW_ATALLA - ENGINE_load_atalla(); -#endif #ifndef OPENSSL_NO_HW_NURON ENGINE_load_nuron(); #endif -#ifndef OPENSSL_NO_HW_UBSEC - ENGINE_load_ubsec(); -#endif -#ifndef OPENSSL_NO_HW_AEP - ENGINE_load_aep(); -#endif #ifndef OPENSSL_NO_HW_SUREWARE ENGINE_load_sureware(); #endif -#ifndef OPENSSL_NO_HW_4758_CCA - ENGINE_load_4758cca(); +#ifndef OPENSSL_NO_HW_UBSEC + ENGINE_load_ubsec(); #endif #endif #if defined(__OpenBSD__) || defined(__FreeBSD__) ENGINE_load_cryptodev(); #endif +#if defined(OPENSSL_USE_GMP) && !defined(OPENSSL_NO_HW_GMP) + ENGINE_load_gmp(); +#endif #endif } diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index a658528d31..b32be08c8e 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -35,7 +35,7 @@ #if (defined(__unix__) || defined(unix)) && !defined(USG) #include <sys/param.h> -# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 50000) || __FreeBSD_version >= 50041) +# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041) # define HAVE_CRYPTODEV # endif # if (OpenBSD >= 200110) diff --git a/crypto/engine/eng_fat.c b/crypto/engine/eng_fat.c index c0d03ccbfe..a5ffbec94c 100644 --- a/crypto/engine/eng_fat.c +++ b/crypto/engine/eng_fat.c @@ -71,26 +71,26 @@ int ENGINE_set_default(ENGINE *e, unsigned int flags) if((flags & ENGINE_METHOD_DIGESTS) && !ENGINE_set_default_digests(e)) return 0; #ifndef OPENSSL_NO_RSA - if((flags & ENGINE_METHOD_RSA) & !ENGINE_set_default_RSA(e)) + if((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e)) return 0; #endif #ifndef OPENSSL_NO_DSA - if((flags & ENGINE_METHOD_DSA) & !ENGINE_set_default_DSA(e)) + if((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e)) return 0; #endif #ifndef OPENSSL_NO_DH - if((flags & ENGINE_METHOD_DH) & !ENGINE_set_default_DH(e)) + if((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e)) return 0; #endif #ifndef OPENSSL_NO_ECDH - if((flags & ENGINE_METHOD_ECDH) & !ENGINE_set_default_ECDH(e)) + if((flags & ENGINE_METHOD_ECDH) && !ENGINE_set_default_ECDH(e)) return 0; #endif #ifndef OPENSSL_NO_ECDSA - if((flags & ENGINE_METHOD_ECDSA) & !ENGINE_set_default_ECDSA(e)) + if((flags & ENGINE_METHOD_ECDSA) && !ENGINE_set_default_ECDSA(e)) return 0; #endif - if((flags & ENGINE_METHOD_RAND) & !ENGINE_set_default_RAND(e)) + if((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e)) return 0; return 1; } diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h index 8ed684c0ea..d4d08d9629 100644 --- a/crypto/engine/engine.h +++ b/crypto/engine/engine.h @@ -65,6 +65,11 @@ #define HEADER_ENGINE_H #include <openssl/opensslconf.h> + +#ifdef OPENSSL_NO_ENGINE +#error ENGINE is disabled. +#endif + #include <openssl/ossl_typ.h> #include <openssl/bn.h> #ifndef OPENSSL_NO_RSA @@ -271,11 +276,11 @@ typedef struct ENGINE_CMD_DEFN_st } ENGINE_CMD_DEFN; /* Generic function pointer */ -typedef int (*ENGINE_GEN_FUNC_PTR)(); +typedef int (*ENGINE_GEN_FUNC_PTR)(void); /* Generic function pointer taking no arguments */ typedef int (*ENGINE_GEN_INT_FUNC_PTR)(ENGINE *); /* Specific control function pointer */ -typedef int (*ENGINE_CTRL_FUNC_PTR)(ENGINE *, int, long, void *, void (*f)()); +typedef int (*ENGINE_CTRL_FUNC_PTR)(ENGINE *, int, long, void *, void (*f)(void)); /* Generic load_key function pointer */ typedef EVP_PKEY * (*ENGINE_LOAD_KEY_PTR)(ENGINE *, const char *, UI_METHOD *ui_method, void *callback_data); @@ -320,14 +325,15 @@ ENGINE *ENGINE_by_id(const char *id); void ENGINE_load_openssl(void); void ENGINE_load_dynamic(void); #ifndef OPENSSL_NO_STATIC_ENGINE -void ENGINE_load_cswift(void); -void ENGINE_load_chil(void); +void ENGINE_load_4758cca(void); +void ENGINE_load_aep(void); void ENGINE_load_atalla(void); +void ENGINE_load_chil(void); +void ENGINE_load_cswift(void); +void ENGINE_load_gmp(void); void ENGINE_load_nuron(void); -void ENGINE_load_ubsec(void); -void ENGINE_load_aep(void); void ENGINE_load_sureware(void); -void ENGINE_load_4758cca(void); +void ENGINE_load_ubsec(void); #endif void ENGINE_load_cryptodev(void); void ENGINE_load_builtin_engines(void); @@ -391,7 +397,7 @@ int ENGINE_register_all_complete(void); * reference to an engine, but many control commands may require the engine be * functional. The caller should be aware of trying commands that require an * operational ENGINE, and only use functional references in such situations. */ -int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()); +int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void)); /* This function tests if an ENGINE-specific command is usable as a "setting". * Eg. in an application's config file that gets processed through @@ -404,7 +410,7 @@ int ENGINE_cmd_is_executable(ENGINE *e, int cmd); * See the comment on ENGINE_ctrl_cmd_string() for an explanation on how to * use the cmd_name and cmd_optional. */ int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name, - long i, void *p, void (*f)(), int cmd_optional); + long i, void *p, void (*f)(void), int cmd_optional); /* This function passes a command-name and argument to an ENGINE. The cmd_name * is converted to a command number and the control command is called using @@ -679,6 +685,9 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id, * values. */ void *ENGINE_get_static_state(void); +#if defined(__OpenBSD__) || defined(__FreeBSD__) +void ENGINE_setup_bsd_cryptodev(void); +#endif /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/crypto/engine/enginetest.c b/crypto/engine/enginetest.c index 87fa8c57b7..c2d0297392 100644 --- a/crypto/engine/enginetest.c +++ b/crypto/engine/enginetest.c @@ -56,9 +56,17 @@ * */ -#include <openssl/e_os2.h> #include <stdio.h> #include <string.h> + +#ifdef OPENSSL_NO_ENGINE +int main(int argc, char *argv[]) +{ + printf("No ENGINE support\n"); + return(0); +} +#else +#include <openssl/e_os2.h> #include <openssl/buffer.h> #include <openssl/crypto.h> #include <openssl/engine.h> @@ -272,3 +280,4 @@ end: CRYPTO_mem_leaks_fp(stderr); return to_return; } +#endif diff --git a/crypto/err/err.c b/crypto/err/err.c index 62e3f42b38..05437764c8 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -217,6 +217,7 @@ static ERR_STRING_DATA ERR_str_reasons[]= {0,NULL}, }; +#endif /* Define the predeclared (but externally opaque) "ERR_FNS" type */ @@ -497,6 +498,7 @@ static int int_err_get_next_lib(void) } +#ifndef OPENSSL_NO_ERR #define NUM_SYS_STR_REASONS 127 #define LEN_SYS_STR_REASON 32 diff --git a/crypto/err/err.h b/crypto/err/err.h index ec895c4d12..95658addf9 100644 --- a/crypto/err/err.h +++ b/crypto/err/err.h @@ -59,6 +59,8 @@ #ifndef HEADER_ERR_H #define HEADER_ERR_H +#include <openssl/e_os2.h> + #ifndef OPENSSL_NO_FP_API #include <stdio.h> #include <stdlib.h> diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index 812ab7cbe6..6da4326b2a 100644 --- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c @@ -88,7 +88,9 @@ #include <openssl/pkcs12.h> #include <openssl/rand.h> #include <openssl/dso.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif #include <openssl/ocsp.h> #include <openssl/err.h> @@ -134,7 +136,9 @@ void ERR_load_crypto_strings(void) ERR_load_PKCS12_strings(); ERR_load_RAND_strings(); ERR_load_DSO_strings(); +#ifndef OPENSSL_NO_ENGINE ERR_load_ENGINE_strings(); +#endif ERR_load_OCSP_strings(); ERR_load_UI_strings(); #endif diff --git a/crypto/evp/Makefile.ssl b/crypto/evp/Makefile.ssl index f6fcb9a4f8..0f82cf78df 100644 --- a/crypto/evp/Makefile.ssl +++ b/crypto/evp/Makefile.ssl @@ -70,7 +70,7 @@ links: @$(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) - @$(PERL) $(TOP)/util/mklink.pl ../../test $(TESTDATA) + cp $(TESTDATA) ../../test @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @@ -141,13 +141,18 @@ bio_ok.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bio_ok.o: ../cryptlib.h bio_ok.c c_all.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h c_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h -c_all.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +c_all.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h +c_all.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h +c_all.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +c_all.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h c_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +c_all.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h c_all.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -c_all.o: ../../include/openssl/symhacks.h ../cryptlib.h c_all.c +c_all.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h +c_all.o: ../cryptlib.h c_all.c c_allc.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h c_allc.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h c_allc.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c index 6e550f6a43..33349c2f98 100644 --- a/crypto/evp/bio_b64.c +++ b/crypto/evp/bio_b64.c @@ -184,7 +184,9 @@ static int b64_read(BIO *b, char *out, int outl) ret_code=0; while (outl > 0) { - if (ctx->cont <= 0) break; + + if (ctx->cont <= 0) + break; i=BIO_read(b->next_bio,&(ctx->tmp[ctx->tmp_len]), B64_BLOCK_SIZE-ctx->tmp_len); @@ -195,11 +197,21 @@ static int b64_read(BIO *b, char *out, int outl) /* Should be continue next time we are called? */ if (!BIO_should_retry(b->next_bio)) + { ctx->cont=i; - /* else we should continue when called again */ - break; + /* If buffer empty break */ + if(ctx->tmp_len == 0) + break; + /* Fall through and process what we have */ + else + i = 0; + } + /* else we retry and add more data to buffer */ + else + break; } i+=ctx->tmp_len; + ctx->tmp_len = i; /* We need to scan, a line at a time until we * have a valid line if we are starting. */ @@ -255,8 +267,12 @@ static int b64_read(BIO *b, char *out, int outl) * reading until a new line. */ if (p == (unsigned char *)&(ctx->tmp[0])) { - ctx->tmp_nl=1; - ctx->tmp_len=0; + /* Check buffer full */ + if (i == B64_BLOCK_SIZE) + { + ctx->tmp_nl=1; + ctx->tmp_len=0; + } } else if (p != q) /* finished on a '\n' */ { @@ -271,6 +287,11 @@ static int b64_read(BIO *b, char *out, int outl) else ctx->tmp_len=0; } + /* If buffer isn't full and we can retry then + * restart to read in more data. + */ + else if ((i < B64_BLOCK_SIZE) && (ctx->cont > 0)) + continue; if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL) { @@ -310,8 +331,8 @@ static int b64_read(BIO *b, char *out, int outl) i=EVP_DecodeUpdate(&(ctx->base64), (unsigned char *)ctx->buf,&ctx->buf_len, (unsigned char *)ctx->tmp,i); + ctx->tmp_len = 0; } - ctx->cont=i; ctx->buf_off=0; if (i < 0) { @@ -484,10 +505,7 @@ again: { i=b64_write(b,NULL,0); if (i < 0) - { - ret=i; - break; - } + return i; } if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL) { diff --git a/crypto/evp/bio_enc.c b/crypto/evp/bio_enc.c index 510e1bc8a4..ab81851503 100644 --- a/crypto/evp/bio_enc.c +++ b/crypto/evp/bio_enc.c @@ -271,7 +271,7 @@ static int enc_write(BIO *b, const char *in, int inl) if (i <= 0) { BIO_copy_next_retry(b); - return(i); + return (ret == inl) ? i : ret - inl; } n-=i; ctx->buf_off+=i; @@ -325,10 +325,7 @@ again: { i=enc_write(b,NULL,0); if (i < 0) - { - ret=i; - break; - } + return i; } if (!ctx->finished) diff --git a/crypto/evp/c_all.c b/crypto/evp/c_all.c index af3dd26162..19737f39f6 100644 --- a/crypto/evp/c_all.c +++ b/crypto/evp/c_all.c @@ -59,6 +59,7 @@ #include <stdio.h> #include "cryptlib.h" #include <openssl/evp.h> +#include <openssl/engine.h> #if 0 #undef OpenSSL_add_all_algorithms diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 33013c41a6..b22eed4421 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -113,7 +113,9 @@ #include "cryptlib.h" #include <openssl/objects.h> #include <openssl/evp.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif void EVP_MD_CTX_init(EVP_MD_CTX *ctx) { @@ -138,6 +140,7 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type) int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) { EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED); +#ifndef OPENSSL_NO_ENGINE /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts * so this context may already have an ENGINE! Try to avoid releasing * the previous handle, re-querying for an ENGINE, and having a @@ -183,11 +186,13 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) else ctx->engine = NULL; } - else if(!ctx->digest) + else + if(!ctx->digest) { EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_NO_DIGEST_SET); return 0; } +#endif if (ctx->digest != type) { if (ctx->digest && ctx->digest->ctx_size) @@ -196,7 +201,9 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) if (type->ctx_size) ctx->md_data=OPENSSL_malloc(type->ctx_size); } +#ifndef OPENSSL_NO_ENGINE skip_to_init: +#endif return ctx->digest->init(ctx); } @@ -246,12 +253,14 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED); return 0; } +#ifndef OPENSSL_NO_ENGINE /* Make sure it's safe to copy a digest context using an ENGINE */ if (in->engine && !ENGINE_init(in->engine)) { EVPerr(EVP_F_EVP_MD_CTX_COPY,ERR_R_ENGINE_LIB); return 0; } +#endif EVP_MD_CTX_cleanup(out); memcpy(out,in,sizeof *out); @@ -304,10 +313,12 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); } +#ifndef OPENSSL_NO_ENGINE if(ctx->engine) /* The EVP_MD we used belongs to an ENGINE, release the * functional reference we held for this reason. */ ENGINE_finish(ctx->engine); +#endif memset(ctx,'\0',sizeof *ctx); return 1; diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index c323fa2892..bf7c45fa2c 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -48,6 +48,7 @@ * */ +#include <openssl/opensslconf.h> #ifndef OPENSSL_NO_AES #include <openssl/evp.h> #include <openssl/err.h> diff --git a/crypto/evp/e_bf.c b/crypto/evp/e_bf.c index e74337567b..cc224e5363 100644 --- a/crypto/evp/e_bf.c +++ b/crypto/evp/e_bf.c @@ -56,9 +56,9 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_BF #include <stdio.h> #include "cryptlib.h" +#ifndef OPENSSL_NO_BF #include <openssl/evp.h> #include "evp_locl.h" #include <openssl/objects.h> diff --git a/crypto/evp/e_cast.c b/crypto/evp/e_cast.c index 3400fef187..d77bcd9298 100644 --- a/crypto/evp/e_cast.c +++ b/crypto/evp/e_cast.c @@ -56,10 +56,10 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_CAST - #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_CAST #include <openssl/evp.h> #include <openssl/objects.h> #include "evp_locl.h" diff --git a/crypto/evp/e_des.c b/crypto/evp/e_des.c index 105266a4b3..92f6ebc343 100644 --- a/crypto/evp/e_des.c +++ b/crypto/evp/e_des.c @@ -56,9 +56,9 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_DES #include <stdio.h> #include "cryptlib.h" +#ifndef OPENSSL_NO_DES #include <openssl/evp.h> #include <openssl/objects.h> #include "evp_locl.h" diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index 077860e7b6..e036d07ba9 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -56,9 +56,9 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_DES #include <stdio.h> #include "cryptlib.h" +#ifndef OPENSSL_NO_DES #include <openssl/evp.h> #include <openssl/objects.h> #include "evp_locl.h" diff --git a/crypto/evp/e_idea.c b/crypto/evp/e_idea.c index b9efa75ae7..48c33a774a 100644 --- a/crypto/evp/e_idea.c +++ b/crypto/evp/e_idea.c @@ -56,10 +56,10 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_IDEA - #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_IDEA #include <openssl/evp.h> #include <openssl/objects.h> #include "evp_locl.h" diff --git a/crypto/evp/e_rc2.c b/crypto/evp/e_rc2.c index d42cbfd17e..3932f60e59 100644 --- a/crypto/evp/e_rc2.c +++ b/crypto/evp/e_rc2.c @@ -56,10 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_RC2 - #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_RC2 + #include <openssl/evp.h> #include <openssl/objects.h> #include "evp_locl.h" diff --git a/crypto/evp/e_rc4.c b/crypto/evp/e_rc4.c index d58f507837..eadd8d4274 100644 --- a/crypto/evp/e_rc4.c +++ b/crypto/evp/e_rc4.c @@ -56,10 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_RC4 - #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_RC4 + #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/rc4.h> diff --git a/crypto/evp/e_rc5.c b/crypto/evp/e_rc5.c index 3c7713b181..19a10c6402 100644 --- a/crypto/evp/e_rc5.c +++ b/crypto/evp/e_rc5.c @@ -56,10 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_RC5 - #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_RC5 + #include <openssl/evp.h> #include <openssl/objects.h> #include "evp_locl.h" diff --git a/crypto/evp/e_xcbc_d.c b/crypto/evp/e_xcbc_d.c index a6f849e93d..cb82815a82 100644 --- a/crypto/evp/e_xcbc_d.c +++ b/crypto/evp/e_xcbc_d.c @@ -56,9 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_DES #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_DES + #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/des.h> diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index b084a35809..4e4a667ab8 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -754,6 +754,8 @@ int EVP_PKEY_missing_parameters(EVP_PKEY *pkey); int EVP_PKEY_save_parameters(EVP_PKEY *pkey,int mode); int EVP_PKEY_cmp_parameters(EVP_PKEY *a,EVP_PKEY *b); +int EVP_PKEY_cmp(EVP_PKEY *a,EVP_PKEY *b); + int EVP_CIPHER_type(const EVP_CIPHER *ctx); /* calls methods */ diff --git a/crypto/evp/evp_acnf.c b/crypto/evp/evp_acnf.c index a68b979bdb..54c073ca44 100644 --- a/crypto/evp/evp_acnf.c +++ b/crypto/evp/evp_acnf.c @@ -59,7 +59,9 @@ #include "cryptlib.h" #include <openssl/evp.h> #include <openssl/conf.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif /* Load all algorithms and configure OpenSSL. diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 66c48d1431..be0758a879 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -60,7 +60,9 @@ #include "cryptlib.h" #include <openssl/evp.h> #include <openssl/err.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif #include "evp_locl.h" const char *EVP_version="EVP" OPENSSL_VERSION_PTEXT; @@ -91,6 +93,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp enc = 1; ctx->encrypt = enc; } +#ifndef OPENSSL_NO_ENGINE /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts * so this context may already have an ENGINE! Try to avoid releasing * the previous handle, re-querying for an ENGINE, and having a @@ -98,6 +101,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp if (ctx->engine && ctx->cipher && (!cipher || (cipher && (cipher->nid == ctx->cipher->nid)))) goto skip_to_init; +#endif if (cipher) { /* Ensure a context left lying around from last time is cleared @@ -107,6 +111,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp /* Restore encrypt field: it is zeroed by cleanup */ ctx->encrypt = enc; +#ifndef OPENSSL_NO_ENGINE if(impl) { if (!ENGINE_init(impl)) @@ -140,6 +145,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp } else ctx->engine = NULL; +#endif ctx->cipher=cipher; ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size); @@ -159,7 +165,9 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_NO_CIPHER_SET); return 0; } +#ifndef OPENSSL_NO_ENGINE skip_to_init: +#endif /* we assume block size is a power of 2 in *cryptUpdate */ OPENSSL_assert(ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 @@ -236,7 +244,7 @@ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *imp int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, const unsigned char *key, const unsigned char *iv) { - return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0); + return EVP_CipherInit(ctx, cipher, key, iv, 0); } int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, @@ -460,10 +468,12 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) } if (c->cipher_data) OPENSSL_free(c->cipher_data); +#ifndef OPENSSL_NO_ENGINE if (c->engine) /* The EVP_CIPHER we used belongs to an ENGINE, release the * functional reference we held for this reason. */ ENGINE_finish(c->engine); +#endif memset(c,0,sizeof(EVP_CIPHER_CTX)); return 1; } diff --git a/crypto/evp/evp_test.c b/crypto/evp/evp_test.c index 698aff21dc..28460173f7 100644 --- a/crypto/evp/evp_test.c +++ b/crypto/evp/evp_test.c @@ -53,7 +53,10 @@ #include "../e_os.h" #include <openssl/evp.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif +#include <openssl/err.h> #include <openssl/conf.h> static void hexdump(FILE *f,const char *title,const unsigned char *s,int l) @@ -330,11 +333,14 @@ int main(int argc,char **argv) /* Load up the software EVP_CIPHER and EVP_MD definitions */ OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); +#ifndef OPENSSL_NO_ENGINE /* Load all compiled-in ENGINEs */ ENGINE_load_builtin_engines(); +#endif #if 0 OPENSSL_config(); #endif +#ifndef OPENSSL_NO_ENGINE /* Register all available ENGINE implementations of ciphers and digests. * This could perhaps be changed to "ENGINE_register_all_complete()"? */ ENGINE_register_all_ciphers(); @@ -343,6 +349,7 @@ int main(int argc,char **argv) * It'll prevent ENGINEs being ENGINE_init()ialised for cipher/digest use if * they weren't already initialised. */ /* ENGINE_set_cipher_flags(ENGINE_CIPHER_FLAG_NOINIT); */ +#endif for( ; ; ) { @@ -384,7 +391,9 @@ int main(int argc,char **argv) } } +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); diff --git a/crypto/evp/m_dss1.c b/crypto/evp/m_dss1.c index f5668ebda0..9a0ebe0a50 100644 --- a/crypto/evp/m_dss1.c +++ b/crypto/evp/m_dss1.c @@ -56,9 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_SHA #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_SHA + #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/x509.h> diff --git a/crypto/evp/m_ecdsa.c b/crypto/evp/m_ecdsa.c index 4e8b010709..26e4206e5a 100644 --- a/crypto/evp/m_ecdsa.c +++ b/crypto/evp/m_ecdsa.c @@ -1,4 +1,57 @@ /* crypto/evp/m_ecdsa.c */ +/* ==================================================================== + * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * diff --git a/crypto/evp/m_md2.c b/crypto/evp/m_md2.c index 50914c83b3..38ce7f8cd7 100644 --- a/crypto/evp/m_md2.c +++ b/crypto/evp/m_md2.c @@ -56,9 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_MD2 #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_MD2 + #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/x509.h> diff --git a/crypto/evp/m_md4.c b/crypto/evp/m_md4.c index e19b663754..a3f6be4f3b 100644 --- a/crypto/evp/m_md4.c +++ b/crypto/evp/m_md4.c @@ -56,9 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_MD4 #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_MD4 + #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/x509.h> diff --git a/crypto/evp/m_md5.c b/crypto/evp/m_md5.c index b00a03e048..cc4216a538 100644 --- a/crypto/evp/m_md5.c +++ b/crypto/evp/m_md5.c @@ -56,9 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_MD5 #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_MD5 + #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/x509.h> diff --git a/crypto/evp/m_mdc2.c b/crypto/evp/m_mdc2.c index 9f6467c931..58df547e0c 100644 --- a/crypto/evp/m_mdc2.c +++ b/crypto/evp/m_mdc2.c @@ -56,9 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_MDC2 #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_MDC2 + #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/x509.h> diff --git a/crypto/evp/m_ripemd.c b/crypto/evp/m_ripemd.c index 64725528dc..ca8ed75851 100644 --- a/crypto/evp/m_ripemd.c +++ b/crypto/evp/m_ripemd.c @@ -56,9 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_RIPEMD #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_RIPEMD + #include <openssl/ripemd.h> #include <openssl/evp.h> #include <openssl/objects.h> diff --git a/crypto/evp/m_sha.c b/crypto/evp/m_sha.c index 10697c7ed3..a3343bb2eb 100644 --- a/crypto/evp/m_sha.c +++ b/crypto/evp/m_sha.c @@ -56,9 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_SHA #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_SHA + #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/x509.h> diff --git a/crypto/evp/m_sha1.c b/crypto/evp/m_sha1.c index d6be3502f0..838225bf84 100644 --- a/crypto/evp/m_sha1.c +++ b/crypto/evp/m_sha1.c @@ -56,9 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_SHA #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_SHA + #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/x509.h> diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c index 1f94e1ef88..b161d7664a 100644 --- a/crypto/evp/p5_crpt2.c +++ b/crypto/evp/p5_crpt2.c @@ -55,10 +55,10 @@ * Hudson (tjh@cryptsoft.com). * */ -#if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA) #include <stdio.h> #include <stdlib.h> #include "cryptlib.h" +#if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA) #include <openssl/x509.h> #include <openssl/evp.h> #include <openssl/hmac.h> diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index c7a3dee108..8d23c0bd72 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -237,6 +237,52 @@ int EVP_PKEY_cmp_parameters(EVP_PKEY *a, EVP_PKEY *b) return(-1); } +int EVP_PKEY_cmp(EVP_PKEY *a, EVP_PKEY *b) + { + if (a->type != b->type) + return -1; + + switch (a->type) + { +#ifndef OPENSSL_NO_RSA + case EVP_PKEY_RSA: + if (BN_cmp(b->pkey.rsa->n,a->pkey.rsa->n) != 0 + || BN_cmp(b->pkey.rsa->e,a->pkey.rsa->e) != 0) + return 0; + break; +#endif +#ifndef OPENSSL_NO_DSA + case EVP_PKEY_DSA: + if (BN_cmp(b->pkey.dsa->pub_key,a->pkey.dsa->pub_key) != 0) + return 0; + break; +#endif +#ifndef OPENSSL_NO_EC + case EVP_PKEY_EC: + { + int r = EC_POINT_cmp(b->pkey.eckey->group, + b->pkey.eckey->pub_key,a->pkey.eckey->pub_key,NULL); + if (r != 0) + { + if (r == 1) + return 0; + else + return -2; + } + } + break; +#endif +#ifndef OPENSSL_NO_DH + case EVP_PKEY_DH: + return -2; +#endif + default: + return -2; + } + + return 1; + } + EVP_PKEY *EVP_PKEY_new(void) { EVP_PKEY *ret; diff --git a/crypto/evp/p_open.c b/crypto/evp/p_open.c index 5a933d1cda..bc3940847d 100644 --- a/crypto/evp/p_open.c +++ b/crypto/evp/p_open.c @@ -56,9 +56,11 @@ * [including the GNU Public Licence.] */ -#ifndef OPENSSL_NO_RSA #include <stdio.h> #include "cryptlib.h" + +#ifndef OPENSSL_NO_RSA + #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/x509.h> diff --git a/crypto/hmac/hmac.h b/crypto/hmac/hmac.h index 0364a1fcbd..72077ad19e 100644 --- a/crypto/hmac/hmac.h +++ b/crypto/hmac/hmac.h @@ -58,6 +58,8 @@ #ifndef HEADER_HMAC_H #define HEADER_HMAC_H +#include <openssl/opensslconf.h> + #ifdef OPENSSL_NO_HMAC #error HMAC is disabled. #endif diff --git a/crypto/idea/idea.h b/crypto/idea/idea.h index 67132414ee..5782e54b0f 100644 --- a/crypto/idea/idea.h +++ b/crypto/idea/idea.h @@ -59,6 +59,8 @@ #ifndef HEADER_IDEA_H #define HEADER_IDEA_H +#include <openssl/opensslconf.h> /* IDEA_INT, OPENSSL_NO_IDEA */ + #ifdef OPENSSL_NO_IDEA #error IDEA is disabled. #endif @@ -66,7 +68,6 @@ #define IDEA_ENCRYPT 1 #define IDEA_DECRYPT 0 -#include <openssl/opensslconf.h> /* IDEA_INT */ #define IDEA_BLOCK 8 #define IDEA_KEY_LENGTH 16 diff --git a/crypto/lhash/lhash.h b/crypto/lhash/lhash.h index dee8207333..7c1d486425 100644 --- a/crypto/lhash/lhash.h +++ b/crypto/lhash/lhash.h @@ -63,6 +63,7 @@ #ifndef HEADER_LHASH_H #define HEADER_LHASH_H +#include <openssl/e_os2.h> #ifndef OPENSSL_NO_FP_API #include <stdio.h> #endif diff --git a/crypto/md2/md2.h b/crypto/md2/md2.h index ad9241455c..6fcb9b1bdc 100644 --- a/crypto/md2/md2.h +++ b/crypto/md2/md2.h @@ -59,13 +59,13 @@ #ifndef HEADER_MD2_H #define HEADER_MD2_H +#include <openssl/opensslconf.h> /* OPENSSL_NO_MD2, MD2_INT */ #ifdef OPENSSL_NO_MD2 #error MD2 is disabled. #endif #define MD2_DIGEST_LENGTH 16 #define MD2_BLOCK 16 -#include <openssl/opensslconf.h> /* MD2_INT */ #ifdef __cplusplus extern "C" { diff --git a/crypto/md2/md2test.c b/crypto/md2/md2test.c index d2f6dce97f..901d0a7d8e 100644 --- a/crypto/md2/md2test.c +++ b/crypto/md2/md2test.c @@ -125,7 +125,6 @@ int main(int argc, char *argv[]) P++; } EXIT(err); - return(0); } static char *pt(unsigned char *md) diff --git a/crypto/md5/asm/.cvsignore b/crypto/md5/asm/.cvsignore index 085a1b1a96..5dd0091ca7 100644 --- a/crypto/md5/asm/.cvsignore +++ b/crypto/md5/asm/.cvsignore @@ -1 +1,2 @@ mx86unix.cpp +mx86-elf.s diff --git a/crypto/md5/md5.h b/crypto/md5/md5.h index cfdbf03fe1..a252e02115 100644 --- a/crypto/md5/md5.h +++ b/crypto/md5/md5.h @@ -78,7 +78,7 @@ extern "C" { #if defined(OPENSSL_SYS_WIN16) || defined(__LP32__) #define MD5_LONG unsigned long -#elif defined(OENSSL_SYS_CRAY) || defined(__ILP64__) +#elif defined(OPENSSL_SYS_CRAY) || defined(__ILP64__) #define MD5_LONG unsigned long #define MD5_LONG_LOG2 3 /* diff --git a/crypto/mem.c b/crypto/mem.c index 73bcdb6527..acfe5c7cf3 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -265,6 +265,8 @@ void *CRYPTO_malloc_locked(int num, const char *file, int line) void *ret = NULL; extern unsigned char cleanse_ctr; + if (num < 0) return NULL; + allow_customize = 0; if (malloc_debug_func != NULL) { @@ -304,6 +306,8 @@ void *CRYPTO_malloc(int num, const char *file, int line) void *ret = NULL; extern unsigned char cleanse_ctr; + if (num < 0) return NULL; + allow_customize = 0; if (malloc_debug_func != NULL) { @@ -332,6 +336,9 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line) if (str == NULL) return CRYPTO_malloc(num, file, line); + + if (num < 0) return NULL; + if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret = realloc_ex_func(str,num,file,line); @@ -351,6 +358,9 @@ void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, if (str == NULL) return CRYPTO_malloc(num, file, line); + + if (num < 0) return NULL; + if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret=malloc_ex_func(num,file,line); diff --git a/crypto/o_time.c b/crypto/o_time.c index 1bc0297b36..723eb1b5af 100644 --- a/crypto/o_time.c +++ b/crypto/o_time.c @@ -80,6 +80,9 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result) ts = result; #elif !defined(OPENSSL_SYS_VMS) ts = gmtime(timer); + if (ts == NULL) + return NULL; + memcpy(result, ts, sizeof(struct tm)); ts = result; #endif diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 56e6d87422..c16ff85819 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 718 -#define NUM_SN 713 -#define NUM_LN 713 -#define NUM_OBJ 687 +#define NUM_NID 721 +#define NUM_SN 716 +#define NUM_LN 716 +#define NUM_OBJ 690 -static unsigned char lvalues[4869]={ +static unsigned char lvalues[4879]={ 0x00, /* [ 0] OBJ_undef */ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */ @@ -755,6 +755,9 @@ static unsigned char lvalues[4869]={ 0x67,0x2B,0x0D,0x04,0x0C, /* [4843] OBJ_wap_wsg_idm_ecid_wtls12 */ 0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x02,/* [4848] OBJ_ms_smartcard_login */ 0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,/* [4858] OBJ_ms_upn */ +0x55,0x1D,0x20,0x00, /* [4868] OBJ_any_policy */ +0x55,0x1D,0x21, /* [4872] OBJ_policy_mappings */ +0x55,0x1D,0x1E, /* [4875] OBJ_name_constraints */ }; static ASN1_OBJECT nid_objs[NUM_NID]={ @@ -1879,6 +1882,11 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ 10,&(lvalues[4848]),0}, {"msUPN","Microsoft Universal Principal Name",NID_ms_upn,10, &(lvalues[4858]),0}, +{"anyPolicy","X509v3 Any Policy",NID_any_policy,4,&(lvalues[4868]),0}, +{"policyMappings","X509v3 Policy Mappings",NID_policy_mappings,3, + &(lvalues[4872]),0}, +{"nameConstraints","X509v3 Name Constraints",NID_name_constraints,3, + &(lvalues[4875]),0}, }; static ASN1_OBJECT *sn_objs[NUM_SN]={ @@ -2019,6 +2027,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[363]),/* "ad_timestamping" */ &(nid_objs[376]),/* "algorithm" */ &(nid_objs[405]),/* "ansi-X9-62" */ +&(nid_objs[718]),/* "anyPolicy" */ &(nid_objs[370]),/* "archiveCutoff" */ &(nid_objs[484]),/* "associatedDomain" */ &(nid_objs[485]),/* "associatedName" */ @@ -2314,6 +2323,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[717]),/* "msUPN" */ &(nid_objs[481]),/* "nSRecord" */ &(nid_objs[173]),/* "name" */ +&(nid_objs[720]),/* "nameConstraints" */ &(nid_objs[369]),/* "noCheck" */ &(nid_objs[403]),/* "noRevAvail" */ &(nid_objs[72]),/* "nsBaseUrl" */ @@ -2361,6 +2371,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[151]),/* "pkcs8ShroudedKeyBag" */ &(nid_objs[47]),/* "pkcs9" */ &(nid_objs[401]),/* "policyConstraints" */ +&(nid_objs[719]),/* "policyMappings" */ &(nid_objs[506]),/* "ppBasis" */ &(nid_objs[406]),/* "prime-field" */ &(nid_objs[409]),/* "prime192v1" */ @@ -2679,6 +2690,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[375]),/* "Trust Root" */ &(nid_objs[12]),/* "X509" */ &(nid_objs[402]),/* "X509v3 AC Targeting" */ +&(nid_objs[718]),/* "X509v3 Any Policy" */ &(nid_objs[90]),/* "X509v3 Authority Key Identifier" */ &(nid_objs[87]),/* "X509v3 Basic Constraints" */ &(nid_objs[103]),/* "X509v3 CRL Distribution Points" */ @@ -2689,8 +2701,10 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[126]),/* "X509v3 Extended Key Usage" */ &(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */ &(nid_objs[83]),/* "X509v3 Key Usage" */ +&(nid_objs[720]),/* "X509v3 Name Constraints" */ &(nid_objs[403]),/* "X509v3 No Revocation Available" */ &(nid_objs[401]),/* "X509v3 Policy Constraints" */ +&(nid_objs[719]),/* "X509v3 Policy Mappings" */ &(nid_objs[84]),/* "X509v3 Private Key Usage Period" */ &(nid_objs[85]),/* "X509v3 Subject Alternative Name" */ &(nid_objs[82]),/* "X509v3 Subject Key Identifier" */ @@ -3319,8 +3333,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[434]),/* OBJ_data 0 9 */ &(nid_objs[181]),/* OBJ_iso 1 */ &(nid_objs[182]),/* OBJ_member_body 1 2 */ -&(nid_objs[379]),/* OBJ_org 1 3 */ &(nid_objs[527]),/* OBJ_identified_organization 1 3 */ +&(nid_objs[379]),/* OBJ_org 1 3 */ &(nid_objs[393]),/* OBJ_joint_iso_ccitt 2 */ &(nid_objs[11]),/* OBJ_X500 2 5 */ &(nid_objs[380]),/* OBJ_dod 1 3 6 */ @@ -3363,8 +3377,10 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[430]),/* OBJ_hold_instruction_code 2 5 29 23 */ &(nid_objs[142]),/* OBJ_invalidity_date 2 5 29 24 */ &(nid_objs[140]),/* OBJ_delta_crl 2 5 29 27 */ +&(nid_objs[720]),/* OBJ_name_constraints 2 5 29 30 */ &(nid_objs[103]),/* OBJ_crl_distribution_points 2 5 29 31 */ &(nid_objs[89]),/* OBJ_certificate_policies 2 5 29 32 */ +&(nid_objs[719]),/* OBJ_policy_mappings 2 5 29 33 */ &(nid_objs[90]),/* OBJ_authority_key_identifier 2 5 29 35 */ &(nid_objs[401]),/* OBJ_policy_constraints 2 5 29 36 */ &(nid_objs[126]),/* OBJ_ext_key_usage 2 5 29 37 */ @@ -3389,6 +3405,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[19]),/* OBJ_rsa 2 5 8 1 1 */ &(nid_objs[96]),/* OBJ_mdc2WithRSA 2 5 8 3 100 */ &(nid_objs[95]),/* OBJ_mdc2 2 5 8 3 101 */ +&(nid_objs[718]),/* OBJ_any_policy 2 5 29 32 0 */ &(nid_objs[583]),/* OBJ_setct_PANData 2 23 42 0 0 */ &(nid_objs[584]),/* OBJ_setct_PANToken 2 23 42 0 1 */ &(nid_objs[585]),/* OBJ_setct_PANOnly 2 23 42 0 2 */ diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h index 990e18113a..9417e8c7c9 100644 --- a/crypto/objects/obj_mac.h +++ b/crypto/objects/obj_mac.h @@ -2031,6 +2031,11 @@ #define NID_delta_crl 140 #define OBJ_delta_crl OBJ_id_ce,27L +#define SN_name_constraints "nameConstraints" +#define LN_name_constraints "X509v3 Name Constraints" +#define NID_name_constraints 720 +#define OBJ_name_constraints OBJ_id_ce,30L + #define SN_crl_distribution_points "crlDistributionPoints" #define LN_crl_distribution_points "X509v3 CRL Distribution Points" #define NID_crl_distribution_points 103 @@ -2041,6 +2046,16 @@ #define NID_certificate_policies 89 #define OBJ_certificate_policies OBJ_id_ce,32L +#define SN_any_policy "anyPolicy" +#define LN_any_policy "X509v3 Any Policy" +#define NID_any_policy 718 +#define OBJ_any_policy OBJ_certificate_policies,0L + +#define SN_policy_mappings "policyMappings" +#define LN_policy_mappings "X509v3 Policy Mappings" +#define NID_policy_mappings 719 +#define OBJ_policy_mappings OBJ_id_ce,33L + #define SN_authority_key_identifier "authorityKeyIdentifier" #define LN_authority_key_identifier "X509v3 Authority Key Identifier" #define NID_authority_key_identifier 90 diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index 81936507e8..e84922d458 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -715,3 +715,6 @@ wap_wsg_idm_ecid_wtls11 714 wap_wsg_idm_ecid_wtls12 715 ms_smartcard_login 716 ms_upn 717 +any_policy 718 +policy_mappings 719 +name_constraints 720 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 8ec0484c76..feeed99b57 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -658,10 +658,16 @@ id-ce 21 : CRLReason : X509v3 CRL Reason Code id-ce 24 : invalidityDate : Invalidity Date !Cname delta-crl id-ce 27 : deltaCRL : X509v3 Delta CRL Indicator +!Cname name-constraints +id-ce 30 : nameConstraints : X509v3 Name Constraints !Cname crl-distribution-points id-ce 31 : crlDistributionPoints : X509v3 CRL Distribution Points !Cname certificate-policies id-ce 32 : certificatePolicies : X509v3 Certificate Policies +!Cname any-policy +certificate-policies 0 : anyPolicy : X509v3 Any Policy +!Cname policy-mappings +id-ce 33 : policyMappings : X509v3 Policy Mappings !Cname authority-key-identifier id-ce 35 : authorityKeyIdentifier : X509v3 Authority Key Identifier !Cname policy-constraints diff --git a/crypto/ocsp/ocsp_ht.c b/crypto/ocsp/ocsp_ht.c index 357709a843..9213e58ae4 100644 --- a/crypto/ocsp/ocsp_ht.c +++ b/crypto/ocsp/ocsp_ht.c @@ -110,7 +110,7 @@ Content-Length: %d\r\n\r\n"; } /* Parse the HTTP response. This will look like this: * "HTTP/1.0 200 OK". We need to obtain the numeric code and - * informational message. + * (optional) informational message. */ /* Skip to first white space (passed protocol info) */ @@ -138,13 +138,19 @@ Content-Length: %d\r\n\r\n"; if(*r) goto err; /* Skip over any leading white space in message */ while(*q && isspace((unsigned char)*q)) q++; - if(!*q) goto err; + if(*q) { /* Finally zap any trailing white space in message (include CRLF) */ /* We know q has a non white space character so this is OK */ - for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0; + for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0; + } if(retcode != 200) { OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_ERROR); - ERR_add_error_data(4, "Code=", p, ",Reason=", q); + if(!*q) { + ERR_add_error_data(2, "Code=", p); + } + else { + ERR_add_error_data(4, "Code=", p, ",Reason=", q); + } goto err; } /* Find blank line marking beginning of content */ diff --git a/crypto/ocsp/ocsp_prn.c b/crypto/ocsp/ocsp_prn.c index 4b7bc28769..3dfb51c1e4 100644 --- a/crypto/ocsp/ocsp_prn.c +++ b/crypto/ocsp/ocsp_prn.c @@ -194,7 +194,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags) if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err; l=ASN1_ENUMERATED_get(o->responseStatus); - if (BIO_printf(bp," OCSP Response Status: %s (0x%x)\n", + if (BIO_printf(bp," OCSP Response Status: %s (0x%lx)\n", OCSP_response_status_str(l), l) <= 0) goto err; if (rb == NULL) return 1; if (BIO_puts(bp," Response Type: ") <= 0) @@ -252,7 +252,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags) { l=ASN1_ENUMERATED_get(rev->revocationReason); if (BIO_printf(bp, - "\n Revocation Reason: %s (0x%x)", + "\n Revocation Reason: %s (0x%lx)", OCSP_crl_reason_str(l), l) <= 0) goto err; } diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h index 02dd9f2b67..57a2cfe92c 100644 --- a/crypto/pem/pem.h +++ b/crypto/pem/pem.h @@ -59,6 +59,7 @@ #ifndef HEADER_PEM_H #define HEADER_PEM_H +#include <openssl/e_os2.h> #ifndef OPENSSL_NO_BIO #include <openssl/bio.h> #endif @@ -68,7 +69,6 @@ #include <openssl/evp.h> #include <openssl/x509.h> #include <openssl/pem2.h> -#include <openssl/e_os2.h> #ifdef __cplusplus extern "C" { diff --git a/crypto/perlasm/x86ms.pl b/crypto/perlasm/x86ms.pl index abcb7c1303..35f1a4ddb9 100644 --- a/crypto/perlasm/x86ms.pl +++ b/crypto/perlasm/x86ms.pl @@ -367,4 +367,10 @@ sub out1p push(@out,"\t$name\t ".&conv($p1)."\n"); } +sub main'picmeup + { + local($dst,$sym)=@_; + &main'lea($dst,&main'DWP($sym)); + } + sub main'blindpop { &out1("pop",@_); } diff --git a/crypto/perlasm/x86nasm.pl b/crypto/perlasm/x86nasm.pl index 796556159c..f30b7466d4 100644 --- a/crypto/perlasm/x86nasm.pl +++ b/crypto/perlasm/x86nasm.pl @@ -344,4 +344,10 @@ sub out1p push(@out,"\t$name\t ".&conv($p1)."\n"); } +sub main'picmeup + { + local($dst,$sym)=@_; + &main'lea($dst,&main'DWP($sym)); + } + sub main'blindpop { &out1("pop",@_); } diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c index a549433eeb..af708a2743 100644 --- a/crypto/pkcs12/p12_npas.c +++ b/crypto/pkcs12/p12_npas.c @@ -107,7 +107,7 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass) { STACK_OF(PKCS7) *asafes, *newsafes; STACK_OF(PKCS12_SAFEBAG) *bags; - int i, bagnid, pbe_nid, pbe_iter, pbe_saltlen; + int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0; PKCS7 *p7, *p7new; ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL; unsigned char mac[EVP_MAX_MD_SIZE]; diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c index 5100c84b88..431aff94f0 100644 --- a/crypto/pkcs7/pk7_mime.c +++ b/crypto/pkcs7/pk7_mime.c @@ -1,9 +1,9 @@ /* pk7_mime.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL - * project 1999. + * project. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -86,6 +86,7 @@ STACK_OF(MIME_PARAM) *params; /* Zero or more parameters */ DECLARE_STACK_OF(MIME_HEADER) IMPLEMENT_STACK_OF(MIME_HEADER) +static int pkcs7_output_data(BIO *bio, BIO *data, PKCS7 *p7, int flags); static int B64_write_PKCS7(BIO *bio, PKCS7 *p7); static PKCS7 *B64_read_PKCS7(BIO *bio); static char * strip_ends(char *name); @@ -150,7 +151,6 @@ static PKCS7 *B64_read_PKCS7(BIO *bio) int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) { - char linebuf[MAX_SMLEN]; char bound[33], c; int i; if((flags & PKCS7_DETACHED) && data) { @@ -171,9 +171,9 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) BIO_printf(bio, "This is an S/MIME signed message\n\n"); /* Now write out the first part */ BIO_printf(bio, "------%s\r\n", bound); - if(flags & PKCS7_TEXT) BIO_printf(bio, "Content-Type: text/plain\n\n"); - while((i = BIO_read(data, linebuf, MAX_SMLEN)) > 0) - BIO_write(bio, linebuf, i); + + pkcs7_output_data(bio, data, p7, flags); + BIO_printf(bio, "\n------%s\n", bound); /* Headers for signature */ @@ -195,6 +195,47 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) return 1; } +/* Handle output of PKCS#7 data */ + + +static int pkcs7_output_data(BIO *out, BIO *data, PKCS7 *p7, int flags) + { + BIO *tmpbio, *p7bio; + + if (!(flags & PKCS7_STREAM)) + { + SMIME_crlf_copy(data, out, flags); + return 1; + } + + /* Partial sign operation */ + + /* Initialize sign operation */ + p7bio = PKCS7_dataInit(p7, out); + + /* Copy data across, computing digests etc */ + SMIME_crlf_copy(data, p7bio, flags); + + /* Must be detached */ + PKCS7_set_detached(p7, 1); + + /* Finalize signatures */ + PKCS7_dataFinal(p7, p7bio); + + /* Now remove any digests from output BIO */ + + while (1) + { + tmpbio = BIO_pop(p7bio); + if (tmpbio == out) + break; + BIO_free(tmpbio); + } + + return 1; + + } + /* SMIME reader: handle multipart/signed and opaque signing. * in multipart case the content is placed in a memory BIO * pointed to by "bcont". In opaque this is set to NULL @@ -314,7 +355,8 @@ int SMIME_crlf_copy(BIO *in, BIO *out, int flags) BIO_write(out, linebuf, len); return 1; } - if(flags & PKCS7_TEXT) BIO_printf(out, "Content-Type: text/plain\r\n\r\n"); + if(flags & PKCS7_TEXT) + BIO_printf(out, "Content-Type: text/plain\r\n\r\n"); while ((len = BIO_gets(in, linebuf, MAX_SMLEN)) > 0) { eol = 0; while(iscrlf(linebuf[len - 1])) { diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index f0d071e282..333a8aa38d 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -1,9 +1,9 @@ /* pk7_smime.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL - * project 1999. + * project. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -97,14 +97,6 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, PKCS7_add_certificate(p7, sk_X509_value(certs, i)); } - if(!(p7bio = PKCS7_dataInit(p7, NULL))) { - PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE); - return NULL; - } - - - SMIME_crlf_copy(data, p7bio, flags); - if(!(flags & PKCS7_NOATTR)) { PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)); @@ -133,6 +125,16 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, } } + if (flags & PKCS7_STREAM) + return p7; + + if (!(p7bio = PKCS7_dataInit(p7, NULL))) { + PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE); + return NULL; + } + + SMIME_crlf_copy(data, p7bio, flags); + if(flags & PKCS7_DETACHED)PKCS7_set_detached(p7, 1); if (!PKCS7_dataFinal(p7,p7bio)) { diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h index 226fb64348..e6f6572666 100644 --- a/crypto/pkcs7/pkcs7.h +++ b/crypto/pkcs7/pkcs7.h @@ -260,6 +260,7 @@ DECLARE_PKCS12_STACK_OF(PKCS7) #define PKCS7_BINARY 0x80 #define PKCS7_NOATTR 0x100 #define PKCS7_NOSMIMECAP 0x200 +#define PKCS7_STREAM 0x400 /* Flags: for compatibility with older code */ diff --git a/crypto/rand/rand.h b/crypto/rand/rand.h index 66e39991ec..606382dd21 100644 --- a/crypto/rand/rand.h +++ b/crypto/rand/rand.h @@ -87,7 +87,9 @@ extern int rand_predictable; int RAND_set_rand_method(const RAND_METHOD *meth); const RAND_METHOD *RAND_get_rand_method(void); +#ifndef OPENSSL_NO_ENGINE int RAND_set_rand_engine(ENGINE *engine); +#endif RAND_METHOD *RAND_SSLeay(void); void RAND_cleanup(void ); int RAND_bytes(unsigned char *buf,int num); diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 5cf5dc1188..513e338985 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -60,19 +60,25 @@ #include <time.h> #include "cryptlib.h" #include <openssl/rand.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif +#ifndef OPENSSL_NO_ENGINE /* non-NULL if default_RAND_meth is ENGINE-provided */ static ENGINE *funct_ref =NULL; +#endif static const RAND_METHOD *default_RAND_meth = NULL; int RAND_set_rand_method(const RAND_METHOD *meth) { +#ifndef OPENSSL_NO_ENGINE if(funct_ref) { ENGINE_finish(funct_ref); funct_ref = NULL; } +#endif default_RAND_meth = meth; return 1; } @@ -81,6 +87,7 @@ const RAND_METHOD *RAND_get_rand_method(void) { if (!default_RAND_meth) { +#ifndef OPENSSL_NO_ENGINE ENGINE *e = ENGINE_get_default_RAND(); if(e) { @@ -94,11 +101,13 @@ const RAND_METHOD *RAND_get_rand_method(void) if(e) funct_ref = e; else +#endif default_RAND_meth = RAND_SSLeay(); } return default_RAND_meth; } +#ifndef OPENSSL_NO_ENGINE int RAND_set_rand_engine(ENGINE *engine) { const RAND_METHOD *tmp_meth = NULL; @@ -118,6 +127,7 @@ int RAND_set_rand_engine(ENGINE *engine) funct_ref = engine; return 1; } +#endif void RAND_cleanup(void) { diff --git a/crypto/rc2/rc2.h b/crypto/rc2/rc2.h index 7816b454dc..34c8362317 100644 --- a/crypto/rc2/rc2.h +++ b/crypto/rc2/rc2.h @@ -59,6 +59,7 @@ #ifndef HEADER_RC2_H #define HEADER_RC2_H +#include <openssl/opensslconf.h> /* OPENSSL_NO_RC2, RC2_INT */ #ifdef OPENSSL_NO_RC2 #error RC2 is disabled. #endif @@ -66,7 +67,6 @@ #define RC2_ENCRYPT 1 #define RC2_DECRYPT 0 -#include <openssl/opensslconf.h> /* RC2_INT */ #define RC2_BLOCK 8 #define RC2_KEY_LENGTH 16 diff --git a/crypto/rc4/asm/.cvsignore b/crypto/rc4/asm/.cvsignore index 0ec20dc6ff..b261702507 100644 --- a/crypto/rc4/asm/.cvsignore +++ b/crypto/rc4/asm/.cvsignore @@ -1 +1,2 @@ rx86unix.cpp +rx86-elf.s diff --git a/crypto/rc4/rc4.h b/crypto/rc4/rc4.h index 8722091f2e..7aec04fe93 100644 --- a/crypto/rc4/rc4.h +++ b/crypto/rc4/rc4.h @@ -59,12 +59,11 @@ #ifndef HEADER_RC4_H #define HEADER_RC4_H +#include <openssl/opensslconf.h> /* OPENSSL_NO_RC4, RC4_INT */ #ifdef OPENSSL_NO_RC4 #error RC4 is disabled. #endif -#include <openssl/opensslconf.h> /* RC4_INT */ - #ifdef __cplusplus extern "C" { #endif diff --git a/crypto/rc5/Makefile.ssl b/crypto/rc5/Makefile.ssl index 3ad6655946..fcdeb1e81e 100644 --- a/crypto/rc5/Makefile.ssl +++ b/crypto/rc5/Makefile.ssl @@ -99,9 +99,13 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. -rc5_ecb.o: ../../include/openssl/opensslv.h ../../include/openssl/rc5.h -rc5_ecb.o: rc5_ecb.c rc5_locl.h -rc5_enc.o: ../../include/openssl/rc5.h rc5_enc.c rc5_locl.h -rc5_skey.o: ../../include/openssl/rc5.h rc5_locl.h rc5_skey.c -rc5cfb64.o: ../../include/openssl/rc5.h rc5_locl.h rc5cfb64.c -rc5ofb64.o: ../../include/openssl/rc5.h rc5_locl.h rc5ofb64.c +rc5_ecb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +rc5_ecb.o: ../../include/openssl/rc5.h rc5_ecb.c rc5_locl.h +rc5_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc5.h +rc5_enc.o: rc5_enc.c rc5_locl.h +rc5_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc5.h +rc5_skey.o: rc5_locl.h rc5_skey.c +rc5cfb64.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc5.h +rc5cfb64.o: rc5_locl.h rc5cfb64.c +rc5ofb64.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc5.h +rc5ofb64.o: rc5_locl.h rc5ofb64.c diff --git a/crypto/rc5/asm/.cvsignore b/crypto/rc5/asm/.cvsignore index f60a6a8d65..855415c90e 100644 --- a/crypto/rc5/asm/.cvsignore +++ b/crypto/rc5/asm/.cvsignore @@ -1 +1,2 @@ r586unix.cpp +r586-elf.s diff --git a/crypto/rc5/rc5.h b/crypto/rc5/rc5.h index 4adfd2db5a..4b3c153b50 100644 --- a/crypto/rc5/rc5.h +++ b/crypto/rc5/rc5.h @@ -59,6 +59,8 @@ #ifndef HEADER_RC5_H #define HEADER_RC5_H +#include <openssl/opensslconf.h> /* OPENSSL_NO_RC5 */ + #ifdef __cplusplus extern "C" { #endif diff --git a/crypto/ripemd/asm/.cvsignore b/crypto/ripemd/asm/.cvsignore index 64d70dbf32..e18b24f965 100644 --- a/crypto/ripemd/asm/.cvsignore +++ b/crypto/ripemd/asm/.cvsignore @@ -1 +1,2 @@ rm86unix.cpp +rm86-elf.s diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h index b005b4b0b3..604fc26442 100644 --- a/crypto/rsa/rsa.h +++ b/crypto/rsa/rsa.h @@ -162,6 +162,11 @@ struct rsa_st #define RSA_FLAG_CACHE_PUBLIC 0x02 #define RSA_FLAG_CACHE_PRIVATE 0x04 #define RSA_FLAG_BLINDING 0x08 +#define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in + * RSA implementation now uses blinding by + * default (ignoring RSA_FLAG_BLINDING), + * but other engines might not need it + */ #define RSA_FLAG_THREAD_SAFE 0x10 /* This flag means the private key operations will be handled by rsa_mod_exp * and that they do not depend on the private key components being present: @@ -174,6 +179,8 @@ struct rsa_st */ #define RSA_FLAG_SIGN_VER 0x40 +#define RSA_FLAG_NO_BLINDING 0x80 + #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 #define RSA_NO_PADDING 3 diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index cab34847df..ad6ccf634d 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -61,7 +61,9 @@ #include <openssl/bn.h> #include <openssl/rsa.h> #include <openssl/rand.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif #ifndef RSA_NULL @@ -98,6 +100,43 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void) return(&rsa_pkcs1_eay_meth); } +/* Static helper to reduce oodles of code duplication. As a slight + * optimisation, the "MONT_HELPER() macro must be used as front-end to this + * function, to prevent unnecessary function calls - there is an initial test + * that is performed by the macro-generated code. */ +static int rsa_eay_mont_helper(BN_MONT_CTX **ptr, const BIGNUM *modulus, BN_CTX *ctx) + { + BN_MONT_CTX *bn_mont_ctx; + if((bn_mont_ctx = BN_MONT_CTX_new()) == NULL) + return 0; + if(!BN_MONT_CTX_set(bn_mont_ctx, modulus, ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + return 0; + } + if (*ptr == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (*ptr == NULL) /* check again in the lock to stop races */ + { + *ptr = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); + return 1; + } +/* Usage example; + * MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); + */ +#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \ + if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \ + !rsa_eay_mont_helper(&((rsa)->_method_mod_##m), \ + (rsa)->m, (ctx))) \ + err_instr + static int RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { @@ -147,30 +186,8 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, goto err; } - if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) - { - BN_MONT_CTX* bn_mont_ctx; - if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) - goto err; - if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) - { - BN_MONT_CTX_free(bn_mont_ctx); - goto err; - } - if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ - { - CRYPTO_w_lock(CRYPTO_LOCK_RSA); - if (rsa->_method_mod_n == NULL) - { - rsa->_method_mod_n = bn_mont_ctx; - bn_mont_ctx = NULL; - } - CRYPTO_w_unlock(CRYPTO_LOCK_RSA); - } - if (bn_mont_ctx) - BN_MONT_CTX_free(bn_mont_ctx); - } - + MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); + if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) goto err; @@ -194,6 +211,59 @@ err: return(r); } +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) + { + int ret = 1; + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + /* Check again inside the lock - the macro's check is racey */ + if(rsa->blinding == NULL) + ret = RSA_blinding_on(rsa, ctx); + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + return ret; + } + +#define BLINDING_HELPER(rsa, ctx, err_instr) \ + do { \ + if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ + ((rsa)->blinding == NULL) && \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ + } while(0) + +static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) + { + BIGNUM *A, *Ai; + BN_BLINDING *ret = NULL; + + /* added in OpenSSL 0.9.6j and 0.9.7b */ + + /* NB: similar code appears in RSA_blinding_on (rsa_lib.c); + * this should be placed in a new function of its own, but for reasons + * of binary compatibility can't */ + + BN_CTX_start(ctx); + A = BN_CTX_get(ctx); + if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) + { + /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ + RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); + if (!BN_pseudo_rand_range(A,rsa->n)) goto err; + } + else + { + if (!BN_rand_range(A,rsa->n)) goto err; + } + if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; + + if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) + goto err; + ret = BN_BLINDING_new(A,Ai,rsa->n); + BN_free(Ai); +err: + BN_CTX_end(ctx); + return ret; + } + /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -202,6 +272,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, int i,j,k,num=0,r= -1; unsigned char *buf=NULL; BN_CTX *ctx=NULL; + int local_blinding = 0; + BN_BLINDING *blinding = NULL; BN_init(&f); BN_init(&ret); @@ -238,10 +310,39 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, goto err; } - if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) - RSA_blinding_on(rsa,ctx); - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; + BLINDING_HELPER(rsa, ctx, goto err;); + blinding = rsa->blinding; + + /* Now unless blinding is disabled, 'blinding' is non-NULL. + * But the BN_BLINDING object may be owned by some other thread + * (we don't want to keep it constant and we don't want to use + * lots of locking to avoid race conditions, so only a single + * thread can use it; other threads have to use local blinding + * factors) */ + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) + { + if (blinding == NULL) + { + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); + goto err; + } + } + + if (blinding != NULL) + { + if (blinding->thread_id != CRYPTO_thread_id()) + { + /* we need a local one-time blinding factor */ + + blinding = setup_blinding(rsa, ctx); + if (blinding == NULL) + goto err; + local_blinding = 1; + } + } + + if (blinding) + if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || ((rsa->p != NULL) && @@ -252,11 +353,13 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } else { - if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; + MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); + if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx, + rsa->_method_mod_n)) goto err; } - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; + if (blinding) + if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; /* put in leading 0 bytes if the number is less than the * length of the modulus */ @@ -270,6 +373,8 @@ err: if (ctx != NULL) BN_CTX_free(ctx); BN_clear_free(&ret); BN_clear_free(&f); + if (local_blinding) + BN_BLINDING_free(blinding); if (buf != NULL) { OPENSSL_cleanse(buf,num); @@ -286,6 +391,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *p; unsigned char *buf=NULL; BN_CTX *ctx=NULL; + int local_blinding = 0; + BN_BLINDING *blinding = NULL; BN_init(&f); BN_init(&ret); @@ -317,10 +424,39 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, goto err; } - if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) - RSA_blinding_on(rsa,ctx); - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; + BLINDING_HELPER(rsa, ctx, goto err;); + blinding = rsa->blinding; + + /* Now unless blinding is disabled, 'blinding' is non-NULL. + * But the BN_BLINDING object may be owned by some other thread + * (we don't want to keep it constant and we don't want to use + * lots of locking to avoid race conditions, so only a single + * thread can use it; other threads have to use local blinding + * factors) */ + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) + { + if (blinding == NULL) + { + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); + goto err; + } + } + + if (blinding != NULL) + { + if (blinding->thread_id != CRYPTO_thread_id()) + { + /* we need a local one-time blinding factor */ + + blinding = setup_blinding(rsa, ctx); + if (blinding == NULL) + goto err; + local_blinding = 1; + } + } + + if (blinding) + if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; /* do the decrypt */ if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || @@ -332,12 +468,14 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } else { - if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) + MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); + if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx, + rsa->_method_mod_n)) goto err; } - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; + if (blinding) + if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; p=buf; j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ @@ -416,31 +554,8 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, goto err; } - /* do the decrypt */ - if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) - { - BN_MONT_CTX* bn_mont_ctx; - if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) - goto err; - if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) - { - BN_MONT_CTX_free(bn_mont_ctx); - goto err; - } - if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ - { - CRYPTO_w_lock(CRYPTO_LOCK_RSA); - if (rsa->_method_mod_n == NULL) - { - rsa->_method_mod_n = bn_mont_ctx; - bn_mont_ctx = NULL; - } - CRYPTO_w_unlock(CRYPTO_LOCK_RSA); - } - if (bn_mont_ctx) - BN_MONT_CTX_free(bn_mont_ctx); - } - + MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); + if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) goto err; @@ -485,57 +600,10 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) BN_init(&vrfy); if ((ctx=BN_CTX_new()) == NULL) goto err; - if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) - { - if (rsa->_method_mod_p == NULL) - { - BN_MONT_CTX* bn_mont_ctx; - if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) - goto err; - if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx)) - { - BN_MONT_CTX_free(bn_mont_ctx); - goto err; - } - if (rsa->_method_mod_p == NULL) /* other thread may have finished first */ - { - CRYPTO_w_lock(CRYPTO_LOCK_RSA); - if (rsa->_method_mod_p == NULL) - { - rsa->_method_mod_p = bn_mont_ctx; - bn_mont_ctx = NULL; - } - CRYPTO_w_unlock(CRYPTO_LOCK_RSA); - } - if (bn_mont_ctx) - BN_MONT_CTX_free(bn_mont_ctx); - } + MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); + MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); + MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); - if (rsa->_method_mod_q == NULL) - { - BN_MONT_CTX* bn_mont_ctx; - if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) - goto err; - if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx)) - { - BN_MONT_CTX_free(bn_mont_ctx); - goto err; - } - if (rsa->_method_mod_q == NULL) /* other thread may have finished first */ - { - CRYPTO_w_lock(CRYPTO_LOCK_RSA); - if (rsa->_method_mod_q == NULL) - { - rsa->_method_mod_q = bn_mont_ctx; - bn_mont_ctx = NULL; - } - CRYPTO_w_unlock(CRYPTO_LOCK_RSA); - } - if (bn_mont_ctx) - BN_MONT_CTX_free(bn_mont_ctx); - } - } - if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, rsa->_method_mod_q)) goto err; @@ -566,7 +634,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) if (rsa->e && rsa->n) { - if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; + if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; /* If 'I' was greater than (or equal to) rsa->n, the operation * will be equivalent to using 'I mod n'. However, the result of * the verify will *always* be less than 'n' so we don't check @@ -579,7 +647,8 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) /* 'I' and 'vrfy' aren't congruent mod n. Don't leak * miscalculated CRT output, just do a raw (slower) * mod_exp and return that instead. */ - if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err; + if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx, + rsa->_method_mod_n)) goto err; } ret=1; err: diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 93235744f7..3ebde4fd93 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -62,7 +62,9 @@ #include <openssl/lhash.h> #include <openssl/bn.h> #include <openssl/rsa.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT; @@ -70,7 +72,9 @@ static const RSA_METHOD *default_RSA_meth=NULL; RSA *RSA_new(void) { - return(RSA_new_method(NULL)); + RSA *r=RSA_new_method(NULL); + + return r; } void RSA_set_default_method(const RSA_METHOD *meth) @@ -108,11 +112,13 @@ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth) const RSA_METHOD *mtmp; mtmp = rsa->meth; if (mtmp->finish) mtmp->finish(rsa); +#ifndef OPENSSL_NO_ENGINE if (rsa->engine) { ENGINE_finish(rsa->engine); rsa->engine = NULL; } +#endif rsa->meth = meth; if (meth->init) meth->init(rsa); return 1; @@ -130,6 +136,7 @@ RSA *RSA_new_method(ENGINE *engine) } ret->meth = RSA_get_default_method(); +#ifndef OPENSSL_NO_ENGINE if (engine) { if (!ENGINE_init(engine)) @@ -154,6 +161,7 @@ RSA *RSA_new_method(ENGINE *engine) return NULL; } } +#endif ret->pad=0; ret->version=0; @@ -175,8 +183,10 @@ RSA *RSA_new_method(ENGINE *engine) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { +#ifndef OPENSSL_NO_ENGINE if (ret->engine) ENGINE_finish(ret->engine); +#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); OPENSSL_free(ret); ret=NULL; @@ -205,8 +215,10 @@ void RSA_free(RSA *r) if (r->meth->finish) r->meth->finish(r); +#ifndef OPENSSL_NO_ENGINE if (r->engine) ENGINE_finish(r->engine); +#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); @@ -297,7 +309,8 @@ void RSA_blinding_off(RSA *rsa) BN_BLINDING_free(rsa->blinding); rsa->blinding=NULL; } - rsa->flags&= ~RSA_FLAG_BLINDING; + rsa->flags &= ~RSA_FLAG_BLINDING; + rsa->flags |= RSA_FLAG_NO_BLINDING; } int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) @@ -316,15 +329,32 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) if (rsa->blinding != NULL) BN_BLINDING_free(rsa->blinding); + /* NB: similar code appears in setup_blinding (rsa_eay.c); + * this should be placed in a new function of its own, but for reasons + * of binary compatibility can't */ + BN_CTX_start(ctx); A = BN_CTX_get(ctx); - if (!BN_rand_range(A,rsa->n)) goto err; + if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) + { + /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ + RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); + if (!BN_pseudo_rand_range(A,rsa->n)) goto err; + } + else + { + if (!BN_rand_range(A,rsa->n)) goto err; + } if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) - goto err; - rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n); - rsa->flags|=RSA_FLAG_BLINDING; + goto err; + if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err; + /* to make things thread-safe without excessive locking, + * rsa->blinding will be used just by the current thread: */ + rsa->blinding->thread_id = CRYPTO_thread_id(); + rsa->flags |= RSA_FLAG_BLINDING; + rsa->flags &= ~RSA_FLAG_NO_BLINDING; BN_free(Ai); ret=1; err: diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 4ac2de3407..9dd62ac956 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -62,7 +62,9 @@ #include <openssl/rsa.h> #include <openssl/objects.h> #include <openssl/x509.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif /* Size of an SSL signature: MD5+SHA1 */ #define SSL_SIG_LENGTH 36 @@ -77,10 +79,12 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, const unsigned char *s = NULL; X509_ALGOR algor; ASN1_OCTET_STRING digest; +#ifndef OPENSSL_NO_ENGINE if((rsa->flags & RSA_FLAG_SIGN_VER) && ENGINE_get_RSA(rsa->engine)->rsa_sign) return ENGINE_get_RSA(rsa->engine)->rsa_sign(type, m, m_len, sigret, siglen, rsa); +#endif /* Special case: SSL signature, just check the length */ if(type == NID_md5_sha1) { if(m_len != SSL_SIG_LENGTH) { @@ -155,10 +159,12 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, return(0); } +#ifndef OPENSSL_NO_ENGINE if((rsa->flags & RSA_FLAG_SIGN_VER) && ENGINE_get_RSA(rsa->engine)->rsa_verify) return ENGINE_get_RSA(rsa->engine)->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa); +#endif s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen); if (s == NULL) diff --git a/crypto/rsa/rsa_test.c b/crypto/rsa/rsa_test.c index b8b462d33b..99abb1fde7 100644 --- a/crypto/rsa/rsa_test.c +++ b/crypto/rsa/rsa_test.c @@ -16,7 +16,9 @@ int main(int argc, char *argv[]) } #else #include <openssl/rsa.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif #define SetKey \ key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \ diff --git a/crypto/sha/asm/.cvsignore b/crypto/sha/asm/.cvsignore index 5e8206257c..748a54a4b5 100644 --- a/crypto/sha/asm/.cvsignore +++ b/crypto/sha/asm/.cvsignore @@ -1 +1,2 @@ sx86unix.cpp +sx86-elf.s diff --git a/crypto/stack/safestack.h b/crypto/stack/safestack.h index ed9ed2c23a..ecb2b8ffed 100644 --- a/crypto/stack/safestack.h +++ b/crypto/stack/safestack.h @@ -544,6 +544,26 @@ STACK_OF(type) \ #define sk_GENERAL_NAME_pop(st) SKM_sk_pop(GENERAL_NAME, (st)) #define sk_GENERAL_NAME_sort(st) SKM_sk_sort(GENERAL_NAME, (st)) +#define sk_GENERAL_SUBTREE_new(st) SKM_sk_new(GENERAL_SUBTREE, (st)) +#define sk_GENERAL_SUBTREE_new_null() SKM_sk_new_null(GENERAL_SUBTREE) +#define sk_GENERAL_SUBTREE_free(st) SKM_sk_free(GENERAL_SUBTREE, (st)) +#define sk_GENERAL_SUBTREE_num(st) SKM_sk_num(GENERAL_SUBTREE, (st)) +#define sk_GENERAL_SUBTREE_value(st, i) SKM_sk_value(GENERAL_SUBTREE, (st), (i)) +#define sk_GENERAL_SUBTREE_set(st, i, val) SKM_sk_set(GENERAL_SUBTREE, (st), (i), (val)) +#define sk_GENERAL_SUBTREE_zero(st) SKM_sk_zero(GENERAL_SUBTREE, (st)) +#define sk_GENERAL_SUBTREE_push(st, val) SKM_sk_push(GENERAL_SUBTREE, (st), (val)) +#define sk_GENERAL_SUBTREE_unshift(st, val) SKM_sk_unshift(GENERAL_SUBTREE, (st), (val)) +#define sk_GENERAL_SUBTREE_find(st, val) SKM_sk_find(GENERAL_SUBTREE, (st), (val)) +#define sk_GENERAL_SUBTREE_delete(st, i) SKM_sk_delete(GENERAL_SUBTREE, (st), (i)) +#define sk_GENERAL_SUBTREE_delete_ptr(st, ptr) SKM_sk_delete_ptr(GENERAL_SUBTREE, (st), (ptr)) +#define sk_GENERAL_SUBTREE_insert(st, val, i) SKM_sk_insert(GENERAL_SUBTREE, (st), (val), (i)) +#define sk_GENERAL_SUBTREE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(GENERAL_SUBTREE, (st), (cmp)) +#define sk_GENERAL_SUBTREE_dup(st) SKM_sk_dup(GENERAL_SUBTREE, st) +#define sk_GENERAL_SUBTREE_pop_free(st, free_func) SKM_sk_pop_free(GENERAL_SUBTREE, (st), (free_func)) +#define sk_GENERAL_SUBTREE_shift(st) SKM_sk_shift(GENERAL_SUBTREE, (st)) +#define sk_GENERAL_SUBTREE_pop(st) SKM_sk_pop(GENERAL_SUBTREE, (st)) +#define sk_GENERAL_SUBTREE_sort(st) SKM_sk_sort(GENERAL_SUBTREE, (st)) + #define sk_KRB5_APREQBODY_new(st) SKM_sk_new(KRB5_APREQBODY, (st)) #define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY) #define sk_KRB5_APREQBODY_free(st) SKM_sk_free(KRB5_APREQBODY, (st)) @@ -944,6 +964,26 @@ STACK_OF(type) \ #define sk_POLICYQUALINFO_pop(st) SKM_sk_pop(POLICYQUALINFO, (st)) #define sk_POLICYQUALINFO_sort(st) SKM_sk_sort(POLICYQUALINFO, (st)) +#define sk_POLICY_MAPPING_new(st) SKM_sk_new(POLICY_MAPPING, (st)) +#define sk_POLICY_MAPPING_new_null() SKM_sk_new_null(POLICY_MAPPING) +#define sk_POLICY_MAPPING_free(st) SKM_sk_free(POLICY_MAPPING, (st)) +#define sk_POLICY_MAPPING_num(st) SKM_sk_num(POLICY_MAPPING, (st)) +#define sk_POLICY_MAPPING_value(st, i) SKM_sk_value(POLICY_MAPPING, (st), (i)) +#define sk_POLICY_MAPPING_set(st, i, val) SKM_sk_set(POLICY_MAPPING, (st), (i), (val)) +#define sk_POLICY_MAPPING_zero(st) SKM_sk_zero(POLICY_MAPPING, (st)) +#define sk_POLICY_MAPPING_push(st, val) SKM_sk_push(POLICY_MAPPING, (st), (val)) +#define sk_POLICY_MAPPING_unshift(st, val) SKM_sk_unshift(POLICY_MAPPING, (st), (val)) +#define sk_POLICY_MAPPING_find(st, val) SKM_sk_find(POLICY_MAPPING, (st), (val)) +#define sk_POLICY_MAPPING_delete(st, i) SKM_sk_delete(POLICY_MAPPING, (st), (i)) +#define sk_POLICY_MAPPING_delete_ptr(st, ptr) SKM_sk_delete_ptr(POLICY_MAPPING, (st), (ptr)) +#define sk_POLICY_MAPPING_insert(st, val, i) SKM_sk_insert(POLICY_MAPPING, (st), (val), (i)) +#define sk_POLICY_MAPPING_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(POLICY_MAPPING, (st), (cmp)) +#define sk_POLICY_MAPPING_dup(st) SKM_sk_dup(POLICY_MAPPING, st) +#define sk_POLICY_MAPPING_pop_free(st, free_func) SKM_sk_pop_free(POLICY_MAPPING, (st), (free_func)) +#define sk_POLICY_MAPPING_shift(st) SKM_sk_shift(POLICY_MAPPING, (st)) +#define sk_POLICY_MAPPING_pop(st) SKM_sk_pop(POLICY_MAPPING, (st)) +#define sk_POLICY_MAPPING_sort(st) SKM_sk_sort(POLICY_MAPPING, (st)) + #define sk_SSL_CIPHER_new(st) SKM_sk_new(SSL_CIPHER, (st)) #define sk_SSL_CIPHER_new_null() SKM_sk_new_null(SSL_CIPHER) #define sk_SSL_CIPHER_free(st) SKM_sk_free(SSL_CIPHER, (st)) diff --git a/crypto/symhacks.h b/crypto/symhacks.h index c225602064..a40e4fa468 100644 --- a/crypto/symhacks.h +++ b/crypto/symhacks.h @@ -199,6 +199,8 @@ #define EC_GROUP_set_point_conversion_form EC_GROUP_set_point_conv_form #undef EC_GROUP_get_point_conversion_form #define EC_GROUP_get_point_conversion_form EC_GROUP_get_point_conv_form +#undef EC_GROUP_clear_free_all_extra_data +#define EC_GROUP_clear_free_all_extra_data EC_GROUP_clr_free_all_xtra_data #undef EC_POINT_set_Jprojective_coordinates_GFp #define EC_POINT_set_Jprojective_coordinates_GFp \ EC_POINT_set_Jproj_coords_GFp diff --git a/crypto/threads/mttest.c b/crypto/threads/mttest.c index 7142e4edc7..54d598565d 100644 --- a/crypto/threads/mttest.c +++ b/crypto/threads/mttest.c @@ -86,11 +86,6 @@ #include <openssl/err.h> #include <openssl/rand.h> -#ifdef OPENSSL_NO_FP_API -#define APPS_WIN16 -#include "../buffer/bss_file.c" -#endif - #define TEST_SERVER_CERT "../../apps/server.pem" #define TEST_CLIENT_CERT "../../apps/client.pem" diff --git a/crypto/threads/th-lock.c b/crypto/threads/th-lock.c index a6a79b9f45..14aae5f912 100644 --- a/crypto/threads/th-lock.c +++ b/crypto/threads/th-lock.c @@ -80,7 +80,7 @@ #include <openssl/lhash.h> #include <openssl/crypto.h> #include <openssl/buffer.h> -#include <openssl/e_os.h> +#include "../../e_os.h" #include <openssl/x509.h> #include <openssl/ssl.h> #include <openssl/err.h> diff --git a/crypto/txt_db/txt_db.h b/crypto/txt_db/txt_db.h index 563392aeff..c98e287703 100644 --- a/crypto/txt_db/txt_db.h +++ b/crypto/txt_db/txt_db.h @@ -59,6 +59,7 @@ #ifndef HEADER_TXT_DB_H #define HEADER_TXT_DB_H +#include <openssl/opensslconf.h> #ifndef OPENSSL_NO_BIO #include <openssl/bio.h> #endif diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c index 22be90cdcd..b4b04183d0 100644 --- a/crypto/x509/by_file.c +++ b/crypto/x509/by_file.c @@ -285,7 +285,8 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type) if(itmp->x509) { X509_STORE_add_cert(ctx->store_ctx, itmp->x509); count++; - } else if(itmp->crl) { + } + if(itmp->crl) { X509_STORE_add_crl(ctx->store_ctx, itmp->crl); count++; } diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index f1ccc0f041..049308ba80 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -64,6 +64,7 @@ #ifndef HEADER_X509_H #define HEADER_X509_H +#include <openssl/e_os2.h> #include <openssl/symhacks.h> #ifndef OPENSSL_NO_BUFFER #include <openssl/buffer.h> @@ -104,7 +105,6 @@ #ifndef OPENSSL_NO_SHA #include <openssl/sha.h> #endif -#include <openssl/e_os2.h> #include <openssl/ossl_typ.h> #ifdef __cplusplus @@ -1038,6 +1038,8 @@ int X509_CRL_sort(X509_CRL *crl); int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial); int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm); +int X509_REQ_check_private_key(X509_REQ *x509,EVP_PKEY *pkey); + int X509_check_private_key(X509 *x509,EVP_PKEY *pkey); int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b); @@ -1271,6 +1273,7 @@ void ERR_load_X509_strings(void); #define X509_F_X509_PRINT_FP 118 #define X509_F_X509_PUBKEY_GET 119 #define X509_F_X509_PUBKEY_SET 120 +#define X509_F_X509_REQ_CHECK_PRIVATE_KEY 144 #define X509_F_X509_REQ_PRINT 121 #define X509_F_X509_REQ_PRINT_FP 122 #define X509_F_X509_REQ_TO_X509 123 diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 9b28911409..5dfdcd41cb 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -374,62 +374,36 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k) int ok=0; xk=X509_get_pubkey(x); - if (xk->type != k->type) - { - X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH); - goto err; - } - switch (k->type) + switch (EVP_PKEY_cmp(xk, k)) { -#ifndef OPENSSL_NO_RSA - case EVP_PKEY_RSA: - if (BN_cmp(xk->pkey.rsa->n,k->pkey.rsa->n) != 0 - || BN_cmp(xk->pkey.rsa->e,k->pkey.rsa->e) != 0) - { - X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH); - goto err; - } + case 1: + ok=1; break; -#endif -#ifndef OPENSSL_NO_DSA - case EVP_PKEY_DSA: - if (BN_cmp(xk->pkey.dsa->pub_key,k->pkey.dsa->pub_key) != 0) - { - X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH); - goto err; - } + case 0: + X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH); break; -#endif + case -1: + X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH); + break; + case -2: #ifndef OPENSSL_NO_EC - case EVP_PKEY_EC: - { - int r = EC_POINT_cmp(xk->pkey.eckey->group, - xk->pkey.eckey->pub_key,k->pkey.eckey->pub_key,NULL); - if (r != 0) + if (k->type == EVP_PKEY_EC) { - if (r == 1) - X509err(X509_F_X509_CHECK_PRIVATE_KEY, X509_R_KEY_VALUES_MISMATCH); - else - X509err(X509_F_X509_CHECK_PRIVATE_KEY, ERR_R_EC_LIB); - - goto err; + X509err(X509_F_X509_CHECK_PRIVATE_KEY, ERR_R_EC_LIB); + break; } - } - break; #endif #ifndef OPENSSL_NO_DH - case EVP_PKEY_DH: - /* No idea */ - X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY); - goto err; + if (k->type == EVP_PKEY_DH) + { + /* No idea */ + X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY); + break; + } #endif - default: X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE); - goto err; } - ok=1; -err: EVP_PKEY_free(xk); return(ok); } diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c index 5bbf4acf76..7a6d5a0072 100644 --- a/crypto/x509/x509_err.c +++ b/crypto/x509/x509_err.c @@ -1,6 +1,6 @@ /* crypto/x509/x509_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -95,6 +95,7 @@ static ERR_STRING_DATA X509_str_functs[]= {ERR_PACK(0,X509_F_X509_PRINT_FP,0), "X509_print_fp"}, {ERR_PACK(0,X509_F_X509_PUBKEY_GET,0), "X509_PUBKEY_get"}, {ERR_PACK(0,X509_F_X509_PUBKEY_SET,0), "X509_PUBKEY_set"}, +{ERR_PACK(0,X509_F_X509_REQ_CHECK_PRIVATE_KEY,0), "X509_REQ_check_private_key"}, {ERR_PACK(0,X509_F_X509_REQ_PRINT,0), "X509_REQ_print"}, {ERR_PACK(0,X509_F_X509_REQ_PRINT_FP,0), "X509_REQ_print_fp"}, {ERR_PACK(0,X509_F_X509_REQ_TO_X509,0), "X509_REQ_to_X509"}, diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index 0affa3bf30..b4ad53431e 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c @@ -113,6 +113,46 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req) return(X509_PUBKEY_get(req->req_info->pubkey)); } +int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) + { + EVP_PKEY *xk=NULL; + int ok=0; + + xk=X509_REQ_get_pubkey(x); + switch (EVP_PKEY_cmp(xk, k)) + { + case 1: + ok=1; + break; + case 0: + X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH); + break; + case -1: + X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH); + break; + case -2: +#ifndef OPENSSL_NO_EC + if (k->type == EVP_PKEY_EC) + { + X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB); + break; + } +#endif +#ifndef OPENSSL_NO_DH + if (k->type == EVP_PKEY_DH) + { + /* No idea */ + X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY); + break; + } +#endif + X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE); + } + + EVP_PKEY_free(xk); + return(ok); + } + /* It seems several organisations had the same idea of including a list of * extensions in a certificate request. There are at least two OIDs that are * used and there may be more: so the list is configurable. diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index f0be21f452..3a0ccbe48d 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -65,6 +65,7 @@ #ifndef HEADER_X509_VFY_H #define HEADER_X509_VFY_H +#include <openssl/opensslconf.h> #ifndef OPENSSL_NO_LHASH #include <openssl/lhash.h> #endif diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl index 60af357a07..be8a6ca72f 100644 --- a/crypto/x509v3/Makefile.ssl +++ b/crypto/x509v3/Makefile.ssl @@ -26,11 +26,11 @@ LIB=$(TOP)/libcrypto.a LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \ v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \ v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \ -v3_ocsp.c v3_akeya.c +v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \ v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \ v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \ -v3_ocsp.o v3_akeya.o +v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o SRC= $(LIBSRC) @@ -321,6 +321,22 @@ v3_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ext_dat.h v3_lib.c +v3_ncons.o: ../../e_os.h ../../include/openssl/asn1.h +v3_ncons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h +v3_ncons.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h +v3_ncons.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h +v3_ncons.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h +v3_ncons.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +v3_ncons.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h +v3_ncons.o: ../../include/openssl/err.h ../../include/openssl/evp.h +v3_ncons.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +v3_ncons.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h +v3_ncons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +v3_ncons.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h +v3_ncons.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +v3_ncons.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +v3_ncons.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +v3_ncons.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ncons.c v3_ocsp.o: ../../e_os.h ../../include/openssl/asn1.h v3_ocsp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h v3_ocsp.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -337,6 +353,22 @@ v3_ocsp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_ocsp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_ocsp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_ocsp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ocsp.c +v3_pcons.o: ../../e_os.h ../../include/openssl/asn1.h +v3_pcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h +v3_pcons.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h +v3_pcons.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h +v3_pcons.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h +v3_pcons.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +v3_pcons.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h +v3_pcons.o: ../../include/openssl/err.h ../../include/openssl/evp.h +v3_pcons.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +v3_pcons.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h +v3_pcons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +v3_pcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h +v3_pcons.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +v3_pcons.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +v3_pcons.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +v3_pcons.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pcons.c v3_pku.o: ../../e_os.h ../../include/openssl/asn1.h v3_pku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_pku.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h @@ -353,6 +385,22 @@ v3_pku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_pku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_pku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_pku.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pku.c +v3_pmaps.o: ../../e_os.h ../../include/openssl/asn1.h +v3_pmaps.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h +v3_pmaps.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h +v3_pmaps.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h +v3_pmaps.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h +v3_pmaps.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +v3_pmaps.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h +v3_pmaps.o: ../../include/openssl/err.h ../../include/openssl/evp.h +v3_pmaps.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +v3_pmaps.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h +v3_pmaps.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +v3_pmaps.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h +v3_pmaps.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +v3_pmaps.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +v3_pmaps.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +v3_pmaps.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pmaps.c v3_prn.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h v3_prn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_prn.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h index 2fb97d8925..0879ae5ddc 100644 --- a/crypto/x509v3/ext_dat.h +++ b/crypto/x509v3/ext_dat.h @@ -64,6 +64,8 @@ extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3 extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; extern X509V3_EXT_METHOD v3_crl_hold; +extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; +extern X509V3_EXT_METHOD v3_name_constraints; /* This table will be searched using OBJ_bsearch so it *must* kept in * order of the ext_nid values. @@ -90,17 +92,26 @@ static X509V3_EXT_METHOD *standard_exts[] = { &v3_crld, &v3_ext_ku, &v3_crl_reason, +#ifndef OPENSSL_NO_OCSP &v3_crl_invdate, +#endif &v3_sxnet, &v3_info, +#ifndef OPENSSL_NO_OCSP &v3_ocsp_nonce, &v3_ocsp_crlid, &v3_ocsp_accresp, &v3_ocsp_nocheck, &v3_ocsp_acutoff, &v3_ocsp_serviceloc, +#endif &v3_sinfo, -&v3_crl_hold +&v3_policy_constraints, +#ifndef OPENSSL_NO_OCSP +&v3_crl_hold, +#endif +&v3_policy_mappings, +&v3_name_constraints }; /* Number of standard extensions */ diff --git a/crypto/x509v3/v3_akey.c b/crypto/x509v3/v3_akey.c index 97e686f97a..c481b6f12d 100644 --- a/crypto/x509v3/v3_akey.c +++ b/crypto/x509v3/v3_akey.c @@ -68,15 +68,17 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -X509V3_EXT_METHOD v3_akey_id = { -NID_authority_key_identifier, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID), -0,0,0,0, -0,0, -(X509V3_EXT_I2V)i2v_AUTHORITY_KEYID, -(X509V3_EXT_V2I)v2i_AUTHORITY_KEYID, -0,0, -NULL -}; +X509V3_EXT_METHOD v3_akey_id = + { + NID_authority_key_identifier, + X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID), + 0,0,0,0, + 0,0, + (X509V3_EXT_I2V)i2v_AUTHORITY_KEYID, + (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID, + 0,0, + NULL + }; static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist) @@ -108,83 +110,99 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values) -{ -char keyid=0, issuer=0; -int i; -CONF_VALUE *cnf; -ASN1_OCTET_STRING *ikeyid = NULL; -X509_NAME *isname = NULL; -GENERAL_NAMES * gens = NULL; -GENERAL_NAME *gen = NULL; -ASN1_INTEGER *serial = NULL; -X509_EXTENSION *ext; -X509 *cert; -AUTHORITY_KEYID *akeyid; -for(i = 0; i < sk_CONF_VALUE_num(values); i++) { - cnf = sk_CONF_VALUE_value(values, i); - if(!strcmp(cnf->name, "keyid")) { - keyid = 1; - if(cnf->value && !strcmp(cnf->value, "always")) keyid = 2; - } else if(!strcmp(cnf->name, "issuer")) { - issuer = 1; - if(cnf->value && !strcmp(cnf->value, "always")) issuer = 2; - } else { - X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION); - ERR_add_error_data(2, "name=", cnf->name); + { + char keyid=0, issuer=0; + int i; + CONF_VALUE *cnf; + ASN1_OCTET_STRING *ikeyid = NULL; + X509_NAME *isname = NULL; + GENERAL_NAMES * gens = NULL; + GENERAL_NAME *gen = NULL; + ASN1_INTEGER *serial = NULL; + X509_EXTENSION *ext; + X509 *cert; + AUTHORITY_KEYID *akeyid; + + for(i = 0; i < sk_CONF_VALUE_num(values); i++) + { + cnf = sk_CONF_VALUE_value(values, i); + if(!strcmp(cnf->name, "keyid")) + { + keyid = 1; + if(cnf->value && !strcmp(cnf->value, "always")) + keyid = 2; + } + else if(!strcmp(cnf->name, "issuer")) + { + issuer = 1; + if(cnf->value && !strcmp(cnf->value, "always")) + issuer = 2; + } + else + { + X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNKNOWN_OPTION); + ERR_add_error_data(2, "name=", cnf->name); + return NULL; + } + } + + if(!ctx || !ctx->issuer_cert) + { + if(ctx && (ctx->flags==CTX_TEST)) + return AUTHORITY_KEYID_new(); + X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE); return NULL; - } -} - -if(!ctx || !ctx->issuer_cert) { - if(ctx && (ctx->flags==CTX_TEST)) return AUTHORITY_KEYID_new(); - X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE); + } + + cert = ctx->issuer_cert; + + if(keyid) + { + i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1); + if((i >= 0) && (ext = X509_get_ext(cert, i))) + ikeyid = X509V3_EXT_d2i(ext); + if(keyid==2 && !ikeyid) + { + X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID); + return NULL; + } + } + + if((issuer && !ikeyid) || (issuer == 2)) + { + isname = X509_NAME_dup(X509_get_issuer_name(cert)); + serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert)); + if(!isname || !serial) + { + X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS); + goto err; + } + } + + if(!(akeyid = AUTHORITY_KEYID_new())) goto err; + + if(isname) + { + if(!(gens = sk_GENERAL_NAME_new_null()) + || !(gen = GENERAL_NAME_new()) + || !sk_GENERAL_NAME_push(gens, gen)) + { + X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE); + goto err; + } + gen->type = GEN_DIRNAME; + gen->d.dirn = isname; + } + + akeyid->issuer = gens; + akeyid->serial = serial; + akeyid->keyid = ikeyid; + + return akeyid; + + err: + X509_NAME_free(isname); + M_ASN1_INTEGER_free(serial); + M_ASN1_OCTET_STRING_free(ikeyid); return NULL; -} - -cert = ctx->issuer_cert; - -if(keyid) { - i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1); - if((i >= 0) && (ext = X509_get_ext(cert, i))) - ikeyid = X509V3_EXT_d2i(ext); - if(keyid==2 && !ikeyid) { - X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_KEYID); - return NULL; - } -} - -if((issuer && !ikeyid) || (issuer == 2)) { - isname = X509_NAME_dup(X509_get_issuer_name(cert)); - serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert)); - if(!isname || !serial) { - X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS); - goto err; } -} - -if(!(akeyid = AUTHORITY_KEYID_new())) goto err; - -if(isname) { - if(!(gens = sk_GENERAL_NAME_new_null()) || !(gen = GENERAL_NAME_new()) - || !sk_GENERAL_NAME_push(gens, gen)) { - X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE); - goto err; - } - gen->type = GEN_DIRNAME; - gen->d.dirn = isname; -} - -akeyid->issuer = gens; -akeyid->serial = serial; -akeyid->keyid = ikeyid; - -return akeyid; - -err: -X509_NAME_free(isname); -M_ASN1_INTEGER_free(serial); -M_ASN1_OCTET_STRING_free(ikeyid); -return NULL; - -} - diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c index baa9ca103d..ad6cb08e20 100644 --- a/crypto/x509v3/v3_alt.c +++ b/crypto/x509v3/v3_alt.c @@ -1,9 +1,9 @@ /* v3_alt.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL - * project 1999. + * project. */ /* ==================================================================== - * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -66,6 +66,7 @@ static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p); static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens); static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx); +static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx); X509V3_EXT_METHOD v3_alt[] = { { NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES), @@ -100,7 +101,8 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret) { unsigned char *p; - char oline[256]; + char oline[256], htmp[5]; + int i; switch (gen->type) { case GEN_OTHERNAME: @@ -134,12 +136,25 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, case GEN_IPADD: p = gen->d.ip->data; - /* BUG: doesn't support IPV6 */ - if(gen->d.ip->length != 4) { + if(gen->d.ip->length == 4) + sprintf(oline, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); + else if(gen->d.ip->length == 16) + { + oline[0] = 0; + for (i = 0; i < 8; i++) + { + sprintf(htmp, "%X", p[0] << 8 | p[1]); + p += 2; + strcat(oline, htmp); + if (i != 7) + strcat(oline, ":"); + } + } + else + { X509V3_add_value("IP Address","<invalid>", &ret); break; - } - sprintf(oline, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); + } X509V3_add_value("IP Address",oline, &ret); break; @@ -154,6 +169,7 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen) { unsigned char *p; + int i; switch (gen->type) { case GEN_OTHERNAME: @@ -188,12 +204,24 @@ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen) case GEN_IPADD: p = gen->d.ip->data; - /* BUG: doesn't support IPV6 */ - if(gen->d.ip->length != 4) { + if(gen->d.ip->length == 4) + BIO_printf(out, "IP Address:%d.%d.%d.%d", + p[0], p[1], p[2], p[3]); + else if(gen->d.ip->length == 16) + { + BIO_printf(out, "IP Address"); + for (i = 0; i < 8; i++) + { + BIO_printf(out, ":%X", p[0] << 8 | p[1]); + p += 2; + } + BIO_puts(out, "\n"); + } + else + { BIO_printf(out,"IP Address:<invalid>"); break; - } - BIO_printf(out, "IP Address:%d.%d.%d.%d", p[0], p[1], p[2], p[3]); + } break; case GEN_RID: @@ -379,91 +407,126 @@ GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf) -{ -char is_string = 0; -int type; -GENERAL_NAME *gen = NULL; + { + return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0); + } -char *name, *value; +GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, + X509V3_EXT_METHOD *method, X509V3_CTX *ctx, + CONF_VALUE *cnf, int is_nc) + { + char is_string = 0; + int type; + GENERAL_NAME *gen = NULL; -name = cnf->name; -value = cnf->value; + char *name, *value; -if(!value) { - X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_MISSING_VALUE); - return NULL; -} + name = cnf->name; + value = cnf->value; -if(!(gen = GENERAL_NAME_new())) { - X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE); - return NULL; -} + if(!value) + { + X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_MISSING_VALUE); + return NULL; + } -if(!name_cmp(name, "email")) { - is_string = 1; - type = GEN_EMAIL; -} else if(!name_cmp(name, "URI")) { - is_string = 1; - type = GEN_URI; -} else if(!name_cmp(name, "DNS")) { - is_string = 1; - type = GEN_DNS; -} else if(!name_cmp(name, "RID")) { - ASN1_OBJECT *obj; - if(!(obj = OBJ_txt2obj(value,0))) { - X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_OBJECT); - ERR_add_error_data(2, "value=", value); - goto err; - } - gen->d.rid = obj; - type = GEN_RID; -} else if(!name_cmp(name, "IP")) { - int i1,i2,i3,i4; - unsigned char ip[4]; - if((sscanf(value, "%d.%d.%d.%d",&i1,&i2,&i3,&i4) != 4) || - (i1 < 0) || (i1 > 255) || (i2 < 0) || (i2 > 255) || - (i3 < 0) || (i3 > 255) || (i4 < 0) || (i4 > 255) ) { - X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS); - ERR_add_error_data(2, "value=", value); - goto err; - } - ip[0] = i1; ip[1] = i2 ; ip[2] = i3 ; ip[3] = i4; - if(!(gen->d.ip = M_ASN1_OCTET_STRING_new()) || - !ASN1_STRING_set(gen->d.ip, ip, 4)) { + if (out) + gen = out; + else + { + gen = GENERAL_NAME_new(); + if(gen == NULL) + { X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE); + return NULL; + } + } + + if(!name_cmp(name, "email")) + { + is_string = 1; + type = GEN_EMAIL; + } + else if(!name_cmp(name, "URI")) + { + is_string = 1; + type = GEN_URI; + } + else if(!name_cmp(name, "DNS")) + { + is_string = 1; + type = GEN_DNS; + } + else if(!name_cmp(name, "RID")) + { + ASN1_OBJECT *obj; + if(!(obj = OBJ_txt2obj(value,0))) + { + X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_OBJECT); + ERR_add_error_data(2, "value=", value); goto err; - } - type = GEN_IPADD; -} else if(!name_cmp(name, "otherName")) { - if (!do_othername(gen, value, ctx)) + } + gen->d.rid = obj; + type = GEN_RID; + } + else if(!name_cmp(name, "IP")) { - X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_OTHERNAME_ERROR); + if (is_nc) + gen->d.ip = a2i_IPADDRESS_NC(value); + else + gen->d.ip = a2i_IPADDRESS(value); + if(gen->d.ip == NULL) + { + X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_BAD_IP_ADDRESS); + ERR_add_error_data(2, "value=", value); + goto err; + } + type = GEN_IPADD; + } + else if(!name_cmp(name, "dirName")) + { + type = GEN_DIRNAME; + if (!do_dirname(gen, value, ctx)) + { + X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_DIRNAME_ERROR); + goto err; + } + } + else if(!name_cmp(name, "otherName")) + { + if (!do_othername(gen, value, ctx)) + { + X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_OTHERNAME_ERROR); + goto err; + } + type = GEN_OTHERNAME; + } + else + { + X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_OPTION); + ERR_add_error_data(2, "name=", name); goto err; } - type = GEN_OTHERNAME; -} else { - X509V3err(X509V3_F_V2I_GENERAL_NAME,X509V3_R_UNSUPPORTED_OPTION); - ERR_add_error_data(2, "name=", name); - goto err; -} -if(is_string) { - if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) || - !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value, - strlen(value))) { - X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE); - goto err; - } -} + if(is_string) + { + if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) || + !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value, + strlen(value))) + { + X509V3err(X509V3_F_V2I_GENERAL_NAME,ERR_R_MALLOC_FAILURE); + goto err; + } + } -gen->type = type; + gen->type = type; -return gen; + return gen; -err: -GENERAL_NAME_free(gen); -return NULL; -} + err: + GENERAL_NAME_free(gen); + return NULL; + } static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) { @@ -489,3 +552,27 @@ static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) return 0; return 1; } + +static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) + { + int ret; + STACK_OF(CONF_VALUE) *sk; + X509_NAME *nm; + if (!(nm = X509_NAME_new())) + return 0; + sk = X509V3_get_section(ctx, value); + if (!sk) + { + X509V3err(X509V3_F_DO_DIRNAME,X509V3_R_SECTION_NOT_FOUND); + ERR_add_error_data(2, "section=", value); + X509_NAME_free(nm); + return 0; + } + /* FIXME: should allow other character types... */ + ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC); + if (!ret) + X509_NAME_free(nm); + gen->d.dirn = nm; + + return ret; + } diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c index 372c65d885..7e813db0d7 100644 --- a/crypto/x509v3/v3_conf.c +++ b/crypto/x509v3/v3_conf.c @@ -134,7 +134,7 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, { if(*value == '@') nval = NCONF_get_section(conf, value + 1); else nval = X509V3_parse_list(value); - if(!nval) + if(sk_CONF_VALUE_num(nval) <= 0) { X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_INVALID_EXTENSION_STRING); ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value); @@ -151,7 +151,7 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, } else if(method->r2i) { - if(!ctx->db) + if(!ctx->db || !ctx->db_meth) { X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_NO_CONFIG_DATABASE); return NULL; @@ -383,6 +383,11 @@ int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section) { + if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string) + { + X509V3err(X509V3_F_X509V3_GET_STRING,X509V3_R_OPERATION_NOT_DEFINED); + return NULL; + } if (ctx->db_meth->get_string) return ctx->db_meth->get_string(ctx->db, name, section); return NULL; @@ -390,6 +395,11 @@ char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section) STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section) { + if(!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) + { + X509V3err(X509V3_F_X509V3_GET_SECTION,X509V3_R_OPERATION_NOT_DEFINED); + return NULL; + } if (ctx->db_meth->get_section) return ctx->db_meth->get_section(ctx->db, section); return NULL; diff --git a/crypto/x509v3/v3_info.c b/crypto/x509v3/v3_info.c index e269df1373..4e1a1f3a4d 100644 --- a/crypto/x509v3/v3_info.c +++ b/crypto/x509v3/v3_info.c @@ -158,8 +158,7 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *metho objlen = ptmp - cnf->name; ctmp.name = ptmp + 1; ctmp.value = cnf->value; - GENERAL_NAME_free(acc->location); - if(!(acc->location = v2i_GENERAL_NAME(method, ctx, &ctmp))) + if(!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0)) goto err; if(!(objtmp = OPENSSL_malloc(objlen + 1))) { X509V3err(X509V3_F_V2I_ACCESS_DESCRIPTION,ERR_R_MALLOC_FAILURE); diff --git a/crypto/x509v3/v3_ocsp.c b/crypto/x509v3/v3_ocsp.c index 083112314e..21badc13f9 100644 --- a/crypto/x509v3/v3_ocsp.c +++ b/crypto/x509v3/v3_ocsp.c @@ -56,6 +56,8 @@ * */ +#ifndef OPENSSL_NO_OCSP + #include <stdio.h> #include "cryptlib.h" #include <openssl/conf.h> @@ -270,3 +272,4 @@ static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int err: return 0; } +#endif diff --git a/crypto/x509v3/v3_prn.c b/crypto/x509v3/v3_prn.c index aeaf6170fe..9be6c95a63 100644 --- a/crypto/x509v3/v3_prn.c +++ b/crypto/x509v3/v3_prn.c @@ -178,11 +178,11 @@ int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts ASN1_OBJECT *obj; X509_EXTENSION *ex; ex=sk_X509_EXTENSION_value(exts, i); - if (BIO_printf(bp,"%*s",indent, "") <= 0) return 0; + if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0; obj=X509_EXTENSION_get_object(ex); i2a_ASN1_OBJECT(bp,obj); j=X509_EXTENSION_get_critical(ex); - if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0) + if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0) return 0; if(!X509V3_EXT_print(bp, ex, flag, 12)) { diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index b739e4fd83..4d145f71fd 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -378,6 +378,10 @@ static void x509v3_cache_extensions(X509 *x) case NID_time_stamp: x->ex_xkusage |= XKU_TIMESTAMP; break; + + case NID_dvcs: + x->ex_xkusage |= XKU_DVCS; + break; } } sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); diff --git a/crypto/x509v3/v3_sxnet.c b/crypto/x509v3/v3_sxnet.c index d3f4ba3a72..860909a83b 100644 --- a/crypto/x509v3/v3_sxnet.c +++ b/crypto/x509v3/v3_sxnet.c @@ -109,7 +109,7 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, SXNETID *id; int i; v = ASN1_INTEGER_get(sx->version); - BIO_printf(out, "%*sVersion: %d (0x%X)", indent, "", v + 1, v); + BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v); for(i = 0; i < sk_SXNETID_num(sx->ids); i++) { id = sk_SXNETID_value(sx->ids, i); tmp = i2s_ASN1_INTEGER(NULL, id->zone); diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c index a11243db8f..a2bb7b0043 100644 --- a/crypto/x509v3/v3_utl.c +++ b/crypto/x509v3/v3_utl.c @@ -1,9 +1,9 @@ /* v3_utl.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL - * project 1999. + * project. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -70,6 +70,12 @@ static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens); static void str_free(void *str); static int append_ia5(STACK **sk, ASN1_IA5STRING *email); +static int a2i_ipadd(unsigned char *ipout, const char *ipasc); +static int ipv4_from_asc(unsigned char *v4, const char *in); +static int ipv6_from_asc(unsigned char *v6, const char *in); +static int ipv6_cb(const char *elem, int len, void *usr); +static int ipv6_hex(unsigned char *out, const char *in, int inlen); + /* Add a CONF_VALUE name value pair to stack */ int X509V3_add_value(const char *name, const char *value, @@ -534,3 +540,305 @@ void X509_email_free(STACK *sk) { sk_pop_free(sk, str_free); } + +/* Convert IP addresses both IPv4 and IPv6 into an + * OCTET STRING compatible with RFC3280. + */ + +ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc) + { + unsigned char ipout[16]; + ASN1_OCTET_STRING *ret; + int iplen; + + /* If string contains a ':' assume IPv6 */ + + iplen = a2i_ipadd(ipout, ipasc); + + if (!iplen) + return NULL; + + ret = ASN1_OCTET_STRING_new(); + if (!ret) + return NULL; + if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) + { + ASN1_OCTET_STRING_free(ret); + return NULL; + } + return ret; + } + +ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc) + { + ASN1_OCTET_STRING *ret = NULL; + unsigned char ipout[32]; + char *iptmp = NULL, *p; + int iplen1, iplen2; + p = strchr(ipasc,'/'); + if (!p) + return NULL; + iptmp = BUF_strdup(ipasc); + if (!iptmp) + return NULL; + p = iptmp + (p - ipasc); + *p++ = 0; + + iplen1 = a2i_ipadd(ipout, iptmp); + + if (!iplen1) + goto err; + + iplen2 = a2i_ipadd(ipout + iplen1, p); + + OPENSSL_free(iptmp); + iptmp = NULL; + + if (!iplen2 || (iplen1 != iplen2)) + goto err; + + ret = ASN1_OCTET_STRING_new(); + if (!ret) + goto err; + if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2)) + goto err; + + return ret; + + err: + if (iptmp) + OPENSSL_free(iptmp); + if (ret) + ASN1_OCTET_STRING_free(ret); + return NULL; + } + + +static int a2i_ipadd(unsigned char *ipout, const char *ipasc) + { + /* If string contains a ':' assume IPv6 */ + + if (strchr(ipasc, ':')) + { + if (!ipv6_from_asc(ipout, ipasc)) + return 0; + return 16; + } + else + { + if (!ipv4_from_asc(ipout, ipasc)) + return 0; + return 4; + } + } + +static int ipv4_from_asc(unsigned char *v4, const char *in) + { + int a0, a1, a2, a3; + if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4) + return 0; + if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) + || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255)) + return 0; + v4[0] = a0; + v4[1] = a1; + v4[2] = a2; + v4[3] = a3; + return 1; + } + +typedef struct { + /* Temporary store for IPV6 output */ + unsigned char tmp[16]; + /* Total number of bytes in tmp */ + int total; + /* The position of a zero (corresponding to '::') */ + int zero_pos; + /* Number of zeroes */ + int zero_cnt; + } IPV6_STAT; + + +static int ipv6_from_asc(unsigned char *v6, const char *in) + { + IPV6_STAT v6stat; + v6stat.total = 0; + v6stat.zero_pos = -1; + v6stat.zero_cnt = 0; + /* Treat the IPv6 representation as a list of values + * separated by ':'. The presence of a '::' will parse + * as one, two or three zero length elements. + */ + if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat)) + return 0; + + /* Now for some sanity checks */ + + if (v6stat.zero_pos == -1) + { + /* If no '::' must have exactly 16 bytes */ + if (v6stat.total != 16) + return 0; + } + else + { + /* If '::' must have less than 16 bytes */ + if (v6stat.total == 16) + return 0; + /* More than three zeroes is an error */ + if (v6stat.zero_cnt > 3) + return 0; + /* Can only have three zeroes if nothing else present */ + else if (v6stat.zero_cnt == 3) + { + if (v6stat.total > 0) + return 0; + } + /* Can only have two zeroes if at start or end */ + else if (v6stat.zero_cnt == 2) + { + if ((v6stat.zero_pos != 0) + && (v6stat.zero_pos != v6stat.total)) + return 0; + } + else + /* Can only have one zero if *not* start or end */ + { + if ((v6stat.zero_pos == 0) + || (v6stat.zero_pos == v6stat.total)) + return 0; + } + } + + /* Format result */ + + /* Copy initial part */ + if (v6stat.zero_pos > 0) + memcpy(v6, v6stat.tmp, v6stat.zero_pos); + /* Zero middle */ + if (v6stat.total != 16) + memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total); + /* Copy final part */ + if (v6stat.total != v6stat.zero_pos) + memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total, + v6stat.tmp + v6stat.zero_pos, + v6stat.total - v6stat.zero_pos); + + return 1; + } + +static int ipv6_cb(const char *elem, int len, void *usr) + { + IPV6_STAT *s = usr; + /* Error if 16 bytes written */ + if (s->total == 16) + return 0; + if (len == 0) + { + /* Zero length element, corresponds to '::' */ + if (s->zero_pos == -1) + s->zero_pos = s->total; + /* If we've already got a :: its an error */ + else if (s->zero_pos != s->total) + return 0; + s->zero_cnt++; + } + else + { + /* If more than 4 characters could be final a.b.c.d form */ + if (len > 4) + { + /* Need at least 4 bytes left */ + if (s->total > 12) + return 0; + /* Must be end of string */ + if (elem[len]) + return 0; + if (!ipv4_from_asc(s->tmp + s->total, elem)) + return 0; + s->total += 4; + } + else + { + if (!ipv6_hex(s->tmp + s->total, elem, len)) + return 0; + s->total += 2; + } + } + return 1; + } + +/* Convert a string of up to 4 hex digits into the corresponding + * IPv6 form. + */ + +static int ipv6_hex(unsigned char *out, const char *in, int inlen) + { + unsigned char c; + unsigned int num = 0; + if (inlen > 4) + return 0; + while(inlen--) + { + c = *in++; + num <<= 4; + if ((c >= '0') && (c <= '9')) + num |= c - '0'; + else if ((c >= 'A') && (c <= 'F')) + num |= c - 'A' + 10; + else if ((c >= 'a') && (c <= 'f')) + num |= c - 'a' + 10; + else + return 0; + } + out[0] = num >> 8; + out[1] = num & 0xff; + return 1; + } + + +int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk, + unsigned long chtype) + { + CONF_VALUE *v; + int i, mval; + char *p, *type; + if (!nm) + return 0; + + for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) + { + v=sk_CONF_VALUE_value(dn_sk,i); + type=v->name; + /* Skip past any leading X. X: X, etc to allow for + * multiple instances + */ + for(p = type; *p ; p++) +#ifndef CHARSET_EBCDIC + if ((*p == ':') || (*p == ',') || (*p == '.')) +#else + if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.'])) +#endif + { + p++; + if(*p) type = p; + break; + } +#ifndef CHARSET_EBCDIC + if (*p == '+') +#else + if (*p == os_toascii['+']) +#endif + { + mval = -1; + p++; + } + else + mval = 0; + if (!X509_NAME_add_entry_by_txt(nm,type, chtype, + (unsigned char *) v->value,-1,-1,mval)) + return 0; + + } + return 1; + } diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c index 3cb543e629..648ed3562c 100644 --- a/crypto/x509v3/v3err.c +++ b/crypto/x509v3/v3err.c @@ -1,6 +1,6 @@ /* crypto/x509v3/v3err.c */ /* ==================================================================== - * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -68,8 +68,10 @@ static ERR_STRING_DATA X509V3_str_functs[]= { {ERR_PACK(0,X509V3_F_COPY_EMAIL,0), "COPY_EMAIL"}, {ERR_PACK(0,X509V3_F_COPY_ISSUER,0), "COPY_ISSUER"}, +{ERR_PACK(0,X509V3_F_DO_DIRNAME,0), "DO_DIRNAME"}, {ERR_PACK(0,X509V3_F_DO_EXT_CONF,0), "DO_EXT_CONF"}, {ERR_PACK(0,X509V3_F_DO_EXT_I2D,0), "DO_EXT_I2D"}, +{ERR_PACK(0,X509V3_F_DO_I2V_NAME_CONSTRAINTS,0), "DO_I2V_NAME_CONSTRAINTS"}, {ERR_PACK(0,X509V3_F_HEX_TO_STRING,0), "hex_to_string"}, {ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0), "i2s_ASN1_ENUMERATED"}, {ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0), "i2s_ASN1_INTEGER"}, @@ -97,6 +99,9 @@ static ERR_STRING_DATA X509V3_str_functs[]= {ERR_PACK(0,X509V3_F_V2I_EXT_KU,0), "V2I_EXT_KU"}, {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0), "v2i_GENERAL_NAME"}, {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0), "v2i_GENERAL_NAMES"}, +{ERR_PACK(0,X509V3_F_V2I_NAME_CONSTRAINTS,0), "V2I_NAME_CONSTRAINTS"}, +{ERR_PACK(0,X509V3_F_V2I_POLICY_CONSTRAINTS,0), "V2I_POLICY_CONSTRAINTS"}, +{ERR_PACK(0,X509V3_F_V2I_POLICY_MAPPINGS,0), "V2I_POLICY_MAPPINGS"}, {ERR_PACK(0,X509V3_F_V3_GENERIC_EXTENSION,0), "V3_GENERIC_EXTENSION"}, {ERR_PACK(0,X509V3_F_X509V3_ADD_I2D,0), "X509V3_ADD_I2D"}, {ERR_PACK(0,X509V3_F_X509V3_ADD_VALUE,0), "X509V3_add_value"}, @@ -104,6 +109,8 @@ static ERR_STRING_DATA X509V3_str_functs[]= {ERR_PACK(0,X509V3_F_X509V3_EXT_ADD_ALIAS,0), "X509V3_EXT_add_alias"}, {ERR_PACK(0,X509V3_F_X509V3_EXT_CONF,0), "X509V3_EXT_conf"}, {ERR_PACK(0,X509V3_F_X509V3_EXT_I2D,0), "X509V3_EXT_i2d"}, +{ERR_PACK(0,X509V3_F_X509V3_GET_SECTION,0), "X509V3_get_section"}, +{ERR_PACK(0,X509V3_F_X509V3_GET_STRING,0), "X509V3_get_string"}, {ERR_PACK(0,X509V3_F_X509V3_GET_VALUE_BOOL,0), "X509V3_get_value_bool"}, {ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0), "X509V3_parse_list"}, {ERR_PACK(0,X509V3_F_X509_PURPOSE_ADD,0), "X509_PURPOSE_add"}, @@ -117,6 +124,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {X509V3_R_BAD_OBJECT ,"bad object"}, {X509V3_R_BN_DEC2BN_ERROR ,"bn dec2bn error"}, {X509V3_R_BN_TO_ASN1_INTEGER_ERROR ,"bn to asn1 integer error"}, +{X509V3_R_DIRNAME_ERROR ,"dirname error"}, {X509V3_R_DUPLICATE_ZONE_ID ,"duplicate zone id"}, {X509V3_R_ERROR_CONVERTING_ZONE ,"error converting zone"}, {X509V3_R_ERROR_CREATING_EXTENSION ,"error creating extension"}, @@ -127,6 +135,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {X509V3_R_EXTENSION_NOT_FOUND ,"extension not found"}, {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"}, {X509V3_R_EXTENSION_VALUE_ERROR ,"extension value error"}, +{X509V3_R_ILLEGAL_EMPTY_EXTENSION ,"illegal empty extension"}, {X509V3_R_ILLEGAL_HEX_DIGIT ,"illegal hex digit"}, {X509V3_R_INVALID_BOOLEAN_STRING ,"invalid boolean string"}, {X509V3_R_INVALID_EXTENSION_STRING ,"invalid extension string"}, @@ -152,7 +161,9 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {X509V3_R_NO_PUBLIC_KEY ,"no public key"}, {X509V3_R_NO_SUBJECT_DETAILS ,"no subject details"}, {X509V3_R_ODD_NUMBER_OF_DIGITS ,"odd number of digits"}, +{X509V3_R_OPERATION_NOT_DEFINED ,"operation not defined"}, {X509V3_R_OTHERNAME_ERROR ,"othername error"}, +{X509V3_R_SECTION_NOT_FOUND ,"section not found"}, {X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS ,"unable to get issuer details"}, {X509V3_R_UNABLE_TO_GET_ISSUER_KEYID ,"unable to get issuer keyid"}, {X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT ,"unknown bit string argument"}, diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index e1334b4717..25b049bfbb 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -286,6 +286,33 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES; DECLARE_STACK_OF(POLICYINFO) DECLARE_ASN1_SET_OF(POLICYINFO) +typedef struct POLICY_MAPPING_st { + ASN1_OBJECT *issuerDomainPolicy; + ASN1_OBJECT *subjectDomainPolicy; +} POLICY_MAPPING; + +DECLARE_STACK_OF(POLICY_MAPPING) + +typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS; + +typedef struct GENERAL_SUBTREE_st { + GENERAL_NAME *base; + ASN1_INTEGER *minimum; + ASN1_INTEGER *maximum; +} GENERAL_SUBTREE; + +DECLARE_STACK_OF(GENERAL_SUBTREE) + +typedef struct NAME_CONSTRAINTS_st { + STACK_OF(GENERAL_SUBTREE) *permittedSubtrees; + STACK_OF(GENERAL_SUBTREE) *excludedSubtrees; +} NAME_CONSTRAINTS; + +typedef struct POLICY_CONSTRAINTS_st { + ASN1_INTEGER *requireExplicitPolicy; + ASN1_INTEGER *inhibitPolicyMapping; +} POLICY_CONSTRAINTS; + #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \ ",name:", val->name, ",value:", val->value); @@ -351,6 +378,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO) #define XKU_SGC 0x10 #define XKU_OCSP_SIGN 0x20 #define XKU_TIMESTAMP 0x40 +#define XKU_DVCS 0x80 #define X509_PURPOSE_DYNAMIC 0x1 #define X509_PURPOSE_DYNAMIC_NAME 0x2 @@ -454,8 +482,24 @@ DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME) DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION) DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS) +DECLARE_ASN1_ITEM(POLICY_MAPPING) +DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING) +DECLARE_ASN1_ITEM(POLICY_MAPPINGS) + +DECLARE_ASN1_ITEM(GENERAL_SUBTREE) +DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE) + +DECLARE_ASN1_ITEM(NAME_CONSTRAINTS) +DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS) + +DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS) +DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS) + #ifdef HEADER_CONF_H -GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf); +GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, + CONF_VALUE *cnf); +GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc); void X509V3_conf_free(CONF_VALUE *val); X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value); @@ -546,6 +590,10 @@ STACK *X509_get1_email(X509 *x); STACK *X509_REQ_get1_email(X509_REQ *x); void X509_email_free(STACK *sk); +ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc); +ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc); +int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk, + unsigned long chtype); /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes @@ -558,8 +606,10 @@ void ERR_load_X509V3_strings(void); /* Function codes. */ #define X509V3_F_COPY_EMAIL 122 #define X509V3_F_COPY_ISSUER 123 +#define X509V3_F_DO_DIRNAME 144 #define X509V3_F_DO_EXT_CONF 124 #define X509V3_F_DO_EXT_I2D 135 +#define X509V3_F_DO_I2V_NAME_CONSTRAINTS 148 #define X509V3_F_HEX_TO_STRING 111 #define X509V3_F_I2S_ASN1_ENUMERATED 121 #define X509V3_F_I2S_ASN1_INTEGER 120 @@ -587,6 +637,9 @@ void ERR_load_X509V3_strings(void); #define X509V3_F_V2I_EXT_KU 103 #define X509V3_F_V2I_GENERAL_NAME 117 #define X509V3_F_V2I_GENERAL_NAMES 118 +#define X509V3_F_V2I_NAME_CONSTRAINTS 147 +#define X509V3_F_V2I_POLICY_CONSTRAINTS 146 +#define X509V3_F_V2I_POLICY_MAPPINGS 145 #define X509V3_F_V3_GENERIC_EXTENSION 116 #define X509V3_F_X509V3_ADD_I2D 140 #define X509V3_F_X509V3_ADD_VALUE 105 @@ -594,6 +647,8 @@ void ERR_load_X509V3_strings(void); #define X509V3_F_X509V3_EXT_ADD_ALIAS 106 #define X509V3_F_X509V3_EXT_CONF 107 #define X509V3_F_X509V3_EXT_I2D 136 +#define X509V3_F_X509V3_GET_SECTION 142 +#define X509V3_F_X509V3_GET_STRING 143 #define X509V3_F_X509V3_GET_VALUE_BOOL 110 #define X509V3_F_X509V3_PARSE_LIST 109 #define X509V3_F_X509_PURPOSE_ADD 137 @@ -604,6 +659,7 @@ void ERR_load_X509V3_strings(void); #define X509V3_R_BAD_OBJECT 119 #define X509V3_R_BN_DEC2BN_ERROR 100 #define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 101 +#define X509V3_R_DIRNAME_ERROR 149 #define X509V3_R_DUPLICATE_ZONE_ID 133 #define X509V3_R_ERROR_CONVERTING_ZONE 131 #define X509V3_R_ERROR_CREATING_EXTENSION 144 @@ -614,6 +670,7 @@ void ERR_load_X509V3_strings(void); #define X509V3_R_EXTENSION_NOT_FOUND 102 #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 103 #define X509V3_R_EXTENSION_VALUE_ERROR 116 +#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151 #define X509V3_R_ILLEGAL_HEX_DIGIT 113 #define X509V3_R_INVALID_BOOLEAN_STRING 104 #define X509V3_R_INVALID_EXTENSION_STRING 105 @@ -639,7 +696,9 @@ void ERR_load_X509V3_strings(void); #define X509V3_R_NO_PUBLIC_KEY 114 #define X509V3_R_NO_SUBJECT_DETAILS 125 #define X509V3_R_ODD_NUMBER_OF_DIGITS 112 +#define X509V3_R_OPERATION_NOT_DEFINED 148 #define X509V3_R_OTHERNAME_ERROR 147 +#define X509V3_R_SECTION_NOT_FOUND 150 #define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 122 #define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 123 #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 111 diff --git a/demos/x509/mkcert.c b/demos/x509/mkcert.c index 8304d30e0b..c5e67b8e28 100644 --- a/demos/x509/mkcert.c +++ b/demos/x509/mkcert.c @@ -9,7 +9,9 @@ #include <openssl/pem.h> #include <openssl/conf.h> #include <openssl/x509v3.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days); int add_ext(X509 *cert, int nid, char *value); @@ -35,7 +37,9 @@ int main(int argc, char **argv) X509_free(x509); EVP_PKEY_free(pkey); +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif CRYPTO_cleanup_all_ex_data(); CRYPTO_mem_leaks(bio_err); diff --git a/demos/x509/mkreq.c b/demos/x509/mkreq.c index d69dcc392b..3dfc65f164 100644 --- a/demos/x509/mkreq.c +++ b/demos/x509/mkreq.c @@ -8,7 +8,9 @@ #include <openssl/pem.h> #include <openssl/conf.h> #include <openssl/x509v3.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif int mkreq(X509_REQ **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days); int add_ext(STACK_OF(X509_REQUEST) *sk, int nid, char *value); @@ -33,7 +35,9 @@ int main(int argc, char **argv) X509_REQ_free(req); EVP_PKEY_free(pkey); +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif CRYPTO_cleanup_all_ex_data(); CRYPTO_mem_leaks(bio_err); diff --git a/doc/HOWTO/certificates.txt b/doc/HOWTO/certificates.txt index 82166e0dc2..a8a34c7abc 100644 --- a/doc/HOWTO/certificates.txt +++ b/doc/HOWTO/certificates.txt @@ -48,7 +48,7 @@ you have your own certificate authority, you may sign it yourself, or if you need a self-signed certificate (because you just want a test certificate or because you are setting up your own CA). -The certificate is created like this: +The certificate request is created like this: openssl req -new -key privkey.pem -out cert.csr @@ -66,18 +66,15 @@ Section 5 will tell you more on how to handle the certificate you received. -4. Creating a self-signed certificate +4. Creating a self-signed test certificate If you don't want to deal with another certificate authority, or just -want to create a test certificate for yourself, or are setting up a -certificate authority of your own, you may want to make the requested -certificate a self-signed one. If you have created a certificate -request as shown above, you can sign it using the 'openssl x509' -command, for example like this (to create a self-signed CA -certificate): - - openssl x509 -req -in cert.csr -extfile openssl.cnf -extensions v3_ca \ - -signkey privkey.pem -out cacert.pem -trustout +want to create a test certificate for yourself. This is similar to +creating a certificate request, but creates a certificate instead of +a certificate request. This is NOT the recommended way to create a +CA certificate, see ca.txt. + + openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 5. What to do with the certificate diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 183cd475c8..de66c534b5 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod @@ -43,6 +43,7 @@ B<openssl> B<ca> [B<-msie_hack>] [B<-extensions section>] [B<-extfile section>] +[B<-engine id>] =head1 DESCRIPTION @@ -195,6 +196,13 @@ an additional configuration file to read certificate extensions from (using the default section unless the B<-extensions> option is also used). +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 CRL OPTIONS diff --git a/doc/apps/dhparam.pod b/doc/apps/dhparam.pod index ff8a6e5e5b..c31db95a47 100644 --- a/doc/apps/dhparam.pod +++ b/doc/apps/dhparam.pod @@ -18,6 +18,7 @@ B<openssl dhparam> [B<-2>] [B<-5>] [B<-rand> I<file(s)>] +[B<-engine id>] [I<numbits>] =head1 DESCRIPTION @@ -96,6 +97,13 @@ this option prints out the DH parameters in human readable form. this option converts the parameters into C code. The parameters can then be loaded by calling the B<get_dh>I<numbits>B<()> function. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 WARNINGS diff --git a/doc/apps/dsa.pod b/doc/apps/dsa.pod index 28e534bb95..ed06b8806d 100644 --- a/doc/apps/dsa.pod +++ b/doc/apps/dsa.pod @@ -21,6 +21,7 @@ B<openssl> B<dsa> [B<-modulus>] [B<-pubin>] [B<-pubout>] +[B<-engine id>] =head1 DESCRIPTION @@ -106,6 +107,13 @@ by default a private key is output. With this option a public key will be output instead. This option is automatically set if the input is a public key. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 NOTES diff --git a/doc/apps/dsaparam.pod b/doc/apps/dsaparam.pod index 50c2f61242..b9b1b93b42 100644 --- a/doc/apps/dsaparam.pod +++ b/doc/apps/dsaparam.pod @@ -16,6 +16,7 @@ B<openssl dsaparam> [B<-C>] [B<-rand file(s)>] [B<-genkey>] +[B<-engine id>] [B<numbits>] =head1 DESCRIPTION @@ -82,6 +83,13 @@ this option specifies that a parameter set should be generated of size B<numbits>. It must be the last option. If this option is included then the input file (if any) is ignored. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 NOTES diff --git a/doc/apps/gendsa.pod b/doc/apps/gendsa.pod index 74318fe7fb..2c56cc7888 100644 --- a/doc/apps/gendsa.pod +++ b/doc/apps/gendsa.pod @@ -12,6 +12,7 @@ B<openssl> B<gendsa> [B<-des3>] [B<-idea>] [B<-rand file(s)>] +[B<-engine id>] [B<paramfile>] =head1 DESCRIPTION @@ -37,6 +38,13 @@ Multiple files can be specified separated by a OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =item B<paramfile> This option specifies the DSA parameter file to use. The parameters in this diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod index cdcc03c123..25af4d1475 100644 --- a/doc/apps/genrsa.pod +++ b/doc/apps/genrsa.pod @@ -15,6 +15,7 @@ B<openssl> B<genrsa> [B<-f4>] [B<-3>] [B<-rand file(s)>] +[B<-engine id>] [B<numbits>] =head1 DESCRIPTION @@ -54,6 +55,13 @@ Multiple files can be specified separated by a OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =item B<numbits> the size of the private key to generate in bits. This must be the last option diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index da201b95e6..4f266058e5 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -11,6 +11,10 @@ B<openssl> B<ocsp> [B<-issuer file>] [B<-cert file>] [B<-serial n>] +[B<-signer file>] +[B<-signkey file>] +[B<-sign_other file>] +[B<-no_certs>] [B<-req_text>] [B<-resp_text>] [B<-text>] @@ -20,27 +24,36 @@ B<openssl> B<ocsp> [B<-respin file>] [B<-nonce>] [B<-no_nonce>] -[B<-url responder_url>] +[B<-url URL>] [B<-host host:n>] [B<-path>] -[B<-CApath file>] +[B<-CApath dir>] [B<-CAfile file>] [B<-VAfile file>] -[B<-verify_certs file>] +[B<-validity_period n>] +[B<-status_age n>] [B<-noverify>] +[B<-verify_other file>] [B<-trust_other>] [B<-no_intern>] -[B<-no_sig_verify>] +[B<-no_signature_verify>] [B<-no_cert_verify>] [B<-no_chain>] [B<-no_cert_checks>] -[B<-validity_period nsec>] -[B<-status_age nsec>] +[B<-port num>] +[B<-index file>] +[B<-CA file>] +[B<-rsigner file>] +[B<-rkey file>] +[B<-rother file>] +[B<-resp_no_certs>] +[B<-nmin n>] +[B<-ndays n>] +[B<-resp_key_id>] +[B<-nrequest n>] =head1 DESCRIPTION -B<WARNING: this documentation is preliminary and subject to change.> - The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of an identified certificate (RFC 2560). @@ -83,6 +96,10 @@ the B<signkey> option is not present then the private key is read from the same file as the certificate. If neither option is specified then the OCSP request is not signed. +=item B<-sign_other filename> + +Additional certificates to include in the signed request. + =item B<-nonce>, B<-no_nonce> Add an OCSP nonce extension to a request or disable OCSP nonce addition. @@ -120,7 +137,7 @@ or "/" by default. file or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response. -=item B<-verify_certs file> +=item B<-verify_other file> file containing additional certificates to search when attempting to locate the OCSP response signing certificate. Some responders omit the actual signer's @@ -151,7 +168,7 @@ ignore certificates contained in the OCSP response when searching for the signers certificate. With this option the signers certificate must be specified with either the B<-verify_certs> or B<-VAfile> options. -=item B<-no_sig_verify> +=item B<-no_signature_verify> don't check the signature on the OCSP response. Since this option tolerates invalid signatures on OCSP responses it will normally only be used for testing purposes. diff --git a/doc/apps/pkcs7.pod b/doc/apps/pkcs7.pod index 9871c0e0cd..a0a636328b 100644 --- a/doc/apps/pkcs7.pod +++ b/doc/apps/pkcs7.pod @@ -14,6 +14,7 @@ B<openssl> B<pkcs7> [B<-print_certs>] [B<-text>] [B<-noout>] +[B<-engine id>] =head1 DESCRIPTION @@ -59,6 +60,13 @@ issuer names. don't output the encoded version of the PKCS#7 structure (or certificates is B<-print_certs> is set). +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 EXAMPLES diff --git a/doc/apps/pkcs8.pod b/doc/apps/pkcs8.pod index a56b2dd002..68ecd65b10 100644 --- a/doc/apps/pkcs8.pod +++ b/doc/apps/pkcs8.pod @@ -21,6 +21,7 @@ B<openssl> B<pkcs8> [B<-nsdb>] [B<-v2 alg>] [B<-v1 alg>] +[B<-engine id>] =head1 DESCRIPTION @@ -122,6 +123,13 @@ B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used. This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete list of possible algorithms is included below. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 NOTES diff --git a/doc/apps/req.pod b/doc/apps/req.pod index d9f2476557..e2b5d0d8ec 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod @@ -41,6 +41,7 @@ B<openssl> B<req> [B<-nameopt>] [B<-batch>] [B<-verbose>] +[B<-engine id>] =head1 DESCRIPTION @@ -244,6 +245,13 @@ non-interactive mode. print extra details about the operations being performed. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 CONFIGURATION FILE FORMAT diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod index ef74f1adff..4d7640995e 100644 --- a/doc/apps/rsa.pod +++ b/doc/apps/rsa.pod @@ -24,6 +24,7 @@ B<openssl> B<rsa> [B<-check>] [B<-pubin>] [B<-pubout>] +[B<-engine id>] =head1 DESCRIPTION @@ -117,6 +118,13 @@ by default a private key is output: with this option a public key will be output instead. This option is automatically set if the input is a public key. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =back =head1 NOTES diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 7fca9cbdbd..47dc93cb3f 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -33,6 +33,7 @@ B<openssl> B<s_client> [B<-no_tls1>] [B<-bugs>] [B<-cipher cipherlist>] +[B<-starttls protocol>] [B<-engine id>] [B<-rand file(s)>] @@ -163,6 +164,12 @@ the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the B<ciphers> command for more information. +=item B<-starttls protocol> + +send the protocol-specific message(s) to switch to TLS for communication. +B<protocol> is a keyword for the intended protocol. Currently, the only +supported keyword is "smtp". + =item B<-engine id> specifying an engine (by it's unique B<id> string) will cause B<s_client> diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 4b1e4260ef..1d21921e47 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -42,6 +42,7 @@ B<openssl> B<s_server> [B<-WWW>] [B<-HTTP>] [B<-engine id>] +[B<-id_prefix arg>] [B<-rand file(s)>] =head1 DESCRIPTION @@ -209,6 +210,13 @@ to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. +=item B<-id_prefix arg> + +generate SSL/TLS session IDs prefixed by B<arg>. This is mostly useful +for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple +servers, when each of which might be generating a unique range of session +IDs (eg. with a certain prefix). + =item B<-rand file(s)> a file or files containing random data used to seed the random number diff --git a/doc/apps/spkac.pod b/doc/apps/spkac.pod index bb84dfbe33..c3f1ff9c64 100644 --- a/doc/apps/spkac.pod +++ b/doc/apps/spkac.pod @@ -17,7 +17,7 @@ B<openssl> B<spkac> [B<-spksect section>] [B<-noout>] [B<-verify>] - +[B<-engine id>] =head1 DESCRIPTION @@ -79,6 +79,12 @@ being created). verifies the digital signature on the supplied SPKAC. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. =back diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index f044177835..50343cd685 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -50,6 +50,7 @@ B<openssl> B<x509> [B<-clrext>] [B<-extfile filename>] [B<-extensions section>] +[B<-engine id>] =head1 DESCRIPTION @@ -98,6 +99,12 @@ digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not specified then MD5 is used. If the key being used to sign with is a DSA key then this option has no effect: SHA1 is always used with DSA keys. +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<req> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. =back diff --git a/doc/crypto/ASN1_generate_nconf.pod b/doc/crypto/ASN1_generate_nconf.pod index b4c89377f6..ba6e3c2e81 100644 --- a/doc/crypto/ASN1_generate_nconf.pod +++ b/doc/crypto/ASN1_generate_nconf.pod @@ -97,7 +97,7 @@ bits is set to zero. =item B<UNIVERSALSTRING>, B<UNIV>, B<IA5>, B<IA5STRING>, B<UTF8>, B<UTF8String>, B<BMP>, B<BMPSTRING>, B<VISIBLESTRING>, B<VISIBLE>, B<PRINTABLESTRING>, B<PRINTABLE>, B<T61>, -B<T61STRING>, B<TELETEXSTRING> +B<T61STRING>, B<TELETEXSTRING>, B<GeneralString> These encode the corresponding string types. B<value> represents the contents of this structure. The format can be B<ASCII> or B<UTF8>. diff --git a/doc/crypto/BIO_f_cipher.pod b/doc/crypto/BIO_f_cipher.pod index 4182f2c309..02439cea94 100644 --- a/doc/crypto/BIO_f_cipher.pod +++ b/doc/crypto/BIO_f_cipher.pod @@ -28,7 +28,7 @@ BIO_flush() on an encryption BIO that is being written through is used to signal that no more data is to be encrypted: this is used to flush and possibly pad the final block through the BIO. -BIO_set_cipher() sets the cipher of BIO <b> to B<cipher> using key B<key> +BIO_set_cipher() sets the cipher of BIO B<b> to B<cipher> using key B<key> and IV B<iv>. B<enc> should be set to 1 for encryption and zero for decryption. diff --git a/doc/crypto/EVP_SealInit.pod b/doc/crypto/EVP_SealInit.pod index 25ef07f7c7..b5e477e294 100644 --- a/doc/crypto/EVP_SealInit.pod +++ b/doc/crypto/EVP_SealInit.pod @@ -18,22 +18,28 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption =head1 DESCRIPTION The EVP envelope routines are a high level interface to envelope -encryption. They generate a random key and then "envelope" it by -using public key encryption. Data can then be encrypted using this -key. +encryption. They generate a random key and IV (if required) then +"envelope" it by using public key encryption. Data can then be +encrypted using this key. EVP_SealInit() initializes a cipher context B<ctx> for encryption -with cipher B<type> using a random secret key and IV supplied in -the B<iv> parameter. B<type> is normally supplied by a function such -as EVP_des_cbc(). The secret key is encrypted using one or more public -keys, this allows the same encrypted data to be decrypted using any -of the corresponding private keys. B<ek> is an array of buffers where -the public key encrypted secret key will be written, each buffer must -contain enough room for the corresponding encrypted key: that is +with cipher B<type> using a random secret key and IV. B<type> is normally +supplied by a function such as EVP_des_cbc(). The secret key is encrypted +using one or more public keys, this allows the same encrypted data to be +decrypted using any of the corresponding private keys. B<ek> is an array of +buffers where the public key encrypted secret key will be written, each buffer +must contain enough room for the corresponding encrypted key: that is B<ek[i]> must have room for B<EVP_PKEY_size(pubk[i])> bytes. The actual size of each encrypted secret key is written to the array B<ekl>. B<pubk> is an array of B<npubk> public keys. +The B<iv> parameter is a buffer where the generated IV is written to. It must +contain enough room for the corresponding cipher's IV, as determined by (for +example) EVP_CIPHER_iv_length(type). + +If the cipher does not require an IV then the B<iv> parameter is ignored +and can be B<NULL>. + EVP_SealUpdate() and EVP_SealFinal() have exactly the same properties as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual diff --git a/doc/crypto/PKCS7_sign.pod b/doc/crypto/PKCS7_sign.pod index fc7e649b34..ffd0c734b0 100644 --- a/doc/crypto/PKCS7_sign.pod +++ b/doc/crypto/PKCS7_sign.pod @@ -51,6 +51,24 @@ If present the SMIMECapabilities attribute indicates support for the following algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of these algorithms is disabled then it will not be included. +If the flags B<PKCS7_PARTSIGN> is set then the returned B<PKCS7> structure +is just initialized ready to perform the signing operation. The signing +is however B<not> performed and the data to be signed is not read from +the B<data> parameter. Signing is deferred until after the data has been +written. In this way data can be signed in a single pass. Currently the +flag B<PKCS7_DETACHED> B<must> also be set. + +=head1 NOTES + +Currently the flag B<PKCS7_PARTSIGN> is only supported for detached +data. If this flag is set the returned B<PKCS7> structure is B<not> +complete and outputting its contents via a function that does not +properly finalize the B<PKCS7> structure will give unpredictable +results. + +At present only the SMIME_write_PKCS7() function properly finalizes the +structure. + =head1 BUGS PKCS7_sign() is somewhat limited. It does not support multiple signers, some @@ -64,10 +82,6 @@ signed due to memory restraints. There should be a way to sign data without having to hold it all in memory, this would however require fairly major revisions of the OpenSSL ASN1 code. -Clear text signing does not store the content in memory but the way PKCS7_sign() -operates means that two passes of the data must typically be made: one to compute -the signatures and a second to output the data along with the signature. There -should be a way to process the data with only a single pass. =head1 RETURN VALUES @@ -82,4 +96,6 @@ L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_verify(3)|PKCS7_verify(3)> PKCS7_sign() was added to OpenSSL 0.9.5 +The B<PKCS7_PARTSIGN> flag was added in OpenSSL 0.9.8 + =cut diff --git a/doc/crypto/SMIME_write_PKCS7.pod b/doc/crypto/SMIME_write_PKCS7.pod index 2cfad2e049..61945b3887 100644 --- a/doc/crypto/SMIME_write_PKCS7.pod +++ b/doc/crypto/SMIME_write_PKCS7.pod @@ -30,18 +30,20 @@ If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are added to the content, this only makes sense if B<PKCS7_DETACHED> is also set. -If cleartext signing is being used then the data must be read twice: -once to compute the signature in PKCS7_sign() and once to output the -S/MIME message. +If the B<PKCS7_PARTSIGN> flag is set the signed data is finalized +and output along with the content. This flag should only be set +if B<PKCS7_DETACHED> is also set and the previous call to PKCS7_sign() +also set these flags. + +If cleartext signing is being used and B<PKCS7_PARTSIGN> not set then +the data must be read twice: once to compute the signature in PKCS7_sign() +and once to output the S/MIME message. =head1 BUGS SMIME_write_PKCS7() always base64 encodes PKCS#7 structures, there should be an option to disable this. -There should really be a way to produce cleartext signing using only -a single pass of the data. - =head1 RETURN VALUES SMIME_write_PKCS7() returns 1 for success or 0 for failure. diff --git a/doc/crypto/engine.pod b/doc/crypto/engine.pod index 61e0264bb7..c77dad5562 100644 --- a/doc/crypto/engine.pod +++ b/doc/crypto/engine.pod @@ -187,7 +187,7 @@ tell which one you are dealing with at any given point in time (after all they are both simply (ENGINE *) pointers, the difference is in the way they are used). -=head3 Structural references +I<Structural references> This basic type of reference is typically used for creating new ENGINEs dynamically, iterating across OpenSSL's internal linked-list of loaded @@ -224,7 +224,7 @@ To clarify a particular function's handling of references, one should always consult that function's documentation "man" page, or failing that the openssl/engine.h header file includes some hints. -=head3 Functional references +I<Functional references> As mentioned, functional references exist when the cryptographic functionality of an ENGINE is required to be available. A functional @@ -386,7 +386,7 @@ things, so we will simply illustrate the consequences as they apply to a couple of simple cases and leave developers to consider these and the source code to openssl's builtin utilities as guides. -=head3 Using a specific ENGINE implementation +I<Using a specific ENGINE implementation> Here we'll assume an application has been configured by its user or admin to want to use the "ACME" ENGINE if it is available in the version of @@ -418,7 +418,7 @@ illustrates how to approach this; /* Release the structural reference from ENGINE_by_id() */ ENGINE_free(e); -=head3 Automatically using builtin ENGINE implementations +I<Automatically using builtin ENGINE implementations> Here we'll assume we want to load and register all ENGINE implementations bundled with OpenSSL, such that for any cryptographic algorithm required by @@ -469,7 +469,7 @@ in same cases both. ENGINE implementations should provide indications of this in the descriptions attached to builtin control commands and/or in external product documentation. -=head3 Issuing control commands to an ENGINE +I<Issuing control commands to an ENGINE> Let's illustrate by example; a function for which the caller supplies the name of the ENGINE it wishes to use, a table of string-pairs for use before @@ -526,7 +526,7 @@ return success without doing anything. In this case we assume the user is only supplying commands specific to the given ENGINE so we set this to FALSE. -=head3 Discovering supported control commands +I<Discovering supported control commands> It is possible to discover at run-time the names, numerical-ids, descriptions and input parameters of the control commands supported from a structural diff --git a/doc/ssl/SSL_CTX_free.pod b/doc/ssl/SSL_CTX_free.pod index 55e592f5f8..51d8676968 100644 --- a/doc/ssl/SSL_CTX_free.pod +++ b/doc/ssl/SSL_CTX_free.pod @@ -20,12 +20,22 @@ It also calls the free()ing procedures for indirectly affected items, if applicable: the session cache, the list of ciphers, the list of Client CAs, the certificates and keys. +=head1 WARNINGS + +If a session-remove callback is set (SSL_CTX_sess_set_remove_cb()), this +callback will be called for each session being freed from B<ctx>'s +session cache. This implies, that all corresponding sessions from an +external session cache are removed as well. If this is not desired, the user +should explicitly unset the callback by calling +SSL_CTX_sess_set_remove_cb(B<ctx>, NULL) prior to calling SSL_CTX_free(). + =head1 RETURN VALUES SSL_CTX_free() does not provide diagnostic information. =head1 SEE ALSO -L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<ssl(3)|ssl(3)> +L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<ssl(3)|ssl(3)>, +L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)> =cut diff --git a/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/doc/ssl/SSL_CTX_sess_set_get_cb.pod index 7c0b2baf6c..b9d54a40a1 100644 --- a/doc/ssl/SSL_CTX_sess_set_get_cb.pod +++ b/doc/ssl/SSL_CTX_sess_set_get_cb.pod @@ -60,10 +60,11 @@ B<sess>. If the callback returns B<0>, the session will be immediately removed again. The remove_session_cb() is called, whenever the SSL engine removes a session -from the internal cache. This happens if the session is removed because -it is expired or when a connection was not shutdown cleanly. The -remove_session_cb() is passed the B<ctx> and the ssl session B<sess>. -It does not provide any feedback. +from the internal cache. This happens when the session is removed because +it is expired or when a connection was not shutdown cleanly. It also happens +for all sessions in the internal session cache when +L<SSL_CTX_free(3)|SSL_CTX_free(3)> is called. The remove_session_cb() is passed +the B<ctx> and the ssl session B<sess>. It does not provide any feedback. The get_session_cb() is only called on SSL/TLS servers with the session id proposed by the client. The get_session_cb() is always called, also when @@ -80,6 +81,7 @@ L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>. L<ssl(3)|ssl(3)>, L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>, L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>, L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>, -L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> +L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>, +L<SSL_CTX_free(3)|SSL_CTX_free(3)> =cut diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index f5e2ec3555..766f0c9200 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -176,7 +176,7 @@ will send his list of preferences to the client and the client chooses. =item SSL_OP_NETSCAPE_CA_DN_BUG If we accept a netscape connection, demand a client cert, have a -non-self-sighed CA which does not have it's CA in netscape, and the +non-self-signed CA which does not have its CA in netscape, and the browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta =item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG diff --git a/doc/standards.txt b/doc/standards.txt index 44d263bd1a..edbe2f3a57 100644 --- a/doc/standards.txt +++ b/doc/standards.txt @@ -45,10 +45,6 @@ whole or at least great parts) in OpenSSL. 2315 PKCS 7: Cryptographic Message Syntax Version 1.5. B. Kaliski. March 1998. (Format: TXT=69679 bytes) (Status: INFORMATIONAL) -2437 PKCS #1: RSA Cryptography Specifications Version 2.0. B. Kaliski, - J. Staddon. October 1998. (Format: TXT=73529 bytes) (Obsoletes - RFC2313) (Status: INFORMATIONAL) - PKCS#8: Private-Key Information Syntax Standard PKCS#12: Personal Information Exchange Syntax Standard, version 1.0. @@ -87,6 +83,11 @@ PKCS#12: Personal Information Exchange Syntax Standard, version 1.0. Ford, D. Solo. April 2002. (Format: TXT=295556 bytes) (Obsoletes RFC2459) (Status: PROPOSED STANDARD) +3447 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography + Specifications Version 2.1. J. Jonsson, B. Kaliski. February 2003. + (Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status: + INFORMATIONAL) + Related: -------- @@ -184,7 +184,6 @@ extern "C" { #endif #ifdef WIN16 -# define OPENSSL_NO_FP_API # define MS_CALLBACK _far _loadds # define MS_FAR _far #else @@ -193,6 +192,7 @@ extern "C" { #endif #ifdef OPENSSL_NO_STDIO +# undef OPENSSL_NO_FP_API # define OPENSSL_NO_FP_API #endif @@ -200,6 +200,9 @@ extern "C" { /* Specials for I/O an exit */ +#ifdef OPENSSL_SYS_WIN16 +# define OPENSSL_NO_FP_API +#endif #ifdef OPENSSL_SYS_MSDOS # define OPENSSL_UNISTD_IO <io.h> # define OPENSSL_DECLARE_EXIT extern void exit(int); diff --git a/engines/.cvsignore b/engines/.cvsignore index bb22714f15..d7169dd1f3 100644 --- a/engines/.cvsignore +++ b/engines/.cvsignore @@ -1,2 +1,3 @@ Makefile.save +lib libs diff --git a/engines/Makefile.ssl b/engines/Makefile.ssl index d20f2bdab0..6a010e05d6 100644 --- a/engines/Makefile.ssl +++ b/engines/Makefile.ssl @@ -27,12 +27,13 @@ TEST= APPS= LIB=$(TOP)/libcrypto.a -LIBNAMES= 4758_cca aep atalla cswift ncipher nuron sureware ubsec +LIBNAMES= 4758_cca aep atalla cswift gmp ncipher nuron sureware ubsec LIBSRC= e_4758_cca.c \ e_aep.c \ e_atalla.c \ e_cswift.c \ + e_gmp.c \ e_ncipher.c \ e_nuron.c \ e_sureware.c \ @@ -41,6 +42,7 @@ LIBOBJ= e_4758_cca.o \ e_aep.o \ e_atalla.o \ e_cswift.o \ + e_gmp.o \ e_ncipher.o \ e_nuron.o \ e_sureware.o \ @@ -53,6 +55,7 @@ HEADER= e_4758_cca_err.c e_4758_cca_err.h \ e_aep_err.c e_aep_err.h \ e_atalla_err.c e_atalla_err.h \ e_cswift_err.c e_cswift_err.h \ + e_gmp_err.c e_gmp_err.h \ e_ncipher_err.c e_ncipher_err.h \ e_nuron_err.c e_nuron_err.h \ e_sureware_err.c e_sureware_err.h \ @@ -181,6 +184,18 @@ e_cswift.o: ../include/openssl/rand.h ../include/openssl/rsa.h e_cswift.o: ../include/openssl/safestack.h ../include/openssl/stack.h e_cswift.o: ../include/openssl/symhacks.h ../include/openssl/ui.h e_cswift.c e_cswift.o: e_cswift_err.c e_cswift_err.h vendor_defns/cswift.h +e_gmp.o: ../include/openssl/asn1.h ../include/openssl/bio.h +e_gmp.o: ../include/openssl/bn.h ../include/openssl/buffer.h +e_gmp.o: ../include/openssl/crypto.h ../include/openssl/dh.h +e_gmp.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +e_gmp.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +e_gmp.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +e_gmp.o: ../include/openssl/err.h ../include/openssl/lhash.h +e_gmp.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +e_gmp.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h +e_gmp.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +e_gmp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +e_gmp.o: ../include/openssl/ui.h e_gmp.c e_ncipher.o: ../include/openssl/asn1.h ../include/openssl/bio.h e_ncipher.o: ../include/openssl/bn.h ../include/openssl/buffer.h e_ncipher.o: ../include/openssl/crypto.h ../include/openssl/dh.h diff --git a/ms/mingw32.bat b/ms/mingw32.bat index 1968f4150b..8c7c63e0f2 100644 --- a/ms/mingw32.bat +++ b/ms/mingw32.bat @@ -1,7 +1,7 @@ @rem OpenSSL with Mingw32+GNU as
@rem ---------------------------
-perl Configure Mingw32 %1 %2 %3 %4 %5 %6 %7 %8
+perl Configure mingw %1 %2 %3 %4 %5 %6 %7 %8
@echo off
@@ -66,21 +66,16 @@ cd ..\..\.. echo Generating makefile
perl util\mkfiles.pl >MINFO
perl util\mk1mf.pl gaswin Mingw32 >ms\mingw32a.mak
-perl util\mk1mf.pl gaswin Mingw32-files >ms\mingw32f.mak
echo Generating DLL definition files
perl util\mkdef.pl 32 libeay >ms\libeay32.def
if errorlevel 1 goto end
perl util\mkdef.pl 32 ssleay >ms\ssleay32.def
if errorlevel 1 goto end
-rem Create files -- this can be skipped if using the GNU file utilities
-make -f ms/mingw32f.mak
-echo You can ignore the error messages above
-
-copy ms\tlhelp32.h outinc
+rem copy ms\tlhelp32.h outinc
echo Building the libraries
-make -f ms/mingw32a.mak
+mingw32-make -f ms/mingw32a.mak
if errorlevel 1 goto end
echo Generating the DLLs and input libraries
@@ -4,17 +4,12 @@ @rem Makefile
perl util\mkfiles.pl >MINFO
perl util\mk1mf.pl Mingw32 >ms\mingw32.mak
-perl util\mk1mf.pl Mingw32-files >ms\mingw32f.mak
@rem DLL definition files
perl util\mkdef.pl 32 libeay >ms\libeay32.def
if errorlevel 1 goto end
perl util\mkdef.pl 32 ssleay >ms\ssleay32.def
if errorlevel 1 goto end
-@rem Create files -- this can be skipped if using the GNU file utilities
-make -f ms/mingw32f.mak
-echo You can ignore the error messages above
-
@rem Build the libraries
make -f ms/mingw32.mak
if errorlevel 1 goto end
diff --git a/ms/test.bat b/ms/test.bat index 8f69194283..c3a1b0c28d 100755 --- a/ms/test.bat +++ b/ms/test.bat @@ -67,6 +67,10 @@ echo dsatest dsatest
if errorlevel 1 goto done
+echo ectest
+ectest
+if errorlevel 1 goto done
+
echo testenc
call %test%\testenc openssl
if errorlevel 1 goto done
diff --git a/shlib/svr5-shared-gcc.sh b/shlib/svr5-shared-gcc.sh index 76957df947..c5d0cc56ac 100755 --- a/shlib/svr5-shared-gcc.sh +++ b/shlib/svr5-shared-gcc.sh @@ -1,7 +1,7 @@ #!/usr/bin/sh major="0" -minor="9.7" +minor="9.7b" slib=libssl sh_slib=$slib.so.$major.$minor diff --git a/shlib/svr5-shared-installed b/shlib/svr5-shared-installed index 544f5a9417..b1def35d5c 100755 --- a/shlib/svr5-shared-installed +++ b/shlib/svr5-shared-installed @@ -1,7 +1,7 @@ #!/usr/bin/sh major="0" -minor="9.7" +minor="9.7b" slib=libssl sh_slib=$slib.so.$major.$minor @@ -25,4 +25,3 @@ rm -f $INSTALLTOP/$slib.so ln -s $INSTALLTOP/$sh_slib $slib.so cd $PWD - diff --git a/shlib/svr5-shared.sh b/shlib/svr5-shared.sh index a70bb65baa..9edf26e9a7 100755 --- a/shlib/svr5-shared.sh +++ b/shlib/svr5-shared.sh @@ -1,7 +1,7 @@ #!/usr/bin/sh major="0" -minor="9.7" +minor="9.7b" slib=libssl sh_slib=$slib.so.$major.$minor diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index 467e149947..d683ee43e1 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -403,6 +403,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr) { BIO_free_all(ssl->wbio); } + if (b->next_bio != NULL) + { + CRYPTO_add(&b->next_bio->references,1,CRYPTO_LOCK_BIO); + } ssl->wbio=NULL; ssl->rbio=NULL; break; @@ -509,6 +513,7 @@ static int ssl_puts(BIO *bp, const char *str) BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx) { +#ifndef OPENSSL_NO_SOCK BIO *ret=NULL,*buf=NULL,*ssl=NULL; if ((buf=BIO_new(BIO_f_buffer())) == NULL) @@ -521,6 +526,7 @@ BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx) err: if (buf != NULL) BIO_free(buf); if (ssl != NULL) BIO_free(ssl); +#endif return(NULL); } diff --git a/ssl/kssl.c b/ssl/kssl.c index 327b92f33b..a80f5b2f74 100644 --- a/ssl/kssl.c +++ b/ssl/kssl.c @@ -70,6 +70,7 @@ #define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */ #include <time.h> +#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */ #include <string.h> #include <openssl/ssl.h> diff --git a/ssl/s3_both.c b/ssl/s3_both.c index a17b87273a..94df0e5c6c 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -273,6 +273,13 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) X509_STORE_CTX xs_ctx; X509_OBJECT obj; + int no_chain; + + if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) + no_chain = 1; + else + no_chain = 0; + /* TLSv1 sends a chain with nothing in it, instead of an alert */ buf=s->init_buf; if (!BUF_MEM_grow_clean(buf,10)) @@ -282,7 +289,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) } if (x != NULL) { - if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL)) + if(!no_chain && !X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL)) { SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB); return(0); @@ -300,6 +307,10 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) l2n3(n,p); i2d_X509(x,&p); l+=n+3; + + if (no_chain) + break; + if (X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)) == 0) break; @@ -311,8 +322,8 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) * ref count */ X509_free(x); } - - X509_STORE_CTX_cleanup(&xs_ctx); + if (!no_chain) + X509_STORE_CTX_cleanup(&xs_ctx); } /* Thawte special :-) */ diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 477b681645..211dd03b11 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -785,7 +785,7 @@ static int ssl3_get_server_certificate(SSL *s) STACK_OF(X509) *sk=NULL; SESS_CERT *sc; EVP_PKEY *pkey=NULL; - int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ + int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ n=ssl3_get_message(s, SSL3_ST_CR_CERT_A, @@ -860,10 +860,10 @@ static int ssl3_get_server_certificate(SSL *s) i=ssl_verify_cert_chain(s,sk); if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) #ifndef OPENSSL_NO_KRB5 - && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) - != (SSL_aKRB5|SSL_kKRB5) + && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) + != (SSL_aKRB5|SSL_kKRB5) #endif /* OPENSSL_NO_KRB5 */ - ) + ) { al=ssl_verify_alarm_type(s->verify_result); SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); @@ -886,16 +886,16 @@ static int ssl3_get_server_certificate(SSL *s) pkey=X509_get_pubkey(x); - /* VRS: allow null cert if auth == KRB5 */ - need_cert = ((s->s3->tmp.new_cipher->algorithms - & (SSL_MKEY_MASK|SSL_AUTH_MASK)) - == (SSL_aKRB5|SSL_kKRB5))? 0: 1; + /* VRS: allow null cert if auth == KRB5 */ + need_cert = ((s->s3->tmp.new_cipher->algorithms + & (SSL_MKEY_MASK|SSL_AUTH_MASK)) + == (SSL_aKRB5|SSL_kKRB5))? 0: 1; #ifdef KSSL_DEBUG printf("pkey,x = %p, %p\n", pkey,x); printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name, - s->s3->tmp.new_cipher->algorithms, need_cert); + s->s3->tmp.new_cipher->algorithms, need_cert); #endif /* KSSL_DEBUG */ if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) @@ -917,31 +917,31 @@ static int ssl3_get_server_certificate(SSL *s) goto f_err; } - if (need_cert) - { - sc->peer_cert_type=i; - CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); - /* Why would the following ever happen? - * We just created sc a couple of lines ago. */ - if (sc->peer_pkeys[i].x509 != NULL) - X509_free(sc->peer_pkeys[i].x509); - sc->peer_pkeys[i].x509=x; - sc->peer_key= &(sc->peer_pkeys[i]); - - if (s->session->peer != NULL) - X509_free(s->session->peer); - CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); - s->session->peer=x; - } - else - { - sc->peer_cert_type=i; - sc->peer_key= NULL; - - if (s->session->peer != NULL) - X509_free(s->session->peer); - s->session->peer=NULL; - } + if (need_cert) + { + sc->peer_cert_type=i; + CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); + /* Why would the following ever happen? + * We just created sc a couple of lines ago. */ + if (sc->peer_pkeys[i].x509 != NULL) + X509_free(sc->peer_pkeys[i].x509); + sc->peer_pkeys[i].x509=x; + sc->peer_key= &(sc->peer_pkeys[i]); + + if (s->session->peer != NULL) + X509_free(s->session->peer); + CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); + s->session->peer=x; + } + else + { + sc->peer_cert_type=i; + sc->peer_key= NULL; + + if (s->session->peer != NULL) + X509_free(s->session->peer); + s->session->peer=NULL; + } s->session->verify_result = s->verify_result; x=NULL; @@ -1574,6 +1574,19 @@ static int ssl3_get_server_done(SSL *s) return(ret); } + +static const int KDF1_SHA1_len = 20; +static void *KDF1_SHA1(void *in, size_t inlen, void *out, size_t outlen) + { +#ifndef OPENSSL_NO_SHA + if (outlen != SHA_DIGEST_LENGTH) + return NULL; + return SHA1(in, inlen, out); +#else + return NULL; +#endif + } + static int ssl3_send_client_key_exchange(SSL *s) { unsigned char *p,*d; @@ -1584,7 +1597,7 @@ static int ssl3_send_client_key_exchange(SSL *s) EVP_PKEY *pkey=NULL; #endif #ifndef OPENSSL_NO_KRB5 - KSSL_ERR kssl_err; + KSSL_ERR kssl_err; #endif /* OPENSSL_NO_KRB5 */ #ifndef OPENSSL_NO_ECDH EC_KEY *clnt_ecdh = NULL; @@ -1602,8 +1615,8 @@ static int ssl3_send_client_key_exchange(SSL *s) l=s->s3->tmp.new_cipher->algorithms; - /* Fool emacs indentation */ - if (0) {} + /* Fool emacs indentation */ + if (0) {} #ifndef OPENSSL_NO_RSA else if (l & SSL_kRSA) { @@ -1665,12 +1678,12 @@ static int ssl3_send_client_key_exchange(SSL *s) #endif #ifndef OPENSSL_NO_KRB5 else if (l & SSL_kKRB5) - { - krb5_error_code krb5rc; - KSSL_CTX *kssl_ctx = s->kssl_ctx; - /* krb5_data krb5_ap_req; */ - krb5_data *enc_ticket; - krb5_data authenticator, *authp = NULL; + { + krb5_error_code krb5rc; + KSSL_CTX *kssl_ctx = s->kssl_ctx; + /* krb5_data krb5_ap_req; */ + krb5_data *enc_ticket; + krb5_data authenticator, *authp = NULL; EVP_CIPHER_CTX ciph_ctx; EVP_CIPHER *enc = NULL; unsigned char iv[EVP_MAX_IV_LENGTH]; @@ -1682,8 +1695,8 @@ static int ssl3_send_client_key_exchange(SSL *s) EVP_CIPHER_CTX_init(&ciph_ctx); #ifdef KSSL_DEBUG - printf("ssl3_send_client_key_exchange(%lx & %lx)\n", - l, SSL_kKRB5); + printf("ssl3_send_client_key_exchange(%lx & %lx)\n", + l, SSL_kKRB5); #endif /* KSSL_DEBUG */ authp = NULL; @@ -1691,37 +1704,37 @@ static int ssl3_send_client_key_exchange(SSL *s) if (KRB5SENDAUTH) authp = &authenticator; #endif /* KRB5SENDAUTH */ - krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, + krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, &kssl_err); enc = kssl_map_enc(kssl_ctx->enctype); - if (enc == NULL) - goto err; + if (enc == NULL) + goto err; #ifdef KSSL_DEBUG - { - printf("kssl_cget_tkt rtn %d\n", krb5rc); - if (krb5rc && kssl_err.text) + { + printf("kssl_cget_tkt rtn %d\n", krb5rc); + if (krb5rc && kssl_err.text) printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); - } + } #endif /* KSSL_DEBUG */ - if (krb5rc) - { - ssl3_send_alert(s,SSL3_AL_FATAL, + if (krb5rc) + { + ssl3_send_alert(s,SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, kssl_err.reason); - goto err; - } + goto err; + } /* 20010406 VRS - Earlier versions used KRB5 AP_REQ ** in place of RFC 2712 KerberosWrapper, as in: ** - ** Send ticket (copy to *p, set n = length) - ** n = krb5_ap_req.length; - ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); - ** if (krb5_ap_req.data) - ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); - ** + ** Send ticket (copy to *p, set n = length) + ** n = krb5_ap_req.length; + ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); + ** if (krb5_ap_req.data) + ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); + ** ** Now using real RFC 2712 KerberosWrapper ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) ** Note: 2712 "opaque" types are here replaced @@ -1786,14 +1799,14 @@ static int ssl3_send_client_key_exchange(SSL *s) p+=outl; n+=outl + 2; - s->session->master_key_length= - s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key_length= + s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); OPENSSL_cleanse(epms, outl); - } + } #endif #ifndef OPENSSL_NO_DH else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) @@ -1928,7 +1941,7 @@ static int ssl3_send_client_key_exchange(SSL *s) clnt_ecdh->group = srvr_group; if (ecdh_clnt_cert) { - /* Reuse key info from our certificate + /* Reuse key info from our certificate * We only need our private key to perform * the ECDH computation. */ @@ -1945,25 +1958,25 @@ static int ssl3_send_client_key_exchange(SSL *s) } } - /* use the 'p' output buffer for the ECDH key, but - * make sure to clear it out afterwards + /* use the 'p' output buffer for the ECDH key, but + * make sure to clear it out afterwards */ - n=ECDH_compute_key(p, srvr_ecpoint, clnt_ecdh); + n=ECDH_compute_key(p, KDF1_SHA1_len, srvr_ecpoint, clnt_ecdh, KDF1_SHA1); if (n <= 0) - { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, + { + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); - goto err; + goto err; } - /* generate master key from the result */ - s->session->master_key_length = s->method->ssl3_enc \ + /* generate master key from the result */ + s->session->master_key_length = s->method->ssl3_enc \ -> generate_master_secret(s, s->session->master_key, p, n); - memset(p, 0, n); /* clean up */ + memset(p, 0, n); /* clean up */ if (ecdh_clnt_cert) { @@ -1999,7 +2012,7 @@ static int ssl3_send_client_key_exchange(SSL *s) encodedPoint, encoded_pt_len, bn_ctx); *p = n; /* length of encoded point */ - /* Encoded point will be copied here */ + /* Encoded point will be copied here */ p += 1; /* copy the point */ memcpy((unsigned char *)p, encodedPoint, n); @@ -2012,7 +2025,7 @@ static int ssl3_send_client_key_exchange(SSL *s) if (encodedPoint != NULL) OPENSSL_free(encodedPoint); if (clnt_ecdh != NULL) { - /* group is shared */ + /* group is shared */ clnt_ecdh->group = NULL; EC_KEY_free(clnt_ecdh); } @@ -2049,7 +2062,7 @@ err: clnt_ecdh->group = NULL; EC_KEY_free(clnt_ecdh); } - EVP_PKEY_free(srvr_pub_pkey); + EVP_PKEY_free(srvr_pub_pkey); #endif return(-1); } diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 35fde29c8a..559924d368 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -474,6 +474,7 @@ int ssl3_enc(SSL *s, int send) ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); return 0; } + /* otherwise, rec->length >= bs */ } EVP_Cipher(ds,rec->data,rec->input,l); @@ -482,7 +483,7 @@ int ssl3_enc(SSL *s, int send) { i=rec->data[l-1]+1; /* SSL 3.0 bounds the number of padding bytes by the block size; - * padding bytes (except that last) are arbitrary */ + * padding bytes (except the last one) are arbitrary */ if (i > bs) { /* Incorrect padding. SSLerr() and ssl3_alert are done @@ -491,6 +492,7 @@ int ssl3_enc(SSL *s, int send) * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ return -1; } + /* now i <= bs <= rec->length */ rec->length-=i; } } diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 6ccea9aee5..3f88429e79 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -238,6 +238,8 @@ static int ssl3_get_record(SSL *s) unsigned int mac_size; int clear=0; size_t extra; + int decryption_failed_or_bad_record_mac = 0; + unsigned char *mac = NULL; rr= &(s->s3->rrec); sess=s->session; @@ -353,8 +355,11 @@ again: /* SSLerr() and ssl3_send_alert() have been called */ goto err; - /* otherwise enc_err == -1 */ - goto decryption_failed_or_bad_record_mac; + /* Otherwise enc_err == -1, which indicates bad padding + * (rec->length has not been changed in this case). + * To minimize information leaked via timing, we will perform + * the MAC computation anyway. */ + decryption_failed_or_bad_record_mac = 1; } #ifdef TLS_DEBUG @@ -380,28 +385,46 @@ printf("\n"); SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); goto f_err; #else - goto decryption_failed_or_bad_record_mac; + decryption_failed_or_bad_record_mac = 1; #endif } /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ - if (rr->length < mac_size) + if (rr->length >= mac_size) { + rr->length -= mac_size; + mac = &rr->data[rr->length]; + } + else + { + /* record (minus padding) is too short to contain a MAC */ #if 0 /* OK only for stream ciphers */ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; #else - goto decryption_failed_or_bad_record_mac; + decryption_failed_or_bad_record_mac = 1; + rr->length = 0; #endif } - rr->length-=mac_size; i=s->method->ssl3_enc->mac(s,md,0); - if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0) + if (mac == NULL || memcmp(md, mac, mac_size) != 0) { - goto decryption_failed_or_bad_record_mac; + decryption_failed_or_bad_record_mac = 1; } } + if (decryption_failed_or_bad_record_mac) + { + /* A separate 'decryption_failed' alert was introduced with TLS 1.0, + * SSL 3.0 only has 'bad_record_mac'. But unless a decryption + * failure is directly visible from the ciphertext anyway, + * we should not reveal which kind of error occured -- this + * might become visible to an attacker (e.g. via a logfile) */ + al=SSL_AD_BAD_RECORD_MAC; + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); + goto f_err; + } + /* r->length is now just compressed */ if (s->expand != NULL) { @@ -443,14 +466,6 @@ printf("\n"); return(1); -decryption_failed_or_bad_record_mac: - /* Separate 'decryption_failed' alert was introduced with TLS 1.0, - * SSL 3.0 only has 'bad_record_mac'. But unless a decryption - * failure is directly visible from the ciphertext anyway, - * we should not reveal which kind of error occured -- this - * might become visible to an attacker (e.g. via logfile) */ - al=SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 3db3e78d5e..e941068416 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -1577,6 +1577,19 @@ err: return(-1); } + +static const int KDF1_SHA1_len = 20; +static void *KDF1_SHA1(void *in, size_t inlen, void *out, size_t outlen) + { +#ifndef OPENSSL_NO_SHA + if (outlen != SHA_DIGEST_LENGTH) + return NULL; + return SHA1(in, inlen, out); +#else + return NULL; +#endif + } + static int ssl3_get_client_key_exchange(SSL *s) { int i,al,ok; @@ -1671,7 +1684,7 @@ static int ssl3_get_client_key_exchange(SSL *s) if (i != SSL_MAX_MASTER_KEY_LENGTH) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); + /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ } if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) @@ -1687,30 +1700,28 @@ static int ssl3_get_client_key_exchange(SSL *s) (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); - goto f_err; + /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ + + /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack + * (http://eprint.iacr.org/2003/052/) exploits the version + * number check as a "bad version oracle" -- an alert would + * reveal that the plaintext corresponding to some ciphertext + * made up by the adversary is properly formatted except + * that the version number is wrong. To avoid such attacks, + * we should treat this just like any other decryption error. */ } } if (al != -1) { -#if 0 - goto f_err; -#else /* Some decryption failure -- use random value instead as countermeasure * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding - * (see RFC 2246, section 7.4.7.1). - * But note that due to length and protocol version checking, the - * attack is impractical anyway (see section 5 in D. Bleichenbacher: - * "Chosen Ciphertext Attacks Against Protocols Based on the RSA - * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12). - */ + * (see RFC 2246, section 7.4.7.1). */ ERR_clear_error(); i = SSL_MAX_MASTER_KEY_LENGTH; p[0] = s->client_version >> 8; p[1] = s->client_version & 0xff; RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ -#endif } s->session->master_key_length= @@ -2047,7 +2058,7 @@ static int ssl3_get_client_key_exchange(SSL *s) } /* Compute the shared pre-master secret */ - i = ECDH_compute_key(p, clnt_ecpoint, srvr_ecdh); + i = ECDH_compute_key(p, KDF1_SHA1_len, clnt_ecpoint, srvr_ecdh, KDF1_SHA1); if (i <= 0) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, @@ -529,6 +529,8 @@ typedef struct ssl_session_st /* Never bother the application with retries if the transport * is blocking: */ #define SSL_MODE_AUTO_RETRY 0x00000004L +/* Don't attempt to automatically build certificate chain */ +#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, @@ -1241,14 +1243,12 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM t STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, const char *file); -#ifndef OPENSSL_SYS_WIN32 #ifndef OPENSSL_SYS_VMS #ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, const char *dir); #endif #endif -#endif #endif @@ -1266,6 +1266,7 @@ void SSL_copy_session_id(SSL *to,SSL *from); SSL_SESSION *SSL_SESSION_new(void); unsigned long SSL_SESSION_hash(SSL_SESSION *a); int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b); +const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len); #ifndef OPENSSL_NO_FP_API int SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses); #endif diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index b0e20ed941..144b90dd17 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -810,7 +810,7 @@ err: #endif #endif -#else +#else /* OPENSSL_SYS_WIN32 */ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *dir) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 68c7ae7b6e..ea76cf1172 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2047,6 +2047,7 @@ SSL *SSL_dup(SSL *s) * they should not both point to the same object, * and thus we can't use SSL_copy_session_id. */ + ret->method->ssl_free(ret); ret->method = s->method; ret->method->ssl_new(ret); diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index fbc30b94e6..b4fb90448f 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -127,6 +127,13 @@ SSL_SESSION *SSL_SESSION_new(void) return(ss); } +const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) + { + if(len) + *len = s->session_id_length; + return s->session_id; + } + /* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1 * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly * until we have no conflict is going to complete in one iteration pretty much diff --git a/ssl/ssltest.c b/ssl/ssltest.c index fc27f018d1..a304398b9f 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -133,7 +133,9 @@ #include <openssl/evp.h> #include <openssl/x509.h> #include <openssl/ssl.h> +#ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> +#endif #include <openssl/err.h> #include <openssl/rand.h> @@ -145,7 +147,6 @@ #ifdef OPENSSL_SYS_WINDOWS #include <winsock.h> -#include "../crypto/bio/bss_file.c" #else #include OPENSSL_UNISTD #endif @@ -828,7 +829,9 @@ end: #ifndef OPENSSL_NO_RSA free_tmp_rsa(); #endif +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); ERR_remove_state(0); @@ -1594,7 +1597,7 @@ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength) (void)BIO_flush(bio_err); if(!RSA_generate_key_ex(rsa_tmp,keylength,RSA_F4,NULL)) { - BIO_printf(bio_err, "Error generating key.", keylength); + BIO_printf(bio_err, "Error generating key."); RSA_free(rsa_tmp); rsa_tmp = NULL; } diff --git a/test/CAss.cnf b/test/CAss.cnf index b941b7ae15..0884fee361 100644 --- a/test/CAss.cnf +++ b/test/CAss.cnf @@ -23,3 +23,52 @@ organizationName_value = Dodgy Brothers commonName = Common Name (eg, YOUR name) commonName_value = Dodgy CA + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = v3_ca # The extentions to add to the cert + +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = md5 # which md to use. +preserve = no # keep passed DN ordering + +policy = policy_anything + +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + + + +[ v3_ca ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = CA:true diff --git a/test/Makefile.ssl b/test/Makefile.ssl index 6d4d6292bc..2b61e6f007 100644 --- a/test/Makefile.ssl +++ b/test/Makefile.ssl @@ -11,10 +11,14 @@ INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP= /usr/local/ssl MAKEFILE= Makefile.ssl -MAKE= make -f $(MAKEFILE) +NEWMAKE= make +MAKE= $(NEWMAKE) -f $(MAKEFILE) MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) PERL= perl +# KRB5 stuff +KRB5_INCLUDES= +LIBKRB5= PEX_LIBS= EX_LIBS= #-lnsl -lsocket @@ -123,7 +127,11 @@ tests: exe apps $(TESTS) apps: @(cd ..; $(MAKE) DIRS=apps all) -SET_SO_PATHS=LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$$LIBPATH"; DYLD_LIBRARY_PATH="$$LIBPATH"; SHLIB_PATH="$$LIBPATH"; \ +SET_SO_PATHS=OSSL_LIBPATH="`cd ..; pwd`"; \ + LD_LIBRARY_PATH="$$OSSL_LIBPATH:$$LD_LIBRARY_PATH"; \ + DYLD_LIBRARY_PATH="$$OSSL_LIBPATH:$$DYLD_LIBRARY_PATH"; \ + SHLIB_PATH="$$OSSL_LIBPATH:$$SHLIB_PATH"; \ + LIBPATH="$$OSSL_LIBPATH:$$LIBPATH"; \ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="$${LIBPATH}:$$PATH"; fi; \ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH @@ -297,200 +305,452 @@ $(DLIBCRYPTO): (cd ..; $(MAKE) DIRS=crypto all) $(RSATEST): $(RSATEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(RSATEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(RSATEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(BNTEST): $(BNTEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(BNTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(BNTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(ECTEST): $(ECTEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(ECTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(ECTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(EXPTEST): $(EXPTEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(EXPTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(EXPTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(IDEATEST): $(IDEATEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(IDEATEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(IDEATEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(MD2TEST): $(MD2TEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(MD2TEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(MD2TEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(SHATEST): $(SHATEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(SHATEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(SHATEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(SHA1TEST): $(SHA1TEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(SHA1TEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(SHA1TEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(RMDTEST): $(RMDTEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(RMDTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(RMDTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(MDC2TEST): $(MDC2TEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(MDC2TEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(MDC2TEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(MD4TEST): $(MD4TEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(MD4TEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(MD4TEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(MD5TEST): $(MD5TEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(MD5TEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(MD5TEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(HMACTEST): $(HMACTEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(HMACTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(HMACTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(RC2TEST): $(RC2TEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(RC2TEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(RC2TEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(BFTEST): $(BFTEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(BFTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(BFTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(CASTTEST): $(CASTTEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(CASTTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(CASTTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(RC4TEST): $(RC4TEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(RC4TEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(RC4TEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(RC5TEST): $(RC5TEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(RC5TEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(RC5TEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(DESTEST): $(DESTEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(DESTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(DESTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(RANDTEST): $(RANDTEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(RANDTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(RANDTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(DHTEST): $(DHTEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(DHTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(DHTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(DSATEST): $(DSATEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(DSATEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(DSATEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(METHTEST): $(METHTEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(METHTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(METHTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO)"; \ else \ - $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(SSLTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(SSLTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(ENGINETEST): $(ENGINETEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(ENGINETEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(ENGINETEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(EVPTEST): $(EVPTEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(EVPTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(EVPTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(ECDSATEST): $(ECDSATEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(ECDSATEST) $(CFLAGS) $(ECDSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(ECDSATEST) $(CFLAGS) $(ECDSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(ECDSATEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(ECDSATEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} $(ECDHTEST): $(ECDHTEST).o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o $(ECDHTEST) $(CFLAGS) $(ECDHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o $(ECDHTEST) $(CFLAGS) $(ECDHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=$(ECDHTEST) LDFLAGS="$(CFLAGS)" \ + OBJECTS="$(ECDHTEST).o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} #$(AESTEST).o: $(AESTEST).c # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c @@ -503,11 +763,20 @@ $(ECDHTEST): $(ECDHTEST).o $(DLIBCRYPTO) # fi dummytest: dummytest.o $(DLIBCRYPTO) - if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \ - $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \ + shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + if [ "$${shlib_target}" = "hpux-shared" -o "$${shlib_target}" = "darwin-shared" ] ; then \ + LIBRARIES="$(DLIBCRYPTO)"; \ else \ - $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \ - fi + LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(NEWMAKE) -f $(TOP)/Makefile.shared \ + APPNAME=dummytest LDFLAGS="$(CFLAGS)" \ + OBJECTS="dummytest.o" \ + LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ + LIBRPATH=$(INSTALLTOP)/lib \ + link_app.$${shlib_target} # DO NOT DELETE THIS LINE -- make depend depends on it. @@ -561,7 +830,8 @@ ecdhtest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h ecdhtest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h ecdhtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ecdhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h -ecdhtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ecdhtest.c +ecdhtest.o: ../include/openssl/sha.h ../include/openssl/stack.h +ecdhtest.o: ../include/openssl/symhacks.h ecdhtest.c ecdsatest.o: ../include/openssl/asn1.h ../include/openssl/bio.h ecdsatest.o: ../include/openssl/bn.h ../include/openssl/crypto.h ecdsatest.o: ../include/openssl/dh.h ../include/openssl/dsa.h diff --git a/util/bat.sh b/util/bat.sh index c6f48e8a7b..4d9a8287d0 100755 --- a/util/bat.sh +++ b/util/bat.sh @@ -62,6 +62,7 @@ sub var_add local($dir,$val)=@_; local(@a,$_,$ret); + return("") if $no_engine && $dir =~ /\/engine/; return("") if $no_idea && $dir =~ /\/idea/; return("") if $no_rc2 && $dir =~ /\/rc2/; return("") if $no_rc4 && $dir =~ /\/rc4/; @@ -116,6 +117,7 @@ sub var_add @a=grep(!/(^sha1)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1; @a=grep(!/_mdc2$/,@a) if $no_mdc2; + @a=grep(!/^engine$/,@a) if $no_engine; @a=grep(!/(^rsa$)|(^genrsa$)|(^req$)|(^ca$)/,@a) if $no_rsa; @a=grep(!/(^dsa$)|(^gendsa$)|(^dsaparam$)/,@a) if $no_dsa; @a=grep(!/^gendsa$/,@a) if $no_sha1; diff --git a/util/libeay.num b/util/libeay.num index 069c13d0bd..c83c89ad6d 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -1881,72 +1881,72 @@ BIO_f_linebuffer 2463 EXIST:VMS:FUNCTION: BN_bntest_rand 2464 EXIST::FUNCTION: OPENSSL_issetugid 2465 EXIST::FUNCTION: BN_rand_range 2466 EXIST::FUNCTION: -ERR_load_ENGINE_strings 2467 EXIST::FUNCTION: -ENGINE_set_DSA 2468 EXIST::FUNCTION: -ENGINE_get_finish_function 2469 EXIST::FUNCTION: -ENGINE_get_default_RSA 2470 EXIST::FUNCTION: +ERR_load_ENGINE_strings 2467 EXIST::FUNCTION:ENGINE +ENGINE_set_DSA 2468 EXIST::FUNCTION:ENGINE +ENGINE_get_finish_function 2469 EXIST::FUNCTION:ENGINE +ENGINE_get_default_RSA 2470 EXIST::FUNCTION:ENGINE ENGINE_get_BN_mod_exp 2471 NOEXIST::FUNCTION: DSA_get_default_openssl_method 2472 NOEXIST::FUNCTION: -ENGINE_set_DH 2473 EXIST::FUNCTION: +ENGINE_set_DH 2473 EXIST::FUNCTION:ENGINE ENGINE_set_def_BN_mod_exp_crt 2474 NOEXIST::FUNCTION: ENGINE_set_default_BN_mod_exp_crt 2474 NOEXIST::FUNCTION: -ENGINE_init 2475 EXIST::FUNCTION: +ENGINE_init 2475 EXIST::FUNCTION:ENGINE DH_get_default_openssl_method 2476 NOEXIST::FUNCTION: RSA_set_default_openssl_method 2477 NOEXIST::FUNCTION: -ENGINE_finish 2478 EXIST::FUNCTION: -ENGINE_load_public_key 2479 EXIST::FUNCTION: -ENGINE_get_DH 2480 EXIST::FUNCTION: -ENGINE_ctrl 2481 EXIST::FUNCTION: -ENGINE_get_init_function 2482 EXIST::FUNCTION: -ENGINE_set_init_function 2483 EXIST::FUNCTION: -ENGINE_set_default_DSA 2484 EXIST::FUNCTION: -ENGINE_get_name 2485 EXIST::FUNCTION: -ENGINE_get_last 2486 EXIST::FUNCTION: -ENGINE_get_prev 2487 EXIST::FUNCTION: -ENGINE_get_default_DH 2488 EXIST::FUNCTION: -ENGINE_get_RSA 2489 EXIST::FUNCTION: -ENGINE_set_default 2490 EXIST::FUNCTION: -ENGINE_get_RAND 2491 EXIST::FUNCTION: -ENGINE_get_first 2492 EXIST::FUNCTION: -ENGINE_by_id 2493 EXIST::FUNCTION: -ENGINE_set_finish_function 2494 EXIST::FUNCTION: +ENGINE_finish 2478 EXIST::FUNCTION:ENGINE +ENGINE_load_public_key 2479 EXIST::FUNCTION:ENGINE +ENGINE_get_DH 2480 EXIST::FUNCTION:ENGINE +ENGINE_ctrl 2481 EXIST::FUNCTION:ENGINE +ENGINE_get_init_function 2482 EXIST::FUNCTION:ENGINE +ENGINE_set_init_function 2483 EXIST::FUNCTION:ENGINE +ENGINE_set_default_DSA 2484 EXIST::FUNCTION:ENGINE +ENGINE_get_name 2485 EXIST::FUNCTION:ENGINE +ENGINE_get_last 2486 EXIST::FUNCTION:ENGINE +ENGINE_get_prev 2487 EXIST::FUNCTION:ENGINE +ENGINE_get_default_DH 2488 EXIST::FUNCTION:ENGINE +ENGINE_get_RSA 2489 EXIST::FUNCTION:ENGINE +ENGINE_set_default 2490 EXIST::FUNCTION:ENGINE +ENGINE_get_RAND 2491 EXIST::FUNCTION:ENGINE +ENGINE_get_first 2492 EXIST::FUNCTION:ENGINE +ENGINE_by_id 2493 EXIST::FUNCTION:ENGINE +ENGINE_set_finish_function 2494 EXIST::FUNCTION:ENGINE ENGINE_get_def_BN_mod_exp_crt 2495 NOEXIST::FUNCTION: ENGINE_get_default_BN_mod_exp_crt 2495 NOEXIST::FUNCTION: RSA_get_default_openssl_method 2496 NOEXIST::FUNCTION: -ENGINE_set_RSA 2497 EXIST::FUNCTION: -ENGINE_load_private_key 2498 EXIST::FUNCTION: -ENGINE_set_default_RAND 2499 EXIST::FUNCTION: +ENGINE_set_RSA 2497 EXIST::FUNCTION:ENGINE +ENGINE_load_private_key 2498 EXIST::FUNCTION:ENGINE +ENGINE_set_default_RAND 2499 EXIST::FUNCTION:ENGINE ENGINE_set_BN_mod_exp 2500 NOEXIST::FUNCTION: -ENGINE_remove 2501 EXIST::FUNCTION: -ENGINE_free 2502 EXIST::FUNCTION: +ENGINE_remove 2501 EXIST::FUNCTION:ENGINE +ENGINE_free 2502 EXIST::FUNCTION:ENGINE ENGINE_get_BN_mod_exp_crt 2503 NOEXIST::FUNCTION: -ENGINE_get_next 2504 EXIST::FUNCTION: -ENGINE_set_name 2505 EXIST::FUNCTION: -ENGINE_get_default_DSA 2506 EXIST::FUNCTION: +ENGINE_get_next 2504 EXIST::FUNCTION:ENGINE +ENGINE_set_name 2505 EXIST::FUNCTION:ENGINE +ENGINE_get_default_DSA 2506 EXIST::FUNCTION:ENGINE ENGINE_set_default_BN_mod_exp 2507 NOEXIST::FUNCTION: -ENGINE_set_default_RSA 2508 EXIST::FUNCTION: -ENGINE_get_default_RAND 2509 EXIST::FUNCTION: +ENGINE_set_default_RSA 2508 EXIST::FUNCTION:ENGINE +ENGINE_get_default_RAND 2509 EXIST::FUNCTION:ENGINE ENGINE_get_default_BN_mod_exp 2510 NOEXIST::FUNCTION: -ENGINE_set_RAND 2511 EXIST::FUNCTION: -ENGINE_set_id 2512 EXIST::FUNCTION: +ENGINE_set_RAND 2511 EXIST::FUNCTION:ENGINE +ENGINE_set_id 2512 EXIST::FUNCTION:ENGINE ENGINE_set_BN_mod_exp_crt 2513 NOEXIST::FUNCTION: -ENGINE_set_default_DH 2514 EXIST::FUNCTION: -ENGINE_new 2515 EXIST::FUNCTION: -ENGINE_get_id 2516 EXIST::FUNCTION: +ENGINE_set_default_DH 2514 EXIST::FUNCTION:ENGINE +ENGINE_new 2515 EXIST::FUNCTION:ENGINE +ENGINE_get_id 2516 EXIST::FUNCTION:ENGINE DSA_set_default_openssl_method 2517 NOEXIST::FUNCTION: -ENGINE_add 2518 EXIST::FUNCTION: +ENGINE_add 2518 EXIST::FUNCTION:ENGINE DH_set_default_openssl_method 2519 NOEXIST::FUNCTION: -ENGINE_get_DSA 2520 EXIST::FUNCTION: -ENGINE_get_ctrl_function 2521 EXIST::FUNCTION: -ENGINE_set_ctrl_function 2522 EXIST::FUNCTION: +ENGINE_get_DSA 2520 EXIST::FUNCTION:ENGINE +ENGINE_get_ctrl_function 2521 EXIST::FUNCTION:ENGINE +ENGINE_set_ctrl_function 2522 EXIST::FUNCTION:ENGINE BN_pseudo_rand_range 2523 EXIST::FUNCTION: X509_STORE_CTX_set_verify_cb 2524 EXIST::FUNCTION: ERR_load_COMP_strings 2525 EXIST::FUNCTION: PKCS12_item_decrypt_d2i 2526 EXIST::FUNCTION: ASN1_UTF8STRING_it 2527 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: ASN1_UTF8STRING_it 2527 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_unregister_ciphers 2528 EXIST::FUNCTION: -ENGINE_get_ciphers 2529 EXIST::FUNCTION: +ENGINE_unregister_ciphers 2528 EXIST::FUNCTION:ENGINE +ENGINE_get_ciphers 2529 EXIST::FUNCTION:ENGINE d2i_OCSP_BASICRESP 2530 EXIST::FUNCTION: KRB5_CHECKSUM_it 2531 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: KRB5_CHECKSUM_it 2531 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -1959,15 +1959,15 @@ X509V3_add1_i2d 2536 EXIST::FUNCTION: PKCS7_ENVELOPE_it 2537 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PKCS7_ENVELOPE_it 2537 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: UI_add_input_boolean 2538 EXIST::FUNCTION: -ENGINE_unregister_RSA 2539 EXIST::FUNCTION: +ENGINE_unregister_RSA 2539 EXIST::FUNCTION:ENGINE X509V3_EXT_nconf 2540 EXIST::FUNCTION: ASN1_GENERALSTRING_free 2541 EXIST::FUNCTION: d2i_OCSP_CERTSTATUS 2542 EXIST::FUNCTION: X509_REVOKED_set_serialNumber 2543 EXIST::FUNCTION: X509_print_ex 2544 EXIST::FUNCTION:BIO OCSP_ONEREQ_get1_ext_d2i 2545 EXIST::FUNCTION: -ENGINE_register_all_RAND 2546 EXIST::FUNCTION: -ENGINE_load_dynamic 2547 EXIST::FUNCTION: +ENGINE_register_all_RAND 2546 EXIST::FUNCTION:ENGINE +ENGINE_load_dynamic 2547 EXIST::FUNCTION:ENGINE PBKDF2PARAM_it 2548 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PBKDF2PARAM_it 2548 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: EXTENDED_KEY_USAGE_new 2549 EXIST::FUNCTION: @@ -1987,7 +1987,7 @@ X509_STORE_set_purpose 2559 EXIST::FUNCTION: i2d_ASN1_GENERALSTRING 2560 EXIST::FUNCTION: OCSP_response_status 2561 EXIST::FUNCTION: i2d_OCSP_SERVICELOC 2562 EXIST::FUNCTION: -ENGINE_get_digest_engine 2563 EXIST::FUNCTION: +ENGINE_get_digest_engine 2563 EXIST::FUNCTION:ENGINE EC_GROUP_set_curve_GFp 2564 EXIST::FUNCTION:EC OCSP_REQUEST_get_ext_by_OBJ 2565 EXIST::FUNCTION: _ossl_old_des_random_key 2566 EXIST::FUNCTION:DES @@ -2011,7 +2011,7 @@ _shadow_DES_rw_mode 2581 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA _shadow_DES_rw_mode 2581 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:DES asn1_do_adb 2582 EXIST::FUNCTION: ASN1_template_i2d 2583 EXIST::FUNCTION: -ENGINE_register_DH 2584 EXIST::FUNCTION: +ENGINE_register_DH 2584 EXIST::FUNCTION:ENGINE UI_construct_prompt 2585 EXIST::FUNCTION: X509_STORE_set_trust 2586 EXIST::FUNCTION: UI_dup_input_string 2587 EXIST::FUNCTION: @@ -2039,7 +2039,7 @@ OCSP_resp_find 2605 EXIST::FUNCTION: BN_nnmod 2606 EXIST::FUNCTION: X509_CRL_sort 2607 EXIST::FUNCTION: X509_REVOKED_set_revocationDate 2608 EXIST::FUNCTION: -ENGINE_register_RAND 2609 EXIST::FUNCTION: +ENGINE_register_RAND 2609 EXIST::FUNCTION:ENGINE OCSP_SERVICELOC_new 2610 EXIST::FUNCTION: EC_POINT_set_affine_coordinates_GFp 2611 EXIST:!VMS:FUNCTION:EC EC_POINT_set_affine_coords_GFp 2611 EXIST:VMS:FUNCTION:EC @@ -2049,11 +2049,11 @@ SXNET_it 2613 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI UI_dup_input_boolean 2614 EXIST::FUNCTION: PKCS12_add_CSPName_asc 2615 EXIST::FUNCTION: EC_POINT_is_at_infinity 2616 EXIST::FUNCTION:EC -ENGINE_load_cryptodev 2617 EXIST::FUNCTION: +ENGINE_load_cryptodev 2617 EXIST::FUNCTION:ENGINE DSO_convert_filename 2618 EXIST::FUNCTION: POLICYQUALINFO_it 2619 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: POLICYQUALINFO_it 2619 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_register_ciphers 2620 EXIST::FUNCTION: +ENGINE_register_ciphers 2620 EXIST::FUNCTION:ENGINE BN_mod_lshift_quick 2621 EXIST::FUNCTION: DSO_set_filename 2622 EXIST::FUNCTION: ASN1_item_free 2623 EXIST::FUNCTION: @@ -2062,7 +2062,7 @@ AUTHORITY_KEYID_it 2625 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA AUTHORITY_KEYID_it 2625 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: KRB5_APREQBODY_new 2626 EXIST::FUNCTION: X509V3_EXT_REQ_add_nconf 2627 EXIST::FUNCTION: -ENGINE_ctrl_cmd_string 2628 EXIST::FUNCTION: +ENGINE_ctrl_cmd_string 2628 EXIST::FUNCTION:ENGINE i2d_OCSP_RESPDATA 2629 EXIST::FUNCTION: EVP_MD_CTX_init 2630 EXIST::FUNCTION: EXTENDED_KEY_USAGE_free 2631 EXIST::FUNCTION: @@ -2071,8 +2071,8 @@ PKCS7_ATTR_SIGN_it 2632 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI UI_add_error_string 2633 EXIST::FUNCTION: KRB5_CHECKSUM_free 2634 EXIST::FUNCTION: OCSP_REQUEST_get_ext 2635 EXIST::FUNCTION: -ENGINE_load_ubsec 2636 EXIST::FUNCTION:STATIC_ENGINE -ENGINE_register_all_digests 2637 EXIST::FUNCTION: +ENGINE_load_ubsec 2636 EXIST::FUNCTION:ENGINE,STATIC_ENGINE +ENGINE_register_all_digests 2637 EXIST::FUNCTION:ENGINE PKEY_USAGE_PERIOD_it 2638 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PKEY_USAGE_PERIOD_it 2638 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: PKCS12_unpack_authsafes 2639 EXIST::FUNCTION: @@ -2098,16 +2098,16 @@ OCSP_CERTSTATUS_free 2653 EXIST::FUNCTION: _ossl_old_des_crypt 2654 EXIST::FUNCTION:DES ASN1_item_i2d 2655 EXIST::FUNCTION: EVP_DecryptFinal_ex 2656 EXIST::FUNCTION: -ENGINE_load_openssl 2657 EXIST::FUNCTION: -ENGINE_get_cmd_defns 2658 EXIST::FUNCTION: -ENGINE_set_load_privkey_function 2659 EXIST:!VMS:FUNCTION: -ENGINE_set_load_privkey_fn 2659 EXIST:VMS:FUNCTION: +ENGINE_load_openssl 2657 EXIST::FUNCTION:ENGINE +ENGINE_get_cmd_defns 2658 EXIST::FUNCTION:ENGINE +ENGINE_set_load_privkey_function 2659 EXIST:!VMS:FUNCTION:ENGINE +ENGINE_set_load_privkey_fn 2659 EXIST:VMS:FUNCTION:ENGINE EVP_EncryptFinal_ex 2660 EXIST::FUNCTION: -ENGINE_set_default_digests 2661 EXIST::FUNCTION: +ENGINE_set_default_digests 2661 EXIST::FUNCTION:ENGINE X509_get0_pubkey_bitstr 2662 EXIST::FUNCTION: asn1_ex_i2c 2663 EXIST::FUNCTION: -ENGINE_register_RSA 2664 EXIST::FUNCTION: -ENGINE_unregister_DSA 2665 EXIST::FUNCTION: +ENGINE_register_RSA 2664 EXIST::FUNCTION:ENGINE +ENGINE_unregister_DSA 2665 EXIST::FUNCTION:ENGINE _ossl_old_des_key_sched 2666 EXIST::FUNCTION:DES X509_EXTENSION_it 2667 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: X509_EXTENSION_it 2667 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2120,7 +2120,7 @@ PKCS12_certbag2x509 2672 EXIST::FUNCTION: _ossl_old_des_ofb64_encrypt 2673 EXIST::FUNCTION:DES d2i_EXTENDED_KEY_USAGE 2674 EXIST::FUNCTION: ERR_print_errors_cb 2675 EXIST::FUNCTION: -ENGINE_set_ciphers 2676 EXIST::FUNCTION: +ENGINE_set_ciphers 2676 EXIST::FUNCTION:ENGINE d2i_KRB5_APREQBODY 2677 EXIST::FUNCTION: UI_method_get_flusher 2678 EXIST::FUNCTION: X509_PUBKEY_it 2679 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -2156,7 +2156,7 @@ NCONF_get_number_e 2704 EXIST::FUNCTION: _ossl_old_des_decrypt3 2705 EXIST::FUNCTION:DES X509_signature_print 2706 EXIST::FUNCTION:EVP OCSP_SINGLERESP_free 2707 EXIST::FUNCTION: -ENGINE_load_builtin_engines 2708 EXIST::FUNCTION: +ENGINE_load_builtin_engines 2708 EXIST::FUNCTION:ENGINE i2d_OCSP_ONEREQ 2709 EXIST::FUNCTION: OCSP_REQUEST_add_ext 2710 EXIST::FUNCTION: OCSP_RESPBYTES_new 2711 EXIST::FUNCTION: @@ -2184,7 +2184,7 @@ X509_CERT_AUX_it 2727 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI CERTIFICATEPOLICIES_it 2728 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: CERTIFICATEPOLICIES_it 2728 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: _ossl_old_des_ede3_cbc_encrypt 2729 EXIST::FUNCTION:DES -RAND_set_rand_engine 2730 EXIST::FUNCTION: +RAND_set_rand_engine 2730 EXIST::FUNCTION:ENGINE DSO_get_loaded_filename 2731 EXIST::FUNCTION: X509_ATTRIBUTE_it 2732 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: X509_ATTRIBUTE_it 2732 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2206,7 +2206,7 @@ i2d_OCSP_BASICRESP 2744 EXIST::FUNCTION: i2d_OCSP_RESPBYTES 2745 EXIST::FUNCTION: PKCS12_unpack_p7encdata 2746 EXIST::FUNCTION: HMAC_CTX_init 2747 EXIST::FUNCTION:HMAC -ENGINE_get_digest 2748 EXIST::FUNCTION: +ENGINE_get_digest 2748 EXIST::FUNCTION:ENGINE OCSP_RESPONSE_print 2749 EXIST::FUNCTION: KRB5_TKTBODY_it 2750 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: KRB5_TKTBODY_it 2750 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2219,16 +2219,16 @@ PBE2PARAM_it 2753 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI PKCS12_certbag2x509crl 2754 EXIST::FUNCTION: PKCS7_SIGNED_it 2755 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PKCS7_SIGNED_it 2755 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_get_cipher 2756 EXIST::FUNCTION: +ENGINE_get_cipher 2756 EXIST::FUNCTION:ENGINE i2d_OCSP_CRLID 2757 EXIST::FUNCTION: OCSP_SINGLERESP_new 2758 EXIST::FUNCTION: -ENGINE_cmd_is_executable 2759 EXIST::FUNCTION: +ENGINE_cmd_is_executable 2759 EXIST::FUNCTION:ENGINE RSA_up_ref 2760 EXIST::FUNCTION:RSA ASN1_GENERALSTRING_it 2761 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: ASN1_GENERALSTRING_it 2761 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_register_DSA 2762 EXIST::FUNCTION: +ENGINE_register_DSA 2762 EXIST::FUNCTION:ENGINE X509V3_EXT_add_nconf_sk 2763 EXIST::FUNCTION: -ENGINE_set_load_pubkey_function 2764 EXIST::FUNCTION: +ENGINE_set_load_pubkey_function 2764 EXIST::FUNCTION:ENGINE PKCS8_decrypt 2765 EXIST::FUNCTION: PEM_bytes_read_bio 2766 EXIST::FUNCTION:BIO DIRECTORYSTRING_it 2767 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -2265,7 +2265,7 @@ UI_method_set_flusher 2789 EXIST::FUNCTION: X509_ocspid_print 2790 EXIST::FUNCTION:BIO KRB5_ENCDATA_it 2791 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: KRB5_ENCDATA_it 2791 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_get_load_pubkey_function 2792 EXIST::FUNCTION: +ENGINE_get_load_pubkey_function 2792 EXIST::FUNCTION:ENGINE UI_add_user_data 2793 EXIST::FUNCTION: OCSP_REQUEST_delete_ext 2794 EXIST::FUNCTION: UI_get_method 2795 EXIST::FUNCTION: @@ -2289,16 +2289,16 @@ ASN1_FBOOLEAN_it 2806 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA ASN1_FBOOLEAN_it 2806 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: UI_set_ex_data 2807 EXIST::FUNCTION: _ossl_old_des_string_to_key 2808 EXIST::FUNCTION:DES -ENGINE_register_all_RSA 2809 EXIST::FUNCTION: +ENGINE_register_all_RSA 2809 EXIST::FUNCTION:ENGINE d2i_KRB5_PRINCNAME 2810 EXIST::FUNCTION: OCSP_RESPBYTES_it 2811 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: OCSP_RESPBYTES_it 2811 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: X509_CINF_it 2812 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: X509_CINF_it 2812 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_unregister_digests 2813 EXIST::FUNCTION: +ENGINE_unregister_digests 2813 EXIST::FUNCTION:ENGINE d2i_EDIPARTYNAME 2814 EXIST::FUNCTION: d2i_OCSP_SERVICELOC 2815 EXIST::FUNCTION: -ENGINE_get_digests 2816 EXIST::FUNCTION: +ENGINE_get_digests 2816 EXIST::FUNCTION:ENGINE _ossl_old_des_set_odd_parity 2817 EXIST::FUNCTION:DES OCSP_RESPDATA_free 2818 EXIST::FUNCTION: d2i_KRB5_TICKET 2819 EXIST::FUNCTION: @@ -2309,7 +2309,7 @@ d2i_ASN1_GENERALSTRING 2822 EXIST::FUNCTION: X509_CRL_set_version 2823 EXIST::FUNCTION: BN_mod_sub 2824 EXIST::FUNCTION: OCSP_SINGLERESP_get_ext_by_NID 2825 EXIST::FUNCTION: -ENGINE_get_ex_new_index 2826 EXIST::FUNCTION: +ENGINE_get_ex_new_index 2826 EXIST::FUNCTION:ENGINE OCSP_REQUEST_free 2827 EXIST::FUNCTION: OCSP_REQUEST_add1_ext_i2d 2828 EXIST::FUNCTION: X509_VAL_it 2829 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -2343,7 +2343,7 @@ EC_POINT_method_of 2852 EXIST::FUNCTION:EC i2d_KRB5_APREQBODY 2853 EXIST::FUNCTION: _ossl_old_des_ecb3_encrypt 2854 EXIST::FUNCTION:DES CRYPTO_get_mem_ex_functions 2855 EXIST::FUNCTION: -ENGINE_get_ex_data 2856 EXIST::FUNCTION: +ENGINE_get_ex_data 2856 EXIST::FUNCTION:ENGINE UI_destroy_method 2857 EXIST::FUNCTION: ASN1_item_i2d_bio 2858 EXIST::FUNCTION:BIO OCSP_ONEREQ_get_ext_by_OBJ 2859 EXIST::FUNCTION: @@ -2367,7 +2367,7 @@ PKCS12_SAFEBAGS_it 2872 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA PKCS12_SAFEBAGS_it 2872 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: d2i_OCSP_SIGNATURE 2873 EXIST::FUNCTION: OCSP_request_add1_nonce 2874 EXIST::FUNCTION: -ENGINE_set_cmd_defns 2875 EXIST::FUNCTION: +ENGINE_set_cmd_defns 2875 EXIST::FUNCTION:ENGINE OCSP_SERVICELOC_free 2876 EXIST::FUNCTION: EC_GROUP_free 2877 EXIST::FUNCTION:EC ASN1_BIT_STRING_it 2878 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -2384,7 +2384,7 @@ EC_GROUP_new_curve_GFp 2885 EXIST::FUNCTION:EC OCSP_REQUEST_get1_ext_d2i 2886 EXIST::FUNCTION: PKCS12_item_pack_safebag 2887 EXIST::FUNCTION: asn1_ex_c2i 2888 EXIST::FUNCTION: -ENGINE_register_digests 2889 EXIST::FUNCTION: +ENGINE_register_digests 2889 EXIST::FUNCTION:ENGINE i2d_OCSP_REVOKEDINFO 2890 EXIST::FUNCTION: asn1_enc_restore 2891 EXIST::FUNCTION: UI_free 2892 EXIST::FUNCTION: @@ -2395,7 +2395,7 @@ EC_POINT_invert 2896 EXIST::FUNCTION:EC OCSP_basic_sign 2897 EXIST::FUNCTION: i2d_OCSP_RESPID 2898 EXIST::FUNCTION: OCSP_check_nonce 2899 EXIST::FUNCTION: -ENGINE_ctrl_cmd 2900 EXIST::FUNCTION: +ENGINE_ctrl_cmd 2900 EXIST::FUNCTION:ENGINE d2i_KRB5_ENCKEY 2901 EXIST::FUNCTION: OCSP_parse_url 2902 EXIST::FUNCTION: OCSP_SINGLERESP_get_ext 2903 EXIST::FUNCTION: @@ -2403,12 +2403,12 @@ OCSP_CRLID_free 2904 EXIST::FUNCTION: OCSP_BASICRESP_get1_ext_d2i 2905 EXIST::FUNCTION: RSAPrivateKey_it 2906 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA RSAPrivateKey_it 2906 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RSA -ENGINE_register_all_DH 2907 EXIST::FUNCTION: +ENGINE_register_all_DH 2907 EXIST::FUNCTION:ENGINE i2d_EDIPARTYNAME 2908 EXIST::FUNCTION: EC_POINT_get_affine_coordinates_GFp 2909 EXIST:!VMS:FUNCTION:EC EC_POINT_get_affine_coords_GFp 2909 EXIST:VMS:FUNCTION:EC OCSP_CRLID_new 2910 EXIST::FUNCTION: -ENGINE_get_flags 2911 EXIST::FUNCTION: +ENGINE_get_flags 2911 EXIST::FUNCTION:ENGINE OCSP_ONEREQ_it 2912 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: OCSP_ONEREQ_it 2912 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: UI_process 2913 EXIST::FUNCTION: @@ -2416,8 +2416,8 @@ ASN1_INTEGER_it 2914 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA ASN1_INTEGER_it 2914 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: EVP_CipherInit_ex 2915 EXIST::FUNCTION: UI_get_string_type 2916 EXIST::FUNCTION: -ENGINE_unregister_DH 2917 EXIST::FUNCTION: -ENGINE_register_all_DSA 2918 EXIST::FUNCTION: +ENGINE_unregister_DH 2917 EXIST::FUNCTION:ENGINE +ENGINE_register_all_DSA 2918 EXIST::FUNCTION:ENGINE OCSP_ONEREQ_get_ext_by_critical 2919 EXIST::FUNCTION: bn_dup_expand 2920 EXIST::FUNCTION: OCSP_cert_id_new 2921 EXIST::FUNCTION: @@ -2438,11 +2438,11 @@ BN_mod_sub_quick 2933 EXIST::FUNCTION: OCSP_ONEREQ_add_ext 2934 EXIST::FUNCTION: OCSP_request_sign 2935 EXIST::FUNCTION: EVP_DigestFinal_ex 2936 EXIST::FUNCTION: -ENGINE_set_digests 2937 EXIST::FUNCTION: +ENGINE_set_digests 2937 EXIST::FUNCTION:ENGINE OCSP_id_issuer_cmp 2938 EXIST::FUNCTION: OBJ_NAME_do_all 2939 EXIST::FUNCTION: EC_POINTs_mul 2940 EXIST::FUNCTION:EC -ENGINE_register_complete 2941 EXIST::FUNCTION: +ENGINE_register_complete 2941 EXIST::FUNCTION:ENGINE X509V3_EXT_nconf_nid 2942 EXIST::FUNCTION: ASN1_SEQUENCE_it 2943 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: ASN1_SEQUENCE_it 2943 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2451,7 +2451,7 @@ RAND_query_egd_bytes 2945 EXIST::FUNCTION: UI_method_get_writer 2946 EXIST::FUNCTION: UI_OpenSSL 2947 EXIST::FUNCTION: PEM_def_callback 2948 EXIST::FUNCTION: -ENGINE_cleanup 2949 EXIST::FUNCTION: +ENGINE_cleanup 2949 EXIST::FUNCTION:ENGINE DIST_POINT_it 2950 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: DIST_POINT_it 2950 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: OCSP_SINGLERESP_it 2951 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -2475,7 +2475,7 @@ OCSP_RESPID_new 2967 EXIST::FUNCTION: OCSP_RESPDATA_it 2968 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: OCSP_RESPDATA_it 2968 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: d2i_OCSP_RESPDATA 2969 EXIST::FUNCTION: -ENGINE_register_all_complete 2970 EXIST::FUNCTION: +ENGINE_register_all_complete 2970 EXIST::FUNCTION:ENGINE OCSP_check_validity 2971 EXIST::FUNCTION: PKCS12_BAGS_it 2972 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PKCS12_BAGS_it 2972 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2487,7 +2487,7 @@ KRB5_AUTHENTBODY_it 2976 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI X509_supported_extension 2977 EXIST::FUNCTION: i2d_KRB5_AUTHDATA 2978 EXIST::FUNCTION: UI_method_get_opener 2979 EXIST::FUNCTION: -ENGINE_set_ex_data 2980 EXIST::FUNCTION: +ENGINE_set_ex_data 2980 EXIST::FUNCTION:ENGINE OCSP_REQUEST_print 2981 EXIST::FUNCTION: CBIGNUM_it 2982 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: CBIGNUM_it 2982 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2501,7 +2501,7 @@ OCSP_single_get0_status 2989 EXIST::FUNCTION: BN_swap 2990 EXIST::FUNCTION: POLICYINFO_it 2991 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: POLICYINFO_it 2991 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_set_destroy_function 2992 EXIST::FUNCTION: +ENGINE_set_destroy_function 2992 EXIST::FUNCTION:ENGINE asn1_enc_free 2993 EXIST::FUNCTION: OCSP_RESPID_it 2994 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: OCSP_RESPID_it 2994 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2523,8 +2523,8 @@ EDIPARTYNAME_it 3005 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI NETSCAPE_SPKI_it 3006 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: NETSCAPE_SPKI_it 3006 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: UI_get0_test_string 3007 EXIST::FUNCTION: -ENGINE_get_cipher_engine 3008 EXIST::FUNCTION: -ENGINE_register_all_ciphers 3009 EXIST::FUNCTION: +ENGINE_get_cipher_engine 3008 EXIST::FUNCTION:ENGINE +ENGINE_register_all_ciphers 3009 EXIST::FUNCTION:ENGINE EC_POINT_copy 3010 EXIST::FUNCTION:EC BN_kronecker 3011 EXIST::FUNCTION: _ossl_old_des_ede3_ofb64_encrypt 3012 EXIST:!VMS:FUNCTION:DES @@ -2545,9 +2545,9 @@ OCSP_RESPONSE_new 3023 EXIST::FUNCTION: AES_set_encrypt_key 3024 EXIST::FUNCTION:AES OCSP_resp_count 3025 EXIST::FUNCTION: KRB5_CHECKSUM_new 3026 EXIST::FUNCTION: -ENGINE_load_cswift 3027 EXIST::FUNCTION:STATIC_ENGINE +ENGINE_load_cswift 3027 EXIST::FUNCTION:ENGINE,STATIC_ENGINE OCSP_onereq_get0_id 3028 EXIST::FUNCTION: -ENGINE_set_default_ciphers 3029 EXIST::FUNCTION: +ENGINE_set_default_ciphers 3029 EXIST::FUNCTION:ENGINE NOTICEREF_it 3030 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: NOTICEREF_it 3030 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: X509V3_EXT_CRL_add_nconf 3031 EXIST::FUNCTION: @@ -2565,7 +2565,7 @@ AES_decrypt 3040 EXIST::FUNCTION:AES asn1_enc_init 3041 EXIST::FUNCTION: UI_get_result_maxsize 3042 EXIST::FUNCTION: OCSP_CERTID_new 3043 EXIST::FUNCTION: -ENGINE_unregister_RAND 3044 EXIST::FUNCTION: +ENGINE_unregister_RAND 3044 EXIST::FUNCTION:ENGINE UI_method_get_closer 3045 EXIST::FUNCTION: d2i_KRB5_ENCDATA 3046 EXIST::FUNCTION: OCSP_request_onereq_count 3047 EXIST::FUNCTION: @@ -2576,7 +2576,7 @@ ASN1_primitive_free 3051 EXIST::FUNCTION: i2d_EXTENDED_KEY_USAGE 3052 EXIST::FUNCTION: i2d_OCSP_SIGNATURE 3053 EXIST::FUNCTION: asn1_enc_save 3054 EXIST::FUNCTION: -ENGINE_load_nuron 3055 EXIST::FUNCTION:STATIC_ENGINE +ENGINE_load_nuron 3055 EXIST::FUNCTION:ENGINE,STATIC_ENGINE _ossl_old_des_pcbc_encrypt 3056 EXIST::FUNCTION:DES PKCS12_MAC_DATA_it 3057 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PKCS12_MAC_DATA_it 3057 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -2598,15 +2598,15 @@ ASN1_item_d2i_bio 3069 EXIST::FUNCTION:BIO EC_POINT_dbl 3070 EXIST::FUNCTION:EC asn1_get_choice_selector 3071 EXIST::FUNCTION: i2d_KRB5_CHECKSUM 3072 EXIST::FUNCTION: -ENGINE_set_table_flags 3073 EXIST::FUNCTION: +ENGINE_set_table_flags 3073 EXIST::FUNCTION:ENGINE AES_options 3074 EXIST::FUNCTION:AES -ENGINE_load_chil 3075 EXIST::FUNCTION:STATIC_ENGINE +ENGINE_load_chil 3075 EXIST::FUNCTION:ENGINE,STATIC_ENGINE OCSP_id_cmp 3076 EXIST::FUNCTION: OCSP_BASICRESP_new 3077 EXIST::FUNCTION: OCSP_REQUEST_get_ext_by_NID 3078 EXIST::FUNCTION: KRB5_APREQ_it 3079 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: KRB5_APREQ_it 3079 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_get_destroy_function 3080 EXIST::FUNCTION: +ENGINE_get_destroy_function 3080 EXIST::FUNCTION:ENGINE CONF_set_nconf 3081 EXIST::FUNCTION: ASN1_PRINTABLE_free 3082 EXIST::FUNCTION: OCSP_BASICRESP_get_ext_by_NID 3083 EXIST::FUNCTION: @@ -2667,7 +2667,7 @@ OCSP_CRLID_it 3127 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA OCSP_CRLID_it 3127 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: i2d_KRB5_AUTHENTBODY 3128 EXIST::FUNCTION: OCSP_REQUEST_get_ext_count 3129 EXIST::FUNCTION: -ENGINE_load_atalla 3130 EXIST::FUNCTION:STATIC_ENGINE +ENGINE_load_atalla 3130 EXIST::FUNCTION:ENGINE,STATIC_ENGINE X509_NAME_it 3131 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: X509_NAME_it 3131 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: USERNOTICE_it 3132 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -2685,7 +2685,7 @@ UI_method_set_opener 3140 EXIST::FUNCTION: ASN1_item_ex_free 3141 EXIST::FUNCTION: ASN1_BOOLEAN_it 3142 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: ASN1_BOOLEAN_it 3142 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_get_table_flags 3143 EXIST::FUNCTION: +ENGINE_get_table_flags 3143 EXIST::FUNCTION:ENGINE UI_create_method 3144 EXIST::FUNCTION: OCSP_ONEREQ_add1_ext_i2d 3145 EXIST::FUNCTION: _shadow_DES_check_key 3146 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:DES @@ -2709,7 +2709,7 @@ PKCS7_it 3160 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA PKCS7_it 3160 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: OCSP_REQUEST_get_ext_by_critical 3161 EXIST:!VMS:FUNCTION: OCSP_REQUEST_get_ext_by_crit 3161 EXIST:VMS:FUNCTION: -ENGINE_set_flags 3162 EXIST::FUNCTION: +ENGINE_set_flags 3162 EXIST::FUNCTION:ENGINE _ossl_old_des_ecb_encrypt 3163 EXIST::FUNCTION:DES OCSP_response_get1_basic 3164 EXIST::FUNCTION: EVP_Digest 3165 EXIST::FUNCTION: @@ -2721,8 +2721,8 @@ ASN1_TIME_to_generalizedtime 3169 EXIST::FUNCTION: BIGNUM_it 3170 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: BIGNUM_it 3170 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: AES_cbc_encrypt 3171 EXIST::FUNCTION:AES -ENGINE_get_load_privkey_function 3172 EXIST:!VMS:FUNCTION: -ENGINE_get_load_privkey_fn 3172 EXIST:VMS:FUNCTION: +ENGINE_get_load_privkey_function 3172 EXIST:!VMS:FUNCTION:ENGINE +ENGINE_get_load_privkey_fn 3172 EXIST:VMS:FUNCTION:ENGINE OCSP_RESPONSE_free 3173 EXIST::FUNCTION: UI_method_set_reader 3174 EXIST::FUNCTION: i2d_ASN1_T61STRING 3175 EXIST::FUNCTION: @@ -2736,7 +2736,7 @@ OCSP_crlID_new 3181 EXIST:!OS2,!VMS,!WIN16:FUNCTION: OCSP_crlID2_new 3181 EXIST:OS2,VMS,WIN16:FUNCTION: CONF_modules_load_file 3182 EXIST::FUNCTION: CONF_imodule_set_usr_data 3183 EXIST::FUNCTION: -ENGINE_set_default_string 3184 EXIST::FUNCTION: +ENGINE_set_default_string 3184 EXIST::FUNCTION:ENGINE CONF_module_get_usr_data 3185 EXIST::FUNCTION: ASN1_add_oid_module 3186 EXIST::FUNCTION: CONF_modules_finish 3187 EXIST::FUNCTION: @@ -2754,7 +2754,7 @@ CONF_imodule_get_name 3198 EXIST::FUNCTION: ERR_peek_top_error 3199 NOEXIST::FUNCTION: CONF_imodule_get_usr_data 3200 EXIST::FUNCTION: CONF_imodule_set_flags 3201 EXIST::FUNCTION: -ENGINE_add_conf_module 3202 EXIST::FUNCTION: +ENGINE_add_conf_module 3202 EXIST::FUNCTION:ENGINE ERR_peek_last_error_line 3203 EXIST::FUNCTION: ERR_peek_last_error_line_data 3204 EXIST::FUNCTION: ERR_peek_last_error 3205 EXIST::FUNCTION: @@ -2762,8 +2762,8 @@ DES_read_2passwords 3206 EXIST::FUNCTION:DES DES_read_password 3207 EXIST::FUNCTION:DES UI_UTIL_read_pw 3208 EXIST::FUNCTION: UI_UTIL_read_pw_string 3209 EXIST::FUNCTION: -ENGINE_load_aep 3210 EXIST::FUNCTION:STATIC_ENGINE -ENGINE_load_sureware 3211 EXIST::FUNCTION:STATIC_ENGINE +ENGINE_load_aep 3210 EXIST::FUNCTION:ENGINE,STATIC_ENGINE +ENGINE_load_sureware 3211 EXIST::FUNCTION:ENGINE,STATIC_ENGINE OPENSSL_add_all_algorithms_noconf 3212 EXIST:!VMS:FUNCTION: OPENSSL_add_all_algo_noconf 3212 EXIST:VMS:FUNCTION: OPENSSL_add_all_algorithms_conf 3213 EXIST:!VMS:FUNCTION: @@ -2772,7 +2772,7 @@ OPENSSL_load_builtin_modules 3214 EXIST::FUNCTION: AES_ofb128_encrypt 3215 EXIST::FUNCTION:AES AES_ctr128_encrypt 3216 EXIST::FUNCTION:AES AES_cfb128_encrypt 3217 EXIST::FUNCTION:AES -ENGINE_load_4758cca 3218 EXIST::FUNCTION:STATIC_ENGINE +ENGINE_load_4758cca 3218 EXIST::FUNCTION:ENGINE,STATIC_ENGINE _ossl_096_des_random_seed 3219 EXIST::FUNCTION:DES EVP_aes_256_ofb 3220 EXIST::FUNCTION:AES EVP_aes_192_ofb 3221 EXIST::FUNCTION:AES @@ -2793,7 +2793,7 @@ ASN1_UNIVERSALSTRING_it 3234 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI d2i_ASN1_UNIVERSALSTRING 3235 EXIST::FUNCTION: EVP_des_ede3_ecb 3236 EXIST::FUNCTION:DES X509_REQ_print_ex 3237 EXIST::FUNCTION:BIO -ENGINE_up_ref 3238 EXIST::FUNCTION: +ENGINE_up_ref 3238 EXIST::FUNCTION:ENGINE BUF_MEM_grow_clean 3239 EXIST::FUNCTION: CRYPTO_realloc_clean 3240 EXIST::FUNCTION: BUF_strlcat 3241 EXIST::FUNCTION: @@ -2802,12 +2802,12 @@ BUF_strlcpy 3243 EXIST::FUNCTION: OpenSSLDie 3244 EXIST::FUNCTION: OPENSSL_cleanse 3245 EXIST::FUNCTION: BN_get0_nist_prime_384 3246 EXIST::FUNCTION: -ENGINE_register_ECDSA 3247 EXIST::FUNCTION: +ENGINE_register_ECDSA 3247 EXIST::FUNCTION:ENGINE BN_nist_mod_192 3248 EXIST::FUNCTION: EC_GROUP_get_trinomial_basis 3249 EXIST::FUNCTION:EC ECDH_get_default_method 3250 EXIST::FUNCTION:ECDH PKCS12_add_safe 3251 EXIST::FUNCTION: -ENGINE_register_ECDH 3252 EXIST::FUNCTION: +ENGINE_register_ECDH 3252 EXIST::FUNCTION:ENGINE i2d_ECPrivateKey 3253 EXIST::FUNCTION:EC BN_get0_nist_prime_192 3254 EXIST::FUNCTION: EC_POINT_set_affine_coordinates_GF2m 3255 EXIST:!VMS:FUNCTION:EC @@ -2821,10 +2821,10 @@ EC_GROUP_check_discriminant 3261 EXIST::FUNCTION:EC EC_POINT_point2bn 3262 EXIST::FUNCTION:EC EC_GROUP_new_curve_GF2m 3263 EXIST::FUNCTION:EC EVP_PKEY_get1_EC_KEY 3264 EXIST::FUNCTION:EC -ENGINE_get_default_ECDH 3265 EXIST::FUNCTION: +ENGINE_get_default_ECDH 3265 EXIST::FUNCTION:ENGINE ASN1_OCTET_STRING_NDEF_it 3266 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: ASN1_OCTET_STRING_NDEF_it 3266 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ENGINE_get_static_state 3267 EXIST::FUNCTION: +ENGINE_get_static_state 3267 EXIST::FUNCTION:ENGINE ECDSA_SIG_new 3268 EXIST::FUNCTION:ECDSA BN_GF2m_mod_sqr 3269 EXIST::FUNCTION: EC_POINT_bn2point 3270 EXIST::FUNCTION:EC @@ -2845,7 +2845,7 @@ BN_GF2m_mod_arr 3283 EXIST::FUNCTION: PEM_write_bio_X509_CERT_PAIR 3284 EXIST::FUNCTION: ECDH_get_ex_data 3285 EXIST::FUNCTION:ECDH ECDSA_do_sign 3286 EXIST::FUNCTION:ECDSA -ENGINE_unregister_ECDH 3287 EXIST::FUNCTION: +ENGINE_unregister_ECDH 3287 EXIST::FUNCTION:ENGINE ECDH_OpenSSL 3288 EXIST::FUNCTION:ECDH EC_POINT_dup 3289 EXIST::FUNCTION:EC EC_get_builtin_curves 3290 EXIST::FUNCTION:EC @@ -2863,7 +2863,7 @@ i2d_ECParameters 3301 EXIST::FUNCTION:EC i2d_ECPKParameters 3302 EXIST::FUNCTION:EC BN_ncopy 3303 EXIST::FUNCTION: d2i_ECPKParameters 3304 EXIST::FUNCTION:EC -ENGINE_set_ECDH 3305 EXIST::FUNCTION: +ENGINE_set_ECDH 3305 EXIST::FUNCTION:ENGINE PEM_write_bio_EC_PUBKEY 3306 EXIST::FUNCTION:EC ECParameters_print 3307 EXIST::FUNCTION:BIO,EC ASN1_generate_nconf 3308 EXIST::FUNCTION: @@ -2871,7 +2871,7 @@ BN_GF2m_mod_mul 3309 EXIST::FUNCTION: EC_GROUP_set_seed 3310 EXIST::FUNCTION:EC EC_GROUP_get_curve_GF2m 3311 EXIST::FUNCTION:EC PEM_read_X509_CERT_PAIR 3312 EXIST:!WIN16:FUNCTION: -ECPublicKey_set_octet_string 3313 EXIST::FUNCTION:EC +o2i_ECPublicKey 3313 EXIST::FUNCTION:EC ECDSA_get_ex_data 3314 EXIST::FUNCTION:ECDSA BN_GF2m_mod 3315 EXIST::FUNCTION: EC_GROUP_get_seed_len 3316 EXIST::FUNCTION:EC @@ -2886,12 +2886,12 @@ X509_CERT_PAIR_it 3324 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA X509_CERT_PAIR_it 3324 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: BN_GF2m_mod_sqr_arr 3325 EXIST::FUNCTION: EC_GROUP_set_curve_GF2m 3326 EXIST::FUNCTION:EC -ENGINE_set_default_ECDSA 3327 EXIST::FUNCTION: +ENGINE_set_default_ECDSA 3327 EXIST::FUNCTION:ENGINE BN_GF2m_mod_sqrt 3328 EXIST::FUNCTION: ECDH_set_default_method 3329 EXIST::FUNCTION:ECDH EC_KEY_generate_key 3330 EXIST::FUNCTION:EC BN_GF2m_arr2poly 3331 EXIST::FUNCTION: -ECPublicKey_get_octet_string 3332 EXIST::FUNCTION:EC +i2o_ECPublicKey 3332 EXIST::FUNCTION:EC EC_GROUP_check 3333 EXIST::FUNCTION:EC d2i_ECPrivateKey_bio 3334 EXIST::FUNCTION:BIO,EC d2i_ECPrivateKey 3335 EXIST::FUNCTION:EC @@ -2905,13 +2905,13 @@ BN_nist_mod_224 3342 EXIST::FUNCTION: i2d_EC_PUBKEY_bio 3343 EXIST::FUNCTION:BIO,EC EC_GROUP_get_asn1_flag 3344 EXIST::FUNCTION:EC ECDH_get_ex_new_index 3345 EXIST::FUNCTION:ECDH -ECDH_size 3346 EXIST::FUNCTION:ECDH +ECDH_size 3346 NOEXIST::FUNCTION: BN_GF2m_mod_inv 3347 EXIST::FUNCTION: BN_GF2m_mod_exp 3348 EXIST::FUNCTION: EC_GROUP_get0_seed 3349 EXIST::FUNCTION:EC ecdsa_check 3350 EXIST::FUNCTION:ECDSA BN_GF2m_mod_div_arr 3351 EXIST::FUNCTION: -ENGINE_set_ECDSA 3352 EXIST::FUNCTION: +ENGINE_set_ECDSA 3352 EXIST::FUNCTION:ENGINE ECPKParameters_print 3353 EXIST::FUNCTION:BIO,EC PEM_write_EC_PUBKEY 3354 EXIST:!WIN16:FUNCTION:EC ECDH_set_method 3355 EXIST::FUNCTION:ECDH @@ -2935,14 +2935,14 @@ BN_nist_mod_384 3370 EXIST::FUNCTION: i2d_X509_CERT_PAIR 3371 EXIST::FUNCTION: PEM_write_ECPKParameters 3372 EXIST:!WIN16:FUNCTION:EC ECDH_compute_key 3373 EXIST::FUNCTION:ECDH -ENGINE_register_all_ECDH 3374 EXIST::FUNCTION: +ENGINE_register_all_ECDH 3374 EXIST::FUNCTION:ENGINE BN_GF2m_mod_solve_quad 3375 EXIST::FUNCTION: i2d_ECPrivateKey_fp 3376 EXIST::FUNCTION:EC,FP_API -ENGINE_register_all_ECDSA 3377 EXIST::FUNCTION: +ENGINE_register_all_ECDSA 3377 EXIST::FUNCTION:ENGINE EC_POINT_get_affine_coordinates_GF2m 3378 EXIST:!VMS:FUNCTION:EC EC_POINT_get_affine_coords_GF2m 3378 EXIST:VMS:FUNCTION:EC EC_GROUP_dup 3379 EXIST::FUNCTION:EC -ENGINE_get_default_ECDSA 3380 EXIST::FUNCTION: +ENGINE_get_default_ECDSA 3380 EXIST::FUNCTION:ENGINE EC_KEY_new 3381 EXIST::FUNCTION:EC ECDSA_verify 3382 EXIST::FUNCTION:ECDSA EC_POINT_point2hex 3383 EXIST::FUNCTION:EC @@ -2962,10 +2962,10 @@ ECDSA_size 3396 EXIST::FUNCTION:ECDSA d2i_EC_PUBKEY_bio 3397 EXIST::FUNCTION:BIO,EC BN_get0_nist_prime_521 3398 EXIST::FUNCTION: PEM_read_bio_ECPrivateKey 3399 EXIST::FUNCTION:EC -ENGINE_get_ECDH 3400 EXIST::FUNCTION: +ENGINE_get_ECDH 3400 EXIST::FUNCTION:ENGINE d2i_ECDSA_SIG 3401 EXIST::FUNCTION:ECDSA ECDSA_sign 3402 EXIST::FUNCTION:ECDSA -ENGINE_get_ECDSA 3403 EXIST::FUNCTION: +ENGINE_get_ECDSA 3403 EXIST::FUNCTION:ENGINE EVP_ecdsa 3404 EXIST::FUNCTION:SHA PKCS12_add_cert 3405 EXIST::FUNCTION: ERR_load_ECDH_strings 3406 EXIST::FUNCTION:ECDH @@ -2982,12 +2982,12 @@ d2i_EC_PUBKEY_fp 3416 EXIST::FUNCTION:EC,FP_API ecdh_check 3417 EXIST::FUNCTION:ECDH ECDSA_DATA_new_method 3418 EXIST::FUNCTION:ECDSA PEM_read_bio_X509_CERT_PAIR 3419 EXIST::FUNCTION: -ENGINE_set_default_ECDH 3420 EXIST::FUNCTION: +ENGINE_set_default_ECDH 3420 EXIST::FUNCTION:ENGINE PKCS12_add_key 3421 EXIST::FUNCTION: DSO_merge 3422 EXIST::FUNCTION: EC_POINT_hex2point 3423 EXIST::FUNCTION:EC BN_GF2m_mod_inv_arr 3424 EXIST::FUNCTION: -ENGINE_unregister_ECDSA 3425 EXIST::FUNCTION: +ENGINE_unregister_ECDSA 3425 EXIST::FUNCTION:ENGINE BN_GENCB_call 3426 EXIST::FUNCTION: BN_is_prime_ex 3427 EXIST::FUNCTION: RSA_generate_key_ex 3428 EXIST::FUNCTION:RSA @@ -2995,3 +2995,28 @@ DSA_generate_parameters_ex 3429 EXIST::FUNCTION:DSA BN_generate_prime_ex 3430 EXIST::FUNCTION: DH_generate_parameters_ex 3431 EXIST::FUNCTION:DH BN_is_prime_fasttest_ex 3432 EXIST::FUNCTION: +ENGINE_load_gmp 3433 EXIST::FUNCTION:ENGINE,STATIC_ENGINE +a2i_IPADDRESS 3434 EXIST::FUNCTION: +ENGINE_setup_bsd_cryptodev 3435 EXIST:__FreeBSD__:FUNCTION:ENGINE +EC_GROUP_have_precompute_mult 3436 EXIST::FUNCTION:EC +X509V3_NAME_from_section 3437 EXIST::FUNCTION: +POLICY_MAPPING_it 3438 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: +POLICY_MAPPING_it 3438 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +POLICY_MAPPINGS_it 3439 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: +POLICY_MAPPINGS_it 3439 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +POLICY_MAPPING_new 3440 EXIST::FUNCTION: +POLICY_MAPPING_free 3441 EXIST::FUNCTION: +POLICY_CONSTRAINTS_new 3442 EXIST::FUNCTION: +POLICY_CONSTRAINTS_it 3443 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: +POLICY_CONSTRAINTS_it 3443 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +POLICY_CONSTRAINTS_free 3444 EXIST::FUNCTION: +v2i_GENERAL_NAME_ex 3445 EXIST::FUNCTION: +NAME_CONSTRAINTS_free 3446 EXIST::FUNCTION: +a2i_IPADDRESS_NC 3447 EXIST::FUNCTION: +NAME_CONSTRAINTS_it 3448 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: +NAME_CONSTRAINTS_it 3448 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +NAME_CONSTRAINTS_new 3449 EXIST::FUNCTION: +GENERAL_SUBTREE_it 3450 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: +GENERAL_SUBTREE_it 3450 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +GENERAL_SUBTREE_free 3451 EXIST::FUNCTION: +GENERAL_SUBTREE_new 3452 EXIST::FUNCTION: diff --git a/util/mk1mf.pl b/util/mk1mf.pl index 8c6370bc5d..d85a20a605 100755 --- a/util/mk1mf.pl +++ b/util/mk1mf.pl @@ -65,6 +65,9 @@ and [options] can be one of no-krb5 - No KRB5 no-ec - No EC no-ecdsa - No ECDSA + no-ecdh - No ECDH + no-engine - No engine + no-hw - No hw nasm - Use NASM for x86 asm gaswin - Use GNU as with Mingw32 no-socks - No socket code @@ -219,7 +222,7 @@ $cflags.=" -DOPENSSL_NO_MD4" if $no_md4; $cflags.=" -DOPENSSL_NO_MD5" if $no_md5; $cflags.=" -DOPENSSL_NO_SHA" if $no_sha; $cflags.=" -DOPENSSL_NO_SHA1" if $no_sha1; -$cflags.=" -DOPENSSL_NO_RIPEMD" if $no_rmd160; +$cflags.=" -DOPENSSL_NO_RIPEMD" if $no_ripemd; $cflags.=" -DOPENSSL_NO_MDC2" if $no_mdc2; $cflags.=" -DOPENSSL_NO_BF" if $no_bf; $cflags.=" -DOPENSSL_NO_CAST" if $no_cast; @@ -234,6 +237,9 @@ $cflags.=" -DOPENSSL_NO_ERR" if $no_err; $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5; $cflags.=" -DOPENSSL_NO_EC" if $no_ec; $cflags.=" -DOPENSSL_NO_ECDSA" if $no_ecdsa; +$cflags.=" -DOPENSSL_NO_ECDH" if $no_ecdh; +$cflags.=" -DOPENSSL_NO_ENGINE" if $no_engine; +$cflags.=" -DOPENSSL_NO_HW" if $no_hw; #$cflags.=" -DRSAref" if $rsaref ne ""; ## if ($unix) @@ -663,6 +669,8 @@ sub var_add local($dir,$val)=@_; local(@a,$_,$ret); + return("") if $no_engine && $dir =~ /\/engine/; + return("") if $no_hw && $dir =~ /\/hw/; return("") if $no_idea && $dir =~ /\/idea/; return("") if $no_aes && $dir =~ /\/aes/; return("") if $no_rc2 && $dir =~ /\/rc2/; @@ -672,6 +680,7 @@ sub var_add return("") if $no_rsa && $dir =~ /^rsaref/; return("") if $no_dsa && $dir =~ /\/dsa/; return("") if $no_dh && $dir =~ /\/dh/; + return("") if $no_ec && $dir =~ /\/ec/; if ($no_des && $dir =~ /\/des/) { if ($val =~ /read_pwd/) @@ -706,7 +715,7 @@ sub var_add @a=grep(!/(^md2)|(_md2$)/,@a) if $no_md2; @a=grep(!/(^md4)|(_md4$)/,@a) if $no_md4; @a=grep(!/(^md5)|(_md5$)/,@a) if $no_md5; - @a=grep(!/(rmd)|(ripemd)/,@a) if $no_rmd160; + @a=grep(!/(rmd)|(ripemd)/,@a) if $no_ripemd; @a=grep(!/(^d2i_r_)|(^i2d_r_)/,@a) if $no_rsa; @a=grep(!/(^p_open$)|(^p_seal$)/,@a) if $no_rsa; @@ -723,6 +732,8 @@ sub var_add @a=grep(!/(^sha1)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1; @a=grep(!/_mdc2$/,@a) if $no_mdc2; + @a=grep(!/^engine$/,@a) if $no_engine; + @a=grep(!/^hw$/,@a) if $no_hw; @a=grep(!/(^rsa$)|(^genrsa$)/,@a) if $no_rsa; @a=grep(!/(^dsa$)|(^gendsa$)|(^dsaparam$)/,@a) if $no_dsa; @a=grep(!/^gendsa$/,@a) if $no_sha1; @@ -925,10 +936,13 @@ sub read_options elsif (/^no-krb5$/) { $no_krb5=1; } elsif (/^no-ec$/) { $no_ec=1; } elsif (/^no-ecdsa$/) { $no_ecdsa=1; } + elsif (/^no-ecdh$/) { $no_ecdh=1; } + elsif (/^no-engine$/) { $no_engine=1; } + elsif (/^no-hw$/) { $no_hw=1; } elsif (/^just-ssl$/) { $no_rc2=$no_idea=$no_des=$no_bf=$no_cast=1; $no_md2=$no_sha=$no_mdc2=$no_dsa=$no_dh=1; - $no_ssl2=$no_err=$no_rmd160=$no_rc5=1; + $no_ssl2=$no_err=$no_ripemd=$no_rc5=1; $no_aes=1; } elsif (/^rsaref$/) { } diff --git a/util/mkdef.pl b/util/mkdef.pl index d868a35036..4c15a942d2 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -93,7 +93,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF", # External "algorithms" "FP_API", "STDIO", "SOCK", "KRB5", # Engines - "STATIC_ENGINE", + "STATIC_ENGINE", "ENGINE", "HW", # Deprecated functions "DEPRECATED" ); @@ -111,7 +111,7 @@ my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf; my $no_cast; my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2; my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5; -my $no_ec; my $no_ecdsa; my $no_ecdh; +my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_fp_api; my $no_static_engine; my $no_deprecated; foreach (@ARGV, split(/ /, $options)) @@ -182,6 +182,8 @@ foreach (@ARGV, split(/ /, $options)) elsif (/^no-comp$/) { $no_comp=1; } elsif (/^no-dso$/) { $no_dso=1; } elsif (/^no-krb5$/) { $no_krb5=1; } + elsif (/^no-engine$/) { $no_engine=1; } + elsif (/^no-hw$/) { $no_hw=1; } } @@ -243,7 +245,7 @@ $crypto.=" crypto/ecdsa/ecdsa.h" ; # unless $no_ecdsa; $crypto.=" crypto/ecdh/ecdh.h" ; # unless $no_ecdh; $crypto.=" crypto/hmac/hmac.h" ; # unless $no_hmac; -$crypto.=" crypto/engine/engine.h"; +$crypto.=" crypto/engine/engine.h"; # unless $no_engine; $crypto.=" crypto/stack/stack.h" ; # unless $no_stack; $crypto.=" crypto/buffer/buffer.h" ; # unless $no_buffer; $crypto.=" crypto/bio/bio.h" ; # unless $no_bio; @@ -446,6 +448,10 @@ sub do_defs } s/\/\*.*?\*\///gs; # ignore comments + if (/\/\*/) { # if we have part + $line = $_; # of a comment, + next; # continue reading + } s/{[^{}]*}//gs; # ignore {} blocks print STDERR "DEBUG: \$def=\"$def\"\n" if $debug && $def ne ""; print STDERR "DEBUG: \$_=\"$_\"\n" if $debug; @@ -671,6 +677,10 @@ sub do_defs "EXPORT_VAR_AS_FUNCTION", "FUNCTION"); next; + } elsif (/^\s*DECLARE_ASN1_ALLOC_FUNCTIONS\s*\(\s*(\w*)\s*\)/) { + $def .= "int $1_free(void);"; + $def .= "int $1_new(void);"; + next; } elsif (/^\s*DECLARE_ASN1_FUNCTIONS_name\s*\(\s*(\w*)\s*,\s*(\w*)\s*\)/) { $def .= "int d2i_$2(void);"; $def .= "int i2d_$2(void);"; @@ -823,14 +833,14 @@ sub do_defs } elsif (/\(\*(\w*(\{[0-9]+\})?)\([^\)]+/) { $s = $1; print STDERR "DEBUG: found ANSI C function $s\n" if $debug; - } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s) { + } elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s) { # K&R C print STDERR "DEBUG: found K&R C function $s\n" if $debug; next; - } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)$/s) { - while (not /\(\)$/s) { - s/[^\(\)]*\)$/\)/s; - s/\([^\(\)]*\)\)$/\)/s; + } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) { + while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) { + s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s; + s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s; } s/\(void\)//; /(\w+(\{[0-9]+\})?)\W*\(\)/s; @@ -1065,6 +1075,8 @@ sub is_valid if ($keyword eq "COMP" && $no_comp) { return 0; } if ($keyword eq "DSO" && $no_dso) { return 0; } if ($keyword eq "KRB5" && $no_krb5) { return 0; } + if ($keyword eq "ENGINE" && $no_engine) { return 0; } + if ($keyword eq "HW" && $no_hw) { return 0; } if ($keyword eq "FP_API" && $no_fp_api) { return 0; } if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; } if ($keyword eq "DEPRECATED" && $no_deprecated) { return 0; } diff --git a/util/mkerr.pl b/util/mkerr.pl index 4105047b21..cf34a35ce1 100644 --- a/util/mkerr.pl +++ b/util/mkerr.pl @@ -128,20 +128,20 @@ while (($hdr, $lib) = each %libinc) s/^[\n\s]*//g; s/[\n\s]*$//g; next if(/typedef\W/); - if (/\(\*(\w*)\([^\)]+/) { + if (/\(\*(\w*)\([^\)]+\)(\s*__attribute__\(.*\)\s*)?$/) { my $name = $1; $name =~ tr/[a-z]/[A-Z]/; $ftrans{$name} = $1; - } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s){ + } elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s){ # K&R C next ; - } elsif (/\w+\W+\w+\W*\(.*\)$/s) { - while (not /\(\)$/s) { - s/[^\(\)]*\)$/\)/s; - s/\([^\(\)]*\)\)$/\)/s; + } elsif (/\w+\W+\w+\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) { + while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) { + s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s; + s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s; } s/\(void\)//; - /(\w+)\W*\(\)/s; + /(\w+(\{[0-9]+\})?)\W*\(\)/s; my $name = $1; $name =~ tr/[a-z]/[A-Z]/; $ftrans{$name} = $1; @@ -262,7 +262,7 @@ foreach $lib (keys %csrc) } else { push @out, "/* ====================================================================\n", -" * Copyright (c) 2001-2002 The OpenSSL Project. All rights reserved.\n", +" * Copyright (c) 2001-2003 The OpenSSL Project. All rights reserved.\n", " *\n", " * Redistribution and use in source and binary forms, with or without\n", " * modification, are permitted provided that the following conditions\n", @@ -404,7 +404,7 @@ EOF print OUT <<"EOF"; /* $cfile */ /* ==================================================================== - * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/util/pl/Mingw32.pl b/util/pl/Mingw32.pl index 45ab685974..d0472df278 100644 --- a/util/pl/Mingw32.pl +++ b/util/pl/Mingw32.pl @@ -1,17 +1,17 @@ #!/usr/local/bin/perl # -# Mingw32.pl -- Mingw32 with GNU cp (Mingw32f.pl uses DOS tools) +# Mingw32.pl -- Mingw # $o='/'; $cp='cp'; -$rm='rem'; # use 'rm -f' if using GNU file utilities +$rm='rm -f'; $mkdir='gmkdir'; -# gcc wouldn't accept backslashes in paths -#$o='\\'; -#$cp='copy'; -#$rm='del'; +$o='\\'; +$cp='copy'; +$rm='del'; +$mkdir='mkdir'; # C compiler stuff @@ -19,31 +19,31 @@ $cc='gcc'; if ($debug) { $cflags="-DL_ENDIAN -DDSO_WIN32 -g2 -ggdb"; } else - { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -m486 -Wall"; } + { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -mcpu=i486 -Wall"; } if ($gaswin and !$no_asm) { - $bn_asm_obj='$(OBJ_D)/bn-win32.o'; + $bn_asm_obj='$(OBJ_D)\bn-win32.o'; $bn_asm_src='crypto/bn/asm/bn-win32.s'; - $bnco_asm_obj='$(OBJ_D)/co-win32.o'; + $bnco_asm_obj='$(OBJ_D)\co-win32.o'; $bnco_asm_src='crypto/bn/asm/co-win32.s'; - $des_enc_obj='$(OBJ_D)/d-win32.o $(OBJ_D)/y-win32.o'; + $des_enc_obj='$(OBJ_D)\d-win32.o $(OBJ_D)\y-win32.o'; $des_enc_src='crypto/des/asm/d-win32.s crypto/des/asm/y-win32.s'; - $bf_enc_obj='$(OBJ_D)/b-win32.o'; + $bf_enc_obj='$(OBJ_D)\b-win32.o'; $bf_enc_src='crypto/bf/asm/b-win32.s'; -# $cast_enc_obj='$(OBJ_D)/c-win32.o'; +# $cast_enc_obj='$(OBJ_D)\c-win32.o'; # $cast_enc_src='crypto/cast/asm/c-win32.s'; - $rc4_enc_obj='$(OBJ_D)/r4-win32.o'; + $rc4_enc_obj='$(OBJ_D)\r4-win32.o'; $rc4_enc_src='crypto/rc4/asm/r4-win32.s'; - $rc5_enc_obj='$(OBJ_D)/r5-win32.o'; + $rc5_enc_obj='$(OBJ_D)\r5-win32.o'; $rc5_enc_src='crypto/rc5/asm/r5-win32.s'; - $md5_asm_obj='$(OBJ_D)/m5-win32.o'; + $md5_asm_obj='$(OBJ_D)\m5-win32.o'; $md5_asm_src='crypto/md5/asm/m5-win32.s'; - $rmd160_asm_obj='$(OBJ_D)/rm-win32.o'; + $rmd160_asm_obj='$(OBJ_D)\rm-win32.o'; $rmd160_asm_src='crypto/ripemd/asm/rm-win32.s'; - $sha1_asm_obj='$(OBJ_D)/s1-win32.o'; + $sha1_asm_obj='$(OBJ_D)\s1-win32.o'; $sha1_asm_src='crypto/sha/asm/s1-win32.s'; - $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM"; + $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DOPENSSL_BN_ASM_PART_WORDS"; } diff --git a/util/pl/Mingw32f.pl b/util/pl/Mingw32f.pl deleted file mode 100644 index 44f5673d7a..0000000000 --- a/util/pl/Mingw32f.pl +++ /dev/null @@ -1,73 +0,0 @@ -#!/usr/local/bin/perl -# -# Mingw32f.pl -- copy files; Mingw32.pl is needed to do the compiling. -# - -$o='\\'; -$cp='copy'; -$rm='del'; - -# C compiler stuff - -$cc='gcc'; -if ($debug) - { $cflags="-g2 -ggdb -DDSO_WIN32"; } -else - { $cflags="-O3 -fomit-frame-pointer -DDSO_WIN32"; } - -$obj='.o'; -$ofile='-o '; - -# EXE linking stuff -$link='${CC}'; -$lflags='${CFLAGS}'; -$efile='-o '; -$exep=''; -$ex_libs="-lwsock32 -lgdi32"; - -# static library stuff -$mklib='ar r'; -$mlflags=''; -$ranlib='ranlib'; -$plib='lib'; -$libp=".a"; -$shlibp=".a"; -$lfile=''; - -$asm='as'; -$afile='-o '; -$bn_asm_obj=""; -$bn_asm_src=""; -$des_enc_obj=""; -$des_enc_src=""; -$bf_enc_obj=""; -$bf_enc_src=""; - -sub do_lib_rule - { - local($obj,$target,$name,$shlib)=@_; - local($ret,$_,$Name); - - $target =~ s/\//$o/g if $o ne '/'; - $target="$target"; - ($Name=$name) =~ tr/a-z/A-Z/; - - $ret.="$target: \$(${Name}OBJ)\n"; - $ret.="\t\$(RM) $target\n"; - $ret.="\t\$(MKLIB) $target \$(${Name}OBJ)\n"; - $ret.="\t\$(RANLIB) $target\n\n"; - } - -sub do_link_rule - { - local($target,$files,$dep_libs,$libs)=@_; - local($ret,$_); - - $file =~ s/\//$o/g if $o ne '/'; - $n=&bname($target); - $ret.="$target: $files $dep_libs\n"; - $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n"; - return($ret); - } -1; - diff --git a/util/pl/VC-16.pl b/util/pl/VC-16.pl index 7cda5e67a9..ab97c4c9b8 100644 --- a/util/pl/VC-16.pl +++ b/util/pl/VC-16.pl @@ -44,7 +44,7 @@ if ($win16) else { $no_sock=1; - $cflags.=" -DMSDOS"; + $cflags.=" -DOPENSSL_SYSNAME_MSDOS"; $lflags.=" /EXEPACK"; $ex_libs.="oldnames.lib llibce.lib"; } diff --git a/util/pl/VC-CE.pl b/util/pl/VC-CE.pl index 1805ef9d97..3267cd4893 100644 --- a/util/pl/VC-CE.pl +++ b/util/pl/VC-CE.pl @@ -12,7 +12,7 @@ $rm='del'; # C compiler stuff $cc='$(CC)'; -$cflags=' /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo $(WCETARGETDEFS) -DUNICODE -D_UNICODE -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -I$(WCECOMPAT)/include'; +$cflags=' /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo $(WCETARGETDEFS) -DUNICODE -D_UNICODE -DOPENSSL_SYSNAME_WINCE -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -I$(WCECOMPAT)/include'; $lflags='/nologo /subsystem:windowsce,$(WCELDVERSION) /machine:$(WCELDMACHINE) /opt:ref'; $mlflags=''; @@ -22,7 +22,7 @@ $inc_def="inc32"; if ($debug) { - $cflags=" /MDd /W3 /WX /Zi /Yd /Od /nologo -DWIN32 -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG -DDSO_WIN32"; + $cflags=" /MDd /W3 /WX /Zi /Yd /Od /nologo -DOPENSSL_SYSNAME_WINCE -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG -DDSO_WIN32"; $lflags.=" /debug"; $mlflags.=' /debug'; } diff --git a/util/pl/linux.pl b/util/pl/linux.pl index 8924ed5480..d24f7b7291 100644 --- a/util/pl/linux.pl +++ b/util/pl/linux.pl @@ -39,7 +39,7 @@ if (!$no_asm) $rmd160_asm_src='crypto/ripemd/asm/rm86unix.cpp'; $sha1_asm_obj='$(OBJ_D)/sx86-elf.o'; $sha1_asm_src='crypto/sha/asm/sx86unix.cpp'; - $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM"; + $cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM -DOPENSSL_BN_ASM_PART_WORDS"; } $cflags.=" -DTERMIO -DL_ENDIAN -m486 -Wall"; diff --git a/util/ssleay.num b/util/ssleay.num index d027a1c45a..865005ac64 100755 --- a/util/ssleay.num +++ b/util/ssleay.num @@ -169,7 +169,7 @@ SSL_add_file_cert_subjects_to_stack 185 EXIST:!VMS:FUNCTION:STDIO SSL_add_file_cert_subjs_to_stk 185 EXIST:VMS:FUNCTION:STDIO SSL_set_tmp_rsa_callback 186 EXIST::FUNCTION:RSA SSL_set_tmp_dh_callback 187 EXIST::FUNCTION:DH -SSL_add_dir_cert_subjects_to_stack 188 EXIST:!VMS,!WIN32:FUNCTION:STDIO +SSL_add_dir_cert_subjects_to_stack 188 EXIST:!VMS:FUNCTION:STDIO SSL_add_dir_cert_subjs_to_stk 188 NOEXIST::FUNCTION: SSL_set_session_id_context 189 EXIST::FUNCTION: SSL_CTX_use_certificate_chain_file 222 EXIST:!VMS:FUNCTION:STDIO @@ -217,3 +217,4 @@ SSL_CTX_set_msg_callback 266 EXIST::FUNCTION: SSL_set_msg_callback 267 EXIST::FUNCTION: SSL_set_tmp_ecdh_callback 268 EXIST::FUNCTION:ECDH SSL_CTX_set_tmp_ecdh_callback 269 EXIST::FUNCTION:ECDH +SSL_SESSION_get_id 270 EXIST::FUNCTION: |