aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJacques Vidrine <nectar@FreeBSD.org>2003-02-21 16:33:02 +0000
committerJacques Vidrine <nectar@FreeBSD.org>2003-02-21 16:33:02 +0000
commitffb98d177e8c5e079c75275046c58cf892ca40ba (patch)
tree454c1a5007cedbdf2f75e78978a3e2f5d459699c
parentf9ed240692690069fb33b086fb2222b0a7137c1e (diff)
downloadsrc-ffb98d177e8c5e079c75275046c58cf892ca40ba.tar.gz
src-ffb98d177e8c5e079c75275046c58cf892ca40ba.zip
Merge from RELENG_4_7: Update to OpenSSL 0.9.6i.
Notes
Notes: svn path=/releng/4.6/; revision=111218
-rw-r--r--UPDATING4
-rw-r--r--crypto/openssl/CHANGES112
-rwxr-xr-xcrypto/openssl/Configure40
-rw-r--r--crypto/openssl/FAQ74
-rw-r--r--crypto/openssl/INSTALL18
-rw-r--r--crypto/openssl/Makefile.org50
-rw-r--r--crypto/openssl/Makefile.ssl90
-rw-r--r--crypto/openssl/NEWS31
-rw-r--r--crypto/openssl/README4
-rw-r--r--crypto/openssl/apps/Makefile.ssl6
-rw-r--r--crypto/openssl/apps/apps.h2
-rw-r--r--crypto/openssl/apps/asn1pars.c2
-rw-r--r--crypto/openssl/apps/ca.c29
-rw-r--r--crypto/openssl/apps/ciphers.c2
-rw-r--r--crypto/openssl/apps/crl.c2
-rw-r--r--crypto/openssl/apps/crl2p7.c4
-rw-r--r--crypto/openssl/apps/dgst.c4
-rw-r--r--crypto/openssl/apps/dh.c2
-rw-r--r--crypto/openssl/apps/dhparam.c2
-rw-r--r--crypto/openssl/apps/dsa.c2
-rw-r--r--crypto/openssl/apps/dsaparam.c2
-rw-r--r--crypto/openssl/apps/enc.c6
-rw-r--r--crypto/openssl/apps/errstr.c2
-rw-r--r--crypto/openssl/apps/gendh.c2
-rw-r--r--crypto/openssl/apps/gendsa.c2
-rw-r--r--crypto/openssl/apps/genrsa.c2
-rw-r--r--crypto/openssl/apps/nseq.c4
-rw-r--r--crypto/openssl/apps/openssl.c4
-rw-r--r--crypto/openssl/apps/openssl.cnf1
-rw-r--r--crypto/openssl/apps/passwd.c4
-rw-r--r--crypto/openssl/apps/pkcs12.c12
-rw-r--r--crypto/openssl/apps/pkcs7.c4
-rw-r--r--crypto/openssl/apps/pkcs8.c3
-rw-r--r--crypto/openssl/apps/rand.c2
-rw-r--r--crypto/openssl/apps/req.c4
-rw-r--r--crypto/openssl/apps/rsa.c2
-rw-r--r--crypto/openssl/apps/s_client.c6
-rw-r--r--crypto/openssl/apps/s_server.c20
-rw-r--r--crypto/openssl/apps/s_time.c9
-rw-r--r--crypto/openssl/apps/sess_id.c2
-rw-r--r--crypto/openssl/apps/speed.c6
-rw-r--r--crypto/openssl/apps/spkac.c2
-rw-r--r--crypto/openssl/apps/verify.c2
-rw-r--r--crypto/openssl/apps/version.c2
-rw-r--r--crypto/openssl/apps/x509.c6
-rwxr-xr-xcrypto/openssl/config18
-rw-r--r--crypto/openssl/crypto/Makefile.ssl9
-rw-r--r--crypto/openssl/crypto/asn1/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/asn1/a_sign.c6
-rw-r--r--crypto/openssl/crypto/asn1/a_strex.c4
-rw-r--r--crypto/openssl/crypto/asn1/a_utctm.c2
-rw-r--r--crypto/openssl/crypto/asn1/a_verify.c2
-rw-r--r--crypto/openssl/crypto/asn1/asn1_lib.c7
-rw-r--r--crypto/openssl/crypto/asn1/n_pkey.c4
-rw-r--r--crypto/openssl/crypto/asn1/p8_pkey.c4
-rw-r--r--crypto/openssl/crypto/bf/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/bf/bftest.c4
-rw-r--r--crypto/openssl/crypto/bio/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/bio/b_print.c2
-rw-r--r--crypto/openssl/crypto/bio/bio.h2
-rw-r--r--crypto/openssl/crypto/bn/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/bn/bn.h4
-rw-r--r--crypto/openssl/crypto/bn/bn_lib.c4
-rw-r--r--crypto/openssl/crypto/bn/bn_rand.c2
-rw-r--r--crypto/openssl/crypto/bn/bn_word.c5
-rw-r--r--crypto/openssl/crypto/bn/bntest.c12
-rw-r--r--crypto/openssl/crypto/bn/exptest.c19
-rw-r--r--crypto/openssl/crypto/buffer/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/cast/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/cast/casttest.c4
-rw-r--r--crypto/openssl/crypto/comp/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/conf/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/conf/conf_def.c7
-rw-r--r--crypto/openssl/crypto/cryptlib.c39
-rw-r--r--crypto/openssl/crypto/cryptlib.h4
-rw-r--r--crypto/openssl/crypto/crypto.h55
-rw-r--r--crypto/openssl/crypto/des/Makefile.ssl16
-rw-r--r--crypto/openssl/crypto/des/des.c33
-rw-r--r--crypto/openssl/crypto/des/read2pwd.c9
-rw-r--r--crypto/openssl/crypto/des/read_pwd.c2
-rw-r--r--crypto/openssl/crypto/des/str2key.c5
-rw-r--r--crypto/openssl/crypto/dh/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/dh/dhtest.c7
-rw-r--r--crypto/openssl/crypto/dsa/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/dsa/dsatest.c13
-rw-r--r--crypto/openssl/crypto/dso/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/err/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/err/err_all.c1
-rw-r--r--crypto/openssl/crypto/evp/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/evp/bio_enc.c2
-rw-r--r--crypto/openssl/crypto/evp/bio_ok.c2
-rw-r--r--crypto/openssl/crypto/evp/c_allc.c4
-rw-r--r--crypto/openssl/crypto/evp/c_alld.c4
-rw-r--r--crypto/openssl/crypto/evp/e_idea.c2
-rw-r--r--crypto/openssl/crypto/evp/evp.h2
-rw-r--r--crypto/openssl/crypto/evp/evp_key.c4
-rw-r--r--crypto/openssl/crypto/evp/p5_crpt.c6
-rw-r--r--crypto/openssl/crypto/evp/p5_crpt2.c2
-rw-r--r--crypto/openssl/crypto/evp/p_open.c2
-rw-r--r--crypto/openssl/crypto/hmac/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/hmac/hmactest.c4
-rw-r--r--crypto/openssl/crypto/idea/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/idea/i_cbc.c1
-rw-r--r--crypto/openssl/crypto/idea/i_cfb64.c1
-rw-r--r--crypto/openssl/crypto/idea/i_ecb.c1
-rw-r--r--crypto/openssl/crypto/idea/i_ofb64.c1
-rw-r--r--crypto/openssl/crypto/idea/i_skey.c1
-rw-r--r--crypto/openssl/crypto/idea/idea.h1
-rw-r--r--crypto/openssl/crypto/idea/idea_lcl.h1
-rw-r--r--crypto/openssl/crypto/idea/idea_spd.c1
-rw-r--r--crypto/openssl/crypto/idea/ideatest.c5
-rw-r--r--crypto/openssl/crypto/idea/version1
-rw-r--r--crypto/openssl/crypto/lhash/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/md2/Makefile.ssl8
-rw-r--r--crypto/openssl/crypto/md2/md2_dgst.c3
-rw-r--r--crypto/openssl/crypto/md2/md2_one.c2
-rw-r--r--crypto/openssl/crypto/md2/md2test.c4
-rw-r--r--crypto/openssl/crypto/md32_common.h2
-rw-r--r--crypto/openssl/crypto/md4/Makefile.ssl6
-rw-r--r--crypto/openssl/crypto/md4/md4_one.c3
-rw-r--r--crypto/openssl/crypto/md4/md4test.c4
-rw-r--r--crypto/openssl/crypto/md5/Makefile.ssl6
-rw-r--r--crypto/openssl/crypto/md5/md5_one.c3
-rw-r--r--crypto/openssl/crypto/md5/md5test.c4
-rw-r--r--crypto/openssl/crypto/mdc2/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/mdc2/mdc2_one.c2
-rw-r--r--crypto/openssl/crypto/mdc2/mdc2test.c4
-rw-r--r--crypto/openssl/crypto/mem.c23
-rw-r--r--crypto/openssl/crypto/mem_dbg.c18
-rw-r--r--crypto/openssl/crypto/objects/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/objects/obj_dat.c2
-rw-r--r--crypto/openssl/crypto/objects/obj_dat.h22
-rw-r--r--crypto/openssl/crypto/objects/obj_mac.h10
-rw-r--r--crypto/openssl/crypto/objects/obj_mac.num2
-rw-r--r--crypto/openssl/crypto/objects/objects.txt4
-rw-r--r--crypto/openssl/crypto/opensslconf.h21
-rw-r--r--crypto/openssl/crypto/opensslv.h4
-rw-r--r--crypto/openssl/crypto/pem/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/pem/pem_info.c4
-rw-r--r--crypto/openssl/crypto/pem/pem_lib.c21
-rw-r--r--crypto/openssl/crypto/pem/pem_seal.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_crpt.c4
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_decr.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_key.c2
-rw-r--r--crypto/openssl/crypto/pkcs7/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/pkcs7/bio_ber.c2
-rw-r--r--crypto/openssl/crypto/pkcs7/pk7_doit.c4
-rw-r--r--crypto/openssl/crypto/rand/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/rand/md_rand.c4
-rw-r--r--crypto/openssl/crypto/rand/rand_egd.c2
-rw-r--r--crypto/openssl/crypto/rand/rand_win.c20
-rw-r--r--crypto/openssl/crypto/rand/randfile.c7
-rw-r--r--crypto/openssl/crypto/rand/randtest.c4
-rw-r--r--crypto/openssl/crypto/rc2/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/rc2/rc2test.c4
-rw-r--r--crypto/openssl/crypto/rc4/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/rc4/rc4.c4
-rw-r--r--crypto/openssl/crypto/rc4/rc4test.c4
-rw-r--r--crypto/openssl/crypto/rc5/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/rc5/rc5test.c4
-rw-r--r--crypto/openssl/crypto/ripemd/Makefile.ssl6
-rw-r--r--crypto/openssl/crypto/ripemd/rmd_one.c3
-rw-r--r--crypto/openssl/crypto/ripemd/rmdtest.c4
-rw-r--r--crypto/openssl/crypto/rsa/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/rsa/rsa.h3
-rw-r--r--crypto/openssl/crypto/rsa/rsa_eay.c9
-rw-r--r--crypto/openssl/crypto/rsa/rsa_lib.c1
-rw-r--r--crypto/openssl/crypto/rsa/rsa_pk1.c2
-rw-r--r--crypto/openssl/crypto/rsa/rsa_saos.c6
-rw-r--r--crypto/openssl/crypto/rsa/rsa_sign.c6
-rw-r--r--crypto/openssl/crypto/sha/Makefile.ssl10
-rw-r--r--crypto/openssl/crypto/sha/sha1_one.c3
-rw-r--r--crypto/openssl/crypto/sha/sha1test.c4
-rw-r--r--crypto/openssl/crypto/sha/sha_one.c3
-rw-r--r--crypto/openssl/crypto/sha/shatest.c4
-rw-r--r--crypto/openssl/crypto/stack/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/threads/mttest.c121
-rw-r--r--crypto/openssl/crypto/tmdiff.c5
-rw-r--r--crypto/openssl/crypto/txt_db/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/uid.c2
-rw-r--r--crypto/openssl/crypto/x509/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/x509/by_file.c17
-rw-r--r--crypto/openssl/crypto/x509/x509_cmp.c110
-rw-r--r--crypto/openssl/crypto/x509/x509_vfy.c2
-rw-r--r--crypto/openssl/crypto/x509v3/Makefile.ssl2
-rw-r--r--crypto/openssl/demos/selfsign.c2
-rw-r--r--crypto/openssl/doc/apps/passwd.pod2
-rw-r--r--crypto/openssl/doc/apps/req.pod8
-rw-r--r--crypto/openssl/doc/apps/smime.pod4
-rw-r--r--crypto/openssl/doc/apps/x509.pod18
-rw-r--r--crypto/openssl/doc/c-indentation.el10
-rw-r--r--crypto/openssl/doc/crypto/BN_CTX_new.pod2
-rw-r--r--crypto/openssl/doc/crypto/BN_add.pod2
-rw-r--r--crypto/openssl/doc/crypto/BN_add_word.pod2
-rw-r--r--crypto/openssl/doc/crypto/BN_bn2bin.pod2
-rw-r--r--crypto/openssl/doc/crypto/BN_copy.pod2
-rw-r--r--crypto/openssl/doc/crypto/BN_generate_prime.pod4
-rw-r--r--crypto/openssl/doc/crypto/BN_mod_inverse.pod2
-rw-r--r--crypto/openssl/doc/crypto/BN_mod_mul_montgomery.pod2
-rw-r--r--crypto/openssl/doc/crypto/BN_mod_mul_reciprocal.pod2
-rw-r--r--crypto/openssl/doc/crypto/BN_new.pod2
-rw-r--r--crypto/openssl/doc/crypto/BN_rand.pod2
-rw-r--r--crypto/openssl/doc/crypto/DH_generate_key.pod2
-rw-r--r--crypto/openssl/doc/crypto/DH_generate_parameters.pod3
-rw-r--r--crypto/openssl/doc/crypto/DH_get_ex_new_index.pod36
-rw-r--r--crypto/openssl/doc/crypto/DH_new.pod2
-rw-r--r--crypto/openssl/doc/crypto/DSA_SIG_new.pod3
-rw-r--r--crypto/openssl/doc/crypto/DSA_do_sign.pod2
-rw-r--r--crypto/openssl/doc/crypto/DSA_dup_DH.pod2
-rw-r--r--crypto/openssl/doc/crypto/DSA_generate_key.pod3
-rw-r--r--crypto/openssl/doc/crypto/DSA_generate_parameters.pod2
-rw-r--r--crypto/openssl/doc/crypto/DSA_new.pod2
-rw-r--r--crypto/openssl/doc/crypto/DSA_sign.pod2
-rw-r--r--crypto/openssl/doc/crypto/EVP_SealInit.pod5
-rw-r--r--crypto/openssl/doc/crypto/RAND_bytes.pod3
-rw-r--r--crypto/openssl/doc/crypto/RSA_check_key.pod2
-rw-r--r--crypto/openssl/doc/crypto/RSA_generate_key.pod3
-rw-r--r--crypto/openssl/doc/crypto/RSA_print.pod6
-rw-r--r--crypto/openssl/doc/crypto/RSA_private_encrypt.pod3
-rw-r--r--crypto/openssl/doc/crypto/RSA_public_encrypt.pod3
-rw-r--r--crypto/openssl/doc/crypto/RSA_sign.pod4
-rw-r--r--crypto/openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod4
-rw-r--r--crypto/openssl/doc/openssl.txt2
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_add_session.pod8
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod53
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_new.pod98
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod53
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod2
-rw-r--r--crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod61
-rw-r--r--crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod59
-rw-r--r--crypto/openssl/doc/ssl/SSL_new.pod43
-rw-r--r--crypto/openssl/doc/ssl/ssl.pod2
-rw-r--r--crypto/openssl/e_os.h30
-rw-r--r--crypto/openssl/openssl.spec2
-rw-r--r--crypto/openssl/ssl/Makefile.ssl2
-rw-r--r--crypto/openssl/ssl/s23_clnt.c24
-rw-r--r--crypto/openssl/ssl/s23_lib.c2
-rw-r--r--crypto/openssl/ssl/s23_meth.c19
-rw-r--r--crypto/openssl/ssl/s23_srvr.c19
-rw-r--r--crypto/openssl/ssl/s2_clnt.c68
-rw-r--r--crypto/openssl/ssl/s2_enc.c5
-rw-r--r--crypto/openssl/ssl/s2_lib.c52
-rw-r--r--crypto/openssl/ssl/s2_meth.c21
-rw-r--r--crypto/openssl/ssl/s2_pkt.c1
-rw-r--r--crypto/openssl/ssl/s2_srvr.c78
-rw-r--r--crypto/openssl/ssl/s3_clnt.c58
-rw-r--r--crypto/openssl/ssl/s3_enc.c12
-rw-r--r--crypto/openssl/ssl/s3_lib.c19
-rw-r--r--crypto/openssl/ssl/s3_meth.c19
-rw-r--r--crypto/openssl/ssl/s3_pkt.c47
-rw-r--r--crypto/openssl/ssl/s3_srvr.c29
-rw-r--r--crypto/openssl/ssl/ssl.h13
-rw-r--r--crypto/openssl/ssl/ssl_asn1.c5
-rw-r--r--crypto/openssl/ssl/ssl_err.c6
-rw-r--r--crypto/openssl/ssl/ssl_lib.c21
-rw-r--r--crypto/openssl/ssl/ssl_locl.h2
-rw-r--r--crypto/openssl/ssl/ssl_sess.c24
-rw-r--r--crypto/openssl/ssl/ssltest.c26
-rw-r--r--crypto/openssl/ssl/t1_clnt.c17
-rw-r--r--crypto/openssl/ssl/t1_enc.c12
-rw-r--r--crypto/openssl/ssl/t1_meth.c20
-rw-r--r--crypto/openssl/ssl/t1_srvr.c17
-rw-r--r--crypto/openssl/test/Makefile.ssl91
-rw-r--r--crypto/openssl/test/methtest.c4
-rw-r--r--crypto/openssl/test/testssl16
-rw-r--r--crypto/openssl/tools/c_rehash6
-rw-r--r--crypto/openssl/tools/c_rehash.in6
-rwxr-xr-xcrypto/openssl/util/libeay.num7
-rwxr-xr-xcrypto/openssl/util/mk1mf.pl6
-rwxr-xr-xcrypto/openssl/util/mkcerts.sh6
-rw-r--r--crypto/openssl/util/mkerr.pl2
-rw-r--r--crypto/openssl/util/pl/BC-32.pl4
-rw-r--r--crypto/openssl/util/pl/Mingw32.pl1
-rwxr-xr-xcrypto/openssl/util/pod2mantest22
-rw-r--r--secure/lib/libcrypto/Makefile4
-rw-r--r--sys/conf/newvers.sh2
277 files changed, 1777 insertions, 1188 deletions
diff --git a/UPDATING b/UPDATING
index f7f4b100914d..b5d3121b2754 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,10 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20030221: p8 FreeBSD-SA-03:02.openssl
+ Update to OpenSSL 0.9.6i in order to correct `Timing-based
+ attacks on SSL/TLS with CBC encryption' vulnerability.
+
20030204: p7 FreeBSD-SA-03:01.cvs
Correct a double-free bug and disable a dangerous feature in
cvs.
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index be4d128b834a..cf7444a1a9c3 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES
@@ -2,8 +2,114 @@
OpenSSL CHANGES
_______________
+ Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
+
+ *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
+ via timing by performing a MAC computation even if incorrrect
+ block cipher padding has been found. This is a countermeasure
+ against active attacks where the attacker has to distinguish
+ between bad padding and a MAC verification error. (CAN-2003-0078)
+
+ [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
+ Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
+ Martin Vuagnoux (EPFL, Ilion)]
+
+ Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
+
+ *) New function OPENSSL_cleanse(), which is used to cleanse a section of
+ memory from it's contents. This is done with a counter that will
+ place alternating values in each byte. This can be used to solve
+ two issues: 1) the removal of calls to memset() by highly optimizing
+ compilers, and 2) cleansing with other values than 0, since those can
+ be read through on certain media, for example a swap space on disk.
+ [Geoff Thorpe]
+
+ *) Bugfix: client side session caching did not work with external caching,
+ because the session->cipher setting was not restored when reloading
+ from the external cache. This problem was masked, when
+ SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
+ (Found by Steve Haslam <steve@araqnid.ddts.net>.)
+ [Lutz Jaenicke]
+
+ *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
+ length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
+ [Zeev Lieber <zeev-l@yahoo.com>]
+
+ *) Undo an undocumented change introduced in 0.9.6e which caused
+ repeated calls to OpenSSL_add_all_ciphers() and
+ OpenSSL_add_all_digests() to be ignored, even after calling
+ EVP_cleanup().
+ [Richard Levitte]
+
+ *) Change the default configuration reader to deal with last line not
+ being properly terminated.
+ [Richard Levitte]
+
+ *) Change X509_NAME_cmp() so it applies the special rules on handling
+ DN values that are of type PrintableString, as well as RDNs of type
+ emailAddress where the value has the type ia5String.
+ [stefank@valicert.com via Richard Levitte]
+
+ *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
+ the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
+ doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
+ the bitwise-OR of the two for use by the majority of applications
+ wanting this behaviour, and update the docs. The documented
+ behaviour and actual behaviour were inconsistent and had been
+ changing anyway, so this is more a bug-fix than a behavioural
+ change.
+ [Geoff Thorpe, diagnosed by Nadav Har'El]
+
+ *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
+ (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
+ [Bodo Moeller]
+
+ *) Fix initialization code race conditions in
+ SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(),
+ SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(),
+ SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(),
+ TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(),
+ ssl2_get_cipher_by_char(),
+ ssl3_get_cipher_by_char().
+ [Patrick McCormick <patrick@tellme.com>, Bodo Moeller]
+
+ *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
+ the cached sessions are flushed, as the remove_cb() might use ex_data
+ contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
+ (see [openssl.org #212]).
+ [Geoff Thorpe, Lutz Jaenicke]
+
+ *) Fix typo in OBJ_txt2obj which incorrectly passed the content
+ length, instead of the encoding length to d2i_ASN1_OBJECT.
+ [Steve Henson]
+
+ Changes between 0.9.6f and 0.9.6g [9 Aug 2002]
+
+ *) [In 0.9.6g-engine release:]
+ Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall').
+ [Lynn Gazis <lgazis@rainbow.com>]
+
+ Changes between 0.9.6e and 0.9.6f [8 Aug 2002]
+
+ *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
+ and get fix the header length calculation.
+ [Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
+ Alon Kantor <alonk@checkpoint.com> (and others),
+ Steve Henson]
+
+ *) Use proper error handling instead of 'assertions' in buffer
+ overflow checks added in 0.9.6e. This prevents DoS (the
+ assertions could call abort()).
+ [Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller]
+
Changes between 0.9.6d and 0.9.6e [30 Jul 2002]
+ *) Add various sanity checks to asn1_get_length() to reject
+ the ASN1 length bytes if they exceed sizeof(long), will appear
+ negative or the content length exceeds the length of the
+ supplied buffer.
+ [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
+
*) Fix cipher selection routines: ciphers without encryption had no flags
for the cipher strength set and where therefore not handled correctly
by the selection routines (PR #130).
@@ -35,7 +141,7 @@
*) Add various sanity checks to asn1_get_length() to reject
the ASN1 length bytes if they exceed sizeof(long), will appear
negative or the content length exceeds the length of the
- supplied buffer.
+ supplied buffer. (CAN-2002-0659)
[Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
*) Assertions for various potential buffer overflows, not known to
@@ -140,8 +246,8 @@
value is 0.
[Richard Levitte]
- *) [In 0.9.6c-engine release:]
- Fix a crashbug and a logic bug in hwcrhk_load_pubkey()
+ *) [In 0.9.6d-engine release:]
+ Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
*) Add the configuration target linux-s390x.
diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure
index 871fb637d665..672f9d858bbe 100755
--- a/crypto/openssl/Configure
+++ b/crypto/openssl/Configure
@@ -122,7 +122,7 @@ my %table=(
"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
"debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn",
+"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wstrict-prototypes -Wmissing-prototypes -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"dist", "cc:-O::(unknown):::::",
# Basic configs that should work on any (32 and less bit) box
@@ -344,8 +344,8 @@ my %table=(
"linux-mips", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
-"linux-s390", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
-"linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::SIXTY_FOUR_BIT_LONG:::::::::::linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-s390", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR),\$(SHLIB_MINOR)",
+"linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -395,7 +395,7 @@ my %table=(
"aix-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR:::",
"aix-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::",
"aix43-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:",
-"aix43-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:",
+"aix43-gcc", "gcc:-O1 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:",
#
# Cray T90 and similar (SDSC)
@@ -477,7 +477,7 @@ my %table=(
# Cygwin
"Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32:cygwin-shared:::.dll",
+"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -march=i486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32:cygwin-shared:::.dll",
# Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
"ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown)::::::",
@@ -495,12 +495,18 @@ my %table=(
"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
"darwin-ppc-cc","cc:-O3 -D_DARWIN -DB_ENDIAN -fno-common::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+##### A/UX
+"aux3-gcc","gcc:-O2 -DTERMIO::(unknown):-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
+
##### Sony NEWS-OS 4.x
"newsos4-gcc","gcc:-O -DB_ENDIAN -DNEWS4::(unknown):-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
##### VxWorks for various targets
"vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DVXWORKS -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::-r:::::",
+##### Compaq Non-Stop Kernel (Tandem)
+"tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown)::THIRTY_TWO_BIT:::",
+
);
my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32
@@ -577,6 +583,7 @@ my $libs;
my $target;
my $options;
my $symlink;
+my $make_depend=0;
my @argvcopy=@ARGV;
my $argvstring="";
@@ -619,7 +626,7 @@ PROCESS_ARGS:
{ $threads=1; }
elsif (/^no-shared$/)
{ $no_shared=1; }
- elsif (/^shared$/)
+ elsif (/^shared$/ || /^-shared$/ || /^--shared$/)
{ $no_shared=0; }
elsif (/^no-symlinks$/)
{ $symlink=0; }
@@ -1188,11 +1195,13 @@ if($IsWindows) {
EOF
close(OUT);
} else {
- (system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $?
- if $symlink;
- ### (system 'make depend') == 0 or exit $? if $depflags ne "";
- # Run "make depend" manually if you want to be able to delete
- # the source code files of ciphers you left out.
+ my $make_command = "make -f Makefile.ssl PERL=\'$perl\'";
+ my $make_targets = "";
+ $make_targets .= " links" if $symlink;
+ $make_targets .= " depend" if $depflags ne "" && $make_depend;
+ $make_targets .= " gentests" if $symlink;
+ (system $make_command.$make_targets) == 0 or exit $?
+ if $make_targets ne "";
if ( $perl =~ m@^/@) {
&dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
&dofile("apps/der_chop",$perl,'^#!/', '#!%s');
@@ -1202,6 +1211,15 @@ EOF
&dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
&dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s');
&dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
+ }
+ if ($depflags ne "" && !$make_depend) {
+ print <<EOF;
+
+Since you've disabled at least one algorithm, you need to do the following
+before building:
+
+ make depend
+EOF
}
}
diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ
index ad75299f8820..e2e7adf46a5a 100644
--- a/crypto/openssl/FAQ
+++ b/crypto/openssl/FAQ
@@ -9,6 +9,7 @@ OpenSSL - Frequently Asked Questions
* Where can I get a compiled version of OpenSSL?
* Why aren't tools like 'autoconf' and 'libtool' used?
* What is an 'engine' version?
+* How do I check the authenticity of the OpenSSL distribution?
[LEGAL] Legal questions
@@ -35,6 +36,7 @@ OpenSSL - Frequently Asked Questions
* Why does the linker complain about undefined symbols?
* Why does the OpenSSL test fail with "bc: command not found"?
* Why does the OpenSSL test fail with "bc: 1 no implemented"?
+* Why does the OpenSSL test fail with "bc: stack empty"?
* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
* Why does the OpenSSL compilation fail with "ar: command not found"?
* Why does the OpenSSL compilation fail on Win32 with VC++?
@@ -61,7 +63,7 @@ OpenSSL - Frequently Asked Questions
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.6e was released on 30 May, 2002.
+OpenSSL 0.9.7a was released on February 19, 2003.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
@@ -132,6 +134,19 @@ hardware. This was realized in a special release '0.9.6-engine'. With
version 0.9.7 (not yet released) the changes were merged into the main
development line, so that the special release is no longer necessary.
+* How do I check the authenticity of the OpenSSL distribution?
+
+We provide MD5 digests and ASC signatures of each tarball.
+Use MD5 to check that a tarball from a mirror site is identical:
+
+ md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
+
+You can check authenticity using pgp or gpg. You need the OpenSSL team
+member public key used to sign it (download it from a key server). Then
+just do:
+
+ pgp TARBALL.asc
+
[LEGAL] =======================================================================
* Do I need patent licenses to use OpenSSL?
@@ -169,18 +184,30 @@ for permission to use their software with OpenSSL.
Cryptographic software needs a source of unpredictable data to work
correctly. Many open source operating systems provide a "randomness
-device" that serves this purpose. On other systems, applications have
-to call the RAND_add() or RAND_seed() function with appropriate data
-before generating keys or performing public key encryption.
-(These functions initialize the pseudo-random number generator, PRNG.)
-
-Some broken applications do not do this. As of version 0.9.5, the
-OpenSSL functions that need randomness report an error if the random
-number generator has not been seeded with at least 128 bits of
-randomness. If this error occurs, please contact the author of the
-application you are using. It is likely that it never worked
-correctly. OpenSSL 0.9.5 and later make the error visible by refusing
-to perform potentially insecure encryption.
+device" (/dev/urandom or /dev/random) that serves this purpose.
+All OpenSSL versions try to use /dev/urandom by default; starting with
+version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
+available.
+
+On other systems, applications have to call the RAND_add() or
+RAND_seed() function with appropriate data before generating keys or
+performing public key encryption. (These functions initialize the
+pseudo-random number generator, PRNG.) Some broken applications do
+not do this. As of version 0.9.5, the OpenSSL functions that need
+randomness report an error if the random number generator has not been
+seeded with at least 128 bits of randomness. If this error occurs and
+is not discussed in the documentation of the application you are
+using, please contact the author of that application; it is likely
+that it never worked correctly. OpenSSL 0.9.5 and later make the
+error visible by refusing to perform potentially insecure encryption.
+
+If you are using Solaris 8, you can add /dev/urandom and /dev/random
+devices by installing patch 112438 (Sparc) or 112439 (x86), which are
+available via the Patchfinder at <URL: http://sunsolve.sun.com>
+(Solaris 9 includes these devices by default). For /dev/random support
+for earlier Solaris versions, see Sun's statement at
+<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
+(the SUNWski package is available in patch 105710).
On systems without /dev/urandom and /dev/random, it is a good idea to
use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
@@ -213,16 +240,6 @@ OpenSSL command line tools. Applications using the OpenSSL library
provide their own configuration options to specify the entropy source,
please check out the documentation coming the with application.
-For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested
-installing the SUNski package from Sun patch 105710-01 (Sparc) which
-adds a /dev/random device and make sure it gets used, usually through
-$RANDFILE. There are probably similar patches for the other Solaris
-versions. An official statement from Sun with respect to /dev/random
-support can be found at
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski
-However, be warned that /dev/random is usually a blocking device, which
-may have some effects on OpenSSL.
-
* Why do I get an "unable to write 'random state'" error message?
@@ -392,6 +409,17 @@ and compile/install it. GNU bc (see http://www.gnu.org/software/software.html
for download instructions) can be safely used, for example.
+* Why does the OpenSSL test fail with "bc: stack empty"?
+
+On some DG/ux versions, bc seems to have a too small stack for calculations
+that the OpenSSL bntest throws at it. This gets triggered when you run the
+test suite (using "make test"). The message returned is "bc: stack empty".
+
+The best way to deal with this is to find another implementation of bc
+and compile/install it. GNU bc (see http://www.gnu.org/software/software.html
+for download instructions) can be safely used, for example.
+
+
* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
On some Alpha installations running Tru64 Unix and Compaq C, the compilation
diff --git a/crypto/openssl/INSTALL b/crypto/openssl/INSTALL
index 75a843b15f4e..e78e283a9876 100644
--- a/crypto/openssl/INSTALL
+++ b/crypto/openssl/INSTALL
@@ -129,8 +129,8 @@
standard headers). If it is a problem with OpenSSL itself, please
report the problem to <openssl-bugs@openssl.org> (note that your
message will be recorded in the request tracker publicly readable
- via http://www.openssl.org/rt2.html and will be forwarded to a public
- mailing list). Include the output of "make report" in your message.
+ via http://www.openssl.org/support/rt2.html and will be forwarded to a
+ public mailing list). Include the output of "make report" in your message.
Please check out the request tracker. Maybe the bug was already
reported or has already been fixed.
@@ -151,7 +151,7 @@
in Makefile.ssl and run "make clean; make". Please send a bug
report to <openssl-bugs@openssl.org>, including the output of
"make report" in order to be added to the request tracker at
- http://www.openssl.org/rt2.html.
+ http://www.openssl.org/support/rt2.html.
4. If everything tests ok, install OpenSSL with
@@ -285,3 +285,15 @@
targets for shared library creation, like linux-shared. Those targets
can currently be used on their own just as well, but this is expected
to change in future versions of OpenSSL.
+
+ Note on random number generation
+ --------------------------------
+
+ Availability of cryptographically secure random numbers is required for
+ secret key generation. OpenSSL provides several options to seed the
+ internal PRNG. If not properly seeded, the internal PRNG will refuse
+ to deliver random bytes and a "PRNG not seeded error" will occur.
+ On systems without /dev/urandom (or similar) device, it may be necessary
+ to install additional support software to obtain random seed.
+ Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
+ and the FAQ for more information.
diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org
index 2ee1656498dd..cdf2d1b69032 100644
--- a/crypto/openssl/Makefile.org
+++ b/crypto/openssl/Makefile.org
@@ -247,7 +247,8 @@ link-shared:
for i in $(SHLIBDIRS); do \
prev=lib$$i$(SHLIB_EXT); \
for j in $${tmp:-x}; do \
- ( set -x; ln -f -s $$prev lib$$i$$j ); \
+ ( set -x; \
+ rm -f lib$$i$$j; ln -s $$prev lib$$i$$j ); \
prev=lib$$i$$j; \
done; \
done; \
@@ -269,9 +270,7 @@ do_gnu-shared:
done
DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
- collect2=`gcc -print-prog-name=collect2 2>&1` && \
- [ -n "$$collect2" ] && \
- my_ld=`$$collect2 --help 2>&1 | grep Usage: | sed 's/^Usage: *\([^ ][^ ]*\).*/\1/'` && \
+ my_ld=`${CC} -print-prog-name=ld 2>&1` && \
[ -n "$$my_ld" ] && \
$$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
@@ -528,6 +527,10 @@ links:
fi; \
done;
+gentests:
+ @(cd test && echo "generating dummy tests (if needed)..." && \
+ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
+
dclean:
rm -f *.bak
@for i in $(DIRS) ;\
@@ -609,6 +612,9 @@ update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_
# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
# tar does not support the --files-from option.
tar:
+ find . -type d -print | xargs chmod 755
+ find . -type f -print | xargs chmod a+r
+ find . -type f -perm -0100 -print | xargs chmod a+x
find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
tardy --user_number=0 --user_name=openssl \
@@ -651,9 +657,10 @@ install: all install_docs
do \
if [ -f "$$i" ]; then \
( echo installing $$i; \
- cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
- $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
fi; \
done
@if [ -n "$(SHARED_LIBS)" ]; then \
@@ -663,20 +670,24 @@ install: all install_docs
if [ -f "$$i" -o -f "$$i.a" ]; then \
( echo installing $$i; \
if [ "$(PLATFORM)" != "Cygwin" ]; then \
- cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
else \
c=`echo $$i | sed 's/^lib/cyg/'`; \
- cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
- chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
- cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+ cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
+ mv $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
+ cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
+ mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
fi ); \
fi; \
done; \
( here="`pwd`"; \
cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
- make -f $$here/Makefile link-shared ); \
+ set $(MAKE); \
+ $$1 -f $$here/Makefile link-shared ); \
fi
install_docs:
@@ -685,22 +696,23 @@ install_docs:
$(INSTALL_PREFIX)$(MANDIR)/man3 \
$(INSTALL_PREFIX)$(MANDIR)/man5 \
$(INSTALL_PREFIX)$(MANDIR)/man7
- @for i in doc/apps/*.pod; do \
+ @pod2man="`cd util; ./pod2mantest $(PERL)`"; \
+ for i in doc/apps/*.pod; do \
fn=`basename $$i .pod`; \
if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
(cd `$(PERL) util/dirname.pl $$i`; \
- sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \
+ sh -c "$$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
- done
- @for i in doc/crypto/*.pod doc/ssl/*.pod; do \
+ done; \
+ for i in doc/crypto/*.pod doc/ssl/*.pod; do \
fn=`basename $$i .pod`; \
if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
(cd `$(PERL) util/dirname.pl $$i`; \
- sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \
+ sh -c "$$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
diff --git a/crypto/openssl/Makefile.ssl b/crypto/openssl/Makefile.ssl
index 4693ffa111c3..0d31698695b3 100644
--- a/crypto/openssl/Makefile.ssl
+++ b/crypto/openssl/Makefile.ssl
@@ -4,23 +4,23 @@
## Makefile for OpenSSL
##
-VERSION=0.9.6e
+VERSION=0.9.6i
MAJOR=0
MINOR=9.6
SHLIB_VERSION_NUMBER=0.9.6
SHLIB_VERSION_HISTORY=
SHLIB_MAJOR=0
SHLIB_MINOR=9.6
-SHLIB_EXT=
-PLATFORM=dist
-OPTIONS=
-CONFIGURE_ARGS=dist
-SHLIB_TARGET=
+SHLIB_EXT=.so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+PLATFORM=FreeBSD-elf
+OPTIONS=386
+CONFIGURE_ARGS=FreeBSD-elf 386
+SHLIB_TARGET=bsd-gcc-shared
# INSTALL_PREFIX is for package builders so that they can configure
# for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
# Normally it is left empty.
-INSTALL_PREFIX=/home/nectar/SSL
+INSTALL_PREFIX=/var/tmp/ssl
INSTALLTOP=/usr/local/ssl
# Do not edit this manually. Use Configure --openssldir=DIR do change this!
@@ -55,9 +55,9 @@ OPENSSLDIR=/usr/local/ssl
# equal 4.
# PKCS1_CHECK - pkcs1 tests.
-CC= cc
+CC= gcc
#CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-CFLAG= -O
+CFLAG= -fPIC -DTHREADS -pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE -DDSO_DLFCN -DHAVE_DLFCN_H -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
DEPFLAG=
PEX_LIBS=
EX_LIBS=
@@ -69,7 +69,7 @@ TAR= tar
TARFLAGS= --no-recursion
# Set BN_ASM to bn_asm.o if you want to use the C version
-BN_ASM= bn_asm.o
+BN_ASM= asm/bn86-elf.o asm/co86-elf.o
#BN_ASM= bn_asm.o
#BN_ASM= asm/bn86-elf.o # elf, linux-elf
#BN_ASM= asm/bn86-sol.o # solaris
@@ -85,11 +85,11 @@ BN_ASM= bn_asm.o
# For x86 assembler: Set PROCESSOR to 386 if you want to support
# the 80386.
-PROCESSOR=
+PROCESSOR= 386
# Set DES_ENC to des_enc.o if you want to use the C version
#There are 4 x86 assember options.
-DES_ENC= des_enc.o fcrypt_b.o
+DES_ENC= asm/dx86-elf.o asm/yx86-elf.o
#DES_ENC= des_enc.o fcrypt_b.o # C
#DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf
#DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris
@@ -98,7 +98,7 @@ DES_ENC= des_enc.o fcrypt_b.o
# Set BF_ENC to bf_enc.o if you want to use the C version
#There are 4 x86 assember options.
-BF_ENC= bf_enc.o
+BF_ENC= asm/bx86-elf.o
#BF_ENC= bf_enc.o
#BF_ENC= asm/bx86-elf.o # elf
#BF_ENC= asm/bx86-sol.o # solaris
@@ -107,7 +107,7 @@ BF_ENC= bf_enc.o
# Set CAST_ENC to c_enc.o if you want to use the C version
#There are 4 x86 assember options.
-CAST_ENC= c_enc.o
+CAST_ENC= asm/cx86-elf.o
#CAST_ENC= c_enc.o
#CAST_ENC= asm/cx86-elf.o # elf
#CAST_ENC= asm/cx86-sol.o # solaris
@@ -116,7 +116,7 @@ CAST_ENC= c_enc.o
# Set RC4_ENC to rc4_enc.o if you want to use the C version
#There are 4 x86 assember options.
-RC4_ENC= rc4_enc.o
+RC4_ENC= asm/rx86-elf.o
#RC4_ENC= rc4_enc.o
#RC4_ENC= asm/rx86-elf.o # elf
#RC4_ENC= asm/rx86-sol.o # solaris
@@ -125,7 +125,7 @@ RC4_ENC= rc4_enc.o
# Set RC5_ENC to rc5_enc.o if you want to use the C version
#There are 4 x86 assember options.
-RC5_ENC= rc5_enc.o
+RC5_ENC= asm/r586-elf.o
#RC5_ENC= rc5_enc.o
#RC5_ENC= asm/r586-elf.o # elf
#RC5_ENC= asm/r586-sol.o # solaris
@@ -133,21 +133,21 @@ RC5_ENC= rc5_enc.o
#RC5_ENC= asm/r586bsdi.o # bsdi
# Also need MD5_ASM defined
-MD5_ASM_OBJ=
+MD5_ASM_OBJ= asm/mx86-elf.o
#MD5_ASM_OBJ= asm/mx86-elf.o # elf
#MD5_ASM_OBJ= asm/mx86-sol.o # solaris
#MD5_ASM_OBJ= asm/mx86-out.o # a.out, FreeBSD
#MD5_ASM_OBJ= asm/mx86bsdi.o # bsdi
# Also need SHA1_ASM defined
-SHA1_ASM_OBJ=
+SHA1_ASM_OBJ= asm/sx86-elf.o
#SHA1_ASM_OBJ= asm/sx86-elf.o # elf
#SHA1_ASM_OBJ= asm/sx86-sol.o # solaris
#SHA1_ASM_OBJ= asm/sx86-out.o # a.out, FreeBSD
#SHA1_ASM_OBJ= asm/sx86bsdi.o # bsdi
# Also need RMD160_ASM defined
-RMD160_ASM_OBJ=
+RMD160_ASM_OBJ= asm/rm86-elf.o
#RMD160_ASM_OBJ= asm/rm86-elf.o # elf
#RMD160_ASM_OBJ= asm/rm86-sol.o # solaris
#RMD160_ASM_OBJ= asm/rm86-out.o # a.out, FreeBSD
@@ -184,7 +184,7 @@ LIBS= libcrypto.a libssl.a
SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
SHARED_SSL=libssl$(SHLIB_EXT)
SHARED_LIBS=
-SHARED_LIBS_LINK_EXTS=
+SHARED_LIBS_LINK_EXTS=.so.$(SHLIB_MAJOR) .so
SHARED_LDFLAGS=
GENERAL= Makefile
@@ -249,7 +249,8 @@ link-shared:
for i in $(SHLIBDIRS); do \
prev=lib$$i$(SHLIB_EXT); \
for j in $${tmp:-x}; do \
- ( set -x; ln -f -s $$prev lib$$i$$j ); \
+ ( set -x; \
+ rm -f lib$$i$$j; ln -s $$prev lib$$i$$j ); \
prev=lib$$i$$j; \
done; \
done; \
@@ -271,9 +272,7 @@ do_gnu-shared:
done
DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
- collect2=`gcc -print-prog-name=collect2 2>&1` && \
- [ -n "$$collect2" ] && \
- my_ld=`$$collect2 --help 2>&1 | grep Usage: | sed 's/^Usage: *\([^ ][^ ]*\).*/\1/'` && \
+ my_ld=`${CC} -print-prog-name=ld 2>&1` && \
[ -n "$$my_ld" ] && \
$$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
@@ -530,6 +529,10 @@ links:
fi; \
done;
+gentests:
+ @(cd test && echo "generating dummy tests (if needed)..." && \
+ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
+
dclean:
rm -f *.bak
@for i in $(DIRS) ;\
@@ -611,6 +614,9 @@ update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_
# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
# tar does not support the --files-from option.
tar:
+ find . -type d -print | xargs chmod 755
+ find . -type f -print | xargs chmod a+r
+ find . -type f -perm -0100 -print | xargs chmod a+x
find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
tardy --user_number=0 --user_name=openssl \
@@ -653,9 +659,10 @@ install: all install_docs
do \
if [ -f "$$i" ]; then \
( echo installing $$i; \
- cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
- $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
fi; \
done
@if [ -n "$(SHARED_LIBS)" ]; then \
@@ -665,20 +672,24 @@ install: all install_docs
if [ -f "$$i" -o -f "$$i.a" ]; then \
( echo installing $$i; \
if [ "$(PLATFORM)" != "Cygwin" ]; then \
- cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+ mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
else \
c=`echo $$i | sed 's/^lib/cyg/'`; \
- cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
- chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
- cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+ cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
+ mv $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
+ cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
+ mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
fi ); \
fi; \
done; \
( here="`pwd`"; \
cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
- make -f $$here/Makefile link-shared ); \
+ set $(MAKE); \
+ $$1 -f $$here/Makefile link-shared ); \
fi
install_docs:
@@ -687,22 +698,23 @@ install_docs:
$(INSTALL_PREFIX)$(MANDIR)/man3 \
$(INSTALL_PREFIX)$(MANDIR)/man5 \
$(INSTALL_PREFIX)$(MANDIR)/man7
- @for i in doc/apps/*.pod; do \
+ @pod2man="`cd util; ./pod2mantest $(PERL)`"; \
+ for i in doc/apps/*.pod; do \
fn=`basename $$i .pod`; \
if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
(cd `$(PERL) util/dirname.pl $$i`; \
- sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \
+ sh -c "$$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
- done
- @for i in doc/crypto/*.pod doc/ssl/*.pod; do \
+ done; \
+ for i in doc/crypto/*.pod doc/ssl/*.pod; do \
fn=`basename $$i .pod`; \
if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
(cd `$(PERL) util/dirname.pl $$i`; \
- sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \
+ sh -c "$$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS
index 0af2ded253c0..8a4bb3597c5f 100644
--- a/crypto/openssl/NEWS
+++ b/crypto/openssl/NEWS
@@ -5,6 +5,37 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i:
+
+ o Important security related bugfixes.
+
+ Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h:
+
+ o New configuration targets for Tandem OSS and A/UX.
+ o New OIDs for Microsoft attributes.
+ o Better handling of SSL session caching.
+ o Better comparison of distinguished names.
+ o Better handling of shared libraries in a mixed GNU/non-GNU environment.
+ o Support assembler code with Borland C.
+ o Fixes for length problems.
+ o Fixes for uninitialised variables.
+ o Fixes for memory leaks, some unusual crashes and some race conditions.
+ o Fixes for smaller building problems.
+ o Updates of manuals, FAQ and other instructive documents.
+
+ Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:
+
+ o Important building fixes on Unix.
+
+ Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f:
+
+ o Various important bugfixes.
+
+ Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e:
+
+ o Important security related bugfixes.
+ o Various SSL/TLS library bugfixes.
+
Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:
o Various SSL/TLS library bugfixes.
diff --git a/crypto/openssl/README b/crypto/openssl/README
index 48d492ebf234..62e311837cce 100644
--- a/crypto/openssl/README
+++ b/crypto/openssl/README
@@ -1,7 +1,7 @@
- OpenSSL 0.9.6e 30 July 2002
+ OpenSSL 0.9.6i Feb 19 2003
- Copyright (c) 1998-2002 The OpenSSL Project
+ Copyright (c) 1998-2003 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
diff --git a/crypto/openssl/apps/Makefile.ssl b/crypto/openssl/apps/Makefile.ssl
index 0b3208f0de82..3b74fc96bbcb 100644
--- a/crypto/openssl/apps/Makefile.ssl
+++ b/crypto/openssl/apps/Makefile.ssl
@@ -117,7 +117,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -128,10 +128,10 @@ clean:
rm -f req
$(DLIBSSL):
- (cd ../ssl; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')
+ (cd ..; $(MAKE) DIRS=ssl all)
$(DLIBCRYPTO):
- (cd ../crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')
+ (cd ..; $(MAKE) DIRS=crypto all)
$(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
$(RM) $(PROGRAM)
diff --git a/crypto/openssl/apps/apps.h b/crypto/openssl/apps/apps.h
index 82587b977056..1c6956a2882c 100644
--- a/crypto/openssl/apps/apps.h
+++ b/crypto/openssl/apps/apps.h
@@ -92,8 +92,10 @@ int WIN32_rename(char *oldname,char *newname);
#define MAIN(a,v) main(a,v)
#ifndef NON_MAIN
+LHASH *config=NULL;
BIO *bio_err=NULL;
#else
+extern LHASH *config;
extern BIO *bio_err;
#endif
diff --git a/crypto/openssl/apps/asn1pars.c b/crypto/openssl/apps/asn1pars.c
index 5339166e0885..8cc13ee2d113 100644
--- a/crypto/openssl/apps/asn1pars.c
+++ b/crypto/openssl/apps/asn1pars.c
@@ -328,6 +328,6 @@ end:
if (at != NULL) ASN1_TYPE_free(at);
if (osk != NULL) sk_free(osk);
OBJ_cleanup();
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c
index 0618bb566086..b8487208c6d2 100644
--- a/crypto/openssl/apps/ca.c
+++ b/crypto/openssl/apps/ca.c
@@ -543,7 +543,7 @@ bad:
goto err;
}
pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,key);
- if(key) memset(key,0,strlen(key));
+ if(key) OPENSSL_cleanse(key,strlen(key));
if (pkey == NULL)
{
BIO_printf(bio_err,"unable to load CA private key\n");
@@ -606,12 +606,14 @@ bad:
that to access(). However, time's too short to do that just
now.
*/
+#ifndef VXWORKS
if (access(outdir,R_OK|W_OK|X_OK) != 0)
{
BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir);
perror(outdir);
goto err;
}
+#endif
if (stat(outdir,&sb) != 0)
{
@@ -829,9 +831,14 @@ bad:
}
if (verbose)
{
- if ((f=BN_bn2hex(serial)) == NULL) goto err;
- BIO_printf(bio_err,"next serial number is %s\n",f);
- OPENSSL_free(f);
+ if (BN_is_zero(serial))
+ BIO_printf(bio_err,"next serial number is 00\n");
+ else
+ {
+ if ((f=BN_bn2hex(serial)) == NULL) goto err;
+ BIO_printf(bio_err,"next serial number is %s\n",f);
+ OPENSSL_free(f);
+ }
}
if ((attribs=CONF_get_section(conf,policy)) == NULL)
@@ -1275,7 +1282,7 @@ err:
X509_CRL_free(crl);
CONF_free(conf);
OBJ_cleanup();
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
static void lookup_fail(char *name, char *tag)
@@ -1340,7 +1347,7 @@ static BIGNUM *load_serial(char *serialfile)
ret=ASN1_INTEGER_to_BN(ai,NULL);
if (ret == NULL)
{
- BIO_printf(bio_err,"error converting number from bin to BIGNUM");
+ BIO_printf(bio_err,"error converting number from bin to BIGNUM\n");
goto err;
}
err:
@@ -1728,7 +1735,10 @@ again2:
BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n");
row[DB_name]=X509_NAME_oneline(subject,NULL,0);
- row[DB_serial]=BN_bn2hex(serial);
+ if (BN_is_zero(serial))
+ row[DB_serial]=BUF_strdup("00");
+ else
+ row[DB_serial]=BN_bn2hex(serial);
if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
{
BIO_printf(bio_err,"Memory allocation failure\n");
@@ -2142,7 +2152,10 @@ static int do_revoke(X509 *x509, TXT_DB *db)
row[i]=NULL;
row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
- row[DB_serial]=BN_bn2hex(bn);
+ if (BN_is_zero(bn))
+ row[DB_serial]=BUF_strdup("00");
+ else
+ row[DB_serial]=BN_bn2hex(bn);
BN_free(bn);
if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
{
diff --git a/crypto/openssl/apps/ciphers.c b/crypto/openssl/apps/ciphers.c
index b6e2f966d86e..0dc30d65e401 100644
--- a/crypto/openssl/apps/ciphers.c
+++ b/crypto/openssl/apps/ciphers.c
@@ -202,6 +202,6 @@ end:
if (ctx != NULL) SSL_CTX_free(ctx);
if (ssl != NULL) SSL_free(ssl);
if (STDout != NULL) BIO_free_all(STDout);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
diff --git a/crypto/openssl/apps/crl.c b/crypto/openssl/apps/crl.c
index 3b5725f23f2c..648a32ee4cf9 100644
--- a/crypto/openssl/apps/crl.c
+++ b/crypto/openssl/apps/crl.c
@@ -364,7 +364,7 @@ end:
X509_STORE_CTX_cleanup(&ctx);
X509_STORE_free(store);
}
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
static X509_CRL *load_crl(char *infile, int format)
diff --git a/crypto/openssl/apps/crl2p7.c b/crypto/openssl/apps/crl2p7.c
index 7f853b65ab2b..3ef55dd2bb4e 100644
--- a/crypto/openssl/apps/crl2p7.c
+++ b/crypto/openssl/apps/crl2p7.c
@@ -166,7 +166,7 @@ bad:
BIO_printf(bio_err," -certfile arg certificates file of chain to a trusted CA\n");
BIO_printf(bio_err," (can be used more than once)\n");
BIO_printf(bio_err," -nocrl no crl to load, just certs from '-certfile'\n");
- EXIT(1);
+ OPENSSL_EXIT(1);
}
ERR_load_crypto_strings();
@@ -278,7 +278,7 @@ end:
if (p7 != NULL) PKCS7_free(p7);
if (crl != NULL) X509_CRL_free(crl);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
/*
diff --git a/crypto/openssl/apps/dgst.c b/crypto/openssl/apps/dgst.c
index 482b0238571e..e339811365c0 100644
--- a/crypto/openssl/apps/dgst.c
+++ b/crypto/openssl/apps/dgst.c
@@ -327,7 +327,7 @@ int MAIN(int argc, char **argv)
end:
if (buf != NULL)
{
- memset(buf,0,BUFSIZE);
+ OPENSSL_cleanse(buf,BUFSIZE);
OPENSSL_free(buf);
}
if (in != NULL) BIO_free(in);
@@ -335,7 +335,7 @@ end:
EVP_PKEY_free(sigkey);
if(sigbuf) OPENSSL_free(sigbuf);
if (bmd != NULL) BIO_free(bmd);
- EXIT(err);
+ OPENSSL_EXIT(err);
}
void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
diff --git a/crypto/openssl/apps/dh.c b/crypto/openssl/apps/dh.c
index 7465442e49f1..ee2514a07ea1 100644
--- a/crypto/openssl/apps/dh.c
+++ b/crypto/openssl/apps/dh.c
@@ -319,6 +319,6 @@ end:
if (in != NULL) BIO_free(in);
if (out != NULL) BIO_free_all(out);
if (dh != NULL) DH_free(dh);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
#endif
diff --git a/crypto/openssl/apps/dhparam.c b/crypto/openssl/apps/dhparam.c
index 5f9b60148d6f..baf0d3302aac 100644
--- a/crypto/openssl/apps/dhparam.c
+++ b/crypto/openssl/apps/dhparam.c
@@ -506,7 +506,7 @@ end:
if (in != NULL) BIO_free(in);
if (out != NULL) BIO_free_all(out);
if (dh != NULL) DH_free(dh);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
/* dh_cb is identical to dsa_cb in apps/dsaparam.c */
diff --git a/crypto/openssl/apps/dsa.c b/crypto/openssl/apps/dsa.c
index 7c4a46f78eae..04efe16b5836 100644
--- a/crypto/openssl/apps/dsa.c
+++ b/crypto/openssl/apps/dsa.c
@@ -293,6 +293,6 @@ end:
if(dsa != NULL) DSA_free(dsa);
if(passin) OPENSSL_free(passin);
if(passout) OPENSSL_free(passout);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
#endif
diff --git a/crypto/openssl/apps/dsaparam.c b/crypto/openssl/apps/dsaparam.c
index 0c2529e2859a..ea29b0cf65af 100644
--- a/crypto/openssl/apps/dsaparam.c
+++ b/crypto/openssl/apps/dsaparam.c
@@ -357,7 +357,7 @@ end:
if (in != NULL) BIO_free(in);
if (out != NULL) BIO_free_all(out);
if (dsa != NULL) DSA_free(dsa);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
diff --git a/crypto/openssl/apps/enc.c b/crypto/openssl/apps/enc.c
index e37536324213..397b0e9c12ea 100644
--- a/crypto/openssl/apps/enc.c
+++ b/crypto/openssl/apps/enc.c
@@ -506,9 +506,9 @@ bad:
* bug picked up by
* Larry J. Hughes Jr. <hughes@indiana.edu> */
if (str == strbuf)
- memset(str,0,SIZE);
+ OPENSSL_cleanse(str,SIZE);
else
- memset(str,0,strlen(str));
+ OPENSSL_cleanse(str,strlen(str));
}
if ((hiv != NULL) && !set_hex(hiv,iv,8))
{
@@ -604,7 +604,7 @@ end:
if (benc != NULL) BIO_free(benc);
if (b64 != NULL) BIO_free(b64);
if(pass) OPENSSL_free(pass);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
int set_hex(char *in, unsigned char *out, int size)
diff --git a/crypto/openssl/apps/errstr.c b/crypto/openssl/apps/errstr.c
index e392328f93d2..de7d5fd6501a 100644
--- a/crypto/openssl/apps/errstr.c
+++ b/crypto/openssl/apps/errstr.c
@@ -121,5 +121,5 @@ int MAIN(int argc, char **argv)
ret++;
}
}
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
diff --git a/crypto/openssl/apps/gendh.c b/crypto/openssl/apps/gendh.c
index e0c7889a31e1..f02f87d17b3d 100644
--- a/crypto/openssl/apps/gendh.c
+++ b/crypto/openssl/apps/gendh.c
@@ -184,7 +184,7 @@ end:
ERR_print_errors(bio_err);
if (out != NULL) BIO_free_all(out);
if (dh != NULL) DH_free(dh);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
static void MS_CALLBACK dh_cb(int p, int n, void *arg)
diff --git a/crypto/openssl/apps/gendsa.c b/crypto/openssl/apps/gendsa.c
index 6022d8f1427a..4abd7786b1b8 100644
--- a/crypto/openssl/apps/gendsa.c
+++ b/crypto/openssl/apps/gendsa.c
@@ -220,6 +220,6 @@ end:
if (out != NULL) BIO_free_all(out);
if (dsa != NULL) DSA_free(dsa);
if(passout) OPENSSL_free(passout);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
#endif
diff --git a/crypto/openssl/apps/genrsa.c b/crypto/openssl/apps/genrsa.c
index ac0b709e7af9..1f0f2d780942 100644
--- a/crypto/openssl/apps/genrsa.c
+++ b/crypto/openssl/apps/genrsa.c
@@ -224,7 +224,7 @@ err:
if(passout) OPENSSL_free(passout);
if (ret != 0)
ERR_print_errors(bio_err);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
static void MS_CALLBACK genrsa_cb(int p, int n, void *arg)
diff --git a/crypto/openssl/apps/nseq.c b/crypto/openssl/apps/nseq.c
index 1d73d1ad5231..da5277d4c441 100644
--- a/crypto/openssl/apps/nseq.c
+++ b/crypto/openssl/apps/nseq.c
@@ -102,7 +102,7 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-in file input file\n");
BIO_printf (bio_err, "-out file output file\n");
BIO_printf (bio_err, "-toseq output NS Sequence file\n");
- EXIT(1);
+ OPENSSL_EXIT(1);
}
if (infile) {
@@ -162,6 +162,6 @@ end:
BIO_free_all(out);
NETSCAPE_CERT_SEQUENCE_free(seq);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
diff --git a/crypto/openssl/apps/openssl.c b/crypto/openssl/apps/openssl.c
index 24450ddb71f4..95e1e00a8d04 100644
--- a/crypto/openssl/apps/openssl.c
+++ b/crypto/openssl/apps/openssl.c
@@ -77,11 +77,11 @@ static unsigned long MS_CALLBACK hash(FUNCTION *a);
static int MS_CALLBACK cmp(FUNCTION *a,FUNCTION *b);
static LHASH *prog_init(void );
static int do_cmd(LHASH *prog,int argc,char *argv[]);
-LHASH *config=NULL;
char *default_config_file=NULL;
/* Make sure there is only one when MONOLITH is defined */
#ifdef MONOLITH
+LHASH *config=NULL;
BIO *bio_err=NULL;
#endif
@@ -215,7 +215,7 @@ end:
BIO_free(bio_err);
bio_err=NULL;
}
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
#define LIST_STANDARD_COMMANDS "list-standard-commands"
diff --git a/crypto/openssl/apps/openssl.cnf b/crypto/openssl/apps/openssl.cnf
index 2ba3b2aa3935..dbe8cbefe0ea 100644
--- a/crypto/openssl/apps/openssl.cnf
+++ b/crypto/openssl/apps/openssl.cnf
@@ -2,7 +2,6 @@
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
-# $FreeBSD$
# This definition stops the following lines choking if HOME isn't
# defined.
diff --git a/crypto/openssl/apps/passwd.c b/crypto/openssl/apps/passwd.c
index ea2b089e24a7..eaa90312fc83 100644
--- a/crypto/openssl/apps/passwd.c
+++ b/crypto/openssl/apps/passwd.c
@@ -284,7 +284,7 @@ err:
BIO_free(in);
if (out)
BIO_free_all(out);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
@@ -498,6 +498,6 @@ err:
int MAIN(int argc, char **argv)
{
fputs("Program not available.\n", stderr)
- EXIT(1);
+ OPENSSL_EXIT(1);
}
#endif
diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c
index aeba62ea08c9..4e20c0cc369f 100644
--- a/crypto/openssl/apps/pkcs12.c
+++ b/crypto/openssl/apps/pkcs12.c
@@ -480,9 +480,10 @@ int MAIN(int argc, char **argv)
/* Exclude verified certificate */
for (i = 1; i < sk_X509_num (chain2) ; i++)
sk_X509_push(certs, sk_X509_value (chain2, i));
- }
- sk_X509_free(chain2);
- if (vret) {
+ /* Free first certificate */
+ X509_free(sk_X509_value(chain2, 0));
+ sk_X509_free(chain2);
+ } else {
BIO_printf (bio_err, "Error %s getting chain.\n",
X509_verify_cert_error_string(vret));
goto export_end;
@@ -509,8 +510,6 @@ int MAIN(int argc, char **argv)
}
sk_X509_pop_free(certs, X509_free);
certs = NULL;
- /* ucert is part of certs so it is already freed */
- ucert = NULL;
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
@@ -598,7 +597,6 @@ int MAIN(int argc, char **argv)
if (certs) sk_X509_pop_free(certs, X509_free);
if (safes) sk_PKCS7_pop_free(safes, PKCS7_free);
if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
- if (ucert) X509_free(ucert);
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
@@ -668,7 +666,7 @@ int MAIN(int argc, char **argv)
if (canames) sk_free(canames);
if(passin) OPENSSL_free(passin);
if(passout) OPENSSL_free(passout);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
diff --git a/crypto/openssl/apps/pkcs7.c b/crypto/openssl/apps/pkcs7.c
index a9fff11e5cf9..f100c8d05377 100644
--- a/crypto/openssl/apps/pkcs7.c
+++ b/crypto/openssl/apps/pkcs7.c
@@ -154,7 +154,7 @@ bad:
BIO_printf(bio_err," -print_certs print any certs or crl in the input\n");
BIO_printf(bio_err," -text print full details of certificates\n");
BIO_printf(bio_err," -noout don't output encoded data\n");
- EXIT(1);
+ OPENSSL_EXIT(1);
}
ERR_load_crypto_strings();
@@ -289,5 +289,5 @@ end:
if (p7 != NULL) PKCS7_free(p7);
if (in != NULL) BIO_free(in);
if (out != NULL) BIO_free_all(out);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
diff --git a/crypto/openssl/apps/pkcs8.c b/crypto/openssl/apps/pkcs8.c
index 7b588e433707..926af8675fd0 100644
--- a/crypto/openssl/apps/pkcs8.c
+++ b/crypto/openssl/apps/pkcs8.c
@@ -236,7 +236,8 @@ int MAIN(int argc, char **argv)
if(passout) p8pass = passout;
else {
p8pass = pass;
- EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1);
+ if (EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1))
+ return (1);
}
app_RAND_load_file(NULL, bio_err, 0);
if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
diff --git a/crypto/openssl/apps/rand.c b/crypto/openssl/apps/rand.c
index 04764d7ffb6c..498a802650e3 100644
--- a/crypto/openssl/apps/rand.c
+++ b/crypto/openssl/apps/rand.c
@@ -144,5 +144,5 @@ err:
ERR_print_errors(bio_err);
if (out)
BIO_free_all(out);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c
index 11c4e5f03fa6..0fb426d9023e 100644
--- a/crypto/openssl/apps/req.c
+++ b/crypto/openssl/apps/req.c
@@ -422,7 +422,7 @@ bad:
if (template != NULL)
{
- long errline;
+ long errline = -1;
BIO_printf(bio_err,"Using configuration from %s\n",template);
req_conf=CONF_load(NULL,template,&errline);
@@ -909,7 +909,7 @@ end:
#ifndef NO_DSA
if (dsa_params != NULL) DSA_free(dsa_params);
#endif
- EXIT(ex);
+ OPENSSL_EXIT(ex);
}
static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, int attribs)
diff --git a/crypto/openssl/apps/rsa.c b/crypto/openssl/apps/rsa.c
index b4b0651a94bd..f35b6d166e97 100644
--- a/crypto/openssl/apps/rsa.c
+++ b/crypto/openssl/apps/rsa.c
@@ -389,7 +389,7 @@ end:
if(rsa != NULL) RSA_free(rsa);
if(passin) OPENSSL_free(passin);
if(passout) OPENSSL_free(passout);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
#else /* !NO_RSA */
diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c
index 9cfe2b15804b..3e2a2953d77b 100644
--- a/crypto/openssl/apps/s_client.c
+++ b/crypto/openssl/apps/s_client.c
@@ -768,14 +768,14 @@ end:
if (con != NULL) SSL_free(con);
if (con2 != NULL) SSL_free(con2);
if (ctx != NULL) SSL_CTX_free(ctx);
- if (cbuf != NULL) { memset(cbuf,0,BUFSIZZ); OPENSSL_free(cbuf); }
- if (sbuf != NULL) { memset(sbuf,0,BUFSIZZ); OPENSSL_free(sbuf); }
+ if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
+ if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
if (bio_c_out != NULL)
{
BIO_free(bio_c_out);
bio_c_out=NULL;
}
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c
index 624dfb5e4198..e6ecafd4ed1e 100644
--- a/crypto/openssl/apps/s_server.c
+++ b/crypto/openssl/apps/s_server.c
@@ -253,10 +253,10 @@ static char **local_argv;
static int ebcdic_new(BIO *bi);
static int ebcdic_free(BIO *a);
static int ebcdic_read(BIO *b, char *out, int outl);
-static int ebcdic_write(BIO *b, char *in, int inl);
-static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr);
+static int ebcdic_write(BIO *b, const char *in, int inl);
+static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
static int ebcdic_gets(BIO *bp, char *buf, int size);
-static int ebcdic_puts(BIO *bp, char *str);
+static int ebcdic_puts(BIO *bp, const char *str);
#define BIO_TYPE_EBCDIC_FILTER (18|0x0200)
static BIO_METHOD methods_ebcdic=
@@ -321,7 +321,7 @@ static int ebcdic_read(BIO *b, char *out, int outl)
return(ret);
}
-static int ebcdic_write(BIO *b, char *in, int inl)
+static int ebcdic_write(BIO *b, const char *in, int inl)
{
EBCDIC_OUTBUFF *wbuf;
int ret=0;
@@ -354,7 +354,7 @@ static int ebcdic_write(BIO *b, char *in, int inl)
return(ret);
}
-static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr)
+static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
{
long ret;
@@ -373,7 +373,7 @@ static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr)
static int ebcdic_gets(BIO *bp, char *buf, int size)
{
- int i, ret;
+ int i, ret=0;
if (bp->next_bio == NULL) return(0);
/* return(BIO_gets(bp->next_bio,buf,size));*/
for (i=0; i<size-1; ++i)
@@ -392,7 +392,7 @@ static int ebcdic_gets(BIO *bp, char *buf, int size)
return (ret < 0 && i == 0) ? ret : i;
}
-static int ebcdic_puts(BIO *bp, char *str)
+static int ebcdic_puts(BIO *bp, const char *str)
{
if (bp->next_bio == NULL) return(0);
return ebcdic_write(bp, str, strlen(str));
@@ -741,7 +741,7 @@ end:
BIO_free(bio_s_out);
bio_s_out=NULL;
}
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
@@ -1043,7 +1043,7 @@ err:
BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
if (buf != NULL)
{
- memset(buf,0,bufsize);
+ OPENSSL_cleanse(buf,bufsize);
OPENSSL_free(buf);
}
if (ret >= 0)
@@ -1250,7 +1250,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
else
{
BIO_printf(bio_s_out,"read R BLOCK\n");
-#ifndef MSDOS
+#if !defined(MSDOS) && !defined(VXWORKS)
sleep(1);
#endif
continue;
diff --git a/crypto/openssl/apps/s_time.c b/crypto/openssl/apps/s_time.c
index 2d8e2b24d228..895741d4cde7 100644
--- a/crypto/openssl/apps/s_time.c
+++ b/crypto/openssl/apps/s_time.c
@@ -116,6 +116,11 @@
#include <sys/param.h>
#endif
+#ifdef VXWORKS
+#include <tickLib.h>
+#undef SIGALRM
+#endif
+
/* The following if from times(3) man page. It may need to be changed
*/
#ifndef HZ
@@ -461,7 +466,7 @@ int MAIN(int argc, char **argv)
if (tm_cipher == NULL ) {
fprintf( stderr, "No CIPHER specified\n" );
-/* EXIT(1); */
+/* OPENSSL_EXIT(1); */
}
if (!(perform & 1)) goto next;
@@ -628,7 +633,7 @@ end:
SSL_CTX_free(tm_ctx);
tm_ctx=NULL;
}
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
/***********************************************************************
diff --git a/crypto/openssl/apps/sess_id.c b/crypto/openssl/apps/sess_id.c
index 60cc3f1e496a..cf15006ca72a 100644
--- a/crypto/openssl/apps/sess_id.c
+++ b/crypto/openssl/apps/sess_id.c
@@ -272,7 +272,7 @@ bad:
end:
if (out != NULL) BIO_free_all(out);
if (x != NULL) SSL_SESSION_free(x);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
static SSL_SESSION *load_sess_id(char *infile, int format)
diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c
index ad3ebadeef25..6ae0c8d6ebf7 100644
--- a/crypto/openssl/apps/speed.c
+++ b/crypto/openssl/apps/speed.c
@@ -54,8 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
/* most of this code has been pilfered from my libdes speed.c program */
@@ -691,7 +689,7 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,"\n");
#endif
-#ifdef TIMES
+#if defined(TIMES) || defined(USE_TOD)
BIO_printf(bio_err,"\n");
BIO_printf(bio_err,"Available options:\n");
BIO_printf(bio_err,"-elapsed measure time in real time instead of CPU user time.\n");
@@ -1414,7 +1412,7 @@ end:
if (dsa_key[i] != NULL)
DSA_free(dsa_key[i]);
#endif
- EXIT(mret);
+ OPENSSL_EXIT(mret);
}
static void print_message(char *s, long num, int length)
diff --git a/crypto/openssl/apps/spkac.c b/crypto/openssl/apps/spkac.c
index 459d730a704a..94723a79c359 100644
--- a/crypto/openssl/apps/spkac.c
+++ b/crypto/openssl/apps/spkac.c
@@ -288,5 +288,5 @@ end:
BIO_free(key);
EVP_PKEY_free(pkey);
if(passin) OPENSSL_free(passin);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
diff --git a/crypto/openssl/apps/verify.c b/crypto/openssl/apps/verify.c
index 47e602d4a3c6..3ff1c0f9e7d4 100644
--- a/crypto/openssl/apps/verify.c
+++ b/crypto/openssl/apps/verify.c
@@ -213,7 +213,7 @@ end:
if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
sk_X509_pop_free(untrusted, X509_free);
sk_X509_pop_free(trusted, X509_free);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose)
diff --git a/crypto/openssl/apps/version.c b/crypto/openssl/apps/version.c
index f5c9adc25471..b67f2d18126c 100644
--- a/crypto/openssl/apps/version.c
+++ b/crypto/openssl/apps/version.c
@@ -128,5 +128,5 @@ int MAIN(int argc, char **argv)
}
if (cflags) printf("%s\n",SSLeay_version(SSLEAY_CFLAGS));
end:
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c
index b9b13285f112..d20cf15267fa 100644
--- a/crypto/openssl/apps/x509.c
+++ b/crypto/openssl/apps/x509.c
@@ -121,7 +121,7 @@ static char *x509_usage[]={
" -CAkey arg - set the CA key, must be PEM format\n",
" missing, it is assumed to be in the CA file.\n",
" -CAcreateserial - create serial number file if it does not exist\n",
-" -CAserial - serial file\n",
+" -CAserial arg - serial file\n",
" -text - print the certificate in text form\n",
" -C - print out C code forms\n",
" -md2/-md5/-sha1/-mdc2 - digest to use\n",
@@ -447,7 +447,7 @@ bad:
if (extfile)
{
- long errorline;
+ long errorline = -1;
X509V3_CTX ctx2;
if (!(extconf=CONF_load(NULL,extfile,&errorline)))
{
@@ -961,7 +961,7 @@ end:
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
if (passin) OPENSSL_free(passin);
- EXIT(ret);
+ OPENSSL_EXIT(ret);
}
static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
diff --git a/crypto/openssl/config b/crypto/openssl/config
index 4f7b41877fec..583fa70f6755 100755
--- a/crypto/openssl/config
+++ b/crypto/openssl/config
@@ -317,6 +317,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
*CRAY*)
echo "j90-cray-unicos"; exit 0;
;;
+
+ NONSTOP_KERNEL*)
+ echo "nsr-tandem-nsk"; exit 0;
+ ;;
esac
#
@@ -384,6 +388,9 @@ done
GCCVER=`(gcc -dumpversion) 2>/dev/null`
if [ "$GCCVER" != "" ]; then
CC=gcc
+ # then strip off whatever prefix egcs prepends the number with...
+ # Hopefully, this will work for any future prefixes as well.
+ GCCVER=`echo $GCCVER | sed 's/^[a-zA-Z]*\-//'`
# Since gcc 3.1 gcc --version behaviour has changed. gcc -dumpversion
# does give us what we want though, so we use that. We just just the
# major and minor version numbers.
@@ -392,6 +399,7 @@ if [ "$GCCVER" != "" ]; then
else
CC=cc
fi
+GCCVER=${GCCVER:-0}
if [ "$SYSTEM" = "HP-UX" ];then
# By default gcc is a ILP32 compiler (with long long == 64).
GCC_BITS="32"
@@ -469,7 +477,8 @@ case "$GUESSOS" in
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke './Configure irix64-mips4-$CC' *manually*."
echo " Type return if you want to continue, Ctrl-C to abort."
- read waste < /dev/tty
+ # Do not stop if /dev/tty is unavailable
+ (read waste < /dev/tty) || true
CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
CPU=${CPU:-0}
if [ $CPU -ge 5000 ]; then
@@ -524,7 +533,8 @@ EOF
#echo "WARNING! If you wish to build 64-bit library, then you have to"
#echo " invoke './Configure linux64-sparcv9' *manually*."
#echo " Type return if you want to continue, Ctrl-C to abort."
- #read waste < /dev/tty
+ # Do not stop if /dev/tty is unavailable
+ #(read waste < /dev/tty) || true
OUT="linux-sparcv9" ;;
sparc-*-linux2)
KARCH=`awk '/^type/{print$3}' /proc/cpuinfo`
@@ -565,7 +575,8 @@ EOF
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke './Configure solaris64-sparcv9-cc' *manually*."
echo " Type return if you want to continue, Ctrl-C to abort."
- read waste < /dev/tty
+ # Do not stop if /dev/tty is unavailable
+ (read waste < /dev/tty) || true
fi
OUT="solaris-sparcv9-$CC" ;;
sun4m-*-solaris2) OUT="solaris-sparcv8-$CC" ;;
@@ -626,6 +637,7 @@ EOF
*-*-cygwin) OUT="Cygwin" ;;
t3e-cray-unicosmk) OUT="cray-t3e" ;;
j90-cray-unicos) OUT="cray-j90" ;;
+ nsr-tandem-nsk) OUT="tandem-c89" ;;
*) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
esac
diff --git a/crypto/openssl/crypto/Makefile.ssl b/crypto/openssl/crypto/Makefile.ssl
index f96154cacd14..727d94970335 100644
--- a/crypto/openssl/crypto/Makefile.ssl
+++ b/crypto/openssl/crypto/Makefile.ssl
@@ -34,8 +34,8 @@ SDIRS= md2 md5 sha mdc2 hmac ripemd \
GENERAL=Makefile README crypto-lib.com install.com
LIB= $(TOP)/libcrypto.a
-LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c
-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
+LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c
+LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
SRC= $(LIBSRC)
@@ -129,7 +129,7 @@ lint:
depend:
if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
- $(MAKEDEPEND) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
if [ ! -s buildinf.h ]; then rm buildinf.h; fi
@for i in $(SDIRS) ;\
do \
@@ -185,6 +185,9 @@ mem.o: ../include/openssl/e_os2.h ../include/openssl/err.h
mem.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
mem.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
mem.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
+mem_clr.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h
+mem_clr.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+mem_clr.o: ../include/openssl/symhacks.h
mem_dbg.o: ../include/openssl/bio.h ../include/openssl/buffer.h
mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
mem_dbg.o: ../include/openssl/e_os2.h ../include/openssl/err.h
diff --git a/crypto/openssl/crypto/asn1/Makefile.ssl b/crypto/openssl/crypto/asn1/Makefile.ssl
index 73ef4d2ca937..329a235edc94 100644
--- a/crypto/openssl/crypto/asn1/Makefile.ssl
+++ b/crypto/openssl/crypto/asn1/Makefile.ssl
@@ -104,7 +104,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/asn1/a_sign.c b/crypto/openssl/crypto/asn1/a_sign.c
index 94829d889e0d..c5cf0e3133f6 100644
--- a/crypto/openssl/crypto/asn1/a_sign.c
+++ b/crypto/openssl/crypto/asn1/a_sign.c
@@ -199,10 +199,10 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
signature->flags|=ASN1_STRING_FLAG_BITS_LEFT;
err:
- memset(&ctx,0,sizeof(ctx));
+ OPENSSL_cleanse(&ctx,sizeof(ctx));
if (buf_in != NULL)
- { memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
+ { OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); }
if (buf_out != NULL)
- { memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
+ { OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); }
return(outl);
}
diff --git a/crypto/openssl/crypto/asn1/a_strex.c b/crypto/openssl/crypto/asn1/a_strex.c
index 569b81199858..9a57eba270d9 100644
--- a/crypto/openssl/crypto/asn1/a_strex.c
+++ b/crypto/openssl/crypto/asn1/a_strex.c
@@ -519,7 +519,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
{
ASN1_STRING stmp, *str = &stmp;
int mbflag, type, ret;
- if(!*out || !in) return -1;
+ if(!in) return -1;
type = in->type;
if((type < 0) || (type > 30)) return -1;
mbflag = tag2nbyte[type];
@@ -528,6 +528,6 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
stmp.data = NULL;
ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
if(ret < 0) return ret;
- if(out) *out = stmp.data;
+ *out = stmp.data;
return stmp.length;
}
diff --git a/crypto/openssl/crypto/asn1/a_utctm.c b/crypto/openssl/crypto/asn1/a_utctm.c
index dd5955ac9fdd..1aafb663f6a3 100644
--- a/crypto/openssl/crypto/asn1/a_utctm.c
+++ b/crypto/openssl/crypto/asn1/a_utctm.c
@@ -246,6 +246,8 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
ts=(struct tm *)localtime(&t);
}
#endif
+ if (ts == NULL)
+ return(NULL);
p=(char *)s->data;
if ((p == NULL) || (s->length < 14))
{
diff --git a/crypto/openssl/crypto/asn1/a_verify.c b/crypto/openssl/crypto/asn1/a_verify.c
index 2a11927e5c1c..faa34501b98d 100644
--- a/crypto/openssl/crypto/asn1/a_verify.c
+++ b/crypto/openssl/crypto/asn1/a_verify.c
@@ -100,7 +100,7 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
EVP_VerifyInit(&ctx,type);
EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
- memset(buf_in,0,(unsigned int)inl);
+ OPENSSL_cleanse(buf_in,(unsigned int)inl);
OPENSSL_free(buf_in);
if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
diff --git a/crypto/openssl/crypto/asn1/asn1_lib.c b/crypto/openssl/crypto/asn1/asn1_lib.c
index a3681c0e23c7..e4a56a926af7 100644
--- a/crypto/openssl/crypto/asn1/asn1_lib.c
+++ b/crypto/openssl/crypto/asn1/asn1_lib.c
@@ -57,6 +57,7 @@
*/
#include <stdio.h>
+#include <limits.h>
#include "cryptlib.h"
#include <openssl/asn1.h>
#include <openssl/asn1_mac.h>
@@ -141,7 +142,7 @@ err:
static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
{
unsigned char *p= *pp;
- long ret=0;
+ unsigned long ret=0;
int i;
if (max-- < 1) return(0);
@@ -170,10 +171,10 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
else
ret=i;
}
- if (ret < 0)
+ if (ret > LONG_MAX)
return 0;
*pp=p;
- *rl=ret;
+ *rl=(long)ret;
return(1);
}
diff --git a/crypto/openssl/crypto/asn1/n_pkey.c b/crypto/openssl/crypto/asn1/n_pkey.c
index 984019353899..5f8ba3cc3203 100644
--- a/crypto/openssl/crypto/asn1/n_pkey.c
+++ b/crypto/openssl/crypto/asn1/n_pkey.c
@@ -181,7 +181,7 @@ int i2d_RSA_NET(RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
}
EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
- memset(buf,0,256);
+ OPENSSL_cleanse(buf,256);
EVP_CIPHER_CTX_init(&ctx);
EVP_EncryptInit(&ctx,EVP_rc4(),key,NULL);
@@ -292,7 +292,7 @@ RSA *d2i_RSA_NET_2(RSA **a, unsigned char **pp, long length,
}
EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
- memset(buf,0,256);
+ OPENSSL_cleanse(buf,256);
EVP_CIPHER_CTX_init(&ctx);
EVP_DecryptInit(&ctx,EVP_rc4(),key,NULL);
diff --git a/crypto/openssl/crypto/asn1/p8_pkey.c b/crypto/openssl/crypto/asn1/p8_pkey.c
index fa6cbfb6f885..3e0ebef50775 100644
--- a/crypto/openssl/crypto/asn1/p8_pkey.c
+++ b/crypto/openssl/crypto/asn1/p8_pkey.c
@@ -119,8 +119,8 @@ void PKCS8_PRIV_KEY_INFO_free (PKCS8_PRIV_KEY_INFO *a)
X509_ALGOR_free(a->pkeyalg);
/* Clear sensitive data */
if (a->pkey->value.octet_string)
- memset (a->pkey->value.octet_string->data,
- 0, a->pkey->value.octet_string->length);
+ OPENSSL_cleanse(a->pkey->value.octet_string->data,
+ a->pkey->value.octet_string->length);
ASN1_TYPE_free (a->pkey);
sk_X509_ATTRIBUTE_pop_free (a->attributes, X509_ATTRIBUTE_free);
OPENSSL_free (a);
diff --git a/crypto/openssl/crypto/bf/Makefile.ssl b/crypto/openssl/crypto/bf/Makefile.ssl
index 2d61ec50f422..f60b2e957825 100644
--- a/crypto/openssl/crypto/bf/Makefile.ssl
+++ b/crypto/openssl/crypto/bf/Makefile.ssl
@@ -96,7 +96,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/bf/bftest.c b/crypto/openssl/crypto/bf/bftest.c
index cf67cadefd42..212edfaf622e 100644
--- a/crypto/openssl/crypto/bf/bftest.c
+++ b/crypto/openssl/crypto/bf/bftest.c
@@ -63,6 +63,8 @@
#include <string.h>
#include <stdlib.h>
+#include "../e_os.h"
+
#ifdef NO_BF
int main(int argc, char *argv[])
{
@@ -275,7 +277,7 @@ int main(int argc, char *argv[])
else
ret=test();
- exit(ret);
+ EXIT(ret);
return(0);
}
diff --git a/crypto/openssl/crypto/bio/Makefile.ssl b/crypto/openssl/crypto/bio/Makefile.ssl
index 300987309e57..76b9caf6fb7d 100644
--- a/crypto/openssl/crypto/bio/Makefile.ssl
+++ b/crypto/openssl/crypto/bio/Makefile.ssl
@@ -78,7 +78,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/bio/b_print.c b/crypto/openssl/crypto/bio/b_print.c
index 90011db54496..fa4e350a7f93 100644
--- a/crypto/openssl/crypto/bio/b_print.c
+++ b/crypto/openssl/crypto/bio/b_print.c
@@ -109,7 +109,7 @@
* o ... (for OpenSSL)
*/
-#if HAVE_LONG_DOUBLE
+#ifdef HAVE_LONG_DOUBLE
#define LDOUBLE long double
#else
#define LDOUBLE double
diff --git a/crypto/openssl/crypto/bio/bio.h b/crypto/openssl/crypto/bio/bio.h
index fd3aaa05856e..d7fc0e645605 100644
--- a/crypto/openssl/crypto/bio/bio.h
+++ b/crypto/openssl/crypto/bio/bio.h
@@ -241,7 +241,7 @@ typedef struct bio_method_st
long (_far *ctrl)();
int (_far *create)();
int (_far *destroy)();
- long (_fat *callback_ctrl)();
+ long (_far *callback_ctrl)();
} BIO_METHOD;
#endif
diff --git a/crypto/openssl/crypto/bn/Makefile.ssl b/crypto/openssl/crypto/bn/Makefile.ssl
index 9e075a2b0f11..cfc2274569a2 100644
--- a/crypto/openssl/crypto/bn/Makefile.ssl
+++ b/crypto/openssl/crypto/bn/Makefile.ssl
@@ -159,7 +159,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/bn/bn.h b/crypto/openssl/crypto/bn/bn.h
index 2ea9cd7203af..c0d6b1612d51 100644
--- a/crypto/openssl/crypto/bn/bn.h
+++ b/crypto/openssl/crypto/bn/bn.h
@@ -155,7 +155,7 @@ extern "C" {
#define BN_BYTES 4
#define BN_BITS2 32
#define BN_BITS4 16
-#ifdef _MSC_VER
+#if defined(_MSC_VER) || defined(__BORLANDC__)
/* VC++ doesn't like the LL suffix */
#define BN_MASK (0xffffffffffffffffL)
#else
@@ -413,7 +413,7 @@ int BN_mod_mul_montgomery(BIGNUM *r,BIGNUM *a,BIGNUM *b,BN_MONT_CTX *mont,
BN_CTX *ctx);
int BN_from_montgomery(BIGNUM *r,BIGNUM *a,BN_MONT_CTX *mont,BN_CTX *ctx);
void BN_MONT_CTX_free(BN_MONT_CTX *mont);
-int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *modulus,BN_CTX *ctx);
+int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *mod,BN_CTX *ctx);
BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
BN_BLINDING *BN_BLINDING_new(BIGNUM *A,BIGNUM *Ai,BIGNUM *mod);
diff --git a/crypto/openssl/crypto/bn/bn_lib.c b/crypto/openssl/crypto/bn/bn_lib.c
index 7767d6517022..5f121dea1e49 100644
--- a/crypto/openssl/crypto/bn/bn_lib.c
+++ b/crypto/openssl/crypto/bn/bn_lib.c
@@ -263,12 +263,12 @@ void BN_clear_free(BIGNUM *a)
if (a == NULL) return;
if (a->d != NULL)
{
- memset(a->d,0,a->dmax*sizeof(a->d[0]));
+ OPENSSL_cleanse(a->d,a->dmax*sizeof(a->d[0]));
if (!(BN_get_flags(a,BN_FLG_STATIC_DATA)))
OPENSSL_free(a->d);
}
i=BN_get_flags(a,BN_FLG_MALLOCED);
- memset(a,0,sizeof(BIGNUM));
+ OPENSSL_cleanse(a,sizeof(BIGNUM));
if (i)
OPENSSL_free(a);
}
diff --git a/crypto/openssl/crypto/bn/bn_rand.c b/crypto/openssl/crypto/bn/bn_rand.c
index 4944ffbf232f..eb65c28cbb41 100644
--- a/crypto/openssl/crypto/bn/bn_rand.c
+++ b/crypto/openssl/crypto/bn/bn_rand.c
@@ -201,7 +201,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
err:
if (buf != NULL)
{
- memset(buf,0,bytes);
+ OPENSSL_cleanse(buf,bytes);
OPENSSL_free(buf);
}
return(ret);
diff --git a/crypto/openssl/crypto/bn/bn_word.c b/crypto/openssl/crypto/bn/bn_word.c
index cd59baa2c490..988e0ca7b37f 100644
--- a/crypto/openssl/crypto/bn/bn_word.c
+++ b/crypto/openssl/crypto/bn/bn_word.c
@@ -123,7 +123,10 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
i=0;
for (;;)
{
- l=(a->d[i]+(BN_ULONG)w)&BN_MASK2;
+ if (i >= a->top)
+ l=w;
+ else
+ l=(a->d[i]+(BN_ULONG)w)&BN_MASK2;
a->d[i]=l;
if (w > l)
w=1;
diff --git a/crypto/openssl/crypto/bn/bntest.c b/crypto/openssl/crypto/bn/bntest.c
index af0c2629e87e..6ae2b4aff08c 100644
--- a/crypto/openssl/crypto/bn/bntest.c
+++ b/crypto/openssl/crypto/bn/bntest.c
@@ -139,10 +139,10 @@ int main(int argc, char *argv[])
ctx=BN_CTX_new();
- if (ctx == NULL) exit(1);
+ if (ctx == NULL) EXIT(1);
out=BIO_new(BIO_s_file());
- if (out == NULL) exit(1);
+ if (out == NULL) EXIT(1);
if (outfile == NULL)
{
BIO_set_fp(out,stdout,BIO_NOCLOSE);
@@ -152,7 +152,7 @@ int main(int argc, char *argv[])
if (!BIO_write_filename(out,outfile))
{
perror(outfile);
- exit(1);
+ EXIT(1);
}
}
@@ -228,14 +228,14 @@ int main(int argc, char *argv[])
BIO_free(out);
/**/
- exit(0);
+ EXIT(0);
err:
BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices
* the failure, see test_bn in test/Makefile.ssl*/
BIO_flush(out);
ERR_load_crypto_strings();
ERR_print_errors_fp(stderr);
- exit(1);
+ EXIT(1);
return(1);
}
@@ -746,7 +746,7 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
while ((l=ERR_get_error()))
fprintf(stderr,"ERROR:%s\n",
ERR_error_string(l,NULL));
- exit(1);
+ EXIT(1);
}
if (bp != NULL)
{
diff --git a/crypto/openssl/crypto/bn/exptest.c b/crypto/openssl/crypto/bn/exptest.c
index 3e86f2ea0e0b..b3b807af387c 100644
--- a/crypto/openssl/crypto/bn/exptest.c
+++ b/crypto/openssl/crypto/bn/exptest.c
@@ -59,6 +59,9 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+
+#include "../e_os.h"
+
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/rand.h>
@@ -86,7 +89,7 @@ int main(int argc, char *argv[])
ERR_load_BN_strings();
ctx=BN_CTX_new();
- if (ctx == NULL) exit(1);
+ if (ctx == NULL) EXIT(1);
r_mont=BN_new();
r_recp=BN_new();
r_simple=BN_new();
@@ -99,7 +102,7 @@ int main(int argc, char *argv[])
out=BIO_new(BIO_s_file());
- if (out == NULL) exit(1);
+ if (out == NULL) EXIT(1);
BIO_set_fp(out,stdout,BIO_NOCLOSE);
for (i=0; i<200; i++)
@@ -124,7 +127,7 @@ int main(int argc, char *argv[])
{
printf("BN_mod_exp_mont() problems\n");
ERR_print_errors(out);
- exit(1);
+ EXIT(1);
}
ret=BN_mod_exp_recp(r_recp,a,b,m,ctx);
@@ -132,7 +135,7 @@ int main(int argc, char *argv[])
{
printf("BN_mod_exp_recp() problems\n");
ERR_print_errors(out);
- exit(1);
+ EXIT(1);
}
ret=BN_mod_exp_simple(r_simple,a,b,m,ctx);
@@ -140,7 +143,7 @@ int main(int argc, char *argv[])
{
printf("BN_mod_exp_simple() problems\n");
ERR_print_errors(out);
- exit(1);
+ EXIT(1);
}
if (BN_cmp(r_simple, r_mont) == 0
@@ -163,7 +166,7 @@ int main(int argc, char *argv[])
printf("\nrecp ="); BN_print(out,r_recp);
printf("\nmont ="); BN_print(out,r_mont);
printf("\n");
- exit(1);
+ EXIT(1);
}
}
BN_free(r_mont);
@@ -177,11 +180,11 @@ int main(int argc, char *argv[])
CRYPTO_mem_leaks(out);
BIO_free(out);
printf(" done\n");
- exit(0);
+ EXIT(0);
err:
ERR_load_crypto_strings();
ERR_print_errors(out);
- exit(1);
+ EXIT(1);
return(1);
}
diff --git a/crypto/openssl/crypto/buffer/Makefile.ssl b/crypto/openssl/crypto/buffer/Makefile.ssl
index c088ec6b3c76..a96488919961 100644
--- a/crypto/openssl/crypto/buffer/Makefile.ssl
+++ b/crypto/openssl/crypto/buffer/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/cast/Makefile.ssl b/crypto/openssl/crypto/cast/Makefile.ssl
index 0aa1cbc55a29..b60524a37821 100644
--- a/crypto/openssl/crypto/cast/Makefile.ssl
+++ b/crypto/openssl/crypto/cast/Makefile.ssl
@@ -97,7 +97,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/cast/casttest.c b/crypto/openssl/crypto/cast/casttest.c
index ab2aeac606ea..0e1034da45bc 100644
--- a/crypto/openssl/crypto/cast/casttest.c
+++ b/crypto/openssl/crypto/cast/casttest.c
@@ -60,6 +60,8 @@
#include <string.h>
#include <stdlib.h>
+#include "../e_os.h"
+
#ifdef NO_CAST
int main(int argc, char *argv[])
{
@@ -224,7 +226,7 @@ int main(int argc, char *argv[])
}
#endif
- exit(err);
+ EXIT(err);
return(err);
}
#endif
diff --git a/crypto/openssl/crypto/comp/Makefile.ssl b/crypto/openssl/crypto/comp/Makefile.ssl
index a61c7de0fba8..0bf9280609bb 100644
--- a/crypto/openssl/crypto/comp/Makefile.ssl
+++ b/crypto/openssl/crypto/comp/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/conf/Makefile.ssl b/crypto/openssl/crypto/conf/Makefile.ssl
index 1a433abacd8c..847443fa0ae9 100644
--- a/crypto/openssl/crypto/conf/Makefile.ssl
+++ b/crypto/openssl/crypto/conf/Makefile.ssl
@@ -69,7 +69,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/conf/conf_def.c b/crypto/openssl/crypto/conf/conf_def.c
index d43c9de3f5f0..adc28eebff13 100644
--- a/crypto/openssl/crypto/conf/conf_def.c
+++ b/crypto/openssl/crypto/conf/conf_def.c
@@ -224,9 +224,9 @@ static int def_load(CONF *conf, BIO *in, long *line)
section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
bufnum=0;
+ again=0;
for (;;)
{
- again=0;
if (!BUF_MEM_grow(buff,bufnum+BUFSIZE))
{
CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
@@ -237,7 +237,8 @@ static int def_load(CONF *conf, BIO *in, long *line)
BIO_gets(in, p, BUFSIZE-1);
p[BUFSIZE-1]='\0';
ii=i=strlen(p);
- if (i == 0) break;
+ if (i == 0 && !again) break;
+ again=0;
while (i > 0)
{
if ((p[i-1] != '\r') && (p[i-1] != '\n'))
@@ -247,7 +248,7 @@ static int def_load(CONF *conf, BIO *in, long *line)
}
/* we removed some trailing stuff so there is a new
* line on the end. */
- if (i == ii)
+ if (ii && i == ii)
again=1; /* long line */
else
{
diff --git a/crypto/openssl/crypto/cryptlib.c b/crypto/openssl/crypto/cryptlib.c
index 832c6c012d83..aa87ffd6ec77 100644
--- a/crypto/openssl/crypto/cryptlib.c
+++ b/crypto/openssl/crypto/cryptlib.c
@@ -58,6 +58,7 @@
#include <stdio.h>
#include <string.h>
+#include <assert.h>
#include "cryptlib.h"
#include <openssl/crypto.h>
#include <openssl/safestack.h>
@@ -89,6 +90,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
"ssl_session",
"ssl_sess_cert",
"ssl",
+ /* "ssl_method", */
"rand",
"rand2",
"debug_malloc",
@@ -204,10 +206,18 @@ int CRYPTO_get_new_dynlockid(void)
i=sk_CRYPTO_dynlock_find(dyn_locks,NULL);
/* If there was none, push, thereby creating a new one */
if (i == -1)
- i=sk_CRYPTO_dynlock_push(dyn_locks,pointer);
+ /* Since sk_push() returns the number of items on the
+ stack, not the location of the pushed item, we need
+ to transform the returned number into a position,
+ by decreasing it. */
+ i=sk_CRYPTO_dynlock_push(dyn_locks,pointer) - 1;
+ else
+ /* If we found a place with a NULL pointer, put our pointer
+ in it. */
+ sk_CRYPTO_dynlock_set(dyn_locks,i,pointer);
CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
- if (!i)
+ if (i == -1)
{
dynlock_destroy_callback(pointer->data,__FILE__,__LINE__);
OPENSSL_free(pointer);
@@ -399,16 +409,17 @@ void CRYPTO_lock(int mode, int type, const char *file, int line)
#endif
if (type < 0)
{
- int i = -type - 1;
- struct CRYPTO_dynlock_value *pointer
- = CRYPTO_get_dynlock_value(i);
-
- if (pointer && dynlock_lock_callback)
+ if (dynlock_lock_callback != NULL)
{
+ struct CRYPTO_dynlock_value *pointer
+ = CRYPTO_get_dynlock_value(type);
+
+ assert(pointer != NULL);
+
dynlock_lock_callback(mode, pointer, file, line);
- }
- CRYPTO_destroy_dynlockid(i);
+ CRYPTO_destroy_dynlockid(type);
+ }
}
else
if (locking_callback != NULL)
@@ -459,7 +470,7 @@ const char *CRYPTO_get_lock_name(int type)
return("dynamic");
else if (type < CRYPTO_NUM_LOCKS)
return(lock_names[type]);
- else if (type-CRYPTO_NUM_LOCKS >= sk_num(app_locks))
+ else if (type-CRYPTO_NUM_LOCKS > sk_num(app_locks))
return("ERROR");
else
return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
@@ -491,11 +502,3 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
#endif
#endif
-
-void OpenSSLDie(const char *file,int line,const char *assertion)
- {
- fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
- file,line,assertion);
- abort();
- }
-
diff --git a/crypto/openssl/crypto/cryptlib.h b/crypto/openssl/crypto/cryptlib.h
index 576cbd6e3596..075b79db0580 100644
--- a/crypto/openssl/crypto/cryptlib.h
+++ b/crypto/openssl/crypto/cryptlib.h
@@ -93,10 +93,6 @@ extern "C" {
#define DECIMAL_SIZE(type) ((sizeof(type)*8+2)/3+1)
#define HEX_SIZE(type) ((sizeof(type)*2)
-/* die if we have to */
-void OpenSSLDie(const char *file,int line,const char *assertion);
-#define die(e) ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
-
#ifdef __cplusplus
}
#endif
diff --git a/crypto/openssl/crypto/crypto.h b/crypto/openssl/crypto/crypto.h
index 8fba87131cb5..c539c435b529 100644
--- a/crypto/openssl/crypto/crypto.h
+++ b/crypto/openssl/crypto/crypto.h
@@ -95,35 +95,38 @@ extern "C" {
* names in cryptlib.c
*/
-#define CRYPTO_LOCK_ERR 1
-#define CRYPTO_LOCK_ERR_HASH 2
-#define CRYPTO_LOCK_X509 3
-#define CRYPTO_LOCK_X509_INFO 4
-#define CRYPTO_LOCK_X509_PKEY 5
+#define CRYPTO_LOCK_ERR 1
+#define CRYPTO_LOCK_ERR_HASH 2
+#define CRYPTO_LOCK_X509 3
+#define CRYPTO_LOCK_X509_INFO 4
+#define CRYPTO_LOCK_X509_PKEY 5
#define CRYPTO_LOCK_X509_CRL 6
#define CRYPTO_LOCK_X509_REQ 7
#define CRYPTO_LOCK_DSA 8
#define CRYPTO_LOCK_RSA 9
#define CRYPTO_LOCK_EVP_PKEY 10
-#define CRYPTO_LOCK_X509_STORE 11
-#define CRYPTO_LOCK_SSL_CTX 12
-#define CRYPTO_LOCK_SSL_CERT 13
-#define CRYPTO_LOCK_SSL_SESSION 14
-#define CRYPTO_LOCK_SSL_SESS_CERT 15
-#define CRYPTO_LOCK_SSL 16
-#define CRYPTO_LOCK_RAND 17
-#define CRYPTO_LOCK_RAND2 18
-#define CRYPTO_LOCK_MALLOC 19
-#define CRYPTO_LOCK_BIO 20
-#define CRYPTO_LOCK_GETHOSTBYNAME 21
-#define CRYPTO_LOCK_GETSERVBYNAME 22
-#define CRYPTO_LOCK_READDIR 23
-#define CRYPTO_LOCK_RSA_BLINDING 24
-#define CRYPTO_LOCK_DH 25
-#define CRYPTO_LOCK_MALLOC2 26
-#define CRYPTO_LOCK_DSO 27
-#define CRYPTO_LOCK_DYNLOCK 28
-#define CRYPTO_NUM_LOCKS 29
+#define CRYPTO_LOCK_X509_STORE 11
+#define CRYPTO_LOCK_SSL_CTX 12
+#define CRYPTO_LOCK_SSL_CERT 13
+#define CRYPTO_LOCK_SSL_SESSION 14
+#define CRYPTO_LOCK_SSL_SESS_CERT 15
+#define CRYPTO_LOCK_SSL 16
+/* for binary compatibility between 0.9.6 minor versions,
+ * reuse an existing lock (later version use a new one): */
+# define CRYPTO_LOCK_SSL_METHOD CRYPTO_LOCK_SSL_CTX
+#define CRYPTO_LOCK_RAND 17
+#define CRYPTO_LOCK_RAND2 18
+#define CRYPTO_LOCK_MALLOC 19
+#define CRYPTO_LOCK_BIO 20
+#define CRYPTO_LOCK_GETHOSTBYNAME 21
+#define CRYPTO_LOCK_GETSERVBYNAME 22
+#define CRYPTO_LOCK_READDIR 23
+#define CRYPTO_LOCK_RSA_BLINDING 24
+#define CRYPTO_LOCK_DH 25
+#define CRYPTO_LOCK_MALLOC2 26
+#define CRYPTO_LOCK_DSO 27
+#define CRYPTO_LOCK_DYNLOCK 28
+#define CRYPTO_NUM_LOCKS 29
#define CRYPTO_LOCK 1
#define CRYPTO_UNLOCK 2
@@ -145,7 +148,7 @@ extern "C" {
#endif
#else
#define CRYPTO_w_lock(a)
-#define CRYPTO_w_unlock(a)
+#define CRYPTO_w_unlock(a)
#define CRYPTO_r_lock(a)
#define CRYPTO_r_unlock(a)
#define CRYPTO_add(a,b,c) ((*(a))+=(b))
@@ -342,6 +345,8 @@ void CRYPTO_free(void *);
void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
void *CRYPTO_remalloc(void *addr,int num, const char *file, int line);
+void OPENSSL_cleanse(void *ptr, size_t len);
+
void CRYPTO_set_mem_debug_options(long bits);
long CRYPTO_get_mem_debug_options(void);
diff --git a/crypto/openssl/crypto/des/Makefile.ssl b/crypto/openssl/crypto/des/Makefile.ssl
index 28e58f4207ff..d52a22480159 100644
--- a/crypto/openssl/crypto/des/Makefile.ssl
+++ b/crypto/openssl/crypto/des/Makefile.ssl
@@ -130,7 +130,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -192,8 +192,11 @@ qud_cksm.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
qud_cksm.o: ../../include/openssl/opensslconf.h des_locl.h
rand_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
rand_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/rand.h
-read2pwd.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-read2pwd.o: ../../include/openssl/opensslconf.h des_locl.h
+read2pwd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+read2pwd.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+read2pwd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+read2pwd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+read2pwd.o: des_locl.h
read_pwd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
read_pwd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
read_pwd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
@@ -206,7 +209,10 @@ rpc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
rpc_enc.o: ../../include/openssl/opensslconf.h des_locl.h des_ver.h rpc_des.h
set_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
set_key.o: ../../include/openssl/opensslconf.h des_locl.h
-str2key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-str2key.o: ../../include/openssl/opensslconf.h des_locl.h
+str2key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+str2key.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+str2key.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+str2key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+str2key.o: des_locl.h
xcbc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
xcbc_enc.o: ../../include/openssl/opensslconf.h des_locl.h
diff --git a/crypto/openssl/crypto/des/des.c b/crypto/openssl/crypto/des/des.c
index 215d7413c076..470432e10fb7 100644
--- a/crypto/openssl/crypto/des/des.c
+++ b/crypto/openssl/crypto/des/des.c
@@ -86,6 +86,7 @@
#endif
#include <sys/stat.h>
#endif
+#include <openssl/crypto.h>
#include <openssl/des.h>
#include <openssl/rand.h>
@@ -423,7 +424,7 @@ void doencryption(void)
k2[i-8]=k;
}
des_set_key_unchecked(&k2,ks2);
- memset(k2,0,sizeof(k2));
+ OPENSSL_cleanse(k2,sizeof(k2));
}
else if (longk || flag3)
{
@@ -431,7 +432,7 @@ void doencryption(void)
{
des_string_to_2keys(key,&kk,&k2);
des_set_key_unchecked(&k2,ks2);
- memset(k2,0,sizeof(k2));
+ OPENSSL_cleanse(k2,sizeof(k2));
}
else
des_string_to_key(key,&kk);
@@ -453,8 +454,8 @@ void doencryption(void)
}
des_set_key_unchecked(&kk,ks);
- memset(key,0,sizeof(key));
- memset(kk,0,sizeof(kk));
+ OPENSSL_cleanse(key,sizeof(key));
+ OPENSSL_cleanse(kk,sizeof(kk));
/* woops - A bug that does not showup under unix :-( */
memset(iv,0,sizeof(iv));
memset(iv2,0,sizeof(iv2));
@@ -662,18 +663,18 @@ void doencryption(void)
if (l) fclose(CKSUM_OUT);
}
problems:
- memset(buf,0,sizeof(buf));
- memset(obuf,0,sizeof(obuf));
- memset(ks,0,sizeof(ks));
- memset(ks2,0,sizeof(ks2));
- memset(iv,0,sizeof(iv));
- memset(iv2,0,sizeof(iv2));
- memset(kk,0,sizeof(kk));
- memset(k2,0,sizeof(k2));
- memset(uubuf,0,sizeof(uubuf));
- memset(b,0,sizeof(b));
- memset(bb,0,sizeof(bb));
- memset(cksum,0,sizeof(cksum));
+ OPENSSL_cleanse(buf,sizeof(buf));
+ OPENSSL_cleanse(obuf,sizeof(obuf));
+ OPENSSL_cleanse(ks,sizeof(ks));
+ OPENSSL_cleanse(ks2,sizeof(ks2));
+ OPENSSL_cleanse(iv,sizeof(iv));
+ OPENSSL_cleanse(iv2,sizeof(iv2));
+ OPENSSL_cleanse(kk,sizeof(kk));
+ OPENSSL_cleanse(k2,sizeof(k2));
+ OPENSSL_cleanse(uubuf,sizeof(uubuf));
+ OPENSSL_cleanse(b,sizeof(b));
+ OPENSSL_cleanse(bb,sizeof(bb));
+ OPENSSL_cleanse(cksum,sizeof(cksum));
if (Exit) EXIT(Exit);
}
diff --git a/crypto/openssl/crypto/des/read2pwd.c b/crypto/openssl/crypto/des/read2pwd.c
index a8ceaf088a90..115132deecbd 100644
--- a/crypto/openssl/crypto/des/read2pwd.c
+++ b/crypto/openssl/crypto/des/read2pwd.c
@@ -57,6 +57,7 @@
*/
#include "des_locl.h"
+#include <openssl/crypto.h>
int des_read_password(des_cblock *key, const char *prompt, int verify)
{
@@ -65,8 +66,8 @@ int des_read_password(des_cblock *key, const char *prompt, int verify)
if ((ok=des_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
des_string_to_key(buf,key);
- memset(buf,0,BUFSIZ);
- memset(buff,0,BUFSIZ);
+ OPENSSL_cleanse(buf,BUFSIZ);
+ OPENSSL_cleanse(buff,BUFSIZ);
return(ok);
}
@@ -78,7 +79,7 @@ int des_read_2passwords(des_cblock *key1, des_cblock *key2, const char *prompt,
if ((ok=des_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
des_string_to_2keys(buf,key1,key2);
- memset(buf,0,BUFSIZ);
- memset(buff,0,BUFSIZ);
+ OPENSSL_cleanse(buf,BUFSIZ);
+ OPENSSL_cleanse(buff,BUFSIZ);
return(ok);
}
diff --git a/crypto/openssl/crypto/des/read_pwd.c b/crypto/openssl/crypto/des/read_pwd.c
index cba52cad7865..a8f15909430c 100644
--- a/crypto/openssl/crypto/des/read_pwd.c
+++ b/crypto/openssl/crypto/des/read_pwd.c
@@ -218,7 +218,7 @@ int des_read_pw_string(char *buf, int length, const char *prompt,
int ret;
ret=des_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify);
- memset(buff,0,BUFSIZ);
+ OPENSSL_cleanse(buff,BUFSIZ);
return(ret);
}
diff --git a/crypto/openssl/crypto/des/str2key.c b/crypto/openssl/crypto/des/str2key.c
index c6abb872012f..10e1dc174d93 100644
--- a/crypto/openssl/crypto/des/str2key.c
+++ b/crypto/openssl/crypto/des/str2key.c
@@ -56,6 +56,7 @@
* [including the GNU Public Licence.]
*/
+#include <openssl/crypto.h>
#include "des_locl.h"
void des_string_to_key(const char *str, des_cblock *key)
@@ -88,7 +89,7 @@ void des_string_to_key(const char *str, des_cblock *key)
des_set_odd_parity(key);
des_set_key_unchecked(key,ks);
des_cbc_cksum((const unsigned char*)str,key,length,ks,key);
- memset(ks,0,sizeof(ks));
+ OPENSSL_cleanse(ks,sizeof(ks));
des_set_odd_parity(key);
}
@@ -149,7 +150,7 @@ void des_string_to_2keys(const char *str, des_cblock *key1, des_cblock *key2)
des_cbc_cksum((const unsigned char*)str,key1,length,ks,key1);
des_set_key_unchecked(key2,ks);
des_cbc_cksum((const unsigned char*)str,key2,length,ks,key2);
- memset(ks,0,sizeof(ks));
+ OPENSSL_cleanse(ks,sizeof(ks));
des_set_odd_parity(key1);
des_set_odd_parity(key2);
}
diff --git a/crypto/openssl/crypto/dh/Makefile.ssl b/crypto/openssl/crypto/dh/Makefile.ssl
index ccee00eeca2c..f0c620a69579 100644
--- a/crypto/openssl/crypto/dh/Makefile.ssl
+++ b/crypto/openssl/crypto/dh/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/dh/dhtest.c b/crypto/openssl/crypto/dh/dhtest.c
index a38465da130e..c57cac099d49 100644
--- a/crypto/openssl/crypto/dh/dhtest.c
+++ b/crypto/openssl/crypto/dh/dhtest.c
@@ -59,6 +59,9 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+
+#include "../e_os.h"
+
#ifdef WINDOWS
#include "../bio/bss_file.c"
#endif
@@ -107,7 +110,7 @@ int main(int argc, char *argv[])
RAND_seed(rnd_seed, sizeof rnd_seed);
out=BIO_new(BIO_s_file());
- if (out == NULL) exit(1);
+ if (out == NULL) EXIT(1);
BIO_set_fp(out,stdout,BIO_NOCLOSE);
a=DH_generate_parameters(64,DH_GENERATOR_5,cb,out);
@@ -188,7 +191,7 @@ err:
if(b != NULL) DH_free(b);
if(a != NULL) DH_free(a);
BIO_free(out);
- exit(ret);
+ EXIT(ret);
return(ret);
}
diff --git a/crypto/openssl/crypto/dsa/Makefile.ssl b/crypto/openssl/crypto/dsa/Makefile.ssl
index 1dfdb2d76922..bf2d8bfde0ff 100644
--- a/crypto/openssl/crypto/dsa/Makefile.ssl
+++ b/crypto/openssl/crypto/dsa/Makefile.ssl
@@ -70,7 +70,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/dsa/dsatest.c b/crypto/openssl/crypto/dsa/dsatest.c
index 309a7cda8992..2a25f3fe4753 100644
--- a/crypto/openssl/crypto/dsa/dsatest.c
+++ b/crypto/openssl/crypto/dsa/dsatest.c
@@ -61,6 +61,9 @@
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
+
+#include "../e_os.h"
+
#include <openssl/crypto.h>
#include <openssl/rand.h>
#include <openssl/bio.h>
@@ -207,10 +210,16 @@ end:
BIO_free(bio_err);
bio_err = NULL;
}
- exit(!ret);
+ EXIT(!ret);
return(0);
}
+static int cb_exit(int ec)
+ {
+ EXIT(ec);
+ return(0); /* To keep some compilers quiet */
+ }
+
static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
{
char c='*';
@@ -226,7 +235,7 @@ static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
if (!ok && (p == 0) && (num > 1))
{
BIO_printf((BIO *)arg,"error in dsatest\n");
- exit(1);
+ cb_exit(1);
}
}
#endif
diff --git a/crypto/openssl/crypto/dso/Makefile.ssl b/crypto/openssl/crypto/dso/Makefile.ssl
index 33630e0bbb25..1fe2fd7f40c9 100644
--- a/crypto/openssl/crypto/dso/Makefile.ssl
+++ b/crypto/openssl/crypto/dso/Makefile.ssl
@@ -70,7 +70,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/err/Makefile.ssl b/crypto/openssl/crypto/err/Makefile.ssl
index 33348217cdef..bf634f89927d 100644
--- a/crypto/openssl/crypto/err/Makefile.ssl
+++ b/crypto/openssl/crypto/err/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/err/err_all.c b/crypto/openssl/crypto/err/err_all.c
index 5449a31c4e94..638ed3fe715d 100644
--- a/crypto/openssl/crypto/err/err_all.c
+++ b/crypto/openssl/crypto/err/err_all.c
@@ -1,5 +1,4 @@
/* crypto/err/err_all.c */
-/* $FreeBSD$ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
diff --git a/crypto/openssl/crypto/evp/Makefile.ssl b/crypto/openssl/crypto/evp/Makefile.ssl
index fb9945db1684..e8499190cc1e 100644
--- a/crypto/openssl/crypto/evp/Makefile.ssl
+++ b/crypto/openssl/crypto/evp/Makefile.ssl
@@ -87,7 +87,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/evp/bio_enc.c b/crypto/openssl/crypto/evp/bio_enc.c
index c425a971afb2..a04e8b11b255 100644
--- a/crypto/openssl/crypto/evp/bio_enc.c
+++ b/crypto/openssl/crypto/evp/bio_enc.c
@@ -128,7 +128,7 @@ static int enc_free(BIO *a)
if (a == NULL) return(0);
b=(BIO_ENC_CTX *)a->ptr;
EVP_CIPHER_CTX_cleanup(&(b->cipher));
- memset(a->ptr,0,sizeof(BIO_ENC_CTX));
+ OPENSSL_cleanse(a->ptr,sizeof(BIO_ENC_CTX));
OPENSSL_free(a->ptr);
a->ptr=NULL;
a->init=0;
diff --git a/crypto/openssl/crypto/evp/bio_ok.c b/crypto/openssl/crypto/evp/bio_ok.c
index e617ce1d4370..e884552a4470 100644
--- a/crypto/openssl/crypto/evp/bio_ok.c
+++ b/crypto/openssl/crypto/evp/bio_ok.c
@@ -208,7 +208,7 @@ static int ok_new(BIO *bi)
static int ok_free(BIO *a)
{
if (a == NULL) return(0);
- memset(a->ptr,0,sizeof(BIO_OK_CTX));
+ OPENSSL_cleanse(a->ptr,sizeof(BIO_OK_CTX));
OPENSSL_free(a->ptr);
a->ptr=NULL;
a->init=0;
diff --git a/crypto/openssl/crypto/evp/c_allc.c b/crypto/openssl/crypto/evp/c_allc.c
index 0820557fdbf5..f24d3756c904 100644
--- a/crypto/openssl/crypto/evp/c_allc.c
+++ b/crypto/openssl/crypto/evp/c_allc.c
@@ -64,10 +64,6 @@
void OpenSSL_add_all_ciphers(void)
{
- static int done=0;
-
- if (done) return;
- done=1;
#ifndef NO_DES
EVP_add_cipher(EVP_des_cfb());
EVP_add_cipher(EVP_des_ede_cfb());
diff --git a/crypto/openssl/crypto/evp/c_alld.c b/crypto/openssl/crypto/evp/c_alld.c
index 41695df1067b..bbf059eb85e2 100644
--- a/crypto/openssl/crypto/evp/c_alld.c
+++ b/crypto/openssl/crypto/evp/c_alld.c
@@ -64,10 +64,6 @@
void OpenSSL_add_all_digests(void)
{
- static int done=0;
-
- if (done) return;
- done=1;
#ifndef NO_MD2
EVP_add_digest(EVP_md2());
#endif
diff --git a/crypto/openssl/crypto/evp/e_idea.c b/crypto/openssl/crypto/evp/e_idea.c
index 8d3c88deb710..50f7503f32d7 100644
--- a/crypto/openssl/crypto/evp/e_idea.c
+++ b/crypto/openssl/crypto/evp/e_idea.c
@@ -103,7 +103,7 @@ static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
idea_set_encrypt_key(key,&tmp);
idea_set_decrypt_key(&tmp,&(ctx->c.idea_ks));
- memset((unsigned char *)&tmp,0,
+ OPENSSL_cleanse((unsigned char *)&tmp,
sizeof(IDEA_KEY_SCHEDULE));
}
return 1;
diff --git a/crypto/openssl/crypto/evp/evp.h b/crypto/openssl/crypto/evp/evp.h
index e22089aebe72..dd1b8fa2b8e0 100644
--- a/crypto/openssl/crypto/evp/evp.h
+++ b/crypto/openssl/crypto/evp/evp.h
@@ -54,8 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
#ifndef HEADER_ENVELOPE_H
diff --git a/crypto/openssl/crypto/evp/evp_key.c b/crypto/openssl/crypto/evp/evp_key.c
index e7434ef9b270..a31af2924e2e 100644
--- a/crypto/openssl/crypto/evp/evp_key.c
+++ b/crypto/openssl/crypto/evp/evp_key.c
@@ -152,8 +152,8 @@ int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md,
}
if ((nkey == 0) && (niv == 0)) break;
}
- memset(&c,0,sizeof(c));
- memset(&(md_buf[0]),0,EVP_MAX_MD_SIZE);
+ OPENSSL_cleanse(&c,sizeof(c));
+ OPENSSL_cleanse(&(md_buf[0]),EVP_MAX_MD_SIZE);
return(type->key_len);
}
diff --git a/crypto/openssl/crypto/evp/p5_crpt.c b/crypto/openssl/crypto/evp/p5_crpt.c
index 6bfa2c5acb17..0422fa588318 100644
--- a/crypto/openssl/crypto/evp/p5_crpt.c
+++ b/crypto/openssl/crypto/evp/p5_crpt.c
@@ -142,8 +142,8 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
memcpy (iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
EVP_CIPHER_iv_length(cipher));
EVP_CipherInit(cctx, cipher, key, iv, en_de);
- memset(md_tmp, 0, EVP_MAX_MD_SIZE);
- memset(key, 0, EVP_MAX_KEY_LENGTH);
- memset(iv, 0, EVP_MAX_IV_LENGTH);
+ OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE);
+ OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+ OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
return 1;
}
diff --git a/crypto/openssl/crypto/evp/p5_crpt2.c b/crypto/openssl/crypto/evp/p5_crpt2.c
index 717fad68ca8f..74c8769e460a 100644
--- a/crypto/openssl/crypto/evp/p5_crpt2.c
+++ b/crypto/openssl/crypto/evp/p5_crpt2.c
@@ -228,7 +228,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
iter = ASN1_INTEGER_get(kdf->iter);
PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key);
EVP_CipherInit(ctx, NULL, key, NULL, en_de);
- memset(key, 0, keylen);
+ OPENSSL_cleanse(key, keylen);
PBKDF2PARAM_free(kdf);
return 1;
diff --git a/crypto/openssl/crypto/evp/p_open.c b/crypto/openssl/crypto/evp/p_open.c
index 2760c00fec10..c766a3a912bc 100644
--- a/crypto/openssl/crypto/evp/p_open.c
+++ b/crypto/openssl/crypto/evp/p_open.c
@@ -101,7 +101,7 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char *ek,
ret=1;
err:
- if (key != NULL) memset(key,0,size);
+ if (key != NULL) OPENSSL_cleanse(key,size);
OPENSSL_free(key);
return(ret);
}
diff --git a/crypto/openssl/crypto/hmac/Makefile.ssl b/crypto/openssl/crypto/hmac/Makefile.ssl
index ed3c8c64d1ca..4d36069f1d21 100644
--- a/crypto/openssl/crypto/hmac/Makefile.ssl
+++ b/crypto/openssl/crypto/hmac/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/hmac/hmactest.c b/crypto/openssl/crypto/hmac/hmactest.c
index 4b56b8ee1355..3bc476b9c770 100644
--- a/crypto/openssl/crypto/hmac/hmactest.c
+++ b/crypto/openssl/crypto/hmac/hmactest.c
@@ -60,6 +60,8 @@
#include <string.h>
#include <stdlib.h>
+#include "../e_os.h"
+
#ifdef NO_HMAC
int main(int argc, char *argv[])
{
@@ -143,7 +145,7 @@ int main(int argc, char *argv[])
else
printf("test %d ok\n",i);
}
- exit(err);
+ EXIT(err);
return(0);
}
diff --git a/crypto/openssl/crypto/idea/Makefile.ssl b/crypto/openssl/crypto/idea/Makefile.ssl
index 8923d7d066ca..bc5c5f04c52b 100644
--- a/crypto/openssl/crypto/idea/Makefile.ssl
+++ b/crypto/openssl/crypto/idea/Makefile.ssl
@@ -1,6 +1,5 @@
#
# SSLeay/crypto/idea/Makefile
-# $FreeBSD$
#
DIR= idea
@@ -69,7 +68,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/idea/i_cbc.c b/crypto/openssl/crypto/idea/i_cbc.c
index d141cc2e2e8f..ecb9cb8b8367 100644
--- a/crypto/openssl/crypto/idea/i_cbc.c
+++ b/crypto/openssl/crypto/idea/i_cbc.c
@@ -54,7 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- * $FreeBSD$
*/
#include <openssl/idea.h>
diff --git a/crypto/openssl/crypto/idea/i_cfb64.c b/crypto/openssl/crypto/idea/i_cfb64.c
index 6f7e364fcb5a..66d49d520eb3 100644
--- a/crypto/openssl/crypto/idea/i_cfb64.c
+++ b/crypto/openssl/crypto/idea/i_cfb64.c
@@ -54,7 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- * $FreeBSD$
*/
#include <openssl/idea.h>
diff --git a/crypto/openssl/crypto/idea/i_ecb.c b/crypto/openssl/crypto/idea/i_ecb.c
index 3789cb523294..fb613db595c4 100644
--- a/crypto/openssl/crypto/idea/i_ecb.c
+++ b/crypto/openssl/crypto/idea/i_ecb.c
@@ -54,7 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- * $FreeBSD$
*/
#include <openssl/idea.h>
diff --git a/crypto/openssl/crypto/idea/i_ofb64.c b/crypto/openssl/crypto/idea/i_ofb64.c
index b3397f9a8e11..e749e88e34ae 100644
--- a/crypto/openssl/crypto/idea/i_ofb64.c
+++ b/crypto/openssl/crypto/idea/i_ofb64.c
@@ -54,7 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- * $FreeBSD$
*/
#include <openssl/idea.h>
diff --git a/crypto/openssl/crypto/idea/i_skey.c b/crypto/openssl/crypto/idea/i_skey.c
index 5fea5cc2f675..1c95bc9c7b88 100644
--- a/crypto/openssl/crypto/idea/i_skey.c
+++ b/crypto/openssl/crypto/idea/i_skey.c
@@ -54,7 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- * $FreeBSD$
*/
#include <openssl/idea.h>
diff --git a/crypto/openssl/crypto/idea/idea.h b/crypto/openssl/crypto/idea/idea.h
index 31d3c895af99..f14adf83985e 100644
--- a/crypto/openssl/crypto/idea/idea.h
+++ b/crypto/openssl/crypto/idea/idea.h
@@ -54,7 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- * $FreeBSD$
*/
#ifndef HEADER_IDEA_H
diff --git a/crypto/openssl/crypto/idea/idea_lcl.h b/crypto/openssl/crypto/idea/idea_lcl.h
index 019059977145..463aa36ce9c0 100644
--- a/crypto/openssl/crypto/idea/idea_lcl.h
+++ b/crypto/openssl/crypto/idea/idea_lcl.h
@@ -54,7 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- * $FreeBSD$
*/
/* The new form of this macro (check if the a*b == 0) was suggested by
diff --git a/crypto/openssl/crypto/idea/idea_spd.c b/crypto/openssl/crypto/idea/idea_spd.c
index aefe1783b601..301946b19846 100644
--- a/crypto/openssl/crypto/idea/idea_spd.c
+++ b/crypto/openssl/crypto/idea/idea_spd.c
@@ -54,7 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- * $FreeBSD$
*/
/* 11-Sep-92 Andrew Daviel Support for Silicon Graphics IRIX added */
diff --git a/crypto/openssl/crypto/idea/ideatest.c b/crypto/openssl/crypto/idea/ideatest.c
index 810f351713ec..01d43adb19da 100644
--- a/crypto/openssl/crypto/idea/ideatest.c
+++ b/crypto/openssl/crypto/idea/ideatest.c
@@ -54,13 +54,14 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- * $FreeBSD$
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
+#include "../e_os.h"
+
#ifdef NO_IDEA
int main(int argc, char *argv[])
{
@@ -168,7 +169,7 @@ int main(int argc, char *argv[])
else
printf("ok\n");
- exit(err);
+ EXIT(err);
return(err);
}
diff --git a/crypto/openssl/crypto/idea/version b/crypto/openssl/crypto/idea/version
index c269d8531e4d..3f2229379549 100644
--- a/crypto/openssl/crypto/idea/version
+++ b/crypto/openssl/crypto/idea/version
@@ -1,4 +1,3 @@
-# $FreeBSD$
1.1 07/12/95 - eay
Many thanks to Rhys Weatherley <rweather@us.oracle.com>
for pointing out that I was assuming little endian byte
diff --git a/crypto/openssl/crypto/lhash/Makefile.ssl b/crypto/openssl/crypto/lhash/Makefile.ssl
index 60bb6b12e406..7a706e25f14f 100644
--- a/crypto/openssl/crypto/lhash/Makefile.ssl
+++ b/crypto/openssl/crypto/lhash/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/md2/Makefile.ssl b/crypto/openssl/crypto/md2/Makefile.ssl
index cda8385347eb..ecb80115fd6e 100644
--- a/crypto/openssl/crypto/md2/Makefile.ssl
+++ b/crypto/openssl/crypto/md2/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -79,8 +79,10 @@ clean:
# DO NOT DELETE THIS LINE -- make depend depends on it.
-md2_dgst.o: ../../include/openssl/md2.h ../../include/openssl/opensslconf.h
-md2_dgst.o: ../../include/openssl/opensslv.h
+md2_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/md2.h
+md2_dgst.o: ../../include/openssl/opensslconf.h
+md2_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+md2_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
md2_one.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
md2_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
md2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
diff --git a/crypto/openssl/crypto/md2/md2_dgst.c b/crypto/openssl/crypto/md2/md2_dgst.c
index 608baefa8f34..fc25280469a4 100644
--- a/crypto/openssl/crypto/md2/md2_dgst.c
+++ b/crypto/openssl/crypto/md2/md2_dgst.c
@@ -61,6 +61,7 @@
#include <string.h>
#include <openssl/md2.h>
#include <openssl/opensslv.h>
+#include <openssl/crypto.h>
const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT;
@@ -194,7 +195,7 @@ static void md2_block(MD2_CTX *c, const unsigned char *d)
t=(t+i)&0xff;
}
memcpy(sp1,state,16*sizeof(MD2_INT));
- memset(state,0,48*sizeof(MD2_INT));
+ OPENSSL_cleanse(state,48*sizeof(MD2_INT));
}
void MD2_Final(unsigned char *md, MD2_CTX *c)
diff --git a/crypto/openssl/crypto/md2/md2_one.c b/crypto/openssl/crypto/md2/md2_one.c
index b12c37ce4def..835160ef56d1 100644
--- a/crypto/openssl/crypto/md2/md2_one.c
+++ b/crypto/openssl/crypto/md2/md2_one.c
@@ -88,6 +88,6 @@ unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md)
}
#endif
MD2_Final(md,&c);
- memset(&c,0,sizeof(c)); /* Security consideration */
+ OPENSSL_cleanse(&c,sizeof(c)); /* Security consideration */
return(md);
}
diff --git a/crypto/openssl/crypto/md2/md2test.c b/crypto/openssl/crypto/md2/md2test.c
index e3f4fb4c341a..4d7231753bed 100644
--- a/crypto/openssl/crypto/md2/md2test.c
+++ b/crypto/openssl/crypto/md2/md2test.c
@@ -60,6 +60,8 @@
#include <stdlib.h>
#include <string.h>
+#include "../e_os.h"
+
#ifdef NO_MD2
int main(int argc, char *argv[])
{
@@ -119,7 +121,7 @@ int main(int argc, char *argv[])
R++;
P++;
}
- exit(err);
+ EXIT(err);
return(0);
}
diff --git a/crypto/openssl/crypto/md32_common.h b/crypto/openssl/crypto/md32_common.h
index ad7c4194c243..07f6010c4eaf 100644
--- a/crypto/openssl/crypto/md32_common.h
+++ b/crypto/openssl/crypto/md32_common.h
@@ -602,6 +602,6 @@ void HASH_FINAL (unsigned char *md, HASH_CTX *c)
c->num=0;
/* clear stuff, HASH_BLOCK may be leaving some stuff on the stack
* but I'm not worried :-)
- memset((void *)c,0,sizeof(HASH_CTX));
+ OPENSSL_cleanse((void *)c,sizeof(HASH_CTX));
*/
}
diff --git a/crypto/openssl/crypto/md4/Makefile.ssl b/crypto/openssl/crypto/md4/Makefile.ssl
index bc38badb0a2b..1843a3f7c027 100644
--- a/crypto/openssl/crypto/md4/Makefile.ssl
+++ b/crypto/openssl/crypto/md4/Makefile.ssl
@@ -69,7 +69,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -82,4 +82,6 @@ clean:
md4_dgst.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h
md4_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md4_locl.h
-md4_one.o: ../../include/openssl/md4.h
+md4_one.o: ../../include/openssl/crypto.h ../../include/openssl/md4.h
+md4_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+md4_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
diff --git a/crypto/openssl/crypto/md4/md4_one.c b/crypto/openssl/crypto/md4/md4_one.c
index 87a995d38d43..00565507e4bb 100644
--- a/crypto/openssl/crypto/md4/md4_one.c
+++ b/crypto/openssl/crypto/md4/md4_one.c
@@ -59,6 +59,7 @@
#include <stdio.h>
#include <string.h>
#include <openssl/md4.h>
+#include <openssl/crypto.h>
#ifdef CHARSET_EBCDIC
#include <openssl/ebcdic.h>
@@ -89,7 +90,7 @@ unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md)
}
#endif
MD4_Final(md,&c);
- memset(&c,0,sizeof(c)); /* security consideration */
+ OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
return(md);
}
diff --git a/crypto/openssl/crypto/md4/md4test.c b/crypto/openssl/crypto/md4/md4test.c
index 97e6e21efd15..faa9e84a9a3d 100644
--- a/crypto/openssl/crypto/md4/md4test.c
+++ b/crypto/openssl/crypto/md4/md4test.c
@@ -60,6 +60,8 @@
#include <string.h>
#include <stdlib.h>
+#include "../e_os.h"
+
#ifdef NO_MD4
int main(int argc, char *argv[])
{
@@ -115,7 +117,7 @@ int main(int argc, char *argv[])
R++;
P++;
}
- exit(err);
+ EXIT(err);
return(0);
}
diff --git a/crypto/openssl/crypto/md5/Makefile.ssl b/crypto/openssl/crypto/md5/Makefile.ssl
index e5ec4a21ae33..ebd356cb3fa9 100644
--- a/crypto/openssl/crypto/md5/Makefile.ssl
+++ b/crypto/openssl/crypto/md5/Makefile.ssl
@@ -118,7 +118,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -131,4 +131,6 @@ clean:
md5_dgst.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h
md5_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md5_locl.h
-md5_one.o: ../../include/openssl/md5.h
+md5_one.o: ../../include/openssl/crypto.h ../../include/openssl/md5.h
+md5_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+md5_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
diff --git a/crypto/openssl/crypto/md5/md5_one.c b/crypto/openssl/crypto/md5/md5_one.c
index b89dec850d2d..c5dd2d81db49 100644
--- a/crypto/openssl/crypto/md5/md5_one.c
+++ b/crypto/openssl/crypto/md5/md5_one.c
@@ -59,6 +59,7 @@
#include <stdio.h>
#include <string.h>
#include <openssl/md5.h>
+#include <openssl/crypto.h>
#ifdef CHARSET_EBCDIC
#include <openssl/ebcdic.h>
@@ -89,7 +90,7 @@ unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md)
}
#endif
MD5_Final(md,&c);
- memset(&c,0,sizeof(c)); /* security consideration */
+ OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
return(md);
}
diff --git a/crypto/openssl/crypto/md5/md5test.c b/crypto/openssl/crypto/md5/md5test.c
index 6bd86563020e..e3258cc0bf10 100644
--- a/crypto/openssl/crypto/md5/md5test.c
+++ b/crypto/openssl/crypto/md5/md5test.c
@@ -60,6 +60,8 @@
#include <string.h>
#include <stdlib.h>
+#include "../e_os.h"
+
#ifdef NO_MD5
int main(int argc, char *argv[])
{
@@ -115,7 +117,7 @@ int main(int argc, char *argv[])
R++;
P++;
}
- exit(err);
+ EXIT(err);
return(0);
}
diff --git a/crypto/openssl/crypto/mdc2/Makefile.ssl b/crypto/openssl/crypto/mdc2/Makefile.ssl
index 4b1b3e36961a..92be945f91d4 100644
--- a/crypto/openssl/crypto/mdc2/Makefile.ssl
+++ b/crypto/openssl/crypto/mdc2/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/mdc2/mdc2_one.c b/crypto/openssl/crypto/mdc2/mdc2_one.c
index 6cd141b4d621..37f06c8d77cf 100644
--- a/crypto/openssl/crypto/mdc2/mdc2_one.c
+++ b/crypto/openssl/crypto/mdc2/mdc2_one.c
@@ -69,7 +69,7 @@ unsigned char *MDC2(const unsigned char *d, unsigned long n, unsigned char *md)
MDC2_Init(&c);
MDC2_Update(&c,d,n);
MDC2_Final(md,&c);
- memset(&c,0,sizeof(c)); /* security consideration */
+ OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
return(md);
}
diff --git a/crypto/openssl/crypto/mdc2/mdc2test.c b/crypto/openssl/crypto/mdc2/mdc2test.c
index 46c25aeff4c6..bad02979ee0e 100644
--- a/crypto/openssl/crypto/mdc2/mdc2test.c
+++ b/crypto/openssl/crypto/mdc2/mdc2test.c
@@ -60,6 +60,8 @@
#include <stdlib.h>
#include <string.h>
+#include "../e_os.h"
+
#if defined(NO_DES) && !defined(NO_MDC2)
#define NO_MDC2
#endif
@@ -134,7 +136,7 @@ int main(int argc, char *argv[])
else
printf("pad2 - ok\n");
- exit(ret);
+ EXIT(ret);
return(ret);
}
#endif
diff --git a/crypto/openssl/crypto/mem.c b/crypto/openssl/crypto/mem.c
index 3b5b2bbc6814..0df0a2a5491d 100644
--- a/crypto/openssl/crypto/mem.c
+++ b/crypto/openssl/crypto/mem.c
@@ -173,6 +173,9 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int),
void *CRYPTO_malloc_locked(int num, const char *file, int line)
{
void *ret = NULL;
+ extern unsigned char cleanse_ctr;
+
+ if (num < 0) return NULL;
allow_customize = 0;
if (malloc_debug_func != NULL)
@@ -187,6 +190,12 @@ void *CRYPTO_malloc_locked(int num, const char *file, int line)
if (malloc_debug_func != NULL)
malloc_debug_func(ret, num, file, line, 1);
+ /* Create a dependency on the value of 'cleanse_ctr' so our memory
+ * sanitisation function can't be optimised out. NB: We only do
+ * this for >2Kb so the overhead doesn't bother us. */
+ if(ret && (num > 2048))
+ ((unsigned char *)ret)[0] = cleanse_ctr;
+
return ret;
}
@@ -205,6 +214,9 @@ void CRYPTO_free_locked(void *str)
void *CRYPTO_malloc(int num, const char *file, int line)
{
void *ret = NULL;
+ extern unsigned char cleanse_ctr;
+
+ if (num < 0) return NULL;
allow_customize = 0;
if (malloc_debug_func != NULL)
@@ -219,6 +231,12 @@ void *CRYPTO_malloc(int num, const char *file, int line)
if (malloc_debug_func != NULL)
malloc_debug_func(ret, num, file, line, 1);
+ /* Create a dependency on the value of 'cleanse_ctr' so our memory
+ * sanitisation function can't be optimised out. NB: We only do
+ * this for >2Kb so the overhead doesn't bother us. */
+ if(ret && (num > 2048))
+ ((unsigned char *)ret)[0] = cleanse_ctr;
+
return ret;
}
@@ -226,6 +244,11 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line)
{
void *ret = NULL;
+ if (str == NULL)
+ return CRYPTO_malloc(num, file, line);
+
+ if (num < 0) return NULL;
+
if (realloc_debug_func != NULL)
realloc_debug_func(str, NULL, num, file, line, 0);
ret = realloc_func(str,num);
diff --git a/crypto/openssl/crypto/mem_dbg.c b/crypto/openssl/crypto/mem_dbg.c
index ef19d8f84489..5d3547790fdf 100644
--- a/crypto/openssl/crypto/mem_dbg.c
+++ b/crypto/openssl/crypto/mem_dbg.c
@@ -102,6 +102,8 @@ typedef struct app_mem_info_st
int references;
} APP_INFO;
+static void app_info_free(APP_INFO *);
+
static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's
* that are at the top of their thread's stack
* (with `thread' as key);
@@ -140,6 +142,18 @@ static unsigned long disabling_thread = 0; /* Valid iff num_disable > 0.
* thread named in disabling_thread).
*/
+static void app_info_free(APP_INFO *inf)
+ {
+ if (--(inf->references) <= 0)
+ {
+ if (inf->next != NULL)
+ {
+ app_info_free(inf->next);
+ }
+ OPENSSL_free(inf);
+ }
+ }
+
int CRYPTO_mem_ctrl(int mode)
{
int ret=mh_mode;
@@ -496,9 +510,7 @@ void CRYPTO_dbg_free(void *addr, int before_p)
mp->order, mp->addr, mp->num);
#endif
if (mp->app_info != NULL)
- {
- mp->app_info->references--;
- }
+ app_info_free(mp->app_info);
OPENSSL_free(mp);
}
diff --git a/crypto/openssl/crypto/objects/Makefile.ssl b/crypto/openssl/crypto/objects/Makefile.ssl
index 7b1c51cdb128..bcce2fa085eb 100644
--- a/crypto/openssl/crypto/objects/Makefile.ssl
+++ b/crypto/openssl/crypto/objects/Makefile.ssl
@@ -76,7 +76,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/objects/obj_dat.c b/crypto/openssl/crypto/objects/obj_dat.c
index 41fdf6e7b2cc..76f2e05f5080 100644
--- a/crypto/openssl/crypto/objects/obj_dat.c
+++ b/crypto/openssl/crypto/objects/obj_dat.c
@@ -417,7 +417,7 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
a2d_ASN1_OBJECT(p,i,s,-1);
p=buf;
- op=d2i_ASN1_OBJECT(NULL,&p,i);
+ op=d2i_ASN1_OBJECT(NULL,&p,j);
OPENSSL_free(buf);
return op;
}
diff --git a/crypto/openssl/crypto/objects/obj_dat.h b/crypto/openssl/crypto/objects/obj_dat.h
index 63e11f73547a..b8423af2f109 100644
--- a/crypto/openssl/crypto/objects/obj_dat.h
+++ b/crypto/openssl/crypto/objects/obj_dat.h
@@ -62,12 +62,12 @@
* [including the GNU Public Licence.]
*/
-#define NUM_NID 404
-#define NUM_SN 402
-#define NUM_LN 402
-#define NUM_OBJ 376
+#define NUM_NID 406
+#define NUM_SN 404
+#define NUM_LN 404
+#define NUM_OBJ 378
-static unsigned char lvalues[2951]={
+static unsigned char lvalues[2971]={
0x00, /* [ 0] OBJ_undef */
0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */
@@ -444,6 +444,8 @@ static unsigned char lvalues[2951]={
0x55,0x1D,0x24, /* [2941] OBJ_policy_constraints */
0x55,0x1D,0x37, /* [2944] OBJ_target_information */
0x55,0x1D,0x38, /* [2947] OBJ_no_rev_avail */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x02,/* [2950] OBJ_ms_smartcard_login */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,/* [2960] OBJ_ms_upn */
};
static ASN1_OBJECT nid_objs[NUM_NID]={
@@ -1075,6 +1077,10 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
&(lvalues[2944]),0},
{"noRevAvail","X509v3 No Revocation Available",NID_no_rev_avail,3,
&(lvalues[2947]),0},
+{"msSmartcardLogin","Microsoft Smartcardlogin",NID_ms_smartcard_login,
+ 10,&(lvalues[2950]),0},
+{"msUPN","Microsoft Universal Principal Name",NID_ms_upn,10,
+ &(lvalues[2960]),0},
};
static ASN1_OBJECT *sn_objs[NUM_SN]={
@@ -1417,6 +1423,8 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
&(nid_objs[138]),/* "msEFS" */
&(nid_objs[171]),/* "msExtReq" */
&(nid_objs[137]),/* "msSGC" */
+&(nid_objs[404]),/* "msSmartcardLogin" */
+&(nid_objs[405]),/* "msUPN" */
&(nid_objs[173]),/* "name" */
&(nid_objs[369]),/* "noCheck" */
&(nid_objs[403]),/* "noRevAvail" */
@@ -1510,7 +1518,9 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
&(nid_objs[171]),/* "Microsoft Extension Request" */
&(nid_objs[134]),/* "Microsoft Individual Code Signing" */
&(nid_objs[137]),/* "Microsoft Server Gated Crypto" */
+&(nid_objs[404]),/* "Microsoft Smartcardlogin" */
&(nid_objs[136]),/* "Microsoft Trust List Signing" */
+&(nid_objs[405]),/* "Microsoft Universal Principal Name" */
&(nid_objs[72]),/* "Netscape Base Url" */
&(nid_objs[76]),/* "Netscape CA Policy Url" */
&(nid_objs[74]),/* "Netscape CA Revocation Url" */
@@ -2196,6 +2206,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
&(nid_objs[136]),/* OBJ_ms_ctl_sign 1 3 6 1 4 1 311 10 3 1 */
&(nid_objs[137]),/* OBJ_ms_sgc 1 3 6 1 4 1 311 10 3 3 */
&(nid_objs[138]),/* OBJ_ms_efs 1 3 6 1 4 1 311 10 3 4 */
+&(nid_objs[404]),/* OBJ_ms_smartcard_login 1 3 6 1 4 1 311 20 2 2 */
+&(nid_objs[405]),/* OBJ_ms_upn 1 3 6 1 4 1 311 20 2 3 */
&(nid_objs[196]),/* OBJ_id_smime_mod_cms 1 2 840 113549 1 9 16 0 1 */
&(nid_objs[197]),/* OBJ_id_smime_mod_ess 1 2 840 113549 1 9 16 0 2 */
&(nid_objs[198]),/* OBJ_id_smime_mod_oid 1 2 840 113549 1 9 16 0 3 */
diff --git a/crypto/openssl/crypto/objects/obj_mac.h b/crypto/openssl/crypto/objects/obj_mac.h
index a2a960ee370d..8e8952d2936d 100644
--- a/crypto/openssl/crypto/objects/obj_mac.h
+++ b/crypto/openssl/crypto/objects/obj_mac.h
@@ -780,6 +780,16 @@
#define NID_ms_efs 138
#define OBJ_ms_efs 1L,3L,6L,1L,4L,1L,311L,10L,3L,4L
+#define SN_ms_smartcard_login "msSmartcardLogin"
+#define LN_ms_smartcard_login "Microsoft Smartcardlogin"
+#define NID_ms_smartcard_login 404
+#define OBJ_ms_smartcard_login 1L,3L,6L,1L,4L,1L,311L,20L,2L,2L
+
+#define SN_ms_upn "msUPN"
+#define LN_ms_upn "Microsoft Universal Principal Name"
+#define NID_ms_upn 405
+#define OBJ_ms_upn 1L,3L,6L,1L,4L,1L,311L,20L,2L,3L
+
#define SN_idea_cbc "IDEA-CBC"
#define LN_idea_cbc "idea-cbc"
#define NID_idea_cbc 34
diff --git a/crypto/openssl/crypto/objects/obj_mac.num b/crypto/openssl/crypto/objects/obj_mac.num
index a6baa8c5f953..1e73da17813e 100644
--- a/crypto/openssl/crypto/objects/obj_mac.num
+++ b/crypto/openssl/crypto/objects/obj_mac.num
@@ -401,3 +401,5 @@ role 400
policy_constraints 401
target_information 402
no_rev_avail 403
+ms_smartcard_login 404
+ms_upn 405
diff --git a/crypto/openssl/crypto/objects/objects.txt b/crypto/openssl/crypto/objects/objects.txt
index fb73408f4657..a5f6c3759ba6 100644
--- a/crypto/openssl/crypto/objects/objects.txt
+++ b/crypto/openssl/crypto/objects/objects.txt
@@ -246,6 +246,10 @@ rsadsi 3 8 : RC5-CBC : rc5-cbc
1 3 6 1 4 1 311 10 3 3 : msSGC : Microsoft Server Gated Crypto
!Cname ms-efs
1 3 6 1 4 1 311 10 3 4 : msEFS : Microsoft Encrypted File System
+!Cname ms-smartcard-login
+1 3 6 1 4 1 311 20 2 2 : msSmartcardLogin : Microsoft Smartcardlogin
+!Cname ms-upn
+1 3 6 1 4 1 311 20 2 3 : msUPN : Microsoft Universal Principal Name
1 3 6 1 4 1 188 7 1 1 2 : IDEA-CBC : idea-cbc
: IDEA-ECB : idea-ecb
diff --git a/crypto/openssl/crypto/opensslconf.h b/crypto/openssl/crypto/opensslconf.h
index 2c6ddaed31f6..48718f9d5095 100644
--- a/crypto/openssl/crypto/opensslconf.h
+++ b/crypto/openssl/crypto/opensslconf.h
@@ -6,14 +6,23 @@
/* no ciphers excluded */
#endif
#ifdef OPENSSL_THREAD_DEFINES
+# ifndef THREADS
+# define THREADS
+# endif
#endif
#ifdef OPENSSL_OTHER_DEFINES
+# ifndef DSO_DLFCN
+# define DSO_DLFCN
+# endif
+# ifndef HAVE_DLFCN_H
+# define HAVE_DLFCN_H
+# endif
#endif
/* crypto/opensslconf.h.in */
/* Generate 80386 code? */
-#undef I386_ONLY
+#define I386_ONLY
#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
@@ -66,7 +75,7 @@
#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
+#define BN_LLONG
/* Should we define BN_DIV2W here? */
@@ -85,7 +94,7 @@
#define CONFIG_HEADER_RC4_LOCL_H
/* if this is defined data[i] is used instead of *data, this is a %20
* speedup on x86 */
-#undef RC4_INDEX
+#define RC4_INDEX
#endif
#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
@@ -99,14 +108,14 @@
/* the following is tweaked from a config script, that is why it is a
* protected undef/define */
#ifndef DES_PTR
-#undef DES_PTR
+#define DES_PTR
#endif
/* This helps C compiler generate the correct code for multiple functional
* units. It reduces register dependancies at the expense of 2 more
* registers */
#ifndef DES_RISC1
-#undef DES_RISC1
+#define DES_RISC1
#endif
#ifndef DES_RISC2
@@ -120,7 +129,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
/* Unroll the inner loop, this sometimes helps, sometimes hinders.
* Very mucy CPU dependant */
#ifndef DES_UNROLL
-#undef DES_UNROLL
+#define DES_UNROLL
#endif
/* These default values were supplied by
diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h
index 7ee8f76dc90e..6806ef725fa8 100644
--- a/crypto/openssl/crypto/opensslv.h
+++ b/crypto/openssl/crypto/opensslv.h
@@ -25,8 +25,8 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x0090605fL
-#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6e 30 Jul 2002"
+#define OPENSSL_VERSION_NUMBER 0x0090609fL
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6i Feb 19 2003"
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/crypto/openssl/crypto/pem/Makefile.ssl b/crypto/openssl/crypto/pem/Makefile.ssl
index 111dbc1ae460..1788f3fecd13 100644
--- a/crypto/openssl/crypto/pem/Makefile.ssl
+++ b/crypto/openssl/crypto/pem/Makefile.ssl
@@ -69,7 +69,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/pem/pem_info.c b/crypto/openssl/crypto/pem/pem_info.c
index ef02599d55b5..2453e933dcdb 100644
--- a/crypto/openssl/crypto/pem/pem_info.c
+++ b/crypto/openssl/crypto/pem/pem_info.c
@@ -358,7 +358,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
ret=1;
err:
- memset((char *)&ctx,0,sizeof(ctx));
- memset(buf,0,PEM_BUFSIZE);
+ OPENSSL_cleanse((char *)&ctx,sizeof(ctx));
+ OPENSSL_cleanse(buf,PEM_BUFSIZE);
return(ret);
}
diff --git a/crypto/openssl/crypto/pem/pem_lib.c b/crypto/openssl/crypto/pem/pem_lib.c
index 01759f75c3b5..e024bd787304 100644
--- a/crypto/openssl/crypto/pem/pem_lib.c
+++ b/crypto/openssl/crypto/pem/pem_lib.c
@@ -380,7 +380,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
* NOT taken from the BytesToKey function */
EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);
- if (kstr == (unsigned char *)buf) memset(buf,0,PEM_BUFSIZE);
+ if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE);
buf[0]='\0';
PEM_proc_type(buf,PEM_TYPE_ENCRYPTED);
@@ -401,12 +401,15 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
i=PEM_write_bio(bp,name,buf,data,i);
if (i <= 0) ret=0;
err:
- memset(key,0,sizeof(key));
- memset(iv,0,sizeof(iv));
- memset((char *)&ctx,0,sizeof(ctx));
- memset(buf,0,PEM_BUFSIZE);
- memset(data,0,(unsigned int)dsize);
- OPENSSL_free(data);
+ OPENSSL_cleanse(key,sizeof(key));
+ OPENSSL_cleanse(iv,sizeof(iv));
+ OPENSSL_cleanse((char *)&ctx,sizeof(ctx));
+ OPENSSL_cleanse(buf,PEM_BUFSIZE);
+ if (data != NULL)
+ {
+ OPENSSL_cleanse(data,(unsigned int)dsize);
+ OPENSSL_free(data);
+ }
return(ret);
}
@@ -444,8 +447,8 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
EVP_DecryptUpdate(&ctx,data,&i,data,j);
o=EVP_DecryptFinal(&ctx,&(data[i]),&j);
EVP_CIPHER_CTX_cleanup(&ctx);
- memset((char *)buf,0,sizeof(buf));
- memset((char *)key,0,sizeof(key));
+ OPENSSL_cleanse((char *)buf,sizeof(buf));
+ OPENSSL_cleanse((char *)key,sizeof(key));
j+=i;
if (!o)
{
diff --git a/crypto/openssl/crypto/pem/pem_seal.c b/crypto/openssl/crypto/pem/pem_seal.c
index 2a6c5133481a..ed1d3412cfd1 100644
--- a/crypto/openssl/crypto/pem/pem_seal.c
+++ b/crypto/openssl/crypto/pem/pem_seal.c
@@ -109,7 +109,7 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
ret=npubk;
err:
if (s != NULL) OPENSSL_free(s);
- memset(key,0,EVP_MAX_KEY_LENGTH);
+ OPENSSL_cleanse(key,EVP_MAX_KEY_LENGTH);
return(ret);
}
diff --git a/crypto/openssl/crypto/pkcs12/Makefile.ssl b/crypto/openssl/crypto/pkcs12/Makefile.ssl
index c92dd276398c..7a4994812a01 100644
--- a/crypto/openssl/crypto/pkcs12/Makefile.ssl
+++ b/crypto/openssl/crypto/pkcs12/Makefile.ssl
@@ -74,7 +74,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/pkcs12/p12_crpt.c b/crypto/openssl/crypto/pkcs12/p12_crpt.c
index 7b96584f07d7..17d8d546f17c 100644
--- a/crypto/openssl/crypto/pkcs12/p12_crpt.c
+++ b/crypto/openssl/crypto/pkcs12/p12_crpt.c
@@ -118,7 +118,7 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
}
PBEPARAM_free(pbe);
EVP_CipherInit(ctx, cipher, key, iv, en_de);
- memset(key, 0, EVP_MAX_KEY_LENGTH);
- memset(iv, 0, EVP_MAX_IV_LENGTH);
+ OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+ OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
return 1;
}
diff --git a/crypto/openssl/crypto/pkcs12/p12_decr.c b/crypto/openssl/crypto/pkcs12/p12_decr.c
index 8cd7e2f41470..68488db86405 100644
--- a/crypto/openssl/crypto/pkcs12/p12_decr.c
+++ b/crypto/openssl/crypto/pkcs12/p12_decr.c
@@ -137,7 +137,7 @@ char * PKCS12_decrypt_d2i (X509_ALGOR *algor, char * (*d2i)(),
if (seq & 1) ret = (char *) d2i_ASN1_SET(NULL, &p, outlen, d2i,
free_func, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
else ret = d2i(NULL, &p, outlen);
- if (seq & 2) memset(out, 0, outlen);
+ if (seq & 2) OPENSSL_cleanse(out, outlen);
if(!ret) PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_DECODE_ERROR);
OPENSSL_free (out);
return ret;
diff --git a/crypto/openssl/crypto/pkcs12/p12_key.c b/crypto/openssl/crypto/pkcs12/p12_key.c
index a4fd5b98ec9a..298e4c506b6b 100644
--- a/crypto/openssl/crypto/pkcs12/p12_key.c
+++ b/crypto/openssl/crypto/pkcs12/p12_key.c
@@ -91,7 +91,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen,
id, iter, n, out, md_type);
if(unipass) {
- memset(unipass, 0, uniplen); /* Clear password from memory */
+ OPENSSL_cleanse(unipass, uniplen); /* Clear password from memory */
OPENSSL_free(unipass);
}
return ret;
diff --git a/crypto/openssl/crypto/pkcs7/Makefile.ssl b/crypto/openssl/crypto/pkcs7/Makefile.ssl
index da0ff22ab22d..fd4a267e8ac7 100644
--- a/crypto/openssl/crypto/pkcs7/Makefile.ssl
+++ b/crypto/openssl/crypto/pkcs7/Makefile.ssl
@@ -87,7 +87,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/pkcs7/bio_ber.c b/crypto/openssl/crypto/pkcs7/bio_ber.c
index 5447e6981861..e73556e3023c 100644
--- a/crypto/openssl/crypto/pkcs7/bio_ber.c
+++ b/crypto/openssl/crypto/pkcs7/bio_ber.c
@@ -145,7 +145,7 @@ static int ber_free(BIO *a)
if (a == NULL) return(0);
b=(BIO_BER_CTX *)a->ptr;
- memset(a->ptr,0,sizeof(BIO_BER_CTX));
+ OPENSSL_cleanse(a->ptr,sizeof(BIO_BER_CTX));
OPENSSL_free(a->ptr);
a->ptr=NULL;
a->init=0;
diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c
index a45cf76c6873..aa4d49e28be9 100644
--- a/crypto/openssl/crypto/pkcs7/pk7_doit.c
+++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c
@@ -241,7 +241,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj);
}
OPENSSL_free(tmp);
- memset(key, 0, keylen);
+ OPENSSL_cleanse(key, keylen);
if (out == NULL)
out=btmp;
@@ -448,7 +448,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
}
EVP_CipherInit(evp_ctx,NULL,tmp,NULL,0);
- memset(tmp,0,jj);
+ OPENSSL_cleanse(tmp,jj);
if (out == NULL)
out=etmp;
diff --git a/crypto/openssl/crypto/rand/Makefile.ssl b/crypto/openssl/crypto/rand/Makefile.ssl
index e9a6876b5a74..8da0c777b344 100644
--- a/crypto/openssl/crypto/rand/Makefile.ssl
+++ b/crypto/openssl/crypto/rand/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/rand/md_rand.c b/crypto/openssl/crypto/rand/md_rand.c
index 349629c4843e..5df32b4fe6a8 100644
--- a/crypto/openssl/crypto/rand/md_rand.c
+++ b/crypto/openssl/crypto/rand/md_rand.c
@@ -177,10 +177,10 @@ RAND_METHOD *RAND_SSLeay(void)
static void ssleay_rand_cleanup(void)
{
- memset(state,0,sizeof(state));
+ OPENSSL_cleanse(state,sizeof(state));
state_num=0;
state_index=0;
- memset(md,0,MD_DIGEST_LENGTH);
+ OPENSSL_cleanse(md,MD_DIGEST_LENGTH);
md_count[0]=0;
md_count[1]=0;
entropy=0;
diff --git a/crypto/openssl/crypto/rand/rand_egd.c b/crypto/openssl/crypto/rand/rand_egd.c
index a6601696ad9e..ce169367857a 100644
--- a/crypto/openssl/crypto/rand/rand_egd.c
+++ b/crypto/openssl/crypto/rand/rand_egd.c
@@ -59,7 +59,7 @@
/* Query the EGD <URL: http://www.lothar.com/tech/crypto/>.
*/
-#if defined(WIN32) || defined(VMS) || defined(__VMS)
+#if defined(WIN32) || defined(MSDOS) || defined(VMS) || defined(__VMS) || defined(VXWORKS)
int RAND_egd(const char *path)
{
return(-1);
diff --git a/crypto/openssl/crypto/rand/rand_win.c b/crypto/openssl/crypto/rand/rand_win.c
index 2b4b1446edb6..3e148ad4d254 100644
--- a/crypto/openssl/crypto/rand/rand_win.c
+++ b/crypto/openssl/crypto/rand/rand_win.c
@@ -254,6 +254,10 @@ int RAND_poll(void)
* at random times on Windows 2000. Reported by Jeffrey Altman.
* Only use it on NT.
*/
+ /* Wolfgang Marczy <WMarczy@topcall.co.at> reports that
+ * the RegQueryValueEx call below can hang on NT4.0 (SP6).
+ * So we don't use this at all for now. */
+#if 0
if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT &&
osverinfo.dwMajorVersion < 5)
{
@@ -283,13 +287,23 @@ int RAND_poll(void)
{
/* For entropy count assume only least significant
* byte of each DWORD is random.
- */
+ */
RAND_add(&length, sizeof(length), 0);
RAND_add(buf, length, length / 4.0);
+
+ /* Close the Registry Key to allow Windows to cleanup/close
+ * the open handle
+ * Note: The 'HKEY_PERFORMANCE_DATA' key is implicitly opened
+ * when the RegQueryValueEx above is done. However, if
+ * it is not explicitly closed, it can cause disk
+ * partition manipulation problems.
+ */
+ RegCloseKey(HKEY_PERFORMANCE_DATA);
}
if (buf)
free(buf);
}
+#endif
if (advapi)
{
@@ -461,7 +475,7 @@ int RAND_poll(void)
hlist.th32ProcessID,
hlist.th32HeapID))
{
- int entrycnt = 50;
+ int entrycnt = 80;
do
RAND_add(&hentry,
hentry.dwSize, 5);
@@ -718,8 +732,10 @@ int RAND_poll(void)
/* put in some default random data, we need more than just this */
l=curr_pid;
RAND_add(&l,sizeof(l),0);
+#ifndef VXWORKS
l=getuid();
RAND_add(&l,sizeof(l),0);
+#endif
l=time(NULL);
RAND_add(&l,sizeof(l),0);
diff --git a/crypto/openssl/crypto/rand/randfile.c b/crypto/openssl/crypto/rand/randfile.c
index c2ae28c3a2a4..f64c7383b2b6 100644
--- a/crypto/openssl/crypto/rand/randfile.c
+++ b/crypto/openssl/crypto/rand/randfile.c
@@ -61,6 +61,8 @@
#include <stdlib.h>
#include <string.h>
+#include "openssl/e_os.h"
+
#ifdef VMS
#include <unixio.h>
#endif
@@ -73,7 +75,6 @@
# include <sys/stat.h>
#endif
-#include "openssl/e_os.h"
#include <openssl/crypto.h>
#include <openssl/rand.h>
@@ -124,7 +125,7 @@ int RAND_load_file(const char *file, long bytes)
}
}
fclose(in);
- memset(buf,0,BUFSIZE);
+ OPENSSL_cleanse(buf,BUFSIZE);
err:
return(ret);
}
@@ -189,7 +190,7 @@ int RAND_write_file(const char *file)
#endif /* VMS */
fclose(out);
- memset(buf,0,BUFSIZE);
+ OPENSSL_cleanse(buf,BUFSIZE);
err:
return (rand_err ? -1 : ret);
}
diff --git a/crypto/openssl/crypto/rand/randtest.c b/crypto/openssl/crypto/rand/randtest.c
index da96e3f6959a..abee3f7b2b2d 100644
--- a/crypto/openssl/crypto/rand/randtest.c
+++ b/crypto/openssl/crypto/rand/randtest.c
@@ -60,6 +60,8 @@
#include <stdlib.h>
#include <openssl/rand.h>
+#include "../e_os.h"
+
/* some FIPS 140-1 random number test */
/* some simple tests */
@@ -202,6 +204,6 @@ int main()
}
printf("test 4 done\n");
err=((err)?1:0);
- exit(err);
+ EXIT(err);
return(err);
}
diff --git a/crypto/openssl/crypto/rc2/Makefile.ssl b/crypto/openssl/crypto/rc2/Makefile.ssl
index 6966e01b6f27..90b6bd988079 100644
--- a/crypto/openssl/crypto/rc2/Makefile.ssl
+++ b/crypto/openssl/crypto/rc2/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/rc2/rc2test.c b/crypto/openssl/crypto/rc2/rc2test.c
index 521269ded18c..bf8bc5d02fa4 100644
--- a/crypto/openssl/crypto/rc2/rc2test.c
+++ b/crypto/openssl/crypto/rc2/rc2test.c
@@ -63,6 +63,8 @@
#include <string.h>
#include <stdlib.h>
+#include "../e_os.h"
+
#ifdef NO_RC2
int main(int argc, char *argv[])
{
@@ -203,7 +205,7 @@ int main(int argc, char *argv[])
printf("ok\n");
#endif
- exit(err);
+ EXIT(err);
return(err);
}
diff --git a/crypto/openssl/crypto/rc4/Makefile.ssl b/crypto/openssl/crypto/rc4/Makefile.ssl
index 8ffff0a74e3d..f3a4dad8768e 100644
--- a/crypto/openssl/crypto/rc4/Makefile.ssl
+++ b/crypto/openssl/crypto/rc4/Makefile.ssl
@@ -97,7 +97,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/rc4/rc4.c b/crypto/openssl/crypto/rc4/rc4.c
index 709b7aff35ae..04799009e6f3 100644
--- a/crypto/openssl/crypto/rc4/rc4.c
+++ b/crypto/openssl/crypto/rc4/rc4.c
@@ -155,7 +155,7 @@ bad:
i=EVP_read_pw_string(buf,BUFSIZ,"Enter RC4 password:",0);
if (i != 0)
{
- memset(buf,0,BUFSIZ);
+ OPENSSL_cleanse(buf,BUFSIZ);
fprintf(stderr,"bad password read\n");
exit(1);
}
@@ -163,7 +163,7 @@ bad:
}
MD5((unsigned char *)keystr,(unsigned long)strlen(keystr),md);
- memset(keystr,0,strlen(keystr));
+ OPENSSL_cleanse(keystr,strlen(keystr));
RC4_set_key(&key,MD5_DIGEST_LENGTH,md);
for(;;)
diff --git a/crypto/openssl/crypto/rc4/rc4test.c b/crypto/openssl/crypto/rc4/rc4test.c
index 3914eb6c3831..3aa40ed23510 100644
--- a/crypto/openssl/crypto/rc4/rc4test.c
+++ b/crypto/openssl/crypto/rc4/rc4test.c
@@ -60,6 +60,8 @@
#include <stdlib.h>
#include <string.h>
+#include "../e_os.h"
+
#ifdef NO_RC4
int main(int argc, char *argv[])
{
@@ -195,7 +197,7 @@ int main(int argc, char *argv[])
}
}
printf("done\n");
- exit(err);
+ EXIT(err);
return(0);
}
#endif
diff --git a/crypto/openssl/crypto/rc5/Makefile.ssl b/crypto/openssl/crypto/rc5/Makefile.ssl
index cf5d176859ba..0497a573a093 100644
--- a/crypto/openssl/crypto/rc5/Makefile.ssl
+++ b/crypto/openssl/crypto/rc5/Makefile.ssl
@@ -94,7 +94,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/rc5/rc5test.c b/crypto/openssl/crypto/rc5/rc5test.c
index 634ceac7c7ee..84e7c71d216a 100644
--- a/crypto/openssl/crypto/rc5/rc5test.c
+++ b/crypto/openssl/crypto/rc5/rc5test.c
@@ -63,6 +63,8 @@
#include <string.h>
#include <stdlib.h>
+#include "../e_os.h"
+
#ifdef NO_RC5
int main(int argc, char *argv[])
{
@@ -318,7 +320,7 @@ int main(int argc, char *argv[])
}
if (err == 0) printf("cbc RC5 ok\n");
- exit(err);
+ EXIT(err);
return(err);
}
diff --git a/crypto/openssl/crypto/ripemd/Makefile.ssl b/crypto/openssl/crypto/ripemd/Makefile.ssl
index 0b1cd7394132..2838fe40b400 100644
--- a/crypto/openssl/crypto/ripemd/Makefile.ssl
+++ b/crypto/openssl/crypto/ripemd/Makefile.ssl
@@ -92,7 +92,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -106,4 +106,6 @@ clean:
rmd_dgst.o: ../../include/openssl/opensslconf.h
rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h
rmd_dgst.o: ../md32_common.h rmd_locl.h rmdconst.h
-rmd_one.o: ../../include/openssl/ripemd.h
+rmd_one.o: ../../include/openssl/crypto.h ../../include/openssl/opensslv.h
+rmd_one.o: ../../include/openssl/ripemd.h ../../include/openssl/safestack.h
+rmd_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
diff --git a/crypto/openssl/crypto/ripemd/rmd_one.c b/crypto/openssl/crypto/ripemd/rmd_one.c
index efdf2dd6efc2..f8b580c33a3a 100644
--- a/crypto/openssl/crypto/ripemd/rmd_one.c
+++ b/crypto/openssl/crypto/ripemd/rmd_one.c
@@ -59,6 +59,7 @@
#include <stdio.h>
#include <string.h>
#include <openssl/ripemd.h>
+#include <openssl/crypto.h>
unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
unsigned char *md)
@@ -70,7 +71,7 @@ unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
RIPEMD160_Init(&c);
RIPEMD160_Update(&c,d,n);
RIPEMD160_Final(md,&c);
- memset(&c,0,sizeof(c)); /* security consideration */
+ OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */
return(md);
}
diff --git a/crypto/openssl/crypto/ripemd/rmdtest.c b/crypto/openssl/crypto/ripemd/rmdtest.c
index 5d79c997253b..dd3a49d7058b 100644
--- a/crypto/openssl/crypto/ripemd/rmdtest.c
+++ b/crypto/openssl/crypto/ripemd/rmdtest.c
@@ -60,6 +60,8 @@
#include <string.h>
#include <stdlib.h>
+#include "../e_os.h"
+
#ifdef NO_RIPEMD
int main(int argc, char *argv[])
{
@@ -124,7 +126,7 @@ int main(int argc, char *argv[])
R++;
P++;
}
- exit(err);
+ EXIT(err);
return(0);
}
diff --git a/crypto/openssl/crypto/rsa/Makefile.ssl b/crypto/openssl/crypto/rsa/Makefile.ssl
index 1be9a1cd2397..3584942d769e 100644
--- a/crypto/openssl/crypto/rsa/Makefile.ssl
+++ b/crypto/openssl/crypto/rsa/Makefile.ssl
@@ -70,7 +70,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/rsa/rsa.h b/crypto/openssl/crypto/rsa/rsa.h
index 179706a2d430..76aed3cb3852 100644
--- a/crypto/openssl/crypto/rsa/rsa.h
+++ b/crypto/openssl/crypto/rsa/rsa.h
@@ -1,5 +1,4 @@
/* crypto/rsa/rsa.h */
-/* $FreeBSD$ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -170,6 +169,8 @@ struct rsa_st
#define RSA_NO_PADDING 3
#define RSA_PKCS1_OAEP_PADDING 4
+#define RSA_PKCS1_PADDING_SIZE 11
+
#define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
#define RSA_get_app_data(s) RSA_get_ex_data(s,0)
diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c
index e861a491adfb..c49abe6e3eed 100644
--- a/crypto/openssl/crypto/rsa/rsa_eay.c
+++ b/crypto/openssl/crypto/rsa/rsa_eay.c
@@ -1,5 +1,4 @@
/* crypto/rsa/rsa_eay.c */
-/* $FreeBSD$ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -185,7 +184,7 @@ err:
BN_clear_free(&ret);
if (buf != NULL)
{
- memset(buf,0,num);
+ OPENSSL_cleanse(buf,num);
OPENSSL_free(buf);
}
return(r);
@@ -269,7 +268,7 @@ err:
BN_clear_free(&f);
if (buf != NULL)
{
- memset(buf,0,num);
+ OPENSSL_cleanse(buf,num);
OPENSSL_free(buf);
}
return(r);
@@ -368,7 +367,7 @@ err:
BN_clear_free(&ret);
if (buf != NULL)
{
- memset(buf,0,num);
+ OPENSSL_cleanse(buf,num);
OPENSSL_free(buf);
}
return(r);
@@ -465,7 +464,7 @@ err:
BN_clear_free(&ret);
if (buf != NULL)
{
- memset(buf,0,num);
+ OPENSSL_cleanse(buf,num);
OPENSSL_free(buf);
}
return(r);
diff --git a/crypto/openssl/crypto/rsa/rsa_lib.c b/crypto/openssl/crypto/rsa/rsa_lib.c
index 5220f5f5562c..422643e9f2e8 100644
--- a/crypto/openssl/crypto/rsa/rsa_lib.c
+++ b/crypto/openssl/crypto/rsa/rsa_lib.c
@@ -1,5 +1,4 @@
/* crypto/rsa/rsa_lib.c */
-/* $FreeBSD$ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
diff --git a/crypto/openssl/crypto/rsa/rsa_pk1.c b/crypto/openssl/crypto/rsa/rsa_pk1.c
index 48a32bc264a8..b3f1c2200dd5 100644
--- a/crypto/openssl/crypto/rsa/rsa_pk1.c
+++ b/crypto/openssl/crypto/rsa/rsa_pk1.c
@@ -68,7 +68,7 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
int j;
unsigned char *p;
- if (flen > (tlen-11))
+ if (flen > (tlen-RSA_PKCS1_PADDING_SIZE))
{
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
return(0);
diff --git a/crypto/openssl/crypto/rsa/rsa_saos.c b/crypto/openssl/crypto/rsa/rsa_saos.c
index c77f4381ffb1..749fb209655d 100644
--- a/crypto/openssl/crypto/rsa/rsa_saos.c
+++ b/crypto/openssl/crypto/rsa/rsa_saos.c
@@ -76,7 +76,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len,
i=i2d_ASN1_OCTET_STRING(&sig,NULL);
j=RSA_size(rsa);
- if ((i-RSA_PKCS1_PADDING) > j)
+ if (i > (j-RSA_PKCS1_PADDING_SIZE))
{
RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
return(0);
@@ -95,7 +95,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len,
else
*siglen=i;
- memset(s,0,(unsigned int)j+1);
+ OPENSSL_cleanse(s,(unsigned int)j+1);
OPENSSL_free(s);
return(ret);
}
@@ -137,7 +137,7 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype, unsigned char *m,
ret=1;
err:
if (sig != NULL) M_ASN1_OCTET_STRING_free(sig);
- memset(s,0,(unsigned int)siglen);
+ OPENSSL_cleanse(s,(unsigned int)siglen);
OPENSSL_free(s);
return(ret);
}
diff --git a/crypto/openssl/crypto/rsa/rsa_sign.c b/crypto/openssl/crypto/rsa/rsa_sign.c
index 31049b979194..83764a2ce3e8 100644
--- a/crypto/openssl/crypto/rsa/rsa_sign.c
+++ b/crypto/openssl/crypto/rsa/rsa_sign.c
@@ -109,7 +109,7 @@ int RSA_sign(int type, unsigned char *m, unsigned int m_len,
i=i2d_X509_SIG(&sig,NULL);
}
j=RSA_size(rsa);
- if ((i-RSA_PKCS1_PADDING) > j)
+ if (i > (j-RSA_PKCS1_PADDING_SIZE))
{
RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
return(0);
@@ -131,7 +131,7 @@ int RSA_sign(int type, unsigned char *m, unsigned int m_len,
*siglen=i;
if(type != NID_md5_sha1) {
- memset(s,0,(unsigned int)j+1);
+ OPENSSL_cleanse(s,(unsigned int)j+1);
OPENSSL_free(s);
}
return(ret);
@@ -214,7 +214,7 @@ int RSA_verify(int dtype, unsigned char *m, unsigned int m_len,
}
err:
if (sig != NULL) X509_SIG_free(sig);
- memset(s,0,(unsigned int)siglen);
+ OPENSSL_cleanse(s,(unsigned int)siglen);
OPENSSL_free(s);
return(ret);
}
diff --git a/crypto/openssl/crypto/sha/Makefile.ssl b/crypto/openssl/crypto/sha/Makefile.ssl
index 75d3e0bf4ff3..d0e656cb033f 100644
--- a/crypto/openssl/crypto/sha/Makefile.ssl
+++ b/crypto/openssl/crypto/sha/Makefile.ssl
@@ -92,7 +92,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -103,11 +103,15 @@ clean:
# DO NOT DELETE THIS LINE -- make depend depends on it.
-sha1_one.o: ../../include/openssl/sha.h
+sha1_one.o: ../../include/openssl/crypto.h ../../include/openssl/opensslv.h
+sha1_one.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+sha1_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
sha1dgst.o: ../../include/openssl/opensslconf.h
sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
sha1dgst.o: ../md32_common.h sha_locl.h
sha_dgst.o: ../../include/openssl/opensslconf.h
sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
sha_dgst.o: ../md32_common.h sha_locl.h
-sha_one.o: ../../include/openssl/sha.h
+sha_one.o: ../../include/openssl/crypto.h ../../include/openssl/opensslv.h
+sha_one.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+sha_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
diff --git a/crypto/openssl/crypto/sha/sha1_one.c b/crypto/openssl/crypto/sha/sha1_one.c
index 861752eaa7ea..acf3e92ff22b 100644
--- a/crypto/openssl/crypto/sha/sha1_one.c
+++ b/crypto/openssl/crypto/sha/sha1_one.c
@@ -59,6 +59,7 @@
#include <stdio.h>
#include <string.h>
#include <openssl/sha.h>
+#include <openssl/crypto.h>
#ifndef NO_SHA1
unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md)
@@ -70,7 +71,7 @@ unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md)
SHA1_Init(&c);
SHA1_Update(&c,d,n);
SHA1_Final(md,&c);
- memset(&c,0,sizeof(c));
+ OPENSSL_cleanse(&c,sizeof(c));
return(md);
}
#endif
diff --git a/crypto/openssl/crypto/sha/sha1test.c b/crypto/openssl/crypto/sha/sha1test.c
index 688d06c63747..8c2bd33f56fa 100644
--- a/crypto/openssl/crypto/sha/sha1test.c
+++ b/crypto/openssl/crypto/sha/sha1test.c
@@ -60,6 +60,8 @@
#include <string.h>
#include <stdlib.h>
+#include "../e_os.h"
+
#ifdef NO_SHA
int main(int argc, char *argv[])
{
@@ -152,7 +154,7 @@ int main(int argc, char *argv[])
}
else
printf("test 3 ok\n");
- exit(err);
+ EXIT(err);
return(0);
}
diff --git a/crypto/openssl/crypto/sha/sha_one.c b/crypto/openssl/crypto/sha/sha_one.c
index 2d955de16286..ece37146c21d 100644
--- a/crypto/openssl/crypto/sha/sha_one.c
+++ b/crypto/openssl/crypto/sha/sha_one.c
@@ -59,6 +59,7 @@
#include <stdio.h>
#include <string.h>
#include <openssl/sha.h>
+#include <openssl/crypto.h>
#ifndef NO_SHA0
unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
@@ -70,7 +71,7 @@ unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
SHA_Init(&c);
SHA_Update(&c,d,n);
SHA_Final(md,&c);
- memset(&c,0,sizeof(c));
+ OPENSSL_cleanse(&c,sizeof(c));
return(md);
}
#endif
diff --git a/crypto/openssl/crypto/sha/shatest.c b/crypto/openssl/crypto/sha/shatest.c
index a5786bbf768d..d9329f0307b5 100644
--- a/crypto/openssl/crypto/sha/shatest.c
+++ b/crypto/openssl/crypto/sha/shatest.c
@@ -60,6 +60,8 @@
#include <string.h>
#include <stdlib.h>
+#include "../e_os.h"
+
#ifdef NO_SHA
int main(int argc, char *argv[])
{
@@ -152,7 +154,7 @@ int main(int argc, char *argv[])
}
else
printf("test 3 ok\n");
- exit(err);
+ EXIT(err);
return(0);
}
diff --git a/crypto/openssl/crypto/stack/Makefile.ssl b/crypto/openssl/crypto/stack/Makefile.ssl
index 2027d3946ce1..dde60c934cd5 100644
--- a/crypto/openssl/crypto/stack/Makefile.ssl
+++ b/crypto/openssl/crypto/stack/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/threads/mttest.c b/crypto/openssl/crypto/threads/mttest.c
index 100165948c02..3d1b212b1c74 100644
--- a/crypto/openssl/crypto/threads/mttest.c
+++ b/crypto/openssl/crypto/threads/mttest.c
@@ -77,6 +77,10 @@
#ifdef PTHREADS
#include <pthread.h>
#endif
+#ifdef VXWORKS
+#include <taskLib.h>
+#include <semLib.h>
+#endif
#include <openssl/lhash.h>
#include <openssl/crypto.h>
#include <openssl/buffer.h>
@@ -105,10 +109,12 @@ void irix_locking_callback(int mode,int type,char *file,int line);
void solaris_locking_callback(int mode,int type,char *file,int line);
void win32_locking_callback(int mode,int type,char *file,int line);
void pthreads_locking_callback(int mode,int type,char *file,int line);
+void vxworks_locking_callback(int mode,int type,char *file,int line);
unsigned long irix_thread_id(void );
unsigned long solaris_thread_id(void );
unsigned long pthreads_thread_id(void );
+unsigned long vxworks_thread_id(void );
BIO *bio_err=NULL;
BIO *bio_stdout=NULL;
@@ -1097,4 +1103,119 @@ unsigned long pthreads_thread_id(void)
#endif /* PTHREADS */
+#ifdef VXWORKS
+
+#define DEFAULT_TASK_NAME NULL
+#define DEFAULT_TASK_PRIORITY 100
+#define DEFAULT_TASK_OPTIONS 0
+#define DEFAULT_TASK_STACK_BYTES 32768
+
+static SEM_ID *lock_cs;
+static long *lock_count;
+
+extern int sysClkRateGet();
+
+void thread_setup(void)
+ {
+ int i;
+
+ lock_cs=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(SEM_ID));
+ lock_count=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
+ for (i=0; i<CRYPTO_num_locks(); i++)
+ {
+ lock_count[i]=0;
+ lock_cs[i] = semMCreate(SEM_Q_PRIORITY | SEM_INVERSION_SAFE);
+ }
+
+ CRYPTO_set_id_callback((unsigned long (*)())vxworks_thread_id);
+ CRYPTO_set_locking_callback((void (*)())vxworks_locking_callback);
+ }
+
+void thread_cleanup(void)
+ {
+ int i;
+
+ CRYPTO_set_locking_callback(NULL);
+ fprintf(stderr,"cleanup\n");
+ for (i=0; i<CRYPTO_num_locks(); i++)
+ {
+ semDelete(lock_cs[i]);
+ fprintf(stderr,"%8ld:%s\n",lock_count[i],
+ CRYPTO_get_lock_name(i));
+ }
+ OPENSSL_free(lock_cs);
+ OPENSSL_free(lock_count);
+
+ fprintf(stderr,"done cleanup\n");
+ }
+
+void vxworks_locking_callback(int mode, int type, char *file, int line)
+ {
+#ifdef undef
+ fprintf(stderr,"thread=%4d mode=%s lock=%s %s:%d\n",
+ CRYPTO_thread_id(),
+ (mode&CRYPTO_LOCK)?"l":"u",
+ (type&CRYPTO_READ)?"r":"w",file,line);
+#endif
+/*
+ if (CRYPTO_LOCK_SSL_CERT == type)
+ fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
+ CRYPTO_thread_id(),
+ mode,file,line);
+*/
+ if (mode & CRYPTO_LOCK)
+ {
+ semTake(lock_cs[type], WAIT_FOREVER);
+ lock_count[type]++;
+ }
+ else
+ {
+ semGive(lock_cs[type]);
+ }
+ }
+
+
+void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx)
+ {
+ SSL_CTX *ssl_ctx[2];
+ int thread_ctx[MAX_THREAD_NUMBER];
+ int i;
+
+ ssl_ctx[0]=s_ctx;
+ ssl_ctx[1]=c_ctx;
+
+ /*
+ thr_setconcurrency(thread_number);
+ */
+ for (i=0; i<thread_number; i++)
+ {
+ thread_ctx[i] = taskSpawn(DEFAULT_TASK_NAME,
+ DEFAULT_TASK_PRIORITY,
+ DEFAULT_TASK_OPTIONS,
+ DEFAULT_TASK_STACK_BYTES,
+ (FUNCPTR)ndoit,
+ (int)ssl_ctx, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+
+ printf("Spawned task %d (%x)\n", i, thread_ctx[i]);
+ }
+
+ printf("reaping\n");
+ for (i=0; i<thread_number; i++)
+ {
+ while(taskIdVerify(thread_ctx[i]) != ERROR)
+ {
+ taskDelay(sysClkRateGet()/10);
+ }
+ printf("Reaped task %d (%x)\n", i, thread_ctx[i]);
+ }
+
+ printf("vxworks threads done (%d,%d)\n",
+ s_ctx->references,c_ctx->references);
+ }
+
+unsigned long vxworks_thread_id(void)
+ {
+ return((unsigned long)taskIdSelf());
+ }
+#endif /* VXWORKS */
diff --git a/crypto/openssl/crypto/tmdiff.c b/crypto/openssl/crypto/tmdiff.c
index 830092210f42..fc38e139a71d 100644
--- a/crypto/openssl/crypto/tmdiff.c
+++ b/crypto/openssl/crypto/tmdiff.c
@@ -105,6 +105,11 @@
#include <windows.h>
#endif
+#ifdef VXWORKS
+#include <tickLib.h>
+#include <drv/timer/timerDev.h>
+#endif
+
/* The following if from times(3) man page. It may need to be changed */
#ifndef HZ
# ifndef CLK_TCK
diff --git a/crypto/openssl/crypto/txt_db/Makefile.ssl b/crypto/openssl/crypto/txt_db/Makefile.ssl
index 567202abb771..8c5db888fa5e 100644
--- a/crypto/openssl/crypto/txt_db/Makefile.ssl
+++ b/crypto/openssl/crypto/txt_db/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/uid.c b/crypto/openssl/crypto/uid.c
index b5b61b76d4e3..4bd283592ca8 100644
--- a/crypto/openssl/crypto/uid.c
+++ b/crypto/openssl/crypto/uid.c
@@ -64,7 +64,7 @@ int OPENSSL_issetugid(void)
return issetugid();
}
-#elif defined(WIN32)
+#elif defined(WIN32) || defined(VXWORKS)
int OPENSSL_issetugid(void)
{
diff --git a/crypto/openssl/crypto/x509/Makefile.ssl b/crypto/openssl/crypto/x509/Makefile.ssl
index bcee4b362348..ef19cdd7c089 100644
--- a/crypto/openssl/crypto/x509/Makefile.ssl
+++ b/crypto/openssl/crypto/x509/Makefile.ssl
@@ -78,7 +78,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/crypto/x509/by_file.c b/crypto/openssl/crypto/x509/by_file.c
index 78e9240a8d09..05a3a0293bee 100644
--- a/crypto/openssl/crypto/x509/by_file.c
+++ b/crypto/openssl/crypto/x509/by_file.c
@@ -100,18 +100,19 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
case X509_L_FILE_LOAD:
if (argl == X509_FILETYPE_DEFAULT)
{
- ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
- X509_FILETYPE_PEM) != 0);
+ file = (char *)Getenv(X509_get_default_cert_file_env());
+ if (file)
+ ok = (X509_load_cert_crl_file(ctx,file,
+ X509_FILETYPE_PEM) != 0);
+
+ if (!ok)
+ ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
+ X509_FILETYPE_PEM) != 0);
+
if (!ok)
{
X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
}
- else
- {
- file=(char *)Getenv(X509_get_default_cert_file_env());
- ok = (X509_load_cert_crl_file(ctx,file,
- X509_FILETYPE_PEM) != 0);
- }
}
else
{
diff --git a/crypto/openssl/crypto/x509/x509_cmp.c b/crypto/openssl/crypto/x509/x509_cmp.c
index 3f9f9b3d472e..792781009820 100644
--- a/crypto/openssl/crypto/x509/x509_cmp.c
+++ b/crypto/openssl/crypto/x509/x509_cmp.c
@@ -57,6 +57,7 @@
*/
#include <stdio.h>
+#include <ctype.h>
#include "cryptlib.h"
#include <openssl/asn1.h>
#include <openssl/objects.h>
@@ -157,6 +158,99 @@ int X509_cmp(const X509 *a, const X509 *b)
}
#endif
+
+/* Case insensitive string comparision */
+static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
+{
+ int i;
+
+ if (a->length != b->length)
+ return (a->length - b->length);
+
+ for (i=0; i<a->length; i++)
+ {
+ int ca, cb;
+
+ ca = tolower(a->data[i]);
+ cb = tolower(b->data[i]);
+
+ if (ca != cb)
+ return(ca-cb);
+ }
+ return 0;
+}
+
+/* Case insensitive string comparision with space normalization
+ * Space normalization - ignore leading, trailing spaces,
+ * multiple spaces between characters are replaced by single space
+ */
+static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
+{
+ unsigned char *pa = NULL, *pb = NULL;
+ int la, lb;
+
+ la = a->length;
+ lb = b->length;
+ pa = a->data;
+ pb = b->data;
+
+ /* skip leading spaces */
+ while (la > 0 && isspace(*pa))
+ {
+ la--;
+ pa++;
+ }
+ while (lb > 0 && isspace(*pb))
+ {
+ lb--;
+ pb++;
+ }
+
+ /* skip trailing spaces */
+ while (la > 0 && isspace(pa[la-1]))
+ la--;
+ while (lb > 0 && isspace(pb[lb-1]))
+ lb--;
+
+ /* compare strings with space normalization */
+ while (la > 0 && lb > 0)
+ {
+ int ca, cb;
+
+ /* compare character */
+ ca = tolower(*pa);
+ cb = tolower(*pb);
+ if (ca != cb)
+ return (ca - cb);
+
+ pa++; pb++;
+ la--; lb--;
+
+ if (la <= 0 || lb <= 0)
+ break;
+
+ /* is white space next character ? */
+ if (isspace(*pa) && isspace(*pb))
+ {
+ /* skip remaining white spaces */
+ while (la > 0 && isspace(*pa))
+ {
+ la--;
+ pa++;
+ }
+ while (lb > 0 && isspace(*pb))
+ {
+ lb--;
+ pb++;
+ }
+ }
+ }
+ if (la > 0 || lb > 0)
+ return la - lb;
+
+ return 0;
+}
+
int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
{
int i,j;
@@ -170,10 +264,20 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
{
na=sk_X509_NAME_ENTRY_value(a->entries,i);
nb=sk_X509_NAME_ENTRY_value(b->entries,i);
- j=na->value->length-nb->value->length;
+ j=na->value->type-nb->value->type;
if (j) return(j);
- j=memcmp(na->value->data,nb->value->data,
- na->value->length);
+ if (na->value->type == V_ASN1_PRINTABLESTRING)
+ j=nocase_spacenorm_cmp(na->value, nb->value);
+ else if (na->value->type == V_ASN1_IA5STRING
+ && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
+ j=nocase_cmp(na->value, nb->value);
+ else
+ {
+ j=na->value->length-nb->value->length;
+ if (j) return(j);
+ j=memcmp(na->value->data,nb->value->data,
+ na->value->length);
+ }
if (j) return(j);
j=na->set-nb->set;
if (j) return(j);
diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c
index 7a3009224777..9ad9276ff76b 100644
--- a/crypto/openssl/crypto/x509/x509_vfy.c
+++ b/crypto/openssl/crypto/x509/x509_vfy.c
@@ -567,7 +567,7 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
{
char *str;
ASN1_TIME atm;
- time_t offset;
+ long offset;
char buff1[24],buff2[24],*p;
int i,j;
diff --git a/crypto/openssl/crypto/x509v3/Makefile.ssl b/crypto/openssl/crypto/x509v3/Makefile.ssl
index 672290a7f93b..c7d00bb8d054 100644
--- a/crypto/openssl/crypto/x509v3/Makefile.ssl
+++ b/crypto/openssl/crypto/x509v3/Makefile.ssl
@@ -72,7 +72,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/demos/selfsign.c b/crypto/openssl/demos/selfsign.c
index 68904c611eac..3d90caaa6463 100644
--- a/crypto/openssl/demos/selfsign.c
+++ b/crypto/openssl/demos/selfsign.c
@@ -106,7 +106,7 @@ int days;
}
rsa=NULL;
- X509_set_version(x,3);
+ X509_set_version(x,2);
ASN1_INTEGER_set(X509_get_serialNumber(x),serial);
X509_gmtime_adj(X509_get_notBefore(x),0);
X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
diff --git a/crypto/openssl/doc/apps/passwd.pod b/crypto/openssl/doc/apps/passwd.pod
index 6e098940c750..d56f0e7a1cd7 100644
--- a/crypto/openssl/doc/apps/passwd.pod
+++ b/crypto/openssl/doc/apps/passwd.pod
@@ -69,7 +69,7 @@ to each password hash.
B<openssl passwd -crypt -salt xx password> prints B<xxj31ZMTZzkVA>.
-B<openssl passwd -1 -salt xxxxxxxx password> prints B<$1$xxxxxxxx$8XJIcl6ZXqBMCK0qFevqT1>.
+B<openssl passwd -1 -salt xxxxxxxx password> prints B<$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.>.
B<openssl passwd -apr1 -salt xxxxxxxx password> prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>.
diff --git a/crypto/openssl/doc/apps/req.pod b/crypto/openssl/doc/apps/req.pod
index a3f54f45a30d..ed5c7effb8f8 100644
--- a/crypto/openssl/doc/apps/req.pod
+++ b/crypto/openssl/doc/apps/req.pod
@@ -457,13 +457,13 @@ Sample configuration containing all field values:
The header and footer lines in the B<PEM> format are normally:
- -----BEGIN CERTIFICATE REQUEST----
- -----END CERTIFICATE REQUEST----
+ -----BEGIN CERTIFICATE REQUEST-----
+ -----END CERTIFICATE REQUEST-----
some software (some versions of Netscape certificate server) instead needs:
- -----BEGIN NEW CERTIFICATE REQUEST----
- -----END NEW CERTIFICATE REQUEST----
+ -----BEGIN NEW CERTIFICATE REQUEST-----
+ -----END NEW CERTIFICATE REQUEST-----
which is produced with the B<-newhdr> option but is otherwise compatible.
Either form is accepted transparently on input.
diff --git a/crypto/openssl/doc/apps/smime.pod b/crypto/openssl/doc/apps/smime.pod
index fa5d23e8dc3b..2453dd2738d1 100644
--- a/crypto/openssl/doc/apps/smime.pod
+++ b/crypto/openssl/doc/apps/smime.pod
@@ -340,8 +340,8 @@ detached signature format. You can use this program to verify the
signature by line wrapping the base64 encoded structure and surrounding
it with:
- -----BEGIN PKCS7----
- -----END PKCS7----
+ -----BEGIN PKCS7-----
+ -----END PKCS7-----
and using the command,
diff --git a/crypto/openssl/doc/apps/x509.pod b/crypto/openssl/doc/apps/x509.pod
index 84f76cb421be..890e7b5f6235 100644
--- a/crypto/openssl/doc/apps/x509.pod
+++ b/crypto/openssl/doc/apps/x509.pod
@@ -321,7 +321,7 @@ The default filename consists of the CA certificate file base name with
".srl" appended. For example if the CA certificate file is called
"mycacert.pem" it expects to find a serial number file called "mycacert.srl".
-=item B<-CAcreateserial filename>
+=item B<-CAcreateserial>
with this option the CA serial number file is created if it does not exist:
it will contain the serial number "02" and the certificate being signed will
@@ -532,25 +532,25 @@ certificate extensions:
Set a certificate to be trusted for SSL client use and change set its alias to
"Steve's Class 1 CA"
- openssl x509 -in cert.pem -addtrust sslclient \
- -alias "Steve's Class 1 CA" -out trust.pem
+ openssl x509 -in cert.pem -addtrust clientAuth \
+ -setalias "Steve's Class 1 CA" -out trust.pem
=head1 NOTES
The PEM format uses the header and footer lines:
- -----BEGIN CERTIFICATE----
- -----END CERTIFICATE----
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
it will also handle files containing:
- -----BEGIN X509 CERTIFICATE----
- -----END X509 CERTIFICATE----
+ -----BEGIN X509 CERTIFICATE-----
+ -----END X509 CERTIFICATE-----
Trusted certificates have the lines
- -----BEGIN TRUSTED CERTIFICATE----
- -----END TRUSTED CERTIFICATE----
+ -----BEGIN TRUSTED CERTIFICATE-----
+ -----END TRUSTED CERTIFICATE-----
The conversion to UTF8 format used with the name options assumes that
T61Strings use the ISO8859-1 character set. This is wrong but Netscape
diff --git a/crypto/openssl/doc/c-indentation.el b/crypto/openssl/doc/c-indentation.el
index 48ca3cf69b30..cbf01cb1720a 100644
--- a/crypto/openssl/doc/c-indentation.el
+++ b/crypto/openssl/doc/c-indentation.el
@@ -13,12 +13,10 @@
;
; Apparently statement blocks that are not introduced by a statement
; such as "if" and that are not the body of a function cannot
-; be handled too well by CC mode with this indentation style.
-; The style defined below does not indent them at all.
-; To insert tabs manually, prefix them with ^Q (the "quoted-insert"
-; command of Emacs). If you know a solution to this problem
-; or find other problems with this indentation style definition,
-; please send e-mail to bodo@openssl.org.
+; be handled too well by CC mode with this indentation style,
+; so you have to indent them manually (you can use C-q tab).
+;
+; For suggesting improvements, please send e-mail to bodo@openssl.org.
(c-add-style "eay"
'((c-basic-offset . 8)
diff --git a/crypto/openssl/doc/crypto/BN_CTX_new.pod b/crypto/openssl/doc/crypto/BN_CTX_new.pod
index c94d8c610da5..ad8d07db89af 100644
--- a/crypto/openssl/doc/crypto/BN_CTX_new.pod
+++ b/crypto/openssl/doc/crypto/BN_CTX_new.pod
@@ -42,7 +42,7 @@ BN_CTX_init() and BN_CTX_free() have no return values.
=head1 SEE ALSO
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>,
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>,
L<BN_CTX_start(3)|BN_CTX_start(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/BN_add.pod b/crypto/openssl/doc/crypto/BN_add.pod
index 0541d4564352..7baed2d4920e 100644
--- a/crypto/openssl/doc/crypto/BN_add.pod
+++ b/crypto/openssl/doc/crypto/BN_add.pod
@@ -86,7 +86,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
L<BN_add_word(3)|BN_add_word(3)>, L<BN_set_bit(3)|BN_set_bit(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/BN_add_word.pod b/crypto/openssl/doc/crypto/BN_add_word.pod
index 66bedfb92442..94244adea4cd 100644
--- a/crypto/openssl/doc/crypto/BN_add_word.pod
+++ b/crypto/openssl/doc/crypto/BN_add_word.pod
@@ -46,7 +46,7 @@ BN_mod_word() and BN_div_word() return B<a>%B<w>.
=head1 SEE ALSO
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/BN_bn2bin.pod b/crypto/openssl/doc/crypto/BN_bn2bin.pod
index b62d1af0ff6d..a4b17ca60a89 100644
--- a/crypto/openssl/doc/crypto/BN_bn2bin.pod
+++ b/crypto/openssl/doc/crypto/BN_bn2bin.pod
@@ -80,7 +80,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_zero(3)|BN_zero(3)>,
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_zero(3)|BN_zero(3)>,
L<ASN1_INTEGER_to_BN(3)|ASN1_INTEGER_to_BN(3)>,
L<BN_num_bytes(3)|BN_num_bytes(3)>
diff --git a/crypto/openssl/doc/crypto/BN_copy.pod b/crypto/openssl/doc/crypto/BN_copy.pod
index 8ad25e7834f6..388dd7df2653 100644
--- a/crypto/openssl/doc/crypto/BN_copy.pod
+++ b/crypto/openssl/doc/crypto/BN_copy.pod
@@ -25,7 +25,7 @@ by L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
-L<bn(3)|bn(3)>, L<err(3)|err(3)>
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/BN_generate_prime.pod b/crypto/openssl/doc/crypto/BN_generate_prime.pod
index 638f6514ee8a..7dccacbc1e55 100644
--- a/crypto/openssl/doc/crypto/BN_generate_prime.pod
+++ b/crypto/openssl/doc/crypto/BN_generate_prime.pod
@@ -70,7 +70,7 @@ If B<do_trial_division == 0>, this test is skipped.
Both BN_is_prime() and BN_is_prime_fasttest() perform a Miller-Rabin
probabilistic primality test with B<checks> iterations. If
-B<checks == BN_prime_check>, a number of iterations is used that
+B<checks == BN_prime_checks>, a number of iterations is used that
yields a false positive rate of at most 2^-80 for random input.
If B<callback> is not B<NULL>, B<callback(1, j, cb_arg)> is called
@@ -90,7 +90,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/BN_mod_inverse.pod b/crypto/openssl/doc/crypto/BN_mod_inverse.pod
index 49e62daf9f2e..3ea3975c7422 100644
--- a/crypto/openssl/doc/crypto/BN_mod_inverse.pod
+++ b/crypto/openssl/doc/crypto/BN_mod_inverse.pod
@@ -27,7 +27,7 @@ NULL on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_err
=head1 SEE ALSO
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/BN_mod_mul_montgomery.pod b/crypto/openssl/doc/crypto/BN_mod_mul_montgomery.pod
index 0b8ab512df87..f3cee924b93a 100644
--- a/crypto/openssl/doc/crypto/BN_mod_mul_montgomery.pod
+++ b/crypto/openssl/doc/crypto/BN_mod_mul_montgomery.pod
@@ -81,7 +81,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>,
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>,
L<BN_CTX_new(3)|BN_CTX_new(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/BN_mod_mul_reciprocal.pod b/crypto/openssl/doc/crypto/BN_mod_mul_reciprocal.pod
index a28925f8a93a..74a216ddc2ad 100644
--- a/crypto/openssl/doc/crypto/BN_mod_mul_reciprocal.pod
+++ b/crypto/openssl/doc/crypto/BN_mod_mul_reciprocal.pod
@@ -69,7 +69,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>,
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>,
L<BN_CTX_new(3)|BN_CTX_new(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/BN_new.pod b/crypto/openssl/doc/crypto/BN_new.pod
index c1394ff2a37d..3033789c5147 100644
--- a/crypto/openssl/doc/crypto/BN_new.pod
+++ b/crypto/openssl/doc/crypto/BN_new.pod
@@ -42,7 +42,7 @@ values.
=head1 SEE ALSO
-L<bn(3)|bn(3)>, L<err(3)|err(3)>
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/BN_rand.pod b/crypto/openssl/doc/crypto/BN_rand.pod
index 9cec238f9e24..81f93c2eb3a4 100644
--- a/crypto/openssl/doc/crypto/BN_rand.pod
+++ b/crypto/openssl/doc/crypto/BN_rand.pod
@@ -45,7 +45,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
-L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/DH_generate_key.pod b/crypto/openssl/doc/crypto/DH_generate_key.pod
index 920995b2e5aa..81f09fdf45ea 100644
--- a/crypto/openssl/doc/crypto/DH_generate_key.pod
+++ b/crypto/openssl/doc/crypto/DH_generate_key.pod
@@ -40,7 +40,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
-L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)>
+L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/DH_generate_parameters.pod b/crypto/openssl/doc/crypto/DH_generate_parameters.pod
index a7d0c75f0cb3..9081e9ea7cf9 100644
--- a/crypto/openssl/doc/crypto/DH_generate_parameters.pod
+++ b/crypto/openssl/doc/crypto/DH_generate_parameters.pod
@@ -59,7 +59,8 @@ a usable generator.
=head1 SEE ALSO
-L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_free(3)|DH_free(3)>
+L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
+L<DH_free(3)|DH_free(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/DH_get_ex_new_index.pod b/crypto/openssl/doc/crypto/DH_get_ex_new_index.pod
index 733f7add4065..fa5eab26502a 100644
--- a/crypto/openssl/doc/crypto/DH_get_ex_new_index.pod
+++ b/crypto/openssl/doc/crypto/DH_get_ex_new_index.pod
@@ -34,39 +34,3 @@ DH_get_ex_new_index(), DH_set_ex_data() and DH_get_ex_data() are
available since OpenSSL 0.9.5.
=cut
-=pod
-
-=head1 NAME
-
-DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data - add application specific data to DH structures
-
-=head1 SYNOPSIS
-
- #include <openssl/dh.h>
-
- int DH_get_ex_new_index(long argl, void *argp,
- CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func,
- CRYPTO_EX_free *free_func);
-
- int DH_set_ex_data(DH *d, int idx, void *arg);
-
- char *DH_get_ex_data(DH *d, int idx);
-
-=head1 DESCRIPTION
-
-These functions handle application specific data in DH
-structures. Their usage is identical to that of
-RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data()
-as described in L<RSA_get_ex_new_index(3)>.
-
-=head1 SEE ALSO
-
-L<RSA_get_ex_new_index()|RSA_get_ex_new_index()>, L<dh(3)|dh(3)>
-
-=head1 HISTORY
-
-DH_get_ex_new_index(), DH_set_ex_data() and DH_get_ex_data() are
-available since OpenSSL 0.9.5.
-
-=cut
diff --git a/crypto/openssl/doc/crypto/DH_new.pod b/crypto/openssl/doc/crypto/DH_new.pod
index 64624b9d1560..60c930093e02 100644
--- a/crypto/openssl/doc/crypto/DH_new.pod
+++ b/crypto/openssl/doc/crypto/DH_new.pod
@@ -29,7 +29,7 @@ DH_free() returns no value.
=head1 SEE ALSO
-L<dh(3)|dh(3)>, L<err(3)|err(3)>,
+L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
L<DH_generate_key(3)|DH_generate_key(3)>
diff --git a/crypto/openssl/doc/crypto/DSA_SIG_new.pod b/crypto/openssl/doc/crypto/DSA_SIG_new.pod
index 671655554a53..3ac614003816 100644
--- a/crypto/openssl/doc/crypto/DSA_SIG_new.pod
+++ b/crypto/openssl/doc/crypto/DSA_SIG_new.pod
@@ -30,7 +30,8 @@ DSA_SIG_free() returns no value.
=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<DSA_do_sign(3)|DSA_do_sign(3)>
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
+L<DSA_do_sign(3)|DSA_do_sign(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/DSA_do_sign.pod b/crypto/openssl/doc/crypto/DSA_do_sign.pod
index a24fd5714efe..5dfc733b20e2 100644
--- a/crypto/openssl/doc/crypto/DSA_do_sign.pod
+++ b/crypto/openssl/doc/crypto/DSA_do_sign.pod
@@ -36,7 +36,7 @@ L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
L<DSA_SIG_new(3)|DSA_SIG_new(3)>,
L<DSA_sign(3)|DSA_sign(3)>
diff --git a/crypto/openssl/doc/crypto/DSA_dup_DH.pod b/crypto/openssl/doc/crypto/DSA_dup_DH.pod
index 29cb1075d110..695f99a13b19 100644
--- a/crypto/openssl/doc/crypto/DSA_dup_DH.pod
+++ b/crypto/openssl/doc/crypto/DSA_dup_DH.pod
@@ -27,7 +27,7 @@ Be careful to avoid small subgroup attacks when using this.
=head1 SEE ALSO
-L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<err(3)|err(3)>
+L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/DSA_generate_key.pod b/crypto/openssl/doc/crypto/DSA_generate_key.pod
index 52890db5be20..af83ccfaa16b 100644
--- a/crypto/openssl/doc/crypto/DSA_generate_key.pod
+++ b/crypto/openssl/doc/crypto/DSA_generate_key.pod
@@ -24,7 +24,8 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
+L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/DSA_generate_parameters.pod b/crypto/openssl/doc/crypto/DSA_generate_parameters.pod
index 43f60b0eb955..be7c924ff8f9 100644
--- a/crypto/openssl/doc/crypto/DSA_generate_parameters.pod
+++ b/crypto/openssl/doc/crypto/DSA_generate_parameters.pod
@@ -90,7 +90,7 @@ Seed lengths E<gt> 20 are not supported.
=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
L<DSA_free(3)|DSA_free(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/DSA_new.pod b/crypto/openssl/doc/crypto/DSA_new.pod
index 7dde54445b75..301af912dd53 100644
--- a/crypto/openssl/doc/crypto/DSA_new.pod
+++ b/crypto/openssl/doc/crypto/DSA_new.pod
@@ -30,7 +30,7 @@ DSA_free() returns no value.
=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<err(3)|err(3)>,
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>,
L<DSA_generate_key(3)|DSA_generate_key(3)>
diff --git a/crypto/openssl/doc/crypto/DSA_sign.pod b/crypto/openssl/doc/crypto/DSA_sign.pod
index f6e60a8ca32e..97389e8ec885 100644
--- a/crypto/openssl/doc/crypto/DSA_sign.pod
+++ b/crypto/openssl/doc/crypto/DSA_sign.pod
@@ -55,7 +55,7 @@ Standard, DSS), ANSI X9.30
=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
+L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
L<DSA_do_sign(3)|DSA_do_sign(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/EVP_SealInit.pod b/crypto/openssl/doc/crypto/EVP_SealInit.pod
index 0451eb648a39..7cd12491cda0 100644
--- a/crypto/openssl/doc/crypto/EVP_SealInit.pod
+++ b/crypto/openssl/doc/crypto/EVP_SealInit.pod
@@ -12,7 +12,7 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
int *outl, unsigned char *in, int inl);
- int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ void EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
int *outl);
=head1 DESCRIPTION
@@ -43,8 +43,7 @@ page.
EVP_SealInit() returns 0 on error or B<npubk> if successful.
-EVP_SealUpdate() and EVP_SealFinal() return 1 for success and 0 for
-failure.
+EVP_SealUpdate() returns 1 for success and 0 for failure.
=head1 NOTES
diff --git a/crypto/openssl/doc/crypto/RAND_bytes.pod b/crypto/openssl/doc/crypto/RAND_bytes.pod
index b6ebd5052788..ce6329ce54af 100644
--- a/crypto/openssl/doc/crypto/RAND_bytes.pod
+++ b/crypto/openssl/doc/crypto/RAND_bytes.pod
@@ -35,7 +35,8 @@ method.
=head1 SEE ALSO
-L<rand(3)|rand(3)>, L<err(3)|err(3)>, L<RAND_add(3)|RAND_add(3)>
+L<rand(3)|rand(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
+L<RAND_add(3)|RAND_add(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/RSA_check_key.pod b/crypto/openssl/doc/crypto/RSA_check_key.pod
index 8a42d2e0d47e..f476a56ac8ea 100644
--- a/crypto/openssl/doc/crypto/RSA_check_key.pod
+++ b/crypto/openssl/doc/crypto/RSA_check_key.pod
@@ -39,7 +39,7 @@ key data too.
=head1 SEE ALSO
-L<rsa(3)|rsa(3)>, L<err(3)|err(3)>
+L<rsa(3)|rsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/RSA_generate_key.pod b/crypto/openssl/doc/crypto/RSA_generate_key.pod
index 8714f7179d65..52dbb14a537d 100644
--- a/crypto/openssl/doc/crypto/RSA_generate_key.pod
+++ b/crypto/openssl/doc/crypto/RSA_generate_key.pod
@@ -59,7 +59,8 @@ RSA_generate_key() goes into an infinite loop for illegal input values.
=head1 SEE ALSO
-L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_free(3)|RSA_free(3)>
+L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_free(3)|RSA_free(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/RSA_print.pod b/crypto/openssl/doc/crypto/RSA_print.pod
index 67876facc5df..e28d107d1c6e 100644
--- a/crypto/openssl/doc/crypto/RSA_print.pod
+++ b/crypto/openssl/doc/crypto/RSA_print.pod
@@ -2,9 +2,9 @@
=head1 NAME
-RSA_print, RSA_print_fp, DHparams_print, DHparams_print_fp, DSA_print,
-DSA_print_fp, DHparams_print, DHparams_print_fp - print cryptographic
-parameters
+RSA_print, RSA_print_fp,
+DSAparams_print, DSAparams_print_fp, DSA_print, DSA_print_fp,
+DHparams_print, DHparams_print_fp - print cryptographic parameters
=head1 SYNOPSIS
diff --git a/crypto/openssl/doc/crypto/RSA_private_encrypt.pod b/crypto/openssl/doc/crypto/RSA_private_encrypt.pod
index 6861a98a109a..746a80c79ea0 100644
--- a/crypto/openssl/doc/crypto/RSA_private_encrypt.pod
+++ b/crypto/openssl/doc/crypto/RSA_private_encrypt.pod
@@ -59,7 +59,8 @@ obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
-L<err(3)|err(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
+L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/RSA_public_encrypt.pod b/crypto/openssl/doc/crypto/RSA_public_encrypt.pod
index 02edb7aa756f..9ae5f93152f9 100644
--- a/crypto/openssl/doc/crypto/RSA_public_encrypt.pod
+++ b/crypto/openssl/doc/crypto/RSA_public_encrypt.pod
@@ -72,7 +72,8 @@ SSL, PKCS #1 v2.0
=head1 SEE ALSO
-L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_size(3)|RSA_size(3)>
+L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
+L<RSA_size(3)|RSA_size(3)>
=head1 NOTES
diff --git a/crypto/openssl/doc/crypto/RSA_sign.pod b/crypto/openssl/doc/crypto/RSA_sign.pod
index f0bf6eea1b35..71688a665e13 100644
--- a/crypto/openssl/doc/crypto/RSA_sign.pod
+++ b/crypto/openssl/doc/crypto/RSA_sign.pod
@@ -50,8 +50,8 @@ SSL, PKCS #1 v2.0
=head1 SEE ALSO
-L<err(3)|err(3)>, L<objects(3)|objects(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
+L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>,
+L<rsa(3)|rsa(3)>, L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
L<RSA_public_decrypt(3)|RSA_public_decrypt(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod b/crypto/openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
index df9ceb339a63..e70380bbfc96 100644
--- a/crypto/openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
+++ b/crypto/openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
@@ -47,8 +47,8 @@ These functions serve no recognizable purpose.
=head1 SEE ALSO
-L<err(3)|err(3)>, L<objects(3)|objects(3)>, L<rand(3)|rand(3)>,
-L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
+L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>,
+L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
L<RSA_verify(3)|RSA_verify(3)>
=head1 HISTORY
diff --git a/crypto/openssl/doc/openssl.txt b/crypto/openssl/doc/openssl.txt
index 5da519e7e465..432a17b66cf8 100644
--- a/crypto/openssl/doc/openssl.txt
+++ b/crypto/openssl/doc/openssl.txt
@@ -344,7 +344,7 @@ the extension.
Examples:
-subjectAltName=email:copy,email:my@other.address,URL:http://my.url.here/
+subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
subjectAltName=email:my@other.address,RID:1.2.3.4
Issuer Alternative Name.
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod b/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod
index af326c2f7340..82676b26b239 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod
@@ -37,6 +37,14 @@ removed and replaced by the new session. If the session is actually
identical (the SSL_SESSION object is identical), SSL_CTX_add_session()
is a no-op, and the return value is 0.
+If a server SSL_CTX is configured with the SSL_SESS_CACHE_NO_INTERNAL_STORE
+flag then the internal cache will not be populated automatically by new
+sessions negotiated by the SSL/TLS implementation, even though the internal
+cache will be searched automatically for session-resume requests (the
+latter can be surpressed by SSL_SESS_CACHE_NO_INTERNAL_LOOKUP). So the
+application can use SSL_CTX_add_session() directly to have full control
+over the sessions that can be resumed if desired.
+
=head1 RETURN VALUES
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod
index 18616c6fdceb..5686faf29982 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod
@@ -51,56 +51,3 @@ L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
=cut
-=pod
-
-=head1 NAME
-
-SSL_CTX_get_ex_new_index, SSL_CTX_set_ex_data, SSL_CTX_get_ex_data - internal application specific data functions
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- int SSL_CTX_get_ex_new_index(long argl, void *argp,
- CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func,
- CRYPTO_EX_free *free_func);
-
- int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg);
-
- void *SSL_CTX_get_ex_data(SSL_CTX *ctx, int idx);
-
- typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
- int idx, long argl, void *argp);
- typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
- int idx, long argl, void *argp);
- typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
- int idx, long argl, void *argp);
-
-=head1 DESCRIPTION
-
-Several OpenSSL structures can have application specific data attached to them.
-These functions are used internally by OpenSSL to manipulate application
-specific data attached to a specific structure.
-
-SSL_CTX_get_ex_new_index() is used to register a new index for application
-specific data.
-
-SSL_CTX_set_ex_data() is used to store application data at B<arg> for B<idx>
-into the B<ctx> object.
-
-SSL_CTX_get_ex_data() is used to retrieve the information for B<idx> from
-B<ctx>.
-
-A detailed description for the B<*_get_ex_new_index()> functionality
-can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>.
-The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in
-L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>.
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>,
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
-L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_new.pod b/crypto/openssl/doc/ssl/SSL_CTX_new.pod
index 8ab7c2c31f3a..465220a75c0a 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_new.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_new.pod
@@ -92,101 +92,3 @@ L<SSL_CTX_free(3)|SSL_CTX_free(3)>, L<SSL_accept(3)|SSL_accept(3)>,
L<ssl(3)|ssl(3)>, L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
=cut
-=pod
-
-=head1 NAME
-
-SSL_CTX_new - create a new SSL_CTX object as framework for TLS/SSL enabled functions
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- SSL_CTX *SSL_CTX_new(SSL_METHOD *method);
-
-=head1 DESCRIPTION
-
-SSL_CTX_new() creates a new B<SSL_CTX> object as framework to establish
-TLS/SSL enabled connections.
-
-=head1 NOTES
-
-The SSL_CTX object uses B<method> as connection method. The methods exist
-in a generic type (for client and server use), a server only type, and a
-client only type. B<method> can be of the following types:
-
-=over 4
-
-=item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void)
-
-A TLS/SSL connection established with these methods will only understand
-the SSLv2 protocol. A client will send out SSLv2 client hello messages
-and will also indicate that it only understand SSLv2. A server will only
-understand SSLv2 client hello messages.
-
-=item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
-
-A TLS/SSL connection established with these methods will only understand the
-SSLv3 protocol. A client will send out SSLv3 client hello messages
-and will indicate that it only understands SSLv3. A server will only understand
-SSLv3 client hello messages. This especially means, that it will
-not understand SSLv2 client hello messages which are widely used for
-compatibility reasons, see SSLv23_*_method().
-
-=item TLSv1_method(void), TLSv1_server_method(void), TLSv1_client_method(void)
-
-A TLS/SSL connection established with these methods will only understand the
-TLSv1 protocol. A client will send out TLSv1 client hello messages
-and will indicate that it only understands TLSv1. A server will only understand
-TLSv1 client hello messages. This especially means, that it will
-not understand SSLv2 client hello messages which are widely used for
-compatibility reasons, see SSLv23_*_method(). It will also not understand
-SSLv3 client hello messages.
-
-=item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
-
-A TLS/SSL connection established with these methods will understand the SSLv2,
-SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello messages
-and will indicate that it also understands SSLv3 and TLSv1. A server will
-understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best
-choice when compatibility is a concern.
-
-=back
-
-If a generic method is used, it is necessary to explicitly set client or
-server mode with L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
-or SSL_set_accept_state().
-
-The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
-SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the B<SSL_CTX_set_options()> or
-B<SSL_set_options()> functions. Using these options it is possible to choose
-e.g. SSLv23_server_method() and be able to negotiate with all possible
-clients, but to only allow newer protocols like SSLv3 or TLSv1.
-
-SSL_CTX_new() initializes the list of ciphers, the session cache setting,
-the callbacks, the keys and certificates, and the options to its default
-values.
-
-=head1 RETURN VALUES
-
-The following return values can occur:
-
-=over 4
-
-=item NULL
-
-The creation of a new SSL_CTX object failed. Check the error stack to
-find out the reason.
-
-=item Pointer to an SSL_CTX object
-
-The return value points to an allocated SSL_CTX object.
-
-=back
-
-=head1 SEE ALSO
-
-L<SSL_CTX_free(3)|SSL_CTX_free(3)>, L<SSL_accept(3)|SSL_accept(3)>,
-L<ssl(3)|ssl(3)>, L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod
index 9aa6c6b2e393..c5d2f43dff15 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod
@@ -26,12 +26,14 @@ SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX
object.
In order to reuse a session, a client must send the session's id to the
-server. It can only send exactly one id. The server then decides whether it
-agrees in reusing the session or starts the handshake for a new session.
+server. It can only send exactly one id. The server then either
+agrees to reuse the session or it starts a full handshake (to create a new
+session).
-A server will lookup up the session in its internal session storage. If
-the session is not found in internal storage or internal storage is
-deactivated, the server will try the external storage if available.
+A server will lookup up the session in its internal session storage. If the
+session is not found in internal storage or lookups for the internal storage
+have been deactivated (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP), the server will try
+the external storage if available.
Since a client may try to reuse a session intended for use in a different
context, the session id context must be set by the server (see
@@ -57,9 +59,10 @@ function. This option is not activated by default.
=item SSL_SESS_CACHE_SERVER
Server sessions are added to the session cache. When a client proposes a
-session to be reused, the session is looked up in the internal session cache.
-If the session is found, the server will try to reuse the session.
-This is the default.
+session to be reused, the server looks for the corresponding session in (first)
+the internal session cache (unless SSL_SESS_CACHE_NO_INTERNAL_LOOKUP is set),
+then (second) in the external cache if available. If the session is found, the
+server will try to reuse the session. This is the default.
=item SSL_SESS_CACHE_BOTH
@@ -77,12 +80,32 @@ explicitly by the application.
=item SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
-By setting this flag sessions are cached in the internal storage but
-they are not looked up automatically. If an external session cache
-is enabled, sessions are looked up in the external cache. As automatic
-lookup only applies for SSL/TLS servers, the flag has no effect on
+By setting this flag, session-resume operations in an SSL/TLS server will not
+automatically look up sessions in the internal cache, even if sessions are
+automatically stored there. If external session caching callbacks are in use,
+this flag guarantees that all lookups are directed to the external cache.
+As automatic lookup only applies for SSL/TLS servers, the flag has no effect on
clients.
+=item SSL_SESS_CACHE_NO_INTERNAL_STORE
+
+Depending on the presence of SSL_SESS_CACHE_CLIENT and/or SSL_SESS_CACHE_SERVER,
+sessions negotiated in an SSL/TLS handshake may be cached for possible reuse.
+Normally a new session is added to the internal cache as well as any external
+session caching (callback) that is configured for the SSL_CTX. This flag will
+prevent sessions being stored in the internal cache (though the application can
+add them manually using L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>). Note:
+in any SSL/TLS servers where external caching is configured, any successful
+session lookups in the external cache (ie. for session-resume requests) would
+normally be copied into the local cache before processing continues - this flag
+prevents these additions to the internal cache as well.
+
+=item SSL_SESS_CACHE_NO_INTERNAL
+
+Enable both SSL_SESS_CACHE_NO_INTERNAL_LOOKUP and
+SSL_SESS_CACHE_NO_INTERNAL_STORE at the same time.
+
+
=back
The default mode is SSL_SESS_CACHE_SERVER.
@@ -98,6 +121,7 @@ SSL_CTX_get_session_cache_mode() returns the currently set cache mode.
L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
L<SSL_session_reused(3)|SSL_session_reused(3)>,
+L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>,
L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
@@ -105,4 +129,9 @@ L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>
+=head1 HISTORY
+
+SSL_SESS_CACHE_NO_INTERNAL_STORE and SSL_SESS_CACHE_NO_INTERNAL
+were introduced in OpenSSL 0.9.6h.
+
=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod
index 5bb21ca53570..d15b2a3a1a5b 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod
@@ -235,7 +235,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
* At this point, err contains the last verification error. We can use
* it for something special
*/
- if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)
+ if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT))
{
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
printf("issuer= %s\n", buf);
diff --git a/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod
index 261438fe9072..da0bcf1590ca 100644
--- a/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod
+++ b/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod
@@ -59,64 +59,3 @@ L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
=cut
-=pod
-
-=head1 NAME
-
-SSL_SESSION_get_ex_new_index, SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data - internal application specific data functions
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- int SSL_SESSION_get_ex_new_index(long argl, void *argp,
- CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func,
- CRYPTO_EX_free *free_func);
-
- int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg);
-
- void *SSL_SESSION_get_ex_data(SSL_SESSION *session, int idx);
-
- typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
- int idx, long argl, void *argp);
- typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
- int idx, long argl, void *argp);
- typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
- int idx, long argl, void *argp);
-
-=head1 DESCRIPTION
-
-Several OpenSSL structures can have application specific data attached to them.
-These functions are used internally by OpenSSL to manipulate application
-specific data attached to a specific structure.
-
-SSL_SESSION_get_ex_new_index() is used to register a new index for application
-specific data.
-
-SSL_SESSION_set_ex_data() is used to store application data at B<arg> for B<idx>
-into the B<session> object.
-
-SSL_SESSION_get_ex_data() is used to retrieve the information for B<idx> from
-B<session>.
-
-A detailed description for the B<*_get_ex_new_index()> functionality
-can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>.
-The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in
-L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>.
-
-=head1 WARNINGS
-
-The application data is only maintained for sessions held in memory. The
-application data is not included when dumping the session with
-i2d_SSL_SESSION() (and all functions indirectly calling the dump functions
-like PEM_write_SSL_SESSION() and PEM_write_bio_SSL_SESSION()) and can
-therefore not be restored.
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>,
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
-L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod
index 5ea3306501bd..6644ef8fbc10 100644
--- a/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod
@@ -57,62 +57,3 @@ L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>,
L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
=cut
-=pod
-
-=head1 NAME
-
-SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data - internal application specific data functions
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- int SSL_get_ex_new_index(long argl, void *argp,
- CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func,
- CRYPTO_EX_free *free_func);
-
- int SSL_set_ex_data(SSL *ssl, int idx, void *arg);
-
- void *SSL_get_ex_data(SSL *ssl, int idx);
-
- typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
- int idx, long argl, void *argp);
- typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
- int idx, long argl, void *argp);
- typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
- int idx, long argl, void *argp);
-
-=head1 DESCRIPTION
-
-Several OpenSSL structures can have application specific data attached to them.
-These functions are used internally by OpenSSL to manipulate application
-specific data attached to a specific structure.
-
-SSL_get_ex_new_index() is used to register a new index for application
-specific data.
-
-SSL_set_ex_data() is used to store application data at B<arg> for B<idx> into
-the B<ssl> object.
-
-SSL_get_ex_data() is used to retrieve the information for B<idx> from
-B<ssl>.
-
-A detailed description for the B<*_get_ex_new_index()> functionality
-can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>.
-The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in
-L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>.
-
-=head1 EXAMPLES
-
-An example on how to use the functionality is included in the example
-verify_callback() in L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>,
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
-L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>,
-L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_new.pod b/crypto/openssl/doc/ssl/SSL_new.pod
index 7a2e70a9a296..25300e978f02 100644
--- a/crypto/openssl/doc/ssl/SSL_new.pod
+++ b/crypto/openssl/doc/ssl/SSL_new.pod
@@ -42,46 +42,3 @@ L<SSL_get_SSL_CTX(3)|SSL_get_SSL_CTX(3)>,
L<ssl(3)|ssl(3)>
=cut
-=pod
-
-=head1 NAME
-
-SSL_new - create a new SSL structure for a connection
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- SSL *SSL_new(SSL_CTX *ctx);
-
-=head1 DESCRIPTION
-
-SSL_new() creates a new B<SSL> structure which is needed to hold the
-data for a TLS/SSL connection. The new structure inherits the settings
-of the underlying context B<ctx>: connection method (SSLv2/v3/TLSv1),
-options, verification settings, timeout settings.
-
-=head1 RETURN VALUES
-
-The following return values can occur:
-
-=over 4
-
-=item NULL
-
-The creation of a new SSL structure failed. Check the error stack to
-find out the reason.
-
-=item Pointer to an SSL structure
-
-The return value points to an allocated SSL structure.
-
-=back
-
-=head1 SEE ALSO
-
-L<SSL_free(3)|SSL_free(3)>, L<SSL_clear(3)|SSL_clear(3)>,
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
-L<ssl(3)|ssl(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/ssl.pod b/crypto/openssl/doc/ssl/ssl.pod
index 2dcee0385a40..8c4970491c22 100644
--- a/crypto/openssl/doc/ssl/ssl.pod
+++ b/crypto/openssl/doc/ssl/ssl.pod
@@ -347,7 +347,7 @@ appropriate size (using ???) and return it.
long B<SSL_set_tmp_rsa_callback>(SSL *ssl, RSA *(*cb)(SSL *ssl, int export, int keylength));
-The same as L<"SSL_CTX_set_tmp_rsa_callback">, except it operates on an SSL
+The same as B<SSL_CTX_set_tmp_rsa_callback>, except it operates on an SSL
session instead of a context.
=item void B<SSL_CTX_set_verify>(SSL_CTX *ctx, int mode, int (*cb);(void))
diff --git a/crypto/openssl/e_os.h b/crypto/openssl/e_os.h
index d49c6ef7e739..58df717722c4 100644
--- a/crypto/openssl/e_os.h
+++ b/crypto/openssl/e_os.h
@@ -219,10 +219,11 @@ extern "C" {
# define _kbhit kbhit
# endif
-# if defined(WIN16) && !defined(MONOLITH) && defined(SSLEAY) && defined(_WINEXITNOPERSIST)
-# define EXIT(n) { if (n == 0) _wsetexit(_WINEXITNOPERSIST); return(n); }
+# if defined(WIN16) && defined(SSLEAY) && defined(_WINEXITNOPERSIST)
+# define EXIT(n) _wsetexit(_WINEXITNOPERSIST)
+# define OPENSSL_EXIT(n) do { if (n == 0) EXIT(n); return(n); } while(0)
# else
-# define EXIT(n) return(n);
+# define EXIT(n) return(n)
# endif
# define LIST_SEPARATOR_CHAR ';'
# ifndef X_OK
@@ -275,18 +276,13 @@ extern "C" {
the status is tagged as an error, which I believe is what is wanted here.
-- Richard Levitte
*/
-# if !defined(MONOLITH) || defined(OPENSSL_C)
-# define EXIT(n) do { int __VMS_EXIT = n; \
+# define EXIT(n) do { int __VMS_EXIT = n; \
if (__VMS_EXIT == 0) \
__VMS_EXIT = 1; \
else \
__VMS_EXIT = (n << 3) | 2; \
__VMS_EXIT |= 0x10000000; \
- exit(__VMS_EXIT); \
- return(__VMS_EXIT); } while(0)
-# else
-# define EXIT(n) return(n)
-# endif
+ exit(__VMS_EXIT); } while(0)
# define NO_SYS_PARAM_H
# else
/* !defined VMS */
@@ -317,11 +313,7 @@ extern "C" {
# define RFILE ".rnd"
# define LIST_SEPARATOR_CHAR ':'
# define NUL_DEV "/dev/null"
-# ifndef MONOLITH
-# define EXIT(n) exit(n); return(n)
-# else
-# define EXIT(n) return(n)
-# endif
+# define EXIT(n) exit(n)
# endif
# define SSLeay_getpid() getpid()
@@ -441,6 +433,14 @@ extern char *sys_errlist[]; extern int sys_nerr;
(((errnum)<0 || (errnum)>=sys_nerr) ? NULL : sys_errlist[errnum])
#endif
+#ifndef OPENSSL_EXIT
+# if defined(MONOLITH) && !defined(OPENSSL_C)
+# define OPENSSL_EXIT(n) return(n)
+# else
+# define OPENSSL_EXIT(n) do { EXIT(n); return(n); } while(0)
+# endif
+#endif
+
/***********************************************/
/* do we need to do this for getenv.
diff --git a/crypto/openssl/openssl.spec b/crypto/openssl/openssl.spec
index 7eb93ecaf8ac..c3ca2610e4ad 100644
--- a/crypto/openssl/openssl.spec
+++ b/crypto/openssl/openssl.spec
@@ -1,7 +1,7 @@
%define libmaj 0
%define libmin 9
%define librel 6
-%define librev d
+%define librev i
Release: 1
%define openssldir /var/ssl
diff --git a/crypto/openssl/ssl/Makefile.ssl b/crypto/openssl/ssl/Makefile.ssl
index 4b8053ace67c..c25e6c8ea1af 100644
--- a/crypto/openssl/ssl/Makefile.ssl
+++ b/crypto/openssl/ssl/Makefile.ssl
@@ -84,7 +84,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c
index 4a7aff59ad94..8c198d44b30b 100644
--- a/crypto/openssl/ssl/s23_clnt.c
+++ b/crypto/openssl/ssl/s23_clnt.c
@@ -54,8 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
#include <stdio.h>
@@ -89,18 +87,25 @@ SSL_METHOD *SSLv23_client_method(void)
if (init)
{
- memcpy((char *)&SSLv23_client_data,
- (char *)sslv23_base_method(),sizeof(SSL_METHOD));
- SSLv23_client_data.ssl_connect=ssl23_connect;
- SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv23_client_data,
+ (char *)sslv23_base_method(),sizeof(SSL_METHOD));
+ SSLv23_client_data.ssl_connect=ssl23_connect;
+ SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv23_client_data);
}
int ssl23_connect(SSL *s)
{
- BUF_MEM *buf;
+ BUF_MEM *buf=NULL;
unsigned long Time=time(NULL);
void (*cb)()=NULL;
int ret= -1;
@@ -154,6 +159,7 @@ int ssl23_connect(SSL *s)
goto end;
}
s->init_buf=buf;
+ buf=NULL;
}
if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
@@ -202,6 +208,8 @@ int ssl23_connect(SSL *s)
}
end:
s->in_handshake--;
+ if (buf != NULL)
+ BUF_MEM_free(buf);
if (cb != NULL)
cb(s,SSL_CB_CONNECT_EXIT,ret);
return(ret);
diff --git a/crypto/openssl/ssl/s23_lib.c b/crypto/openssl/ssl/s23_lib.c
index fe7e2d117363..ad2d8dadf755 100644
--- a/crypto/openssl/ssl/s23_lib.c
+++ b/crypto/openssl/ssl/s23_lib.c
@@ -54,8 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
#include <stdio.h>
diff --git a/crypto/openssl/ssl/s23_meth.c b/crypto/openssl/ssl/s23_meth.c
index 40684311db30..f207140835f8 100644
--- a/crypto/openssl/ssl/s23_meth.c
+++ b/crypto/openssl/ssl/s23_meth.c
@@ -80,12 +80,19 @@ SSL_METHOD *SSLv23_method(void)
if (init)
{
- memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(),
- sizeof(SSL_METHOD));
- SSLv23_data.ssl_connect=ssl23_connect;
- SSLv23_data.ssl_accept=ssl23_accept;
- SSLv23_data.get_ssl_method=ssl23_get_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv23_data.ssl_connect=ssl23_connect;
+ SSLv23_data.ssl_accept=ssl23_accept;
+ SSLv23_data.get_ssl_method=ssl23_get_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv23_data);
}
diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c
index b93f315bedab..40ffb65efd0a 100644
--- a/crypto/openssl/ssl/s23_srvr.c
+++ b/crypto/openssl/ssl/s23_srvr.c
@@ -54,8 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
@@ -141,11 +139,18 @@ SSL_METHOD *SSLv23_server_method(void)
if (init)
{
- memcpy((char *)&SSLv23_server_data,
- (char *)sslv23_base_method(),sizeof(SSL_METHOD));
- SSLv23_server_data.ssl_accept=ssl23_accept;
- SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv23_server_data,
+ (char *)sslv23_base_method(),sizeof(SSL_METHOD));
+ SSLv23_server_data.ssl_accept=ssl23_accept;
+ SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv23_server_data);
}
diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c
index 5f83570e0690..61adfcf199e2 100644
--- a/crypto/openssl/ssl/s2_clnt.c
+++ b/crypto/openssl/ssl/s2_clnt.c
@@ -107,7 +107,6 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
- * $FreeBSD$
*/
#include "ssl_locl.h"
@@ -146,11 +145,18 @@ SSL_METHOD *SSLv2_client_method(void)
if (init)
{
- memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(),
- sizeof(SSL_METHOD));
- SSLv2_client_data.ssl_connect=ssl2_connect;
- SSLv2_client_data.get_ssl_method=ssl2_get_client_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv2_client_data.ssl_connect=ssl2_connect;
+ SSLv2_client_data.get_ssl_method=ssl2_get_client_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv2_client_data);
}
@@ -202,10 +208,13 @@ int ssl2_connect(SSL *s)
if (!BUF_MEM_grow(buf,
SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
{
+ if (buf == s->init_buf)
+ buf=NULL;
ret= -1;
goto end;
}
s->init_buf=buf;
+ buf=NULL;
s->init_num=0;
s->state=SSL2_ST_SEND_CLIENT_HELLO_A;
s->ctx->stats.sess_connect++;
@@ -332,6 +341,8 @@ int ssl2_connect(SSL *s)
}
end:
s->in_handshake--;
+ if (buf != NULL)
+ BUF_MEM_free(buf);
if (cb != NULL)
cb(s,SSL_CB_CONNECT_EXIT,ret);
return(ret);
@@ -519,7 +530,12 @@ static int get_server_hello(SSL *s)
}
s->s2->conn_id_length=s->s2->tmp.conn_id_length;
- die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
+ if (s->s2->conn_id_length > sizeof s->s2->conn_id)
+ {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_SSL2_CONNECTION_ID_TOO_LONG);
+ return -1;
+ }
memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
return(1);
}
@@ -621,7 +637,12 @@ static int client_master_key(SSL *s)
/* make key_arg data */
i=EVP_CIPHER_iv_length(c);
sess->key_arg_length=i;
- die(i <= SSL_MAX_KEY_ARG_LENGTH);
+ if (i > SSL_MAX_KEY_ARG_LENGTH)
+ {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ return -1;
+ }
if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
/* make a master key */
@@ -629,7 +650,12 @@ static int client_master_key(SSL *s)
sess->master_key_length=i;
if (i > 0)
{
- die(i <= sizeof sess->master_key);
+ if (i > sizeof sess->master_key)
+ {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ return -1;
+ }
if (RAND_bytes(sess->master_key,i) <= 0)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
@@ -673,7 +699,12 @@ static int client_master_key(SSL *s)
d+=enc;
karg=sess->key_arg_length;
s2n(karg,p); /* key arg size */
- die(karg <= sizeof sess->key_arg);
+ if (karg > sizeof sess->key_arg)
+ {
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ return -1;
+ }
memcpy(d,sess->key_arg,(unsigned int)karg);
d+=karg;
@@ -694,7 +725,11 @@ static int client_finished(SSL *s)
{
p=(unsigned char *)s->init_buf->data;
*(p++)=SSL2_MT_CLIENT_FINISHED;
- die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
+ if (s->s2->conn_id_length > sizeof s->s2->conn_id)
+ {
+ SSLerr(SSL_F_CLIENT_FINISHED, SSL_R_INTERNAL_ERROR);
+ return -1;
+ }
memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
s->state=SSL2_ST_SEND_CLIENT_FINISHED_B;
@@ -722,8 +757,8 @@ static int client_certificate(SSL *s)
if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A)
{
i=ssl2_read(s,(char *)&(buf[s->init_num]),
- SSL2_MAX_CERT_CHALLENGE_LENGTH+1-s->init_num);
- if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+1-s->init_num))
+ SSL2_MAX_CERT_CHALLENGE_LENGTH+2-s->init_num);
+ if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+2-s->init_num))
return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i));
s->init_num += i;
@@ -951,10 +986,9 @@ static int get_server_finished(SSL *s)
{
if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
{
- die(s->session->session_id_length
- <= sizeof s->session->session_id);
- if (memcmp(buf,s->session->session_id,
- (unsigned int)s->session->session_id_length) != 0)
+ if ((s->session->session_id_length > sizeof s->session->session_id)
+ || (0 != memcmp(buf, s->session->session_id,
+ (unsigned int)s->session->session_id_length)))
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_SSL_SESSION_ID_IS_DIFFERENT);
diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c
index 69e5997b66a8..8e5975cdc82f 100644
--- a/crypto/openssl/ssl/s2_enc.c
+++ b/crypto/openssl/ssl/s2_enc.c
@@ -54,8 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
#include "ssl_locl.h"
@@ -98,7 +96,8 @@ int ssl2_enc_init(SSL *s, int client)
num=c->key_len;
s->s2->key_material_length=num*2;
- ssl2_generate_key_material(s);
+ if (ssl2_generate_key_material(s) <= 0)
+ return 0;
EVP_EncryptInit(ws,c,&(s->s2->key_material[(client)?num:0]),
s->session->key_arg);
diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c
index 5f8d7b130863..bc4113cd6811 100644
--- a/crypto/openssl/ssl/s2_lib.c
+++ b/crypto/openssl/ssl/s2_lib.c
@@ -54,8 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
#include "ssl_locl.h"
@@ -309,7 +307,7 @@ void ssl2_free(SSL *s)
s2=s->s2;
if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf);
if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf);
- memset(s2,0,sizeof *s2);
+ OPENSSL_cleanse(s2,sizeof *s2);
OPENSSL_free(s2);
s->s2=NULL;
}
@@ -378,15 +376,19 @@ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
{
CRYPTO_w_lock(CRYPTO_LOCK_SSL);
- for (i=0; i<SSL2_NUM_CIPHERS; i++)
- sorted[i]= &(ssl2_ciphers[i]);
+ if (init)
+ {
+ for (i=0; i<SSL2_NUM_CIPHERS; i++)
+ sorted[i]= &(ssl2_ciphers[i]);
- qsort( (char *)sorted,
- SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
- FP_ICC ssl_cipher_ptr_id_cmp);
+ qsort((char *)sorted,
+ SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
+ FP_ICC ssl_cipher_ptr_id_cmp);
+ init=0;
+ }
+
CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
- init=0;
}
id=0x02000000L|((unsigned long)p[0]<<16L)|
@@ -417,7 +419,7 @@ int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
return(3);
}
-void ssl2_generate_key_material(SSL *s)
+int ssl2_generate_key_material(SSL *s)
{
unsigned int i;
MD5_CTX ctx;
@@ -430,14 +432,24 @@ void ssl2_generate_key_material(SSL *s)
#endif
km=s->s2->key_material;
- die(s->s2->key_material_length <= sizeof s->s2->key_material);
+
+ if (s->session->master_key_length < 0 || s->session->master_key_length > sizeof s->session->master_key)
+ {
+ SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, SSL_R_INTERNAL_ERROR);
+ return 0;
+ }
+
for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
{
+ if (((km - s->s2->key_material) + MD5_DIGEST_LENGTH) > sizeof s->s2->key_material)
+ {
+ /* MD5_Final() below would write beyond buffer */
+ SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, SSL_R_INTERNAL_ERROR);
+ return 0;
+ }
+
MD5_Init(&ctx);
- die(s->session->master_key_length >= 0
- && s->session->master_key_length
- < sizeof s->session->master_key);
MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
MD5_Update(&ctx,&c,1);
c++;
@@ -446,6 +458,8 @@ void ssl2_generate_key_material(SSL *s)
MD5_Final(km,&ctx);
km+=MD5_DIGEST_LENGTH;
}
+
+ return 1;
}
void ssl2_return_error(SSL *s, int err)
@@ -470,18 +484,20 @@ void ssl2_write_error(SSL *s)
buf[2]=(s->error_code)&0xff;
/* state=s->rwstate;*/
- error=s->error;
+
+ error=s->error; /* number of bytes left to write */
s->error=0;
- die(error >= 0 && error <= 3);
+ if (error < 0 || error > sizeof buf) /* can't happen */
+ return;
+
i=ssl2_write(s,&(buf[3-error]),error);
+
/* if (i == error) s->rwstate=state; */
if (i < 0)
s->error=error;
else if (i != s->error)
s->error=error-i;
- /* else
- s->error=0; */
}
int ssl2_shutdown(SSL *s)
diff --git a/crypto/openssl/ssl/s2_meth.c b/crypto/openssl/ssl/s2_meth.c
index 01cc05ff51f6..4483572fcec9 100644
--- a/crypto/openssl/ssl/s2_meth.c
+++ b/crypto/openssl/ssl/s2_meth.c
@@ -54,8 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
#include "ssl_locl.h"
@@ -79,12 +77,19 @@ SSL_METHOD *SSLv2_method(void)
if (init)
{
- memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(),
- sizeof(SSL_METHOD));
- SSLv2_data.ssl_connect=ssl2_connect;
- SSLv2_data.ssl_accept=ssl2_accept;
- SSLv2_data.get_ssl_method=ssl2_get_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv2_data.ssl_connect=ssl2_connect;
+ SSLv2_data.ssl_accept=ssl2_accept;
+ SSLv2_data.get_ssl_method=ssl2_get_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv2_data);
}
diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c
index 067d9dfa68b4..3cd7597fe700 100644
--- a/crypto/openssl/ssl/s2_pkt.c
+++ b/crypto/openssl/ssl/s2_pkt.c
@@ -107,7 +107,6 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
- * $FreeBSD$
*/
#include "ssl_locl.h"
diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c
index b725800d1f92..4ba8fb6534d5 100644
--- a/crypto/openssl/ssl/s2_srvr.c
+++ b/crypto/openssl/ssl/s2_srvr.c
@@ -107,7 +107,6 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
- * $FreeBSD$
*/
#include "ssl_locl.h"
@@ -146,11 +145,18 @@ SSL_METHOD *SSLv2_server_method(void)
if (init)
{
- memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(),
- sizeof(SSL_METHOD));
- SSLv2_server_data.ssl_accept=ssl2_accept;
- SSLv2_server_data.get_ssl_method=ssl2_get_server_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv2_server_data.ssl_accept=ssl2_accept;
+ SSLv2_server_data.get_ssl_method=ssl2_get_server_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv2_server_data);
}
@@ -400,8 +406,7 @@ static int get_client_master_key(SSL *s)
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_READ_WRONG_PACKET_TYPE);
}
else
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
- SSL_R_PEER_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_PEER_ERROR);
return(-1);
}
@@ -409,8 +414,7 @@ static int get_client_master_key(SSL *s)
if (cp == NULL)
{
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
- SSL_R_NO_CIPHER_MATCH);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
return(-1);
}
s->session->cipher= cp;
@@ -421,8 +425,8 @@ static int get_client_master_key(SSL *s)
n2s(p,i); s->session->key_arg_length=i;
if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
{
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
- SSL_R_KEY_ARG_TOO_LONG);
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
return -1;
}
s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
@@ -430,11 +434,17 @@ static int get_client_master_key(SSL *s)
/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
p=(unsigned char *)s->init_buf->data;
- die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER);
+ if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
+ {
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ return -1;
+ }
keya=s->session->key_arg_length;
len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
{
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG);
return -1;
}
@@ -511,7 +521,13 @@ static int get_client_master_key(SSL *s)
#endif
if (is_export) i+=s->s2->tmp.clear;
- die(i <= SSL_MAX_MASTER_KEY_LENGTH);
+
+ if (i > SSL_MAX_MASTER_KEY_LENGTH)
+ {
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ return -1;
+ }
s->session->master_key_length=i;
memcpy(s->session->master_key,p,(unsigned int)i);
return(1);
@@ -561,6 +577,7 @@ static int get_client_hello(SSL *s)
if ( (i < SSL2_MIN_CHALLENGE_LENGTH) ||
(i > SSL2_MAX_CHALLENGE_LENGTH))
{
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_INVALID_CHALLENGE_LENGTH);
return(-1);
}
@@ -572,6 +589,7 @@ static int get_client_hello(SSL *s)
len = 9 + (unsigned long)s->s2->tmp.cipher_spec_length + (unsigned long)s->s2->challenge_length + (unsigned long)s->s2->tmp.session_id_length;
if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
{
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_MESSAGE_TOO_LONG);
return -1;
}
@@ -659,7 +677,12 @@ static int get_client_hello(SSL *s)
p+=s->s2->tmp.session_id_length;
/* challenge */
- die(s->s2->challenge_length <= sizeof s->s2->challenge);
+ if (s->s2->challenge_length > sizeof s->s2->challenge)
+ {
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_INTERNAL_ERROR);
+ return -1;
+ }
memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
return(1);
mem_err:
@@ -811,7 +834,12 @@ static int get_client_finished(SSL *s)
}
/* SSL2_ST_GET_CLIENT_FINISHED_B */
- die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
+ if (s->s2->conn_id_length > sizeof s->s2->conn_id)
+ {
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_INTERNAL_ERROR);
+ return -1;
+ }
len = 1 + (unsigned long)s->s2->conn_id_length;
n = (int)len - s->init_num;
i = ssl2_read(s,(char *)&(p[s->init_num]),n);
@@ -837,7 +865,11 @@ static int server_verify(SSL *s)
{
p=(unsigned char *)s->init_buf->data;
*(p++)=SSL2_MT_SERVER_VERIFY;
- die(s->s2->challenge_length <= sizeof s->s2->challenge);
+ if (s->s2->challenge_length > sizeof s->s2->challenge)
+ {
+ SSLerr(SSL_F_SERVER_VERIFY, SSL_R_INTERNAL_ERROR);
+ return -1;
+ }
memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
/* p+=s->s2->challenge_length; */
@@ -857,10 +889,12 @@ static int server_finish(SSL *s)
p=(unsigned char *)s->init_buf->data;
*(p++)=SSL2_MT_SERVER_FINISHED;
- die(s->session->session_id_length
- <= sizeof s->session->session_id);
- memcpy(p,s->session->session_id,
- (unsigned int)s->session->session_id_length);
+ if (s->session->session_id_length > sizeof s->session->session_id)
+ {
+ SSLerr(SSL_F_SERVER_FINISH, SSL_R_INTERNAL_ERROR);
+ return -1;
+ }
+ memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length);
/* p+=s->session->session_id_length; */
s->state=SSL2_ST_SEND_SERVER_FINISHED_B;
@@ -974,7 +1008,7 @@ static int request_certificate(SSL *s)
len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen;
if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
{
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG);
+ SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG);
goto end;
}
j = (int)len - s->init_num;
diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c
index b921d9a43d0e..60c97ee62940 100644
--- a/crypto/openssl/ssl/s3_clnt.c
+++ b/crypto/openssl/ssl/s3_clnt.c
@@ -146,18 +146,25 @@ SSL_METHOD *SSLv3_client_method(void)
if (init)
{
- init=0;
- memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
- sizeof(SSL_METHOD));
- SSLv3_client_data.ssl_connect=ssl3_connect;
- SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv3_client_data.ssl_connect=ssl3_connect;
+ SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv3_client_data);
}
int ssl3_connect(SSL *s)
{
- BUF_MEM *buf;
+ BUF_MEM *buf=NULL;
unsigned long Time=time(NULL),l;
long num1;
void (*cb)()=NULL;
@@ -218,6 +225,7 @@ int ssl3_connect(SSL *s)
goto end;
}
s->init_buf=buf;
+ buf=NULL;
}
if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
@@ -496,6 +504,8 @@ int ssl3_connect(SSL *s)
}
end:
s->in_handshake--;
+ if (buf != NULL)
+ BUF_MEM_free(buf);
if (cb != NULL)
cb(s,SSL_CB_CONNECT_EXIT,ret);
return(ret);
@@ -546,7 +556,11 @@ static int ssl3_client_hello(SSL *s)
*(p++)=i;
if (i != 0)
{
- die(i <= sizeof s->session->session_id);
+ if (i > sizeof s->session->session_id)
+ {
+ SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_INTERNAL_ERROR);
+ goto err;
+ }
memcpy(p,s->session->session_id,i);
p+=i;
}
@@ -628,23 +642,11 @@ static int ssl3_get_server_hello(SSL *s)
/* get the session-id */
j= *(p++);
- if(j > sizeof s->session->session_id)
- {
- al=SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
- SSL_R_SSL3_SESSION_ID_TOO_LONG);
- goto f_err;
- }
-
- if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
+ if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
{
- /* SSLref returns 16 :-( */
- if (j < SSL2_SSL_SESSION_ID_LENGTH)
- {
- al=SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
- goto f_err;
- }
+ al=SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
+ goto f_err;
}
if (j != 0 && j == s->session->session_id_length
&& memcmp(p,s->session->session_id,j) == 0)
@@ -652,6 +654,7 @@ static int ssl3_get_server_hello(SSL *s)
if(s->sid_ctx_length != s->session->sid_ctx_length
|| memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
{
+ /* actually a client application bug */
al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
goto f_err;
@@ -695,7 +698,12 @@ static int ssl3_get_server_hello(SSL *s)
goto f_err;
}
- if (s->hit && (s->session->cipher != c))
+ /* Depending on the session caching (internal/external), the cipher
+ and/or cipher_id values may not be set. Make sure that
+ cipher_id is set and use it for comparison. */
+ if (s->session->cipher)
+ s->session->cipher_id = s->session->cipher->id;
+ if (s->hit && (s->session->cipher_id != c->id))
{
if (!(s->options &
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
@@ -1456,7 +1464,7 @@ static int ssl3_send_client_key_exchange(SSL *s)
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,
tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
- memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH);
+ OPENSSL_cleanse(tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
}
else
#endif
diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c
index 79fa4f97c24f..bbadac0d3705 100644
--- a/crypto/openssl/ssl/s3_enc.c
+++ b/crypto/openssl/ssl/s3_enc.c
@@ -174,7 +174,7 @@ static void ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
km+=MD5_DIGEST_LENGTH;
}
- memset(smd,0,SHA_DIGEST_LENGTH);
+ OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH);
}
int ssl3_change_cipher_state(SSL *s, int which)
@@ -318,8 +318,8 @@ int ssl3_change_cipher_state(SSL *s, int which)
EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE));
- memset(&(exp_key[0]),0,sizeof(exp_key));
- memset(&(exp_iv[0]),0,sizeof(exp_iv));
+ OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key));
+ OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv));
return(1);
err:
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
@@ -390,7 +390,7 @@ void ssl3_cleanup_key_block(SSL *s)
{
if (s->s3->tmp.key_block != NULL)
{
- memset(s->s3->tmp.key_block,0,
+ OPENSSL_cleanse(s->s3->tmp.key_block,
s->s3->tmp.key_block_length);
OPENSSL_free(s->s3->tmp.key_block);
s->s3->tmp.key_block=NULL;
@@ -456,6 +456,7 @@ int ssl3_enc(SSL *s, int send)
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
return 0;
}
+ /* otherwise, rec->length >= bs */
}
EVP_Cipher(ds,rec->data,rec->input,l);
@@ -464,7 +465,7 @@ int ssl3_enc(SSL *s, int send)
{
i=rec->data[l-1]+1;
/* SSL 3.0 bounds the number of padding bytes by the block size;
- * padding bytes (except that last) are arbitrary */
+ * padding bytes (except the last one) are arbitrary */
if (i > bs)
{
/* Incorrect padding. SSLerr() and ssl3_alert are done
@@ -473,6 +474,7 @@ int ssl3_enc(SSL *s, int send)
* (see http://www.openssl.org/~bodo/tls-cbc.txt) */
return -1;
}
+ /* now i <= bs <= rec->length */
rec->length-=i;
}
}
diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c
index 9951ebb4191e..fb8ce5e2e318 100644
--- a/crypto/openssl/ssl/s3_lib.c
+++ b/crypto/openssl/ssl/s3_lib.c
@@ -732,7 +732,7 @@ void ssl3_free(SSL *s)
#endif
if (s->s3->tmp.ca_names != NULL)
sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
- memset(s->s3,0,sizeof *s->s3);
+ OPENSSL_cleanse(s->s3,sizeof *s->s3);
OPENSSL_free(s->s3);
s->s3=NULL;
}
@@ -1084,16 +1084,19 @@ SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
{
CRYPTO_w_lock(CRYPTO_LOCK_SSL);
- for (i=0; i<SSL3_NUM_CIPHERS; i++)
- sorted[i]= &(ssl3_ciphers[i]);
+ if (init)
+ {
+ for (i=0; i<SSL3_NUM_CIPHERS; i++)
+ sorted[i]= &(ssl3_ciphers[i]);
- qsort( (char *)sorted,
- SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
- FP_ICC ssl_cipher_ptr_id_cmp);
+ qsort(sorted,
+ SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
+ FP_ICC ssl_cipher_ptr_id_cmp);
+ init=0;
+ }
+
CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-
- init=0;
}
id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
diff --git a/crypto/openssl/ssl/s3_meth.c b/crypto/openssl/ssl/s3_meth.c
index 81bcad89c52f..1fd7a96f87ba 100644
--- a/crypto/openssl/ssl/s3_meth.c
+++ b/crypto/openssl/ssl/s3_meth.c
@@ -76,12 +76,19 @@ SSL_METHOD *SSLv3_method(void)
if (init)
{
- memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(),
- sizeof(SSL_METHOD));
- SSLv3_data.ssl_connect=ssl3_connect;
- SSLv3_data.ssl_accept=ssl3_accept;
- SSLv3_data.get_ssl_method=ssl3_get_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv3_data.ssl_connect=ssl3_connect;
+ SSLv3_data.ssl_accept=ssl3_accept;
+ SSLv3_data.get_ssl_method=ssl3_get_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv3_data);
}
diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c
index f52303c7c3e0..caf975d68880 100644
--- a/crypto/openssl/ssl/s3_pkt.c
+++ b/crypto/openssl/ssl/s3_pkt.c
@@ -238,6 +238,8 @@ static int ssl3_get_record(SSL *s)
unsigned int mac_size;
int clear=0;
size_t extra;
+ int decryption_failed_or_bad_record_mac = 0;
+ unsigned char *mac = NULL;
rr= &(s->s3->rrec);
sess=s->session;
@@ -353,8 +355,11 @@ again:
/* SSLerr() and ssl3_send_alert() have been called */
goto err;
- /* otherwise enc_err == -1 */
- goto decryption_failed_or_bad_record_mac;
+ /* Otherwise enc_err == -1, which indicates bad padding
+ * (rec->length has not been changed in this case).
+ * To minimize information leaked via timing, we will perform
+ * the MAC computation anyway. */
+ decryption_failed_or_bad_record_mac = 1;
}
#ifdef TLS_DEBUG
@@ -380,28 +385,46 @@ printf("\n");
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
goto f_err;
#else
- goto decryption_failed_or_bad_record_mac;
+ decryption_failed_or_bad_record_mac = 1;
#endif
}
/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
- if (rr->length < mac_size)
+ if (rr->length >= mac_size)
{
+ rr->length -= mac_size;
+ mac = &rr->data[rr->length];
+ }
+ else
+ {
+ /* record (minus padding) is too short to contain a MAC */
#if 0 /* OK only for stream ciphers */
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
goto f_err;
#else
- goto decryption_failed_or_bad_record_mac;
+ decryption_failed_or_bad_record_mac = 1;
+ rr->length = 0;
#endif
}
- rr->length-=mac_size;
i=s->method->ssl3_enc->mac(s,md,0);
- if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
+ if (mac == NULL || memcmp(md, mac, mac_size) != 0)
{
- goto decryption_failed_or_bad_record_mac;
+ decryption_failed_or_bad_record_mac = 1;
}
}
+ if (decryption_failed_or_bad_record_mac)
+ {
+ /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
+ * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
+ * failure is directly visible from the ciphertext anyway,
+ * we should not reveal which kind of error occured -- this
+ * might become visible to an attacker (e.g. via a logfile) */
+ al=SSL_AD_BAD_RECORD_MAC;
+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+ goto f_err;
+ }
+
/* r->length is now just compressed */
if (s->expand != NULL)
{
@@ -443,14 +466,6 @@ printf("\n");
return(1);
-decryption_failed_or_bad_record_mac:
- /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
- * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
- * failure is directly visible from the ciphertext anyway,
- * we should not reveal which kind of error occured -- this
- * might become visible to an attacker (e.g. via logfile) */
- al=SSL_AD_BAD_RECORD_MAC;
- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
err:
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
index d211fd48cb40..6b414cfa5c8b 100644
--- a/crypto/openssl/ssl/s3_srvr.c
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -151,11 +151,18 @@ SSL_METHOD *SSLv3_server_method(void)
if (init)
{
- memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
- sizeof(SSL_METHOD));
- SSLv3_server_data.ssl_accept=ssl3_accept;
- SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv3_server_data.ssl_accept=ssl3_accept;
+ SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv3_server_data);
}
@@ -949,7 +956,11 @@ static int ssl3_send_server_hello(SSL *s)
s->session->session_id_length=0;
sl=s->session->session_id_length;
- die(sl <= sizeof s->session->session_id);
+ if (sl > sizeof s->session->session_id)
+ {
+ SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_INTERNAL_ERROR);
+ return -1;
+ }
*(p++)=sl;
memcpy(p,s->session->session_id,sl);
p+=sl;
@@ -1460,7 +1471,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,
p,i);
- memset(p,0,i);
+ OPENSSL_cleanse(p,i);
}
else
#endif
@@ -1523,7 +1534,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,p,i);
- memset(p,0,i);
+ OPENSSL_cleanse(p,i);
}
else
#endif
@@ -1555,7 +1566,7 @@ static int ssl3_get_cert_verify(SSL *s)
SSL3_ST_SR_CERT_VRFY_A,
SSL3_ST_SR_CERT_VRFY_B,
-1,
- 512, /* 512? */
+ 514, /* 514? */
&ok);
if (!ok) return((int)n);
diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h
index e0c0be727ae1..ed2eae96e3a1 100644
--- a/crypto/openssl/ssl/ssl.h
+++ b/crypto/openssl/ssl/ssl.h
@@ -551,10 +551,11 @@ struct ssl_ctx_st
#define SSL_SESS_CACHE_SERVER 0x0002
#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
-/* This one, when set, makes the server session-id lookup not look
- * in the cache. If there is an application get_session callback
- * defined, this will still get called. */
+/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
+#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
+#define SSL_SESS_CACHE_NO_INTERNAL \
+ (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
#define SSL_CTX_sess_number(ctx) \
@@ -1285,6 +1286,7 @@ void ERR_load_SSL_strings(void);
/* Function codes. */
#define SSL_F_CLIENT_CERTIFICATE 100
+#define SSL_F_CLIENT_FINISHED 238
#define SSL_F_CLIENT_HELLO 101
#define SSL_F_CLIENT_MASTER_KEY 102
#define SSL_F_D2I_SSL_SESSION 103
@@ -1298,7 +1300,9 @@ void ERR_load_SSL_strings(void);
#define SSL_F_I2D_SSL_SESSION 111
#define SSL_F_READ_N 112
#define SSL_F_REQUEST_CERTIFICATE 113
+#define SSL_F_SERVER_FINISH 239
#define SSL_F_SERVER_HELLO 114
+#define SSL_F_SERVER_VERIFY 240
#define SSL_F_SSL23_ACCEPT 115
#define SSL_F_SSL23_CLIENT_HELLO 116
#define SSL_F_SSL23_CONNECT 117
@@ -1310,6 +1314,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL2_ACCEPT 122
#define SSL_F_SSL2_CONNECT 123
#define SSL_F_SSL2_ENC_INIT 124
+#define SSL_F_SSL2_GENERATE_KEY_MATERIAL 241
#define SSL_F_SSL2_PEEK 234
#define SSL_F_SSL2_READ 125
#define SSL_F_SSL2_READ_INTERNAL 236
@@ -1345,6 +1350,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152
#define SSL_F_SSL3_SEND_CLIENT_VERIFY 153
#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE 154
+#define SSL_F_SSL3_SEND_SERVER_HELLO 242
#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE 155
#define SSL_F_SSL3_SETUP_BUFFERS 156
#define SSL_F_SSL3_SETUP_KEY_BLOCK 157
@@ -1559,6 +1565,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_SHORT_READ 219
#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
+#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 1114
#define SSL_R_SSL3_SESSION_ID_TOO_LONG 1113
#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
diff --git a/crypto/openssl/ssl/ssl_asn1.c b/crypto/openssl/ssl/ssl_asn1.c
index 3de1dbc42e79..00f9fda357ae 100644
--- a/crypto/openssl/ssl/ssl_asn1.c
+++ b/crypto/openssl/ssl/ssl_asn1.c
@@ -273,10 +273,11 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
if (os.length > i)
- os.length=i;
+ os.length = i;
+ if (os.length > sizeof ret->session_id) /* can't happen */
+ os.length = sizeof ret->session_id;
ret->session_id_length=os.length;
- die(os.length <= sizeof ret->session_id);
memcpy(ret->session_id,os.data,os.length);
M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c
index b1b7c22e6b86..b77b35feefd1 100644
--- a/crypto/openssl/ssl/ssl_err.c
+++ b/crypto/openssl/ssl/ssl_err.c
@@ -67,6 +67,7 @@
static ERR_STRING_DATA SSL_str_functs[]=
{
{ERR_PACK(0,SSL_F_CLIENT_CERTIFICATE,0), "CLIENT_CERTIFICATE"},
+{ERR_PACK(0,SSL_F_CLIENT_FINISHED,0), "CLIENT_FINISHED"},
{ERR_PACK(0,SSL_F_CLIENT_HELLO,0), "CLIENT_HELLO"},
{ERR_PACK(0,SSL_F_CLIENT_MASTER_KEY,0), "CLIENT_MASTER_KEY"},
{ERR_PACK(0,SSL_F_D2I_SSL_SESSION,0), "d2i_SSL_SESSION"},
@@ -80,7 +81,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_I2D_SSL_SESSION,0), "i2d_SSL_SESSION"},
{ERR_PACK(0,SSL_F_READ_N,0), "READ_N"},
{ERR_PACK(0,SSL_F_REQUEST_CERTIFICATE,0), "REQUEST_CERTIFICATE"},
+{ERR_PACK(0,SSL_F_SERVER_FINISH,0), "SERVER_FINISH"},
{ERR_PACK(0,SSL_F_SERVER_HELLO,0), "SERVER_HELLO"},
+{ERR_PACK(0,SSL_F_SERVER_VERIFY,0), "SERVER_VERIFY"},
{ERR_PACK(0,SSL_F_SSL23_ACCEPT,0), "SSL23_ACCEPT"},
{ERR_PACK(0,SSL_F_SSL23_CLIENT_HELLO,0), "SSL23_CLIENT_HELLO"},
{ERR_PACK(0,SSL_F_SSL23_CONNECT,0), "SSL23_CONNECT"},
@@ -92,6 +95,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL2_ACCEPT,0), "SSL2_ACCEPT"},
{ERR_PACK(0,SSL_F_SSL2_CONNECT,0), "SSL2_CONNECT"},
{ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0), "SSL2_ENC_INIT"},
+{ERR_PACK(0,SSL_F_SSL2_GENERATE_KEY_MATERIAL,0), "SSL2_GENERATE_KEY_MATERIAL"},
{ERR_PACK(0,SSL_F_SSL2_PEEK,0), "SSL2_PEEK"},
{ERR_PACK(0,SSL_F_SSL2_READ,0), "SSL2_READ"},
{ERR_PACK(0,SSL_F_SSL2_READ_INTERNAL,0), "SSL2_READ_INTERNAL"},
@@ -127,6 +131,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,0), "SSL3_SEND_CLIENT_KEY_EXCHANGE"},
{ERR_PACK(0,SSL_F_SSL3_SEND_CLIENT_VERIFY,0), "SSL3_SEND_CLIENT_VERIFY"},
{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_CERTIFICATE,0), "SSL3_SEND_SERVER_CERTIFICATE"},
+{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_HELLO,0), "SSL3_SEND_SERVER_HELLO"},
{ERR_PACK(0,SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,0), "SSL3_SEND_SERVER_KEY_EXCHANGE"},
{ERR_PACK(0,SSL_F_SSL3_SETUP_BUFFERS,0), "SSL3_SETUP_BUFFERS"},
{ERR_PACK(0,SSL_F_SSL3_SETUP_KEY_BLOCK,0), "SSL3_SETUP_KEY_BLOCK"},
@@ -344,6 +349,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_SHORT_READ ,"short read"},
{SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
{SSL_R_SSL23_DOING_SESSION_ID_REUSE ,"ssl23 doing session id reuse"},
+{SSL_R_SSL2_CONNECTION_ID_TOO_LONG ,"ssl2 connection id too long"},
{SSL_R_SSL3_SESSION_ID_TOO_LONG ,"ssl3 session id too long"},
{SSL_R_SSL3_SESSION_ID_TOO_SHORT ,"ssl3 session id too short"},
{SSL_R_SSLV3_ALERT_BAD_CERTIFICATE ,"sslv3 alert bad certificate"},
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index 4f84a3476da0..6bc3d4d70ea9 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c
@@ -1245,13 +1245,24 @@ void SSL_CTX_free(SSL_CTX *a)
abort(); /* ok */
}
#endif
+
+ /*
+ * Free internal session cache. However: the remove_cb() may reference
+ * the ex_data of SSL_CTX, thus the ex_data store can only be removed
+ * after the sessions were flushed.
+ * As the ex_data handling routines might also touch the session cache,
+ * the most secure solution seems to be: empty (flush) the cache, then
+ * free ex_data, then finally free the cache.
+ * (See ticket [openssl.org #212].)
+ */
+ if (a->sessions != NULL)
+ SSL_CTX_flush_sessions(a,0);
+
CRYPTO_free_ex_data(ssl_ctx_meth,(char *)a,&a->ex_data);
if (a->sessions != NULL)
- {
- SSL_CTX_flush_sessions(a,0);
- lh_free(a->sessions);
- }
+ lh_free(a->sessions);
+
if (a->cert_store != NULL)
X509_STORE_free(a->cert_store);
if (a->cipher_list != NULL)
@@ -1472,7 +1483,7 @@ void ssl_update_cache(SSL *s,int mode)
i=s->ctx->session_cache_mode;
if ((i & mode) && (!s->hit)
- && ((i & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)
+ && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
|| SSL_CTX_add_session(s->ctx,s->session))
&& (s->ctx->new_session_cb != NULL))
{
diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h
index 9297cd2dc34a..d15b33048eaf 100644
--- a/crypto/openssl/ssl/ssl_locl.h
+++ b/crypto/openssl/ssl/ssl_locl.h
@@ -500,7 +500,7 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
int ssl_verify_alarm_type(long type);
int ssl2_enc_init(SSL *s, int client);
-void ssl2_generate_key_material(SSL *s);
+int ssl2_generate_key_material(SSL *s);
void ssl2_enc(SSL *s,int send_data);
void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c
index 87cd8a9b86c0..a8668e42e640 100644
--- a/crypto/openssl/ssl/ssl_sess.c
+++ b/crypto/openssl/ssl/ssl_sess.c
@@ -200,7 +200,12 @@ int ssl_get_new_session(SSL *s, int session)
ss->session_id_length=0;
}
- die(s->sid_ctx_length <= sizeof ss->sid_ctx);
+ if (s->sid_ctx_length > sizeof ss->sid_ctx)
+ {
+ SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_INTERNAL_ERROR);
+ SSL_SESSION_free(ss);
+ return 0;
+ }
memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
ss->sid_ctx_length=s->sid_ctx_length;
s->session=ss;
@@ -253,9 +258,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
if (copy)
CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
- /* The following should not return 1, otherwise,
- * things are very strange */
- SSL_CTX_add_session(s->ctx,ret);
+ /* Add the externally cached session to the internal
+ * cache as well if and only if we are supposed to. */
+ if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
+ /* The following should not return 1, otherwise,
+ * things are very strange */
+ SSL_CTX_add_session(s->ctx,ret);
}
if (ret == NULL)
goto err;
@@ -469,13 +477,13 @@ void SSL_SESSION_free(SSL_SESSION *ss)
CRYPTO_free_ex_data(ssl_session_meth,ss,&ss->ex_data);
- memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH);
- memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH);
- memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH);
+ OPENSSL_cleanse(ss->key_arg,SSL_MAX_KEY_ARG_LENGTH);
+ OPENSSL_cleanse(ss->master_key,SSL_MAX_MASTER_KEY_LENGTH);
+ OPENSSL_cleanse(ss->session_id,SSL_MAX_SSL_SESSION_ID_LENGTH);
if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
if (ss->peer != NULL) X509_free(ss->peer);
if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
- memset(ss,0,sizeof(*ss));
+ OPENSSL_cleanse(ss,sizeof(*ss));
OPENSSL_free(ss);
}
diff --git a/crypto/openssl/ssl/ssltest.c b/crypto/openssl/ssl/ssltest.c
index 5f91ed19c737..3de9663e51ae 100644
--- a/crypto/openssl/ssl/ssltest.c
+++ b/crypto/openssl/ssl/ssltest.c
@@ -224,12 +224,13 @@ int main(int argc, char *argv[])
verbose = 0;
debug = 0;
cipher = 0;
-
+
+ bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
RAND_seed(rnd_seed, sizeof rnd_seed);
- bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
argc--;
@@ -247,12 +248,22 @@ int main(int argc, char *argv[])
debug=1;
else if (strcmp(*argv,"-reuse") == 0)
reuse=1;
-#ifndef NO_DH
else if (strcmp(*argv,"-dhe1024") == 0)
+ {
+#ifndef NO_DH
dhe1024=1;
+#else
+ fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
+#endif
+ }
else if (strcmp(*argv,"-dhe1024dsa") == 0)
+ {
+#ifndef NO_DH
dhe1024dsa=1;
+#else
+ fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
#endif
+ }
else if (strcmp(*argv,"-no_dhe") == 0)
no_dhe=1;
else if (strcmp(*argv,"-ssl2") == 0)
@@ -355,7 +366,7 @@ bad:
"the test anyway (and\n-d to see what happens), "
"or add one of -ssl2, -ssl3, -tls1, -reuse\n"
"to avoid protocol mismatch.\n");
- exit(1);
+ EXIT(1);
}
if (print_time)
@@ -620,6 +631,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
int i, r;
clock_t c_clock = clock();
+ memset(cbuf, 0, sizeof(cbuf));
+
if (debug)
if (SSL_in_init(c_ssl))
printf("client waiting in SSL_connect - %s\n",
@@ -704,6 +717,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
int i, r;
clock_t s_clock = clock();
+ memset(sbuf, 0, sizeof(sbuf));
+
if (debug)
if (SSL_in_init(s_ssl))
printf("server waiting in SSL_accept - %s\n",
@@ -947,6 +962,9 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
int c_write,s_write;
int do_server=0,do_client=0;
+ memset(cbuf,0,sizeof(cbuf));
+ memset(sbuf,0,sizeof(sbuf));
+
c_to_s=BIO_new(BIO_s_mem());
s_to_c=BIO_new(BIO_s_mem());
if ((s_to_c == NULL) || (c_to_s == NULL))
diff --git a/crypto/openssl/ssl/t1_clnt.c b/crypto/openssl/ssl/t1_clnt.c
index 9745630a008c..f68b9cc08567 100644
--- a/crypto/openssl/ssl/t1_clnt.c
+++ b/crypto/openssl/ssl/t1_clnt.c
@@ -79,11 +79,18 @@ SSL_METHOD *TLSv1_client_method(void)
if (init)
{
- memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
- sizeof(SSL_METHOD));
- TLSv1_client_data.ssl_connect=ssl3_connect;
- TLSv1_client_data.get_ssl_method=tls1_get_client_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
+ sizeof(SSL_METHOD));
+ TLSv1_client_data.ssl_connect=ssl3_connect;
+ TLSv1_client_data.get_ssl_method=tls1_get_client_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&TLSv1_client_data);
}
diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c
index f3ecc5f5869e..a11e1130d8de 100644
--- a/crypto/openssl/ssl/t1_enc.c
+++ b/crypto/openssl/ssl/t1_enc.c
@@ -158,7 +158,7 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
}
HMAC_cleanup(&ctx);
HMAC_cleanup(&ctx_tmp);
- memset(A1,0,sizeof(A1));
+ OPENSSL_cleanse(A1,sizeof(A1));
}
static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
@@ -372,10 +372,10 @@ printf("\niv=");
printf("\n");
#endif
- memset(tmp1,0,sizeof(tmp1));
- memset(tmp2,0,sizeof(tmp1));
- memset(iv1,0,sizeof(iv1));
- memset(iv2,0,sizeof(iv2));
+ OPENSSL_cleanse(tmp1,sizeof(tmp1));
+ OPENSSL_cleanse(tmp2,sizeof(tmp1));
+ OPENSSL_cleanse(iv1,sizeof(iv1));
+ OPENSSL_cleanse(iv2,sizeof(iv2));
return(1);
err:
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
@@ -426,7 +426,7 @@ printf("pre-master\n");
{ int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
#endif
tls1_generate_key_block(s,p1,p2,num);
- memset(p2,0,num);
+ OPENSSL_cleanse(p2,num);
OPENSSL_free(p2);
#ifdef TLS_DEBUG
printf("\nkey block\n");
diff --git a/crypto/openssl/ssl/t1_meth.c b/crypto/openssl/ssl/t1_meth.c
index 9bb36a7d1ca9..fcc243f78264 100644
--- a/crypto/openssl/ssl/t1_meth.c
+++ b/crypto/openssl/ssl/t1_meth.c
@@ -76,13 +76,21 @@ SSL_METHOD *TLSv1_method(void)
if (init)
{
- memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(),
- sizeof(SSL_METHOD));
- TLSv1_data.ssl_connect=ssl3_connect;
- TLSv1_data.ssl_accept=ssl3_accept;
- TLSv1_data.get_ssl_method=tls1_get_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(),
+ sizeof(SSL_METHOD));
+ TLSv1_data.ssl_connect=ssl3_connect;
+ TLSv1_data.ssl_accept=ssl3_accept;
+ TLSv1_data.get_ssl_method=tls1_get_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
+
return(&TLSv1_data);
}
diff --git a/crypto/openssl/ssl/t1_srvr.c b/crypto/openssl/ssl/t1_srvr.c
index 996b7ca8e2ef..7486c553de4e 100644
--- a/crypto/openssl/ssl/t1_srvr.c
+++ b/crypto/openssl/ssl/t1_srvr.c
@@ -80,11 +80,18 @@ SSL_METHOD *TLSv1_server_method(void)
if (init)
{
- memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
- sizeof(SSL_METHOD));
- TLSv1_server_data.ssl_accept=ssl3_accept;
- TLSv1_server_data.get_ssl_method=tls1_get_server_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
+ sizeof(SSL_METHOD));
+ TLSv1_server_data.ssl_accept=ssl3_accept;
+ TLSv1_server_data.get_ssl_method=tls1_get_server_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&TLSv1_server_data);
}
diff --git a/crypto/openssl/test/Makefile.ssl b/crypto/openssl/test/Makefile.ssl
index 3cb1283d7c60..a6e22a3b86c0 100644
--- a/crypto/openssl/test/Makefile.ssl
+++ b/crypto/openssl/test/Makefile.ssl
@@ -85,7 +85,7 @@ top:
all: exe
-exe: $(EXE)
+exe: $(EXE) dummytest
files:
$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
@@ -93,6 +93,10 @@ files:
links:
@@$(TOP)/util/point.sh Makefile.ssl Makefile
+generate: $(SRC)
+$(SRC):
+ @$(TOP)/util/point.sh dummytest.c $@
+
errors:
install:
@@ -109,7 +113,7 @@ tests: exe apps \
test_ss test_ca test_ssl
apps:
- @(cd ../apps; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all)
+ @(cd ..; $(MAKE) DIRS=apps all)
test_des:
./$(DESTEST)
@@ -233,7 +237,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC)
+ $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -243,10 +247,10 @@ clean:
rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log
$(DLIBSSL):
- (cd ../ssl; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')
+ (cd ..; $(MAKE) DIRS=ssl all)
$(DLIBCRYPTO):
- (cd ../crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')
+ (cd ..; $(MAKE) DIRS=crypto all)
$(RSATEST): $(RSATEST).o $(DLIBCRYPTO)
$(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
@@ -317,9 +321,13 @@ $(METHTEST): $(METHTEST).o $(DLIBCRYPTO)
$(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
$(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBCRYPTO) $(EX_LIBS)
+dummytest: dummytest.o $(DLIBCRYPTO)
+ $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
+
# DO NOT DELETE THIS LINE -- make depend depends on it.
-bftest.o: ../include/openssl/blowfish.h
+bftest.o: ../e_os.h ../include/openssl/blowfish.h ../include/openssl/e_os2.h
+bftest.o: ../include/openssl/opensslconf.h
bntest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
bntest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
bntest.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@@ -339,29 +347,31 @@ bntest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
bntest.o: ../include/openssl/sha.h ../include/openssl/stack.h
bntest.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
bntest.o: ../include/openssl/x509_vfy.h
-casttest.o: ../include/openssl/cast.h
+casttest.o: ../e_os.h ../include/openssl/cast.h ../include/openssl/e_os2.h
+casttest.o: ../include/openssl/opensslconf.h
destest.o: ../include/openssl/des.h ../include/openssl/e_os2.h
destest.o: ../include/openssl/opensslconf.h
-dhtest.o: ../include/openssl/bio.h ../include/openssl/bn.h
+dhtest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
dhtest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
-dhtest.o: ../include/openssl/err.h ../include/openssl/lhash.h
-dhtest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-dhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
-dhtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-dsatest.o: ../include/openssl/bio.h ../include/openssl/bn.h
+dhtest.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+dhtest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+dhtest.o: ../include/openssl/opensslv.h ../include/openssl/rand.h
+dhtest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+dhtest.o: ../include/openssl/symhacks.h
+dsatest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
dsatest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
-dsatest.o: ../include/openssl/dsa.h ../include/openssl/err.h
-dsatest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-dsatest.o: ../include/openssl/opensslv.h ../include/openssl/rand.h
-dsatest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-dsatest.o: ../include/openssl/symhacks.h
-exptest.o: ../include/openssl/bio.h ../include/openssl/bn.h
-exptest.o: ../include/openssl/crypto.h ../include/openssl/err.h
-exptest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-exptest.o: ../include/openssl/opensslv.h ../include/openssl/rand.h
-exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-exptest.o: ../include/openssl/symhacks.h
-hmactest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+dsatest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+dsatest.o: ../include/openssl/err.h ../include/openssl/lhash.h
+dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dsatest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+dsatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+exptest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
+exptest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+exptest.o: ../include/openssl/err.h ../include/openssl/lhash.h
+exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+exptest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+exptest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+hmactest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
hmactest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
hmactest.o: ../include/openssl/cast.h ../include/openssl/crypto.h
hmactest.o: ../include/openssl/des.h ../include/openssl/dh.h
@@ -376,17 +386,26 @@ hmactest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
hmactest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
hmactest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
hmactest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ideatest.o: ../include/openssl/idea.h ../include/openssl/opensslconf.h
-md2test.o: ../include/openssl/md2.h ../include/openssl/opensslconf.h
-md4test.o: ../include/openssl/md4.h
-md5test.o: ../include/openssl/md5.h
-mdc2test.o: ../include/openssl/des.h ../include/openssl/e_os2.h
+ideatest.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/idea.h
+ideatest.o: ../include/openssl/opensslconf.h
+md2test.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/md2.h
+md2test.o: ../include/openssl/opensslconf.h
+md4test.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/md4.h
+md4test.o: ../include/openssl/opensslconf.h
+md5test.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/md5.h
+md5test.o: ../include/openssl/opensslconf.h
+mdc2test.o: ../e_os.h ../include/openssl/des.h ../include/openssl/e_os2.h
mdc2test.o: ../include/openssl/mdc2.h ../include/openssl/opensslconf.h
-randtest.o: ../include/openssl/rand.h
+randtest.o: ../e_os.h ../include/openssl/e_os2.h
+randtest.o: ../include/openssl/opensslconf.h ../include/openssl/rand.h
+rc2test.o: ../e_os.h ../include/openssl/e_os2.h
rc2test.o: ../include/openssl/opensslconf.h ../include/openssl/rc2.h
+rc4test.o: ../e_os.h ../include/openssl/e_os2.h
rc4test.o: ../include/openssl/opensslconf.h ../include/openssl/rc4.h
-rc5test.o: ../include/openssl/rc5.h
-rmdtest.o: ../include/openssl/ripemd.h
+rc5test.o: ../e_os.h ../include/openssl/e_os2.h
+rc5test.o: ../include/openssl/opensslconf.h ../include/openssl/rc5.h
+rmdtest.o: ../e_os.h ../include/openssl/e_os2.h
+rmdtest.o: ../include/openssl/opensslconf.h ../include/openssl/ripemd.h
rsa_test.o: ../include/openssl/bio.h ../include/openssl/bn.h
rsa_test.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/err.h
@@ -394,8 +413,10 @@ rsa_test.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
rsa_test.o: ../include/openssl/opensslv.h ../include/openssl/rand.h
rsa_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
rsa_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-sha1test.o: ../include/openssl/sha.h
-shatest.o: ../include/openssl/sha.h
+sha1test.o: ../e_os.h ../include/openssl/e_os2.h
+sha1test.o: ../include/openssl/opensslconf.h ../include/openssl/sha.h
+shatest.o: ../e_os.h ../include/openssl/e_os2.h
+shatest.o: ../include/openssl/opensslconf.h ../include/openssl/sha.h
ssltest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
ssltest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
ssltest.o: ../include/openssl/buffer.h ../include/openssl/cast.h
diff --git a/crypto/openssl/test/methtest.c b/crypto/openssl/test/methtest.c
index 06ccb3b31087..005c2f48220e 100644
--- a/crypto/openssl/test/methtest.c
+++ b/crypto/openssl/test/methtest.c
@@ -96,10 +96,10 @@ char *argv[];
METH_init(top);
METH_control(tmp1,METH_CONTROL_DUMP,stdout);
METH_control(tmp2,METH_CONTROL_DUMP,stdout);
- exit(0);
+ EXIT(0);
err:
ERR_load_crypto_strings();
ERR_print_errors_fp(stderr);
- exit(1);
+ EXIT(1);
return(0);
}
diff --git a/crypto/openssl/test/testssl b/crypto/openssl/test/testssl
index 2151a6438cda..ad4f45f1fa13 100644
--- a/crypto/openssl/test/testssl
+++ b/crypto/openssl/test/testssl
@@ -112,8 +112,12 @@ $ssltest -bio_pair -server_auth -client_auth $CA || exit 1
#############################################################################
-echo test tls1 with 1024bit anonymous DH, multiple handshakes
-$ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time || exit 1
+if ../apps/openssl no-dh; then
+ echo skipping anonymous DH tests
+else
+ echo test tls1 with 1024bit anonymous DH, multiple handshakes
+ $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time || exit 1
+fi
if ../apps/openssl no-rsa; then
echo skipping RSA tests
@@ -121,8 +125,12 @@ else
echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time || exit 1
- echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
- ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time || exit 1
+ if ../apps/openssl no-dh; then
+ echo skipping RSA+DHE tests
+ else
+ echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
+ ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time || exit 1
+ fi
fi
exit 0
diff --git a/crypto/openssl/tools/c_rehash b/crypto/openssl/tools/c_rehash
index 5f3bd4c7d98b..5b521d96eb6b 100644
--- a/crypto/openssl/tools/c_rehash
+++ b/crypto/openssl/tools/c_rehash
@@ -100,7 +100,8 @@ sub check_file {
sub link_hash_cert {
my $fname = $_[0];
- my ($hash, $fprint) = `$openssl x509 -hash -fingerprint -noout -in $fname`;
+ $fname =~ s/'/'\\''/g;
+ my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname'`;
chomp $hash;
chomp $fprint;
$fprint =~ s/^.*=//;
@@ -130,7 +131,8 @@ sub link_hash_cert {
sub link_hash_crl {
my $fname = $_[0];
- my ($hash, $fprint) = `$openssl crl -hash -fingerprint -noout -in $fname`;
+ $fname =~ s/'/'\\''/g;
+ my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
chomp $hash;
chomp $fprint;
$fprint =~ s/^.*=//;
diff --git a/crypto/openssl/tools/c_rehash.in b/crypto/openssl/tools/c_rehash.in
index 26db8999d8c8..132c0e4cebb5 100644
--- a/crypto/openssl/tools/c_rehash.in
+++ b/crypto/openssl/tools/c_rehash.in
@@ -100,7 +100,8 @@ sub check_file {
sub link_hash_cert {
my $fname = $_[0];
- my ($hash, $fprint) = `$openssl x509 -hash -fingerprint -noout -in $fname`;
+ $fname =~ s/'/'\\''/g;
+ my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname'`;
chomp $hash;
chomp $fprint;
$fprint =~ s/^.*=//;
@@ -130,7 +131,8 @@ sub link_hash_cert {
sub link_hash_crl {
my $fname = $_[0];
- my ($hash, $fprint) = `$openssl crl -hash -fingerprint -noout -in $fname`;
+ $fname =~ s/'/'\\''/g;
+ my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
chomp $hash;
chomp $fprint;
$fprint =~ s/^.*=//;
diff --git a/crypto/openssl/util/libeay.num b/crypto/openssl/util/libeay.num
index ef6573cc7d3d..cfae8e59ddb8 100755
--- a/crypto/openssl/util/libeay.num
+++ b/crypto/openssl/util/libeay.num
@@ -301,8 +301,8 @@ EVP_des_ede_cfb 308 EXIST::FUNCTION:DES
EVP_des_ede_ofb 309 EXIST::FUNCTION:DES
EVP_des_ofb 310 EXIST::FUNCTION:DES
EVP_desx_cbc 311 EXIST::FUNCTION:DES
-EVP_dss 312 EXIST::FUNCTION:SHA,DSA
-EVP_dss1 313 EXIST::FUNCTION:SHA,DSA
+EVP_dss 312 EXIST::FUNCTION:DSA,SHA
+EVP_dss1 313 EXIST::FUNCTION:DSA,SHA
EVP_enc_null 314 EXIST::FUNCTION:
EVP_get_cipherbyname 315 EXIST::FUNCTION:
EVP_get_digestbyname 316 EXIST::FUNCTION:
@@ -1212,7 +1212,7 @@ name_cmp 1239 EXIST::FUNCTION:
str_dup 1240 NOEXIST::FUNCTION:
i2s_ASN1_ENUMERATED 1241 EXIST::FUNCTION:
i2s_ASN1_ENUMERATED_TABLE 1242 EXIST::FUNCTION:
-BIO_s_log 1243 EXIST:!WIN16,!WIN32,!macintosh:FUNCTION:
+BIO_s_log 1243 EXIST:!WIN32,!macintosh,!WIN16:FUNCTION:
BIO_f_reliable 1244 EXIST::FUNCTION:
PKCS7_dataFinal 1245 EXIST::FUNCTION:
PKCS7_dataDecode 1246 EXIST::FUNCTION:
@@ -1934,3 +1934,4 @@ ENGINE_set_ctrl_function 2522 NOEXIST::FUNCTION:
BN_pseudo_rand_range 2523 EXIST::FUNCTION:
X509_STORE_CTX_set_verify_cb 2524 EXIST::FUNCTION:
ERR_load_COMP_strings 2525 EXIST::FUNCTION:
+OPENSSL_cleanse 3245 EXIST::FUNCTION:
diff --git a/crypto/openssl/util/mk1mf.pl b/crypto/openssl/util/mk1mf.pl
index 4cc7881d8d73..efdf77e74fb3 100755
--- a/crypto/openssl/util/mk1mf.pl
+++ b/crypto/openssl/util/mk1mf.pl
@@ -206,7 +206,7 @@ $cflags.=" -DNO_MD4" if $no_md4;
$cflags.=" -DNO_MD5" if $no_md5;
$cflags.=" -DNO_SHA" if $no_sha;
$cflags.=" -DNO_SHA1" if $no_sha1;
-$cflags.=" -DNO_RIPEMD" if $no_rmd160;
+$cflags.=" -DNO_RIPEMD" if $no_ripemd;
$cflags.=" -DNO_MDC2" if $no_mdc2;
$cflags.=" -DNO_BF" if $no_bf;
$cflags.=" -DNO_CAST" if $no_cast;
@@ -674,7 +674,7 @@ sub var_add
@a=grep(!/(^md2)|(_md2$)/,@a) if $no_md2;
@a=grep(!/(^md4)|(_md4$)/,@a) if $no_md4;
@a=grep(!/(^md5)|(_md5$)/,@a) if $no_md5;
- @a=grep(!/(rmd)|(ripemd)/,@a) if $no_rmd160;
+ @a=grep(!/(rmd)|(ripemd)/,@a) if $no_ripemd;
@a=grep(!/(^d2i_r_)|(^i2d_r_)/,@a) if $no_rsa;
@a=grep(!/(^p_open$)|(^p_seal$)/,@a) if $no_rsa;
@@ -883,7 +883,7 @@ sub read_options
elsif (/^just-ssl$/) { $no_rc2=$no_idea=$no_des=$no_bf=$no_cast=1;
$no_md2=$no_sha=$no_mdc2=$no_dsa=$no_dh=1;
- $no_ssl2=$no_err=$no_rmd160=$no_rc5=1; }
+ $no_ssl2=$no_err=$no_ripemd=$no_rc5=1; }
elsif (/^rsaref$/) { $rsaref=1; }
elsif (/^gcc$/) { $gcc=1; }
diff --git a/crypto/openssl/util/mkcerts.sh b/crypto/openssl/util/mkcerts.sh
index 5f8a1dae7395..0184fcb70ece 100755
--- a/crypto/openssl/util/mkcerts.sh
+++ b/crypto/openssl/util/mkcerts.sh
@@ -1,4 +1,4 @@
-#!bin/sh
+#!/bin/sh
# This script will re-make all the required certs.
# cd apps
@@ -12,8 +12,8 @@
#
CAbits=1024
-SSLEAY="../apps/ssleay"
-CONF="-config ../apps/ssleay.cnf"
+SSLEAY="../apps/openssl"
+CONF="-config ../apps/openssl.cnf"
# create pca request.
echo creating $CAbits bit PCA cert request
diff --git a/crypto/openssl/util/mkerr.pl b/crypto/openssl/util/mkerr.pl
index f833bfe87a1a..449aa57bbaf0 100644
--- a/crypto/openssl/util/mkerr.pl
+++ b/crypto/openssl/util/mkerr.pl
@@ -320,7 +320,7 @@ EOF
print OUT <<"EOF";
/* $cfile */
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/crypto/openssl/util/pl/BC-32.pl b/crypto/openssl/util/pl/BC-32.pl
index c268c495507c..655606cc1666 100644
--- a/crypto/openssl/util/pl/BC-32.pl
+++ b/crypto/openssl/util/pl/BC-32.pl
@@ -52,9 +52,9 @@ $lfile='';
$shlib_ex_obj="";
$app_ex_obj="c0x32.obj";
-$asm='n_o_T_a_s_m';
+$asm='nasmw -f obj';
$asm.=" /Zi" if $debug;
-$afile='/Fo';
+$afile='-o';
$bn_mulw_obj='';
$bn_mulw_src='';
diff --git a/crypto/openssl/util/pl/Mingw32.pl b/crypto/openssl/util/pl/Mingw32.pl
index 02a5086f8236..37f36126f371 100644
--- a/crypto/openssl/util/pl/Mingw32.pl
+++ b/crypto/openssl/util/pl/Mingw32.pl
@@ -1,7 +1,6 @@
#!/usr/local/bin/perl
#
# Mingw32.pl -- Mingw32 with GNU cp (Mingw32f.pl uses DOS tools)
-# $FreeBSD$
#
$o='/';
diff --git a/crypto/openssl/util/pod2mantest b/crypto/openssl/util/pod2mantest
index 449ef14f1b43..026a6a1789d2 100755
--- a/crypto/openssl/util/pod2mantest
+++ b/crypto/openssl/util/pod2mantest
@@ -11,7 +11,8 @@
IFS=:
-try_without_dir=false
+
+try_without_dir=true
# First we try "pod2man", then "$dir/pod2man" for each item in $PATH.
for dir in dummy:$PATH; do
if [ "$try_without_dir" = true ]; then
@@ -29,9 +30,16 @@ for dir in dummy:$PATH; do
if [ ! "$pod2man" = '' ]; then
failure=none
+ if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | fgrep OpenSSL >/dev/null; then
+ :
+ else
+ failure=BasicTest
+ fi
- if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | grep '^MARKER - ' >/dev/null 2>&1; then
- failure=MultilineTest
+ if [ "$failure" = none ]; then
+ if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | grep '^MARKER - ' >/dev/null; then
+ failure=MultilineTest
+ fi
fi
@@ -45,9 +53,5 @@ for dir in dummy:$PATH; do
done
echo "No working pod2man found. Consider installing a new version." >&2
-if [ "$1" = ignore ]; then
- echo "As a workaround, we'll use a bundled old copy of pod2man.pl." >&2
- echo "../../util/pod2man.pl"
- exit 0
-fi
-exit 1
+echo "As a workaround, we'll use a bundled old copy of pod2man.pl." >&2
+echo "$1 ../../util/pod2man.pl"
diff --git a/secure/lib/libcrypto/Makefile b/secure/lib/libcrypto/Makefile
index c5ce1c656033..85f31390e791 100644
--- a/secure/lib/libcrypto/Makefile
+++ b/secure/lib/libcrypto/Makefile
@@ -35,8 +35,8 @@ SHLIB_MAJOR= 2
MAINTAINER= kris
# base sources
-SRCS+= cpt_err.c cryptlib.c cversion.c ebcdic.c ex_data.c mem.c mem_dbg.c \
- tmdiff.c uid.c
+SRCS+= cpt_err.c cryptlib.c cversion.c ebcdic.c ex_data.c mem.c mem_clr.c \
+ mem_dbg.c tmdiff.c uid.c
# asn1
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 088f4cb7dbbd..5635fe2708dc 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.6.2"
-BRANCH="RELEASE-p7"
+BRANCH="RELEASE-p8"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"