aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSimon L. B. Nielsen <simon@FreeBSD.org>2009-06-14 19:45:16 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2009-06-14 19:45:16 +0000
commitdb522d3ae42d8f706499b4b4bc97836292ab180b (patch)
tree90cf0e59374e08e88c1514f35c4b2aab0cccd66d
parentc2919fd8ff94c932db22574ea40588912805799e (diff)
parent27de41c0e2f408da6b42112c27b4dad0a07432e0 (diff)
downloadsrc-db522d3ae42d8f706499b4b4bc97836292ab180b.tar.gz
src-db522d3ae42d8f706499b4b4bc97836292ab180b.zip
Merge OpenSSL 0.9.8k into head.
Approved by: re
Notes
Notes: svn path=/head/; revision=194206
-rw-r--r--crypto/openssl/CHANGES473
-rw-r--r--crypto/openssl/ChangeLog.0_9_7-stable_not-in-head163
-rw-r--r--crypto/openssl/ChangeLog.0_9_7-stable_not-in-head_FIPS1494
-rwxr-xr-xcrypto/openssl/Configure423
-rw-r--r--crypto/openssl/FAQ85
-rw-r--r--crypto/openssl/INSTALL4
-rw-r--r--crypto/openssl/LICENSE2
-rw-r--r--crypto/openssl/Makefile158
-rw-r--r--crypto/openssl/Makefile.org158
-rw-r--r--crypto/openssl/Makefile.shared50
-rw-r--r--crypto/openssl/NEWS33
-rw-r--r--crypto/openssl/README19
-rw-r--r--crypto/openssl/apps/Makefile555
-rw-r--r--crypto/openssl/apps/apps.c236
-rw-r--r--crypto/openssl/apps/apps.h22
-rw-r--r--crypto/openssl/apps/asn1pars.c2
-rw-r--r--crypto/openssl/apps/ca.c11
-rw-r--r--crypto/openssl/apps/cms.c1347
-rw-r--r--crypto/openssl/apps/crl.c21
-rw-r--r--crypto/openssl/apps/dgst.c77
-rw-r--r--crypto/openssl/apps/dsa.c44
-rw-r--r--crypto/openssl/apps/ec.c2
-rw-r--r--crypto/openssl/apps/enc.c16
-rw-r--r--crypto/openssl/apps/engine.c6
-rw-r--r--crypto/openssl/apps/gendsa.c8
-rw-r--r--crypto/openssl/apps/genpkey.c440
-rw-r--r--crypto/openssl/apps/genrsa.c23
l---------crypto/openssl/apps/md4.c1
-rw-r--r--crypto/openssl/apps/nseq.c2
-rw-r--r--crypto/openssl/apps/ocsp.c216
-rw-r--r--crypto/openssl/apps/openssl.c14
-rw-r--r--crypto/openssl/apps/pkcs12.c32
-rw-r--r--crypto/openssl/apps/pkcs8.c2
-rw-r--r--crypto/openssl/apps/pkey.c284
-rw-r--r--crypto/openssl/apps/pkeyparam.c201
-rw-r--r--crypto/openssl/apps/pkeyutl.c570
-rw-r--r--crypto/openssl/apps/progs.h19
-rw-r--r--crypto/openssl/apps/progs.pl8
-rw-r--r--crypto/openssl/apps/rand.c29
-rw-r--r--crypto/openssl/apps/req.c3
-rw-r--r--crypto/openssl/apps/rsa.c4
-rw-r--r--crypto/openssl/apps/rsautl.c38
-rw-r--r--crypto/openssl/apps/s_apps.h3
-rw-r--r--crypto/openssl/apps/s_cb.c61
-rw-r--r--crypto/openssl/apps/s_client.c275
-rw-r--r--crypto/openssl/apps/s_server.c503
-rw-r--r--crypto/openssl/apps/smime.c9
-rw-r--r--crypto/openssl/apps/speed.c142
-rw-r--r--crypto/openssl/apps/spkac.c2
-rw-r--r--crypto/openssl/apps/ts.c1144
-rw-r--r--crypto/openssl/apps/tsget195
-rw-r--r--crypto/openssl/apps/version.c2
-rw-r--r--crypto/openssl/apps/x509.c11
-rw-r--r--crypto/openssl/certs/README.RootCerts4
-rw-r--r--crypto/openssl/certs/RegTP-5R.pem19
-rw-r--r--crypto/openssl/certs/RegTP-6R.pem19
-rw-r--r--crypto/openssl/certs/aol1.pem22
-rw-r--r--crypto/openssl/certs/aol2.pem33
-rw-r--r--crypto/openssl/certs/aoltw1.pem23
-rw-r--r--crypto/openssl/certs/aoltw2.pem34
-rw-r--r--crypto/openssl/certs/argena.pem39
-rw-r--r--crypto/openssl/certs/argeng.pem23
-rw-r--r--crypto/openssl/certs/demo/nortelCA.pem16
-rw-r--r--crypto/openssl/certs/demo/timCA.pem16
-rw-r--r--crypto/openssl/certs/demo/tjhCA.pem15
-rw-r--r--crypto/openssl/certs/demo/vsigntca.pem18
-rw-r--r--crypto/openssl/certs/eng1.pem23
-rw-r--r--crypto/openssl/certs/eng2.pem23
-rw-r--r--crypto/openssl/certs/eng3.pem34
-rw-r--r--crypto/openssl/certs/eng4.pem23
-rw-r--r--crypto/openssl/certs/eng5.pem23
-rw-r--r--crypto/openssl/certs/expired/ICE-CA.pem59
-rw-r--r--crypto/openssl/certs/expired/ICE-root.pem48
-rw-r--r--crypto/openssl/certs/expired/ICE-user.pem63
-rw-r--r--crypto/openssl/certs/expired/RegTP-4R.pem19
-rw-r--r--crypto/openssl/certs/expired/factory.pem15
-rw-r--r--crypto/openssl/certs/expired/rsa-cca.pem19
-rw-r--r--crypto/openssl/certs/expired/rsa-ssca.pem19
-rw-r--r--crypto/openssl/certs/expired/vsign2.pem18
-rw-r--r--crypto/openssl/certs/expired/vsign3.pem18
-rw-r--r--crypto/openssl/certs/thawteCb.pem19
-rw-r--r--crypto/openssl/certs/thawteCp.pem19
-rw-r--r--crypto/openssl/certs/vsign1.pem17
-rw-r--r--crypto/openssl/certs/vsign3.pem17
-rw-r--r--crypto/openssl/certs/vsignss.pem17
-rw-r--r--crypto/openssl/certs/wellsfgo.pem23
-rwxr-xr-xcrypto/openssl/config37
-rw-r--r--crypto/openssl/crypto/Makefile30
-rw-r--r--crypto/openssl/crypto/aes/Makefile20
-rw-r--r--crypto/openssl/crypto/aes/aes.h10
-rw-r--r--crypto/openssl/crypto/aes/aes_cbc.c2
-rw-r--r--crypto/openssl/crypto/aes/aes_core.c8
-rw-r--r--crypto/openssl/crypto/aes/aes_ige.c206
-rw-r--r--crypto/openssl/crypto/aes/aes_wrap.c259
-rw-r--r--crypto/openssl/crypto/aes/aes_x86core.c1063
-rwxr-xr-xcrypto/openssl/crypto/aes/asm/aes-586.pl15
-rwxr-xr-xcrypto/openssl/crypto/aes/asm/aes-armv4.pl1030
-rw-r--r--crypto/openssl/crypto/aes/asm/aes-ia64.S1819
-rwxr-xr-xcrypto/openssl/crypto/aes/asm/aes-ppc.pl1176
-rwxr-xr-xcrypto/openssl/crypto/aes/asm/aes-s390x.pl1333
-rwxr-xr-xcrypto/openssl/crypto/aes/asm/aes-sparcv9.pl1181
-rwxr-xr-xcrypto/openssl/crypto/aes/asm/aes-x86_64.pl1579
-rw-r--r--crypto/openssl/crypto/asn1/Makefile496
-rw-r--r--crypto/openssl/crypto/asn1/a_bytes.c2
-rw-r--r--crypto/openssl/crypto/asn1/a_mbstr.c2
-rw-r--r--crypto/openssl/crypto/asn1/a_object.c1
-rw-r--r--crypto/openssl/crypto/asn1/a_sign.c7
-rw-r--r--crypto/openssl/crypto/asn1/a_strex.c2
-rw-r--r--crypto/openssl/crypto/asn1/a_strnid.c2
-rw-r--r--crypto/openssl/crypto/asn1/a_type.c26
-rw-r--r--crypto/openssl/crypto/asn1/a_verify.c7
-rw-r--r--crypto/openssl/crypto/asn1/ameth_lib.c446
-rw-r--r--crypto/openssl/crypto/asn1/asn1.h118
-rw-r--r--crypto/openssl/crypto/asn1/asn1_err.c19
-rw-r--r--crypto/openssl/crypto/asn1/asn1_gen.c2
-rw-r--r--crypto/openssl/crypto/asn1/asn1_lib.c8
-rw-r--r--crypto/openssl/crypto/asn1/asn1_locl.h134
-rw-r--r--crypto/openssl/crypto/asn1/asn1_par.c2
-rw-r--r--crypto/openssl/crypto/asn1/asn1t.h9
-rw-r--r--crypto/openssl/crypto/asn1/asn_mime.c874
-rw-r--r--crypto/openssl/crypto/asn1/asn_moid.c4
-rw-r--r--crypto/openssl/crypto/asn1/asn_pack.c2
-rw-r--r--crypto/openssl/crypto/asn1/bio_asn1.c495
-rw-r--r--crypto/openssl/crypto/asn1/bio_ndef.c246
-rw-r--r--crypto/openssl/crypto/asn1/nsseq.c2
-rw-r--r--crypto/openssl/crypto/asn1/p5_pbe.c2
-rw-r--r--crypto/openssl/crypto/asn1/p5_pbev2.c2
-rw-r--r--crypto/openssl/crypto/asn1/p8_pkey.c2
-rw-r--r--crypto/openssl/crypto/asn1/t_bitst.c2
-rw-r--r--crypto/openssl/crypto/asn1/t_crl.c2
-rw-r--r--crypto/openssl/crypto/asn1/t_req.c4
-rw-r--r--crypto/openssl/crypto/asn1/t_spki.c2
-rw-r--r--crypto/openssl/crypto/asn1/t_x509.c22
-rw-r--r--crypto/openssl/crypto/asn1/t_x509a.c2
-rw-r--r--crypto/openssl/crypto/asn1/tasn_dec.c40
-rw-r--r--crypto/openssl/crypto/asn1/tasn_enc.c6
-rw-r--r--crypto/openssl/crypto/asn1/tasn_fre.c6
-rw-r--r--crypto/openssl/crypto/asn1/tasn_new.c2
-rw-r--r--crypto/openssl/crypto/asn1/tasn_prn.c2
-rw-r--r--crypto/openssl/crypto/asn1/tasn_typ.c2
-rw-r--r--crypto/openssl/crypto/asn1/tasn_utl.c2
-rw-r--r--crypto/openssl/crypto/asn1/x_algor.c59
-rw-r--r--crypto/openssl/crypto/asn1/x_bignum.c2
-rw-r--r--crypto/openssl/crypto/asn1/x_crl.c2
-rw-r--r--crypto/openssl/crypto/asn1/x_exten.c7
-rw-r--r--crypto/openssl/crypto/asn1/x_long.c2
-rw-r--r--crypto/openssl/crypto/asn1/x_name.c40
-rw-r--r--crypto/openssl/crypto/asn1/x_nx509.c72
-rw-r--r--crypto/openssl/crypto/asn1/x_x509a.c2
-rw-r--r--crypto/openssl/crypto/bf/Makefile10
-rw-r--r--crypto/openssl/crypto/bf/bf_skey.c7
-rw-r--r--crypto/openssl/crypto/bf/blowfish.h4
-rw-r--r--crypto/openssl/crypto/bio/Makefile2
-rw-r--r--crypto/openssl/crypto/bio/b_print.c4
-rw-r--r--crypto/openssl/crypto/bio/b_sock.c32
-rw-r--r--crypto/openssl/crypto/bio/bio.h17
-rw-r--r--crypto/openssl/crypto/bio/bss_bio.c2
-rw-r--r--crypto/openssl/crypto/bio/bss_dgram.c70
-rw-r--r--crypto/openssl/crypto/bio/bss_file.c10
-rw-r--r--crypto/openssl/crypto/bio/bss_mem.c22
-rw-r--r--crypto/openssl/crypto/bio/bss_sock.c5
-rw-r--r--crypto/openssl/crypto/bn/Makefile25
-rwxr-xr-xcrypto/openssl/crypto/bn/asm/alpha-mont.pl317
-rwxr-xr-xcrypto/openssl/crypto/bn/asm/armv4-mont.pl200
-rw-r--r--crypto/openssl/crypto/bn/asm/ia64.S35
-rwxr-xr-xcrypto/openssl/crypto/bn/asm/mips3-mont.pl327
-rwxr-xr-xcrypto/openssl/crypto/bn/asm/mo-586.pl603
-rwxr-xr-xcrypto/openssl/crypto/bn/asm/ppc-mont.pl323
-rwxr-xr-xcrypto/openssl/crypto/bn/asm/ppc64-mont.pl918
-rwxr-xr-xcrypto/openssl/crypto/bn/asm/s390x-mont.pl225
-rwxr-xr-xcrypto/openssl/crypto/bn/asm/s390x.S678
-rwxr-xr-xcrypto/openssl/crypto/bn/asm/sparcv9-mont.pl606
-rwxr-xr-xcrypto/openssl/crypto/bn/asm/sparcv9a-mont.pl882
-rwxr-xr-xcrypto/openssl/crypto/bn/asm/via-mont.pl242
-rwxr-xr-xcrypto/openssl/crypto/bn/asm/x86-mont.pl591
-rwxr-xr-xcrypto/openssl/crypto/bn/asm/x86_64-mont.pl214
-rw-r--r--crypto/openssl/crypto/bn/bn.h40
-rw-r--r--crypto/openssl/crypto/bn/bn_blind.c12
-rw-r--r--crypto/openssl/crypto/bn/bn_div.c249
-rw-r--r--crypto/openssl/crypto/bn/bn_err.c4
-rw-r--r--crypto/openssl/crypto/bn/bn_exp.c20
-rw-r--r--crypto/openssl/crypto/bn/bn_gcd.c161
-rw-r--r--crypto/openssl/crypto/bn/bn_gf2m.c6
-rw-r--r--crypto/openssl/crypto/bn/bn_lcl.h1
-rw-r--r--crypto/openssl/crypto/bn/bn_lib.c21
-rw-r--r--crypto/openssl/crypto/bn/bn_mont.c321
-rw-r--r--crypto/openssl/crypto/bn/bn_mul.c15
-rw-r--r--crypto/openssl/crypto/bn/bn_nist.c877
-rw-r--r--crypto/openssl/crypto/bn/bn_opt.c87
-rw-r--r--crypto/openssl/crypto/bn/bn_prime.c4
-rw-r--r--crypto/openssl/crypto/bn/bn_prime.h4
-rw-r--r--crypto/openssl/crypto/bn/bn_prime.pl4
-rw-r--r--crypto/openssl/crypto/bn/bn_rand.c6
-rw-r--r--crypto/openssl/crypto/bn/bn_shift.c2
-rw-r--r--crypto/openssl/crypto/bn/bn_x931p.c272
-rw-r--r--crypto/openssl/crypto/bn/bntest.c64
-rw-r--r--crypto/openssl/crypto/buffer/Makefile13
-rw-r--r--crypto/openssl/crypto/buffer/buf_str.c116
-rw-r--r--crypto/openssl/crypto/buffer/buffer.c58
-rw-r--r--crypto/openssl/crypto/camellia/Makefile2
-rwxr-xr-xcrypto/openssl/crypto/camellia/asm/cmll-x86.pl1138
-rwxr-xr-xcrypto/openssl/crypto/camellia/asm/cmll-x86_64.pl1080
-rw-r--r--crypto/openssl/crypto/camellia/camellia.h5
-rw-r--r--crypto/openssl/crypto/camellia/cmll_misc.c13
-rw-r--r--crypto/openssl/crypto/cast/Makefile9
-rw-r--r--crypto/openssl/crypto/cast/c_skey.c7
-rw-r--r--crypto/openssl/crypto/cast/cast.h4
-rw-r--r--crypto/openssl/crypto/cms/Makefile183
-rw-r--r--crypto/openssl/crypto/cms/cms.h473
-rw-r--r--crypto/openssl/crypto/cms/cms_asn1.c346
-rw-r--r--crypto/openssl/crypto/cms/cms_att.c195
-rw-r--r--crypto/openssl/crypto/cms/cms_cd.c134
-rw-r--r--crypto/openssl/crypto/cms/cms_dd.c148
-rw-r--r--crypto/openssl/crypto/cms/cms_enc.c262
-rw-r--r--crypto/openssl/crypto/cms/cms_env.c825
-rw-r--r--crypto/openssl/crypto/cms/cms_err.c236
-rw-r--r--crypto/openssl/crypto/cms/cms_ess.c420
-rw-r--r--crypto/openssl/crypto/cms/cms_io.c140
-rw-r--r--crypto/openssl/crypto/cms/cms_lcl.h460
-rw-r--r--crypto/openssl/crypto/cms/cms_lib.c623
-rw-r--r--crypto/openssl/crypto/cms/cms_sd.c1014
-rw-r--r--crypto/openssl/crypto/cms/cms_smime.c811
-rw-r--r--crypto/openssl/crypto/comp/Makefile2
-rw-r--r--crypto/openssl/crypto/comp/c_zlib.c391
-rw-r--r--crypto/openssl/crypto/comp/comp.h14
-rw-r--r--crypto/openssl/crypto/comp/comp_err.c9
-rw-r--r--crypto/openssl/crypto/conf/Makefile17
-rw-r--r--crypto/openssl/crypto/conf/conf.h1
-rw-r--r--crypto/openssl/crypto/conf/conf_api.c2
-rw-r--r--crypto/openssl/crypto/conf/conf_mall.c4
-rw-r--r--crypto/openssl/crypto/conf/conf_mod.c13
-rw-r--r--crypto/openssl/crypto/conf/conf_sap.c6
-rw-r--r--crypto/openssl/crypto/cryptlib.c351
-rw-r--r--crypto/openssl/crypto/cryptlib.h1
-rw-r--r--crypto/openssl/crypto/crypto.h85
-rw-r--r--crypto/openssl/crypto/des/Makefile33
-rw-r--r--crypto/openssl/crypto/des/asm/des_enc.m4345
-rw-r--r--crypto/openssl/crypto/des/des.h3
-rw-r--r--crypto/openssl/crypto/des/des_enc.c4
-rw-r--r--crypto/openssl/crypto/des/des_lib.c106
-rw-r--r--crypto/openssl/crypto/des/des_old.c2
-rw-r--r--crypto/openssl/crypto/des/des_old.h3
-rw-r--r--crypto/openssl/crypto/des/ecb_enc.c47
-rw-r--r--crypto/openssl/crypto/des/enc_read.c4
-rw-r--r--crypto/openssl/crypto/des/enc_writ.c4
-rw-r--r--crypto/openssl/crypto/des/set_key.c11
-rw-r--r--crypto/openssl/crypto/des/times/usparc.cc2
-rw-r--r--crypto/openssl/crypto/des/xcbc_enc.c4
-rw-r--r--crypto/openssl/crypto/dh/Makefile20
-rw-r--r--crypto/openssl/crypto/dh/dh.h11
-rw-r--r--crypto/openssl/crypto/dh/dh_asn1.c2
-rw-r--r--crypto/openssl/crypto/dh/dh_check.c6
-rw-r--r--crypto/openssl/crypto/dh/dh_err.c6
-rw-r--r--crypto/openssl/crypto/dh/dh_gen.c4
-rw-r--r--crypto/openssl/crypto/dh/dh_key.c8
-rw-r--r--crypto/openssl/crypto/dsa/Makefile77
-rw-r--r--crypto/openssl/crypto/dsa/dsa.h39
-rw-r--r--crypto/openssl/crypto/dsa/dsa_asn1.c82
-rw-r--r--crypto/openssl/crypto/dsa/dsa_err.c10
-rw-r--r--crypto/openssl/crypto/dsa/dsa_gen.c14
-rw-r--r--crypto/openssl/crypto/dsa/dsa_key.c6
-rw-r--r--crypto/openssl/crypto/dsa/dsa_lib.c49
-rw-r--r--crypto/openssl/crypto/dsa/dsa_ossl.c5
-rw-r--r--crypto/openssl/crypto/dsa/dsa_sign.c31
-rw-r--r--crypto/openssl/crypto/dsa/dsa_utl.c95
-rw-r--r--crypto/openssl/crypto/dsa/dsa_vrf.c32
-rw-r--r--crypto/openssl/crypto/dso/Makefile2
-rw-r--r--crypto/openssl/crypto/dyn_lck.c428
-rw-r--r--crypto/openssl/crypto/ec/Makefile2
-rw-r--r--crypto/openssl/crypto/ec/ec.h1
-rw-r--r--crypto/openssl/crypto/ec/ec_err.c3
-rw-r--r--crypto/openssl/crypto/ec/ec_key.c16
-rw-r--r--crypto/openssl/crypto/ec/ec_mult.c34
-rw-r--r--crypto/openssl/crypto/ec/ectest.c14
-rw-r--r--crypto/openssl/crypto/ecdh/Makefile35
-rw-r--r--crypto/openssl/crypto/ecdh/ecdhtest.c10
-rw-r--r--crypto/openssl/crypto/ecdsa/Makefile49
-rw-r--r--crypto/openssl/crypto/ecdsa/ecdsatest.c22
-rw-r--r--crypto/openssl/crypto/ecdsa/ecs_ossl.c25
-rw-r--r--crypto/openssl/crypto/engine/Makefile395
-rw-r--r--crypto/openssl/crypto/engine/eng_all.c3
-rw-r--r--crypto/openssl/crypto/engine/eng_cnf.c11
-rw-r--r--crypto/openssl/crypto/engine/eng_err.c3
-rw-r--r--crypto/openssl/crypto/engine/eng_int.h2
-rw-r--r--crypto/openssl/crypto/engine/eng_padlock.c9
-rw-r--r--crypto/openssl/crypto/engine/eng_pkey.c42
-rw-r--r--crypto/openssl/crypto/engine/eng_table.c12
-rw-r--r--crypto/openssl/crypto/engine/engine.h16
-rw-r--r--crypto/openssl/crypto/engine/enginetest.c2
-rw-r--r--crypto/openssl/crypto/err/Makefile49
-rw-r--r--crypto/openssl/crypto/err/err.c780
-rw-r--r--crypto/openssl/crypto/err/err.h12
-rw-r--r--crypto/openssl/crypto/err/err_all.c19
-rw-r--r--crypto/openssl/crypto/err/err_bio.c75
-rw-r--r--crypto/openssl/crypto/err/err_def.c665
-rw-r--r--crypto/openssl/crypto/err/err_prn.c70
-rw-r--r--crypto/openssl/crypto/err/err_str.c295
-rw-r--r--crypto/openssl/crypto/err/openssl.ec4
-rw-r--r--crypto/openssl/crypto/evp/Makefile679
-rw-r--r--crypto/openssl/crypto/evp/bio_md.c9
-rw-r--r--crypto/openssl/crypto/evp/c_allc.c9
-rw-r--r--crypto/openssl/crypto/evp/dig_eng.c180
-rw-r--r--crypto/openssl/crypto/evp/digest.c154
-rw-r--r--crypto/openssl/crypto/evp/e_aes.c35
-rw-r--r--crypto/openssl/crypto/evp/e_camellia.c2
-rw-r--r--crypto/openssl/crypto/evp/e_des.c9
-rw-r--r--crypto/openssl/crypto/evp/e_des3.c29
-rw-r--r--crypto/openssl/crypto/evp/e_null.c2
-rw-r--r--crypto/openssl/crypto/evp/e_rc4.c1
-rw-r--r--crypto/openssl/crypto/evp/e_seed.c83
-rw-r--r--crypto/openssl/crypto/evp/enc_min.c390
-rw-r--r--crypto/openssl/crypto/evp/evp.h89
-rw-r--r--crypto/openssl/crypto/evp/evp_acnf.c2
-rw-r--r--crypto/openssl/crypto/evp/evp_cnf.c125
-rw-r--r--crypto/openssl/crypto/evp/evp_enc.c267
-rw-r--r--crypto/openssl/crypto/evp/evp_err.c16
-rw-r--r--crypto/openssl/crypto/evp/evp_lib.c39
-rw-r--r--crypto/openssl/crypto/evp/evp_locl.h30
-rw-r--r--crypto/openssl/crypto/evp/evp_pbe.c2
-rw-r--r--crypto/openssl/crypto/evp/evp_pkey.c2
-rw-r--r--crypto/openssl/crypto/evp/evp_test.c17
-rw-r--r--crypto/openssl/crypto/evp/evptests.txt9
-rw-r--r--crypto/openssl/crypto/evp/m_dss.c2
-rw-r--r--crypto/openssl/crypto/evp/m_dss1.c3
-rw-r--r--crypto/openssl/crypto/evp/m_md2.c1
-rw-r--r--crypto/openssl/crypto/evp/m_md4.c1
-rw-r--r--crypto/openssl/crypto/evp/m_md5.c1
-rw-r--r--crypto/openssl/crypto/evp/m_mdc2.c1
-rw-r--r--crypto/openssl/crypto/evp/m_sha.c1
-rw-r--r--crypto/openssl/crypto/evp/m_sha1.c7
-rw-r--r--crypto/openssl/crypto/evp/names.c7
-rw-r--r--crypto/openssl/crypto/evp/p5_crpt.c2
-rw-r--r--crypto/openssl/crypto/evp/p5_crpt2.c2
-rw-r--r--crypto/openssl/crypto/evp/p_sign.c24
-rw-r--r--crypto/openssl/crypto/evp/p_verify.c26
-rw-r--r--crypto/openssl/crypto/ex_data.c2
-rw-r--r--crypto/openssl/crypto/fips_err.c7
-rw-r--r--crypto/openssl/crypto/fips_err.h137
-rw-r--r--crypto/openssl/crypto/hmac/Makefile15
-rw-r--r--crypto/openssl/crypto/hmac/hmac.c10
-rw-r--r--crypto/openssl/crypto/hmac/hmac.h1
-rw-r--r--crypto/openssl/crypto/idea/Makefile8
-rw-r--r--crypto/openssl/crypto/idea/i_skey.c17
-rw-r--r--crypto/openssl/crypto/idea/idea.h3
-rw-r--r--crypto/openssl/crypto/jpake/Makefile64
-rw-r--r--crypto/openssl/crypto/jpake/jpake.c483
-rw-r--r--crypto/openssl/crypto/jpake/jpake.h129
-rw-r--r--crypto/openssl/crypto/jpake/jpake_err.c105
-rw-r--r--crypto/openssl/crypto/jpake/jpaketest.c192
-rw-r--r--crypto/openssl/crypto/krb5/Makefile2
-rw-r--r--crypto/openssl/crypto/lhash/Makefile2
-rw-r--r--crypto/openssl/crypto/md2/Makefile6
-rw-r--r--crypto/openssl/crypto/md2/md2.h3
-rw-r--r--crypto/openssl/crypto/md2/md2_dgst.c7
-rw-r--r--crypto/openssl/crypto/md32_common.h373
-rw-r--r--crypto/openssl/crypto/md4/Makefile12
-rw-r--r--crypto/openssl/crypto/md4/md4.h3
-rw-r--r--crypto/openssl/crypto/md4/md4_dgst.c96
-rw-r--r--crypto/openssl/crypto/md4/md4_locl.h44
-rw-r--r--crypto/openssl/crypto/md4/md4test.c6
-rw-r--r--crypto/openssl/crypto/md5/Makefile30
-rw-r--r--crypto/openssl/crypto/md5/asm/md5-586.pl2
-rw-r--r--crypto/openssl/crypto/md5/asm/md5-sparcv9.S1031
-rwxr-xr-xcrypto/openssl/crypto/md5/asm/md5-x86_64.pl8
-rw-r--r--crypto/openssl/crypto/md5/md5.h3
-rw-r--r--crypto/openssl/crypto/md5/md5_dgst.c113
-rw-r--r--crypto/openssl/crypto/md5/md5_locl.h54
-rw-r--r--crypto/openssl/crypto/md5/md5test.c6
-rw-r--r--crypto/openssl/crypto/mdc2/Makefile2
-rw-r--r--crypto/openssl/crypto/mdc2/mdc2.h4
-rw-r--r--crypto/openssl/crypto/mdc2/mdc2dgst.c7
-rw-r--r--crypto/openssl/crypto/mem.c47
-rw-r--r--crypto/openssl/crypto/mem_clr.c12
-rw-r--r--crypto/openssl/crypto/mem_dbg.c28
-rw-r--r--crypto/openssl/crypto/o_init.c86
-rw-r--r--crypto/openssl/crypto/o_str.c4
-rw-r--r--crypto/openssl/crypto/objects/Makefile18
-rw-r--r--crypto/openssl/crypto/objects/obj_dat.c1
-rw-r--r--crypto/openssl/crypto/objects/obj_dat.h3032
-rw-r--r--crypto/openssl/crypto/objects/obj_dat.pl4
-rw-r--r--crypto/openssl/crypto/objects/obj_mac.h369
-rw-r--r--crypto/openssl/crypto/objects/obj_mac.num87
-rw-r--r--crypto/openssl/crypto/objects/objects.txt134
-rw-r--r--crypto/openssl/crypto/ocsp/Makefile81
-rw-r--r--crypto/openssl/crypto/ocsp/ocsp.h19
-rw-r--r--crypto/openssl/crypto/ocsp/ocsp_asn.c2
-rw-r--r--crypto/openssl/crypto/ocsp/ocsp_err.c3
-rw-r--r--crypto/openssl/crypto/ocsp/ocsp_ht.c473
-rwxr-xr-xcrypto/openssl/crypto/ocsp/ocsp_srv.c2
-rw-r--r--crypto/openssl/crypto/ocsp/ocsp_vfy.c2
-rw-r--r--crypto/openssl/crypto/opensslconf.h41
-rw-r--r--crypto/openssl/crypto/opensslconf.h.in15
-rw-r--r--crypto/openssl/crypto/opensslv.h6
-rw-r--r--crypto/openssl/crypto/ossl_typ.h9
-rw-r--r--crypto/openssl/crypto/pem/Makefile134
-rw-r--r--crypto/openssl/crypto/pem/pem.h73
-rw-r--r--crypto/openssl/crypto/pem/pem_all.c174
-rw-r--r--crypto/openssl/crypto/pem/pem_info.c2
-rw-r--r--crypto/openssl/crypto/pem/pem_lib.c3
-rw-r--r--crypto/openssl/crypto/pem/pem_x509.c2
-rw-r--r--crypto/openssl/crypto/pem/pem_xaux.c2
-rwxr-xr-xcrypto/openssl/crypto/perlasm/x86_64-xlate.pl80
-rw-r--r--crypto/openssl/crypto/perlasm/x86ms.pl30
-rw-r--r--crypto/openssl/crypto/perlasm/x86nasm.pl4
-rw-r--r--crypto/openssl/crypto/perlasm/x86unix.pl42
-rw-r--r--crypto/openssl/crypto/pkcs12/Makefile177
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_add.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_asn.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_attr.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_crpt.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_crt.c42
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_decr.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_init.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_key.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_kiss.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_mutl.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_npas.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_p8d.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_p8e.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_utl.c2
-rw-r--r--crypto/openssl/crypto/pkcs12/pkcs12.h2
-rw-r--r--crypto/openssl/crypto/pkcs7/Makefile43
-rw-r--r--crypto/openssl/crypto/pkcs7/pk7_asn1.c2
-rw-r--r--crypto/openssl/crypto/pkcs7/pk7_attr.c2
-rw-r--r--crypto/openssl/crypto/pkcs7/pk7_mime.c57
-rw-r--r--crypto/openssl/crypto/pkcs7/pk7_smime.c8
-rwxr-xr-xcrypto/openssl/crypto/ppccpuid.pl94
-rw-r--r--crypto/openssl/crypto/pqueue/Makefile2
-rw-r--r--crypto/openssl/crypto/pqueue/pq_compat.h7
-rw-r--r--crypto/openssl/crypto/rand/Makefile86
-rw-r--r--crypto/openssl/crypto/rand/md_rand.c12
-rw-r--r--crypto/openssl/crypto/rand/rand.h29
-rw-r--r--crypto/openssl/crypto/rand/rand_eng.c152
-rw-r--r--crypto/openssl/crypto/rand/rand_err.c20
-rwxr-xr-xcrypto/openssl/crypto/rand/rand_lcl.h11
-rw-r--r--crypto/openssl/crypto/rand/rand_lib.c71
-rw-r--r--crypto/openssl/crypto/rand/rand_nw.c11
-rw-r--r--crypto/openssl/crypto/rand/rand_unix.c2
-rw-r--r--crypto/openssl/crypto/rand/randfile.c74
-rw-r--r--crypto/openssl/crypto/rc2/Makefile8
-rw-r--r--crypto/openssl/crypto/rc2/rc2.h4
-rw-r--r--crypto/openssl/crypto/rc2/rc2_skey.c17
-rw-r--r--crypto/openssl/crypto/rc4/Makefile20
-rw-r--r--crypto/openssl/crypto/rc4/asm/rc4-586.pl4
-rw-r--r--crypto/openssl/crypto/rc4/asm/rc4-ia64.S5
-rwxr-xr-xcrypto/openssl/crypto/rc4/asm/rc4-x86_64.pl132
-rw-r--r--crypto/openssl/crypto/rc4/rc4.h3
-rw-r--r--crypto/openssl/crypto/rc4/rc4_fblk.c75
-rw-r--r--crypto/openssl/crypto/rc4/rc4_skey.c21
-rw-r--r--crypto/openssl/crypto/rc5/Makefile2
-rw-r--r--crypto/openssl/crypto/rc5/rc5.h5
-rw-r--r--crypto/openssl/crypto/rc5/rc5_skey.c17
-rw-r--r--crypto/openssl/crypto/ripemd/Makefile11
-rw-r--r--crypto/openssl/crypto/ripemd/README2
-rw-r--r--crypto/openssl/crypto/ripemd/asm/rmd-586.pl4
-rw-r--r--crypto/openssl/crypto/ripemd/ripemd.h4
-rw-r--r--crypto/openssl/crypto/ripemd/rmd_dgst.c208
-rw-r--r--crypto/openssl/crypto/ripemd/rmd_locl.h16
-rw-r--r--crypto/openssl/crypto/ripemd/rmdtest.c6
-rw-r--r--crypto/openssl/crypto/rsa/Makefile77
-rw-r--r--crypto/openssl/crypto/rsa/rsa.h57
-rw-r--r--crypto/openssl/crypto/rsa/rsa_asn1.c2
-rw-r--r--crypto/openssl/crypto/rsa/rsa_eay.c134
-rw-r--r--crypto/openssl/crypto/rsa/rsa_eng.c348
-rw-r--r--crypto/openssl/crypto/rsa/rsa_err.c10
-rw-r--r--crypto/openssl/crypto/rsa/rsa_gen.c36
-rw-r--r--crypto/openssl/crypto/rsa/rsa_lib.c290
-rw-r--r--crypto/openssl/crypto/rsa/rsa_null.c2
-rw-r--r--crypto/openssl/crypto/rsa/rsa_oaep.c25
-rw-r--r--crypto/openssl/crypto/rsa/rsa_pss.c6
-rw-r--r--crypto/openssl/crypto/rsa/rsa_sign.c24
-rw-r--r--crypto/openssl/crypto/rsa/rsa_ssl.c2
-rw-r--r--crypto/openssl/crypto/rsa/rsa_test.c28
-rw-r--r--crypto/openssl/crypto/rsa/rsa_x931.c2
-rw-r--r--crypto/openssl/crypto/rsa/rsa_x931g.c255
-rw-r--r--crypto/openssl/crypto/s390xcpuid.S90
-rw-r--r--crypto/openssl/crypto/seed/Makefile87
-rw-r--r--crypto/openssl/crypto/seed/seed.c286
-rw-r--r--crypto/openssl/crypto/seed/seed.h135
-rw-r--r--crypto/openssl/crypto/seed/seed_cbc.c129
-rw-r--r--crypto/openssl/crypto/seed/seed_cfb.c144
-rw-r--r--crypto/openssl/crypto/seed/seed_ecb.c60
-rw-r--r--crypto/openssl/crypto/seed/seed_locl.h116
-rw-r--r--crypto/openssl/crypto/seed/seed_ofb.c128
-rw-r--r--crypto/openssl/crypto/sha/Makefile40
-rw-r--r--crypto/openssl/crypto/sha/asm/sha1-586.pl433
-rw-r--r--crypto/openssl/crypto/sha/asm/sha1-ia64.pl347
-rwxr-xr-xcrypto/openssl/crypto/sha/asm/sha1-x86_64.pl242
-rwxr-xr-xcrypto/openssl/crypto/sha/asm/sha512-ia64.pl422
-rwxr-xr-xcrypto/openssl/crypto/sha/asm/sha512-x86_64.pl344
-rw-r--r--crypto/openssl/crypto/sha/sha.h3
-rw-r--r--crypto/openssl/crypto/sha/sha1_one.c2
-rw-r--r--crypto/openssl/crypto/sha/sha1dgst.c4
-rw-r--r--crypto/openssl/crypto/sha/sha1test.c6
-rw-r--r--crypto/openssl/crypto/sha/sha256.c91
-rw-r--r--crypto/openssl/crypto/sha/sha512.c113
-rw-r--r--crypto/openssl/crypto/sha/sha_dgst.c6
-rw-r--r--crypto/openssl/crypto/sha/sha_locl.h285
-rw-r--r--crypto/openssl/crypto/sha/shatest.c6
-rw-r--r--crypto/openssl/crypto/sparcv9cap.c154
-rw-r--r--crypto/openssl/crypto/stack/Makefile2
-rw-r--r--crypto/openssl/crypto/stack/safestack.h274
-rw-r--r--crypto/openssl/crypto/store/Makefile18
-rw-r--r--crypto/openssl/crypto/store/str_lib.c2
-rw-r--r--crypto/openssl/crypto/symhacks.h26
-rw-r--r--crypto/openssl/crypto/txt_db/Makefile2
-rw-r--r--crypto/openssl/crypto/ui/Makefile2
-rw-r--r--crypto/openssl/crypto/ui/ui_lib.c1
-rw-r--r--crypto/openssl/crypto/ui/ui_openssl.c2
-rw-r--r--crypto/openssl/crypto/x509/Makefile199
-rw-r--r--crypto/openssl/crypto/x509/by_dir.c4
-rw-r--r--crypto/openssl/crypto/x509/x509.h13
-rw-r--r--crypto/openssl/crypto/x509/x509_att.c43
-rw-r--r--crypto/openssl/crypto/x509/x509_cmp.c11
-rw-r--r--crypto/openssl/crypto/x509/x509_trs.c2
-rw-r--r--crypto/openssl/crypto/x509/x509_txt.c2
-rw-r--r--crypto/openssl/crypto/x509/x509_vfy.c16
-rw-r--r--crypto/openssl/crypto/x509/x509_vpm.c20
-rw-r--r--crypto/openssl/crypto/x509/x509cset.c2
-rw-r--r--crypto/openssl/crypto/x509/x509spki.c2
-rw-r--r--crypto/openssl/crypto/x509v3/Makefile457
-rw-r--r--crypto/openssl/crypto/x509v3/ext_dat.h2
-rw-r--r--crypto/openssl/crypto/x509v3/pcy_cache.c2
-rw-r--r--crypto/openssl/crypto/x509v3/pcy_data.c10
-rw-r--r--crypto/openssl/crypto/x509v3/pcy_int.h2
-rw-r--r--crypto/openssl/crypto/x509v3/pcy_lib.c2
-rw-r--r--crypto/openssl/crypto/x509v3/pcy_map.c2
-rw-r--r--crypto/openssl/crypto/x509v3/pcy_node.c2
-rw-r--r--crypto/openssl/crypto/x509v3/pcy_tree.c24
-rw-r--r--crypto/openssl/crypto/x509v3/tabtest.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_addr.c46
-rw-r--r--crypto/openssl/crypto/x509v3/v3_akey.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_akeya.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_alt.c5
-rw-r--r--crypto/openssl/crypto/x509v3/v3_asid.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_bcons.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_bitst.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_conf.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_cpols.c9
-rw-r--r--crypto/openssl/crypto/x509v3/v3_crld.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_enum.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_extku.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_genn.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_ia5.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_info.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_int.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_lib.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_ncons.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_ocsp.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_pci.c11
-rw-r--r--crypto/openssl/crypto/x509v3/v3_pcons.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_pku.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_pmaps.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_prn.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_purp.c8
-rw-r--r--crypto/openssl/crypto/x509v3/v3_skey.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_sxnet.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_utl.c49
-rw-r--r--crypto/openssl/crypto/x509v3/v3conf.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3prin.c2
-rw-r--r--crypto/openssl/crypto/x509v3/x509v3.h7
-rw-r--r--crypto/openssl/crypto/x86_64cpuid.pl99
-rw-r--r--crypto/openssl/crypto/x86cpuid.pl32
-rw-r--r--crypto/openssl/demos/asn1/ocsp.c2
-rw-r--r--crypto/openssl/demos/engines/cluster_labs/hw_cluster_labs_err.h4
-rw-r--r--crypto/openssl/demos/engines/ibmca/hw_ibmca_err.h4
-rw-r--r--crypto/openssl/demos/engines/zencod/hw_zencod_err.h4
-rw-r--r--crypto/openssl/demos/jpake/Makefile7
-rw-r--r--crypto/openssl/demos/jpake/jpakedemo.c469
-rw-r--r--crypto/openssl/doc/apps/ciphers.pod34
-rw-r--r--crypto/openssl/doc/apps/dgst.pod5
-rw-r--r--crypto/openssl/doc/apps/enc.pod8
-rw-r--r--crypto/openssl/doc/apps/ocsp.pod8
-rw-r--r--crypto/openssl/doc/apps/openssl.pod16
-rw-r--r--crypto/openssl/doc/apps/rand.pod5
-rw-r--r--crypto/openssl/doc/apps/rsautl.pod2
-rw-r--r--crypto/openssl/doc/apps/s_client.pod31
-rw-r--r--crypto/openssl/doc/apps/s_server.pod21
-rw-r--r--crypto/openssl/doc/apps/verify.pod2
-rw-r--r--crypto/openssl/doc/apps/x509.pod2
-rw-r--r--crypto/openssl/doc/c-indentation.el1
-rw-r--r--crypto/openssl/doc/crypto/ASN1_generate_nconf.pod35
-rw-r--r--crypto/openssl/doc/crypto/DH_set_method.pod2
-rw-r--r--crypto/openssl/doc/crypto/DSA_set_method.pod2
-rw-r--r--crypto/openssl/doc/crypto/OPENSSL_ia32cap.pod36
-rw-r--r--crypto/openssl/doc/crypto/RAND_bytes.pod3
-rw-r--r--crypto/openssl/doc/crypto/RAND_egd.pod7
-rw-r--r--crypto/openssl/doc/crypto/RAND_set_rand_method.pod2
-rw-r--r--crypto/openssl/doc/crypto/RSA_set_method.pod2
-rw-r--r--crypto/openssl/doc/crypto/X509_NAME_print_ex.pod4
-rw-r--r--crypto/openssl/doc/crypto/des_modes.pod2
-rw-r--r--crypto/openssl/doc/crypto/engine.pod6
-rw-r--r--crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod2
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_options.pod9
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod2
-rw-r--r--crypto/openssl/doc/ssl/SSL_SESSION_free.pod2
-rw-r--r--crypto/openssl/doc/ssl/SSL_free.pod2
-rw-r--r--crypto/openssl/doc/ssl/SSL_read.pod6
-rw-r--r--crypto/openssl/doc/ssleay.txt4
-rw-r--r--crypto/openssl/doc/standards.txt9
-rw-r--r--crypto/openssl/e_os.h68
-rw-r--r--crypto/openssl/engines/Makefile198
-rw-r--r--crypto/openssl/engines/e_4758cca_err.h4
-rw-r--r--crypto/openssl/engines/e_aep.c13
-rw-r--r--crypto/openssl/engines/e_aep_err.h4
-rw-r--r--crypto/openssl/engines/e_atalla_err.h4
-rw-r--r--crypto/openssl/engines/e_capi.c1781
-rw-r--r--crypto/openssl/engines/e_capi.ec1
-rw-r--r--crypto/openssl/engines/e_capi_err.c183
-rw-r--r--crypto/openssl/engines/e_capi_err.h123
-rw-r--r--crypto/openssl/engines/e_chil.c12
-rw-r--r--crypto/openssl/engines/e_chil_err.c1
-rw-r--r--crypto/openssl/engines/e_chil_err.h5
-rw-r--r--crypto/openssl/engines/e_cswift_err.h4
-rw-r--r--crypto/openssl/engines/e_gmp.c87
-rw-r--r--crypto/openssl/engines/e_gmp_err.h4
-rw-r--r--crypto/openssl/engines/e_nuron_err.h4
-rw-r--r--crypto/openssl/engines/e_sureware_err.h4
-rw-r--r--crypto/openssl/engines/e_ubsec.c4
-rw-r--r--crypto/openssl/engines/e_ubsec_err.h4
-rw-r--r--crypto/openssl/fips/Makefile226
-rw-r--r--crypto/openssl/fips/aes/Makefile111
-rw-r--r--crypto/openssl/fips/aes/fips_aes_selftest.c101
-rw-r--r--crypto/openssl/fips/aes/fips_aesavs.c939
-rw-r--r--crypto/openssl/fips/des/Makefile111
-rw-r--r--crypto/openssl/fips/des/fips_des_selftest.c137
-rw-r--r--crypto/openssl/fips/des/fips_desmovs.c705
-rw-r--r--crypto/openssl/fips/dh/Makefile115
-rw-r--r--crypto/openssl/fips/dh/dh_gen.c179
-rw-r--r--crypto/openssl/fips/dh/fips_dh_check.c147
-rw-r--r--crypto/openssl/fips/dh/fips_dh_gen.c192
-rw-r--r--crypto/openssl/fips/dh/fips_dh_key.c276
-rw-r--r--crypto/openssl/fips/dh/fips_dh_lib.c95
-rw-r--r--crypto/openssl/fips/dsa/Makefile191
-rw-r--r--crypto/openssl/fips/dsa/fips_dsa_gen.c339
-rw-r--r--crypto/openssl/fips/dsa/fips_dsa_key.c169
-rw-r--r--crypto/openssl/fips/dsa/fips_dsa_lib.c95
-rw-r--r--crypto/openssl/fips/dsa/fips_dsa_ossl.c435
-rw-r--r--crypto/openssl/fips/dsa/fips_dsa_selftest.c180
-rw-r--r--crypto/openssl/fips/dsa/fips_dsa_sign.c256
-rw-r--r--crypto/openssl/fips/dsa/fips_dsatest.c271
-rw-r--r--crypto/openssl/fips/dsa/fips_dssvs.c542
-rw-r--r--crypto/openssl/fips/fips-nodiff.txt7
-rw-r--r--crypto/openssl/fips/fips.c519
-rw-r--r--crypto/openssl/fips/fips.h163
-rw-r--r--crypto/openssl/fips/fips_canister.c186
-rw-r--r--crypto/openssl/fips/fips_locl.h73
-rw-r--r--crypto/openssl/fips/fips_premain.c176
-rw-r--r--crypto/openssl/fips/fips_premain.c.sha11
-rw-r--r--crypto/openssl/fips/fips_test_suite.c588
-rw-r--r--crypto/openssl/fips/fips_utl.h343
-rwxr-xr-xcrypto/openssl/fips/fipsalgtest.pl848
-rwxr-xr-xcrypto/openssl/fips/fipsld170
-rwxr-xr-xcrypto/openssl/fips/fipstests.sh400
-rw-r--r--crypto/openssl/fips/hmac/Makefile123
-rw-r--r--crypto/openssl/fips/hmac/fips_hmac.c191
-rw-r--r--crypto/openssl/fips/hmac/fips_hmac_selftest.c135
-rw-r--r--crypto/openssl/fips/hmac/fips_hmactest.c328
-rwxr-xr-xcrypto/openssl/fips/mkfipsscr.pl632
-rwxr-xr-xcrypto/openssl/fips/openssl_fips_fingerprint31
-rw-r--r--crypto/openssl/fips/rand/Makefile149
-rw-r--r--crypto/openssl/fips/rand/fips_rand.c410
-rw-r--r--crypto/openssl/fips/rand/fips_rand.h77
-rw-r--r--crypto/openssl/fips/rand/fips_rand_selftest.c371
-rw-r--r--crypto/openssl/fips/rand/fips_randtest.c248
-rw-r--r--crypto/openssl/fips/rand/fips_rngvs.c230
-rw-r--r--crypto/openssl/fips/rsa/Makefile215
-rw-r--r--crypto/openssl/fips/rsa/fips_rsa_eay.c934
-rw-r--r--crypto/openssl/fips/rsa/fips_rsa_gen.c310
-rw-r--r--crypto/openssl/fips/rsa/fips_rsa_lib.c101
-rw-r--r--crypto/openssl/fips/rsa/fips_rsa_selftest.c432
-rw-r--r--crypto/openssl/fips/rsa/fips_rsa_sign.c554
-rw-r--r--crypto/openssl/fips/rsa/fips_rsa_x931g.c280
-rw-r--r--crypto/openssl/fips/rsa/fips_rsagtest.c390
-rw-r--r--crypto/openssl/fips/rsa/fips_rsastest.c370
-rw-r--r--crypto/openssl/fips/rsa/fips_rsavtest.c377
-rw-r--r--crypto/openssl/fips/sha/Makefile158
-rw-r--r--crypto/openssl/fips/sha/fips_sha1_selftest.c97
-rw-r--r--crypto/openssl/fips/sha/fips_shatest.c388
-rw-r--r--crypto/openssl/fips/sha/fips_standalone_sha1.c173
-rw-r--r--crypto/openssl/openssl.spec2
-rw-r--r--crypto/openssl/ssl/Makefile233
-rw-r--r--crypto/openssl/ssl/d1_both.c22
-rw-r--r--crypto/openssl/ssl/d1_clnt.c30
-rw-r--r--crypto/openssl/ssl/d1_enc.c19
-rw-r--r--crypto/openssl/ssl/d1_lib.c21
-rw-r--r--crypto/openssl/ssl/d1_pkt.c118
-rw-r--r--crypto/openssl/ssl/d1_srvr.c49
-rw-r--r--crypto/openssl/ssl/dtls1.h7
-rw-r--r--crypto/openssl/ssl/kssl.c4
-rw-r--r--crypto/openssl/ssl/s23_clnt.c34
-rw-r--r--crypto/openssl/ssl/s23_srvr.c9
-rw-r--r--crypto/openssl/ssl/s2_clnt.c4
-rw-r--r--crypto/openssl/ssl/s2_srvr.c6
-rw-r--r--crypto/openssl/ssl/s3_clnt.c312
-rw-r--r--crypto/openssl/ssl/s3_enc.c4
-rw-r--r--crypto/openssl/ssl/s3_lib.c295
-rw-r--r--crypto/openssl/ssl/s3_pkt.c16
-rw-r--r--crypto/openssl/ssl/s3_srvr.c285
-rw-r--r--crypto/openssl/ssl/ssl.h130
-rw-r--r--crypto/openssl/ssl/ssl3.h10
-rw-r--r--crypto/openssl/ssl/ssl_algs.c5
-rw-r--r--crypto/openssl/ssl/ssl_asn1.c106
-rw-r--r--crypto/openssl/ssl/ssl_cert.c2
-rw-r--r--crypto/openssl/ssl/ssl_ciph.c38
-rw-r--r--crypto/openssl/ssl/ssl_err.c22
-rw-r--r--crypto/openssl/ssl/ssl_lib.c120
-rw-r--r--crypto/openssl/ssl/ssl_locl.h42
-rw-r--r--crypto/openssl/ssl/ssl_rsa.c2
-rw-r--r--crypto/openssl/ssl/ssl_sess.c126
-rw-r--r--crypto/openssl/ssl/ssl_stat.c4
-rw-r--r--crypto/openssl/ssl/ssl_txt.c15
-rw-r--r--crypto/openssl/ssl/ssltest.c41
-rw-r--r--crypto/openssl/ssl/t1_enc.c72
-rw-r--r--crypto/openssl/ssl/t1_lib.c759
-rw-r--r--crypto/openssl/ssl/tls1.h104
-rw-r--r--crypto/openssl/test/CAss.cnf2
-rw-r--r--crypto/openssl/test/Makefile484
-rw-r--r--crypto/openssl/test/SHAmix.r99
-rw-r--r--crypto/openssl/test/SHAmix.x129
-rw-r--r--crypto/openssl/test/Uss.cnf2
l---------crypto/openssl/test/bftest.c1
l---------crypto/openssl/test/bntest.c1
l---------crypto/openssl/test/casttest.c1
-rwxr-xr-xcrypto/openssl/test/cms-examples.pl409
-rwxr-xr-xcrypto/openssl/test/cms-test.pl453
l---------crypto/openssl/test/destest.c1
l---------crypto/openssl/test/dhtest.c1
l---------crypto/openssl/test/dsatest.c1
l---------crypto/openssl/test/ecdhtest.c1
l---------crypto/openssl/test/ecdsatest.c1
l---------crypto/openssl/test/ectest.c1
l---------crypto/openssl/test/enginetest.c1
l---------crypto/openssl/test/evp_test.c1
-rw-r--r--crypto/openssl/test/evptests.txt9
l---------crypto/openssl/test/exptest.c1
l---------crypto/openssl/test/fips_aesavs.c1
l---------crypto/openssl/test/fips_desmovs.c1
l---------crypto/openssl/test/fips_dsatest.c1
l---------crypto/openssl/test/fips_dssvs.c1
l---------crypto/openssl/test/fips_hmactest.c1
l---------crypto/openssl/test/fips_randtest.c1
l---------crypto/openssl/test/fips_rngvs.c1
l---------crypto/openssl/test/fips_rsagtest.c1
l---------crypto/openssl/test/fips_rsastest.c1
l---------crypto/openssl/test/fips_rsavtest.c1
l---------crypto/openssl/test/fips_shatest.c1
l---------crypto/openssl/test/fips_test_suite.c1
l---------crypto/openssl/test/hmactest.c1
l---------crypto/openssl/test/ideatest.c1
-rw-r--r--crypto/openssl/test/igetest.c21
l---------crypto/openssl/test/jpaketest.c1
l---------crypto/openssl/test/md2test.c1
l---------crypto/openssl/test/md4test.c1
l---------crypto/openssl/test/md5test.c1
l---------crypto/openssl/test/mdc2test.c1
l---------crypto/openssl/test/randtest.c1
l---------crypto/openssl/test/rc2test.c1
l---------crypto/openssl/test/rc4test.c1
l---------crypto/openssl/test/rc5test.c1
l---------crypto/openssl/test/rmdtest.c1
l---------crypto/openssl/test/rsa_test.c1
l---------crypto/openssl/test/sha1test.c1
l---------crypto/openssl/test/sha256t.c1
l---------crypto/openssl/test/sha512t.c1
l---------crypto/openssl/test/shatest.c1
-rw-r--r--crypto/openssl/test/smcont.txt1
-rw-r--r--crypto/openssl/test/smime-certs/smdsa1.pem34
-rw-r--r--crypto/openssl/test/smime-certs/smdsa2.pem34
-rw-r--r--crypto/openssl/test/smime-certs/smdsa3.pem34
-rw-r--r--crypto/openssl/test/smime-certs/smdsap.pem9
-rw-r--r--crypto/openssl/test/smime-certs/smroot.pem30
-rw-r--r--crypto/openssl/test/smime-certs/smrsa1.pem31
-rw-r--r--crypto/openssl/test/smime-certs/smrsa2.pem31
-rw-r--r--crypto/openssl/test/smime-certs/smrsa3.pem31
l---------crypto/openssl/test/ssltest.c1
-rw-r--r--crypto/openssl/test/testfipsssl113
-rw-r--r--crypto/openssl/test/times2
-rwxr-xr-xcrypto/openssl/util/arx.pl15
-rwxr-xr-xcrypto/openssl/util/clean-depend.pl7
-rw-r--r--crypto/openssl/util/copy.pl11
-rwxr-xr-xcrypto/openssl/util/domd2
-rwxr-xr-xcrypto/openssl/util/fipslink.pl78
-rwxr-xr-xcrypto/openssl/util/libeay.num295
-rwxr-xr-xcrypto/openssl/util/mk1mf.pl467
-rwxr-xr-xcrypto/openssl/util/mkdef.pl43
-rw-r--r--crypto/openssl/util/mkerr.pl7
-rwxr-xr-xcrypto/openssl/util/mkfiles.pl12
-rwxr-xr-xcrypto/openssl/util/mklink.pl12
-rwxr-xr-xcrypto/openssl/util/mksdef.pl87
-rwxr-xr-xcrypto/openssl/util/opensslwrap.sh4
-rw-r--r--crypto/openssl/util/pl/VC-32.pl216
-rw-r--r--crypto/openssl/util/pl/netware.pl375
-rwxr-xr-xcrypto/openssl/util/shlib_wrap.sh33
-rwxr-xr-xcrypto/openssl/util/ssleay.num4
795 files changed, 76865 insertions, 14045 deletions
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index c5a639f9891c..04d332e338bd 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES
@@ -2,13 +2,455 @@
OpenSSL CHANGES
_______________
- Changes between 0.9.8d and 0.9.8e [23 Feb 2007]
+ Changes between 0.9.8j and 0.9.8k [25 Mar 2009]
+
+ *) Don't set val to NULL when freeing up structures, it is freed up by
+ underlying code. If sizeof(void *) > sizeof(long) this can result in
+ zeroing past the valid field. (CVE-2009-0789)
+ [Paolo Ganci <Paolo.Ganci@AdNovum.CH>]
+
+ *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
+ checked correctly. This would allow some invalid signed attributes to
+ appear to verify correctly. (CVE-2009-0591)
+ [Ivan Nestlerode <inestlerode@us.ibm.com>]
+
+ *) Reject UniversalString and BMPString types with invalid lengths. This
+ prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
+ a legal length. (CVE-2009-0590)
+ [Steve Henson]
+
+ *) Set S/MIME signing as the default purpose rather than setting it
+ unconditionally. This allows applications to override it at the store
+ level.
+ [Steve Henson]
+
+ *) Permit restricted recursion of ASN1 strings. This is needed in practice
+ to handle some structures.
+ [Steve Henson]
+
+ *) Improve efficiency of mem_gets: don't search whole buffer each time
+ for a '\n'
+ [Jeremy Shapiro <jnshapir@us.ibm.com>]
+
+ *) New -hex option for openssl rand.
+ [Matthieu Herrb]
+
+ *) Print out UTF8String and NumericString when parsing ASN1.
+ [Steve Henson]
+
+ *) Support NumericString type for name components.
+ [Steve Henson]
+
+ *) Allow CC in the environment to override the automatically chosen
+ compiler. Note that nothing is done to ensure flags work with the
+ chosen compiler.
+ [Ben Laurie]
+
+ Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
+
+ *) Properly check EVP_VerifyFinal() and similar return values
+ (CVE-2008-5077).
+ [Ben Laurie, Bodo Moeller, Google Security Team]
+
+ *) Enable TLS extensions by default.
+ [Ben Laurie]
+
+ *) Allow the CHIL engine to be loaded, whether the application is
+ multithreaded or not. (This does not release the developer from the
+ obligation to set up the dynamic locking callbacks.)
+ [Sander Temme <sander@temme.net>]
+
+ *) Use correct exit code if there is an error in dgst command.
+ [Steve Henson; problem pointed out by Roland Dirlewanger]
+
+ *) Tweak Configure so that you need to say "experimental-jpake" to enable
+ JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
+ [Bodo Moeller]
+
+ *) Add experimental JPAKE support, including demo authentication in
+ s_client and s_server.
+ [Ben Laurie]
+
+ *) Set the comparison function in v3_addr_canonize().
+ [Rob Austein <sra@hactrn.net>]
+
+ *) Add support for XMPP STARTTLS in s_client.
+ [Philip Paeps <philip@freebsd.org>]
+
+ *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
+ to ensure that even with this option, only ciphersuites in the
+ server's preference list will be accepted. (Note that the option
+ applies only when resuming a session, so the earlier behavior was
+ just about the algorithm choice for symmetric cryptography.)
+ [Bodo Moeller]
+
+ Changes between 0.9.8h and 0.9.8i [15 Sep 2008]
+
+ *) Fix a state transitition in s3_srvr.c and d1_srvr.c
+ (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
+ [Nagendra Modadugu]
+
+ *) The fix in 0.9.8c that supposedly got rid of unsafe
+ double-checked locking was incomplete for RSA blinding,
+ addressing just one layer of what turns out to have been
+ doubly unsafe triple-checked locking.
+
+ So now fix this for real by retiring the MONT_HELPER macro
+ in crypto/rsa/rsa_eay.c.
+
+ [Bodo Moeller; problem pointed out by Marius Schilder]
+
+ *) Various precautionary measures:
+
+ - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
+
+ - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
+ (NB: This would require knowledge of the secret session ticket key
+ to exploit, in which case you'd be SOL either way.)
+
+ - Change bn_nist.c so that it will properly handle input BIGNUMs
+ outside the expected range.
+
+ - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
+ builds.
+
+ [Neel Mehta, Bodo Moeller]
+
+ *) Allow engines to be "soft loaded" - i.e. optionally don't die if
+ the load fails. Useful for distros.
+ [Ben Laurie and the FreeBSD team]
+
+ *) Add support for Local Machine Keyset attribute in PKCS#12 files.
+ [Steve Henson]
+
+ *) Fix BN_GF2m_mod_arr() top-bit cleanup code.
+ [Huang Ying]
+
+ *) Expand ENGINE to support engine supplied SSL client certificate functions.
+
+ This work was sponsored by Logica.
+ [Steve Henson]
+
+ *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
+ keystores. Support for SSL/TLS client authentication too.
+ Not compiled unless enable-capieng specified to Configure.
+
+ This work was sponsored by Logica.
+ [Steve Henson]
+
+ *) Fix bug in X509_ATTRIBUTE creation: dont set attribute using
+ ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
+ attribute creation routines such as certifcate requests and PKCS#12
+ files.
+ [Steve Henson]
+
+ Changes between 0.9.8g and 0.9.8h [28 May 2008]
+
+ *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
+ handshake which could lead to a cilent crash as found using the
+ Codenomicon TLS test suite (CVE-2008-1672)
+ [Steve Henson, Mark Cox]
+
+ *) Fix double free in TLS server name extensions which could lead to
+ a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
+ [Joe Orton]
+
+ *) Clear error queue in SSL_CTX_use_certificate_chain_file()
+
+ Clear the error queue to ensure that error entries left from
+ older function calls do not interfere with the correct operation.
+ [Lutz Jaenicke, Erik de Castro Lopo]
+
+ *) Remove root CA certificates of commercial CAs:
+
+ The OpenSSL project does not recommend any specific CA and does not
+ have any policy with respect to including or excluding any CA.
+ Therefore it does not make any sense to ship an arbitrary selection
+ of root CA certificates with the OpenSSL software.
+ [Lutz Jaenicke]
+
+ *) RSA OAEP patches to fix two separate invalid memory reads.
+ The first one involves inputs when 'lzero' is greater than
+ 'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
+ before the beginning of from). The second one involves inputs where
+ the 'db' section contains nothing but zeroes (there is a one-byte
+ invalid read after the end of 'db').
+ [Ivan Nestlerode <inestlerode@us.ibm.com>]
+
+ *) Partial backport from 0.9.9-dev:
+
+ Introduce bn_mul_mont (dedicated Montgomery multiplication
+ procedure) as a candidate for BIGNUM assembler implementation.
+ While 0.9.9-dev uses assembler for various architectures, only
+ x86_64 is available by default here in the 0.9.8 branch, and
+ 32-bit x86 is available through a compile-time setting.
+
+ To try the 32-bit x86 assembler implementation, use Configure
+ option "enable-montasm" (which exists only for this backport).
+
+ As "enable-montasm" for 32-bit x86 disclaims code stability
+ anyway, in this constellation we activate additional code
+ backported from 0.9.9-dev for further performance improvements,
+ namely BN_from_montgomery_word. (To enable this otherwise,
+ e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".)
+
+ [Andy Polyakov (backport partially by Bodo Moeller)]
+
+ *) Add TLS session ticket callback. This allows an application to set
+ TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
+ values. This is useful for key rollover for example where several key
+ sets may exist with different names.
+ [Steve Henson]
+
+ *) Reverse ENGINE-internal logic for caching default ENGINE handles.
+ This was broken until now in 0.9.8 releases, such that the only way
+ a registered ENGINE could be used (assuming it initialises
+ successfully on the host) was to explicitly set it as the default
+ for the relevant algorithms. This is in contradiction with 0.9.7
+ behaviour and the documentation. With this fix, when an ENGINE is
+ registered into a given algorithm's table of implementations, the
+ 'uptodate' flag is reset so that auto-discovery will be used next
+ time a new context for that algorithm attempts to select an
+ implementation.
+ [Ian Lister (tweaked by Geoff Thorpe)]
+
+ *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
+ implemention in the following ways:
+
+ Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
+ hard coded.
+
+ Lack of BER streaming support means one pass streaming processing is
+ only supported if data is detached: setting the streaming flag is
+ ignored for embedded content.
+
+ CMS support is disabled by default and must be explicitly enabled
+ with the enable-cms configuration option.
+ [Steve Henson]
+
+ *) Update the GMP engine glue to do direct copies between BIGNUM and
+ mpz_t when openssl and GMP use the same limb size. Otherwise the
+ existing "conversion via a text string export" trick is still used.
+ [Paul Sheer <paulsheer@gmail.com>]
+
+ *) Zlib compression BIO. This is a filter BIO which compressed and
+ uncompresses any data passed through it.
+ [Steve Henson]
+
+ *) Add AES_wrap_key() and AES_unwrap_key() functions to implement
+ RFC3394 compatible AES key wrapping.
+ [Steve Henson]
+
+ *) Add utility functions to handle ASN1 structures. ASN1_STRING_set0():
+ sets string data without copying. X509_ALGOR_set0() and
+ X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
+ data. Attribute function X509at_get0_data_by_OBJ(): retrieves data
+ from an X509_ATTRIBUTE structure optionally checking it occurs only
+ once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied
+ data.
+ [Steve Henson]
+
+ *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
+ to get the expected BN_FLG_CONSTTIME behavior.
+ [Bodo Moeller (Google)]
+
+ *) Netware support:
+
+ - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
+ - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
+ - added some more tests to do_tests.pl
+ - fixed RunningProcess usage so that it works with newer LIBC NDKs too
+ - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
+ - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
+ netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
+ - various changes to netware.pl to enable gcc-cross builds on Win32
+ platform
+ - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
+ - various changes to fix missing prototype warnings
+ - fixed x86nasm.pl to create correct asm files for NASM COFF output
+ - added AES, WHIRLPOOL and CPUID assembler code to build files
+ - added missing AES assembler make rules to mk1mf.pl
+ - fixed order of includes in apps/ocsp.c so that e_os.h settings apply
+ [Guenter Knauf <eflash@gmx.net>]
+
+ *) Implement certificate status request TLS extension defined in RFC3546.
+ A client can set the appropriate parameters and receive the encoded
+ OCSP response via a callback. A server can query the supplied parameters
+ and set the encoded OCSP response in the callback. Add simplified examples
+ to s_client and s_server.
+ [Steve Henson]
+
+ Changes between 0.9.8f and 0.9.8g [19 Oct 2007]
+
+ *) Fix various bugs:
+ + Binary incompatibility of ssl_ctx_st structure
+ + DTLS interoperation with non-compliant servers
+ + Don't call get_session_cb() without proposed session
+ + Fix ia64 assembler code
+ [Andy Polyakov, Steve Henson]
+
+ Changes between 0.9.8e and 0.9.8f [11 Oct 2007]
+
+ *) DTLS Handshake overhaul. There were longstanding issues with
+ OpenSSL DTLS implementation, which were making it impossible for
+ RFC 4347 compliant client to communicate with OpenSSL server.
+ Unfortunately just fixing these incompatibilities would "cut off"
+ pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
+ server keeps tolerating non RFC compliant syntax. The opposite is
+ not true, 0.9.8f client can not communicate with earlier server.
+ This update even addresses CVE-2007-4995.
+ [Andy Polyakov]
+
+ *) Changes to avoid need for function casts in OpenSSL: some compilers
+ (gcc 4.2 and later) reject their use.
+ [Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>,
+ Steve Henson]
+
+ *) Add RFC4507 support to OpenSSL. This includes the corrections in
+ RFC4507bis. The encrypted ticket format is an encrypted encoded
+ SSL_SESSION structure, that way new session features are automatically
+ supported.
+
+ If a client application caches session in an SSL_SESSION structure
+ support is transparent because tickets are now stored in the encoded
+ SSL_SESSION.
+
+ The SSL_CTX structure automatically generates keys for ticket
+ protection in servers so again support should be possible
+ with no application modification.
+
+ If a client or server wishes to disable RFC4507 support then the option
+ SSL_OP_NO_TICKET can be set.
+
+ Add a TLS extension debugging callback to allow the contents of any client
+ or server extensions to be examined.
+
+ This work was sponsored by Google.
+ [Steve Henson]
+
+ *) Add initial support for TLS extensions, specifically for the server_name
+ extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
+ have new members for a host name. The SSL data structure has an
+ additional member SSL_CTX *initial_ctx so that new sessions can be
+ stored in that context to allow for session resumption, even after the
+ SSL has been switched to a new SSL_CTX in reaction to a client's
+ server_name extension.
+
+ New functions (subject to change):
+
+ SSL_get_servername()
+ SSL_get_servername_type()
+ SSL_set_SSL_CTX()
+
+ New CTRL codes and macros (subject to change):
+
+ SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ - SSL_CTX_set_tlsext_servername_callback()
+ SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
+ - SSL_CTX_set_tlsext_servername_arg()
+ SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
+
+ openssl s_client has a new '-servername ...' option.
+
+ openssl s_server has new options '-servername_host ...', '-cert2 ...',
+ '-key2 ...', '-servername_fatal' (subject to change). This allows
+ testing the HostName extension for a specific single host name ('-cert'
+ and '-key' remain fallbacks for handshakes without HostName
+ negotiation). If the unrecogninzed_name alert has to be sent, this by
+ default is a warning; it becomes fatal with the '-servername_fatal'
+ option.
+
+ [Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson]
+
+ *) Add AES and SSE2 assembly language support to VC++ build.
+ [Steve Henson]
+
+ *) Mitigate attack on final subtraction in Montgomery reduction.
+ [Andy Polyakov]
+
+ *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
+ (which previously caused an internal error).
+ [Bodo Moeller]
+
+ *) Squeeze another 10% out of IGE mode when in != out.
+ [Ben Laurie]
+
+ *) AES IGE mode speedup.
+ [Dean Gaudet (Google)]
+
+ *) Add the Korean symmetric 128-bit cipher SEED (see
+ http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
+ add SEED ciphersuites from RFC 4162:
+
+ TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
+ TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
+ TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
+ TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
+
+ To minimize changes between patchlevels in the OpenSSL 0.9.8
+ series, SEED remains excluded from compilation unless OpenSSL
+ is configured with 'enable-seed'.
+ [KISA, Bodo Moeller]
+
+ *) Mitigate branch prediction attacks, which can be practical if a
+ single processor is shared, allowing a spy process to extract
+ information. For detailed background information, see
+ http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
+ J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
+ and Necessary Software Countermeasures"). The core of the change
+ are new versions BN_div_no_branch() and
+ BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
+ respectively, which are slower, but avoid the security-relevant
+ conditional branches. These are automatically called by BN_div()
+ and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
+ of the input BIGNUMs. Also, BN_is_bit_set() has been changed to
+ remove a conditional branch.
+
+ BN_FLG_CONSTTIME is the new name for the previous
+ BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
+ modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag
+ in the exponent causes BN_mod_exp_mont() to use the alternative
+ implementation in BN_mod_exp_mont_consttime().) The old name
+ remains as a deprecated alias.
+
+ Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
+ RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
+ constant-time implementations for more than just exponentiation.
+ Here too the old name is kept as a deprecated alias.
+
+ BN_BLINDING_new() will now use BN_dup() for the modulus so that
+ the BN_BLINDING structure gets an independent copy of the
+ modulus. This means that the previous "BIGNUM *m" argument to
+ BN_BLINDING_new() and to BN_BLINDING_create_param() now
+ essentially becomes "const BIGNUM *m", although we can't actually
+ change this in the header file before 0.9.9. It allows
+ RSA_setup_blinding() to use BN_with_flags() on the modulus to
+ enable BN_FLG_CONSTTIME.
+
+ [Matthew D Wood (Intel Corp)]
+
+ *) In the SSL/TLS server implementation, be strict about session ID
+ context matching (which matters if an application uses a single
+ external cache for different purposes). Previously,
+ out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
+ set. This did ensure strict client verification, but meant that,
+ with applications using a single external cache for quite
+ different requirements, clients could circumvent ciphersuite
+ restrictions for a given session ID context by starting a session
+ in a different context.
+ [Bodo Moeller]
*) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
a ciphersuite string such as "DEFAULT:RSA" cannot enable
authentication-only ciphersuites.
[Bodo Moeller]
+ *) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
+ not complete and could lead to a possible single byte overflow
+ (CVE-2007-5135) [Ben Laurie]
+
+ Changes between 0.9.8d and 0.9.8e [23 Feb 2007]
+
*) Since AES128 and AES256 (and similarly Camellia128 and
Camellia256) share a single mask bit in the logic of
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
@@ -1047,7 +1489,20 @@
differing sizes.
[Richard Levitte]
- Changes between 0.9.7l and 0.9.7m [xx XXX xxxx]
+ Changes between 0.9.7m and 0.9.7n [xx XXX xxxx]
+
+ *) In the SSL/TLS server implementation, be strict about session ID
+ context matching (which matters if an application uses a single
+ external cache for different purposes). Previously,
+ out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
+ set. This did ensure strict client verification, but meant that,
+ with applications using a single external cache for quite
+ different requirements, clients could circumvent ciphersuite
+ restrictions for a given session ID context by starting a session
+ in a different context.
+ [Bodo Moeller]
+
+ Changes between 0.9.7l and 0.9.7m [23 Feb 2007]
*) Cleanse PEM buffers before freeing them since they may contain
sensitive data.
@@ -1063,6 +1518,20 @@
kludge to work properly if AES128 is available and AES256 isn't.
[Victor Duchovni]
+ *) Expand security boundary to match 1.1.1 module.
+ [Steve Henson]
+
+ *) Remove redundant features: hash file source, editing of test vectors
+ modify fipsld to use external fips_premain.c signature.
+ [Steve Henson]
+
+ *) New perl script mkfipsscr.pl to create shell scripts or batch files to
+ run algorithm test programs.
+ [Steve Henson]
+
+ *) Make algorithm test programs more tolerant of whitespace.
+ [Steve Henson]
+
*) Have SSL/TLS server implementation tolerate "mismatched" record
protocol version while receiving ClientHello even if the
ClientHello is fragmented. (The server can't insist on the
diff --git a/crypto/openssl/ChangeLog.0_9_7-stable_not-in-head b/crypto/openssl/ChangeLog.0_9_7-stable_not-in-head
deleted file mode 100644
index 1203a22158a8..000000000000
--- a/crypto/openssl/ChangeLog.0_9_7-stable_not-in-head
+++ /dev/null
@@ -1,163 +0,0 @@
-This file, together with ChangeLog.0_9_7-stable_not-in-head_FIPS,
-provides a collection of those CVS change log entries for the
-0.9.7 branch (OpenSSL_0_9_7-stable) that do not appear similarly in
-0.9.8-dev (CVS head).
-
-ChangeLog.0_9_7-stable_not-in-head_FIPS - "FIPS" related changes
-ChangeLog.0_9_7-stable_not-in-head - everything else
-
-Some obvious false positives have been eliminated: e.g., we do not
-care about a simple "make update"; and we don't care about changes
-identified to the 0.9.7 branch that were explicitly identified as
-backports from head.
-
-Eliminating all other entries (and finally this file and its
-compantion), either as false positives or as things that should go
-into 0.9.8, remains to be done. Any additional changes to 0.9.7 that
-are not immediately put into 0.9.8, but belong there as well, should
-be added to the end of this file.
-
-
-2002-11-04 17:33 levitte
-
- Changed:
- Configure (1.314.2.38), "Exp", lines: +4 -2
-
- Return my normal debug targets to something not so extreme, and
- make the extreme ones special (or 'extreme', if you will :-)).
-
-2002-12-16 19:17 appro
-
- Changed:
- crypto/bn/bn_lcl.h (1.23.2.3), "Exp", lines: +3 -0
- crypto/bn/bn_mul.c (1.28.2.4), "Exp", lines: +84 -445
-
- This is rollback to 0.9.6h bn_mul.c to address problem reported in
- RT#272.
-
-2003-07-27 15:46 ben
-
- Changed:
- crypto/aes/aes.h (1.1.2.5), "Exp", lines: +3 -0
- crypto/aes/aes_cfb.c (1.1.2.4), "Exp", lines: +57 -0
-
- Add untested CFB-r mode. Will be tested soon.
-
-2003-07-28 17:07 ben
-
- Changed:
- Makefile.org (1.154.2.69), "Exp", lines: +5 -1
- crypto/aes/aes.h (1.1.2.6), "Exp", lines: +3 -0
- crypto/aes/aes_cfb.c (1.1.2.5), "Exp", lines: +19 -0
- crypto/dsa/Makefile.ssl (1.49.2.6), "Exp", lines: +3 -2
- crypto/err/Makefile.ssl (1.48.2.4), "Exp", lines: +17 -16
- crypto/evp/e_aes.c (1.6.2.5), "Exp", lines: +8 -0
- crypto/evp/e_des.c (1.5.2.2), "Exp", lines: +1 -1
- crypto/evp/e_des3.c (1.8.2.3), "Exp", lines: +2 -2
- crypto/evp/evp.h (1.86.2.11), "Exp", lines: +28 -11
- crypto/evp/evp_locl.h (1.7.2.3), "Exp", lines: +2 -2
- crypto/objects/obj_dat.h (1.49.2.13), "Exp", lines: +10 -5
- crypto/objects/obj_mac.h (1.19.2.13), "Exp", lines: +5 -0
- crypto/objects/obj_mac.num (1.15.2.9), "Exp", lines: +1 -0
- crypto/objects/objects.txt (1.20.2.14), "Exp", lines: +4 -0
- fips/Makefile.ssl (1.1.2.3), "Exp", lines: +7 -0
- fips/aes/Makefile.ssl (1.1.2.2), "Exp", lines: +23 -1
- fips/aes/fips_aesavs.c (1.1.2.3), "Exp", lines: +9 -1
- test/Makefile.ssl (1.84.2.30), "Exp", lines: +101 -43
-
- Add support for partial CFB modes, make tests work, update
- dependencies.
-
-2003-07-29 12:56 ben
-
- Changed:
- crypto/aes/aes_cfb.c (1.1.2.6), "Exp", lines: +9 -6
- crypto/evp/c_allc.c (1.8.2.3), "Exp", lines: +1 -0
- crypto/evp/evp_test.c (1.14.2.11), "Exp", lines: +17 -8
- crypto/evp/evptests.txt (1.9.2.2), "Exp", lines: +48 -1
-
- Working CFB1 and test vectors.
-
-2003-07-29 15:24 ben
-
- Changed:
- crypto/evp/e_aes.c (1.6.2.6), "Exp", lines: +14 -0
- crypto/objects/obj_dat.h (1.49.2.14), "Exp", lines: +15 -5
- crypto/objects/obj_mac.h (1.19.2.14), "Exp", lines: +10 -0
- crypto/objects/obj_mac.num (1.15.2.10), "Exp", lines: +2 -0
- crypto/objects/objects.txt (1.20.2.15), "Exp", lines: +2 -0
- fips/aes/Makefile.ssl (1.1.2.3), "Exp", lines: +1 -1
- fips/aes/fips_aesavs.c (1.1.2.4), "Exp", lines: +34 -19
-
- The rest of the keysizes for CFB1, working AES AVS test for CFB1.
-
-2003-07-29 19:05 ben
-
- Changed:
- crypto/aes/aes.h (1.1.2.7), "Exp", lines: +3 -0
- crypto/aes/aes_cfb.c (1.1.2.7), "Exp", lines: +14 -0
- crypto/evp/c_allc.c (1.8.2.4), "Exp", lines: +1 -0
- crypto/evp/e_aes.c (1.6.2.7), "Exp", lines: +4 -9
- crypto/evp/evptests.txt (1.9.2.3), "Exp", lines: +48 -0
- crypto/objects/obj_dat.h (1.49.2.15), "Exp", lines: +20 -5
- crypto/objects/obj_mac.h (1.19.2.15), "Exp", lines: +15 -0
- crypto/objects/obj_mac.num (1.15.2.11), "Exp", lines: +3 -0
- crypto/objects/objects.txt (1.20.2.16), "Exp", lines: +3 -0
- fips/aes/fips_aesavs.c (1.1.2.7), "Exp", lines: +11 -0
-
- AES CFB8.
-
-2003-07-30 20:30 ben
-
- Changed:
- Makefile.org (1.154.2.70), "Exp", lines: +16 -5
- crypto/des/cfb_enc.c (1.7.2.1), "Exp", lines: +2 -1
- crypto/des/des_enc.c (1.11.2.2), "Exp", lines: +4 -0
- crypto/evp/e_aes.c (1.6.2.8), "Exp", lines: +7 -14
- crypto/evp/e_des.c (1.5.2.3), "Exp", lines: +37 -1
- crypto/evp/evp.h (1.86.2.12), "Exp", lines: +6 -0
- crypto/evp/evp_locl.h (1.7.2.4), "Exp", lines: +9 -0
- crypto/objects/obj_dat.h (1.49.2.16), "Exp", lines: +48 -23
- crypto/objects/obj_mac.h (1.19.2.16), "Exp", lines: +31 -6
- crypto/objects/obj_mac.num (1.15.2.12), "Exp", lines: +5 -0
- crypto/objects/objects.txt (1.20.2.17), "Exp", lines: +12 -6
- fips/Makefile.ssl (1.1.2.4), "Exp", lines: +8 -1
- fips/fips_make_sha1 (1.1.2.3), "Exp", lines: +3 -0
- fips/aes/Makefile.ssl (1.1.2.4), "Exp", lines: +1 -1
- fips/des/.cvsignore (1.1.2.1), "Exp", lines: +3 -0
- fips/des/Makefile.ssl (1.1.2.1), "Exp", lines: +96 -0
- fips/des/fingerprint.sha1 (1.1.2.1), "Exp", lines: +2 -0
- fips/des/fips_des_enc.c (1.1.2.1), "Exp", lines: +288 -0
- fips/des/fips_des_locl.h (1.1.2.1), "Exp", lines: +428 -0
- fips/des/fips_desmovs.c (1.1.2.1), "Exp", lines: +659 -0
-
- Whoops, forgot FIPS DES, also add EVPs for DES CFB1 and 8.
-
-2003-08-01 12:25 ben
-
- Changed:
- crypto/des/cfb_enc.c (1.7.2.2), "Exp", lines: +45 -36
- crypto/evp/c_allc.c (1.8.2.5), "Exp", lines: +2 -0
- crypto/evp/e_des.c (1.5.2.4), "Exp", lines: +8 -3
- crypto/evp/evptests.txt (1.9.2.4), "Exp", lines: +6 -0
-
- Fix DES CFB-r.
-
-2003-08-01 12:31 ben
-
- Changed:
- crypto/evp/evptests.txt (1.9.2.5), "Exp", lines: +4 -0
-
- DES CFB8 test.
-
-2005-04-19 16:21 appro
-
- Changed:
- Configure (1.314.2.117), "Exp", lines: +24 -21
- Makefile.org (1.154.2.100), "Exp", lines: +1 -11
- TABLE (1.99.2.52), "Exp", lines: +20 -20
- apps/Makefile (1.1.4.15), "Exp", lines: +1 -1
- test/Makefile (1.1.4.12), "Exp", lines: +1 -1
-
- Enable shared link on HP-UX.
-
diff --git a/crypto/openssl/ChangeLog.0_9_7-stable_not-in-head_FIPS b/crypto/openssl/ChangeLog.0_9_7-stable_not-in-head_FIPS
deleted file mode 100644
index 1e6c88f77abf..000000000000
--- a/crypto/openssl/ChangeLog.0_9_7-stable_not-in-head_FIPS
+++ /dev/null
@@ -1,1494 +0,0 @@
-See file ChangeLog.0_9_7-stable_not-in-head for explanations.
-This is the "FIPS"-related part.
-
-
-
-2003-07-27 19:00 ben
-
- Changed:
- Configure (1.314.2.85), "Exp", lines: +2 -0
- Makefile.org (1.154.2.67), "Exp", lines: +12 -3
- crypto/cryptlib.c (1.32.2.9), "Exp", lines: +5 -0
- crypto/md32_common.h (1.22.2.4), "Exp", lines: +11 -0
- crypto/aes/Makefile.ssl (1.4.2.6), "Exp", lines: +2 -1
- crypto/aes/aes_core.c (1.1.2.4), "Exp", lines: +4 -0
- crypto/des/des.h (1.40.2.4), "Exp", lines: +1 -1
- crypto/des/des_old.c (1.11.2.4), "Exp", lines: +1 -1
- crypto/des/destest.c (1.30.2.6), "Exp", lines: +2 -2
- crypto/des/ecb3_enc.c (1.8.2.1), "Exp", lines: +1 -3
- crypto/dsa/Makefile.ssl (1.49.2.5), "Exp", lines: +7 -4
- crypto/dsa/dsa_ossl.c (1.12.2.4), "Exp", lines: +2 -0
- crypto/dsa/dsa_sign.c (1.10.2.3), "Exp", lines: +12 -0
- crypto/dsa/dsa_vrf.c (1.10.2.3), "Exp", lines: +8 -0
- crypto/engine/engine.h (1.36.2.6), "Exp", lines: +4 -0
- crypto/err/err.h (1.35.2.3), "Exp", lines: +2 -0
- crypto/err/err_all.c (1.17.2.2), "Exp", lines: +4 -0
- crypto/err/openssl.ec (1.11.2.1), "Exp", lines: +1 -0
- crypto/evp/Makefile.ssl (1.64.2.8), "Exp", lines: +8 -7
- crypto/evp/c_all.c (1.7.8.7), "Exp", lines: +1 -0
- crypto/evp/e_aes.c (1.6.2.4), "Exp", lines: +12 -4
- crypto/evp/e_des3.c (1.8.2.2), "Exp", lines: +1 -1
- crypto/evp/evp.h (1.86.2.10), "Exp", lines: +2 -0
- crypto/evp/evp_err.c (1.23.2.1), "Exp", lines: +3 -1
- crypto/md4/Makefile.ssl (1.6.2.4), "Exp", lines: +7 -4
- crypto/md5/Makefile.ssl (1.33.2.7), "Exp", lines: +7 -4
- crypto/rand/Makefile.ssl (1.56.2.4), "Exp", lines: +17 -15
- crypto/rand/md_rand.c (1.69.2.2), "Exp", lines: +9 -0
- crypto/rand/rand.h (1.26.2.5), "Exp", lines: +2 -0
- crypto/rand/rand_err.c (1.6.2.1), "Exp", lines: +3 -1
- crypto/rand/rand_lib.c (1.15.2.2), "Exp", lines: +11 -0
- crypto/ripemd/Makefile.ssl (1.25.2.5), "Exp", lines: +7 -2
- crypto/sha/Makefile.ssl (1.26.2.5), "Exp", lines: +16 -6
- fips/.cvsignore (1.1.2.1), "Exp", lines: +1 -0
- fips/Makefile.ssl (1.1.2.1), "Exp", lines: +155 -0
- fips/fingerprint.sha1 (1.1.2.1), "Exp", lines: +3 -0
- fips/fips.c (1.1.2.1), "Exp", lines: +74 -0
- fips/fips.h (1.1.2.1), "Exp", lines: +85 -0
- fips/fips_check_sha1 (1.1.2.1), "Exp", lines: +7 -0
- fips/fips_err.c (1.1.2.1), "Exp", lines: +96 -0
- fips/fips_make_sha1 (1.1.2.1), "Exp", lines: +21 -0
- fips/lib (1.1.2.1), "Exp", lines: +0 -0
- fips/aes/.cvsignore (1.1.2.1), "Exp", lines: +4 -0
- fips/aes/Makefile.ssl (1.1.2.1), "Exp", lines: +95 -0
- fips/aes/fingerprint.sha1 (1.1.2.1), "Exp", lines: +2 -0
- fips/aes/fips_aes_core.c (1.1.2.1), "Exp", lines: +1260 -0
- fips/aes/fips_aes_locl.h (1.1.2.1), "Exp", lines: +85 -0
- fips/aes/fips_aesavs.c (1.1.2.1), "Exp", lines: +896 -0
- fips/dsa/.cvsignore (1.1.2.1), "Exp", lines: +2 -0
- fips/dsa/Makefile.ssl (1.1.2.1), "Exp", lines: +95 -0
- fips/dsa/fingerprint.sha1 (1.1.2.1), "Exp", lines: +1 -0
- fips/dsa/fips_dsa_ossl.c (1.1.2.1), "Exp", lines: +366 -0
- fips/dsa/fips_dsatest.c (1.1.2.1), "Exp", lines: +252 -0
- fips/rand/.cvsignore (1.1.2.1), "Exp", lines: +2 -0
- fips/rand/Makefile.ssl (1.1.2.1), "Exp", lines: +94 -0
- fips/rand/fingerprint.sha1 (1.1.2.1), "Exp", lines: +2 -0
- fips/rand/fips_rand.c (1.1.2.1), "Exp", lines: +236 -0
- fips/rand/fips_rand.h (1.1.2.1), "Exp", lines: +55 -0
- fips/rand/fips_randtest.c (1.1.2.1), "Exp", lines: +348 -0
- fips/sha1/.cvsignore (1.1.2.1), "Exp", lines: +3 -0
- fips/sha1/Makefile.ssl (1.1.2.1), "Exp", lines: +94 -0
- fips/sha1/fingerprint.sha1 (1.1.2.1), "Exp", lines: +3 -0
- fips/sha1/fips_md32_common.h (1.1.2.1), "Exp", lines: +637 -0
- fips/sha1/fips_sha1dgst.c (1.1.2.1), "Exp", lines: +76 -0
- fips/sha1/fips_sha1test.c (1.1.2.1), "Exp", lines: +128 -0
- fips/sha1/fips_sha_locl.h (1.1.2.1), "Exp", lines: +472 -0
- fips/sha1/fips_standalone_sha1.c (1.1.2.1), "Exp", lines: +101 -0
- fips/sha1/standalone.sha1 (1.1.2.1), "Exp", lines: +4 -0
- test/Makefile.ssl (1.84.2.29), "Exp", lines: +81 -13
- util/mkerr.pl (1.18.2.4), "Exp", lines: +2 -1
-
- Unfinished FIPS stuff for review/improvement.
-
-2003-07-27 19:19 ben
-
- Changed:
- fips/fips_check_sha1 (1.1.2.2), "Exp", lines: +1 -1
-
- Use unified diff.
-
-2003-07-27 19:23 ben
-
- Changed:
- fips/Makefile.ssl (1.1.2.2), "Exp", lines: +3 -3
- fips/fingerprint.sha1 (1.1.2.2), "Exp", lines: +2 -1
- fips/fips_make_sha1 (1.1.2.2), "Exp", lines: +1 -1
-
- Build in non-FIPS mode.
-
-2003-07-27 23:13 ben
-
- Changed:
- Makefile.org (1.154.2.68), "Exp", lines: +1 -1
- fips/fips_check_sha1 (1.1.2.3), "Exp", lines: +2 -1
- fips/aes/fips_aesavs.c (1.1.2.2), "Exp", lines: +2 -0
- fips/dsa/fips_dsa_ossl.c (1.1.2.2), "Exp", lines: +8 -0
- fips/dsa/fips_dsatest.c (1.1.2.2), "Exp", lines: +2 -1
- fips/sha1/fingerprint.sha1 (1.1.2.2), "Exp", lines: +1 -1
- fips/sha1/fips_sha1dgst.c (1.1.2.2), "Exp", lines: +5 -1
- fips/sha1/fips_standalone_sha1.c (1.1.2.2), "Exp", lines: +2 -0
- fips/sha1/standalone.sha1 (1.1.2.2), "Exp", lines: +1 -1
-
- Build when not FIPS.
-
-2003-07-28 11:56 ben
-
- Changed:
- fips/dsa/fingerprint.sha1 (1.1.2.2), "Exp", lines: +1 -1
- fips/sha1/standalone.sha1 (1.1.2.3), "Exp", lines: +1 -1
-
- New fingerprints.
-
-2003-07-29 16:06 ben
-
- Changed:
- fips/aes/fips_aesavs.c (1.1.2.5), "Exp", lines: +295 -303
-
- Reformat.
-
-2003-07-29 16:34 ben
-
- Changed:
- fips/aes/fips_aesavs.c (1.1.2.6), "Exp", lines: +43 -17
-
- MMT for CFB1
-
-2003-07-29 17:17 ben
-
- Changed:
- fips/fips_err_wrapper.c (1.1.2.1), "Exp", lines: +5 -0
- fips/sha1/sha1hashes.txt (1.1.2.1), "Exp", lines: +342 -0
- fips/sha1/sha1vectors.txt (1.1.2.1), "Exp", lines: +2293 -0
-
- Missing files.
-
-2003-07-31 23:30 levitte
-
- Changed:
- Makefile.org (1.154.2.71), "Exp", lines: +2 -0
-
- If FDIRS is to be treated like SDIRS, let's not forget to
- initialize it in Makefile.org.
-
-2003-07-31 23:41 levitte
-
- Changed:
- fips/sha1/fips_sha1test.c (1.1.2.2), "Exp", lines: +3 -3
-
- No C++ comments in C programs!
-
-2003-08-01 15:07 steve
-
- Changed:
- fips/aes/fips_aesavs.c (1.1.2.8), "Exp", lines: +3 -3
-
- Replace C++ style comments.
-
-2003-08-03 14:22 ben
-
- Changed:
- fips/des/fips_desmovs.c (1.1.2.2), "Exp", lines: +55 -37
-
- Make tests work (CFB1 still doesn't produce the right answers,
- strangely).
-
-2003-08-08 12:08 levitte
-
- Changed:
- fips/des/fips_des_enc.c (1.1.2.2), "Exp", lines: +9 -0
-
- Avoid clashing with the regular DES functions when not compiling
- with -DFIPS. This is basically only visible when building with
- shared library supoort...
-
-2003-08-11 11:36 levitte
-
- Deleted:
- fips/sha1/.cvsignore (1.1.2.2)
- fips/sha1/Makefile.ssl (1.1.2.3)
- fips/sha1/fingerprint.sha1 (1.1.2.3)
- fips/sha1/fips_md32_common.h (1.1.2.2)
- fips/sha1/fips_sha1dgst.c (1.1.2.3)
- fips/sha1/fips_sha1test.c (1.1.2.3)
- fips/sha1/fips_sha_locl.h (1.1.2.2)
- fips/sha1/fips_standalone_sha1.c (1.1.2.3)
- fips/sha1/sha1hashes.txt (1.1.2.2)
- fips/sha1/sha1vectors.txt (1.1.2.2)
- fips/sha1/standalone.sha1 (1.1.2.4)
- fips/dsa/.cvsignore (1.1.2.2)
- fips/dsa/Makefile.ssl (1.1.2.2)
- fips/dsa/fingerprint.sha1 (1.1.2.3)
- fips/dsa/fips_dsa_ossl.c (1.1.2.3)
- fips/dsa/fips_dsatest.c (1.1.2.3)
- fips/rand/.cvsignore (1.1.2.2)
- fips/rand/Makefile.ssl (1.1.2.2)
- fips/rand/fingerprint.sha1 (1.1.2.2)
- fips/rand/fips_rand.c (1.1.2.2)
- fips/rand/fips_rand.h (1.1.2.2)
- fips/rand/fips_randtest.c (1.1.2.2)
- fips/des/.cvsignore (1.1.2.2)
- fips/des/Makefile.ssl (1.1.2.3)
- fips/des/fingerprint.sha1 (1.1.2.2)
- fips/des/fips_des_enc.c (1.1.2.3)
- fips/des/fips_des_locl.h (1.1.2.2)
- fips/des/fips_desmovs.c (1.1.2.3)
- fips/aes/.cvsignore (1.1.2.2)
- fips/aes/Makefile.ssl (1.1.2.5)
- fips/aes/fingerprint.sha1 (1.1.2.2)
- fips/aes/fips_aes_core.c (1.1.2.2)
- fips/aes/fips_aes_locl.h (1.1.2.2)
- fips/aes/fips_aesavs.c (1.1.2.9)
- fips/.cvsignore (1.1.2.2)
- fips/Makefile.ssl (1.1.2.6)
- fips/fingerprint.sha1 (1.1.2.3)
- fips/fips.c (1.1.2.2)
- fips/fips.h (1.1.2.2)
- fips/fips_check_sha1 (1.1.2.4)
- fips/fips_err.c (1.1.2.2)
- fips/fips_err_wrapper.c (1.1.2.2)
- fips/fips_make_sha1 (1.1.2.4)
- fips/lib (1.1.2.2)
- Changed:
- util/libeay.num (1.173.2.16), "Exp", lines: +11 -38
- util/mkerr.pl (1.18.2.5), "Exp", lines: +1 -2
- test/Makefile.ssl (1.84.2.31), "Exp", lines: +54 -180
- crypto/ripemd/Makefile.ssl (1.25.2.6), "Exp", lines: +2 -7
- crypto/sha/Makefile.ssl (1.26.2.6), "Exp", lines: +6 -16
- crypto/rand/Makefile.ssl (1.56.2.5), "Exp", lines: +15 -17
- crypto/rand/md_rand.c (1.69.2.3), "Exp", lines: +0 -9
- crypto/rand/rand.h (1.26.2.6), "Exp", lines: +0 -2
- crypto/rand/rand_err.c (1.6.2.2), "Exp", lines: +1 -3
- crypto/rand/rand_lib.c (1.15.2.3), "Exp", lines: +0 -11
- crypto/objects/obj_dat.h (1.49.2.18), "Exp", lines: +3 -27
- crypto/objects/obj_mac.h (1.19.2.18), "Exp", lines: +0 -32
- crypto/objects/obj_mac.num (1.15.2.14), "Exp", lines: +0 -8
- crypto/objects/objects.txt (1.20.2.19), "Exp", lines: +0 -11
- crypto/md4/Makefile.ssl (1.6.2.5), "Exp", lines: +4 -7
- crypto/md5/Makefile.ssl (1.33.2.8), "Exp", lines: +4 -7
- crypto/evp/Makefile.ssl (1.64.2.9), "Exp", lines: +7 -8
- crypto/evp/c_allc.c (1.8.2.6), "Exp", lines: +0 -4
- crypto/evp/e_aes.c (1.6.2.9), "Exp", lines: +4 -22
- crypto/evp/e_des.c (1.5.2.5), "Exp", lines: +2 -43
- crypto/evp/e_des3.c (1.8.2.4), "Exp", lines: +3 -3
- crypto/evp/evp.h (1.86.2.13), "Exp", lines: +11 -36
- crypto/evp/evp_err.c (1.23.2.2), "Exp", lines: +1 -3
- crypto/evp/evp_lib.c (1.6.8.3), "Exp", lines: +0 -24
- crypto/evp/evp_locl.h (1.7.2.5), "Exp", lines: +2 -11
- crypto/evp/evp_test.c (1.14.2.12), "Exp", lines: +8 -17
- crypto/evp/evptests.txt (1.9.2.6), "Exp", lines: +1 -106
- crypto/dsa/Makefile.ssl (1.49.2.7), "Exp", lines: +6 -10
- crypto/dsa/dsa_ossl.c (1.12.2.5), "Exp", lines: +0 -2
- crypto/dsa/dsa_sign.c (1.10.2.4), "Exp", lines: +0 -12
- crypto/dsa/dsa_vrf.c (1.10.2.4), "Exp", lines: +0 -8
- crypto/err/Makefile.ssl (1.48.2.5), "Exp", lines: +16 -17
- crypto/err/err.h (1.35.2.4), "Exp", lines: +0 -2
- crypto/err/err_all.c (1.17.2.3), "Exp", lines: +0 -4
- crypto/err/openssl.ec (1.11.2.2), "Exp", lines: +0 -1
- crypto/des/des.h (1.40.2.5), "Exp", lines: +1 -1
- crypto/des/des_enc.c (1.11.2.3), "Exp", lines: +0 -4
- crypto/des/des_old.c (1.11.2.5), "Exp", lines: +1 -1
- crypto/des/destest.c (1.30.2.7), "Exp", lines: +2 -2
- crypto/des/ecb3_enc.c (1.8.2.2), "Exp", lines: +3 -1
- crypto/aes/Makefile.ssl (1.4.2.7), "Exp", lines: +1 -2
- crypto/aes/aes.h (1.1.2.8), "Exp", lines: +0 -9
- crypto/aes/aes_cfb.c (1.1.2.8), "Exp", lines: +0 -93
- crypto/aes/aes_core.c (1.1.2.5), "Exp", lines: +0 -4
- crypto/cryptlib.c (1.32.2.10), "Exp", lines: +0 -5
- crypto/md32_common.h (1.22.2.5), "Exp", lines: +0 -11
- Configure (1.314.2.86), "Exp", lines: +0 -2
- Makefile.org (1.154.2.72), "Exp", lines: +8 -34
- TABLE (1.99.2.30), "Exp", lines: +0 -50
-
- A new branch for FIPS-related changes has been created with the
- name OpenSSL-fips-0_9_7-stable.
-
- Since the 0.9.7-stable branch is supposed to be in freeze
- and should only contain bug corrections, this change removes the
- FIPS changes from that branch.
-
-2004-05-11 14:44 ben
-
- Deleted:
- apps/Makefile.ssl (1.100.2.27)
- crypto/Makefile.ssl (1.84.2.12)
- crypto/aes/Makefile.ssl (1.4.2.9)
- crypto/asn1/Makefile.ssl (1.77.2.7)
- crypto/bf/Makefile.ssl (1.25.2.6)
- crypto/bio/Makefile.ssl (1.52.2.4)
- crypto/bn/Makefile.ssl (1.65.2.9)
- crypto/buffer/Makefile.ssl (1.32.2.4)
- crypto/cast/Makefile.ssl (1.31.2.6)
- crypto/comp/Makefile.ssl (1.32.2.4)
- crypto/conf/Makefile.ssl (1.38.2.8)
- crypto/des/Makefile.ssl (1.61.2.13)
- crypto/dh/Makefile.ssl (1.43.2.5)
- crypto/dsa/Makefile.ssl (1.49.2.9)
- crypto/dso/Makefile.ssl (1.11.2.4)
- crypto/ec/Makefile.ssl (1.7.2.4)
- crypto/engine/Makefile.ssl (1.30.2.13)
- crypto/err/Makefile.ssl (1.48.2.7)
- crypto/evp/Makefile.ssl (1.64.2.12)
- crypto/hmac/Makefile.ssl (1.33.2.6)
- crypto/idea/Makefile.ssl (1.20.2.4)
- crypto/krb5/Makefile.ssl (1.5.2.6)
- crypto/lhash/Makefile.ssl (1.28.2.4)
- crypto/md2/Makefile.ssl (1.29.2.5)
- crypto/md4/Makefile.ssl (1.6.2.7)
- crypto/md5/Makefile.ssl (1.33.2.10)
- crypto/mdc2/Makefile.ssl (1.30.2.4)
- crypto/objects/Makefile.ssl (1.46.2.6)
- crypto/ocsp/Makefile.ssl (1.19.2.7)
- crypto/pem/Makefile.ssl (1.51.2.5)
- crypto/pkcs12/Makefile.ssl (1.37.2.5)
- crypto/pkcs7/Makefile.ssl (1.47.2.5)
- crypto/rand/Makefile.ssl (1.56.2.8)
- crypto/rc2/Makefile.ssl (1.20.2.4)
- crypto/rc4/Makefile.ssl (1.25.2.6)
- crypto/rc5/Makefile.ssl (1.22.2.6)
- crypto/ripemd/Makefile.ssl (1.25.2.9)
- crypto/rsa/Makefile.ssl (1.53.2.6)
- crypto/sha/Makefile.ssl (1.26.2.9)
- crypto/stack/Makefile.ssl (1.28.2.4)
- crypto/txt_db/Makefile.ssl (1.26.2.4)
- crypto/ui/Makefile.ssl (1.10.2.6)
- crypto/x509/Makefile.ssl (1.56.2.5)
- crypto/x509v3/Makefile.ssl (1.62.2.5)
- ssl/Makefile.ssl (1.53.2.11)
- test/Makefile.ssl (1.84.2.36)
- tools/Makefile.ssl (1.9.2.4)
- Changed:
- .cvsignore (1.7.6.2), "Exp", lines: +2 -1
- Configure (1.314.2.92), "Exp", lines: +38 -8
- FAQ (1.61.2.31), "Exp", lines: +1 -1
- INSTALL (1.45.2.9), "Exp", lines: +2 -2
- INSTALL.W32 (1.30.2.14), "Exp", lines: +9 -4
- Makefile.org (1.154.2.78), "Exp", lines: +51 -19
- PROBLEMS (1.4.2.10), "Exp", lines: +2 -2
- e_os.h (1.56.2.17), "Exp", lines: +20 -1
- apps/.cvsignore (1.5.8.1), "Exp", lines: +1 -0
- apps/Makefile (1.1.4.1), "Exp", lines: +1147 -0
- apps/apps.c (1.49.2.27), "Exp", lines: +0 -10
- apps/ca.c (1.102.2.31), "Exp", lines: +0 -10
- apps/dgst.c (1.23.2.10), "Exp", lines: +39 -11
- apps/openssl.c (1.48.2.9), "Exp", lines: +19 -0
- crypto/Makefile (1.1.4.1), "Exp", lines: +217 -0
- crypto/cryptlib.c (1.32.2.11), "Exp", lines: +5 -0
- crypto/crypto-lib.com (1.53.2.12), "Exp", lines: +1 -1
- crypto/md32_common.h (1.22.2.6), "Exp", lines: +12 -0
- crypto/aes/Makefile (1.1.4.1), "Exp", lines: +102 -0
- crypto/aes/aes.h (1.1.2.9), "Exp", lines: +9 -0
- crypto/aes/aes_cfb.c (1.1.2.9), "Exp", lines: +93 -0
- crypto/aes/aes_core.c (1.1.2.6), "Exp", lines: +4 -0
- crypto/asn1/Makefile (1.1.4.1), "Exp", lines: +1150 -0
- crypto/bf/Makefile (1.1.4.1), "Exp", lines: +113 -0
- crypto/bio/Makefile (1.1.4.1), "Exp", lines: +214 -0
- crypto/bio/bio.h (1.56.2.6), "Exp", lines: +1 -0
- crypto/bn/Makefile (1.1.4.1), "Exp", lines: +324 -0
- crypto/bn/bntest.c (1.55.2.4), "Exp", lines: +1 -1
- crypto/buffer/Makefile (1.1.4.1), "Exp", lines: +92 -0
- crypto/cast/Makefile (1.1.4.1), "Exp", lines: +118 -0
- crypto/cast/asm/.cvsignore (1.2.8.1), "Exp", lines: +1 -0
- crypto/comp/Makefile (1.1.4.1), "Exp", lines: +112 -0
- crypto/conf/Makefile (1.1.4.1), "Exp", lines: +181 -0
- crypto/des/Makefile (1.1.4.1), "Exp", lines: +314 -0
- crypto/des/cfb64ede.c (1.6.2.4), "Exp", lines: +111 -0
- crypto/des/des.h (1.40.2.6), "Exp", lines: +5 -1
- crypto/des/des_enc.c (1.11.2.4), "Exp", lines: +8 -0
- crypto/des/des_old.c (1.11.2.6), "Exp", lines: +1 -1
- crypto/des/destest.c (1.30.2.8), "Exp", lines: +2 -2
- crypto/des/ecb3_enc.c (1.8.2.3), "Exp", lines: +1 -3
- crypto/des/set_key.c (1.18.2.2), "Exp", lines: +4 -0
- crypto/dh/Makefile (1.1.4.1), "Exp", lines: +131 -0
- crypto/dsa/Makefile (1.1.4.1), "Exp", lines: +173 -0
- crypto/dsa/dsa_gen.c (1.19.2.1), "Exp", lines: +4 -1
- crypto/dsa/dsa_key.c (1.9.2.1), "Exp", lines: +2 -0
- crypto/dsa/dsa_ossl.c (1.12.2.6), "Exp", lines: +2 -0
- crypto/dsa/dsa_sign.c (1.10.2.5), "Exp", lines: +12 -0
- crypto/dsa/dsa_vrf.c (1.10.2.5), "Exp", lines: +8 -0
- crypto/dso/Makefile (1.1.4.1), "Exp", lines: +140 -0
- crypto/ec/Makefile (1.1.4.1), "Exp", lines: +126 -0
- crypto/engine/Makefile (1.1.4.1), "Exp", lines: +536 -0
- crypto/engine/hw_cryptodev.c (1.1.2.6), "Exp", lines: +6 -2
- crypto/err/Makefile (1.1.4.1), "Exp", lines: +118 -0
- crypto/err/err.h (1.35.2.6), "Exp", lines: +2 -0
- crypto/err/err_all.c (1.17.2.4), "Exp", lines: +4 -0
- crypto/err/openssl.ec (1.11.2.3), "Exp", lines: +1 -0
- crypto/evp/Makefile (1.1.4.1), "Exp", lines: +1057 -0
- crypto/evp/bio_md.c (1.11.2.1), "Exp", lines: +6 -0
- crypto/evp/c_allc.c (1.8.2.7), "Exp", lines: +8 -0
- crypto/evp/e_aes.c (1.6.2.10), "Exp", lines: +22 -4
- crypto/evp/e_des.c (1.5.2.8), "Exp", lines: +36 -3
- crypto/evp/e_des3.c (1.8.2.7), "Exp", lines: +43 -4
- crypto/evp/evp.h (1.86.2.15), "Exp", lines: +39 -11
- crypto/evp/evp_err.c (1.23.2.3), "Exp", lines: +3 -1
- crypto/evp/evp_lib.c (1.6.8.4), "Exp", lines: +24 -0
- crypto/evp/evp_locl.h (1.7.2.6), "Exp", lines: +11 -2
- crypto/evp/evp_test.c (1.14.2.13), "Exp", lines: +17 -8
- crypto/evp/evptests.txt (1.9.2.7), "Exp", lines: +106 -1
- crypto/hmac/Makefile (1.1.4.1), "Exp", lines: +99 -0
- crypto/idea/Makefile (1.1.4.1), "Exp", lines: +89 -0
- crypto/krb5/Makefile (1.1.4.1), "Exp", lines: +88 -0
- crypto/lhash/Makefile (1.1.4.1), "Exp", lines: +91 -0
- crypto/md2/Makefile (1.1.4.1), "Exp", lines: +91 -0
- crypto/md4/Makefile (1.1.4.1), "Exp", lines: +93 -0
- crypto/md5/Makefile (1.1.4.1), "Exp", lines: +129 -0
- crypto/mdc2/Makefile (1.1.4.1), "Exp", lines: +96 -0
- crypto/objects/Makefile (1.1.4.1), "Exp", lines: +121 -0
- crypto/objects/obj_dat.h (1.49.2.19), "Exp", lines: +33 -3
- crypto/objects/obj_mac.h (1.19.2.19), "Exp", lines: +40 -0
- crypto/objects/obj_mac.num (1.15.2.15), "Exp", lines: +10 -0
- crypto/objects/objects.txt (1.20.2.20), "Exp", lines: +13 -0
- crypto/ocsp/Makefile (1.1.4.1), "Exp", lines: +291 -0
- crypto/pem/Makefile (1.1.4.1), "Exp", lines: +334 -0
- crypto/pkcs12/Makefile (1.1.4.1), "Exp", lines: +415 -0
- crypto/pkcs7/Makefile (1.1.4.1), "Exp", lines: +241 -0
- crypto/rand/Makefile (1.1.4.1), "Exp", lines: +196 -0
- crypto/rand/md_rand.c (1.69.2.4), "Exp", lines: +9 -0
- crypto/rand/rand.h (1.26.2.7), "Exp", lines: +3 -0
- crypto/rand/rand_err.c (1.6.2.3), "Exp", lines: +4 -1
- crypto/rand/rand_lib.c (1.15.2.4), "Exp", lines: +11 -0
- crypto/rc2/Makefile (1.1.4.1), "Exp", lines: +89 -0
- crypto/rc4/Makefile (1.1.4.1), "Exp", lines: +108 -0
- crypto/rc5/Makefile (1.1.4.1), "Exp", lines: +106 -0
- crypto/ripemd/Makefile (1.1.4.1), "Exp", lines: +111 -0
- crypto/rsa/Makefile (1.1.4.1), "Exp", lines: +239 -0
- crypto/rsa/rsa_eay.c (1.28.2.9), "Exp", lines: +1 -1
- crypto/rsa/rsa_gen.c (1.8.6.1), "Exp", lines: +3 -0
- crypto/sha/Makefile (1.1.4.1), "Exp", lines: +118 -0
- crypto/sha/sha1dgst.c (1.21.2.1), "Exp", lines: +8 -0
- crypto/stack/Makefile (1.1.4.1), "Exp", lines: +86 -0
- crypto/txt_db/Makefile (1.1.4.1), "Exp", lines: +86 -0
- crypto/ui/Makefile (1.1.4.1), "Exp", lines: +115 -0
- crypto/x509/Makefile (1.1.4.1), "Exp", lines: +592 -0
- crypto/x509v3/Makefile (1.1.4.1), "Exp", lines: +601 -0
- fips/Makefile (1.1.4.1), "Exp", lines: +202 -0
- fips/fingerprint.sha1 (1.1.2.4), "Exp", lines: +4 -4
- fips/fips.c (1.1.2.3), "Exp", lines: +120 -5
- fips/fips.h (1.1.2.3), "Exp", lines: +42 -2
- fips/fips_check_sha1 (1.1.2.5), "Exp", lines: +2 -2
- fips/fips_err.h (1.1.4.1), "Exp", lines: +117 -0
- fips/fips_err_wrapper.c (1.1.2.3), "Exp", lines: +4 -2
- fips/fips_locl.h (1.1.4.1), "Exp", lines: +62 -0
- fips/fips_make_sha1 (1.1.2.5), "Exp", lines: +9 -6
- fips/fips_test_suite.c (1.1.4.1), "Exp", lines: +302 -0
- fips/openssl_fips_fingerprint (1.1.4.1), "Exp", lines: +25 -0
- fips/aes/Makefile (1.1.4.1), "Exp", lines: +131 -0
- fips/aes/fingerprint.sha1 (1.1.2.3), "Exp", lines: +3 -2
- fips/aes/fips_aes_core.c (1.1.2.3), "Exp", lines: +5 -2
- fips/aes/fips_aes_locl.h (1.1.2.3), "Exp", lines: +0 -0
- fips/aes/fips_aes_selftest.c (1.1.4.1), "Exp", lines: +112 -0
- fips/aes/fips_aesavs.c (1.1.2.10), "Exp", lines: +12 -6
- fips/des/Makefile (1.1.4.1), "Exp", lines: +155 -0
- fips/des/fingerprint.sha1 (1.1.2.3), "Exp", lines: +5 -2
- fips/des/fips_des_enc.c (1.1.2.4), "Exp", lines: +16 -3
- fips/des/fips_des_locl.h (1.1.2.3), "Exp", lines: +1 -1
- fips/des/fips_des_selftest.c (1.1.4.1), "Exp", lines: +200 -0
- fips/des/fips_desmovs.c (1.1.2.4), "Exp", lines: +186 -79
- fips/des/fips_set_key.c (1.1.4.1), "Exp", lines: +415 -0
- fips/des/asm/fips-dx86-elf.s (1.1.4.1), "Exp", lines: +2697 -0
- fips/dsa/Makefile (1.1.4.1), "Exp", lines: +159 -0
- fips/dsa/fingerprint.sha1 (1.1.2.4), "Exp", lines: +3 -1
- fips/dsa/fips_dsa_gen.c (1.1.4.1), "Exp", lines: +373 -0
- fips/dsa/fips_dsa_ossl.c (1.1.2.4), "Exp", lines: +16 -3
- fips/dsa/fips_dsa_selftest.c (1.1.4.1), "Exp", lines: +168 -0
- fips/dsa/fips_dsatest.c (1.1.2.4), "Exp", lines: +10 -6
- fips/dsa/fips_dssvs.c (1.1.4.1), "Exp", lines: +306 -0
- fips/rand/Makefile (1.1.4.1), "Exp", lines: +104 -0
- fips/rand/fingerprint.sha1 (1.1.2.3), "Exp", lines: +2 -2
- fips/rand/fips_rand.c (1.1.2.3), "Exp", lines: +60 -10
- fips/rand/fips_rand.h (1.1.2.3), "Exp", lines: +19 -1
- fips/rand/fips_randtest.c (1.1.2.3), "Exp", lines: +31 -10
- fips/rsa/Makefile (1.1.4.1), "Exp", lines: +112 -0
- fips/rsa/fingerprint.sha1 (1.1.4.1), "Exp", lines: +3 -0
- fips/rsa/fips_rsa_eay.c (1.1.4.1), "Exp", lines: +735 -0
- fips/rsa/fips_rsa_gen.c (1.1.4.1), "Exp", lines: +249 -0
- fips/rsa/fips_rsa_selftest.c (1.1.4.1), "Exp", lines: +207 -0
- fips/sha1/.cvsignore (1.1.2.3), "Exp", lines: +1 -2
- fips/sha1/Makefile (1.1.4.1), "Exp", lines: +158 -0
- fips/sha1/fingerprint.sha1 (1.1.2.4), "Exp", lines: +5 -3
- fips/sha1/fips_md32_common.h (1.1.2.3), "Exp", lines: +0 -0
- fips/sha1/fips_sha1_selftest.c (1.1.4.1), "Exp", lines: +97 -0
- fips/sha1/fips_sha1dgst.c (1.1.2.4), "Exp", lines: +4 -4
- fips/sha1/fips_sha1test.c (1.1.2.4), "Exp", lines: +17 -0
- fips/sha1/fips_sha_locl.h (1.1.2.3), "Exp", lines: +7 -0
- fips/sha1/fips_standalone_sha1.c (1.1.2.4), "Exp", lines: +60 -7
- fips/sha1/sha1hashes.txt (1.1.2.3), "Exp", lines: +0 -0
- fips/sha1/sha1vectors.txt (1.1.2.3), "Exp", lines: +0 -0
- fips/sha1/standalone.sha1 (1.1.2.5), "Exp", lines: +6 -4
- fips/sha1/asm/sx86-elf.s (1.1.4.1), "Exp", lines: +1568 -0
- ms/do_masm.bat (1.1.8.2), "Exp", lines: +12 -10
- ms/do_ms.bat (1.4.8.2), "Exp", lines: +11 -11
- ms/do_nasm.bat (1.1.8.2), "Exp", lines: +12 -11
- ms/do_nt.bat (1.2.8.1), "Exp", lines: +4 -4
- shlib/hpux10-cc.sh (1.3.2.2), "Exp", lines: +3 -3
- ssl/Makefile (1.1.4.1), "Exp", lines: +1019 -0
- ssl/s3_clnt.c (1.53.2.16), "Exp", lines: +10 -0
- ssl/s3_srvr.c (1.85.2.21), "Exp", lines: +9 -0
- ssl/ssl_cert.c (1.48.2.7), "Exp", lines: +9 -0
- ssl/ssl_lib.c (1.110.2.12), "Exp", lines: +13 -1
- ssl/ssltest.c (1.53.2.23), "Exp", lines: +33 -1
- ssl/t1_enc.c (1.27.2.8), "Exp", lines: +19 -1
- test/.cvsignore (1.4.8.1), "Exp", lines: +4 -0
- test/Makefile (1.1.4.1), "Exp", lines: +941 -0
- test/bctest (1.14.2.1), "Exp", lines: +1 -1
- test/testenc (1.3.8.1), "Exp", lines: +1 -1
- test/testfipsssl (1.1.4.1), "Exp", lines: +113 -0
- tools/Makefile (1.1.4.1), "Exp", lines: +61 -0
- util/cygwin.sh (1.1.2.5), "Exp", lines: +3 -3
- util/domd (1.6.2.3), "Exp", lines: +5 -5
- util/fixNT.sh (1.1.1.2.8.1), "Exp", lines: +3 -3
- util/libeay.num (1.173.2.19), "Exp", lines: +55 -11
- util/mk1mf.pl (1.41.2.10), "Exp", lines: +6 -4
- util/mkdef.pl (1.67.2.7), "Exp", lines: +11 -4
- util/mkerr.pl (1.18.2.6), "Exp", lines: +2 -1
- util/mkfiles.pl (1.12.2.1), "Exp", lines: +8 -1
- util/pod2mantest (1.1.2.7), "Exp", lines: +1 -1
- util/selftest.pl (1.18.2.1), "Exp", lines: +2 -2
- util/pl/BC-16.pl (1.2.2.1), "Exp", lines: +1 -1
- util/pl/BC-32.pl (1.11.2.4), "Exp", lines: +1 -1
- util/pl/Mingw32.pl (1.12.6.5), "Exp", lines: +1 -1
- util/pl/OS2-EMX.pl (1.1.2.3), "Exp", lines: +1 -1
- util/pl/VC-16.pl (1.3.2.1), "Exp", lines: +2 -2
- util/pl/VC-32.pl (1.11.2.3), "Exp", lines: +2 -2
- util/pl/VC-CE.pl (1.1.2.5), "Exp", lines: +1 -1
- util/pl/ultrix.pl (1.2.8.1), "Exp", lines: +1 -1
-
- Pull FIPS back into stable.
-
-2004-05-12 10:27 levitte
-
- Changed:
- apps/Makefile (1.1.4.2), "Exp", lines: +3 -1
-
- Only check for FIPS signatures when FIPS is enabled.
-
-2004-05-12 10:28 levitte
-
- Changed:
- crypto/des/FILES0 (1.1.4.2), "Exp", lines: +1 -1
-
- Makefile.ssl changed name to Makefile.
-
-2004-05-12 10:28 levitte
-
- Changed:
- fips/rand/fips_rand.c (1.1.2.4), "Exp", lines: +5 -1
-
- Only really build this file when OPENSSL_FIPS is defined. And oh,
- let's keep internal variables static.
-
-2004-05-12 10:42 levitte
-
- Changed:
- fips/rand/fingerprint.sha1 (1.1.2.4), "Exp", lines: +1 -1
-
- I forgot to modify the signature for fips_rand.c...
-
-2004-05-12 10:46 levitte
-
- Changed:
- fips/rsa/.cvsignore (1.1.4.1), "Exp", lines: +1 -0
- fips/.cvsignore (1.1.2.3), "Exp", lines: +1 -1
- fips/aes/.cvsignore (1.1.2.3), "Exp", lines: +0 -3
- fips/des/.cvsignore (1.1.2.3), "Exp", lines: +0 -2
- fips/dsa/.cvsignore (1.1.2.3), "Exp", lines: +0 -1
- fips/rand/.cvsignore (1.1.2.3), "Exp", lines: +0 -1
-
- Ignore the 'lib' timestamp file.
-
-2004-05-12 12:07 levitte
-
- Changed:
- fips/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
- fips/aes/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
- fips/des/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
- fips/dsa/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
- fips/rand/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
- fips/rsa/.cvsignore (1.1.4.2), "Exp", lines: +1 -0
- fips/sha1/.cvsignore (1.1.2.4), "Exp", lines: +1 -0
-
- Ignore 'Makefile.save'
-
-2004-05-12 16:11 ben
-
- Changed:
- crypto/rand/rand.h (1.26.2.8), "Exp", lines: +2 -0
- crypto/rand/rand_err.c (1.6.2.4), "Exp", lines: +2 -0
- fips/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
- fips/fips.c (1.1.2.4), "Exp", lines: +5 -1
- fips/rand/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
- fips/rand/fips_rand.c (1.1.2.5), "Exp", lines: +29 -0
-
- Blow up in people's faces if they don't reseed.
-
-2004-05-15 19:51 ben
-
- Changed:
- crypto/dh/dh.h (1.23.2.6), "Exp", lines: +1 -0
- crypto/dh/dh_err.c (1.6.2.3), "Exp", lines: +2 -1
- crypto/dh/dh_gen.c (1.8.8.2), "Exp", lines: +9 -0
- fips/fips_test_suite.c (1.1.4.2), "Exp", lines: +4 -3
- fips/aes/fips_aesavs.c (1.1.2.11), "Exp", lines: +49 -1
- fips/des/fingerprint.sha1 (1.1.2.4), "Exp", lines: +1 -1
- fips/des/fips_desmovs.c (1.1.2.5), "Exp", lines: +49 -1
- fips/des/fips_set_key.c (1.1.4.2), "Exp", lines: +2 -0
- fips/sha1/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
- fips/sha1/fips_md32_common.h (1.1.2.4), "Exp", lines: +3 -0
- fips/sha1/standalone.sha1 (1.1.2.6), "Exp", lines: +1 -1
-
- Fix self-tests, ban some things in FIPS mode, fix copyrights.
-
-2004-05-17 06:28 levitte
-
- Changed:
- util/mk1mf.pl (1.41.2.11), "Exp", lines: +8 -2
- util/pl/BC-16.pl (1.2.2.2), "Exp", lines: +9 -4
- util/pl/BC-32.pl (1.11.2.5), "Exp", lines: +8 -3
- util/pl/Mingw32.pl (1.12.6.6), "Exp", lines: +7 -2
- util/pl/OS2-EMX.pl (1.1.2.4), "Exp", lines: +7 -2
- util/pl/VC-16.pl (1.3.2.2), "Exp", lines: +7 -2
- util/pl/VC-32.pl (1.11.2.4), "Exp", lines: +7 -2
- util/pl/VC-CE.pl (1.1.2.6), "Exp", lines: +7 -2
- util/pl/linux.pl (1.3.6.1), "Exp", lines: +7 -2
- util/pl/ultrix.pl (1.2.8.2), "Exp", lines: +7 -2
- util/pl/unix.pl (1.2.8.1), "Exp", lines: +7 -2
-
- Generate SHA1 files on Windows and other platforms supported by
- mk1mf.pl, when building in FIPS mode.
-
- Note: UNTESTED!
-
-2004-05-17 06:30 levitte
-
- Changed:
- apps/apps.h (1.44.2.14), "Exp", lines: +3 -0
- apps/openssl.c (1.48.2.10), "Exp", lines: +9 -5
-
- Make sure the applications know when we are running in FIPS mode.
- We can't use the variable in libcrypto, since it's supposedly
- unknown.
-
- Note: currently only supported in MONOLITH mode.
-
-2004-05-17 06:31 levitte
-
- Changed:
- apps/enc.c (1.35.2.9), "Exp", lines: +10 -1
-
- When in FIPS mode, use SHA1 to digest the key, rather than MD5, as
- MD5 isn't a FIPS-approved algorithm.
-
- Note: this means the user needs to keep track of this, and
- we need to add support for that...
-
-2004-05-19 16:16 levitte
-
- Changed:
- fips/rsa/fingerprint.sha1 (1.1.4.2), "Exp", lines: +2 -2
- fips/rsa/fips_rsa_eay.c (1.1.4.2), "Exp", lines: +8 -8
- fips/rsa/fips_rsa_gen.c (1.1.4.2), "Exp", lines: +1 -1
- fips/dsa/fingerprint.sha1 (1.1.2.5), "Exp", lines: +2 -2
- fips/dsa/fips_dsa_gen.c (1.1.4.2), "Exp", lines: +2 -2
- fips/dsa/fips_dsa_ossl.c (1.1.2.5), "Exp", lines: +4 -4
- fips/aes/fingerprint.sha1 (1.1.2.4), "Exp", lines: +1 -1
- fips/aes/fips_aes_core.c (1.1.2.4), "Exp", lines: +5 -5
- crypto/rsa/rsa.h (1.36.2.11), "Exp", lines: +4 -0
- crypto/aes/aes.h (1.1.2.10), "Exp", lines: +6 -0
- crypto/dsa/dsa.h (1.26.2.5), "Exp", lines: +4 -0
-
- Define FIPS_*_SIZE_T for AES, DSA and RSA as well, in preparation
- for size_t-ification of those algorithms in future version of
- OpenSSL...
-
-2004-05-27 11:33 levitte
-
- Changed:
- makevms.com (1.35.2.3), "Exp", lines: +27 -0
-
- Copy the FIPS files to the temporary openssl include directory.
-
-2004-05-27 12:04 levitte
-
- Changed:
- fips/fips-lib.com (1.1.2.1), "Exp", lines: +1179 -0
- makevms.com (1.35.2.4), "Exp", lines: +8 -0
-
- Compile the FIPS directory on VMS as well. fips-lib.com is
- essentially a copy of crypto-lib.com, with just a few edits.
-
-2004-05-27 12:07 levitte
-
- Changed:
- fips/install.com (1.1.2.1), "Exp", lines: +55 -0
- install.com (1.4.2.2), "Exp", lines: +6 -6
-
- Run an installation of FIPS stuff as well.
-
-2004-05-27 12:19 levitte
-
- Changed:
- test/maketests.com (1.13.2.5), "Exp", lines: +3 -3
- apps/makeapps.com (1.18.2.5), "Exp", lines: +3 -3
-
- Make sure o_str.h is reachable.
-
-2004-06-19 15:15 ben
-
- Changed:
- Makefile.org (1.154.2.80), "Exp", lines: +1 -1
- crypto/dh/dh.h (1.23.2.7), "Exp", lines: +0 -1
- crypto/dh/dh_check.c (1.6.2.1), "Exp", lines: +4 -0
- crypto/dh/dh_err.c (1.6.2.4), "Exp", lines: +0 -1
- crypto/dh/dh_gen.c (1.8.8.3), "Exp", lines: +5 -9
- crypto/dh/dh_key.c (1.16.2.3), "Exp", lines: +4 -0
- fips/Makefile (1.1.4.2), "Exp", lines: +13 -14
- fips/fingerprint.sha1 (1.1.2.6), "Exp", lines: +2 -2
- fips/fips.h (1.1.2.4), "Exp", lines: +1 -0
- fips/fips_err.h (1.1.4.2), "Exp", lines: +1 -0
- fips/fips_make_sha1 (1.1.2.6), "Exp", lines: +3 -0
- fips/fips_test_suite.c (1.1.4.3), "Exp", lines: +13 -9
- fips/openssl_fips_fingerprint (1.1.4.2), "Exp", lines: +1 -2
-
- The version that was actually submitted for FIPS testing.
-
-2004-06-19 15:16 ben
-
- Changed:
- fips/dh/Makefile (1.1.2.1), "Exp", lines: +92 -0
- fips/dh/fingerprint.sha1 (1.1.2.1), "Exp", lines: +3 -0
- fips/dh/fips_dh_check.c (1.1.2.1), "Exp", lines: +119 -0
- fips/dh/fips_dh_gen.c (1.1.2.1), "Exp", lines: +182 -0
- fips/dh/fips_dh_key.c (1.1.2.1), "Exp", lines: +222 -0
-
- Add Diffie-Hellman to FIPS.
-
-2004-06-19 15:18 ben
-
- Changed:
- fips/.cvsignore (1.1.2.5), "Exp", lines: +2 -0
- fips/dh/.cvsignore (1.1.2.1), "Exp", lines: +1 -0
-
- Update ignores.
-
-2004-06-21 11:07 levitte
-
- Changed:
- fips/aes/Makefile (1.1.4.2), "Exp", lines: +7 -5
- fips/des/Makefile (1.1.4.2), "Exp", lines: +7 -5
- fips/dh/Makefile (1.1.2.2), "Exp", lines: +7 -6
- fips/dsa/Makefile (1.1.4.2), "Exp", lines: +7 -6
- fips/rsa/Makefile (1.1.4.2), "Exp", lines: +7 -6
- fips/sha1/Makefile (1.1.4.2), "Exp", lines: +7 -5
-
- Make sure we don't try to loop over an empty EXHEADER. In the
- Makefiles where this was fixed by commenting away code, change it
- to check for an empty EXHEADER instead, so we have less hassle in a
- future where EXHEADER changes.
-
- PR: 900
-
-2004-06-21 20:05 levitte
-
- Changed:
- Makefile.org (1.154.2.82), "Exp", lines: +3 -1
-
- Standard sh doesn't tolerate ! as part of the conditional command.
-
- PR: 900
-
-2004-06-28 22:33 levitte
-
- Changed:
- fips/dh/fips_dh_check.c (1.1.2.2), "Exp", lines: +6 -0
- fips/dh/fips_dh_gen.c (1.1.2.2), "Exp", lines: +6 -2
- fips/dh/fips_dh_key.c (1.1.2.2), "Exp", lines: +8 -0
-
- Make sure the FIPS stuff is only really compiled when in FIPS mode.
-
-2004-07-12 19:59 ben
-
- Changed:
- fips/fips_test_suite.c (1.1.4.4), "Exp", lines: +39 -6
- fips/dh/fingerprint.sha1 (1.1.2.2), "Exp", lines: +3 -3
-
- Corrected test program.
-
-2004-07-17 14:48 appro
-
- Changed:
- fips/des/Makefile (1.1.4.3), "Exp", lines: +1 -1
-
- Eliminate enforced -g from CFLAGS. It switches off optimization
- with some compilers, e.g. DEC C.
-
-2004-07-21 19:41 steve
-
- Changed:
- crypto/pem/pem_all.c (1.20.2.1), "Exp", lines: +119 -0
-
- When in FIPS mode write private keys in PKCS#8 and PBES2 format to
- avoid use of prohibited MD5 algorithm.
-
-2004-07-23 15:20 ben
-
- Changed:
- fips/rand/fingerprint.sha1 (1.1.2.7), "Exp", lines: +1 -1
- fips/rand/fips_rand.c (1.1.2.7), "Exp", lines: +22 -7
- fips/rand/fips_randtest.c (1.1.2.5), "Exp", lines: +2 -2
-
- Convert to X9.31.
-
-2004-07-21 19:35 steve
-
- Changed:
- fips/fingerprint.sha1 (1.1.2.7), "Exp", lines: +1 -1
- fips/fips.c (1.1.2.5), "Exp", lines: +3 -3
- fips/rsa/fingerprint.sha1 (1.1.4.3), "Exp", lines: +1 -1
- fips/rsa/fips_rsa_selftest.c (1.1.4.2), "Exp", lines: +8 -8
-
- Avoid compiler warnings.
-
-2004-07-27 02:17 steve
-
- Changed:
- fips/fips_test_suite.c (1.1.4.5), "Exp", lines: +9 -8
-
- Stop compiler warnings.
-
-2004-07-27 02:20 steve
-
- Changed:
- crypto/err/err.c (1.51.2.6), "Exp", lines: +1 -0
-
- Add FIPS name to error library.
-
-2004-07-27 14:22 steve
-
- Changed:
- Makefile.org (1.154.2.84), "Exp", lines: +3 -3
- fips/fips_check_sha1 (1.1.2.6), "Exp", lines: +1 -1
- fips/openssl_fips_fingerprint (1.1.4.3), "Exp", lines: +1 -1
-
- Rename libcrypto.sha1 to libcrypto.a.sha1
-
-2004-07-27 20:28 steve
-
- Changed:
- ssl/s3_lib.c (1.57.2.11), "Exp", lines: +33 -33
- ssl/ssl.h (1.126.2.20), "Exp", lines: +1 -0
- ssl/ssl_ciph.c (1.33.2.9), "Exp", lines: +11 -0
- ssl/ssl_locl.h (1.47.2.3), "Exp", lines: +2 -1
-
- New cipher "strength" FIPS which specifies that a cipher suite is
- FIPS compatible.
-
- New cipherstring "FIPS" is all FIPS compatible ciphersuites
- except eNULL.
-
- Only allow FIPS ciphersuites in FIPS mode.
-
-2004-07-28 04:24 levitte
-
- Changed:
- makevms.com (1.35.2.6), "Exp", lines: +2 -2
-
- From the FIPS directory, darnit!
-
-2004-07-28 15:47 levitte
-
- Changed:
- makevms.com (1.35.2.7), "Exp", lines: +5 -1
-
- Define OPENSSL_FIPS in opensslconf.h if a logical name with the
- same name is defined.
-
- Go up one directory level before dealing with FIPS stuff.
-
-2004-07-30 00:26 levitte
-
- Changed:
- fips/fips-lib.com (1.1.2.2), "Exp", lines: +3 -3
-
- We're building crypto stuff, not ssl stuff. Additionally, we're in
- the fips subdirectory, not the crypto one...
-
-2004-07-30 16:37 levitte
-
- Changed:
- fips/sha1/fingerprint.sha1 (1.1.2.7), "Exp", lines: +2 -2
- fips/sha1/fips_md32_common.h (1.1.2.6), "Exp", lines: +1 -1
- fips/sha1/fips_sha_locl.h (1.1.2.5), "Exp", lines: +2 -2
- fips/sha1/fips_standalone_sha1.c (1.1.2.5), "Exp", lines: +1 -1
- fips/sha1/standalone.sha1 (1.1.2.8), "Exp", lines: +3 -3
- ssl/ssl_ciph.c (1.33.2.10), "Exp", lines: +2 -2
- fips/rsa/fingerprint.sha1 (1.1.4.4), "Exp", lines: +2 -2
- fips/rsa/fips_rsa_eay.c (1.1.4.3), "Exp", lines: +1 -1
- fips/rsa/fips_rsa_gen.c (1.1.4.3), "Exp", lines: +1 -1
- fips/dh/fingerprint.sha1 (1.1.2.3), "Exp", lines: +1 -1
- fips/dh/fips_dh_gen.c (1.1.2.3), "Exp", lines: +1 -1
- fips/dsa/fingerprint.sha1 (1.1.2.6), "Exp", lines: +2 -2
- fips/dsa/fips_dsa_gen.c (1.1.4.3), "Exp", lines: +4 -3
- fips/dsa/fips_dsa_ossl.c (1.1.2.6), "Exp", lines: +2 -2
- fips/des/fingerprint.sha1 (1.1.2.5), "Exp", lines: +2 -2
- fips/des/fips_des_enc.c (1.1.2.5), "Exp", lines: +2 -2
- fips/des/fips_set_key.c (1.1.4.3), "Exp", lines: +3 -3
- fips/fingerprint.sha1 (1.1.2.8), "Exp", lines: +2 -2
- fips/fips.c (1.1.2.6), "Exp", lines: +76 -23
- fips/fips.h (1.1.2.5), "Exp", lines: +2 -3
- fips/fips_locl.h (1.1.4.2), "Exp", lines: +7 -2
- fips/aes/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
- fips/aes/fips_aes_core.c (1.1.2.5), "Exp", lines: +1 -1
- crypto/rand/md_rand.c (1.69.2.5), "Exp", lines: +1 -1
- crypto/rand/rand_lib.c (1.15.2.5), "Exp", lines: +2 -1
- crypto/dsa/dsa_sign.c (1.10.2.6), "Exp", lines: +2 -2
- crypto/dsa/dsa_vrf.c (1.10.2.6), "Exp", lines: +1 -1
- crypto/pem/pem_all.c (1.20.2.2), "Exp", lines: +2 -2
- crypto/cryptlib.c (1.32.2.12), "Exp", lines: +122 -6
- crypto/crypto.h (1.62.2.8), "Exp", lines: +8 -1
- crypto/md32_common.h (1.22.2.7), "Exp", lines: +2 -2
-
- To protect FIPS-related global variables, add locking mechanisms
- around them.
-
- NOTE: because two new locks are added, this adds potential
- binary incompatibility with earlier versions in the 0.9.7 series.
- However, those locks will only ever be touched when FIPS_mode_set()
- is called and after, thanks to a variable that's only changed from
- 0 to 1 once (when FIPS_mode_set() is called). So basically, as
- long as FIPS mode hasn't been engaged explicitely by the calling
- application, the new locks are treated as if they didn't exist at
- all, thus not becoming a problem. Applications that are built or
- rebuilt to use FIPS functionality will need to be recompiled in any
- case, thus not being a problem either.
-
-2004-08-02 16:15 levitte
-
- Changed:
- crypto/cryptlib.c (1.32.2.13), "Exp", lines: +4 -4
-
- Let's lock a write lock when changing values, shall we?
-
- Thanks to Dr Stephen Henson <shenson@drh-consultancy.co.uk>
- for making me aware of this error.
-
-2004-08-05 20:11 steve
-
- Changed:
- fips/fingerprint.sha1 (1.1.2.9), "Exp", lines: +1 -1
- fips/fips.c (1.1.2.7), "Exp", lines: +1 -1
-
- Stop compiler giving bogus shadow warning.
-
-2004-08-09 14:13 levitte
-
- Changed:
- makevms.com (1.35.2.8), "Exp", lines: +1 -1
-
- In the fips directory, we use FIPS-LIB.COM, not CRYPTO-LIB.COM...
-
-2004-08-09 14:14 levitte
-
- Changed:
- fips/fips-lib.com (1.1.2.3), "Exp", lines: +4 -4
-
- Correct typos and include directory specifications.
-
-2004-08-10 11:11 levitte
-
- Changed:
- fips/fips-lib.com (1.1.2.4), "Exp", lines: +2 -1
-
- Update the VMS fips library builder with the DH library.
-
-2004-08-10 12:04 levitte
-
- Changed:
- fips/rand/fingerprint.sha1 (1.1.2.8), "Exp", lines: +1 -1
- fips/rand/fips_rand.c (1.1.2.8), "Exp", lines: +7 -1
-
- With DEC C in ANSI C mode, we need to define _XOPEN_SOURCE_EXTENDED
- to get struct timeval and gettimeofday().
-
-2004-09-06 16:19 levitte
-
- Changed:
- fips/fips.c (1.1.2.8), "Exp", lines: +5 -4
-
- Replace the bogus checks of n with proper uses of feof(), ferror()
- and clearerr().
-
-2004-09-06 16:21 levitte
-
- Changed:
- fips/sha1/fips_sha_locl.h (1.1.2.6), "Exp", lines: +2 -2
-
- num is an unsigned long, but since it was transfered from
- crypto/sha/sha_locl.h, where it is in fact an int, we need to check
- for less-than-zero as if it was an int...
-
-2004-10-08 12:03 ben
-
- Changed:
- fips/fingerprint.sha1 (1.1.2.10), "Exp", lines: +1 -1
- fips/sha1/fingerprint.sha1 (1.1.2.8), "Exp", lines: +1 -1
- fips/sha1/standalone.sha1 (1.1.2.9), "Exp", lines: +1 -1
-
- Update fingerprints.
-
-2004-10-14 07:51 levitte
-
- Changed:
- VMS/mkshared.com (1.3.2.1), "Exp", lines: +8 -0
-
- We need to check for OPENSSL_FIPS when building shared libraries,
- so we get correct transfer vectors for those functions when
- required.
-
-2004-10-26 13:47 steve
-
- Changed:
- util/mkfiles.pl (1.12.2.2), "Exp", lines: +1 -0
-
- Add fips/dh directory to mkfiles.pl
-
-2004-10-26 14:17 levitte
-
- Changed:
- fips/sha1/Makefile (1.1.4.4), "Exp", lines: +3 -1
- util/mkfiles.pl (1.12.2.3), "Exp", lines: +1 -0
- fips/Makefile (1.1.4.5), "Exp", lines: +7 -1
- crypto/sha/Makefile (1.1.4.4), "Exp", lines: +1 -7
-
- fips/dh was missing in mkfiles.pl. make update
-
-2004-10-26 15:01 steve
-
- Changed:
- util/mkfiles.pl (1.12.2.4), "Exp", lines: +0 -1
-
- Only add fips/dh once...
-
-2004-11-01 09:20 levitte
-
- Changed:
- fips/rand/fingerprint.sha1 (1.1.2.9), "Exp", lines: +1 -1
- fips/rand/fips_rand.c (1.1.2.9), "Exp", lines: +3 -1
-
- Make sure _XOPEN_SOURCE_EXTENDED is correctly defined, and only if
- not already defined.
-
-2004-12-09 19:03 appro
-
- vChanged:
- crypto/Makefile (1.1.4.4), "Exp", lines: +2 -0
-
- Postpone linking of shared libcrypto in FIPS build.
-
-2004-12-09 19:13 appro
-
- Changed:
- fips/fingerprint.sha1 (1.1.2.11), "Exp", lines: +1 -1
- fips/fips.c (1.1.2.9), "Exp", lines: +13 -1
- fips/openssl_fips_fingerprint (1.1.4.4), "Exp", lines: +4 -2
-
- Cygwin specific FIPS fix-ups.
-
-2004-12-09 23:43 appro
-
- Changed:
- Configure (1.314.2.100), "Exp", lines: +2 -3
- crypto/des/des_enc.c (1.11.2.5), "Exp", lines: +2 -2
-
- Eliminate false dependency on 386 config option is FIPS context.
- At the same time limit assembler support to ELF platforms [that's
- what is there, ELF modules].
-
-2004-12-10 12:37 appro
-
- Changed:
- Configure (1.314.2.101), "Exp", lines: +10 -3
- crypto/des/des_enc.c (1.11.2.6), "Exp", lines: +2 -2
-
- Respect no-asm with fips option and disable FIPS DES assembler in
- shared context [because it's not PIC].
-
-2004-12-10 14:15 appro
-
- Changed:
- fips/sha1/fingerprint.sha1 (1.1.2.10), "Exp", lines: +1 -1
- fips/sha1/standalone.sha1 (1.1.2.11), "Exp", lines: +1 -1
- fips/sha1/asm/sx86-elf.s (1.1.4.3), "Exp", lines: +32 -32
-
- Solaris x86 assembler update.
-
-2004-12-10 17:30 appro
-
- Changed:
- fips/fips_check_sha1 (1.1.2.7), "Exp", lines: +1 -1
- fips/openssl_fips_fingerprint (1.1.4.5), "Exp", lines: +1 -1
- fips/sha1/Makefile (1.1.4.6), "Exp", lines: +1 -1
-
- Adapt FIPS sub-tree for mingw.
-
-2005-01-03 18:46 steve
-
- Changed:
- fips/rsa/fingerprint.sha1 (1.1.4.5), "Exp", lines: +1 -1
- fips/rsa/fips_rsa_selftest.c (1.1.4.3), "Exp", lines: +55 -11
-
- RSA KAT.
-
-2005-01-11 17:54 levitte
-
- Changed:
- fips/rsa/fingerprint.sha1 (1.1.4.6), "Exp", lines: +1 -1
- fips/rsa/fips_rsa_selftest.c (1.1.4.4), "Exp", lines: +2 -2
-
- Clear signed vs. unsigned conflicts. Change the fingerprint
- accordingly.
-
-2005-01-11 19:25 levitte
-
- Changed:
- ssl/ssltest.c (1.53.2.24), "Exp", lines: +2 -2
- fips/rand/fips_randtest.c (1.1.2.6), "Exp", lines: +3 -3
- fips/sha1/fips_sha1test.c (1.1.2.5), "Exp", lines: +10 -4
- fips/des/fips_desmovs.c (1.1.2.6), "Exp", lines: +8 -7
- fips/dsa/fips_dsatest.c (1.1.2.5), "Exp", lines: +2 -2
- apps/openssl.c (1.48.2.12), "Exp", lines: +1 -1
- fips/aes/fips_aesavs.c (1.1.2.12), "Exp", lines: +8 -7
-
- Use EXIT() instead of exit().
-
-2005-01-26 21:00 steve
-
- Changed:
- apps/dgst.c (1.23.2.13), "Exp", lines: +10 -0
- apps/pkcs12.c (1.60.2.13), "Exp", lines: +8 -1
- crypto/crypto.h (1.62.2.9), "Exp", lines: +49 -0
- crypto/md32_common.h (1.22.2.9), "Exp", lines: +1 -1
- crypto/bf/bf_skey.c (1.6.2.1), "Exp", lines: +2 -1
- crypto/bf/blowfish.h (1.9.2.1), "Exp", lines: +4 -1
- crypto/cast/c_skey.c (1.5.6.1), "Exp", lines: +3 -1
- crypto/cast/cast.h (1.7.2.1), "Exp", lines: +4 -1
- crypto/evp/bio_md.c (1.11.2.3), "Exp", lines: +2 -7
- crypto/evp/digest.c (1.21.2.7), "Exp", lines: +11 -0
- crypto/evp/e_aes.c (1.6.2.11), "Exp", lines: +11 -11
- crypto/evp/e_des.c (1.5.2.9), "Exp", lines: +5 -3
- crypto/evp/e_des3.c (1.8.2.8), "Exp", lines: +6 -6
- crypto/evp/evp.h (1.86.2.16), "Exp", lines: +17 -0
- crypto/evp/evp_enc.c (1.28.2.11), "Exp", lines: +15 -1
- crypto/evp/evp_err.c (1.23.2.4), "Exp", lines: +6 -1
- crypto/evp/evp_locl.h (1.7.2.7), "Exp", lines: +17 -2
- crypto/evp/m_dss.c (1.8.2.1), "Exp", lines: +1 -1
- crypto/evp/m_md2.c (1.9.2.1), "Exp", lines: +1 -0
- crypto/evp/m_md4.c (1.8.2.1), "Exp", lines: +1 -0
- crypto/evp/m_md5.c (1.9.2.1), "Exp", lines: +1 -0
- crypto/evp/m_mdc2.c (1.9.2.1), "Exp", lines: +1 -0
- crypto/evp/m_sha.c (1.8.2.2), "Exp", lines: +1 -0
- crypto/evp/m_sha1.c (1.8.2.1), "Exp", lines: +1 -1
- crypto/evp/names.c (1.7.2.1), "Exp", lines: +3 -0
- crypto/hmac/hmac.c (1.12.2.3), "Exp", lines: +7 -0
- crypto/hmac/hmac.h (1.14.2.2), "Exp", lines: +1 -0
- crypto/idea/i_skey.c (1.5.6.1), "Exp", lines: +13 -0
- crypto/idea/idea.h (1.10.2.1), "Exp", lines: +4 -0
- crypto/md2/md2.h (1.11.2.1), "Exp", lines: +3 -0
- crypto/md2/md2_dgst.c (1.13.2.4), "Exp", lines: +3 -1
- crypto/md4/md4.h (1.3.2.1), "Exp", lines: +3 -0
- crypto/md4/md4_dgst.c (1.2.2.2), "Exp", lines: +1 -1
- crypto/md5/md5.h (1.10.2.3), "Exp", lines: +3 -0
- crypto/md5/md5_dgst.c (1.16.2.2), "Exp", lines: +1 -1
- crypto/mdc2/mdc2.h (1.9.2.1), "Exp", lines: +3 -1
- crypto/mdc2/mdc2dgst.c (1.13.2.1), "Exp", lines: +3 -1
- crypto/rc2/rc2.h (1.10.2.1), "Exp", lines: +4 -1
- crypto/rc2/rc2_skey.c (1.4.6.1), "Exp", lines: +13 -0
- crypto/rc4/rc4.h (1.10.2.2), "Exp", lines: +3 -0
- crypto/rc4/rc4_skey.c (1.10.8.2), "Exp", lines: +2 -1
- crypto/rc5/rc5.h (1.5.2.1), "Exp", lines: +4 -1
- crypto/rc5/rc5_skey.c (1.4.6.1), "Exp", lines: +14 -0
- crypto/ripemd/ripemd.h (1.8.2.1), "Exp", lines: +3 -0
- crypto/ripemd/rmd_dgst.c (1.13.2.2), "Exp", lines: +2 -1
- crypto/sha/sha.h (1.11.2.2), "Exp", lines: +3 -0
- crypto/sha/sha_locl.h (1.16.2.3), "Exp", lines: +4 -0
- crypto/x509/x509_cmp.c (1.22.2.4), "Exp", lines: +7 -1
- crypto/x509/x509_vfy.c (1.56.2.13), "Exp", lines: +1 -1
- ssl/s3_clnt.c (1.53.2.18), "Exp", lines: +2 -0
- ssl/s3_enc.c (1.31.2.9), "Exp", lines: +3 -0
- ssl/s3_srvr.c (1.85.2.23), "Exp", lines: +2 -0
- ssl/t1_enc.c (1.27.2.9), "Exp", lines: +2 -0
-
- FIPS algorithm blocking.
-
- Non FIPS algorithms are not normally allowed in FIPS mode.
-
- Any attempt to use them via high level functions will
- return an error.
-
- The low level non-FIPS algorithm functions cannot return
- errors so they produce assertion failures. HMAC also has to give an
- assertion error because it (erroneously) can't return an error
- either.
-
- There are exceptions (such as MD5 in TLS and non
- cryptographic use of algorithms) and applications can override the
- blocking and use non FIPS algorithms anyway.
-
- For low level functions the override is perfomed by
- prefixing the algorithm initalization function with "private_" for
- example private_MD5_Init().
-
- For high level functions an override is performed by
- setting a flag in the context.
-
-2005-01-27 02:49 steve
-
- Changed:
- apps/dgst.c (1.23.2.14), "Exp", lines: +9 -5
- crypto/crypto.h (1.62.2.10), "Exp", lines: +3 -0
- crypto/evp/digest.c (1.21.2.8), "Exp", lines: +34 -0
- crypto/hmac/hmac.c (1.12.2.4), "Exp", lines: +9 -0
-
- More FIPS algorithm blocking.
-
- Catch attempted use of non FIPS algorithms with HMAC.
-
- Give an assertion error for applications that ignore FIPS
- digest errors.
-
- Make -non-fips-allow work with dgst and HMAC.
-
-2005-01-28 15:03 steve
-
- Changed:
- apps/dgst.c (1.23.2.15), "Exp", lines: +2 -1
- apps/enc.c (1.35.2.13), "Exp", lines: +38 -4
- crypto/evp/e_rc4.c (1.11.2.2), "Exp", lines: +1 -0
- crypto/evp/evp.h (1.86.2.17), "Exp", lines: +3 -0
- crypto/evp/evp_enc.c (1.28.2.12), "Exp", lines: +60 -15
- crypto/evp/evp_locl.h (1.7.2.8), "Exp", lines: +1 -0
- test/testenc (1.3.8.2), "Exp", lines: +8 -8
-
- Further FIPS algorithm blocking.
-
- Fixes to cipher blocking and enabling code.
-
- Add option -non-fips-allow to 'enc' and update testenc.
-
-2005-01-31 02:33 steve
-
- Changed:
- ssl/s23_clnt.c (1.20.2.7), "Exp", lines: +16 -0
- ssl/s23_srvr.c (1.41.2.6), "Exp", lines: +9 -0
- ssl/s3_clnt.c (1.53.2.19), "Exp", lines: +0 -8
- ssl/s3_enc.c (1.31.2.10), "Exp", lines: +1 -0
- ssl/s3_srvr.c (1.85.2.24), "Exp", lines: +0 -8
- ssl/ssl.h (1.126.2.21), "Exp", lines: +1 -0
- ssl/ssl_cert.c (1.48.2.10), "Exp", lines: +0 -8
- ssl/ssl_err.c (1.41.2.4), "Exp", lines: +2 -1
- ssl/ssl_lib.c (1.110.2.13), "Exp", lines: +8 -9
- ssl/t1_enc.c (1.27.2.10), "Exp", lines: +0 -18
-
- Only allow TLS is FIPS mode.
-
- Remove old FIPS_allow_md5() calls.
-
-2005-02-05 19:24 steve
-
- Changed:
- apps/req.c (1.88.2.18), "Exp", lines: +8 -1
- apps/x509.c (1.67.2.20), "Exp", lines: +8 -1
-
- In FIPS mode use SHA1 as default digest in x509 and req utilities.
-
-2005-03-15 10:46 appro
-
- Changed:
- Makefile.org (1.154.2.96), "Exp", lines: +1 -1
- crypto/Makefile (1.1.4.6), "Exp", lines: +2 -3
- fips/Makefile (1.1.4.8), "Exp", lines: +4 -1
-
- Real Bourne shell doesn't accept ! as in "if ! grep ..." Fix this
- in crypto/Makefile and make Makefile.org and fips/Makefile more
- discreet.
-
-2005-03-22 18:29 steve
-
- Changed:
- fips/fingerprint.sha1 (1.1.2.12), "Exp", lines: +1 -1
- fips/fips.c (1.1.2.10), "Exp", lines: +1 -0
-
- Fix memory leak.
-
-2005-03-27 05:36 steve
-
- Changed:
- crypto/evp/e_null.c (1.9.2.1), "Exp", lines: +1 -1
- ssl/s3_lib.c (1.57.2.13), "Exp", lines: +3 -3
-
- Allow 'null' cipher and appropriate Kerberos ciphersuites in FIPS
- mode.
-
-2005-04-14 14:44 steve
-
- Changed:
- fips/fipshashes.sha1 (1.1.2.1), "Exp", lines: +29 -0
- util/checkhash.pl (1.1.2.1), "Exp", lines: +181 -0
-
- Perl script that checks or rebuilds FIPS hash files. This works on
- both Unix and Windows.
-
- Merge all FIPS hash files into a single hash file
- fips/fips.sha1
-
-2005-04-15 05:27 steve
-
- Changed:
- fips/Makefile (1.1.4.9), "Exp", lines: +1 -1
- fips/aes/Makefile (1.1.4.4), "Exp", lines: +1 -4
- fips/des/Makefile (1.1.4.6), "Exp", lines: +1 -4
- fips/dh/Makefile (1.1.2.5), "Exp", lines: +1 -4
- fips/dsa/Makefile (1.1.4.4), "Exp", lines: +1 -4
- fips/rand/Makefile (1.1.4.3), "Exp", lines: +1 -4
- fips/rsa/Makefile (1.1.4.5), "Exp", lines: +1 -4
- fips/sha1/Makefile (1.1.4.9), "Exp", lines: +1 -7
-
- Update hash checking in makefiles to use new perl script.
-
-2005-04-17 06:37 steve
-
- Changed:
- util/checkhash.pl (1.1.2.2), "Exp", lines: +163 -127
-
- Modify checkhash.pl so it can be run standalone or included as a
- funtion in another perl script.
-
-2005-04-17 16:00 appro
-
- Changed:
- fips/sha1/Makefile (1.1.4.10), "Exp", lines: +9 -5
-
- Bring back fips_standalone_sha1.
-
-2005-04-17 16:17 appro
-
- Deleted:
- fips/sha1/asm/sx86-elf.s (1.1.4.4)
- Changed:
- Configure (1.314.2.114), "Exp", lines: +1 -1
- fips/fipshashes.sha1 (1.1.2.2), "Exp", lines: +1 -1
- fips/sha1/Makefile (1.1.4.11), "Exp", lines: +1 -1
- fips/sha1/standalone.sha1 (1.1.2.13), "Exp", lines: +1 -1
- fips/sha1/asm/fips-sx86-elf.s (1.1.2.1), "Exp", lines: +1568 -0
-
- Rename fips/sha1/sx86-elf.s to fips/sha1/fips-sx86-elf.s.
-
-2005-04-17 16:21 steve
-
- Changed:
- util/checkhash.pl (1.1.2.3), "Exp", lines: +2 -0
-
- Return 0 for successful hash check.
-
-2005-04-17 16:54 appro
-
- Changed:
- Configure (1.314.2.116), "Exp", lines: +8 -1
- Makefile.org (1.154.2.99), "Exp", lines: +3 -2
- crypto/aes/aes_cbc.c (1.1.2.11), "Exp", lines: +2 -0
- fips/fipshashes.sha1 (1.1.2.4), "Exp", lines: +1 -0
- fips/aes/Makefile (1.1.4.5), "Exp", lines: +4 -2
- fips/aes/asm/fips-ax86-elf.s (1.1.2.1), "Exp", lines: +1822 -0
-
- Throw in fips/aes/asm/fips-ax86-elf.s.
-
-2005-04-17 16:35 appro
-
- Changed:
- Configure (1.314.2.115), "Exp", lines: +1 -1
- fips/fipshashes.sha1 (1.1.2.3), "Exp", lines: +1 -1
- fips/des/asm/fips-dx86-elf.s (1.1.4.2), "Exp", lines: +108 -98
-
- Regenerate fips/des/asm/fips-dx86-elf.s with -fPIC flag.
-
-2005-04-17 17:26 appro
-
- Changed:
- crypto/cryptlib.c (1.32.2.18), "Exp", lines: +6 -55
- crypto/crypto.h (1.62.2.11), "Exp", lines: +0 -3
- fips/fips.c (1.1.2.11), "Exp", lines: +62 -8
- fips/fips.h (1.1.2.7), "Exp", lines: +2 -3
- fips/fips_locl.h (1.1.4.3), "Exp", lines: +6 -3
- fips/fipshashes.sha1 (1.1.2.5), "Exp", lines: +4 -4
- fips/rand/fips_rand.c (1.1.2.10), "Exp", lines: +3 -1
- fips/rsa/fips_rsa_gen.c (1.1.4.4), "Exp", lines: +4 -2
-
- Resolve minor binary compatibility issues in fips.
-
-2005-04-17 18:22 appro
-
- Changed:
- fips/fipshashes.sha1 (1.1.2.6), "Exp", lines: +12 -12
- fips/des/fips_des_locl.h (1.1.2.4), "Exp", lines: +1 -1
- fips/des/fips_set_key.c (1.1.4.4), "Exp", lines: +2 -2
- fips/dh/fips_dh_key.c (1.1.2.3), "Exp", lines: +1 -1
- fips/dsa/fips_dsa_ossl.c (1.1.2.7), "Exp", lines: +1 -1
- fips/dsa/fips_dsa_selftest.c (1.1.4.2), "Exp", lines: +3 -3
- fips/rand/fips_rand.c (1.1.2.11), "Exp", lines: +2 -2
- fips/rand/fips_rand.h (1.1.2.5), "Exp", lines: +1 -1
- fips/rsa/fips_rsa_eay.c (1.1.4.4), "Exp", lines: +1 -1
- fips/rsa/fips_rsa_gen.c (1.1.4.5), "Exp", lines: +1 -1
- fips/rsa/fips_rsa_selftest.c (1.1.4.5), "Exp", lines: +11 -11
- fips/sha1/fips_sha1_selftest.c (1.1.4.2), "Exp", lines: +1 -1
- fips/sha1/fips_sha1dgst.c (1.1.2.5), "Exp", lines: +1 -1
- fips/sha1/standalone.sha1 (1.1.2.14), "Exp", lines: +2 -2
-
- Minor fips const-ification.
-
-2005-04-18 07:02 steve
-
- Changed:
- crypto/bf/bf_skey.c (1.6.2.2), "Exp", lines: +1 -0
- crypto/cast/c_skey.c (1.5.6.2), "Exp", lines: +1 -0
- crypto/idea/i_skey.c (1.5.6.2), "Exp", lines: +1 -0
- crypto/rc2/rc2_skey.c (1.4.6.2), "Exp", lines: +1 -0
- crypto/rc4/rc4_skey.c (1.10.8.3), "Exp", lines: +1 -0
- crypto/rc5/rc5_skey.c (1.4.6.2), "Exp", lines: +1 -0
-
- Pick up definition of FIPS_mode() in fips.h to avoid warnings.
-
-2005-04-18 10:34 steve
-
- Deleted:
- fips/fingerprint.sha1 (1.1.2.14)
- fips/fips_check_sha1 (1.1.2.8)
- fips/fips_make_sha1 (1.1.2.7)
- fips/aes/fingerprint.sha1 (1.1.2.7)
- fips/des/fingerprint.sha1 (1.1.2.6)
- fips/dh/fingerprint.sha1 (1.1.2.4)
- fips/dsa/fingerprint.sha1 (1.1.2.7)
- fips/rand/fingerprint.sha1 (1.1.2.10)
- fips/rsa/fingerprint.sha1 (1.1.4.7)
- fips/sha1/fingerprint.sha1 (1.1.2.12)
- Changed:
- fips/sha1/Makefile (1.1.4.12), "Exp", lines: +1 -4
-
- Remove obsolete fingerprint.sha1 files and associated scripts.
- Delete test in fips/sha1/Makefile: the top level test checks the
- same files.
-
-2005-04-19 09:11 appro
-
- Deleted:
- fips/fipshashes.sha1 (1.1.2.7)
- fips/sha1/standalone.sha1 (1.1.2.15)
- Changed:
- fips/fipshashes.c (1.1.2.1), "Exp", lines: +32 -0
- util/checkhash.pl (1.1.2.4), "Exp", lines: +7 -4
-
- Maintain fingerprint hashes as C source.
-
-2005-04-19 09:17 appro
-
- Changed:
- util/checkhash.pl (1.1.2.5), "Exp", lines: +1 -1
-
- Complete the transition C-code hashes.
-
-2005-04-21 19:06 steve
-
- Changed:
- apps/openssl.c (1.48.2.13), "Exp", lines: +0 -2
- fips/fips.c (1.1.2.12), "Exp", lines: +0 -27
- fips/fips.h (1.1.2.8), "Exp", lines: +0 -2
- fips/fipshashes.c (1.1.2.2), "Exp", lines: +2 -2
-
- Remove defunct FIPS_allow_md5() and related functions.
-
-2005-04-22 06:15 appro
-
- Changed:
- fips/fips.c (1.1.2.13), "Exp", lines: +3 -3
- fips/fips_err.h (1.1.4.4), "Exp", lines: +3 -3
- fips/fipshashes.c (1.1.2.4), "Exp", lines: +2 -2
-
- Move some variables to .bss.
-
diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure
index 820be609c96d..c6dbfae4829d 100755
--- a/crypto/openssl/Configure
+++ b/crypto/openssl/Configure
@@ -6,11 +6,13 @@ eval 'exec perl -S $0 ${1+"$@"}'
##
require 5.000;
-use strict;
+eval 'use strict;';
+
+print STDERR "Warning: perl module strict not found.\n" if ($@);
# see INSTALL for instructions.
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
# Options:
#
@@ -54,6 +56,8 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
# [no-]zlib [don't] compile support for zlib compression.
# zlib-dynamic Like "zlib", but the zlib library is expected to be a shared
# library and will be loaded in run-time by the OpenSSL library.
+# enable-montasm 0.9.8 branch only: enable Montgomery x86 assembler backport
+# from 0.9.9
# 386 generate 80386 code
# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
@@ -97,6 +101,11 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
# SHA512_ASM sha512_block is implemented in assembler
# AES_ASM ASE_[en|de]crypt is implemented in assembler
+# Minimum warning options... any contributions to OpenSSL should at least get
+# past these.
+
+my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
+
my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
# MD2_CHAR slags pentium pros
@@ -114,12 +123,12 @@ my $tlib="-lnsl -lsocket";
my $bits1="THIRTY_TWO_BIT ";
my $bits2="SIXTY_FOUR_BIT ";
-my $x86_elf_asm="x86cpuid-elf.o:bn86-elf.o co86-elf.o:dx86-elf.o yx86-elf.o:ax86-elf.o:bx86-elf.o:mx86-elf.o:sx86-elf.o s512sse2-elf.o:cx86-elf.o:rx86-elf.o:rm86-elf.o:r586-elf.o";
-my $x86_coff_asm="x86cpuid-cof.o:bn86-cof.o co86-cof.o:dx86-cof.o yx86-cof.o:ax86-cof.o:bx86-cof.o:mx86-cof.o:sx86-cof.o s512sse2-cof.o:cx86-cof.o:rx86-cof.o:rm86-cof.o:r586-cof.o";
-my $x86_out_asm="x86cpuid-out.o:bn86-out.o co86-out.o:dx86-out.o yx86-out.o:ax86-out.o:bx86-out.o:mx86-out.o:sx86-out.o s512sse2-out.o:cx86-out.o:rx86-out.o:rm86-out.o:r586-out.o";
+my $x86_elf_asm="x86cpuid-elf.o:bn86-elf.o co86-elf.o MAYBE-MO86-elf.o:dx86-elf.o yx86-elf.o:ax86-elf.o:bx86-elf.o:mx86-elf.o:sx86-elf.o s512sse2-elf.o:cx86-elf.o:rx86-elf.o rc4_skey.o:rm86-elf.o:r586-elf.o";
+my $x86_coff_asm="x86cpuid-cof.o:bn86-cof.o co86-cof.o MAYBE-MO86-cof.o:dx86-cof.o yx86-cof.o:ax86-cof.o:bx86-cof.o:mx86-cof.o:sx86-cof.o s512sse2-cof.o:cx86-cof.o:rx86-cof.o rc4_skey.o:rm86-cof.o:r586-cof.o";
+my $x86_out_asm="x86cpuid-out.o:bn86-out.o co86-out.o MAYBE-MO86-out.o:dx86-out.o yx86-out.o:ax86-out.o:bx86-out.o:mx86-out.o:sx86-out.o s512sse2-out.o:cx86-out.o:rx86-out.o rc4_skey.o:rm86-out.o:r586-out.o";
-my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o::::md5-x86_64.o:::rc4-x86_64.o::";
-my $ia64_asm=":bn-ia64.o::aes_core.o aes_cbc.o aes-ia64.o:::sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o::";
+my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o::";
+my $ia64_asm=":bn-ia64.o::aes_core.o aes_cbc.o aes-ia64.o:::sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o::";
my $no_asm="::::::::::";
@@ -150,12 +159,15 @@ my %table=(
"debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::bn86-elf.o co86-elf.o",
"debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
"debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
-"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::",
+"debug-ben-debug", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::",
"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
"debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
-"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -march=i486 -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared",
+"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -m32 -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared",
"debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT:${no_asm}:dlfcn:linux-shared",
"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -201,11 +213,11 @@ my %table=(
"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc
-"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:::des_enc-sparc.o fcrypt_b.o:::md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:::des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
####
"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -O -g -mcpu=ultrasparc -pedantic -ansi -Wall -Wshadow -Wno-long-long -D__EXTENSIONS__ -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -O -g -mcpu=ultrasparc -pedantic -ansi -Wall -Wshadow -Wno-long-long -D__EXTENSIONS__ -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### SPARC Solaris with Sun C setups
# SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2.
@@ -213,11 +225,11 @@ my %table=(
# SC5.0 note: Compiler common patch 107357-01 or later is required!
"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:::des_enc-sparc.o fcrypt_b.o:::md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs",
+"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:::des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs",
####
"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8.o::::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8plus.o::::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8plus.o::::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### SunOS configs, assuming sparc for the gcc one.
#"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
@@ -231,10 +243,10 @@ my %table=(
# Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke
# './Configure irix-cc -o32' manually.
"irix-mips3-gcc","gcc:-mabi=n32 -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT::bn-mips3.o::::::::::dlfcn:irix-shared::-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT::bn-mips3.o::::::::::dlfcn:irix-shared::-n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -G0 -rdata_shared -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT::bn-mips3.o::::::::::dlfcn:irix-shared::-n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# N64 ABI builds.
"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG::bn-mips3.o::::::::::dlfcn:irix-shared::-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG::bn-mips3.o::::::::::dlfcn:irix-shared::-64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -G0 -rdata_shared -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG::bn-mips3.o::::::::::dlfcn:irix-shared::-64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### Unified HP-UX ANSI C configs.
# Special notes:
@@ -321,8 +333,7 @@ my %table=(
"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
####
"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# -bpowerpc64-linux is transient option, -m64 should be the one to use...
-"linux-ppc64", "gcc:-bpowerpc64-linux -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-bpowerpc64-linux:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -333,9 +344,9 @@ my %table=(
"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# it's a real mess with -mcpu=ultrasparc option under Linux, but
# -Wa,-Av8plus should do the trick no matter what.
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# GCC 3.1 is a requirement
-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::des_enc-sparc.o fcrypt_b.o:::md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### Alpha Linux with GNU C and Compaq C setups
# Special notes:
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
@@ -365,7 +376,7 @@ my %table=(
# -DMD32_REG_T=int doesn't actually belong in sparc64 target, it
# simply *happens* to work around a compiler bug in gcc 3.3.3,
# triggered by RIPEMD160 code.
-"BSD-sparc64", "gcc:-DB_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:::des_enc-sparc.o fcrypt_b.o:::md5-sparcv9.o::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"BSD-sparc64", "gcc:-DB_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:::des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"BSD-ia64", "gcc:-DL_ENDIAN -DTERMIOS -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"BSD-x86_64", "gcc:-DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -403,12 +414,12 @@ my %table=(
#### IBM's AIX.
"aix3-cc", "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
-"aix-gcc", "gcc:-O -DB_ENDIAN::-D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:",
-"aix64-gcc","gcc:-O -DB_ENDIAN::-D_THREAD_SAFE:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn::::::-X64",
+"aix-gcc", "gcc:-O -DB_ENDIAN::-pthread:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:aix-shared::-shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
+"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
# Below targets assume AIX 5. Idea is to effectively disregard $OBJECT_MODE
# at build time. $OBJECT_MODE is respected at ./config stage!
-"aix-cc", "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384::-qthreaded:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:aix-shared::-q32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
-"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
+"aix-cc", "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
+"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
#
# Cray T90 and similar (SDSC)
@@ -479,15 +490,20 @@ my %table=(
"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_coff_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
"debug-Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror:::CYGWIN32:::${no_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
-# NetWare from David Ward (dsward@novell.com) - requires MetroWerks NLM development tools
+# NetWare from David Ward (dsward@novell.com)
+# requires either MetroWerks NLM development tools, or gcc / nlmconv
+# NetWare defaults socket bio to WinSock sockets. However,
+# the builds can be configured to use BSD sockets instead.
# netware-clib => legacy CLib c-runtime support
-"netware-clib", "mwccnlm::::::BN_LLONG ${x86_gcc_opts}::",
+"netware-clib", "mwccnlm::::::${x86_gcc_opts}::",
+"netware-clib-bsdsock", "mwccnlm::::::${x86_gcc_opts}::",
+"netware-clib-gcc", "i586-netware-gcc:-nostdinc -I/ndk/nwsdk/include/nlm -I/ndk/ws295sdk/include -DL_ENDIAN -DNETWARE_CLIB -DOPENSSL_SYSNAME_NETWARE -O2 -Wall:::::${x86_gcc_opts}::",
+"netware-clib-bsdsock-gcc", "i586-netware-gcc:-nostdinc -I/ndk/nwsdk/include/nlm -DNETWARE_BSDSOCK -DNETDB_USE_INTERNET -DL_ENDIAN -DNETWARE_CLIB -DOPENSSL_SYSNAME_NETWARE -O2 -Wall:::::${x86_gcc_opts}::",
# netware-libc => LibC/NKS support
-# NetWare defaults socket bio to WinSock sockets. However, the LibC build can be
-# configured to use BSD sockets instead.
"netware-libc", "mwccnlm::::::BN_LLONG ${x86_gcc_opts}::",
"netware-libc-bsdsock", "mwccnlm::::::BN_LLONG ${x86_gcc_opts}::",
"netware-libc-gcc", "i586-netware-gcc:-nostdinc -I/ndk/libc/include -I/ndk/libc/include/winsock -DL_ENDIAN -DNETWARE_LIBC -DOPENSSL_SYSNAME_NETWARE -DTERMIO -O2 -Wall:::::BN_LLONG ${x86_gcc_opts}::",
+"netware-libc-bsdsock-gcc", "i586-netware-gcc:-nostdinc -I/ndk/libc/include -DNETWARE_BSDSOCK -DL_ENDIAN -DNETWARE_LIBC -DOPENSSL_SYSNAME_NETWARE -DTERMIO -O2 -Wall:::::BN_LLONG ${x86_gcc_opts}::",
# DJGPP
"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:",
@@ -500,8 +516,11 @@ my %table=(
##### MacOS X (a.k.a. Rhapsody or Darwin) setup
"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}::",
-"darwin-ppc-cc","cc:-O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-ppc-cc","cc:-arch ppc -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc64.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -fomit-frame-pointer -DL_ENDIAN -DMD32_REG_T=int -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o::::::::::dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
##### A/UX
@@ -530,7 +549,9 @@ my %table=(
my @MK1MF_Builds=qw(VC-WIN64I VC-WIN64A
VC-NT VC-CE VC-WIN32
- BC-32 OS2-EMX netware-clib netware-libc netware-libc-bsdsock);
+ BC-32 OS2-EMX
+ netware-clib netware-clib-bsdsock
+ netware-libc netware-libc-bsdsock);
my $idx = 0;
my $idx_cc = $idx++;
@@ -563,12 +584,18 @@ my $prefix="";
my $openssldir="";
my $exe_ext="";
my $install_prefix="";
+my $fipslibdir="/usr/local/ssl/fips-1.0/lib/";
+my $nofipscanistercheck=0;
+my $fipsdso=0;
+my $fipscanisterinternal="n";
+my $baseaddr="0xFB00000";
my $no_threads=0;
my $threads=0;
my $no_shared=0; # but "no-shared" is default
my $zlib=1; # but "no-zlib" is default
my $no_krb5=0; # but "no-krb5" is implied unless "--with-krb5-..." is used
my $no_rfc3779=1; # but "no-rfc3779" is default
+my $montasm=1; # but "no-montasm" is default
my $no_asm=0;
my $no_dso=0;
my $no_gmp=0;
@@ -585,10 +612,11 @@ my $rc2 ="crypto/rc2/rc2.h";
my $bf ="crypto/bf/bf_locl.h";
my $bn_asm ="bn_asm.o";
my $des_enc="des_enc.o fcrypt_b.o";
+my $fips_des_enc="fips_des_enc.o";
my $aes_enc="aes_core.o aes_cbc.o";
my $bf_enc ="bf_enc.o";
my $cast_enc="c_enc.o";
-my $rc4_enc="rc4_enc.o";
+my $rc4_enc="rc4_enc.o rc4_skey.o";
my $rc5_enc="rc5_enc.o";
my $md5_obj="";
my $sha1_obj="";
@@ -596,27 +624,40 @@ my $rmd160_obj="";
my $processor="";
my $default_ranlib;
my $perl;
+my $fips=0;
# All of the following is disabled by default (RC5 was enabled before 0.9.8):
-my %disabled = ( # "what" => "comment"
- "camellia" => "default",
- "gmp" => "default",
+my %disabled = ( # "what" => "comment" [or special keyword "experimental"]
+ "camellia" => "default",
+ "capieng" => "default",
+ "cms" => "default",
+ "gmp" => "default",
+ "jpake" => "experimental",
"mdc2" => "default",
+ "montasm" => "default", # explicit option in 0.9.8 only (implicitly enabled in 0.9.9)
"rc5" => "default",
- "rfc3779" => "default",
+ "rfc3779" => "default",
+ "seed" => "default",
"shared" => "default",
"zlib" => "default",
"zlib-dynamic" => "default"
);
+my @experimental = ();
+
+# This is what $depflags will look like with the above defaults
+# (we need this to see if we should advise the user to run "make depend"):
+my $default_depflags = " -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_CMS -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SEED";
+
-# Additional "no-..." options will be collected in %disabled.
-# To remove something from %disabled, use e.g. "enable-rc5".
-# For symmetry, "disable-..." is a synonym for "no-...".
+# Explicit "no-..." options will be collected in %disabled along with the defaults.
+# To remove something from %disabled, use "enable-foo" (unless it's experimental).
+# For symmetry, "disable-foo" is a synonym for "no-foo".
-# This is what $depflags will look like with the above default:
-my $default_depflags = "-DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 ";
+# For features called "experimental" here, a more explicit "experimental-foo" is needed to enable.
+# We will collect such requests in @experimental.
+# To avoid accidental use of experimental features, applications will have to use -DOPENSSL_EXPERIMENTAL_FOO.
my $no_sse2=0;
@@ -625,6 +666,7 @@ my $no_sse2=0;
my $flags;
my $depflags;
+my $openssl_experimental_defines;
my $openssl_algorithm_defines;
my $openssl_thread_defines;
my $openssl_sys_defines="";
@@ -645,6 +687,7 @@ while($argv_unprocessed)
{
$flags="";
$depflags="";
+ $openssl_experimental_defines="";
$openssl_algorithm_defines="";
$openssl_thread_defines="";
$openssl_sys_defines="";
@@ -670,25 +713,35 @@ PROCESS_ARGS:
if (/^no-(.+)$/ || /^disable-(.+)$/)
{
- if ($1 eq "ssl")
+ if (!($disabled{$1} eq "experimental"))
{
- $disabled{"ssl2"} = "option(ssl)";
- $disabled{"ssl3"} = "option(ssl)";
- }
- elsif ($1 eq "tls")
- {
- $disabled{"tls1"} = "option(tls)"
- }
- else
- {
- $disabled{$1} = "option";
+ if ($1 eq "ssl")
+ {
+ $disabled{"ssl2"} = "option(ssl)";
+ $disabled{"ssl3"} = "option(ssl)";
+ }
+ elsif ($1 eq "tls")
+ {
+ $disabled{"tls1"} = "option(tls)"
+ }
+ else
+ {
+ $disabled{$1} = "option";
+ }
}
}
- elsif (/^enable-(.+)$/)
+ elsif (/^enable-(.+)$/ || /^experimental-(.+)$/)
{
- delete $disabled{$1};
+ my $algo = $1;
+ if ($disabled{$algo} eq "experimental")
+ {
+ die "You are requesting an experimental feature; please say 'experimental-$algo' if you are sure\n"
+ unless (/^experimental-/);
+ push @experimental, $algo;
+ }
+ delete $disabled{$algo};
- $threads = 1 if ($1 eq "threads");
+ $threads = 1 if ($algo eq "threads");
}
elsif (/^--test-sanity$/)
{
@@ -719,12 +772,36 @@ PROCESS_ARGS:
}
elsif (/^386$/)
{ $processor=386; }
+ elsif (/^fips$/)
+ {
+ $fips=1;
+ }
elsif (/^rsaref$/)
{
# No RSAref support any more since it's not needed.
# The check for the option is there so scripts aren't
# broken
}
+ elsif (/^nofipscanistercheck$/)
+ {
+ $fips = 1;
+ $nofipscanistercheck = 1;
+ }
+ elsif (/^fipscanisterbuild$/)
+ {
+ $fips = 1;
+ $nofipscanistercheck = 1;
+ $fipslibdir="";
+ $fipscanisterinternal="y";
+ }
+ elsif (/^fipsdso$/)
+ {
+ $fips = 1;
+ $nofipscanistercheck = 1;
+ $fipslibdir="";
+ $fipscanisterinternal="y";
+ $fipsdso = 1;
+ }
elsif (/^[-+]/)
{
if (/^-[lL](.*)$/)
@@ -759,6 +836,14 @@ PROCESS_ARGS:
{
$withargs{"zlib-include"}="-I$1";
}
+ elsif (/^--with-fipslibdir=(.*)$/)
+ {
+ $fipslibdir="$1/";
+ }
+ elsif (/^--with-baseaddr=(.*)$/)
+ {
+ $baseaddr="$1";
+ }
else
{
print STDERR $usage;
@@ -838,6 +923,10 @@ if (defined($disabled{"md5"}) || defined($disabled{"sha"})
$disabled{"tls1"} = "forced";
}
+if (defined($disabled{"tls1"}))
+ {
+ $disabled{"tlsext"} = "forced";
+ }
if ($target eq "TABLE") {
foreach $target (sort keys %table) {
@@ -862,6 +951,54 @@ print "Configuring for $target\n";
&usage if (!defined($table{$target}));
+my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
+my $cc = $fields[$idx_cc];
+# Allow environment CC to override compiler...
+if($ENV{CC}) {
+ $cc = $ENV{CC};
+}
+my $cflags = $fields[$idx_cflags];
+my $unistd = $fields[$idx_unistd];
+my $thread_cflag = $fields[$idx_thread_cflag];
+my $sys_id = $fields[$idx_sys_id];
+my $lflags = $fields[$idx_lflags];
+my $bn_ops = $fields[$idx_bn_ops];
+my $cpuid_obj = $fields[$idx_cpuid_obj];
+my $bn_obj = $fields[$idx_bn_obj];
+my $des_obj = $fields[$idx_des_obj];
+my $aes_obj = $fields[$idx_aes_obj];
+my $bf_obj = $fields[$idx_bf_obj];
+my $md5_obj = $fields[$idx_md5_obj];
+my $sha1_obj = $fields[$idx_sha1_obj];
+my $cast_obj = $fields[$idx_cast_obj];
+my $rc4_obj = $fields[$idx_rc4_obj];
+my $rmd160_obj = $fields[$idx_rmd160_obj];
+my $rc5_obj = $fields[$idx_rc5_obj];
+my $dso_scheme = $fields[$idx_dso_scheme];
+my $shared_target = $fields[$idx_shared_target];
+my $shared_cflag = $fields[$idx_shared_cflag];
+my $shared_ldflag = $fields[$idx_shared_ldflag];
+my $shared_extension = $fields[$idx_shared_extension];
+my $ranlib = $fields[$idx_ranlib];
+my $arflags = $fields[$idx_arflags];
+
+if ($fips)
+ {
+ delete $disabled{"shared"} if ($disabled{"shared"} eq "default");
+ $disabled{"asm"}="forced"
+ if ($target !~ "VC\-.*" &&
+ "$cpuid_obj:$bn_obj:$aes_obj:$des_obj:$sha1_obj" eq "::::");
+ }
+
+foreach (sort @experimental)
+ {
+ my $ALGO;
+ ($ALGO = $_) =~ tr/[a-z]/[A-Z]/;
+
+ # opensslconf.h will set OPENSSL_NO_... unless OPENSSL_EXPERIMENTAL_... is defined
+ $openssl_experimental_defines .= "#define OPENSSL_NO_$ALGO\n";
+ $cflags .= " -DOPENSSL_EXPERIMENTAL_$ALGO";
+ }
foreach (sort (keys %disabled))
{
@@ -877,6 +1014,8 @@ foreach (sort (keys %disabled))
{ $no_shared = 1; }
elsif (/^zlib$/)
{ $zlib = 0; }
+ elsif (/^montasm$/)
+ { $montasm = 0; }
elsif (/^static-engine$/)
{ }
elsif (/^zlib-dynamic$/)
@@ -910,7 +1049,7 @@ foreach (sort (keys %disabled))
push @skip, $algo;
print " (skip dir)";
- $depflags .="-DOPENSSL_NO_$ALGO ";
+ $depflags .= " -DOPENSSL_NO_$ALGO";
}
}
}
@@ -918,14 +1057,26 @@ foreach (sort (keys %disabled))
print "\n";
}
-
my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds;
$IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys());
+$no_shared = 0 if ($fipsdso && !$IsMK1MF);
+
$exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target eq "mingw");
+$exe_ext=".nlm" if ($target =~ /netware/);
$exe_ext=".pm" if ($target =~ /vos/);
-$openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
+if ($openssldir eq "" and $prefix eq "")
+ {
+ if ($fips)
+ {
+ $openssldir="/usr/local/ssl/fips";
+ }
+ else
+ {
+ $openssldir="/usr/local/ssl";
+ }
+ }
$prefix=$openssldir if $prefix eq "";
$default_ranlib= &which("ranlib") or $default_ranlib="true";
@@ -933,7 +1084,7 @@ $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
or $perl="perl";
chop $openssldir if $openssldir =~ /\/$/;
-chop $prefix if $prefix =~ /\/$/;
+chop $prefix if $prefix =~ /.\/$/;
$openssldir=$prefix . "/ssl" if $openssldir eq "";
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
@@ -941,32 +1092,10 @@ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/]
print "IsMK1MF=$IsMK1MF\n";
-my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
-my $cc = $fields[$idx_cc];
-my $cflags = $fields[$idx_cflags];
-my $unistd = $fields[$idx_unistd];
-my $thread_cflag = $fields[$idx_thread_cflag];
-my $sys_id = $fields[$idx_sys_id];
-my $lflags = $fields[$idx_lflags];
-my $bn_ops = $fields[$idx_bn_ops];
-my $cpuid_obj = $fields[$idx_cpuid_obj];
-my $bn_obj = $fields[$idx_bn_obj];
-my $des_obj = $fields[$idx_des_obj];
-my $aes_obj = $fields[$idx_aes_obj];
-my $bf_obj = $fields[$idx_bf_obj];
-my $md5_obj = $fields[$idx_md5_obj];
-my $sha1_obj = $fields[$idx_sha1_obj];
-my $cast_obj = $fields[$idx_cast_obj];
-my $rc4_obj = $fields[$idx_rc4_obj];
-my $rmd160_obj = $fields[$idx_rmd160_obj];
-my $rc5_obj = $fields[$idx_rc5_obj];
-my $dso_scheme = $fields[$idx_dso_scheme];
-my $shared_target = $fields[$idx_shared_target];
-my $shared_cflag = $fields[$idx_shared_cflag];
-my $shared_ldflag = $fields[$idx_shared_ldflag];
-my $shared_extension = $fields[$idx_shared_extension];
-my $ranlib = $fields[$idx_ranlib];
-my $arflags = $fields[$idx_arflags];
+# '%' in $lflags is used to split flags to "pre-" and post-flags
+my ($prelflags,$postlflags)=split('%',$lflags);
+if (defined($postlflags)) { $lflags=$postlflags; }
+else { $lflags=$prelflags; undef $prelflags; }
my $no_shared_warn=0;
my $no_user_cflags=0;
@@ -1096,6 +1225,16 @@ if ($no_asm)
{
$cpuid_obj=$bn_obj=$des_obj=$aes_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj="";
$sha1_obj=$md5_obj=$rmd160_obj="";
+ $cflags=~s/\-D[BL]_ENDIAN// if ($fips);
+ $thread_cflags=~s/\-D[BL]_ENDIAN// if ($fips);
+ }
+if ($montasm)
+ {
+ $bn_obj =~ s/MAYBE-MO86-/mo86-/;
+ }
+else
+ {
+ $bn_obj =~ s/MAYBE-MO86-[a-z.]*//;
}
if (!$no_shared)
@@ -1126,7 +1265,7 @@ if ($zlib)
my $shared_mark = "";
if ($shared_target eq "")
{
- $no_shared_warn = 1 if !$no_shared;
+ $no_shared_warn = 1 if !$no_shared && !$fips;
$no_shared = 1;
}
if (!$no_shared)
@@ -1150,12 +1289,18 @@ if (!$IsMK1MF)
}
$cpuid_obj.=" uplink.o uplink-cof.o" if ($cflags =~ /\-DOPENSSL_USE_APPLINK/);
-# Compiler fix-ups
-if ($target =~ /icc$/)
+
+#
+# Platform fix-ups
+#
+if ($target =~ /\-icc$/) # Intel C compiler
{
- my($iccver)=`$cc -V 2>&1`;
- if ($iccver =~ /Version ([0-9]+)\./) { $iccver=$1; }
- else { $iccver=0; }
+ my $iccver=0;
+ if (open(FD,"$cc -V 2>&1 |"))
+ {
+ while(<FD>) { $iccver=$1 if (/Version ([0-9]+)\./); }
+ close(FD);
+ }
if ($iccver>=8)
{
# Eliminate unnecessary dependency from libirc.a. This is
@@ -1163,6 +1308,28 @@ if ($target =~ /icc$/)
# apps/openssl can end up in endless loop upon startup...
$cflags.=" -Dmemcpy=__builtin_memcpy -Dmemset=__builtin_memset";
}
+ if ($iccver>=9)
+ {
+ $cflags.=" -i-static";
+ $cflags=~s/\-no_cpprt/-no-cpprt/;
+ }
+ if ($iccver>=10)
+ {
+ $cflags=~s/\-i\-static/-static-intel/;
+ }
+ }
+
+# Unlike other OSes (like Solaris, Linux, Tru64, IRIX) BSD run-time
+# linkers (tested OpenBSD, NetBSD and FreeBSD) "demand" RPATH set on
+# .so objects. Apparently application RPATH is not global and does
+# not apply to .so linked with other .so. Problem manifests itself
+# when libssl.so fails to load libcrypto.so. One can argue that we
+# should engrave this into Makefile.shared rules or into BSD-* config
+# lines above. Meanwhile let's try to be cautious and pass -rpath to
+# linker only when --prefix is not /usr.
+if ($target =~ /^BSD\-/)
+ {
+ $shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
}
if ($sys_id ne "")
@@ -1188,6 +1355,13 @@ $bn_obj = $bn_asm unless $bn_obj ne "";
$cflags.=" -DOPENSSL_BN_ASM_PART_WORDS" if ($bn_obj =~ /bn86/);
$cflags.=" -DOPENSSL_IA32_SSE2" if (!$no_sse2 && $bn_obj =~ /bn86/);
+$cflags.=" -DOPENSSL_BN_ASM_MONT" if ($bn_obj =~ /\-mont|mo86\-/);
+
+if ($fips)
+ {
+ $openssl_other_defines.="#define OPENSSL_FIPS\n";
+ }
+
$des_obj=$des_enc unless ($des_obj =~ /\.o$/);
$bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/);
$cast_obj=$cast_enc unless ($cast_obj =~ /\.o$/);
@@ -1199,7 +1373,7 @@ if ($sha1_obj =~ /\.o$/)
$cflags.=" -DSHA1_ASM" if ($sha1_obj =~ /sx86/ || $sha1_obj =~ /sha1/);
$cflags.=" -DSHA256_ASM" if ($sha1_obj =~ /sha256/);
$cflags.=" -DSHA512_ASM" if ($sha1_obj =~ /sha512/);
- if ($sha1_obj =~ /x86/)
+ if ($sha1_obj =~ /sse2/)
{ if ($no_sse2)
{ $sha1_obj =~ s/\S*sse2\S+//; }
elsif ($cflags !~ /OPENSSL_IA32_SSE2/)
@@ -1272,10 +1446,13 @@ while (<IN>)
if ($sdirs) {
my $dir;
foreach $dir (@skip) {
- s/([ ])$dir /\1/;
+ s/(\s)$dir\s/$1/;
+ s/\s$dir$//;
}
}
$sdirs = 0 unless /\\$/;
+ s/fips // if (/^DIRS=/ && !$fips);
+ s/engines // if (/^DIRS=/ && $disabled{"engine"});
s/^VERSION=.*/VERSION=$version/;
s/^MAJOR=.*/MAJOR=$major/;
s/^MINOR=.*/MINOR=$minor/;
@@ -1293,7 +1470,8 @@ while (<IN>)
s/^CC=.*$/CC= $cc/;
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
s/^CFLAG=.*$/CFLAG= $cflags/;
- s/^DEPFLAG=.*$/DEPFLAG= $depflags/;
+ s/^DEPFLAG=.*$/DEPFLAG=$depflags/;
+ s/^PEX_LIBS=.*$/PEX_LIBS= $prelflags/;
s/^EX_LIBS=.*$/EX_LIBS= $lflags/;
s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/;
s/^CPUID_OBJ=.*$/CPUID_OBJ= $cpuid_obj/;
@@ -1315,9 +1493,24 @@ while (<IN>)
s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
+ s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
+ if ($fipsdso)
+ {
+ s/^FIPSCANLIB=.*/FIPSCANLIB=libfips/;
+ s/^SHARED_FIPS=.*/SHARED_FIPS=libfips\$(SHLIB_EXT)/;
+ s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl fips/;
+ }
+ else
+ {
+ s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
+ s/^SHARED_FIPS=.*/SHARED_FIPS=/;
+ s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl/;
+ }
+ s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/;
+ s/^BASEADDR=.*/BASEADDR=$baseaddr/;
s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
- s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
+ s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_FIPS) \$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/)
{
my $sotmp = $1;
@@ -1421,6 +1614,7 @@ print OUT "/* WARNING: Generated automatically from opensslconf.h.in by Configur
print OUT "/* OpenSSL was configured with the following options: */\n";
my $openssl_algorithm_defines_trans = $openssl_algorithm_defines;
+$openssl_experimental_defines =~ s/^\s*#\s*define\s+OPENSSL_NO_(.*)/#ifndef OPENSSL_EXPERIMENTAL_$1\n# ifndef OPENSSL_NO_$1\n# define OPENSSL_NO_$1\n# endif\n#endif/mg;
$openssl_algorithm_defines_trans =~ s/^\s*#\s*define\s+OPENSSL_(.*)/# if defined(OPENSSL_$1) \&\& !defined($1)\n# define $1\n# endif/mg;
$openssl_algorithm_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg;
$openssl_algorithm_defines = " /* no ciphers excluded */\n" if $openssl_algorithm_defines eq "";
@@ -1429,8 +1623,10 @@ $openssl_sys_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/
$openssl_other_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg;
print OUT $openssl_sys_defines;
print OUT "#ifndef OPENSSL_DOING_MAKEDEPEND\n\n";
+print OUT $openssl_experimental_defines;
+print OUT "\n";
print OUT $openssl_algorithm_defines;
-print OUT "\n#endif /* OPENSSL_DOING_MAKEDEPEND */\n";
+print OUT "\n#endif /* OPENSSL_DOING_MAKEDEPEND */\n\n";
print OUT $openssl_thread_defines;
print OUT $openssl_other_defines,"\n";
@@ -1581,7 +1777,7 @@ EOF
}
# create the ms/version32.rc file if needed
-if ($IsMK1MF) {
+if ($IsMK1MF && ($target !~ /^netware/)) {
my ($v1, $v2, $v3, $v4);
if ($version_num =~ /(^[0-9a-f]{1})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})/i) {
$v1=hex $1;
@@ -1612,9 +1808,16 @@ BEGIN
BEGIN
BLOCK "040904b0"
BEGIN
+#if defined(FIPS)
+ VALUE "Comments", "WARNING: TEST VERSION ONLY ***NOT*** FIPS 140-2 VALIDATED.\\0"
+#endif
// Required:
VALUE "CompanyName", "The OpenSSL Project, http://www.openssl.org/\\0"
+#if defined(FIPS)
+ VALUE "FileDescription", "TEST UNVALIDATED FIPS140-2 DLL\\0"
+#else
VALUE "FileDescription", "OpenSSL Shared Library\\0"
+#endif
VALUE "FileVersion", "$version\\0"
#if defined(CRYPTO)
VALUE "InternalName", "libeay32\\0"
@@ -1622,12 +1825,15 @@ BEGIN
#elif defined(SSL)
VALUE "InternalName", "ssleay32\\0"
VALUE "OriginalFilename", "ssleay32.dll\\0"
+#elif defined(FIPS)
+ VALUE "InternalName", "libosslfips\\0"
+ VALUE "OriginalFilename", "libosslfips.dll\\0"
#endif
VALUE "ProductName", "The OpenSSL Toolkit\\0"
VALUE "ProductVersion", "$version\\0"
// Optional:
//VALUE "Comments", "\\0"
- VALUE "LegalCopyright", "Copyright 1998-2005 The OpenSSL Project. Copyright 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.\\0"
+ VALUE "LegalCopyright", "Copyright 1998-2007 The OpenSSL Project. Copyright 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.\\0"
//VALUE "LegalTrademarks", "\\0"
//VALUE "PrivateBuild", "\\0"
//VALUE "SpecialBuild", "\\0"
@@ -1664,6 +1870,21 @@ libraries on this platform, they will at least look at it and try their best
(but please first make sure you have tried with a current version of OpenSSL).
EOF
+print <<\EOF if ($fipscanisterinternal eq "y");
+
+WARNING: OpenSSL has been configured using unsupported option(s) to internally
+generate a fipscanister.o object module for TESTING PURPOSES ONLY; that
+compiled module is NOT FIPS 140-2 validated and CANNOT be used to replace the
+OpenSSL FIPS Object Module as identified by the CMVP
+(http://csrc.nist.gov/cryptval/) in any application requiring the use of FIPS
+140-2 validated software.
+
+This is an OpenSSL 0.9.8 test version.
+
+See the file README.FIPS for details of how to build a test library.
+
+EOF
+
exit(0);
sub usage
diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ
index 74bf952ddcd5..942a671f2c35 100644
--- a/crypto/openssl/FAQ
+++ b/crypto/openssl/FAQ
@@ -32,6 +32,8 @@ OpenSSL - Frequently Asked Questions
* How do I install a CA certificate into a browser?
* Why is OpenSSL x509 DN output not conformant to RFC2253?
* What is a "128 bit certificate"? Can I create one with OpenSSL?
+* Why does OpenSSL set the authority key identifier extension incorrectly?
+* How can I set up a bundle of commercial root CA certificates?
[BUILD] Questions about building and testing OpenSSL
@@ -66,6 +68,8 @@ OpenSSL - Frequently Asked Questions
* Why doesn't my server application receive a client certificate?
* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
* I think I've detected a memory leak, is this a bug?
+* Why does Valgrind complain about the use of uninitialized data?
+* Why doesn't a memory BIO work when a file does?
===============================================================================
@@ -74,7 +78,7 @@ OpenSSL - Frequently Asked Questions
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8e was released on February 23rd, 2007.
+OpenSSL 0.9.8k was released on Mar 25th, 2009.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
@@ -401,10 +405,10 @@ You can't generally create such a certificate using OpenSSL but there is no
need to any more. Nowadays web browsers using unrestricted strong encryption
are generally available.
-When there were tight export restrictions on the export of strong encryption
+When there were tight restrictions on the export of strong encryption
software from the US only weak encryption algorithms could be freely exported
(initially 40 bit and then 56 bit). It was widely recognised that this was
-inadequate. A relaxation the rules allowed the use of strong encryption but
+inadequate. A relaxation of the rules allowed the use of strong encryption but
only to an authorised server.
Two slighly different techniques were developed to support this, one used by
@@ -425,6 +429,39 @@ The export laws were later changed to allow almost unrestricted use of strong
encryption so these certificates are now obsolete.
+* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?
+
+It doesn't: this extension is often the cause of confusion.
+
+Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose
+certificate C contains AKID.
+
+The purpose of this extension is to identify the authority certificate B. This
+can be done either by including the subject key identifier of B or its issuer
+name and serial number.
+
+In this latter case because it is identifying certifcate B it must contain the
+issuer name and serial number of B.
+
+It is often wrongly assumed that it should contain the subject name of B. If it
+did this would be redundant information because it would duplicate the issuer
+name of C.
+
+
+* How can I set up a bundle of commercial root CA certificates?
+
+The OpenSSL software is shipped without any root CA certificate as the
+OpenSSL project does not have any policy on including or excluding
+any specific CA and does not intend to set up such a policy. Deciding
+about which CAs to support is up to application developers or
+administrators.
+
+Other projects do have other policies so you can for example extract the CA
+bundle used by Mozilla and/or modssl as described in this article:
+
+ http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
+
+
[BUILD] =======================================================================
* Why does the linker complain about undefined symbols?
@@ -822,11 +859,11 @@ code itself (the hex digits after the second colon).
* Why do I get errors about unknown algorithms?
-This can happen under several circumstances such as reading in an
-encrypted private key or attempting to decrypt a PKCS#12 file. The cause
-is forgetting to load OpenSSL's table of algorithms with
-OpenSSL_add_all_algorithms(). See the manual page for more information.
-
+The cause is forgetting to load OpenSSL's table of algorithms with
+OpenSSL_add_all_algorithms(). See the manual page for more information. This
+can cause several problems such as being unable to read in an encrypted
+PEM file, unable to decrypt a PKCS#12 file or signature failure when
+verifying certificates.
* Why can't the OpenSSH configure script detect OpenSSL?
@@ -894,5 +931,35 @@ thread-safe):
ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
-===============================================================================
+* Why does Valgrind complain about the use of uninitialized data?
+
+When OpenSSL's PRNG routines are called to generate random numbers the supplied
+buffer contents are mixed into the entropy pool: so it technically does not
+matter whether the buffer is initialized at this point or not. Valgrind (and
+other test tools) will complain about this. When using Valgrind, make sure the
+OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
+to get rid of these warnings.
+
+
+* Why doesn't a memory BIO work when a file does?
+
+This can occur in several cases for example reading an S/MIME email message.
+The reason is that a memory BIO can do one of two things when all the data
+has been read from it.
+
+The default behaviour is to indicate that no more data is available and that
+the call should be retried, this is to allow the application to fill up the BIO
+again if necessary.
+Alternatively it can indicate that no more data is available and that EOF has
+been reached.
+
+If a memory BIO is to behave in the same way as a file this second behaviour
+is needed. This must be done by calling:
+
+ BIO_set_mem_eof_return(bio, 0);
+
+See the manual pages for more details.
+
+
+===============================================================================
diff --git a/crypto/openssl/INSTALL b/crypto/openssl/INSTALL
index 83439f1aa4f6..c72cc1dcee42 100644
--- a/crypto/openssl/INSTALL
+++ b/crypto/openssl/INSTALL
@@ -158,7 +158,7 @@
standard headers). If it is a problem with OpenSSL itself, please
report the problem to <openssl-bugs@openssl.org> (note that your
message will be recorded in the request tracker publicly readable
- via http://www.openssl.org/support/rt2.html and will be forwarded to a
+ via http://www.openssl.org/support/rt.html and will be forwarded to a
public mailing list). Include the output of "make report" in your message.
Please check out the request tracker. Maybe the bug was already
reported or has already been fixed.
@@ -180,7 +180,7 @@
in Makefile.ssl and run "make clean; make". Please send a bug
report to <openssl-bugs@openssl.org>, including the output of
"make report" in order to be added to the request tracker at
- http://www.openssl.org/support/rt2.html.
+ http://www.openssl.org/support/rt.html.
4. If everything tests ok, install OpenSSL with
diff --git a/crypto/openssl/LICENSE b/crypto/openssl/LICENSE
index ff99d9724177..a2c4adcbe6a5 100644
--- a/crypto/openssl/LICENSE
+++ b/crypto/openssl/LICENSE
@@ -12,7 +12,7 @@
---------------
/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/crypto/openssl/Makefile b/crypto/openssl/Makefile
index e2223b7dbd47..57d742e4d404 100644
--- a/crypto/openssl/Makefile
+++ b/crypto/openssl/Makefile
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=0.9.8e
+VERSION=0.9.8k
MAJOR=0
MINOR=9.8
SHLIB_VERSION_NUMBER=0.9.8
@@ -13,7 +13,7 @@ SHLIB_MAJOR=0
SHLIB_MINOR=9.8
SHLIB_EXT=
PLATFORM=dist
-OPTIONS= no-camellia no-gmp no-krb5 no-mdc2 no-rc5 no-rfc3779 no-shared no-zlib no-zlib-dynamic
+OPTIONS= no-camellia no-capieng no-cms no-gmp no-jpake no-krb5 no-mdc2 no-montasm no-rc5 no-rfc3779 no-seed no-shared no-zlib no-zlib-dynamic
CONFIGURE_ARGS=dist
SHLIB_TARGET=
@@ -61,12 +61,13 @@ OPENSSLDIR=/usr/local/ssl
CC= cc
CFLAG= -O
-DEPFLAG= -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
+DEPFLAG= -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_CMS -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SEED
PEX_LIBS=
EX_LIBS=
EXE_EXT=
ARFLAGS=
AR=ar $(ARFLAGS) r
+ARD=ar $(ARFLAGS) d
RANLIB= /usr/bin/ranlib
PERL= /usr/bin/perl
TAR= tar
@@ -92,7 +93,7 @@ DES_ENC= des_enc.o fcrypt_b.o
AES_ASM_OBJ= aes_core.o aes_cbc.o
BF_ENC= bf_enc.o
CAST_ENC= c_enc.o
-RC4_ENC= rc4_enc.o
+RC4_ENC= rc4_enc.o rc4_skey.o
RC5_ENC= rc5_enc.o
MD5_ASM_OBJ=
SHA1_ASM_OBJ=
@@ -106,6 +107,32 @@ LIBKRB5=
ZLIB_INCLUDE=
LIBZLIB=
+# This is the location of fipscanister.o and friends.
+# The FIPS module build will place it $(INSTALLTOP)/lib
+# but since $(INSTALLTOP) can only take the default value
+# when the module is built it will be in /usr/local/ssl/lib
+# $(INSTALLTOP) for this build make be different so hard
+# code the path.
+
+FIPSLIBDIR=/usr/local/ssl/fips-1.0/lib/
+
+# This is set to "y" if fipscanister.o is compiled internally as
+# opposed to coming from an external validated location.
+
+FIPSCANISTERINTERNAL=n
+
+# The location of the library which contains fipscanister.o
+# normally it will be libcrypto unless fipsdso is set in which
+# case it will be libfips. If not compiling in FIPS mode at all
+# this is empty making it a useful test for a FIPS compile.
+
+FIPSCANLIB=
+
+# Shared library base address. Currently only used on Windows.
+#
+
+BASEADDR=0xFB00000
+
DIRS= crypto ssl engines apps test tools
SHLIBDIRS= crypto ssl
@@ -140,6 +167,7 @@ WDIRS= windows
LIBS= libcrypto.a libssl.a
SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
SHARED_SSL=libssl$(SHLIB_EXT)
+SHARED_FIPS=
SHARED_LIBS=
SHARED_LIBS_LINK_EXTS=
SHARED_LDFLAGS=
@@ -193,6 +221,10 @@ BUILDENV= PLATFORM='${PLATFORM}' PROCESSOR='${PROCESSOR}' \
SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' \
MD5_ASM_OBJ='${MD5_ASM_OBJ}' \
RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' \
+ FIPSLIBDIR='${FIPSLIBDIR}' \
+ FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
+ FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' \
+ FIPS_EX_OBJ='${FIPS_EX_OBJ}' \
THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
# which in turn eliminates ambiguities in variable treatment with -e.
@@ -211,7 +243,8 @@ BUILDENV= PLATFORM='${PLATFORM}' PROCESSOR='${PROCESSOR}' \
# subdirectories defined in $(DIRS). It requires that the target
# is given through the shell variable `target'.
BUILD_CMD= if [ -d "$$dir" ]; then \
- ( cd $$dir && echo "making $$target in $$dir..." && \
+ ( [ $$target != all -a -z "$(FIPSCANLIB)" ] && FIPSCANLIB=/dev/null; \
+ cd $$dir && echo "making $$target in $$dir..." && \
$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
) || exit 1; \
fi
@@ -224,13 +257,84 @@ BUILD_ONE_CMD=\
reflect:
@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
+FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
+ ../crypto/aes/aes_ecb.o \
+ ../crypto/aes/aes_ofb.o \
+ ../crypto/bn/bn_add.o \
+ ../crypto/bn/bn_blind.o \
+ ../crypto/bn/bn_ctx.o \
+ ../crypto/bn/bn_div.o \
+ ../crypto/bn/bn_exp2.o \
+ ../crypto/bn/bn_exp.o \
+ ../crypto/bn/bn_gcd.o \
+ ../crypto/bn/bn_lib.o \
+ ../crypto/bn/bn_mod.o \
+ ../crypto/bn/bn_mont.o \
+ ../crypto/bn/bn_mul.o \
+ ../crypto/bn/bn_prime.o \
+ ../crypto/bn/bn_rand.o \
+ ../crypto/bn/bn_recp.o \
+ ../crypto/bn/bn_shift.o \
+ ../crypto/bn/bn_sqr.o \
+ ../crypto/bn/bn_word.o \
+ ../crypto/bn/bn_x931p.o \
+ ../crypto/buffer/buf_str.o \
+ ../crypto/cryptlib.o \
+ ../crypto/des/cfb64ede.o \
+ ../crypto/des/cfb64enc.o \
+ ../crypto/des/cfb_enc.o \
+ ../crypto/des/ecb3_enc.o \
+ ../crypto/des/ecb_enc.o \
+ ../crypto/des/ofb64ede.o \
+ ../crypto/des/ofb64enc.o \
+ ../crypto/des/fcrypt.o \
+ ../crypto/des/set_key.o \
+ ../crypto/dsa/dsa_utl.o \
+ ../crypto/dsa/dsa_sign.o \
+ ../crypto/dsa/dsa_vrf.o \
+ ../crypto/err/err.o \
+ ../crypto/evp/digest.o \
+ ../crypto/evp/enc_min.o \
+ ../crypto/evp/e_aes.o \
+ ../crypto/evp/e_des3.o \
+ ../crypto/evp/p_sign.o \
+ ../crypto/evp/p_verify.o \
+ ../crypto/mem_clr.o \
+ ../crypto/mem.o \
+ ../crypto/rand/md_rand.o \
+ ../crypto/rand/rand_egd.o \
+ ../crypto/rand/randfile.o \
+ ../crypto/rand/rand_lib.o \
+ ../crypto/rand/rand_os2.o \
+ ../crypto/rand/rand_unix.o \
+ ../crypto/rand/rand_win.o \
+ ../crypto/rsa/rsa_lib.o \
+ ../crypto/rsa/rsa_none.o \
+ ../crypto/rsa/rsa_oaep.o \
+ ../crypto/rsa/rsa_pk1.o \
+ ../crypto/rsa/rsa_pss.o \
+ ../crypto/rsa/rsa_ssl.o \
+ ../crypto/rsa/rsa_x931.o \
+ ../crypto/sha/sha1dgst.o \
+ ../crypto/sha/sha256.o \
+ ../crypto/sha/sha512.o \
+ ../crypto/uid.o
+
sub_all: build_all
build_all: build_libs build_apps build_tests build_tools
-build_libs: build_crypto build_ssl build_engines
+build_libs: build_crypto build_fips build_ssl build_shared build_engines
build_crypto:
- @dir=crypto; target=all; $(BUILD_ONE_CMD)
+ if [ -n "$(FIPSCANLIB)" ]; then \
+ EXCL_OBJ='$(AES_ASM_OBJ) $(BN_ASM) $(DES_ENC) $(CPUID_OBJ) $(SHA1_ASM_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \
+ ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \
+ else \
+ ARX='${AR}' ; \
+ fi ; export ARX ; \
+ dir=crypto; target=all; $(BUILD_ONE_CMD)
+build_fips:
+ @dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
build_ssl:
@dir=ssl; target=all; $(BUILD_ONE_CMD)
build_engines:
@@ -246,9 +350,20 @@ all_testapps: build_libs build_testapps
build_testapps:
@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
-libcrypto$(SHLIB_EXT): libcrypto.a
+build_shared: $(SHARED_LIBS)
+libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS)
@if [ "$(SHLIB_TARGET)" != "" ]; then \
- $(MAKE) SHLIBDIRS=crypto build-shared; \
+ if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+ $(ARD) libcrypto.a fipscanister.o ; \
+ $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
+ $(AR) libcrypto.a fips/fipscanister.o ; \
+ else \
+ if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
+ FIPSLD_CC=$(CC); CC=fips/fipsld; \
+ export CC FIPSLD_CC; \
+ fi; \
+ $(MAKE) -e SHLIBDIRS='crypto' build-shared; \
+ fi \
else \
echo "There's no support for shared libraries on this platform" >&2; \
exit 1; \
@@ -256,12 +371,32 @@ libcrypto$(SHLIB_EXT): libcrypto.a
libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
@if [ "$(SHLIB_TARGET)" != "" ]; then \
- $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
+ shlibdeps=-lcrypto; \
+ [ "$(FIPSCANLIB)" = "libfips" ] && shlibdeps="$$shlibdeps -lfips"; \
+ $(MAKE) SHLIBDIRS=ssl SHLIBDEPS="$$shlibdeps" build-shared; \
+ else \
+ echo "There's no support for shared libraries on this platform" >&2 ; \
+ exit 1; \
+ fi
+
+fips/fipscanister.o: build_fips
+libfips$(SHLIB_EXT): fips/fipscanister.o
+ @if [ "$(SHLIB_TARGET)" != "" ]; then \
+ FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
+ $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+ CC=$${CC} LIBNAME=fips THIS=$@ \
+ LIBEXTRAS=fips/fipscanister.o \
+ LIBDEPS="$(EX_LIBS)" \
+ LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ link_o.$(SHLIB_TARGET) || { rm -f $@; exit 1; } \
else \
echo "There's no support for shared libraries on this platform" >&2; \
exit 1; \
fi
+libfips.a:
+ dir=fips; target=all; $(BUILD_ONE_CMD)
+
clean-shared:
@set -e; for i in $(SHLIBDIRS); do \
if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
@@ -371,6 +506,9 @@ links:
@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
@set -e; target=links; $(RECURSIVE_BUILD_CMD)
+ @if [ -z "$(FIPSCANLIB)" ]; then \
+ set -e; target=links; dir=fips ; $(BUILD_CMD) ; \
+ fi
gentests:
@(cd test && echo "generating dummy tests (if needed)..." && \
diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org
index c1334c6e1e9f..d1b56b2f580f 100644
--- a/crypto/openssl/Makefile.org
+++ b/crypto/openssl/Makefile.org
@@ -65,6 +65,7 @@ EX_LIBS=
EXE_EXT=
ARFLAGS=
AR=ar $(ARFLAGS) r
+ARD=ar $(ARFLAGS) d
RANLIB= ranlib
PERL= perl
TAR= tar
@@ -104,18 +105,44 @@ LIBKRB5=
ZLIB_INCLUDE=
LIBZLIB=
-DIRS= crypto ssl engines apps test tools
-SHLIBDIRS= crypto ssl
+# This is the location of fipscanister.o and friends.
+# The FIPS module build will place it $(INSTALLTOP)/lib
+# but since $(INSTALLTOP) can only take the default value
+# when the module is built it will be in /usr/local/ssl/lib
+# $(INSTALLTOP) for this build make be different so hard
+# code the path.
+
+FIPSLIBDIR=/usr/local/ssl/lib/
+
+# This is set to "y" if fipscanister.o is compiled internally as
+# opposed to coming from an external validated location.
+
+FIPSCANISTERINTERNAL=n
+
+# The location of the library which contains fipscanister.o
+# normally it will be libcrypto unless fipsdso is set in which
+# case it will be libfips. If not compiling in FIPS mode at all
+# this is empty making it a useful test for a FIPS compile.
+
+FIPSCANLIB=
+
+# Shared library base address. Currently only used on Windows.
+#
+
+BASEADDR=
+
+DIRS= crypto fips ssl engines apps test tools
+SHLIBDIRS= crypto ssl fips
# dirs in crypto to build
SDIRS= \
objects \
md2 md4 md5 sha mdc2 hmac ripemd \
- des aes rc2 rc4 rc5 idea bf cast camellia \
+ des aes rc2 rc4 rc5 idea bf cast camellia seed \
bn ec rsa dsa ecdsa dh ecdh dso engine \
buffer bio stack lhash rand err \
evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
- store pqueue
+ store cms pqueue jpake
# keep in mind that the above list is adjusted by ./Configure
# according to no-xxx arguments...
@@ -138,6 +165,7 @@ WDIRS= windows
LIBS= libcrypto.a libssl.a
SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
SHARED_SSL=libssl$(SHLIB_EXT)
+SHARED_FIPS=
SHARED_LIBS=
SHARED_LIBS_LINK_EXTS=
SHARED_LDFLAGS=
@@ -191,6 +219,10 @@ BUILDENV= PLATFORM='${PLATFORM}' PROCESSOR='${PROCESSOR}' \
SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' \
MD5_ASM_OBJ='${MD5_ASM_OBJ}' \
RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' \
+ FIPSLIBDIR='${FIPSLIBDIR}' \
+ FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
+ FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' \
+ FIPS_EX_OBJ='${FIPS_EX_OBJ}' \
THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
# which in turn eliminates ambiguities in variable treatment with -e.
@@ -209,7 +241,8 @@ BUILDENV= PLATFORM='${PLATFORM}' PROCESSOR='${PROCESSOR}' \
# subdirectories defined in $(DIRS). It requires that the target
# is given through the shell variable `target'.
BUILD_CMD= if [ -d "$$dir" ]; then \
- ( cd $$dir && echo "making $$target in $$dir..." && \
+ ( [ $$target != all -a -z "$(FIPSCANLIB)" ] && FIPSCANLIB=/dev/null; \
+ cd $$dir && echo "making $$target in $$dir..." && \
$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
) || exit 1; \
fi
@@ -222,13 +255,84 @@ BUILD_ONE_CMD=\
reflect:
@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
+FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
+ ../crypto/aes/aes_ecb.o \
+ ../crypto/aes/aes_ofb.o \
+ ../crypto/bn/bn_add.o \
+ ../crypto/bn/bn_blind.o \
+ ../crypto/bn/bn_ctx.o \
+ ../crypto/bn/bn_div.o \
+ ../crypto/bn/bn_exp2.o \
+ ../crypto/bn/bn_exp.o \
+ ../crypto/bn/bn_gcd.o \
+ ../crypto/bn/bn_lib.o \
+ ../crypto/bn/bn_mod.o \
+ ../crypto/bn/bn_mont.o \
+ ../crypto/bn/bn_mul.o \
+ ../crypto/bn/bn_prime.o \
+ ../crypto/bn/bn_rand.o \
+ ../crypto/bn/bn_recp.o \
+ ../crypto/bn/bn_shift.o \
+ ../crypto/bn/bn_sqr.o \
+ ../crypto/bn/bn_word.o \
+ ../crypto/bn/bn_x931p.o \
+ ../crypto/buffer/buf_str.o \
+ ../crypto/cryptlib.o \
+ ../crypto/des/cfb64ede.o \
+ ../crypto/des/cfb64enc.o \
+ ../crypto/des/cfb_enc.o \
+ ../crypto/des/ecb3_enc.o \
+ ../crypto/des/ecb_enc.o \
+ ../crypto/des/ofb64ede.o \
+ ../crypto/des/ofb64enc.o \
+ ../crypto/des/fcrypt.o \
+ ../crypto/des/set_key.o \
+ ../crypto/dsa/dsa_utl.o \
+ ../crypto/dsa/dsa_sign.o \
+ ../crypto/dsa/dsa_vrf.o \
+ ../crypto/err/err.o \
+ ../crypto/evp/digest.o \
+ ../crypto/evp/enc_min.o \
+ ../crypto/evp/e_aes.o \
+ ../crypto/evp/e_des3.o \
+ ../crypto/evp/p_sign.o \
+ ../crypto/evp/p_verify.o \
+ ../crypto/mem_clr.o \
+ ../crypto/mem.o \
+ ../crypto/rand/md_rand.o \
+ ../crypto/rand/rand_egd.o \
+ ../crypto/rand/randfile.o \
+ ../crypto/rand/rand_lib.o \
+ ../crypto/rand/rand_os2.o \
+ ../crypto/rand/rand_unix.o \
+ ../crypto/rand/rand_win.o \
+ ../crypto/rsa/rsa_lib.o \
+ ../crypto/rsa/rsa_none.o \
+ ../crypto/rsa/rsa_oaep.o \
+ ../crypto/rsa/rsa_pk1.o \
+ ../crypto/rsa/rsa_pss.o \
+ ../crypto/rsa/rsa_ssl.o \
+ ../crypto/rsa/rsa_x931.o \
+ ../crypto/sha/sha1dgst.o \
+ ../crypto/sha/sha256.o \
+ ../crypto/sha/sha512.o \
+ ../crypto/uid.o
+
sub_all: build_all
build_all: build_libs build_apps build_tests build_tools
-build_libs: build_crypto build_ssl build_engines
+build_libs: build_crypto build_fips build_ssl build_shared build_engines
build_crypto:
- @dir=crypto; target=all; $(BUILD_ONE_CMD)
+ if [ -n "$(FIPSCANLIB)" ]; then \
+ EXCL_OBJ='$(AES_ASM_OBJ) $(BN_ASM) $(DES_ENC) $(CPUID_OBJ) $(SHA1_ASM_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \
+ ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \
+ else \
+ ARX='${AR}' ; \
+ fi ; export ARX ; \
+ dir=crypto; target=all; $(BUILD_ONE_CMD)
+build_fips:
+ @dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
build_ssl:
@dir=ssl; target=all; $(BUILD_ONE_CMD)
build_engines:
@@ -244,9 +348,20 @@ all_testapps: build_libs build_testapps
build_testapps:
@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
-libcrypto$(SHLIB_EXT): libcrypto.a
+build_shared: $(SHARED_LIBS)
+libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS)
@if [ "$(SHLIB_TARGET)" != "" ]; then \
- $(MAKE) SHLIBDIRS=crypto build-shared; \
+ if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+ $(ARD) libcrypto.a fipscanister.o ; \
+ $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
+ $(AR) libcrypto.a fips/fipscanister.o ; \
+ else \
+ if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
+ FIPSLD_CC=$(CC); CC=fips/fipsld; \
+ export CC FIPSLD_CC; \
+ fi; \
+ $(MAKE) -e SHLIBDIRS='crypto' build-shared; \
+ fi \
else \
echo "There's no support for shared libraries on this platform" >&2; \
exit 1; \
@@ -254,12 +369,32 @@ libcrypto$(SHLIB_EXT): libcrypto.a
libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
@if [ "$(SHLIB_TARGET)" != "" ]; then \
- $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
+ shlibdeps=-lcrypto; \
+ [ "$(FIPSCANLIB)" = "libfips" ] && shlibdeps="$$shlibdeps -lfips"; \
+ $(MAKE) SHLIBDIRS=ssl SHLIBDEPS="$$shlibdeps" build-shared; \
+ else \
+ echo "There's no support for shared libraries on this platform" >&2 ; \
+ exit 1; \
+ fi
+
+fips/fipscanister.o: build_fips
+libfips$(SHLIB_EXT): fips/fipscanister.o
+ @if [ "$(SHLIB_TARGET)" != "" ]; then \
+ FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
+ $(MAKE) -f Makefile.shared -e $(BUILDENV) \
+ CC=$${CC} LIBNAME=fips THIS=$@ \
+ LIBEXTRAS=fips/fipscanister.o \
+ LIBDEPS="$(EX_LIBS)" \
+ LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ link_o.$(SHLIB_TARGET) || { rm -f $@; exit 1; } \
else \
echo "There's no support for shared libraries on this platform" >&2; \
exit 1; \
fi
+libfips.a:
+ dir=fips; target=all; $(BUILD_ONE_CMD)
+
clean-shared:
@set -e; for i in $(SHLIBDIRS); do \
if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
@@ -369,6 +504,9 @@ links:
@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
@set -e; target=links; $(RECURSIVE_BUILD_CMD)
+ @if [ -z "$(FIPSCANLIB)" ]; then \
+ set -e; target=links; dir=fips ; $(BUILD_CMD) ; \
+ fi
gentests:
@(cd test && echo "generating dummy tests (if needed)..." && \
diff --git a/crypto/openssl/Makefile.shared b/crypto/openssl/Makefile.shared
index 1b94aa18bcb3..3183436ac631 100644
--- a/crypto/openssl/Makefile.shared
+++ b/crypto/openssl/Makefile.shared
@@ -101,15 +101,13 @@ LINK_SO= \
LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
SHAREDCMD="$${SHAREDCMD:-$(CC)}"; \
SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
- nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' > lib$(LIBNAME).exp; \
LIBPATH=`for x in $$LIBDEPS; do if echo $$x | grep '^ *-L' > /dev/null 2>&1; then echo $$x | sed -e 's/^ *-L//'; fi; done | uniq`; \
LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
$${SHAREDCMD} $${SHAREDFLAGS} \
-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \
- ) && $(SYMLINK_SO); \
- ( $(SET_X); rm -f lib$(LIBNAME).exp )
+ ) && $(SYMLINK_SO)
SYMLINK_SO= \
if [ -n "$$INHIBIT_SYMLINKS" ]; then :; else \
@@ -202,8 +200,10 @@ link_app.bsd:
# to use native NSModule(3) API and refers to dlfcn as termporary hack.
link_o.darwin:
@ $(CALC_VERSIONS); \
- SHLIB=lib$(LIBNAME); \
- SHLIB_SUFFIX=.so; \
+ SHLIB=`expr "$$THIS" : '.*/\([^/\.]*\)\.'`; \
+ SHLIB=$${SHLIB:-lib$(LIBNAME)}; \
+ SHLIB_SUFFIX=`expr "$$THIS" : '.*\(\.[^\.]*\)$$'`; \
+ SHLIB_SUFFIX=$${SHLIB_SUFFIX:-.so}; \
ALLSYMSFLAGS='-all_load'; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS)"; \
@@ -236,24 +236,30 @@ link_o.cygwin:
@ $(CALC_VERSIONS); \
INHIBIT_SYMLINKS=yes; \
SHLIB=cyg$(LIBNAME); \
- expr $(PLATFORM) : 'mingw' > /dev/null && SHLIB=$(LIBNAME)eay32; \
+ base=-Wl,--enable-auto-image-base; \
+ if expr $(PLATFORM) : 'mingw' > /dev/null; then \
+ SHLIB=$(LIBNAME)eay32; base=; \
+ fi; \
SHLIB_SUFFIX=.dll; \
LIBVERSION="$(LIBVERSION)"; \
SHLIB_SOVER=${LIBVERSION:+"-$(LIBVERSION)"}; \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a"; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a"; \
$(LINK_SO_O)
link_a.cygwin:
@ $(CALC_VERSIONS); \
INHIBIT_SYMLINKS=yes; \
SHLIB=cyg$(LIBNAME); \
- expr $(PLATFORM) : 'mingw' > /dev/null && SHLIB=$(LIBNAME)eay32; \
+ base=-Wl,--enable-auto-image-base; \
+ if expr $(PLATFORM) : 'mingw' > /dev/null; then \
+ SHLIB=$(LIBNAME)eay32; \
+ base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
+ fi; \
SHLIB_SUFFIX=.dll; \
SHLIB_SOVER=-$(LIBVERSION); \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
- base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a"; \
[ -f apps/$$SHLIB$$SHLIB_SUFFIX ] && rm apps/$$SHLIB$$SHLIB_SUFFIX; \
[ -f test/$$SHLIB$$SHLIB_SUFFIX ] && rm test/$$SHLIB$$SHLIB_SUFFIX; \
@@ -278,7 +284,7 @@ link_o.alpha-osf1:
SHLIB_SOVER=; \
ALLSYMSFLAGS='-all'; \
NOALLSYMSFLAGS='-none'; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared"; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-B,symbolic"; \
if [ -n "$$SHLIB_HIST" ]; then \
SHAREDFLAGS="$$SHAREDFLAGS -set_version $$SHLIB_HIST"; \
fi; \
@@ -299,7 +305,7 @@ link_a.alpha-osf1:
SHLIB_SOVER=; \
ALLSYMSFLAGS='-all'; \
NOALLSYMSFLAGS='-none'; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared"; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-B,symbolic"; \
if [ -n "$$SHLIB_HIST" ]; then \
SHAREDFLAGS="$$SHAREDFLAGS -set_version $$SHLIB_HIST"; \
fi; \
@@ -422,7 +428,7 @@ link_o.irix:
($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \
ALLSYMSFLAGS="$${MINUSWL}-all"; \
NOALLSYMSFLAGS="$${MINUSWL}-none"; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,-B,symbolic"; \
fi; \
$(LINK_SO_O)
link_a.irix:
@@ -436,7 +442,7 @@ link_a.irix:
($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \
ALLSYMSFLAGS="$${MINUSWL}-all"; \
NOALLSYMSFLAGS="$${MINUSWL}-none"; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,-B,symbolic"; \
fi; \
$(LINK_SO_A)
link_app.irix:
@@ -460,7 +466,7 @@ link_o.hpux:
ALLSYMSFLAGS='-Wl,-Fl'; \
NOALLSYMSFLAGS=''; \
expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,+cdp,../:,+cdp,./:"; \
fi; \
rm -f $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX || :; \
$(LINK_SO_O) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
@@ -473,7 +479,7 @@ link_a.hpux:
ALLSYMSFLAGS='-Wl,-Fl'; \
NOALLSYMSFLAGS=''; \
expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,+cdp,../:,+cdp,./:"; \
fi; \
rm -f $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX || :; \
$(LINK_SO_A) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
@@ -485,26 +491,26 @@ link_app.hpux:
link_o.aix:
@ $(CALC_VERSIONS); \
- OBJECT_MODE=`expr x$(SHARED_LDFLAGS) : 'x\-[a-z]\([0-9]*\)'`; \
+ OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || :; \
OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
- ALLSYMSFLAGS='-bnogc'; \
+ ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
- SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -G -bE:lib$(LIBNAME).exp -bM:SRE'; \
- $(LINK_SO_O); rm -rf lib$(LIBNAME).exp
+ SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-bexpall,-bnolibpath,-bM:SRE'; \
+ $(LINK_SO_O);
link_a.aix:
@ $(CALC_VERSIONS); \
- OBJECT_MODE=`expr x$(SHARED_LDFLAGS) : 'x\-[a-z]\([0-9]*\)'`; \
+ OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || : ; \
OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS='-bnogc'; \
NOALLSYMSFLAGS=''; \
- SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -G -bE:lib$(LIBNAME).exp -bM:SRE'; \
+ SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-bexpall,-bnolibpath,-bM:SRE'; \
$(LINK_SO_A_VIA_O)
link_app.aix:
- LDFLAGS="$(CFLAGS) -blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
+ LDFLAGS="$(CFLAGS) -Wl,-brtl,-blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
$(LINK_APP)
link_o.reliantunix:
diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS
index c808a76ccf58..37156fc59350 100644
--- a/crypto/openssl/NEWS
+++ b/crypto/openssl/NEWS
@@ -5,6 +5,39 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
+
+ o Fix various build issues.
+ o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789)
+
+ Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j:
+
+ o Fix security issue (CVE-2008-5077)
+ o Merge FIPS 140-2 branch code.
+
+ Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h:
+
+ o CryptoAPI ENGINE support.
+ o Various precautionary measures.
+ o Fix for bugs affecting certificate request creation.
+ o Support for local machine keyset attribute in PKCS#12 files.
+
+ Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g:
+
+ o Backport of CMS functionality to 0.9.8.
+ o Fixes for bugs introduced with 0.9.8f.
+
+ Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f:
+
+ o Add gcc 4.2 support.
+ o Add support for AES and SSE2 assembly lanugauge optimization
+ for VC++ build.
+ o Support for RFC4507bis and server name extensions if explicitly
+ selected at compile time.
+ o DTLS improvements.
+ o RFC4507bis support.
+ o TLS Extensions support.
+
Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e:
o Various ciphersuite selection fixes.
diff --git a/crypto/openssl/README b/crypto/openssl/README
index 907e2354bf6a..99a6a7b4bf6b 100644
--- a/crypto/openssl/README
+++ b/crypto/openssl/README
@@ -1,7 +1,7 @@
- OpenSSL 0.9.8e 23 Feb 2007
+ OpenSSL 0.9.8k
- Copyright (c) 1998-2007 The OpenSSL Project
+ Copyright (c) 1998-2008 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
@@ -36,12 +36,13 @@
actually logically part of it. It includes routines for the following:
Ciphers
- libdes - EAY's libdes DES encryption package which has been floating
- around the net for a few years. It includes 15
- 'modes/variations' of DES (1, 2 and 3 key versions of ecb,
- cbc, cfb and ofb; pcbc and a more general form of cfb and
- ofb) including desx in cbc mode, a fast crypt(3), and
- routines to read passwords from the keyboard.
+ libdes - EAY's libdes DES encryption package which was floating
+ around the net for a few years, and was then relicensed by
+ him as part of SSLeay. It includes 15 'modes/variations'
+ of DES (1, 2 and 3 key versions of ecb, cbc, cfb and ofb;
+ pcbc and a more general form of cfb and ofb) including desx
+ in cbc mode, a fast crypt(3), and routines to read
+ passwords from the keyboard.
RC4 encryption,
RC2 encryption - 4 different modes, ecb, cbc, cfb and ofb.
Blowfish encryption - 4 different modes, ecb, cbc, cfb and ofb.
@@ -160,7 +161,7 @@
- Stack Traceback (if the application dumps core)
Report the bug to the OpenSSL project via the Request Tracker
- (http://www.openssl.org/support/rt2.html) by mail to:
+ (http://www.openssl.org/support/rt.html) by mail to:
openssl-bugs@openssl.org
diff --git a/crypto/openssl/apps/Makefile b/crypto/openssl/apps/Makefile
index 41cd3ca016bd..402981aedeab 100644
--- a/crypto/openssl/apps/Makefile
+++ b/crypto/openssl/apps/Makefile
@@ -38,7 +38,7 @@ EXE= $(PROGRAM)$(EXE_EXT)
E_EXE= verify asn1pars req dgst dh dhparam enc passwd gendh errstr \
ca crl rsa rsautl dsa dsaparam ec ecparam \
x509 genrsa gendsa s_server s_client speed \
- s_time version pkcs7 crl2pkcs7 sess_id ciphers nseq pkcs12 \
+ s_time version pkcs7 cms crl2pkcs7 sess_id ciphers nseq pkcs12 \
pkcs8 spkac smime rand engine ocsp prime
PROGS= $(PROGRAM).c
@@ -56,7 +56,7 @@ E_OBJ= verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o er
x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \
s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \
ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o \
- ocsp.o prime.o
+ ocsp.o prime.o cms.o
E_SRC= verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \
pkcs7.c crl2p7.c crl.c \
@@ -64,7 +64,7 @@ E_SRC= verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.
x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \
s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \
ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c \
- ocsp.c prime.c
+ ocsp.c prime.c cms.c
SRC=$(E_SRC)
@@ -152,14 +152,13 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
$(RM) $(EXE)
shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
shlib_target="$(SHLIB_TARGET)"; \
+ elif [ -n "$(FIPSCANLIB)" ]; then \
+ FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
fi; \
- if [ "$${shlib_target}" = "darwin-shared" ] ; then \
- LIBRARIES="$(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO)" ; \
- else \
- LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
- fi; \
+ LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
+ [ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
$(MAKE) -f $(TOP)/Makefile.shared -e \
- APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \
+ CC=$${CC} APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \
LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
link_app.$${shlib_target}
-(cd ..; \
@@ -177,23 +176,25 @@ app_rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h
app_rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
app_rand.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
app_rand.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-app_rand.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-app_rand.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+app_rand.o: ../include/openssl/evp.h ../include/openssl/fips.h
+app_rand.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+app_rand.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
app_rand.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
app_rand.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
app_rand.o: ../include/openssl/rand.h ../include/openssl/safestack.h
app_rand.o: ../include/openssl/sha.h ../include/openssl/stack.h
app_rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-app_rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h app_rand.c
-app_rand.o: apps.h
+app_rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+app_rand.o: ../include/openssl/x509v3.h app_rand.c apps.h
apps.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
apps.o: ../include/openssl/bn.h ../include/openssl/buffer.h
apps.o: ../include/openssl/conf.h ../include/openssl/crypto.h
apps.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
apps.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
apps.o: ../include/openssl/engine.h ../include/openssl/err.h
-apps.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-apps.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+apps.o: ../include/openssl/evp.h ../include/openssl/fips.h
+apps.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+apps.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
apps.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
apps.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
apps.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
@@ -209,31 +210,32 @@ asn1pars.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
asn1pars.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
asn1pars.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
asn1pars.o: ../include/openssl/err.h ../include/openssl/evp.h
-asn1pars.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-asn1pars.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+asn1pars.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+asn1pars.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+asn1pars.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
asn1pars.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
asn1pars.o: ../include/openssl/pem.h ../include/openssl/pem2.h
asn1pars.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
asn1pars.o: ../include/openssl/sha.h ../include/openssl/stack.h
asn1pars.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-asn1pars.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-asn1pars.o: asn1pars.c
+asn1pars.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+asn1pars.o: ../include/openssl/x509v3.h apps.h asn1pars.c
ca.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
ca.o: ../include/openssl/bn.h ../include/openssl/buffer.h
ca.o: ../include/openssl/conf.h ../include/openssl/crypto.h
ca.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
ca.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
ca.o: ../include/openssl/engine.h ../include/openssl/err.h
-ca.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-ca.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ca.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-ca.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ca.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ca.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-ca.o: ../include/openssl/sha.h ../include/openssl/stack.h
-ca.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-ca.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ca.o: ../include/openssl/x509v3.h apps.h ca.c
+ca.o: ../include/openssl/evp.h ../include/openssl/fips.h
+ca.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ca.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+ca.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ca.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ca.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ca.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ca.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ca.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+ca.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ca.c
ciphers.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
ciphers.o: ../include/openssl/bn.h ../include/openssl/buffer.h
ciphers.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -241,27 +243,44 @@ ciphers.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
ciphers.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
ciphers.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
ciphers.o: ../include/openssl/engine.h ../include/openssl/err.h
-ciphers.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+ciphers.o: ../include/openssl/evp.h ../include/openssl/fips.h
+ciphers.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
ciphers.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ciphers.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ciphers.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ciphers.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-ciphers.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-ciphers.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ciphers.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ciphers.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ciphers.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ciphers.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-ciphers.o: ../include/openssl/x509_vfy.h apps.h ciphers.c
+ciphers.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+ciphers.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ciphers.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ciphers.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ciphers.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ciphers.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ciphers.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ciphers.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+ciphers.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ciphers.o: ../include/openssl/x509v3.h apps.h ciphers.c
+cms.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+cms.o: ../include/openssl/buffer.h ../include/openssl/conf.h
+cms.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+cms.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+cms.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+cms.o: ../include/openssl/evp.h ../include/openssl/fips.h
+cms.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+cms.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+cms.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+cms.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+cms.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+cms.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+cms.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+cms.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h cms.c
crl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
crl.o: ../include/openssl/buffer.h ../include/openssl/conf.h
crl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
crl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
crl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
crl.o: ../include/openssl/err.h ../include/openssl/evp.h
-crl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-crl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+crl.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+crl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+crl.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
crl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
crl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
crl.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
@@ -275,30 +294,32 @@ crl2p7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
crl2p7.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
crl2p7.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
crl2p7.o: ../include/openssl/err.h ../include/openssl/evp.h
-crl2p7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-crl2p7.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+crl2p7.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+crl2p7.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+crl2p7.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
crl2p7.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
crl2p7.o: ../include/openssl/pem.h ../include/openssl/pem2.h
crl2p7.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
crl2p7.o: ../include/openssl/sha.h ../include/openssl/stack.h
crl2p7.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-crl2p7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-crl2p7.o: crl2p7.c
+crl2p7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+crl2p7.o: ../include/openssl/x509v3.h apps.h crl2p7.c
dgst.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
dgst.o: ../include/openssl/buffer.h ../include/openssl/conf.h
dgst.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
dgst.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
dgst.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
dgst.o: ../include/openssl/err.h ../include/openssl/evp.h
-dgst.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-dgst.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+dgst.o: ../include/openssl/fips.h ../include/openssl/hmac.h
+dgst.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+dgst.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
dgst.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
dgst.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
dgst.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
dgst.o: ../include/openssl/safestack.h ../include/openssl/sha.h
dgst.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
dgst.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-dgst.o: ../include/openssl/x509_vfy.h apps.h dgst.c
+dgst.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dgst.c
dh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
dh.o: ../include/openssl/bn.h ../include/openssl/buffer.h
dh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -306,14 +327,16 @@ dh.o: ../include/openssl/dh.h ../include/openssl/e_os2.h
dh.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
dh.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
dh.o: ../include/openssl/err.h ../include/openssl/evp.h
-dh.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-dh.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+dh.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+dh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+dh.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
dh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
dh.o: ../include/openssl/pem.h ../include/openssl/pem2.h
dh.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
dh.o: ../include/openssl/sha.h ../include/openssl/stack.h
dh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-dh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dh.c
+dh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+dh.o: ../include/openssl/x509v3.h apps.h dh.c
dsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
dsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
dsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -321,14 +344,16 @@ dsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
dsa.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
dsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
dsa.o: ../include/openssl/err.h ../include/openssl/evp.h
-dsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-dsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+dsa.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+dsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+dsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
dsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
dsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
dsa.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
dsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
dsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-dsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dsa.c
+dsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+dsa.o: ../include/openssl/x509v3.h apps.h dsa.c
dsaparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
dsaparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h
dsaparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -336,8 +361,9 @@ dsaparam.o: ../include/openssl/dh.h ../include/openssl/dsa.h
dsaparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
dsaparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
dsaparam.o: ../include/openssl/engine.h ../include/openssl/err.h
-dsaparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-dsaparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+dsaparam.o: ../include/openssl/evp.h ../include/openssl/fips.h
+dsaparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+dsaparam.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
dsaparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
dsaparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
dsaparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
@@ -346,51 +372,57 @@ dsaparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h
dsaparam.o: ../include/openssl/stack.h ../include/openssl/store.h
dsaparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
dsaparam.o: ../include/openssl/ui.h ../include/openssl/x509.h
-dsaparam.o: ../include/openssl/x509_vfy.h apps.h dsaparam.c
+dsaparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+dsaparam.o: dsaparam.c
ec.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
ec.o: ../include/openssl/buffer.h ../include/openssl/conf.h
ec.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
ec.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
ec.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
ec.o: ../include/openssl/err.h ../include/openssl/evp.h
-ec.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ec.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ec.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+ec.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ec.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
ec.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
ec.o: ../include/openssl/pem.h ../include/openssl/pem2.h
ec.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
ec.o: ../include/openssl/sha.h ../include/openssl/stack.h
ec.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-ec.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h ec.c
+ec.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ec.o: ../include/openssl/x509v3.h apps.h ec.c
ecparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
ecparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h
ecparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h
ecparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
ecparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
ecparam.o: ../include/openssl/engine.h ../include/openssl/err.h
-ecparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-ecparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ecparam.o: ../include/openssl/evp.h ../include/openssl/fips.h
+ecparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ecparam.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
ecparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
ecparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
ecparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
ecparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h
ecparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
ecparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-ecparam.o: ../include/openssl/x509_vfy.h apps.h ecparam.c
+ecparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+ecparam.o: ecparam.c
enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
enc.o: ../include/openssl/buffer.h ../include/openssl/conf.h
enc.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
enc.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
enc.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
enc.o: ../include/openssl/err.h ../include/openssl/evp.h
-enc.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+enc.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+enc.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
enc.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
enc.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-enc.o: ../include/openssl/x509_vfy.h apps.h enc.c
+enc.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h enc.c
engine.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
engine.o: ../include/openssl/bn.h ../include/openssl/buffer.h
engine.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -398,19 +430,21 @@ engine.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
engine.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
engine.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
engine.o: ../include/openssl/engine.h ../include/openssl/err.h
-engine.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+engine.o: ../include/openssl/evp.h ../include/openssl/fips.h
+engine.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
engine.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-engine.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-engine.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-engine.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-engine.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-engine.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-engine.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-engine.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-engine.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-engine.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-engine.o: ../include/openssl/x509_vfy.h apps.h engine.c
+engine.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+engine.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+engine.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+engine.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+engine.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+engine.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+engine.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+engine.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+engine.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+engine.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+engine.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+engine.o: ../include/openssl/x509v3.h apps.h engine.c
errstr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
errstr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
errstr.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -418,19 +452,21 @@ errstr.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
errstr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
errstr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
errstr.o: ../include/openssl/engine.h ../include/openssl/err.h
-errstr.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+errstr.o: ../include/openssl/evp.h ../include/openssl/fips.h
+errstr.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
errstr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-errstr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-errstr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-errstr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-errstr.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-errstr.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-errstr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-errstr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-errstr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-errstr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-errstr.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-errstr.o: ../include/openssl/x509_vfy.h apps.h errstr.c
+errstr.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+errstr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+errstr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+errstr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+errstr.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+errstr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+errstr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+errstr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+errstr.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+errstr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+errstr.o: ../include/openssl/x509v3.h apps.h errstr.c
gendh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
gendh.o: ../include/openssl/bn.h ../include/openssl/buffer.h
gendh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -438,8 +474,9 @@ gendh.o: ../include/openssl/dh.h ../include/openssl/dsa.h
gendh.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
gendh.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
gendh.o: ../include/openssl/engine.h ../include/openssl/err.h
-gendh.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-gendh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+gendh.o: ../include/openssl/evp.h ../include/openssl/fips.h
+gendh.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+gendh.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
gendh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
gendh.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
gendh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
@@ -448,7 +485,8 @@ gendh.o: ../include/openssl/safestack.h ../include/openssl/sha.h
gendh.o: ../include/openssl/stack.h ../include/openssl/store.h
gendh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
gendh.o: ../include/openssl/ui.h ../include/openssl/x509.h
-gendh.o: ../include/openssl/x509_vfy.h apps.h gendh.c
+gendh.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+gendh.o: gendh.c
gendsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
gendsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
gendsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -456,15 +494,16 @@ gendsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
gendsa.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
gendsa.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
gendsa.o: ../include/openssl/err.h ../include/openssl/evp.h
-gendsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-gendsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+gendsa.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+gendsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+gendsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
gendsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
gendsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
gendsa.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
gendsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
gendsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-gendsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-gendsa.o: gendsa.c
+gendsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+gendsa.o: ../include/openssl/x509v3.h apps.h gendsa.c
genrsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
genrsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
genrsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -472,8 +511,9 @@ genrsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h
genrsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
genrsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
genrsa.o: ../include/openssl/engine.h ../include/openssl/err.h
-genrsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-genrsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+genrsa.o: ../include/openssl/evp.h ../include/openssl/fips.h
+genrsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+genrsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
genrsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
genrsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
genrsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
@@ -482,21 +522,24 @@ genrsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h
genrsa.o: ../include/openssl/stack.h ../include/openssl/store.h
genrsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
genrsa.o: ../include/openssl/ui.h ../include/openssl/x509.h
-genrsa.o: ../include/openssl/x509_vfy.h apps.h genrsa.c
+genrsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+genrsa.o: genrsa.c
nseq.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
nseq.o: ../include/openssl/buffer.h ../include/openssl/conf.h
nseq.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
nseq.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
nseq.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
nseq.o: ../include/openssl/err.h ../include/openssl/evp.h
-nseq.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-nseq.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+nseq.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+nseq.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+nseq.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
nseq.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
nseq.o: ../include/openssl/pem.h ../include/openssl/pem2.h
nseq.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
nseq.o: ../include/openssl/sha.h ../include/openssl/stack.h
nseq.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-nseq.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h nseq.c
+nseq.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+nseq.o: ../include/openssl/x509v3.h apps.h nseq.c
ocsp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
ocsp.o: ../include/openssl/bn.h ../include/openssl/buffer.h
ocsp.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -504,7 +547,8 @@ ocsp.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
ocsp.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
ocsp.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
ocsp.o: ../include/openssl/engine.h ../include/openssl/err.h
-ocsp.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+ocsp.o: ../include/openssl/evp.h ../include/openssl/fips.h
+ocsp.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
ocsp.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
ocsp.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
ocsp.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
@@ -525,19 +569,21 @@ openssl.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
openssl.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
openssl.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
openssl.o: ../include/openssl/engine.h ../include/openssl/err.h
-openssl.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+openssl.o: ../include/openssl/evp.h ../include/openssl/fips.h
+openssl.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
openssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-openssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-openssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-openssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-openssl.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-openssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-openssl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-openssl.o: ../include/openssl/x509_vfy.h apps.h openssl.c progs.h s_apps.h
+openssl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+openssl.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+openssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+openssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+openssl.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+openssl.o: ../include/openssl/x509v3.h apps.h openssl.c progs.h s_apps.h
passwd.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
passwd.o: ../include/openssl/buffer.h ../include/openssl/conf.h
passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h
@@ -545,87 +591,97 @@ passwd.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h
passwd.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
passwd.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
passwd.o: ../include/openssl/err.h ../include/openssl/evp.h
-passwd.o: ../include/openssl/lhash.h ../include/openssl/md5.h
-passwd.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+passwd.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+passwd.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
+passwd.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
passwd.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
passwd.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
passwd.o: ../include/openssl/rand.h ../include/openssl/safestack.h
passwd.o: ../include/openssl/sha.h ../include/openssl/stack.h
passwd.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
passwd.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-passwd.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-passwd.o: passwd.c
+passwd.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+passwd.o: ../include/openssl/x509v3.h apps.h passwd.c
pkcs12.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
pkcs12.o: ../include/openssl/buffer.h ../include/openssl/conf.h
pkcs12.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
pkcs12.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
pkcs12.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
pkcs12.o: ../include/openssl/err.h ../include/openssl/evp.h
-pkcs12.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-pkcs12.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+pkcs12.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+pkcs12.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+pkcs12.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
pkcs12.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
pkcs12.o: ../include/openssl/pem.h ../include/openssl/pem2.h
pkcs12.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h
pkcs12.o: ../include/openssl/safestack.h ../include/openssl/sha.h
pkcs12.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
pkcs12.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-pkcs12.o: ../include/openssl/x509_vfy.h apps.h pkcs12.c
+pkcs12.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+pkcs12.o: pkcs12.c
pkcs7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
pkcs7.o: ../include/openssl/buffer.h ../include/openssl/conf.h
pkcs7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
pkcs7.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
pkcs7.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
pkcs7.o: ../include/openssl/err.h ../include/openssl/evp.h
-pkcs7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-pkcs7.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+pkcs7.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+pkcs7.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+pkcs7.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
pkcs7.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
pkcs7.o: ../include/openssl/pem.h ../include/openssl/pem2.h
pkcs7.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
pkcs7.o: ../include/openssl/sha.h ../include/openssl/stack.h
pkcs7.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-pkcs7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h pkcs7.c
+pkcs7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+pkcs7.o: ../include/openssl/x509v3.h apps.h pkcs7.c
pkcs8.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
pkcs8.o: ../include/openssl/buffer.h ../include/openssl/conf.h
pkcs8.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
pkcs8.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
pkcs8.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
pkcs8.o: ../include/openssl/err.h ../include/openssl/evp.h
-pkcs8.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-pkcs8.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+pkcs8.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+pkcs8.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+pkcs8.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
pkcs8.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
pkcs8.o: ../include/openssl/pem.h ../include/openssl/pem2.h
pkcs8.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h
pkcs8.o: ../include/openssl/safestack.h ../include/openssl/sha.h
pkcs8.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
pkcs8.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-pkcs8.o: ../include/openssl/x509_vfy.h apps.h pkcs8.c
+pkcs8.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+pkcs8.o: pkcs8.c
prime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
prime.o: ../include/openssl/bn.h ../include/openssl/buffer.h
prime.o: ../include/openssl/conf.h ../include/openssl/crypto.h
prime.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
prime.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
prime.o: ../include/openssl/engine.h ../include/openssl/evp.h
-prime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-prime.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+prime.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+prime.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+prime.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
prime.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
prime.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
prime.o: ../include/openssl/sha.h ../include/openssl/stack.h
prime.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-prime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h prime.c
+prime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+prime.o: ../include/openssl/x509v3.h apps.h prime.c
rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h
rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
rand.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
rand.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
rand.o: ../include/openssl/err.h ../include/openssl/evp.h
-rand.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-rand.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+rand.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+rand.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+rand.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h
rand.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
rand.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-rand.o: ../include/openssl/x509_vfy.h apps.h rand.c
+rand.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h rand.c
req.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
req.o: ../include/openssl/bn.h ../include/openssl/buffer.h
req.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -633,8 +689,9 @@ req.o: ../include/openssl/dh.h ../include/openssl/dsa.h
req.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
req.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
req.o: ../include/openssl/engine.h ../include/openssl/err.h
-req.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-req.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+req.o: ../include/openssl/evp.h ../include/openssl/fips.h
+req.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+req.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
req.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
req.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
@@ -650,30 +707,34 @@ rsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
rsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
rsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
rsa.o: ../include/openssl/engine.h ../include/openssl/err.h
-rsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-rsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+rsa.o: ../include/openssl/evp.h ../include/openssl/fips.h
+rsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+rsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
rsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
rsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
rsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
rsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h rsa.c
+rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+rsa.o: ../include/openssl/x509v3.h apps.h rsa.c
rsautl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
rsautl.o: ../include/openssl/buffer.h ../include/openssl/conf.h
rsautl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
rsautl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
rsautl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
rsautl.o: ../include/openssl/err.h ../include/openssl/evp.h
-rsautl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-rsautl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+rsautl.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+rsautl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+rsautl.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
rsautl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
rsautl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
rsautl.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h
rsautl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
rsautl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
rsautl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-rsautl.o: ../include/openssl/x509_vfy.h apps.h rsautl.c
+rsautl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+rsautl.o: rsautl.c
s_cb.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
s_cb.o: ../include/openssl/bn.h ../include/openssl/buffer.h
s_cb.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -681,19 +742,21 @@ s_cb.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
s_cb.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
s_cb.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
s_cb.o: ../include/openssl/engine.h ../include/openssl/err.h
-s_cb.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s_cb.o: ../include/openssl/evp.h ../include/openssl/fips.h
+s_cb.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
s_cb.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s_cb.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s_cb.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s_cb.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-s_cb.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-s_cb.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_cb.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-s_cb.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_cb.c
+s_cb.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_cb.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s_cb.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_cb.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_cb.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_cb.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_cb.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s_cb.o: ../include/openssl/x509v3.h apps.h s_apps.h s_cb.c
s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h
s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -701,19 +764,21 @@ s_client.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
s_client.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
s_client.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
s_client.o: ../include/openssl/engine.h ../include/openssl/err.h
-s_client.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s_client.o: ../include/openssl/evp.h ../include/openssl/fips.h
+s_client.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
s_client.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s_client.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s_client.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_client.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-s_client.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
-s_client.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_client.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_client.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s_client.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s_client.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-s_client.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+s_client.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+s_client.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_client.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s_client.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_client.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s_client.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+s_client.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s_client.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+s_client.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
s_client.o: s_apps.h s_client.c timeouts.h
s_server.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
s_server.o: ../include/openssl/bn.h ../include/openssl/buffer.h
@@ -723,21 +788,23 @@ s_server.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
s_server.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
s_server.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
s_server.o: ../include/openssl/engine.h ../include/openssl/err.h
-s_server.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s_server.o: ../include/openssl/evp.h ../include/openssl/fips.h
+s_server.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
s_server.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s_server.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s_server.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_server.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-s_server.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
-s_server.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s_server.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_server.o: ../include/openssl/store.h ../include/openssl/symhacks.h
-s_server.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-s_server.o: ../include/openssl/ui.h ../include/openssl/x509.h
-s_server.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_server.c timeouts.h
+s_server.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+s_server.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_server.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s_server.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_server.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s_server.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_server.o: ../include/openssl/stack.h ../include/openssl/store.h
+s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s_server.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s_server.o: ../include/openssl/x509v3.h apps.h s_apps.h s_server.c timeouts.h
s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
s_socket.o: ../include/openssl/bn.h ../include/openssl/buffer.h
s_socket.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -745,18 +812,20 @@ s_socket.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
s_socket.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
s_socket.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
s_socket.o: ../include/openssl/engine.h ../include/openssl/evp.h
+s_socket.o: ../include/openssl/fips.h ../include/openssl/hmac.h
s_socket.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
s_socket.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s_socket.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
-s_socket.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_socket.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_socket.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s_socket.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s_socket.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+s_socket.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s_socket.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+s_socket.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_socket.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s_socket.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+s_socket.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
s_socket.o: s_apps.h s_socket.c
s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
s_time.o: ../include/openssl/bn.h ../include/openssl/buffer.h
@@ -765,19 +834,21 @@ s_time.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
s_time.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
s_time.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
s_time.o: ../include/openssl/engine.h ../include/openssl/err.h
-s_time.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s_time.o: ../include/openssl/evp.h ../include/openssl/fips.h
+s_time.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
s_time.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s_time.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s_time.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s_time.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_time.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-s_time.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-s_time.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s_time.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_time.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_time.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-s_time.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_time.c
+s_time.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+s_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_time.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s_time.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_time.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+s_time.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_time.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_time.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s_time.o: ../include/openssl/x509v3.h apps.h s_apps.h s_time.c
sess_id.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
sess_id.o: ../include/openssl/bn.h ../include/openssl/buffer.h
sess_id.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -785,27 +856,30 @@ sess_id.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
sess_id.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
sess_id.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
sess_id.o: ../include/openssl/engine.h ../include/openssl/err.h
-sess_id.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+sess_id.o: ../include/openssl/evp.h ../include/openssl/fips.h
+sess_id.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
sess_id.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-sess_id.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-sess_id.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-sess_id.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
-sess_id.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-sess_id.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-sess_id.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-sess_id.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-sess_id.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-sess_id.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-sess_id.o: ../include/openssl/x509_vfy.h apps.h sess_id.c
+sess_id.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+sess_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+sess_id.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+sess_id.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+sess_id.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+sess_id.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+sess_id.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+sess_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+sess_id.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+sess_id.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+sess_id.o: ../include/openssl/x509v3.h apps.h sess_id.c
smime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
smime.o: ../include/openssl/buffer.h ../include/openssl/conf.h
smime.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
smime.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
smime.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
smime.o: ../include/openssl/err.h ../include/openssl/evp.h
-smime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-smime.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+smime.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+smime.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+smime.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
smime.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
smime.o: ../include/openssl/pem.h ../include/openssl/pem2.h
smime.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
@@ -822,11 +896,12 @@ speed.o: ../include/openssl/des_old.h ../include/openssl/dsa.h
speed.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
speed.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
speed.o: ../include/openssl/engine.h ../include/openssl/err.h
-speed.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-speed.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-speed.o: ../include/openssl/md2.h ../include/openssl/md4.h
-speed.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
-speed.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+speed.o: ../include/openssl/evp.h ../include/openssl/fips.h
+speed.o: ../include/openssl/hmac.h ../include/openssl/idea.h
+speed.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+speed.o: ../include/openssl/md4.h ../include/openssl/md5.h
+speed.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+speed.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
speed.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
speed.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
speed.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
@@ -835,29 +910,33 @@ speed.o: ../include/openssl/safestack.h ../include/openssl/sha.h
speed.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
speed.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
speed.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-speed.o: ../include/openssl/x509_vfy.h apps.h speed.c testdsa.h testrsa.h
+speed.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+speed.o: speed.c testdsa.h testrsa.h
spkac.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
spkac.o: ../include/openssl/buffer.h ../include/openssl/conf.h
spkac.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
spkac.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
spkac.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
spkac.o: ../include/openssl/err.h ../include/openssl/evp.h
-spkac.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-spkac.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+spkac.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+spkac.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+spkac.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
spkac.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
spkac.o: ../include/openssl/pem.h ../include/openssl/pem2.h
spkac.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
spkac.o: ../include/openssl/sha.h ../include/openssl/stack.h
spkac.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-spkac.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h spkac.c
+spkac.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+spkac.o: ../include/openssl/x509v3.h apps.h spkac.c
verify.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
verify.o: ../include/openssl/buffer.h ../include/openssl/conf.h
verify.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
verify.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
verify.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
verify.o: ../include/openssl/err.h ../include/openssl/evp.h
-verify.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-verify.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+verify.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+verify.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+verify.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
verify.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
verify.o: ../include/openssl/pem.h ../include/openssl/pem2.h
verify.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
@@ -872,17 +951,18 @@ version.o: ../include/openssl/crypto.h ../include/openssl/des.h
version.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h
version.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
version.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-version.o: ../include/openssl/evp.h ../include/openssl/idea.h
-version.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-version.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+version.o: ../include/openssl/evp.h ../include/openssl/fips.h
+version.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+version.o: ../include/openssl/md2.h ../include/openssl/obj_mac.h
+version.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
version.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
version.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
version.o: ../include/openssl/rc4.h ../include/openssl/safestack.h
version.o: ../include/openssl/sha.h ../include/openssl/stack.h
version.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
version.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-version.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-version.o: version.c
+version.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+version.o: ../include/openssl/x509v3.h apps.h version.c
x509.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
x509.o: ../include/openssl/bn.h ../include/openssl/buffer.h
x509.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -890,8 +970,9 @@ x509.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
x509.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
x509.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
x509.o: ../include/openssl/err.h ../include/openssl/evp.h
-x509.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-x509.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+x509.o: ../include/openssl/fips.h ../include/openssl/lhash.h
+x509.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+x509.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
x509.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
x509.o: ../include/openssl/pem.h ../include/openssl/pem2.h
x509.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h
diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c
index 613c3ba4955c..498722a5a258 100644
--- a/crypto/openssl/apps/apps.c
+++ b/crypto/openssl/apps/apps.c
@@ -115,6 +115,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <ctype.h>
+#include <assert.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -129,6 +130,9 @@
#include <openssl/rsa.h>
#endif
#include <openssl/bn.h>
+#ifndef OPENSSL_NO_JPAKE
+#include <openssl/jpake.h>
+#endif
#define NON_MAIN
#include "apps.h"
@@ -2010,7 +2014,7 @@ int parse_yesno(const char *str, int def)
case 'y': /* yes */
case 'Y': /* YES */
case '1': /* 1 */
- ret = 0;
+ ret = 1;
break;
default:
ret = def;
@@ -2333,3 +2337,233 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx)
if (free_out)
BIO_free(out);
}
+
+#ifndef OPENSSL_NO_JPAKE
+
+static JPAKE_CTX *jpake_init(const char *us, const char *them,
+ const char *secret)
+ {
+ BIGNUM *p = NULL;
+ BIGNUM *g = NULL;
+ BIGNUM *q = NULL;
+ BIGNUM *bnsecret = BN_new();
+ JPAKE_CTX *ctx;
+
+ /* Use a safe prime for p (that we found earlier) */
+ BN_hex2bn(&p, "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
+ g = BN_new();
+ BN_set_word(g, 2);
+ q = BN_new();
+ BN_rshift1(q, p);
+
+ BN_bin2bn((const unsigned char *)secret, strlen(secret), bnsecret);
+
+ ctx = JPAKE_CTX_new(us, them, p, g, q, bnsecret);
+ BN_free(bnsecret);
+ BN_free(q);
+ BN_free(g);
+ BN_free(p);
+
+ return ctx;
+ }
+
+static void jpake_send_part(BIO *conn, const JPAKE_STEP_PART *p)
+ {
+ BN_print(conn, p->gx);
+ BIO_puts(conn, "\n");
+ BN_print(conn, p->zkpx.gr);
+ BIO_puts(conn, "\n");
+ BN_print(conn, p->zkpx.b);
+ BIO_puts(conn, "\n");
+ }
+
+static void jpake_send_step1(BIO *bconn, JPAKE_CTX *ctx)
+ {
+ JPAKE_STEP1 s1;
+
+ JPAKE_STEP1_init(&s1);
+ JPAKE_STEP1_generate(&s1, ctx);
+ jpake_send_part(bconn, &s1.p1);
+ jpake_send_part(bconn, &s1.p2);
+ (void)BIO_flush(bconn);
+ JPAKE_STEP1_release(&s1);
+ }
+
+static void jpake_send_step2(BIO *bconn, JPAKE_CTX *ctx)
+ {
+ JPAKE_STEP2 s2;
+
+ JPAKE_STEP2_init(&s2);
+ JPAKE_STEP2_generate(&s2, ctx);
+ jpake_send_part(bconn, &s2);
+ (void)BIO_flush(bconn);
+ JPAKE_STEP2_release(&s2);
+ }
+
+static void jpake_send_step3a(BIO *bconn, JPAKE_CTX *ctx)
+ {
+ JPAKE_STEP3A s3a;
+
+ JPAKE_STEP3A_init(&s3a);
+ JPAKE_STEP3A_generate(&s3a, ctx);
+ BIO_write(bconn, s3a.hhk, sizeof s3a.hhk);
+ (void)BIO_flush(bconn);
+ JPAKE_STEP3A_release(&s3a);
+ }
+
+static void jpake_send_step3b(BIO *bconn, JPAKE_CTX *ctx)
+ {
+ JPAKE_STEP3B s3b;
+
+ JPAKE_STEP3B_init(&s3b);
+ JPAKE_STEP3B_generate(&s3b, ctx);
+ BIO_write(bconn, s3b.hk, sizeof s3b.hk);
+ (void)BIO_flush(bconn);
+ JPAKE_STEP3B_release(&s3b);
+ }
+
+static void readbn(BIGNUM **bn, BIO *bconn)
+ {
+ char buf[10240];
+ int l;
+
+ l = BIO_gets(bconn, buf, sizeof buf);
+ assert(l > 0);
+ assert(buf[l-1] == '\n');
+ buf[l-1] = '\0';
+ BN_hex2bn(bn, buf);
+ }
+
+static void jpake_receive_part(JPAKE_STEP_PART *p, BIO *bconn)
+ {
+ readbn(&p->gx, bconn);
+ readbn(&p->zkpx.gr, bconn);
+ readbn(&p->zkpx.b, bconn);
+ }
+
+static void jpake_receive_step1(JPAKE_CTX *ctx, BIO *bconn)
+ {
+ JPAKE_STEP1 s1;
+
+ JPAKE_STEP1_init(&s1);
+ jpake_receive_part(&s1.p1, bconn);
+ jpake_receive_part(&s1.p2, bconn);
+ if(!JPAKE_STEP1_process(ctx, &s1))
+ {
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
+ JPAKE_STEP1_release(&s1);
+ }
+
+static void jpake_receive_step2(JPAKE_CTX *ctx, BIO *bconn)
+ {
+ JPAKE_STEP2 s2;
+
+ JPAKE_STEP2_init(&s2);
+ jpake_receive_part(&s2, bconn);
+ if(!JPAKE_STEP2_process(ctx, &s2))
+ {
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
+ JPAKE_STEP2_release(&s2);
+ }
+
+static void jpake_receive_step3a(JPAKE_CTX *ctx, BIO *bconn)
+ {
+ JPAKE_STEP3A s3a;
+ int l;
+
+ JPAKE_STEP3A_init(&s3a);
+ l = BIO_read(bconn, s3a.hhk, sizeof s3a.hhk);
+ assert(l == sizeof s3a.hhk);
+ if(!JPAKE_STEP3A_process(ctx, &s3a))
+ {
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
+ JPAKE_STEP3A_release(&s3a);
+ }
+
+static void jpake_receive_step3b(JPAKE_CTX *ctx, BIO *bconn)
+ {
+ JPAKE_STEP3B s3b;
+ int l;
+
+ JPAKE_STEP3B_init(&s3b);
+ l = BIO_read(bconn, s3b.hk, sizeof s3b.hk);
+ assert(l == sizeof s3b.hk);
+ if(!JPAKE_STEP3B_process(ctx, &s3b))
+ {
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
+ JPAKE_STEP3B_release(&s3b);
+ }
+
+void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
+ {
+ JPAKE_CTX *ctx;
+ BIO *bconn;
+
+ BIO_puts(out, "Authenticating with JPAKE\n");
+
+ ctx = jpake_init("client", "server", secret);
+
+ bconn = BIO_new(BIO_f_buffer());
+ BIO_push(bconn, conn);
+
+ jpake_send_step1(bconn, ctx);
+ jpake_receive_step1(ctx, bconn);
+ jpake_send_step2(bconn, ctx);
+ jpake_receive_step2(ctx, bconn);
+ jpake_send_step3a(bconn, ctx);
+ jpake_receive_step3b(ctx, bconn);
+
+ /*
+ * The problem is that you must use the derived key in the
+ * session key or you are subject to man-in-the-middle
+ * attacks.
+ */
+ BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can"
+ " be MitMed. See the version in HEAD for how to do it"
+ " properly)\n");
+
+ BIO_pop(bconn);
+ BIO_free(bconn);
+ }
+
+void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
+ {
+ JPAKE_CTX *ctx;
+ BIO *bconn;
+
+ BIO_puts(out, "Authenticating with JPAKE\n");
+
+ ctx = jpake_init("server", "client", secret);
+
+ bconn = BIO_new(BIO_f_buffer());
+ BIO_push(bconn, conn);
+
+ jpake_receive_step1(ctx, bconn);
+ jpake_send_step1(bconn, ctx);
+ jpake_receive_step2(ctx, bconn);
+ jpake_send_step2(bconn, ctx);
+ jpake_receive_step3a(ctx, bconn);
+ jpake_send_step3b(bconn, ctx);
+
+ /*
+ * The problem is that you must use the derived key in the
+ * session key or you are subject to man-in-the-middle
+ * attacks.
+ */
+ BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can"
+ " be MitMed. See the version in HEAD for how to do it"
+ " properly)\n");
+
+ BIO_pop(bconn);
+ BIO_free(bconn);
+ }
+
+#endif
diff --git a/crypto/openssl/apps/apps.h b/crypto/openssl/apps/apps.h
index 26dcbc5771d5..88579094b1c8 100644
--- a/crypto/openssl/apps/apps.h
+++ b/crypto/openssl/apps/apps.h
@@ -122,6 +122,9 @@
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
+#ifndef OPENSSL_NO_OCSP
+#include <openssl/ocsp.h>
+#endif
#include <openssl/ossl_typ.h>
int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
@@ -146,9 +149,11 @@ int WIN32_rename(const char *oldname,const char *newname);
#ifndef NON_MAIN
CONF *config=NULL;
BIO *bio_err=NULL;
+int in_FIPS_mode=0;
#else
extern CONF *config;
extern BIO *bio_err;
+extern int in_FIPS_mode;
#endif
#else
@@ -157,6 +162,7 @@ extern BIO *bio_err;
extern CONF *config;
extern char *default_config_file;
extern BIO *bio_err;
+extern int in_FIPS_mode;
#endif
@@ -228,6 +234,12 @@ extern BIO *bio_err;
# endif
#endif
+#ifdef OPENSSL_SYSNAME_WIN32
+# define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
+#else
+# define openssl_fdset(a,b) FD_SET(a, b)
+#endif
+
typedef struct args_st
{
char **data;
@@ -275,6 +287,12 @@ X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
ENGINE *setup_engine(BIO *err, const char *engine, int debug);
#endif
+#ifndef OPENSSL_NO_OCSP
+OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
+ char *host, char *path, char *port, int use_ssl,
+ int req_timeout);
+#endif
+
int load_config(BIO *err, CONF *cnf);
char *make_config_name(void);
@@ -320,6 +338,10 @@ X509_NAME *parse_name(char *str, long chtype, int multirdn);
int args_verify(char ***pargs, int *pargc,
int *badarg, BIO *err, X509_VERIFY_PARAM **pm);
void policies_print(BIO *out, X509_STORE_CTX *ctx);
+#ifndef OPENSSL_NO_JPAKE
+void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
+void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
+#endif
#define FORMAT_UNDEF 0
#define FORMAT_ASN1 1
diff --git a/crypto/openssl/apps/asn1pars.c b/crypto/openssl/apps/asn1pars.c
index b1a7c8e5dbf8..bde61d02d12c 100644
--- a/crypto/openssl/apps/asn1pars.c
+++ b/crypto/openssl/apps/asn1pars.c
@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
-/* A nice addition from Dr Stephen Henson <shenson@bigfoot.com> to
+/* A nice addition from Dr Stephen Henson <steve@openssl.org> to
* add the -strparse option which parses nested binary structures
*/
diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c
index e9d79def61d7..68516ee9bd9e 100644
--- a/crypto/openssl/apps/ca.c
+++ b/crypto/openssl/apps/ca.c
@@ -83,7 +83,7 @@
# else
# include <unixlib.h>
# endif
-# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)
+# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) && !defined(__TANDEM)
# include <sys/file.h>
# endif
#endif
@@ -2882,13 +2882,22 @@ int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
p=(char *)str->data;
for (j=str->length; j>0; j--)
{
+#ifdef CHARSET_EBCDIC
+ if ((*p >= 0x20) && (*p <= 0x7e))
+ BIO_printf(bp,"%c",os_toebcdic[*p]);
+#else
if ((*p >= ' ') && (*p <= '~'))
BIO_printf(bp,"%c",*p);
+#endif
else if (*p & 0x80)
BIO_printf(bp,"\\0x%02X",*p);
else if ((unsigned char)*p == 0xf7)
BIO_printf(bp,"^?");
+#ifdef CHARSET_EBCDIC
+ else BIO_printf(bp,"^%c",os_toebcdic[*p+0x40]);
+#else
else BIO_printf(bp,"^%c",*p+'@');
+#endif
p++;
}
BIO_printf(bp,"'\n");
diff --git a/crypto/openssl/apps/cms.c b/crypto/openssl/apps/cms.c
new file mode 100644
index 000000000000..6d227acabe82
--- /dev/null
+++ b/crypto/openssl/apps/cms.c
@@ -0,0 +1,1347 @@
+/* apps/cms.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+/* CMS utility function */
+
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+
+#ifndef OPENSSL_NO_CMS
+
+#include <openssl/crypto.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/x509_vfy.h>
+#include <openssl/x509v3.h>
+#include <openssl/cms.h>
+
+#undef PROG
+#define PROG cms_main
+static int save_certs(char *signerfile, STACK_OF(X509) *signers);
+static int cms_cb(int ok, X509_STORE_CTX *ctx);
+static void receipt_request_print(BIO *out, CMS_ContentInfo *cms);
+static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst,
+ STACK *rr_from);
+
+#define SMIME_OP 0x10
+#define SMIME_IP 0x20
+#define SMIME_SIGNERS 0x40
+#define SMIME_ENCRYPT (1 | SMIME_OP)
+#define SMIME_DECRYPT (2 | SMIME_IP)
+#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
+#define SMIME_VERIFY (4 | SMIME_IP)
+#define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP)
+#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
+#define SMIME_DATAOUT (7 | SMIME_IP)
+#define SMIME_DATA_CREATE (8 | SMIME_OP)
+#define SMIME_DIGEST_VERIFY (9 | SMIME_IP)
+#define SMIME_DIGEST_CREATE (10 | SMIME_OP)
+#define SMIME_UNCOMPRESS (11 | SMIME_IP)
+#define SMIME_COMPRESS (12 | SMIME_OP)
+#define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP)
+#define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP)
+#define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP)
+#define SMIME_VERIFY_RECEIPT (16 | SMIME_IP)
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+ {
+ ENGINE *e = NULL;
+ int operation = 0;
+ int ret = 0;
+ char **args;
+ const char *inmode = "r", *outmode = "w";
+ char *infile = NULL, *outfile = NULL, *rctfile = NULL;
+ char *signerfile = NULL, *recipfile = NULL;
+ STACK *sksigners = NULL, *skkeys = NULL;
+ char *certfile = NULL, *keyfile = NULL, *contfile=NULL;
+ char *certsoutfile = NULL;
+ const EVP_CIPHER *cipher = NULL;
+ CMS_ContentInfo *cms = NULL, *rcms = NULL;
+ X509_STORE *store = NULL;
+ X509 *cert = NULL, *recip = NULL, *signer = NULL;
+ EVP_PKEY *key = NULL;
+ STACK_OF(X509) *encerts = NULL, *other = NULL;
+ BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
+ int badarg = 0;
+ int flags = CMS_DETACHED;
+ int rr_print = 0, rr_allorfirst = -1;
+ STACK *rr_to = NULL, *rr_from = NULL;
+ CMS_ReceiptRequest *rr = NULL;
+ char *to = NULL, *from = NULL, *subject = NULL;
+ char *CAfile = NULL, *CApath = NULL;
+ char *passargin = NULL, *passin = NULL;
+ char *inrand = NULL;
+ int need_rand = 0;
+ const EVP_MD *sign_md = NULL;
+ int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
+ int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
+#ifndef OPENSSL_NO_ENGINE
+ char *engine=NULL;
+#endif
+ unsigned char *secret_key = NULL, *secret_keyid = NULL;
+ size_t secret_keylen = 0, secret_keyidlen = 0;
+
+ ASN1_OBJECT *econtent_type = NULL;
+
+ X509_VERIFY_PARAM *vpm = NULL;
+
+ args = argv + 1;
+ ret = 1;
+
+ apps_startup();
+
+ if (bio_err == NULL)
+ {
+ if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+ BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
+ }
+
+ if (!load_config(bio_err, NULL))
+ goto end;
+
+ while (!badarg && *args && *args[0] == '-')
+ {
+ if (!strcmp (*args, "-encrypt"))
+ operation = SMIME_ENCRYPT;
+ else if (!strcmp (*args, "-decrypt"))
+ operation = SMIME_DECRYPT;
+ else if (!strcmp (*args, "-sign"))
+ operation = SMIME_SIGN;
+ else if (!strcmp (*args, "-sign_receipt"))
+ operation = SMIME_SIGN_RECEIPT;
+ else if (!strcmp (*args, "-resign"))
+ operation = SMIME_RESIGN;
+ else if (!strcmp (*args, "-verify"))
+ operation = SMIME_VERIFY;
+ else if (!strcmp(*args,"-verify_receipt"))
+ {
+ operation = SMIME_VERIFY_RECEIPT;
+ if (!args[1])
+ goto argerr;
+ args++;
+ rctfile = *args;
+ }
+ else if (!strcmp (*args, "-cmsout"))
+ operation = SMIME_CMSOUT;
+ else if (!strcmp (*args, "-data_out"))
+ operation = SMIME_DATAOUT;
+ else if (!strcmp (*args, "-data_create"))
+ operation = SMIME_DATA_CREATE;
+ else if (!strcmp (*args, "-digest_verify"))
+ operation = SMIME_DIGEST_VERIFY;
+ else if (!strcmp (*args, "-digest_create"))
+ operation = SMIME_DIGEST_CREATE;
+ else if (!strcmp (*args, "-compress"))
+ operation = SMIME_COMPRESS;
+ else if (!strcmp (*args, "-uncompress"))
+ operation = SMIME_UNCOMPRESS;
+ else if (!strcmp (*args, "-EncryptedData_decrypt"))
+ operation = SMIME_ENCRYPTED_DECRYPT;
+ else if (!strcmp (*args, "-EncryptedData_encrypt"))
+ operation = SMIME_ENCRYPTED_ENCRYPT;
+#ifndef OPENSSL_NO_DES
+ else if (!strcmp (*args, "-des3"))
+ cipher = EVP_des_ede3_cbc();
+ else if (!strcmp (*args, "-des"))
+ cipher = EVP_des_cbc();
+#endif
+#ifndef OPENSSL_NO_SEED
+ else if (!strcmp (*args, "-seed"))
+ cipher = EVP_seed_cbc();
+#endif
+#ifndef OPENSSL_NO_RC2
+ else if (!strcmp (*args, "-rc2-40"))
+ cipher = EVP_rc2_40_cbc();
+ else if (!strcmp (*args, "-rc2-128"))
+ cipher = EVP_rc2_cbc();
+ else if (!strcmp (*args, "-rc2-64"))
+ cipher = EVP_rc2_64_cbc();
+#endif
+#ifndef OPENSSL_NO_AES
+ else if (!strcmp(*args,"-aes128"))
+ cipher = EVP_aes_128_cbc();
+ else if (!strcmp(*args,"-aes192"))
+ cipher = EVP_aes_192_cbc();
+ else if (!strcmp(*args,"-aes256"))
+ cipher = EVP_aes_256_cbc();
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+ else if (!strcmp(*args,"-camellia128"))
+ cipher = EVP_camellia_128_cbc();
+ else if (!strcmp(*args,"-camellia192"))
+ cipher = EVP_camellia_192_cbc();
+ else if (!strcmp(*args,"-camellia256"))
+ cipher = EVP_camellia_256_cbc();
+#endif
+ else if (!strcmp (*args, "-text"))
+ flags |= CMS_TEXT;
+ else if (!strcmp (*args, "-nointern"))
+ flags |= CMS_NOINTERN;
+ else if (!strcmp (*args, "-noverify")
+ || !strcmp (*args, "-no_signer_cert_verify"))
+ flags |= CMS_NO_SIGNER_CERT_VERIFY;
+ else if (!strcmp (*args, "-nocerts"))
+ flags |= CMS_NOCERTS;
+ else if (!strcmp (*args, "-noattr"))
+ flags |= CMS_NOATTR;
+ else if (!strcmp (*args, "-nodetach"))
+ flags &= ~CMS_DETACHED;
+ else if (!strcmp (*args, "-nosmimecap"))
+ flags |= CMS_NOSMIMECAP;
+ else if (!strcmp (*args, "-binary"))
+ flags |= CMS_BINARY;
+ else if (!strcmp (*args, "-keyid"))
+ flags |= CMS_USE_KEYID;
+ else if (!strcmp (*args, "-nosigs"))
+ flags |= CMS_NOSIGS;
+ else if (!strcmp (*args, "-no_content_verify"))
+ flags |= CMS_NO_CONTENT_VERIFY;
+ else if (!strcmp (*args, "-no_attr_verify"))
+ flags |= CMS_NO_ATTR_VERIFY;
+ else if (!strcmp (*args, "-stream"))
+ {
+ args++;
+ continue;
+ }
+ else if (!strcmp (*args, "-indef"))
+ {
+ args++;
+ continue;
+ }
+ else if (!strcmp (*args, "-noindef"))
+ flags &= ~CMS_STREAM;
+ else if (!strcmp (*args, "-nooldmime"))
+ flags |= CMS_NOOLDMIMETYPE;
+ else if (!strcmp (*args, "-crlfeol"))
+ flags |= CMS_CRLFEOL;
+ else if (!strcmp (*args, "-receipt_request_print"))
+ rr_print = 1;
+ else if (!strcmp (*args, "-receipt_request_all"))
+ rr_allorfirst = 0;
+ else if (!strcmp (*args, "-receipt_request_first"))
+ rr_allorfirst = 1;
+ else if (!strcmp(*args,"-receipt_request_from"))
+ {
+ if (!args[1])
+ goto argerr;
+ args++;
+ if (!rr_from)
+ rr_from = sk_new_null();
+ sk_push(rr_from, *args);
+ }
+ else if (!strcmp(*args,"-receipt_request_to"))
+ {
+ if (!args[1])
+ goto argerr;
+ args++;
+ if (!rr_to)
+ rr_to = sk_new_null();
+ sk_push(rr_to, *args);
+ }
+ else if (!strcmp(*args,"-secretkey"))
+ {
+ long ltmp;
+ if (!args[1])
+ goto argerr;
+ args++;
+ secret_key = string_to_hex(*args, &ltmp);
+ if (!secret_key)
+ {
+ BIO_printf(bio_err, "Invalid key %s\n", *args);
+ goto argerr;
+ }
+ secret_keylen = (size_t)ltmp;
+ }
+ else if (!strcmp(*args,"-secretkeyid"))
+ {
+ long ltmp;
+ if (!args[1])
+ goto argerr;
+ args++;
+ secret_keyid = string_to_hex(*args, &ltmp);
+ if (!secret_keyid)
+ {
+ BIO_printf(bio_err, "Invalid id %s\n", *args);
+ goto argerr;
+ }
+ secret_keyidlen = (size_t)ltmp;
+ }
+ else if (!strcmp(*args,"-econtent_type"))
+ {
+ if (!args[1])
+ goto argerr;
+ args++;
+ econtent_type = OBJ_txt2obj(*args, 0);
+ if (!econtent_type)
+ {
+ BIO_printf(bio_err, "Invalid OID %s\n", *args);
+ goto argerr;
+ }
+ }
+ else if (!strcmp(*args,"-rand"))
+ {
+ if (!args[1])
+ goto argerr;
+ args++;
+ inrand = *args;
+ need_rand = 1;
+ }
+#ifndef OPENSSL_NO_ENGINE
+ else if (!strcmp(*args,"-engine"))
+ {
+ if (!args[1])
+ goto argerr;
+ engine = *++args;
+ }
+#endif
+ else if (!strcmp(*args,"-passin"))
+ {
+ if (!args[1])
+ goto argerr;
+ passargin = *++args;
+ }
+ else if (!strcmp (*args, "-to"))
+ {
+ if (!args[1])
+ goto argerr;
+ to = *++args;
+ }
+ else if (!strcmp (*args, "-from"))
+ {
+ if (!args[1])
+ goto argerr;
+ from = *++args;
+ }
+ else if (!strcmp (*args, "-subject"))
+ {
+ if (!args[1])
+ goto argerr;
+ subject = *++args;
+ }
+ else if (!strcmp (*args, "-signer"))
+ {
+ if (!args[1])
+ goto argerr;
+ /* If previous -signer argument add signer to list */
+
+ if (signerfile)
+ {
+ if (!sksigners)
+ sksigners = sk_new_null();
+ sk_push(sksigners, signerfile);
+ if (!keyfile)
+ keyfile = signerfile;
+ if (!skkeys)
+ skkeys = sk_new_null();
+ sk_push(skkeys, keyfile);
+ keyfile = NULL;
+ }
+ signerfile = *++args;
+ }
+ else if (!strcmp (*args, "-recip"))
+ {
+ if (!args[1])
+ goto argerr;
+ recipfile = *++args;
+ }
+ else if (!strcmp (*args, "-certsout"))
+ {
+ if (!args[1])
+ goto argerr;
+ certsoutfile = *++args;
+ }
+ else if (!strcmp (*args, "-md"))
+ {
+ if (!args[1])
+ goto argerr;
+ sign_md = EVP_get_digestbyname(*++args);
+ if (sign_md == NULL)
+ {
+ BIO_printf(bio_err, "Unknown digest %s\n",
+ *args);
+ goto argerr;
+ }
+ }
+ else if (!strcmp (*args, "-inkey"))
+ {
+ if (!args[1])
+ goto argerr;
+ /* If previous -inkey arument add signer to list */
+ if (keyfile)
+ {
+ if (!signerfile)
+ {
+ BIO_puts(bio_err, "Illegal -inkey without -signer\n");
+ goto argerr;
+ }
+ if (!sksigners)
+ sksigners = sk_new_null();
+ sk_push(sksigners, signerfile);
+ signerfile = NULL;
+ if (!skkeys)
+ skkeys = sk_new_null();
+ sk_push(skkeys, keyfile);
+ }
+ keyfile = *++args;
+ }
+ else if (!strcmp (*args, "-keyform"))
+ {
+ if (!args[1])
+ goto argerr;
+ keyform = str2fmt(*++args);
+ }
+ else if (!strcmp (*args, "-rctform"))
+ {
+ if (!args[1])
+ goto argerr;
+ rctformat = str2fmt(*++args);
+ }
+ else if (!strcmp (*args, "-certfile"))
+ {
+ if (!args[1])
+ goto argerr;
+ certfile = *++args;
+ }
+ else if (!strcmp (*args, "-CAfile"))
+ {
+ if (!args[1])
+ goto argerr;
+ CAfile = *++args;
+ }
+ else if (!strcmp (*args, "-CApath"))
+ {
+ if (!args[1])
+ goto argerr;
+ CApath = *++args;
+ }
+ else if (!strcmp (*args, "-in"))
+ {
+ if (!args[1])
+ goto argerr;
+ infile = *++args;
+ }
+ else if (!strcmp (*args, "-inform"))
+ {
+ if (!args[1])
+ goto argerr;
+ informat = str2fmt(*++args);
+ }
+ else if (!strcmp (*args, "-outform"))
+ {
+ if (!args[1])
+ goto argerr;
+ outformat = str2fmt(*++args);
+ }
+ else if (!strcmp (*args, "-out"))
+ {
+ if (!args[1])
+ goto argerr;
+ outfile = *++args;
+ }
+ else if (!strcmp (*args, "-content"))
+ {
+ if (!args[1])
+ goto argerr;
+ contfile = *++args;
+ }
+ else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
+ continue;
+ else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL)
+ badarg = 1;
+ args++;
+ }
+
+ if (((rr_allorfirst != -1) || rr_from) && !rr_to)
+ {
+ BIO_puts(bio_err, "No Signed Receipts Recipients\n");
+ goto argerr;
+ }
+
+ if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from))
+ {
+ BIO_puts(bio_err, "Signed receipts only allowed with -sign\n");
+ goto argerr;
+ }
+ if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners))
+ {
+ BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
+ goto argerr;
+ }
+
+ if (operation & SMIME_SIGNERS)
+ {
+ if (keyfile && !signerfile)
+ {
+ BIO_puts(bio_err, "Illegal -inkey without -signer\n");
+ goto argerr;
+ }
+ /* Check to see if any final signer needs to be appended */
+ if (signerfile)
+ {
+ if (!sksigners)
+ sksigners = sk_new_null();
+ sk_push(sksigners, signerfile);
+ if (!skkeys)
+ skkeys = sk_new_null();
+ if (!keyfile)
+ keyfile = signerfile;
+ sk_push(skkeys, keyfile);
+ }
+ if (!sksigners)
+ {
+ BIO_printf(bio_err, "No signer certificate specified\n");
+ badarg = 1;
+ }
+ signerfile = NULL;
+ keyfile = NULL;
+ need_rand = 1;
+ }
+
+ else if (operation == SMIME_DECRYPT)
+ {
+ if (!recipfile && !keyfile && !secret_key)
+ {
+ BIO_printf(bio_err, "No recipient certificate or key specified\n");
+ badarg = 1;
+ }
+ }
+ else if (operation == SMIME_ENCRYPT)
+ {
+ if (!*args && !secret_key)
+ {
+ BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
+ badarg = 1;
+ }
+ need_rand = 1;
+ }
+ else if (!operation)
+ badarg = 1;
+
+ if (badarg)
+ {
+ argerr:
+ BIO_printf (bio_err, "Usage cms [options] cert.pem ...\n");
+ BIO_printf (bio_err, "where options are\n");
+ BIO_printf (bio_err, "-encrypt encrypt message\n");
+ BIO_printf (bio_err, "-decrypt decrypt encrypted message\n");
+ BIO_printf (bio_err, "-sign sign message\n");
+ BIO_printf (bio_err, "-verify verify signed message\n");
+ BIO_printf (bio_err, "-cmsout output CMS structure\n");
+#ifndef OPENSSL_NO_DES
+ BIO_printf (bio_err, "-des3 encrypt with triple DES\n");
+ BIO_printf (bio_err, "-des encrypt with DES\n");
+#endif
+#ifndef OPENSSL_NO_SEED
+ BIO_printf (bio_err, "-seed encrypt with SEED\n");
+#endif
+#ifndef OPENSSL_NO_RC2
+ BIO_printf (bio_err, "-rc2-40 encrypt with RC2-40 (default)\n");
+ BIO_printf (bio_err, "-rc2-64 encrypt with RC2-64\n");
+ BIO_printf (bio_err, "-rc2-128 encrypt with RC2-128\n");
+#endif
+#ifndef OPENSSL_NO_AES
+ BIO_printf (bio_err, "-aes128, -aes192, -aes256\n");
+ BIO_printf (bio_err, " encrypt PEM output with cbc aes\n");
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+ BIO_printf (bio_err, "-camellia128, -camellia192, -camellia256\n");
+ BIO_printf (bio_err, " encrypt PEM output with cbc camellia\n");
+#endif
+ BIO_printf (bio_err, "-nointern don't search certificates in message for signer\n");
+ BIO_printf (bio_err, "-nosigs don't verify message signature\n");
+ BIO_printf (bio_err, "-noverify don't verify signers certificate\n");
+ BIO_printf (bio_err, "-nocerts don't include signers certificate when signing\n");
+ BIO_printf (bio_err, "-nodetach use opaque signing\n");
+ BIO_printf (bio_err, "-noattr don't include any signed attributes\n");
+ BIO_printf (bio_err, "-binary don't translate message to text\n");
+ BIO_printf (bio_err, "-certfile file other certificates file\n");
+ BIO_printf (bio_err, "-certsout file certificate output file\n");
+ BIO_printf (bio_err, "-signer file signer certificate file\n");
+ BIO_printf (bio_err, "-recip file recipient certificate file for decryption\n");
+ BIO_printf (bio_err, "-skeyid use subject key identifier\n");
+ BIO_printf (bio_err, "-in file input file\n");
+ BIO_printf (bio_err, "-inform arg input format SMIME (default), PEM or DER\n");
+ BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n");
+ BIO_printf (bio_err, "-keyform arg input private key format (PEM or ENGINE)\n");
+ BIO_printf (bio_err, "-out file output file\n");
+ BIO_printf (bio_err, "-outform arg output format SMIME (default), PEM or DER\n");
+ BIO_printf (bio_err, "-content file supply or override content for detached signature\n");
+ BIO_printf (bio_err, "-to addr to address\n");
+ BIO_printf (bio_err, "-from ad from address\n");
+ BIO_printf (bio_err, "-subject s subject\n");
+ BIO_printf (bio_err, "-text include or delete text MIME headers\n");
+ BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
+ BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
+ BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
+#ifndef OPENSSL_NO_ENGINE
+ BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n");
+#endif
+ BIO_printf (bio_err, "-passin arg input file pass phrase source\n");
+ BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+ BIO_printf(bio_err, " load the file (or the files in the directory) into\n");
+ BIO_printf(bio_err, " the random number generator\n");
+ BIO_printf (bio_err, "cert.pem recipient certificate(s) for encryption\n");
+ goto end;
+ }
+
+#ifndef OPENSSL_NO_ENGINE
+ e = setup_engine(bio_err, engine, 0);
+#endif
+
+ if (!app_passwd(bio_err, passargin, NULL, &passin, NULL))
+ {
+ BIO_printf(bio_err, "Error getting password\n");
+ goto end;
+ }
+
+ if (need_rand)
+ {
+ app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+ if (inrand != NULL)
+ BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+ app_RAND_load_files(inrand));
+ }
+
+ ret = 2;
+
+ if (!(operation & SMIME_SIGNERS))
+ flags &= ~CMS_DETACHED;
+
+ if (operation & SMIME_OP)
+ {
+ if (outformat == FORMAT_ASN1)
+ outmode = "wb";
+ }
+ else
+ {
+ if (flags & CMS_BINARY)
+ outmode = "wb";
+ }
+
+ if (operation & SMIME_IP)
+ {
+ if (informat == FORMAT_ASN1)
+ inmode = "rb";
+ }
+ else
+ {
+ if (flags & CMS_BINARY)
+ inmode = "rb";
+ }
+
+ if (operation == SMIME_ENCRYPT)
+ {
+ if (!cipher)
+ {
+#ifndef OPENSSL_NO_DES
+ cipher = EVP_des_ede3_cbc();
+#else
+ BIO_printf(bio_err, "No cipher selected\n");
+ goto end;
+#endif
+ }
+
+ if (secret_key && !secret_keyid)
+ {
+ BIO_printf(bio_err, "No sectre key id\n");
+ goto end;
+ }
+
+ if (*args)
+ encerts = sk_X509_new_null();
+ while (*args)
+ {
+ if (!(cert = load_cert(bio_err,*args,FORMAT_PEM,
+ NULL, e, "recipient certificate file")))
+ goto end;
+ sk_X509_push(encerts, cert);
+ cert = NULL;
+ args++;
+ }
+ }
+
+ if (certfile)
+ {
+ if (!(other = load_certs(bio_err,certfile,FORMAT_PEM, NULL,
+ e, "certificate file")))
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+
+ if (recipfile && (operation == SMIME_DECRYPT))
+ {
+ if (!(recip = load_cert(bio_err,recipfile,FORMAT_PEM,NULL,
+ e, "recipient certificate file")))
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+
+ if (operation == SMIME_SIGN_RECEIPT)
+ {
+ if (!(signer = load_cert(bio_err,signerfile,FORMAT_PEM,NULL,
+ e, "receipt signer certificate file")))
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+
+ if (operation == SMIME_DECRYPT)
+ {
+ if (!keyfile)
+ keyfile = recipfile;
+ }
+ else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT))
+ {
+ if (!keyfile)
+ keyfile = signerfile;
+ }
+ else keyfile = NULL;
+
+ if (keyfile)
+ {
+ key = load_key(bio_err, keyfile, keyform, 0, passin, e,
+ "signing key file");
+ if (!key)
+ goto end;
+ }
+
+ if (infile)
+ {
+ if (!(in = BIO_new_file(infile, inmode)))
+ {
+ BIO_printf (bio_err,
+ "Can't open input file %s\n", infile);
+ goto end;
+ }
+ }
+ else
+ in = BIO_new_fp(stdin, BIO_NOCLOSE);
+
+ if (operation & SMIME_IP)
+ {
+ if (informat == FORMAT_SMIME)
+ cms = SMIME_read_CMS(in, &indata);
+ else if (informat == FORMAT_PEM)
+ cms = PEM_read_bio_CMS(in, NULL, NULL, NULL);
+ else if (informat == FORMAT_ASN1)
+ cms = d2i_CMS_bio(in, NULL);
+ else
+ {
+ BIO_printf(bio_err, "Bad input format for CMS file\n");
+ goto end;
+ }
+
+ if (!cms)
+ {
+ BIO_printf(bio_err, "Error reading S/MIME message\n");
+ goto end;
+ }
+ if (contfile)
+ {
+ BIO_free(indata);
+ if (!(indata = BIO_new_file(contfile, "rb")))
+ {
+ BIO_printf(bio_err, "Can't read content file %s\n", contfile);
+ goto end;
+ }
+ }
+ if (certsoutfile)
+ {
+ STACK_OF(X509) *allcerts;
+ allcerts = CMS_get1_certs(cms);
+ if (!save_certs(certsoutfile, allcerts))
+ {
+ BIO_printf(bio_err,
+ "Error writing certs to %s\n",
+ certsoutfile);
+ ret = 5;
+ goto end;
+ }
+ sk_X509_pop_free(allcerts, X509_free);
+ }
+ }
+
+ if (rctfile)
+ {
+ char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r";
+ if (!(rctin = BIO_new_file(rctfile, rctmode)))
+ {
+ BIO_printf (bio_err,
+ "Can't open receipt file %s\n", rctfile);
+ goto end;
+ }
+
+ if (rctformat == FORMAT_SMIME)
+ rcms = SMIME_read_CMS(rctin, NULL);
+ else if (rctformat == FORMAT_PEM)
+ rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
+ else if (rctformat == FORMAT_ASN1)
+ rcms = d2i_CMS_bio(rctin, NULL);
+ else
+ {
+ BIO_printf(bio_err, "Bad input format for receipt\n");
+ goto end;
+ }
+
+ if (!rcms)
+ {
+ BIO_printf(bio_err, "Error reading receipt\n");
+ goto end;
+ }
+ }
+
+ if (outfile)
+ {
+ if (!(out = BIO_new_file(outfile, outmode)))
+ {
+ BIO_printf (bio_err,
+ "Can't open output file %s\n", outfile);
+ goto end;
+ }
+ }
+ else
+ {
+ out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+ {
+ BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+ out = BIO_push(tmpbio, out);
+ }
+#endif
+ }
+
+ if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT))
+ {
+ if (!(store = setup_verify(bio_err, CAfile, CApath)))
+ goto end;
+ X509_STORE_set_verify_cb_func(store, cms_cb);
+ if (vpm)
+ X509_STORE_set1_param(store, vpm);
+ }
+
+
+ ret = 3;
+
+ if (operation == SMIME_DATA_CREATE)
+ {
+ cms = CMS_data_create(in, flags);
+ }
+ else if (operation == SMIME_DIGEST_CREATE)
+ {
+ cms = CMS_digest_create(in, sign_md, flags);
+ }
+ else if (operation == SMIME_COMPRESS)
+ {
+ cms = CMS_compress(in, -1, flags);
+ }
+ else if (operation == SMIME_ENCRYPT)
+ {
+ flags |= CMS_PARTIAL;
+ cms = CMS_encrypt(encerts, in, cipher, flags);
+ if (!cms)
+ goto end;
+ if (secret_key)
+ {
+ if (!CMS_add0_recipient_key(cms, NID_undef,
+ secret_key, secret_keylen,
+ secret_keyid, secret_keyidlen,
+ NULL, NULL, NULL))
+ goto end;
+ /* NULL these because call absorbs them */
+ secret_key = NULL;
+ secret_keyid = NULL;
+ }
+ if (!(flags & CMS_STREAM))
+ {
+ if (!CMS_final(cms, in, NULL, flags))
+ goto end;
+ }
+ }
+ else if (operation == SMIME_ENCRYPTED_ENCRYPT)
+ {
+ cms = CMS_EncryptedData_encrypt(in, cipher,
+ secret_key, secret_keylen,
+ flags);
+
+ }
+ else if (operation == SMIME_SIGN_RECEIPT)
+ {
+ CMS_ContentInfo *srcms = NULL;
+ STACK_OF(CMS_SignerInfo) *sis;
+ CMS_SignerInfo *si;
+ sis = CMS_get0_SignerInfos(cms);
+ if (!sis)
+ goto end;
+ si = sk_CMS_SignerInfo_value(sis, 0);
+ srcms = CMS_sign_receipt(si, signer, key, other, flags);
+ if (!srcms)
+ goto end;
+ CMS_ContentInfo_free(cms);
+ cms = srcms;
+ }
+ else if (operation & SMIME_SIGNERS)
+ {
+ int i;
+ /* If detached data content we enable streaming if
+ * S/MIME output format.
+ */
+ if (operation == SMIME_SIGN)
+ {
+
+ if (flags & CMS_DETACHED)
+ {
+ if (outformat == FORMAT_SMIME)
+ flags |= CMS_STREAM;
+ }
+ flags |= CMS_PARTIAL;
+ cms = CMS_sign(NULL, NULL, other, in, flags);
+ if (!cms)
+ goto end;
+ if (econtent_type)
+ CMS_set1_eContentType(cms, econtent_type);
+
+ if (rr_to)
+ {
+ rr = make_receipt_request(rr_to, rr_allorfirst,
+ rr_from);
+ if (!rr)
+ {
+ BIO_puts(bio_err,
+ "Signed Receipt Request Creation Error\n");
+ goto end;
+ }
+ }
+ }
+ else
+ flags |= CMS_REUSE_DIGEST;
+ for (i = 0; i < sk_num(sksigners); i++)
+ {
+ CMS_SignerInfo *si;
+ signerfile = sk_value(sksigners, i);
+ keyfile = sk_value(skkeys, i);
+ signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL,
+ e, "signer certificate");
+ if (!signer)
+ goto end;
+ key = load_key(bio_err, keyfile, keyform, 0, passin, e,
+ "signing key file");
+ if (!key)
+ goto end;
+ si = CMS_add1_signer(cms, signer, key, sign_md, flags);
+ if (!si)
+ goto end;
+ if (rr && !CMS_add1_ReceiptRequest(si, rr))
+ goto end;
+ X509_free(signer);
+ signer = NULL;
+ EVP_PKEY_free(key);
+ key = NULL;
+ }
+ /* If not streaming or resigning finalize structure */
+ if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM))
+ {
+ if (!CMS_final(cms, in, NULL, flags))
+ goto end;
+ }
+ }
+
+ if (!cms)
+ {
+ BIO_printf(bio_err, "Error creating CMS structure\n");
+ goto end;
+ }
+
+ ret = 4;
+ if (operation == SMIME_DECRYPT)
+ {
+
+ if (secret_key)
+ {
+ if (!CMS_decrypt_set1_key(cms,
+ secret_key, secret_keylen,
+ secret_keyid, secret_keyidlen))
+ {
+ BIO_puts(bio_err,
+ "Error decrypting CMS using secret key\n");
+ goto end;
+ }
+ }
+
+ if (key)
+ {
+ if (!CMS_decrypt_set1_pkey(cms, key, recip))
+ {
+ BIO_puts(bio_err,
+ "Error decrypting CMS using private key\n");
+ goto end;
+ }
+ }
+
+ if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags))
+ {
+ BIO_printf(bio_err, "Error decrypting CMS structure\n");
+ goto end;
+ }
+ }
+ else if (operation == SMIME_DATAOUT)
+ {
+ if (!CMS_data(cms, out, flags))
+ goto end;
+ }
+ else if (operation == SMIME_UNCOMPRESS)
+ {
+ if (!CMS_uncompress(cms, indata, out, flags))
+ goto end;
+ }
+ else if (operation == SMIME_DIGEST_VERIFY)
+ {
+ if (CMS_digest_verify(cms, indata, out, flags) > 0)
+ BIO_printf(bio_err, "Verification successful\n");
+ else
+ {
+ BIO_printf(bio_err, "Verification failure\n");
+ goto end;
+ }
+ }
+ else if (operation == SMIME_ENCRYPTED_DECRYPT)
+ {
+ if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen,
+ indata, out, flags))
+ goto end;
+ }
+ else if (operation == SMIME_VERIFY)
+ {
+ if (CMS_verify(cms, other, store, indata, out, flags) > 0)
+ BIO_printf(bio_err, "Verification successful\n");
+ else
+ {
+ BIO_printf(bio_err, "Verification failure\n");
+ goto end;
+ }
+ if (signerfile)
+ {
+ STACK_OF(X509) *signers;
+ signers = CMS_get0_signers(cms);
+ if (!save_certs(signerfile, signers))
+ {
+ BIO_printf(bio_err,
+ "Error writing signers to %s\n",
+ signerfile);
+ ret = 5;
+ goto end;
+ }
+ sk_X509_free(signers);
+ }
+ if (rr_print)
+ receipt_request_print(bio_err, cms);
+
+ }
+ else if (operation == SMIME_VERIFY_RECEIPT)
+ {
+ if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0)
+ BIO_printf(bio_err, "Verification successful\n");
+ else
+ {
+ BIO_printf(bio_err, "Verification failure\n");
+ goto end;
+ }
+ }
+ else
+ {
+ if (outformat == FORMAT_SMIME)
+ {
+ if (to)
+ BIO_printf(out, "To: %s\n", to);
+ if (from)
+ BIO_printf(out, "From: %s\n", from);
+ if (subject)
+ BIO_printf(out, "Subject: %s\n", subject);
+ if (operation == SMIME_RESIGN)
+ ret = SMIME_write_CMS(out, cms, indata, flags);
+ else
+ ret = SMIME_write_CMS(out, cms, in, flags);
+ }
+ else if (outformat == FORMAT_PEM)
+ ret = PEM_write_bio_CMS(out, cms);
+ else if (outformat == FORMAT_ASN1)
+ ret = i2d_CMS_bio(out,cms);
+ else
+ {
+ BIO_printf(bio_err, "Bad output format for CMS file\n");
+ goto end;
+ }
+ if (ret <= 0)
+ {
+ ret = 6;
+ goto end;
+ }
+ }
+ ret = 0;
+end:
+ if (ret)
+ ERR_print_errors(bio_err);
+ if (need_rand)
+ app_RAND_write_file(NULL, bio_err);
+ sk_X509_pop_free(encerts, X509_free);
+ sk_X509_pop_free(other, X509_free);
+ if (vpm)
+ X509_VERIFY_PARAM_free(vpm);
+ if (sksigners)
+ sk_free(sksigners);
+ if (skkeys)
+ sk_free(skkeys);
+ if (secret_key)
+ OPENSSL_free(secret_key);
+ if (secret_keyid)
+ OPENSSL_free(secret_keyid);
+ if (econtent_type)
+ ASN1_OBJECT_free(econtent_type);
+ if (rr)
+ CMS_ReceiptRequest_free(rr);
+ if (rr_to)
+ sk_free(rr_to);
+ if (rr_from)
+ sk_free(rr_from);
+ X509_STORE_free(store);
+ X509_free(cert);
+ X509_free(recip);
+ X509_free(signer);
+ EVP_PKEY_free(key);
+ CMS_ContentInfo_free(cms);
+ CMS_ContentInfo_free(rcms);
+ BIO_free(rctin);
+ BIO_free(in);
+ BIO_free(indata);
+ BIO_free_all(out);
+ if (passin) OPENSSL_free(passin);
+ return (ret);
+}
+
+static int save_certs(char *signerfile, STACK_OF(X509) *signers)
+ {
+ int i;
+ BIO *tmp;
+ if (!signerfile)
+ return 1;
+ tmp = BIO_new_file(signerfile, "w");
+ if (!tmp) return 0;
+ for(i = 0; i < sk_X509_num(signers); i++)
+ PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
+ BIO_free(tmp);
+ return 1;
+ }
+
+
+/* Minimal callback just to output policy info (if any) */
+
+static int cms_cb(int ok, X509_STORE_CTX *ctx)
+ {
+ int error;
+
+ error = X509_STORE_CTX_get_error(ctx);
+
+ if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
+ && ((error != X509_V_OK) || (ok != 2)))
+ return ok;
+
+ policies_print(NULL, ctx);
+
+ return ok;
+
+ }
+
+static void gnames_stack_print(BIO *out, STACK_OF(GENERAL_NAMES) *gns)
+ {
+ STACK_OF(GENERAL_NAME) *gens;
+ GENERAL_NAME *gen;
+ int i, j;
+ for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++)
+ {
+ gens = sk_GENERAL_NAMES_value(gns, i);
+ for (j = 0; j < sk_GENERAL_NAME_num(gens); j++)
+ {
+ gen = sk_GENERAL_NAME_value(gens, j);
+ BIO_puts(out, " ");
+ GENERAL_NAME_print(out, gen);
+ BIO_puts(out, "\n");
+ }
+ }
+ return;
+ }
+
+static void receipt_request_print(BIO *out, CMS_ContentInfo *cms)
+ {
+ STACK_OF(CMS_SignerInfo) *sis;
+ CMS_SignerInfo *si;
+ CMS_ReceiptRequest *rr;
+ int allorfirst;
+ STACK_OF(GENERAL_NAMES) *rto, *rlist;
+ ASN1_STRING *scid;
+ int i, rv;
+ sis = CMS_get0_SignerInfos(cms);
+ for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++)
+ {
+ si = sk_CMS_SignerInfo_value(sis, i);
+ rv = CMS_get1_ReceiptRequest(si, &rr);
+ BIO_printf(bio_err, "Signer %d:\n", i + 1);
+ if (rv == 0)
+ BIO_puts(bio_err, " No Receipt Request\n");
+ else if (rv < 0)
+ {
+ BIO_puts(bio_err, " Receipt Request Parse Error\n");
+ ERR_print_errors(bio_err);
+ }
+ else
+ {
+ char *id;
+ int idlen;
+ CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst,
+ &rlist, &rto);
+ BIO_puts(out, " Signed Content ID:\n");
+ idlen = ASN1_STRING_length(scid);
+ id = (char *)ASN1_STRING_data(scid);
+ BIO_dump_indent(out, id, idlen, 4);
+ BIO_puts(out, " Receipts From");
+ if (rlist)
+ {
+ BIO_puts(out, " List:\n");
+ gnames_stack_print(out, rlist);
+ }
+ else if (allorfirst == 1)
+ BIO_puts(out, ": First Tier\n");
+ else if (allorfirst == 0)
+ BIO_puts(out, ": All\n");
+ else
+ BIO_printf(out, " Unknown (%d)\n", allorfirst);
+ BIO_puts(out, " Receipts To:\n");
+ gnames_stack_print(out, rto);
+ }
+ if (rr)
+ CMS_ReceiptRequest_free(rr);
+ }
+ }
+
+static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns)
+ {
+ int i;
+ STACK_OF(GENERAL_NAMES) *ret;
+ GENERAL_NAMES *gens = NULL;
+ GENERAL_NAME *gen = NULL;
+ ret = sk_GENERAL_NAMES_new_null();
+ if (!ret)
+ goto err;
+ for (i = 0; i < sk_num(ns); i++)
+ {
+ CONF_VALUE cnf;
+ cnf.name = "email";
+ cnf.value = sk_value(ns, i);
+ gen = v2i_GENERAL_NAME(NULL, NULL, &cnf);
+ if (!gen)
+ goto err;
+ gens = GENERAL_NAMES_new();
+ if (!gens)
+ goto err;
+ if (!sk_GENERAL_NAME_push(gens, gen))
+ goto err;
+ gen = NULL;
+ if (!sk_GENERAL_NAMES_push(ret, gens))
+ goto err;
+ gens = NULL;
+ }
+
+ return ret;
+
+ err:
+ if (ret)
+ sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free);
+ if (gens)
+ GENERAL_NAMES_free(gens);
+ if (gen)
+ GENERAL_NAME_free(gen);
+ return NULL;
+ }
+
+
+static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst,
+ STACK *rr_from)
+ {
+ STACK_OF(GENERAL_NAMES) *rct_to, *rct_from;
+ CMS_ReceiptRequest *rr;
+ rct_to = make_names_stack(rr_to);
+ if (!rct_to)
+ goto err;
+ if (rr_from)
+ {
+ rct_from = make_names_stack(rr_from);
+ if (!rct_from)
+ goto err;
+ }
+ else
+ rct_from = NULL;
+ rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from,
+ rct_to);
+ return rr;
+ err:
+ return NULL;
+ }
+
+#endif
diff --git a/crypto/openssl/apps/crl.c b/crypto/openssl/apps/crl.c
index a0040fba1194..c395b2afd5d4 100644
--- a/crypto/openssl/apps/crl.c
+++ b/crypto/openssl/apps/crl.c
@@ -85,6 +85,7 @@ static const char *crl_usage[]={
" -issuer - print issuer DN\n",
" -lastupdate - lastUpdate field\n",
" -nextupdate - nextUpdate field\n",
+" -crlnumber - print CRL number\n",
" -noout - no CRL output\n",
" -CAfile name - verify CRL using certificates in file \"name\"\n",
" -CApath dir - verify CRL using certificates in \"dir\"\n",
@@ -107,7 +108,7 @@ int MAIN(int argc, char **argv)
int informat,outformat;
char *infile=NULL,*outfile=NULL;
int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
- int fingerprint = 0;
+ int fingerprint = 0, crlnumber = 0;
const char **pp;
X509_STORE *store = NULL;
X509_STORE_CTX ctx;
@@ -206,6 +207,8 @@ int MAIN(int argc, char **argv)
noout= ++num;
else if (strcmp(*argv,"-fingerprint") == 0)
fingerprint= ++num;
+ else if (strcmp(*argv,"-crlnumber") == 0)
+ crlnumber= ++num;
else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
{
/* ok */
@@ -281,7 +284,21 @@ bad:
{
print_name(bio_out, "issuer=", X509_CRL_get_issuer(x), nmflag);
}
-
+ if (crlnumber == i)
+ {
+ ASN1_INTEGER *crlnum;
+ crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number,
+ NULL, NULL);
+ BIO_printf(bio_out,"crlNumber=");
+ if (crlnum)
+ {
+ i2a_ASN1_INTEGER(bio_out, crlnum);
+ ASN1_INTEGER_free(crlnum);
+ }
+ else
+ BIO_puts(bio_out, "<NONE>");
+ BIO_printf(bio_out,"\n");
+ }
if (hash == i)
{
BIO_printf(bio_out,"%08lx\n",
diff --git a/crypto/openssl/apps/dgst.c b/crypto/openssl/apps/dgst.c
index 09d093451938..9ebfc22e7969 100644
--- a/crypto/openssl/apps/dgst.c
+++ b/crypto/openssl/apps/dgst.c
@@ -76,7 +76,7 @@
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
- const char *file,BIO *bmd,const char *hmac_key);
+ const char *file,BIO *bmd,const char *hmac_key, int non_fips_allow);
int MAIN(int, char **);
@@ -84,7 +84,7 @@ int MAIN(int argc, char **argv)
{
ENGINE *e = NULL;
unsigned char *buf=NULL;
- int i,err=0;
+ int i,err=1;
const EVP_MD *md=NULL,*m;
BIO *in=NULL,*inp;
BIO *bmd=NULL;
@@ -101,14 +101,16 @@ int MAIN(int argc, char **argv)
EVP_PKEY *sigkey = NULL;
unsigned char *sigbuf = NULL;
int siglen = 0;
+ unsigned int sig_flags = 0;
char *passargin = NULL, *passin = NULL;
#ifndef OPENSSL_NO_ENGINE
char *engine=NULL;
#endif
char *hmac_key=NULL;
+ int non_fips_allow = 0;
apps_startup();
-
+ERR_load_crypto_strings();
if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL)
{
BIO_printf(bio_err,"out of memory\n");
@@ -167,6 +169,27 @@ int MAIN(int argc, char **argv)
keyfile=*(++argv);
do_verify = 1;
}
+ else if (strcmp(*argv,"-x931") == 0)
+ sig_flags = EVP_MD_CTX_FLAG_PAD_X931;
+ else if (strcmp(*argv,"-pss_saltlen") == 0)
+ {
+ int saltlen;
+ if (--argc < 1) break;
+ saltlen=atoi(*(++argv));
+ if (saltlen == -1)
+ sig_flags = EVP_MD_CTX_FLAG_PSS_MREC;
+ else if (saltlen == -2)
+ sig_flags = EVP_MD_CTX_FLAG_PSS_MDLEN;
+ else if (saltlen < -2 || saltlen >= 0xFFFE)
+ {
+ BIO_printf(bio_err, "Invalid PSS salt length %d\n", saltlen);
+ goto end;
+ }
+ else
+ sig_flags = saltlen;
+ sig_flags <<= 16;
+ sig_flags |= EVP_MD_CTX_FLAG_PAD_PSS;
+ }
else if (strcmp(*argv,"-signature") == 0)
{
if (--argc < 1) break;
@@ -190,6 +213,10 @@ int MAIN(int argc, char **argv)
out_bin = 1;
else if (strcmp(*argv,"-d") == 0)
debug=1;
+ else if (strcmp(*argv,"-non-fips-allow") == 0)
+ non_fips_allow=1;
+ else if (!strcmp(*argv,"-fips-fingerprint"))
+ hmac_key = "etaonrishdlcupfm";
else if (!strcmp(*argv,"-hmac"))
{
if (--argc < 1)
@@ -227,33 +254,38 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,"-keyform arg key file format (PEM or ENGINE)\n");
BIO_printf(bio_err,"-signature file signature to verify\n");
BIO_printf(bio_err,"-binary output in binary form\n");
+ BIO_printf(bio_err,"-hmac key create hashed MAC with key\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n");
#endif
- BIO_printf(bio_err,"-%3s to use the %s message digest algorithm (default)\n",
+ BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm (default)\n",
LN_md5,LN_md5);
- BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+ BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
LN_md4,LN_md4);
- BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+ BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
LN_md2,LN_md2);
#ifndef OPENSSL_NO_SHA
- BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+ BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
LN_sha1,LN_sha1);
- BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+ BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
LN_sha,LN_sha);
#ifndef OPENSSL_NO_SHA256
- BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+ BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
+ LN_sha224,LN_sha224);
+ BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
LN_sha256,LN_sha256);
#endif
#ifndef OPENSSL_NO_SHA512
- BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+ BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
+ LN_sha384,LN_sha384);
+ BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
LN_sha512,LN_sha512);
#endif
#endif
- BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+ BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
LN_mdc2,LN_mdc2);
- BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
+ BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
LN_ripemd160,LN_ripemd160);
err=1;
goto end;
@@ -349,8 +381,20 @@ int MAIN(int argc, char **argv)
goto end;
}
}
-
+ if (non_fips_allow)
+ {
+ EVP_MD_CTX *md_ctx;
+ BIO_get_md_ctx(bmd,&md_ctx);
+ EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ }
+
+ if (sig_flags)
+ {
+ EVP_MD_CTX *md_ctx;
+ BIO_get_md_ctx(bmd,&md_ctx);
+ EVP_MD_CTX_set_flags(md_ctx, sig_flags);
+ }
/* we use md as a filter, reading from 'in' */
if (!BIO_set_md(bmd,md))
@@ -366,11 +410,12 @@ int MAIN(int argc, char **argv)
{
BIO_set_fp(in,stdin,BIO_NOCLOSE);
err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
- siglen,"","(stdin)",bmd,hmac_key);
+ siglen,"","(stdin)",bmd,hmac_key,non_fips_allow);
}
else
{
name=OBJ_nid2sn(md->type);
+ err = 0;
for (i=0; i<argc; i++)
{
char *tmp,*tofree=NULL;
@@ -392,7 +437,7 @@ int MAIN(int argc, char **argv)
else
tmp="";
r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf,
- siglen,tmp,argv[i],bmd,hmac_key);
+ siglen,tmp,argv[i],bmd,hmac_key,non_fips_allow);
if(r)
err=r;
if(tofree)
@@ -419,7 +464,7 @@ end:
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
- const char *file,BIO *bmd,const char *hmac_key)
+ const char *file,BIO *bmd,const char *hmac_key,int non_fips_allow)
{
unsigned int len;
int i;
diff --git a/crypto/openssl/apps/dsa.c b/crypto/openssl/apps/dsa.c
index d503031ec385..cbc1fe3f8197 100644
--- a/crypto/openssl/apps/dsa.c
+++ b/crypto/openssl/apps/dsa.c
@@ -87,6 +87,7 @@
* -camellia128 - encrypt output if PEM format
* -camellia192 - encrypt output if PEM format
* -camellia256 - encrypt output if PEM format
+ * -seed - encrypt output if PEM format
* -text - print a text version
* -modulus - print the DSA public key
*/
@@ -95,9 +96,7 @@ int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
-#ifndef OPENSSL_NO_ENGINE
ENGINE *e = NULL;
-#endif
int ret=1;
DSA *dsa=NULL;
int i,badops=0;
@@ -219,6 +218,9 @@ bad:
BIO_printf(bio_err," -camellia128, -camellia192, -camellia256\n");
BIO_printf(bio_err," encrypt PEM output with cbc camellia\n");
#endif
+#ifndef OPENSSL_NO_SEED
+ BIO_printf(bio_err," -seed encrypt PEM output with cbc seed\n");
+#endif
BIO_printf(bio_err," -text print the key in text\n");
BIO_printf(bio_err," -noout don't print key out\n");
BIO_printf(bio_err," -modulus print the DSA public value\n");
@@ -236,37 +238,27 @@ bad:
goto end;
}
- in=BIO_new(BIO_s_file());
out=BIO_new(BIO_s_file());
- if ((in == NULL) || (out == NULL))
+ if (out == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
- if (infile == NULL)
- BIO_set_fp(in,stdin,BIO_NOCLOSE);
- else
- {
- if (BIO_read_filename(in,infile) <= 0)
- {
- perror(infile);
- goto end;
- }
- }
-
BIO_printf(bio_err,"read DSA key\n");
- if (informat == FORMAT_ASN1) {
- if(pubin) dsa=d2i_DSA_PUBKEY_bio(in,NULL);
- else dsa=d2i_DSAPrivateKey_bio(in,NULL);
- } else if (informat == FORMAT_PEM) {
- if(pubin) dsa=PEM_read_bio_DSA_PUBKEY(in,NULL, NULL, NULL);
- else dsa=PEM_read_bio_DSAPrivateKey(in,NULL,NULL,passin);
- } else
- {
- BIO_printf(bio_err,"bad input format specified for key\n");
- goto end;
- }
+ {
+ EVP_PKEY *pkey;
+ if (pubin)
+ pkey = load_pubkey(bio_err, infile, informat, 1,
+ passin, e, "Public Key");
+ else
+ pkey = load_key(bio_err, infile, informat, 1,
+ passin, e, "Private Key");
+
+ if (pkey != NULL)
+ dsa = pkey == NULL ? NULL : EVP_PKEY_get1_DSA(pkey);
+ EVP_PKEY_free(pkey);
+ }
if (dsa == NULL)
{
BIO_printf(bio_err,"unable to load Key\n");
diff --git a/crypto/openssl/apps/ec.c b/crypto/openssl/apps/ec.c
index c63437fe2acd..771e15f3577c 100644
--- a/crypto/openssl/apps/ec.c
+++ b/crypto/openssl/apps/ec.c
@@ -244,7 +244,7 @@ bad:
" the ec parameters are encoded\n");
BIO_printf(bio_err, " in the asn1 der "
"encoding\n");
- BIO_printf(bio_err, " possilbe values:"
+ BIO_printf(bio_err, " possible values:"
" named_curve (default)\n");
BIO_printf(bio_err," "
"explicit\n");
diff --git a/crypto/openssl/apps/enc.c b/crypto/openssl/apps/enc.c
index a41ea800ac18..f4f9a4c4a4e5 100644
--- a/crypto/openssl/apps/enc.c
+++ b/crypto/openssl/apps/enc.c
@@ -127,6 +127,7 @@ int MAIN(int argc, char **argv)
char *engine = NULL;
#endif
const EVP_MD *dgst=NULL;
+ int non_fips_allow = 0;
apps_startup();
@@ -261,6 +262,8 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad;
md= *(++argv);
}
+ else if (strcmp(*argv,"-non-fips-allow") == 0)
+ non_fips_allow = 1;
else if ((argv[0][0] == '-') &&
((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
{
@@ -314,7 +317,10 @@ bad:
if (dgst == NULL)
{
- dgst = EVP_md5();
+ if (in_FIPS_mode)
+ dgst = EVP_sha1();
+ else
+ dgst = EVP_md5();
}
if (bufsize != NULL)
@@ -527,7 +533,8 @@ bad:
BIO_printf(bio_err,"invalid hex iv value\n");
goto end;
}
- if ((hiv == NULL) && (str == NULL))
+ if ((hiv == NULL) && (str == NULL)
+ && EVP_CIPHER_iv_length(cipher) != 0)
{
/* No IV was explicitly set and no IV was generated
* during EVP_BytesToKey. Hence the IV is undefined,
@@ -549,6 +556,11 @@ bad:
*/
BIO_get_cipher_ctx(benc, &ctx);
+
+ if (non_fips_allow)
+ EVP_CIPHER_CTX_set_flags(ctx,
+ EVP_CIPH_FLAG_NON_FIPS_ALLOW);
+
if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
{
BIO_printf(bio_err, "Error setting cipher %s\n",
diff --git a/crypto/openssl/apps/engine.c b/crypto/openssl/apps/engine.c
index 25c861710799..17bd81fb79bf 100644
--- a/crypto/openssl/apps/engine.c
+++ b/crypto/openssl/apps/engine.c
@@ -56,7 +56,6 @@
*
*/
-#ifndef OPENSSL_NO_ENGINE
#include <stdio.h>
#include <stdlib.h>
@@ -66,6 +65,7 @@
#endif
#include "apps.h"
#include <openssl/err.h>
+#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#include <openssl/ssl.h>
@@ -252,7 +252,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent
/* Now decide on the output */
if(xpos == 0)
/* Do an indent */
- xpos = BIO_printf(bio_out, indent);
+ xpos = BIO_puts(bio_out, indent);
else
/* Otherwise prepend a ", " */
xpos += BIO_printf(bio_out, ", ");
@@ -263,7 +263,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent
(xpos + (int)strlen(name) > line_wrap))
{
BIO_printf(bio_out, "\n");
- xpos = BIO_printf(bio_out, indent);
+ xpos = BIO_puts(bio_out, indent);
}
xpos += BIO_printf(bio_out, "%s", name);
}
diff --git a/crypto/openssl/apps/gendsa.c b/crypto/openssl/apps/gendsa.c
index 936a42b810fc..8a296c66e570 100644
--- a/crypto/openssl/apps/gendsa.c
+++ b/crypto/openssl/apps/gendsa.c
@@ -140,6 +140,10 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,"-idea") == 0)
enc=EVP_idea_cbc();
#endif
+#ifndef OPENSSL_NO_SEED
+ else if (strcmp(*argv,"-seed") == 0)
+ enc=EVP_seed_cbc();
+#endif
#ifndef OPENSSL_NO_AES
else if (strcmp(*argv,"-aes128") == 0)
enc=EVP_aes_128_cbc();
@@ -178,6 +182,10 @@ bad:
#ifndef OPENSSL_NO_IDEA
BIO_printf(bio_err," -idea - encrypt the generated key with IDEA in cbc mode\n");
#endif
+#ifndef OPENSSL_NO_SEED
+ BIO_printf(bio_err," -seed\n");
+ BIO_printf(bio_err," encrypt PEM output with cbc seed\n");
+#endif
#ifndef OPENSSL_NO_AES
BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
BIO_printf(bio_err," encrypt PEM output with cbc aes\n");
diff --git a/crypto/openssl/apps/genpkey.c b/crypto/openssl/apps/genpkey.c
new file mode 100644
index 000000000000..6dfda08b9e09
--- /dev/null
+++ b/crypto/openssl/apps/genpkey.c
@@ -0,0 +1,440 @@
+/* apps/genpkey.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2006
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+
+static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
+ const char *file, ENGINE *e);
+static int genpkey_cb(EVP_PKEY_CTX *ctx);
+
+#define PROG genpkey_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+ {
+ ENGINE *e = NULL;
+ char **args, *outfile = NULL;
+ char *passarg = NULL;
+ BIO *in = NULL, *out = NULL;
+ const EVP_CIPHER *cipher = NULL;
+ int outformat;
+ int text = 0;
+ EVP_PKEY *pkey=NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+ char *pass = NULL;
+ int badarg = 0;
+ int ret = 1, rv;
+
+ int do_param = 0;
+
+ if (bio_err == NULL)
+ bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+
+ if (!load_config(bio_err, NULL))
+ goto end;
+
+ outformat=FORMAT_PEM;
+
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_algorithms();
+ args = argv + 1;
+ while (!badarg && *args && *args[0] == '-')
+ {
+ if (!strcmp(*args,"-outform"))
+ {
+ if (args[1])
+ {
+ args++;
+ outformat=str2fmt(*args);
+ }
+ else badarg = 1;
+ }
+ else if (!strcmp(*args,"-pass"))
+ {
+ if (!args[1]) goto bad;
+ passarg= *(++args);
+ }
+#ifndef OPENSSL_NO_ENGINE
+ else if (strcmp(*args,"-engine") == 0)
+ {
+ if (!args[1])
+ goto bad;
+ e = setup_engine(bio_err, *(++args), 0);
+ }
+#endif
+ else if (!strcmp (*args, "-paramfile"))
+ {
+ if (!args[1])
+ goto bad;
+ args++;
+ if (do_param == 1)
+ goto bad;
+ if (!init_keygen_file(bio_err, &ctx, *args, e))
+ goto end;
+ }
+ else if (!strcmp (*args, "-out"))
+ {
+ if (args[1])
+ {
+ args++;
+ outfile = *args;
+ }
+ else badarg = 1;
+ }
+ else if (strcmp(*args,"-algorithm") == 0)
+ {
+ if (!args[1])
+ goto bad;
+ if (!init_gen_str(bio_err, &ctx, *(++args),e, do_param))
+ goto end;
+ }
+ else if (strcmp(*args,"-pkeyopt") == 0)
+ {
+ if (!args[1])
+ goto bad;
+ if (!ctx)
+ {
+ BIO_puts(bio_err, "No keytype specified\n");
+ goto bad;
+ }
+ else if (pkey_ctrl_string(ctx, *(++args)) <= 0)
+ {
+ BIO_puts(bio_err, "parameter setting error\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+ else if (strcmp(*args,"-genparam") == 0)
+ {
+ if (ctx)
+ goto bad;
+ do_param = 1;
+ }
+ else if (strcmp(*args,"-text") == 0)
+ text=1;
+ else
+ {
+ cipher = EVP_get_cipherbyname(*args + 1);
+ if (!cipher)
+ {
+ BIO_printf(bio_err, "Unknown cipher %s\n",
+ *args + 1);
+ badarg = 1;
+ }
+ if (do_param == 1)
+ badarg = 1;
+ }
+ args++;
+ }
+
+ if (!ctx)
+ badarg = 1;
+
+ if (badarg)
+ {
+ bad:
+ BIO_printf(bio_err, "Usage: genpkey [options]\n");
+ BIO_printf(bio_err, "where options may be\n");
+ BIO_printf(bio_err, "-out file output file\n");
+ BIO_printf(bio_err, "-outform X output format (DER or PEM)\n");
+ BIO_printf(bio_err, "-pass arg output file pass phrase source\n");
+ BIO_printf(bio_err, "-<cipher> use cipher <cipher> to encrypt the key\n");
+#ifndef OPENSSL_NO_ENGINE
+ BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
+#endif
+ BIO_printf(bio_err, "-paramfile file parameters file\n");
+ BIO_printf(bio_err, "-algorithm alg the public key algorithm\n");
+ BIO_printf(bio_err, "-pkeyopt opt:value set the public key algorithm option <opt>\n"
+ " to value <value>\n");
+ BIO_printf(bio_err, "-genparam generate parameters, not key\n");
+ BIO_printf(bio_err, "-text print the in text\n");
+ BIO_printf(bio_err, "NB: options order may be important! See the manual page.\n");
+ goto end;
+ }
+
+ if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
+ {
+ BIO_puts(bio_err, "Error getting password\n");
+ goto end;
+ }
+
+ if (outfile)
+ {
+ if (!(out = BIO_new_file (outfile, "wb")))
+ {
+ BIO_printf(bio_err,
+ "Can't open output file %s\n", outfile);
+ goto end;
+ }
+ }
+ else
+ {
+ out = BIO_new_fp (stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+ {
+ BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+ out = BIO_push(tmpbio, out);
+ }
+#endif
+ }
+
+ EVP_PKEY_CTX_set_cb(ctx, genpkey_cb);
+ EVP_PKEY_CTX_set_app_data(ctx, bio_err);
+
+ if (do_param)
+ {
+ if (EVP_PKEY_paramgen(ctx, &pkey) <= 0)
+ {
+ BIO_puts(bio_err, "Error generating parameters\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+ else
+ {
+ if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
+ {
+ BIO_puts(bio_err, "Error generating key\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+
+ if (do_param)
+ rv = PEM_write_bio_Parameters(out, pkey);
+ else if (outformat == FORMAT_PEM)
+ rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0,
+ NULL, pass);
+ else if (outformat == FORMAT_ASN1)
+ rv = i2d_PrivateKey_bio(out, pkey);
+ else
+ {
+ BIO_printf(bio_err, "Bad format specified for key\n");
+ goto end;
+ }
+
+ if (rv <= 0)
+ {
+ BIO_puts(bio_err, "Error writing key\n");
+ ERR_print_errors(bio_err);
+ }
+
+ if (text)
+ {
+ if (do_param)
+ rv = EVP_PKEY_print_params(out, pkey, 0, NULL);
+ else
+ rv = EVP_PKEY_print_private(out, pkey, 0, NULL);
+
+ if (rv <= 0)
+ {
+ BIO_puts(bio_err, "Error printing key\n");
+ ERR_print_errors(bio_err);
+ }
+ }
+
+ ret = 0;
+
+ end:
+ if (pkey)
+ EVP_PKEY_free(pkey);
+ if (ctx)
+ EVP_PKEY_CTX_free(ctx);
+ if (out)
+ BIO_free_all(out);
+ BIO_free(in);
+ if (pass)
+ OPENSSL_free(pass);
+
+ return ret;
+ }
+
+static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
+ const char *file, ENGINE *e)
+ {
+ BIO *pbio;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+ if (*pctx)
+ {
+ BIO_puts(err, "Parameters already set!\n");
+ return 0;
+ }
+
+ pbio = BIO_new_file(file, "r");
+ if (!pbio)
+ {
+ BIO_printf(err, "Can't open parameter file %s\n", file);
+ return 0;
+ }
+
+ pkey = PEM_read_bio_Parameters(pbio, NULL);
+ BIO_free(pbio);
+
+ if (!pkey)
+ {
+ BIO_printf(bio_err, "Error reading parameter file %s\n", file);
+ return 0;
+ }
+
+ ctx = EVP_PKEY_CTX_new(pkey, e);
+ if (!ctx)
+ goto err;
+ if (EVP_PKEY_keygen_init(ctx) <= 0)
+ goto err;
+ EVP_PKEY_free(pkey);
+ *pctx = ctx;
+ return 1;
+
+ err:
+ BIO_puts(err, "Error initializing context\n");
+ ERR_print_errors(err);
+ if (ctx)
+ EVP_PKEY_CTX_free(ctx);
+ if (pkey)
+ EVP_PKEY_free(pkey);
+ return 0;
+
+ }
+
+int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
+ const char *algname, ENGINE *e, int do_param)
+ {
+ EVP_PKEY_CTX *ctx = NULL;
+ const EVP_PKEY_ASN1_METHOD *ameth;
+ ENGINE *tmpeng = NULL;
+ int pkey_id;
+
+ if (*pctx)
+ {
+ BIO_puts(err, "Algorithm already set!\n");
+ return 0;
+ }
+
+ ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
+
+#ifndef OPENSSL_NO_ENGINE
+ if (!ameth && e)
+ ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
+#endif
+
+ if (!ameth)
+ {
+ BIO_printf(bio_err, "Algorithm %s not found\n", algname);
+ return 0;
+ }
+
+ ERR_clear_error();
+
+ EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
+#ifndef OPENSSL_NO_ENGINE
+ if (tmpeng)
+ ENGINE_finish(tmpeng);
+#endif
+ ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
+
+ if (!ctx)
+ goto err;
+ if (do_param)
+ {
+ if (EVP_PKEY_paramgen_init(ctx) <= 0)
+ goto err;
+ }
+ else
+ {
+ if (EVP_PKEY_keygen_init(ctx) <= 0)
+ goto err;
+ }
+
+ *pctx = ctx;
+ return 1;
+
+ err:
+ BIO_printf(err, "Error initializing %s context\n", algname);
+ ERR_print_errors(err);
+ if (ctx)
+ EVP_PKEY_CTX_free(ctx);
+ return 0;
+
+ }
+
+static int genpkey_cb(EVP_PKEY_CTX *ctx)
+ {
+ char c='*';
+ BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
+ int p;
+ p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
+ if (p == 0) c='.';
+ if (p == 1) c='+';
+ if (p == 2) c='*';
+ if (p == 3) c='\n';
+ BIO_write(b,&c,1);
+ (void)BIO_flush(b);
+#ifdef LINT
+ p=n;
+#endif
+ return 1;
+ }
diff --git a/crypto/openssl/apps/genrsa.c b/crypto/openssl/apps/genrsa.c
index d716a3cde353..fdc0d4a07dfe 100644
--- a/crypto/openssl/apps/genrsa.c
+++ b/crypto/openssl/apps/genrsa.c
@@ -95,6 +95,7 @@ int MAIN(int argc, char **argv)
int ret=1;
int i,num=DEFBITS;
long l;
+ int use_x931 = 0;
const EVP_CIPHER *enc=NULL;
unsigned long f4=RSA_F4;
char *outfile=NULL;
@@ -138,6 +139,8 @@ int MAIN(int argc, char **argv)
f4=3;
else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)
f4=RSA_F4;
+ else if (strcmp(*argv,"-x931") == 0)
+ use_x931 = 1;
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv,"-engine") == 0)
{
@@ -160,6 +163,10 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,"-idea") == 0)
enc=EVP_idea_cbc();
#endif
+#ifndef OPENSSL_NO_SEED
+ else if (strcmp(*argv,"-seed") == 0)
+ enc=EVP_seed_cbc();
+#endif
#ifndef OPENSSL_NO_AES
else if (strcmp(*argv,"-aes128") == 0)
enc=EVP_aes_128_cbc();
@@ -195,6 +202,10 @@ bad:
#ifndef OPENSSL_NO_IDEA
BIO_printf(bio_err," -idea encrypt the generated key with IDEA in cbc mode\n");
#endif
+#ifndef OPENSSL_NO_SEED
+ BIO_printf(bio_err," -seed\n");
+ BIO_printf(bio_err," encrypt PEM output with cbc seed\n");
+#endif
#ifndef OPENSSL_NO_AES
BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
BIO_printf(bio_err," encrypt PEM output with cbc aes\n");
@@ -258,7 +269,17 @@ bad:
BIO_printf(bio_err,"Generating RSA private key, %d bit long modulus\n",
num);
- if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
+ if (use_x931)
+ {
+ BIGNUM *pubexp;
+ pubexp = BN_new();
+ if (!BN_set_word(pubexp, f4))
+ goto err;
+ if (!RSA_X931_generate_key_ex(rsa, num, pubexp, &cb))
+ goto err;
+ BN_free(pubexp);
+ }
+ else if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
goto err;
app_RAND_write_file(NULL, bio_err);
diff --git a/crypto/openssl/apps/md4.c b/crypto/openssl/apps/md4.c
new file mode 120000
index 000000000000..7f457b2ab1e1
--- /dev/null
+++ b/crypto/openssl/apps/md4.c
@@ -0,0 +1 @@
+../crypto/md4/md4.c \ No newline at end of file
diff --git a/crypto/openssl/apps/nseq.c b/crypto/openssl/apps/nseq.c
index dc71d45012f8..e3c4dba54733 100644
--- a/crypto/openssl/apps/nseq.c
+++ b/crypto/openssl/apps/nseq.c
@@ -1,5 +1,5 @@
/* nseq.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
/* ====================================================================
diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c
index 3ee6dfb5ed33..251044d77fcb 100644
--- a/crypto/openssl/apps/ocsp.c
+++ b/crypto/openssl/apps/ocsp.c
@@ -1,5 +1,5 @@
/* ocsp.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/
/* ====================================================================
@@ -56,15 +56,14 @@
*
*/
#ifndef OPENSSL_NO_OCSP
-
+#define USE_SOCKETS
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
-#include "apps.h"
-#include <openssl/pem.h>
-#include <openssl/ocsp.h>
-#include <openssl/err.h>
+#include "apps.h" /* needs to be included before the openssl headers! */
+#include <openssl/e_os2.h>
#include <openssl/ssl.h>
-#include <openssl/bn.h>
+#include <openssl/err.h>
/* Maximum leeway in validity period: default 5 minutes */
#define MAX_VALIDITY_PERIOD (5 * 60)
@@ -86,6 +85,8 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
static BIO *init_responder(char *port);
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+ OCSP_REQUEST *req, int req_timeout);
#undef PROG
#define PROG ocsp_main
@@ -112,11 +113,11 @@ int MAIN(int argc, char **argv)
BIO *acbio = NULL, *cbio = NULL;
BIO *derbio = NULL;
BIO *out = NULL;
+ int req_timeout = -1;
int req_text = 0, resp_text = 0;
long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
char *CAfile = NULL, *CApath = NULL;
X509_STORE *store = NULL;
- SSL_CTX *ctx = NULL;
STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
@@ -154,6 +155,22 @@ int MAIN(int argc, char **argv)
}
else badarg = 1;
}
+ else if (!strcmp(*args, "-timeout"))
+ {
+ if (args[1])
+ {
+ args++;
+ req_timeout = atol(*args);
+ if (req_timeout < 0)
+ {
+ BIO_printf(bio_err,
+ "Illegal timeout value %s\n",
+ *args);
+ badarg = 1;
+ }
+ }
+ else badarg = 1;
+ }
else if (!strcmp(*args, "-url"))
{
if (args[1])
@@ -703,52 +720,14 @@ int MAIN(int argc, char **argv)
else if (host)
{
#ifndef OPENSSL_NO_SOCK
- cbio = BIO_new_connect(host);
+ resp = process_responder(bio_err, req, host, path,
+ port, use_ssl, req_timeout);
+ if (!resp)
+ goto end;
#else
BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n");
goto end;
#endif
- if (!cbio)
- {
- BIO_printf(bio_err, "Error creating connect BIO\n");
- goto end;
- }
- if (port) BIO_set_conn_port(cbio, port);
- if (use_ssl == 1)
- {
- BIO *sbio;
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
- ctx = SSL_CTX_new(SSLv23_client_method());
-#elif !defined(OPENSSL_NO_SSL3)
- ctx = SSL_CTX_new(SSLv3_client_method());
-#elif !defined(OPENSSL_NO_SSL2)
- ctx = SSL_CTX_new(SSLv2_client_method());
-#else
- BIO_printf(bio_err, "SSL is disabled\n");
- goto end;
-#endif
- if (ctx == NULL)
- {
- BIO_printf(bio_err, "Error creating SSL context.\n");
- goto end;
- }
- SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
- sbio = BIO_new_ssl(ctx, 1);
- cbio = BIO_push(sbio, cbio);
- }
- if (BIO_do_connect(cbio) <= 0)
- {
- BIO_printf(bio_err, "Error connecting BIO\n");
- goto end;
- }
- resp = OCSP_sendreq_bio(cbio, path, req);
- BIO_free_all(cbio);
- cbio = NULL;
- if (!resp)
- {
- BIO_printf(bio_err, "Error querying OCSP responsder\n");
- goto end;
- }
}
else if (respin)
{
@@ -897,7 +876,6 @@ end:
OPENSSL_free(host);
OPENSSL_free(port);
OPENSSL_free(path);
- SSL_CTX_free(ctx);
}
OPENSSL_EXIT(ret);
@@ -1121,6 +1099,7 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
char *itmp, *row[DB_NUMBER],**rrow;
for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
bn = ASN1_INTEGER_to_BN(ser,NULL);
+ OPENSSL_assert(bn); /* FIXME: should report an error at this point and abort */
if (BN_is_zero(bn))
itmp = BUF_strdup("00");
else
@@ -1227,8 +1206,141 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
return 0;
BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
i2d_OCSP_RESPONSE_bio(cbio, resp);
- BIO_flush(cbio);
+ (void)BIO_flush(cbio);
return 1;
}
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+ OCSP_REQUEST *req, int req_timeout)
+ {
+ int fd;
+ int rv;
+ OCSP_REQ_CTX *ctx = NULL;
+ OCSP_RESPONSE *rsp = NULL;
+ fd_set confds;
+ struct timeval tv;
+
+ if (req_timeout != -1)
+ BIO_set_nbio(cbio, 1);
+
+ rv = BIO_do_connect(cbio);
+
+ if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio)))
+ {
+ BIO_puts(err, "Error connecting BIO\n");
+ return NULL;
+ }
+
+ if (req_timeout == -1)
+ return OCSP_sendreq_bio(cbio, path, req);
+
+ if (BIO_get_fd(cbio, &fd) <= 0)
+ {
+ BIO_puts(err, "Can't get connection fd\n");
+ goto err;
+ }
+
+ if (rv <= 0)
+ {
+ FD_ZERO(&confds);
+ openssl_fdset(fd, &confds);
+ tv.tv_usec = 0;
+ tv.tv_sec = req_timeout;
+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
+ if (rv == 0)
+ {
+ BIO_puts(err, "Timeout on connect\n");
+ return NULL;
+ }
+ }
+
+
+ ctx = OCSP_sendreq_new(cbio, path, req, -1);
+ if (!ctx)
+ return NULL;
+
+ for (;;)
+ {
+ rv = OCSP_sendreq_nbio(&rsp, ctx);
+ if (rv != -1)
+ break;
+ FD_ZERO(&confds);
+ openssl_fdset(fd, &confds);
+ tv.tv_usec = 0;
+ tv.tv_sec = req_timeout;
+ if (BIO_should_read(cbio))
+ rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
+ else if (BIO_should_write(cbio))
+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
+ else
+ {
+ BIO_puts(err, "Unexpected retry condition\n");
+ goto err;
+ }
+ if (rv == 0)
+ {
+ BIO_puts(err, "Timeout on request\n");
+ break;
+ }
+ if (rv == -1)
+ {
+ BIO_puts(err, "Select error\n");
+ break;
+ }
+
+ }
+ err:
+ if (ctx)
+ OCSP_REQ_CTX_free(ctx);
+
+ return rsp;
+ }
+
+OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
+ char *host, char *path, char *port, int use_ssl,
+ int req_timeout)
+ {
+ BIO *cbio = NULL;
+ SSL_CTX *ctx = NULL;
+ OCSP_RESPONSE *resp = NULL;
+ cbio = BIO_new_connect(host);
+ if (!cbio)
+ {
+ BIO_printf(err, "Error creating connect BIO\n");
+ goto end;
+ }
+ if (port) BIO_set_conn_port(cbio, port);
+ if (use_ssl == 1)
+ {
+ BIO *sbio;
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+ ctx = SSL_CTX_new(SSLv23_client_method());
+#elif !defined(OPENSSL_NO_SSL3)
+ ctx = SSL_CTX_new(SSLv3_client_method());
+#elif !defined(OPENSSL_NO_SSL2)
+ ctx = SSL_CTX_new(SSLv2_client_method());
+#else
+ BIO_printf(err, "SSL is disabled\n");
+ goto end;
+#endif
+ if (ctx == NULL)
+ {
+ BIO_printf(err, "Error creating SSL context.\n");
+ goto end;
+ }
+ SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+ sbio = BIO_new_ssl(ctx, 1);
+ cbio = BIO_push(sbio, cbio);
+ }
+ resp = query_responder(err, cbio, path, req, req_timeout);
+ if (!resp)
+ BIO_printf(bio_err, "Error querying OCSP responsder\n");
+ end:
+ if (ctx)
+ SSL_CTX_free(ctx);
+ if (cbio)
+ BIO_free_all(cbio);
+ return resp;
+ }
+
#endif
diff --git a/crypto/openssl/apps/openssl.c b/crypto/openssl/apps/openssl.c
index 47aee5b71262..7d2b476cf048 100644
--- a/crypto/openssl/apps/openssl.c
+++ b/crypto/openssl/apps/openssl.c
@@ -147,6 +147,7 @@ char *default_config_file=NULL;
#ifdef MONOLITH
CONF *config=NULL;
BIO *bio_err=NULL;
+int in_FIPS_mode=0;
#endif
@@ -232,6 +233,19 @@ int main(int Argc, char *Argv[])
arg.data=NULL;
arg.count=0;
+ in_FIPS_mode = 0;
+
+#ifdef OPENSSL_FIPS
+ if(getenv("OPENSSL_FIPS")) {
+ if (!FIPS_mode_set(1)) {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+ in_FIPS_mode = 1;
+ }
+#endif
+
if (bio_err == NULL)
if ((bio_err=BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c
index d5873e93d498..248bc1154d3c 100644
--- a/crypto/openssl/apps/pkcs12.c
+++ b/crypto/openssl/apps/pkcs12.c
@@ -1,5 +1,5 @@
/* pkcs12.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
/* ====================================================================
@@ -100,6 +100,7 @@ int MAIN(int argc, char **argv)
char **args;
char *name = NULL;
char *csp_name = NULL;
+ int add_lmk = 0;
PKCS12 *p12 = NULL;
char pass[50], macpass[50];
int export_cert = 0;
@@ -110,7 +111,7 @@ int MAIN(int argc, char **argv)
int maciter = PKCS12_DEFAULT_ITER;
int twopass = 0;
int keytype = 0;
- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+ int cert_pbe;
int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
int ret = 1;
int macver = 1;
@@ -127,6 +128,13 @@ int MAIN(int argc, char **argv)
apps_startup();
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+ else
+#endif
+ cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+
enc = EVP_des_ede3_cbc();
if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
@@ -153,10 +161,13 @@ int MAIN(int argc, char **argv)
cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
else if (!strcmp (*args, "-export")) export_cert = 1;
else if (!strcmp (*args, "-des")) enc=EVP_des_cbc();
+ else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc();
#ifndef OPENSSL_NO_IDEA
else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc();
#endif
- else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc();
+#ifndef OPENSSL_NO_SEED
+ else if (!strcmp(*args, "-seed")) enc=EVP_seed_cbc();
+#endif
#ifndef OPENSSL_NO_AES
else if (!strcmp(*args,"-aes128")) enc=EVP_aes_128_cbc();
else if (!strcmp(*args,"-aes192")) enc=EVP_aes_192_cbc();
@@ -221,7 +232,9 @@ int MAIN(int argc, char **argv)
args++;
name = *args;
} else badarg = 1;
- } else if (!strcmp (*args, "-CSP")) {
+ } else if (!strcmp (*args, "-LMK"))
+ add_lmk = 1;
+ else if (!strcmp (*args, "-CSP")) {
if (args[1]) {
args++;
csp_name = *args;
@@ -306,6 +319,9 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_IDEA
BIO_printf (bio_err, "-idea encrypt private keys with idea\n");
#endif
+#ifndef OPENSSL_NO_SEED
+ BIO_printf (bio_err, "-seed encrypt private keys with seed\n");
+#endif
#ifndef OPENSSL_NO_AES
BIO_printf (bio_err, "-aes128, -aes192, -aes256\n");
BIO_printf (bio_err, " encrypt PEM output with cbc aes\n");
@@ -332,6 +348,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
BIO_printf(bio_err, " load the file (or the files in the directory) into\n");
BIO_printf(bio_err, " the random number generator\n");
+ BIO_printf(bio_err, "-CSP name Microsoft CSP name\n");
+ BIO_printf(bio_err, "-LMK Add local machine keyset attribute to private key\n");
goto end;
}
@@ -471,7 +489,7 @@ int MAIN(int argc, char **argv)
X509_keyid_set1(ucert, NULL, 0);
X509_alias_set1(ucert, NULL, 0);
/* Remove from list */
- sk_X509_delete(certs, i);
+ (void)sk_X509_delete(certs, i);
break;
}
}
@@ -556,7 +574,9 @@ int MAIN(int argc, char **argv)
if (csp_name && key)
EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
MBSTRING_ASC, (unsigned char *)csp_name, -1);
-
+
+ if (add_lmk && key)
+ EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
diff --git a/crypto/openssl/apps/pkcs8.c b/crypto/openssl/apps/pkcs8.c
index d5085444e27f..9633a149bcfa 100644
--- a/crypto/openssl/apps/pkcs8.c
+++ b/crypto/openssl/apps/pkcs8.c
@@ -1,5 +1,5 @@
/* pkcs8.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999-2004.
*/
/* ====================================================================
diff --git a/crypto/openssl/apps/pkey.c b/crypto/openssl/apps/pkey.c
new file mode 100644
index 000000000000..17e6702fb17c
--- /dev/null
+++ b/crypto/openssl/apps/pkey.c
@@ -0,0 +1,284 @@
+/* apps/pkey.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2006
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+
+#define PROG pkey_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+ {
+ ENGINE *e = NULL;
+ char **args, *infile = NULL, *outfile = NULL;
+ char *passargin = NULL, *passargout = NULL;
+ BIO *in = NULL, *out = NULL;
+ const EVP_CIPHER *cipher = NULL;
+ int informat, outformat;
+ int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0;
+ EVP_PKEY *pkey=NULL;
+ char *passin = NULL, *passout = NULL;
+ int badarg = 0;
+#ifndef OPENSSL_NO_ENGINE
+ char *engine=NULL;
+#endif
+ int ret = 1;
+
+ if (bio_err == NULL)
+ bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+
+ if (!load_config(bio_err, NULL))
+ goto end;
+
+ informat=FORMAT_PEM;
+ outformat=FORMAT_PEM;
+
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_algorithms();
+ args = argv + 1;
+ while (!badarg && *args && *args[0] == '-')
+ {
+ if (!strcmp(*args,"-inform"))
+ {
+ if (args[1])
+ {
+ args++;
+ informat=str2fmt(*args);
+ }
+ else badarg = 1;
+ }
+ else if (!strcmp(*args,"-outform"))
+ {
+ if (args[1])
+ {
+ args++;
+ outformat=str2fmt(*args);
+ }
+ else badarg = 1;
+ }
+ else if (!strcmp(*args,"-passin"))
+ {
+ if (!args[1]) goto bad;
+ passargin= *(++args);
+ }
+ else if (!strcmp(*args,"-passout"))
+ {
+ if (!args[1]) goto bad;
+ passargout= *(++args);
+ }
+#ifndef OPENSSL_NO_ENGINE
+ else if (strcmp(*args,"-engine") == 0)
+ {
+ if (!args[1]) goto bad;
+ engine= *(++args);
+ }
+#endif
+ else if (!strcmp (*args, "-in"))
+ {
+ if (args[1])
+ {
+ args++;
+ infile = *args;
+ }
+ else badarg = 1;
+ }
+ else if (!strcmp (*args, "-out"))
+ {
+ if (args[1])
+ {
+ args++;
+ outfile = *args;
+ }
+ else badarg = 1;
+ }
+ else if (strcmp(*args,"-pubin") == 0)
+ {
+ pubin=1;
+ pubout=1;
+ pubtext=1;
+ }
+ else if (strcmp(*args,"-pubout") == 0)
+ pubout=1;
+ else if (strcmp(*args,"-text_pub") == 0)
+ {
+ pubtext=1;
+ text=1;
+ }
+ else if (strcmp(*args,"-text") == 0)
+ text=1;
+ else if (strcmp(*args,"-noout") == 0)
+ noout=1;
+ else
+ {
+ cipher = EVP_get_cipherbyname(*args + 1);
+ if (!cipher)
+ {
+ BIO_printf(bio_err, "Unknown cipher %s\n",
+ *args + 1);
+ badarg = 1;
+ }
+ }
+ args++;
+ }
+
+ if (badarg)
+ {
+ bad:
+ BIO_printf(bio_err, "Usage pkey [options]\n");
+ BIO_printf(bio_err, "where options are\n");
+ BIO_printf(bio_err, "-in file input file\n");
+ BIO_printf(bio_err, "-inform X input format (DER or PEM)\n");
+ BIO_printf(bio_err, "-passin arg input file pass phrase source\n");
+ BIO_printf(bio_err, "-outform X output format (DER or PEM)\n");
+ BIO_printf(bio_err, "-out file output file\n");
+ BIO_printf(bio_err, "-passout arg output file pass phrase source\n");
+#ifndef OPENSSL_NO_ENGINE
+ BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
+#endif
+ return 1;
+ }
+
+#ifndef OPENSSL_NO_ENGINE
+ e = setup_engine(bio_err, engine, 0);
+#endif
+
+ if (!app_passwd(bio_err, passargin, passargout, &passin, &passout))
+ {
+ BIO_printf(bio_err, "Error getting passwords\n");
+ goto end;
+ }
+
+ if (outfile)
+ {
+ if (!(out = BIO_new_file (outfile, "wb")))
+ {
+ BIO_printf(bio_err,
+ "Can't open output file %s\n", outfile);
+ goto end;
+ }
+ }
+ else
+ {
+ out = BIO_new_fp (stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+ {
+ BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+ out = BIO_push(tmpbio, out);
+ }
+#endif
+ }
+
+ if (pubin)
+ pkey = load_pubkey(bio_err, infile, informat, 1,
+ passin, e, "Public Key");
+ else
+ pkey = load_key(bio_err, infile, informat, 1,
+ passin, e, "key");
+ if (!pkey)
+ goto end;
+
+ if (!noout)
+ {
+ if (outformat == FORMAT_PEM)
+ {
+ if (pubout)
+ PEM_write_bio_PUBKEY(out,pkey);
+ else
+ PEM_write_bio_PrivateKey(out, pkey, cipher,
+ NULL, 0, NULL, passout);
+ }
+ else if (outformat == FORMAT_ASN1)
+ {
+ if (pubout)
+ i2d_PUBKEY_bio(out, pkey);
+ else
+ i2d_PrivateKey_bio(out, pkey);
+ }
+ else
+ {
+ BIO_printf(bio_err, "Bad format specified for key\n");
+ goto end;
+ }
+
+ }
+
+ if (text)
+ {
+ if (pubtext)
+ EVP_PKEY_print_public(out, pkey, 0, NULL);
+ else
+ EVP_PKEY_print_private(out, pkey, 0, NULL);
+ }
+
+ ret = 0;
+
+ end:
+ EVP_PKEY_free(pkey);
+ BIO_free_all(out);
+ BIO_free(in);
+ if (passin)
+ OPENSSL_free(passin);
+ if (passout)
+ OPENSSL_free(passout);
+
+ return ret;
+ }
diff --git a/crypto/openssl/apps/pkeyparam.c b/crypto/openssl/apps/pkeyparam.c
new file mode 100644
index 000000000000..4319eb4de516
--- /dev/null
+++ b/crypto/openssl/apps/pkeyparam.c
@@ -0,0 +1,201 @@
+/* apps/pkeyparam.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2006
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+
+#define PROG pkeyparam_main
+
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+ {
+ char **args, *infile = NULL, *outfile = NULL;
+ BIO *in = NULL, *out = NULL;
+ int text = 0, noout = 0;
+ EVP_PKEY *pkey=NULL;
+ int badarg = 0;
+#ifndef OPENSSL_NO_ENGINE
+ ENGINE *e = NULL;
+ char *engine=NULL;
+#endif
+ int ret = 1;
+
+ if (bio_err == NULL)
+ bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+
+ if (!load_config(bio_err, NULL))
+ goto end;
+
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_algorithms();
+ args = argv + 1;
+ while (!badarg && *args && *args[0] == '-')
+ {
+ if (!strcmp (*args, "-in"))
+ {
+ if (args[1])
+ {
+ args++;
+ infile = *args;
+ }
+ else badarg = 1;
+ }
+ else if (!strcmp (*args, "-out"))
+ {
+ if (args[1])
+ {
+ args++;
+ outfile = *args;
+ }
+ else badarg = 1;
+ }
+#ifndef OPENSSL_NO_ENGINE
+ else if (strcmp(*args,"-engine") == 0)
+ {
+ if (!args[1]) goto bad;
+ engine= *(++args);
+ }
+#endif
+
+ else if (strcmp(*args,"-text") == 0)
+ text=1;
+ else if (strcmp(*args,"-noout") == 0)
+ noout=1;
+ args++;
+ }
+
+ if (badarg)
+ {
+#ifndef OPENSSL_NO_ENGINE
+ bad:
+#endif
+ BIO_printf(bio_err, "Usage pkeyparam [options]\n");
+ BIO_printf(bio_err, "where options are\n");
+ BIO_printf(bio_err, "-in file input file\n");
+ BIO_printf(bio_err, "-out file output file\n");
+ BIO_printf(bio_err, "-text print parameters as text\n");
+ BIO_printf(bio_err, "-noout don't output encoded parameters\n");
+#ifndef OPENSSL_NO_ENGINE
+ BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
+#endif
+ return 1;
+ }
+
+#ifndef OPENSSL_NO_ENGINE
+ e = setup_engine(bio_err, engine, 0);
+#endif
+
+ if (infile)
+ {
+ if (!(in = BIO_new_file (infile, "r")))
+ {
+ BIO_printf(bio_err,
+ "Can't open input file %s\n", infile);
+ goto end;
+ }
+ }
+ else
+ in = BIO_new_fp (stdin, BIO_NOCLOSE);
+
+ if (outfile)
+ {
+ if (!(out = BIO_new_file (outfile, "w")))
+ {
+ BIO_printf(bio_err,
+ "Can't open output file %s\n", outfile);
+ goto end;
+ }
+ }
+ else
+ {
+ out = BIO_new_fp (stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+ {
+ BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+ out = BIO_push(tmpbio, out);
+ }
+#endif
+ }
+
+ pkey = PEM_read_bio_Parameters(in, NULL);
+ if (!pkey)
+ {
+ BIO_printf(bio_err, "Error reading paramters\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (!noout)
+ PEM_write_bio_Parameters(out,pkey);
+
+ if (text)
+ EVP_PKEY_print_params(out, pkey, 0, NULL);
+
+ ret = 0;
+
+ end:
+ EVP_PKEY_free(pkey);
+ BIO_free_all(out);
+ BIO_free(in);
+
+ return ret;
+ }
diff --git a/crypto/openssl/apps/pkeyutl.c b/crypto/openssl/apps/pkeyutl.c
new file mode 100644
index 000000000000..b808e1ef499c
--- /dev/null
+++ b/crypto/openssl/apps/pkeyutl.c
@@ -0,0 +1,570 @@
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include "apps.h"
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/evp.h>
+
+#define KEY_PRIVKEY 1
+#define KEY_PUBKEY 2
+#define KEY_CERT 3
+
+static void usage(void);
+
+#undef PROG
+
+#define PROG pkeyutl_main
+
+static EVP_PKEY_CTX *init_ctx(int *pkeysize,
+ char *keyfile, int keyform, int key_type,
+ char *passargin, int pkey_op, ENGINE *e);
+
+static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
+ const char *file);
+
+static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
+ unsigned char *out, size_t *poutlen,
+ unsigned char *in, size_t inlen);
+
+int MAIN(int argc, char **);
+
+int MAIN(int argc, char **argv)
+{
+ BIO *in = NULL, *out = NULL;
+ char *infile = NULL, *outfile = NULL, *sigfile = NULL;
+ ENGINE *e = NULL;
+ int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
+ int keyform = FORMAT_PEM, peerform = FORMAT_PEM;
+ char badarg = 0, rev = 0;
+ char hexdump = 0, asn1parse = 0;
+ EVP_PKEY_CTX *ctx = NULL;
+ char *passargin = NULL;
+ int keysize = -1;
+
+ unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
+ size_t buf_outlen;
+ int buf_inlen = 0, siglen = -1;
+
+ int ret = 1, rv = -1;
+
+ argc--;
+ argv++;
+
+ if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+ if (!load_config(bio_err, NULL))
+ goto end;
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_algorithms();
+
+ while(argc >= 1)
+ {
+ if (!strcmp(*argv,"-in"))
+ {
+ if (--argc < 1) badarg = 1;
+ infile= *(++argv);
+ }
+ else if (!strcmp(*argv,"-out"))
+ {
+ if (--argc < 1) badarg = 1;
+ outfile= *(++argv);
+ }
+ else if (!strcmp(*argv,"-sigfile"))
+ {
+ if (--argc < 1) badarg = 1;
+ sigfile= *(++argv);
+ }
+ else if(!strcmp(*argv, "-inkey"))
+ {
+ if (--argc < 1)
+ badarg = 1;
+ else
+ {
+ ctx = init_ctx(&keysize,
+ *(++argv), keyform, key_type,
+ passargin, pkey_op, e);
+ if (!ctx)
+ {
+ BIO_puts(bio_err,
+ "Error initializing context\n");
+ ERR_print_errors(bio_err);
+ badarg = 1;
+ }
+ }
+ }
+ else if (!strcmp(*argv,"-peerkey"))
+ {
+ if (--argc < 1)
+ badarg = 1;
+ else if (!setup_peer(bio_err, ctx, peerform, *(++argv)))
+ badarg = 1;
+ }
+ else if (!strcmp(*argv,"-passin"))
+ {
+ if (--argc < 1) badarg = 1;
+ passargin= *(++argv);
+ }
+ else if (strcmp(*argv,"-peerform") == 0)
+ {
+ if (--argc < 1) badarg = 1;
+ peerform=str2fmt(*(++argv));
+ }
+ else if (strcmp(*argv,"-keyform") == 0)
+ {
+ if (--argc < 1) badarg = 1;
+ keyform=str2fmt(*(++argv));
+ }
+#ifndef OPENSSL_NO_ENGINE
+ else if(!strcmp(*argv, "-engine"))
+ {
+ if (--argc < 1)
+ badarg = 1;
+ else
+ e = setup_engine(bio_err, *(++argv), 0);
+ }
+#endif
+ else if(!strcmp(*argv, "-pubin"))
+ key_type = KEY_PUBKEY;
+ else if(!strcmp(*argv, "-certin"))
+ key_type = KEY_CERT;
+ else if(!strcmp(*argv, "-asn1parse"))
+ asn1parse = 1;
+ else if(!strcmp(*argv, "-hexdump"))
+ hexdump = 1;
+ else if(!strcmp(*argv, "-sign"))
+ pkey_op = EVP_PKEY_OP_SIGN;
+ else if(!strcmp(*argv, "-verify"))
+ pkey_op = EVP_PKEY_OP_VERIFY;
+ else if(!strcmp(*argv, "-verifyrecover"))
+ pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
+ else if(!strcmp(*argv, "-rev"))
+ rev = 1;
+ else if(!strcmp(*argv, "-encrypt"))
+ pkey_op = EVP_PKEY_OP_ENCRYPT;
+ else if(!strcmp(*argv, "-decrypt"))
+ pkey_op = EVP_PKEY_OP_DECRYPT;
+ else if(!strcmp(*argv, "-derive"))
+ pkey_op = EVP_PKEY_OP_DERIVE;
+ else if (strcmp(*argv,"-pkeyopt") == 0)
+ {
+ if (--argc < 1)
+ badarg = 1;
+ else if (!ctx)
+ {
+ BIO_puts(bio_err,
+ "-pkeyopt command before -inkey\n");
+ badarg = 1;
+ }
+ else if (pkey_ctrl_string(ctx, *(++argv)) <= 0)
+ {
+ BIO_puts(bio_err, "parameter setting error\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+ else badarg = 1;
+ if(badarg)
+ {
+ usage();
+ goto end;
+ }
+ argc--;
+ argv++;
+ }
+
+ if (!ctx)
+ {
+ usage();
+ goto end;
+ }
+
+ if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY))
+ {
+ BIO_puts(bio_err, "Signature file specified for non verify\n");
+ goto end;
+ }
+
+ if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY))
+ {
+ BIO_puts(bio_err, "No signature file specified for verify\n");
+ goto end;
+ }
+
+/* FIXME: seed PRNG only if needed */
+ app_RAND_load_file(NULL, bio_err, 0);
+
+ if (pkey_op != EVP_PKEY_OP_DERIVE)
+ {
+ if(infile)
+ {
+ if(!(in = BIO_new_file(infile, "rb")))
+ {
+ BIO_puts(bio_err,
+ "Error Opening Input File\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+ else
+ in = BIO_new_fp(stdin, BIO_NOCLOSE);
+ }
+
+ if(outfile)
+ {
+ if(!(out = BIO_new_file(outfile, "wb")))
+ {
+ BIO_printf(bio_err, "Error Creating Output File\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+ else
+ {
+ out = BIO_new_fp(stdout, BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+ {
+ BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+ out = BIO_push(tmpbio, out);
+ }
+#endif
+ }
+
+ if (sigfile)
+ {
+ BIO *sigbio = BIO_new_file(sigfile, "rb");
+ if (!sigbio)
+ {
+ BIO_printf(bio_err, "Can't open signature file %s\n",
+ sigfile);
+ goto end;
+ }
+ siglen = bio_to_mem(&sig, keysize * 10, sigbio);
+ BIO_free(sigbio);
+ if (siglen <= 0)
+ {
+ BIO_printf(bio_err, "Error reading signature data\n");
+ goto end;
+ }
+ }
+
+ if (in)
+ {
+ /* Read the input data */
+ buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
+ if(buf_inlen <= 0)
+ {
+ BIO_printf(bio_err, "Error reading input Data\n");
+ exit(1);
+ }
+ if(rev)
+ {
+ size_t i;
+ unsigned char ctmp;
+ size_t l = (size_t)buf_inlen;
+ for(i = 0; i < l/2; i++)
+ {
+ ctmp = buf_in[i];
+ buf_in[i] = buf_in[l - 1 - i];
+ buf_in[l - 1 - i] = ctmp;
+ }
+ }
+ }
+
+ if(pkey_op == EVP_PKEY_OP_VERIFY)
+ {
+ rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
+ buf_in, (size_t)buf_inlen);
+ if (rv == 0)
+ BIO_puts(out, "Signature Verification Failure\n");
+ else if (rv == 1)
+ BIO_puts(out, "Signature Verified Successfully\n");
+ if (rv >= 0)
+ goto end;
+ }
+ else
+ {
+ rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
+ buf_in, (size_t)buf_inlen);
+ if (rv > 0)
+ {
+ buf_out = OPENSSL_malloc(buf_outlen);
+ if (!buf_out)
+ rv = -1;
+ else
+ rv = do_keyop(ctx, pkey_op,
+ buf_out, (size_t *)&buf_outlen,
+ buf_in, (size_t)buf_inlen);
+ }
+ }
+
+ if(rv <= 0)
+ {
+ BIO_printf(bio_err, "Public Key operation error\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ ret = 0;
+ if(asn1parse)
+ {
+ if(!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1))
+ ERR_print_errors(bio_err);
+ }
+ else if(hexdump)
+ BIO_dump(out, (char *)buf_out, buf_outlen);
+ else
+ BIO_write(out, buf_out, buf_outlen);
+
+ end:
+ if (ctx)
+ EVP_PKEY_CTX_free(ctx);
+ BIO_free(in);
+ BIO_free_all(out);
+ if (buf_in)
+ OPENSSL_free(buf_in);
+ if (buf_out)
+ OPENSSL_free(buf_out);
+ if (sig)
+ OPENSSL_free(sig);
+ return ret;
+}
+
+static void usage()
+{
+ BIO_printf(bio_err, "Usage: pkeyutl [options]\n");
+ BIO_printf(bio_err, "-in file input file\n");
+ BIO_printf(bio_err, "-out file output file\n");
+ BIO_printf(bio_err, "-signature file signature file (verify operation only)\n");
+ BIO_printf(bio_err, "-inkey file input key\n");
+ BIO_printf(bio_err, "-keyform arg private key format - default PEM\n");
+ BIO_printf(bio_err, "-pubin input is a public key\n");
+ BIO_printf(bio_err, "-certin input is a certificate carrying a public key\n");
+ BIO_printf(bio_err, "-pkeyopt X:Y public key options\n");
+ BIO_printf(bio_err, "-sign sign with private key\n");
+ BIO_printf(bio_err, "-verify verify with public key\n");
+ BIO_printf(bio_err, "-verifyrecover verify with public key, recover original data\n");
+ BIO_printf(bio_err, "-encrypt encrypt with public key\n");
+ BIO_printf(bio_err, "-decrypt decrypt with private key\n");
+ BIO_printf(bio_err, "-derive derive shared secret\n");
+ BIO_printf(bio_err, "-hexdump hex dump output\n");
+#ifndef OPENSSL_NO_ENGINE
+ BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
+#endif
+ BIO_printf(bio_err, "-passin arg pass phrase source\n");
+
+}
+
+static EVP_PKEY_CTX *init_ctx(int *pkeysize,
+ char *keyfile, int keyform, int key_type,
+ char *passargin, int pkey_op, ENGINE *e)
+ {
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+ char *passin = NULL;
+ int rv = -1;
+ X509 *x;
+ if(((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
+ || (pkey_op == EVP_PKEY_OP_DERIVE))
+ && (key_type != KEY_PRIVKEY))
+ {
+ BIO_printf(bio_err, "A private key is needed for this operation\n");
+ goto end;
+ }
+ if(!app_passwd(bio_err, passargin, NULL, &passin, NULL))
+ {
+ BIO_printf(bio_err, "Error getting password\n");
+ goto end;
+ }
+ switch(key_type)
+ {
+ case KEY_PRIVKEY:
+ pkey = load_key(bio_err, keyfile, keyform, 0,
+ passin, e, "Private Key");
+ break;
+
+ case KEY_PUBKEY:
+ pkey = load_pubkey(bio_err, keyfile, keyform, 0,
+ NULL, e, "Public Key");
+ break;
+
+ case KEY_CERT:
+ x = load_cert(bio_err, keyfile, keyform,
+ NULL, e, "Certificate");
+ if(x)
+ {
+ pkey = X509_get_pubkey(x);
+ X509_free(x);
+ }
+ break;
+
+ }
+
+ *pkeysize = EVP_PKEY_size(pkey);
+
+ if (!pkey)
+ goto end;
+
+ ctx = EVP_PKEY_CTX_new(pkey, e);
+
+ EVP_PKEY_free(pkey);
+
+ if (!ctx)
+ goto end;
+
+ switch(pkey_op)
+ {
+ case EVP_PKEY_OP_SIGN:
+ rv = EVP_PKEY_sign_init(ctx);
+ break;
+
+ case EVP_PKEY_OP_VERIFY:
+ rv = EVP_PKEY_verify_init(ctx);
+ break;
+
+ case EVP_PKEY_OP_VERIFYRECOVER:
+ rv = EVP_PKEY_verify_recover_init(ctx);
+ break;
+
+ case EVP_PKEY_OP_ENCRYPT:
+ rv = EVP_PKEY_encrypt_init(ctx);
+ break;
+
+ case EVP_PKEY_OP_DECRYPT:
+ rv = EVP_PKEY_decrypt_init(ctx);
+ break;
+
+ case EVP_PKEY_OP_DERIVE:
+ rv = EVP_PKEY_derive_init(ctx);
+ break;
+ }
+
+ if (rv <= 0)
+ {
+ EVP_PKEY_CTX_free(ctx);
+ ctx = NULL;
+ }
+
+ end:
+
+ if (passin)
+ OPENSSL_free(passin);
+
+ return ctx;
+
+
+ }
+
+static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
+ const char *file)
+ {
+ EVP_PKEY *peer = NULL;
+ int ret;
+ if (!ctx)
+ {
+ BIO_puts(err, "-peerkey command before -inkey\n");
+ return 0;
+ }
+
+ peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key");
+
+ if (!peer)
+ {
+ BIO_printf(bio_err, "Error reading peer key %s\n", file);
+ ERR_print_errors(err);
+ return 0;
+ }
+
+ ret = EVP_PKEY_derive_set_peer(ctx, peer);
+
+ EVP_PKEY_free(peer);
+ if (ret <= 0)
+ ERR_print_errors(err);
+ return ret;
+ }
+
+static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
+ unsigned char *out, size_t *poutlen,
+ unsigned char *in, size_t inlen)
+ {
+ int rv = 0;
+ switch(pkey_op)
+ {
+ case EVP_PKEY_OP_VERIFYRECOVER:
+ rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen);
+ break;
+
+ case EVP_PKEY_OP_SIGN:
+ rv = EVP_PKEY_sign(ctx, out, poutlen, in, inlen);
+ break;
+
+ case EVP_PKEY_OP_ENCRYPT:
+ rv = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen);
+ break;
+
+ case EVP_PKEY_OP_DECRYPT:
+ rv = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen);
+ break;
+
+ case EVP_PKEY_OP_DERIVE:
+ rv = EVP_PKEY_derive(ctx, out, poutlen);
+ break;
+
+ }
+ return rv;
+ }
diff --git a/crypto/openssl/apps/progs.h b/crypto/openssl/apps/progs.h
index 011974b216e0..aafd800bdfb4 100644
--- a/crypto/openssl/apps/progs.h
+++ b/crypto/openssl/apps/progs.h
@@ -28,6 +28,7 @@ extern int speed_main(int argc,char *argv[]);
extern int s_time_main(int argc,char *argv[]);
extern int version_main(int argc,char *argv[]);
extern int pkcs7_main(int argc,char *argv[]);
+extern int cms_main(int argc,char *argv[]);
extern int crl2pkcs7_main(int argc,char *argv[]);
extern int sess_id_main(int argc,char *argv[]);
extern int ciphers_main(int argc,char *argv[]);
@@ -109,6 +110,9 @@ FUNCTION functions[] = {
#endif
{FUNC_TYPE_GENERAL,"version",version_main},
{FUNC_TYPE_GENERAL,"pkcs7",pkcs7_main},
+#ifndef OPENSSL_NO_CMS
+ {FUNC_TYPE_GENERAL,"cms",cms_main},
+#endif
{FUNC_TYPE_GENERAL,"crl2pkcs7",crl2pkcs7_main},
{FUNC_TYPE_GENERAL,"sess_id",sess_id_main},
#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
@@ -197,6 +201,9 @@ FUNCTION functions[] = {
#ifndef OPENSSL_NO_IDEA
{FUNC_TYPE_CIPHER,"idea",enc_main},
#endif
+#ifndef OPENSSL_NO_SEED
+ {FUNC_TYPE_CIPHER,"seed",enc_main},
+#endif
#ifndef OPENSSL_NO_RC4
{FUNC_TYPE_CIPHER,"rc4",enc_main},
#endif
@@ -263,6 +270,18 @@ FUNCTION functions[] = {
#ifndef OPENSSL_NO_IDEA
{FUNC_TYPE_CIPHER,"idea-ofb",enc_main},
#endif
+#ifndef OPENSSL_NO_SEED
+ {FUNC_TYPE_CIPHER,"seed-cbc",enc_main},
+#endif
+#ifndef OPENSSL_NO_SEED
+ {FUNC_TYPE_CIPHER,"seed-ecb",enc_main},
+#endif
+#ifndef OPENSSL_NO_SEED
+ {FUNC_TYPE_CIPHER,"seed-cfb",enc_main},
+#endif
+#ifndef OPENSSL_NO_SEED
+ {FUNC_TYPE_CIPHER,"seed-ofb",enc_main},
+#endif
#ifndef OPENSSL_NO_RC2
{FUNC_TYPE_CIPHER,"rc2-cbc",enc_main},
#endif
diff --git a/crypto/openssl/apps/progs.pl b/crypto/openssl/apps/progs.pl
index 7b1de74bef8d..645432cfcc23 100644
--- a/crypto/openssl/apps/progs.pl
+++ b/crypto/openssl/apps/progs.pl
@@ -43,6 +43,8 @@ foreach (@ARGV)
{ print "#ifndef OPENSSL_NO_DH\n${str}#endif\n"; }
elsif ( ($_ =~ /^pkcs12$/))
{ print "#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)\n${str}#endif\n"; }
+ elsif ( ($_ =~ /^cms$/))
+ { print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n"; }
else
{ print $str; }
}
@@ -61,13 +63,14 @@ foreach (
"camellia-192-cbc", "camellia-192-ecb",
"camellia-256-cbc", "camellia-256-ecb",
"base64",
- "des", "des3", "desx", "idea", "rc4", "rc4-40",
+ "des", "des3", "desx", "idea", "seed", "rc4", "rc4-40",
"rc2", "bf", "cast", "rc5",
"des-ecb", "des-ede", "des-ede3",
"des-cbc", "des-ede-cbc","des-ede3-cbc",
"des-cfb", "des-ede-cfb","des-ede3-cfb",
"des-ofb", "des-ede-ofb","des-ede3-ofb",
- "idea-cbc","idea-ecb", "idea-cfb", "idea-ofb",
+ "idea-cbc","idea-ecb", "idea-cfb", "idea-ofb",
+ "seed-cbc","seed-ecb", "seed-cfb", "seed-ofb",
"rc2-cbc", "rc2-ecb", "rc2-cfb","rc2-ofb", "rc2-64-cbc", "rc2-40-cbc",
"bf-cbc", "bf-ecb", "bf-cfb", "bf-ofb",
"cast5-cbc","cast5-ecb", "cast5-cfb","cast5-ofb",
@@ -80,6 +83,7 @@ foreach (
elsif ($_ =~ /aes/) { $t="#ifndef OPENSSL_NO_AES\n${t}#endif\n"; }
elsif ($_ =~ /camellia/) { $t="#ifndef OPENSSL_NO_CAMELLIA\n${t}#endif\n"; }
elsif ($_ =~ /idea/) { $t="#ifndef OPENSSL_NO_IDEA\n${t}#endif\n"; }
+ elsif ($_ =~ /seed/) { $t="#ifndef OPENSSL_NO_SEED\n${t}#endif\n"; }
elsif ($_ =~ /rc4/) { $t="#ifndef OPENSSL_NO_RC4\n${t}#endif\n"; }
elsif ($_ =~ /rc2/) { $t="#ifndef OPENSSL_NO_RC2\n${t}#endif\n"; }
elsif ($_ =~ /bf/) { $t="#ifndef OPENSSL_NO_BF\n${t}#endif\n"; }
diff --git a/crypto/openssl/apps/rand.c b/crypto/openssl/apps/rand.c
index a893896033a8..44a1d46a03cd 100644
--- a/crypto/openssl/apps/rand.c
+++ b/crypto/openssl/apps/rand.c
@@ -68,7 +68,8 @@
/* -out file - write to file
* -rand file:file - PRNG seed files
- * -base64 - encode output
+ * -base64 - base64 encode output
+ * -hex - hex encode output
* num - write 'num' bytes
*/
@@ -84,6 +85,7 @@ int MAIN(int argc, char **argv)
char *outfile = NULL;
char *inrand = NULL;
int base64 = 0;
+ int hex = 0;
BIO *out = NULL;
int num = -1;
#ifndef OPENSSL_NO_ENGINE
@@ -133,6 +135,13 @@ int MAIN(int argc, char **argv)
else
badopt = 1;
}
+ else if (strcmp(argv[i], "-hex") == 0)
+ {
+ if (!hex)
+ hex = 1;
+ else
+ badopt = 1;
+ }
else if (isdigit((unsigned char)argv[i][0]))
{
if (num < 0)
@@ -148,6 +157,9 @@ int MAIN(int argc, char **argv)
badopt = 1;
}
+ if (hex && base64)
+ badopt = 1;
+
if (num < 0)
badopt = 1;
@@ -160,7 +172,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "-engine e - use engine e, possibly a hardware device.\n");
#endif
BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
- BIO_printf(bio_err, "-base64 - encode output\n");
+ BIO_printf(bio_err, "-base64 - base64 encode output\n");
+ BIO_printf(bio_err, "-hex - hex encode output\n");
goto err;
}
@@ -210,10 +223,18 @@ int MAIN(int argc, char **argv)
r = RAND_bytes(buf, chunk);
if (r <= 0)
goto err;
- BIO_write(out, buf, chunk);
+ if (!hex)
+ BIO_write(out, buf, chunk);
+ else
+ {
+ for (i = 0; i < chunk; i++)
+ BIO_printf(out, "%02x", buf[i]);
+ }
num -= chunk;
}
- BIO_flush(out);
+ if (hex)
+ BIO_puts(out, "\n");
+ (void)BIO_flush(out);
app_RAND_write_file(NULL, bio_err);
ret = 0;
diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c
index f58e65ec852f..5ed08960c1dc 100644
--- a/crypto/openssl/apps/req.c
+++ b/crypto/openssl/apps/req.c
@@ -719,8 +719,7 @@ bad:
message */
goto end;
}
- if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA ||
- EVP_PKEY_type(pkey->type) == EVP_PKEY_EC)
+ else
{
char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
if (randfile == NULL)
diff --git a/crypto/openssl/apps/rsa.c b/crypto/openssl/apps/rsa.c
index cf09a190cab3..930f1f038aba 100644
--- a/crypto/openssl/apps/rsa.c
+++ b/crypto/openssl/apps/rsa.c
@@ -81,6 +81,7 @@
* -des - encrypt output if PEM format with DES in cbc mode
* -des3 - encrypt output if PEM format
* -idea - encrypt output if PEM format
+ * -seed - encrypt output if PEM format
* -aes128 - encrypt output if PEM format
* -aes192 - encrypt output if PEM format
* -aes256 - encrypt output if PEM format
@@ -211,6 +212,9 @@ bad:
#ifndef OPENSSL_NO_IDEA
BIO_printf(bio_err," -idea encrypt PEM output with cbc idea\n");
#endif
+#ifndef OPENSSL_NO_SEED
+ BIO_printf(bio_err," -seed encrypt PEM output with cbc seed\n");
+#endif
#ifndef OPENSSL_NO_AES
BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
BIO_printf(bio_err," encrypt PEM output with cbc aes\n");
diff --git a/crypto/openssl/apps/rsautl.c b/crypto/openssl/apps/rsautl.c
index 463890950e1f..923e2b682f96 100644
--- a/crypto/openssl/apps/rsautl.c
+++ b/crypto/openssl/apps/rsautl.c
@@ -1,5 +1,5 @@
/* rsautl.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/
/* ====================================================================
@@ -119,24 +119,36 @@ int MAIN(int argc, char **argv)
while(argc >= 1)
{
if (!strcmp(*argv,"-in")) {
- if (--argc < 1) badarg = 1;
- infile= *(++argv);
+ if (--argc < 1)
+ badarg = 1;
+ else
+ infile= *(++argv);
} else if (!strcmp(*argv,"-out")) {
- if (--argc < 1) badarg = 1;
- outfile= *(++argv);
+ if (--argc < 1)
+ badarg = 1;
+ else
+ outfile= *(++argv);
} else if(!strcmp(*argv, "-inkey")) {
- if (--argc < 1) badarg = 1;
- keyfile = *(++argv);
+ if (--argc < 1)
+ badarg = 1;
+ else
+ keyfile = *(++argv);
} else if (!strcmp(*argv,"-passin")) {
- if (--argc < 1) badarg = 1;
- passargin= *(++argv);
+ if (--argc < 1)
+ badarg = 1;
+ else
+ passargin= *(++argv);
} else if (strcmp(*argv,"-keyform") == 0) {
- if (--argc < 1) badarg = 1;
- keyform=str2fmt(*(++argv));
+ if (--argc < 1)
+ badarg = 1;
+ else
+ keyform=str2fmt(*(++argv));
#ifndef OPENSSL_NO_ENGINE
} else if(!strcmp(*argv, "-engine")) {
- if (--argc < 1) badarg = 1;
- engine = *(++argv);
+ if (--argc < 1)
+ badarg = 1;
+ else
+ engine = *(++argv);
#endif
} else if(!strcmp(*argv, "-pubin")) {
key_type = KEY_PUBKEY;
diff --git a/crypto/openssl/apps/s_apps.h b/crypto/openssl/apps/s_apps.h
index 886a95a2b8ce..08fbbc222964 100644
--- a/crypto/openssl/apps/s_apps.h
+++ b/crypto/openssl/apps/s_apps.h
@@ -167,4 +167,7 @@ long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
#ifdef HEADER_SSL_H
void MS_CALLBACK apps_ssl_info_callback(const SSL *s, int where, int ret);
void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
+void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
+ unsigned char *data, int len,
+ void *arg);
#endif
diff --git a/crypto/openssl/apps/s_cb.c b/crypto/openssl/apps/s_cb.c
index 9a35d46adc28..a512589e8c87 100644
--- a/crypto/openssl/apps/s_cb.c
+++ b/crypto/openssl/apps/s_cb.c
@@ -573,5 +573,64 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
BIO_printf(bio, " ...");
BIO_printf(bio, "\n");
}
- BIO_flush(bio);
+ (void)BIO_flush(bio);
+ }
+
+void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
+ unsigned char *data, int len,
+ void *arg)
+ {
+ BIO *bio = arg;
+ char *extname;
+
+ switch(type)
+ {
+ case TLSEXT_TYPE_server_name:
+ extname = "server name";
+ break;
+
+ case TLSEXT_TYPE_max_fragment_length:
+ extname = "max fragment length";
+ break;
+
+ case TLSEXT_TYPE_client_certificate_url:
+ extname = "client certificate URL";
+ break;
+
+ case TLSEXT_TYPE_trusted_ca_keys:
+ extname = "trusted CA keys";
+ break;
+
+ case TLSEXT_TYPE_truncated_hmac:
+ extname = "truncated HMAC";
+ break;
+
+ case TLSEXT_TYPE_status_request:
+ extname = "status request";
+ break;
+
+ case TLSEXT_TYPE_elliptic_curves:
+ extname = "elliptic curves";
+ break;
+
+ case TLSEXT_TYPE_ec_point_formats:
+ extname = "EC point formats";
+ break;
+
+ case TLSEXT_TYPE_session_ticket:
+ extname = "server ticket";
+ break;
+
+
+ default:
+ extname = "unknown";
+ break;
+
+ }
+
+ BIO_printf(bio, "TLS %s extension \"%s\" (id=%d), len=%d\n",
+ client_server ? "server": "client",
+ extname, type, len);
+ BIO_dump(bio, (char *)data, len);
+ (void)BIO_flush(bio);
}
diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c
index 3f302c5f140d..4974f5fc935b 100644
--- a/crypto/openssl/apps/s_client.c
+++ b/crypto/openssl/apps/s_client.c
@@ -134,6 +134,7 @@ typedef unsigned int u_int;
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
+#include <openssl/ocsp.h>
#include "s_apps.h"
#include "timeouts.h"
@@ -171,11 +172,18 @@ static int c_nbio=0;
#endif
static int c_Pause=0;
static int c_debug=0;
+#ifndef OPENSSL_NO_TLSEXT
+static int c_tlsextdebug=0;
+static int c_status_req=0;
+#endif
static int c_msg=0;
static int c_showcerts=0;
static void sc_usage(void);
static void print_stuff(BIO *berr,SSL *con,int full);
+#ifndef OPENSSL_NO_TLSEXT
+static int ocsp_resp_cb(SSL *s, void *arg);
+#endif
static BIO *bio_c_out=NULL;
static int c_quiet=0;
static int c_ign_eof=0;
@@ -213,6 +221,7 @@ static void sc_usage(void)
BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
BIO_printf(bio_err," -quiet - no s_client output\n");
BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
+ BIO_printf(bio_err," -no_ign_eof - don't ignore input eof\n");
BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
BIO_printf(bio_err," -tls1 - just use TLSv1\n");
@@ -226,21 +235,51 @@ static void sc_usage(void)
BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
BIO_printf(bio_err," for those protocols that support it, where\n");
BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
- BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", and \"ftp\" are supported.\n");
+ BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
+ BIO_printf(bio_err," are supported.\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
#endif
BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
-
+ BIO_printf(bio_err," -sess_out arg - file to write SSL session to\n");
+ BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n");
+#ifndef OPENSSL_NO_TLSEXT
+ BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n");
+ BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
+ BIO_printf(bio_err," -status - request certificate status from server\n");
+ BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
+#endif
}
+#ifndef OPENSSL_NO_TLSEXT
+
+/* This is a context that we pass to callbacks */
+typedef struct tlsextctx_st {
+ BIO * biodebug;
+ int ack;
+} tlsextctx;
+
+
+static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
+ {
+ tlsextctx * p = (tlsextctx *) arg;
+ const char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+ if (SSL_get_servername_type(s) != -1)
+ p->ack = !SSL_session_reused(s) && hn != NULL;
+ else
+ BIO_printf(bio_err,"Can't use SSL_get_servername\n");
+
+ return SSL_TLSEXT_ERR_OK;
+ }
+#endif
enum
{
PROTO_OFF = 0,
PROTO_SMTP,
PROTO_POP3,
PROTO_IMAP,
- PROTO_FTP
+ PROTO_FTP,
+ PROTO_XMPP
};
int MAIN(int, char **);
@@ -281,16 +320,28 @@ int MAIN(int argc, char **argv)
int mbuf_len=0;
#ifndef OPENSSL_NO_ENGINE
char *engine_id=NULL;
- ENGINE *e=NULL;
+ char *ssl_client_engine_id=NULL;
+ ENGINE *ssl_client_engine=NULL;
#endif
+ ENGINE *e=NULL;
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
struct timeval tv;
#endif
+#ifndef OPENSSL_NO_TLSEXT
+ char *servername = NULL;
+ tlsextctx tlsextcbp =
+ {NULL,0};
+#endif
+ char *sess_in = NULL;
+ char *sess_out = NULL;
struct sockaddr peer;
int peerlen = sizeof(peer);
int enable_timeouts = 0 ;
long mtu = 0;
+#ifndef OPENSSL_NO_JPAKE
+ char *jpake_secret = NULL;
+#endif
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_client_method();
@@ -361,6 +412,16 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad;
cert_file= *(++argv);
}
+ else if (strcmp(*argv,"-sess_out") == 0)
+ {
+ if (--argc < 1) goto bad;
+ sess_out = *(++argv);
+ }
+ else if (strcmp(*argv,"-sess_in") == 0)
+ {
+ if (--argc < 1) goto bad;
+ sess_in = *(++argv);
+ }
else if (strcmp(*argv,"-certform") == 0)
{
if (--argc < 1) goto bad;
@@ -381,10 +442,18 @@ int MAIN(int argc, char **argv)
}
else if (strcmp(*argv,"-ign_eof") == 0)
c_ign_eof=1;
+ else if (strcmp(*argv,"-no_ign_eof") == 0)
+ c_ign_eof=0;
else if (strcmp(*argv,"-pause") == 0)
c_Pause=1;
else if (strcmp(*argv,"-debug") == 0)
c_debug=1;
+#ifndef OPENSSL_NO_TLSEXT
+ else if (strcmp(*argv,"-tlsextdebug") == 0)
+ c_tlsextdebug=1;
+ else if (strcmp(*argv,"-status") == 0)
+ c_status_req=1;
+#endif
#ifdef WATT32
else if (strcmp(*argv,"-wdebug") == 0)
dbug_init();
@@ -460,6 +529,10 @@ int MAIN(int argc, char **argv)
off|=SSL_OP_NO_SSLv3;
else if (strcmp(*argv,"-no_ssl2") == 0)
off|=SSL_OP_NO_SSLv2;
+#ifndef OPENSSL_NO_TLSEXT
+ else if (strcmp(*argv,"-no_ticket") == 0)
+ { off|=SSL_OP_NO_TICKET; }
+#endif
else if (strcmp(*argv,"-serverpref") == 0)
off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
else if (strcmp(*argv,"-cipher") == 0)
@@ -483,6 +556,8 @@ int MAIN(int argc, char **argv)
starttls_proto = PROTO_IMAP;
else if (strcmp(*argv,"ftp") == 0)
starttls_proto = PROTO_FTP;
+ else if (strcmp(*argv, "xmpp") == 0)
+ starttls_proto = PROTO_XMPP;
else
goto bad;
}
@@ -492,12 +567,32 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad;
engine_id = *(++argv);
}
+ else if (strcmp(*argv,"-ssl_client_engine") == 0)
+ {
+ if (--argc < 1) goto bad;
+ ssl_client_engine_id = *(++argv);
+ }
#endif
else if (strcmp(*argv,"-rand") == 0)
{
if (--argc < 1) goto bad;
inrand= *(++argv);
}
+#ifndef OPENSSL_NO_TLSEXT
+ else if (strcmp(*argv,"-servername") == 0)
+ {
+ if (--argc < 1) goto bad;
+ servername= *(++argv);
+ /* meth=TLSv1_client_method(); */
+ }
+#endif
+#ifndef OPENSSL_NO_JPAKE
+ else if (strcmp(*argv,"-jpake") == 0)
+ {
+ if (--argc < 1) goto bad;
+ jpake_secret = *++argv;
+ }
+#endif
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -519,6 +614,16 @@ bad:
#ifndef OPENSSL_NO_ENGINE
e = setup_engine(bio_err, engine_id, 1);
+ if (ssl_client_engine_id)
+ {
+ ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
+ if (!ssl_client_engine)
+ {
+ BIO_printf(bio_err,
+ "Error getting client auth engine\n");
+ goto end;
+ }
+ }
#endif
if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
{
@@ -586,6 +691,20 @@ bad:
goto end;
}
+#ifndef OPENSSL_NO_ENGINE
+ if (ssl_client_engine)
+ {
+ if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
+ {
+ BIO_puts(bio_err, "Error setting client auth engine\n");
+ ERR_print_errors(bio_err);
+ ENGINE_free(ssl_client_engine);
+ goto end;
+ }
+ ENGINE_free(ssl_client_engine);
+ }
+#endif
+
if (bugs)
SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
else
@@ -621,8 +740,51 @@ bad:
store = SSL_CTX_get_cert_store(ctx);
X509_STORE_set_flags(store, vflags);
+#ifndef OPENSSL_NO_TLSEXT
+ if (servername != NULL)
+ {
+ tlsextcbp.biodebug = bio_err;
+ SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
+ SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
+ }
+#endif
con=SSL_new(ctx);
+ if (sess_in)
+ {
+ SSL_SESSION *sess;
+ BIO *stmp = BIO_new_file(sess_in, "r");
+ if (!stmp)
+ {
+ BIO_printf(bio_err, "Can't open session file %s\n",
+ sess_in);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
+ BIO_free(stmp);
+ if (!sess)
+ {
+ BIO_printf(bio_err, "Can't open session file %s\n",
+ sess_in);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ SSL_set_session(con, sess);
+ SSL_SESSION_free(sess);
+ }
+#ifndef OPENSSL_NO_TLSEXT
+ if (servername != NULL)
+ {
+ if (!SSL_set_tlsext_host_name(con,servername))
+ {
+ BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+#endif
+
#ifndef OPENSSL_NO_KRB5
if (con && (con->kssl_ctx = kssl_ctx_new()) != NULL)
{
@@ -668,7 +830,7 @@ re_start:
goto end;
}
- BIO_ctrl_set_connected(sbio, 1, &peer);
+ (void)BIO_ctrl_set_connected(sbio, 1, &peer);
if ( enable_timeouts)
{
@@ -693,8 +855,6 @@ re_start:
else
sbio=BIO_new_socket(s,BIO_NOCLOSE);
-
-
if (nbio_test)
{
BIO *test;
@@ -714,6 +874,34 @@ re_start:
SSL_set_msg_callback(con, msg_cb);
SSL_set_msg_callback_arg(con, bio_c_out);
}
+#ifndef OPENSSL_NO_TLSEXT
+ if (c_tlsextdebug)
+ {
+ SSL_set_tlsext_debug_callback(con, tlsext_cb);
+ SSL_set_tlsext_debug_arg(con, bio_c_out);
+ }
+ if (c_status_req)
+ {
+ SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
+ SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
+ SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
+#if 0
+{
+STACK_OF(OCSP_RESPID) *ids = sk_OCSP_RESPID_new_null();
+OCSP_RESPID *id = OCSP_RESPID_new();
+id->value.byKey = ASN1_OCTET_STRING_new();
+id->type = V_OCSP_RESPID_KEY;
+ASN1_STRING_set(id->value.byKey, "Hello World", -1);
+sk_OCSP_RESPID_push(ids, id);
+SSL_set_tlsext_status_ids(con, ids);
+}
+#endif
+ }
+#endif
+#ifndef OPENSSL_NO_JPAKE
+ if (jpake_secret)
+ jpake_client_auth(bio_c_out, sbio, jpake_secret);
+#endif
SSL_set_bio(con,sbio,sbio);
SSL_set_connect_state(con);
@@ -752,7 +940,7 @@ re_start:
while (mbuf_len>3 && mbuf[3]=='-');
/* STARTTLS command requires EHLO... */
BIO_printf(fbio,"EHLO openssl.client.net\r\n");
- BIO_flush(fbio);
+ (void)BIO_flush(fbio);
/* wait for multi-line response to end EHLO SMTP response */
do
{
@@ -761,7 +949,7 @@ re_start:
foundit=1;
}
while (mbuf_len>3 && mbuf[3]=='-');
- BIO_flush(fbio);
+ (void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
if (!foundit)
@@ -785,7 +973,7 @@ re_start:
BIO_gets(fbio,mbuf,BUFSIZZ);
/* STARTTLS command requires CAPABILITY... */
BIO_printf(fbio,". CAPABILITY\r\n");
- BIO_flush(fbio);
+ (void)BIO_flush(fbio);
/* wait for multi-line CAPABILITY response */
do
{
@@ -794,7 +982,7 @@ re_start:
foundit=1;
}
while (mbuf_len>3 && mbuf[0]!='.');
- BIO_flush(fbio);
+ (void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
if (!foundit)
@@ -814,12 +1002,34 @@ re_start:
mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
}
while (mbuf_len>3 && mbuf[3]=='-');
- BIO_flush(fbio);
+ (void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
BIO_printf(sbio,"AUTH TLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
+ if (starttls_proto == PROTO_XMPP)
+ {
+ int seen = 0;
+ BIO_printf(sbio,"<stream:stream "
+ "xmlns:stream='http://etherx.jabber.org/streams' "
+ "xmlns='jabber:client' to='%s' version='1.0'>", host);
+ seen = BIO_read(sbio,mbuf,BUFSIZZ);
+ mbuf[seen] = 0;
+ while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
+ {
+ if (strstr(mbuf, "/stream:features>"))
+ goto shut;
+ seen = BIO_read(sbio,mbuf,BUFSIZZ);
+ mbuf[seen] = 0;
+ }
+ BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
+ seen = BIO_read(sbio,sbuf,BUFSIZZ);
+ sbuf[seen] = 0;
+ if (!strstr(sbuf, "<proceed"))
+ goto shut;
+ mbuf[0] = 0;
+ }
for (;;)
{
@@ -837,6 +1047,17 @@ re_start:
if (in_init)
{
in_init=0;
+ if (sess_out)
+ {
+ BIO *stmp = BIO_new_file(sess_out, "w");
+ if (stmp)
+ {
+ PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con));
+ BIO_free(stmp);
+ }
+ else
+ BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
+ }
print_stuff(bio_c_out,con,full_log);
if (full_log > 0) full_log--;
@@ -1303,6 +1524,34 @@ static void print_stuff(BIO *bio, SSL *s, int full)
if (peer != NULL)
X509_free(peer);
/* flush, or debugging output gets mixed with http response */
- BIO_flush(bio);
+ (void)BIO_flush(bio);
}
+#ifndef OPENSSL_NO_TLSEXT
+
+static int ocsp_resp_cb(SSL *s, void *arg)
+ {
+ const unsigned char *p;
+ int len;
+ OCSP_RESPONSE *rsp;
+ len = SSL_get_tlsext_status_ocsp_resp(s, &p);
+ BIO_puts(arg, "OCSP response: ");
+ if (!p)
+ {
+ BIO_puts(arg, "no response sent\n");
+ return 1;
+ }
+ rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
+ if (!rsp)
+ {
+ BIO_puts(arg, "response parse error\n");
+ BIO_dump_indent(arg, (char *)p, len, 4);
+ return 0;
+ }
+ BIO_puts(arg, "\n======================================\n");
+ OCSP_RESPONSE_print(arg, rsp, 0);
+ BIO_puts(arg, "======================================\n");
+ OCSP_RESPONSE_free(rsp);
+ return 1;
+ }
+#endif /* ndef OPENSSL_NO_TLSEXT */
diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c
index 6c433e63fd64..84b1b284613f 100644
--- a/crypto/openssl/apps/s_server.c
+++ b/crypto/openssl/apps/s_server.c
@@ -153,6 +153,7 @@ typedef unsigned int u_int;
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/rand.h>
+#include <openssl/ocsp.h>
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
@@ -238,6 +239,9 @@ static int bufsize=BUFSIZZ;
static int accept_socket= -1;
#define TEST_CERT "server.pem"
+#ifndef OPENSSL_NO_TLSEXT
+#define TEST_CERT2 "server2.pem"
+#endif
#undef PROG
#define PROG s_server_main
@@ -247,6 +251,9 @@ static char *cipher=NULL;
static int s_server_verify=SSL_VERIFY_NONE;
static int s_server_session_id_context = 1; /* anything will do */
static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
+#ifndef OPENSSL_NO_TLSEXT
+static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
+#endif
static char *s_dcert_file=NULL,*s_dkey_file=NULL;
#ifdef FIONBIO
static int s_nbio=0;
@@ -254,10 +261,18 @@ static int s_nbio=0;
static int s_nbio_test=0;
int s_crlf=0;
static SSL_CTX *ctx=NULL;
+#ifndef OPENSSL_NO_TLSEXT
+static SSL_CTX *ctx2=NULL;
+#endif
static int www=0;
static BIO *bio_s_out=NULL;
static int s_debug=0;
+#ifndef OPENSSL_NO_TLSEXT
+static int s_tlsextdebug=0;
+static int s_tlsextstatus=0;
+static int cert_status_cb(SSL *s, void *arg);
+#endif
static int s_msg=0;
static int s_quiet=0;
@@ -285,6 +300,11 @@ static void s_server_init(void)
s_dkey_file=NULL;
s_cert_file=TEST_CERT;
s_key_file=NULL;
+#ifndef OPENSSL_NO_TLSEXT
+ s_cert_file2=TEST_CERT2;
+ s_key_file2=NULL;
+ ctx2=NULL;
+#endif
#ifdef FIONBIO
s_nbio=0;
#endif
@@ -313,6 +333,11 @@ static void sv_usage(void)
BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n");
BIO_printf(bio_err," -cert arg - certificate file to use\n");
BIO_printf(bio_err," (default is %s)\n",TEST_CERT);
+ BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \
+ " The CRL(s) are appended to the certificate file\n");
+ BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \
+ " or any other CRL in the CA chain. CRL(s) are appened to the\n" \
+ " the certificate file.\n");
BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
BIO_printf(bio_err," -key arg - Private Key file to use, in cert file if\n");
BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT);
@@ -371,6 +396,16 @@ static void sv_usage(void)
#endif
BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+#ifndef OPENSSL_NO_TLSEXT
+ BIO_printf(bio_err," -servername host - servername for HostName TLS extension\n");
+ BIO_printf(bio_err," -servername_fatal - on mismatch send fatal alert (default warning alert)\n");
+ BIO_printf(bio_err," -cert2 arg - certificate file to use for servername\n");
+ BIO_printf(bio_err," (default is %s)\n",TEST_CERT2);
+ BIO_printf(bio_err," -key2 arg - Private Key file to use for servername, in cert file if\n");
+ BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2);
+ BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
+ BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
+#endif
}
static int local_argc=0;
@@ -526,8 +561,191 @@ static int ebcdic_puts(BIO *bp, const char *str)
}
#endif
+#ifndef OPENSSL_NO_TLSEXT
+
+/* This is a context that we pass to callbacks */
+typedef struct tlsextctx_st {
+ char * servername;
+ BIO * biodebug;
+ int extension_error;
+} tlsextctx;
+
+
+static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
+ {
+ tlsextctx * p = (tlsextctx *) arg;
+ const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+ if (servername && p->biodebug)
+ BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername);
+
+ if (!p->servername)
+ return SSL_TLSEXT_ERR_NOACK;
+
+ if (servername)
+ {
+ if (strcmp(servername,p->servername))
+ return p->extension_error;
+ if (ctx2)
+ {
+ BIO_printf(p->biodebug,"Swiching server context.\n");
+ SSL_set_SSL_CTX(s,ctx2);
+ }
+ }
+ return SSL_TLSEXT_ERR_OK;
+}
+
+/* Structure passed to cert status callback */
+
+typedef struct tlsextstatusctx_st {
+ /* Default responder to use */
+ char *host, *path, *port;
+ int use_ssl;
+ int timeout;
+ BIO *err;
+ int verbose;
+} tlsextstatusctx;
+
+static tlsextstatusctx tlscstatp = {NULL, NULL, NULL, 0, -1, NULL, 0};
+
+/* Certificate Status callback. This is called when a client includes a
+ * certificate status request extension.
+ *
+ * This is a simplified version. It examines certificates each time and
+ * makes one OCSP responder query for each request.
+ *
+ * A full version would store details such as the OCSP certificate IDs and
+ * minimise the number of OCSP responses by caching them until they were
+ * considered "expired".
+ */
+
+static int cert_status_cb(SSL *s, void *arg)
+ {
+ tlsextstatusctx *srctx = arg;
+ BIO *err = srctx->err;
+ char *host, *port, *path;
+ int use_ssl;
+ unsigned char *rspder = NULL;
+ int rspderlen;
+ STACK *aia = NULL;
+ X509 *x = NULL;
+ X509_STORE_CTX inctx;
+ X509_OBJECT obj;
+ OCSP_REQUEST *req = NULL;
+ OCSP_RESPONSE *resp = NULL;
+ OCSP_CERTID *id = NULL;
+ STACK_OF(X509_EXTENSION) *exts;
+ int ret = SSL_TLSEXT_ERR_NOACK;
+ int i;
+#if 0
+STACK_OF(OCSP_RESPID) *ids;
+SSL_get_tlsext_status_ids(s, &ids);
+BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
+#endif
+ if (srctx->verbose)
+ BIO_puts(err, "cert_status: callback called\n");
+ /* Build up OCSP query from server certificate */
+ x = SSL_get_certificate(s);
+ aia = X509_get1_ocsp(x);
+ if (aia)
+ {
+ if (!OCSP_parse_url(sk_value(aia, 0),
+ &host, &port, &path, &use_ssl))
+ {
+ BIO_puts(err, "cert_status: can't parse AIA URL\n");
+ goto err;
+ }
+ if (srctx->verbose)
+ BIO_printf(err, "cert_status: AIA URL: %s\n",
+ sk_value(aia, 0));
+ }
+ else
+ {
+ if (!srctx->host)
+ {
+ BIO_puts(srctx->err, "cert_status: no AIA and no default responder URL\n");
+ goto done;
+ }
+ host = srctx->host;
+ path = srctx->path;
+ port = srctx->port;
+ use_ssl = srctx->use_ssl;
+ }
+
+ if (!X509_STORE_CTX_init(&inctx,
+ SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
+ NULL, NULL))
+ goto err;
+ if (X509_STORE_get_by_subject(&inctx,X509_LU_X509,
+ X509_get_issuer_name(x),&obj) <= 0)
+ {
+ BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n");
+ X509_STORE_CTX_cleanup(&inctx);
+ goto done;
+ }
+ req = OCSP_REQUEST_new();
+ if (!req)
+ goto err;
+ id = OCSP_cert_to_id(NULL, x, obj.data.x509);
+ X509_free(obj.data.x509);
+ X509_STORE_CTX_cleanup(&inctx);
+ if (!id)
+ goto err;
+ if (!OCSP_request_add0_id(req, id))
+ goto err;
+ id = NULL;
+ /* Add any extensions to the request */
+ SSL_get_tlsext_status_exts(s, &exts);
+ for (i = 0; i < sk_X509_EXTENSION_num(exts); i++)
+ {
+ X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
+ if (!OCSP_REQUEST_add_ext(req, ext, -1))
+ goto err;
+ }
+ resp = process_responder(err, req, host, path, port, use_ssl,
+ srctx->timeout);
+ if (!resp)
+ {
+ BIO_puts(err, "cert_status: error querying responder\n");
+ goto done;
+ }
+ rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
+ if (rspderlen <= 0)
+ goto err;
+ SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen);
+ if (srctx->verbose)
+ {
+ BIO_puts(err, "cert_status: ocsp response sent:\n");
+ OCSP_RESPONSE_print(err, resp, 2);
+ }
+ ret = SSL_TLSEXT_ERR_OK;
+ done:
+ if (ret != SSL_TLSEXT_ERR_OK)
+ ERR_print_errors(err);
+ if (aia)
+ {
+ OPENSSL_free(host);
+ OPENSSL_free(path);
+ OPENSSL_free(port);
+ X509_email_free(aia);
+ }
+ if (id)
+ OCSP_CERTID_free(id);
+ if (req)
+ OCSP_REQUEST_free(req);
+ if (resp)
+ OCSP_RESPONSE_free(resp);
+ return ret;
+ err:
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ goto done;
+ }
+#endif
int MAIN(int, char **);
+#ifndef OPENSSL_NO_JPAKE
+static char *jpake_secret = NULL;
+#endif
+
int MAIN(int argc, char *argv[])
{
X509_STORE *store = NULL;
@@ -545,13 +763,8 @@ int MAIN(int argc, char *argv[])
int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0;
int state=0;
SSL_METHOD *meth=NULL;
-#ifdef sock_type
-#undef sock_type
-#endif
- int sock_type=SOCK_STREAM;
-#ifndef OPENSSL_NO_ENGINE
+ int socket_type=SOCK_STREAM;
ENGINE *e=NULL;
-#endif
char *inrand=NULL;
int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
char *passarg = NULL, *pass = NULL;
@@ -559,6 +772,13 @@ int MAIN(int argc, char *argv[])
int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
X509 *s_cert = NULL, *s_dcert = NULL;
EVP_PKEY *s_key = NULL, *s_dkey = NULL;
+#ifndef OPENSSL_NO_TLSEXT
+ EVP_PKEY *s_key2 = NULL;
+ X509 *s_cert2 = NULL;
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+ tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
+#endif
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_server_method();
@@ -695,7 +915,7 @@ int MAIN(int argc, char *argv[])
{
vflags |= X509_V_FLAG_CRL_CHECK;
}
- else if (strcmp(*argv,"-crl_check") == 0)
+ else if (strcmp(*argv,"-crl_check_all") == 0)
{
vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
}
@@ -724,6 +944,37 @@ int MAIN(int argc, char *argv[])
}
else if (strcmp(*argv,"-debug") == 0)
{ s_debug=1; }
+#ifndef OPENSSL_NO_TLSEXT
+ else if (strcmp(*argv,"-tlsextdebug") == 0)
+ s_tlsextdebug=1;
+ else if (strcmp(*argv,"-status") == 0)
+ s_tlsextstatus=1;
+ else if (strcmp(*argv,"-status_verbose") == 0)
+ {
+ s_tlsextstatus=1;
+ tlscstatp.verbose = 1;
+ }
+ else if (!strcmp(*argv, "-status_timeout"))
+ {
+ s_tlsextstatus=1;
+ if (--argc < 1) goto bad;
+ tlscstatp.timeout = atoi(*(++argv));
+ }
+ else if (!strcmp(*argv, "-status_url"))
+ {
+ s_tlsextstatus=1;
+ if (--argc < 1) goto bad;
+ if (!OCSP_parse_url(*(++argv),
+ &tlscstatp.host,
+ &tlscstatp.port,
+ &tlscstatp.path,
+ &tlscstatp.use_ssl))
+ {
+ BIO_printf(bio_err, "Error parsing URL\n");
+ goto bad;
+ }
+ }
+#endif
else if (strcmp(*argv,"-msg") == 0)
{ s_msg=1; }
else if (strcmp(*argv,"-hack") == 0)
@@ -754,6 +1005,10 @@ int MAIN(int argc, char *argv[])
{ off|=SSL_OP_NO_SSLv3; }
else if (strcmp(*argv,"-no_tls1") == 0)
{ off|=SSL_OP_NO_TLSv1; }
+#ifndef OPENSSL_NO_TLSEXT
+ else if (strcmp(*argv,"-no_ticket") == 0)
+ { off|=SSL_OP_NO_TICKET; }
+#endif
#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv,"-ssl2") == 0)
{ meth=SSLv2_server_method(); }
@@ -770,7 +1025,7 @@ int MAIN(int argc, char *argv[])
else if (strcmp(*argv,"-dtls1") == 0)
{
meth=DTLSv1_server_method();
- sock_type = SOCK_DGRAM;
+ socket_type = SOCK_DGRAM;
}
else if (strcmp(*argv,"-timeout") == 0)
enable_timeouts = 1;
@@ -799,6 +1054,33 @@ int MAIN(int argc, char *argv[])
if (--argc < 1) goto bad;
inrand= *(++argv);
}
+#ifndef OPENSSL_NO_TLSEXT
+ else if (strcmp(*argv,"-servername") == 0)
+ {
+ if (--argc < 1) goto bad;
+ tlsextcbp.servername= *(++argv);
+ }
+ else if (strcmp(*argv,"-servername_fatal") == 0)
+ { tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL; }
+ else if (strcmp(*argv,"-cert2") == 0)
+ {
+ if (--argc < 1) goto bad;
+ s_cert_file2= *(++argv);
+ }
+ else if (strcmp(*argv,"-key2") == 0)
+ {
+ if (--argc < 1) goto bad;
+ s_key_file2= *(++argv);
+ }
+
+#endif
+#ifndef OPENSSL_NO_JPAKE
+ else if (strcmp(*argv,"-jpake") == 0)
+ {
+ if (--argc < 1) goto bad;
+ jpake_secret = *(++argv);
+ }
+#endif
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -831,6 +1113,10 @@ bad:
if (s_key_file == NULL)
s_key_file = s_cert_file;
+#ifndef OPENSSL_NO_TLSEXT
+ if (s_key_file2 == NULL)
+ s_key_file2 = s_cert_file2;
+#endif
if (nocert == 0)
{
@@ -850,8 +1136,29 @@ bad:
ERR_print_errors(bio_err);
goto end;
}
- }
+#ifndef OPENSSL_NO_TLSEXT
+ if (tlsextcbp.servername)
+ {
+ s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e,
+ "second server certificate private key file");
+ if (!s_key2)
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ s_cert2 = load_cert(bio_err,s_cert_file2,s_cert_format,
+ NULL, e, "second server certificate file");
+
+ if (!s_cert2)
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+#endif
+ }
if (s_dcert_file)
{
@@ -908,6 +1215,10 @@ bad:
s_key_file=NULL;
s_dcert_file=NULL;
s_dkey_file=NULL;
+#ifndef OPENSSL_NO_TLSEXT
+ s_cert_file2=NULL;
+ s_key_file2=NULL;
+#endif
}
ctx=SSL_CTX_new(meth);
@@ -939,7 +1250,7 @@ bad:
/* DTLS: partial reads end up discarding unread UDP bytes :-(
* Setting read ahead solves this problem.
*/
- if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
+ if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
@@ -966,6 +1277,62 @@ bad:
}
store = SSL_CTX_get_cert_store(ctx);
X509_STORE_set_flags(store, vflags);
+#ifndef OPENSSL_NO_TLSEXT
+ if (s_cert2)
+ {
+ ctx2=SSL_CTX_new(meth);
+ if (ctx2 == NULL)
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+
+ if (ctx2)
+ {
+ BIO_printf(bio_s_out,"Setting secondary ctx parameters\n");
+
+ if (session_id_prefix)
+ {
+ if(strlen(session_id_prefix) >= 32)
+ BIO_printf(bio_err,
+ "warning: id_prefix is too long, only one new session will be possible\n");
+ else if(strlen(session_id_prefix) >= 16)
+ BIO_printf(bio_err,
+ "warning: id_prefix is too long if you use SSLv2\n");
+ if(!SSL_CTX_set_generate_session_id(ctx2, generate_session_id))
+ {
+ BIO_printf(bio_err,"error setting 'id_prefix'\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix);
+ }
+ SSL_CTX_set_quiet_shutdown(ctx2,1);
+ if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL);
+ if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
+ SSL_CTX_set_options(ctx2,off);
+
+ /* DTLS: partial reads end up discarding unread UDP bytes :-(
+ * Setting read ahead solves this problem.
+ */
+ if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx2, 1);
+
+
+ if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback);
+
+ SSL_CTX_sess_set_cache_size(ctx2,128);
+
+ if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
+ (!SSL_CTX_set_default_verify_paths(ctx2)))
+ {
+ ERR_print_errors(bio_err);
+ }
+ store = SSL_CTX_get_cert_store(ctx2);
+ X509_STORE_set_flags(store, vflags);
+ }
+#endif
+
#ifndef OPENSSL_NO_DH
if (!no_dhe)
@@ -989,6 +1356,24 @@ bad:
(void)BIO_flush(bio_s_out);
SSL_CTX_set_tmp_dh(ctx,dh);
+#ifndef OPENSSL_NO_TLSEXT
+ if (ctx2)
+ {
+ if (!dhfile)
+ {
+ DH *dh2=load_dh_param(s_cert_file2);
+ if (dh2 != NULL)
+ {
+ BIO_printf(bio_s_out,"Setting temp DH parameters\n");
+ (void)BIO_flush(bio_s_out);
+
+ DH_free(dh);
+ dh = dh2;
+ }
+ }
+ SSL_CTX_set_tmp_dh(ctx2,dh);
+ }
+#endif
DH_free(dh);
}
#endif
@@ -1034,12 +1419,20 @@ bad:
(void)BIO_flush(bio_s_out);
SSL_CTX_set_tmp_ecdh(ctx,ecdh);
+#ifndef OPENSSL_NO_TLSEXT
+ if (ctx2)
+ SSL_CTX_set_tmp_ecdh(ctx2,ecdh);
+#endif
EC_KEY_free(ecdh);
}
#endif
if (!set_cert_key_stuff(ctx,s_cert,s_key))
goto end;
+#ifndef OPENSSL_NO_TLSEXT
+ if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
+ goto end;
+#endif
if (s_dcert != NULL)
{
if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
@@ -1049,7 +1442,13 @@ bad:
#ifndef OPENSSL_NO_RSA
#if 1
if (!no_tmp_rsa)
+ {
SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb);
+#ifndef OPENSSL_NO_TLSEXT
+ if (ctx2)
+ SSL_CTX_set_tmp_rsa_callback(ctx2,tmp_rsa_cb);
+#endif
+ }
#else
if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx))
{
@@ -1065,6 +1464,16 @@ bad:
ERR_print_errors(bio_err);
goto end;
}
+#ifndef OPENSSL_NO_TLSEXT
+ if (ctx2)
+ {
+ if (!SSL_CTX_set_tmp_rsa(ctx2,rsa))
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+#endif
RSA_free(rsa);
BIO_printf(bio_s_out,"\n");
}
@@ -1076,19 +1485,46 @@ bad:
BIO_printf(bio_err,"error setting cipher list\n");
ERR_print_errors(bio_err);
goto end;
+#ifndef OPENSSL_NO_TLSEXT
+ if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher))
+ {
+ BIO_printf(bio_err,"error setting cipher list\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+#endif
}
SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
sizeof s_server_session_id_context);
+#ifndef OPENSSL_NO_TLSEXT
+ if (ctx2)
+ {
+ SSL_CTX_set_verify(ctx2,s_server_verify,verify_callback);
+ SSL_CTX_set_session_id_context(ctx2,(void*)&s_server_session_id_context,
+ sizeof s_server_session_id_context);
+
+ tlsextcbp.biodebug = bio_s_out;
+ SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
+ SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
+ SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
+ SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
+ }
+#endif
if (CAfile != NULL)
- SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
-
+ {
+ SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
+#ifndef OPENSSL_NO_TLSEXT
+ if (ctx2)
+ SSL_CTX_set_client_CA_list(ctx2,SSL_load_client_CA_file(CAfile));
+#endif
+ }
BIO_printf(bio_s_out,"ACCEPT\n");
if (www)
- do_server(port,sock_type,&accept_socket,www_body, context);
+ do_server(port,socket_type,&accept_socket,www_body, context);
else
- do_server(port,sock_type,&accept_socket,sv_body, context);
+ do_server(port,socket_type,&accept_socket,sv_body, context);
print_stats(bio_s_out,ctx);
ret=0;
end:
@@ -1105,6 +1541,13 @@ end:
OPENSSL_free(pass);
if (dpass)
OPENSSL_free(dpass);
+#ifndef OPENSSL_NO_TLSEXT
+ if (ctx2 != NULL) SSL_CTX_free(ctx2);
+ if (s_cert2)
+ X509_free(s_cert2);
+ if (s_key2)
+ EVP_PKEY_free(s_key2);
+#endif
if (bio_s_out != NULL)
{
BIO_free(bio_s_out);
@@ -1171,6 +1614,19 @@ static int sv_body(char *hostname, int s, unsigned char *context)
if (con == NULL) {
con=SSL_new(ctx);
+#ifndef OPENSSL_NO_TLSEXT
+ if (s_tlsextdebug)
+ {
+ SSL_set_tlsext_debug_callback(con, tlsext_cb);
+ SSL_set_tlsext_debug_arg(con, bio_s_out);
+ }
+ if (s_tlsextstatus)
+ {
+ SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
+ tlscstatp.err = bio_err;
+ SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
+ }
+#endif
#ifndef OPENSSL_NO_KRB5
if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
{
@@ -1226,6 +1682,11 @@ static int sv_body(char *hostname, int s, unsigned char *context)
test=BIO_new(BIO_f_nbio_test());
sbio=BIO_push(test,sbio);
}
+#ifndef OPENSSL_NO_JPAKE
+ if(jpake_secret)
+ jpake_server_auth(bio_s_out, sbio, jpake_secret);
+#endif
+
SSL_set_bio(con,sbio,sbio);
SSL_set_accept_state(con);
/* SSL_set_fd(con,s); */
@@ -1241,6 +1702,13 @@ static int sv_body(char *hostname, int s, unsigned char *context)
SSL_set_msg_callback(con, msg_cb);
SSL_set_msg_callback_arg(con, bio_s_out);
}
+#ifndef OPENSSL_NO_TLSEXT
+ if (s_tlsextdebug)
+ {
+ SSL_set_tlsext_debug_callback(con, tlsext_cb);
+ SSL_set_tlsext_debug_arg(con, bio_s_out);
+ }
+#endif
width=s+1;
for (;;)
@@ -1606,6 +2074,13 @@ static int www_body(char *hostname, int s, unsigned char *context)
if (!BIO_set_write_buffer_size(io,bufsize)) goto err;
if ((con=SSL_new(ctx)) == NULL) goto err;
+#ifndef OPENSSL_NO_TLSEXT
+ if (s_tlsextdebug)
+ {
+ SSL_set_tlsext_debug_callback(con, tlsext_cb);
+ SSL_set_tlsext_debug_arg(con, bio_s_out);
+ }
+#endif
#ifndef OPENSSL_NO_KRB5
if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
{
diff --git a/crypto/openssl/apps/smime.c b/crypto/openssl/apps/smime.c
index 830f18cd8479..75804b8d7b77 100644
--- a/crypto/openssl/apps/smime.c
+++ b/crypto/openssl/apps/smime.c
@@ -1,5 +1,5 @@
/* smime.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
/* ====================================================================
@@ -145,6 +145,10 @@ int MAIN(int argc, char **argv)
else if (!strcmp (*args, "-des"))
cipher = EVP_des_cbc();
#endif
+#ifndef OPENSSL_NO_SEED
+ else if (!strcmp (*args, "-seed"))
+ cipher = EVP_seed_cbc();
+#endif
#ifndef OPENSSL_NO_RC2
else if (!strcmp (*args, "-rc2-40"))
cipher = EVP_rc2_40_cbc();
@@ -423,6 +427,9 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-des3 encrypt with triple DES\n");
BIO_printf (bio_err, "-des encrypt with DES\n");
#endif
+#ifndef OPENSSL_NO_SEED
+ BIO_printf (bio_err, "-seed encrypt with SEED\n");
+#endif
#ifndef OPENSSL_NO_RC2
BIO_printf (bio_err, "-rc2-40 encrypt with RC2-40 (default)\n");
BIO_printf (bio_err, "-rc2-64 encrypt with RC2-64\n");
diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c
index 4af171d5f888..af077b54a86b 100644
--- a/crypto/openssl/apps/speed.c
+++ b/crypto/openssl/apps/speed.c
@@ -201,6 +201,9 @@
#ifndef OPENSSL_NO_IDEA
#include <openssl/idea.h>
#endif
+#ifndef OPENSSL_NO_SEED
+#include <openssl/seed.h>
+#endif
#ifndef OPENSSL_NO_BF
#include <openssl/blowfish.h>
#endif
@@ -272,7 +275,7 @@ static void print_result(int alg,int run_no,int count,double time_used);
static int do_multi(int multi);
#endif
-#define ALGOR_NUM 24
+#define ALGOR_NUM 28
#define SIZE_NUM 5
#define RSA_NUM 4
#define DSA_NUM 3
@@ -282,11 +285,12 @@ static int do_multi(int multi);
static const char *names[ALGOR_NUM]={
"md2","mdc2","md4","md5","hmac(md5)","sha1","rmd160","rc4",
- "des cbc","des ede3","idea cbc",
+ "des cbc","des ede3","idea cbc","seed cbc",
"rc2 cbc","rc5-32/12 cbc","blowfish cbc","cast cbc",
"aes-128 cbc","aes-192 cbc","aes-256 cbc",
"camellia-128 cbc","camellia-192 cbc","camellia-256 cbc",
- "evp","sha256","sha512"};
+ "evp","sha256","sha512",
+ "aes-128 ige","aes-192 ige","aes-256 ige"};
static double results[ALGOR_NUM][SIZE_NUM];
static int lengths[SIZE_NUM]={16,64,256,1024,8*1024};
static double rsa_results[RSA_NUM][2];
@@ -533,6 +537,9 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_IDEA
IDEA_KEY_SCHEDULE idea_ks;
#endif
+#ifndef OPENSSL_NO_SEED
+ SEED_KEY_SCHEDULE seed_ks;
+#endif
#ifndef OPENSSL_NO_BF
BF_KEY bf_ks;
#endif
@@ -570,7 +577,7 @@ int MAIN(int argc, char **argv)
#define MAX_BLOCK_SIZE 64
#endif
unsigned char DES_iv[8];
- unsigned char iv[MAX_BLOCK_SIZE/8];
+ unsigned char iv[2*MAX_BLOCK_SIZE/8];
#ifndef OPENSSL_NO_DES
DES_cblock *buf_as_des_cblock = NULL;
static DES_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
@@ -597,19 +604,23 @@ int MAIN(int argc, char **argv)
#define D_CBC_DES 8
#define D_EDE3_DES 9
#define D_CBC_IDEA 10
-#define D_CBC_RC2 11
-#define D_CBC_RC5 12
-#define D_CBC_BF 13
-#define D_CBC_CAST 14
-#define D_CBC_128_AES 15
-#define D_CBC_192_AES 16
-#define D_CBC_256_AES 17
-#define D_CBC_128_CML 18
-#define D_CBC_192_CML 19
-#define D_CBC_256_CML 20
-#define D_EVP 21
-#define D_SHA256 22
-#define D_SHA512 23
+#define D_CBC_SEED 11
+#define D_CBC_RC2 12
+#define D_CBC_RC5 13
+#define D_CBC_BF 14
+#define D_CBC_CAST 15
+#define D_CBC_128_AES 16
+#define D_CBC_192_AES 17
+#define D_CBC_256_AES 18
+#define D_CBC_128_CML 19
+#define D_CBC_192_CML 20
+#define D_CBC_256_CML 21
+#define D_EVP 22
+#define D_SHA256 23
+#define D_SHA512 24
+#define D_IGE_128_AES 25
+#define D_IGE_192_AES 26
+#define D_IGE_256_AES 27
double d=0.0;
long c[ALGOR_NUM][SIZE_NUM];
#define R_DSA_512 0
@@ -950,7 +961,10 @@ int MAIN(int argc, char **argv)
if (strcmp(*argv,"aes-128-cbc") == 0) doit[D_CBC_128_AES]=1;
else if (strcmp(*argv,"aes-192-cbc") == 0) doit[D_CBC_192_AES]=1;
else if (strcmp(*argv,"aes-256-cbc") == 0) doit[D_CBC_256_AES]=1;
- else
+ else if (strcmp(*argv,"aes-128-ige") == 0) doit[D_IGE_128_AES]=1;
+ else if (strcmp(*argv,"aes-192-ige") == 0) doit[D_IGE_192_AES]=1;
+ else if (strcmp(*argv,"aes-256-ige") == 0) doit[D_IGE_256_AES]=1;
+ else
#endif
#ifndef OPENSSL_NO_CAMELLIA
if (strcmp(*argv,"camellia-128-cbc") == 0) doit[D_CBC_128_CML]=1;
@@ -999,6 +1013,11 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,"idea") == 0) doit[D_CBC_IDEA]=1;
else
#endif
+#ifndef OPENSSL_NO_SEED
+ if (strcmp(*argv,"seed-cbc") == 0) doit[D_CBC_SEED]=1;
+ else if (strcmp(*argv,"seed") == 0) doit[D_CBC_SEED]=1;
+ else
+#endif
#ifndef OPENSSL_NO_BF
if (strcmp(*argv,"bf-cbc") == 0) doit[D_CBC_BF]=1;
else if (strcmp(*argv,"blowfish") == 0) doit[D_CBC_BF]=1;
@@ -1144,6 +1163,9 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_IDEA
BIO_printf(bio_err,"idea-cbc ");
#endif
+#ifndef OPENSSL_NO_SEED
+ BIO_printf(bio_err,"seed-cbc ");
+#endif
#ifndef OPENSSL_NO_RC2
BIO_printf(bio_err,"rc2-cbc ");
#endif
@@ -1153,7 +1175,7 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_BF
BIO_printf(bio_err,"bf-cbc");
#endif
-#if !defined(OPENSSL_NO_IDEA) || !defined(OPENSSL_NO_RC2) || \
+#if !defined(OPENSSL_NO_IDEA) || !defined(OPENSSL_NO_SEED) || !defined(OPENSSL_NO_RC2) || \
!defined(OPENSSL_NO_BF) || !defined(OPENSSL_NO_RC5)
BIO_printf(bio_err,"\n");
#endif
@@ -1162,6 +1184,7 @@ int MAIN(int argc, char **argv)
#endif
#ifndef OPENSSL_NO_AES
BIO_printf(bio_err,"aes-128-cbc aes-192-cbc aes-256-cbc ");
+ BIO_printf(bio_err,"aes-128-ige aes-192-ige aes-256-ige ");
#endif
#ifndef OPENSSL_NO_CAMELLIA
BIO_printf(bio_err,"\n");
@@ -1195,6 +1218,9 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_IDEA
BIO_printf(bio_err,"idea ");
#endif
+#ifndef OPENSSL_NO_SEED
+ BIO_printf(bio_err,"seed ");
+#endif
#ifndef OPENSSL_NO_RC2
BIO_printf(bio_err,"rc2 ");
#endif
@@ -1213,10 +1239,10 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_BF
BIO_printf(bio_err,"blowfish");
#endif
-#if !defined(OPENSSL_NO_IDEA) || !defined(OPENSSL_NO_RC2) || \
- !defined(OPENSSL_NO_DES) || !defined(OPENSSL_NO_RSA) || \
- !defined(OPENSSL_NO_BF) || !defined(OPENSSL_NO_AES) || \
- !defined(OPENSSL_NO_CAMELLIA)
+#if !defined(OPENSSL_NO_IDEA) || !defined(OPENSSL_NO_SEED) || \
+ !defined(OPENSSL_NO_RC2) || !defined(OPENSSL_NO_DES) || \
+ !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_BF) || \
+ !defined(OPENSSL_NO_AES) || !defined(OPENSSL_NO_CAMELLIA)
BIO_printf(bio_err,"\n");
#endif
@@ -1318,6 +1344,9 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_IDEA
idea_set_encrypt_key(key16,&idea_ks);
#endif
+#ifndef OPENSSL_NO_SEED
+ SEED_set_key(key16,&seed_ks);
+#endif
#ifndef OPENSSL_NO_RC4
RC4_set_key(&rc4_ks,16,key16);
#endif
@@ -1361,6 +1390,7 @@ int MAIN(int argc, char **argv)
c[D_CBC_DES][0]=count;
c[D_EDE3_DES][0]=count/3;
c[D_CBC_IDEA][0]=count;
+ c[D_CBC_SEED][0]=count;
c[D_CBC_RC2][0]=count;
c[D_CBC_RC5][0]=count;
c[D_CBC_BF][0]=count;
@@ -1373,6 +1403,9 @@ int MAIN(int argc, char **argv)
c[D_CBC_256_CML][0]=count;
c[D_SHA256][0]=count;
c[D_SHA512][0]=count;
+ c[D_IGE_128_AES][0]=count;
+ c[D_IGE_192_AES][0]=count;
+ c[D_IGE_256_AES][0]=count;
for (i=1; i<SIZE_NUM; i++)
{
@@ -1396,6 +1429,7 @@ int MAIN(int argc, char **argv)
c[D_CBC_DES][i]=c[D_CBC_DES][i-1]*l0/l1;
c[D_EDE3_DES][i]=c[D_EDE3_DES][i-1]*l0/l1;
c[D_CBC_IDEA][i]=c[D_CBC_IDEA][i-1]*l0/l1;
+ c[D_CBC_SEED][i]=c[D_CBC_SEED][i-1]*l0/l1;
c[D_CBC_RC2][i]=c[D_CBC_RC2][i-1]*l0/l1;
c[D_CBC_RC5][i]=c[D_CBC_RC5][i-1]*l0/l1;
c[D_CBC_BF][i]=c[D_CBC_BF][i-1]*l0/l1;
@@ -1406,6 +1440,9 @@ int MAIN(int argc, char **argv)
c[D_CBC_128_CML][i]=c[D_CBC_128_CML][i-1]*l0/l1;
c[D_CBC_192_CML][i]=c[D_CBC_192_CML][i-1]*l0/l1;
c[D_CBC_256_CML][i]=c[D_CBC_256_CML][i-1]*l0/l1;
+ c[D_IGE_128_AES][i]=c[D_IGE_128_AES][i-1]*l0/l1;
+ c[D_IGE_192_AES][i]=c[D_IGE_192_AES][i-1]*l0/l1;
+ c[D_IGE_256_AES][i]=c[D_IGE_256_AES][i-1]*l0/l1;
}
#ifndef OPENSSL_NO_RSA
rsa_c[R_RSA_512][0]=count/2000;
@@ -1799,6 +1836,48 @@ int MAIN(int argc, char **argv)
}
}
+ if (doit[D_IGE_128_AES])
+ {
+ for (j=0; j<SIZE_NUM; j++)
+ {
+ print_message(names[D_IGE_128_AES],c[D_IGE_128_AES][j],lengths[j]);
+ Time_F(START);
+ for (count=0,run=1; COND(c[D_IGE_128_AES][j]); count++)
+ AES_ige_encrypt(buf,buf2,
+ (unsigned long)lengths[j],&aes_ks1,
+ iv,AES_ENCRYPT);
+ d=Time_F(STOP);
+ print_result(D_IGE_128_AES,j,count,d);
+ }
+ }
+ if (doit[D_IGE_192_AES])
+ {
+ for (j=0; j<SIZE_NUM; j++)
+ {
+ print_message(names[D_IGE_192_AES],c[D_IGE_192_AES][j],lengths[j]);
+ Time_F(START);
+ for (count=0,run=1; COND(c[D_IGE_192_AES][j]); count++)
+ AES_ige_encrypt(buf,buf2,
+ (unsigned long)lengths[j],&aes_ks2,
+ iv,AES_ENCRYPT);
+ d=Time_F(STOP);
+ print_result(D_IGE_192_AES,j,count,d);
+ }
+ }
+ if (doit[D_IGE_256_AES])
+ {
+ for (j=0; j<SIZE_NUM; j++)
+ {
+ print_message(names[D_IGE_256_AES],c[D_IGE_256_AES][j],lengths[j]);
+ Time_F(START);
+ for (count=0,run=1; COND(c[D_IGE_256_AES][j]); count++)
+ AES_ige_encrypt(buf,buf2,
+ (unsigned long)lengths[j],&aes_ks3,
+ iv,AES_ENCRYPT);
+ d=Time_F(STOP);
+ print_result(D_IGE_256_AES,j,count,d);
+ }
+ }
#endif
#ifndef OPENSSL_NO_CAMELLIA
if (doit[D_CBC_128_CML])
@@ -1861,6 +1940,21 @@ int MAIN(int argc, char **argv)
}
}
#endif
+#ifndef OPENSSL_NO_SEED
+ if (doit[D_CBC_SEED])
+ {
+ for (j=0; j<SIZE_NUM; j++)
+ {
+ print_message(names[D_CBC_SEED],c[D_CBC_SEED][j],lengths[j]);
+ Time_F(START);
+ for (count=0,run=1; COND(c[D_CBC_SEED][j]); count++)
+ SEED_cbc_encrypt(buf,buf,
+ (unsigned long)lengths[j],&seed_ks,iv,1);
+ d=Time_F(STOP);
+ print_result(D_CBC_SEED,j,count,d);
+ }
+ }
+#endif
#ifndef OPENSSL_NO_RC2
if (doit[D_CBC_RC2])
{
@@ -2666,6 +2760,8 @@ static int do_multi(int multi)
for(n=0 ; n < multi ; ++n)
{
pipe(fd);
+ fflush(stdout);
+ fflush(stderr);
if(fork())
{
close(fd[1]);
diff --git a/crypto/openssl/apps/spkac.c b/crypto/openssl/apps/spkac.c
index 01fe4062521a..0e01ea9947da 100644
--- a/crypto/openssl/apps/spkac.c
+++ b/crypto/openssl/apps/spkac.c
@@ -1,6 +1,6 @@
/* apps/spkac.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999. Based on an original idea by Massimiliano Pala
* (madwolf@openca.org).
*/
diff --git a/crypto/openssl/apps/ts.c b/crypto/openssl/apps/ts.c
new file mode 100644
index 000000000000..74e7e932b3ab
--- /dev/null
+++ b/crypto/openssl/apps/ts.c
@@ -0,0 +1,1144 @@
+/* apps/ts.c */
+/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
+ * project 2002.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/ts.h>
+#include <openssl/bn.h>
+
+#undef PROG
+#define PROG ts_main
+
+/* Length of the nonce of the request in bits (must be a multiple of 8). */
+#define NONCE_LENGTH 64
+
+/* Macro definitions for the configuration file. */
+#define ENV_OID_FILE "oid_file"
+
+/* Local function declarations. */
+
+static ASN1_OBJECT *txt2obj(const char *oid);
+static CONF *load_config_file(const char *configfile);
+
+/* Query related functions. */
+static int query_command(const char *data, char *digest,
+ const EVP_MD *md, const char *policy, int no_nonce,
+ int cert, const char *in, const char *out, int text);
+static BIO *BIO_open_with_default(const char *file, const char *mode,
+ FILE *default_fp);
+static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md,
+ const char *policy, int no_nonce, int cert);
+static int create_digest(BIO *input, char *digest,
+ const EVP_MD *md, unsigned char **md_value);
+static ASN1_INTEGER *create_nonce(int bits);
+
+/* Reply related functions. */
+static int reply_command(CONF *conf, char *section, char *engine,
+ char *queryfile, char *passin, char *inkey,
+ char *signer, char *chain, const char *policy,
+ char *in, int token_in, char *out, int token_out,
+ int text);
+static TS_RESP *read_PKCS7(BIO *in_bio);
+static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
+ char *queryfile, char *passin, char *inkey,
+ char *signer, char *chain, const char *policy);
+static ASN1_INTEGER * MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data);
+static ASN1_INTEGER *next_serial(const char *serialfile);
+static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
+
+/* Verify related functions. */
+static int verify_command(char *data, char *digest, char *queryfile,
+ char *in, int token_in,
+ char *ca_path, char *ca_file, char *untrusted);
+static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
+ char *queryfile,
+ char *ca_path, char *ca_file,
+ char *untrusted);
+static X509_STORE *create_cert_store(char *ca_path, char *ca_file);
+static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx);
+
+/* Main function definition. */
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
+ {
+ int ret = 1;
+ char *configfile = NULL;
+ char *section = NULL;
+ CONF *conf = NULL;
+ enum mode {
+ CMD_NONE, CMD_QUERY, CMD_REPLY, CMD_VERIFY
+ } mode = CMD_NONE;
+ char *data = NULL;
+ char *digest = NULL;
+ const EVP_MD *md = NULL;
+ char *rnd = NULL;
+ char *policy = NULL;
+ int no_nonce = 0;
+ int cert = 0;
+ char *in = NULL;
+ char *out = NULL;
+ int text = 0;
+ char *queryfile = NULL;
+ char *passin = NULL; /* Password source. */
+ char *password =NULL; /* Password itself. */
+ char *inkey = NULL;
+ char *signer = NULL;
+ char *chain = NULL;
+ char *ca_path = NULL;
+ char *ca_file = NULL;
+ char *untrusted = NULL;
+ char *engine = NULL;
+ /* Input is ContentInfo instead of TimeStampResp. */
+ int token_in = 0;
+ /* Output is ContentInfo instead of TimeStampResp. */
+ int token_out = 0;
+ int free_bio_err = 0;
+
+ ERR_load_crypto_strings();
+ apps_startup();
+
+ if (bio_err == NULL && (bio_err = BIO_new(BIO_s_file())) != NULL)
+ {
+ free_bio_err = 1;
+ BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+ }
+
+ for (argc--, argv++; argc > 0; argc--, argv++)
+ {
+ if (strcmp(*argv, "-config") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ configfile = *++argv;
+ }
+ else if (strcmp(*argv, "-section") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ section = *++argv;
+ }
+ else if (strcmp(*argv, "-query") == 0)
+ {
+ if (mode != CMD_NONE) goto usage;
+ mode = CMD_QUERY;
+ }
+ else if (strcmp(*argv, "-data") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ data = *++argv;
+ }
+ else if (strcmp(*argv, "-digest") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ digest = *++argv;
+ }
+ else if (strcmp(*argv, "-rand") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ rnd = *++argv;
+ }
+ else if (strcmp(*argv, "-policy") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ policy = *++argv;
+ }
+ else if (strcmp(*argv, "-no_nonce") == 0)
+ {
+ no_nonce = 1;
+ }
+ else if (strcmp(*argv, "-cert") == 0)
+ {
+ cert = 1;
+ }
+ else if (strcmp(*argv, "-in") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ in = *++argv;
+ }
+ else if (strcmp(*argv, "-token_in") == 0)
+ {
+ token_in = 1;
+ }
+ else if (strcmp(*argv, "-out") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ out = *++argv;
+ }
+ else if (strcmp(*argv, "-token_out") == 0)
+ {
+ token_out = 1;
+ }
+ else if (strcmp(*argv, "-text") == 0)
+ {
+ text = 1;
+ }
+ else if (strcmp(*argv, "-reply") == 0)
+ {
+ if (mode != CMD_NONE) goto usage;
+ mode = CMD_REPLY;
+ }
+ else if (strcmp(*argv, "-queryfile") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ queryfile = *++argv;
+ }
+ else if (strcmp(*argv, "-passin") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ passin = *++argv;
+ }
+ else if (strcmp(*argv, "-inkey") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ inkey = *++argv;
+ }
+ else if (strcmp(*argv, "-signer") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ signer = *++argv;
+ }
+ else if (strcmp(*argv, "-chain") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ chain = *++argv;
+ }
+ else if (strcmp(*argv, "-verify") == 0)
+ {
+ if (mode != CMD_NONE) goto usage;
+ mode = CMD_VERIFY;
+ }
+ else if (strcmp(*argv, "-CApath") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ ca_path = *++argv;
+ }
+ else if (strcmp(*argv, "-CAfile") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ ca_file = *++argv;
+ }
+ else if (strcmp(*argv, "-untrusted") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ untrusted = *++argv;
+ }
+ else if (strcmp(*argv, "-engine") == 0)
+ {
+ if (argc-- < 1) goto usage;
+ engine = *++argv;
+ }
+ else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL)
+ {
+ /* empty. */
+ }
+ else
+ goto usage;
+ }
+
+ /* Seed the random number generator if it is going to be used. */
+ if (mode == CMD_QUERY && !no_nonce)
+ {
+ if (!app_RAND_load_file(NULL, bio_err, 1) && rnd == NULL)
+ BIO_printf(bio_err, "warning, not much extra random "
+ "data, consider using the -rand option\n");
+ if (rnd != NULL)
+ BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
+ app_RAND_load_files(rnd));
+ }
+
+ /* Get the password if required. */
+ if(mode == CMD_REPLY && passin &&
+ !app_passwd(bio_err, passin, NULL, &password, NULL))
+ {
+ BIO_printf(bio_err,"Error getting password.\n");
+ goto cleanup;
+ }
+
+ /* Check consistency of parameters and execute
+ the appropriate function. */
+ switch (mode)
+ {
+ case CMD_NONE:
+ goto usage;
+ case CMD_QUERY:
+ /* Data file and message imprint cannot be specified
+ at the same time. */
+ ret = data != NULL && digest != NULL;
+ if (ret) goto usage;
+ /* Load the config file for possible policy OIDs. */
+ conf = load_config_file(configfile);
+ ret = !query_command(data, digest, md, policy, no_nonce, cert,
+ in, out, text);
+ break;
+ case CMD_REPLY:
+ conf = load_config_file(configfile);
+ if (in == NULL)
+ {
+ ret = !(queryfile != NULL && conf != NULL && !token_in);
+ if (ret) goto usage;
+ }
+ else
+ {
+ /* 'in' and 'queryfile' are exclusive. */
+ ret = !(queryfile == NULL);
+ if (ret) goto usage;
+ }
+
+ ret = !reply_command(conf, section, engine, queryfile,
+ password, inkey, signer, chain, policy,
+ in, token_in, out, token_out, text);
+ break;
+ case CMD_VERIFY:
+ ret = !(((queryfile && !data && !digest)
+ || (!queryfile && data && !digest)
+ || (!queryfile && !data && digest))
+ && in != NULL);
+ if (ret) goto usage;
+
+ ret = !verify_command(data, digest, queryfile, in, token_in,
+ ca_path, ca_file, untrusted);
+ }
+
+ goto cleanup;
+
+ usage:
+ BIO_printf(bio_err, "usage:\n"
+ "ts -query [-rand file%cfile%c...] [-config configfile] "
+ "[-data file_to_hash] [-digest digest_bytes]"
+ "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
+ "[-policy