aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJacques Vidrine <nectar@FreeBSD.org>2003-10-01 12:32:41 +0000
committerJacques Vidrine <nectar@FreeBSD.org>2003-10-01 12:32:41 +0000
commit50ef0093530d9eae8741fb66ae7161ad1d68dcca (patch)
tree69b3ffc611270d72c473248fe700c2942eb5e6b5
parent5b877a2d56a3b37c8b2e8cedf0532a8fb82e3c70 (diff)
downloadsrc-50ef0093530d9eae8741fb66ae7161ad1d68dcca.tar.gz
src-50ef0093530d9eae8741fb66ae7161ad1d68dcca.zip
Vendor import of OpenSSL 0.9.7c
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=120631
-rw-r--r--crypto/openssl/CHANGES140
-rwxr-xr-xcrypto/openssl/Configure11
-rw-r--r--crypto/openssl/FAQ3
-rw-r--r--crypto/openssl/LICENSE2
-rw-r--r--crypto/openssl/Makefile.org56
-rw-r--r--crypto/openssl/Makefile.ssl68
-rw-r--r--crypto/openssl/NEWS30
-rw-r--r--crypto/openssl/PROBLEMS31
-rw-r--r--crypto/openssl/README2
-rwxr-xr-xcrypto/openssl/apps/CA.pl2
-rw-r--r--crypto/openssl/apps/Makefile.ssl7
-rw-r--r--crypto/openssl/apps/apps.c4
-rw-r--r--crypto/openssl/apps/ca.c2
-rw-r--r--crypto/openssl/apps/crl.c1
-rw-r--r--crypto/openssl/apps/der_chop2
-rw-r--r--crypto/openssl/apps/engine.c6
-rw-r--r--crypto/openssl/apps/ocsp.c11
-rw-r--r--crypto/openssl/apps/openssl.c2
-rw-r--r--crypto/openssl/apps/pkcs8.c11
-rw-r--r--crypto/openssl/apps/s_apps.h8
-rw-r--r--crypto/openssl/apps/s_client.c38
-rw-r--r--crypto/openssl/apps/s_server.c20
-rw-r--r--crypto/openssl/apps/smime.c4
-rw-r--r--crypto/openssl/apps/x509.c8
-rw-r--r--crypto/openssl/bugs/SSLv32
-rwxr-xr-xcrypto/openssl/config8
-rw-r--r--crypto/openssl/crypto/aes/aes.h2
-rw-r--r--crypto/openssl/crypto/aes/aes_cbc.c12
-rw-r--r--crypto/openssl/crypto/aes/aes_ctr.c54
-rw-r--r--crypto/openssl/crypto/asn1/a_mbstr.c2
-rw-r--r--crypto/openssl/crypto/asn1/a_strex.c2
-rw-r--r--crypto/openssl/crypto/asn1/a_strnid.c40
-rw-r--r--crypto/openssl/crypto/asn1/asn1.h2
-rw-r--r--crypto/openssl/crypto/asn1/asn1_lib.c2
-rw-r--r--crypto/openssl/crypto/asn1/tasn_dec.c9
-rw-r--r--crypto/openssl/crypto/bio/b_print.c21
-rw-r--r--crypto/openssl/crypto/bio/bf_buff.c1
-rw-r--r--crypto/openssl/crypto/bio/bss_bio.c55
-rw-r--r--crypto/openssl/crypto/bio/bss_file.c21
-rw-r--r--crypto/openssl/crypto/bn/Makefile.ssl1
-rw-r--r--crypto/openssl/crypto/bn/bn.h2
-rw-r--r--crypto/openssl/crypto/bn/bn_mul.c4
-rw-r--r--crypto/openssl/crypto/bn/bntest.c9
-rw-r--r--crypto/openssl/crypto/bn/exptest.c3
-rw-r--r--crypto/openssl/crypto/des/cfb_enc.c84
-rw-r--r--crypto/openssl/crypto/des/destest.c2
-rw-r--r--crypto/openssl/crypto/dh/Makefile.ssl17
-rw-r--r--crypto/openssl/crypto/dh/dh_key.c3
-rw-r--r--crypto/openssl/crypto/dh/dhtest.c7
-rw-r--r--crypto/openssl/crypto/dsa/Makefile.ssl30
-rw-r--r--crypto/openssl/crypto/dsa/dsa_ossl.c3
-rw-r--r--crypto/openssl/crypto/dsa/dsa_sign.c3
-rw-r--r--crypto/openssl/crypto/dsa/dsa_vrf.c3
-rw-r--r--crypto/openssl/crypto/dsa/dsatest.c6
-rw-r--r--crypto/openssl/crypto/dso/dso_dlfcn.c6
-rw-r--r--crypto/openssl/crypto/ec/ec_mult.c13
-rw-r--r--crypto/openssl/crypto/engine/eng_fat.c8
-rw-r--r--crypto/openssl/crypto/engine/engine.h8
-rw-r--r--crypto/openssl/crypto/engine/hw_ubsec.c1
-rw-r--r--crypto/openssl/crypto/err/err.c42
-rw-r--r--crypto/openssl/crypto/err/err.h1
-rw-r--r--crypto/openssl/crypto/evp/Makefile.ssl43
-rw-r--r--crypto/openssl/crypto/evp/bio_b64.c38
-rw-r--r--crypto/openssl/crypto/evp/bio_enc.c7
-rw-r--r--crypto/openssl/crypto/evp/c_all.c7
-rw-r--r--crypto/openssl/crypto/evp/digest.c2
-rw-r--r--crypto/openssl/crypto/evp/evp_acnf.c3
-rw-r--r--crypto/openssl/crypto/md2/md2test.c2
-rw-r--r--crypto/openssl/crypto/md5/Makefile.ssl3
-rw-r--r--crypto/openssl/crypto/md5/asm/md5-586.pl2
-rw-r--r--crypto/openssl/crypto/md5/asm/md5-sparcv9.S4
-rw-r--r--crypto/openssl/crypto/o_time.c8
-rw-r--r--crypto/openssl/crypto/ocsp/ocsp_ht.c14
-rw-r--r--crypto/openssl/crypto/opensslconf.h11
-rw-r--r--crypto/openssl/crypto/opensslv.h4
-rw-r--r--crypto/openssl/crypto/perlasm/x86ms.pl3
-rw-r--r--crypto/openssl/crypto/perlasm/x86nasm.pl3
-rw-r--r--crypto/openssl/crypto/perlasm/x86unix.pl3
-rw-r--r--crypto/openssl/crypto/pkcs12/p12_npas.c2
-rw-r--r--crypto/openssl/crypto/pkcs7/pk7_doit.c5
-rw-r--r--crypto/openssl/crypto/pkcs7/pk7_mime.c105
-rw-r--r--crypto/openssl/crypto/pkcs7/pk7_smime.c2
-rw-r--r--crypto/openssl/crypto/pkcs7/pkcs7.h2
-rw-r--r--crypto/openssl/crypto/rand/rand_win.c14
-rw-r--r--crypto/openssl/crypto/rsa/Makefile.ssl42
-rw-r--r--crypto/openssl/crypto/rsa/rsa.h6
-rw-r--r--crypto/openssl/crypto/rsa/rsa_eay.c127
-rw-r--r--crypto/openssl/crypto/rsa/rsa_lib.c41
-rw-r--r--crypto/openssl/crypto/rsa/rsa_sign.c25
-rw-r--r--crypto/openssl/crypto/rsa/rsa_test.c3
-rw-r--r--crypto/openssl/crypto/threads/mttest.c5
-rw-r--r--crypto/openssl/crypto/x509/by_file.c3
-rw-r--r--crypto/openssl/crypto/x509/x509_trs.c1
-rw-r--r--crypto/openssl/crypto/x509/x509_vfy.c6
-rw-r--r--crypto/openssl/crypto/x509/x509type.c5
-rw-r--r--crypto/openssl/crypto/x509v3/v3_conf.c2
-rw-r--r--crypto/openssl/crypto/x509v3/v3_cpols.c24
-rw-r--r--crypto/openssl/crypto/x509v3/v3_lib.c1
-rw-r--r--crypto/openssl/crypto/x509v3/v3_prn.c4
-rw-r--r--crypto/openssl/demos/engines/zencod/hw_zencod.h2
-rw-r--r--crypto/openssl/doc/HOWTO/certificates.txt12
-rw-r--r--crypto/openssl/doc/HOWTO/keys.txt73
-rw-r--r--crypto/openssl/doc/apps/ca.pod8
-rw-r--r--crypto/openssl/doc/apps/ocsp.pod37
-rw-r--r--crypto/openssl/doc/apps/s_client.pod7
-rw-r--r--crypto/openssl/doc/apps/s_server.pod8
-rw-r--r--crypto/openssl/doc/crypto/BIO_f_base64.pod5
-rw-r--r--crypto/openssl/doc/crypto/BIO_f_cipher.pod2
-rw-r--r--crypto/openssl/doc/openssl-shared.txt32
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_free.pod12
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod12
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_options.pod2
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod6
-rw-r--r--crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod4
-rw-r--r--crypto/openssl/doc/ssl/SSL_accept.pod3
-rw-r--r--crypto/openssl/doc/ssl/SSL_connect.pod3
-rw-r--r--crypto/openssl/e_os.h15
-rw-r--r--crypto/openssl/openssl.spec20
-rw-r--r--crypto/openssl/ssl/kssl.c36
-rw-r--r--crypto/openssl/ssl/kssl.h2
-rw-r--r--crypto/openssl/ssl/s3_clnt.c1
-rw-r--r--crypto/openssl/ssl/s3_srvr.c15
-rw-r--r--crypto/openssl/ssl/ssl_ciph.c7
-rw-r--r--crypto/openssl/ssl/ssl_lib.c5
-rw-r--r--crypto/openssl/ssl/ssl_rsa.c4
-rw-r--r--crypto/openssl/ssl/ssl_sess.c4
-rw-r--r--crypto/openssl/ssl/ssltest.c3
-rw-r--r--crypto/openssl/test/Makefile.ssl60
-rw-r--r--crypto/openssl/test/evptests.txt183
-rw-r--r--crypto/openssl/tools/c_rehash2
-rw-r--r--crypto/openssl/util/extract-names.pl4
-rwxr-xr-xcrypto/openssl/util/libeay.num2
-rwxr-xr-xcrypto/openssl/util/mk1mf.pl1
-rwxr-xr-xcrypto/openssl/util/mkdef.pl15
-rw-r--r--crypto/openssl/util/mkerr.pl16
-rw-r--r--crypto/openssl/util/pl/Mingw32.pl36
-rwxr-xr-xcrypto/openssl/util/point.sh6
137 files changed, 1616 insertions, 589 deletions
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index 0ef0122b5d7f..b8630792adf1 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES
@@ -2,6 +2,92 @@
OpenSSL CHANGES
_______________
+ Changes between 0.9.7b and 0.9.7c [30 Sep 2003]
+
+ *) Fix various bugs revealed by running the NISCC test suite:
+
+ Stop out of bounds reads in the ASN1 code when presented with
+ invalid tags (CAN-2003-0543 and CAN-2003-0544).
+
+ Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
+
+ If verify callback ignores invalid public key errors don't try to check
+ certificate signature with the NULL public key.
+
+ [Steve Henson]
+
+ *) New -ignore_err option in ocsp application to stop the server
+ exiting on the first error in a request.
+ [Steve Henson]
+
+ *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+ if the server requested one: as stated in TLS 1.0 and SSL 3.0
+ specifications.
+ [Steve Henson]
+
+ *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
+ extra data after the compression methods not only for TLS 1.0
+ but also for SSL 3.0 (as required by the specification).
+ [Bodo Moeller; problem pointed out by Matthias Loepfe]
+
+ *) Change X509_certificate_type() to mark the key as exported/exportable
+ when it's 512 *bits* long, not 512 bytes.
+ [Richard Levitte]
+
+ *) Change AES_cbc_encrypt() so it outputs exact multiple of
+ blocks during encryption.
+ [Richard Levitte]
+
+ *) Various fixes to base64 BIO and non blocking I/O. On write
+ flushes were not handled properly if the BIO retried. On read
+ data was not being buffered properly and had various logic bugs.
+ This also affects blocking I/O when the data being decoded is a
+ certain size.
+ [Steve Henson]
+
+ *) Various S/MIME bugfixes and compatibility changes:
+ output correct application/pkcs7 MIME type if
+ PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
+ Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
+ of files as .eml work). Correctly handle very long lines in MIME
+ parser.
+ [Steve Henson]
+
+ Changes between 0.9.7a and 0.9.7b [10 Apr 2003]
+
+ *) Countermeasure against the Klima-Pokorny-Rosa extension of
+ Bleichbacher's attack on PKCS #1 v1.5 padding: treat
+ a protocol version number mismatch like a decryption error
+ in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
+ [Bodo Moeller]
+
+ *) Turn on RSA blinding by default in the default implementation
+ to avoid a timing attack. Applications that don't want it can call
+ RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
+ They would be ill-advised to do so in most cases.
+ [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
+
+ *) Change RSA blinding code so that it works when the PRNG is not
+ seeded (in this case, the secret RSA exponent is abused as
+ an unpredictable seed -- if it is not unpredictable, there
+ is no point in blinding anyway). Make RSA blinding thread-safe
+ by remembering the creator's thread ID in rsa->blinding and
+ having all other threads use local one-time blinding factors
+ (this requires more computation than sharing rsa->blinding, but
+ avoids excessive locking; and if an RSA object is not shared
+ between threads, blinding will still be very fast).
+ [Bodo Moeller]
+
+ *) Fixed a typo bug that would cause ENGINE_set_default() to set an
+ ENGINE as defaults for all supported algorithms irrespective of
+ the 'flags' parameter. 'flags' is now honoured, so applications
+ should make sure they are passing it correctly.
+ [Geoff Thorpe]
+
+ *) Target "mingw" now allows native Windows code to be generated in
+ the Cygwin environment as well as with the MinGW compiler.
+ [Ulf Moeller]
+
Changes between 0.9.7 and 0.9.7a [19 Feb 2003]
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
@@ -85,6 +171,9 @@
Changes between 0.9.6h and 0.9.7 [31 Dec 2002]
+ [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
+ OpenSSL 0.9.7.]
+
*) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
code (06) was taken as the first octet of the session ID and the last
octet was ignored consequently. As a result SSLv2 client side session
@@ -1903,6 +1992,57 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Clean old EAY MD5 hack from e_os.h.
[Richard Levitte]
+ Changes between 0.9.6j and 0.9.6k [30 Sep 2003]
+
+ *) Fix various bugs revealed by running the NISCC test suite:
+
+ Stop out of bounds reads in the ASN1 code when presented with
+ invalid tags (CAN-2003-0543 and CAN-2003-0544).
+
+ If verify callback ignores invalid public key errors don't try to check
+ certificate signature with the NULL public key.
+
+ [Steve Henson]
+
+ *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+ if the server requested one: as stated in TLS 1.0 and SSL 3.0
+ specifications.
+ [Steve Henson]
+
+ *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
+ extra data after the compression methods not only for TLS 1.0
+ but also for SSL 3.0 (as required by the specification).
+ [Bodo Moeller; problem pointed out by Matthias Loepfe]
+
+ *) Change X509_certificate_type() to mark the key as exported/exportable
+ when it's 512 *bits* long, not 512 bytes.
+ [Richard Levitte]
+
+ Changes between 0.9.6i and 0.9.6j [10 Apr 2003]
+
+ *) Countermeasure against the Klima-Pokorny-Rosa extension of
+ Bleichbacher's attack on PKCS #1 v1.5 padding: treat
+ a protocol version number mismatch like a decryption error
+ in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
+ [Bodo Moeller]
+
+ *) Turn on RSA blinding by default in the default implementation
+ to avoid a timing attack. Applications that don't want it can call
+ RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
+ They would be ill-advised to do so in most cases.
+ [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
+
+ *) Change RSA blinding code so that it works when the PRNG is not
+ seeded (in this case, the secret RSA exponent is abused as
+ an unpredictable seed -- if it is not unpredictable, there
+ is no point in blinding anyway). Make RSA blinding thread-safe
+ by remembering the creator's thread ID in rsa->blinding and
+ having all other threads use local one-time blinding factors
+ (this requires more computation than sharing rsa->blinding, but
+ avoids excessive locking; and if an RSA object is not shared
+ between threads, blinding will still be very fast).
+ [Bodo Moeller]
+
Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure
index 768651f03cd0..61331dbb517f 100755
--- a/crypto/openssl/Configure
+++ b/crypto/openssl/Configure
@@ -219,7 +219,7 @@ my %table=(
# './Configure irix-[g]cc' manually.
# -mips4 flag is added by ./config when appropriate.
"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# N64 ABI builds.
"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -390,6 +390,7 @@ my %table=(
"linux-s390", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64-ecc", "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -506,10 +507,8 @@ my %table=(
"BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN::::::::::win32",
"BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",
-# Mingw32
-# (Note: the real CFLAGS for Windows builds are defined by util/mk1mf.pl
-# and its library files in util/pl/*)
-"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
+# MinGW
+"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-mno-cygwin -lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32::::.dll",
# UWIN
"UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
@@ -561,6 +560,8 @@ my %table=(
"vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
"vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::",
"vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::",
+"vxworks-ppc860","ccppc:-nostdinc -msoft-float -DCPU=PPC860 -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
+"vxworks-mipsle","ccmips:-B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -DL_ENDIAN -EL -Wl,-EL -mips2 -mno-branch-likely -G 0 -fno-builtin -msoft-float -DCPU=MIPS32 -DMIPSEL -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r::::::::::::::::ranlibmips:",
##### Compaq Non-Stop Kernel (Tandem)
"tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::",
diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ
index 389d786dab4d..ca5683def779 100644
--- a/crypto/openssl/FAQ
+++ b/crypto/openssl/FAQ
@@ -68,7 +68,7 @@ OpenSSL - Frequently Asked Questions
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7a was released on February 19, 2003.
+OpenSSL 0.9.7c was released on September 30, 2003.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
@@ -732,6 +732,7 @@ The general answer is to check the config.log file generated when running
the OpenSSH configure script. It should contain the detailed information
on why the OpenSSL library was not detected or considered incompatible.
+
* Can I use OpenSSL's SSL library with non-blocking I/O?
Yes; make sure to read the SSL_get_error(3) manual page!
diff --git a/crypto/openssl/LICENSE b/crypto/openssl/LICENSE
index 7b93e0dbcea5..dddb07842bb3 100644
--- a/crypto/openssl/LICENSE
+++ b/crypto/openssl/LICENSE
@@ -12,7 +12,7 @@
---------------
/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org
index 860901908395..e80b22a32a18 100644
--- a/crypto/openssl/Makefile.org
+++ b/crypto/openssl/Makefile.org
@@ -78,7 +78,7 @@ MAKEDEPPROG=makedepend
# gcc, then the driver will automatically translate it to -xarch=v8plus
# and pass it down to assembler.
AS=$(CC) -c
-ASFLAGS=$(CFLAG)
+ASFLAG=$(CFLAG)
# Set BN_ASM to bn_asm.o if you want to use the C version
BN_ASM= bn_asm.o
@@ -194,6 +194,7 @@ MAKE= make -f Makefile.ssl
MANDIR=$(OPENSSLDIR)/man
MAN1=1
MAN3=3
+MANSUFFIX=
SHELL=/bin/sh
TOP= .
@@ -225,7 +226,7 @@ sub_all:
do \
if [ -d "$$i" ]; then \
(cd $$i && echo "making all in $$i..." && \
- $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAGS='${ASFLAGS}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
else \
$(MAKE) $$i; \
fi; \
@@ -410,9 +411,10 @@ do_svr3-shared:
find . -name "*.o" -print > allobjs ; \
OBJS= ; export OBJS ; \
for obj in `ar t lib$$i.a` ; do \
- OBJS="$${OBJS} `grep $$obj allobjs`" ; \
+ OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
done ; \
- set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ set -x; ${CC} ${SHARED_LDFLAGS} \
+ -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
libs="-l$$i $$libs"; \
@@ -429,13 +431,16 @@ do_svr5-shared:
libs="$(LIBKRB5) $$libs"; \
fi; \
( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
+ SHARE_FLAG='-G'; \
+ (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
find . -name "*.o" -print > allobjs ; \
OBJS= ; export OBJS ; \
for obj in `ar t lib$$i.a` ; do \
- OBJS="$${OBJS} `grep $$obj allobjs`" ; \
+ OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
done ; \
- set -x; ${CC} ${SHARED_LDFLAGS} \
- -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \
+ ${CC} ${SHARED_LDFLAGS} \
+ $${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
libs="-l$$i $$libs"; \
@@ -589,10 +594,10 @@ Makefile.ssl: Makefile.org
@false
libclean:
- rm -f *.a */lib */*/lib
+ rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib
-clean:
- rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c
+clean: libclean
+ rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
@for i in $(DIRS) ;\
do \
if [ -d "$$i" ]; then \
@@ -602,7 +607,7 @@ clean:
fi; \
done;
rm -f openssl.pc
- rm -f *.a *.o speed.* *.map *.so .pure core
+ rm -f speed.* .pure
rm -f $(TARFILE)
@for i in $(ONEDIRS) ;\
do \
@@ -652,7 +657,10 @@ rehash: rehash.time
rehash.time: certs
@(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \
export OPENSSL OPENSSL_DEBUG_MEMORY; \
- LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
+ LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
+ DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
+ SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
+ LIBPATH="`pwd`:$$LIBPATH"; \
if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
$(PERL) tools/c_rehash certs)
@@ -663,10 +671,13 @@ test: tests
tests: rehash
@(cd test && echo "testing..." && \
$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
- @LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
- if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
- export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
- apps/openssl version -a
+ @LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
+ DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
+ SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
+ LIBPATH="`pwd`:$$LIBPATH"; \
+ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
+ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
+ apps/openssl version -a
report:
@$(PERL) util/selftest.pl
@@ -821,6 +832,7 @@ install: all install_docs
fi; \
fi
cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
install_docs:
@$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -837,33 +849,33 @@ install_docs:
for i in doc/apps/*.pod; do \
fn=`basename $$i .pod`; \
if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
- echo "installing man$$sec/$$fn.$$sec"; \
+ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
sh -c "$$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
- > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
$(PERL) util/extract-names.pl < $$i | \
grep -v $$filecase "^$$fn\$$" | \
(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
while read n; do \
- $$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+ $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
done); \
done; \
for i in doc/crypto/*.pod doc/ssl/*.pod; do \
fn=`basename $$i .pod`; \
if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
- echo "installing man$$sec/$$fn.$$sec"; \
+ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
sh -c "$$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
- > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
$(PERL) util/extract-names.pl < $$i | \
grep -v $$filecase "^$$fn\$$" | \
(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
while read n; do \
- $$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+ $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
done); \
done
diff --git a/crypto/openssl/Makefile.ssl b/crypto/openssl/Makefile.ssl
index 04de989fabd2..2a74a3db04f4 100644
--- a/crypto/openssl/Makefile.ssl
+++ b/crypto/openssl/Makefile.ssl
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=0.9.7a
+VERSION=0.9.7c
MAJOR=0
MINOR=9.7
SHLIB_VERSION_NUMBER=0.9.7
@@ -12,9 +12,9 @@ SHLIB_VERSION_HISTORY=
SHLIB_MAJOR=0
SHLIB_MINOR=9.7
SHLIB_EXT=
-PLATFORM=dist
+PLATFORM=VC-WIN16
OPTIONS= no-krb5
-CONFIGURE_ARGS=dist
+CONFIGURE_ARGS=VC-WIN16
SHLIB_TARGET=
# HERE indicates where this Makefile lives. This can be used to indicate
@@ -59,9 +59,9 @@ OPENSSLDIR=/usr/local/ssl
# equal 4.
# PKCS1_CHECK - pkcs1 tests.
-CC= cc
+CC= cl
#CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-CFLAG= -DOPENSSL_NO_KRB5 -O
+CFLAG= -DOPENSSL_SYSNAME_WIN16 -DOPENSSL_NO_KRB5
DEPFLAG=
PEX_LIBS=
EX_LIBS=
@@ -69,7 +69,7 @@ EXE_EXT=
ARFLAGS=
AR=ar $(ARFLAGS) r
RANLIB= /usr/bin/ranlib
-PERL= /usr/local/bin/perl
+PERL= /usr/local/bin/perl5
TAR= tar
TARFLAGS= --no-recursion
MAKEDEPPROG=makedepend
@@ -80,7 +80,7 @@ MAKEDEPPROG=makedepend
# gcc, then the driver will automatically translate it to -xarch=v8plus
# and pass it down to assembler.
AS=$(CC) -c
-ASFLAGS=$(CFLAG)
+ASFLAG=$(CFLAG)
# Set BN_ASM to bn_asm.o if you want to use the C version
BN_ASM= bn_asm.o
@@ -196,6 +196,7 @@ MAKE= make -f Makefile.ssl
MANDIR=$(OPENSSLDIR)/man
MAN1=1
MAN3=3
+MANSUFFIX=
SHELL=/bin/sh
TOP= .
@@ -227,7 +228,7 @@ sub_all:
do \
if [ -d "$$i" ]; then \
(cd $$i && echo "making all in $$i..." && \
- $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAGS='${ASFLAGS}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
else \
$(MAKE) $$i; \
fi; \
@@ -412,9 +413,10 @@ do_svr3-shared:
find . -name "*.o" -print > allobjs ; \
OBJS= ; export OBJS ; \
for obj in `ar t lib$$i.a` ; do \
- OBJS="$${OBJS} `grep $$obj allobjs`" ; \
+ OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
done ; \
- set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ set -x; ${CC} ${SHARED_LDFLAGS} \
+ -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
libs="-l$$i $$libs"; \
@@ -431,13 +433,16 @@ do_svr5-shared:
libs="$(LIBKRB5) $$libs"; \
fi; \
( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
+ SHARE_FLAG='-G'; \
+ (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
find . -name "*.o" -print > allobjs ; \
OBJS= ; export OBJS ; \
for obj in `ar t lib$$i.a` ; do \
- OBJS="$${OBJS} `grep $$obj allobjs`" ; \
+ OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
done ; \
- set -x; ${CC} ${SHARED_LDFLAGS} \
- -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \
+ ${CC} ${SHARED_LDFLAGS} \
+ $${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
libs="-l$$i $$libs"; \
@@ -591,10 +596,10 @@ Makefile.ssl: Makefile.org
@false
libclean:
- rm -f *.a */lib */*/lib
+ rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib
-clean:
- rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c
+clean: libclean
+ rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
@for i in $(DIRS) ;\
do \
if [ -d "$$i" ]; then \
@@ -604,7 +609,7 @@ clean:
fi; \
done;
rm -f openssl.pc
- rm -f *.a *.o speed.* *.map *.so .pure core
+ rm -f speed.* .pure
rm -f $(TARFILE)
@for i in $(ONEDIRS) ;\
do \
@@ -654,7 +659,10 @@ rehash: rehash.time
rehash.time: certs
@(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \
export OPENSSL OPENSSL_DEBUG_MEMORY; \
- LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
+ LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
+ DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
+ SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
+ LIBPATH="`pwd`:$$LIBPATH"; \
if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
$(PERL) tools/c_rehash certs)
@@ -665,10 +673,13 @@ test: tests
tests: rehash
@(cd test && echo "testing..." && \
$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
- @LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
- if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
- export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
- apps/openssl version -a
+ @LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
+ DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
+ SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
+ LIBPATH="`pwd`:$$LIBPATH"; \
+ if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
+ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
+ apps/openssl version -a
report:
@$(PERL) util/selftest.pl
@@ -823,6 +834,7 @@ install: all install_docs
fi; \
fi
cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
install_docs:
@$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -839,33 +851,33 @@ install_docs:
for i in doc/apps/*.pod; do \
fn=`basename $$i .pod`; \
if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
- echo "installing man$$sec/$$fn.$$sec"; \
+ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
sh -c "$$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
- > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
$(PERL) util/extract-names.pl < $$i | \
grep -v $$filecase "^$$fn\$$" | \
(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
while read n; do \
- $$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+ $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
done); \
done; \
for i in doc/crypto/*.pod doc/ssl/*.pod; do \
fn=`basename $$i .pod`; \
if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
- echo "installing man$$sec/$$fn.$$sec"; \
+ echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
sh -c "$$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
- > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
$(PERL) util/extract-names.pl < $$i | \
grep -v $$filecase "^$$fn\$$" | \
(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
while read n; do \
- $$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+ $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
done); \
done
diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS
index 3cf173ebae23..f0282ebb8755 100644
--- a/crypto/openssl/NEWS
+++ b/crypto/openssl/NEWS
@@ -5,6 +5,24 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
+
+ o Security: fix various ASN1 parsing bugs.
+ o New -ignore_err option to OCSP utility.
+ o Various interop and bug fixes in S/MIME code.
+ o SSL/TLS protocol fix for unrequested client certificates.
+
+ Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b:
+
+ o Security: counter the Klima-Pokorny-Rosa extension of
+ Bleichbacher's attack
+ o Security: make RSA blinding default.
+ o Configuration: Irix fixes, AIX fixes, better mingw support.
+ o Support for new platforms: linux-ia64-ecc.
+ o Build: shared library support fixes.
+ o ASN.1: treat domainComponent correctly.
+ o Documentation: fixes and additions.
+
Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a:
o Security: Important security related bugfixes.
@@ -62,6 +80,18 @@
o SSL/TLS: add callback to retrieve SSL/TLS messages.
o SSL/TLS: support AES cipher suites (RFC3268).
+ Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k:
+
+ o Security: fix various ASN1 parsing bugs.
+ o SSL/TLS protocol fix for unrequested client certificates.
+
+ Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j:
+
+ o Security: counter the Klima-Pokorny-Rosa extension of
+ Bleichbacher's attack
+ o Security: make RSA blinding default.
+ o Build: shared library support fixes.
+
Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i:
o Important security related bugfixes.
diff --git a/crypto/openssl/PROBLEMS b/crypto/openssl/PROBLEMS
index 1a956b54815c..85e96a5ebebc 100644
--- a/crypto/openssl/PROBLEMS
+++ b/crypto/openssl/PROBLEMS
@@ -98,3 +98,34 @@ config-line. './Configure aix43-cc shared' is working, but not
libraries. It's possible to build 64-bit shared libraries by running
'env OBJECT_MODE=64 make', but we need more elegant solution. Preferably one
supporting even gcc shared builds. See RT#463 for background information.
+
+* Problems building shared libraries on SCO OpenServer Release 5.0.6
+ with gcc 2.95.3
+
+The symptoms appear when running the test suite, more specifically
+test/ectest, with the following result:
+
+OSSL_LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$OSSL_LIBPATH:$LD_LIBRARY_PATH"; DYLD_LIBRARY_PATH="$OSSL_LIBPATH:$DYLD_LIBRARY_PATH"; SHLIB_PATH="$OSSL_LIBPATH:$SHLIB_PATH"; LIBPATH="$OSSL_LIBPATH:$LIBPATH"; if [ "debug-sco5-gcc" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./ectest
+ectest.c:186: ABORT
+
+The cause of the problem seems to be that isxdigit(), called from
+BN_hex2bn(), returns 0 on a perfectly legitimate hex digit. Further
+investigation shows that any of the isxxx() macros return 0 on any
+input. A direct look in the information array that the isxxx() use,
+called __ctype, shows that it contains all zeroes...
+
+Taking a look at the newly created libcrypto.so with nm, one can see
+that the variable __ctype is defined in libcrypto's .bss (which
+explains why it is filled with zeroes):
+
+$ nm -Pg libcrypto.so | grep __ctype
+__ctype B 0011659c
+__ctype2 U
+
+Curiously, __ctype2 is undefined, in spite of being declared in
+/usr/include/ctype.h in exactly the same way as __ctype.
+
+Any information helping to solve this issue would be deeply
+appreciated.
+
+NOTE: building non-shared doesn't come with this problem.
diff --git a/crypto/openssl/README b/crypto/openssl/README
index 35bedc08ebe2..65e3a124263b 100644
--- a/crypto/openssl/README
+++ b/crypto/openssl/README
@@ -1,5 +1,5 @@
- OpenSSL 0.9.7a Feb 19 2003
+ OpenSSL 0.9.7c 30 Sep 2003
Copyright (c) 1998-2003 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/openssl/apps/CA.pl b/crypto/openssl/apps/CA.pl
index 8b2ce7ea4248..669a016b8432 100755
--- a/crypto/openssl/apps/CA.pl
+++ b/crypto/openssl/apps/CA.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/perl
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
diff --git a/crypto/openssl/apps/Makefile.ssl b/crypto/openssl/apps/Makefile.ssl
index ff433d6a80d5..90e71dee7666 100644
--- a/crypto/openssl/apps/Makefile.ssl
+++ b/crypto/openssl/apps/Makefile.ssl
@@ -87,6 +87,7 @@ all: exe
exe: $(PROGRAM)
req: sreq.o $(A_OBJ) $(DLIBCRYPTO)
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o req $(CFLAG) sreq.o $(A_OBJ) $(RAND_OBJ) $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
sreq.o: req.c
@@ -147,10 +148,14 @@ $(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
-(cd ..; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; \
- LIBPATH="`pwd`"; LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; \
+ LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
+ DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
+ SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
+ LIBPATH="`pwd`:$$LIBPATH"; \
if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
$(PERL) tools/c_rehash certs)
diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c
index ec3e391b66ab..007e3e06c3e0 100644
--- a/crypto/openssl/apps/apps.c
+++ b/crypto/openssl/apps/apps.c
@@ -140,10 +140,6 @@
#include "apps.h"
#undef NON_MAIN
-#ifdef OPENSSL_SYS_WINDOWS
-# include "bss_file.c"
-#endif
-
typedef struct {
char *name;
unsigned long flag;
diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c
index 1d4e4aa7d3db..7ed60c7a9ac1 100644
--- a/crypto/openssl/apps/ca.c
+++ b/crypto/openssl/apps/ca.c
@@ -2193,7 +2193,7 @@ again2:
#ifdef X509_V3
/* Make it an X509 v3 certificate. */
- if (!X509_set_version(x509,2)) goto err;
+ if (!X509_set_version(ret,2)) goto err;
#endif
if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL)
diff --git a/crypto/openssl/apps/crl.c b/crypto/openssl/apps/crl.c
index c6089ace5261..81d66587c140 100644
--- a/crypto/openssl/apps/crl.c
+++ b/crypto/openssl/apps/crl.c
@@ -81,6 +81,7 @@ static char *crl_usage[]={
" -in arg - input file - default stdin\n",
" -out arg - output file - default stdout\n",
" -hash - print hash value\n",
+" -fingerprint - print the crl fingerprint\n",
" -issuer - print issuer DN\n",
" -lastupdate - lastUpdate field\n",
" -nextupdate - nextUpdate field\n",
diff --git a/crypto/openssl/apps/der_chop b/crypto/openssl/apps/der_chop
index 9070b032fc38..2ee9d6bfd44b 100644
--- a/crypto/openssl/apps/der_chop
+++ b/crypto/openssl/apps/der_chop
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/perl
#
# der_chop ... this is one total hack that Eric is really not proud of
# so don't look at it and don't ask for support
diff --git a/crypto/openssl/apps/engine.c b/crypto/openssl/apps/engine.c
index 456f80a70621..c3e1e8de1c38 100644
--- a/crypto/openssl/apps/engine.c
+++ b/crypto/openssl/apps/engine.c
@@ -520,4 +520,10 @@ end:
apps_shutdown();
OPENSSL_EXIT(ret);
}
+#else
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
#endif
diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c
index f05ec0e65540..e5f186fd5ea8 100644
--- a/crypto/openssl/apps/ocsp.c
+++ b/crypto/openssl/apps/ocsp.c
@@ -136,6 +136,7 @@ int MAIN(int argc, char **argv)
int accept_count = -1;
int badarg = 0;
int i;
+ int ignore_err = 0;
STACK *reqnames = NULL;
STACK_OF(OCSP_CERTID) *ids = NULL;
@@ -195,6 +196,8 @@ int MAIN(int argc, char **argv)
}
else badarg = 1;
}
+ else if (!strcmp(*args, "-ignore_err"))
+ ignore_err = 1;
else if (!strcmp(*args, "-noverify"))
noverify = 1;
else if (!strcmp(*args, "-nonce"))
@@ -524,7 +527,7 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-serial n serial number to check\n");
BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n");
BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n");
- BIO_printf (bio_err, "-sign_certs file additional certificates to include in signed request\n");
+ BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n");
BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n");
BIO_printf (bio_err, "-req_text print text form of request\n");
BIO_printf (bio_err, "-resp_text print text form of response\n");
@@ -544,10 +547,10 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
BIO_printf (bio_err, "-noverify don't verify response at all\n");
- BIO_printf (bio_err, "-verify_certs file additional certificates to search for signer\n");
+ BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
BIO_printf (bio_err, "-trust_other don't verify additional certificates\n");
BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n");
- BIO_printf (bio_err, "-no_sig_verify don't check signature on response\n");
+ BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n");
BIO_printf (bio_err, "-no_chain don't chain verify response\n");
BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n");
@@ -809,6 +812,8 @@ int MAIN(int argc, char **argv)
{
BIO_printf(out, "Responder Error: %s (%ld)\n",
OCSP_response_status_str(i), i);
+ if (ignore_err)
+ goto redo_accept;
ret = 0;
goto end;
}
diff --git a/crypto/openssl/apps/openssl.c b/crypto/openssl/apps/openssl.c
index 45af2ba7f9a8..e0d89d4ab413 100644
--- a/crypto/openssl/apps/openssl.c
+++ b/crypto/openssl/apps/openssl.c
@@ -163,7 +163,7 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
goto err;
}
- if (type < 0 || type > CRYPTO_NUM_LOCKS)
+ if (type < 0 || type >= CRYPTO_NUM_LOCKS)
{
errstr = "type out of bounds";
goto err;
diff --git a/crypto/openssl/apps/pkcs8.c b/crypto/openssl/apps/pkcs8.c
index 6be27e7f442f..ee8cf028138d 100644
--- a/crypto/openssl/apps/pkcs8.c
+++ b/crypto/openssl/apps/pkcs8.c
@@ -235,7 +235,7 @@ int MAIN(int argc, char **argv)
return (1);
}
if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) {
- BIO_printf(bio_err, "Error converting key\n", outfile);
+ BIO_printf(bio_err, "Error converting key\n");
ERR_print_errors(bio_err);
return (1);
}
@@ -259,8 +259,7 @@ int MAIN(int argc, char **argv)
if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
p8pass, strlen(p8pass),
NULL, 0, iter, p8inf))) {
- BIO_printf(bio_err, "Error encrypting key\n",
- outfile);
+ BIO_printf(bio_err, "Error encrypting key\n");
ERR_print_errors(bio_err);
return (1);
}
@@ -303,7 +302,7 @@ int MAIN(int argc, char **argv)
}
if (!p8) {
- BIO_printf (bio_err, "Error reading key\n", outfile);
+ BIO_printf (bio_err, "Error reading key\n");
ERR_print_errors(bio_err);
return (1);
}
@@ -317,13 +316,13 @@ int MAIN(int argc, char **argv)
}
if (!p8inf) {
- BIO_printf(bio_err, "Error decrypting key\n", outfile);
+ BIO_printf(bio_err, "Error decrypting key\n");
ERR_print_errors(bio_err);
return (1);
}
if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
- BIO_printf(bio_err, "Error converting key\n", outfile);
+ BIO_printf(bio_err, "Error converting key\n");
ERR_print_errors(bio_err);
return (1);
}
diff --git a/crypto/openssl/apps/s_apps.h b/crypto/openssl/apps/s_apps.h
index ff18a72fe078..66b6edd442be 100644
--- a/crypto/openssl/apps/s_apps.h
+++ b/crypto/openssl/apps/s_apps.h
@@ -112,6 +112,14 @@
#include <sys/types.h>
#include <openssl/opensslconf.h>
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#include <conio.h>
+#endif
+
+#ifdef OPENSSL_SYS_MSDOS
+#define _kbhit kbhit
+#endif
+
#if defined(OPENSSL_SYS_VMS) && !defined(FD_SET)
/* VAX C does not defined fd_set and friends, but it's actually quite simple */
/* These definitions are borrowed from SOCKETSHR. /Richard Levitte */
diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c
index 2e73f34676ff..eb6fd7c1c342 100644
--- a/crypto/openssl/apps/s_client.c
+++ b/crypto/openssl/apps/s_client.c
@@ -136,10 +136,6 @@ typedef unsigned int u_int;
#include <openssl/rand.h>
#include "s_apps.h"
-#ifdef OPENSSL_SYS_WINDOWS
-#include <conio.h>
-#endif
-
#ifdef OPENSSL_SYS_WINCE
/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
#ifdef fileno
@@ -221,7 +217,7 @@ static void sc_usage(void)
BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
BIO_printf(bio_err," for those protocols that support it, where\n");
BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
- BIO_printf(bio_err," only \"smtp\" is supported.\n");
+ BIO_printf(bio_err," only \"smtp\" and \"pop3\" are supported.\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
#endif
@@ -251,7 +247,7 @@ int MAIN(int argc, char **argv)
int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
SSL_CTX *ctx=NULL;
int ret=1,in_init=1,i,nbio_test=0;
- int smtp_starttls = 0;
+ int starttls_proto = 0;
int prexit = 0, vflags = 0;
SSL_METHOD *meth=NULL;
BIO *sbio;
@@ -260,7 +256,7 @@ int MAIN(int argc, char **argv)
char *engine_id=NULL;
ENGINE *e=NULL;
#endif
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
struct timeval tv;
#endif
@@ -415,7 +411,9 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad;
++argv;
if (strcmp(*argv,"smtp") == 0)
- smtp_starttls = 1;
+ starttls_proto = 1;
+ else if (strcmp(*argv,"pop3") == 0)
+ starttls_proto = 2;
else
goto bad;
}
@@ -587,12 +585,18 @@ re_start:
sbuf_off=0;
/* This is an ugly hack that does a lot of assumptions */
- if (smtp_starttls)
+ if (starttls_proto == 1)
{
BIO_read(sbio,mbuf,BUFSIZZ);
BIO_printf(sbio,"STARTTLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
+ if (starttls_proto == 2)
+ {
+ BIO_read(sbio,mbuf,BUFSIZZ);
+ BIO_printf(sbio,"STLS\r\n");
+ BIO_read(sbio,sbuf,BUFSIZZ);
+ }
for (;;)
{
@@ -613,11 +617,11 @@ re_start:
print_stuff(bio_c_out,con,full_log);
if (full_log > 0) full_log--;
- if (smtp_starttls)
+ if (starttls_proto)
{
BIO_printf(bio_err,"%s",mbuf);
/* We don't need to know any more */
- smtp_starttls = 0;
+ starttls_proto = 0;
}
if (reconnect)
@@ -636,7 +640,7 @@ re_start:
if (!ssl_pending)
{
-#ifndef OPENSSL_SYS_WINDOWS
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
if (tty_on)
{
if (read_tty) FD_SET(fileno(stdin),&readfds);
@@ -663,8 +667,8 @@ re_start:
* will choke the compiler: if you do have a cast then
* you can either go for (int *) or (void *).
*/
-#ifdef OPENSSL_SYS_WINDOWS
- /* Under Windows we make the assumption that we can
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+ /* Under Windows/DOS we make the assumption that we can
* always write to the tty: therefore if we need to
* write to the tty we just fall through. Otherwise
* we timeout the select every second and see if there
@@ -678,7 +682,7 @@ re_start:
tv.tv_usec = 0;
i=select(width,(void *)&readfds,(void *)&writefds,
NULL,&tv);
-#ifdef OPENSSL_SYS_WINCE
+#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
if(!i && (!_kbhit() || !read_tty) ) continue;
#else
if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
@@ -847,8 +851,8 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
}
}
-#ifdef OPENSSL_SYS_WINDOWS
-#ifdef OPENSSL_SYS_WINCE
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
else if (_kbhit())
#else
else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c
index 5157aae4d19c..ff4ab6ef28b9 100644
--- a/crypto/openssl/apps/s_server.c
+++ b/crypto/openssl/apps/s_server.c
@@ -140,10 +140,6 @@ typedef unsigned int u_int;
#include <openssl/rand.h>
#include "s_apps.h"
-#ifdef OPENSSL_SYS_WINDOWS
-#include <conio.h>
-#endif
-
#ifdef OPENSSL_SYS_WINCE
/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
#ifdef fileno
@@ -917,7 +913,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
unsigned long l;
SSL *con=NULL;
BIO *sbio;
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
struct timeval tv;
#endif
@@ -991,7 +987,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
if (!read_from_sslcon)
{
FD_ZERO(&readfds);
-#ifndef OPENSSL_SYS_WINDOWS
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
FD_SET(fileno(stdin),&readfds);
#endif
FD_SET(s,&readfds);
@@ -1001,8 +997,8 @@ static int sv_body(char *hostname, int s, unsigned char *context)
* the compiler: if you do have a cast then you can either
* go for (int *) or (void *).
*/
-#ifdef OPENSSL_SYS_WINDOWS
- /* Under Windows we can't select on stdin: only
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+ /* Under DOS (non-djgpp) and Windows we can't select on stdin: only
* on sockets. As a workaround we timeout the select every
* second and check for any keypress. In a proper Windows
* application we wouldn't do this because it is inefficient.
@@ -1263,7 +1259,13 @@ static int init_ssl_connection(SSL *con)
if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
TLS1_FLAGS_TLS_PADDING_BUG)
BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
-
+#ifndef OPENSSL_NO_KRB5
+ if (con->kssl_ctx->client_princ != NULL)
+ {
+ BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
+ con->kssl_ctx->client_princ);
+ }
+#endif /* OPENSSL_NO_KRB5 */
return(1);
}
diff --git a/crypto/openssl/apps/smime.c b/crypto/openssl/apps/smime.c
index cc248d377bb4..51bc893ffa8a 100644
--- a/crypto/openssl/apps/smime.c
+++ b/crypto/openssl/apps/smime.c
@@ -168,6 +168,10 @@ int MAIN(int argc, char **argv)
flags |= PKCS7_BINARY;
else if (!strcmp (*args, "-nosigs"))
flags |= PKCS7_NOSIGS;
+ else if (!strcmp (*args, "-nooldmime"))
+ flags |= PKCS7_NOOLDMIMETYPE;
+ else if (!strcmp (*args, "-crlfeol"))
+ flags |= PKCS7_CRLFEOL;
else if (!strcmp (*args, "-crl_check"))
store_flags |= X509_V_FLAG_CRL_CHECK;
else if (!strcmp (*args, "-crl_check_all"))
diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c
index 1ac6452bdb4c..2020b51de064 100644
--- a/crypto/openssl/apps/x509.c
+++ b/crypto/openssl/apps/x509.c
@@ -358,12 +358,6 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad;
if (!set_name_ex(&nmflag, *(++argv))) goto bad;
}
- else if (strcmp(*argv,"-setalias") == 0)
- {
- if (--argc < 1) goto bad;
- alias= *(++argv);
- trustout = 1;
- }
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv,"-engine") == 0)
{
@@ -1151,7 +1145,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
else if (!(bs = load_serial(CAfile, serialfile, create)))
goto end;
- if (!X509_STORE_add_cert(ctx,x)) goto end;
+/* if (!X509_STORE_add_cert(ctx,x)) goto end;*/
/* NOTE: this certificate can/should be self signed, unless it was
* a certificate request in which case it is not. */
diff --git a/crypto/openssl/bugs/SSLv3 b/crypto/openssl/bugs/SSLv3
index db53e1343a0e..a75a1652d953 100644
--- a/crypto/openssl/bugs/SSLv3
+++ b/crypto/openssl/bugs/SSLv3
@@ -29,7 +29,7 @@ RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when
doing a re-connect, always takes the first cipher in the cipher list.
If we accept a netscape connection, demand a client cert, have a
-non-self-sighed CA which does not have it's CA in netscape, and the
+non-self-signed CA which does not have it's CA in netscape, and the
browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
Netscape browsers do not really notice the server sending a
diff --git a/crypto/openssl/config b/crypto/openssl/config
index 88d28735cdf2..b3bd96bbfcb6 100755
--- a/crypto/openssl/config
+++ b/crypto/openssl/config
@@ -458,7 +458,7 @@ if [ "${SYSTEM}-${MACHINE}" = "Linux-alpha" ]; then
fi
if [ "${SYSTEM}" = "AIX" ]; then # favor vendor cc over gcc
- (cc) 2>&1 | grep -iv "command not found" > /dev/null && CC=cc
+ (cc) 2>&1 | grep -iv "not found" > /dev/null && CC=cc
fi
CCVER=${CCVER:-0}
@@ -473,7 +473,7 @@ echo Operating system: $GUESSOS
# more time that I want to waste at the moment
case "$GUESSOS" in
mips2-sgi-irix)
- CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+ CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
CPU=${CPU:-0}
if [ $CPU -ge 4000 ]; then
options="$options -mips2"
@@ -481,7 +481,7 @@ case "$GUESSOS" in
OUT="irix-$CC"
;;
mips3-sgi-irix)
- CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+ CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
CPU=${CPU:-0}
if [ $CPU -ge 5000 ]; then
options="$options -mips4"
@@ -497,7 +497,7 @@ case "$GUESSOS" in
echo " You have about 5 seconds to press Ctrl-C to abort."
(stty -icanon min 0 time 50; read waste) < /dev/tty
fi
- CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+ CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
CPU=${CPU:-0}
if [ $CPU -ge 5000 ]; then
options="$options -mips4"
diff --git a/crypto/openssl/crypto/aes/aes.h b/crypto/openssl/crypto/aes/aes.h
index 8294a41a3ad6..da067f4a8fa5 100644
--- a/crypto/openssl/crypto/aes/aes.h
+++ b/crypto/openssl/crypto/aes/aes.h
@@ -100,7 +100,7 @@ void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
unsigned char *ivec, int *num);
void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
const unsigned long length, const AES_KEY *key,
- unsigned char counter[AES_BLOCK_SIZE],
+ unsigned char ivec[AES_BLOCK_SIZE],
unsigned char ecount_buf[AES_BLOCK_SIZE],
unsigned int *num);
diff --git a/crypto/openssl/crypto/aes/aes_cbc.c b/crypto/openssl/crypto/aes/aes_cbc.c
index de438306b15a..86b27b10d612 100644
--- a/crypto/openssl/crypto/aes/aes_cbc.c
+++ b/crypto/openssl/crypto/aes/aes_cbc.c
@@ -72,7 +72,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
if (AES_ENCRYPT == enc) {
while (len >= AES_BLOCK_SIZE) {
- for(n=0; n < sizeof tmp; ++n)
+ for(n=0; n < AES_BLOCK_SIZE; ++n)
tmp[n] = in[n] ^ ivec[n];
AES_encrypt(tmp, out, key);
memcpy(ivec, out, AES_BLOCK_SIZE);
@@ -86,12 +86,12 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
for(n=len; n < AES_BLOCK_SIZE; ++n)
tmp[n] = ivec[n];
AES_encrypt(tmp, tmp, key);
- memcpy(out, tmp, len);
- memcpy(ivec, tmp, sizeof tmp);
+ memcpy(out, tmp, AES_BLOCK_SIZE);
+ memcpy(ivec, tmp, AES_BLOCK_SIZE);
}
} else {
while (len >= AES_BLOCK_SIZE) {
- memcpy(tmp, in, sizeof tmp);
+ memcpy(tmp, in, AES_BLOCK_SIZE);
AES_decrypt(in, out, key);
for(n=0; n < AES_BLOCK_SIZE; ++n)
out[n] ^= ivec[n];
@@ -101,11 +101,11 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
out += AES_BLOCK_SIZE;
}
if (len) {
- memcpy(tmp, in, sizeof tmp);
+ memcpy(tmp, in, AES_BLOCK_SIZE);
AES_decrypt(tmp, tmp, key);
for(n=0; n < len; ++n)
out[n] ^= ivec[n];
- memcpy(ivec, tmp, sizeof tmp);
+ memcpy(ivec, tmp, AES_BLOCK_SIZE);
}
}
}
diff --git a/crypto/openssl/crypto/aes/aes_ctr.c b/crypto/openssl/crypto/aes/aes_ctr.c
index 59088499a0a9..79e1c18f193c 100644
--- a/crypto/openssl/crypto/aes/aes_ctr.c
+++ b/crypto/openssl/crypto/aes/aes_ctr.c
@@ -62,19 +62,49 @@
/* NOTE: CTR mode is big-endian. The rest of the AES code
* is endian-neutral. */
-/* increment counter (128-bit int) by 2^64 */
+/* increment counter (128-bit int) by 1 */
static void AES_ctr128_inc(unsigned char *counter) {
unsigned long c;
- /* Grab 3rd dword of counter and increment */
+ /* Grab bottom dword of counter and increment */
#ifdef L_ENDIAN
- c = GETU32(counter + 8);
+ c = GETU32(counter + 0);
c++;
- PUTU32(counter + 8, c);
+ PUTU32(counter + 0, c);
#else
- c = GETU32(counter + 4);
+ c = GETU32(counter + 12);
c++;
- PUTU32(counter + 4, c);
+ PUTU32(counter + 12, c);
+#endif
+
+ /* if no overflow, we're done */
+ if (c)
+ return;
+
+ /* Grab 1st dword of counter and increment */
+#ifdef L_ENDIAN
+ c = GETU32(counter + 4);
+ c++;
+ PUTU32(counter + 4, c);
+#else
+ c = GETU32(counter + 8);
+ c++;
+ PUTU32(counter + 8, c);
+#endif
+
+ /* if no overflow, we're done */
+ if (c)
+ return;
+
+ /* Grab 2nd dword of counter and increment */
+#ifdef L_ENDIAN
+ c = GETU32(counter + 8);
+ c++;
+ PUTU32(counter + 8, c);
+#else
+ c = GETU32(counter + 4);
+ c++;
+ PUTU32(counter + 4, c);
#endif
/* if no overflow, we're done */
@@ -100,10 +130,16 @@ static void AES_ctr128_inc(unsigned char *counter) {
* encrypted counter is kept in ecount_buf. Both *num and
* ecount_buf must be initialised with zeros before the first
* call to AES_ctr128_encrypt().
+ *
+ * This algorithm assumes that the counter is in the x lower bits
+ * of the IV (ivec), and that the application has full control over
+ * overflow and the rest of the IV. This implementation takes NO
+ * responsability for checking that the counter doesn't overflow
+ * into the rest of the IV when incremented.
*/
void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
const unsigned long length, const AES_KEY *key,
- unsigned char counter[AES_BLOCK_SIZE],
+ unsigned char ivec[AES_BLOCK_SIZE],
unsigned char ecount_buf[AES_BLOCK_SIZE],
unsigned int *num) {
@@ -117,8 +153,8 @@ void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
while (l--) {
if (n == 0) {
- AES_encrypt(counter, ecount_buf, key);
- AES_ctr128_inc(counter);
+ AES_encrypt(ivec, ecount_buf, key);
+ AES_ctr128_inc(ivec);
}
*(out++) = *(in++) ^ ecount_buf[n];
n = (n+1) % AES_BLOCK_SIZE;
diff --git a/crypto/openssl/crypto/asn1/a_mbstr.c b/crypto/openssl/crypto/asn1/a_mbstr.c
index 5d981c655387..e8a26af521f2 100644
--- a/crypto/openssl/crypto/asn1/a_mbstr.c
+++ b/crypto/openssl/crypto/asn1/a_mbstr.c
@@ -296,7 +296,7 @@ static int in_utf8(unsigned long value, void *arg)
static int out_utf8(unsigned long value, void *arg)
{
- long *outlen;
+ int *outlen;
outlen = arg;
*outlen += UTF8_putc(NULL, -1, value);
return 1;
diff --git a/crypto/openssl/crypto/asn1/a_strex.c b/crypto/openssl/crypto/asn1/a_strex.c
index 1def6c654943..8abfdfe59804 100644
--- a/crypto/openssl/crypto/asn1/a_strex.c
+++ b/crypto/openssl/crypto/asn1/a_strex.c
@@ -279,7 +279,7 @@ static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING
* otherwise it is the number of bytes per character
*/
-const static char tag2nbyte[] = {
+const static signed char tag2nbyte[] = {
-1, -1, -1, -1, -1, /* 0-4 */
-1, -1, -1, -1, -1, /* 5-9 */
-1, -1, 0, -1, /* 10-13 */
diff --git a/crypto/openssl/crypto/asn1/a_strnid.c b/crypto/openssl/crypto/asn1/a_strnid.c
index 04789d1c63fa..613bbc4a7da9 100644
--- a/crypto/openssl/crypto/asn1/a_strnid.c
+++ b/crypto/openssl/crypto/asn1/a_strnid.c
@@ -143,7 +143,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
/* Now the tables and helper functions for the string table:
*/
-/* size limits: this stuff is taken straight from RFC2459 */
+/* size limits: this stuff is taken straight from RFC3280 */
#define ub_name 32768
#define ub_common_name 64
@@ -153,6 +153,8 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
#define ub_organization_unit_name 64
#define ub_title 64
#define ub_email_address 128
+#define ub_serial_number 64
+
/* This table must be kept in NID order */
@@ -170,9 +172,11 @@ static ASN1_STRING_TABLE tbl_standard[] = {
{NID_givenName, 1, ub_name, DIRSTRING_TYPE, 0},
{NID_surname, 1, ub_name, DIRSTRING_TYPE, 0},
{NID_initials, 1, ub_name, DIRSTRING_TYPE, 0},
+{NID_serialNumber, 1, ub_serial_number, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
{NID_friendlyName, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK},
{NID_name, 1, ub_name, DIRSTRING_TYPE, 0},
{NID_dnQualifier, -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
+{NID_domainComponent, 1, -1, B_ASN1_IA5STRING, STABLE_NO_MASK},
{NID_ms_csp_name, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK}
};
@@ -249,4 +253,38 @@ static void st_free(ASN1_STRING_TABLE *tbl)
if(tbl->flags & STABLE_FLAGS_MALLOC) OPENSSL_free(tbl);
}
+
IMPLEMENT_STACK_OF(ASN1_STRING_TABLE)
+
+#ifdef STRING_TABLE_TEST
+
+main()
+{
+ ASN1_STRING_TABLE *tmp;
+ int i, last_nid = -1;
+
+ for (tmp = tbl_standard, i = 0;
+ i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++)
+ {
+ if (tmp->nid < last_nid)
+ {
+ last_nid = 0;
+ break;
+ }
+ last_nid = tmp->nid;
+ }
+
+ if (last_nid != 0)
+ {
+ printf("Table order OK\n");
+ exit(0);
+ }
+
+ for (tmp = tbl_standard, i = 0;
+ i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++)
+ printf("Index %d, NID %d, Name=%s\n", i, tmp->nid,
+ OBJ_nid2ln(tmp->nid));
+
+}
+
+#endif
diff --git a/crypto/openssl/crypto/asn1/asn1.h b/crypto/openssl/crypto/asn1/asn1.h
index 99ba920eca1f..3414509f1b74 100644
--- a/crypto/openssl/crypto/asn1/asn1.h
+++ b/crypto/openssl/crypto/asn1/asn1.h
@@ -132,7 +132,7 @@ extern "C" {
#define B_ASN1_NUMERICSTRING 0x0001
#define B_ASN1_PRINTABLESTRING 0x0002
#define B_ASN1_T61STRING 0x0004
-#define B_ASN1_TELETEXSTRING 0x0008
+#define B_ASN1_TELETEXSTRING 0x0004
#define B_ASN1_VIDEOTEXSTRING 0x0008
#define B_ASN1_IA5STRING 0x0010
#define B_ASN1_GRAPHICSTRING 0x0020
diff --git a/crypto/openssl/crypto/asn1/asn1_lib.c b/crypto/openssl/crypto/asn1/asn1_lib.c
index 0638870ab78f..e30d5dd303c9 100644
--- a/crypto/openssl/crypto/asn1/asn1_lib.c
+++ b/crypto/openssl/crypto/asn1/asn1_lib.c
@@ -104,10 +104,12 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
l<<=7L;
l|= *(p++)&0x7f;
if (--max == 0) goto err;
+ if (l > (INT_MAX >> 7L)) goto err;
}
l<<=7L;
l|= *(p++)&0x7f;
tag=(int)l;
+ if (--max == 0) goto err;
}
else
{
diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c
index 76fc023230a8..2426cb6253a3 100644
--- a/crypto/openssl/crypto/asn1/tasn_dec.c
+++ b/crypto/openssl/crypto/asn1/tasn_dec.c
@@ -691,6 +691,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl
int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
{
+ ASN1_VALUE **opval = NULL;
ASN1_STRING *stmp;
ASN1_TYPE *typ = NULL;
int ret = 0;
@@ -705,6 +706,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char
*pval = (ASN1_VALUE *)typ;
} else typ = (ASN1_TYPE *)*pval;
if(utype != typ->type) ASN1_TYPE_set(typ, utype, NULL);
+ opval = pval;
pval = (ASN1_VALUE **)&typ->value.ptr;
}
switch(utype) {
@@ -796,7 +798,12 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char
ret = 1;
err:
- if(!ret) ASN1_TYPE_free(typ);
+ if(!ret)
+ {
+ ASN1_TYPE_free(typ);
+ if (opval)
+ *opval = NULL;
+ }
return ret;
}
diff --git a/crypto/openssl/crypto/bio/b_print.c b/crypto/openssl/crypto/bio/b_print.c
index 3f5d6a74bf0c..2cfc689dd6b4 100644
--- a/crypto/openssl/crypto/bio/b_print.c
+++ b/crypto/openssl/crypto/bio/b_print.c
@@ -378,7 +378,7 @@ _dopr(
case 'p':
value = (long)va_arg(args, void *);
fmtint(sbuffer, buffer, &currlen, maxlen,
- value, 16, min, max, flags);
+ value, 16, min, max, flags|DP_F_NUM);
break;
case 'n': /* XXX */
if (cflags == DP_C_SHORT) {
@@ -482,8 +482,9 @@ fmtint(
int flags)
{
int signvalue = 0;
+ char *prefix = "";
unsigned LLONG uvalue;
- char convert[DECIMAL_SIZE(value)+1];
+ char convert[DECIMAL_SIZE(value)+3];
int place = 0;
int spadlen = 0;
int zpadlen = 0;
@@ -501,6 +502,10 @@ fmtint(
else if (flags & DP_F_SPACE)
signvalue = ' ';
}
+ if (flags & DP_F_NUM) {
+ if (base == 8) prefix = "0";
+ if (base == 16) prefix = "0x";
+ }
if (flags & DP_F_UP)
caps = 1;
do {
@@ -514,7 +519,7 @@ fmtint(
convert[place] = 0;
zpadlen = max - place;
- spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0);
+ spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0) - strlen(prefix);
if (zpadlen < 0)
zpadlen = 0;
if (spadlen < 0)
@@ -536,6 +541,12 @@ fmtint(
if (signvalue)
doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
+ /* prefix */
+ while (*prefix) {
+ doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
+ prefix++;
+ }
+
/* zeros */
if (zpadlen > 0) {
while (zpadlen > 0) {
@@ -692,7 +703,7 @@ fmtfp(
* Decimal point. This should probably use locale to find the correct
* char to print out.
*/
- if (max > 0) {
+ if (max > 0 || (flags & DP_F_NUM)) {
doapr_outch(sbuffer, buffer, currlen, maxlen, '.');
while (fplace > 0)
@@ -825,5 +836,5 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
* had the buffer been large enough.) */
return -1;
else
- return (retlen <= INT_MAX) ? retlen : -1;
+ return (retlen <= INT_MAX) ? (int)retlen : -1;
}
diff --git a/crypto/openssl/crypto/bio/bf_buff.c b/crypto/openssl/crypto/bio/bf_buff.c
index 1cecd7057956..c1fd75aaad80 100644
--- a/crypto/openssl/crypto/bio/bf_buff.c
+++ b/crypto/openssl/crypto/bio/bf_buff.c
@@ -494,6 +494,7 @@ static int buffer_gets(BIO *b, char *buf, int size)
if (i <= 0)
{
BIO_copy_next_retry(b);
+ *buf='\0';
if (i < 0) return((num > 0)?num:i);
if (i == 0) return(num);
}
diff --git a/crypto/openssl/crypto/bio/bss_bio.c b/crypto/openssl/crypto/bio/bss_bio.c
index aa58dab046b2..0f9f0955b411 100644
--- a/crypto/openssl/crypto/bio/bss_bio.c
+++ b/crypto/openssl/crypto/bio/bss_bio.c
@@ -1,4 +1,57 @@
/* crypto/bio/bss_bio.c -*- Mode: C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
/* Special method for a BIO where the other endpoint is also a BIO
* of this kind, handled by the same thread (i.e. the "peer" is actually
@@ -502,7 +555,7 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
break;
case BIO_C_DESTROY_BIO_PAIR:
- /* Effects both BIOs in the pair -- call just once!
+ /* Affects both BIOs in the pair -- call just once!
* Or let BIO_free(bio1); BIO_free(bio2); do the job. */
bio_destroy_pair(bio);
ret = 1;
diff --git a/crypto/openssl/crypto/bio/bss_file.c b/crypto/openssl/crypto/bio/bss_file.c
index a66600c1a34c..6904b5c081c4 100644
--- a/crypto/openssl/crypto/bio/bss_file.c
+++ b/crypto/openssl/crypto/bio/bss_file.c
@@ -213,12 +213,29 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
b->shutdown=(int)num&BIO_CLOSE;
b->ptr=(char *)ptr;
b->init=1;
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
- /* Set correct text/binary mode */
+#if defined(OPENSSL_SYS_WINDOWS)
if (num & BIO_FP_TEXT)
_setmode(fileno((FILE *)ptr),_O_TEXT);
else
_setmode(fileno((FILE *)ptr),_O_BINARY);
+#elif defined(OPENSSL_SYS_MSDOS)
+ {
+ int fd = fileno((FILE*)ptr);
+ /* Set correct text/binary mode */
+ if (num & BIO_FP_TEXT)
+ _setmode(fd,_O_TEXT);
+ /* Dangerous to set stdin/stdout to raw (unless redirected) */
+ else
+ {
+ if (fd == STDIN_FILENO || fd == STDOUT_FILENO)
+ {
+ if (isatty(fd) <= 0)
+ _setmode(fd,_O_BINARY);
+ }
+ else
+ _setmode(fd,_O_BINARY);
+ }
+ }
#elif defined(OPENSSL_SYS_OS2)
if (num & BIO_FP_TEXT)
setmode(fileno((FILE *)ptr), O_TEXT);
diff --git a/crypto/openssl/crypto/bn/Makefile.ssl b/crypto/openssl/crypto/bn/Makefile.ssl
index c1547a8e6d06..090fccdf7d29 100644
--- a/crypto/openssl/crypto/bn/Makefile.ssl
+++ b/crypto/openssl/crypto/bn/Makefile.ssl
@@ -22,6 +22,7 @@ BN_ASM= bn_asm.o
#BN_ASM= bn86-elf.o
CFLAGS= $(INCLUDES) $(CFLAG)
+ASFLAGS= $(INCLUDES) $(ASFLAG)
GENERAL=Makefile
TEST=bntest.c exptest.c
diff --git a/crypto/openssl/crypto/bn/bn.h b/crypto/openssl/crypto/bn/bn.h
index b40682f83182..3da6d8ced90b 100644
--- a/crypto/openssl/crypto/bn/bn.h
+++ b/crypto/openssl/crypto/bn/bn.h
@@ -248,6 +248,8 @@ typedef struct bn_blinding_st
BIGNUM *A;
BIGNUM *Ai;
BIGNUM *mod; /* just a reference */
+ unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
+ * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
} BN_BLINDING;
/* Used for montgomery multiplication */
diff --git a/crypto/openssl/crypto/bn/bn_mul.c b/crypto/openssl/crypto/bn/bn_mul.c
index cb93ac335692..3ae3822bc2af 100644
--- a/crypto/openssl/crypto/bn/bn_mul.c
+++ b/crypto/openssl/crypto/bn/bn_mul.c
@@ -224,7 +224,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
int n, BN_ULONG *t)
{
int i,j,n2=n*2;
- unsigned int c1,c2,neg,zero;
+ int c1,c2,neg,zero;
BN_ULONG ln,lo,*p;
# ifdef BN_COUNT
@@ -376,7 +376,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
/* The overflow will stop before we over write
* words we should not overwrite */
- if (ln < c1)
+ if (ln < (BN_ULONG)c1)
{
do {
p++;
diff --git a/crypto/openssl/crypto/bn/bntest.c b/crypto/openssl/crypto/bn/bntest.c
index 3aae9451deaf..3c8c540387a4 100644
--- a/crypto/openssl/crypto/bn/bntest.c
+++ b/crypto/openssl/crypto/bn/bntest.c
@@ -68,10 +68,6 @@
#include <openssl/x509.h>
#include <openssl/err.h>
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c"
-#endif
-
const int num0 = 100; /* number of tests */
const int num1 = 50; /* additional tests for some functions */
const int num2 = 5; /* number of tests for slow functions */
@@ -96,11 +92,6 @@ int test_sqrt(BIO *bp,BN_CTX *ctx);
int rand_neg(void);
static int results=0;
-#ifdef OPENSSL_NO_STDIO
-#define APPS_WIN16
-#include "bss_file.c"
-#endif
-
static unsigned char lst[]="\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
"\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
diff --git a/crypto/openssl/crypto/bn/exptest.c b/crypto/openssl/crypto/bn/exptest.c
index 621e6a9eeeb5..b09cf8870550 100644
--- a/crypto/openssl/crypto/bn/exptest.c
+++ b/crypto/openssl/crypto/bn/exptest.c
@@ -66,9 +66,6 @@
#include <openssl/bn.h>
#include <openssl/rand.h>
#include <openssl/err.h>
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c"
-#endif
#define NUM_BITS (BN_BITS*2)
diff --git a/crypto/openssl/crypto/des/cfb_enc.c b/crypto/openssl/crypto/des/cfb_enc.c
index 17bf77ca9e38..2600bdfc93a9 100644
--- a/crypto/openssl/crypto/des/cfb_enc.c
+++ b/crypto/openssl/crypto/des/cfb_enc.c
@@ -64,32 +64,22 @@
* the second. The second 12 bits will come from the 3rd and half the 4th
* byte.
*/
+/* WARNING WARNING: this uses in and out in 8-byte chunks regardless of
+ * length */
+/* Until Aug 1 2003 this function did not correctly implement CFB-r, so it
+ * will not be compatible with any encryption prior to that date. Ben. */
void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
- long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc)
+ long length, DES_key_schedule *schedule, DES_cblock *ivec,
+ int enc)
{
register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8;
- register DES_LONG mask0,mask1;
register unsigned long l=length;
register int num=numbits;
DES_LONG ti[2];
unsigned char *iv;
+ unsigned char ovec[16];
if (num > 64) return;
- if (num > 32)
- {
- mask0=0xffffffffL;
- if (num == 64)
- mask1=mask0;
- else mask1=(1L<<(num-32))-1;
- }
- else
- {
- if (num == 32)
- mask0=0xffffffffL;
- else mask0=(1L<<num)-1;
- mask1=0x00000000L;
- }
-
iv = &(*ivec)[0];
c2l(iv,v0);
c2l(iv,v1);
@@ -103,8 +93,8 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
DES_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT);
c2ln(in,d0,d1,n);
in+=n;
- d0=(d0^ti[0])&mask0;
- d1=(d1^ti[1])&mask1;
+ d0^=ti[0];
+ d1^=ti[1];
l2cn(d0,d1,out,n);
out+=n;
/* 30-08-94 - eay - changed because l>>32 and
@@ -113,15 +103,25 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
{ v0=v1; v1=d0; }
else if (num == 64)
{ v0=d0; v1=d1; }
- else if (num > 32) /* && num != 64 */
- {
- v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL;
- v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL;
- }
- else /* num < 32 */
+ else
{
- v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL;
- v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL;
+ iv=&ovec[0];
+ l2c(v0,iv);
+ l2c(v1,iv);
+ l2c(d0,iv);
+ l2c(d1,iv);
+ /* shift ovec left most of the bits... */
+ memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+ /* now the remaining bits */
+ if(num%8 != 0)
+ for(n=0 ; n < 8 ; ++n)
+ {
+ ovec[n]<<=num%8;
+ ovec[n]|=ovec[n+1]>>(8-num%8);
+ }
+ iv=&ovec[0];
+ c2l(iv,v0);
+ c2l(iv,v1);
}
}
}
@@ -141,18 +141,28 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
{ v0=v1; v1=d0; }
else if (num == 64)
{ v0=d0; v1=d1; }
- else if (num > 32) /* && num != 64 */
- {
- v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL;
- v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL;
- }
- else /* num < 32 */
+ else
{
- v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL;
- v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL;
+ iv=&ovec[0];
+ l2c(v0,iv);
+ l2c(v1,iv);
+ l2c(d0,iv);
+ l2c(d1,iv);
+ /* shift ovec left most of the bits... */
+ memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+ /* now the remaining bits */
+ if(num%8 != 0)
+ for(n=0 ; n < 8 ; ++n)
+ {
+ ovec[n]<<=num%8;
+ ovec[n]|=ovec[n+1]>>(8-num%8);
+ }
+ iv=&ovec[0];
+ c2l(iv,v0);
+ c2l(iv,v1);
}
- d0=(d0^ti[0])&mask0;
- d1=(d1^ti[1])&mask1;
+ d0^=ti[0];
+ d1^=ti[1];
l2cn(d0,d1,out,n);
out+=n;
}
diff --git a/crypto/openssl/crypto/des/destest.c b/crypto/openssl/crypto/des/destest.c
index 687c00c79229..3983ac8e5f1a 100644
--- a/crypto/openssl/crypto/des/destest.c
+++ b/crypto/openssl/crypto/des/destest.c
@@ -431,7 +431,7 @@ int main(int argc, char *argv[])
#ifndef LIBDES_LIT
printf("Doing ede ecb\n");
- for (i=0; i<(NUM_TESTS-1); i++)
+ for (i=0; i<(NUM_TESTS-2); i++)
{
DES_set_key_unchecked(&key_data[i],&ks);
DES_set_key_unchecked(&key_data[i+1],&ks2);
diff --git a/crypto/openssl/crypto/dh/Makefile.ssl b/crypto/openssl/crypto/dh/Makefile.ssl
index ed47f85d0773..1c447e971f87 100644
--- a/crypto/openssl/crypto/dh/Makefile.ssl
+++ b/crypto/openssl/crypto/dh/Makefile.ssl
@@ -112,17 +112,14 @@ dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
dh_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
dh_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
dh_gen.o: ../cryptlib.h dh_gen.c
-dh_key.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
-dh_key.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-dh_key.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-dh_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-dh_key.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dh_key.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dh_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dh_key.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+dh_key.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dh_key.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h
+dh_key.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dh_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dh_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-dh_key.o: ../cryptlib.h dh_key.c
+dh_key.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_key.c
dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
dh_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
diff --git a/crypto/openssl/crypto/dh/dh_key.c b/crypto/openssl/crypto/dh/dh_key.c
index 6ce65ed5f37c..77f2f50b5166 100644
--- a/crypto/openssl/crypto/dh/dh_key.c
+++ b/crypto/openssl/crypto/dh/dh_key.c
@@ -61,9 +61,6 @@
#include <openssl/bn.h>
#include <openssl/rand.h>
#include <openssl/dh.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
static int generate_key(DH *dh);
static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
diff --git a/crypto/openssl/crypto/dh/dhtest.c b/crypto/openssl/crypto/dh/dhtest.c
index 27237741da06..d75077f9fa08 100644
--- a/crypto/openssl/crypto/dh/dhtest.c
+++ b/crypto/openssl/crypto/dh/dhtest.c
@@ -62,9 +62,6 @@
#include "../e_os.h"
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c"
-#endif
#include <openssl/crypto.h>
#include <openssl/bio.h>
#include <openssl/bn.h>
@@ -87,10 +84,6 @@ int main(int argc, char *argv[])
#endif
static void MS_CALLBACK cb(int p, int n, void *arg);
-#ifdef OPENSSL_NO_STDIO
-#define APPS_WIN16
-#include "bss_file.c"
-#endif
static const char rnd_seed[] = "string to make the random number generator think it has entropy";
diff --git a/crypto/openssl/crypto/dsa/Makefile.ssl b/crypto/openssl/crypto/dsa/Makefile.ssl
index 08e692dc2ddf..014d0063477e 100644
--- a/crypto/openssl/crypto/dsa/Makefile.ssl
+++ b/crypto/openssl/crypto/dsa/Makefile.ssl
@@ -143,35 +143,29 @@ dsa_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
dsa_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
dsa_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
dsa_ossl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-dsa_ossl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-dsa_ossl.o: ../../include/openssl/opensslconf.h
+dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
dsa_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_ossl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-dsa_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dsa_ossl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+dsa_ossl.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dsa_ossl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
dsa_ossl.o: ../cryptlib.h dsa_ossl.c
dsa_sign.o: ../../e_os.h ../../include/openssl/asn1.h
dsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
dsa_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-dsa_sign.o: ../../include/openssl/opensslconf.h
+dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-dsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dsa_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+dsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
dsa_sign.o: ../cryptlib.h dsa_sign.c
dsa_vrf.o: ../../e_os.h ../../include/openssl/asn1.h
dsa_vrf.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
dsa_vrf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
dsa_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
dsa_vrf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-dsa_vrf.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dsa_vrf.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dsa_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_vrf.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+dsa_vrf.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_vrf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dsa_vrf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-dsa_vrf.o: ../cryptlib.h dsa_vrf.c
+dsa_vrf.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_vrf.c
diff --git a/crypto/openssl/crypto/dsa/dsa_ossl.c b/crypto/openssl/crypto/dsa/dsa_ossl.c
index 68d91dbe23bc..b9e7f3ea5c66 100644
--- a/crypto/openssl/crypto/dsa/dsa_ossl.c
+++ b/crypto/openssl/crypto/dsa/dsa_ossl.c
@@ -64,9 +64,6 @@
#include <openssl/dsa.h>
#include <openssl/rand.h>
#include <openssl/asn1.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
diff --git a/crypto/openssl/crypto/dsa/dsa_sign.c b/crypto/openssl/crypto/dsa/dsa_sign.c
index 5cdc8ed8511b..89205026f01b 100644
--- a/crypto/openssl/crypto/dsa/dsa_sign.c
+++ b/crypto/openssl/crypto/dsa/dsa_sign.c
@@ -64,9 +64,6 @@
#include <openssl/dsa.h>
#include <openssl/rand.h>
#include <openssl/asn1.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
{
diff --git a/crypto/openssl/crypto/dsa/dsa_vrf.c b/crypto/openssl/crypto/dsa/dsa_vrf.c
index fffb129f8f3b..c4aeddd05604 100644
--- a/crypto/openssl/crypto/dsa/dsa_vrf.c
+++ b/crypto/openssl/crypto/dsa/dsa_vrf.c
@@ -65,9 +65,6 @@
#include <openssl/rand.h>
#include <openssl/asn1.h>
#include <openssl/asn1_mac.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
DSA *dsa)
diff --git a/crypto/openssl/crypto/dsa/dsatest.c b/crypto/openssl/crypto/dsa/dsatest.c
index d4d038ae6f1b..4734ce4af851 100644
--- a/crypto/openssl/crypto/dsa/dsatest.c
+++ b/crypto/openssl/crypto/dsa/dsatest.c
@@ -68,12 +68,6 @@
#include <openssl/rand.h>
#include <openssl/bio.h>
#include <openssl/err.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-#ifdef OPENSSL_SYS_WINDOWS
-#include "../bio/bss_file.c"
-#endif
#ifdef OPENSSL_NO_DSA
int main(int argc, char *argv[])
diff --git a/crypto/openssl/crypto/dso/dso_dlfcn.c b/crypto/openssl/crypto/dso/dso_dlfcn.c
index 906b4703de71..9d49ebc25373 100644
--- a/crypto/openssl/crypto/dso/dso_dlfcn.c
+++ b/crypto/openssl/crypto/dso/dso_dlfcn.c
@@ -125,7 +125,11 @@ DSO_METHOD *DSO_METHOD_dlfcn(void)
# endif
# endif
#else
-# define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
+# ifdef OPENSSL_SYS_SUNOS
+# define DLOPEN_FLAG 1
+# else
+# define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
+# endif
#endif
/* For this DSO_METHOD, our meth_data STACK will contain;
diff --git a/crypto/openssl/crypto/ec/ec_mult.c b/crypto/openssl/crypto/ec/ec_mult.c
index 4dbc93112062..16822a73cf51 100644
--- a/crypto/openssl/crypto/ec/ec_mult.c
+++ b/crypto/openssl/crypto/ec/ec_mult.c
@@ -175,12 +175,13 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, B
* (thus the boundaries should be increased)
*/
#define EC_window_bits_for_scalar_size(b) \
- ((b) >= 2000 ? 6 : \
- (b) >= 800 ? 5 : \
- (b) >= 300 ? 4 : \
- (b) >= 70 ? 3 : \
- (b) >= 20 ? 2 : \
- 1)
+ ((size_t) \
+ ((b) >= 2000 ? 6 : \
+ (b) >= 800 ? 5 : \
+ (b) >= 300 ? 4 : \
+ (b) >= 70 ? 3 : \
+ (b) >= 20 ? 2 : \
+ 1))
/* Compute
* \sum scalars[i]*points[i],
diff --git a/crypto/openssl/crypto/engine/eng_fat.c b/crypto/openssl/crypto/engine/eng_fat.c
index f7edb5ad32f0..0d7dae00b243 100644
--- a/crypto/openssl/crypto/engine/eng_fat.c
+++ b/crypto/openssl/crypto/engine/eng_fat.c
@@ -66,18 +66,18 @@ int ENGINE_set_default(ENGINE *e, unsigned int flags)
if((flags & ENGINE_METHOD_DIGESTS) && !ENGINE_set_default_digests(e))
return 0;
#ifndef OPENSSL_NO_RSA
- if((flags & ENGINE_METHOD_RSA) & !ENGINE_set_default_RSA(e))
+ if((flags & ENGINE_METHOD_RSA) && !ENGINE_set_default_RSA(e))
return 0;
#endif
#ifndef OPENSSL_NO_DSA
- if((flags & ENGINE_METHOD_DSA) & !ENGINE_set_default_DSA(e))
+ if((flags & ENGINE_METHOD_DSA) && !ENGINE_set_default_DSA(e))
return 0;
#endif
#ifndef OPENSSL_NO_DH
- if((flags & ENGINE_METHOD_DH) & !ENGINE_set_default_DH(e))
+ if((flags & ENGINE_METHOD_DH) && !ENGINE_set_default_DH(e))
return 0;
#endif
- if((flags & ENGINE_METHOD_RAND) & !ENGINE_set_default_RAND(e))
+ if((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e))
return 0;
return 1;
}
diff --git a/crypto/openssl/crypto/engine/engine.h b/crypto/openssl/crypto/engine/engine.h
index 8686879e1a33..9c3ab182d379 100644
--- a/crypto/openssl/crypto/engine/engine.h
+++ b/crypto/openssl/crypto/engine/engine.h
@@ -538,10 +538,10 @@ void ENGINE_add_conf_module(void);
/**************************/
/* Binary/behaviour compatibility levels */
-#define OSSL_DYNAMIC_VERSION (unsigned long)0x00010100
+#define OSSL_DYNAMIC_VERSION (unsigned long)0x00010200
/* Binary versions older than this are too old for us (whether we're a loader or
* a loadee) */
-#define OSSL_DYNAMIC_OLDEST (unsigned long)0x00010100
+#define OSSL_DYNAMIC_OLDEST (unsigned long)0x00010200
/* When compiling an ENGINE entirely as an external shared library, loadable by
* the "dynamic" ENGINE, these types are needed. The 'dynamic_fns' structure
@@ -630,6 +630,10 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id,
if(!fn(e,id)) return 0; \
return 1; }
+#if defined(__OpenBSD__) || defined(__FreeBSD__)
+void ENGINE_setup_bsd_cryptodev(void);
+#endif
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
diff --git a/crypto/openssl/crypto/engine/hw_ubsec.c b/crypto/openssl/crypto/engine/hw_ubsec.c
index 6286dd851c61..5234a08a07bd 100644
--- a/crypto/openssl/crypto/engine/hw_ubsec.c
+++ b/crypto/openssl/crypto/engine/hw_ubsec.c
@@ -561,7 +561,6 @@ static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);
return 0;
}
- memset(r->d, 0, BN_num_bytes(m));
if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
fd = 0;
diff --git a/crypto/openssl/crypto/err/err.c b/crypto/openssl/crypto/err/err.c
index b873270c049a..633a1addfe8c 100644
--- a/crypto/openssl/crypto/err/err.c
+++ b/crypto/openssl/crypto/err/err.c
@@ -225,6 +225,7 @@ struct st_ERR_FNS
ERR_STRING_DATA *(*cb_err_del_item)(ERR_STRING_DATA *);
/* Works on the "thread_hash" error-state table */
LHASH *(*cb_thread_get)(int create);
+ void (*cb_thread_release)(LHASH **hash);
ERR_STATE *(*cb_thread_get_item)(const ERR_STATE *);
ERR_STATE *(*cb_thread_set_item)(ERR_STATE *);
void (*cb_thread_del_item)(const ERR_STATE *);
@@ -239,6 +240,7 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *);
static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *);
static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *);
static LHASH *int_thread_get(int create);
+static void int_thread_release(LHASH **hash);
static ERR_STATE *int_thread_get_item(const ERR_STATE *);
static ERR_STATE *int_thread_set_item(ERR_STATE *);
static void int_thread_del_item(const ERR_STATE *);
@@ -252,6 +254,7 @@ static const ERR_FNS err_defaults =
int_err_set_item,
int_err_del_item,
int_thread_get,
+ int_thread_release,
int_thread_get_item,
int_thread_set_item,
int_thread_del_item,
@@ -271,6 +274,7 @@ static const ERR_FNS *err_fns = NULL;
* and state in the loading application. */
static LHASH *int_error_hash = NULL;
static LHASH *int_thread_hash = NULL;
+static int int_thread_hash_references = 0;
static int int_err_library_number= ERR_LIB_USER;
/* Internal function that checks whether "err_fns" is set and if not, sets it to
@@ -417,11 +421,37 @@ static LHASH *int_thread_get(int create)
CRYPTO_pop_info();
}
if (int_thread_hash)
+ {
+ int_thread_hash_references++;
ret = int_thread_hash;
+ }
CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
return ret;
}
+static void int_thread_release(LHASH **hash)
+ {
+ int i;
+
+ if (hash == NULL || *hash == NULL)
+ return;
+
+ i = CRYPTO_add(&int_thread_hash_references, -1, CRYPTO_LOCK_ERR);
+
+#ifdef REF_PRINT
+ fprintf(stderr,"%4d:%s\n",int_thread_hash_references,"ERR");
+#endif
+ if (i > 0) return;
+#ifdef REF_CHECK
+ if (i < 0)
+ {
+ fprintf(stderr,"int_thread_release, bad reference count\n");
+ abort(); /* ok */
+ }
+#endif
+ *hash = NULL;
+ }
+
static ERR_STATE *int_thread_get_item(const ERR_STATE *d)
{
ERR_STATE *p;
@@ -436,6 +466,7 @@ static ERR_STATE *int_thread_get_item(const ERR_STATE *d)
p = (ERR_STATE *)lh_retrieve(hash, d);
CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
+ ERRFN(thread_release)(&hash);
return p;
}
@@ -453,6 +484,7 @@ static ERR_STATE *int_thread_set_item(ERR_STATE *d)
p = (ERR_STATE *)lh_insert(hash, d);
CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+ ERRFN(thread_release)(&hash);
return p;
}
@@ -469,13 +501,15 @@ static void int_thread_del_item(const ERR_STATE *d)
CRYPTO_w_lock(CRYPTO_LOCK_ERR);
p = (ERR_STATE *)lh_delete(hash, d);
/* make sure we don't leak memory */
- if (int_thread_hash && (lh_num_items(int_thread_hash) == 0))
+ if (int_thread_hash_references == 1
+ && int_thread_hash && (lh_num_items(int_thread_hash) == 0))
{
lh_free(int_thread_hash);
int_thread_hash = NULL;
}
CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+ ERRFN(thread_release)(&hash);
if (p)
ERR_STATE_free(p);
}
@@ -845,6 +879,12 @@ LHASH *ERR_get_err_state_table(void)
return ERRFN(thread_get)(0);
}
+void ERR_release_err_state_table(LHASH **hash)
+ {
+ err_fns_check();
+ ERRFN(thread_release)(hash);
+ }
+
const char *ERR_lib_error_string(unsigned long e)
{
ERR_STRING_DATA d,*p;
diff --git a/crypto/openssl/crypto/err/err.h b/crypto/openssl/crypto/err/err.h
index 988ef81aa0dc..8faa3a7b4f55 100644
--- a/crypto/openssl/crypto/err/err.h
+++ b/crypto/openssl/crypto/err/err.h
@@ -278,6 +278,7 @@ ERR_STATE *ERR_get_state(void);
#ifndef OPENSSL_NO_LHASH
LHASH *ERR_get_string_table(void);
LHASH *ERR_get_err_state_table(void);
+void ERR_release_err_state_table(LHASH **hash);
#endif
int ERR_get_next_error_library(void);
diff --git a/crypto/openssl/crypto/evp/Makefile.ssl b/crypto/openssl/crypto/evp/Makefile.ssl
index 94f61b38ec1d..772afd71f5a0 100644
--- a/crypto/openssl/crypto/evp/Makefile.ssl
+++ b/crypto/openssl/crypto/evp/Makefile.ssl
@@ -70,7 +70,7 @@ links:
@$(TOP)/util/point.sh Makefile.ssl Makefile
@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
- @$(PERL) $(TOP)/util/mklink.pl ../../test $(TESTDATA)
+ cp $(TESTDATA) ../../test
@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
install:
@@ -185,13 +185,14 @@ c_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
c_all.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
c_all.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
c_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-c_all.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-c_all.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-c_all.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-c_all.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+c_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+c_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+c_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+c_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+c_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
c_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
c_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
c_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
@@ -496,21 +497,19 @@ evp_acnf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
evp_acnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
evp_acnf.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
evp_acnf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-evp_acnf.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-evp_acnf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_acnf.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_acnf.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_acnf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-evp_acnf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-evp_acnf.o: ../../include/openssl/opensslconf.h
+evp_acnf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+evp_acnf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+evp_acnf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+evp_acnf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+evp_acnf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+evp_acnf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
evp_acnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-evp_acnf.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-evp_acnf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-evp_acnf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-evp_acnf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-evp_acnf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-evp_acnf.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-evp_acnf.o: ../cryptlib.h evp_acnf.c
+evp_acnf.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+evp_acnf.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+evp_acnf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+evp_acnf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_acnf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+evp_acnf.o: ../../include/openssl/ui_compat.h ../cryptlib.h evp_acnf.c
evp_enc.o: ../../e_os.h ../../include/openssl/aes.h
evp_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
evp_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
diff --git a/crypto/openssl/crypto/evp/bio_b64.c b/crypto/openssl/crypto/evp/bio_b64.c
index 6e550f6a430e..33349c2f9892 100644
--- a/crypto/openssl/crypto/evp/bio_b64.c
+++ b/crypto/openssl/crypto/evp/bio_b64.c
@@ -184,7 +184,9 @@ static int b64_read(BIO *b, char *out, int outl)
ret_code=0;
while (outl > 0)
{
- if (ctx->cont <= 0) break;
+
+ if (ctx->cont <= 0)
+ break;
i=BIO_read(b->next_bio,&(ctx->tmp[ctx->tmp_len]),
B64_BLOCK_SIZE-ctx->tmp_len);
@@ -195,11 +197,21 @@ static int b64_read(BIO *b, char *out, int outl)
/* Should be continue next time we are called? */
if (!BIO_should_retry(b->next_bio))
+ {
ctx->cont=i;
- /* else we should continue when called again */
- break;
+ /* If buffer empty break */
+ if(ctx->tmp_len == 0)
+ break;
+ /* Fall through and process what we have */
+ else
+ i = 0;
+ }
+ /* else we retry and add more data to buffer */
+ else
+ break;
}
i+=ctx->tmp_len;
+ ctx->tmp_len = i;
/* We need to scan, a line at a time until we
* have a valid line if we are starting. */
@@ -255,8 +267,12 @@ static int b64_read(BIO *b, char *out, int outl)
* reading until a new line. */
if (p == (unsigned char *)&(ctx->tmp[0]))
{
- ctx->tmp_nl=1;
- ctx->tmp_len=0;
+ /* Check buffer full */
+ if (i == B64_BLOCK_SIZE)
+ {
+ ctx->tmp_nl=1;
+ ctx->tmp_len=0;
+ }
}
else if (p != q) /* finished on a '\n' */
{
@@ -271,6 +287,11 @@ static int b64_read(BIO *b, char *out, int outl)
else
ctx->tmp_len=0;
}
+ /* If buffer isn't full and we can retry then
+ * restart to read in more data.
+ */
+ else if ((i < B64_BLOCK_SIZE) && (ctx->cont > 0))
+ continue;
if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL)
{
@@ -310,8 +331,8 @@ static int b64_read(BIO *b, char *out, int outl)
i=EVP_DecodeUpdate(&(ctx->base64),
(unsigned char *)ctx->buf,&ctx->buf_len,
(unsigned char *)ctx->tmp,i);
+ ctx->tmp_len = 0;
}
- ctx->cont=i;
ctx->buf_off=0;
if (i < 0)
{
@@ -484,10 +505,7 @@ again:
{
i=b64_write(b,NULL,0);
if (i < 0)
- {
- ret=i;
- break;
- }
+ return i;
}
if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL)
{
diff --git a/crypto/openssl/crypto/evp/bio_enc.c b/crypto/openssl/crypto/evp/bio_enc.c
index 510e1bc8a4c2..ab8185150344 100644
--- a/crypto/openssl/crypto/evp/bio_enc.c
+++ b/crypto/openssl/crypto/evp/bio_enc.c
@@ -271,7 +271,7 @@ static int enc_write(BIO *b, const char *in, int inl)
if (i <= 0)
{
BIO_copy_next_retry(b);
- return(i);
+ return (ret == inl) ? i : ret - inl;
}
n-=i;
ctx->buf_off+=i;
@@ -325,10 +325,7 @@ again:
{
i=enc_write(b,NULL,0);
if (i < 0)
- {
- ret=i;
- break;
- }
+ return i;
}
if (!ctx->finished)
diff --git a/crypto/openssl/crypto/evp/c_all.c b/crypto/openssl/crypto/evp/c_all.c
index af3dd261629a..fa60a73ead13 100644
--- a/crypto/openssl/crypto/evp/c_all.c
+++ b/crypto/openssl/crypto/evp/c_all.c
@@ -59,6 +59,9 @@
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/evp.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
#if 0
#undef OpenSSL_add_all_algorithms
@@ -73,7 +76,9 @@ void OPENSSL_add_all_algorithms_noconf(void)
{
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
-#if defined(__OpenBSD__) || defined(__FreeBSD__)
+#ifndef OPENSSL_NO_ENGINE
+# if defined(__OpenBSD__) || defined(__FreeBSD__)
ENGINE_setup_bsd_cryptodev();
+# endif
#endif
}
diff --git a/crypto/openssl/crypto/evp/digest.c b/crypto/openssl/crypto/evp/digest.c
index 5b2104ac120f..b22eed442115 100644
--- a/crypto/openssl/crypto/evp/digest.c
+++ b/crypto/openssl/crypto/evp/digest.c
@@ -187,12 +187,12 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
ctx->engine = NULL;
}
else
-#endif
if(!ctx->digest)
{
EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_NO_DIGEST_SET);
return 0;
}
+#endif
if (ctx->digest != type)
{
if (ctx->digest && ctx->digest->ctx_size)
diff --git a/crypto/openssl/crypto/evp/evp_acnf.c b/crypto/openssl/crypto/evp/evp_acnf.c
index 54c073ca444c..ff3e311cc527 100644
--- a/crypto/openssl/crypto/evp/evp_acnf.c
+++ b/crypto/openssl/crypto/evp/evp_acnf.c
@@ -59,9 +59,6 @@
#include "cryptlib.h"
#include <openssl/evp.h>
#include <openssl/conf.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
/* Load all algorithms and configure OpenSSL.
diff --git a/crypto/openssl/crypto/md2/md2test.c b/crypto/openssl/crypto/md2/md2test.c
index 901d0a7d8ea6..9c1e28b6ce80 100644
--- a/crypto/openssl/crypto/md2/md2test.c
+++ b/crypto/openssl/crypto/md2/md2test.c
@@ -59,7 +59,6 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#include <openssl/md2.h>
#include "../e_os.h"
@@ -71,6 +70,7 @@ int main(int argc, char *argv[])
}
#else
#include <openssl/evp.h>
+#include <openssl/md2.h>
#ifdef CHARSET_EBCDIC
#include <openssl/ebcdic.h>
diff --git a/crypto/openssl/crypto/md5/Makefile.ssl b/crypto/openssl/crypto/md5/Makefile.ssl
index 56cab5d882ba..2d4df972ffb6 100644
--- a/crypto/openssl/crypto/md5/Makefile.ssl
+++ b/crypto/openssl/crypto/md5/Makefile.ssl
@@ -6,7 +6,7 @@ DIR= md5
TOP= ../..
CC= cc
CPP= $(CC) -E
-INCLUDES=
+INCLUDES=-I.. -I$(TOP) -I../../include
CFLAG=-g
INSTALL_PREFIX=
OPENSSLDIR= /usr/local/ssl
@@ -20,6 +20,7 @@ AR= ar r
MD5_ASM_OBJ=
CFLAGS= $(INCLUDES) $(CFLAG)
+ASFLAGS= $(INCLUDES) $(ASFLAG)
GENERAL=Makefile
TEST=md5test.c
diff --git a/crypto/openssl/crypto/md5/asm/md5-586.pl b/crypto/openssl/crypto/md5/asm/md5-586.pl
index 5fc6a205ce00..fa3fa3bed59c 100644
--- a/crypto/openssl/crypto/md5/asm/md5-586.pl
+++ b/crypto/openssl/crypto/md5/asm/md5-586.pl
@@ -293,7 +293,7 @@ sub md5_block
&mov(&DWP(12,$tmp2,"",0),$D);
&cmp($tmp1,$X) unless $normal; # check count
- &jge(&label("start")) unless $normal;
+ &jae(&label("start")) unless $normal;
&pop("eax"); # pop the temp variable off the stack
&pop("ebx");
diff --git a/crypto/openssl/crypto/md5/asm/md5-sparcv9.S b/crypto/openssl/crypto/md5/asm/md5-sparcv9.S
index a599ed5660bc..db45aa4c9774 100644
--- a/crypto/openssl/crypto/md5/asm/md5-sparcv9.S
+++ b/crypto/openssl/crypto/md5/asm/md5-sparcv9.S
@@ -34,10 +34,12 @@
*
* or if above fails (it does if you have gas):
*
- * gcc -E -DULTRASPARC -DMD5_BLOCK_DATA_ORDER md5_block.sparc.S | \
+ * gcc -E -DOPENSSL_SYSNAMEULTRASPARC -DMD5_BLOCK_DATA_ORDER md5_block.sparc.S | \
* as -xarch=v8plus /dev/fd/0 -o md5-sparcv9.o
*/
+#include <openssl/e_os2.h>
+
#define A %o0
#define B %o1
#define C %o2
diff --git a/crypto/openssl/crypto/o_time.c b/crypto/openssl/crypto/o_time.c
index ca5f3ea48e0a..785468131e10 100644
--- a/crypto/openssl/crypto/o_time.c
+++ b/crypto/openssl/crypto/o_time.c
@@ -73,15 +73,17 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
{
struct tm *ts = NULL;
-#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && !defined(__CYGWIN32__) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX)
+#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && !defined(__CYGWIN32__) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_SUNOS)
/* should return &data, but doesn't on some systems,
so we don't even look at the return value */
gmtime_r(timer,result);
ts = result;
#elif !defined(OPENSSL_SYS_VMS)
ts = gmtime(timer);
- if (ts != NULL)
- memcpy(result, ts, sizeof(struct tm));
+ if (ts == NULL)
+ return NULL;
+
+ memcpy(result, ts, sizeof(struct tm));
ts = result;
#endif
#ifdef OPENSSL_SYS_VMS
diff --git a/crypto/openssl/crypto/ocsp/ocsp_ht.c b/crypto/openssl/crypto/ocsp/ocsp_ht.c
index 357709a843c2..9213e58ae49c 100644
--- a/crypto/openssl/crypto/ocsp/ocsp_ht.c
+++ b/crypto/openssl/crypto/ocsp/ocsp_ht.c
@@ -110,7 +110,7 @@ Content-Length: %d\r\n\r\n";
}
/* Parse the HTTP response. This will look like this:
* "HTTP/1.0 200 OK". We need to obtain the numeric code and
- * informational message.
+ * (optional) informational message.
*/
/* Skip to first white space (passed protocol info) */
@@ -138,13 +138,19 @@ Content-Length: %d\r\n\r\n";
if(*r) goto err;
/* Skip over any leading white space in message */
while(*q && isspace((unsigned char)*q)) q++;
- if(!*q) goto err;
+ if(*q) {
/* Finally zap any trailing white space in message (include CRLF) */
/* We know q has a non white space character so this is OK */
- for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0;
+ for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0;
+ }
if(retcode != 200) {
OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_ERROR);
- ERR_add_error_data(4, "Code=", p, ",Reason=", q);
+ if(!*q) {
+ ERR_add_error_data(2, "Code=", p);
+ }
+ else {
+ ERR_add_error_data(4, "Code=", p, ",Reason=", q);
+ }
goto err;
}
/* Find blank line marking beginning of content */
diff --git a/crypto/openssl/crypto/opensslconf.h b/crypto/openssl/crypto/opensslconf.h
index 492041bc7cb5..fe6ff88bdc6a 100644
--- a/crypto/openssl/crypto/opensslconf.h
+++ b/crypto/openssl/crypto/opensslconf.h
@@ -2,6 +2,9 @@
/* WARNING: Generated automatically from opensslconf.h.in by Configure. */
/* OpenSSL was configured with the following options: */
+#ifndef OPENSSL_SYSNAME_WIN16
+# define OPENSSL_SYSNAME_WIN16
+#endif
#ifndef OPENSSL_DOING_MAKEDEPEND
#ifndef OPENSSL_NO_KRB5
@@ -41,7 +44,7 @@
#endif
#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
+#define MD2_INT unsigned char
#endif
#if defined(HEADER_RC2_H) && !defined(RC2_INT)
@@ -98,7 +101,7 @@
#define CONFIG_HEADER_RC4_LOCL_H
/* if this is defined data[i] is used instead of *data, this is a %20
* speedup on x86 */
-#undef RC4_INDEX
+#define RC4_INDEX
#endif
#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
@@ -112,7 +115,7 @@
/* the following is tweaked from a config script, that is why it is a
* protected undef/define */
#ifndef DES_PTR
-#undef DES_PTR
+#define DES_PTR
#endif
/* This helps C compiler generate the correct code for multiple functional
@@ -133,7 +136,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
/* Unroll the inner loop, this sometimes helps, sometimes hinders.
* Very mucy CPU dependant */
#ifndef DES_UNROLL
-#undef DES_UNROLL
+#define DES_UNROLL
#endif
/* These default values were supplied by
diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h
index 396ae7b3dced..e226d9de7969 100644
--- a/crypto/openssl/crypto/opensslv.h
+++ b/crypto/openssl/crypto/opensslv.h
@@ -25,8 +25,8 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x0090701fL
-#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7a Feb 19 2003"
+#define OPENSSL_VERSION_NUMBER 0x0090703fL
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7c 30 Sep 2003"
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/crypto/openssl/crypto/perlasm/x86ms.pl b/crypto/openssl/crypto/perlasm/x86ms.pl
index 35f1a4ddb931..fbb4afb9bda4 100644
--- a/crypto/openssl/crypto/perlasm/x86ms.pl
+++ b/crypto/openssl/crypto/perlasm/x86ms.pl
@@ -144,7 +144,10 @@ sub main'jle { &out1("jle",@_); }
sub main'jz { &out1("jz",@_); }
sub main'jge { &out1("jge",@_); }
sub main'jl { &out1("jl",@_); }
+sub main'ja { &out1("ja",@_); }
+sub main'jae { &out1("jae",@_); }
sub main'jb { &out1("jb",@_); }
+sub main'jbe { &out1("jbe",@_); }
sub main'jc { &out1("jc",@_); }
sub main'jnc { &out1("jnc",@_); }
sub main'jnz { &out1("jnz",@_); }
diff --git a/crypto/openssl/crypto/perlasm/x86nasm.pl b/crypto/openssl/crypto/perlasm/x86nasm.pl
index f30b7466d45d..30346af4eac7 100644
--- a/crypto/openssl/crypto/perlasm/x86nasm.pl
+++ b/crypto/openssl/crypto/perlasm/x86nasm.pl
@@ -152,7 +152,10 @@ sub main'jle { &out1("jle NEAR",@_); }
sub main'jz { &out1("jz NEAR",@_); }
sub main'jge { &out1("jge NEAR",@_); }
sub main'jl { &out1("jl NEAR",@_); }
+sub main'ja { &out1("ja NEAR",@_); }
+sub main'jae { &out1("jae NEAR",@_); }
sub main'jb { &out1("jb NEAR",@_); }
+sub main'jbe { &out1("jbe NEAR",@_); }
sub main'jc { &out1("jc NEAR",@_); }
sub main'jnc { &out1("jnc NEAR",@_); }
sub main'jnz { &out1("jnz NEAR",@_); }
diff --git a/crypto/openssl/crypto/perlasm/x86unix.pl b/crypto/openssl/crypto/perlasm/x86unix.pl
index 72bde061c563..10b669bf049e 100644
--- a/crypto/openssl/crypto/perlasm/x86unix.pl
+++ b/crypto/openssl/crypto/perlasm/x86unix.pl
@@ -156,7 +156,10 @@ sub main'jnz { &out1("jnz",@_); }
sub main'jz { &out1("jz",@_); }
sub main'jge { &out1("jge",@_); }
sub main'jl { &out1("jl",@_); }
+sub main'ja { &out1("ja",@_); }
+sub main'jae { &out1("jae",@_); }
sub main'jb { &out1("jb",@_); }
+sub main'jbe { &out1("jbe",@_); }
sub main'jc { &out1("jc",@_); }
sub main'jnc { &out1("jnc",@_); }
sub main'jno { &out1("jno",@_); }
diff --git a/crypto/openssl/crypto/pkcs12/p12_npas.c b/crypto/openssl/crypto/pkcs12/p12_npas.c
index a549433eebb9..af708a27436e 100644
--- a/crypto/openssl/crypto/pkcs12/p12_npas.c
+++ b/crypto/openssl/crypto/pkcs12/p12_npas.c
@@ -107,7 +107,7 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
{
STACK_OF(PKCS7) *asafes, *newsafes;
STACK_OF(PKCS12_SAFEBAG) *bags;
- int i, bagnid, pbe_nid, pbe_iter, pbe_saltlen;
+ int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0;
PKCS7 *p7, *p7new;
ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL;
unsigned char mac[EVP_MAX_MD_SIZE];
diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c
index 0060a2ea3df2..190ca0e9bf57 100644
--- a/crypto/openssl/crypto/pkcs7/pk7_doit.c
+++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c
@@ -767,6 +767,11 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
}
if (EVP_MD_CTX_type(mdc) == md_type)
break;
+ /* Workaround for some broken clients that put the signature
+ * OID instead of the digest OID in digest_alg->algorithm
+ */
+ if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type)
+ break;
btmp=BIO_next(btmp);
}
diff --git a/crypto/openssl/crypto/pkcs7/pk7_mime.c b/crypto/openssl/crypto/pkcs7/pk7_mime.c
index 086d39427012..5d2a97839d2b 100644
--- a/crypto/openssl/crypto/pkcs7/pk7_mime.c
+++ b/crypto/openssl/crypto/pkcs7/pk7_mime.c
@@ -3,7 +3,7 @@
* project 1999.
*/
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -101,7 +101,7 @@ static int mime_param_cmp(const MIME_PARAM * const *a,
static void mime_param_free(MIME_PARAM *param);
static int mime_bound_check(char *line, int linelen, char *bound, int blen);
static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret);
-static int iscrlf(char c);
+static int strip_eol(char *linebuf, int *plen);
static MIME_HEADER *mime_hdr_find(STACK_OF(MIME_HEADER) *hdrs, char *name);
static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name);
static void mime_hdr_free(MIME_HEADER *hdr);
@@ -150,9 +150,17 @@ static PKCS7 *B64_read_PKCS7(BIO *bio)
int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
{
- char linebuf[MAX_SMLEN];
char bound[33], c;
int i;
+ char *mime_prefix, *mime_eol;
+ if (flags & PKCS7_NOOLDMIMETYPE)
+ mime_prefix = "application/pkcs7-";
+ else
+ mime_prefix = "application/x-pkcs7-";
+ if (flags & PKCS7_CRLFEOL)
+ mime_eol = "\r\n";
+ else
+ mime_eol = "\n";
if((flags & PKCS7_DETACHED) && data) {
/* We want multipart/signed */
/* Generate a random boundary */
@@ -164,34 +172,42 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
bound[i] = c;
}
bound[32] = 0;
- BIO_printf(bio, "MIME-Version: 1.0\n");
+ BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol);
BIO_printf(bio, "Content-Type: multipart/signed;");
- BIO_printf(bio, " protocol=\"application/x-pkcs7-signature\";");
- BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"\n\n", bound);
- BIO_printf(bio, "This is an S/MIME signed message\n\n");
+ BIO_printf(bio, " protocol=\"%ssignature\";", mime_prefix);
+ BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"%s%s",
+ bound, mime_eol, mime_eol);
+ BIO_printf(bio, "This is an S/MIME signed message%s%s",
+ mime_eol, mime_eol);
/* Now write out the first part */
- BIO_printf(bio, "------%s\n", bound);
- if(flags & PKCS7_TEXT) BIO_printf(bio, "Content-Type: text/plain\n\n");
- while((i = BIO_read(data, linebuf, MAX_SMLEN)) > 0)
- BIO_write(bio, linebuf, i);
- BIO_printf(bio, "\n------%s\n", bound);
+ BIO_printf(bio, "------%s%s", bound, mime_eol);
+ SMIME_crlf_copy(data, bio, flags);
+ BIO_printf(bio, "%s------%s%s", mime_eol, bound, mime_eol);
/* Headers for signature */
- BIO_printf(bio, "Content-Type: application/x-pkcs7-signature; name=\"smime.p7s\"\n");
- BIO_printf(bio, "Content-Transfer-Encoding: base64\n");
- BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7s\"\n\n");
+ BIO_printf(bio, "Content-Type: %ssignature;", mime_prefix);
+ BIO_printf(bio, " name=\"smime.p7s\"%s", mime_eol);
+ BIO_printf(bio, "Content-Transfer-Encoding: base64%s",
+ mime_eol);
+ BIO_printf(bio, "Content-Disposition: attachment;");
+ BIO_printf(bio, " filename=\"smime.p7s\"%s%s",
+ mime_eol, mime_eol);
B64_write_PKCS7(bio, p7);
- BIO_printf(bio,"\n------%s--\n\n", bound);
+ BIO_printf(bio,"%s------%s--%s%s", mime_eol, bound,
+ mime_eol, mime_eol);
return 1;
}
/* MIME headers */
- BIO_printf(bio, "MIME-Version: 1.0\n");
- BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7m\"\n");
- BIO_printf(bio, "Content-Type: application/x-pkcs7-mime; name=\"smime.p7m\"\n");
- BIO_printf(bio, "Content-Transfer-Encoding: base64\n\n");
+ BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol);
+ BIO_printf(bio, "Content-Disposition: attachment;");
+ BIO_printf(bio, " filename=\"smime.p7m\"%s", mime_eol);
+ BIO_printf(bio, "Content-Type: %smime;", mime_prefix);
+ BIO_printf(bio, " name=\"smime.p7m\"%s", mime_eol);
+ BIO_printf(bio, "Content-Transfer-Encoding: base64%s%s",
+ mime_eol, mime_eol);
B64_write_PKCS7(bio, p7);
- BIO_printf(bio, "\n");
+ BIO_printf(bio, "%s", mime_eol);
return 1;
}
@@ -316,12 +332,9 @@ int SMIME_crlf_copy(BIO *in, BIO *out, int flags)
}
if(flags & PKCS7_TEXT) BIO_printf(out, "Content-Type: text/plain\r\n\r\n");
while ((len = BIO_gets(in, linebuf, MAX_SMLEN)) > 0) {
- eol = 0;
- while(iscrlf(linebuf[len - 1])) {
- len--;
- eol = 1;
- }
- BIO_write(out, linebuf, len);
+ eol = strip_eol(linebuf, &len);
+ if (len)
+ BIO_write(out, linebuf, len);
if(eol) BIO_write(out, "\r\n", 2);
}
return 1;
@@ -364,6 +377,7 @@ static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret)
{
char linebuf[MAX_SMLEN];
int len, blen;
+ int eol = 0, next_eol = 0;
BIO *bpart = NULL;
STACK_OF(BIO) *parts;
char state, part, first;
@@ -383,26 +397,23 @@ static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret)
sk_BIO_push(parts, bpart);
return 1;
} else if(part) {
+ /* Strip CR+LF from linebuf */
+ next_eol = strip_eol(linebuf, &len);
if(first) {
first = 0;
if(bpart) sk_BIO_push(parts, bpart);
bpart = BIO_new(BIO_s_mem());
-
- } else BIO_write(bpart, "\r\n", 2);
- /* Strip CR+LF from linebuf */
- while(iscrlf(linebuf[len - 1])) len--;
- BIO_write(bpart, linebuf, len);
+ BIO_set_mem_eof_return(bpart, 0);
+ } else if (eol)
+ BIO_write(bpart, "\r\n", 2);
+ eol = next_eol;
+ if (len)
+ BIO_write(bpart, linebuf, len);
}
}
return 0;
}
-static int iscrlf(char c)
-{
- if(c == '\r' || c == '\n') return 1;
- return 0;
-}
-
/* This is the big one: parse MIME header lines up to message body */
#define MIME_INVALID 0
@@ -683,3 +694,21 @@ static int mime_bound_check(char *line, int linelen, char *bound, int blen)
}
return 0;
}
+
+static int strip_eol(char *linebuf, int *plen)
+ {
+ int len = *plen;
+ char *p, c;
+ int is_eol = 0;
+ p = linebuf + len - 1;
+ for (p = linebuf + len - 1; len > 0; len--, p--)
+ {
+ c = *p;
+ if (c == '\n')
+ is_eol = 1;
+ else if (c != '\r')
+ break;
+ }
+ *plen = len;
+ return is_eol;
+ }
diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c
index f0d071e2824a..6e5735de1187 100644
--- a/crypto/openssl/crypto/pkcs7/pk7_smime.c
+++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c
@@ -3,7 +3,7 @@
* project 1999.
*/
/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/crypto/openssl/crypto/pkcs7/pkcs7.h b/crypto/openssl/crypto/pkcs7/pkcs7.h
index 5819700a8502..15372e18f8c0 100644
--- a/crypto/openssl/crypto/pkcs7/pkcs7.h
+++ b/crypto/openssl/crypto/pkcs7/pkcs7.h
@@ -260,6 +260,8 @@ DECLARE_PKCS12_STACK_OF(PKCS7)
#define PKCS7_BINARY 0x80
#define PKCS7_NOATTR 0x100
#define PKCS7_NOSMIMECAP 0x200
+#define PKCS7_NOOLDMIMETYPE 0x400
+#define PKCS7_CRLFEOL 0x800
/* Flags: for compatibility with older code */
diff --git a/crypto/openssl/crypto/rand/rand_win.c b/crypto/openssl/crypto/rand/rand_win.c
index 113b58678f38..263068d25699 100644
--- a/crypto/openssl/crypto/rand/rand_win.c
+++ b/crypto/openssl/crypto/rand/rand_win.c
@@ -162,6 +162,7 @@ typedef BOOL (WINAPI *GETCURSORINFO)(PCURSORINFO);
typedef DWORD (WINAPI *GETQUEUESTATUS)(UINT);
typedef HANDLE (WINAPI *CREATETOOLHELP32SNAPSHOT)(DWORD, DWORD);
+typedef BOOL (WINAPI *CLOSETOOLHELP32SNAPSHOT)(HANDLE);
typedef BOOL (WINAPI *HEAP32FIRST)(LPHEAPENTRY32, DWORD, DWORD);
typedef BOOL (WINAPI *HEAP32NEXT)(LPHEAPENTRY32);
typedef BOOL (WINAPI *HEAP32LIST)(HANDLE, LPHEAPLIST32);
@@ -431,7 +432,7 @@ int RAND_poll(void)
* This seeding method was proposed in Peter Gutmann, Software
* Generation of Practically Strong Random Numbers,
* http://www.usenix.org/publications/library/proceedings/sec98/gutmann.html
- * revised version at http://www.cryptoengines.com/~peter/06_random.pdf
+ * revised version at http://www.cryptoengines.com/~peter/06_random.pdf
* (The assignment of entropy estimates below is arbitrary, but based
* on Peter's analysis the full poll appears to be safe. Additional
* interactive seeding is encouraged.)
@@ -440,6 +441,7 @@ int RAND_poll(void)
if (kernel)
{
CREATETOOLHELP32SNAPSHOT snap;
+ CLOSETOOLHELP32SNAPSHOT close_snap;
HANDLE handle;
HEAP32FIRST heap_first;
@@ -457,6 +459,8 @@ int RAND_poll(void)
snap = (CREATETOOLHELP32SNAPSHOT)
GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot"));
+ close_snap = (CLOSETOOLHELP32SNAPSHOT)
+ GetProcAddress(kernel, TEXT("CloseToolhelp32Snapshot"));
heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First"));
heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next"));
heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst"));
@@ -472,7 +476,7 @@ int RAND_poll(void)
heaplist_next && process_first && process_next &&
thread_first && thread_next && module_first &&
module_next && (handle = snap(TH32CS_SNAPALL,0))
- != NULL)
+ != INVALID_HANDLE_VALUE)
{
/* heap list and heap walking */
/* HEAPLIST32 contains 3 fields that will change with
@@ -534,8 +538,10 @@ int RAND_poll(void)
do
RAND_add(&m, m.dwSize, 9);
while (module_next(handle, &m));
-
- CloseHandle(handle);
+ if (close_snap)
+ close_snap(handle);
+ else
+ CloseHandle(handle);
}
FreeLibrary(kernel);
diff --git a/crypto/openssl/crypto/rsa/Makefile.ssl b/crypto/openssl/crypto/rsa/Makefile.ssl
index 605d48800572..ce3f818e5b62 100644
--- a/crypto/openssl/crypto/rsa/Makefile.ssl
+++ b/crypto/openssl/crypto/rsa/Makefile.ssl
@@ -104,14 +104,12 @@ rsa_chk.o: rsa_chk.c
rsa_eay.o: ../../e_os.h ../../include/openssl/asn1.h
rsa_eay.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
rsa_eay.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rsa_eay.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-rsa_eay.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-rsa_eay.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-rsa_eay.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-rsa_eay.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-rsa_eay.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_eay.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rsa_eay.o: ../../include/openssl/ui.h ../cryptlib.h rsa_eay.c
+rsa_eay.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_eay.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_eay.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_eay.c
rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
rsa_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
rsa_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -217,21 +215,21 @@ rsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
rsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
rsa_sign.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
rsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-rsa_sign.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-rsa_sign.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-rsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-rsa_sign.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-rsa_sign.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-rsa_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rsa_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+rsa_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+rsa_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+rsa_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rsa_sign.o: ../../include/openssl/opensslconf.h
rsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rsa_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-rsa_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-rsa_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-rsa_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-rsa_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-rsa_sign.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-rsa_sign.o: ../../include/openssl/x509_vfy.h ../cryptlib.h rsa_sign.c
+rsa_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+rsa_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+rsa_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+rsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+rsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+rsa_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+rsa_sign.o: ../cryptlib.h rsa_sign.c
rsa_ssl.o: ../../e_os.h ../../include/openssl/asn1.h
rsa_ssl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
rsa_ssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
diff --git a/crypto/openssl/crypto/rsa/rsa.h b/crypto/openssl/crypto/rsa/rsa.h
index b2e25e4e7c71..62fa745f79e3 100644
--- a/crypto/openssl/crypto/rsa/rsa.h
+++ b/crypto/openssl/crypto/rsa/rsa.h
@@ -170,6 +170,12 @@ struct rsa_st
*/
#define RSA_FLAG_SIGN_VER 0x40
+#define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in
+ * RSA implementation now uses blinding by
+ * default (ignoring RSA_FLAG_BLINDING),
+ * but other engines might not need it
+ */
+
#define RSA_PKCS1_PADDING 1
#define RSA_SSLV23_PADDING 2
#define RSA_NO_PADDING 3
diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c
index e4bcf499d064..e0d286266e0c 100644
--- a/crypto/openssl/crypto/rsa/rsa_eay.c
+++ b/crypto/openssl/crypto/rsa/rsa_eay.c
@@ -61,9 +61,6 @@
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
#ifndef RSA_NULL
@@ -208,12 +205,46 @@ static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
#define BLINDING_HELPER(rsa, ctx, err_instr) \
do { \
- if(((rsa)->flags & RSA_FLAG_BLINDING) && \
- ((rsa)->blinding == NULL) && \
- !rsa_eay_blinding(rsa, ctx)) \
- err_instr \
+ if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
+ ((rsa)->blinding == NULL) && \
+ !rsa_eay_blinding(rsa, ctx)) \
+ err_instr \
} while(0)
+static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx)
+ {
+ BIGNUM *A, *Ai;
+ BN_BLINDING *ret = NULL;
+
+ /* added in OpenSSL 0.9.6j and 0.9.7b */
+
+ /* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
+ * this should be placed in a new function of its own, but for reasons
+ * of binary compatibility can't */
+
+ BN_CTX_start(ctx);
+ A = BN_CTX_get(ctx);
+ if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+ {
+ /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
+ RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
+ if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+ }
+ else
+ {
+ if (!BN_rand_range(A,rsa->n)) goto err;
+ }
+ if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
+
+ if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
+ goto err;
+ ret = BN_BLINDING_new(A,Ai,rsa->n);
+ BN_free(Ai);
+err:
+ BN_CTX_end(ctx);
+ return ret;
+ }
+
/* signing */
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
@@ -222,6 +253,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
int i,j,k,num=0,r= -1;
unsigned char *buf=NULL;
BN_CTX *ctx=NULL;
+ int local_blinding = 0;
+ BN_BLINDING *blinding = NULL;
BN_init(&f);
BN_init(&ret);
@@ -259,9 +292,38 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
}
BLINDING_HELPER(rsa, ctx, goto err;);
+ blinding = rsa->blinding;
+
+ /* Now unless blinding is disabled, 'blinding' is non-NULL.
+ * But the BN_BLINDING object may be owned by some other thread
+ * (we don't want to keep it constant and we don't want to use
+ * lots of locking to avoid race conditions, so only a single
+ * thread can use it; other threads have to use local blinding
+ * factors) */
+ if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
+ {
+ if (blinding == NULL)
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ }
+
+ if (blinding != NULL)
+ {
+ if (blinding->thread_id != CRYPTO_thread_id())
+ {
+ /* we need a local one-time blinding factor */
- if (rsa->flags & RSA_FLAG_BLINDING)
- if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+ blinding = setup_blinding(rsa, ctx);
+ if (blinding == NULL)
+ goto err;
+ local_blinding = 1;
+ }
+ }
+
+ if (blinding)
+ if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
((rsa->p != NULL) &&
@@ -275,8 +337,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
}
- if (rsa->flags & RSA_FLAG_BLINDING)
- if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+ if (blinding)
+ if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
/* put in leading 0 bytes if the number is less than the
* length of the modulus */
@@ -290,6 +352,8 @@ err:
if (ctx != NULL) BN_CTX_free(ctx);
BN_clear_free(&ret);
BN_clear_free(&f);
+ if (local_blinding)
+ BN_BLINDING_free(blinding);
if (buf != NULL)
{
OPENSSL_cleanse(buf,num);
@@ -306,6 +370,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
unsigned char *p;
unsigned char *buf=NULL;
BN_CTX *ctx=NULL;
+ int local_blinding = 0;
+ BN_BLINDING *blinding = NULL;
BN_init(&f);
BN_init(&ret);
@@ -338,9 +404,38 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
}
BLINDING_HELPER(rsa, ctx, goto err;);
+ blinding = rsa->blinding;
+
+ /* Now unless blinding is disabled, 'blinding' is non-NULL.
+ * But the BN_BLINDING object may be owned by some other thread
+ * (we don't want to keep it constant and we don't want to use
+ * lots of locking to avoid race conditions, so only a single
+ * thread can use it; other threads have to use local blinding
+ * factors) */
+ if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
+ {
+ if (blinding == NULL)
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ }
+
+ if (blinding != NULL)
+ {
+ if (blinding->thread_id != CRYPTO_thread_id())
+ {
+ /* we need a local one-time blinding factor */
+
+ blinding = setup_blinding(rsa, ctx);
+ if (blinding == NULL)
+ goto err;
+ local_blinding = 1;
+ }
+ }
- if (rsa->flags & RSA_FLAG_BLINDING)
- if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+ if (blinding)
+ if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
/* do the decrypt */
if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -356,8 +451,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
goto err;
}
- if (rsa->flags & RSA_FLAG_BLINDING)
- if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+ if (blinding)
+ if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
p=buf;
j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
@@ -389,6 +484,8 @@ err:
if (ctx != NULL) BN_CTX_free(ctx);
BN_clear_free(&f);
BN_clear_free(&ret);
+ if (local_blinding)
+ BN_BLINDING_free(blinding);
if (buf != NULL)
{
OPENSSL_cleanse(buf,num);
diff --git a/crypto/openssl/crypto/rsa/rsa_lib.c b/crypto/openssl/crypto/rsa/rsa_lib.c
index f234ae0748ca..e4d622851eed 100644
--- a/crypto/openssl/crypto/rsa/rsa_lib.c
+++ b/crypto/openssl/crypto/rsa/rsa_lib.c
@@ -62,6 +62,7 @@
#include <openssl/lhash.h>
#include <openssl/bn.h>
#include <openssl/rsa.h>
+#include <openssl/rand.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
@@ -74,10 +75,6 @@ RSA *RSA_new(void)
{
RSA *r=RSA_new_method(NULL);
-#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
- r->flags|=RSA_FLAG_BLINDING;
-#endif
-
return r;
}
@@ -313,12 +310,13 @@ void RSA_blinding_off(RSA *rsa)
BN_BLINDING_free(rsa->blinding);
rsa->blinding=NULL;
}
- rsa->flags&= ~RSA_FLAG_BLINDING;
+ rsa->flags &= ~RSA_FLAG_BLINDING;
+ rsa->flags |= RSA_FLAG_NO_BLINDING;
}
int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
{
- BIGNUM *A,*Ai;
+ BIGNUM *A,*Ai = NULL;
BN_CTX *ctx;
int ret=0;
@@ -329,21 +327,42 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
else
ctx=p_ctx;
+ /* XXXXX: Shouldn't this be RSA_blinding_off(rsa)? */
if (rsa->blinding != NULL)
+ {
BN_BLINDING_free(rsa->blinding);
+ rsa->blinding = NULL;
+ }
+
+ /* NB: similar code appears in setup_blinding (rsa_eay.c);
+ * this should be placed in a new function of its own, but for reasons
+ * of binary compatibility can't */
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
- if (!BN_rand_range(A,rsa->n)) goto err;
+ if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+ {
+ /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
+ RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
+ if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+ }
+ else
+ {
+ if (!BN_rand_range(A,rsa->n)) goto err;
+ }
if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
- goto err;
- rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n);
- rsa->flags|=RSA_FLAG_BLINDING;
- BN_free(Ai);
+ goto err;
+ if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err;
+ /* to make things thread-safe without excessive locking,
+ * rsa->blinding will be used just by the current thread: */
+ rsa->blinding->thread_id = CRYPTO_thread_id();
+ rsa->flags |= RSA_FLAG_BLINDING;
+ rsa->flags &= ~RSA_FLAG_NO_BLINDING;
ret=1;
err:
+ if (Ai != NULL) BN_free(Ai);
BN_CTX_end(ctx);
if (ctx != p_ctx) BN_CTX_free(ctx);
return(ret);
diff --git a/crypto/openssl/crypto/rsa/rsa_sign.c b/crypto/openssl/crypto/rsa/rsa_sign.c
index 9dd62ac956ba..8a1e642183c4 100644
--- a/crypto/openssl/crypto/rsa/rsa_sign.c
+++ b/crypto/openssl/crypto/rsa/rsa_sign.c
@@ -62,9 +62,6 @@
#include <openssl/rsa.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
/* Size of an SSL signature: MD5+SHA1 */
#define SSL_SIG_LENGTH 36
@@ -79,12 +76,11 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
const unsigned char *s = NULL;
X509_ALGOR algor;
ASN1_OCTET_STRING digest;
-#ifndef OPENSSL_NO_ENGINE
- if((rsa->flags & RSA_FLAG_SIGN_VER)
- && ENGINE_get_RSA(rsa->engine)->rsa_sign)
- return ENGINE_get_RSA(rsa->engine)->rsa_sign(type,
- m, m_len, sigret, siglen, rsa);
-#endif
+ if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
+ {
+ return rsa->meth->rsa_sign(type, m, m_len,
+ sigret, siglen, rsa);
+ }
/* Special case: SSL signature, just check the length */
if(type == NID_md5_sha1) {
if(m_len != SSL_SIG_LENGTH) {
@@ -159,12 +155,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
return(0);
}
-#ifndef OPENSSL_NO_ENGINE
- if((rsa->flags & RSA_FLAG_SIGN_VER)
- && ENGINE_get_RSA(rsa->engine)->rsa_verify)
- return ENGINE_get_RSA(rsa->engine)->rsa_verify(dtype,
- m, m_len, sigbuf, siglen, rsa);
-#endif
+ if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
+ {
+ return rsa->meth->rsa_verify(dtype, m, m_len,
+ sigbuf, siglen, rsa);
+ }
s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen);
if (s == NULL)
diff --git a/crypto/openssl/crypto/rsa/rsa_test.c b/crypto/openssl/crypto/rsa/rsa_test.c
index 99abb1fde782..924e9ad1f6c0 100644
--- a/crypto/openssl/crypto/rsa/rsa_test.c
+++ b/crypto/openssl/crypto/rsa/rsa_test.c
@@ -16,9 +16,6 @@ int main(int argc, char *argv[])
}
#else
#include <openssl/rsa.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
#define SetKey \
key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \
diff --git a/crypto/openssl/crypto/threads/mttest.c b/crypto/openssl/crypto/threads/mttest.c
index 7142e4edc77c..54d598565d53 100644
--- a/crypto/openssl/crypto/threads/mttest.c
+++ b/crypto/openssl/crypto/threads/mttest.c
@@ -86,11 +86,6 @@
#include <openssl/err.h>
#include <openssl/rand.h>
-#ifdef OPENSSL_NO_FP_API
-#define APPS_WIN16
-#include "../buffer/bss_file.c"
-#endif
-
#define TEST_SERVER_CERT "../../apps/server.pem"
#define TEST_CLIENT_CERT "../../apps/client.pem"
diff --git a/crypto/openssl/crypto/x509/by_file.c b/crypto/openssl/crypto/x509/by_file.c
index 22be90cdcd91..b4b04183d071 100644
--- a/crypto/openssl/crypto/x509/by_file.c
+++ b/crypto/openssl/crypto/x509/by_file.c
@@ -285,7 +285,8 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
if(itmp->x509) {
X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
count++;
- } else if(itmp->crl) {
+ }
+ if(itmp->crl) {
X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
count++;
}
diff --git a/crypto/openssl/crypto/x509/x509_trs.c b/crypto/openssl/crypto/x509/x509_trs.c
index 17d69ac005b1..881252608d1f 100644
--- a/crypto/openssl/crypto/x509/x509_trs.c
+++ b/crypto/openssl/crypto/x509/x509_trs.c
@@ -82,6 +82,7 @@ static X509_TRUST trstandard[] = {
{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
+{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}
};
diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c
index 552d1e72516e..2bb21b443ec0 100644
--- a/crypto/openssl/crypto/x509/x509_vfy.c
+++ b/crypto/openssl/crypto/x509/x509_vfy.c
@@ -453,9 +453,9 @@ static int check_revocation(X509_STORE_CTX *ctx)
if (!(ctx->flags & X509_V_FLAG_CRL_CHECK))
return 1;
if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL)
- last = 0;
- else
last = sk_X509_num(ctx->chain) - 1;
+ else
+ last = 0;
for(i = 0; i <= last; i++)
{
ctx->error_depth = i;
@@ -674,7 +674,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
ok=(*cb)(0,ctx);
if (!ok) goto end;
}
- if (X509_verify(xs,pkey) <= 0)
+ else if (X509_verify(xs,pkey) <= 0)
/* XXX For the final trusted self-signed cert,
* this is a waste of time. That check should
* optional so that e.g. 'openssl x509' can be
diff --git a/crypto/openssl/crypto/x509/x509type.c b/crypto/openssl/crypto/x509/x509type.c
index 8e78b344581e..f78c2a6b4380 100644
--- a/crypto/openssl/crypto/x509/x509type.c
+++ b/crypto/openssl/crypto/x509/x509type.c
@@ -99,14 +99,15 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
case EVP_PKEY_RSA:
ret|=EVP_PKS_RSA;
break;
- case EVP_PKS_DSA:
+ case EVP_PKEY_DSA:
ret|=EVP_PKS_DSA;
break;
default:
break;
}
- if (EVP_PKEY_size(pk) <= 512)
+ if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look
+ for, not bytes */
ret|=EVP_PKT_EXP;
if(pkey==NULL) EVP_PKEY_free(pk);
return(ret);
diff --git a/crypto/openssl/crypto/x509v3/v3_conf.c b/crypto/openssl/crypto/x509v3/v3_conf.c
index 1a3448e12172..1284d5aaa54f 100644
--- a/crypto/openssl/crypto/x509v3/v3_conf.c
+++ b/crypto/openssl/crypto/x509v3/v3_conf.c
@@ -236,7 +236,7 @@ static int v3_check_critical(char **value)
static int v3_check_generic(char **value)
{
char *p = *value;
- if ((strlen(p) < 4) || strncmp(p, "DER:,", 4)) return 0;
+ if ((strlen(p) < 4) || strncmp(p, "DER:", 4)) return 0;
p+=4;
while (isspace((unsigned char)*p)) p++;
*value = p;
diff --git a/crypto/openssl/crypto/x509v3/v3_cpols.c b/crypto/openssl/crypto/x509v3/v3_cpols.c
index 0d4ab1f68031..0d554f3a2c97 100644
--- a/crypto/openssl/crypto/x509v3/v3_cpols.c
+++ b/crypto/openssl/crypto/x509v3/v3_cpols.c
@@ -73,7 +73,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *polstrs, int ia5org);
static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *unot, int ia5org);
-static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos);
+static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
X509V3_EXT_METHOD v3_cpols = {
NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES),
@@ -226,6 +226,8 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
qual = notice_section(ctx, unot, ia5org);
X509V3_section_free(ctx, unot);
if(!qual) goto err;
+ if(!pol->qualifiers) pol->qualifiers =
+ sk_POLICYQUALINFO_new_null();
if(!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
goto merr;
} else {
@@ -255,7 +257,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *unot, int ia5org)
{
- int i;
+ int i, ret;
CONF_VALUE *cnf;
USERNOTICE *not;
POLICYQUALINFO *qual;
@@ -275,8 +277,8 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
if(!(nref = NOTICEREF_new())) goto merr;
not->noticeref = nref;
} else nref = not->noticeref;
- if(ia5org) nref->organization = M_ASN1_IA5STRING_new();
- else nref->organization = M_ASN1_VISIBLESTRING_new();
+ if(ia5org) nref->organization->type = V_ASN1_IA5STRING;
+ else nref->organization->type = V_ASN1_VISIBLESTRING;
if(!ASN1_STRING_set(nref->organization, cnf->value,
strlen(cnf->value))) goto merr;
} else if(!strcmp(cnf->name, "noticeNumbers")) {
@@ -292,12 +294,12 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
X509V3_conf_err(cnf);
goto err;
}
- nref->noticenos = nref_nos(nos);
+ ret = nref_nos(nref->noticenos, nos);
sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
- if(!nref->noticenos) goto err;
+ if (!ret)
+ goto err;
} else {
X509V3err(X509V3_F_NOTICE_SECTION,X509V3_R_INVALID_OPTION);
-
X509V3_conf_err(cnf);
goto err;
}
@@ -319,15 +321,13 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
return NULL;
}
-static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos)
+static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
{
- STACK_OF(ASN1_INTEGER) *nnums;
CONF_VALUE *cnf;
ASN1_INTEGER *aint;
int i;
- if(!(nnums = sk_ASN1_INTEGER_new_null())) goto merr;
for(i = 0; i < sk_CONF_VALUE_num(nos); i++) {
cnf = sk_CONF_VALUE_value(nos, i);
if(!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
@@ -336,14 +336,14 @@ static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos)
}
if(!sk_ASN1_INTEGER_push(nnums, aint)) goto merr;
}
- return nnums;
+ return 1;
merr:
X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
err:
sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
- return NULL;
+ return 0;
}
diff --git a/crypto/openssl/crypto/x509v3/v3_lib.c b/crypto/openssl/crypto/x509v3/v3_lib.c
index 482ca8ccf5d5..ca5a4a4a5709 100644
--- a/crypto/openssl/crypto/x509v3/v3_lib.c
+++ b/crypto/openssl/crypto/x509v3/v3_lib.c
@@ -202,6 +202,7 @@ void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
if(OBJ_obj2nid(ex->object) == nid) {
if(idx) {
*idx = i;
+ found_ex = ex;
break;
} else if(found_ex) {
/* Found more than one */
diff --git a/crypto/openssl/crypto/x509v3/v3_prn.c b/crypto/openssl/crypto/x509v3/v3_prn.c
index aeaf6170fe44..5d268eb7682c 100644
--- a/crypto/openssl/crypto/x509v3/v3_prn.c
+++ b/crypto/openssl/crypto/x509v3/v3_prn.c
@@ -178,13 +178,13 @@ int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts
ASN1_OBJECT *obj;
X509_EXTENSION *ex;
ex=sk_X509_EXTENSION_value(exts, i);
- if (BIO_printf(bp,"%*s",indent, "") <= 0) return 0;
+ if (indent && BIO_printf(bp,"%*s",indent, "") <= 0) return 0;
obj=X509_EXTENSION_get_object(ex);
i2a_ASN1_OBJECT(bp,obj);
j=X509_EXTENSION_get_critical(ex);
if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
return 0;
- if(!X509V3_EXT_print(bp, ex, flag, 12))
+ if(!X509V3_EXT_print(bp, ex, flag, indent + 4))
{
BIO_printf(bp, "%*s", indent + 4, "");
M_ASN1_OCTET_STRING_print(bp,ex->value);
diff --git a/crypto/openssl/demos/engines/zencod/hw_zencod.h b/crypto/openssl/demos/engines/zencod/hw_zencod.h
index 195345d8c6c2..415c9a6be8b2 100644
--- a/crypto/openssl/demos/engines/zencod/hw_zencod.h
+++ b/crypto/openssl/demos/engines/zencod/hw_zencod.h
@@ -46,7 +46,7 @@ typedef int t_zencod_dump_key (FILE *stream, char *msg, KEY *key);
/*
- * Key managment tools
+ * Key management tools
*/
typedef KEY *t_zencod_new_number (unsigned long len, unsigned char *data);
typedef int t_zencod_init_number (KEY *n, unsigned long len, unsigned char *data);
diff --git a/crypto/openssl/doc/HOWTO/certificates.txt b/crypto/openssl/doc/HOWTO/certificates.txt
index 82166e0dc23e..d3a62545adf3 100644
--- a/crypto/openssl/doc/HOWTO/certificates.txt
+++ b/crypto/openssl/doc/HOWTO/certificates.txt
@@ -48,7 +48,7 @@ you have your own certificate authority, you may sign it yourself, or
if you need a self-signed certificate (because you just want a test
certificate or because you are setting up your own CA).
-The certificate is created like this:
+The certificate request is created like this:
openssl req -new -key privkey.pem -out cert.csr
@@ -71,13 +71,11 @@ received.
If you don't want to deal with another certificate authority, or just
want to create a test certificate for yourself, or are setting up a
certificate authority of your own, you may want to make the requested
-certificate a self-signed one. If you have created a certificate
-request as shown above, you can sign it using the 'openssl x509'
-command, for example like this (to create a self-signed CA
-certificate):
+certificate a self-signed one. This is similar to creating a
+certificate request, but creates a certificate instead of a
+certificate request (1095 is 3 years):
- openssl x509 -req -in cert.csr -extfile openssl.cnf -extensions v3_ca \
- -signkey privkey.pem -out cacert.pem -trustout
+ openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
5. What to do with the certificate
diff --git a/crypto/openssl/doc/HOWTO/keys.txt b/crypto/openssl/doc/HOWTO/keys.txt
new file mode 100644
index 000000000000..45f42eaaf1b7
--- /dev/null
+++ b/crypto/openssl/doc/HOWTO/keys.txt
@@ -0,0 +1,73 @@
+<DRAFT!>
+ HOWTO keys
+
+1. Introduction
+
+Keys are the basis of public key algorithms and PKI. Keys usually
+come in pairs, with one half being the public key and the other half
+being the private key. With OpenSSL, the private key contains the
+public key information as well, so a public key doesn't need to be
+generated separately.
+
+Public keys come in several flavors, using different cryptographic
+algorithms. The most popular ones associated with certificates are
+RSA and DSA, and this HOWTO will show how to generate each of them.
+
+
+2. To generate a RSA key
+
+A RSA key can be used both for encryption and for signing.
+
+Generating a key for the RSA algorithm is quite easy, all you have to
+do is the following:
+
+ openssl genrsa -des3 -out privkey.pem 2048
+
+With this variant, you will be prompted for a protecting password. If
+you don't want your key to be protected by a password, remove the flag
+'-des3' from the command line above.
+
+ NOTE: if you intend to use the key together with a server
+ certificate, it may be a good thing to avoid protecting it
+ with a password, since that would mean someone would have to
+ type in the password every time the server needs to access
+ the key.
+
+The number 2048 is the size of the key, in bits. Today, 2048 or
+higher is recommended for RSA keys, as fewer amount of bits is
+consider insecure or to be insecure pretty soon.
+
+
+3. To generate a DSA key
+
+A DSA key can be used both for signing only. This is important to
+keep in mind to know what kind of purposes a certificate request with
+a DSA key can really be used for.
+
+Generating a key for the DSA algorithm is a two-step process. First,
+you have to generate parameters from which to generate the key:
+
+ openssl dsaparam -out dsaparam.pem 2048
+
+The number 2048 is the size of the key, in bits. Today, 2048 or
+higher is recommended for DSA keys, as fewer amount of bits is
+consider insecure or to be insecure pretty soon.
+
+When that is done, you can generate a key using the parameters in
+question (actually, several keys can be generated from the same
+parameters):
+
+ openssl gendsa -des3 -out privkey.pem dsaparam.pem
+
+With this variant, you will be prompted for a protecting password. If
+you don't want your key to be protected by a password, remove the flag
+'-des3' from the command line above.
+
+ NOTE: if you intend to use the key together with a server
+ certificate, it may be a good thing to avoid protecting it
+ with a password, since that would mean someone would have to
+ type in the password every time the server needs to access
+ the key.
+
+--
+Richard Levitte
diff --git a/crypto/openssl/doc/apps/ca.pod b/crypto/openssl/doc/apps/ca.pod
index de66c534b5cc..74f45ca2f90e 100644
--- a/crypto/openssl/doc/apps/ca.pod
+++ b/crypto/openssl/doc/apps/ca.pod
@@ -359,7 +359,7 @@ the same as the B<-md> option. The message digest to use. Mandatory.
the text database file to use. Mandatory. This file must be present
though initially it will be empty.
-=item B<serialfile>
+=item B<serial>
a text file containing the next serial number to use in hex. Mandatory.
This file must be present and contain a valid serial number.
@@ -400,7 +400,7 @@ here, except the B<no_signame> and B<no_sigdump> are permanently set
and cannot be disabled (this is because the certificate signature cannot
be displayed because the certificate has not been signed at this point).
-For convenience the values B<default_ca> are accepted by both to produce
+For convenience the values B<ca_default> are accepted by both to produce
a reasonable output.
If neither option is present the format used in earlier versions of
@@ -513,8 +513,8 @@ A sample configuration file with the relevant sections for B<ca>:
policy = policy_any # default policy
email_in_dn = no # Don't add the email into cert DN
- nameopt = default_ca # Subject name display option
- certopt = default_ca # Certificate display option
+ nameopt = ca_default # Subject name display option
+ certopt = ca_default # Certificate display option
copy_extensions = none # Don't copy extensions from request
[ policy_any ]
diff --git a/crypto/openssl/doc/apps/ocsp.pod b/crypto/openssl/doc/apps/ocsp.pod
index da201b95e64f..4f266058e536 100644
--- a/crypto/openssl/doc/apps/ocsp.pod
+++ b/crypto/openssl/doc/apps/ocsp.pod
@@ -11,6 +11,10 @@ B<openssl> B<ocsp>
[B<-issuer file>]
[B<-cert file>]
[B<-serial n>]
+[B<-signer file>]
+[B<-signkey file>]
+[B<-sign_other file>]
+[B<-no_certs>]
[B<-req_text>]
[B<-resp_text>]
[B<-text>]
@@ -20,27 +24,36 @@ B<openssl> B<ocsp>
[B<-respin file>]
[B<-nonce>]
[B<-no_nonce>]
-[B<-url responder_url>]
+[B<-url URL>]
[B<-host host:n>]
[B<-path>]
-[B<-CApath file>]
+[B<-CApath dir>]
[B<-CAfile file>]
[B<-VAfile file>]
-[B<-verify_certs file>]
+[B<-validity_period n>]
+[B<-status_age n>]
[B<-noverify>]
+[B<-verify_other file>]
[B<-trust_other>]
[B<-no_intern>]
-[B<-no_sig_verify>]
+[B<-no_signature_verify>]
[B<-no_cert_verify>]
[B<-no_chain>]
[B<-no_cert_checks>]
-[B<-validity_period nsec>]
-[B<-status_age nsec>]
+[B<-port num>]
+[B<-index file>]
+[B<-CA file>]
+[B<-rsigner file>]
+[B<-rkey file>]
+[B<-rother file>]
+[B<-resp_no_certs>]
+[B<-nmin n>]
+[B<-ndays n>]
+[B<-resp_key_id>]
+[B<-nrequest n>]
=head1 DESCRIPTION
-B<WARNING: this documentation is preliminary and subject to change.>
-
The Online Certificate Status Protocol (OCSP) enables applications to
determine the (revocation) state of an identified certificate (RFC 2560).
@@ -83,6 +96,10 @@ the B<signkey> option is not present then the private key is read
from the same file as the certificate. If neither option is specified then
the OCSP request is not signed.
+=item B<-sign_other filename>
+
+Additional certificates to include in the signed request.
+
=item B<-nonce>, B<-no_nonce>
Add an OCSP nonce extension to a request or disable OCSP nonce addition.
@@ -120,7 +137,7 @@ or "/" by default.
file or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response.
-=item B<-verify_certs file>
+=item B<-verify_other file>
file containing additional certificates to search when attempting to locate
the OCSP response signing certificate. Some responders omit the actual signer's
@@ -151,7 +168,7 @@ ignore certificates contained in the OCSP response when searching for the
signers certificate. With this option the signers certificate must be specified
with either the B<-verify_certs> or B<-VAfile> options.
-=item B<-no_sig_verify>
+=item B<-no_signature_verify>
don't check the signature on the OCSP response. Since this option tolerates invalid
signatures on OCSP responses it will normally only be used for testing purposes.
diff --git a/crypto/openssl/doc/apps/s_client.pod b/crypto/openssl/doc/apps/s_client.pod
index 7fca9cbdbd68..d061326c1fca 100644
--- a/crypto/openssl/doc/apps/s_client.pod
+++ b/crypto/openssl/doc/apps/s_client.pod
@@ -33,6 +33,7 @@ B<openssl> B<s_client>
[B<-no_tls1>]
[B<-bugs>]
[B<-cipher cipherlist>]
+[B<-starttls protocol>]
[B<-engine id>]
[B<-rand file(s)>]
@@ -163,6 +164,12 @@ the server determines which cipher suite is used it should take the first
supported cipher in the list sent by the client. See the B<ciphers>
command for more information.
+=item B<-starttls protocol>
+
+send the protocol-specific message(s) to switch to TLS for communication.
+B<protocol> is a keyword for the intended protocol. Currently, the only
+supported keywords are "smtp" and "pop3".
+
=item B<-engine id>
specifying an engine (by it's unique B<id> string) will cause B<s_client>
diff --git a/crypto/openssl/doc/apps/s_server.pod b/crypto/openssl/doc/apps/s_server.pod
index 4b1e4260ef1e..1d21921e47d1 100644
--- a/crypto/openssl/doc/apps/s_server.pod
+++ b/crypto/openssl/doc/apps/s_server.pod
@@ -42,6 +42,7 @@ B<openssl> B<s_server>
[B<-WWW>]
[B<-HTTP>]
[B<-engine id>]
+[B<-id_prefix arg>]
[B<-rand file(s)>]
=head1 DESCRIPTION
@@ -209,6 +210,13 @@ to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
+=item B<-id_prefix arg>
+
+generate SSL/TLS session IDs prefixed by B<arg>. This is mostly useful
+for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
+servers, when each of which might be generating a unique range of session
+IDs (eg. with a certain prefix).
+
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
diff --git a/crypto/openssl/doc/crypto/BIO_f_base64.pod b/crypto/openssl/doc/crypto/BIO_f_base64.pod
index fdb603b38e30..929557d22f02 100644
--- a/crypto/openssl/doc/crypto/BIO_f_base64.pod
+++ b/crypto/openssl/doc/crypto/BIO_f_base64.pod
@@ -55,16 +55,15 @@ to standard output:
Read Base64 encoded data from standard input and write the decoded
data to standard output:
- BIO *bio, *b64, bio_out;
+ BIO *bio, *b64, *bio_out;
char inbuf[512];
int inlen;
- char message[] = "Hello World \n";
b64 = BIO_new(BIO_f_base64());
bio = BIO_new_fp(stdin, BIO_NOCLOSE);
bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
bio = BIO_push(b64, bio);
- while((inlen = BIO_read(bio, inbuf, strlen(message))) > 0)
+ while((inlen = BIO_read(bio, inbuf, 512) > 0)
BIO_write(bio_out, inbuf, inlen);
BIO_free_all(bio);
diff --git a/crypto/openssl/doc/crypto/BIO_f_cipher.pod b/crypto/openssl/doc/crypto/BIO_f_cipher.pod
index 4182f2c30903..02439cea94a0 100644
--- a/crypto/openssl/doc/crypto/BIO_f_cipher.pod
+++ b/crypto/openssl/doc/crypto/BIO_f_cipher.pod
@@ -28,7 +28,7 @@ BIO_flush() on an encryption BIO that is being written through is
used to signal that no more data is to be encrypted: this is used
to flush and possibly pad the final block through the BIO.
-BIO_set_cipher() sets the cipher of BIO <b> to B<cipher> using key B<key>
+BIO_set_cipher() sets the cipher of BIO B<b> to B<cipher> using key B<key>
and IV B<iv>. B<enc> should be set to 1 for encryption and zero for
decryption.
diff --git a/crypto/openssl/doc/openssl-shared.txt b/crypto/openssl/doc/openssl-shared.txt
new file mode 100644
index 000000000000..5cf84a054ff3
--- /dev/null
+++ b/crypto/openssl/doc/openssl-shared.txt
@@ -0,0 +1,32 @@
+The OpenSSL shared libraries are often installed in a directory like
+/usr/local/ssl/lib.
+
+If this directory is not in a standard system path for dynamic/shared
+libraries, then you will have problems linking and executing
+applications that use OpenSSL libraries UNLESS:
+
+* you link with static (archive) libraries. If you are truly
+ paranoid about security, you should use static libraries.
+* you use the GNU libtool code during linking
+ (http://www.gnu.org/software/libtool/libtool.html)
+* you use pkg-config during linking (this requires that
+ PKG_CONFIG_PATH includes the path to the OpenSSL shared
+ library directory), and make use of -R or -rpath.
+ (http://www.freedesktop.org/software/pkgconfig/)
+* you specify the system-wide link path via a command such
+ as crle(1) on Solaris systems.
+* you add the OpenSSL shared library directory to /etc/ld.so.conf
+ and run ldconfig(8) on Linux systems.
+* you define the LD_LIBRARY_PATH, LIBPATH, SHLIB_PATH (HP),
+ DYLD_LIBRARY_PATH (MacOS X) or PATH (Cygwin and DJGPP)
+ environment variable and add the OpenSSL shared library
+ directory to it.
+
+One common tool to check the dynamic dependencies of an executable
+or dynamic library is ldd(1) on most UNIX systems.
+
+See any operating system documentation and manpages about shared
+libraries for your version of UNIX. The following manpages may be
+helpful: ld(1), ld.so(1), ld.so.1(1) [Solaris], dld.sl(1) [HP],
+ldd(1), crle(1) [Solaris], pldd(1) [Solaris], ldconfig(8) [Linux],
+chatr(1) [HP].
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_free.pod b/crypto/openssl/doc/ssl/SSL_CTX_free.pod
index 55e592f5f826..51d86769682f 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_free.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_free.pod
@@ -20,12 +20,22 @@ It also calls the free()ing procedures for indirectly affected items, if
applicable: the session cache, the list of ciphers, the list of Client CAs,
the certificates and keys.
+=head1 WARNINGS
+
+If a session-remove callback is set (SSL_CTX_sess_set_remove_cb()), this
+callback will be called for each session being freed from B<ctx>'s
+session cache. This implies, that all corresponding sessions from an
+external session cache are removed as well. If this is not desired, the user
+should explicitly unset the callback by calling
+SSL_CTX_sess_set_remove_cb(B<ctx>, NULL) prior to calling SSL_CTX_free().
+
=head1 RETURN VALUES
SSL_CTX_free() does not provide diagnostic information.
=head1 SEE ALSO
-L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<ssl(3)|ssl(3)>
+L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<ssl(3)|ssl(3)>,
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>
=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod
index 7c0b2baf6c5e..b9d54a40a193 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod
@@ -60,10 +60,11 @@ B<sess>. If the callback returns B<0>, the session will be immediately
removed again.
The remove_session_cb() is called, whenever the SSL engine removes a session
-from the internal cache. This happens if the session is removed because
-it is expired or when a connection was not shutdown cleanly. The
-remove_session_cb() is passed the B<ctx> and the ssl session B<sess>.
-It does not provide any feedback.
+from the internal cache. This happens when the session is removed because
+it is expired or when a connection was not shutdown cleanly. It also happens
+for all sessions in the internal session cache when
+L<SSL_CTX_free(3)|SSL_CTX_free(3)> is called. The remove_session_cb() is passed
+the B<ctx> and the ssl session B<sess>. It does not provide any feedback.
The get_session_cb() is only called on SSL/TLS servers with the session id
proposed by the client. The get_session_cb() is always called, also when
@@ -80,6 +81,7 @@ L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>.
L<ssl(3)|ssl(3)>, L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>,
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
-L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
+L<SSL_CTX_free(3)|SSL_CTX_free(3)>
=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
index f5e2ec355508..766f0c920070 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
@@ -176,7 +176,7 @@ will send his list of preferences to the client and the client chooses.
=item SSL_OP_NETSCAPE_CA_DN_BUG
If we accept a netscape connection, demand a client cert, have a
-non-self-sighed CA which does not have it's CA in netscape, and the
+non-self-signed CA which does not have its CA in netscape, and the
browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod
index d15b2a3a1a5b..ca8d81b82c81 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod
@@ -135,9 +135,9 @@ process is immediately stopped with "verification failed" state. If
SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and
the TLS/SSL handshake is terminated. If B<verify_callback> returns 1,
the verification process is continued. If B<verify_callback> always returns
-1, the TLS/SSL handshake will never be terminated because of this application
-experiencing a verification failure. The calling process can however
-retrieve the error code of the last verification error using
+1, the TLS/SSL handshake will not be terminated with respect to verification
+failures and the connection will be established. The calling process can
+however retrieve the error code of the last verification error using
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> or by maintaining its
own error storage managed by B<verify_callback>.
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
index b8868f18bfc1..ea2faba3ecca 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
@@ -68,7 +68,9 @@ should be preferred.
SSL_CTX_use_certificate_chain_file() loads a certificate chain from
B<file> into B<ctx>. The certificates must be in PEM format and must
-be sorted starting with the certificate to the highest level (root CA).
+be sorted starting with the subject's certificate (actual client or server
+certificate), followed by intermediate CA certificates if applicable, and
+ending at the highest level (root) CA.
There is no corresponding function working on a single SSL object.
SSL_CTX_use_PrivateKey() adds B<pkey> as private key to B<ctx>.
diff --git a/crypto/openssl/doc/ssl/SSL_accept.pod b/crypto/openssl/doc/ssl/SSL_accept.pod
index a673edba8532..cc724c0d561a 100644
--- a/crypto/openssl/doc/ssl/SSL_accept.pod
+++ b/crypto/openssl/doc/ssl/SSL_accept.pod
@@ -28,7 +28,8 @@ should be called again.
If the underlying BIO is B<non-blocking>, SSL_accept() will also return
when the underlying BIO could not satisfy the needs of SSL_accept()
-to continue the handshake. In this case a call to SSL_get_error() with the
+to continue the handshake, indicating the problem by the return value -1.
+In this case a call to SSL_get_error() with the
return value of SSL_accept() will yield B<SSL_ERROR_WANT_READ> or
B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after
taking appropriate action to satisfy the needs of SSL_accept().
diff --git a/crypto/openssl/doc/ssl/SSL_connect.pod b/crypto/openssl/doc/ssl/SSL_connect.pod
index 8426310c0d26..cc56ebb75f3f 100644
--- a/crypto/openssl/doc/ssl/SSL_connect.pod
+++ b/crypto/openssl/doc/ssl/SSL_connect.pod
@@ -25,7 +25,8 @@ handshake has been finished or an error occurred.
If the underlying BIO is B<non-blocking>, SSL_connect() will also return
when the underlying BIO could not satisfy the needs of SSL_connect()
-to continue the handshake. In this case a call to SSL_get_error() with the
+to continue the handshake, indicating the problem by the return value -1.
+In this case a call to SSL_get_error() with the
return value of SSL_connect() will yield B<SSL_ERROR_WANT_READ> or
B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after
taking appropriate action to satisfy the needs of SSL_connect().
diff --git a/crypto/openssl/e_os.h b/crypto/openssl/e_os.h
index f7d09c529545..096eabe09a53 100644
--- a/crypto/openssl/e_os.h
+++ b/crypto/openssl/e_os.h
@@ -174,6 +174,13 @@ extern "C" {
#define closesocket(s) close(s)
#define readsocket(s,b,n) recv((s),(b),(n),0)
#define writesocket(s,b,n) send((s),(b),(n),0)
+#elif defined(OPENSSL_SYS_VXWORKS)
+#define get_last_socket_error() errno
+#define clear_socket_error() errno=0
+#define ioctlsocket(a,b,c) ioctl((a),(b),(int)(c))
+#define closesocket(s) close(s)
+#define readsocket(s,b,n) read((s),(b),(n))
+#define writesocket(s,b,n) write((s),(char *)(b),(n))
#else
#define get_last_socket_error() errno
#define clear_socket_error() errno=0
@@ -250,7 +257,7 @@ extern "C" {
# define EXIT(n) _wsetexit(_WINEXITNOPERSIST)
# define OPENSSL_EXIT(n) do { if (n == 0) EXIT(n); return(n); } while(0)
# else
-# define EXIT(n) return(n)
+# define EXIT(n) exit(n)
# endif
# define LIST_SEPARATOR_CHAR ';'
# ifndef X_OK
@@ -331,6 +338,8 @@ extern "C" {
# define pid_t int /* pid_t is missing on NEXTSTEP/OPENSTEP
* (unless when compiling with -D_POSIX_SOURCE,
* which doesn't work for us) */
+# endif
+# if defined(NeXT) || defined(OPENSSL_SYS_NEWS4) || defined(OPENSSL_SYS_SUNOS)
# define ssize_t int /* ditto */
# endif
# ifdef OPENSSL_SYS_NEWS4 /* setvbuf is missing on mips-sony-bsd */
@@ -517,10 +526,6 @@ extern char *sys_errlist[]; extern int sys_nerr;
#define TTY_STRUCT int
#define sleep(a) taskDelay((a) * sysClkRateGet())
-#if defined(ioctlsocket)
-#undef ioctlsocket
-#endif
-#define ioctlsocket(a,b,c) ioctl((a),(b),*(c))
#include <vxWorks.h>
#include <sockLib.h>
diff --git a/crypto/openssl/openssl.spec b/crypto/openssl/openssl.spec
index e3ec71adf723..9ce236e0d21e 100644
--- a/crypto/openssl/openssl.spec
+++ b/crypto/openssl/openssl.spec
@@ -1,7 +1,7 @@
%define libmaj 0
%define libmin 9
%define librel 7
-%define librev a
+%define librev c
Release: 1
%define openssldir /var/ssl
@@ -83,18 +83,18 @@ documentation and POD files from which the man pages were produced.
%build
-%define CONFIG_FLAGS -DSSL_ALLOW_ADH --prefix=/usr
+%define CONFIG_FLAGS -DSSL_ALLOW_ADH --prefix=/usr --openssldir=%{openssldir}
perl util/perlpath.pl /usr/bin/perl
%ifarch i386 i486 i586 i686
-./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-elf shared
+./Configure %{CONFIG_FLAGS} linux-elf shared
%endif
%ifarch ppc
-./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-ppc shared
+./Configure %{CONFIG_FLAGS} linux-ppc shared
%endif
%ifarch alpha
-./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha shared
+./Configure %{CONFIG_FLAGS} linux-alpha shared
%endif
LD_LIBRARY_PATH=`pwd` make
LD_LIBRARY_PATH=`pwd` make rehash
@@ -102,12 +102,7 @@ LD_LIBRARY_PATH=`pwd` make test
%install
rm -rf $RPM_BUILD_ROOT
-make MANDIR=/usr/man INSTALL_PREFIX="$RPM_BUILD_ROOT" install
-
-# Rename manpages
-for x in $RPM_BUILD_ROOT/usr/man/man*/*
- do mv ${x} ${x}ssl
-done
+make MANDIR=/usr/man MANSUFFIX=ssl INSTALL_PREFIX="$RPM_BUILD_ROOT" install
# Make backwards-compatibility symlink to ssleay
ln -sf /usr/bin/openssl $RPM_BUILD_ROOT/usr/bin/ssleay
@@ -135,6 +130,7 @@ rm -rf $RPM_BUILD_ROOT
%doc CHANGES CHANGES.SSLeay LICENSE NEWS README
%attr(0644,root,root) /usr/lib/*.a
+%attr(0644,root,root) /usr/lib/pkgconfig/openssl.pc
%attr(0644,root,root) /usr/include/openssl/*
%attr(0644,root,root) /usr/man/man[3]/*
@@ -150,6 +146,8 @@ ldconfig
ldconfig
%changelog
+* Wed May 7 2003 Richard Levitte <richard@levitte.org>
+- Add /usr/lib/pkgconfig/openssl.pc to the development section.
* Thu Mar 22 2001 Richard Levitte <richard@levitte.org>
- Removed redundant subsection that re-installed libcrypto.a and libssl.a
as well. Also remove RSAref stuff completely, since it's not needed
diff --git a/crypto/openssl/ssl/kssl.c b/crypto/openssl/ssl/kssl.c
index 327b92f33b06..7c45f8ff4e6d 100644
--- a/crypto/openssl/ssl/kssl.c
+++ b/crypto/openssl/ssl/kssl.c
@@ -70,6 +70,7 @@
#define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */
#include <time.h>
+#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */
#include <string.h>
#include <openssl/ssl.h>
@@ -1495,8 +1496,9 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
"bad ticket from krb5_rd_req.\n");
}
else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
- &krb5ticket->enc_part2->client->realm,
- krb5ticket->enc_part2->client->data))
+ &krb5ticket->enc_part2->client->realm,
+ krb5ticket->enc_part2->client->data,
+ krb5ticket->enc_part2->client->length))
{
kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
"kssl_ctx_setprinc() fails.\n");
@@ -1563,16 +1565,17 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx)
}
-/* Given a (krb5_data *) entity (and optional realm),
+/* Given an array of (krb5_data *) entity (and optional realm),
** set the plain (char *) client_princ or service_host member
** of the kssl_ctx struct.
*/
krb5_error_code
kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
- krb5_data *realm, krb5_data *entity)
+ krb5_data *realm, krb5_data *entity, int nentities)
{
char **princ;
int length;
+ int i;
if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR;
@@ -1584,18 +1587,33 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
}
if (*princ) free(*princ);
- length = entity->length + ((realm)? realm->length + 2: 1);
+ /* Add up all the entity->lengths */
+ length = 0;
+ for (i=0; i < nentities; i++)
+ {
+ length += entity[i].length;
+ }
+ /* Add in space for the '/' character(s) (if any) */
+ length += nentities-1;
+ /* Space for the ('@'+realm+NULL | NULL) */
+ length += ((realm)? realm->length + 2: 1);
+
if ((*princ = calloc(1, length)) == NULL)
return KSSL_CTX_ERR;
else
- {
- strncpy(*princ, entity->data, entity->length);
- (*princ)[entity->length]='\0';
+ {
+ for (i = 0; i < nentities; i++)
+ {
+ strncat(*princ, entity[i].data, entity[i].length);
+ if (i < nentities-1)
+ {
+ strcat (*princ, "/");
+ }
+ }
if (realm)
{
strcat (*princ, "@");
(void) strncat(*princ, realm->data, realm->length);
- (*princ)[entity->length+1+realm->length]='\0';
}
}
diff --git a/crypto/openssl/ssl/kssl.h b/crypto/openssl/ssl/kssl.h
index cf7ebdd168ed..19a689b089b7 100644
--- a/crypto/openssl/ssl/kssl.h
+++ b/crypto/openssl/ssl/kssl.h
@@ -149,7 +149,7 @@ KSSL_CTX *kssl_ctx_new(void);
KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
void kssl_ctx_show(KSSL_CTX *kssl_ctx);
krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
- krb5_data *realm, krb5_data *entity);
+ krb5_data *realm, krb5_data *entity, int nentities);
krb5_error_code kssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data **enc_tktp,
krb5_data *authenp, KSSL_ERR *kssl_err);
krb5_error_code kssl_sget_tkt(KSSL_CTX *kssl_ctx, krb5_data *indata,
diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c
index fae8eadadaea..eb7daebfdfb3 100644
--- a/crypto/openssl/ssl/s3_clnt.c
+++ b/crypto/openssl/ssl/s3_clnt.c
@@ -1769,6 +1769,7 @@ static int ssl3_send_client_verify(SSL *s)
*(d++)=SSL3_MT_CERTIFICATE_VERIFY;
l2n3(n,d);
+ s->state=SSL3_ST_CW_CERT_VRFY_B;
s->init_num=(int)n+4;
s->init_off=0;
}
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
index df4003237298..881f68b99891 100644
--- a/crypto/openssl/ssl/s3_srvr.c
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -431,10 +431,11 @@ int ssl3_accept(SSL *s)
if (ret == 2)
s->state = SSL3_ST_SR_CLNT_HELLO_C;
else {
- /* could be sent for a DH cert, even if we
- * have not asked for it :-) */
- ret=ssl3_get_client_certificate(s);
- if (ret <= 0) goto end;
+ if (s->s3->tmp.cert_request)
+ {
+ ret=ssl3_get_client_certificate(s);
+ if (ret <= 0) goto end;
+ }
s->init_num=0;
s->state=SSL3_ST_SR_KEY_EXCH_A;
}
@@ -844,6 +845,9 @@ static int ssl3_get_client_hello(SSL *s)
}
/* TLS does not mind if there is extra stuff */
+#if 0 /* SSL 3.0 does not mind either, so we should disable this test
+ * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b,
+ * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
if (s->version == SSL3_VERSION)
{
if (p < (d+n))
@@ -855,6 +859,7 @@ static int ssl3_get_client_hello(SSL *s)
goto f_err;
}
}
+#endif
/* Given s->session->ciphers and SSL_get_ciphers, we must
* pick a cipher */
@@ -1352,6 +1357,7 @@ static int ssl3_send_certificate_request(SSL *s)
s->init_num += 4;
#endif
+ s->state = SSL3_ST_SW_CERT_REQ_B;
}
/* SSL3_ST_SW_CERT_REQ_B */
@@ -1472,7 +1478,6 @@ static int ssl3_get_client_key_exchange(SSL *s)
* made up by the adversary is properly formatted except
* that the version number is wrong. To avoid such attacks,
* we should treat this just like any other decryption error. */
- p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";
}
}
diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c
index c72be89e9ae3..888b667fa12c 100644
--- a/crypto/openssl/ssl/ssl_ciph.c
+++ b/crypto/openssl/ssl/ssl_ciph.c
@@ -668,13 +668,14 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
* So additionally check whether the cipher name found
* has the correct length. We can save a strlen() call:
* just checking for the '\0' at the right place is
- * sufficient, we have to strncmp() anyway.
+ * sufficient, we have to strncmp() anyway. (We cannot
+ * use strcmp(), because buf is not '\0' terminated.)
*/
j = found = 0;
while (ca_list[j])
{
- if ((ca_list[j]->name[buflen] == '\0') &&
- !strncmp(buf, ca_list[j]->name, buflen))
+ if (!strncmp(buf, ca_list[j]->name, buflen) &&
+ (ca_list[j]->name[buflen] == '\0'))
{
found = 1;
break;
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index ddd811458779..6d698906884a 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c
@@ -473,6 +473,11 @@ void SSL_free(SSL *s)
if (s->method != NULL) s->method->ssl_free(s);
+#ifndef OPENSSL_NO_KRB5
+ if (s->kssl_ctx != NULL)
+ kssl_ctx_free(s->kssl_ctx);
+#endif /* OPENSSL_NO_KRB5 */
+
OPENSSL_free(s);
}
diff --git a/crypto/openssl/ssl/ssl_rsa.c b/crypto/openssl/ssl/ssl_rsa.c
index 03828b663262..330390519bb6 100644
--- a/crypto/openssl/ssl/ssl_rsa.c
+++ b/crypto/openssl/ssl/ssl_rsa.c
@@ -207,7 +207,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
ok=1;
else
#endif
- if (!X509_check_private_key(c->pkeys[i].x509,pkey))
+ if (!X509_check_private_key(c->pkeys[i].x509,pkey))
{
if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
{
@@ -241,6 +241,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
return(0);
}
+ ERR_clear_error(); /* make sure no error from X509_check_private_key()
+ * is left if we have chosen to ignore it */
if (c->pkeys[i].privatekey != NULL)
EVP_PKEY_free(c->pkeys[i].privatekey);
CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c
index fbc30b94e63b..fabcdefa6ed6 100644
--- a/crypto/openssl/ssl/ssl_sess.c
+++ b/crypto/openssl/ssl/ssl_sess.c
@@ -79,11 +79,11 @@ SSL_SESSION *SSL_get1_session(SSL *ssl)
/* Need to lock this all up rather than just use CRYPTO_add so that
* somebody doesn't free ssl->session between when we check it's
* non-null and when we up the reference count. */
- CRYPTO_r_lock(CRYPTO_LOCK_SSL_SESSION);
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
sess = ssl->session;
if(sess)
sess->references++;
- CRYPTO_r_unlock(CRYPTO_LOCK_SSL_SESSION);
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
return(sess);
}
diff --git a/crypto/openssl/ssl/ssltest.c b/crypto/openssl/ssl/ssltest.c
index 42b6f1fc8b14..42289c255b27 100644
--- a/crypto/openssl/ssl/ssltest.c
+++ b/crypto/openssl/ssl/ssltest.c
@@ -142,7 +142,6 @@
#ifdef OPENSSL_SYS_WINDOWS
#include <winsock.h>
-#include "../crypto/bio/bss_file.c"
#else
#include OPENSSL_UNISTD
#endif
@@ -291,7 +290,7 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
goto err;
}
- if (type < 0 || type > CRYPTO_NUM_LOCKS)
+ if (type < 0 || type >= CRYPTO_NUM_LOCKS)
{
errstr = "type out of bounds";
goto err;
diff --git a/crypto/openssl/test/Makefile.ssl b/crypto/openssl/test/Makefile.ssl
index 21ec82dd595f..a3339ca5d5b1 100644
--- a/crypto/openssl/test/Makefile.ssl
+++ b/crypto/openssl/test/Makefile.ssl
@@ -121,7 +121,11 @@ tests: exe apps $(TESTS)
apps:
@(cd ..; $(MAKE) DIRS=apps all)
-SET_SO_PATHS=LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$$LIBPATH"; DYLD_LIBRARY_PATH="$$LIBPATH"; SHLIB_PATH="$$LIBPATH"; \
+SET_SO_PATHS=OSSL_LIBPATH="`cd ..; pwd`"; \
+ LD_LIBRARY_PATH="$$OSSL_LIBPATH:$$LD_LIBRARY_PATH"; \
+ DYLD_LIBRARY_PATH="$$OSSL_LIBPATH:$$DYLD_LIBRARY_PATH"; \
+ SHLIB_PATH="$$OSSL_LIBPATH:$$SHLIB_PATH"; \
+ LIBPATH="$$OSSL_LIBPATH:$$LIBPATH"; \
if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="$${LIBPATH}:$$PATH"; fi; \
export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH
@@ -289,6 +293,7 @@ $(RSATEST): $(RSATEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -296,6 +301,7 @@ $(BNTEST): $(BNTEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(BNTEST) $(CFLAGS) $(BNTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -303,6 +309,7 @@ $(ECTEST): $(ECTEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(ECTEST) $(CFLAGS) $(ECTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -310,6 +317,7 @@ $(EXPTEST): $(EXPTEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(EXPTEST) $(CFLAGS) $(EXPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -317,6 +325,7 @@ $(IDEATEST): $(IDEATEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(IDEATEST) $(CFLAGS) $(IDEATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -324,6 +333,7 @@ $(MD2TEST): $(MD2TEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(MD2TEST) $(CFLAGS) $(MD2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -331,6 +341,7 @@ $(SHATEST): $(SHATEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(SHATEST) $(CFLAGS) $(SHATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -338,6 +349,7 @@ $(SHA1TEST): $(SHA1TEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(SHA1TEST) $(CFLAGS) $(SHA1TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -345,6 +357,7 @@ $(RMDTEST): $(RMDTEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(RMDTEST) $(CFLAGS) $(RMDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -352,6 +365,7 @@ $(MDC2TEST): $(MDC2TEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(MDC2TEST) $(CFLAGS) $(MDC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -359,6 +373,7 @@ $(MD4TEST): $(MD4TEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(MD4TEST) $(CFLAGS) $(MD4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -366,6 +381,7 @@ $(MD5TEST): $(MD5TEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(MD5TEST) $(CFLAGS) $(MD5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -373,6 +389,7 @@ $(HMACTEST): $(HMACTEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(HMACTEST) $(CFLAGS) $(HMACTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -380,6 +397,7 @@ $(RC2TEST): $(RC2TEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(RC2TEST) $(CFLAGS) $(RC2TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -387,6 +405,7 @@ $(BFTEST): $(BFTEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(BFTEST) $(CFLAGS) $(BFTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -394,6 +413,7 @@ $(CASTTEST): $(CASTTEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(CASTTEST) $(CFLAGS) $(CASTTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -401,6 +421,7 @@ $(RC4TEST): $(RC4TEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(RC4TEST) $(CFLAGS) $(RC4TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -408,6 +429,7 @@ $(RC5TEST): $(RC5TEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(RC5TEST) $(CFLAGS) $(RC5TEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -415,6 +437,7 @@ $(DESTEST): $(DESTEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(DESTEST) $(CFLAGS) $(DESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -422,6 +445,7 @@ $(RANDTEST): $(RANDTEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(RANDTEST) $(CFLAGS) $(RANDTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -429,6 +453,7 @@ $(DHTEST): $(DHTEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(DHTEST) $(CFLAGS) $(DHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -436,6 +461,7 @@ $(DSATEST): $(DSATEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(DSATEST) $(CFLAGS) $(DSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -443,6 +469,7 @@ $(METHTEST): $(METHTEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -450,6 +477,7 @@ $(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -457,6 +485,7 @@ $(ENGINETEST): $(ENGINETEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -464,6 +493,7 @@ $(EVPTEST): $(EVPTEST).o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -474,6 +504,7 @@ $(EVPTEST): $(EVPTEST).o $(DLIBCRYPTO)
# if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
# $(CC) -o $(AESTEST) $(CFLAGS) $(AESTEST).o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
# else \
+# LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
# $(CC) -o $(AESTEST) $(CFLAGS) $(AESTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
# fi
@@ -481,6 +512,7 @@ dummytest: dummytest.o $(DLIBCRYPTO)
if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
$(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(DLIBCRYPTO) $(EX_LIBS) ; \
else \
+ LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
@@ -524,16 +556,14 @@ dhtest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
dhtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
dhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
dhtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h dhtest.c
-dsatest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-dsatest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
-dsatest.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-dsatest.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+dsatest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
+dsatest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+dsatest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
dsatest.o: ../include/openssl/err.h ../include/openssl/lhash.h
dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
dsatest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
-dsatest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-dsatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-dsatest.o: ../include/openssl/ui.h dsatest.c
+dsatest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+dsatest.o: ../include/openssl/symhacks.h dsatest.c
ectest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
ectest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
ectest.o: ../include/openssl/dh.h ../include/openssl/dsa.h
@@ -698,14 +728,12 @@ rmdtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
rmdtest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h rmdtest.c
rsa_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
rsa_test.o: ../include/openssl/bn.h ../include/openssl/crypto.h
-rsa_test.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
-rsa_test.o: ../include/openssl/err.h ../include/openssl/lhash.h
-rsa_test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-rsa_test.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
-rsa_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-rsa_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-rsa_test.o: ../include/openssl/ui.h rsa_test.c
+rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+rsa_test.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+rsa_test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+rsa_test.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+rsa_test.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+rsa_test.o: ../include/openssl/symhacks.h rsa_test.c
sha1test.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
sha1test.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
sha1test.o: ../include/openssl/bn.h ../include/openssl/cast.h
diff --git a/crypto/openssl/test/evptests.txt b/crypto/openssl/test/evptests.txt
new file mode 100644
index 000000000000..80bd9c7765cb
--- /dev/null
+++ b/crypto/openssl/test/evptests.txt
@@ -0,0 +1,183 @@
+#cipher:key:iv:plaintext:ciphertext:0/1(decrypt/encrypt)
+#digest:::input:output
+
+# SHA(1) tests (from shatest.c)
+SHA1:::616263:a9993e364706816aba3e25717850c26c9cd0d89d
+
+# MD5 tests (from md5test.c)
+MD5::::d41d8cd98f00b204e9800998ecf8427e
+MD5:::61:0cc175b9c0f1b6a831c399e269772661
+MD5:::616263:900150983cd24fb0d6963f7d28e17f72
+MD5:::6d65737361676520646967657374:f96b697d7cb7938d525a2f31aaf161d0
+MD5:::6162636465666768696a6b6c6d6e6f707172737475767778797a:c3fcd3d76192e4007dfb496cca67e13b
+MD5:::4142434445464748494a4b4c4d4e4f505152535455565758595a6162636465666768696a6b6c6d6e6f707172737475767778797a30313233343536373839:d174ab98d277d9f5a5611c2c9f419d9f
+MD5:::3132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930:57edf4a22be3c955ac49da2e2107b67a
+
+# AES 128 ECB tests (from FIPS-197 test vectors, encrypt)
+
+AES-128-ECB:000102030405060708090A0B0C0D0E0F::00112233445566778899AABBCCDDEEFF:69C4E0D86A7B0430D8CDB78070B4C55A:1
+
+# AES 192 ECB tests (from FIPS-197 test vectors, encrypt)
+
+AES-192-ECB:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF:DDA97CA4864CDFE06EAF70A0EC0D7191:1
+
+# AES 256 ECB tests (from FIPS-197 test vectors, encrypt)
+
+AES-256-ECB:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF:8EA2B7CA516745BFEAFC49904B496089:1
+
+# AES 128 ECB tests (from NIST test vectors, encrypt)
+
+#AES-128-ECB:00000000000000000000000000000000::00000000000000000000000000000000:C34C052CC0DA8D73451AFE5F03BE297F:1
+
+# AES 128 ECB tests (from NIST test vectors, decrypt)
+
+#AES-128-ECB:00000000000000000000000000000000::44416AC2D1F53C583303917E6BE9EBE0:00000000000000000000000000000000:0
+
+# AES 192 ECB tests (from NIST test vectors, decrypt)
+
+#AES-192-ECB:000000000000000000000000000000000000000000000000::48E31E9E256718F29229319C19F15BA4:00000000000000000000000000000000:0
+
+# AES 256 ECB tests (from NIST test vectors, decrypt)
+
+#AES-256-ECB:0000000000000000000000000000000000000000000000000000000000000000::058CCFFDBBCB382D1F6F56585D8A4ADE:00000000000000000000000000000000:0
+
+# AES 128 CBC tests (from NIST test vectors, encrypt)
+
+#AES-128-CBC:00000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:8A05FC5E095AF4848A08D328D3688E3D:1
+
+# AES 192 CBC tests (from NIST test vectors, encrypt)
+
+#AES-192-CBC:000000000000000000000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:7BD966D53AD8C1BB85D2ADFAE87BB104:1
+
+# AES 256 CBC tests (from NIST test vectors, encrypt)
+
+#AES-256-CBC:0000000000000000000000000000000000000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:FE3C53653E2F45B56FCD88B2CC898FF0:1
+
+# AES 128 CBC tests (from NIST test vectors, decrypt)
+
+#AES-128-CBC:00000000000000000000000000000000:00000000000000000000000000000000:FACA37E0B0C85373DF706E73F7C9AF86:00000000000000000000000000000000:0
+
+# AES tests from NIST document SP800-38A
+# For all ECB encrypts and decrypts, the transformed sequence is
+# AES-bits-ECB:key::plaintext:ciphertext:encdec
+# ECB-AES128.Encrypt and ECB-AES128.Decrypt
+AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::6BC1BEE22E409F96E93D7E117393172A:3AD77BB40D7A3660A89ECAF32466EF97
+AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::AE2D8A571E03AC9C9EB76FAC45AF8E51:F5D3D58503B9699DE785895A96FDBAAF
+AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::30C81C46A35CE411E5FBC1191A0A52EF:43B1CD7F598ECE23881B00E3ED030688
+AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::F69F2445DF4F9B17AD2B417BE66C3710:7B0C785E27E8AD3F8223207104725DD4
+# ECB-AES192.Encrypt and ECB-AES192.Decrypt
+AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::6BC1BEE22E409F96E93D7E117393172A:BD334F1D6E45F25FF712A214571FA5CC
+AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::AE2D8A571E03AC9C9EB76FAC45AF8E51:974104846D0AD3AD7734ECB3ECEE4EEF
+AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::30C81C46A35CE411E5FBC1191A0A52EF:EF7AFD2270E2E60ADCE0BA2FACE6444E
+AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::F69F2445DF4F9B17AD2B417BE66C3710:9A4B41BA738D6C72FB16691603C18E0E
+# ECB-AES256.Encrypt and ECB-AES256.Decrypt
+AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::6BC1BEE22E409F96E93D7E117393172A:F3EED1BDB5D2A03C064B5A7E3DB181F8
+AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::AE2D8A571E03AC9C9EB76FAC45AF8E51:591CCB10D410ED26DC5BA74A31362870
+AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::30C81C46A35CE411E5FBC1191A0A52EF:B6ED21B99CA6F4F9F153E7B1BEAFED1D
+AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::F69F2445DF4F9B17AD2B417BE66C3710:23304B7A39F9F3FF067D8D8F9E24ECC7
+# For all CBC encrypts and decrypts, the transformed sequence is
+# AES-bits-CBC:key:IV/ciphertext':plaintext:ciphertext:encdec
+# CBC-AES128.Encrypt and CBC-AES128.Decrypt
+AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:7649ABAC8119B246CEE98E9B12E9197D
+AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:7649ABAC8119B246CEE98E9B12E9197D:AE2D8A571E03AC9C9EB76FAC45AF8E51:5086CB9B507219EE95DB113A917678B2
+AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:5086CB9B507219EE95DB113A917678B2:30C81C46A35CE411E5FBC1191A0A52EF:73BED6B8E3C1743B7116E69E22229516
+AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:73BED6B8E3C1743B7116E69E22229516:F69F2445DF4F9B17AD2B417BE66C3710:3FF1CAA1681FAC09120ECA307586E1A7
+# CBC-AES192.Encrypt and CBC-AES192.Decrypt
+AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:4F021DB243BC633D7178183A9FA071E8
+AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:4F021DB243BC633D7178183A9FA071E8:AE2D8A571E03AC9C9EB76FAC45AF8E51:B4D9ADA9AD7DEDF4E5E738763F69145A
+AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:B4D9ADA9AD7DEDF4E5E738763F69145A:30C81C46A35CE411E5FBC1191A0A52EF:571B242012FB7AE07FA9BAAC3DF102E0
+AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:571B242012FB7AE07FA9BAAC3DF102E0:F69F2445DF4F9B17AD2B417BE66C3710:08B0E27988598881D920A9E64F5615CD
+# CBC-AES256.Encrypt and CBC-AES256.Decrypt
+AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:F58C4C04D6E5F1BA779EABFB5F7BFBD6
+AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:F58C4C04D6E5F1BA779EABFB5F7BFBD6:AE2D8A571E03AC9C9EB76FAC45AF8E51:9CFC4E967EDB808D679F777BC6702C7D
+AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:9CFC4E967EDB808D679F777BC6702C7D:30C81C46A35CE411E5FBC1191A0A52EF:39F23369A9D9BACFA530E26304231461
+AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39F23369A9D9BACFA530E26304231461:F69F2445DF4F9B17AD2B417BE66C3710:B2EB05E2C39BE9FCDA6C19078C6A9D1B
+# We don't support CFB{1,8}-AESxxx.{En,De}crypt
+# For all CFB128 encrypts and decrypts, the transformed sequence is
+# AES-bits-CFB:key:IV/ciphertext':plaintext:ciphertext:encdec
+# CFB128-AES128.Encrypt
+AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:1
+AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:3B3FD92EB72DAD20333449F8E83CFB4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:C8A64537A0B3A93FCDE3CDAD9F1CE58B:1
+AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:C8A64537A0B3A93FCDE3CDAD9F1CE58B:30C81C46A35CE411E5FBC1191A0A52EF:26751F67A3CBB140B1808CF187A4F4DF:1
+AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:26751F67A3CBB140B1808CF187A4F4DF:F69F2445DF4F9B17AD2B417BE66C3710:C04B05357C5D1C0EEAC4C66F9FF7F2E6:1
+# CFB128-AES128.Decrypt
+AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:0
+AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:3B3FD92EB72DAD20333449F8E83CFB4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:C8A64537A0B3A93FCDE3CDAD9F1CE58B:0
+AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:C8A64537A0B3A93FCDE3CDAD9F1CE58B:30C81C46A35CE411E5FBC1191A0A52EF:26751F67A3CBB140B1808CF187A4F4DF:0
+AES-128-CFB:2B7E151628AED2A6ABF7158809CF4F3C:26751F67A3CBB140B1808CF187A4F4DF:F69F2445DF4F9B17AD2B417BE66C3710:C04B05357C5D1C0EEAC4C66F9FF7F2E6:0
+# CFB128-AES192.Encrypt
+AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:CDC80D6FDDF18CAB34C25909C99A4174:1
+AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:CDC80D6FDDF18CAB34C25909C99A4174:AE2D8A571E03AC9C9EB76FAC45AF8E51:67CE7F7F81173621961A2B70171D3D7A:1
+AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:67CE7F7F81173621961A2B70171D3D7A:30C81C46A35CE411E5FBC1191A0A52EF:2E1E8A1DD59B88B1C8E60FED1EFAC4C9:1
+AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:2E1E8A1DD59B88B1C8E60FED1EFAC4C9:F69F2445DF4F9B17AD2B417BE66C3710:C05F9F9CA9834FA042AE8FBA584B09FF:1
+# CFB128-AES192.Decrypt
+AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:CDC80D6FDDF18CAB34C25909C99A4174:0
+AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:CDC80D6FDDF18CAB34C25909C99A4174:AE2D8A571E03AC9C9EB76FAC45AF8E51:67CE7F7F81173621961A2B70171D3D7A:0
+AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:67CE7F7F81173621961A2B70171D3D7A:30C81C46A35CE411E5FBC1191A0A52EF:2E1E8A1DD59B88B1C8E60FED1EFAC4C9:0
+AES-192-CFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:2E1E8A1DD59B88B1C8E60FED1EFAC4C9:F69F2445DF4F9B17AD2B417BE66C3710:C05F9F9CA9834FA042AE8FBA584B09FF:0
+# CFB128-AES256.Encrypt
+AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:1
+AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:DC7E84BFDA79164B7ECD8486985D3860:AE2D8A571E03AC9C9EB76FAC45AF8E51:39FFED143B28B1C832113C6331E5407B:1
+AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39FFED143B28B1C832113C6331E5407B:30C81C46A35CE411E5FBC1191A0A52EF:DF10132415E54B92A13ED0A8267AE2F9:1
+AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:DF10132415E54B92A13ED0A8267AE2F9:F69F2445DF4F9B17AD2B417BE66C3710:75A385741AB9CEF82031623D55B1E471:1
+# CFB128-AES256.Decrypt
+AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:0
+AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:DC7E84BFDA79164B7ECD8486985D3860:AE2D8A571E03AC9C9EB76FAC45AF8E51:39FFED143B28B1C832113C6331E5407B:0
+AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39FFED143B28B1C832113C6331E5407B:30C81C46A35CE411E5FBC1191A0A52EF:DF10132415E54B92A13ED0A8267AE2F9:0
+AES-256-CFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:DF10132415E54B92A13ED0A8267AE2F9:F69F2445DF4F9B17AD2B417BE66C3710:75A385741AB9CEF82031623D55B1E471:0
+# For all OFB encrypts and decrypts, the transformed sequence is
+# AES-bits-CFB:key:IV/output':plaintext:ciphertext:encdec
+# OFB-AES128.Encrypt
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:1
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:50FE67CC996D32B6DA0937E99BAFEC60:AE2D8A571E03AC9C9EB76FAC45AF8E51:7789508D16918F03F53C52DAC54ED825:1
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:D9A4DADA0892239F6B8B3D7680E15674:30C81C46A35CE411E5FBC1191A0A52EF:9740051E9C5FECF64344F7A82260EDCC:1
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:A78819583F0308E7A6BF36B1386ABF23:F69F2445DF4F9B17AD2B417BE66C3710:304C6528F659C77866A510D9C1D6AE5E:1
+# OFB-AES128.Decrypt
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:0
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:50FE67CC996D32B6DA0937E99BAFEC60:AE2D8A571E03AC9C9EB76FAC45AF8E51:7789508D16918F03F53C52DAC54ED825:0
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:D9A4DADA0892239F6B8B3D7680E15674:30C81C46A35CE411E5FBC1191A0A52EF:9740051E9C5FECF64344F7A82260EDCC:0
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:A78819583F0308E7A6BF36B1386ABF23:F69F2445DF4F9B17AD2B417BE66C3710:304C6528F659C77866A510D9C1D6AE5E:0
+# OFB-AES192.Encrypt
+AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:CDC80D6FDDF18CAB34C25909C99A4174:1
+AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:A609B38DF3B1133DDDFF2718BA09565E:AE2D8A571E03AC9C9EB76FAC45AF8E51:FCC28B8D4C63837C09E81700C1100401:1
+AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:52EF01DA52602FE0975F78AC84BF8A50:30C81C46A35CE411E5FBC1191A0A52EF:8D9A9AEAC0F6596F559C6D4DAF59A5F2:1
+AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:BD5286AC63AABD7EB067AC54B553F71D:F69F2445DF4F9B17AD2B417BE66C3710:6D9F200857CA6C3E9CAC524BD9ACC92A:1
+# OFB-AES192.Decrypt
+AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:CDC80D6FDDF18CAB34C25909C99A4174:0
+AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:A609B38DF3B1133DDDFF2718BA09565E:AE2D8A571E03AC9C9EB76FAC45AF8E51:FCC28B8D4C63837C09E81700C1100401:0
+AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:52EF01DA52602FE0975F78AC84BF8A50:30C81C46A35CE411E5FBC1191A0A52EF:8D9A9AEAC0F6596F559C6D4DAF59A5F2:0
+AES-192-OFB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:BD5286AC63AABD7EB067AC54B553F71D:F69F2445DF4F9B17AD2B417BE66C3710:6D9F200857CA6C3E9CAC524BD9ACC92A:0
+# OFB-AES256.Encrypt
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:1
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:B7BF3A5DF43989DD97F0FA97EBCE2F4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:4FEBDC6740D20B3AC88F6AD82A4FB08D:1
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:E1C656305ED1A7A6563805746FE03EDC:30C81C46A35CE411E5FBC1191A0A52EF:71AB47A086E86EEDF39D1C5BBA97C408:1
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:41635BE625B48AFC1666DD42A09D96E7:F69F2445DF4F9B17AD2B417BE66C3710:0126141D67F37BE8538F5A8BE740E484:1
+# OFB-AES256.Decrypt
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:0
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:B7BF3A5DF43989DD97F0FA97EBCE2F4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:4FEBDC6740D20B3AC88F6AD82A4FB08D:0
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:E1C656305ED1A7A6563805746FE03EDC:30C81C46A35CE411E5FBC1191A0A52EF:71AB47A086E86EEDF39D1C5BBA97C408:0
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:41635BE625B48AFC1666DD42A09D96E7:F69F2445DF4F9B17AD2B417BE66C3710:0126141D67F37BE8538F5A8BE740E484:0
+
+# DES ECB tests (from destest)
+
+DES-ECB:0000000000000000::0000000000000000:8CA64DE9C1B123A7
+DES-ECB:FFFFFFFFFFFFFFFF::FFFFFFFFFFFFFFFF:7359B2163E4EDC58
+DES-ECB:3000000000000000::1000000000000001:958E6E627A05557B
+DES-ECB:1111111111111111::1111111111111111:F40379AB9E0EC533
+DES-ECB:0123456789ABCDEF::1111111111111111:17668DFC7292532D
+DES-ECB:1111111111111111::0123456789ABCDEF:8A5AE1F81AB8F2DD
+DES-ECB:FEDCBA9876543210::0123456789ABCDEF:ED39D950FA74BCC4
+
+# DESX-CBC tests (from destest)
+DESX-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:846B2914851E9A2954732F8AA0A611C115CDC2D7951B1053A63C5E03B21AA3C4
+
+# DES EDE3 CBC tests (from destest)
+DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
+
+# RC4 tests (from rc4test)
+RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596
+RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879
+RC4:00000000000000000000000000000000::0000000000000000:de188941a3375d3a
+RC4:ef012345ef012345ef012345ef012345::0000000000000000000000000000000000000000:d6a141a7ec3c38dfbd615a1162e1c7ba36b67858
+RC4:0123456789abcdef0123456789abcdef::123456789ABCDEF0123456789ABCDEF0123456789ABCDEF012345678:66a0949f8af7d6891f7f832ba833c00c892ebe30143ce28740011ecf
+RC4:ef012345ef012345ef012345ef012345::00000000000000000000:d6a141a7ec3c38dfbd61
diff --git a/crypto/openssl/tools/c_rehash b/crypto/openssl/tools/c_rehash
index 3e9ba1efe490..e614fb546667 100644
--- a/crypto/openssl/tools/c_rehash
+++ b/crypto/openssl/tools/c_rehash
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/perl
# Perl c_rehash script, scan all files in a directory
diff --git a/crypto/openssl/util/extract-names.pl b/crypto/openssl/util/extract-names.pl
index d413a045cc45..9f2ad5ef166c 100644
--- a/crypto/openssl/util/extract-names.pl
+++ b/crypto/openssl/util/extract-names.pl
@@ -9,8 +9,8 @@ while(<STDIN>) {
} elsif ($name) {
if (/ - /) {
s/ - .*//;
- s/[ \t,]+/ /g;
- push @words, split ' ';
+ s/,[ \t]+/,/g;
+ push @words, split ',';
}
}
if (/^=head1 *NAME *$/) {
diff --git a/crypto/openssl/util/libeay.num b/crypto/openssl/util/libeay.num
index f5c8c0be8a0b..203c7713e72e 100755
--- a/crypto/openssl/util/libeay.num
+++ b/crypto/openssl/util/libeay.num
@@ -2801,3 +2801,5 @@ BIO_indent 3242 EXIST::FUNCTION:
BUF_strlcpy 3243 EXIST::FUNCTION:
OpenSSLDie 3244 EXIST::FUNCTION:
OPENSSL_cleanse 3245 EXIST::FUNCTION:
+ENGINE_setup_bsd_cryptodev 3246 EXIST:__FreeBSD__:FUNCTION:ENGINE
+ERR_release_err_state_table 3247 EXIST::FUNCTION:LHASH
diff --git a/crypto/openssl/util/mk1mf.pl b/crypto/openssl/util/mk1mf.pl
index 936b063ca495..c538f9dffb1d 100755
--- a/crypto/openssl/util/mk1mf.pl
+++ b/crypto/openssl/util/mk1mf.pl
@@ -663,6 +663,7 @@ sub var_add
return("") if $no_rsa && $dir =~ /^rsaref/;
return("") if $no_dsa && $dir =~ /\/dsa/;
return("") if $no_dh && $dir =~ /\/dh/;
+ return("") if $no_ec && $dir =~ /\/ec/;
if ($no_des && $dir =~ /\/des/)
{
if ($val =~ /read_pwd/)
diff --git a/crypto/openssl/util/mkdef.pl b/crypto/openssl/util/mkdef.pl
index dacb9565ef8c..cdd2164c4e25 100755
--- a/crypto/openssl/util/mkdef.pl
+++ b/crypto/openssl/util/mkdef.pl
@@ -440,7 +440,12 @@ sub do_defs
}
s/\/\*.*?\*\///gs; # ignore comments
+ if (/\/\*/) { # if we have part
+ $line = $_; # of a comment,
+ next; # continue reading
+ }
s/{[^{}]*}//gs; # ignore {} blocks
+ print STDERR "DEBUG: \$def=\"$def\"\n" if $debug && $def ne "";
print STDERR "DEBUG: \$_=\"$_\"\n" if $debug;
if (/^\#\s*ifndef\s+(.*)/) {
push(@tag,"-");
@@ -814,14 +819,14 @@ sub do_defs
} elsif (/\(\*(\w*(\{[0-9]+\})?)\([^\)]+/) {
$s = $1;
print STDERR "DEBUG: found ANSI C function $s\n" if $debug;
- } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s) {
+ } elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s) {
# K&R C
print STDERR "DEBUG: found K&R C function $s\n" if $debug;
next;
- } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)$/s) {
- while (not /\(\)$/s) {
- s/[^\(\)]*\)$/\)/s;
- s/\([^\(\)]*\)\)$/\)/s;
+ } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) {
+ while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) {
+ s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
+ s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
}
s/\(void\)//;
/(\w+(\{[0-9]+\})?)\W*\(\)/s;
diff --git a/crypto/openssl/util/mkerr.pl b/crypto/openssl/util/mkerr.pl
index 4105047b217d..1b2915c76779 100644
--- a/crypto/openssl/util/mkerr.pl
+++ b/crypto/openssl/util/mkerr.pl
@@ -132,16 +132,16 @@ while (($hdr, $lib) = each %libinc)
my $name = $1;
$name =~ tr/[a-z]/[A-Z]/;
$ftrans{$name} = $1;
- } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s){
+ } elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s){
# K&R C
next ;
- } elsif (/\w+\W+\w+\W*\(.*\)$/s) {
- while (not /\(\)$/s) {
- s/[^\(\)]*\)$/\)/s;
- s/\([^\(\)]*\)\)$/\)/s;
+ } elsif (/\w+\W+\w+\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) {
+ while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) {
+ s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
+ s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
}
s/\(void\)//;
- /(\w+)\W*\(\)/s;
+ /(\w+(\{[0-9]+\})?)\W*\(\)/s;
my $name = $1;
$name =~ tr/[a-z]/[A-Z]/;
$ftrans{$name} = $1;
@@ -262,7 +262,7 @@ foreach $lib (keys %csrc)
} else {
push @out,
"/* ====================================================================\n",
-" * Copyright (c) 2001-2002 The OpenSSL Project. All rights reserved.\n",
+" * Copyright (c) 2001-2003 The OpenSSL Project. All rights reserved.\n",
" *\n",
" * Redistribution and use in source and binary forms, with or without\n",
" * modification, are permitted provided that the following conditions\n",
@@ -404,7 +404,7 @@ EOF
print OUT <<"EOF";
/* $cfile */
/* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
diff --git a/crypto/openssl/util/pl/Mingw32.pl b/crypto/openssl/util/pl/Mingw32.pl
index 45ab685974e0..4bee638c4a6a 100644
--- a/crypto/openssl/util/pl/Mingw32.pl
+++ b/crypto/openssl/util/pl/Mingw32.pl
@@ -1,17 +1,17 @@
#!/usr/local/bin/perl
#
-# Mingw32.pl -- Mingw32 with GNU cp (Mingw32f.pl uses DOS tools)
+# Mingw32.pl -- Mingw
#
$o='/';
$cp='cp';
-$rm='rem'; # use 'rm -f' if using GNU file utilities
+$rm='rm -f';
$mkdir='gmkdir';
-# gcc wouldn't accept backslashes in paths
-#$o='\\';
-#$cp='copy';
-#$rm='del';
+$o='\\';
+$cp='copy';
+$rm='del';
+$mkdir='mkdir';
# C compiler stuff
@@ -19,29 +19,29 @@ $cc='gcc';
if ($debug)
{ $cflags="-DL_ENDIAN -DDSO_WIN32 -g2 -ggdb"; }
else
- { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -m486 -Wall"; }
+ { $cflags="-DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -mcpu=i486 -Wall"; }
if ($gaswin and !$no_asm)
{
- $bn_asm_obj='$(OBJ_D)/bn-win32.o';
+ $bn_asm_obj='$(OBJ_D)\bn-win32.o';
$bn_asm_src='crypto/bn/asm/bn-win32.s';
- $bnco_asm_obj='$(OBJ_D)/co-win32.o';
+ $bnco_asm_obj='$(OBJ_D)\co-win32.o';
$bnco_asm_src='crypto/bn/asm/co-win32.s';
- $des_enc_obj='$(OBJ_D)/d-win32.o $(OBJ_D)/y-win32.o';
+ $des_enc_obj='$(OBJ_D)\d-win32.o $(OBJ_D)\y-win32.o';
$des_enc_src='crypto/des/asm/d-win32.s crypto/des/asm/y-win32.s';
- $bf_enc_obj='$(OBJ_D)/b-win32.o';
+ $bf_enc_obj='$(OBJ_D)\b-win32.o';
$bf_enc_src='crypto/bf/asm/b-win32.s';
-# $cast_enc_obj='$(OBJ_D)/c-win32.o';
+# $cast_enc_obj='$(OBJ_D)\c-win32.o';
# $cast_enc_src='crypto/cast/asm/c-win32.s';
- $rc4_enc_obj='$(OBJ_D)/r4-win32.o';
+ $rc4_enc_obj='$(OBJ_D)\r4-win32.o';
$rc4_enc_src='crypto/rc4/asm/r4-win32.s';
- $rc5_enc_obj='$(OBJ_D)/r5-win32.o';
+ $rc5_enc_obj='$(OBJ_D)\r5-win32.o';
$rc5_enc_src='crypto/rc5/asm/r5-win32.s';
- $md5_asm_obj='$(OBJ_D)/m5-win32.o';
+ $md5_asm_obj='$(OBJ_D)\m5-win32.o';
$md5_asm_src='crypto/md5/asm/m5-win32.s';
- $rmd160_asm_obj='$(OBJ_D)/rm-win32.o';
+ $rmd160_asm_obj='$(OBJ_D)\rm-win32.o';
$rmd160_asm_src='crypto/ripemd/asm/rm-win32.s';
- $sha1_asm_obj='$(OBJ_D)/s1-win32.o';
+ $sha1_asm_obj='$(OBJ_D)\s1-win32.o';
$sha1_asm_src='crypto/sha/asm/s1-win32.s';
$cflags.=" -DBN_ASM -DMD5_ASM -DSHA1_ASM";
}
@@ -85,7 +85,7 @@ sub do_lib_rule
($Name=$name) =~ tr/a-z/A-Z/;
$ret.="$target: \$(${Name}OBJ)\n";
- $ret.="\t\$(RM) $target\n";
+ $ret.="\tif exist $target \$(RM) $target\n";
$ret.="\t\$(MKLIB) $target \$(${Name}OBJ)\n";
$ret.="\t\$(RANLIB) $target\n\n";
}
diff --git a/crypto/openssl/util/point.sh b/crypto/openssl/util/point.sh
index ce7dcc56dfa7..4790e08f8a61 100755
--- a/crypto/openssl/util/point.sh
+++ b/crypto/openssl/util/point.sh
@@ -1,10 +1,10 @@
#!/bin/sh
-rm -f $2
+rm -f "$2"
if test "$OSTYPE" = msdosdjgpp; then
- cp $1 $2
+ cp "$1" "$2"
else
- ln -s $1 $2
+ ln -s "$1" "$2"
fi
echo "$2 => $1"