diff options
| author | Kris Kennaway <kris@FreeBSD.org> | 2001-02-18 03:17:36 +0000 |
|---|---|---|
| committer | Kris Kennaway <kris@FreeBSD.org> | 2001-02-18 03:17:36 +0000 |
| commit | de7cdddab120ecc07d412749bfb3f191c4e0afe3 (patch) | |
| tree | 5058ee297163944bfec8dbad8c8cad174f437d82 | |
| parent | ddd58736f08d9acef3606719eba2e38ed611705b (diff) | |
| download | src-test2-de7cdddab120ecc07d412749bfb3f191c4e0afe3.tar.gz src-test2-de7cdddab120ecc07d412749bfb3f191c4e0afe3.zip | |
Notes
154 files changed, 5666 insertions, 359 deletions
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index 87853c3b29d0..5f3556cc7fb7 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -2,6 +2,142 @@ OpenSSL CHANGES _______________ + Changes between 0.9.6 and 0.9.6a [xx XXX 2001] + + *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent + Bleichenbacher's DSA attack. + [Ulf Moeller] + + *) In the NCONF_...-based implementations for CONF_... queries + (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using + a temporary CONF structure with the data component set to NULL + (which gives segmentation faults in lh_retrieve). + Instead, use NULL for the CONF pointer in CONF_get_string and + CONF_get_number (which may use environment variables) and directly + return NULL from CONF_get_section. + [Bodo Moeller] + + *) Fix potential buffer overrun for EBCDIC. + [Ulf Moeller] + + *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign + keyUsage if basicConstraints absent for a CA. + [Steve Henson] + + *) Make SMIME_write_PKCS7() write mail header values with a format that + is more generally accepted (no spaces before the semicolon), since + some programs can't parse those values properly otherwise. Also make + sure BIO's that break lines after each write do not create invalid + headers. + [Richard Levitte] + + *) Make the CRL encoding routines work with empty SEQUENCE OF. The + macros previously used would not encode an empty SEQUENCE OF + and break the signature. + [Steve Henson] + + *) Zero the premaster secret after deriving the master secret in + DH ciphersuites. + [Steve Henson] + + *) Add some EVP_add_digest_alias registrations (as found in + OpenSSL_add_all_digests()) to SSL_library_init() + aka OpenSSL_add_ssl_algorithms(). This provides improved + compatibility with peers using X.509 certificates + with unconventional AlgorithmIdentifier OIDs. + [Bodo Moeller] + + *) Fix for Irix with NO_ASM. + ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>] + + *) ./config script fixes. + [Ulf Moeller, Richard Levitte] + + *) Fix 'openssl passwd -1'. + [Bodo Moeller] + + *) Change PKCS12_key_gen_asc() so it can cope with non null + terminated strings whose length is passed in the passlen + parameter, for example from PEM callbacks. This was done + by adding an extra length parameter to asc2uni(). + [Steve Henson, reported by <oddissey@samsung.co.kr>] + + *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn + call failed, free the DSA structure. + [Bodo Moeller] + + *) Fix to uni2asc() to cope with zero length Unicode strings. + These are present in some PKCS#12 files. + [Steve Henson] + + *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c). + Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits + when writing a 32767 byte record. + [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>] + + *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c), + obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}. + + (RSA objects have a reference count access to which is protected + by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c], + so they are meant to be shared between threads.) + [Bodo Moeller, Geoff Thorpe; original patch submitted by + "Reddie, Steven" <Steven.Reddie@ca.com>] + + *) Fix a deadlock in CRYPTO_mem_leaks(). + [Bodo Moeller] + + *) rand_win.c fix for Borland C. + [Ulf Möller] + + *) BN_rshift bugfix for n == 0. + [Bodo Moeller] + + *) Store verify_result within SSL_SESSION also for client side to + avoid potential security hole. (Re-used sessions on the client side + always resulted in verify_result==X509_V_OK, not using the original + result of the server certificate verification.) + [Lutz Jaenicke] + + *) Fix ssl3_pending: If the record in s->s3->rrec is not of type + SSL3_RT_APPLICATION_DATA, return 0. + Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true. + [Bodo Moeller] + + *) Fix SSL_peek: + Both ssl2_peek and ssl3_peek, which were totally broken in earlier + releases, have been re-implemented by renaming the previous + implementations of ssl2_read and ssl3_read to ssl2_read_internal + and ssl3_read_internal, respectively, and adding 'peek' parameters + to them. The new ssl[23]_{read,peek} functions are calls to + ssl[23]_read_internal with the 'peek' flag set appropriately. + A 'peek' parameter has also been added to ssl3_read_bytes, which + does the actual work for ssl3_read_internal. + [Bodo Moeller] + + *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16. + The previous value, 12, was not always sufficient for BN_mod_exp(). + [Bodo Moeller] + + *) Fix typo in get_cert_by_subject() in by_dir.c + [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>] + + *) Fix SSL_CTX_set_read_ahead macro to actually use its argument. + + Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new + and not in SSL_clear because the latter is also used by the + accept/connect functions; previously, the settings made by + SSL_set_read_ahead would be lost during the handshake. + [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>] + + *) Correct util/mkdef.pl to be selective about disabled algorithms. + Previously, it would create entries for disableed algorithms no + matter what. + [Richard Levitte] + + *) Added several new manual pages for SSL_* function. + [Lutz Jaenicke] + Changes between 0.9.5a and 0.9.6 [24 Sep 2000] *) In ssl23_get_client_hello, generate an error message when faced diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure index 340077873d0b..27981d4494a4 100755 --- a/crypto/openssl/Configure +++ b/crypto/openssl/Configure @@ -280,8 +280,8 @@ my %table=( # # <appro@fy.chalmers.se> # -"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::", -"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::", +"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o:::::::::dlfcn:linux-shared:-fPIC", +"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o:::::::::dlfcn:linux-shared:-fPIC", "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::", "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::", @@ -297,6 +297,7 @@ my %table=( "linux-mips", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::", "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", "linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", +"linux-s390", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::", "NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", "NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", @@ -719,6 +720,10 @@ if ($shared_cflag ne "") $shared_mark2 = ".shlib."; } } +else + { + $no_shared = 1; + } #my ($bn1)=split(/\s+/,$bn_obj); #$bn1 = "" unless defined $bn1; diff --git a/crypto/openssl/LICENSE b/crypto/openssl/LICENSE index bdd5f7bdd09b..3fd259ac323d 100644 --- a/crypto/openssl/LICENSE +++ b/crypto/openssl/LICENSE @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org index c6f660954ba2..7c68e29086f4 100644 --- a/crypto/openssl/Makefile.org +++ b/crypto/openssl/Makefile.org @@ -462,7 +462,8 @@ install: all install_docs if [ -f "$$i" ]; then \ ( echo installing $$i; \ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ + (echo $$i | grep '\\.a$$' > /dev/null 2>&1) \ + && $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi \ done diff --git a/crypto/openssl/STATUS b/crypto/openssl/STATUS new file mode 100644 index 000000000000..028abb85abea --- /dev/null +++ b/crypto/openssl/STATUS @@ -0,0 +1,92 @@ + + OpenSSL STATUS Last modified at + ______________ $Date: 2000/09/24 15:42:34 $ + + DEVELOPMENT STATE + + o OpenSSL 0.9.6: Released on September 24th, 2000 + o OpenSSL 0.9.5a: Released on April 1st, 2000 + o OpenSSL 0.9.5: Released on February 28th, 2000 + o OpenSSL 0.9.4: Released on August 09th, 1999 + o OpenSSL 0.9.3a: Released on May 29th, 1999 + o OpenSSL 0.9.3: Released on May 25th, 1999 + o OpenSSL 0.9.2b: Released on March 22th, 1999 + o OpenSSL 0.9.1c: Released on December 23th, 1998 + + RELEASE SHOWSTOPPERS + + AVAILABLE PATCHES + + o CA.pl patch (Damien Miller) + + IN PROGRESS + + o Steve is currently working on (in no particular order): + ASN1 code redesign, butchery, replacement. + EVP cipher enhancement. + Proper (or at least usable) certificate chain verification. + Private key, certificate and CRL API and implementation. + Developing and bugfixing PKCS#7 (S/MIME code). + Various X509 issues: character sets, certificate request extensions. + o Geoff and Richard are currently working on: + ENGINE (the new code that gives hardware support among others). + o Richard is currently working on: + UTIL (a new set of library functions to support some higher level + functionality that is currently missing). + Dynamic thread-lock support. + Shared library support for VMS. + + NEEDS PATCH + + o non-blocking socket on AIX + o $(PERL) in */Makefile.ssl + o "Sign the certificate?" - "n" creates empty certificate file + + OPEN ISSUES + + o internal_verify doesn't know about X509.v3 (basicConstraints + CA flag ...) + + o The Makefile hierarchy and build mechanism is still not a round thing: + + 1. The config vs. Configure scripts + It's the same nasty situation as for Apache with APACI vs. + src/Configure. It confuses. + Suggestion: Merge Configure and config into a single configure + script with a Autoconf style interface ;-) and remove + Configure and config. Or even let us use GNU Autoconf + itself. Then we can avoid a lot of those platform checks + which are currently in Configure. + + o Support for Shared Libraries has to be added at least + for the major Unix platforms. The details we can rip from the stuff + Ralf has done for the Apache src/Configure script. Ben wants the + solution to be really simple. + + Status: Ralf will look how we can easily incorporate the + compiler PIC and linker DSO flags from Apache + into the OpenSSL Configure script. + + Ulf: +1 for using GNU autoconf and libtool (but not automake, + which apparently is not flexible enough to generate + libcrypto) + + + o The perl/ stuff needs a major overhaul. Currently it's + totally obsolete. Either we clean it up and enhance it to be up-to-date + with the C code or we also could replace it with the really nice + Net::SSLeay package we can find under + http://www.neuronio.pt/SSLeay.pm.html. Ralf uses this package for a + longer time and it works fine and is a nice Perl module. Best would be + to convince the author to work for the OpenSSL project and create a + Net::OpenSSL or Crypt::OpenSSL package out of it and maintains it for + us. + + Status: Ralf thinks we should both contact the author of Net::SSLeay + and look how much effort it is to bring Eric's perl/ stuff up + to date. + Paul +1 + + WISHES + + o diff --git a/crypto/openssl/TABLE b/crypto/openssl/TABLE new file mode 100644 index 000000000000..35421ceed48f --- /dev/null +++ b/crypto/openssl/TABLE @@ -0,0 +1,2301 @@ +Output of `Configure TABLE': + +*** BC-16 +$cc = bcc +$cflags = +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** BC-32 +$cc = bcc32 +$cflags = +$unistd = +$thread_cflag = +$lflags = +$bn_ops = BN_LLONG DES_PTR RC4_INDEX +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = win32 +$shared_target= +$shared_cflag = + +*** BS2000-OSD +$cc = c89 +$cflags = -O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket -lnsl +$bn_ops = THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** CygWin32 +$cc = gcc +$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$unistd = +$thread_cflag = +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = win32 +$shared_target= +$shared_cflag = + +*** FreeBSD +$cc = gcc +$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-out.o asm/co86-out.o +$des_obj = asm/dx86-out.o asm/yx86-out.o +$bf_obj = asm/bx86-out.o +$md5_obj = asm/mx86-out.o +$sha1_obj = asm/sx86-out.o +$cast_obj = asm/cx86-out.o +$rc4_obj = asm/rx86-out.o +$rmd160_obj = asm/rm86-out.o +$rc5_obj = asm/r586-out.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** FreeBSD-alpha +$cc = gcc +$cflags = -DTERMIOS -O -fomit-frame-pointer +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** FreeBSD-elf +$cc = gcc +$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** MPE/iX-gcc +$cc = gcc +$cflags = -D_ENDIAN -DBN_DIV2W -O3 -DMPE -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB +$unistd = +$thread_cflag = (unknown) +$lflags = -L/SYSLOG/PUB -lsyslog -lsocket -lcurses +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** Mingw32 +$cc = gcc +$cflags = -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$unistd = +$thread_cflag = +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = win32 +$shared_target= +$shared_cflag = + +*** NetBSD-m68 +$cc = gcc +$cflags = -DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** NetBSD-sparc +$cc = gcc +$cflags = -DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** NetBSD-x86 +$cc = gcc +$cflags = -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** OpenBSD +$cc = gcc +$cflags = -DTERMIOS -O3 -fomit-frame-pointer +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** OpenBSD-alpha +$cc = gcc +$cflags = -DTERMIOS -O3 -fomit-frame-pointer +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** OpenBSD-mips +$cc = gcc +$cflags = -O2 -DL_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** OpenBSD-x86 +$cc = gcc +$cflags = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486 +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-out.o asm/co86-out.o +$des_obj = asm/dx86-out.o asm/yx86-out.o +$bf_obj = asm/bx86-out.o +$md5_obj = asm/mx86-out.o +$sha1_obj = asm/sx86-out.o +$cast_obj = asm/cx86-out.o +$rc4_obj = asm/rx86-out.o +$rmd160_obj = asm/rm86-out.o +$rc5_obj = asm/r586-out.o +$dso_scheme = dlfcn +$shared_target= +$shared_cflag = + +*** ReliantUNIX +$cc = cc +$cflags = -KPIC -g -DSNI -DTERMIOS -DB_ENDIAN +$unistd = +$thread_cflag = -Kthread +$lflags = -lsocket -lnsl -lc -L/usr/ucblib -lucb +$bn_ops = BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** SINIX +$cc = cc +$cflags = -O -DSNI +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket -lnsl -lc -L/usr/ucblib -lucb +$bn_ops = RC4_INDEX RC4_CHAR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** SINIX-N +$cc = /usr/ucb/cc +$cflags = -O2 -misaligned +$unistd = +$thread_cflag = (unknown) +$lflags = -lucb +$bn_ops = RC4_INDEX RC4_CHAR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** VC-MSDOS +$cc = cl +$cflags = +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** VC-NT +$cc = cl +$cflags = +$unistd = +$thread_cflag = +$lflags = +$bn_ops = BN_LLONG RC4_INDEX RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = win32 +$shared_target= +$shared_cflag = + +*** VC-W31-16 +$cc = cl +$cflags = +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** VC-W31-32 +$cc = cl +$cflags = +$unistd = +$thread_cflag = +$lflags = +$bn_ops = BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** VC-WIN16 +$cc = cl +$cflags = +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** VC-WIN32 +$cc = cl +$cflags = +$unistd = +$thread_cflag = +$lflags = +$bn_ops = BN_LLONG RC4_INDEX RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = win32 +$shared_target= +$shared_cflag = + +*** aix-cc +$cc = cc +$cflags = -O -DAIX -DB_ENDIAN -qmaxmem=16384 +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG RC4_CHAR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** aix-gcc +$cc = gcc +$cflags = -O3 -DAIX -DB_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG RC4_CHAR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** alpha-cc +$cc = cc +$cflags = -std1 -tune host -O4 -readonly_strings +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= true64-shared +$shared_cflag = + +*** alpha-gcc +$cc = gcc +$cflags = -O3 +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1 +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= true64-shared +$shared_cflag = + +*** alpha164-cc +$cc = cc +$cflags = -std1 -tune host -fast -readonly_strings +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= true64-shared +$shared_cflag = + +*** bsdi-elf-gcc +$cc = gcc +$cflags = -DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** bsdi-gcc +$cc = gcc +$cflags = -O3 -ffast-math -DL_ENDIAN -DPERL5 -m486 +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = RSA_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86bsdi.o asm/co86bsdi.o +$des_obj = asm/dx86bsdi.o asm/yx86bsdi.o +$bf_obj = asm/bx86bsdi.o +$md5_obj = asm/mx86bsdi.o +$sha1_obj = asm/sx86bsdi.o +$cast_obj = asm/cx86bsdi.o +$rc4_obj = asm/rx86bsdi.o +$rmd160_obj = asm/rm86bsdi.o +$rc5_obj = asm/r586bsdi.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** cc +$cc = cc +$cflags = -O +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** cray-t3e +$cc = cc +$cflags = -DBIT_FIELD_LIMITS -DTERMIOS +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** cray-t90-cc +$cc = cc +$cflags = -DBIT_FIELD_LIMITS -DTERMIOS +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG DES_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror +$unistd = +$thread_cflag = (unknown) +$lflags = -lefence +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-ben +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-ben-debug +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-ben-strict +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-bodo +$cc = gcc +$cflags = -DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-levitte-linux-elf +$cc = gcc +$cflags = -DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= +$shared_cflag = + +*** debug-linux-elf +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lefence -ldl +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = dlfcn +$shared_target= +$shared_cflag = + +*** debug-linux-elf-noefence +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = dlfcn +$shared_target= +$shared_cflag = + +*** debug-rse +$cc = cc +$cflags = -DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-solaris-sparcv8-cc +$cc = cc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** debug-solaris-sparcv8-gcc +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** debug-solaris-sparcv9-cc +$cc = cc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8plus.o +$des_obj = +$bf_obj = +$md5_obj = asm/md5-sparcv8plus.o +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** debug-solaris-sparcv9-gcc +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8plus.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** debug-steve +$cc = gcc +$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-ulf +$cc = gcc +$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** dgux-R3-gcc +$cc = gcc +$cflags = -O3 -fomit-frame-pointer +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = RC4_INDEX DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** dgux-R4-gcc +$cc = gcc +$cflags = -O3 -fomit-frame-pointer +$unistd = +$thread_cflag = (unknown) +$lflags = -lnsl -lsocket +$bn_ops = RC4_INDEX +$bn_obj = RC4_INDEX DES_UNROLL +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** dgux-R4-x86-gcc +$cc = gcc +$cflags = -O3 -fomit-frame-pointer -DL_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = -lnsl -lsocket +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** dist +$cc = cc +$cflags = -O +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** gcc +$cc = gcc +$cflags = -O3 +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** hpux-brokencc +$cc = cc +$cflags = -DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z +$unistd = +$thread_cflag = (unknown) +$lflags = -ldld +$bn_ops = DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-brokengcc +$cc = gcc +$cflags = -DB_ENDIAN -DBN_DIV2W -O3 +$unistd = +$thread_cflag = (unknown) +$lflags = -ldld +$bn_ops = DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-cc +$cc = cc +$cflags = -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z +$unistd = +$thread_cflag = (unknown) +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-gcc +$cc = gcc +$cflags = -DB_ENDIAN -DBN_DIV2W -O3 +$unistd = +$thread_cflag = (unknown) +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-parisc-cc +$cc = cc +$cflags = +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-parisc-cc-o4 +$cc = cc +$cflags = -Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY +$unistd = +$thread_cflag = +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-parisc-gcc +$cc = gcc +$cflags = -O3 -DB_ENDIAN -DBN_DIV2W +$unistd = +$thread_cflag = +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-parisc1_1-cc +$cc = cc +$cflags = +DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-parisc2-cc +$cc = cc +$cflags = +DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT +$bn_obj = asm/pa-risc2.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux10-brokencc +$cc = cc +$cflags = -DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux10-brokengcc +$cc = gcc +$cflags = -DB_ENDIAN -DBN_DIV2W -O3 +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux10-cc +$cc = cc +$cflags = -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux10-gcc +$cc = gcc +$cflags = -DB_ENDIAN -DBN_DIV2W -O3 +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux64-parisc-cc +$cc = cc +$cflags = -Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= +$shared_cflag = + +*** hpux64-parisc2-cc +$cc = cc +$cflags = +DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT +$bn_obj = asm/pa-risc2W.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= +$shared_cflag = + +*** irix-cc +$cc = cc +$cflags = -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** irix-gcc +$cc = gcc +$cflags = -O3 -DTERMIOS -DB_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** irix-mips3-cc +$cc = cc +$cflags = -n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W +$unistd = +$thread_cflag = -D_SGI_MP_SOURCE +$lflags = +$bn_ops = DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT +$bn_obj = asm/mips3.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** irix-mips3-gcc +$cc = gcc +$cflags = -mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W +$unistd = +$thread_cflag = -D_SGI_MP_SOURCE +$lflags = +$bn_ops = MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT +$bn_obj = asm/mips3.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** irix64-mips4-cc +$cc = cc +$cflags = -64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W +$unistd = +$thread_cflag = -D_SGI_MP_SOURCE +$lflags = +$bn_ops = RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG +$bn_obj = asm/mips3.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** irix64-mips4-gcc +$cc = gcc +$cflags = -mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W +$unistd = +$thread_cflag = -D_SGI_MP_SOURCE +$lflags = +$bn_ops = RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG +$bn_obj = asm/mips3.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-alpha+bwx-ccc +$cc = ccc +$cflags = -fast -readonly_strings -DL_ENDIAN -DTERMIO +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-alpha+bwx-gcc +$cc = gcc +$cflags = -O3 -DL_ENDIAN -DTERMIO +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= linux-shared +$shared_cflag = -fPIC + +*** linux-alpha-ccc +$cc = ccc +$cflags = -fast -readonly_strings -DL_ENDIAN -DTERMIO +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-alpha-gcc +$cc = gcc +$cflags = -O3 -DL_ENDIAN -DTERMIO +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= linux-shared +$shared_cflag = -fPIC + +*** linux-aout +$cc = gcc +$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-out.o asm/co86-out.o +$des_obj = asm/dx86-out.o asm/yx86-out.o +$bf_obj = asm/bx86-out.o +$md5_obj = asm/mx86-out.o +$sha1_obj = asm/sx86-out.o +$cast_obj = asm/cx86-out.o +$rc4_obj = asm/rx86-out.o +$rmd160_obj = asm/rm86-out.o +$rc5_obj = asm/r586-out.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-elf +$cc = gcc +$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = dlfcn +$shared_target= linux-shared +$shared_cflag = -fPIC + +*** linux-elf-arm +$cc = gcc +$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= linux-shared +$shared_cflag = -fPIC + +*** linux-ia64 +$cc = gcc +$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-m68k +$cc = gcc +$cflags = -DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-mips +$cc = gcc +$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-ppc +$cc = gcc +$cflags = -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-sparcv7 +$cc = gcc +$cflags = -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-sparcv8 +$cc = gcc +$cflags = -mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-sparcv9 +$cc = gcc +$cflags = -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8plus.o +$des_obj = +$bf_obj = +$md5_obj = asm/md5-sparcv8plus.o +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** ncr-scde +$cc = cc +$cflags = -O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket -lnsl +$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** newsos4-gcc +$cc = gcc +$cflags = -O -DB_ENDIAN -DNEWS4 +$unistd = +$thread_cflag = (unknown) +$lflags = -lmld -liberty +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** nextstep +$cc = cc +$cflags = -O -Wall +$unistd = <libc.h> +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** nextstep3.3 +$cc = cc +$cflags = -O3 -Wall +$unistd = <libc.h> +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** purify +$cc = purify gcc +$cflags = -g -DPURIFY -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket -lnsl +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** qnx4 +$cc = cc +$cflags = -DL_ENDIAN -DTERMIO +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** rhapsody-ppc-cc +$cc = cc +$cflags = -O3 -DB_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** sco5-cc +$cc = cc +$cflags = +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket +$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** sco5-gcc +$cc = gcc +$cflags = -O3 -fomit-frame-pointer +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** solaris-sparc-sc3 +$cc = cc +$cflags = -fast -O -Xa -DB_ENDIAN +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** solaris-sparcv7-cc +$cc = cc +$cflags = -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** solaris-sparcv7-gcc +$cc = gcc +$cflags = -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** solaris-sparcv8-cc +$cc = cc +$cflags = -xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** solaris-sparcv8-gcc +$cc = gcc +$cflags = -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** solaris-sparcv9-cc +$cc = cc +$cflags = -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8plus.o +$des_obj = +$bf_obj = +$md5_obj = asm/md5-sparcv8plus.o +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** solaris-sparcv9-gcc +$cc = gcc +$cflags = -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8plus.o +$des_obj = +$bf_obj = +$md5_obj = asm/md5-sparcv8plus.o +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** solaris-sparcv9-gcc27 +$cc = gcc +$cflags = -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8plus-gcc27.o +$des_obj = +$bf_obj = +$md5_obj = asm/md5-sparcv8plus-gcc27.o +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** solaris-x86-gcc +$cc = gcc +$cflags = -O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-sol.o asm/co86-sol.o +$des_obj = asm/dx86-sol.o asm/yx86-sol.o +$bf_obj = asm/bx86-sol.o +$md5_obj = asm/mx86-sol.o +$sha1_obj = asm/sx86-sol.o +$cast_obj = asm/cx86-sol.o +$rc4_obj = asm/rx86-sol.o +$rmd160_obj = asm/rm86-sol.o +$rc5_obj = asm/r586-sol.o +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** solaris64-sparcv9-cc +$cc = cc +$cflags = -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = asm/md5-sparcv9.o +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** sunos-gcc +$cc = gcc +$cflags = -O3 -mv8 -Dssize_t=int +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** ultrix-cc +$cc = cc +$cflags = -std1 -O -Olimit 1000 -DL_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** ultrix-gcc +$cc = gcc +$cflags = -O3 -DL_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** unixware-2.0 +$cc = cc +$cflags = -O -DFILIO_H +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket -lnsl +$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** unixware-2.0-pentium +$cc = cc +$cflags = -O -DFILIO_H -Kpentium -Kthread +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket -lnsl +$bn_ops = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** unixware-7 +$cc = cc +$cflags = -O -DFILIO_H -Kalloca +$unistd = +$thread_cflag = -Kthread +$lflags = -lsocket -lnsl +$bn_ops = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = diff --git a/crypto/openssl/apps/app_rand.c b/crypto/openssl/apps/app_rand.c index 1146f9f7f38a..8a78e12eb732 100644 --- a/crypto/openssl/apps/app_rand.c +++ b/crypto/openssl/apps/app_rand.c @@ -177,8 +177,10 @@ long app_RAND_load_files(char *name) if (*n == '\0') break; egd=RAND_egd(n); - if (egd > 0) tot+=egd; - tot+=RAND_load_file(n,-1); + if (egd > 0) + tot+=egd; + else + tot+=RAND_load_file(n,-1); if (last) break; } if (tot > 512) diff --git a/crypto/openssl/apps/ca-cert.srl b/crypto/openssl/apps/ca-cert.srl index eeee65ec419f..2c7456e3eb66 100644 --- a/crypto/openssl/apps/ca-cert.srl +++ b/crypto/openssl/apps/ca-cert.srl @@ -1 +1 @@ -05 +07 diff --git a/crypto/openssl/apps/dsaparam.c b/crypto/openssl/apps/dsaparam.c index f861ec7b1ad8..4e8dcd3a68fd 100644 --- a/crypto/openssl/apps/dsaparam.c +++ b/crypto/openssl/apps/dsaparam.c @@ -311,7 +311,7 @@ bad: printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n", bits_p,bits_p); printf("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n"); - printf("\t\treturn(NULL);\n"); + printf("\t\t{ DSA_free(dsa); return(NULL); }\n"); printf("\treturn(dsa);\n\t}\n"); } diff --git a/crypto/openssl/apps/passwd.c b/crypto/openssl/apps/passwd.c index 6851a9927d31..533b4692d053 100644 --- a/crypto/openssl/apps/passwd.c +++ b/crypto/openssl/apps/passwd.c @@ -315,7 +315,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt) strncat(out_buf, "$", 1); strncat(out_buf, salt, 8); assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */ - salt_out = out_buf + 6; + salt_out = out_buf + 2 + strlen(magic); salt_len = strlen(salt_out); assert(salt_len <= 8); diff --git a/crypto/openssl/apps/pca-cert.srl b/crypto/openssl/apps/pca-cert.srl index 8a0f05e166aa..2c7456e3eb66 100644 --- a/crypto/openssl/apps/pca-cert.srl +++ b/crypto/openssl/apps/pca-cert.srl @@ -1 +1 @@ -01 +07 diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c index 1aab38d9d7aa..b123236beb4c 100644 --- a/crypto/openssl/apps/req.c +++ b/crypto/openssl/apps/req.c @@ -685,16 +685,15 @@ loop: if (newreq || x509) { -#ifndef NO_DSA - if (pkey->type == EVP_PKEY_DSA) - digest=EVP_dss1(); -#endif - if (pkey == NULL) { BIO_printf(bio_err,"you need to specify a private key\n"); goto end; } +#ifndef NO_DSA + if (pkey->type == EVP_PKEY_DSA) + digest=EVP_dss1(); +#endif if (req == NULL) { req=X509_REQ_new(); diff --git a/crypto/openssl/apps/rsautl.c b/crypto/openssl/apps/rsautl.c index bcb94c3d8104..de231b045654 100644 --- a/crypto/openssl/apps/rsautl.c +++ b/crypto/openssl/apps/rsautl.c @@ -55,6 +55,9 @@ * Hudson (tjh@cryptsoft.com). * */ + +#ifndef NO_RSA + #include "apps.h" #include <string.h> #include <openssl/err.h> @@ -288,3 +291,4 @@ static void usage() BIO_printf(bio_err, "-hexdump hex dump output\n"); } +#endif diff --git a/crypto/openssl/apps/server.pem b/crypto/openssl/apps/server.pem index c57b32507d0a..56248e57a3f4 100644 --- a/crypto/openssl/apps/server.pem +++ b/crypto/openssl/apps/server.pem @@ -1,17 +1,17 @@ issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) -subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit) +subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit) -----BEGIN CERTIFICATE----- -MIIB6TCCAVICAQQwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV +MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD -VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTgwNjI5MjM1MjQwWhcNMDAwNjI4 -MjM1MjQwWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG +VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0 +MjIzMTAzWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2// -Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCVvvfkGSe2GHgDFfmOua4Isjb9 -JVhImWMASiOClkZlMESDJjsszg/6+d/W+8TrbObhazpl95FivXBVucbj9dudh7AO -IZu1h1MAPlyknc9Ud816vz3FejB4qqUoaXjnlkrIgEbr/un7jSS86WOe0hRhwHkJ -FUGcPZf9ND22Etc+AQ== +Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCT0grFQeZaqYb5EYfk20XixZV4 +GmyAbXMftG1Eo7qGiMhYzRwGNWxEYojf5PZkYZXvSqZ/ZXHXa4g59jK/rJNnaVGM +k+xIX8mxQvlV0n5O9PIha5BX5teZnkHKgL8aKKLKW1BK7YTngsfSzzaeame5iKfz +itAE+OjGF+PFKbwX8Q== -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD diff --git a/crypto/openssl/certs/expired/rsa-ssca.pem b/crypto/openssl/certs/expired/rsa-ssca.pem new file mode 100644 index 000000000000..c9403212d183 --- /dev/null +++ b/crypto/openssl/certs/expired/rsa-ssca.pem @@ -0,0 +1,19 @@ +subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority +issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority +notBefore=941109235417Z +notAfter =991231235417Z +-----BEGIN X509 CERTIFICATE----- + +MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw +HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl +IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda +Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0 +YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB +roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12 +aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc +HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A +iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7 +suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h +cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk= +-----END X509 CERTIFICATE----- diff --git a/crypto/openssl/config b/crypto/openssl/config index 6a2625308efb..1f4fef13dbc1 100755 --- a/crypto/openssl/config +++ b/crypto/openssl/config @@ -168,7 +168,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in ;; NetBSD:*:*:*386*) - echo "`/usr/sbin/sysctl -n hw.model | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0 + echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0 ;; NetBSD:*) @@ -394,7 +394,7 @@ case "$GUESSOS" in mips4-sgi-irix64) echo "WARNING! If you wish to build 64-bit library, then you have to" echo " invoke './Configre irix64-mips4-$CC' *manually*." - echo " Type Ctrl-C if you don't want to continue." + echo " Type return if you want to continue, Ctrl-C to abort." read waste < /dev/tty options="$options -mips4" OUT="irix-mips3-$CC" @@ -423,11 +423,11 @@ case "$GUESSOS" in #till 64-bit glibc for SPARC is operational:-( #echo "WARNING! If you wish to build 64-bit library, then you have to" #echo " invoke './Configure linux64-sparcv9' *manually*." - #echo " Type Ctrl-C if you don't want to continue." + #echo " Type return if you want to continue, Ctrl-C to abort." #read waste < /dev/tty OUT="linux-sparcv9" ;; sparc-*-linux2) - KARCH=`awk '/type/{print$3}' /proc/cpuinfo` + KARCH=`awk '/^type/{print$3}' /proc/cpuinfo` case ${KARCH:-sun4} in sun4u*) OUT="linux-sparcv9" ;; sun4m) OUT="linux-sparcv8" ;; @@ -435,6 +435,7 @@ case "$GUESSOS" in *) OUT="linux-sparcv7" ;; esac ;; arm*-*-linux2) OUT="linux-elf-arm" ;; + s390-*-linux2) OUT="linux-s390" ;; *-*-linux2) OUT="linux-elf" ;; *-*-linux1) OUT="linux-aout" ;; sun4u*-*-solaris2) @@ -442,7 +443,7 @@ case "$GUESSOS" in if [ "$ISA64" != "" -a "$CC" = "cc" -a $CCVER -ge 50 ]; then echo "WARNING! If you wish to build 64-bit library, then you have to" echo " invoke './Configure solaris64-sparcv9-cc' *manually*." - echo " Type Ctrl-C if you don't want to continue." + echo " Type return if you want to continue, Ctrl-C to abort." read waste < /dev/tty fi OUT="solaris-sparcv9-$CC" ;; @@ -557,7 +558,7 @@ OUT="$PREFIX$OUT" $PERL ./Configure LIST | grep "$OUT" > /dev/null if [ $? = "0" ]; then - #echo Configuring for $OUT + echo Configuring for $OUT if [ "$TEST" = "true" ]; then echo $PERL ./Configure $OUT $options diff --git a/crypto/openssl/crypto/Makefile.ssl b/crypto/openssl/crypto/Makefile.ssl index 8c399bbff14a..ae761da79f84 100644 --- a/crypto/openssl/crypto/Makefile.ssl +++ b/crypto/openssl/crypto/Makefile.ssl @@ -90,7 +90,8 @@ links: lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib libs: diff --git a/crypto/openssl/crypto/asn1/Makefile.ssl b/crypto/openssl/crypto/asn1/Makefile.ssl index eae97f321d92..269af4459323 100644 --- a/crypto/openssl/crypto/asn1/Makefile.ssl +++ b/crypto/openssl/crypto/asn1/Makefile.ssl @@ -75,7 +75,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/asn1/a_strnid.c b/crypto/openssl/crypto/asn1/a_strnid.c index 6b10cff99449..732e68fe462a 100644 --- a/crypto/openssl/crypto/asn1/a_strnid.c +++ b/crypto/openssl/crypto/asn1/a_strnid.c @@ -133,7 +133,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in, if(tbl) { mask = tbl->mask; if(!(tbl->flags & STABLE_NO_MASK)) mask &= global_mask; - ret = ASN1_mbstring_ncopy(out, in, inlen, inform, tbl->mask, + ret = ASN1_mbstring_ncopy(out, in, inlen, inform, mask, tbl->minsize, tbl->maxsize); } else ret = ASN1_mbstring_copy(out, in, inlen, inform, DIRSTRING_TYPE & global_mask); if(ret <= 0) return NULL; diff --git a/crypto/openssl/crypto/asn1/asn1_mac.h b/crypto/openssl/crypto/asn1/asn1_mac.h index 4512ba6cc604..af0e664b2de0 100644 --- a/crypto/openssl/crypto/asn1/asn1_mac.h +++ b/crypto/openssl/crypto/asn1/asn1_mac.h @@ -196,6 +196,9 @@ err:\ if ((a != NULL) && (sk_##type##_num(a) != 0)) \ M_ASN1_I2D_put_SEQUENCE_type(type,a,f); +#define M_ASN1_I2D_put_SEQUENCE_opt_ex_type(type,a,f) \ + if (a) M_ASN1_I2D_put_SEQUENCE_type(type,a,f); + #define M_ASN1_D2I_get_IMP_set_opt(b,func,free_func,tag) \ if ((c.slen != 0) && \ (M_ASN1_next == \ @@ -389,6 +392,9 @@ err:\ if ((a != NULL) && (sk_##type##_num(a) != 0)) \ M_ASN1_I2D_len_SEQUENCE_type(type,a,f); +#define M_ASN1_I2D_len_SEQUENCE_opt_ex_type(type,a,f) \ + if (a) M_ASN1_I2D_len_SEQUENCE_type(type,a,f); + #define M_ASN1_I2D_len_IMP_SET(a,f,x) \ ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET); @@ -452,6 +458,15 @@ err:\ ret+=ASN1_object_size(1,v,mtag); \ } +#define M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \ + if (a)\ + { \ + v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \ + V_ASN1_UNIVERSAL, \ + IS_SEQUENCE); \ + ret+=ASN1_object_size(1,v,mtag); \ + } + /* Put Macros */ #define M_ASN1_I2D_put(a,f) f(a,&p) @@ -536,6 +551,14 @@ err:\ IS_SEQUENCE); \ } +#define M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \ + if (a) \ + { \ + ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \ + i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \ + IS_SEQUENCE); \ + } + #define M_ASN1_I2D_seq_total() \ r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \ if (pp == NULL) return(r); \ diff --git a/crypto/openssl/crypto/asn1/x_crl.c b/crypto/openssl/crypto/asn1/x_crl.c index 1f302d0e01eb..51518cdf3502 100644 --- a/crypto/openssl/crypto/asn1/x_crl.c +++ b/crypto/openssl/crypto/asn1/x_crl.c @@ -71,14 +71,14 @@ int i2d_X509_REVOKED(X509_REVOKED *a, unsigned char **pp) M_ASN1_I2D_len(a->serialNumber,i2d_ASN1_INTEGER); M_ASN1_I2D_len(a->revocationDate,i2d_ASN1_TIME); - M_ASN1_I2D_len_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_len_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION); M_ASN1_I2D_seq_total(); M_ASN1_I2D_put(a->serialNumber,i2d_ASN1_INTEGER); M_ASN1_I2D_put(a->revocationDate,i2d_ASN1_TIME); - M_ASN1_I2D_put_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_put_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION); M_ASN1_I2D_finish(); @@ -121,7 +121,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp) { M_ASN1_I2D_len(a->nextUpdate,i2d_ASN1_TIME); } M_ASN1_I2D_len_SEQUENCE_opt_type(X509_REVOKED,a->revoked, i2d_X509_REVOKED); - M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION,0, V_ASN1_SEQUENCE,v1); @@ -138,7 +138,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp) { M_ASN1_I2D_put(a->nextUpdate,i2d_ASN1_TIME); } M_ASN1_I2D_put_SEQUENCE_opt_type(X509_REVOKED,a->revoked, i2d_X509_REVOKED); - M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION,0, V_ASN1_SEQUENCE,v1); @@ -260,7 +260,7 @@ X509_CRL_INFO *X509_CRL_INFO_new(void) M_ASN1_New(ret->lastUpdate,M_ASN1_UTCTIME_new); ret->nextUpdate=NULL; M_ASN1_New(ret->revoked,sk_X509_REVOKED_new_null); - M_ASN1_New(ret->extensions,sk_X509_EXTENSION_new_null); + ret->extensions = NULL; sk_X509_REVOKED_set_cmp_func(ret->revoked,X509_REVOKED_cmp); return(ret); M_ASN1_New_Error(ASN1_F_X509_CRL_INFO_NEW); diff --git a/crypto/openssl/crypto/bf/Makefile.ssl b/crypto/openssl/crypto/bf/Makefile.ssl index adc9eec3c6ab..2d61ec50f422 100644 --- a/crypto/openssl/crypto/bf/Makefile.ssl +++ b/crypto/openssl/crypto/bf/Makefile.ssl @@ -44,7 +44,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/bio/Makefile.ssl b/crypto/openssl/crypto/bio/Makefile.ssl index af5998b102c4..00caa9f7eb17 100644 --- a/crypto/openssl/crypto/bio/Makefile.ssl +++ b/crypto/openssl/crypto/bio/Makefile.ssl @@ -49,7 +49,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/bio/b_sock.c b/crypto/openssl/crypto/bio/b_sock.c index 64310058b45f..62cc3f1a0c81 100644 --- a/crypto/openssl/crypto/bio/b_sock.c +++ b/crypto/openssl/crypto/bio/b_sock.c @@ -113,8 +113,8 @@ int BIO_get_host_ip(const char *str, unsigned char *ip) /* At this point, we have something that is most probably correct in some way, so let's init the socket. */ - if (!BIO_sock_init()) - return(0); /* don't generate another error code here */ + if (BIO_sock_init() != 1) + return 0; /* don't generate another error code here */ /* If the string actually contained an IP address, we need not do anything more */ @@ -519,15 +519,15 @@ int BIO_get_accept_socket(char *host, int bind_mode) { int ret=0; struct sockaddr_in server,client; - int s= -1,cs; + int s=INVALID_SOCKET,cs; unsigned char ip[4]; unsigned short port; - char *str,*e; + char *str=NULL,*e; const char *h,*p; unsigned long l; int err_num; - if (!BIO_sock_init()) return(INVALID_SOCKET); + if (BIO_sock_init() != 1) return(INVALID_SOCKET); if ((str=BUF_strdup(host)) == NULL) return(INVALID_SOCKET); @@ -553,7 +553,7 @@ int BIO_get_accept_socket(char *host, int bind_mode) h="*"; } - if (!BIO_get_port(p,&port)) return(INVALID_SOCKET); + if (!BIO_get_port(p,&port)) goto err; memset((char *)&server,0,sizeof(server)); server.sin_family=AF_INET; @@ -563,7 +563,7 @@ int BIO_get_accept_socket(char *host, int bind_mode) server.sin_addr.s_addr=INADDR_ANY; else { - if (!BIO_get_host_ip(h,&(ip[0]))) return(INVALID_SOCKET); + if (!BIO_get_host_ip(h,&(ip[0]))) goto err; l=(unsigned long) ((unsigned long)ip[0]<<24L)| ((unsigned long)ip[1]<<16L)| diff --git a/crypto/openssl/crypto/bn/Makefile.ssl b/crypto/openssl/crypto/bn/Makefile.ssl index 85be16a5b64c..ad36267e2698 100644 --- a/crypto/openssl/crypto/bn/Makefile.ssl +++ b/crypto/openssl/crypto/bn/Makefile.ssl @@ -68,7 +68,8 @@ bnbug: bnbug.c ../../libcrypto.a top lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/bn/asm/pa-risc2.s b/crypto/openssl/crypto/bn/asm/pa-risc2.s index 7239aa2c7629..af9730d06215 100644 --- a/crypto/openssl/crypto/bn/asm/pa-risc2.s +++ b/crypto/openssl/crypto/bn/asm/pa-risc2.s @@ -1611,7 +1611,7 @@ bn_mul_comba4 .IMPORT $global$,DATA .SPACE $TEXT$ .SUBSPA $CODE$ - .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16 + .SUBSPA $LIT$,ACCESS=0x2c C$7 .ALIGN 8 .STRINGZ "Division would overflow (%d)\n" diff --git a/crypto/openssl/crypto/bn/asm/pa-risc2W.s b/crypto/openssl/crypto/bn/asm/pa-risc2W.s index 54b6606252ea..a99545754d18 100644 --- a/crypto/openssl/crypto/bn/asm/pa-risc2W.s +++ b/crypto/openssl/crypto/bn/asm/pa-risc2W.s @@ -1598,7 +1598,7 @@ bn_mul_comba4 .IMPORT $global$,DATA .SPACE $TEXT$ .SUBSPA $CODE$ - .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16 + .SUBSPA $LIT$,ACCESS=0x2c C$4 .ALIGN 8 .STRINGZ "Division would overflow (%d)\n" diff --git a/crypto/openssl/crypto/bn/bn.h b/crypto/openssl/crypto/bn/bn.h index 1eb8395b25c3..ef1cfb0259b9 100644 --- a/crypto/openssl/crypto/bn/bn.h +++ b/crypto/openssl/crypto/bn/bn.h @@ -239,7 +239,7 @@ typedef struct bignum_st } BIGNUM; /* Used for temp variables */ -#define BN_CTX_NUM 12 +#define BN_CTX_NUM 16 #define BN_CTX_NUM_POS 12 typedef struct bignum_ctx { @@ -328,6 +328,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx); void BN_CTX_end(BN_CTX *ctx); int BN_rand(BIGNUM *rnd, int bits, int top,int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom); +int BN_rand_range(BIGNUM *rnd, BIGNUM *range); int BN_num_bits(const BIGNUM *a); int BN_num_bits_word(BN_ULONG); BIGNUM *BN_new(void); @@ -493,16 +494,19 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num); #define BN_F_BN_MPI2BN 112 #define BN_F_BN_NEW 113 #define BN_F_BN_RAND 114 +#define BN_F_BN_RAND_RANGE 122 #define BN_F_BN_USUB 115 /* Reason codes. */ #define BN_R_ARG2_LT_ARG3 100 #define BN_R_BAD_RECIPROCAL 101 +#define BN_R_BIGNUM_TOO_LONG 114 #define BN_R_CALLED_WITH_EVEN_MODULUS 102 #define BN_R_DIV_BY_ZERO 103 #define BN_R_ENCODING_ERROR 104 #define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 105 #define BN_R_INVALID_LENGTH 106 +#define BN_R_INVALID_RANGE 115 #define BN_R_NOT_INITIALIZED 107 #define BN_R_NO_INVERSE 108 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109 diff --git a/crypto/openssl/crypto/bn/bn_div.c b/crypto/openssl/crypto/bn/bn_div.c index c3772c243be5..891b6026311c 100644 --- a/crypto/openssl/crypto/bn/bn_div.c +++ b/crypto/openssl/crypto/bn/bn_div.c @@ -180,13 +180,13 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, BN_CTX_start(ctx); tmp=BN_CTX_get(ctx); - tmp->neg=0; snum=BN_CTX_get(ctx); sdiv=BN_CTX_get(ctx); if (dv == NULL) res=BN_CTX_get(ctx); else res=dv; - if (res == NULL) goto err; + if (sdiv==NULL || res == NULL) goto err; + tmp->neg=0; /* First we normalise the numbers */ norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2); @@ -237,7 +237,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, for (i=0; i<loop-1; i++) { BN_ULONG q,l0; -#ifdef BN_DIV3W +#if defined(BN_DIV3W) && !defined(NO_ASM) q=bn_div_3_words(wnump,d1,d0); #else BN_ULONG n0,n1,rem=0; diff --git a/crypto/openssl/crypto/bn/bn_err.c b/crypto/openssl/crypto/bn/bn_err.c index 86550c4c21d5..adc6a214fc6e 100644 --- a/crypto/openssl/crypto/bn/bn_err.c +++ b/crypto/openssl/crypto/bn/bn_err.c @@ -84,6 +84,7 @@ static ERR_STRING_DATA BN_str_functs[]= {ERR_PACK(0,BN_F_BN_MPI2BN,0), "BN_mpi2bn"}, {ERR_PACK(0,BN_F_BN_NEW,0), "BN_new"}, {ERR_PACK(0,BN_F_BN_RAND,0), "BN_rand"}, +{ERR_PACK(0,BN_F_BN_RAND_RANGE,0), "BN_rand_range"}, {ERR_PACK(0,BN_F_BN_USUB,0), "BN_usub"}, {0,NULL} }; @@ -92,11 +93,13 @@ static ERR_STRING_DATA BN_str_reasons[]= { {BN_R_ARG2_LT_ARG3 ,"arg2 lt arg3"}, {BN_R_BAD_RECIPROCAL ,"bad reciprocal"}, +{BN_R_BIGNUM_TOO_LONG ,"bignum too long"}, {BN_R_CALLED_WITH_EVEN_MODULUS ,"called with even modulus"}, {BN_R_DIV_BY_ZERO ,"div by zero"}, {BN_R_ENCODING_ERROR ,"encoding error"}, {BN_R_EXPAND_ON_STATIC_BIGNUM_DATA ,"expand on static bignum data"}, {BN_R_INVALID_LENGTH ,"invalid length"}, +{BN_R_INVALID_RANGE ,"invalid range"}, {BN_R_NOT_INITIALIZED ,"not initialized"}, {BN_R_NO_INVERSE ,"no inverse"}, {BN_R_TOO_MANY_TEMPORARY_VARIABLES ,"too many temporary variables"}, diff --git a/crypto/openssl/crypto/bn/bn_lib.c b/crypto/openssl/crypto/bn/bn_lib.c index b6b0ce4b3c9f..7767d6517022 100644 --- a/crypto/openssl/crypto/bn/bn_lib.c +++ b/crypto/openssl/crypto/bn/bn_lib.c @@ -62,6 +62,7 @@ #endif #include <assert.h> +#include <limits.h> #include <stdio.h> #include "cryptlib.h" #include "bn_lcl.h" @@ -319,6 +320,12 @@ BIGNUM *bn_expand2(BIGNUM *b, int words) if (words > b->dmax) { + if (words > (INT_MAX/(4*BN_BITS2))) + { + BNerr(BN_F_BN_EXPAND2,BN_R_BIGNUM_TOO_LONG); + return NULL; + } + bn_check_top(b); if (BN_get_flags(b,BN_FLG_STATIC_DATA)) { diff --git a/crypto/openssl/crypto/bn/bn_rand.c b/crypto/openssl/crypto/bn/bn_rand.c index 21ecbc04ed0a..224a0ff7a2c3 100644 --- a/crypto/openssl/crypto/bn/bn_rand.c +++ b/crypto/openssl/crypto/bn/bn_rand.c @@ -140,3 +140,55 @@ int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) { return bnrand(1, rnd, bits, top, bottom); } + +/* random number r: 0 <= r < range */ +int BN_rand_range(BIGNUM *r, BIGNUM *range) + { + int n; + + if (range->neg || BN_is_zero(range)) + { + BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE); + return 0; + } + + n = BN_num_bits(range); /* n > 0 */ + + if (n == 1) + { + if (!BN_zero(r)) return 0; + } + else if (BN_is_bit_set(range, n - 2)) + { + do + { + /* range = 11..._2, so each iteration succeeds with probability >= .75 */ + if (!BN_rand(r, n, 0, 0)) return 0; + } + while (BN_cmp(r, range) >= 0); + } + else + { + /* range = 10..._2, + * so 3*range (= 11..._2) is exactly one bit longer than range */ + do + { + if (!BN_rand(r, n + 1, 0, 0)) return 0; + /* If r < 3*range, use r := r MOD range + * (which is either r, r - range, or r - 2*range). + * Otherwise, iterate once more. + * Since 3*range = 11..._2, each iteration succeeds with + * probability >= .75. */ + if (BN_cmp(r ,range) >= 0) + { + if (!BN_sub(r, r, range)) return 0; + if (BN_cmp(r, range) >= 0) + if (!BN_sub(r, r, range)) return 0; + } + } + while (BN_cmp(r, range) >= 0); + } + + return 1; + } + diff --git a/crypto/openssl/crypto/bn/bn_shift.c b/crypto/openssl/crypto/bn/bn_shift.c index 0883247384e9..c2608f9f4a90 100644 --- a/crypto/openssl/crypto/bn/bn_shift.c +++ b/crypto/openssl/crypto/bn/bn_shift.c @@ -172,6 +172,11 @@ int BN_rshift(BIGNUM *r, BIGNUM *a, int n) r->neg=a->neg; if (bn_wexpand(r,a->top-nw+1) == NULL) return(0); } + else + { + if (n == 0) + return 1; /* or the copying loop will go berserk */ + } f= &(a->d[nw]); t=r->d; diff --git a/crypto/openssl/crypto/bn/bntest.c b/crypto/openssl/crypto/bn/bntest.c index 0a97af69c586..c9801dc01614 100644 --- a/crypto/openssl/crypto/bn/bntest.c +++ b/crypto/openssl/crypto/bn/bntest.c @@ -107,11 +107,9 @@ static const char rnd_seed[] = "string to make the random number generator think static void message(BIO *out, char *m) { fprintf(stderr, "test %s\n", m); -#if defined(linux) || defined(__FreeBSD__) /* can we use GNU bc features? */ BIO_puts(out, "print \"test "); BIO_puts(out, m); BIO_puts(out, "\\n\"\n"); -#endif } int main(int argc, char *argv[]) diff --git a/crypto/openssl/crypto/buffer/Makefile.ssl b/crypto/openssl/crypto/buffer/Makefile.ssl index 4e11038c8b12..c088ec6b3c76 100644 --- a/crypto/openssl/crypto/buffer/Makefile.ssl +++ b/crypto/openssl/crypto/buffer/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/cast/Makefile.ssl b/crypto/openssl/crypto/cast/Makefile.ssl index afba084e8bbf..0aa1cbc55a29 100644 --- a/crypto/openssl/crypto/cast/Makefile.ssl +++ b/crypto/openssl/crypto/cast/Makefile.ssl @@ -47,7 +47,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/comp/Makefile.ssl b/crypto/openssl/crypto/comp/Makefile.ssl index 3064df244798..ba705c2a1c3c 100644 --- a/crypto/openssl/crypto/comp/Makefile.ssl +++ b/crypto/openssl/crypto/comp/Makefile.ssl @@ -42,7 +42,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/conf/Makefile.ssl b/crypto/openssl/crypto/conf/Makefile.ssl index ea82d467270e..a96212252a0b 100644 --- a/crypto/openssl/crypto/conf/Makefile.ssl +++ b/crypto/openssl/crypto/conf/Makefile.ssl @@ -40,7 +40,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/conf/conf.h b/crypto/openssl/crypto/conf/conf.h index 2f70634455b9..cd40a0db215a 100644 --- a/crypto/openssl/crypto/conf/conf.h +++ b/crypto/openssl/crypto/conf/conf.h @@ -167,6 +167,8 @@ int NCONF_dump_bio(CONF *conf, BIO *out); #define CONF_R_MISSING_EQUAL_SIGN 101 #define CONF_R_NO_CLOSE_BRACE 102 #define CONF_R_NO_CONF 105 +#define CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE 106 +#define CONF_R_NO_SECTION 107 #define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 103 #define CONF_R_VARIABLE_HAS_NO_VALUE 104 diff --git a/crypto/openssl/crypto/conf/conf_err.c b/crypto/openssl/crypto/conf/conf_err.c index 06d3163573c2..8c2bc6f1c4cb 100644 --- a/crypto/openssl/crypto/conf/conf_err.c +++ b/crypto/openssl/crypto/conf/conf_err.c @@ -87,6 +87,8 @@ static ERR_STRING_DATA CONF_str_reasons[]= {CONF_R_MISSING_EQUAL_SIGN ,"missing equal sign"}, {CONF_R_NO_CLOSE_BRACE ,"no close brace"}, {CONF_R_NO_CONF ,"no conf"}, +{CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE ,"no conf or environment variable"}, +{CONF_R_NO_SECTION ,"no section"}, {CONF_R_UNABLE_TO_CREATE_NEW_SECTION ,"unable to create new section"}, {CONF_R_VARIABLE_HAS_NO_VALUE ,"variable has no value"}, {0,NULL} diff --git a/crypto/openssl/crypto/conf/conf_lib.c b/crypto/openssl/crypto/conf/conf_lib.c index 4c8ca9e9ae4f..11ec6397324d 100644 --- a/crypto/openssl/crypto/conf/conf_lib.c +++ b/crypto/openssl/crypto/conf/conf_lib.c @@ -131,38 +131,59 @@ LHASH *CONF_load_bio(LHASH *conf, BIO *bp,long *eline) STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,char *section) { - CONF ctmp; + if (conf == NULL) + { + return NULL; + } + else + { + CONF ctmp; - if (default_CONF_method == NULL) - default_CONF_method = NCONF_default(); + if (default_CONF_method == NULL) + default_CONF_method = NCONF_default(); - default_CONF_method->init(&ctmp); - ctmp.data = conf; - return NCONF_get_section(&ctmp, section); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_section(&ctmp, section); + } } char *CONF_get_string(LHASH *conf,char *group,char *name) { - CONF ctmp; + if (conf == NULL) + { + return NCONF_get_string(NULL, group, name); + } + else + { + CONF ctmp; - if (default_CONF_method == NULL) - default_CONF_method = NCONF_default(); + if (default_CONF_method == NULL) + default_CONF_method = NCONF_default(); - default_CONF_method->init(&ctmp); - ctmp.data = conf; - return NCONF_get_string(&ctmp, group, name); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_string(&ctmp, group, name); + } } long CONF_get_number(LHASH *conf,char *group,char *name) { - CONF ctmp; + if (conf == NULL) + { + return NCONF_get_number(NULL, group, name); + } + else + { + CONF ctmp; - if (default_CONF_method == NULL) - default_CONF_method = NCONF_default(); + if (default_CONF_method == NULL) + default_CONF_method = NCONF_default(); - default_CONF_method->init(&ctmp); - ctmp.data = conf; - return NCONF_get_number(&ctmp, group, name); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_number(&ctmp, group, name); + } } void CONF_free(LHASH *conf) @@ -299,27 +320,46 @@ STACK_OF(CONF_VALUE) *NCONF_get_section(CONF *conf,char *section) return NULL; } + if (section == NULL) + { + CONFerr(CONF_F_NCONF_GET_SECTION,CONF_R_NO_SECTION); + return NULL; + } + return _CONF_get_section_values(conf, section); } char *NCONF_get_string(CONF *conf,char *group,char *name) { + char *s = _CONF_get_string(conf, group, name); + + /* Since we may get a value from an environment variable even + if conf is NULL, let's check the value first */ + if (s) return s; + if (conf == NULL) { - CONFerr(CONF_F_NCONF_GET_STRING,CONF_R_NO_CONF); + CONFerr(CONF_F_NCONF_GET_STRING, + CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE); return NULL; } - - return _CONF_get_string(conf, group, name); + return NULL; } long NCONF_get_number(CONF *conf,char *group,char *name) { +#if 0 /* As with _CONF_get_string(), we rely on the possibility of finding + an environment variable with a suitable name. Unfortunately, there's + no way with the current API to see if we found one or not... + The meaning of this is that if a number is not found anywhere, it + will always default to 0. */ if (conf == NULL) { - CONFerr(CONF_F_NCONF_GET_NUMBER,CONF_R_NO_CONF); + CONFerr(CONF_F_NCONF_GET_NUMBER, + CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE); return 0; } +#endif return _CONF_get_number(conf, group, name); } diff --git a/crypto/openssl/crypto/des/Makefile.ssl b/crypto/openssl/crypto/des/Makefile.ssl index b3cfe3dab6ba..28e58f4207ff 100644 --- a/crypto/openssl/crypto/des/Makefile.ssl +++ b/crypto/openssl/crypto/des/Makefile.ssl @@ -57,7 +57,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib des: des.o cbc3_enc.o lib diff --git a/crypto/openssl/crypto/dh/Makefile.ssl b/crypto/openssl/crypto/dh/Makefile.ssl index 30f1b8029030..ccee00eeca2c 100644 --- a/crypto/openssl/crypto/dh/Makefile.ssl +++ b/crypto/openssl/crypto/dh/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/dsa/Makefile.ssl b/crypto/openssl/crypto/dsa/Makefile.ssl index 5df3b1cc43b8..1dfdb2d76922 100644 --- a/crypto/openssl/crypto/dsa/Makefile.ssl +++ b/crypto/openssl/crypto/dsa/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/dsa/dsa_ossl.c b/crypto/openssl/crypto/dsa/dsa_ossl.c index 094356518f2e..428357233057 100644 --- a/crypto/openssl/crypto/dsa/dsa_ossl.c +++ b/crypto/openssl/crypto/dsa/dsa_ossl.c @@ -179,13 +179,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) kinv=NULL; /* Get random k */ - for (;;) - { - if (!BN_rand(&k, BN_num_bits(dsa->q), 0, 0)) goto err; - if (BN_cmp(&k,dsa->q) >= 0) - BN_sub(&k,&k,dsa->q); - if (!BN_is_zero(&k)) break; - } + do + if (!BN_rand_range(&k, dsa->q)) goto err; + while (BN_is_zero(&k)); if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P)) { diff --git a/crypto/openssl/crypto/dso/Makefile.ssl b/crypto/openssl/crypto/dso/Makefile.ssl index effc46d2dc94..33630e0bbb25 100644 --- a/crypto/openssl/crypto/dso/Makefile.ssl +++ b/crypto/openssl/crypto/dso/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/dso/dso_dl.c b/crypto/openssl/crypto/dso/dso_dl.c index 69810fc3bb93..f661ec5bfb39 100644 --- a/crypto/openssl/crypto/dso/dso_dl.c +++ b/crypto/openssl/crypto/dso/dso_dl.c @@ -187,7 +187,7 @@ static void *dl_bind_var(DSO *dso, const char *symname) DSOerr(DSO_F_DL_BIND_VAR,DSO_R_NULL_HANDLE); return(NULL); } - if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0) + if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0) { DSOerr(DSO_F_DL_BIND_VAR,DSO_R_SYM_FAILURE); return(NULL); @@ -216,7 +216,7 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname) DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_NULL_HANDLE); return(NULL); } - if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0) + if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0) { DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_SYM_FAILURE); return(NULL); diff --git a/crypto/openssl/crypto/err/Makefile.ssl b/crypto/openssl/crypto/err/Makefile.ssl index d001895cb676..42b9faa559f1 100644 --- a/crypto/openssl/crypto/err/Makefile.ssl +++ b/crypto/openssl/crypto/err/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/evp/Makefile.ssl b/crypto/openssl/crypto/evp/Makefile.ssl index 747051e4f13b..fb9945db1684 100644 --- a/crypto/openssl/crypto/evp/Makefile.ssl +++ b/crypto/openssl/crypto/evp/Makefile.ssl @@ -58,7 +58,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/evp/evp.h b/crypto/openssl/crypto/evp/evp.h index f5b938d2f848..cdf5f3cf8942 100644 --- a/crypto/openssl/crypto/evp/evp.h +++ b/crypto/openssl/crypto/evp/evp.h @@ -463,12 +463,20 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md, int en_de); +#ifndef NO_RSA #define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\ (char *)(rsa)) +#endif + +#ifndef NO_DSA #define EVP_PKEY_assign_DSA(pkey,dsa) EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\ (char *)(dsa)) +#endif + +#ifndef NO_DH #define EVP_PKEY_assign_DH(pkey,dh) EVP_PKEY_assign((pkey),EVP_PKEY_DH,\ (char *)(dh)) +#endif /* Add some extra combinations */ #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a)) @@ -612,17 +620,29 @@ void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,unsigned char *k, #endif EVP_MD *EVP_md_null(void); +#ifndef NO_MD2 EVP_MD *EVP_md2(void); +#endif +#ifndef NO_MD4 EVP_MD *EVP_md4(void); +#endif +#ifndef NO_MD5 EVP_MD *EVP_md5(void); +#endif +#ifndef NO_SHA EVP_MD *EVP_sha(void); EVP_MD *EVP_sha1(void); EVP_MD *EVP_dss(void); EVP_MD *EVP_dss1(void); +#endif +#ifndef NO_MDC2 EVP_MD *EVP_mdc2(void); +#endif +#ifndef NO_RIPEMD EVP_MD *EVP_ripemd160(void); - +#endif EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */ +#ifndef NO_DES EVP_CIPHER *EVP_des_ecb(void); EVP_CIPHER *EVP_des_ede(void); EVP_CIPHER *EVP_des_ede3(void); @@ -636,31 +656,43 @@ EVP_CIPHER *EVP_des_cbc(void); EVP_CIPHER *EVP_des_ede_cbc(void); EVP_CIPHER *EVP_des_ede3_cbc(void); EVP_CIPHER *EVP_desx_cbc(void); +#endif +#ifndef NO_RC4 EVP_CIPHER *EVP_rc4(void); EVP_CIPHER *EVP_rc4_40(void); +#endif +#ifndef NO_IDEA EVP_CIPHER *EVP_idea_ecb(void); EVP_CIPHER *EVP_idea_cfb(void); EVP_CIPHER *EVP_idea_ofb(void); EVP_CIPHER *EVP_idea_cbc(void); +#endif +#ifndef NO_RC2 EVP_CIPHER *EVP_rc2_ecb(void); EVP_CIPHER *EVP_rc2_cbc(void); EVP_CIPHER *EVP_rc2_40_cbc(void); EVP_CIPHER *EVP_rc2_64_cbc(void); EVP_CIPHER *EVP_rc2_cfb(void); EVP_CIPHER *EVP_rc2_ofb(void); +#endif +#ifndef NO_BF EVP_CIPHER *EVP_bf_ecb(void); EVP_CIPHER *EVP_bf_cbc(void); EVP_CIPHER *EVP_bf_cfb(void); EVP_CIPHER *EVP_bf_ofb(void); +#endif +#ifndef NO_CAST EVP_CIPHER *EVP_cast5_ecb(void); EVP_CIPHER *EVP_cast5_cbc(void); EVP_CIPHER *EVP_cast5_cfb(void); EVP_CIPHER *EVP_cast5_ofb(void); +#endif +#ifndef NO_RC5 EVP_CIPHER *EVP_rc5_32_12_16_cbc(void); EVP_CIPHER *EVP_rc5_32_12_16_ecb(void); EVP_CIPHER *EVP_rc5_32_12_16_cfb(void); EVP_CIPHER *EVP_rc5_32_12_16_ofb(void); - +#endif void OpenSSL_add_all_algorithms(void); void OpenSSL_add_all_ciphers(void); void OpenSSL_add_all_digests(void); diff --git a/crypto/openssl/crypto/ex_data.c b/crypto/openssl/crypto/ex_data.c index 1ee88da2a83b..739e543d782c 100644 --- a/crypto/openssl/crypto/ex_data.c +++ b/crypto/openssl/crypto/ex_data.c @@ -101,7 +101,7 @@ int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long ret=idx; err: MemCheck_on(); - return(idx); + return(ret); } int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val) diff --git a/crypto/openssl/crypto/hmac/Makefile.ssl b/crypto/openssl/crypto/hmac/Makefile.ssl index 430eab4c9a15..ed3c8c64d1ca 100644 --- a/crypto/openssl/crypto/hmac/Makefile.ssl +++ b/crypto/openssl/crypto/hmac/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/idea/Makefile.ssl b/crypto/openssl/crypto/idea/Makefile.ssl index 3bd3e53ef4f4..d29bcd687460 100644 --- a/crypto/openssl/crypto/idea/Makefile.ssl +++ b/crypto/openssl/crypto/idea/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/lhash/Makefile.ssl b/crypto/openssl/crypto/lhash/Makefile.ssl index d7a51db3ee6c..60bb6b12e406 100644 --- a/crypto/openssl/crypto/lhash/Makefile.ssl +++ b/crypto/openssl/crypto/lhash/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/md2/Makefile.ssl b/crypto/openssl/crypto/md2/Makefile.ssl index c25ab74a3816..8b382c35ff44 100644 --- a/crypto/openssl/crypto/md2/Makefile.ssl +++ b/crypto/openssl/crypto/md2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/md4/Makefile.ssl b/crypto/openssl/crypto/md4/Makefile.ssl index 5341bf5b4632..bc38badb0a2b 100644 --- a/crypto/openssl/crypto/md4/Makefile.ssl +++ b/crypto/openssl/crypto/md4/Makefile.ssl @@ -40,7 +40,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/md5/Makefile.ssl b/crypto/openssl/crypto/md5/Makefile.ssl index 92ffc0b502d5..e5ec4a21ae33 100644 --- a/crypto/openssl/crypto/md5/Makefile.ssl +++ b/crypto/openssl/crypto/md5/Makefile.ssl @@ -50,7 +50,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/mdc2/Makefile.ssl b/crypto/openssl/crypto/mdc2/Makefile.ssl index a50de0f42a67..4b1b3e36961a 100644 --- a/crypto/openssl/crypto/mdc2/Makefile.ssl +++ b/crypto/openssl/crypto/mdc2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/mem_dbg.c b/crypto/openssl/crypto/mem_dbg.c index 866c53e73a92..ddf4be28caa8 100644 --- a/crypto/openssl/crypto/mem_dbg.c +++ b/crypto/openssl/crypto/mem_dbg.c @@ -671,7 +671,15 @@ void CRYPTO_mem_leaks(BIO *b) * void_fn_to_char kludge in CRYPTO_mem_leaks_cb. * Otherwise the code police will come and get us.) */ + int old_mh_mode; + CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); + + /* avoid deadlock when lh_free() uses CRYPTO_dbg_free(), + * which uses CRYPTO_is_mem_check_on */ + old_mh_mode = mh_mode; + mh_mode = CRYPTO_MEM_CHECK_OFF; + if (mh != NULL) { lh_free(mh); @@ -685,6 +693,8 @@ void CRYPTO_mem_leaks(BIO *b) amih = NULL; } } + + mh_mode = old_mh_mode; CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC); } MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ diff --git a/crypto/openssl/crypto/objects/Makefile.ssl b/crypto/openssl/crypto/objects/Makefile.ssl index 47fdc34eec53..1b43d8027b84 100644 --- a/crypto/openssl/crypto/objects/Makefile.ssl +++ b/crypto/openssl/crypto/objects/Makefile.ssl @@ -39,7 +39,8 @@ all: obj_dat.h lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index 71b53efd5187..4c644abe4400 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090600fL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6 24 Sep 2000" +#define OPENSSL_VERSION_NUMBER 0x00906010L +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a-dev XX xxx XXXX" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl/crypto/pem/Makefile.ssl b/crypto/openssl/crypto/pem/Makefile.ssl index ed8910921883..111dbc1ae460 100644 --- a/crypto/openssl/crypto/pem/Makefile.ssl +++ b/crypto/openssl/crypto/pem/Makefile.ssl @@ -40,7 +40,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/pem/pem_info.c b/crypto/openssl/crypto/pem/pem_info.c index 1c5c6dea000e..f1694f112531 100644 --- a/crypto/openssl/crypto/pem/pem_info.c +++ b/crypto/openssl/crypto/pem/pem_info.c @@ -305,7 +305,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc, { if ( (xi->enc_data!=NULL) && (xi->enc_len>0) ) { - /* copy from wierdo names into more normal things */ + /* copy from weirdo names into more normal things */ iv=xi->enc_cipher.iv; data=(unsigned char *)xi->enc_data; i=xi->enc_len; diff --git a/crypto/openssl/crypto/pkcs12/Makefile.ssl b/crypto/openssl/crypto/pkcs12/Makefile.ssl index 8f42d3044dfb..c92dd276398c 100644 --- a/crypto/openssl/crypto/pkcs12/Makefile.ssl +++ b/crypto/openssl/crypto/pkcs12/Makefile.ssl @@ -45,7 +45,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/pkcs12/p12_attr.c b/crypto/openssl/crypto/pkcs12/p12_attr.c index f1a210b5d274..a16a97d03dff 100644 --- a/crypto/openssl/crypto/pkcs12/p12_attr.c +++ b/crypto/openssl/crypto/pkcs12/p12_attr.c @@ -151,7 +151,7 @@ int PKCS12_add_friendlyname_asc (PKCS12_SAFEBAG *bag, const char *name, { unsigned char *uniname; int ret, unilen; - if (!asc2uni(name, &uniname, &unilen)) { + if (!asc2uni(name, namelen, &uniname, &unilen)) { PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC, ERR_R_MALLOC_FAILURE); return 0; diff --git a/crypto/openssl/crypto/pkcs12/p12_key.c b/crypto/openssl/crypto/pkcs12/p12_key.c index b042dcf05c95..a9b4b8c9721e 100644 --- a/crypto/openssl/crypto/pkcs12/p12_key.c +++ b/crypto/openssl/crypto/pkcs12/p12_key.c @@ -84,7 +84,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, if(!pass) { unipass = NULL; uniplen = 0; - } else if (!asc2uni(pass, &unipass, &uniplen)) { + } else if (!asc2uni(pass, passlen, &unipass, &uniplen)) { PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE); return 0; } diff --git a/crypto/openssl/crypto/pkcs12/p12_utl.c b/crypto/openssl/crypto/pkcs12/p12_utl.c index 17f41b45496b..2f1d1e534fc8 100644 --- a/crypto/openssl/crypto/pkcs12/p12_utl.c +++ b/crypto/openssl/crypto/pkcs12/p12_utl.c @@ -62,30 +62,34 @@ /* Cheap and nasty Unicode stuff */ -unsigned char *asc2uni (const char *asc, unsigned char **uni, int *unilen) +unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen) { int ulen, i; unsigned char *unitmp; - ulen = strlen(asc)*2 + 2; - if (!(unitmp = OPENSSL_malloc (ulen))) return NULL; - for (i = 0; i < ulen; i+=2) { + if (asclen == -1) asclen = strlen(asc); + ulen = asclen*2 + 2; + if (!(unitmp = OPENSSL_malloc(ulen))) return NULL; + for (i = 0; i < ulen - 2; i+=2) { unitmp[i] = 0; unitmp[i + 1] = asc[i>>1]; } + /* Make result double null terminated */ + unitmp[ulen - 2] = 0; + unitmp[ulen - 1] = 0; if (unilen) *unilen = ulen; if (uni) *uni = unitmp; return unitmp; } -char *uni2asc (unsigned char *uni, int unilen) +char *uni2asc(unsigned char *uni, int unilen) { int asclen, i; char *asctmp; asclen = unilen / 2; /* If no terminating zero allow for one */ - if (uni[unilen - 1]) asclen++; + if (!unilen || uni[unilen - 1]) asclen++; uni++; - if (!(asctmp = OPENSSL_malloc (asclen))) return NULL; + if (!(asctmp = OPENSSL_malloc(asclen))) return NULL; for (i = 0; i < unilen; i+=2) asctmp[i>>1] = uni[i]; asctmp[asclen - 1] = 0; return asctmp; diff --git a/crypto/openssl/crypto/pkcs12/pkcs12.h b/crypto/openssl/crypto/pkcs12/pkcs12.h index 502fceff954a..e529154f2634 100644 --- a/crypto/openssl/crypto/pkcs12/pkcs12.h +++ b/crypto/openssl/crypto/pkcs12/pkcs12.h @@ -247,7 +247,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, EVP_MD *md_type); int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, EVP_MD *md_type); -unsigned char *asc2uni(const char *asc, unsigned char **uni, int *unilen); +unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen); char *uni2asc(unsigned char *uni, int unilen); int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **pp); PKCS12_BAGS *PKCS12_BAGS_new(void); diff --git a/crypto/openssl/crypto/pkcs7/Makefile.ssl b/crypto/openssl/crypto/pkcs7/Makefile.ssl index 1757fc39ac78..5e8a6808d357 100644 --- a/crypto/openssl/crypto/pkcs7/Makefile.ssl +++ b/crypto/openssl/crypto/pkcs7/Makefile.ssl @@ -58,7 +58,8 @@ verify: verify.o example.o lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/pkcs7/pk7_mime.c b/crypto/openssl/crypto/pkcs7/pk7_mime.c index 994473c0bd3d..086d39427012 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_mime.c +++ b/crypto/openssl/crypto/pkcs7/pk7_mime.c @@ -165,9 +165,9 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) } bound[32] = 0; BIO_printf(bio, "MIME-Version: 1.0\n"); - BIO_printf(bio, "Content-Type: multipart/signed ; "); - BIO_printf(bio, "protocol=\"application/x-pkcs7-signature\" ; "); - BIO_printf(bio, "micalg=sha1 ; boundary=\"----%s\"\n\n", bound); + BIO_printf(bio, "Content-Type: multipart/signed;"); + BIO_printf(bio, " protocol=\"application/x-pkcs7-signature\";"); + BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"\n\n", bound); BIO_printf(bio, "This is an S/MIME signed message\n\n"); /* Now write out the first part */ BIO_printf(bio, "------%s\n", bound); diff --git a/crypto/openssl/crypto/rand/Makefile.ssl b/crypto/openssl/crypto/rand/Makefile.ssl index b3054dc166c9..e9a6876b5a74 100644 --- a/crypto/openssl/crypto/rand/Makefile.ssl +++ b/crypto/openssl/crypto/rand/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/rand/rand_win.c b/crypto/openssl/crypto/rand/rand_win.c index 9f2dcff9a92b..8850b9ae916c 100644 --- a/crypto/openssl/crypto/rand/rand_win.c +++ b/crypto/openssl/crypto/rand/rand_win.c @@ -570,7 +570,7 @@ static void readtimer(void) DWORD w; LARGE_INTEGER l; static int have_perfc = 1; -#ifndef __GNUC__ +#ifdef _MSC_VER static int have_tsc = 1; DWORD cyclecount; diff --git a/crypto/openssl/crypto/rand/randfile.c b/crypto/openssl/crypto/rand/randfile.c index 528e410f7400..02f16aa81032 100644 --- a/crypto/openssl/crypto/rand/randfile.c +++ b/crypto/openssl/crypto/rand/randfile.c @@ -83,6 +83,9 @@ /* #define RFILE ".rnd" - defined in ../../e_os.h */ +/* Note that these functions are intended for seed files only. + * Entropy devices and EGD sockets are handled in rand_unix.c */ + int RAND_load_file(const char *file, long bytes) { /* If bytes >= 0, read up to 'bytes' bytes. @@ -117,7 +120,7 @@ int RAND_load_file(const char *file, long bytes) if (bytes > 0) { bytes-=n; - if (bytes == 0) break; + if (bytes <= 0) break; } } fclose(in); diff --git a/crypto/openssl/crypto/rc2/Makefile.ssl b/crypto/openssl/crypto/rc2/Makefile.ssl index 542397d69aa6..6966e01b6f27 100644 --- a/crypto/openssl/crypto/rc2/Makefile.ssl +++ b/crypto/openssl/crypto/rc2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/rc4/Makefile.ssl b/crypto/openssl/crypto/rc4/Makefile.ssl index 53eac2064a4c..8ffff0a74e3d 100644 --- a/crypto/openssl/crypto/rc4/Makefile.ssl +++ b/crypto/openssl/crypto/rc4/Makefile.ssl @@ -47,7 +47,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/rc5/Makefile.ssl b/crypto/openssl/crypto/rc5/Makefile.ssl index 3d1685602969..cf5d176859ba 100644 --- a/crypto/openssl/crypto/rc5/Makefile.ssl +++ b/crypto/openssl/crypto/rc5/Makefile.ssl @@ -44,7 +44,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/ripemd/Makefile.ssl b/crypto/openssl/crypto/ripemd/Makefile.ssl index 4bd78dd6fd2f..0b1cd7394132 100644 --- a/crypto/openssl/crypto/ripemd/Makefile.ssl +++ b/crypto/openssl/crypto/ripemd/Makefile.ssl @@ -42,7 +42,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/rsa/Makefile.ssl b/crypto/openssl/crypto/rsa/Makefile.ssl index 22a42b4e1b74..1be9a1cd2397 100644 --- a/crypto/openssl/crypto/rsa/Makefile.ssl +++ b/crypto/openssl/crypto/rsa/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c index 618b5bd59565..62618fe5a999 100644 --- a/crypto/openssl/crypto/rsa/rsa_eay.c +++ b/crypto/openssl/crypto/rsa/rsa_eay.c @@ -138,11 +138,28 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from, if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) { - if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_n == NULL) + { + rsa->_method_mod_n = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } - + if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) goto err; @@ -369,11 +386,28 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from, /* do the decrypt */ if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) { - if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_n == NULL) + { + rsa->_method_mod_n = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } - + if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) goto err; @@ -421,20 +455,53 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) { if (rsa->_method_mod_p == NULL) { - if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p, - ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_p == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_p == NULL) + { + rsa->_method_mod_p = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } + if (rsa->_method_mod_q == NULL) { - if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q, - ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_q == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_q == NULL) + { + rsa->_method_mod_q = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } } - + if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, rsa->_method_mod_q)) goto err; diff --git a/crypto/openssl/crypto/sha/Makefile.ssl b/crypto/openssl/crypto/sha/Makefile.ssl index 0e6e7b8940c6..75d3e0bf4ff3 100644 --- a/crypto/openssl/crypto/sha/Makefile.ssl +++ b/crypto/openssl/crypto/sha/Makefile.ssl @@ -42,7 +42,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/sha/asm/sha1-586.pl b/crypto/openssl/crypto/sha/asm/sha1-586.pl index 09df993ecd4e..fe51fd079457 100644 --- a/crypto/openssl/crypto/sha/asm/sha1-586.pl +++ b/crypto/openssl/crypto/sha/asm/sha1-586.pl @@ -317,7 +317,7 @@ sub BODY_60_79 sub sha1_block_host { - local($name)=@_; + local($name, $sclabel)=@_; &function_begin_B($name,""); @@ -352,7 +352,7 @@ sub sha1_block_host &mov(&swtmp($i+0),$A); &mov(&swtmp($i+1),$B); } - &jmp(&label("shortcut")); + &jmp($sclabel); &function_end_B($name); } @@ -529,10 +529,12 @@ sub sha1_block_data &pop("esi"); &ret(); - # it has to reside within sha1_block_asm_host_order body - # because it calls &jmp(&label("shortcut")); - &sha1_block_host("sha1_block_asm_host_order"); + # keep a note of shortcut label so it can be used outside + # block. + my $sclabel = &label("shortcut"); &function_end_B($name); + # Putting this here avoids problems with MASM in debugging mode + &sha1_block_host("sha1_block_asm_host_order", $sclabel); } diff --git a/crypto/openssl/crypto/stack/Makefile.ssl b/crypto/openssl/crypto/stack/Makefile.ssl index 69d0a1cf6884..2027d3946ce1 100644 --- a/crypto/openssl/crypto/stack/Makefile.ssl +++ b/crypto/openssl/crypto/stack/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/txt_db/Makefile.ssl b/crypto/openssl/crypto/txt_db/Makefile.ssl index 0e900ce7485b..567202abb771 100644 --- a/crypto/openssl/crypto/txt_db/Makefile.ssl +++ b/crypto/openssl/crypto/txt_db/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/x509/Makefile.ssl b/crypto/openssl/crypto/x509/Makefile.ssl index f8e59666c99f..55356c680b20 100644 --- a/crypto/openssl/crypto/x509/Makefile.ssl +++ b/crypto/openssl/crypto/x509/Makefile.ssl @@ -49,7 +49,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/x509/by_dir.c b/crypto/openssl/crypto/x509/by_dir.c index cac64a6f4045..448bd7e69cca 100644 --- a/crypto/openssl/crypto/x509/by_dir.c +++ b/crypto/openssl/crypto/x509/by_dir.c @@ -327,7 +327,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, * it out again */ CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE); j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp); - if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,i); + if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j); else tmp = NULL; CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE); diff --git a/crypto/openssl/crypto/x509v3/Makefile.ssl b/crypto/openssl/crypto/x509v3/Makefile.ssl index 483df46fd416..8ed366504940 100644 --- a/crypto/openssl/crypto/x509v3/Makefile.ssl +++ b/crypto/openssl/crypto/x509v3/Makefile.ssl @@ -43,7 +43,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/x509v3/v3_prn.c b/crypto/openssl/crypto/x509v3/v3_prn.c index dbc4fb1f1600..14b804c4ad33 100644 --- a/crypto/openssl/crypto/x509v3/v3_prn.c +++ b/crypto/openssl/crypto/x509v3/v3_prn.c @@ -85,9 +85,16 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml) else BIO_printf(out, "%s:%s", nval->name, nval->value); #else else { - char tmp[10240]; /* 10k is BIO_printf's limit anyway */ - ascii2ebcdic(tmp, nval->value, strlen(nval->value)+1); - BIO_printf(out, "%s:%s", nval->name, tmp); + int len; + char *tmp; + len = strlen(nval->value)+1; + tmp = OPENSSL_malloc(len); + if (tmp) + { + ascii2ebcdic(tmp, nval->value, len); + BIO_printf(out, "%s:%s", nval->name, tmp); + OPENSSL_free(tmp); + } } #endif if(ml) BIO_puts(out, "\n"); @@ -115,9 +122,16 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent) BIO_printf(out, "%*s%s", indent, "", value); #else { - char tmp[10240]; /* 10k is BIO_printf's limit anyway */ - ascii2ebcdic(tmp, value, strlen(value)+1); - BIO_printf(out, "%*s%s", indent, "", tmp); + int len; + char *tmp; + len = strlen(value)+1; + tmp = OPENSSL_malloc(len); + if (tmp) + { + ascii2ebcdic(tmp, value, len); + BIO_printf(out, "%*s%s", indent, "", tmp); + OPENSSL_free(tmp); + } } #endif } else if(method->i2v) { diff --git a/crypto/openssl/crypto/x509v3/v3_purp.c b/crypto/openssl/crypto/x509v3/v3_purp.c index 867699b26f3a..8aecd00e6325 100644 --- a/crypto/openssl/crypto/x509v3/v3_purp.c +++ b/crypto/openssl/crypto/x509v3/v3_purp.c @@ -362,6 +362,8 @@ static int ca_check(const X509 *x) else return 0; } else { if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; + /* If key usage present it must have certSign so tolerate it */ + else if (x->ex_flags & EXFLAG_KUSAGE) return 3; else return 2; } } @@ -380,7 +382,7 @@ static int check_ssl_ca(const X509 *x) if(ca_ret != 2) return ca_ret; else return 0; } - + static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) { @@ -446,7 +448,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c int ret; ret = purpose_smime(x, ca); if(!ret || ca) return ret; - if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0; + if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0; return ret; } diff --git a/crypto/openssl/doc/crypto/BN_rand.pod b/crypto/openssl/doc/crypto/BN_rand.pod index 33363c981f60..2a8bed5fed8f 100644 --- a/crypto/openssl/doc/crypto/BN_rand.pod +++ b/crypto/openssl/doc/crypto/BN_rand.pod @@ -12,6 +12,8 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_rand_range(BIGNUM *rnd, BIGNUM *range); + =head1 DESCRIPTION BN_rand() generates a cryptographically strong pseudo-random number of @@ -25,11 +27,14 @@ this function are not necessarily unpredictable. They can be used for non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation etc. -The PRNG must be seeded prior to calling BN_rand(). +BN_rand_range() generates a cryptographically strong pseudo-random +number B<rnd> in the range 0 <lt>= B<rnd> E<lt> B<range>. + +The PRNG must be seeded prior to calling BN_rand() or BN_rand_range(). =head1 RETURN VALUES -BN_rand() and BN_pseudo_rand() return 1 on success, 0 on error. +The functions return 1 on success, 0 on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO @@ -40,6 +45,7 @@ L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)> =head1 HISTORY BN_rand() is available in all versions of SSLeay and OpenSSL. -BN_pseudo_rand() was added in OpenSSL 0.9.5. +BN_pseudo_rand() was added in OpenSSL 0.9.5, and BN_rand_range() +in OpenSSL 0.9.6a. =cut diff --git a/crypto/openssl/doc/crypto/RAND_egd.pod b/crypto/openssl/doc/crypto/RAND_egd.pod index 40241e2df8ee..71cab3ca04a4 100644 --- a/crypto/openssl/doc/crypto/RAND_egd.pod +++ b/crypto/openssl/doc/crypto/RAND_egd.pod @@ -9,10 +9,30 @@ RAND_egd - query entropy gathering daemon #include <openssl/rand.h> int RAND_egd(const char *path); + int RAND_egd_bytes(const char *path, int bytes); =head1 DESCRIPTION RAND_egd() queries the entropy gathering daemon EGD on socket B<path>. +It queries 255 bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the +OpenSSL built-in PRNG. RAND_egd(path) is a wrapper for +RAND_egd_bytes(path, 255); + +RAND_egd_bytes() queries the entropy gathering daemon EGD on socket B<path>. +It queries B<bytes> bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the +OpenSSL built-in PRNG. +This function is more flexible than RAND_egd(). +When only one secret key must +be generated, it is not necessary to request the full amount 255 bytes from +the EGD socket. This can be advantageous, since the amount of entropy +that can be retrieved from EGD over time is limited. + +=head1 NOTES + +On systems without /dev/*random devices providing entropy from the kernel, +the EGD entropy gathering daemon can be used to collect entropy. It provides +a socket interface through which entropy can be gathered in chunks up to +255 bytes. Several chunks can be queried during one connection. EGD is available from http://www.lothar.com/tech/crypto/ (C<perl Makefile.PL; make; make install> to install). It is run as B<egd> @@ -21,22 +41,27 @@ RAND_egd() is called with that path as an argument, it tries to read random bytes that EGD has collected. The read is performed in non-blocking mode. -Alternatively, the EGD-compatible daemon PRNGD can be used. It is +Alternatively, the EGD-interface compatible daemon PRNGD can be used. It is available from http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html . +PRNGD does employ an internal PRNG itself and can therefore never run +out of entropy. =head1 RETURN VALUE -RAND_egd() returns the number of bytes read from the daemon on -success, and -1 if the connection failed or the daemon did not return -enough data to fully seed the PRNG. +RAND_egd() and RAND_egd_bytes() return the number of bytes read from the +daemon on success, and -1 if the connection failed or the daemon did not +return enough data to fully seed the PRNG. =head1 SEE ALSO -L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)> +L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, +L<RAND_cleanup(3)|RAND_cleanup(3)> =head1 HISTORY RAND_egd() is available since OpenSSL 0.9.5. +RAND_egd_bytes() is available since OpenSSL 0.9.6. + =cut diff --git a/crypto/openssl/doc/crypto/bn.pod b/crypto/openssl/doc/crypto/bn.pod index 1504a1c92dfd..d183028d6127 100644 --- a/crypto/openssl/doc/crypto/bn.pod +++ b/crypto/openssl/doc/crypto/bn.pod @@ -60,6 +60,7 @@ bn - multiprecision integer arithmetics int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_rand_range(BIGNUM *rnd, BIGNUM *range); BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); diff --git a/crypto/openssl/doc/crypto/des.pod b/crypto/openssl/doc/crypto/des.pod index ab3e26e9ecd8..99080391b176 100644 --- a/crypto/openssl/doc/crypto/des.pod +++ b/crypto/openssl/doc/crypto/des.pod @@ -345,7 +345,7 @@ the MIT Kerberos library. =head1 SEE ALSO -crypt(3), L<des_modes(3)|des_modes(3)>, L<evp(3)|evp(3)>, L<rand(3)|rand(3)> +crypt(3), L<des_modes(7)|des_modes(7)>, L<evp(3)|evp(3)>, L<rand(3)|rand(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/evp.pod b/crypto/openssl/doc/crypto/evp.pod index f089dd49a219..edf47dbde664 100644 --- a/crypto/openssl/doc/crypto/evp.pod +++ b/crypto/openssl/doc/crypto/evp.pod @@ -10,7 +10,7 @@ evp - high-level cryptographic functions =head1 DESCRIPTION -The EVP library provided a high-level interface to cryptographic +The EVP library provides a high-level interface to cryptographic functions. B<EVP_Seal>I<...> and B<EVP_Open>I<...> provide public key encryption diff --git a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod index 7fea14ee6867..bf851dcea5a0 100644 --- a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod +++ b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod @@ -2,8 +2,7 @@ =head1 NAME -SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, -SSL_CIPHER_description - get SSL_CIPHER properties +SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_description - get SSL_CIPHER properties =head1 SYNOPSIS @@ -29,9 +28,10 @@ SSL_CIPHER_get_version() returns the protocol version for B<cipher>, currently SSL_CIPHER_description() returns a textual description of the cipher used into the buffer B<buf> of length B<len> provided. B<len> must be at least -128 bytes, otherwise the string "Buffer too small" is returned. If B<buf> -is NULL, a buffer of 128 bytes is allocated using OPENSSL_malloc(). If the -allocation fails, the string "OPENSSL_malloc Error" is returned. +128 bytes, otherwise a pointer to the the string "Buffer too small" is +returned. If B<buf> is NULL, a buffer of 128 bytes is allocated using +OPENSSL_malloc(). If the allocation fails, a pointer to the string +"OPENSSL_malloc Error" is returned. =head1 NOTES @@ -40,11 +40,66 @@ export cipher like e.g. EXP-RC4-MD5 has only 40 secret bits. The algorithm does use the full 128 bits (which would be returned for B<alg_bits>), of which however 88bits are fixed. The search space is hence only 40 bits. +The string returned by SSL_CIPHER_description() in case of success consists +of cleartext information seperated by one or more blanks in the following +sequence: + +=over 4 + +=item <ciphername> + +Textual representation of the cipher name. + +=item <protocol version> + +Protocol version: B<SSLv2>, B<SSLv3>. The TLSv1 ciphers are flagged with SSLv3. + +=item Kx=<key exchange> + +Key exchange method: B<RSA> (for export ciphers as B<RSA(512)> or +B<RSA(1024)>), B<DH> (for export ciphers as B<DH(512)> or B<DH(1024)>), +B<DH/RSA>, B<DH/DSS>, B<Fortezza>. + +=item Au=<authentication> + +Authentication method: B<RSA>, B<DSS>, B<DH>, B<None>. None is the +representation of anonymous ciphers. + +=item Enc=<symmectric encryption method> + +Encryption method with number of secret bits: B<DES(40)>, B<DES(56)>, +B<3DES(168)>, B<RC4(40)>, B<RC4(56)>, B<RC4(64)>, B<RC4(128)>, +B<RC2(40)>, B<RC2(56)>, B<RC2(128)>, B<IDEA(128)>, B<Fortezza>, B<None>. + +=item Mac=<message authentication code> + +Message digest: B<MD5>, B<SHA1>. + +=item <export flag> + +If the cipher is flagged exportable with respect to old US crypto +regulations, the word "B<export>" is printed. + +=back + +=head1 EXAMPLES + +Some examples for the output of SSL_CIPHER_description(): + + EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 + EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 + RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 + EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export + =head1 BUGS If SSL_CIPHER_description() is called with B<cipher> being NULL, the library crashes. +If SSL_CIPHER_description() cannot handle a built-in cipher, the according +description of the cipher property is B<unknown>. This case should not +occur. + =head1 RETURN VALUES See DESCRIPTION @@ -52,6 +107,6 @@ See DESCRIPTION =head1 SEE ALSO L<ssl(3)|ssl(3)>, L<SSL_get_current_cipher(3)|SSL_get_current_cipher(3)>, -L<SSL_get_ciphers(3)|SSL_get_ciphers(3)> +L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<ciphers(1)|ciphers(1)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod b/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod new file mode 100644 index 000000000000..21a9db0e2a40 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod @@ -0,0 +1,38 @@ +=pod + +=head1 NAME + +SSL_CTX_add_extra_chain_cert - add certificate to chain + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + long SSL_CTX_add_extra_chain_cert(SSL_CTX ctx, X509 *x509) + +=head1 DESCRIPTION + +SSL_CTX_add_extra_chain_cert() adds the certificate B<x509> to the certificate +chain presented together with the certificate. Several certificates +can be added one after the other. + +=head1 NOTES + +When constructing the certificate chain, the chain will be formed from +these certificates explicitly specified. If no chain is specified, +the library will try to complete the chain from the available CA +certificates in the trusted CA storage, see +L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>. + +=head1 RETURN VALUES + +SSL_CTX_add_extra_chain_cert() returns 1 on success. Check out the +error stack to find out the reason for failure otherwise. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>, +L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod b/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod new file mode 100644 index 000000000000..af326c2f7340 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod @@ -0,0 +1,65 @@ +=pod + +=head1 NAME + +SSL_CTX_add_session, SSL_add_session, SSL_CTX_remove_session, SSL_remove_session - manipulate session cache + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c); + int SSL_add_session(SSL_CTX *ctx, SSL_SESSION *c); + + int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c); + int SSL_remove_session(SSL_CTX *ctx, SSL_SESSION *c); + +=head1 DESCRIPTION + +SSL_CTX_add_session() adds the session B<c> to the context B<ctx>. The +reference count for session B<c> is incremented by 1. If a session with +the same session id already exists, the old session is removed by calling +L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>. + +SSL_CTX_remove_session() removes the session B<c> from the context B<ctx>. +L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> is called once for B<c>. + +SSL_add_session() and SSL_remove_session() are synonyms for their +SSL_CTX_*() counterparts. + +=head1 NOTES + +When adding a new session to the internal session cache, it is examined +whether a session with the same session id already exists. In this case +it is assumed that both sessions are identical. If the same session is +stored in a different SSL_SESSION object, The old session is +removed and replaced by the new session. If the session is actually +identical (the SSL_SESSION object is identical), SSL_CTX_add_session() +is a no-op, and the return value is 0. + + +=head1 RETURN VALUES + +The following values are returned by all functions: + +=over 4 + +=item 0 + + The operation failed. In case of the add operation, it was tried to add + the same (identical) session twice. In case of the remove operation, the + session was not found in the cache. + +=item 1 + + The operation succeeded. + +=back + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>, +L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_flush_sessions.pod b/crypto/openssl/doc/ssl/SSL_CTX_flush_sessions.pod new file mode 100644 index 000000000000..148c36c87151 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_flush_sessions.pod @@ -0,0 +1,49 @@ +=pod + +=head1 NAME + +SSL_CTX_flush_sessions, SSL_flush_sessions - remove expired sessions + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm); + void SSL_flush_sessions(SSL_CTX *ctx, long tm); + +=head1 DESCRIPTION + +SSL_CTX_flush_sessions() causes a run through the session cache of +B<ctx> to remove sessions expired at time B<tm>. + +SSL_flush_sessions() is a synonym for SSL_CTX_flush_sessions(). + +=head1 NOTES + +If enabled, the internal session cache will collect all sessions established +up to the specified maximum number (see SSL_CTX_sess_set_cache_size()). +As sessions will not be reused ones they are expired, they should be +removed from the cache to save resources. This can either be done + automatically whenever 255 new sessions were established (see +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>) +or manually by calling SSL_CTX_flush_sessions(). + +The parameter B<tm> specifies the time which should be used for the +expiration test, in most cases the actual time given by time(0) +will be used. + +SSL_CTX_flush_sessions() will only check sessions stored in the internal +cache. When a session is found and removed, the remove_session_cb is however +called to synchronize with the external cache (see +L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>). + +=head1 RETURN VALUES + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>, +L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>, +L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod new file mode 100644 index 000000000000..15067438c82d --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod @@ -0,0 +1,53 @@ +=pod + +=head1 NAME + +SSL_CTX_get_ex_new_index, SSL_CTX_set_ex_data, SSL_CTX_get_ex_data - internal application specific data functions + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CTX_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); + + int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg); + + void *SSL_CTX_get_ex_data(SSL_CTX *ctx, int idx); + + typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, + int idx, long argl, void *argp); + +=head1 DESCRIPTION + +Several OpenSSL structures can have application specific data attached to them. +These functions are used internally by OpenSSL to manipulate application +specific data attached to a specific structure. + +SSL_CTX_get_ex_new_index() is used to register a new index for application +specific data. + +SSL_CTX_set_ex_data() is used to store application data at B<arg> for B<idx> +into the B<ctx> object. + +SSL_CTX_get_ex_data() is used to retrieve the information for B<idx> from +B<ctx>. + +A detailed description for the B<*_get_ex_new_index()> functionality +can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>. +The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in +L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, +L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod new file mode 100644 index 000000000000..7f10c6e94509 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod @@ -0,0 +1,50 @@ +=pod + +=head1 NAME + +SSL_CTX_get_verify_mode, SSL_get_verify_mode, SSL_CTX_get_verify_depth, SSL_get_verify_depth, SSL_get_verify_callback, SSL_CTX_get_verify_callback - get currently set verification parameters + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CTX_get_verify_mode(SSL_CTX *ctx); + int SSL_get_verify_mode(SSL *ssl); + int SSL_CTX_get_verify_depth(SSL_CTX *ctx); + int SSL_get_verify_depth(SSL *ssl); + int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int, X509_STORE_CTX *); + int (*SSL_get_verify_callback(SSL *ssl))(int, X509_STORE_CTX *); + +=head1 DESCRIPTION + +SSL_CTX_get_verify_mode() returns the verification mode currently set in +B<ctx>. + +SSL_get_verify_mode() returns the verification mode currently set in +B<ssl>. + +SSL_CTX_get_verify_depth() returns the verification depth limit currently set +in B<ctx>. If no limit has been explicitly set, -1 is returned and the +default value will be used. + +SSL_get_verify_depth() returns the verification depth limit currently set +in B<ssl>. If no limit has been explicitly set, -1 is returned and the +default value will be used. + +SSL_CTX_get_verify_callback() returns a function pointer to the verification +callback currently set in B<ctx>. If no callback was explicitly set, the +NULL pointer is returned and the default callback will be used. + +SSL_get_verify_callback() returns a function pointer to the verification +callback currently set in B<ssl>. If no callback was explicitly set, the +NULL pointer is returned and the default callback will be used. + +=head1 RETURN VALUES + +See DESCRIPTION + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod b/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod new file mode 100644 index 000000000000..0e2d2179c8c1 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod @@ -0,0 +1,124 @@ +=pod + +=head1 NAME + +SSL_CTX_load_verify_locations - set default locations for trusted CA +certificates + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, + const char *CApath); + +=head1 DESCRIPTION + +SSL_CTX_load_verify_locations() specifies the locations for B<ctx>, at +which CA certificates for verification purposes are located. The certificates +available via B<CAfile> and B<CApath> are trusted. + +=head1 NOTES + +If B<CAfile> is not NULL, it points to a file of CA certificates in PEM +format. The file can contain several CA certificates identified by + + -----BEGIN CERTIFICATE----- + ... (CA certificate in base64 encoding) ... + -----END CERTIFICATE----- + +sequences. Before, between, and after the certificates text is allowed +which can be used e.g. for descriptions of the certificates. + +The B<CAfile> is processed on execution of the SSL_CTX_load_verify_locations() +function. + +If on an TLS/SSL server no special setting is perfomed using *client_CA_list() +functions, the certificates contained in B<CAfile> are listed to the client +as available CAs during the TLS/SSL handshake. + +If B<CApath> is not NULL, it points to a directory containing CA certificates +in PEM format. The files each contain one CA certificate. The files are +looked up by the CA subject name hash value, which must hence be available. +If more than one CA certificate with the same name hash value exist, the +extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search +is performed in the ordering of the extension number, regardless of other +properties of the certificates. +Use the B<c_rehash> utility to create the necessary links. + +The certificates in B<CApath> are only looked up when required, e.g. when +building the certificate chain or when actually performing the verification +of a peer certificate. + +On a server, the certificates in B<CApath> are not listed as available +CA certificates to a client during a TLS/SSL handshake. + +When looking up CA certificates, the OpenSSL library will first search the +certificates in B<CAfile>, then those in B<CApath>. Certificate matching +is done based on the subject name, the key identifier (if present), and the +serial number as taken from the certificate to be verified. If these data +do not match, the next certificate will be tried. If a first certificate +matching the parameters is found, the verification process will be performed; +no other certificates for the same parameters will be searched in case of +failure. + +When building its own certificate chain, an OpenSSL client/server will +try to fill in missing certificates from B<CAfile>/B<CApath>, if the +certificate chain was not explicitely specified (see +L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>, +L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>. + +=head1 WARNINGS + +If several CA certificates matching the name, key identifier, and serial +number condition are available, only the first one will be examined. This +may lead to unexpected results if the same CA certificate is available +with different expiration dates. If a "certificate expired" verification +error occurs, no other certificate will be searched. Make sure to not +have expired certificates mixed with valid ones. + +=head1 EXAMPLES + +Generate a CA certificate file with descriptive text from the CA certificates +ca1.pem ca2.pem ca3.pem: + + #!/bin/sh + rm CAfile.pem + for i in ca1.pem ca2.pem ca3.pem ; do + openssl x509 -in $i -text >> CAfile.pem + done + +Prepare the directory /some/where/certs containing several CA certificates +for use as B<CApath>: + + cd /some/where/certs + c_rehash . + +=head1 RETURN VALUES + +The following return values can occur: + +=over 4 + +=item 0 + +The operation failed because B<CAfile> and B<CApath> are NULL or the +processing at one of the locations specified failed. Check the error +stack to find out the reason. + +=item 1 + +The operation succeeded. + +=back + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, +L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>, +L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>, +L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)> + + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_new.pod b/crypto/openssl/doc/ssl/SSL_CTX_new.pod index e166c692c355..8b16ea3c903d 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_new.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_new.pod @@ -33,9 +33,9 @@ understand SSLv2 client hello messages. =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void) A TLS/SSL connection established with these methods will only understand the -SSLv3 and TLSv1 protocol. A client will send out SSLv3 client hello messages -and will indicate that it also understands TLSv1. A server will only understand -SSLv3 and TLSv1 client hello messages. This especially means, that it will +SSLv3 protocol. A client will send out SSLv3 client hello messages +and will indicate that it only understands SSLv3. A server will only understand +SSLv3 client hello messages. This especially means, that it will not understand SSLv2 client hello messages which are widely used for compatibility reasons, see SSLv23_*_method(). @@ -46,7 +46,8 @@ TLSv1 protocol. A client will send out TLSv1 client hello messages and will indicate that it only understands TLSv1. A server will only understand TLSv1 client hello messages. This especially means, that it will not understand SSLv2 client hello messages which are widely used for -compatibility reasons, see SSLv23_*_method(). +compatibility reasons, see SSLv23_*_method(). It will also not understand +SSLv3 client hello messages. =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void) diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod new file mode 100644 index 000000000000..469933baf35b --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod @@ -0,0 +1,50 @@ +=pod + +=head1 NAME + +SSL_CTX_sess_set_cache_size, SSL_CTX_sess_get_cache_size - manipulate session cache size + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, long t); + long SSL_CTX_sess_get_cache_size(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_sess_set_cache_size() sets the size of the internal session cache +of context B<ctx> to B<t>. + +SSL_CTX_sess_get_cache_size() returns the currently valid session cache size. + +=head1 NOTES + +The internal session cache size is SSL_SESSION_CACHE_MAX_SIZE_DEFAULT, +currently 1024*20, so that up to 20000 sessions can be held. This size +can be modified using the SSL_CTX_sess_set_cache_size() call. A special +case is the size 0, which is used for unlimited size. + +When the maximum number of sessions is reached, no more new sessions are +added to the cache. New space may be added by calling +L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)> to remove +expired sessions. + +If the size of the session cache is reduced and more sessions are already +in the session cache, old session will be removed at the next time a +session shall be added. This removal is not synchronized with the +expiration of sessions. + +=head1 RETURN VALUES + +SSL_CTX_sess_set_cache_size() returns the previously valid size. + +SSL_CTX_sess_get_cache_size() returns the currently valid size. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>, +L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod new file mode 100644 index 000000000000..b6f15b440425 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod @@ -0,0 +1,81 @@ +=pod + +=head1 NAME + +SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SSL_CTX_sess_get_new_cb, SSL_CTX_sess_get_remove_cb, SSL_CTX_sess_get_get_cb - provide callback functions for server side external session caching + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, + int (*new_session_cb)(SSL *, SSL_SESSION *)); + void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, + void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)); + void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, + SSL_SESSION (*get_session_cb)(SSL *, unsigned char *, int, int *)); + + int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess); + void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess); + SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *data, int len, int *copy); + + int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess); + void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess); + SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data, + int len, int *copy); + +=head1 DESCRIPTION + +SSL_CTX_sess_set_new_cb() sets the callback function, which is automatically +called whenever a new session was negotiated. + +SSL_CTX_sess_set_remove_cb() sets the callback function, which is +automatically called whenever a session is removed by the SSL engine, +because it is considered faulty or the session has become obsolete because +of exceeding the timeout value. + +SSL_CTX_sess_set_get_cb() sets the callback function which is called, +whenever a SSL/TLS client proposed to resume a session but the session +could not be found in the internal session cache (see +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>). +(SSL/TLS server only.) + +SSL_CTX_sess_get_new_cb(), SSL_CTX_sess_get_remove_cb(), and +SSL_CTX_sess_get_get_cb() allow to retrieve the function pointers of the +provided callback functions. If a callback function has not been set, +the NULL pointer is returned. + +=head1 NOTES + +In order to allow external session caching, synchronization with the internal +session cache is realized via callback functions. Inside these callback +functions, session can be saved to disk or put into a database using the +L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)> interface. + +The new_session_cb() is called, whenever a new session has been negotiated +and session caching is enabled (see +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>). +The new_session_cb() is passed the B<ssl> connection and the ssl session +B<sess>. If the callback returns B<0>, the session will be immediately +removed again. + +The remove_session_cb() is called, whenever the SSL engine removes a session +from the internal cache. This happens if the session is removed because +it is expired or when a connection was not shutdown cleanly. The +remove_session_cb() is passed the B<ctx> and the ssl session B<sess>. +It does not provide any feedback. + +The get_session_cb() is only called on SSL/TLS servers with the session id +proposed by the client. The get_session_cb() is always called, also when +session caching was disabled. The get_session_cb() is passed the +B<ssl> connection, the session id of length B<length> at the memory location +B<data>. With the parameter B<copy> the callback can require the +SSL engine to increment the reference count of the SSL_SESSION object. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>, +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>, +L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod b/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod new file mode 100644 index 000000000000..ad92a8c5d23e --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod @@ -0,0 +1,34 @@ +=pod + +=head1 NAME + +SSL_CTX_sessions - access internal session cache + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_sessions() returns a pointer to the lhash databases containing the +internal session cache for B<ctx>. + +=head1 NOTES + +The sessions in the internal session cache are kept in an +L<lhash(3)|lhash(3)> type database. It is possible to directly +access this database e.g. for searching. In parallel, the sessions +form a linked list which is maintained seperatly from the +L<lhash(3)|lhash(3)> operations, so that the database must not be +modified directly but by using the +L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)> family of functions. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, L<lhash(3)|lhash(3)>, +L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>, +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod index 272d6b3de282..9a29eeeb9558 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod @@ -2,8 +2,7 @@ =head1 NAME -SSL_CTX_set_cipher_list, SSL_set_cipher_list -- choose list of available SSL_CIPHERs +SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPHERs =head1 SYNOPSIS @@ -47,6 +46,7 @@ could be selected and 0 on complete failure. =head1 SEE ALSO L<ssl(3)|ssl(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, +L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>, L<ciphers(1)|ciphers(1)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod new file mode 100644 index 000000000000..f27a291cb654 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod @@ -0,0 +1,90 @@ +=pod + +=head1 NAME + +SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA, +SSL_add_client_CA - set list of CAs sent to the client when requesting a +client certificate + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); + void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); + int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert); + int SSL_add_client_CA(SSL *ssl, X509 *cacert); + +=head1 DESCRIPTION + +SSL_CTX_set_client_CA_list() sets the B<list> of CAs sent to the client when +requesting a client certificate for B<ctx>. + +SSL_set_client_CA_list() sets the B<list> of CAs sent to the client when +requesting a client certificate for the chosen B<ssl>, overriding the +setting valid for B<ssl>'s SSL_CTX object. + +SSL_CTX_add_client_CA() adds the CA name extracted from B<cacert> to the +list of CAs sent to the client when requesting a client certificate for +B<ctx>. + +SSL_add_client_CA() adds the CA name extracted from B<cacert> to the +list of CAs sent to the client when requesting a client certificate for +the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object. + +=head1 NOTES + +When a TLS/SSL server requests a client certificate (see +B<SSL_CTX_set_verify_options()>), it sends a list of CAs, for which +it will accept certificates, to the client. If no special list is provided, +the CAs available using the B<CAfile> option in +L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> +are sent. + +This list can be explicitely set using the SSL_CTX_set_client_CA_list() for +B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list +specified overrides the previous setting. The CAs listed do not become +trusted (B<list> only contains the names, not the complete certificates); use +L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> +to additionally load them for verification. + +SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional +items the list of client CAs. If no list was specified before using +SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client +CA list for B<ctx> or B<ssl> (as appropriate) is opened. The CAs implicitly +specified using +L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> +are no longer used automatically. + +These functions are only useful for TLS/SSL servers. + +=head1 RETURN VALUES + +SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return +diagnostic information. + +SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return +values: + +=over 4 + +=item 1 + +The operation succeeded. + +=item 0 + +A failure while manipulating the STACK_OF(X509_NAME) object occured or +the X509_NAME could not be extracted from B<cacert>. Check the error stack +to find out the reason. + +=back + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>, +L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)> +L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod new file mode 100644 index 000000000000..a5343a1cf398 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod @@ -0,0 +1,70 @@ +=pod + +=head1 NAME + +SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set passwd callback for encrypted PEM file handling + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); + void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); + + int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata); + +=head1 DESCRIPTION + +SSL_CTX_set_default_passwd_cb() sets the default password callback called +when loading/storing a PEM certificate with encryption. + +SSL_CTX_set_default_passwd_cb_userdata() sets a pointer to B<userdata> which +will be provided to the password callback on invocation. + +The pem_passwd_cb(), which must be provided by the application, hands back the +password to be used during decryption. On invocation a pointer to B<userdata> +is provided. The pem_passwd_cb must write the password into the provided buffer +B<buf> which is of size B<size>. The actual length of the password must +be returned to the calling function. B<rwflag> indicates whether the +callback is used for reading/decryption (rwflag=0) or writing/encryption +(rwflag=1). + +=head1 NOTES + +When loading or storing private keys, a password might be supplied to +protect the private key. The way this password can be supplied may depend +on the application. If only one private key is handled, it can be practical +to have pem_passwd_cb() handle the password dialog interactively. If several +keys have to be handled, it can be practical to ask for the password once, +then keep it in memory and use it several times. In the last case, the +password could be stored into the B<userdata> storage and the +pem_passwd_cb() only returns the password already stored. + +Other items in PEM formatting (certificates) can also be encrypted, it is +however not usual, as certificate information is considered public. + +=head1 RETURN VALUES + +SSL_CTX_set_default_passwd_cb() and SSL_CTX_set_default_passwd_cb_userdata() +do not provide diagnostic information. + +=head1 EXAMPLES + +The following example returns the password provided as B<userdata> to the +calling function. The password is considered to be a '\0' terminated +string. If the password does not fit into the buffer, the password is +truncated. + + int pem_passwd_cb(char *buf, int size, int rwflag, void *password) + { + strncpy(buf, (char *)(password), size); + buf[size - 1] = '\0'; + return(strlen(buf)); + } + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod new file mode 100644 index 000000000000..bd5b0cbf9629 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod @@ -0,0 +1,183 @@ +=pod + +=head1 NAME + +SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + long SSL_CTX_set_options(SSL_CTX *ctx, long options); + long SSL_set_options(SSL *ssl, long options); + + long SSL_CTX_get_options(SSL_CTX *ctx); + long SSL_get_options(SSL *ssl); + +=head1 DESCRIPTION + +SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>. +Options already set before are not cleared. + +SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>. +Options already set before are not cleared. + +SSL_CTX_get_options() returns the options set for B<ctx>. + +SSL_get_options() returns the options set for B<ssl>. + +=head1 NOTES + +The behaviour of the SSL library can be changed by setting several options. +The options are coded as bitmasks and can be combined by a logical B<or> +operation (|). Options can only be added but can never be reset. + +During a handshake, the option settings of the SSL object used. When +a new SSL object is created from a context using SSL_new(), the current +option setting is copied. Changes to B<ctx> do not affect already created +SSL objects. SSL_clear() does not affect the settings. + +The following B<bug workaround> options are available: + +=over 4 + +=item SSL_OP_MICROSOFT_SESS_ID_BUG + +www.microsoft.com - when talking SSLv2, if session-id reuse is +performed, the session-id passed back in the server-finished message +is different from the one decided upon. + +=item SSL_OP_NETSCAPE_CHALLENGE_BUG + +Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte +challenge but then appears to only use 16 bytes when generating the +encryption keys. Using 16 bytes is ok but it should be ok to use 32. +According to the SSLv3 spec, one should use 32 bytes for the challenge +when opperating in SSLv2/v3 compatablity mode, but as mentioned above, +this breaks this server so 16 bytes is the way to go. + +=item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + +ssl3.netscape.com:443, first a connection is established with RC4-MD5. +If it is then resumed, we end up using DES-CBC3-SHA. It should be +RC4-MD5 according to 7.6.1.3, 'cipher_suite'. + +Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug. +It only really shows up when connecting via SSLv2/v3 then reconnecting +via SSLv3. The cipher list changes.... + +NEW INFORMATION. Try connecting with a cipher list of just +DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses +RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when +doing a re-connect, always takes the first cipher in the cipher list. + +=item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + +... + +=item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + +... + +=item SSL_OP_MSIE_SSLV2_RSA_PADDING + +... + +=item SSL_OP_SSLEAY_080_CLIENT_DH_BUG + +... + +=item SSL_OP_TLS_D5_BUG + +... + +=item SSL_OP_TLS_BLOCK_PADDING_BUG + +... + +=item SSL_OP_TLS_ROLLBACK_BUG + +Disable version rollback attack detection. + +During the client key exchange, the client must send the same information +about acceptable SSL/TLS protocol levels as during the first hello. Some +clients violate this rule by adapting to the server's answer. (Example: +the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server +only understands up to SSLv3. In this case the client must still use the +same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect +to the server's answer and violate the version rollback protection.) + +=item SSL_OP_ALL + +All of the above bug workarounds. + +=back + +It is save and recommended to use SSL_OP_ALL to enable the bug workaround +options. + +The following B<modifying> options are available: + +=over 4 + +=item SSL_OP_SINGLE_DH_USE + +Always create a new key when using temporary DH parameters. + +=item SSL_OP_EPHEMERAL_RSA + +Also use the temporary RSA key when doing RSA operations. + +=item SSL_OP_PKCS1_CHECK_1 + +... + +=item SSL_OP_PKCS1_CHECK_2 + +... + +=item SSL_OP_NETSCAPE_CA_DN_BUG + +If we accept a netscape connection, demand a client cert, have a +non-self-sighed CA which does not have it's CA in netscape, and the +browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta + +=item SSL_OP_NON_EXPORT_FIRST + +On servers try to use non-export (stronger) ciphers first. This option does +not work under all circumstances (in the code it is declared "broken"). + +=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + +... + +=item SSL_OP_NO_SSLv2 + +Do not use the SSLv2 protocol. + +=item SSL_OP_NO_SSLv3 + +Do not use the SSLv3 protocol. + +=item SSL_OP_NO_TLSv1 + +Do not use the TLSv1 protocol. + +=back + +=head1 RETURN VALUES + +SSL_CTX_set_options() and SSL_set_options() return the new options bitmask +after adding B<options>. + +SSL_CTX_get_options() and SSL_get_options() return the current bitmask. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)> + +=head1 HISTORY + +SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6. + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod new file mode 100644 index 000000000000..ba3502a0a423 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod @@ -0,0 +1,106 @@ +=pod + +=head1 NAME + +SSL_CTX_set_session_cache_mode, SSL_CTX_get_session_cache_mode - enable/disable session caching + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + long SSL_CTX_set_session_cache_mode(SSL_CTX ctx, long mode); + long SSL_CTX_get_session_cache_mode(SSL_CTX ctx); + +=head1 DESCRIPTION + +SSL_CTX_set_session_cache_mode() enables/disables session caching +by setting the operational mode for B<ctx> to <mode>. + +SSL_CTX_get_session_cache_mode() returns the currently used cache mode. + +=head1 NOTES + +The OpenSSL library can store/retrieve SSL/TLS sessions for later reuse. +The sessions can be held in memory for each B<ctx>, if more than one +SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX +object. + +In order to reuse a session, a client must send the session's id to the +server. It can only send exactly one id. The server then decides whether it +agrees in reusing the session or starts the handshake for a new session. + +A server will lookup up the session in its internal session storage. If +the session is not found in internal storage or internal storage is +deactivated, the server will try the external storage if available. + +Since a client may try to reuse a session intended for use in a different +context, the session id context must be set by the server (see +L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>). + +The following session cache modes and modifiers are available: + +=over 4 + +=item SSL_SESS_CACHE_OFF + +No session caching for client or server takes place. + +=item SSL_SESS_CACHE_CLIENT + +Client sessions are added to the session cache. As there is no reliable way +for the OpenSSL library to know whether a session should be reused or which +session to choose (due to the abstract BIO layer the SSL engine does not +have details about the connection), the application must select the session +to be reused by using the L<SSL_set_session(3)|SSL_set_session(3)> +function. This option is not activated by default. + +=item SSL_SESS_CACHE_SERVER + +Server sessions are added to the session cache. When a client proposes a +session to be reused, the session is looked up in the internal session cache. +If the session is found, the server will try to reuse the session. +This is the default. + +=item SSL_SESS_CACHE_BOTH + +Enable both SSL_SESS_CACHE_CLIENT and SSL_SESS_CACHE_SERVER at the same time. + +=item SSL_SESS_CACHE_NO_AUTO_CLEAR + +Normally the session cache is checked for expired sessions every +255 connections using the +L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> function. Since +this may lead to a delay which cannot be controlled, the automatic +flushing may be disabled and +L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> can be called +explicitly by the application. + +=item SSL_SESS_CACHE_NO_INTERNAL_LOOKUP + +By setting this flag sessions are cached in the internal storage but +they are not looked up automatically. If an external session cache +is enabled, sessions are looked up in the external cache. As automatic +lookup only applies for SSL/TLS servers, the flag has no effect on +clients. + +=back + +The default mode is SSL_SESS_CACHE_SERVER. + +=head1 RETURN VALUES + +SSL_CTX_set_session_cache_mode() returns the previously set cache mode. + +SSL_CTX_get_session_cache_mode() returns the currently set cache mode. + + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>, +L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>, +L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>, +L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>, +L<SSL_CTX_set_timeout.pod(3)|SSL_CTX_set_timeout.pod(3)>, +L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod new file mode 100644 index 000000000000..5949395159e7 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod @@ -0,0 +1,82 @@ +=pod + +=head1 NAME + +SSL_CTX_set_session_id_context, SSL_set_session_id_context - set context within which session can be reused (server side only) + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, + unsigned int sid_ctx_len); + int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, + unsigned int sid_ctx_len); + +=head1 DESCRIPTION + +SSL_CTX_set_session_id_context() sets the context B<sid_ctx> of length +B<sid_ctx_len> within which a session can be reused for the B<ctx> object. + +SSL_set_session_id_context() sets the context B<sid_ctx> of length +B<sid_ctx_len> within which a session can be reused for the B<ssl> object. + +=head1 NOTES + +Sessions are generated within a certain context. When exporting/importing +sessions with B<i2d_SSL_SESSION>/B<d2i_SSL_SESSION> it would be possible, +to re-import a session generated from another context (e.g. another +application), which might lead to malfunctions. Therefore each application +must set its own session id context B<sid_ctx> which is used to distinguish +the contexts and is stored in exported sessions. The B<sid_ctx> can be +any kind of binary data with a given length, it is therefore possible +to use e.g. the name of the application and/or the hostname and/or service +name ... + +The session id context becomes part of the session. The session id context +is set by the SSL/TLS server. The SSL_CTX_set_session_id_context() and +SSL_set_session_id_context() functions are therefore only useful on the +server side. + +OpenSSL clients will check the session id context returned by the server +when reusing a session. + +The maximum length of the B<sid_ctx> is limited to +B<SSL_MAX_SSL_SESSION_ID_LENGTH>. + +=head1 WARNINGS + +If the session id context is not set on an SSL/TLS server, stored sessions +will not be reused but a fatal error will be flagged and the handshake +will fail. + +If a server returns a different session id context to an OpenSSL client +when reusing a session, an error will be flagged and the handshake will +fail. OpenSSL servers will always return the correct session id context, +as an OpenSSL server checks the session id context itself before reusing +a session as described above. + +=head1 RETURN VALUES + +SSL_CTX_set_session_id_context() and SSL_set_session_id_context() +return the following values: + +=over 4 + +=item 0 + +The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded +the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error +is logged to the error stack. + +=item 1 + +The operation succeeded. + +=back + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_timeout.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_timeout.pod new file mode 100644 index 000000000000..21faed12d425 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_timeout.pod @@ -0,0 +1,55 @@ +=pod + +=head1 NAME + +SSL_CTX_set_timeout, SSL_CTX_get_timeout - manipulate timeout values for session caching + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + long SSL_CTX_set_timeout(SSL_CTX *ctx, long t); + long SSL_CTX_get_timeout(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_set_timeout() sets the timeout for newly created sessions for +B<ctx> to B<t>. The timeout value B<t> must be given in seconds. + +SSL_CTX_get_timeout() returns the currently set timeout value for B<ctx>. + +=head1 NOTES + +Whenever a new session is created, it is assigned a maximum lifetime. This +lifetime is specified by storing the creation time of the session and the +timeout value valid at this time. If the actual time is later than creation +time plus timeout, the session is not reused. + +Due to this realization, all sessions behave according to the timeout value +valid at the time of the session negotiation. Changes of the timeout value +do not affect already established sessions. + +The expiration time of a single session can be modified using the +L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)> family of functions. + +Expired sessions are removed from the internal session cache, whenever +L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> is called, either +directly by the application or automatically (see +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>) + +The default value for session timeout is 300 seconds. + +=head1 RETURN VALUES + +SSL_CTX_set_timeout() returns the previously set timeout value. + +SSL_CTX_get_timeout() returns the currently set timeout value. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>, +L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>, +L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod new file mode 100644 index 000000000000..fc0b76118fd1 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod @@ -0,0 +1,284 @@ +=pod + +=head1 NAME + +SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth - set peer certificate verification parameters + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, + int (*verify_callback)(int, X509_STORE_CTX *)); + void SSL_set_verify(SSL *s, int mode, + int (*verify_callback)(int, X509_STORE_CTX *)); + void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth); + void SSL_set_verify_depth(SSL *s, int depth); + + int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx); + +=head1 DESCRIPTION + +SSL_CTX_set_verify() sets the verification flags for B<ctx> to be B<mode> and +specifies the B<verify_callback> function to be used. If no callback function +shall be specified, the NULL pointer can be used for B<verify_callback>. + +SSL_set_verify() sets the verification flags for B<ssl> to be B<mode> and +specifies the B<verify_callback> function to be used. If no callback function +shall be specified, the NULL pointer can be used for B<verify_callback>. In +this case last B<verify_callback> set specifically for this B<ssl> remains. If +no special B<callback> was set before, the default callback for the underlying +B<ctx> is used, that was valid at the the time B<ssl> was created with +L<SSL_new(3)|SSL_new(3)>. + +SSL_CTX_set_verify_depth() sets the maximum B<depth> for the certificate chain +verification that shall be allowed for B<ctx>. (See the BUGS section.) + +SSL_set_verify_depth() sets the maximum B<depth> for the certificate chain +verification that shall be allowed for B<ssl>. (See the BUGS section.) + +=head1 NOTES + +The verification of certificates can be controlled by a set of logically +or'ed B<mode> flags: + +=over 4 + +=item SSL_VERIFY_NONE + +B<Server mode:> the server will not send a client certificate request to the +client, so the client will not send a certificate. + +B<Client mode:> if not using an anonymous cipher (by default disabled), the +server will send a certificate which will be checked. The result of the +certificate verification process can be checked after the TLS/SSL handshake +using the L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> function. +The handshake will be continued regardless of the verification result. + +=item SSL_VERIFY_PEER + +B<Server mode:> the server sends a client certificate request to the client. +The certificate returned (if any) is checked. If the verification process +fails as indicated by B<verify_callback>, the TLS/SSL handshake is +immediately terminated with an alert message containing the reason for +the verification failure. +The behaviour can be controlled by the additional +SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags. + +B<Client mode:> the server certificate is verified. If the verification process +fails as indicated by B<verify_callback>, the TLS/SSL handshake is +immediately terminated with an alert message containing the reason for +the verification failure. If no server certificate is sent, because an +anonymous cipher is used, SSL_VERIFY_PEER is ignored. + +=item SSL_VERIFY_FAIL_IF_NO_PEER_CERT + +B<Server mode:> if the client did not return a certificate, the TLS/SSL +handshake is immediately terminated with a "handshake failure" alert. +This flag must be used together with SSL_VERIFY_PEER. + +B<Client mode:> ignored + +=item SSL_VERIFY_CLIENT_ONCE + +B<Server mode:> only request a client certificate on the initial TLS/SSL +handshake. Do not ask for a client certificate again in case of a +renegotiation. This flag must be used together with SSL_VERIFY_PEER. + +B<Client mode:> ignored + +=back + +Exactly one of the B<mode> flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be +set at any time. + +SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up +to which depth certificates in a chain are used during the verification +procedure. If the certificate chain is longer than allowed, the certificates +above the limit are ignored. Error messages are generated as if these +certificates would not be present, most likely a +X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued. +The depth count is "level 0:peer certificate", "level 1: CA certificate", +"level 2: higher level CA certificate", and so on. Setting the maximum +depth to 2 allows the levels 0, 1, and 2. The default depth limit is 9, +allowing for the peer certificate and additional 9 CA certificates. + +The B<verify_callback> function is used to control the behaviour when the +SSL_VERIFY_PEER flag is set. It must be supplied by the application and +receives two arguments: B<preverify_ok> indicates, whether the verification of +the certificate in question was passed (preverify_ok=1) or not +(preverify_ok=0). B<x509_ctx> is a pointer to the complete context used +for the certificate chain verification. + +The certificate chain is checked starting with the deepest nesting level +(the root CA certificate) and worked upward to the peer's certificate. +At each level signatures and issuer attributes are checked. Whenever +a verification error is found, the error number is stored in B<x509_ctx> +and B<verify_callback> is called with B<preverify_ok>=0. By applying +X509_CTX_store_* functions B<verify_callback> can locate the certificate +in question and perform additional steps (see EXAMPLES). If no error is +found for a certificate, B<verify_callback> is called with B<preverify_ok>=1 +before advancing to the next level. + +The return value of B<verify_callback> controls the strategy of the further +verification process. If B<verify_callback> returns 0, the verification +process is immediately stopped with "verification failed" state. If +SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and +the TLS/SSL handshake is terminated. If B<verify_callback> returns 1, +the verification process is continued. If B<verify_callback> always returns +1, the TLS/SSL handshake will never be terminated because of this application +experiencing a verification failure. The calling process can however +retrieve the error code of the last verification error using +L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> or by maintaining its +own error storage managed by B<verify_callback>. + +If no B<verify_callback> is specified, the default callback will be used. +Its return value is identical to B<preverify_ok>, so that any verification +failure will lead to a termination of the TLS/SSL handshake with an +alert message, if SSL_VERIFY_PEER is set. + +=head1 BUGS + +In client mode, it is not checked whether the SSL_VERIFY_PEER flag +is set, but whether SSL_VERIFY_NONE is not set. This can lead to +unexpected behaviour, if the SSL_VERIFY_PEER and SSL_VERIFY_NONE are not +used as required (exactly one must be set at any time). + +The certificate verification depth set with SSL[_CTX]_verify_depth() +stops the verification at a certain depth. The error message produced +will be that of an incomplete certificate chain and not +X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected. + +=head1 RETURN VALUES + +The SSL*_set_verify*() functions do not provide diagnostic information. + +=head1 EXAMPLES + +The following code sequence realizes an example B<verify_callback> function +that will always continue the TLS/SSL handshake regardless of verification +failure, if wished. The callback realizes a verification depth limit with +more informational output. + +All verification errors are printed, informations about the certificate chain +are printed on request. +The example is realized for a server that does allow but not require client +certificates. + +The example makes use of the ex_data technique to store application data +into/retrieve application data from the SSL structure +(see L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>, +L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>). + + ... + typedef struct { + int verbose_mode; + int verify_depth; + int always_continue; + } mydata_t; + int mydata_index; + ... + static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) + { + char buf[256]; + X509 *err_cert; + int err, depth; + SSL *ssl; + mydata_t *mydata; + + err_cert = X509_STORE_CTX_get_current_cert(ctx); + err = X509_STORE_CTX_get_error(ctx); + depth = X509_STORE_CTX_get_error_depth(ctx); + + /* + * Retrieve the pointer to the SSL of the connection currently treated + * and the application specific data stored into the SSL object. + */ + ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); + mydata = SSL_get_ex_data(ssl, mydata_index); + + X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); + + /* + * Catch a too long certificate chain. The depth limit set using + * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so + * that whenever the "depth>verify_depth" condition is met, we + * have violated the limit and want to log this error condition. + * We must do it here, because the CHAIN_TOO_LONG error would not + * be found explicitly; only errors introduced by cutting off the + * additional certificates would be logged. + */ + if (depth > mydata->verify_depth) { + preverify_ok = 0; + err = X509_V_ERR_CERT_CHAIN_TOO_LONG; + X509_STORE_CTX_set_error(ctx, err); + } + if (!preverify_ok) { + printf("verify error:num=%d:%s:depth=%d:%s\n", err, + X509_verify_cert_error_string(err), depth, buf); + } + else if (mydata->verbose_mode) + { + printf("depth=%d:%s\n", depth, buf); + } + + /* + * At this point, err contains the last verification error. We can use + * it for something special + */ + if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) + { + X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256); + printf("issuer= %s\n", buf); + } + + if (mydata->always_continue) + return 1; + else + return preverify_ok; + } + ... + + mydata_t mydata; + + ... + mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL); + + ... + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, + verify_callback); + + /* + * Let the verify_callback catch the verify_depth error so that we get + * an appropriate error in the logfile. + */ + SSL_CTX_set_verify_depth(verify_depth + 1); + + /* + * Set up the SSL specific data into "mydata" and store it into th SSL + * structure. + */ + mydata.verify_depth = verify_depth; ... + SSL_set_ex_data(ssl, mydata_index, &mydata); + + ... + SSL_accept(ssl); /* check of success left out for clarity */ + if (peer = SSL_get_peer_certificate(ssl)) + { + if (SSL_get_verify_result(ssl) == X509_V_OK) + { + /* The client sent a certificate which verified OK */ + } + } + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, +L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>, +L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>, +L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>, +L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>, +L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>, +L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod new file mode 100644 index 000000000000..58fa3e6a84f6 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod @@ -0,0 +1,154 @@ +=pod + +=head1 NAME + +SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_file, SSL_use_certificate, SSL_use_certificate_ASN1, SSL_use_certificate_file, SSL_CTX_use_certificate_chain_file, SSL_CTX_use_PrivateKey, SSL_CTX_use_PrivateKey_ASN1, SSL_CTX_use_PrivateKey_file, SSL_CTX_use_RSAPrivateKey, SSL_CTX_use_RSAPrivateKey_ASN1, SSL_CTX_use_RSAPrivateKey_file, SSL_use_PrivateKey_file, SSL_use_PrivateKey_ASN1, SSL_use_PrivateKey, SSL_use_RSAPrivateKey, SSL_use_RSAPrivateKey_ASN1, SSL_use_RSAPrivateKey_file, SSL_CTX_check_private_key, SSL_check_private_key - load certificate and key data + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x); + int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d); + int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type); + int SSL_use_certificate(SSL *ssl, X509 *x); + int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len); + int SSL_use_certificate_file(SSL *ssl, const char *file, int type); + + int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); + + int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); + int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d, + long len); + int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type); + int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); + int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len); + int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type); + int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); + int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len); + int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type); + int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); + int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); + int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); + + int SSL_CTX_check_private_key(SSL_CTX *ctx); + int SSL_check_private_key(SSL *ssl); + +=head1 DESCRIPTION + +These functions load the certificates and private keys into the SSL_CTX +or SSL object, respectively. + +The SSL_CTX_* class of functions loads the certificates and keys into the +SSL_CTX object B<ctx>. The information is passed to SSL objects B<ssl> +created from B<ctx> with L<SSL_new(3)|SSL_new(3)> by copying, so that +changes applied to B<ctx> do not propagate to already existing SSL objects. + +The SSL_* class of functions only loads certificates and keys into a +specific SSL object. The specific information is kept, when +L<SSL_clear(3)|SSL_clear(3)> is called for this SSL object. + +SSL_CTX_use_certificate() loads the certificate B<x> into B<ctx>, +SSL_use_certificate() loads B<x> into B<ssl>. The rest of the +certificates needed to form the complete certificate chain can be +specified using the +L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)> +function. + +SSL_CTX_use_certificate_ASN1() loads the ASN1 encoded certificate from +the memory location B<d> (with length B<len>) into B<ctx>, +SSL_use_certificate_ASN1() loads the ASN1 encoded certificate into B<ssl>. + +SSL_CTX_use_certificate_file() loads the first certificate stored in B<file> +into B<ctx>. The formatting B<type> of the certificate must be specified +from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1. +SSL_use_certificate_file() loads the certificate from B<file> into B<ssl>. +See the NOTES section on why SSL_CTX_use_certificate_chain_file() +should be preferred. + +SSL_CTX_use_certificate_chain_file() loads a certificate chain from +B<file> into B<ctx>. The certificates must be in PEM format and must +be sorted starting with the certificate to the highest level (root CA). +There is no corresponding function working on a single SSL object. + +SSL_CTX_use_PrivateKey() adds B<pkey> as private key to B<ctx>. +SSL_CTX_use_RSAPrivateKey() adds the private key B<rsa> of type RSA +to B<ctx>. SSL_use_PrivateKey() adds B<pkey> as private key to B<ssl>; +SSL_use_RSAPrivateKey() adds B<rsa> as private key of type RSA to B<ssl>. + +SSL_CTX_use_PrivateKey_ASN1() adds the private key of type B<pk> +stored at memory location B<d> (length B<len>) to B<ctx>. +SSL_CTX_use_RSAPrivateKey_ASN1() adds the private key of type RSA +stored at memory location B<d> (length B<len>) to B<ctx>. +SSL_use_PrivateKey_ASN1() and SSL_use_RSAPrivateKey_ASN1() add the private +key to B<ssl>. + +SSL_CTX_use_PrivateKey_file() adds the first private key found in +B<file> to B<ctx>. The formatting B<type> of the certificate must be specified +from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1. +SSL_CTX_use_RSAPrivateKey_file() adds the first private RSA key found in +B<file> to B<ctx>. SSL_use_PrivateKey_file() adds the first private key found +in B<file> to B<ssl>; SSL_use_RSAPrivateKey_file() adds the first private +RSA key found to B<ssl>. + +SSL_CTX_check_private_key() checks the consistency of a private key with +the corresponding certificate loaded into B<ctx>. If more than one +key/certificate pair (RSA/DSA) is installed, the last item installed will +be checked. If e.g. the last item was a RSA certificate or key, the RSA +key/certificate pair will be checked. SSL_check_private_key() performs +the same check for B<ssl>. If no key/certificate was explicitly added for +this B<ssl>, the last item added into B<ctx> will be checked. + +=head1 NOTES + +The internal certificate store of OpenSSL can hold two private key/certificate +pairs at a time: one key/certificate of type RSA and one key/certificate +of type DSA. The certificate used depends on the cipher select, see +also L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>. + +When reading certificates and private keys from file, files of type +SSL_FILETYPE_ASN1 (also known as B<DER>, binary encoding) can only contain +one certificate or private key, consequently +SSL_CTX_use_certificate_chain_file() is only applicable to PEM formatting. +Files of type SSL_FILETYPE_PEM can contain more than one item. + +SSL_CTX_use_certificate_chain_file() adds the first certificate found +in the file to the certificate store. The other certificates are added +to the store of chain certificates using +L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>. +There exists only one extra chain store, so that the same chain is appended +to both types of certificates, RSA and DSA! If it is not intented to use +both type of certificate at the same time, it is recommended to use the +SSL_CTX_use_certificate_chain_file() instead of the +SSL_CTX_use_certificate_file() function in order to allow the use of +complete certificate chains even when no trusted CA storage is used or +when the CA issuing the certificate shall not be added to the trusted +CA storage. + +If additional certificates are needed to complete the chain during the +TLS negotiation, CA certificates are additionally looked up in the +locations of trusted CA certificates, see +L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>. + +The private keys loaded from file can be encrypted. In order to successfully +load encrypted keys, a function returning the passphrase must have been +supplied, see +L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>. +(Certificate files might be encrypted as well from the technical point +of view, it however does not make sense as the data in the certificate +is considered public anyway.) + +=head1 RETURN VALUES + +On success, the functions return 1. +Otherwise check out the error stack to find out the reason. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>, +L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>, +L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>, +L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>, +L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod new file mode 100644 index 000000000000..dd5cb4f04bba --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod @@ -0,0 +1,61 @@ +=pod + +=head1 NAME + +SSL_SESSION_get_ex_new_index, SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data - internal application specific data functions + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_SESSION_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); + + int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg); + + void *SSL_SESSION_get_ex_data(SSL_SESSION *session, int idx); + + typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, + int idx, long argl, void *argp); + +=head1 DESCRIPTION + +Several OpenSSL structures can have application specific data attached to them. +These functions are used internally by OpenSSL to manipulate application +specific data attached to a specific structure. + +SSL_SESSION_get_ex_new_index() is used to register a new index for application +specific data. + +SSL_SESSION_set_ex_data() is used to store application data at B<arg> for B<idx> +into the B<session> object. + +SSL_SESSION_get_ex_data() is used to retrieve the information for B<idx> from +B<session>. + +A detailed description for the B<*_get_ex_new_index()> functionality +can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>. +The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in +L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>. + +=head1 WARNINGS + +The application data is only maintained for sessions held in memory. The +application data is not included when dumping the session with +i2d_SSL_SESSION() (and all functions indirectly calling the dump functions +like PEM_write_SSL_SESSION() and PEM_write_bio_SSL_SESSION()) and can +therefore not be restored. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, +L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod b/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod new file mode 100644 index 000000000000..cd33b73aa359 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod @@ -0,0 +1,63 @@ +=pod + +=head1 NAME + +SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION_get_timeout - retrieve and manipulate session time and timeout settings + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + long SSL_SESSION_get_time(SSL_SESSION *s); + long SSL_SESSION_set_time(SSL_SESSION *s, long tm); + long SSL_SESSION_get_timeout(SSL_SESSION *s); + long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm); + + long SSL_get_time(SSL_SESSION *s); + long SSL_set_time(SSL_SESSION *s, long tm); + long SSL_get_timeout(SSL_SESSION *s); + long SSL_set_timeout(SSL_SESSION *s, long tm); + +=head1 DESCRIPTION + +SSL_SESSION_get_time() returns the time at which the session B<s> was +established. The time is given in seconds since the Epoch and therefore +compatible to the time delivered by the time() call. + +SSL_SESSION_set_time() replaces the creation time of the session B<s> with +the chosen value B<tm>. + +SSL_SESSION_get_timeout() returns the timeout value set for session B<s> +in seconds. + +SSL_SESSION_set_timeout() sets the timeout value for session B<s> in seconds +to B<tm>. + +The SSL_get_time(), SSL_set_time(), SSL_get_timeout(), and SSL_set_timeout() +functions are synonyms for the SSL_SESSION_*() counterparts. + +=head1 NOTES + +Sessions are expired by examining the creation time and the timeout value. +Both are set at creation time of the session to the actual time and the +default timeout value at creation, respectively, as set by +L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>. +Using these functions it is possible to extend or shorten the lifetime +of the session. + +=head1 RETURN VALUES + +SSL_SESSION_get_time() and SSL_SESSION_get_timeout() return the currently +valid values. + +SSL_SESSION_set_time() and SSL_SESSION_set_timeout() return 1 on success. + +If any of the function is passed the NULL pointer for the session B<s>, +0 is returned. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_accept.pod b/crypto/openssl/doc/ssl/SSL_accept.pod index 0c79ac515e1d..46f95abb2f22 100644 --- a/crypto/openssl/doc/ssl/SSL_accept.pod +++ b/crypto/openssl/doc/ssl/SSL_accept.pod @@ -54,7 +54,7 @@ The TLS/SSL handshake was not successful but was shut down controlled and by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the return value B<ret> to find out the reason. -=item -1 +=item E<lt>0 The TLS/SSL handshake was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. The shutdown was diff --git a/crypto/openssl/doc/ssl/SSL_clear.pod b/crypto/openssl/doc/ssl/SSL_clear.pod index 862fd8291df1..aeb0b5c7a230 100644 --- a/crypto/openssl/doc/ssl/SSL_clear.pod +++ b/crypto/openssl/doc/ssl/SSL_clear.pod @@ -34,6 +34,6 @@ The SSL_clear() operation was successful. =back L<SSL_new(3)|SSL_new(3)>, L<SSL_free(3)|SSL_free(3)>, -L<ssl(3)|ssl(3)> +L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, L<ssl(3)|ssl(3)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_connect.pod b/crypto/openssl/doc/ssl/SSL_connect.pod index debe41744f0a..00813ecfff6f 100644 --- a/crypto/openssl/doc/ssl/SSL_connect.pod +++ b/crypto/openssl/doc/ssl/SSL_connect.pod @@ -51,7 +51,7 @@ The TLS/SSL handshake was not successful but was shut down controlled and by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the return value B<ret> to find out the reason. -=item -1 +=item E<lt>0 The TLS/SSL handshake was not successful, because a fatal error occurred either at the protocol level or a connection failure occurred. The shutdown was @@ -64,6 +64,6 @@ to find out the reason. =head1 SEE ALSO L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_accept(3)|SSL_accept(3)>, -L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)> , L<bio(3)|bio(3)> +L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod new file mode 100644 index 000000000000..d358bc352e69 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod @@ -0,0 +1,52 @@ +=pod + +=head1 NAME + +SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s); + STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_get_client_CA_list() returns the list of client CAs explicitely set for +B<ctx> using L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>. + +SSL_get_client_CA_list() returns the list of client CAs explicitely +set for B<ssl> using SSL_set_client_CA_list() or B<ssl>'s SSL_CTX object with +L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, when in +server mode. In client mode, SSL_get_client_CA_list returns the list of +client CAs sent from the server, if any. + +=head1 RETURN VALUES + +SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return +diagnostic information. + +SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return +values: + +=over 4 + +=item STACK_OF(X509_NAMES) + +List of CA names explicitely set (for B<ctx> or in server mode) or send +by the server (client mode). + +=item NULL + +No client CA list was explicitely set (for B<ctx> or in server mode) or +the server did not send a list of CAs (client mode). + +=back + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_get_error.pod b/crypto/openssl/doc/ssl/SSL_get_error.pod index d85b56425828..fefaf619369a 100644 --- a/crypto/openssl/doc/ssl/SSL_get_error.pod +++ b/crypto/openssl/doc/ssl/SSL_get_error.pod @@ -14,8 +14,8 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation SSL_get_error() returns a result code (suitable for the C "switch" statement) for a preceding call to SSL_connect(), SSL_accept(), -SSL_read(), or SSL_write() on B<ssl>. The value returned by that -TLS/SSL I/O function must be passed to SSL_get_error() in parameter +SSL_read(), SSL_peek(), or SSL_write() on B<ssl>. The value returned by +that TLS/SSL I/O function must be passed to SSL_get_error() in parameter B<ret>. In addition to B<ssl> and B<ret>, SSL_get_error() inspects the @@ -48,16 +48,26 @@ has been closed. =item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE The operation did not complete; the same TLS/SSL I/O function should be -called again later. There will be protocol progress if, by then, the -underlying B<BIO> has data available for reading (if the result code is -B<SSL_ERROR_WANT_READ>) or allows writing data (B<SSL_ERROR_WANT_WRITE>). -For socket B<BIO>s (e.g. when SSL_set_fd() was used) this means that -select() or poll() on the underlying socket can be used to find out -when the TLS/SSL I/O function should be retried. +called again later. If, by then, the underlying B<BIO> has data +available for reading (if the result code is B<SSL_ERROR_WANT_READ>) +or allows writing data (B<SSL_ERROR_WANT_WRITE>), then some TLS/SSL +protocol progress will take place, i.e. at least part of an TLS/SSL +record will be read or written. Note that the retry may again lead to +a B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE> condition. +There is no fixed upper limit for the number of iterations that +may be necessary until progress becomes visible at application +protocol level. + +For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or +poll() on the underlying socket can be used to find out when the +TLS/SSL I/O function should be retried. Caveat: Any TLS/SSL I/O function can lead to either of -B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>, i.e. SSL_read() -may want to write data and SSL_write() may want to read data. +B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>. In particular, +SSL_read() or SSL_peek() may want to write data and SSL_write() may want +to read data. This is mainly because TLS/SSL handshakes may occur at any +time during the protocol (initiated by either the client or the server); +SSL_read(), SSL_peek(), and SSL_write() will handle any pending handshakes. =item SSL_ERROR_WANT_X509_LOOKUP diff --git a/crypto/openssl/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod b/crypto/openssl/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod new file mode 100644 index 000000000000..165c6a5b2cae --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod @@ -0,0 +1,61 @@ +=pod + +=head1 NAME + +SSL_get_ex_data_X509_STORE_CTX_idx - get ex_data index to access SSL structure +from X509_STORE_CTX + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_get_ex_data_X509_STORE_CTX_idx(void); + +=head1 DESCRIPTION + +SSL_get_ex_data_X509_STORE_CTX_idx() returns the index number under which +the pointer to the SSL object is stored into the X509_STORE_CTX object. + +=head1 NOTES + +Whenever a X509_STORE_CTX object is created for the verification of the +peers certificate during a handshake, a pointer to the SSL object is +stored into the X509_STORE_CTX object to identify the connection affected. +To retrieve this pointer the X509_STORE_CTX_get_ex_data() function can +be used with the correct index. This index is globally the same for all +X509_STORE_CTX objects and can be retrieved using +SSL_get_ex_data_X509_STORE_CTX_idx(). The index value is set when +SSL_get_ex_data_X509_STORE_CTX_idx() is first called either by the application +program directly or indirectly during other SSL setup functions or during +the handshake. + +The value depends on other index values defined for X509_STORE_CTX objects +before the SSL index is created. + +=head1 RETURN VALUES + +=over 4 + +=item E<gt>=0 + +The index value to access the pointer. + +=item E<lt>0 + +An error occurred, check the error stack for a detailed error message. + +=back + +=head1 EXAMPLES + +The index returned from SSL_get_ex_data_X509_STORE_CTX_idx() allows to +access the SSL object for the connection to be accessed during the +verify_callback() when checking the peers certificate. Please check +the example in L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, +L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod new file mode 100644 index 000000000000..2b69bb105003 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod @@ -0,0 +1,59 @@ +=pod + +=head1 NAME + +SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data - internal application specific data functions + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); + + int SSL_set_ex_data(SSL *ssl, int idx, void *arg); + + void *SSL_get_ex_data(SSL *ssl, int idx); + + typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, + int idx, long argl, void *argp); + +=head1 DESCRIPTION + +Several OpenSSL structures can have application specific data attached to them. +These functions are used internally by OpenSSL to manipulate application +specific data attached to a specific structure. + +SSL_get_ex_new_index() is used to register a new index for application +specific data. + +SSL_set_ex_data() is used to store application data at B<arg> for B<idx> into +the B<ssl> object. + +SSL_get_ex_data() is used to retrieve the information for B<idx> from +B<ssl>. + +A detailed description for the B<*_get_ex_new_index()> functionality +can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>. +The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in +L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>. + +=head1 EXAMPLES + +An example on how to use the functionality is included in the example +verify_callback() in L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, +L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>, +L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_load_client_CA_file.pod b/crypto/openssl/doc/ssl/SSL_load_client_CA_file.pod new file mode 100644 index 000000000000..02527dc2edc8 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_load_client_CA_file.pod @@ -0,0 +1,62 @@ +=pod + +=head1 NAME + +SSL_load_client_CA_file - load certificate names from file + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); + +=head1 DESCRIPTION + +SSL_load_client_CA_file() reads certificates from B<file> and returns +a STACK_OF(X509_NAME) with the subject names found. + +=head1 NOTES + +SSL_load_client_CA_file() reads a file of PEM formatted certificates and +extracts the X509_NAMES of the certificates found. While the name suggests +the specific usage as support function for +L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, +it is not limited to CA certificates. + +=head1 EXAMPLES + +Load names of CAs from file and use it as a client CA list: + + SSL_CTX *ctx; + STACK_OF(X509_NAME) *cert_names; + + ... + cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem"); + if (cert_names != NULL) + SSL_CTX_set_client_CA_list(ctx, cert_names); + else + error_handling(); + ... + +=head1 RETURN VALUES + +The following return values can occur: + +=over 4 + +=item NULL + +The operation failed, check out the error stack for the reason. + +=item Pointer to STACK_OF(X509_NAME) + +Pointer to the subject names of the successfully read certificates. + +=back + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_new.pod b/crypto/openssl/doc/ssl/SSL_new.pod index 8e8638fa9561..3b084e867d08 100644 --- a/crypto/openssl/doc/ssl/SSL_new.pod +++ b/crypto/openssl/doc/ssl/SSL_new.pod @@ -37,6 +37,7 @@ The return value points to an allocated SSL structure. =head1 SEE ALSO L<SSL_free(3)|SSL_free(3)>, L<SSL_clear(3)|SSL_clear(3)>, +L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, L<ssl(3)|ssl(3)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_pending.pod b/crypto/openssl/doc/ssl/SSL_pending.pod index 744e1855e151..b4c48598b25d 100644 --- a/crypto/openssl/doc/ssl/SSL_pending.pod +++ b/crypto/openssl/doc/ssl/SSL_pending.pod @@ -25,6 +25,19 @@ L<SSL_read(3)|SSL_read(3)>. The number of bytes pending is returned. +=head1 BUGS + +SSL_pending() takes into account only bytes from the TLS/SSL record +that is currently being processed (if any). If the B<SSL> object's +I<read_ahead> flag is set, additional protocol bytes may have been +read containing more TLS/SSL records; these are ignored by +SSL_pending(). + +Up to OpenSSL 0.9.6, SSL_pending() does not check if the record type +of pending data is application data. + +=head1 SEE ALSO + L<SSL_read(3)|SSL_read(3)>, L<ssl(3)|ssl(3)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_read.pod b/crypto/openssl/doc/ssl/SSL_read.pod index 072dc26cf284..9bff32500b89 100644 --- a/crypto/openssl/doc/ssl/SSL_read.pod +++ b/crypto/openssl/doc/ssl/SSL_read.pod @@ -61,7 +61,7 @@ The read operation was not successful, probably because no data was available. Call SSL_get_error() with the return value B<ret> to find out, whether an error occurred. -=item -1 +=item E<lt>0 The read operation was not successful, because either an error occurred or action must be taken by the calling process. Call SSL_get_error() with the diff --git a/crypto/openssl/doc/ssl/SSL_set_session.pod b/crypto/openssl/doc/ssl/SSL_set_session.pod index 9f78d9e434ae..c4f7878579d5 100644 --- a/crypto/openssl/doc/ssl/SSL_set_session.pod +++ b/crypto/openssl/doc/ssl/SSL_set_session.pod @@ -40,6 +40,7 @@ The operation succeeded. =head1 SEE ALSO -L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> +L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>, +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)> =cut diff --git a/crypto/openssl/doc/ssl/SSL_write.pod b/crypto/openssl/doc/ssl/SSL_write.pod index db67c187e0ee..8110161522a3 100644 --- a/crypto/openssl/doc/ssl/SSL_write.pod +++ b/crypto/openssl/doc/ssl/SSL_write.pod @@ -2,7 +2,7 @@ =head1 NAME -SSL_read - write bytes to a TLS/SSL connection. +SSL_write - write bytes to a TLS/SSL connection. =head1 SYNOPSIS @@ -31,7 +31,7 @@ when the underlying BIO could not satisfy the needs of SSL_write() to continue the operation. In this case a call to SSL_get_error() with the return value of SSL_write() will yield B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a -call to SSL_write() can also cause write operations! The calling process +call to SSL_write() can also cause read operations! The calling process then must repeat the call after taking appropriate action to satisfy the needs of SSL_write(). The action depends on the underlying BIO. When using a non-blocking socket, nothing is to be done, but select() can be used to check @@ -60,9 +60,9 @@ bytes actually written to the TLS/SSL connection. The write operation was not successful. Call SSL_get_error() with the return value B<ret> to find out, whether an error occurred. -=item -1 +=item E<lt>0 -The read operation was not successful, because either an error occurred +The write operation was not successful, because either an error occurred or action must be taken by the calling process. Call SSL_get_error() with the return value B<ret> to find out the reason. diff --git a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod new file mode 100644 index 000000000000..8142b6b39f75 --- /dev/null +++ b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod @@ -0,0 +1,55 @@ +=pod + +=head1 NAME +d2i_SSL_SESSION, i2d_SSL_SESSION - convert SSL_SESSION object from/to ASN1 representation + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, long length); + int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); + +=head1 DESCRIPTION + +d2i_SSL_SESSION() transforms the external ASN1 representation of an SSL/TLS +session, stored as binary data at location B<pp> with length B<length>, into +an SSL_SESSION object. + +i2d_SSL_SESSION() transforms the SSL_SESSION object B<in> into the ASN1 +representation and stores it into the memory location pointed to by B<pp>. +The length of the resulting ASN1 representation is returned. If B<pp> is +the NULL pointer, only the length is calculated and returned. + +=head1 NOTES + +The SSL_SESSION object is built from several malloc()ed parts, it can +therefore not be moved, copied or stored directly. In order to store +session data on disk or into a database, it must be transformed into +a binary ASN1 representation. + +When using d2i_SSL_SESSION(), the SSL_SESSION object is automatically +allocated. + +When using i2d_SSL_SESSION(), the memory location pointed to by B<pp> must be +large enough to hold the binary representation of the session. There is no +known limit on the size of the created ASN1 representation, so the necessary +amount of space should be obtained by first calling i2d_SSL_SESSION() with +B<pp=NULL>, and obtain the size needed, then allocate the memory and +call i2d_SSL_SESSION() again. + +=head1 RETURN VALUES + +d2i_SSL_SESSION() returns a pointer to the newly allocated SSL_SESSION +object. In case of failure the NULL-pointer is returned and the error message +can be retrieved from the error stack. + +i2d_SSL_SESSION() returns the size of the ASN1 representation in bytes. +When the session is not valid, B<0> is returned and no operation is performed. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, +L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)> + +=cut diff --git a/crypto/openssl/doc/ssl/ssl.pod b/crypto/openssl/doc/ssl/ssl.pod index 8ffe5904d523..2911c83e4879 100644 --- a/crypto/openssl/doc/ssl/ssl.pod +++ b/crypto/openssl/doc/ssl/ssl.pod @@ -13,6 +13,69 @@ The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It provides a rich API which is documented here. +At first the library must be initialized; see +L<SSL_library_init(3)|SSL_library_init(3)>. + +Then an B<SSL_CTX> object is created as a framework to establish +TLS/SSL enabled connections (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>). +Various options regarding certificates, algorithms etc. can be set +in this object. + +When a network connection has been created, it can be assigned to an +B<SSL> object. After the B<SSL> object has been created using +L<SSL_new(3)|SSL_new(3)>, L<SSL_set_fd(3)|SSL_set_fd(3)> or +L<SSL_set_bio(3)|SSL_set_bio(3)> can be used to associate the network +connection with the object. + +Then the TLS/SSL handshake is performed using +L<SSL_accept(3)|SSL_accept(3)> or L<SSL_connect(3)|SSL_connect(3)> +respectively. +L<SSL_read(3)|SSL_read(3)> and L<SSL_write(3)|SSL_write(3)> are used +to read and write data on the TLS/SSL connection. +L<SSL_shutdown(3)|SSL_shutdown(3)> can be used to shut down the +TLS/SSL connection. + +=head1 DATA STRUCTURES + +Currently the OpenSSL B<ssl> library functions deals with the following data +structures: + +=over 4 + +=item B<SSL_METHOD> (SSL Method) + +That's a dispatch structure describing the internal B<ssl> library +methods/functions which implement the various protocol versions (SSLv1, SSLv2 +and TLSv1). It's needed to create an B<SSL_CTX>. + +=item B<SSL_CIPHER> (SSL Cipher) + +This structure holds the algorithm information for a particular cipher which +are a core part of the SSL/TLS protocol. The available ciphers are configured +on a B<SSL_CTX> basis and the actually used ones are then part of the +B<SSL_SESSION>. + +=item B<SSL_CTX> (SSL Context) + +That's the global context structure which is created by a server or client +once per program life-time and which holds mainly default values for the +B<SSL> structures which are later created for the connections. + +=item B<SSL_SESSION> (SSL Session) + +This is a structure containing the current TLS/SSL session details for a +connection: B<SSL_CIPHER>s, client and server certificates, keys, etc. + +=item B<SSL> (SSL Connection) + +That's the main SSL/TLS structure which is created by a server or client per +established connection. This actually is the core structure in the SSL API. +Under run-time the application usually deals with this structure which has +links to mostly all other structures. + +=back + + =head1 HEADER FILES Currently the OpenSSL B<ssl> library provides the following C header files @@ -55,46 +118,6 @@ it's already included by ssl.h>. =back -=head1 DATA STRUCTURES - -Currently the OpenSSL B<ssl> library functions deals with the following data -structures: - -=over 4 - -=item B<SSL_METHOD> (SSL Method) - -That's a dispatch structure describing the internal B<ssl> library -methods/functions which implement the various protocol versions (SSLv1, SSLv2 -and TLSv1). It's needed to create an B<SSL_CTX>. - -=item B<SSL_CIPHER> (SSL Cipher) - -This structure holds the algorithm information for a particular cipher which -are a core part of the SSL/TLS protocol. The available ciphers are configured -on a B<SSL_CTX> basis and the actually used ones are then part of the -B<SSL_SESSION>. - -=item B<SSL_CTX> (SSL Context) - -That's the global context structure which is created by a server or client -once per program life-time and which holds mainly default values for the -B<SSL> structures which are later created for the connections. - -=item B<SSL_SESSION> (SSL Session) - -This is a structure containing the current TLS/SSL session details for a -connection: B<SSL_CIPHER>s, client and server certificates, keys, etc. - -=item B<SSL> (SSL Connection) - -That's the main SSL/TLS structure which is created by a server or client per -established connection. This actually is the core structure in the SSL API. -Under run-time the application usually deals with this structure which has -links to mostly all other structures. - -=back - =head1 API FUNCTIONS Currently the OpenSSL B<ssl> library exports 214 API functions. @@ -625,20 +648,48 @@ connection defined in the B<SSL> structure. L<openssl(1)|openssl(1)>, L<crypto(3)|crypto(3)>, L<SSL_accept(3)|SSL_accept(3)>, L<SSL_clear(3)|SSL_clear(3)>, -L<SSL_connect(3)|SSL_connect(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>, +L<SSL_connect(3)|SSL_connect(3)>, +L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)>, +L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>, +L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>, +L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>, +L<SSL_CTX_get_ex_new_index(3)|SSL_CTX_get_ex_new_index(3)>, +L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>, +L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> +L<SSL_CTX_new(3)|SSL_CTX_new(3)>, +L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>, +L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>, +L<SSL_CTX_sessions(3)|SSL_CTX_sessions(3)>, +L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, +L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>, +L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, +L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>, +L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>, L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)>, +L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>, +L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, +L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, -L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_get_fd(3)|SSL_get_fd(3)>, +L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>, +L<SSL_get_error(3)|SSL_get_error(3)>, +L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>, +L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>, +L<SSL_get_fd(3)|SSL_get_fd(3)>, L<SSL_get_peer_cert_chain(3)|SSL_get_peer_cert_chain(3)>, L<SSL_get_rbio(3)|SSL_get_rbio(3)>, L<SSL_get_session(3)|SSL_get_session(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>, -L<SSL_library_init(3)|SSL_library_init(3)>, L<SSL_new(3)|SSL_new(3)>, +L<SSL_library_init(3)|SSL_library_init(3)>, +L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>, +L<SSL_new(3)|SSL_new(3)>, L<SSL_read(3)|SSL_read(3)>, L<SSL_set_bio(3)|SSL_set_bio(3)>, L<SSL_set_fd(3)|SSL_set_fd(3)>, L<SSL_pending(3)|SSL_pending(3)>, L<SSL_set_session(3)|SSL_set_session(3)>, L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_write(3)|SSL_write(3)>, -L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> +L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>, +L<SSL_SESSION_get_ex_new_index(3)|SSL_SESSION_get_ex_new_index(3)>, +L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>, +L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/ssleay.txt b/crypto/openssl/doc/ssleay.txt index 3e964c2e9aeb..fab8d42c4221 100644 --- a/crypto/openssl/doc/ssleay.txt +++ b/crypto/openssl/doc/ssleay.txt @@ -5743,7 +5743,7 @@ strucutre but also the private key and certificate associated with EXAMPLES. -So lets play at being a wierd SSL server. +So lets play at being a weird SSL server. /* setup a context */ ctx=SSL_CTX_new(); diff --git a/crypto/openssl/e_os.h b/crypto/openssl/e_os.h index 0c0784f9a972..4f9c983ef184 100644 --- a/crypto/openssl/e_os.h +++ b/crypto/openssl/e_os.h @@ -355,12 +355,14 @@ extern HINSTANCE _hInstance; # if defined(VMS) && !defined(__DECC) # include <socket.h> # include <in.h> +# include <inet.h> # else # include <sys/socket.h> # ifdef FILIO_H # include <sys/filio.h> /* Added for FIONBIO under unixware */ # endif # include <netinet/in.h> +# include <arpa/inet.h> # endif # if defined(NeXT) || defined(_NEXT_SOURCE) diff --git a/crypto/openssl/openssl.spec b/crypto/openssl/openssl.spec index 18ae94e54cb7..fa8c16b7c76f 100644 --- a/crypto/openssl/openssl.spec +++ b/crypto/openssl/openssl.spec @@ -94,7 +94,7 @@ perl util/perlpath.pl /usr/bin/perl ./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-ppc shared %endif %ifarch alpha -./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha shared +./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha-gcc shared %endif LD_LIBRARY_PATH=`pwd` make LD_LIBRARY_PATH=`pwd` make rehash diff --git a/crypto/openssl/rsaref/Makefile.ssl b/crypto/openssl/rsaref/Makefile.ssl index 69d41a9a6dfb..8f27c48a5a6a 100644 --- a/crypto/openssl/rsaref/Makefile.ssl +++ b/crypto/openssl/rsaref/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/ssl/Makefile.ssl b/crypto/openssl/ssl/Makefile.ssl index 04dd3e866349..61b9cee090b6 100644 --- a/crypto/openssl/ssl/Makefile.ssl +++ b/crypto/openssl/ssl/Makefile.ssl @@ -55,7 +55,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c index 47dd09c286f3..28d6d6529616 100644 --- a/crypto/openssl/ssl/s2_clnt.c +++ b/crypto/openssl/ssl/s2_clnt.c @@ -921,6 +921,7 @@ int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data) goto err; } ERR_clear_error(); /* but we keep s->verify_result */ + s->session->verify_result = s->verify_result; /* server's cert for this session */ sc=ssl_sess_cert_new(); diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c index 129ed89d9704..a590dbfa5ca6 100644 --- a/crypto/openssl/ssl/s2_lib.c +++ b/crypto/openssl/ssl/s2_lib.c @@ -260,7 +260,7 @@ SSL_CIPHER *ssl2_get_cipher(unsigned int u) int ssl2_pending(SSL *s) { - return(s->s2->ract_data_length); + return SSL_in_init(s) ? 0 : s->s2->ract_data_length; } int ssl2_new(SSL *s) @@ -270,10 +270,16 @@ int ssl2_new(SSL *s) if ((s2=OPENSSL_malloc(sizeof *s2)) == NULL) goto err; memset(s2,0,sizeof *s2); +#if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2 +# error "assertion failed" +#endif + if ((s2->rbuf=OPENSSL_malloc( SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err; + /* wbuf needs one byte more because when using two-byte headers, + * we leave the first byte unused in do_ssl_write (s2_pkt.c) */ if ((s2->wbuf=OPENSSL_malloc( - SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err; + SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+3)) == NULL) goto err; s->s2=s2; ssl2_clear(s); diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c index 56662f29facb..1f119442b4e8 100644 --- a/crypto/openssl/ssl/s2_pkt.c +++ b/crypto/openssl/ssl/s2_pkt.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include "ssl_locl.h" #ifndef NO_SSL2 @@ -66,23 +119,12 @@ static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend); static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len); static int write_pending(SSL *s, const unsigned char *buf, unsigned int len); static int ssl_mt_error(int n); -int ssl2_peek(SSL *s, char *buf, int len) - { - int ret; - ret=ssl2_read(s,buf,len); - if (ret > 0) - { - s->s2->ract_data_length+=ret; - s->s2->ract_data-=ret; - } - return(ret); - } -/* SSL_read - +/* SSL 2.0 imlementation for SSL_read/SSL_peek - * This routine will return 0 to len bytes, decrypted etc if required. */ -int ssl2_read(SSL *s, void *buf, int len) +static int ssl2_read_internal(SSL *s, void *buf, int len, int peek) { int n; unsigned char mac[MAX_MAC_SIZE]; @@ -90,14 +132,14 @@ int ssl2_read(SSL *s, void *buf, int len) int i; unsigned int mac_size=0; -ssl2_read_again: + ssl2_read_again: if (SSL_in_init(s) && !s->in_handshake) { n=s->handshake_func(s); if (n < 0) return(n); if (n == 0) { - SSLerr(SSL_F_SSL2_READ,SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_SSL_HANDSHAKE_FAILURE); return(-1); } } @@ -114,13 +156,22 @@ ssl2_read_again: n=len; memcpy(buf,s->s2->ract_data,(unsigned int)n); - s->s2->ract_data_length-=n; - s->s2->ract_data+=n; - if (s->s2->ract_data_length == 0) - s->rstate=SSL_ST_READ_HEADER; + if (!peek) + { + s->s2->ract_data_length-=n; + s->s2->ract_data+=n; + if (s->s2->ract_data_length == 0) + s->rstate=SSL_ST_READ_HEADER; + } + return(n); } + /* s->s2->ract_data_length == 0 + * + * Fill the buffer, then goto ssl2_read_again. + */ + if (s->rstate == SSL_ST_READ_HEADER) { if (s->first_packet) @@ -133,7 +184,7 @@ ssl2_read_again: (p[2] == SSL2_MT_CLIENT_HELLO) || (p[2] == SSL2_MT_SERVER_HELLO)))) { - SSLerr(SSL_F_SSL2_READ,SSL_R_NON_SSLV2_INITIAL_PACKET); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_NON_SSLV2_INITIAL_PACKET); return(-1); } } @@ -211,48 +262,49 @@ ssl2_read_again: (unsigned int)mac_size) != 0) || (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0)) { - SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_MAC_DECODE); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE); return(-1); } } INC32(s->s2->read_sequence); /* expect next number */ /* s->s2->ract_data is now available for processing */ -#if 1 - /* How should we react when a packet containing 0 - * bytes is received? (Note that SSLeay/OpenSSL itself - * never sends such packets; see ssl2_write.) - * Returning 0 would be interpreted by the caller as - * indicating EOF, so it's not a good idea. - * Instead, we just continue reading. Note that using - * select() for blocking sockets *never* guarantees + /* Possibly the packet that we just read had 0 actual data bytes. + * (SSLeay/OpenSSL itself never sends such packets; see ssl2_write.) + * In this case, returning 0 would be interpreted by the caller + * as indicating EOF, so it's not a good idea. Instead, we just + * continue reading; thus ssl2_read_internal may have to process + * multiple packets before it can return. + * + * [Note that using select() for blocking sockets *never* guarantees * that the next SSL_read will not block -- the available - * data may contain incomplete packets, and except for SSL 2 - * renegotiation can confuse things even more. */ + * data may contain incomplete packets, and except for SSL 2, + * renegotiation can confuse things even more.] */ goto ssl2_read_again; /* This should really be - * "return ssl2_read(s,buf,len)", - * but that would allow for - * denial-of-service attacks if a - * C compiler is used that does not - * recognize end-recursion. */ -#else - /* If a 0 byte packet was sent, return 0, otherwise - * we play havoc with people using select with - * blocking sockets. Let them handle a packet at a time, - * they should really be using non-blocking sockets. */ - if (s->s2->ract_data_length == 0) - return(0); - return(ssl2_read(s,buf,len)); -#endif + * "return ssl2_read(s,buf,len)", + * but that would allow for + * denial-of-service attacks if a + * C compiler is used that does not + * recognize end-recursion. */ } else { - SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_STATE); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_STATE); return(-1); } } +int ssl2_read(SSL *s, void *buf, int len) + { + return ssl2_read_internal(s, buf, len, 0); + } + +int ssl2_peek(SSL *s, char *buf, int len) + { + return ssl2_read_internal(s, buf, len, 1); + } + static int read_n(SSL *s, unsigned int n, unsigned int max, unsigned int extend) { @@ -483,6 +535,9 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) { bs=EVP_CIPHER_CTX_block_size(s->enc_read_ctx); j=len+mac_size; + /* Two-byte headers allow for a larger record length than + * three-byte headers, but we can't use them if we need + * padding or if we have to set the escape bit. */ if ((j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) && (!s->s2->escape)) { @@ -498,25 +553,39 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) } else if ((bs <= 1) && (!s->s2->escape)) { - /* len=len; */ + /* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus + * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */ s->s2->three_byte_header=0; p=0; } - else /* 3 byte header */ + else /* we may have to use a 3 byte header */ { - /*len=len; */ + /* If s->s2->escape is not set, then + * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus + * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */ p=(j%bs); p=(p == 0)?0:(bs-p); if (s->s2->escape) + { s->s2->three_byte_header=1; + if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) + j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER; + } else s->s2->three_byte_header=(p == 0)?0:1; } } + + /* Now + * j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + * holds, and if s->s2->three_byte_header is set, then even + * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER. + */ + /* mac_size is the number of MAC bytes * len is the number of data bytes we are going to send * p is the number of padding bytes - * if p == 0, it is a 2 byte header */ + * (if it is a two-byte header, then p == 0) */ s->s2->wlength=len; s->s2->padding=p; diff --git a/crypto/openssl/ssl/s3_both.c b/crypto/openssl/ssl/s3_both.c index d92c164b0fa9..10d8d3b15afc 100644 --- a/crypto/openssl/ssl/s3_both.c +++ b/crypto/openssl/ssl/s3_both.c @@ -365,7 +365,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) while (s->init_num < 4) { i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num], - 4 - s->init_num); + 4 - s->init_num, 0); if (i <= 0) { s->rwstate=SSL_READING; @@ -434,7 +434,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) n=s->s3->tmp.message_size; while (n > 0) { - i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n); + i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0); if (i <= 0) { s->rwstate=SSL_READING; diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index 62040f9f1d01..eec45cfa485d 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -815,6 +815,7 @@ static int ssl3_get_server_certificate(SSL *s) X509_free(s->session->peer); CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); s->session->peer=x; + s->session->verify_result = s->verify_result; x=NULL; ret=1; diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c index cee2021b6b0c..c170ceb97dd0 100644 --- a/crypto/openssl/ssl/s3_lib.c +++ b/crypto/openssl/ssl/s3_lib.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include <stdio.h> #include <openssl/md5.h> @@ -638,10 +691,9 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u) return(NULL); } -/* The problem is that it may not be the correct record type */ int ssl3_pending(SSL *s) { - return(s->s3->rrec.length); + return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0; } int ssl3_new(SSL *s) @@ -1189,7 +1241,7 @@ int ssl3_shutdown(SSL *s) else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ - ssl3_read_bytes(s,0,NULL,0); + ssl3_read_bytes(s,0,NULL,0,0); } if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && @@ -1252,14 +1304,14 @@ int ssl3_write(SSL *s, const void *buf, int len) return(ret); } -int ssl3_read(SSL *s, void *buf, int len) +static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) { int ret; clear_sys_error(); if (s->s3->renegotiate) ssl3_renegotiate_check(s); s->s3->in_read_app_data=1; - ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); + ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); if ((ret == -1) && (s->s3->in_read_app_data == 0)) { /* ssl3_read_bytes decided to call s->handshake_func, which @@ -1269,7 +1321,7 @@ int ssl3_read(SSL *s, void *buf, int len) * by resetting 'in_read_app_data', strangely); so disable * handshake processing and try to read application data again. */ s->in_handshake++; - ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); + ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); s->in_handshake--; } else @@ -1278,26 +1330,14 @@ int ssl3_read(SSL *s, void *buf, int len) return(ret); } -int ssl3_peek(SSL *s, char *buf, int len) +int ssl3_read(SSL *s, void *buf, int len) { - SSL3_RECORD *rr; - int n; - - rr= &(s->s3->rrec); - if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA)) - { - n=ssl3_read(s,buf,1); - if (n <= 0) return(n); - rr->length++; - rr->off--; - } + return ssl3_read_internal(s, buf, len, 0); + } - if ((unsigned int)len > rr->length) - n=rr->length; - else - n=len; - memcpy(buf,&(rr->data[rr->off]),(unsigned int)n); - return(n); +int ssl3_peek(SSL *s, char *buf, int len) + { + return ssl3_read_internal(s, buf, len, 1); } int ssl3_renegotiate(SSL *s) diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c index 14140798539d..9ab76604a645 100644 --- a/crypto/openssl/ssl/s3_pkt.c +++ b/crypto/openssl/ssl/s3_pkt.c @@ -704,7 +704,7 @@ static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, * Application data protocol * none of our business */ -int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) +int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) { int al,i,j,ret; unsigned int n; @@ -715,7 +715,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) if (!ssl3_setup_buffers(s)) return(-1); - if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) + if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) || + (peek && (type != SSL3_RT_APPLICATION_DATA))) { SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR); return -1; @@ -728,6 +729,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) unsigned char *dst = buf; unsigned int k; + /* peek == 0 */ n = 0; while ((len > 0) && (s->s3->handshake_fragment_len > 0)) { @@ -763,7 +765,7 @@ start: * s->s3->rrec.length, - number of bytes. */ rr = &(s->s3->rrec); - /* get new packet */ + /* get new packet if necessary */ if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) { ret=ssl3_get_record(s); @@ -781,7 +783,8 @@ start: goto err; } - /* If the other end has shutdown, throw anything we read away */ + /* If the other end has shut down, throw anything we read away + * (even in 'peek' mode) */ if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { rr->length=0; @@ -810,12 +813,15 @@ start: n = (unsigned int)len; memcpy(buf,&(rr->data[rr->off]),n); - rr->length-=n; - rr->off+=n; - if (rr->length == 0) + if (!peek) { - s->rstate=SSL_ST_READ_HEADER; - rr->off=0; + rr->length-=n; + rr->off+=n; + if (rr->length == 0) + { + s->rstate=SSL_ST_READ_HEADER; + rr->off=0; + } } return(n); } diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index bb8cfb31e55a..d04232960e30 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c @@ -1414,6 +1414,7 @@ static int ssl3_get_client_key_exchange(SSL *s) s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key,p,i); + memset(p,0,i); } else #endif diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h index fdbdc70ba72f..fad7a0e70b36 100644 --- a/crypto/openssl/ssl/ssl.h +++ b/crypto/openssl/ssl/ssl.h @@ -1178,7 +1178,7 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void ); #define SSL_CTX_get_read_ahead(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL) #define SSL_CTX_set_read_ahead(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL) + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL) /* NB: the keylength is only applicable when is_export is true */ #ifndef NO_RSA @@ -1238,7 +1238,9 @@ int SSL_COMP_add_compression_method(int id,char *cm); #define SSL_F_SSL2_ACCEPT 122 #define SSL_F_SSL2_CONNECT 123 #define SSL_F_SSL2_ENC_INIT 124 +#define SSL_F_SSL2_PEEK 234 #define SSL_F_SSL2_READ 125 +#define SSL_F_SSL2_READ_INTERNAL 236 #define SSL_F_SSL2_SET_CERTIFICATE 126 #define SSL_F_SSL2_WRITE 127 #define SSL_F_SSL3_ACCEPT 128 @@ -1263,6 +1265,7 @@ int SSL_COMP_add_compression_method(int id,char *cm); #define SSL_F_SSL3_GET_SERVER_DONE 145 #define SSL_F_SSL3_GET_SERVER_HELLO 146 #define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147 +#define SSL_F_SSL3_PEEK 235 #define SSL_F_SSL3_READ_BYTES 148 #define SSL_F_SSL3_READ_N 149 #define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150 diff --git a/crypto/openssl/ssl/ssl2.h b/crypto/openssl/ssl/ssl2.h index df7d03c18f70..f8b56afb6b20 100644 --- a/crypto/openssl/ssl/ssl2.h +++ b/crypto/openssl/ssl/ssl2.h @@ -134,11 +134,11 @@ extern "C" { /* Upper/Lower Bounds */ #define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256 #ifdef MPE -#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)29998 +#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u #else -#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)32767 +#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */ #endif -#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /**/ +#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */ #define SSL2_CHALLENGE_LENGTH 16 /*#define SSL2_CHALLENGE_LENGTH 32 */ diff --git a/crypto/openssl/ssl/ssl_algs.c b/crypto/openssl/ssl/ssl_algs.c index a91ee6d22e45..dde8918fe0e3 100644 --- a/crypto/openssl/ssl/ssl_algs.c +++ b/crypto/openssl/ssl/ssl_algs.c @@ -88,9 +88,13 @@ int SSL_library_init(void) #ifndef NO_SHA EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); + EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); #endif #if !defined(NO_SHA) && !defined(NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ + EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); + EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1"); + EVP_add_digest_alias(SN_dsaWithSHA1,"dss1"); #endif /* If you want support for phased out ciphers, add the following */ diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c index 17b4caf528a9..9945758104b5 100644 --- a/crypto/openssl/ssl/ssl_err.c +++ b/crypto/openssl/ssl/ssl_err.c @@ -91,7 +91,9 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL2_ACCEPT,0), "SSL2_ACCEPT"}, {ERR_PACK(0,SSL_F_SSL2_CONNECT,0), "SSL2_CONNECT"}, {ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0), "SSL2_ENC_INIT"}, +{ERR_PACK(0,SSL_F_SSL2_PEEK,0), "SSL2_PEEK"}, {ERR_PACK(0,SSL_F_SSL2_READ,0), "SSL2_READ"}, +{ERR_PACK(0,SSL_F_SSL2_READ_INTERNAL,0), "SSL2_READ_INTERNAL"}, {ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0), "SSL2_SET_CERTIFICATE"}, {ERR_PACK(0,SSL_F_SSL2_WRITE,0), "SSL2_WRITE"}, {ERR_PACK(0,SSL_F_SSL3_ACCEPT,0), "SSL3_ACCEPT"}, @@ -116,6 +118,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL3_GET_SERVER_DONE,0), "SSL3_GET_SERVER_DONE"}, {ERR_PACK(0,SSL_F_SSL3_GET_SERVER_HELLO,0), "SSL3_GET_SERVER_HELLO"}, {ERR_PACK(0,SSL_F_SSL3_OUTPUT_CERT_CHAIN,0), "SSL3_OUTPUT_CERT_CHAIN"}, +{ERR_PACK(0,SSL_F_SSL3_PEEK,0), "SSL3_PEEK"}, {ERR_PACK(0,SSL_F_SSL3_READ_BYTES,0), "SSL3_READ_BYTES"}, {ERR_PACK(0,SSL_F_SSL3_READ_N,0), "SSL3_READ_N"}, {ERR_PACK(0,SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,0), "SSL3_SEND_CERTIFICATE_REQUEST"}, diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c index 635b25062e8b..fec98dd8f43d 100644 --- a/crypto/openssl/ssl/ssl_lib.c +++ b/crypto/openssl/ssl/ssl_lib.c @@ -119,7 +119,9 @@ int SSL_clear(SSL *s) s->client_version=s->version; s->rwstate=SSL_NOTHING; s->rstate=SSL_ST_READ_HEADER; +#if 0 s->read_ahead=s->ctx->read_ahead; +#endif if (s->init_buf != NULL) { @@ -229,6 +231,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; s->options=ctx->options; s->mode=ctx->mode; + s->read_ahead=ctx->read_ahead; /* used to happen in SSL_clear */ SSL_clear(s); CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data); diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h index d70fff4627d6..bc9c69914331 100644 --- a/crypto/openssl/ssl/ssl_locl.h +++ b/crypto/openssl/ssl/ssl_locl.h @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #ifndef HEADER_SSL_LOCL_H #define HEADER_SSL_LOCL_H @@ -494,7 +547,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u); int ssl3_renegotiate(SSL *ssl); int ssl3_renegotiate_check(SSL *ssl); int ssl3_dispatch_alert(SSL *s); -int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len); +int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek); int ssl3_write_bytes(SSL *s, int type, const void *buf, int len); int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2, const char *sender, int slen,unsigned char *p); diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c index 416def8908e8..7064262def86 100644 --- a/crypto/openssl/ssl/ssl_sess.c +++ b/crypto/openssl/ssl/ssl_sess.c @@ -508,6 +508,7 @@ int SSL_set_session(SSL *s, SSL_SESSION *session) if (s->session != NULL) SSL_SESSION_free(s->session); s->session=session; + s->verify_result = s->session->verify_result; /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/ ret=1; } diff --git a/crypto/openssl/test/Makefile.ssl b/crypto/openssl/test/Makefile.ssl index 480e4bc807cf..8b353795cdf8 100644 --- a/crypto/openssl/test/Makefile.ssl +++ b/crypto/openssl/test/Makefile.ssl @@ -191,7 +191,7 @@ test_bn: @./$(BNTEST) >tmp.bntest @echo quit >>tmp.bntest @echo "running bc" - @bc tmp.bntest 2>&1 | $(PERL) -e 'while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} print STDERR "."; $$i++;} print STDERR "\n$$i tests passed\n"' + @<tmp.bntest sh -c "`sh ./bctest`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"' @echo 'test a^b%c implementations' ./$(EXPTEST) diff --git a/crypto/openssl/test/bctest b/crypto/openssl/test/bctest new file mode 100755 index 000000000000..6fa0663bb008 --- /dev/null +++ b/crypto/openssl/test/bctest @@ -0,0 +1,84 @@ +#!/bin/sh + +# This script is used by test/Makefile.ssl to check whether a sane 'bc' +# is installed. +# ('make test_bn' should not try to run 'bc' if it does not exist or if +# it is a broken 'bc' version that is known to cause trouble.) +# +# If 'bc' works, we also test if it knows the 'print' command. +# +# In any case, output an appropriate command line for running (or not +# running) bc. + + +# Test for SunOS 5.[78] bc bug (or missing bc) +if [ 0 != "`bc <<\EOF +obase=16 +ibase=16 +a=AD88C418F31B3FC712D0425001D522B3AE9134FF3A98C13C1FCC1682211195406C1A6C66C6A\ +CEEC1A0EC16950233F77F1C2F2363D56DD71A36C57E0B2511FC4BA8F22D261FE2E9356D99AF57\ +10F3817C0E05BF79C423C3F66FDF321BE8D3F18F625D91B670931C1EF25F28E489BDA1C5422D1\ +C3F6F7A1AD21585746ECC4F10A14A778AF56F08898E965E9909E965E0CB6F85B514150C644759\ +3BE731877B16EA07B552088FF2EA728AC5E0FF3A23EB939304519AB8B60F2C33D6BA0945B66F0\ +4FC3CADF855448B24A9D7640BCF473E +b=DCE91E7D120B983EA9A104B5A96D634DD644C37657B1C7860B45E6838999B3DCE5A555583C6\ +9209E41F413422954175A06E67FFEF6746DD652F0F48AEFECC3D8CAC13523BDAAD3F5AF4212BD\ +8B3CD64126E1A82E190228020C05B91C8B141F1110086FC2A4C6ED631EBA129D04BB9A19FC53D\ +3ED0E2017D60A68775B75481449 +(a/b)*b + (a%b) - a +EOF`" ] +then + echo "bc does not work. Consider installing GNU bc." >&2 + echo "cat >/dev/null" + exit 1 +fi + + +# Test for SCO bc bug. +if [ "0 +0" != "`bc <<\EOF +obase=16 +ibase=16 +-FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4AEC6F15AC177F176F2274D2\ +9DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7F5ADFACEE54573F5D256A06\ +11B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99FB9812A0E4A5773D8B254117\ +1239157EC6E3D8D50199 * -FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4\ +AEC6F15AC177F176F2274D29DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7\ +F5ADFACEE54573F5D256A0611B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99F\ +B9812A0E4A5773D8B2541171239157EC6E3D8D50199 - FFBACC221682DA464B6D7F123482522\ +02EDAEDCA38C3B69E9B7BBCD6165A9CD8716C4903417F23C09A85B851961F92C217258CEEB866\ +85EFCC5DD131853A02C07A873B8E2AF2E40C6D5ED598CD0E8F35AD49F3C3A17FDB7653E4E2DC4\ +A8D23CC34686EE4AD01F7407A7CD74429AC6D36DBF0CB6A3E302D0E5BDFCD048A3B90C1BE5AA8\ +E16C3D5884F9136B43FF7BB443764153D4AEC176C681B078F4CC53D6EB6AB76285537DDEE7C18\ +8C72441B52EDBDDBC77E02D34E513F2AABF92F44109CAFE8242BD0ECBAC5604A94B02EA44D43C\ +04E9476E6FBC48043916BFA1485C6093603600273C9C33F13114D78064AE42F3DC466C7DA543D\ +89C8D71 +AD534AFBED2FA39EE9F40E20FCF9E2C861024DB98DDCBA1CD118C49CA55EEBC20D6BA51B2271C\ +928B693D6A73F67FEB1B4571448588B46194617D25D910C6A9A130CC963155CF34079CB218A44\ +8A1F57E276D92A33386DDCA3D241DB78C8974ABD71DD05B0FA555709C9910D745185E6FE108E3\ +37F1907D0C56F8BFBF52B9704 % -E557905B56B13441574CAFCE2BD257A750B1A8B2C88D0E36\ +E18EF7C38DAC80D3948E17ED63AFF3B3467866E3B89D09A81B3D16B52F6A3C7134D3C6F5123E9\ +F617E3145BBFBE9AFD0D6E437EA4FF6F04BC67C4F1458B4F0F47B64 - 1C2BBBB19B74E86FD32\ +9E8DB6A8C3B1B9986D57ED5419C2E855F7D5469E35E76334BB42F4C43E3F3A31B9697C171DAC4\ +D97935A7E1A14AD209D6CF811F55C6DB83AA9E6DFECFCD6669DED7171EE22A40C6181615CAF3F\ +5296964 +EOF`" ] +then + echo "bc does not work. Consider installing GNU bc." >&2 + echo "cat >/dev/null" + exit 1 +fi + + +# bc works, good. +# Now check if it knows the 'print' command. +if [ "OK" = "`bc 2>/dev/null <<\EOF +print \"OK\" +EOF`" ] +then + echo "bc" +else + echo "sed 's/print.*//' | bc" +fi + +exit 0 diff --git a/crypto/openssl/util/libeay.num b/crypto/openssl/util/libeay.num index 3a72228d6acb..9f0f5988601a 100755 --- a/crypto/openssl/util/libeay.num +++ b/crypto/openssl/util/libeay.num @@ -301,8 +301,8 @@ EVP_des_ede_cfb 308 EXIST::FUNCTION:DES EVP_des_ede_ofb 309 EXIST::FUNCTION:DES EVP_des_ofb 310 EXIST::FUNCTION:DES EVP_desx_cbc 311 EXIST::FUNCTION:DES -EVP_dss 312 EXIST::FUNCTION:DSA -EVP_dss1 313 EXIST::FUNCTION:DSA +EVP_dss 312 EXIST::FUNCTION:DSA,SHA +EVP_dss1 313 EXIST::FUNCTION:DSA,SHA EVP_enc_null 314 EXIST::FUNCTION: EVP_get_cipherbyname 315 EXIST::FUNCTION: EVP_get_digestbyname 316 EXIST::FUNCTION: @@ -926,7 +926,7 @@ PKCS7_add_signature 938 EXIST::FUNCTION: PKCS7_cert_from_signer_info 939 EXIST::FUNCTION: PKCS7_get_signer_info 940 EXIST::FUNCTION: EVP_delete_alias 941 NOEXIST::FUNCTION: -EVP_mdc2 942 EXIST::FUNCTION: +EVP_mdc2 942 EXIST::FUNCTION:MDC2 PEM_read_bio_RSAPublicKey 943 EXIST::FUNCTION:RSA PEM_write_bio_RSAPublicKey 944 EXIST::FUNCTION:RSA d2i_RSAPublicKey_bio 945 EXIST::FUNCTION:RSA diff --git a/crypto/openssl/util/mkdef.pl b/crypto/openssl/util/mkdef.pl index 0ac793555c12..8ec1d07989a9 100755 --- a/crypto/openssl/util/mkdef.pl +++ b/crypto/openssl/util/mkdef.pl @@ -119,7 +119,7 @@ foreach (@ARGV, split(/ /, $options)) elsif (/^no-rc4$/) { $no_rc4=1; } elsif (/^no-rc5$/) { $no_rc5=1; } elsif (/^no-idea$/) { $no_idea=1; } - elsif (/^no-des$/) { $no_des=1; } + elsif (/^no-des$/) { $no_des=1; $no_mdc2=1; } elsif (/^no-bf$/) { $no_bf=1; } elsif (/^no-cast$/) { $no_cast=1; } elsif (/^no-md2$/) { $no_md2=1; } @@ -704,7 +704,8 @@ EOF } else { (my $n, my $i) = split /\\/, $nums{$s}; my %pf = (); - my @p = split(/,/, ($i =~ /^.*?:(.*?):/,$1)); + my @p = split(/,/, ($i =~ /^[^:]*:([^:]*):/,$1)); + my @a = split(/,/, ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1)); # @p_purged must contain hardware platforms only my @p_purged = (); foreach $ptmp (@p) { @@ -726,7 +727,26 @@ EOF || (!$negatives && ($rsaref || !grep(/^RSAREF$/,@p))) || ($negatives - && (!$rsaref || !grep(/^!RSAREF$/,@p))))) { + && (!$rsaref || !grep(/^!RSAREF$/,@p)))) + && (!@a || (!$no_rc2 || !grep(/^RC2$/,@a))) + && (!@a || (!$no_rc4 || !grep(/^RC4$/,@a))) + && (!@a || (!$no_rc5 || !grep(/^RC5$/,@a))) + && (!@a || (!$no_idea || !grep(/^IDEA$/,@a))) + && (!@a || (!$no_des || !grep(/^DES$/,@a))) + && (!@a || (!$no_bf || !grep(/^BF$/,@a))) + && (!@a || (!$no_cast || !grep(/^CAST$/,@a))) + && (!@a || (!$no_md2 || !grep(/^MD2$/,@a))) + && (!@a || (!$no_md4 || !grep(/^MD4$/,@a))) + && (!@a || (!$no_md5 || !grep(/^MD5$/,@a))) + && (!@a || (!$no_sha || !grep(/^SHA$/,@a))) + && (!@a || (!$no_ripemd || !grep(/^RIPEMD$/,@a))) + && (!@a || (!$no_mdc2 || !grep(/^MDC2$/,@a))) + && (!@a || (!$no_rsa || !grep(/^RSA$/,@a))) + && (!@a || (!$no_dsa || !grep(/^DSA$/,@a))) + && (!@a || (!$no_dh || !grep(/^DH$/,@a))) + && (!@a || (!$no_hmac || !grep(/^HMAC$/,@a))) + && (!@a || (!$no_fp_api || !grep(/^FP_API$/,@a))) + ) { printf OUT " %s%-40s@%d\n",($W32)?"":"_",$s,$n; # } else { # print STDERR "DEBUG: \"$sym\" (@p):", |